[Git][NTPsec/ntpsec][master] Get us most of the way to MAC verification on pyntpdig replies.

Eric S. Raymond gitlab at mg.gitlab.com
Tue Nov 8 14:56:37 UTC 2016


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
12783d9b by Eric S. Raymond at 2016-11-08T09:55:39-05:00
Get us most of the way to MAC verification on pyntpdig replies.

- - - - -


2 changed files:

- ntpdig/pyntpdig
- pylib/packet.py


Changes:

=====================================
ntpdig/pyntpdig
=====================================
--- a/ntpdig/pyntpdig
+++ b/ntpdig/pyntpdig
@@ -79,7 +79,7 @@ class SNTPPacket:
         self.receive_timestamp = SNTPPacket.rescale(self.receive_timestamp)
         self.transmit_timestamp = SNTPPacket.rescale(self.transmit_timestamp)
         if len(data) > 192:
-            self.extension_data = data[192:-12]
+            self.extension_data = data[-12:192]
             self.auth_data = data[-12:]
         else:
             self.extension_data = None
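Review bot: The new slice `data[-12:192]` yields an empty bytes object for any packet longer than 204 bytes, because the negative start resolves to len(data)-12, which lies past the stop of 192; the removed form `data[192:-12]` had the right shape. The start offset also disagrees with `have_mac` in the packet.py hunk of this same commit, which treats everything past byte 48 as extension fields plus MAC, so `data[48:-12]` is presumably what is intended — worth confirming against the layout this class actually parses. The enclosing method starts outside the hunk.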
@@ -124,15 +124,26 @@ def queryhost(server, concurrent, timeout=5, port=123):
                 raise SystemExit(1)
             else:
                 packet += mac
-        s.sendto(packet, sockaddr)
+        try:
+            s.sendto(packet, sockaddr)
+        except socket.error as e:
+            log("socket error on transmission: %s" % e)
+            raise SystemExit(1)
         if debug >= 2:
-            print("Sent to %s:" % (sockaddr[0],))
+            log("Sent to %s:" % (sockaddr[0],))
             ntp.packet.dump_hex_printable(packet)
         def read_append(s, packets):
             d, a = s.recvfrom(1024)
             if debug >= 2:
                 print("Received:")
                 ntp.packet.dump_hex_printable(d)
+            if credentials:
+                if not ntp.packet.Authenticator.have_mac(d):
+                    log("no MAC on reply from %s" % packet.hostname)
+                if not credentials.verify_mac(d):
+                    log("MAC verification on reply from %s failed" % sockaddr[0])
+                elif debug:
+                    log("MAC verification on reply from %s succeeded" % sockaddr[0])
             pkt = SNTPPacket(d)
             pkt.hostname = server
             pkt.resolved = sockaddr[0]
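Review bot: `log("no MAC on reply from %s" % packet.hostname)` on the no-MAC branch will raise AttributeError, since `packet` at this point is the bytes buffer assembled with `packet += mac`, not an object carrying a hostname; the neighbouring messages use `sockaddr[0]`, so the line should read `log("no MAC on reply from %s" % sockaddr[0])`. The same branch then falls through into `credentials.verify_mac(d)` on a reply already known to lack a MAC, and a failed verification is only logged before the reply is parsed into `pkt` and handed on below; when credentials were supplied, an unauthenticated or unverifiable reply should be dropped (an early `return` after each log, if read_append's caller tolerates an empty append) or at least flagged on `pkt` so the caller can reject it rather than use it. `print("Received:")` was left as is while the matching "Sent to" message moved to `log`. read_append's body continues outside the hunk.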


=====================================
pylib/packet.py
=====================================
--- a/pylib/packet.py
+++ b/pylib/packet.py
@@ -1082,6 +1082,15 @@ class Authenticator:
             return None
         else:
             return struct.pack("!I", keyid) + hasher.digest()
-
+    @staticmethod
+    def have_mac(packet):
+        "Does this packet have a MAC?"
+        # According to RFC5909 7.5 the MAC is always present when an extension
+        # field is present. Note: this crude test will fail on Mode 6 packets.
+        # On those you have to go in and look at the count.
+        return len(packet) > 48
+    def verify_mac(self, packet):
+        "Does the MAC on this packet verify according to credentials we have?"
+        return True
 
 # end
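Review bot: `verify_mac` returns True unconditionally, so every caller — including the pyntpdig hunk in this commit, which logs "MAC verification ... succeeded" on that result — reports a reply as authenticated without any digest being compared. Until the check is implemented the stub should fail closed, e.g. `raise NotImplementedError("MAC verification not implemented")` or `return False`, so that no log line can claim a success that never happened and callers that later gate on the result are not silently accepting unverified replies. The comment on `have_mac` cites RFC5909 7.5; the NTPv4 specification is RFC 5905, which is presumably the intended reference. Per PEP 8 a blank line belongs before `@staticmethod` and between the two new methods (the commit removed the one that was there).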



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/12783d9bdd02efba1404ad3c56a858f5edec092b