Oh, I think that was just a typo when editing that file. Of course it shouldn't be there.

Attached fixed patch.

On 11/13/22 14:44, Geert Stappers via Dnsmasq-discuss wrote:
On Thu, Nov 10, 2022 at 06:02:44PM +0100, Petr Menšík wrote:
Hi!

I was testing my builds on the rootcanary.org test, where dnsmasq is the only
one failing with DNSSEC validation enabled. I am not sure why; I think the GOST
crypto algorithm might be broken intentionally on Fedora or RHEL for legal
reasons. But I have tested it on Debian unstable and the result was the same. It
passes other algorithms, but fails on this one.

I have therefore made it possible to skip GOST support. In addition, it makes
that the default as well. Is there any distribution which has GOST support
working? Is it possible that rootcanary.org has wrong signatures?

All other implementations already return insecure status (algorithm not
implemented). This change makes dnsmasq do the same.

         ....
--- a/src/config.h
+++ b/src/config.h
@@ -198,6 +201,8 @@ RESOLVFILE
  /* #define HAVE_CONNTRACK */
  /* #define HAVE_CRYPTOHASH */
  /* #define HAVE_DNSSEC */
+/* #define HAVE_GOST */
+/* #define HAVE_GOST */
  /* #define HAVE_NFTSET */
/* Default locations for important system files. */

Why twice the '/* #define HAVE_GOST */' line?



Groeten
Geert Stappers

--
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
From 45c68f29f0fa3d202072cc51c7d7d2cf38b95e42 Mon Sep 17 00:00:00 2001
From: Petr Menšík <pemen...@redhat.com>
Date: Thu, 10 Nov 2022 17:50:11 +0100
Subject: [PATCH] Make ECC-GOST algorithm 12 optional only

According to my testing on rootcanary.org, dnsmasq always fails to
validate the record with algorithm 12. Make it disabled by default,
because it fails both on Debian and Fedora. Enable it by
-DCOPTS=HAVE_GOST define.
---
 src/config.h | 8 ++++++++
 src/crypto.c | 8 +++++---
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/config.h b/src/config.h
index df1d985..a9df5ee 100644
--- a/src/config.h
+++ b/src/config.h
@@ -131,6 +131,9 @@ HAVE_CRYPTOHASH
 HAVE_DNSSEC
    include DNSSEC validator.
 
+HAVE_GOST
+   include DNSSEC algorithm 12 (ECCGOST) support
+
 HAVE_DUMPFILE
    include code to dump packets to a libpcap-format file for debugging.
 
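Review bot: the new HAVE_GOST entry leaves out the two preconditions that the crypto.c hunks encode: the option is only meaningful together with HAVE_DNSSEC, since everything it enables lives in the DNSSEC verifier, and it needs nettle 3.6 or later, because every site in crypto.c is guarded by `defined(HAVE_GOST) && MIN_VERSION(3, 6)`. Suggest `include DNSSEC algorithm 12 (ECC-GOST) support; needs HAVE_DNSSEC and nettle >= 3.6`, which also matches the `ECC-GOST` spelling used in the crypto.c comment instead of `ECCGOST`.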
@@ -198,6 +201,7 @@ RESOLVFILE
 /* #define HAVE_CONNTRACK */
 /* #define HAVE_CRYPTOHASH */
 /* #define HAVE_DNSSEC */
+/* #define HAVE_GOST */
 /* #define HAVE_NFTSET */
 
 /* Default locations for important system files. */
@@ -442,6 +446,10 @@ static char *compile_opts =
 "no-"
 #endif
 "DNSSEC "
+#ifndef HAVE_GOST
+"no-"
+#endif
+"gost "
 #ifdef NO_ID
 "no-ID "
 #endif
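Review bot: `compile_opts` reports `gost ` whenever HAVE_GOST is defined, but crypto.c only dispatches algorithm 12 when `defined(HAVE_GOST) && MIN_VERSION(3, 6)` holds, so a HAVE_GOST build against an older nettle will advertise GOST support in the compile-time options line of `dnsmasq --version` that the verifier does not actually have. Either make this string depend on the same nettle condition (if the version macros are visible here) or derive one macro from that condition in crypto.c and test it everywhere. Separately, every other option in this string is upper case (`DNSSEC `, `no-ID `); `gost ` should be `GOST ` so that scripts grepping the version output see a consistent style.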
diff --git a/src/crypto.c b/src/crypto.c
index 060e27f..8f36839 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -39,7 +39,7 @@
 #if MIN_VERSION(3, 1)
 #include <nettle/eddsa.h>
 #endif
-#if MIN_VERSION(3, 6)
+#if defined(HAVE_GOST) && MIN_VERSION(3, 6)
 #  include <nettle/gostdsa.h>
 #endif
 
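Review bot: this `defined(HAVE_GOST) && MIN_VERSION(3, 6)` condition is now repeated verbatim at three sites in this file, and the fourth algorithm-12 site (algo_digest_name) uses a different one. Defining a single macro right here next to the include, e.g. `#define HAVE_GOSTDSA` inside this `#if` block, and testing that macro at the other sites would keep the four places from drifting apart.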
@@ -281,7 +281,7 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
   return nettle_ecdsa_verify(key, digest_len, digest, sig_struct);
 }
 
-#if MIN_VERSION(3, 6)
+#if defined(HAVE_GOST) && MIN_VERSION(3, 6)
 static int dnsmasq_gostdsa_verify(struct blockdata *key_data, unsigned int key_len, 
 				  unsigned char *sig, size_t sig_len,
 				  unsigned char *digest, size_t digest_len, int algo)
@@ -381,7 +381,7 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
     case 5: case 7: case 8: case 10:
       return dnsmasq_rsa_verify;
 
-#if MIN_VERSION(3, 6)
+#if defined(HAVE_GOST) && MIN_VERSION(3, 6)
     case 12:
       return dnsmasq_gostdsa_verify;
 #endif
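Review bot: removing `case 12` sends algorithm 12 down verify_func()'s default path for unknown algorithms, and that is exactly what turns the rootcanary result from a validation failure into "insecure" (an unsupported algorithm is treated as unsigned, not bogus). Since this is a user-visible change in the security status reported for zones signed only with algorithm 12, the commit message should say so explicitly rather than only "fails to validate", and a short comment above this `#if` explaining that omitting the case is intentional would help the next reader.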
@@ -444,7 +444,9 @@ char *algo_digest_name(int algo)
     case 7: return "sha1";        /* RSASHA1-NSEC3-SHA1 */
     case 8: return "sha256";      /* RSA/SHA-256 */
     case 10: return "sha512";     /* RSA/SHA-512 */
+#ifdef HAVE_GOST
     case 12: return "gosthash94"; /* ECC-GOST */
+#endif
     case 13: return "sha256";     /* ECDSAP256SHA256 */
     case 14: return "sha384";     /* ECDSAP384SHA384 */ 	
     case 15: return "null_hash";  /* ED25519 */
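Review bot: the guard here is a bare `#ifdef HAVE_GOST`, while every other algorithm-12 site in this file uses `defined(HAVE_GOST) && MIN_VERSION(3, 6)`; with HAVE_GOST set and nettle older than 3.6, algo_digest_name() will still return "gosthash94" for an algorithm that verify_func() no longer dispatches. Use the same condition in both places.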
-- 
2.38.1
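The status change the quoted message describes (an algorithm the validator does not implement makes the zone insecure rather than failing validation) is the rule from RFC 4035 section 5.2, restated in RFC 6840 section 5.2. As an added illustration that is not part of the thread or of dnsmasq, this Python sketch models that decision for one delegation; the DS RRsets are constructed, and the "supported algorithm" sets are assumed to match the verify_func() switch in the patch with and without HAVE_GOST:

```python
"""How a DNSSEC validator treats a delegation whose DS/DNSKEY algorithm it
does not implement (RFC 4035 section 5.2, RFC 6840 section 5.2): no usable DS
means "treat as unsigned", i.e. insecure, never bogus.

Added example, not dnsmasq code.  The DS RRsets and the supported-algorithm
sets below are constructed to mirror the thread: algorithm 12 (ECC-GOST) in
the chain, validator built with or without it.
"""

# IANA DNSSEC algorithm numbers, as listed in the verify_func() switch.
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, RSASHA512 = 5, 7, 8, 10
ECC_GOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 = 12, 13, 14, 15

# DS digest type numbers (IANA): SHA-1, SHA-256, GOST R 34.11-94, SHA-384.
DIGEST_SHA1, DIGEST_SHA256, DIGEST_GOST94, DIGEST_SHA384 = 1, 2, 3, 4

# Assumption: a build showing "no-gost" supports exactly the non-GOST cases
# of verify_func(); a HAVE_GOST build adds algorithm 12 and digest type 3.
ALGOS_NO_GOST = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256, RSASHA512,
                 ECDSAP256SHA256, ECDSAP384SHA384, ED25519}
ALGOS_WITH_GOST = ALGOS_NO_GOST | {ECC_GOST}
DIGESTS_NO_GOST = {DIGEST_SHA1, DIGEST_SHA256, DIGEST_SHA384}
DIGESTS_WITH_GOST = DIGESTS_NO_GOST | {DIGEST_GOST94}


def usable_ds(ds_rrset, algos, digests):
    """DS records whose key algorithm *and* digest type this validator implements."""
    return [ds for ds in ds_rrset
            if ds["algorithm"] in algos and ds["digest_type"] in digests]


def classify_delegation(ds_rrset, verified, algos, digests):
    """Return "insecure", "secure" or "bogus" for one delegation.

    ds_rrset: list of {"algorithm": int, "digest_type": int} DS records
              from the parent (already authenticated).
    verified: dict algorithm -> bool, the result of verifying the child's
              DNSKEY RRSIG made with that algorithm (absent = not attempted).
    """
    if not ds_rrset:
        return "insecure"                      # proven unsigned delegation
    usable = usable_ds(ds_rrset, algos, digests)
    if not usable:
        # RFC 4035 5.2: no supported algorithm/digest in the DS set is
        # handled exactly like an authenticated proof that no DS exists.
        return "insecure"
    # RFC 6840 5.11: a single valid chain via any supported algorithm is enough.
    if any(verified.get(ds["algorithm"], False) for ds in usable):
        return "secure"
    return "bogus"      # a supported DS exists, but no signature checked out


# Constructed delegations: a zone signed only with ECC-GOST, and one signed
# with both ECDSA P-256 and ECC-GOST.
GOST_ONLY_DS = [{"algorithm": ECC_GOST, "digest_type": DIGEST_GOST94}]
DUAL_DS = [{"algorithm": ECDSAP256SHA256, "digest_type": DIGEST_SHA256},
           {"algorithm": ECC_GOST, "digest_type": DIGEST_GOST94}]


def outcomes_without_gost():
    """What a "no-gost" build (the patch's new default) reports."""
    return {
        "gost_only": classify_delegation(GOST_ONLY_DS, {},
                                         ALGOS_NO_GOST, DIGESTS_NO_GOST),
        "dual_ecdsa_valid": classify_delegation(DUAL_DS, {ECDSAP256SHA256: True},
                                                ALGOS_NO_GOST, DIGESTS_NO_GOST),
        "dual_ecdsa_broken": classify_delegation(DUAL_DS, {ECDSAP256SHA256: False},
                                                 ALGOS_NO_GOST, DIGESTS_NO_GOST),
    }


def outcome_with_gost(gost_verify_succeeds):
    """What a HAVE_GOST build reports for the GOST-only zone; the flag models
    whether the GOST signature check passes (the thread says it does not)."""
    return classify_delegation(GOST_ONLY_DS, {ECC_GOST: gost_verify_succeeds},
                               ALGOS_WITH_GOST, DIGESTS_WITH_GOST)


if __name__ == "__main__":
    print(outcomes_without_gost())
    print("HAVE_GOST, verification failing:", outcome_with_gost(False))
    print("HAVE_GOST, verification passing:", outcome_with_gost(True))
```

Run directly, it shows the same GOST-only zone coming out "bogus" on a HAVE_GOST build whose GOST verification fails (the rootcanary outcome) and "insecure" once algorithm 12 is simply not dispatched, while a zone that also carries a supported ECDSA DS is unaffected either way. A real validator additionally matches each DS digest against the child's DNSKEY and walks the whole chain, which this sketch leaves out.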

_______________________________________________
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
https://lists.thekelleys.org.uk/cgi-bin/mailman/listinfo/dnsmasq-discuss
