[Git][NTPsec/ntpsec][master] 3 commits: Implement full bogus-packet filtering for pyntpdig.
Eric S. Raymond
gitlab at mg.gitlab.com
Thu Nov 24 04:05:03 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
fce74106 by Eric S. Raymond at 2016-11-23T22:42:35-05:00
Implement full bogus-packet filtering for pyntpdig.
- - - - -
e99f7671 by Eric S. Raymond at 2016-11-23T22:59:41-05:00
Correct a passthrough option.
- - - - -
cd1f4179 by Eric S. Raymond at 2016-11-23T23:04:47-05:00
Implement rfc3339(), required for packet textualization.
- - - - -
3 changed files:
- attic/ntpdate
- ntpdig/pyntpdig
- pylib/util.py
Changes:
=====================================
attic/ntpdate
=====================================
--- a/attic/ntpdate
+++ b/attic/ntpdate
@@ -54,7 +54,7 @@ do
6) PASSTHROUGH="$PASSTHROUGH -6";;
a) PASSTHROUGH="$PASSTHROUGH -a $OPTARG";;
b) ADJUST="$ADJUST -S";;
- B) ADJUST="$ADJUST -j";;
+ B) ADJUST="$ADJUST -s";;
d) PASSTHROUGH="$PASSTHROUGH -d";;
e) echo "ntpdate: -e is no longer supported." >&2;;
k) PASSTHROUGH="$PASSTHROUGH -k $OPTARG";;
=====================================
ntpdig/pyntpdig
=====================================
--- a/ntpdig/pyntpdig
+++ b/ntpdig/pyntpdig
@@ -43,6 +43,7 @@ import sys, socket, select, struct, time, getopt, datetime
try:
import ntp.packet
import ntp.util
+ import ntp.ntp_magic
except:
sys.stderr.write("ntpdig: can't find Python NTP library -- check PYTHONPATH.\n")
sys.exit(1)
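Review bot: The added `import ntp.ntp_magic` sits under the existing bare `except:`, so any failure while loading that module (a syntax error inside it, or an interrupt during start-up) is reported as "can't find Python NTP library -- check PYTHONPATH". Narrowing the handler to `except ImportError:` keeps the message truthful and lets real faults in the library surface with a traceback.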
@@ -130,25 +131,42 @@ def clock_select(packets):
#
nlist = 0 # none yet
filtered = []
- for server in packets:
+ for response in packets:
def drop(msg):
- log("%s: Server dropped: %s\n" % (server.hostname, msg))
- if server.stratum > NTP_INFIN:
+ log("%s: Response dropped: %s" % (response.hostname, msg))
+ if response.stratum > NTP_INFIN:
drop("stratum too high")
continue
- if server.leap() == "unsync":
+ if response.version() < ntp.ntp_magic.NTP_OLDVERSION:
+ drop("response version %d is too old" % response.version())
+ continue
+ if response.mode() != ntp.ntp_magic.MODE_SERVER:
+ drop("unexpected response mode %d" % response.mode())
+ continue
+ if response.version() > ntp.ntp_magic.NTP_VERSION:
+ drop("response version %d is too new" % response.version())
+ continue
+ if response.stratum == 0:
+ # FIXME: Do some kind of semi-useful diagnostic dump here
+ drop("stratum 0, probable KOD packet")
+ continue
+ if response.leap() == "unsync":
drop("leap not in sync")
continue
- if not server.origin_timestamp < server.reference_timestamp:
+ if not response.origin_timestamp < response.reference_timestamp:
drop("server is very broken")
continue
- if server.origin_timestamp - server.reference_timestamp >= NTP_MAXAGE:
+ if response.origin_timestamp-response.reference_timestamp >= NTP_MAXAGE:
drop("server has gone too long without sync")
continue
- if not server.trusted:
+ if not response.trusted:
drop("request was authenticated but server is untrusted")
continue
- filtered.append(server)
+ # Bypass this test if we ever support broadcast-client mode again
+ if response.origin_timestamp != ntp.packet.SyncPacket.ntp_to_posix(0):
+ drop("unexpected response timestamp")
+ continue
+ filtered.append(response)
if len(filtered) <= 1:
return filtered
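Review bot: The last test compares `response.origin_timestamp` with the constant `ntp.packet.SyncPacket.ntp_to_posix(0)`, so it only checks that a reply echoes a zero origin and does not tie the reply to this particular query the way the RFC 5905 origin test does. A reply from a host that never saw the request would pass it equally well. If the transmit timestamp placed in the request is reachable from here, compare against that value (ideally one chosen per request) rather than zero. Since any packet that passes must carry a zero origin, the earlier `origin_timestamp < reference_timestamp` and `NTP_MAXAGE` tests appear unable to reject anything this test accepts, and a mismatched origin is currently logged as "server is very broken"; running the origin test before them would log the accurate reason. clock_select starts before this hunk and continues after it.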
=====================================
pylib/util.py
=====================================
--- a/pylib/util.py
+++ b/pylib/util.py
@@ -15,6 +15,14 @@ from ntp.version import *
def stdversion():
return "%s-%s-%s %s" % (VERSION, VCS_TICK, VCS_BASENAME, VCS_DATE)
+def rfc3339(t):
+ "RFC3339 string from Unix time, including fractional second."
+ subsec = t - int(t)
+ t -= subsec
+ rep = time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(t))
+ rep += ("%f" % subsec)[1:] + "Z"
+ return rep
+
def portsplit(hostname):
portsuffix = ""
if hostname.count(":") == 1: # IPv4 with appended port
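Review bot: In `rfc3339()`, `("%f" % subsec)[1:]` rounds the fraction to six digits, so a fraction of about 0.9999996 or more formats as "1.000000" and the slice emits ".000000" without carrying into the seconds field, leaving the string almost one second early. Truncating avoids the carry: `rep += ".%06dZ" % int(subsec * 1000000)`. For t below zero `int(t)` truncates toward zero, `subsec` is negative, and the slice then drops the minus sign instead of the leading digit, giving a malformed fraction; `math.floor(t)` would be needed if pre-1970 values can reach this function. The hunk does not show whether `time` is imported in pylib/util.py, which the `time.strftime` call requires.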
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/48cf0d9bfcb50eb3b6ba5c7246f5f0b68156c8aa...cd1f4179e0550d864d6cb22fe9df5e1b5cb7023f