[Git][NTPsec/ntpsec][master] 10 commits: Various NTS cleanups
Hal Murray
gitlab at mg.gitlab.com
Fri Mar 1 10:07:36 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
1da64d5c by Hal Murray at 2019-02-27T10:20:31Z
Various NTS cleanups
- - - - -
fb1c7e61 by Hal Murray at 2019-02-27T10:23:24Z
Rename ntpd/ntp_extens.c -> ntpd/nts_extens.c
It only knows about the NTS extensions.
- - - - -
c74eca0e by Hal Murray at 2019-02-28T03:16:20Z
NTS: tweaks to error logging, buffer sizes
- - - - -
19188742 by Hal Murray at 2019-02-28T04:31:10Z
Implement TCP/TLS timeouts (at last)
- - - - -
83314948 by Hal Murray at 2019-02-28T10:45:10Z
Add counters for bad path for NTS-KE client and server
- - - - -
fe973a5d by Hal Murray at 2019-02-28T18:24:25Z
Remove a couple of trailing tabs
- - - - -
dc7bac47 by Hal Murray at 2019-02-28T18:28:24Z
Switch to extension types that Martin Langer is using
- - - - -
d80d7908 by Hal Murray at 2019-02-28T18:40:49Z
Remove skeletons of unused routines
- - - - -
af41b1b6 by Hal Murray at 2019-03-01T10:01:26Z
NTS documentation tweaks
- - - - -
4456e91e by Hal Murray at 2019-03-01T10:04:35Z
NTS now talks to Martin Langer's server.
NTS-KE lengths are body-length
NTP extension lengths include the header word too.
- - - - -
15 changed files:
- INSTALL
- devel/TODO-NTS
- docs/includes/auth-commands.adoc
- include/ntpd.h
- include/nts.h
- ntpclients/ntpq.py
- ntpd/ntp_control.c
- ntpd/ntp_proto.c
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_cookie.c
- ntpd/ntp_extens.c → ntpd/nts_extens.c
- ntpd/nts_server.c
- ntpd/wscript
- tests/ntpd/nts.c
Changes:
=====================================
INSTALL
=====================================
@@ -17,9 +17,8 @@ There are some prerequisites. Libraries need the binary installed
to run and in addition, the development headers installed to build.
We need pthreads (It's optional in POSIX)
-We need OpenSSL >= 1.1.1 ???
-We need libaes_siv - it's not in OpenSSL yet
- https://github.com/dfoxfranke/libaes_siv
+We need OpenSSL >= 1.0.1
+NTS needs TLS1.2 or newer.
=== The short version ===
@@ -46,11 +45,6 @@ huge tail of dependencies and you probably don't want it unless you're
planning to modify the documentation. psutil may require different
packages depending on whether your base Python version is 2 or 3.
-As of February 2019 libaes_siv is not yet packaged anywhere. You
-will need to install it by hand. At some point it will probably
-land in libcrypto, and some time after that this paragraph
-will disappear.
-
=== Details ===
Python 2.x, x >= 6, or Python 3.x, x >= 3::
=====================================
devel/TODO-NTS
=====================================
@@ -2,6 +2,8 @@ multithread msyslog
security level
+thread per instance on NTS-KE server
+
documentation:
HOWTO on NTS
HOWTO on certificates
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -80,17 +80,20 @@ The options are as follows:
The following options of the +server+ command configure NTS.
+nts+::
- Use Network Time Security for authentication and encryption.
- Request key exchange from the NTP server. If there is an NTS
- key service running in the same host as the NTP server adding this
- option is normally all you need to do.
+ Use Network Time Security (NTS) for authentication. Normally,
+ this is all you have to do to activate the client side of NTS.
+
+ The hostname following the +server+ command is used as the address
+ of the NTS key exchange server (NTS-KE) rather than the address
+ of a NTP server. The NTS-KE exchange defaults to using the same
+ IP Address for the NTP server.
