1 /* Copyright (c) 2012-2020 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 /* Hash the question section. This is used to safely detect query
19 retransmission and to detect answers to questions we didn't ask, which
20 might be poisoning attacks. Note that we decode the name rather
21 than CRC the raw bytes, since replies might be compressed differently.
22 We ignore case in the names for the same reason.
24 The hash used is SHA-256. If we're building with DNSSEC support,
25 we use the Nettle cypto library. If not, we prefer not to
26 add a dependency on Nettle, and use a stand-alone implementation.
31 #if defined(HAVE_DNSSEC) || defined(HAVE_CRYPTOHASH)
33 static const struct nettle_hash *hash;
35 static unsigned char *digest;
37 void hash_questions_init(void)
39 if (!(hash = hash_find("sha256")))
40 die(_("Failed to create SHA-256 hash object"), NULL, EC_MISC);
42 ctx = safe_malloc(hash->context_size);
43 digest = safe_malloc(hash->digest_size);
46 unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
49 unsigned char *p = (unsigned char *)(header+1);
53 for (q = ntohs(header->qdcount); q != 0; q--)
57 if (!extract_name(header, plen, &p, name, 1, 4))
58 return NULL; /* bad packet */
60 for (cp = name; (c = *cp); cp++)
61 if (c >= 'A' && c <= 'Z')
64 hash->update(ctx, cp - name, (unsigned char *)name);
65 /* CRC the class and type as well */
66 hash->update(ctx, 4, p);
69 if (!CHECK_LEN(header, p, plen, 0))
70 return NULL; /* bad packet */
73 hash->digest(ctx, hash->digest_size, digest);
77 #else /* HAVE_DNSSEC || HAVE_CRYPTOHASH */
79 #define SHA256_BLOCK_SIZE 32 /* SHA256 outputs a 32 byte digest */
80 typedef unsigned char BYTE; /* 8-bit byte */
81 typedef unsigned int WORD; /* 32-bit word, change to "long" for 16-bit machines */
86 unsigned long long bitlen;
90 static void sha256_init(SHA256_CTX *ctx);
91 static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
92 static void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
94 void hash_questions_init(void)
98 unsigned char *hash_questions(struct dns_header *header, size_t plen, char *name)
101 unsigned char *p = (unsigned char *)(header+1);
103 static BYTE digest[SHA256_BLOCK_SIZE];
107 for (q = ntohs(header->qdcount); q != 0; q--)
111 if (!extract_name(header, plen, &p, name, 1, 4))
112 return NULL; /* bad packet */
114 for (cp = name; (c = *cp); cp++)
115 if (c >= 'A' && c <= 'Z')
118 sha256_update(&ctx, (BYTE *)name, cp - name);
119 /* CRC the class and type as well */
120 sha256_update(&ctx, (BYTE *)p, 4);
123 if (!CHECK_LEN(header, p, plen, 0))
124 return NULL; /* bad packet */
127 sha256_final(&ctx, digest);
128 return (unsigned char *)digest;
131 /* Code from here onwards comes from https://github.com/B-Con/crypto-algorithms
132 and was written by Brad Conte (brad@bradconte.com), to whom all credit is given.
134 This code is in the public domain, and the copyright notice at the head of this
135 file does not apply to it.
139 /****************************** MACROS ******************************/
140 #define ROTLEFT(a,b) (((a) << (b)) | ((a) >> (32-(b))))
141 #define ROTRIGHT(a,b) (((a) >> (b)) | ((a) << (32-(b))))
143 #define CH(x,y,z) (((x) & (y)) ^ (~(x) & (z)))
144 #define MAJ(x,y,z) (((x) & (y)) ^ ((x) & (z)) ^ ((y) & (z)))
145 #define EP0(x) (ROTRIGHT(x,2) ^ ROTRIGHT(x,13) ^ ROTRIGHT(x,22))
146 #define EP1(x) (ROTRIGHT(x,6) ^ ROTRIGHT(x,11) ^ ROTRIGHT(x,25))
147 #define SIG0(x) (ROTRIGHT(x,7) ^ ROTRIGHT(x,18) ^ ((x) >> 3))
148 #define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
150 /**************************** VARIABLES *****************************/
151 static const WORD k[64] = {
152 0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
153 0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
154 0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
155 0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
156 0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
157 0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
158 0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
159 0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
162 /*********************** FUNCTION DEFINITIONS ***********************/
163 static void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
165 WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
167 for (i = 0, j = 0; i < 16; ++i, j += 4)
168 m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
170 m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
181 for (i = 0; i < 64; ++i)
183 t1 = h + EP1(e) + CH(e,f,g) + k[i] + m[i];
184 t2 = EP0(a) + MAJ(a,b,c);
205 static void sha256_init(SHA256_CTX *ctx)
209 ctx->state[0] = 0x6a09e667;
210 ctx->state[1] = 0xbb67ae85;
211 ctx->state[2] = 0x3c6ef372;
212 ctx->state[3] = 0xa54ff53a;
213 ctx->state[4] = 0x510e527f;
214 ctx->state[5] = 0x9b05688c;
215 ctx->state[6] = 0x1f83d9ab;
216 ctx->state[7] = 0x5be0cd19;
219 static void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
223 for (i = 0; i < len; ++i)
225 ctx->data[ctx->datalen] = data[i];
227 if (ctx->datalen == 64) {
228 sha256_transform(ctx, ctx->data);
235 static void sha256_final(SHA256_CTX *ctx, BYTE hash[])
241 /* Pad whatever data is left in the buffer. */
242 if (ctx->datalen < 56)
244 ctx->data[i++] = 0x80;
246 ctx->data[i++] = 0x00;
250 ctx->data[i++] = 0x80;
252 ctx->data[i++] = 0x00;
253 sha256_transform(ctx, ctx->data);
254 memset(ctx->data, 0, 56);
257 /* Append to the padding the total message's length in bits and transform. */
258 ctx->bitlen += ctx->datalen * 8;
259 ctx->data[63] = ctx->bitlen;
260 ctx->data[62] = ctx->bitlen >> 8;
261 ctx->data[61] = ctx->bitlen >> 16;
262 ctx->data[60] = ctx->bitlen >> 24;
263 ctx->data[59] = ctx->bitlen >> 32;
264 ctx->data[58] = ctx->bitlen >> 40;
265 ctx->data[57] = ctx->bitlen >> 48;
266 ctx->data[56] = ctx->bitlen >> 56;
267 sha256_transform(ctx, ctx->data);
269 /* Since this implementation uses little endian byte ordering and SHA uses big endian,
270 reverse all the bytes when copying the final state to the output hash. */
271 for (i = 0; i < 4; ++i)
273 hash[i] = (ctx->state[0] >> (24 - i * 8)) & 0x000000ff;
274 hash[i + 4] = (ctx->state[1] >> (24 - i * 8)) & 0x000000ff;
275 hash[i + 8] = (ctx->state[2] >> (24 - i * 8)) & 0x000000ff;
276 hash[i + 12] = (ctx->state[3] >> (24 - i * 8)) & 0x000000ff;
277 hash[i + 16] = (ctx->state[4] >> (24 - i * 8)) & 0x000000ff;
278 hash[i + 20] = (ctx->state[5] >> (24 - i * 8)) & 0x000000ff;
279 hash[i + 24] = (ctx->state[6] >> (24 - i * 8)) & 0x000000ff;
280 hash[i + 28] = (ctx->state[7] >> (24 - i * 8)) & 0x000000ff;