[Git][NTPsec/ntpsec][master] Documentation polishing.
Eric S. Raymond
gitlab at mg.gitlab.com
Sat Feb 2 12:52:47 UTC 2019
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
09a3ecda by Eric S. Raymond at 2019-02-02T12:52:15Z
Documentation polishing.
- - - - -
12 changed files:
- contrib/make-leap-seconds.py
- docs/includes/ntpkeygen-body.adoc
- docs/mode6.adoc
- docs/warp.adoc
- include/nts.h
- ntpclients/ntpkeygen.py
- ntpclients/ntpleapfetch
- ntpclients/ntpq.py
- ntpd/ntp_leapsec.h
- ntpd/ntp_util.c
- pylib/packet.py
- tests/pylib/test_packet.py
Changes:
=====================================
contrib/make-leap-seconds.py
=====================================
@@ -55,7 +55,7 @@ tai = "40" # hardwired
# # is comment
# #$ xxx Update Date
# #@ xxx Expiration Date
-# #h SHA1 hash of payload
+# #h SHA-1 hash of payload
#
# #$ 3676924800
# #@ 3707596800
=====================================
docs/includes/ntpkeygen-body.adoc
=====================================
@@ -14,7 +14,7 @@ in NTP's symmetric key cryptography.
The program produces a file containing ten pseudo-random printable
ASCII strings suitable for the MD5 message digest algorithm.
It also produces an additional ten hex-encoded random bit strings
-suitable for the SHA1 and other message digest algorithms.
+suitable for the SHA-1 and other message digest algorithms.
The keys file must be distributed and stored using secure means
beyond the scope of NTP itself. The keys can also be used as
@@ -93,7 +93,7 @@ format:
|====================================================================
|Field | Meaning
|keyno | Positive integer in the range 1-65,535
-|type | MD5 or SHA1, type of key
+|type | Type of key (MD5, SHA-1, AES-CMAC etc.)
|key | the actual key, printable ASCII or hex
|====================================================================
=====================================
docs/mode6.adoc
=====================================
@@ -522,11 +522,11 @@ request header fields, then the payload.
2b. In CMAC mode, a cryptographic hash of the packet header and
payload with the crypto algorithim using the key.
-The cryptographic hash is 16 octets for MD5 and AES and 20 octets for SHA1.
-Longer digests are truncated.
+The cryptographic hash is 16 octets for MD5 ir AES-CMAC and AES and 20
+octets for SHA-1. Longer digests are truncated.
The key length for AES is 16 bytes. Longer keys are truncated. Shorter
-keys are padded with 0s. MD5 and SHA1 can use any key length.
+keys are padded with 0s. MD5 and SHA-1 can use any key length.
== Compatibility Notes ==
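Review bot: the first added line, "The cryptographic hash is 16 octets for MD5 ir AES-CMAC and AES and 20", has a typo ("ir" for "or") and names AES twice. Suggest "The cryptographic hash is 16 octets for MD5 or AES-CMAC and 20 octets for SHA-1." The context line above it also spells "algorithim", and the following paragraph still says "The key length for AES is 16 bytes", so pick either AES or AES-CMAC as the name and use it throughout the section.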
=====================================
docs/warp.adoc
=====================================
@@ -197,7 +197,7 @@ are no longer relevant.
Note that NTPsec has entirely dropped conformance with
https://tools.ietf.org/html/rfc5905[RFC 5906]. Autokey never quite
-qworked, and the design was unstable enough that if there was ever
+worked, and the design was unstable enough that if there was ever
actually a time when it fully conformed to its RFC that span must have
been pretty short.
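Review bot: in the context line "https://tools.ietf.org/html/rfc5905[RFC 5906]" the link target and the link text disagree: the URL points at rfc5905 while the label says RFC 5906. The sentence is about Autokey, which is RFC 5906, so the URL looks like the wrong half and is worth fixing in the same pass as the "qworked" typo.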
@@ -217,7 +217,7 @@ client (mode 3) packets. Mode 2 (Symmetric Passive) is still distinct
from mode 3 but its only effect is on initial poll interval.
In figure 8 of section 7.3, 128 bits (16 octets, corresponding to an
-MD5 digest) is not the only possible length for the MAC. This was
+MD5 or AES-CMAC digest) is not the only possible length for the MAC. This was
a pre-NTPsec change present in NTP Classic versions after 2010.
NTPsec conforms to the
=====================================
include/nts.h
=====================================
@@ -14,7 +14,7 @@
/* Configuration data for an NTS association */
struct ntscfg_t {
- char *server;
+ char *server; /* if NUL, use the peer itself (normal case) */
uint32_t flags;
uint32_t expire;
};
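Review bot: the new comment on "char *server" says "if NUL", but NUL is the name of the zero character; for a pointer the sentinel is NULL. Suggest "/* if NULL, use the peer itself (normal case) */", and say whether an empty string is treated the same way so callers do not have to read the implementation to find out.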
=====================================
ntpclients/ntpkeygen.py
=====================================
@@ -14,7 +14,7 @@ ntpkey_AES_<hostname>.<filestamp>
AES (128-bit) keys used to compute CMAC mode authentcation
using shared key cryptography
-The file can be edited by hand to support MD5 and SHA1 for
+The file can be edited by hand to support MD5 and SHA-1 for
old digest mode authentication.
'''
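Review bot: this docstring presents the output as AES keys, with MD5 and SHA-1 available only by hand editing, while docs/includes/ntpkeygen-body.adoc in this same commit still says the program produces ten printable strings for MD5 plus ten hex strings for SHA-1 and other digests. One of the two descriptions is stale and they should be reconciled. The context line two above the change also reads "authentcation".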
=====================================
ntpclients/ntpleapfetch
=====================================
@@ -280,7 +280,7 @@ INTERVAL=$(( $INTERVAL *1 ))
# #@ number : the NTP date that the file expires
# Date (seconds since 1900) leaps : leaps is the # of seconds to add for times >= Date
# Date lines have comments.
-# #h hex hex hex hex hex is the SHA1 checksum of the data & dates, excluding whitespace w/o leading zeroes
+# #h hex hex hex hex hex is the SHA-1 checksum of the data & dates, excluding whitespace w/o leading zeroes
verifySHA1() {
@@ -296,7 +296,7 @@ verifySHA1() {
local DATA="`echo \"$RAW\" | sed -e'/^#h/d' -e's/^#[\$@]//g' | tr -d '[:space:]'`"
- # Compute the SHA1 hash of the data, removing the marker and filename
+ # Compute the SHA-1 hash of the data, removing the marker and filename
# Computed in binary mode, which shouldn't matter since whitespace
# has been removed
# shasum/sha1sum comes in several flavors;
=====================================
ntpclients/ntpq.py
=====================================
@@ -746,7 +746,10 @@ usage: ntpversion [version number]
"set key type to use for authenticated requests"
if not line:
self.say("Keytype: %s\n" % self.session.keytype)
- elif line not in "DSA, MD4, MD5, MDC2, RIPEMD160, SHA1":
+ elif line not in "DSA, MD4, MD5, MDC2, RIPEMD160, SHA-1, AES-CMAC":
+ # Above list is somewhat bogus. All but oldest versions of NTPsec
+ # will cheerfully use any 16- or 20-bit MAC supported by libcrypto;
+ # NTP Classic will probably barf on AES-CMAC.
self.warn("Keytype %s is not supported by ntpd.\n" % line)
elif line not in hashlib.algorithms_available:
self.warn("Keytype %s is not supported by ntpq.\n" % line)
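Review bot: in the "elif line not in ..." test, renaming the list entry from SHA1 to SHA-1 changes behaviour, not just wording. The test is a substring match against a single string, so a user who types SHA1 no longer matches and gets "not supported by ntpd", while SHA-1 and AES-CMAC pass this check and then reach the hashlib.algorithms_available check on the following line, where hashlib's guaranteed name for the digest is sha1 and AES-CMAC is a MAC, not a hashlib digest. Suggest keeping the accepted token as SHA1 (or mapping display names to hashlib names) and comparing against a tuple or set of names, so that fragments such as "MD" or ", " stop passing. In the new comment, "16- or 20-bit MAC" should read 16- or 20-octet.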
@@ -756,7 +759,7 @@ usage: ntpversion [version number]
def help_keytype(self):
self.say("""\
function: set key type to use for authenticated requests, one of:
- DSA, MD4, MD5, MDC2, RIPEMD160, SHA1
+ DSA, MD4, MD5, MDC2, RIPEMD160, SHA-1, AES-CMAC
usage: keytype [digest-name]
""")
=====================================
ntpd/ntp_leapsec.h
=====================================
@@ -28,7 +28,7 @@ typedef struct leap_table leap_table_t;
/* Validate a stream containing a leap second file in the NIST / NTPD
* format that can also be loaded via 'leapsec_load()'. This uses
- * the SHA1 hash and preprocessing as described in the NIST leapsecond
+ * the SHA-1 hash and preprocessing as described in the NIST leapsecond
* file.
*/
#define LSVALID_GOODHASH 1 /* valid signature */
=====================================
ntpd/ntp_util.c
=====================================
@@ -309,7 +309,7 @@ stats_config(
/*
* Read leapseconds file.
*
- * Note: Currently a leap file without SHA1 signature is
+ * Note: Currently a leap file without SHA-1 signature is
* accepted, but if there is a signature line, the signature
* must be valid or the file is rejected.
*/
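Review bot: the comment calls the line a "SHA-1 signature", but the other files in this commit describe it as a hash or checksum of the payload (contrib/make-leap-seconds.py, ntpclients/ntpleapfetch). An unkeyed SHA-1 over the file detects corruption, not tampering, and the same comment states that a file with no signature line at all is accepted, so "signature" overstates what is being checked. Suggest "SHA-1 hash" or "checksum" here, in the matching comment in the second hunk of this file, and in the LSVALID_GOODHASH comment in ntpd/ntp_leapsec.h ("valid signature").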
@@ -690,7 +690,7 @@ record_proto_stats(
* Returns: n/a
*
* Note: This loads a new leapfile on the fly. Currently a leap file
- * without SHA1 signature is accepted, but if there is a signature line,
+ * without SHA-1 signature is accepted, but if there is a signature line,
* the signature must be valid or the file is rejected.
*/
void
=====================================
pylib/packet.py
=====================================
@@ -131,7 +131,8 @@ direction.
The RFC 5905 diagram is slightly out of date in that the digest header assumes
a 128-bit (16-octet) MD5 hash, but it is also possible for the field to be a
-160-bit (20-octet) SHA1 hash.
+128-bit AES_CMAC hash or 160-bit (20-octet) SHA-1 hash. NTPsec will
+support any 128- or 160-bit MAC type in lincrypto.
An extension field consists of a 16-bit network-order type field
length, followed by a 16-bit network-order payload length in octets,
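Review bot: the added text has a typo, "lincrypto" for "libcrypto", and writes "AES_CMAC" with an underscore where the rest of this commit uses "AES-CMAC". The octet count is given only for SHA-1; "128-bit (16-octet) AES-CMAC" would keep it parallel with the MD5 and SHA-1 wording.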
=====================================
tests/pylib/test_packet.py
=====================================
@@ -243,14 +243,14 @@ class TestSyncPacket(unittest.TestCase):
except ntpp.SyncException as e:
errored = e.message
self.assertEqual(errored, "Packet is a runt")
- # Test with extension, MD5 or SHA1, 20
+ # Test with extension, MD5 or SHA-1, 20
mac = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
"\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13"
data2 = data + ext + mac
cls = self.target(data2)
self.assertEqual(cls.mac, ntp.poly.polybytes(mac))
self.assertEqual(cls.extension, ntp.poly.polybytes(ext + mac))
- # Test with extension, MD5 or SHA1, 24
+ # Test with extension, MD5 or SHA-1, 24
mac += "\x14\x15\x16\x17"
data2 = data + ext + mac
cls = self.target(ntp.poly.polybytes(data2))
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/09a3ecda4802b610fe6d79011ca52581a509a4d1