[kea-dev] cryptolink and OpenSSL
Francis Dupont
fdupont at isc.org
Wed Jun 17 19:53:34 UTC 2015
I worked a lot on the support of RSA (and ECDSA) by the cryptolink library
which was (and still is) very useful for the secure DHCPv6 experiment.
I fixed the HMAC code which doesn't implement what the doc describes
and the corresponding unit tests which don't correctly test the code.
Note this has no impact in the current use of cryptolink so it can wait
for the next release (aka > 0.9.2).
The problem is the fix uses the last OpenSSL HMAC API which is not supported
by some old versions of OpenSSL. As IMHO the old HMAC API is broken (some
critical functions don't return a code one can test even when they can fail)
I think it is not a problem and OpenSSL without the new API should be
rejected by configure.
Today Apple OS X is in this case (but the system OpenSSL is being obsoleted
so it is not a problem to require the brew (or another package tool) OpenSSL).
I don't know about RedHat or CentOS, nor if it can be a problem. Note OpenSSL
is an option, the standard backend is still Botan so it is far from being
a critical issue...
Any comment/opinion?
Regards
Francis Dupont <fdupont at isc.org>
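
The configure-time rejection proposed in the message above could be expressed as a compile-only Autoconf probe. This is an added example, not part of the original post and not Kea's own configure.ac; it assumes HMAC_Init_ex is among the functions that return void in the old API and int in the new one, and that CPPFLAGS already points at the OpenSSL headers under test.

```m4
# Added example (not Kea's configure.ac): reject an OpenSSL whose HMAC
# functions cannot report failure to the caller.
# Assumption: HMAC_Init_ex() returns void in the old API and int in the new one.
# Assumption: CPPFLAGS already points at the OpenSSL headers to be tested.
AC_MSG_CHECKING([whether OpenSSL HMAC functions return a testable code])
AC_COMPILE_IFELSE(
    [AC_LANG_PROGRAM(
        [[#include <openssl/hmac.h>]],
        [[
          /* Compile-only probe: never executed, so the null context is safe. */
          HMAC_CTX *ctx = 0;
          /* Assigning a void result to an int is a compile error, */
          /* so this line only builds against the int-returning API. */
          int ok = HMAC_Init_ex(ctx, 0, 0, 0, 0);
          return ok ? 0 : 1;
        ]])],
    [AC_MSG_RESULT([yes])],
    [AC_MSG_RESULT([no])
     AC_MSG_ERROR([this OpenSSL has the old HMAC API (void return values); use a newer OpenSSL or the Botan backend])])
```

The probe only compiles the snippet, so it works whether HMAC_CTX is a complete or an opaque type in the installed headers.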