Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH
Hi,

> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> because, why not? and applied. Looks like a sensible idea.

Indeed, much better. Thank you

--
Best Regards, Vladislav Grishenko

> -----Original Message-----
> From: Dnsmasq-discuss On Behalf Of Simon Kelley
> Sent: Monday, January 25, 2021 3:15 AM
> To: dnsmasq-discuss@lists.thekelleys.org.uk
> Subject: Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to
> HAVE_CRYPTOHASH
>
> On 24/01/2021 14:30, Vladislav Grishenko wrote:
> > Hi,
> >
> > Commit 2024f9729713fd657d65e64c2e4e471baa0a3e5b "Support hash function
> > from nettle (only)" has introduced HAVE_NETTLEHASH option (thanks, Petr!).
> > But, I think, there's no much sense to bind feature name to specific
> > cryptolib because this will require rename or introduce more similar
> > opts for some other cryptolib backend if/when it'll be available (for
> > example in my dnsmasq-openssl fork).
> >
> > If no objections, let's name it "cryptohash" early before 2.84 is out?
> > Sorry, have missed pre-2.83, but it has dns issues so unlikely be
> > widely deployed.
> >
> > Please refer patch attached.
>
> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
> because, why not? and applied. Looks like a sensible idea.
>
> Cheers,
>
> Simon.
>
> > --
> > Best Regards, Vladislav Grishenko

___
Dnsmasq-discuss mailing list
Dnsmasq-discuss@lists.thekelleys.org.uk
http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss

Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH
Hi Vladislav,

Where is openssl version used anyway? Would it make sense to support multiple crypto libraries? Why is just nettle support inadequate?

Our crypto team asked me, why is nettle used. It has no independent FIPS certification, so they would like to use different library, like gnutls or openssl. Is that similar reason to yours?

I would like to remove dependency on hashing function altogether. It is not required and slows down the requests handling process IMO. It should be required only when actual cryptography operations are needed. But let's postpone it after the security updates are solved and without regressions.

I just did not think long about the name, CRYPTOHASH sounds much better. Thanks!

On 1/25/21 10:53 AM, Vladislav Grishenko wrote:
> Hi,
>
>> Patch modified to keep backwards compatibility with HAVE_NETTLEHASH
>> because, why not? and applied. Looks like a sensible idea.
>
> Indeed, much better. Thank you
>
> --
> Best Regards, Vladislav Grishenko

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

Re: [Dnsmasq-discuss] RA-acquired address not marked as 'dynamic' with 2.82
On Thu, Sep 17, 2020 at 8:57 AM Christian Ehrhardt wrote:
>
> Hi,
> since nothing happened on this topic (e.g. committed to git / further
> discussion) I wondered if you waited for a confirmation.
>
> The first patch by Iain was ignored or not seen, I'd expect both might work.
> Nevertheless in case there was any (hidden) reason I picked the second
> patch suggested at:
> http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/2020q3/014346.html
>
> I built dnsmasq 2.82 with it and ran the various Ubuntu tests against it.
> I wanted to state that this made it fully work again from my POV and
> hope that it can be considered to be applied.
>

@Simon - Re-ping
We now have had 2.83 (released for CVEs) so some activity is happening again I guess.
So I thought it might be worth to ping on this "old issue with known fix" once more.

> P.S. I wasn't subscribed before so I can't reply directly, due to that
> it might be broken up in the tree view of the ML archive, sorry for
> that
>
> --
> Christian Ehrhardt
> Staff Engineer, Ubuntu Server
> Canonical Ltd

--
Christian Ehrhardt
Staff Engineer, Ubuntu Server
Canonical Ltd

[Dnsmasq-discuss] Announce: dnsmasq-2.84
Last week's 2.83 release has proved to have a regression. The symptoms are random log messages reporting "failure to send packet" and the DNS query associated with this is lost. Retries of the query do not fail, so the operational effect of this is minimal. To trigger the bug, dnsmasq has to be under fairly heavy load, and be configured for a mixture of IPv4 and IPv6 upstream DNS servers or, possibly, be using --bind-interfaces.

To fix this, I've released 2.84, which has the fix for the regression, and a couple of housekeeping changes. Get it here:

http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.84.tar.gz

The released security backport to version 2.80 has also been updated to fix the regression.

http://www.thekelleys.org.uk/dnsmasq/dnspooq-patches/2.80-dnspooq.patch.v2

Cheers,

Simon.

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.84
> Get it here:
>
> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.84.tar.gz

The version string generated is "2.84rc2"

$ cat dnsmasq-2.84/VERSION
 (HEAD -> master, tag: v2.84rc2, tag: v2.84, origin/master, origin/HEAD)

Lonnie

Re: [Dnsmasq-discuss] Announce: dnsmasq-2.84
> On Jan 25, 2021, at 5:21 PM, Lonnie Abelbeck > wrote: > > >> Get it here: >> >> http://www.thekelleys.org.uk/dnsmasq/dnsmasq-2.84.tar.gz > > The version string generated is "2.84rc2" > > $ cat dnsmasq-2.84/VERSION > (HEAD -> master, tag: v2.84rc2, tag: v2.84, origin/master, origin/HEAD) This patch solves the problem: --- dnsmasq-2.84/bld/get-version.orig 2021-01-25 17:35:04.882908877 -0600 +++ dnsmasq-2.84/bld/get-version2021-01-25 17:35:58.658467974 -0600 @@ -28,7 +28,7 @@ vers=`cat $1/VERSION | sed 's/[(), ]/,/ g' | tr ',' '\n' | grep ^v[0-9]` if [ $? -eq 0 ]; then - echo "${vers}" | sort -r | head -n 1 | sed 's/^v//' + echo "${vers}" | sort | head -n 1 | sed 's/^v//' else cat $1/VERSION fi Lonnie ___ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
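Review bot: the changed line `echo "${vers}" | sort | head -n 1 | sed 's/^v//'` now takes the lexically smallest matching tag, which yields 2.84 here only because v2.84 is a prefix of v2.84rc2; a commit that carries both v2.84rc1 and v2.84rc2 would now report 2.84rc1, where the old `sort -r` reported 2.84rc2. Consider picking a tag with no suffix after the version number first and keeping `sort -r` as the fallback when none exists, so both the release case and the multiple-rc case resolve to the newest tag.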
Re: [Dnsmasq-discuss] [PATCH] Rename HAVE_NETTLEHASH to HAVE_CRYPTOHASH
Hi Petr,

> Where is openssl version used anyway?

In https://asuswrt-merlin.net, embedded software for wireless routers

> Would it make sense to support multiple crypto libraries?

Taking into account existing official support of nettle and required support of system openssl (in asuswrt-merlin) - multilib support looks useful. Current dnsmasq-openssl work is here https://github.com/themiron/dnsmasq

> Why is just nettle support inadequate?

Because of additional ram/flash footprint, libnettle is used only by dnsmasq among the rest of firmware packages.

> Our crypto team asked me, why is nettle used.

I believe nettle was picked due to openssl licensing incompatibility while initial dnssec approach was done with openssl. Another point is memory usage with openssl, allocations are dynamic so frequent allocations/frees are expected unlike mostly-static nettle. Simon may give more light on this.

> It has no independent FIPS certification, so they would like to use
> different library, like gnutls or openssl. Is that similar reason to yours?

My reasons are above, fortunately certification is not an issue for 3rd party project. As for openssl license, 3.x version is compatible, and 1.x has no license issue if used as system library (as we have). Gnutls support implementation seems possible for me, almost like openssl, tho till this moment I was not really interested (we have no gnutls used in our project).

> I just did not think long about the name, CRYPTOHASH sounds much better.
> Thanks!

Np