On Aug 10, 2013, Michael Rash wrote:

> On Aug 10, 2013, Radostan Riedel wrote:
>
> > On Fri, 09. Aug 22:52, Michael Rash wrote:
> > > Interesting. When you send an SPA packet with GPG+HMAC with SHA256, how
> > > many bytes long is the SPA packet? This info is printed at the end of
> > > the client output in --verbose mode. With both DIGEST_TYPE and
> > > HMAC_DIGEST_TYPE (which aren't the same thing) set to SHA512 along with
> > > a 2048-bit GPG key on my system the SPA packets are nearly 1200 bytes
> > > long. Are you using larger GPG keys?
> > I'm using 2048-bit RSA keys.
> >
> > ...
> > Client Timeout: 30 (seconds)
> > Digest Type: 3 (SHA256)
> > HMAC Type: 3 (SHA256)
> > Encryption Type: 2 (GPG)
> > Encryption Mode: 7 (Asymmetric)
> > ...
> > send_spa_packet: bytes sent: 1395
> >
> > Without HMAC:
> > ...
> > Client Timeout: 30 (seconds)
> > Digest Type: 3 (SHA256)
> > HMAC Type: 0 (Unknown)
> > Encryption Type: 2 (GPG)
> > Encryption Mode: 7 (Asymmetric)
> > ...
> > send_spa_packet: bytes sent: 1352
> >
> > And normally with fwknop 2.0 I was always using sha512 and this still works
> > without HMAC:
> > ...
> > Client Timeout: 30 (seconds)
> > Digest Type: 5 (SHA512)
> > HMAC Type: 0 (Unknown)
> > Encryption Type: 2 (GPG)
> > Encryption Mode: 7 (Asymmetric)
> > ...
> > send_spa_packet: bytes sent: 1409
> >
> > The weird thing is that I can use SHA512 as HMAC and Digest type. I can't
> > reproduce the client-side error.
> > send_spa_packet: bytes sent: 1495
> >
> > I'm attaching my GPG pub key.
>
> Those packet lengths are getting really close to the 1500-byte maximum
> that is enforced by libfko. I'm wondering if a solution might be to use
> a higher level of compression either in your gpg engine directly or through
> libgpgme, but I don't see an obvious way to manipulate this through
> libgpgme. I suspect that if you try 1024-bit keys then everything will
> work.
Another quick note on this - in your ~/.fwknoprc file on the client side, if
you want to use sha512 for HMAC operations, then I would recommend setting:

HMAC_DIGEST_TYPE sha512
DIGEST_TYPE md5

The reason is that DIGEST_TYPE refers to an internal digest in the SPA
payload that is verified after decryption (this is a holdover from the
original pre-HMAC SPA data format), but there is no security benefit to this
digest if you are also using the HMAC mode. This is particularly true if you
are going all the way with HMAC sha512, and at the same time this will allow
the SPA packet data to be slightly smaller.

--Mike

> With the key you sent imported into the test suite keyrings as the
> server public key (with decryption obviously not working), the client is
> able to generate SPA packets. But, with both DIGEST_TYPE and
> HMAC_DIGEST_TYPE set to sha512 I'm only getting SPA packets of about 900
> bytes. I'll keep digging.
>
> Thanks,
>
> --Mike
>
> > regards
> > Radi
> >
> > -----BEGIN PGP PUBLIC KEY BLOCK-----
> > Version: GnuPG v1.4.12 (GNU/Linux)
> >
> > mQENBFEKTBABCADWT9tIo6F7GzB71eSB4umjwLOKWLRqZptqGJyJl96Vd+HQzlBG
> > pvMCdACUfobu361r3ZlLItN7RamOqRdAssRzN0VOf8n9hJaU9Lo6eKXObfdL3Wkq
> > lH3Xnwkugxc4sw0vXD9Ht0N8LPt1ltmVQwlqkwWHsnVS7vD51vkVpRgF5Bd0jb/O
> > CMVTh+fMWXhJ4KRpPxKhTR2Qaih6peWz4qYEE0xpeXN741O6CGeKuUc9TCeF41eg
> > wbI79Im9OODUG0xbQaI7PQSetQYOAv+LASinQh3+QJgw9XLhsPtaLfFSvZCnPKZP
> > lsPIm9M11YZjTbNlZ+umi9MY0ilCdCfrTuUhABEBAAG0J1JhZG9zdGFuIFJpZWRl
> > bCA8cmllZGVsQHVuaS1tYXJidXJnLmRlPokBOwQTAQIAJQIbAwYLCQgHAwIGFQgC
> > CQoLBBYCAwECHgECF4AFAlELw5ACGQEACgkQ3hnG/vupsHjL6ggAkisURuKYL/bu
> > EokxXDxKFfAtVoObgrRHmbXFuuVD3gOVSOZBw4J8QRPdUTvsQYt394PdBAbYhjv4
> > sFk3Znz/pWE+IdWIaaRKHQ0MgmY43LLT3UOmYa41go7fX5e4QOUGZ3JBeoRpURRA
> > 6WMBmaYFdYN8A9aIeCGVnDfle2WDfGMax3VfUaaLxXwUku/oTR94YcPYdw4GS5+D
> > RrR0CmXZEcgZl8bmqS6yNLPIuHZ0P0jbfegpKugfABbELWApKL06kQyEJW5IWsi6
> > vhQP3FTL4GFez835mDl9PIy++UArZqqu09WvfAuOJPzv5WYLRRDQUR0CtOeX0M7J
> > S0yG1TeIFIhGBBARAgAGBQJRC8PgAAoJEBKUMvpPlZ1+1C0An3RYLBR+JQNoSebg
> > /LG902D/dl06AJ9sQKKxg0oHvdyMac8MFE8aVZD2h7QsUmFkb3N0YW4gUmllZGVs
> > IDxyb290QGNoZW1pZS51bmktbWFyYnVyZy5kZT6JATgEEwECACIFAlELw14CGwMG
> > CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJEN4Zxv77qbB4YdcH/jsrexKgMgPw
> > 0r2mB5d99pi2PDmVzqL/BBfSlgkao3eArIx2I9Je/jztTt4ZLHRCrNmU9MYBLYUP
> > nmK9Pr3ZYW0BQaDYMATkYbshTEFH55Gf2yQ6X//XRPlMeC1EL64XF8vYxCYgxr/E
> > onquA4iFdeLKOrZ9ZuKGMlhXO3qjrSlg55B8uB+0h0B9t6fHXK+Se/2bdX5+eVpA
> > DYkGxldBXTkaRkt6kiHS8zBjFcaU6tGXIzwerUFd9VTYov0xKdxsVCSi0+cWaPm0
> > 5uC0SbjyJYcC7369bcK9k/edYVZqxhabLtZpUbIfspqZl2c84snVfgzRhMrAiCtC
> > 9//n8Df6Q66IRgQQEQIABgUCUQvD4AAKCRASlDL6T5Wdfty1AJ9d6mg7ugrag5AU
> > A9VeBy5VE1Vv1gCfWHuosUFLUqzpqfNMcqVUfwvU2nu0KVJhZG9zdGFuIFJpZWRl
> > bCA8cmF5YnVudHVAZ29vZ2xlbWFpbC5jb20+iQE4BBMBAgAiBQJRC8MhAhsDBgsJ
> > CAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRDeGcb++6mweAuiB/9d1IBYG/Ka7uni
> > wAe8jF4FhTk3QABzORWW3C5ZT6cMsv0QHe0g8WcIOeGVay59dV82CAcaw0UwNZFB
> > oA88/gWbUX+BAz2CslKmt5x6aBx/zNTmDgqLj6SKyTKRVFN0uB9zSpTiCElRcQFQ
> > OSPA+Khl050WEbepOgJy988MMKBTJBouWPcX0WW901PJsu+NxtlCy7LiaBCS/BGx
> > vkIqHeaLc1SyAE3L9nF04khGbrCt8r7IRQ2T23EPc8AL2Jegj0+0IC1sqhIyvo/2
> > 28Y0Ikfqjnn9VFQ9APQlL39ePcOMnvF0JZNK8Rdny7hOcPySwlo3/Oq7XdZcqBmu
> > SH7ru3qriEYEEBECAAYFAlELw+AACgkQEpQy+k+VnX7tGwCdGVFIz6s5fG8eS1nU
> > Mq+pBlhuXScAnjVhpzzccQOydOJslyMRWFQOt0QntCRSYWRvc3RhbiBSaWVkZWwg
> > PHJheWJ1bnR1QGdtYWlsLmNvbT6JATgEEwECACIFAlELw0YCGwMGCwkIBwMCBhUI
> > AgkKCwQWAgMBAh4BAheAAAoJEN4Zxv77qbB4Y2wIAIanZBsGAB9Hi+FKgABv/OIX
> > C/HJLIoChs9OJAXc05QR0UZQ/Ba1EelSGl8sWh6/Hir3suE4AZrX4XVXy+uTZ31Y
> > kn4N/p/JVue9XKEiUMZUOUPZMMwCq7W3gbEsQKfmTiVAmWiJzwb4FQpoVbR9XB81
> > LNcXT3lvC/f83Yo5lIeXsEB7dSxub8iwjeMGas+XuiSbLY4cTwB6L2ES5M32sDyv
> > xeo/qKW7ZFk7Bj2f/4wecjdLzBlT8aDmSrgwPCNOgwLWGwGK4ZBmkyiVVkKmz7Ae
> > U8UCjHL1L9CTjPBrrTdJxaQLxnWobns6kX93HAGwjjYrXreVWZ0sX7PYKdcWiMSI
> > RgQQEQIABgUCUQvD4AAKCRASlDL6T5WdfsO3AJwJrHJ3HrQ5kd540TeHznBqNW8b
> > lACcDEyh+ihycno25wEQkCsgcRwHnSe5AQ0EUQpMEAEIAJ8FCGKlmAAiGePag+WV
> > FHNXdlYnwGri1+Qus2FcBR/j5MfcUzGN3cw1gqRp3PIJrztsEtNYqceDmT5OBFIf
> > 4h2uE/s7AD1SdVSIS1XEwma5coz+6ZzM1DPV6W8IxzC0XUEOeZi+jGl0yU36s+qW
> > 2fNw3QmvVTBL01Mp/PnjxOlMVngE0d+3Cilp5XFuQkOWkT0FIAHhJUFrXeqbjEea
> > LH5eZPTBjn1Rsrz5ELYF9Wm055HNmnVP0rKYZM5sZV+mZ1zpd+KOcOGiRpslIeCE
> > 0nalRQN1aZwnT9n8hv+EijgUmxOKU1ki2lHWYnxw0SSSzlrjrjzNnhsnr8Bq0wJm
> > UUsAEQEAAYkBHwQYAQIACQUCUQpMEAIbDAAKCRDeGcb++6mweCgbB/9mzyiAfqHa
> > jxDVQy1+DemvHrrxVRnrE9s67Y9j+LjdkzKpiMftRFZRkpBXOq4u7dgBtaV7hpLc
> > r5wbUH9MAwQhE6jsoD38vDWu3AGtCQzVCvPHWdRFc7Z2SIuAbks0W41c/58DfNmZ
> > +p/xywmKgzdeWqryMZxGlXbaU17KTgRrytlf8eS3qH7DqvXqP+nLMYw+SkXvZ5hR
> > u3xbj4sdkJYsGhVOFj15vBB6F+we/OMmQCCXTJaXvxNg93dlZy93M4G72Qrz/tpM
> > +FA7QH53YmNE5+hM/LKuVS27z/HlcEPIGptyweMvx5smIbOD3F8FcwK9MKpkTOxu
> > 02nKkn1hAOgd
> > =1gy0
> > -----END PGP PUBLIC KEY BLOCK-----
_______________________________________________
Fwknop-discuss mailing list
fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
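The two things the thread turns on, the encrypt-then-HMAC layout (HMAC over the encoded ciphertext, checked before anything is decrypted) and the size arithmetic behind the 1352/1395/1409/1495-byte packets, as an added Python example. This is not code from libfko, fwknop or either poster. Assumptions, also marked in the code: the GPG ciphertext is stand-in random bytes because the HMAC layer treats it as opaque; digests and HMAC tags are base64 with the '=' padding stripped, which is what the +43 (SHA256) and +86 (SHA512) deltas in Radi's output imply; the DIGEST_TYPE digest sits inside the encrypted payload, so a change in its length shows up amplified by about 4/3 after base64 encoding, a fit to the thread's numbers rather than a libfko constant; and the 1500-byte ceiling is the figure Mike quotes for libfko.

```python
"""
fwknop-style SPA packet: encrypt-then-HMAC layout and size budget.

Added example, not libfko code. Assumptions: stand-in random ciphertext,
unpadded base64 for digests/tags, ~4/3 amplification of the inner digest,
1500-byte limit as stated in the thread.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

# Maximum SPA packet size the thread says libfko enforces.
LIBFKO_MAX_SPA_BYTES = 1500

# Digest names as written in ~/.fwknoprc for DIGEST_TYPE / HMAC_DIGEST_TYPE.
DIGESTS = {
    "md5": hashlib.md5,
    "sha1": hashlib.sha1,
    "sha256": hashlib.sha256,
    "sha384": hashlib.sha384,
    "sha512": hashlib.sha512,
}


def b64_nopad(raw: bytes) -> str:
    """Base64 with the trailing '=' padding removed."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def b64_nopad_len(nbytes: int) -> int:
    """Length of unpadded base64 for nbytes of input: ceil(4n/3)."""
    return (4 * nbytes + 2) // 3


def append_hmac(encoded_ct: str, key: bytes, hmac_type: str) -> str:
    """Client side: MAC the encoded ciphertext and append the unpadded tag."""
    tag = hmac.new(key, encoded_ct.encode("ascii"), DIGESTS[hmac_type]).digest()
    return encoded_ct + b64_nopad(tag)


def verify_and_strip_hmac(packet: str, key: bytes, hmac_type: str) -> Optional[str]:
    """Server side: check the tag before the decryption engine sees anything.
    Returns the encoded ciphertext, or None when the tag does not verify."""
    tag_len = b64_nopad_len(DIGESTS[hmac_type]().digest_size)
    if len(packet) <= tag_len:
        return None
    body, tag = packet[:-tag_len], packet[-tag_len:]
    expected = b64_nopad(hmac.new(key, body.encode("ascii"), DIGESTS[hmac_type]).digest())
    # Constant-time compare so a forger learns nothing from timing.
    if not hmac.compare_digest(expected.encode("ascii"), tag.encode("ascii")):
        return None
    return body


def spa_size_estimate(baseline: int, digest_type: str, hmac_type: Optional[str]) -> int:
    """Estimate the packet length from a baseline measured with DIGEST_TYPE
    sha256 and no HMAC (1352 bytes in Radi's --verbose output).

    The DIGEST_TYPE digest is inside the encrypted payload, so a change in its
    unpadded-base64 length is amplified by ~4/3 once the ciphertext is base64
    encoded (assumes a high-entropy digest does not compress). The HMAC tag is
    appended outside the ciphertext and adds exactly its own length.
    """
    inner_delta = b64_nopad_len(DIGESTS[digest_type]().digest_size) - b64_nopad_len(32)
    size = baseline + round(inner_delta * 4 / 3)
    if hmac_type is not None:
        size += b64_nopad_len(DIGESTS[hmac_type]().digest_size)
    return size


def headroom(size: int) -> int:
    """Bytes left under the libfko limit; negative means the packet is too big."""
    return LIBFKO_MAX_SPA_BYTES - size


def tamper(packet: str) -> str:
    """Flip one character of the ciphertext portion to simulate on-path modification."""
    first = "B" if packet[0] == "A" else "A"
    return first + packet[1:]


if __name__ == "__main__":
    key = os.urandom(32)  # HMAC key, constructed for the demo
    fake_gpg_ct = base64.b64encode(os.urandom(900)).decode("ascii")  # stand-in ciphertext
    pkt = append_hmac(fake_gpg_ct, key, "sha512")
    assert verify_and_strip_hmac(pkt, key, "sha512") == fake_gpg_ct
    assert verify_and_strip_hmac(tamper(pkt), key, "sha512") is None
    for digest, mac in [("sha256", None), ("sha256", "sha256"), ("sha512", None),
                        ("sha512", "sha512"), ("md5", "sha512")]:
        est = spa_size_estimate(1352, digest, mac)
        print(f"DIGEST_TYPE {digest:6} HMAC_DIGEST_TYPE {str(mac):6} -> "
              f"{est} bytes, headroom {headroom(est)}")
```

Run as-is the model reproduces the four measured sizes and puts Mike's recommended combination (DIGEST_TYPE md5 with HMAC_DIGEST_TYPE sha512) at about 1410 bytes instead of 1495, which is the "slightly smaller" packet he mentions. The verifier rejects the tampered packet without ever reaching the decryption step, which is the property behind his point that the inner DIGEST_TYPE digest, checked only after decryption, buys nothing once the HMAC is on.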
