[Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
Gary E. Miller
gem at rellim.com
Fri Feb 8 23:38:49 UTC 2019
Yo Hal!
On Fri, 08 Feb 2019 14:12:44 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> > Unfortunately, in this case, I'm not sure if OpenSSL implements
> > cipher strings for AEAD selection. I don't think they do. So _if_
> > we implement more than AES_SIV_CMAC_256, we may have to roll our
> > own. However, _if_ we have to roll our own, we should make it
> > behave similarly to OpenSSL cipher strings.
>
> There are 2 string "registries" in this area.
More.
> IANA maintains one. That's what we use on the wire. It's started in
> RFC 5116. RFC 5297 covers the case we want. The magic number is 15.
I don't want magic numbnbers in config files.
> The other one is in the crypto part of OpenSSL. They support strings
> like "MD5" and "SHA1" for simple crypto algorithms. You can feed
> those to the CMAC routines that we use for shared key authentication.
And more optins in the cipher and ciphersuite strings. Lot's more.
Avoid premature optimization.
> OpenSSL doesn't support what we need yet.
Yup.
> Daniel has code that does.
> https://github.com/dfoxfranke/libaes_siv
> It doesn't build on NetBSD and gets warnings on FreeBSD.
Yup.
> My plan is to ignore the requested options, wire "15" in to the
> protocol and call Daniel's code directly. We can clean things up
> when we have a selection of algorithms to use.
Fine for testing. Not fine for config files. I was, am, talking
about the config file format.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 851 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190208/8491ac81/attachment.bin>
More information about the devel
mailing list