-Note that the server name must match the name on the certificate.
-That is probably a FQDN rather than a short alias that you would
-probably use to talk to an internal server.
+ Note that the server name must match the name on the certificate.
+ That is probably a FQDN rather than a short alias that you would
+ probably use to talk to an internal server.
+ask+ _address_::
- Use Network Time Security for authentication and encryption. Ask
+ Use Network Time Security for authentication. Ask
for a specific NTS server, which may differ from the NTP server.
Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
a URI: that is, the _address_ may be a hostname, an FQDN, an IPv4
=====================================
include/ntpd.h
=====================================
@@ -447,13 +447,7 @@ void nts_init(void); /* Before sandbox() */
void nts_init2(void); /* After sandbox() */
bool nts_probe(struct peer *peer);
bool nts_check(struct peer *peer);
-int nts_client_ke_request(struct ntscfg_t *);
-int nts_server_ke_verify(struct ntscfg_t *);
-int nts_client_ke_verify(struct ntscfg_t *, struct ntsclient_t *);
+
int nts_daily(struct ntscfg_t *);
-int nts_validate(const struct ntscfg_t *, struct ntsclient_t *,
- struct parsed_pkt *);
-int nts_decorate(const struct ntscfg_t *, struct ntsclient_t *,
- uint8_t *, size_t);
#endif /* GUARD_NTPD_H */
=====================================
include/nts.h
=====================================
@@ -8,12 +8,15 @@
#include <stdint.h>
#include <openssl/ssl.h>
+#define NTS_KE_TIMEOUT 3
+
#define NTS_MAX_KEYLEN 64 /* used in cookies */
#define NTS_MAX_COOKIELEN 192 /* see nts_cookie.c */
#define NTS_MAX_COOKIES 8 /* RFC 4.1.6 */
#define NTS_UID_LENGTH 32 /* RFC 5.3 */
#define NTS_UID_MAX_LENGTH 64
+
/* Client side configuration data for an NTS association */
/* part of peer struct */
struct ntscfg_t {
@@ -23,14 +26,6 @@ struct ntscfg_t {
uint32_t expire;
};
-/* We are using AEAD_AES_SIV_CMAC_256, from RFC 5297 */
-#define IANA_AEAD_AES_SIV_CMAC_256 15
-#define IANA_AEAD_AES_SIV_CMAC_384 16
-#define IANA_AEAD_AES_SIV_CMAC_512 17
-#define AEAD_AES_SIV_CMAC_256_KEYLEN 32
-#define AEAD_AES_SIV_CMAC_384_KEYLEN 48
-#define AEAD_AES_SIV_CMAC_512_KEYLEN 64
-
/* Client-side state per connection to server */
struct ntsclient_t {
/* wire connection */
@@ -70,6 +65,19 @@ struct ntsconfig_t {
const char *ca; /* root cert dir/file */
};
+
+/* Only valid for AEAD_AES_SIV_CMAC_nnn
+ * but that's all we use. */
+#define AEAD_CMAC_LNG 16
+
+/* We are using AEAD_AES_SIV_CMAC_256, from RFC 5297 */
+#define IANA_AEAD_AES_SIV_CMAC_256 15
+#define IANA_AEAD_AES_SIV_CMAC_384 16
+#define IANA_AEAD_AES_SIV_CMAC_512 17
+#define AEAD_AES_SIV_CMAC_256_KEYLEN 32
+#define AEAD_AES_SIV_CMAC_384_KEYLEN 48
+#define AEAD_AES_SIV_CMAC_512_KEYLEN 64
+
/* NTS protocol constants */
#define NTS_CRITICAL 0x8000
@@ -140,7 +148,7 @@ bool nts_load_ciphers(SSL_CTX *ctx);
bool nts_load_versions(SSL_CTX *ctx);
int nts_get_key_length(int aead);
-bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen);
+bool nts_make_keys(SSL *ssl, int aead, uint8_t *c2s, uint8_t *s2c, int keylen);
int nts_make_cookie(uint8_t *cookie,
uint16_t aead,
@@ -153,42 +161,47 @@ bool nts_unpack_cookie(uint8_t *cookie, int cookielen,
/* buffer packing/unpacking routines.
