prep for 1.0.1

Hal Murray hmurray at megapathdsl.net
Thu Mar 1 03:10:00 UTC 2018


devel at ntpsec.org said:
> I see no real blockers.  We've got a bunch of little nits and documentation
> issues.  I might try to push a fix for #446. 

There is no problem unless you set up your keys file to use an algorithm with 
a big digest.

The short-term clean fix is to reject algorithms with too-big digests.  It's 
a few lines of code.  You can copy it from attic/digest-find.c.

The simpler fix, 2 lines in 2 places, is to truncate the length at the place where it is used.  That will make bigger/better digests "work", but not the way you might expect, and I don't want to document that tangle, and we probably don't want to have anything to do with not-as-secure-as-you-expect.

The right fix is to actually support longer digests.  I think that requires getting an extension code from IANA.  I'd be willing to delay a release if we want to do that.  I'd expect days or weeks rather than months, but it might get tangled up with IETF work.  (There is current discussion in this area.)


-- 
These are my opinions.  I hate spam.
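
The "reject algorithms with too-big digests" policy from the message above, sketched as a keys-file audit. This is an added example, not part of the original post and not NTPsec code. It assumes the legacy NTPv4 MAC layout of a 4-byte key ID plus a digest of at most 20 bytes; the function names and the sample keys are constructed for illustration.

```python
import hashlib

# Assumption: legacy NTPv4 MAC = 4-byte key ID + digest of at most 20 bytes.
MAX_DIGEST_LEN = 20

# Constructed sample in the "keyid algorithm secret" keys-file layout.
SAMPLE_KEYS = """\
# constructed example keys, not real secrets
1 SHA1   0123456789abcdef0123456789abcdef01234567
2 SHA256 00112233445566778899aabbccddeeff00112233
3 SHA224 00112233445566778899aabbccddeeff00112233
4 NOSUCH 00112233445566778899aabbccddeeff00112233
"""

def digest_len(name):
    """Return the digest size in bytes, or None if the algorithm is unknown."""
    try:
        return hashlib.new(name.lower()).digest_size
    except ValueError:
        return None

def audit_keys(text, max_len=MAX_DIGEST_LEN):
    """Map key ID -> (algorithm, digest size, accepted) for each key entry.

    A key is accepted only if its algorithm is known and the full digest
    fits in the MAC field. Oversized digests are rejected, not truncated.
    """
    verdicts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or not fields[0].isdigit():
            raise ValueError("malformed keys line: %r" % raw)
        keyid, alg = int(fields[0]), fields[1]
        size = digest_len(alg)
        accepted = size is not None and size <= max_len
        verdicts[keyid] = (alg, size, accepted)
    return verdicts

if __name__ == "__main__":
    for keyid, (alg, size, ok) in sorted(audit_keys(SAMPLE_KEYS).items()):
        print(keyid, alg, size, "accept" if ok else "REJECT")
```
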




