[Git][NTPsec/ntpsec][master] 2 commits: Tweaks to NTS server list in docs/NTS-QuickStart.adoc
Hal Murray
gitlab at mg.gitlab.com
Wed Jul 10 10:33:21 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
a8775d3d by Hal Murray at 2019-07-10T06:21:11Z
Tweaks to NTS server list in docs/NTS-QuickStart.adoc
- - - - -
075b7730 by Hal Murray at 2019-07-10T09:44:04Z
Fix cookie length check, Issue #600
- - - - -
2 changed files:
- docs/NTS-QuickStart.adoc
- ntpd/nts_cookie.c
Changes:
=====================================
docs/NTS-QuickStart.adoc
=====================================
@@ -24,15 +24,21 @@ Append the keyword `nts` to the end of your `server`
lines. Do these only for servers that speak NTS. As of
June 2019, the following should work:
+Public NTP servers supporting NTS:
+
+------------------------------------------------------------
+server time.cloudflare.com:1234 nts # TLS1.3 only
+------------------------------------------------------------
+
+Development machines, so there may be gaps in availability:
+
------------------------------------------------------------
server ntpmon.dcs1.biz nts
server pi4.rellim.com nts
server ntp1.glypnod.com nts
server ntp2.glypnod.com nts
-server time.cloudflare.com:1234 nts
------------------------------------------------------------
-These are development machines, so uptime may be gaps in availability.
Note that you must use the same host name that was used to create
the server's certificate. IP Addresses will not work.
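Review bot: The unchanged lead-in "As of June 2019, the following should work:" now runs straight into the added "Public NTP servers supporting NTS:" heading, so "the following" no longer introduces a single list, and the date predates this July change. Suggest rewording the lead-in to cover both lists and refreshing the date. The trailing "# TLS1.3 only" on the time.cloudflare.com line would also read better as a sentence above the block that says what the client side needs, since readers are likely to copy the server line as-is.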
=====================================
ntpd/nts_cookie.c
=====================================
@@ -55,7 +55,7 @@
* 64 => 512
*/
-/* Max length:
+/* NTS_MAX_COOKIELEN:
* 4 I
* 16 N
* 16 CMAC
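Review bot: Relabeling this table from "Max length:" to "NTS_MAX_COOKIELEN:" suggests the listed fields sum to the constant, but the table totals 168 and the comment added just below says the #define is rounded up from that. Suggest a heading that names what the table is, for example "Cookie layout (max length of our cookies):", and mentioning NTS_MAX_COOKIELEN only where the rounding is explained.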
@@ -64,6 +64,10 @@
* 64 S2C NTS_MAX_KEYLEN
* ------
* 168
+ *
+ * That's the max length for our cookies.
+ * Round up a bit in case another implementation uses more.
+ * #define is in include/nts.h
*/
/* cookies use same AEAD algorithms as wire */
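Review bot: The added comment says to "Round up a bit" and points at include/nts.h, but it never states the value chosen, so a reader of this file cannot see how much margin there is over 168. Suggest quoting the actual value here, or adding a compile-time check next to the #define that the 168-byte layout fits, so the comment and the constant cannot drift apart.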
@@ -263,7 +267,7 @@ int nts_make_cookie(uint8_t *cookie,
nts_cookie_make++;
- INSIST(keylen < NTS_MAX_KEYLEN);
+ INSIST(keylen <= NTS_MAX_KEYLEN);
/* collect plaintext
* separate buffer avoids encrypt in place
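Review bot: The relaxed bound in "INSIST(keylen <= NTS_MAX_KEYLEN);" matches the layout table, where C2S and S2C are each allowed the full NTS_MAX_KEYLEN of 64 bytes, but an oversized key is still handled by an assertion inside a function that returns int. If keylen can ever depend on a negotiated algorithm or other external input, consider returning an error to the caller instead. A short comment stating that a key of exactly NTS_MAX_KEYLEN bytes is valid would also record why "<" was wrong (Issue #600).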
@@ -314,7 +318,7 @@ int nts_make_cookie(uint8_t *cookie,
}
used += left;
- INSIST(used < NTS_MAX_COOKIELEN);
+ INSIST(used <= NTS_MAX_COOKIELEN);
return used;
}
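Review bot: "INSIST(used <= NTS_MAX_COOKIELEN);" sits after "used += left;" and immediately before "return used;", so it only runs once the cookie has been assembled and would report an overrun after the fact rather than prevent one. Suggest checking the expected total before writing into cookie, ideally against a buffer length passed in by the caller, and keeping this assertion as a final sanity check.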
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/bf123f62a4f2cb0b20fc4fba31bb0c4ca262a9d9...075b77303c0a8565cc48a8545a79f711756c33ed