- * These aren't NTS specific, but I'll put them here for now.
- * They work with NTP extensions and NTS-KE data streams.
- * names should probably be changed too
+ * NB: The length field in NTP extensions includes the header
+ * while the length field in NTS-KE data streams does not.
+ *
+ * These routines do not handle padding. NTS-KE has no padding.
* NTP extensions are padded to word (4 byte) boundaries.
- * NTS-KE has no padding.
- * Maybe versions with padding should have names starting with ntp_?
- * and use extn rather than record
+ *
* Note that data on the wire is big endian.
* buffer is wire format, not host format.
- * Hal, 2019-Feb-09
*/
/* working finger into a buffer - updated by append/unpack routines */
struct BufCtl_t {
uint8_t *next; /* pointer to next data/space */
- int left; /* data left or space available */
+ int left; /* data left or space available */
};
typedef struct BufCtl_t BufCtl;
-/* maybe should return bool to indicate overflow */
-/* nts_append_record_foo makes whole record with one foo */
-/* ntp_append_foo appends foo to existing partial record */
-void nts_append_record_null(BufCtl* buf, uint16_t type);
-void nts_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data);
-void nts_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length);
+/* xxx_append_record_foo makes whole record with one foo */
+/* append_foo appends foo to existing partial record */
+void ke_append_record_null(BufCtl* buf, uint16_t type);
+void ke_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data);
+void ke_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length);
+
+void ex_append_record_null(BufCtl* buf, uint16_t type);
+void ex_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data);
+void ex_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length);
+
+void ex_append_header(BufCtl* buf, uint16_t type, uint16_t length);
+void append_header(BufCtl* buf, uint16_t type, uint16_t length);
+void append_uint16(BufCtl* buf, uint16_t data);
+void append_bytes(BufCtl* buf, uint8_t *data, int length);
+
+uint16_t ke_next_record(BufCtl* buf, int *length);
+uint16_t ex_next_record(BufCtl* buf, int *length); /* body length */
+uint16_t next_uint16(BufCtl* buf);
+uint16_t next_bytes(BufCtl* buf, uint8_t *data, int length);
-void nts_append_header(BufCtl* buf, uint16_t type, uint16_t length);
-void nts_append_uint16(BufCtl* buf, uint16_t data);
-void nts_append_bytes(BufCtl* buf, uint8_t *data, int length);
-uint16_t nts_next_record(BufCtl* buf, int *length);
-uint16_t nts_next_uint16(BufCtl* buf);
-uint16_t nts_next_bytes(BufCtl* buf, uint8_t *data, int length);
-/* NTS-related system variables */
+/* NTS-related system variables visible via ntpq -c nts */
extern uint64_t nts_client_send;
extern uint64_t nts_client_recv;
extern uint64_t nts_client_recv_bad;
@@ -197,6 +210,8 @@ extern uint64_t nts_server_recv;
extern uint64_t nts_server_recv_bad;
extern uint64_t nts_server_recv_bad;
extern uint64_t nts_ke_serves;
+extern uint64_t nts_ke_serves_bad;
extern uint64_t nts_ke_probes;
+extern uint64_t nts_ke_probes_bad;
#endif /* GUARD_NTS_H */
=====================================
ntpclients/ntpq.py
