[gnutls-devel] GnuTLS | Clarify plans for gost implementation (#942)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Thu Feb 20 11:45:19 CET 2020

Andrew Aladjev created an issue: https://gitlab.com/gnutls/gnutls/issues/942

Hello. I was passing by `gnutls`/`nettle` code and found that [recent `gnutls` master branch](https://gitlab.com/gnutls/gnutls/-/blob/master/configure.ac#L1168) received ["gost"](https://en.wikipedia.org/wiki/GOST_(block_cipher)) support.

I am living in post-USSR country and know what political question "gost" is a part of. "*Standards*" related to gost are weak and partially proprietary, you can find more information about [s-box genesis here](https://eprint.iacr.org/2016/071.pdf) for example. I won't provide more redundant information, but **protection against gost support** is a strong question for many people, not only for me.

Today `gnutls` has `ENABLE_GOST` option **disabled by default** and everything is fine. But recent commits into `nettle` [breaks everything](https://gitlab.com/gnutls/nettle/-/blob/master/hmac.h#L213). Today gost is **enabled by default** in `nettle`.

I am sure that russian goverenment will keep integration of gost in other software and regular users like me won't be able to fight with it tomorrow. So I want to add same `IF_GOST` flag for `nettle`. If some software won't build with `gnutls`/`nettle`/`openssl` (with gost disabled) - i won't use it before removing mandatory gost support.

I've provided patch to Niels Möller (nettle developer) and he asked to clarify plans about gost implementation in `gnutls`.

> I don't know what the gnutls team's plans are for this option. From my perspective, as long as the gost ecc code in gnutls accesses nettle's ecc internals, not supported by the nettle abi, it's essentlial that gnutls' gost code isn't enabled by default and doesn't get into binary distributions. But that's not reason to keep the option if/when all the gost curves are suppported in nettle.

Please clarify plans for gost implementation. Thank you.


Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/942
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200220/224c5089/attachment-0001.html>

More information about the Gnutls-devel mailing list