Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
>> Daniel has code that does.
>> https://github.com/dfoxfranke/libaes_siv
>> It doesn't build on NetBSD and gets warnings on FreeBSD.
> It gets warnings on Linux as well.
What flavor of Linux? It's clean on Fedora 29.
I thought I saw warnings on FreeBSD, but I just tried again and it looks clean.
It gets WARNINGS on Debian, but those are from building the man pages.
a2x: WARNING: --destination-dir option is only applicable to HTML based outputs
Maybe my clean builds are because I don't have a2x installed on those systems.
---
Anybody recognize this? (from NetBSD)
In file included from /usr/include/stddef.h:37:0,
from /home/murray/ntpsec/libaes_siv/aes_siv.h:8,
from /home/murray/ntpsec/libaes_siv/aes_siv.c:5:
/home/murray/ntpsec/libaes_siv/aes_siv.c:114:24: error: expected declaration
specifiers or '...' before '__builtin_constant_p'
static inline uint64_t bswap64(uint64_t x) { return __builtin_bswap64(x); }
--
These are my opinions. I hate spam.
___
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
>> IANA maintains one. That's what we use on the wire. It's started in >> RFC 5116. RFC 5297 covers the case we want. The magic number is 15. > I don't want magic numbnbers in config files. Then please write some code that translates "AEAD_AES_SIV_CMAC_256" to 15. Since we don't have any implementations for alternatives, things like that are on the bottom of my list. > And more optins in the cipher and ciphersuite strings. Lot's more. The API for that is text. Simple for me. -- These are my opinions. I hate spam. ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
On 2/8/19, Hal Murray via devel wrote: > OpenSSL doesn't support what we need yet. > > Daniel has code that does. > https://github.com/dfoxfranke/libaes_siv > It doesn't build on NetBSD and gets warnings on FreeBSD. It gets warnings on Linux as well. But I'm guessing the variables 'block' of type 'block' don't quite rate as high as the issues on the BSDs ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
Yo Hal! On Fri, 08 Feb 2019 14:12:44 -0800 Hal Murray via devel wrote: > > Unfortunately, in this case, I'm not sure if OpenSSL implements > > cipher strings for AEAD selection. I don't think they do. So _if_ > > we implement more than AES_SIV_CMAC_256, we may have to roll our > > own. However, _if_ we have to roll our own, we should make it > > behave similarly to OpenSSL cipher strings. > > There are 2 string "registries" in this area. More. > IANA maintains one. That's what we use on the wire. It's started in > RFC 5116. RFC 5297 covers the case we want. The magic number is 15. I don't want magic numbnbers in config files. > The other one is in the crypto part of OpenSSL. They support strings > like "MD5" and "SHA1" for simple crypto algorithms. You can feed > those to the CMAC routines that we use for shared key authentication. And more optins in the cipher and ciphersuite strings. Lot's more. Avoid premature optimization. > OpenSSL doesn't support what we need yet. Yup. > Daniel has code that does. > https://github.com/dfoxfranke/libaes_siv > It doesn't build on NetBSD and gets warnings on FreeBSD. Yup. > My plan is to ignore the requested options, wire "15" in to the > protocol and call Daniel's code directly. We can clean things up > when we have a selection of algorithms to use. Fine for testing. Not fine for config files. I was, am, talking about the config file format. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can’t measure it, you can’t improve it." - Lord Kelvin pgpYpmy_4VwmK.pgp Description: OpenPGP digital signature ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
> Unfortunately, in this case, I'm not sure if OpenSSL implements cipher > strings for AEAD selection. I don't think they do. So _if_ we implement more > than AES_SIV_CMAC_256, we may have to roll our own. However, _if_ we have to > roll our own, we should make it behave similarly to OpenSSL cipher strings. There are 2 string "registries" in this area. IANA maintains one. That's what we use on the wire. It's started in RFC 5116. RFC 5297 covers the case we want. The magic number is 15. The other one is in the crypto part of OpenSSL. They support strings like "MD5" and "SHA1" for simple crypto algorithms. You can feed those to the CMAC routines that we use for shared key authentication. OpenSSL doesn't support what we need yet. Daniel has code that does. https://github.com/dfoxfranke/libaes_siv It doesn't build on NetBSD and gets warnings on FreeBSD. My plan is to ignore the requested options, wire "15" in to the protocol and call Daniel's code directly. We can clean things up when we have a selection of algorithms to use. -- These are my opinions. I hate spam. ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