=====================================
@@ -1498,7 +1498,9 @@ usage: authinfo
("nts_server_recv_bad", "NTS server recvs w error: ", NTP_INT),
("nts_server_send", "NTS server sends: ", NTP_INT),
("nts_ke_probes", "NTS KE probes: ", NTP_INT),
+ ("nts_ke_probes_bad", "NTS KE probes_bad: ", NTP_INT),
("nts_ke_serves", "NTS KE serves: ", NTP_INT),
+ ("nts_ke_serves_bad", "NTS KE serves_bad: ", NTP_INT),
)
self.collect_display(associd=0, variables=ntsinfo, decodestatus=False)
=====================================
ntpd/ntp_control.c
=====================================
@@ -358,8 +358,12 @@ static const struct ctl_var sys_var[] = {
{ CS_nts_server_recv_bad, RO, "nts_server_recv_bad" },
#define CS_nts_ke_serves 112
{ CS_nts_ke_serves, RO, "nts_ke_serves" },
-#define CS_nts_ke_probes 113
+#define CS_nts_ke_serves_bad 113
+ { CS_nts_ke_serves_bad, RO, "nts_ke_serves_bad" },
+#define CS_nts_ke_probes 114
{ CS_nts_ke_probes, RO, "nts_ke_probes" },
+#define CS_nts_ke_probes_bad 115
+ { CS_nts_ke_probes_bad, RO, "nts_ke_probes_bad" },
#define CS_MAXCODE ((sizeof(sys_var)/sizeof(sys_var[0])) - 1)
{ 0, EOV, "" }
};
@@ -1971,10 +1975,18 @@ ctl_putsys(
ctl_putuint(sys_var[varid].text, nts_ke_serves);
break;
+ case CS_nts_ke_serves_bad:
+ ctl_putuint(sys_var[varid].text, nts_ke_serves_bad);
+ break;
+
case CS_nts_ke_probes:
ctl_putuint(sys_var[varid].text, nts_ke_probes);
break;
+ case CS_nts_ke_probes_bad:
+ ctl_putuint(sys_var[varid].text, nts_ke_probes_bad);
+ break;
+
default:
/* huh? */
break;
=====================================
ntpd/ntp_proto.c
=====================================
@@ -715,13 +715,13 @@ receive(
if (NULL == peer) {
stat_count.sys_declined++;
break;
- }
+ }
if (rbufp->extens_present
&& !extens_client_recv(peer,
rbufp->recv_buffer, rbufp->recv_length)) {
stat_count.sys_declined++;
break;
- }
+ }
handle_procpkt(rbufp, peer);
stat_count.sys_processed++;
peer->processed++;
=====================================
ntpd/nts.c
=====================================
@@ -31,57 +31,6 @@ struct ntsconfig_t ntsconfig = {
.ca = NULL
};
-/* By design, there is no per-client-side state on the server */
-
-/*
- * Key exchange support.
- */
-
-/*
- * RFC section 4:
- *- Generate KE request message.
- * - Include Record Types:
- * o NTS Next Protocol Negotiation
- * o AEAD Algorithm Negotiation
- * o <NTP Server Negotiation>
- * o End of Message
- */
-int nts_client_ke_request(struct ntscfg_t *cfg)
-{
- UNUSED_ARG(cfg);
- return 0;
-}
-
-/*
- * RFC section 4:
- * - Verify client request message.
- * - Extract TLS key material.
- * - Generate KE response message.
- * - Include Record Types:
- * o NTS Next Protocol Negotiation
- * o AEAD Algorithm Negotiation
- * o NTP Server Negotiation
- * o New Cookie for NTPv4
- * o <New Cookie for NTPv4>
- * o End of Message
- */
-int nts_server_ke_verify(struct ntscfg_t *cfg)
-{
- UNUSED_ARG(cfg);
- return 0;
-}
-
-/*
- * RFC section 4:
- * - Verify server response message
- * - Extract cookie(s).
- */
-int nts_client_ke_verify(struct ntscfg_t *cfg, struct ntsclient_t *state)
-{
- UNUSED_ARG(cfg);
- UNUSED_ARG(state);
- return 0;
-}
/*
* Daily rotation of server-side master keys.
