[Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST

Gary E. Miller gem at rellim.com
Fri Feb 8 23:38:49 UTC 2019


Yo Hal!

On Fri, 08 Feb 2019 14:12:44 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:

> > Unfortunately, in this case, I'm not sure if OpenSSL implements
> > cipher strings for AEAD selection. I don't think they do. So _if_
> > we implement more than AES_SIV_CMAC_256, we may have to roll our
> > own. However, _if_ we have to roll our own, we should make it
> > behave similarly to OpenSSL cipher strings.   
> 
> There are 2 string "registries" in this area.

More.

> IANA maintains one.  That's what we use on the wire.  It's started in
> RFC 5116.  RFC 5297 covers the case we want.  The magic number is 15.

I don't want magic numbers in config files.

> The other one is in the crypto part of OpenSSL.  They support strings
> like "MD5" and "SHA1" for simple crypto algorithms.  You can feed
> those to the CMAC routines that we use for shared key authentication.

And more options in the cipher and ciphersuite strings.  Lots more.

Avoid premature optimization.

> OpenSSL doesn't support what we need yet.

Yup.

> Daniel has code that does.
>   https://github.com/dfoxfranke/libaes_siv
> It doesn't build on NetBSD and gets warnings on FreeBSD.

Yup.

> My plan is to ignore the requested options, wire "15" in to the
> protocol and call Daniel's code directly.  We can clean things up
> when we have a selection of algorithms to use.

Fine for testing.  Not fine for config files.  I was, am, talking
about the config file format.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
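
Added example (not part of the original message and not NTPsec code): one way a config file could take AEAD algorithm names in an OpenSSL-cipher-string-like, colon-separated preference list and translate them to the IANA numbers used on the wire, so that "15" never appears in a config file. The function names and the list syntax are assumptions; the names and numbers are the AES-SIV-CMAC entries that RFC 5297 registered with IANA.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IANA AEAD registry entries from RFC 5297 (name -> wire ID). */
struct aead_name { const char *name; uint16_t iana_id; };
static const struct aead_name aead_table[] = {
    { "AEAD_AES_SIV_CMAC_256", 15 },
    { "AEAD_AES_SIV_CMAC_384", 16 },
    { "AEAD_AES_SIV_CMAC_512", 17 },
};
#define AEAD_COUNT (sizeof(aead_table) / sizeof(aead_table[0]))

/* Hypothetical helper: exact-match one name of length len, -1 if unknown. */
static int aead_lookup(const char *s, size_t len)
{
    for (size_t i = 0; i < AEAD_COUNT; i++)
        if (strlen(aead_table[i].name) == len &&
            memcmp(aead_table[i].name, s, len) == 0)
            return aead_table[i].iana_id;
    return -1;
}

/* Hypothetical parser: "NAME:NAME:..." in preference order -> wire IDs.
 * Returns the count stored, or -1 on an unknown name (including a bare
 * number), an empty element, a duplicate, or too many entries. */
int aead_parse_list(const char *spec, uint16_t *out, size_t max_out)
{
    size_t n = 0;
    for (const char *p = spec;;) {
        size_t len = strcspn(p, ":");
        int id = aead_lookup(p, len);
        if (id < 0 || n >= max_out)
            return -1;
        for (size_t i = 0; i < n; i++)
            if (out[i] == (uint16_t)id)
                return -1;              /* duplicate entry */
        out[n++] = (uint16_t)id;
        if (p[len] == '\0')
            return (int)n;
        p += len + 1;                   /* skip the ':' separator */
    }
}

int main(void)
{
    uint16_t ids[4];
    int n = aead_parse_list("AEAD_AES_SIV_CMAC_512:AEAD_AES_SIV_CMAC_256", ids, 4);
    for (int i = 0; i < n; i++) printf("wire id %u\n", (unsigned)ids[i]);
    printf("bare \"15\" -> %d\n", aead_parse_list("15", ids, 4));
    return 0;
}
```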