[Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH

Vladislav Grishenko themiron.ru at gmail.com
Tue Jan 26 07:11:04 UTC 2021


Hi Petr,

> Where is openssl version used anyway?
In https://asuswrt-merlin.net, embedded software for wireless routers

> Would it make sense to support multiple crypto libraries?
Taking into account existing official support of nettle and required support of system openssl (in asuswrt-merlin) - multilib support looks useful.
Current dnsmasq-openssl work is here https://github.com/themiron/dnsmasq

> Why is just nettle support inadequate?
Because of additional ram/flash footprint, libnettle is used only by dnsmasq among the rest of firmware packages.

> Our crypto team asked me, why is nettle used.
I believe nettle was picked due to openssl licensing incompatibility while initial dnssec approach was done with openssl.
Another point is memory usage with openssl, allocations are dynamic so frequent allocations/frees are expected unlike mostly-static nettle.
Simon may give more light on this.

> It has no independent FIPS certification, so they would like to use different library, like gnutls or openssl. Is that similar reason to yours?
My reasons are above, fortunately certification is not an issue for 3rd party project.
As for openssl license, 3.x version is compatible, and 1.x has no license issue if used as system library (as we have).
Gnutls support implementation seems possible for me, almost like openssl, tho till this moment I was not really interested (we have no gnutls used in our project).

> I just did not think long about the name, CRYPTOHASH sounds much better.
> Thanks!
Np

> 
> On 1/25/21 10:53 AM, Vladislav Grishenko wrote:
> > Hi,
> >
> >> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> >> because, why not? and applied. Looks like a sensible idea.
> >
> > Indeed, much better. Thank you
> >
> > --
> > Best Regards, Vladislav Grishenko
> >
> >> -----Original Message-----
> >> From: Dnsmasq-discuss
> >> <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> On Behalf Of Simon
> >> Kelley
> >> Sent: Monday, January 25, 2021 3:15 AM
> >> To: dnsmasq-discuss at lists.thekelleys.org.uk
> >> Subject: Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to
> >> HAVE_CRYPTOHASH
> >>
> >> On 24/01/2021 14:30, Vladislav Grishenko wrote:
> >>> Hi,
> >>>
> >>>
> >>>
> >>> Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b "Support hash
> >> function
> >>> from nettle (only)" has introduced HAVE_NETTLEHASH option (thanks,
> > Petr!).
> >>> But, I think, there's not much sense to bind feature name to specific
> >>> cryptolib because this will require rename or introduce more similar
> >>> opts for some other cryptolib backend if/when it'll be available
> >>> (for example in my dnsmasq-openssl fork).
> >>>
> >>> If no objections, let's name it "cryptohash" early before 2.84 is out?
> >>> Sorry, have missed pre-2.83, but it has dns issues so unlikely to be
> >>> widely deployed.
> >>>
> >>> Please refer patch attached.
> >>>
> >>>
> >>
> >> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> >> because, why not? and applied. Looks like a sensible idea.
> >>
> >>
> >>
> >> Cheers,
> >>
> >> Simon.
> >>
> >>>
> >>> --
> >>>
> >>> Best Regards, Vladislav Grishenko
> >>>
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Dnsmasq-discuss mailing list
> >>> Dnsmasq-discuss at lists.thekelleys.org.uk
> >>> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
> >>>
> >>
> >>
> >
> >
> >
> 
> --
> Petr Menšík
> Software Engineer
> Red Hat, http://www.redhat.com/
> email: pemensik at redhat.com
> PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB




