Hal Murray <hmur...@megapathdsl.net>:
> > devel@ntpsec.org said:
> > I see no real blockers. We've got a bunch of little nits and documentation
> > issues. I might try to push a fix for #446.
>
> There is no problem unless you set up your keys file to use an algorithm with
> a big digest.
>
> The short term clean fix is to reject algorithms with too-big digests. It's
> a few lines of code. You can copy it from attic/digest-find.c

Would you do this, please? You obviously know the code and the context.

> The simpler fix, 2 lines in 2 places, is to truncate the length at the place
> where it is used. That will make bigger/better digests "work", but not the
> way you might expect and I don't want to document that tangle and we probably
> don't want to have anything to do with not-as-secure-as-you-expect.

Bletch. No, we don't.

> The right fix is to actually support longer digests. I think that requires
> getting an extension code from IANA. I'd be willing to delay a release if we
> want to do that. I'd expect days or weeks rather than months, but it might
> get tangled up with IETF work. (There is current discussion in this area.)

It's Mark's call whether we hold the release, but what I will advise is that we put this on the task list for the next one. Please open a tracker request for enhancement and explain the IANA connection.

Classic had some CVEs out on 27 Feb. Yesterday I merged the one fix we appear to need; Daniel thinks we plugged the holes leading to the other five in the protocol refactor.

I plan to fix some documentation nits before we ship.

--
<a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
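
The "reject algorithms with too-big digests" option from the quoted message, sketched as an added example; it is not NTPsec code and not the check in attic/digest-find.c. It assumes a `keyid type secret` keys-file layout and a 20-byte digest limit for the MAC field, neither of which is stated in the thread, and `check_keys` is a hypothetical name.

```python
import hashlib

# Assumption: the MAC field holds a 4-byte key ID plus at most a 20-byte
# (160-bit) digest. The thread does not state the limit.
MAX_DIGEST_LEN = 20

# Constructed sample keys file, assumed "keyid type secret" layout.
SAMPLE_KEYS = """\
# keyid type secret
1 SHA1   2f1d9a1c0b7e44aa
2 SHA256 91c3e07ab5d24f60
3 SHA512 5be0cd19137e2179
4 NOSUCH 0011223344556677
"""


def check_keys(text, max_len=MAX_DIGEST_LEN):
    """Return (accepted, rejected).

    accepted maps keyid -> type; rejected is a list of
    (keyid, type, reason). Oversized digests are refused outright
    instead of being silently truncated to fit the MAC field.
    """
    accepted, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            rejected.append((fields[0], "", "malformed line"))
            continue
        keyid, ktype = fields[0], fields[1]
        try:
            size = hashlib.new(ktype.lower()).digest_size
        except ValueError:
            rejected.append((keyid, ktype, "unknown digest"))
            continue
        if size > max_len:
            reason = f"digest is {size} bytes, limit is {max_len}"
            rejected.append((keyid, ktype, reason))
            continue
        accepted[keyid] = ktype
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_keys(SAMPLE_KEYS)
    print("accepted:", ok)
    for keyid, ktype, reason in bad:
        print(f"rejected key {keyid} ({ktype}): {reason}")
```
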