[Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

Vladislav Grishenko themiron.ru at gmail.com
Wed Apr 14 06:49:14 UTC 2021


Hi Simon,

> I committed a slightly more comprehensive clean up that fixes
> this.

Thank you, but unfortunately it will not compile with nettle 2.x and 3.0,
because there is no version.h there.
My original patch handled that by including bignum.h first, to pick up the
version indirectly, if available.

> This shouldn't be a problem, if both are not available, then the
> signatures cannot be used.

No problem, but could a NO_GOST compile-time option then please be made
available to turn the insecure GOST validation off when it is available in
nettle?
Before nettle 3.6 there was no such support, so GOST validation was actually
not working.
I'm fine with disabling it explicitly to keep the original behavior.

> RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.

The Russian authority has had a draft since 2020 for GOST R 34.11-2012 which
will officially deprecate GOST R 34.10-2001 (although de facto it already is
deprecated); it is not standardized by the IETF yet.
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5933-bis-03
Maybe that matters for the decision, and nettle has no GOST R 34.11-2012
support at the moment.

Thank you
--
Best Regards, Vladislav Grishenko

> -----Original Message-----
> From: Dnsmasq-discuss <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> On
> Behalf Of Simon Kelley
> Sent: Wednesday, April 14, 2021 3:44 AM
> To: dnsmasq-discuss at lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune
> GOST/ECDSA usage
> 
> On 10/04/2021 15:57, Vladislav Grishenko wrote:
> > Hello,
> >
> >
> >
> > Recent nettle version detection changes in dnsmasq 2.85 have brought
> > a build regression with HAVE_CRYPTOHASH defined, because no MIN_VERSION
> > macro is defined.
> 
> That's not good. I committed a slightly more comprehensive clean up that
> fixes this.
> 
> I also built myself a script which test compiles with lots of different
> compile-time options, to try and avoid this in the future. I counted 20
> different options, so all combinations would be around a million test
> combinations, and not practical. I do at least check each one by itself,
> and interacting combinations.
> >
> > Also, DNSSEC GOST validation is not consistent in case only hash but
> > not signature functions are available.
> >
> 
> This shouldn't be a problem, if both are not available, then the
> signatures cannot be used.
> 
> > Please refer patch set attached.
> >
> >
> >
> > As for disabling GOST, what if disable it by default?
> >
> > The currently implemented GOST algos are obsolete, and the newer ones
> > didn't pass certification as a DNSSEC algo, so.
> >
> >
> 
> 
> RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.
> 
> 
> Simon.
> 
> 
> >
> > --
> >
> > Best Regards, Vladislav Grishenko
> >
> >
> >
> >
> > _______________________________________________
> > Dnsmasq-discuss mailing list
> > Dnsmasq-discuss at lists.thekelleys.org.uk
> > https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> >
> 
> 
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss at lists.thekelleys.org.uk
> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
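The build problem discussed in this thread comes down to one pattern: gating a signature algorithm on the nettle version when older nettle headers carry no version macros at all. The following is an added illustration, not dnsmasq's or nettle's own code. It assumes what the thread states (no version.h in nettle 2.x/3.0, GOST R 34.10-2001 signatures only from nettle 3.6) and models the nettle headers with a constructed `SIMULATED_MODERN_NETTLE` switch so it compiles without nettle installed; the `NO_GOST` option is the one requested above and is hypothetical here. The point it shows is that a missing version should fail closed: an unknown nettle is treated as the oldest supported release, so a newer-only algorithm is simply left disabled instead of either breaking the build or being advertised as validated.

```c
/* Added example (not dnsmasq's or nettle's code): compile-time gating of a
 * DNSSEC signature algorithm on the nettle version, with a fail-closed
 * fallback for nettle releases that ship no version.h.
 *
 * Assumptions taken from the thread: nettle before 3.6 has no
 * GOST R 34.10-2001 signature support, and nettle 2.x/3.0 has no version.h,
 * so NETTLE_VERSION_MAJOR is undefined there. NO_GOST is the hypothetical
 * build option requested in the thread. */
#include <stdio.h>

/* Real code would `#include <nettle/bignum.h>` here, which on newer nettle
 * pulls in version.h and defines NETTLE_VERSION_MAJOR/MINOR. To stay
 * self-contained this example instead models a modern nettle when built
 * with -DSIMULATED_MODERN_NETTLE (constructed switch) and an old one
 * otherwise. */
#ifdef SIMULATED_MODERN_NETTLE
#  define NETTLE_VERSION_MAJOR 3
#  define NETTLE_VERSION_MINOR 6
#endif

/* Fallback: no version macros means an old nettle. Assume the oldest
 * release we would ever build against, so every MIN_VERSION() test for a
 * newer feature evaluates false instead of breaking the build. */
#ifndef NETTLE_VERSION_MAJOR
#  define NETTLE_VERSION_MAJOR 2
#  define NETTLE_VERSION_MINOR 0
#endif

#define MIN_VERSION(major, minor)                                   \
  ((NETTLE_VERSION_MAJOR > (major)) ||                              \
   (NETTLE_VERSION_MAJOR == (major) && NETTLE_VERSION_MINOR >= (minor)))

/* Same comparison at run time, so several versions can be checked in one
 * binary (the preprocessor form only sees the version it was built with). */
int nettle_at_least(int have_major, int have_minor,
                    int want_major, int want_minor)
{
  return have_major > want_major ||
         (have_major == want_major && have_minor >= want_minor);
}

/* Returns 1 if a resolver built against nettle (have_major, have_minor)
 * would validate ECC-GOST (GOST R 34.10-2001) signatures, 0 otherwise.
 * NO_GOST (no_gost != 0) wins even when nettle could do it. */
int gost_validation_enabled(int have_major, int have_minor, int no_gost)
{
  if (no_gost)
    return 0;
  return nettle_at_least(have_major, have_minor, 3, 6);
}

/* Compile-time view of the same decision for the nettle this binary saw. */
int gost_enabled_at_build(void)
{
#if defined(NO_GOST) || !MIN_VERSION(3, 6)
  return 0;
#else
  return 1;
#endif
}

int main(void)
{
  printf("nettle seen at build: %d.%d, GOST validation: %s\n",
         NETTLE_VERSION_MAJOR, NETTLE_VERSION_MINOR,
         gost_enabled_at_build() ? "on" : "off");
  return 0;
}
```

Built with no extra flags it reports nettle 2.0 and GOST off (the fallback path); with `-DSIMULATED_MODERN_NETTLE` it reports 3.6 and GOST on, and adding `-DNO_GOST` turns it off again regardless of version. The same shape applies to any other algorithm whose minimum nettle release is known.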
