Bug 1956873

Summary: Stop using nettle directly, switch dnsmasq to openssl
Product: Red Hat Enterprise Linux 9 Reporter: Alexander Sosedkin <asosedki>
Component: dnsmasqAssignee: Petr Menšík <pemensik>
Status: CLOSED WONTFIX QA Contact: rhel-cs-infra-services-qe <rhel-cs-infra-services-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.1Keywords: FutureFeature, Reopened, Triaged
Target Milestone: beta   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-04 07:28:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2067273    

Comment 1 Petr Menšík 2021-06-28 12:14:12 UTC 
No existing code supports gnutls. But there is existing attempt to support OpenSSL [1] in dnsmasq code, which in my opinion would be more interesting for us. I think it is used on some embedded router devices.

1. https://github.com/themiron/dnsmasq/tree/openssl
Comment 2 Alexander Sosedkin 2021-06-28 12:28:54 UTC 
Switching over to openssl 3.0 sounds fine too.
Comment 3 Petr Menšík 2021-06-29 09:01:36 UTC 
Referenced branch builds under OpenSSL 3.0 successfully. Also unlike nettle support, it passes without errors all ciphers test (used bug #1934936 tool). It seems it works nice even for ghost deactivated in openssl.

I found ecdsa validation [1] uses couple of functions deprecated. Is it possible to EVP_PKEY_* variants instead of EC_KEY_new_by_curve_name, 
o2i_ECPublicKey, ECDSA_do_verify? How important is not using deprecated functions in OpenSSL 3? Is there any example of higher-level API for ECDSA validation?

1. https://github.com/themiron/dnsmasq/blob/989ee9815d795f215d1d12895fbe73d79ac47d41/src/crypto-openssl.c#L310
Comment 4 Petr Menšík 2021-06-29 10:02:44 UTC 
Found some example in man EVP_PKEY_fromdata. Problem with that is they are added only in OpenSSL3. Such concept is not yet present in OpenSSL 1.1. For backward compatibility I think current state would be sufficient.
Comment 5 Petr Menšík 2022-03-23 17:28:55 UTC 
It would solve also GOST algorithm failure. OpenSSL implementation can handle disabled GOST well and passes without a change.
Comment 6 Petr Menšík 2022-03-23 17:35:14 UTC 
It is too late now for inclusion from 9.0. OpenSSL support already exists, even not official. Should be used instead of creation yet another crypto support.
Comment 9 RHEL Program Management 2022-11-04 07:27:47 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 13 RHEL Program Management 2023-05-04 07:28:32 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.