@@ -92,39 +41,6 @@ int nts_daily(struct ntscfg_t *cfg)
return 0;
}
-/* */
-
-/*
- * Extract and validate NTS validation information from packet
- * extension fields in an incoming request or response. On the server
- * side, the ntscfg and state pointers are expected to be NULL as
- * there is no per-client server state. A nonzero return causes the
- * packet to be discarded.
- */
-int nts_validate(const struct ntscfg_t *cfg, struct ntsclient_t *state,
- struct parsed_pkt *pkt)
-{
- UNUSED_ARG(cfg);
- UNUSED_ARG(pkt);
- UNUSED_ARG(state);
- return 0;
-}
-
-/*
- * Decorate an outgoing client request or server response with packet
- * extension fields carrying NTS information. For a server response,
- * the ntscfg and state pointers are expected to be NULL as there
- * is no per-client server state. Return the count of words appended.
- */
-int nts_decorate(const struct ntscfg_t *cfg, struct ntsclient_t *state,
- uint8_t *extdata, size_t extlen)
-{
- UNUSED_ARG(cfg);
- UNUSED_ARG(extdata);
- UNUSED_ARG(extlen);
- UNUSED_ARG(state);
- return 0;
-}
/*****************************************************/
@@ -141,31 +57,55 @@ void nts_log_ssl_error(void) {
/*****************************************************/
-// 2 byte type, 2 byte length
+/* NB: KE length is body length, Extension length includes header. */
+
+/* 2 byte type, 2 byte length */
#define NTS_KE_HDR_LNG 4
#define NTS_KE_U16_LNG 2
/* Troubles with signed/unsigned compares when using sizeof() */
-void nts_append_record_null(BufCtl* buf, uint16_t type) {
- nts_append_header(buf, type, 0);
+void ke_append_record_null(BufCtl* buf, uint16_t type) {
+ append_header(buf, type, 0);
}
-void nts_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data) {
+void ke_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data) {
if (NTS_KE_HDR_LNG+NTS_KE_U16_LNG > buf->left)
return;
- nts_append_header(buf, type, NTS_KE_U16_LNG);
- nts_append_uint16(buf, data);
+ append_header(buf, type, NTS_KE_U16_LNG);
+ append_uint16(buf, data);
}
-void nts_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length) {
+void ke_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length) {
if (NTS_KE_HDR_LNG+length > buf->left)
return;
- nts_append_header(buf, type, length);
- nts_append_bytes(buf, data, length);
+ append_header(buf, type, length);
+ append_bytes(buf, data, length);
+}
+
+void ex_append_record_null(BufCtl* buf, uint16_t type) {
+ append_header(buf, type, NTS_KE_HDR_LNG);
}
-void nts_append_header(BufCtl* buf, uint16_t type, uint16_t length) {
+void ex_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data) {
+ if (NTS_KE_HDR_LNG+NTS_KE_U16_LNG > buf->left)
+ return;
+ append_header(buf, type, NTS_KE_HDR_LNG+NTS_KE_U16_LNG);
+ append_uint16(buf, data);
+}
+
+void ex_append_record_bytes(BufCtl* buf, uint16_t type, uint8_t *data, int length) {
+ if (NTS_KE_HDR_LNG+length > buf->left)
+ return;
+ append_header(buf, type, NTS_KE_HDR_LNG+length);
+ append_bytes(buf, data, length);
+}
+
+void ex_append_header(BufCtl* buf, uint16_t type, uint16_t length) {
+ append_header(buf, type, NTS_KE_HDR_LNG+length);
+}
+
+void append_header(BufCtl* buf, uint16_t type, uint16_t length) {
uint16_t * ptr = (uint16_t *)buf->next;
if (NTS_KE_HDR_LNG > buf->left)
