> I'm not an expert in this sort of things, but I would suggest you at least > change that to an HMAC.
Good suggestion. Thanks. Mostly, this code has to be backwards compatible. It's setup to do digests: EVP_DigestInit_ex(...); // setup for digest type EVP_DigestInit_ex(...); EVP_DigestUpdate(...); // password EVP_DigestUpdate(...); // packet EVP_DigestFinal_ex(ctx, digest, &len); If we can find a digest type that does HMAC, it should just work. None of the supported digests include HMAC in their name, but there are things like: #define NID_hmacWithMD5 797 #define NID_hmacWithSHA1 163 #define NID_hmacWithSHA224 798 #define NID_hmacWithSHA256 799 #define NID_hmacWithSHA384 800 #define NID_hmacWithSHA512 801 Unfortunately, they don't work. Neither do sha nor mdc2 which are advertised to work. OpenSSL also has a HMAC mode similar to the Digest stuff. -- These are my opinions. I hate spam. _______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
