On Wednesday, December 18, 2024 1:03:16 AM Pacific Standard Time Hal Murray via devel wrote:
> Do we have an official support policy? I'm expecting something like "runs
> on supported versions of most Unix like OSes with ntp_adjtime". Should we
> add "using supported versions of OpenSSL"?

devel/hacking mentions an OpenSSL 1.1.1 minimum w/ the use of RAND_Bytes() and symmetric algorithms.

> We need crypto for hashing IPv6 addresses, shared key authentication, the
> cookies that mode6 uses, and checking the leapsecond file.

MD5 is used for IPv6 clock address munging; SHA is used for mode6 nonce, and leap-second validation.

> There was some maybe related discussion a while ago for FIPS mode. It
> would be not-too-hard to recover the old stand-alone MD5 code. I think
> that covers the IPv6, cookie, and leapsecond usage. We would have to add
> an ifdef to skip the shared key code which might be useful anyway.

I think the standalone MD5 and SHA code is long gone. The current code only wraps around OpenSSL.

The only semi-production use I have for the symmetric auth code is to sign mode 6 packets. Otherwise, I only use it for testing.

It would be nice to move the control interface off of port 123 and away from UDP in general.

_______________________________________________
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel