Hi!
I was testing my builds with the rootcanary.org test, where dnsmasq is the
only one failing with DNSSEC validation enabled. I am not sure why; I
think the GOST crypto algorithm might be broken intentionally on Fedora or
RHEL for legal reasons, but I have tested it on Debian unstable and the
result was the same. It passes the other algorithms, but fails on this one.
I have therefore made it possible to skip GOST support, and made that
the default as well. Is there any distribution which has GOST
support working? Is it possible that rootcanary.org has wrong signatures?
All other implementations already return an insecure status (algorithm
not implemented). This change makes dnsmasq do the same.
Opinions on that?
Cheers,
Petr
--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
From 4709f4f07129ac61f52eda4ee186aadbf20f3d74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20Men=C5=A1=C3=ADk?= <pemen...@redhat.com>
Date: Thu, 10 Nov 2022 17:50:11 +0100
Subject: [PATCH] Make ECC-GOST algorithm 12 optional only
According to my testing on rootcanary.org, dnsmasq always fails to
validate the record with algorithm 12. Make it disabled by default,
because it fails on both Debian and Fedora. Enable it with the
-DCOPTS=HAVE_GOST define.
---
src/config.h | 9 +++++++++
src/crypto.c | 8 +++++---
2 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/src/config.h b/src/config.h
index df1d985..130ae0f 100644
--- a/src/config.h
+++ b/src/config.h
@@ -131,6 +131,9 @@ HAVE_CRYPTOHASH
HAVE_DNSSEC
include DNSSEC validator.
+HAVE_GOST
+ include DNSSEC algorithm 12 (ECCGOST) support
+
HAVE_DUMPFILE
include code to dump packets to a libpcap-format file for debugging.
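Review bot: The new HAVE_GOST entry documents only that it includes algorithm 12, not what happens to data signed with that algorithm when the option is left out, which is the operational consequence an administrator accepting the new default needs to know. Per the cover letter the intent is that an unimplemented algorithm yields an insecure result, as other validators do, so the description line could read ` include DNSSEC algorithm 12 (ECCGOST) support; without it, data signed only with algorithm 12 is treated as insecure rather than validated`. Stating that the option only has effect together with HAVE_DNSSEC and, judging by the crypto.c hunks, nettle 3.6 or later would also help, assuming that is how the define is consumed.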
@@ -198,6 +201,8 @@ RESOLVFILE
/* #define HAVE_CONNTRACK */
/* #define HAVE_CRYPTOHASH */
/* #define HAVE_DNSSEC */
+/* #define HAVE_GOST */
+/* #define HAVE_GOST */
/* #define HAVE_NFTSET */
/* Default locations for important system files. */
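Review bot: `/* #define HAVE_GOST */` is inserted twice, on two consecutive added lines of the commented-out defaults list, which looks like a copy-paste slip; one line is enough. Keep a single `/* #define HAVE_GOST */` between the HAVE_DNSSEC and HAVE_NFTSET entries so the list stays one line per option.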
@@ -442,6 +447,10 @@ static char *compile_opts =
"no-"
#endif
"DNSSEC "
+#ifndef HAVE_GOST
+"no-"
+#endif
+"gost "
#ifdef NO_ID
"no-ID "
#endif
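Review bot: The new compile-option token is spelled `"gost "` while the neighbouring tokens in compile_opts visible here are upper-case (`"DNSSEC "`, `"no-ID "`), so wherever this string is shown (presumably the version banner) it would read `no-gost` next to `DNSSEC`; `"GOST "` would match the visible convention. The token is also emitted in builds without DNSSEC, in the same way the DNSSEC token is, which is harmless but means `no-gost` then appears where it carries no information. The enclosing compile_opts initializer starts and ends outside the hunk.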
diff --git a/src/crypto.c b/src/crypto.c
index 060e27f..8f36839 100644
--- a/src/crypto.c
+++ b/src/crypto.c
@@ -39,7 +39,7 @@
#if MIN_VERSION(3, 1)
#include <nettle/eddsa.h>
#endif
-#if MIN_VERSION(3, 6)
+#if defined(HAVE_GOST) && MIN_VERSION(3, 6)
# include <nettle/gostdsa.h>
#endif
@@ -281,7 +281,7 @@ static int dnsmasq_ecdsa_verify(struct blockdata *key_data, unsigned int key_len
return nettle_ecdsa_verify(key, digest_len, digest, sig_struct);
}
-#if MIN_VERSION(3, 6)
+#if defined(HAVE_GOST) && MIN_VERSION(3, 6)
static int dnsmasq_gostdsa_verify(struct blockdata *key_data, unsigned int key_len,
unsigned char *sig, size_t sig_len,
unsigned char *digest, size_t digest_len, int algo)
@@ -381,7 +381,7 @@ static int (*verify_func(int algo))(struct blockdata *key_data, unsigned int key
case 5: case 7: case 8: case 10:
return dnsmasq_rsa_verify;
-#if MIN_VERSION(3, 6)
+#if defined(HAVE_GOST) && MIN_VERSION(3, 6)
case 12:
return dnsmasq_gostdsa_verify;
#endif
@@ -444,7 +444,9 @@ char *algo_digest_name(int algo)
case 7: return "sha1"; /* RSASHA1-NSEC3-SHA1 */
case 8: return "sha256"; /* RSA/SHA-256 */
case 10: return "sha512"; /* RSA/SHA-512 */
+#ifdef HAVE_GOST
case 12: return "gosthash94"; /* ECC-GOST */
+#endif
case 13: return "sha256"; /* ECDSAP256SHA256 */
case 14: return "sha384"; /* ECDSAP384SHA384 */
case 15: return "null_hash"; /* ED25519 */
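Review bot: The guard around `case 12` in algo_digest_name is `#ifdef HAVE_GOST`, whereas the three other sites this patch touches (the gostdsa.h include, the dnsmasq_gostdsa_verify definition and the verify_func case) use `#if defined(HAVE_GOST) && MIN_VERSION(3, 6)`. With HAVE_GOST set and an older nettle, algo_digest_name would still report `gosthash94` for algorithm 12 while verify_func has no entry for it; that was already the situation before the patch, and whether it matters depends on how the validator consults the two functions, which is not visible here, but using the same condition, `#if defined(HAVE_GOST) && MIN_VERSION(3, 6)`, keeps all four sites in step. algo_digest_name continues outside the hunk.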
--
2.38.1