[Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

Petr Menšík pemensik at redhat.com
Mon Jan 25 10:59:10 UTC 2021


Hi Vladislav,

Where is the openssl version used anyway? Would it make sense to support
multiple crypto libraries? Why is just nettle support inadequate? Our
crypto team asked me why nettle is used. It has no independent FIPS
certification, so they would like to use a different library, like gnutls
or openssl. Is that a similar reason to yours?

I would like to remove the dependency on the hashing function altogether. It is
not required and slows down the request handling process IMO. It should
be required only when actual cryptography operations are needed. But
let's postpone it until after the security updates are solved and without
regressions.

I just did not think long about the name, CRYPTOHASH sounds much better.
Thanks!

On 1/25/21 10:53 AM, Vladislav Grishenko wrote:
> Hi,
> 
>> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
>> because, why not? and applied. Looks like a sensible idea.
> 
> Indeed, much better. Thank you
> 
> --
> Best Regards, Vladislav Grishenko
> 
>> -----Original Message-----
>> From: Dnsmasq-discuss <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> On
>> Behalf Of Simon Kelley
>> Sent: Monday, January 25, 2021 3:15 AM
>> To: dnsmasq-discuss at lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to
>> HAVE_CRYPTOHASH
>>
>> On 24/01/2021 14:30, Vladislav Grishenko wrote:
>>> Hi,
>>>
>>>
>>>
>>> Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b "Support hash function
>>> from nettle (only)" has introduced HAVE_NETTLEHASH option (thanks, Petr!).
>>> But, I think, there's not much sense to bind feature name to specific
>>> cryptolib because this will require rename or introduce more similar
>>> opts for some other cryptolib backend if/when it'll be available (for
>>> example in my dnsmasq-openssl fork).
>>>
>>> If no objections, let's name it "cryptohash" early before 2.84 is out?
>>> Sorry, have missed pre-2.83, but it has dns issues so unlikely to be
>>> widely deployed.
>>>
>>> Please refer to the attached patch.
>>>
>>>
>>
>> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
>> because, why not? and applied. Looks like a sensible idea.
>>
>>
>>
>> Cheers,
>>
>> Simon.
>>
>>>
>>> --
>>>
>>> Best Regards, Vladislav Grishenko
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
>>>

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
