[Git][NTPsec/ntpsec][master] 2 commits: In pyntpq, check server trust status.
Eric S. Raymond
gitlab at mg.gitlab.com
Thu Nov 10 10:01:54 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
41892490 by Eric S. Raymond at 2016-11-10T04:45:33-05:00
In pyntpq, check server trust status.
- - - - -
6bcf7a53 by Eric S. Raymond at 2016-11-10T04:57:35-05:00
Address Issue #148: ntpq fails to run on netbsd
...which does not install curses by default. Solution: sever the dependency.
- - - - -
3 changed files:
- ntpdig/pyntpdig
- ntpq/ntpq
- pylib/packet.py
Changes:
=====================================
ntpdig/pyntpdig
=====================================
--- a/ntpdig/pyntpdig
+++ b/ntpdig/pyntpdig
@@ -32,6 +32,10 @@ from __future__ import print_function, division
# not looking up 20,000 hosts here. It has not been implemented, so neither
# have these options.
#
+# Finally, logging to syslog by default was a design error, violating
+# Unix principles, that has been fixed. To get this behavior when
+# running in a script, redirect standard error to logger(1).
+#
# The one new option in this version is -p, borrowed from ntpdate.
import sys, socket, select, struct, time, getopt, datetime
@@ -85,6 +89,7 @@ class SNTPPacket:
else:
self.extension_data = None
self.auth_data = None
+ self.trusted = True
def delta(self):
return self.root_delay
def epsilon(self):
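Review bot: The new `trusted` attribute defaults to True, so it really means "MAC verification has not failed" rather than "this reply was authenticated", and nothing on the added line says so. I would add a comment such as `# cleared when MAC verification of the reply fails; True does not imply the reply was authenticated`. Indentation is not visible in this view, so it is also worth confirming the assignment sits after the preceding `else:` branch rather than inside it, since clock_select reads `server.trusted` on every packet. The constructor starts outside the hunk.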
@@ -136,12 +141,13 @@ def queryhost(server, concurrent, timeout=5, port=123):
def read_append(s, packets):
d, a = s.recvfrom(1024)
if debug >= 2:
- print("Received: (%d bytes)" % len(d))
ntp.packet.dump_hex_printable(d)
if credentials:
if not ntp.packet.Authenticator.have_mac(d):
- log("no MAC on reply from %s" % packet.hostname)
+ if debug:
+ log("no MAC on reply from %s" % packet.hostname)
if not credentials.verify_mac(d):
+ packet.trusted = False
log("MAC verification on reply from %s failed" % sockaddr[0])
elif debug:
log("MAC verification on reply from %s succeeded" % sockaddr[0])
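Review bot: `packet.trusted = False` sets the flag on `packet`, which is not a local of read_append in the lines shown (its locals are `s`, `packets`, `d` and `a`), while clock_select tests `server.trusted` on the entries of the `packets` list. Unless `packet` is the same object that is later appended for this reply, a failed MAC check is logged but the reply stays eligible for selection; the function continues past the hunk, so where the reply object is built is not visible here. I would keep the verdict in a local, `trusted = credentials.verify_mac(d)`, and assign it to the reply object once it exists, e.g. `pkt.trusted = trusted` (`pkt` is a placeholder name for whatever gets appended). The no-MAC case also deserves an explicit decision: with credentials configured it is now only logged under debug, and it should be marked untrusted directly rather than relying on verify_mac rejecting MAC-less data.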
@@ -197,6 +203,9 @@ def clock_select(packets):
if server.origin_timestamp - server.reference_timestamp >= NTP_MAXAGE:
drop("Server has gone too long without sync")
continue
+ if not server.trusted:
+ drop("request was authenticated but server is untrusted")
+ continue
filtered.append(server)
if len(filtered) <= 1:
=====================================
ntpq/ntpq
=====================================
--- a/ntpq/ntpq
+++ b/ntpq/ntpq
@@ -444,7 +444,7 @@ usage: help [ command ]
text = text.replace("'", '"')
self.say(text)
- def __dolist(self, varlist, associd, op, type, quiet):
+ def __dolist(self, varlist, associd, op, type, quiet=False):
"List variables associated with a specified peer."
try:
variables = self.session.readvar(associd, varlist, op)
=====================================
pylib/packet.py
=====================================
--- a/pylib/packet.py
+++ b/pylib/packet.py
@@ -365,7 +365,7 @@ def dump_hex_printable(xdata):
sys.stdout.write(" ")
i = restart
for idx in range(rowlen):
- if curses.ascii.isprint(xdata[i]):
+ if ord(xdata[i]) >= 32 and ord(xdata(i)) < 127:
sys.stdout.write(xdata[i])
else:
sys.stdout.write('.')
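Review bot: The second comparison calls `xdata(i)` instead of indexing `xdata[i]`, so for any character with a code of 32 or above the condition raises TypeError instead of printing it. It should read `if 32 <= ord(xdata[i]) < 127:`. pyntpdig calls dump_hex_printable on received reply data at debug >= 2, so the debug path would fail on ordinary replies. If this module is also meant to run under Python 3 with bytes input, `xdata[i]` is already an int there and `ord()` would fail too, though that depends on what callers pass; the loop body starts outside the hunk.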
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/a0d515bfa8efc184029faf7eb789ce6e4d3a5062...6bcf7a5341ee73b9992dbeeaa5dfca82b4a0cecb