Re: [chrony-dev] replace md5 with SHA

[Bill Unruh <unruh@xxxxxxxxxxxxxx>]

One point is to use the standard (ie the one Lichvar already set up, and 
presumably works) to make sure that things work with that. If not there must 
be some problem with the communcation between your servers and clients. Then,
when you have that working, you can then try your own version of sha. If it 
now does not work, you have issolated the problem to your implimentaation. 
Right now you have no idea if the problem is with your implmentation, or with
the communication with server. Ie, right now worrying about how you are going
to package this in the smallest package is not a worthwhile worry. How to get
things to work is what you need to do now.

William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/

On Sun, 12 Jun 2016, Earlence Fernandes wrote:

> I'm using the wolf SSL implementation of sha1. I've compiled in wolf SSL. The ntp server is ntp
> classic on Ubuntu. I had first tested md5 to make sure I have setup things correctly. Then I
> switched the server to use sha1. I don't want tomcrypt coz I already have wolf SSL on my diy
> embedded system and flash space is of utmost importance.
>
> Earlence
>
> On Jun 12, 2016 12:09 AM, "Bill Unruh" <unruh@xxxxxxxxxxxxxx> wrote:
>       The hash HAS to be shared  between server and client. Are you sure that the
>       serverrs you are trying to use understand sha? (and ae you sure that your own
>       sha actually correctly impliments the algorithm?-- How?)
>       And why would you not want to use a version which has been well tested?
>       YOu decide to do something on your own and then shout for help when you fall
>       off the cliff and of course have given vitually no information about the route
>       you have taken.
>
>       Perhaps if you were to give the reasons why you would want to do this people
>       could help you accomplish your goals instead of rescuing you from unknown
>       troubles.
>
>
>       William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
>       Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
>       UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
>       Canada V6T 1Z1     |      and Gravity       |  www.theory.physics.ubc.ca/
>
>       On Sat, 11 Jun 2016, Earlence Fernandes wrote:
>
>             I am trying to replace MD5 hashing with SHA1 hashing, but I don't want
>             to take a dependency on
>             libtomcrypt.
>             I got my own SHA1 standalone file similar what chronyd does now for
>             MD5.
>
>             I modified configure to set HASH_OBJ="hash_intsha.o"
>
>             where hash_intsha.c is my source file.
>
>             In that file, I have basically copied the structure of hash_intmd5 but
>             replaced it with calls
>             to my own SHA routines (ofcourse, changing the sha size from 16 to 20
>             by 160bit SHA1)
>
>             I compile this stuff with sechash disabled and --without-tomcrypt. 
>
>             However, the daemon cannot get the time. It runs for a while, and then
>             exits with "No suitable
>             source for sync.." (I run it with chronyd -q)
>
>             I had tested chronyd with MD5 and my own NTP server which serves auth
>             packets, and it worked
>             fine. Now I've changed everything to SHA like the above, but it does
>             not work. Any ideas why?
>
>             -Earlence