What's up with our MAC support?
Hal Murray
hmurray at megapathdsl.net
Sat Feb 2 10:03:34 UTC 2019
Eric said:
> The docs still talk about MD5 and SHA-1, but the comments in ntpkeygen
> reference something called AES-128 which doesn't seem to be referenced at all
> in the docs or the NTP RFCs.
AES-128 is the replacement for SHA1. If there isn't an RFC, there is a
ready-to-publish draft. It's mentioned in NEWS for 1.1.2 which says:

  Support AES-128-CMAC for authentication
  https://datatracker.ietf.org/doc/draft-ietf-ntp-mac/

I "fixed" ntpkeygen to generate AES-128 keys rather than the mix of MD5 and
SHA1 it used to make. Apologies if I didn't fix the documentation.
> Have we broken compatibility with other NTPv4 implementations using MD5 and
> SHA-1 MACs?
No.
The actual code will use any algorithm your libcrypto supports.
Your distro may drop support for old crufty algorithms, but MD5 and SHA1 are
so widely used that I'd be surprised if anybody drops them.
--
These are my opinions. I hate spam.