[Dnsmasq-discuss] Announce 2.85rc1 and security warning.

Petr Menšík pemensik at redhat.com
Mon Mar 22 12:56:51 UTC 2021


-DHAVE_CRYPTOHASH is needed only when -DHAVE_DNSSEC is NOT enabled.
Please turn off either DNSSEC or CRYPTOHASH. When DNSSEC is enabled,
CRYPTOHASH is always used without explicit declaration. It is there to
use cryptohash only without DNSSEC support compiled in.

It is an unsolved corner case in my solution, which I had no energy or need
to resolve. It is not really required, because having both defined is
unnecessary and wrong. If you want to play with it, the reason behind
the failure might be nice to find.

Cheers,
Petr

On 3/22/21 9:26 AM, Daniel via Dnsmasq-discuss wrote:
> 
> On 21/03/2021 at 23:39, Simon Kelley wrote:
>>
>> On 21/03/2021 12:12, Daniel via Dnsmasq-discuss wrote:
>>> On 20/03/2021 at 22:55, Simon Kelley wrote:
>>>> On 20/03/2021 11:11, Daniel via Dnsmasq-discuss wrote:
>>>>> On 19/03/2021 at 23:37, Simon Kelley wrote:
>>>>>> On 18/03/2021 08:38, Daniel via Dnsmasq-discuss wrote:
>>>>>>> Hello
>>>>>>>
>>>>>>> On 17/03/2021 at 22:48, Simon Kelley wrote:
>>>>>>>> [...]
>>>>>>>>
>>>>>>>> https://thekelleys.org.uk/dnsmasq/release-candidates/dnsmasq-2.85rc1.tar.gz
>>>>>>>>
>>>>>>> Thanks Simon. FYI I didn't get it compiled (as well as 2.84) on
>>>>>>> Debian Buster, getting
>>>>>>>
>>>>>>> cc  -o dnsmasq cache.o rfc1035.o util.o option.o forward.o network.o
>>>>>>> dnsmasq.o dhcp.o lease.o rfc2131.o netlink.o dbus.o bpf.o helper.o
>>>>>>> tftp.o log.o conntrack.o dhcp6.o rfc3315.o dhcp-common.o outpacket.o
>>>>>>> radv.o slaac.o auth.o ipset.o domain.o dnssec.o blockdata.o tables.o
>>>>>>> loop.o inotify.o poll.o rrfilter.o edns0.o arp.o crypto.o dump.o
>>>>>>> ubus.o
>>>>>>> metrics.o hash_questions.o -ldbus-1   -lidn  -lnetfilter_conntrack
>>>>>>> -lnfnetlink -llua5.2 -lnettle -lhogweed
>>>>>>> /usr/bin/ld: crypto.o: undefined reference to symbol '__gmpz_init'
>>>>>>> /usr/bin/ld: //usr/lib/x86_64-linux-gnu/libgmp.so.10: error adding
>>>>>>> symbols: DSO manquant dans la ligne de commande
>>>>>>> collect2: error: ld returned 1 exit status
>>>>>>>
>>>>>>> It's working by adding -lgmp to nettle_cflags and nettle_libs
>>>>>>>
>>>>>>> nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC
>>>>>>> $(PKG_CONFIG) --cflags 'nettle hogweed' -lgmp\
>>>>>>> HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
>>>>>>> HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
>>>>>>> nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC
>>>>>>> $(PKG_CONFIG) --libs 'nettle hogweed' -lgmp\
>>>>>>> HAVE_CRYPTOHASH $(PKG_CONFIG) --libs nettle \
>>>>>>> HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
>>>>>>>
>>>>>>> Cheers
>>>>>>>
>>>>>> How are you compiling? What command?
>>>>> uname -a
>>>>> Linux keewi 4.19.0-14-amd64 #1 SMP Debian 4.19.171-2 (2021-01-30)
>>>>> x86_64
>>>>> GNU/Linux
>>>>>
>>>>> . download tarball
>>>>> . untar
>>>>> . sudo make
>>>>>
>>>>> Error. Add the -lgmp to both lines => works fine
>>>>>
>>>> That doesn't make sense. The makefile in the tarball builds a binary
>>>> which doesn't rely on any libraries other than libc when make is run
>>>> without arguments. Unless you've enabled DNSSEC, there should be no
>>>> dependency on libgmp.
>>> Yes sorry, forgot to mention that I activate some options
>>>
>>> Dnsmasq version 2.85rc1  Copyright (c) 2000-2021 Simon Kelley
>>> Compile time options: IPv6 GNU-getopt DBus no-UBus no-i18n IDN DHCP
>>> DHCPv6 Lua TFTP conntrack ipset auth cryptohash DNSSEC loop-detect
>>> inotify dumpfile
>>>
>> HOW do you activate those options? Please try to tell us EXACTLY what
>> you do, starting from the downloaded tarball.
> . download tarball
> . untar
> . edit src/config.h
> /* Build options which require external libraries.
> 
>    Defining HAVE_<opt>_STATIC as _well_ as HAVE_<opt> will link the
> library statically.
> 
>    You can use "make COPTS=-DHAVE_<opt>" instead of editing these.
> */
> 
> #define HAVE_LUASCRIPT
> #define HAVE_DBUS
> #define HAVE_IDN
> /* #define HAVE_LIBIDN2 */
> #define HAVE_CONNTRACK
> #define HAVE_CRYPTOHASH
> 
> #define HAVE_DNSSEC
> . make
> => error
> 
> . edit Makefile and add -lgmp
> nettle_cflags = `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC    
> $(PKG_CONFIG) --cflags 'nettle hogweed' -lgmp\
> HAVE_CRYPTOHASH $(PKG_CONFIG) --cflags nettle \
> HAVE_NETTLEHASH $(PKG_CONFIG) --cflags nettle`
> nettle_libs =   `echo $(COPTS) | $(top)/bld/pkg-wrapper HAVE_DNSSEC    
> $(PKG_CONFIG) --libs 'nettle hogweed' -lgmp\
> HAVE_CRYPTOHASH $(PKG_CONFIG) --libs nettle \
> HAVE_NETTLEHASH $(PKG_CONFIG) --libs nettle`
> => perfect :)
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
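
The option clash described in this message can be caught before running make. The following check is an added example, not part of the original message or of the dnsmasq build system; the function names are hypothetical, and it assumes options are enabled either by a single-line `#define HAVE_<opt>` in src/config.h or by `-DHAVE_<opt>` in COPTS.

```shell
#!/bin/sh
# Added example: pre-build check for HAVE_DNSSEC + HAVE_CRYPTOHASH both set.
# Assumption: an option is active when src/config.h has an uncommented
# "#define HAVE_<opt>" line or COPTS carries -DHAVE_<opt>.
# Limitation: a define hidden inside a multi-line /* ... */ block is not detected.

# opt_enabled NAME CONFIG_H COPTS -> exit status 0 if NAME is enabled
opt_enabled() {
    name=$1
    config=$2
    copts=$3
    # Whole-word match in COPTS, so -DHAVE_DNSSEC_STATIC is not HAVE_DNSSEC.
    for flag in $copts; do
        case $flag in
            -D"$name"|-D"$name"=*) return 0 ;;
        esac
    done
    # The line must begin with '#', so "/* #define HAVE_X */" does not count,
    # and the name must end there, so HAVE_X_STATIC does not count either.
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$name([[:space:]]|\$)" "$config"
}

# check_hash_options CONFIG_H [COPTS] -> prints a verdict, returns 1 on the clash
check_hash_options() {
    cfg=$1
    opts=${2:-}
    if opt_enabled HAVE_DNSSEC "$cfg" "$opts" &&
       opt_enabled HAVE_CRYPTOHASH "$cfg" "$opts"; then
        echo "clash: HAVE_DNSSEC and HAVE_CRYPTOHASH are both set; turn one off"
        return 1
    fi
    echo "ok"
}

# Typical use from the unpacked source tree:
#   check_hash_options src/config.h "$COPTS" && make COPTS="$COPTS"
```
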
