[Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune GOST/ECDSA usage

Simon Kelley simon at thekelleys.org.uk
Wed Apr 14 18:19:35 UTC 2021



On 14/04/2021 07:49, Vladislav Grishenko wrote:
> Hi Simon,
> 
>> I committed a slightly more comprehensive clean up that fixes
>> this.
> 
> Thank you, unfortunately it will not compile with 2.x and 3.0 nettle due no
> version.h.
> It was fixed in my original patch with bignum.h include at first place - for
> indirect version, if available.

Ah, that explains it. It seemed strange to use include bignum.h, but now
I understand the reasoning.

> 
>> This shouldn't be a problem, is both are not available, then the
> signatures cannot
>> be used.
> 
> No problem, may then NO_GOST compile time option please be available to turn
> insecure GOST validation off when it's available in nettle?

And increase the number of test compiles from 1 million to 2 million :)


> Before nettle 3.6 there was no such support, so GOST validation was actually
> not working.
> I'm ok to specially disable it to keep original behavior.

Is there a particular need to do that?
> 
>> RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.
> 
> Russian authority has draft since 2020 year for GOST R 34.11-2012 which will
> (although de facto already is) officially deprecate GOST R 34.10-2001, not
> standardized yet by IETF.
> https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-rfc5933-bis-03
> Maybe it makes sense for the decision, and nettle has no GOST R 34.11-2012
> support at the moment.

That draft doesn't seem to propose an update of RFC8624 to make
34.10-2001 MUST NOT and it suggests that 34.11-2012 will be MAY, so I
think we're fine to leave the 2001 code for now, and implement 2012 when
Nettle provides it.

Cheers,

Simon.

> 
> Thank you
> --
> Best Regards, Vladislav Grishenko
> 
>> -----Original Message-----
>> From: Dnsmasq-discuss <dnsmasq-discuss-bounces at lists.thekelleys.org.uk> On
>> Behalf Of Simon Kelley
>> Sent: Wednesday, April 14, 2021 3:44 AM
>> To: dnsmasq-discuss at lists.thekelleys.org.uk
>> Subject: Re: [Dnsmasq-discuss] [PATCH] Fix HAVE_CRYPOHASH build and tune
>> GOST/ECDSA usage
>>
>> On 10/04/2021 15:57, Vladislav Grishenko wrote:
>>> Hello,
>>>
>>>
>>>
>>> Recent nettle version detection changes in dnsmasq 2.85 have brought
>>> build regression with HAVE_CRYPTOHASH defined due no MIN_VERSION
>> macro
>>> is defined.
>>
>> That's not good. I committed a slightly more comprehensive clean up that
> fixes
>> this.
>>
>> I also built myself a script which test compiles with lots of different
> compile-time
>> options, to try and avoid this in the future. I counted 20 different
> options, so all
>> combinations at a million test combinations, and not practical. I do at
> least
>> check each one by itself, and interacting combinations.
>>>
>>> Also, DNSSEC GOST validation is not consistent in case only hash but
>>> not signature functions are available.
>>>
>>
>> This shouldn't be a problem, is both are not available, then the
> signatures cannot
>> be used.
>>
>>> Please refer patch set attached.
>>>
>>>
>>>
>>> As for disabling GOST, what if disable it by default?
>>>
>>> Current implemented GOST algos are obsolete, newer ones didn't pass
>>> certification as DNSSEC algo, so.
>>>
>>>
>>
>>
>> RFC8624 says it's a MAY. When that changes to MUST NOT, then we'll delete.
>>
>>
>> Simon.
>>
>>
>>>
>>> --
>>>
>>> Best Regards, Vladislav Grishenko
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Dnsmasq-discuss mailing list
>>> Dnsmasq-discuss at lists.thekelleys.org.uk
>>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discu
>>> ss
>>>
>>
>>
>> _______________________________________________
>> Dnsmasq-discuss mailing list
>> Dnsmasq-discuss at lists.thekelleys.org.uk
>> https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
> 
> 



More information about the Dnsmasq-discuss mailing list