On 2/8/19 3:14 PM, Gary E. Miller via devel wrote: > My point is that instead of coming up with somthing new,we should try > hard to stick to longstanding and well battle tested existing cipher > strings. Agreed! Unfortunately, in this case, I'm not sure if OpenSSL implements cipher strings for AEAD selection. I don't think they do. So _if_ we implement more than AES_SIV_CMAC_256, we may have to roll our own. However, _if_ we have to roll our own, we should make it behave similarly to OpenSSL cipher strings. -- Richard signature.asc Description: OpenPGP digital signature ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
Yo Richard! On Fri, 8 Feb 2019 15:01:37 -0600 Richard Laager via devel wrote: > >> dc2827a3 by Richard Laager at 2019-02-07T18:42:59Z > >> nts.adoc: Make AEAD_AES_SIV_CMAC_256 not implicit > >> > >> If the user specifies a NTPCipherSuite string, they need to include > >> AEAD_AES_SIV_CMAC_256 if they want it. Otherwise, if it is > >> implicit, as the document previous said, this would preclude the > >> user from disabling AEAD_AES_SIV_CMAC_256 in the future, should > >> that become necessary. > > > > The traditional way that OpenSSL, and its users (Apache, nginx, > > postfix, sendmail, etc.) hand this is with the "!" operator. > > I'm aware of the ! operator in OpenSSL cipher strings. I assumed you did. > The point of my edit was to replace text which violated the usual > conventions. The previous text was saying that whatever you specified > would have AEAD_AES_SIV_CMAC_256 added onto it. Yup, I 100% agree. > For example, > "AEAD_AES_GCM_256" would actually mean > "AEAD_AES_GCM_256:AEAD_AES_SIV_CMAC_256" (or > "AEAD_AES_SIV_CMAC_256:AEAD_AES_GCM_256", that part wasn't clear). > That is definitely not how cipher strings normally work, and is > undesirable. Yup, I 100% agree. > In fact, even with the ! operator, if the client is > going to add ciphers *after* processing the cipher string, that's not > going to work. Yup, I 100% agree. My point is that instead of coming up with somthing new,we should try hard to stick to longstanding and well battle tested existing cipher strings. RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can’t measure it, you can’t improve it." - Lord Kelvin pgpEi5ur4kYY_.pgp Description: OpenPGP digital signature ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
On 2/7/19 6:37 PM, Gary E. Miller via devel wrote: > Yo Richard! > > On Fri, 08 Feb 2019 00:26:27 + > Matt Selsky via vc wrote: > >> dc2827a3 by Richard Laager at 2019-02-07T18:42:59Z >> nts.adoc: Make AEAD_AES_SIV_CMAC_256 not implicit >> >> If the user specifies a NTPCipherSuite string, they need to include >> AEAD_AES_SIV_CMAC_256 if they want it. Otherwise, if it is implicit, >> as the document previous said, this would preclude the user from >> disabling AEAD_AES_SIV_CMAC_256 in the future, should that become >> necessary. > > The traditional way that OpenSSL, and its users (Apache, nginx, postfix, > sendmail, etc.) hand this is with the "!" operator. I'm aware of the ! operator in OpenSSL cipher strings. The point of my edit was to replace text which violated the usual conventions. The previous text was saying that whatever you specified would have AEAD_AES_SIV_CMAC_256 added onto it. For example, "AEAD_AES_GCM_256" would actually mean "AEAD_AES_GCM_256:AEAD_AES_SIV_CMAC_256" (or "AEAD_AES_SIV_CMAC_256:AEAD_AES_GCM_256", that part wasn't clear). That is definitely not how cipher strings normally work, and is undesirable. In fact, even with the ! operator, if the client is going to add ciphers *after* processing the cipher string, that's not going to work. -- Richard signature.asc Description: OpenPGP digital signature ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
Re: [Git][NTPsec/ntpsec][master] 6 commits: nts.adoc: Capitalize a MUST
Yo Richard! On Fri, 08 Feb 2019 00:26:27 + Matt Selsky via vc wrote: > dc2827a3 by Richard Laager at 2019-02-07T18:42:59Z > nts.adoc: Make AEAD_AES_SIV_CMAC_256 not implicit > > If the user specifies a NTPCipherSuite string, they need to include > AEAD_AES_SIV_CMAC_256 if they want it. Otherwise, if it is implicit, > as the document previous said, this would preclude the user from > disabling AEAD_AES_SIV_CMAC_256 in the future, should that become > necessary. The traditional way that OpenSSL, and its users (Apache, nginx, postfix, sendmail, etc.) hand this is with the "!" operator. Then you can do things, like: NTPCipherSuite "HIGH:!AEAD_AES_SIV_CMAC_256" RGDS GARY --- Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703 g...@rellim.com Tel:+1 541 382 8588 Veritas liberabit vos. -- Quid est veritas? "If you can’t measure it, you can’t improve it." - Lord Kelvin pgpYp5Y2WbuGZ.pgp Description: OpenPGP digital signature ___ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
