secnet status

Ian Jackson ijackson at
Wed Jul 3 23:24:47 BST 2013

Before doing another beta, and then a release, there are some things
that need to be fixed:

  * We need to get rid of CBC-MAC, really!  We don't have much
    algorithm agility, but we do need at the least to have some kind
    of sites-fragment-based capability computation mechanism.

    And we need a new transform.  I propose to implement a simple
    one using HMAC-SHA-512 truncated to 128 bits, and Serpent in
    Counter mode (using the packet sequence number concatenated
    with the block number within the packet as the counter).

  * We need to replace some of our memcmps with a constant time
    version.  I have code to do this.

  * There is an annoying tendency for a restarted secnet not to
    be quite functional; in particular restarting the fixed site
    can cause trouble for mobile sites.  I have a patch series
    half-written to fix this.


More information about the sgo-software-discuss mailing list