BIND 10 #2402: split cryptolink sign/verify
BIND 10 Development
do-not-reply at isc.org
Thu Oct 25 08:32:12 UTC 2012
#2402: split cryptolink sign/verify
-------------------------------------+-------------------------------------
Reporter: fdupont                    | Owner: fdupont
Type: enhancement                    | Status: new
Priority: medium                     | Milestone: New Tasks
Component: Unclassified              | Resolution:
Keywords:                            | Sensitive: 0
Defect Severity: Low                 | Sub-Project: Core
Feature Depending on Ticket:         | Estimated Difficulty: 0
Add Hours to Ticket: 0               | Total Hours: 0
Internal?: 0                         |
-------------------------------------+-------------------------------------
Comment (by fdupont):
Done in trac2402. Some comments:
- the cryptolink stuff is easy, the TSIG one is not
- the issue with TSIG is the reuse of TSIG contexts between sign and
verify (BTW it is mainly for testing)
- the proposed solution is to make TSIGContext copyable and to copy it
for changing the operation (aka sign or verify)
- the cost of copying an HMAC structure is to perform the
initialisations and the key scheduling again
- BTW the key scheduling (hash keys larger than a block size for HMAC) is
handled by Botan so it is useless (and error prone) to do it in the
cryptolink code!
- of course the whole idea behind this is to be able to replace Botan by
a PKCS#11 shim (cd bind 9 rt29031a)
So please review the committed trac2402 branch (with trac2402_base tag)
and consider removing the extra key scheduling (or moving it to another
ticket/branch)?
--
Ticket URL: <http://bind10.isc.org/ticket/2402#comment:1>
BIND 10 Development <http://bind10.isc.org>
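
The key-scheduling point in the comment above, as an added example that is not part of the original message or of the BIND 10 code: Python's standard hmac module stands in for Botan (an assumption), and `prehash_then_library` is a hypothetical caller-side wrapper. It shows that hashing long keys above the library is redundant at the correct threshold (block size) and silently changes the MAC at a wrong one (digest size).

```python
import hashlib
import hmac


def manual_hmac(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC written out per RFC 2104, including the key scheduling step."""
    block = hashlib.new(hash_name).block_size
    if len(key) > block:                      # key scheduling: hash long keys
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block, b"\x00")           # then zero-pad to one block
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + msg).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def library_hmac(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """The library already performs the key scheduling internally."""
    return hmac.new(key, msg, hash_name).digest()


def prehash_then_library(key, msg, hash_name, threshold):
    """Hypothetical wrapper that repeats key scheduling above the library."""
    if len(key) > threshold:
        key = hashlib.new(hash_name, key).digest()
    return library_hmac(key, msg, hash_name)


def compare(hash_name: str = "sha256") -> dict:
    """Check each variant against the library for key lengths around the limits."""
    block = hashlib.new(hash_name).block_size     # 64 bytes for SHA-256
    digest = hashlib.new(hash_name).digest_size   # 32 bytes for SHA-256
    msg = b"constructed sample message"
    results = {}
    for klen in (digest, digest + 1, block, block + 1, 2 * block):
        key = bytes(range(klen))                  # constructed test key
        ref = library_hmac(key, msg, hash_name)
        results[klen] = {
            "manual": manual_hmac(key, msg, hash_name) == ref,
            "prehash_at_block": prehash_then_library(key, msg, hash_name, block) == ref,
            "prehash_at_digest": prehash_then_library(key, msg, hash_name, digest) == ref,
        }
    return results


if __name__ == "__main__":
    for klen, row in compare().items():
        print(klen, row)
```

Keys between the digest size and the block size are where the two layers disagree, so interoperability tests for a wrapper like this need key lengths in that range.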