Re: [chrony-dev] Support for another crypto hash?



On Mon, Oct 17, 2011 at 01:25:45PM +0200, Miroslav Lichvar wrote:
> Another way would be to use a crypto library like nss (we can't use
> openssl as it's not compatible with GPL) and allow the user to select any
> hash supported by the library.

The latest code in git now supports both NSS and tomcrypt.

The cmdmon packet format was changed and you'll need to update both
chronyd and chronyc, even when MD5 is used. There is a hack that adds
empty auth data to at least allow reporting a protocol version mismatch
between the server and the client; otherwise the request or reply
would be dropped due to bad length and the client would time out.

You can use any of the supported hashes for the command key or the NTP
keys used between chronyd and chronyd. Ntpd currently seems to work only
with MD5 and SHA1; there is an open question about how longer hash
values should be stored, whether in an extension field or like the regular MAC.
Chrony currently doesn't use or try to parse extension fields and
won't be compatible with ntpd if the NTP folks decide to use the
extension field.

Also, there is a difference in the keyfile formats. Chrony limits the
length of the password to 2047 chars and always reads it as ASCII
chars; ntpd limits the length to 20 bytes and reads it as ASCII if
it's 20 chars or shorter, and as hex values otherwise.

Would support for reading hex passwords be useful? Any suggestions on
how to extend the format?

-- 
Miroslav Lichvar
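The two keyfile interpretations and the MAC-length question discussed in the message above, as an added example that is not part of this thread or of chrony's or ntpd's code. It implements the two secret-decoding rules exactly as the message states them (chrony: always ASCII, up to 2047 chars; ntpd: ASCII if 20 chars or shorter, hex otherwise), and builds the classic NTP MAC layout from RFC 5905 (32-bit key identifier followed by the digest of key || packet) to show why a digest longer than 160 bits does not fit that layout. The keyfile lines, key IDs and secrets are constructed for the example; the function names are the example's own.

```python
import hashlib
import struct

# Constructed keyfile in the "id hash secret" layout; the secrets are made up.
# Key 2 is 40 hex characters, key 3 is exactly 20 ASCII characters.
SAMPLE_KEYFILE = """\
# constructed example keys, not real credentials
1 MD5 asecret
2 SHA1 0123456789abcdef0123456789abcdef01234567
3 SHA1 exactlytwentychars!!
"""

# Digest size in bytes permitted by the classic MAC layout of RFC 5905
# (128- or 160-bit message digest, i.e. MD5 or SHA1).
CLASSIC_MAC_MAX_DIGEST = 20


def decode_secret_ntpd(secret: str) -> bytes:
    """ntpd rule as described in the message: <= 20 chars is ASCII, longer is hex."""
    if len(secret) <= 20:
        return secret.encode("ascii")
    return bytes.fromhex(secret)  # raises ValueError on non-hex input


def decode_secret_chrony(secret: str) -> bytes:
    """chrony rule as described in the message: always ASCII, at most 2047 chars."""
    if len(secret) > 2047:
        raise ValueError("password longer than 2047 chars")
    return secret.encode("ascii")


def parse_keyfile(text: str, decode) -> dict:
    """Return {key_id: (hash_name, key_bytes)} using the given secret-decoding rule."""
    keys = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 2)
        if len(fields) != 3:
            raise ValueError(f"malformed keyfile line: {line!r}")
        key_id, hash_name, secret = fields
        hash_name = hash_name.lower()
        hashlib.new(hash_name)  # fail early on a hash this build does not support
        keys[int(key_id)] = (hash_name, decode(secret))
    return keys


def ntp_mac(key_id: int, key: bytes, packet: bytes, hash_name: str) -> bytes:
    """Classic NTP MAC: 32-bit key ID followed by H(key || packet), per RFC 5905."""
    digest = hashlib.new(hash_name, key + packet).digest()
    return struct.pack("!I", key_id) + digest


def fits_classic_mac(hash_name: str) -> bool:
    """True if the hash's digest fits the 128/160-bit classic MAC field."""
    return hashlib.new(hash_name).digest_size <= CLASSIC_MAC_MAX_DIGEST


def demo():
    """Compare both decoding rules and MAC lengths; returns results for inspection."""
    ntpd_keys = parse_keyfile(SAMPLE_KEYFILE, decode_secret_ntpd)
    chrony_keys = parse_keyfile(SAMPLE_KEYFILE, decode_secret_chrony)
    packet = bytes(48)  # constructed 48-byte NTP header placeholder
    lengths = {h: len(ntp_mac(1, b"asecret", packet, h)) for h in ("md5", "sha1", "sha256")}
    return ntpd_keys, chrony_keys, lengths


if __name__ == "__main__":
    ntpd_keys, chrony_keys, lengths = demo()
    # Key 2 decodes differently under the two rules: 20 raw bytes vs 40 ASCII bytes.
    print("ntpd   key 2:", len(ntpd_keys[2][1]), "bytes")
    print("chrony key 2:", len(chrony_keys[2][1]), "bytes")
    for h, n in lengths.items():
        print(f"{h}: MAC {n} bytes, fits classic layout: {fits_classic_mac(h)}")
```

Key 2 is the case where the two formats disagree: the same line yields a 20-byte key under the ntpd rule and a 40-byte key under the chrony rule, so the two daemons would compute different MACs from an identical keyfile. The SHA256 MAC comes out at 36 bytes, which is why a longer digest forces the choice the message raises between an extension field and the regular MAC field.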
