[Git][NTPsec/ntpsec][master] Documentation polishing.

Eric S. Raymond gitlab at mg.gitlab.com
Sat Feb 2 12:52:47 UTC 2019


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
09a3ecda by Eric S. Raymond at 2019-02-02T12:52:15Z
Documentation polishing.

- - - - -


12 changed files:

- contrib/make-leap-seconds.py
- docs/includes/ntpkeygen-body.adoc
- docs/mode6.adoc
- docs/warp.adoc
- include/nts.h
- ntpclients/ntpkeygen.py
- ntpclients/ntpleapfetch
- ntpclients/ntpq.py
- ntpd/ntp_leapsec.h
- ntpd/ntp_util.c
- pylib/packet.py
- tests/pylib/test_packet.py


Changes:

=====================================
contrib/make-leap-seconds.py
=====================================
@@ -55,7 +55,7 @@ tai = "40"          # hardwired
 #  # is comment
 #  #$ xxx  Update Date
 #  #@ xxx  Expiration Date
-#  #h SHA1 hash of payload
+#  #h SHA-1 hash of payload
 #
 #  #$       3676924800
 #  #@       3707596800


=====================================
docs/includes/ntpkeygen-body.adoc
=====================================
@@ -14,7 +14,7 @@ in NTP's symmetric key cryptography.
 The program produces a file containing ten pseudo-random printable
 ASCII strings suitable for the MD5 message digest algorithm.
 It also produces an additional ten hex-encoded random bit strings
-suitable for the SHA1 and other message digest algorithms.
+suitable for the SHA-1 and other message digest algorithms.
 
 The keys file must be distributed and stored using secure means
 beyond the scope of NTP itself. The keys can also be used as
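Review bot: the context paragraph above the changed line still says the program emits ten MD5 keys plus ten hex strings for SHA-1, while the ntpclients/ntpkeygen.py docstring touched in this same commit says the output is ntpkey_AES_<hostname>.<filestamp> with AES (128-bit) keys and that MD5 and SHA-1 need a hand edit. One of the two descriptions is stale; since this is a documentation pass, align this paragraph with the docstring rather than only respelling SHA1.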
@@ -93,7 +93,7 @@ format:
 |====================================================================
 |Field	| Meaning
 |keyno	| Positive integer in the range 1-65,535
-|type	| MD5 or SHA1, type of key
+|type	| Type of key (MD5, SHA-1, AES-CMAC etc.)
 |key	| the actual key, printable ASCII or hex
 |====================================================================
 
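Review bot: in the `type` row, the hyphenated SHA-1 is fine as prose, but this table documents a field of the keys file, so readers will copy the spelling literally. If the parser expects the token without the hyphen (the removed line had SHA1), keep the literal tokens in the table, and replace the open-ended "etc." with the exact list of accepted values.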


=====================================
docs/mode6.adoc
=====================================
@@ -522,11 +522,11 @@ request header fields, then the payload.
 2b. In CMAC mode, a cryptographic hash of the packet header and
 payload with the crypto algorithim using the key.
 
-The cryptographic hash is 16 octets for MD5 and AES and 20 octets for SHA1.
-Longer digests are truncated.
+The cryptographic hash is 16 octets for MD5 ir AES-CMAC and AES and 20
+octets for SHA-1.  Longer digests are truncated.
 
 The key length for AES is 16 bytes.  Longer keys are truncated.  Shorter
-keys are padded with 0s.  MD5 and SHA1 can use any key length.
+keys are padded with 0s.  MD5 and SHA-1 can use any key length.
 
 == Compatibility Notes ==
 
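Review bot: the added line `16 octets for MD5 ir AES-CMAC and AES` has a typo (ir for or) and names AES twice; suggest "16 octets for MD5 or AES-CMAC and 20 octets for SHA-1". While here, `algorithim` in the 2b context line is still misspelled, and the following paragraph says "key length for AES" where the changed sentence now says AES-CMAC.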


=====================================
docs/warp.adoc
=====================================
@@ -197,7 +197,7 @@ are no longer relevant.
 
 Note that NTPsec has entirely dropped conformance with
 https://tools.ietf.org/html/rfc5905[RFC 5906].  Autokey never quite
-qworked, and the design was unstable enough that if there was ever
+worked, and the design was unstable enough that if there was ever
 actually a time when it fully conformed to its RFC that span must have
 been pretty short.
 
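Review bot: the context line just above the fix links `https://tools.ietf.org/html/rfc5905` under the label RFC 5906, so the URL and the label disagree. The sentence is about Autokey, so the link target should be rfc5906; worth fixing in the same pass as the qworked typo.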
@@ -217,7 +217,7 @@ client (mode 3) packets. Mode 2 (Symmetric Passive) is still distinct
 from mode 3 but its only effect is on initial poll interval.
 
 In figure 8 of section 7.3, 128 bits (16 octets, corresponding to an
-MD5 digest) is not the only possible length for the MAC. This was
+MD5 or AES-CMAC digest) is not the only possible length for the MAC. This was
 a pre-NTPsec change present in NTP Classic versions after 2010.
 
 NTPsec conforms to the


=====================================
include/nts.h
=====================================
@@ -14,7 +14,7 @@
 
 /* Configuration data for an NTS association */
 struct ntscfg_t {
-    char *server;
+    char *server;	/* if NUL, use the peer itself (normal case) */
     uint32_t flags;
     uint32_t expire;
 };
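Review bot: the new comment on `server` says "if NUL", but NUL is the zero character and this member is a `char *`; write NULL so it is clear the test is on the pointer and not on an empty string. If an empty string is also meant to select the peer, say so explicitly.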


=====================================
ntpclients/ntpkeygen.py
=====================================
@@ -14,7 +14,7 @@ ntpkey_AES_<hostname>.<filestamp>
 AES (128-bit) keys used to compute CMAC mode authentcation
 using shared key cryptography
 
-The file can be edited by hand to support MD5 and SHA1 for
+The file can be edited by hand to support MD5 and SHA-1 for
 old digest mode authentication.
 '''
 
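Review bot: `authentcation` in the context line three above the change is still misspelled; fix it in the same pass, since this hunk is already editing the docstring.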


=====================================
ntpclients/ntpleapfetch
=====================================
@@ -280,7 +280,7 @@ INTERVAL=$(( $INTERVAL *1 ))
 # #@ number : the NTP date that the file expires
 # Date (seconds since 1900) leaps : leaps is the # of seconds to add for times >= Date
 # Date lines have comments.
-# #h hex hex hex hex hex is the SHA1 checksum of the data & dates, excluding whitespace w/o leading zeroes
+# #h hex hex hex hex hex is the SHA-1 checksum of the data & dates, excluding whitespace w/o leading zeroes
 
 verifySHA1() {
 
@@ -296,7 +296,7 @@ verifySHA1() {
 
     local DATA="`echo \"$RAW\" | sed -e'/^#h/d' -e's/^#[\$@]//g' | tr -d '[:space:]'`"
 
-    # Compute the SHA1 hash of the data, removing the marker and filename
+    # Compute the SHA-1 hash of the data, removing the marker and filename
     # Computed in binary mode, which shouldn't matter since whitespace
     # has been removed
     # shasum/sha1sum comes in several flavors;


=====================================
ntpclients/ntpq.py
=====================================
@@ -746,7 +746,10 @@ usage: ntpversion [version number]
         "set key type to use for authenticated requests"
         if not line:
             self.say("Keytype: %s\n" % self.session.keytype)
-        elif line not in "DSA, MD4, MD5, MDC2, RIPEMD160, SHA1":
+        elif line not in "DSA, MD4, MD5, MDC2, RIPEMD160, SHA-1, AES-CMAC":
+            # Above list is somewhat bogus. All but oldest versions of NTPsec
+            # will cheerfully use any 16- or 20-bit MAC supported by libcrypto;
+            # NTP Classic will probably barf on AES-CMAC.
             self.warn("Keytype %s is not supported by ntpd.\n" % line)
         elif line not in hashlib.algorithms_available:
             self.warn("Keytype %s is not supported by ntpq.\n" % line)
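Review bot: the `elif line not in "DSA, ... SHA-1, AES-CMAC"` test is a substring match on one string, so respelling the entry changes behaviour. `keytype SHA1` is no longer a substring and now gets "not supported by ntpd", while `SHA-1` and `AES-CMAC` pass this test and then fall to the `hashlib.algorithms_available` check, where hashlib's name for the algorithm is sha1 and a CMAC is not a hash at all. Keep the accepted tokens as a tuple or set of the exact names the session code uses, compare with exact membership, and reserve the hyphenated spelling for help text. The new comment also says "16- or 20-bit MAC"; the rest of the commit gives 16 or 20 octets (128 or 160 bits).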
@@ -756,7 +759,7 @@ usage: ntpversion [version number]
     def help_keytype(self):
         self.say("""\
 function: set key type to use for authenticated requests, one of:
-    DSA, MD4, MD5, MDC2, RIPEMD160, SHA1
+    DSA, MD4, MD5, MDC2, RIPEMD160, SHA-1, AES-CMAC
 usage: keytype [digest-name]
 """)
 


=====================================
ntpd/ntp_leapsec.h
=====================================
@@ -28,7 +28,7 @@ typedef struct leap_table leap_table_t;
 
 /* Validate a stream containing a leap second file in the NIST / NTPD
  * format that can also be loaded via 'leapsec_load()'. This uses
- * the SHA1 hash and preprocessing as described in the NIST leapsecond
+ * the SHA-1 hash and preprocessing as described in the NIST leapsecond
  * file.
  */
 #define LSVALID_GOODHASH	1	/* valid signature         */


=====================================
ntpd/ntp_util.c
=====================================
@@ -309,7 +309,7 @@ stats_config(
 	/*
 	 * Read leapseconds file.
 	 *
-	 * Note: Currently a leap file without SHA1 signature is
+	 * Note: Currently a leap file without SHA-1 signature is
 	 * accepted, but if there is a signature line, the signature
 	 * must be valid or the file is rejected.
 	 */
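Review bot: the comment calls the `#h` line a "signature", but the other files in this commit describe it as a SHA-1 hash or checksum of the payload, and nothing here involves a key. Suggest "hash" in both comments in this file, and stating plainly that it only detects corruption: as written, a file with the line removed is accepted, so the check gives no protection against deliberate modification.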
@@ -690,7 +690,7 @@ record_proto_stats(
  * Returns: n/a
  *
  * Note: This loads a new leapfile on the fly. Currently a leap file
- * without SHA1 signature is accepted, but if there is a signature line,
+ * without SHA-1 signature is accepted, but if there is a signature line,
  * the signature must be valid or the file is rejected.
  */
 void


=====================================
pylib/packet.py
=====================================
@@ -131,7 +131,8 @@ direction.
 
 The RFC 5905 diagram is slightly out of date in that the digest header assumes
 a 128-bit (16-octet) MD5 hash, but it is also possible for the field to be a
-160-bit (20-octet) SHA1 hash.
+128-bit AES_CMAC hash or 160-bit (20-octet) SHA-1 hash.  NTPsec will
+support any 128- or 160-bit MAC type in lincrypto.
 
 An extension field consists of a 16-bit network-order type field
 length, followed by a 16-bit network-order payload length in octets,
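Review bot: two slips in the added text: `lincrypto` should be libcrypto, and `AES_CMAC` is spelled AES-CMAC everywhere else in this commit. The added clause gives the octet count for SHA-1 but not for the new entry; "128-bit (16-octet) AES-CMAC" would keep the sentence parallel.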


=====================================
tests/pylib/test_packet.py
=====================================
@@ -243,14 +243,14 @@ class TestSyncPacket(unittest.TestCase):
         except ntpp.SyncException as e:
             errored = e.message
         self.assertEqual(errored, "Packet is a runt")
-        # Test with extension, MD5 or SHA1, 20
+        # Test with extension, MD5 or SHA-1, 20
         mac = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09" \
               "\x0A\x0B\x0C\x0D\x0E\x0F\x10\x11\x12\x13"
         data2 = data + ext + mac
         cls = self.target(data2)
         self.assertEqual(cls.mac, ntp.poly.polybytes(mac))
         self.assertEqual(cls.extension, ntp.poly.polybytes(ext + mac))
-        # Test with extension, MD5 or SHA1, 24
+        # Test with extension, MD5 or SHA-1, 24
         mac += "\x14\x15\x16\x17"
         data2 = data + ext + mac
         cls = self.target(ntp.poly.polybytes(data2))
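Review bot: both comments now read "MD5 or SHA-1" and differ only in the trailing number, so they do not say which algorithm each MAC length is meant to represent, and AES-CMAC, added to the docs elsewhere in this commit, is not mentioned. Suggest naming the case each length exercises.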



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/09a3ecda4802b610fe6d79011ca52581a509a4d1