return;
@@ -176,7 +116,7 @@ void nts_append_header(BufCtl* buf, uint16_t type, uint16_t length) {
/* leaves buf pointing to where data will go */
}
-void nts_append_uint16(BufCtl* buf, uint16_t data) {
+void append_uint16(BufCtl* buf, uint16_t data) {
uint16_t * ptr = (uint16_t *)buf->next;
if (NTS_KE_U16_LNG > buf->left)
return;
@@ -185,7 +125,7 @@ void nts_append_uint16(BufCtl* buf, uint16_t data) {
buf->left -= NTS_KE_U16_LNG;
}
-void nts_append_bytes(BufCtl* buf, uint8_t *data, int length) {
+void append_bytes(BufCtl* buf, uint8_t *data, int length) {
if (length > buf->left)
return;
memcpy(buf->next, data, length);
@@ -194,7 +134,7 @@ void nts_append_bytes(BufCtl* buf, uint8_t *data, int length) {
}
/* Reads type and length of the next record, and moves cursor to the data */
-uint16_t nts_next_record(BufCtl* buf, int *length) {
+uint16_t ke_next_record(BufCtl* buf, int *length) {
uint16_t *ptr = (uint16_t *)buf->next;
uint16_t type = ntohs(*ptr++);
*length = ntohs(*ptr++);
@@ -203,8 +143,17 @@ uint16_t nts_next_record(BufCtl* buf, int *length) {
return type;
}
+uint16_t ex_next_record(BufCtl* buf, int *length) {
+ uint16_t *ptr = (uint16_t *)buf->next;
+ uint16_t type = ntohs(*ptr++);
+ *length = ntohs(*ptr++)-NTS_KE_HDR_LNG;
+ buf->next += NTS_KE_HDR_LNG;
+ buf->left -= NTS_KE_HDR_LNG;
+ return type;
+}
+
/* Reads a uint16 from the record and advances to the next data */
-uint16_t nts_next_uint16(BufCtl* buf) {
+uint16_t next_uint16(BufCtl* buf) {
uint16_t *ptr = (uint16_t *)buf->next;
uint16_t data = ntohs(*ptr++);
buf->next += NTS_KE_U16_LNG;
@@ -213,7 +162,7 @@ uint16_t nts_next_uint16(BufCtl* buf) {
}
/* Reads a string of bytes from the record and advances to the next data */
-uint16_t nts_next_bytes(BufCtl* buf, uint8_t *data, int length) {
+uint16_t next_bytes(BufCtl* buf, uint8_t *data, int length) {
memcpy(data, buf->next, length);
buf->next += length;
buf->left -= length;
=====================================
ntpd/nts_client.c
=====================================
@@ -57,7 +57,7 @@ bool nts_client_init(void) {
client_ctx = SSL_CTX_new(TLSv1_2_client_method());
#endif
if (NULL == client_ctx) {
- // ?? Happens on NetBSD - says no ciphers
+ /* Happens if no ciphers */
msyslog(LOG_INFO, "NTSs: NULL client_ctx");
nts_log_ssl_error();
return false;
@@ -72,6 +72,7 @@ bool nts_client_init(void) {
#endif
SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_timeout(client_ctx, NTS_KE_TIMEOUT);
ok &= nts_load_versions(client_ctx);
ok &= nts_load_ciphers(client_ctx);
@@ -79,19 +80,14 @@ bool nts_client_init(void) {
if (!ok) {
msyslog(LOG_ERR, "NTSc: Troubles setting up client SSL CTX");
- if (1) {
- msyslog(LOG_ERR, "NTSc: Maybe should bail."); // FIXME
- return true;
- }
- SSL_CTX_free(client_ctx);
- client_ctx = NULL;
- return false;
+ exit(1);
};
return true;
}
bool nts_probe(struct peer * peer) {
+ struct timeval timeout = {.tv_sec = NTS_KE_TIMEOUT, .tv_usec = 0};
SSL *ssl;
int server = 0;
@@ -102,8 +98,12 @@ bool nts_probe(struct peer * peer) {
addrOK = false;
server = open_TCP_socket(peer->hostname);
- if (-1 == server)
+ if (-1 == server) {
+ nts_ke_probes_bad++;
return false;
+ }
+
+ setsockopt(server, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
// FIXME
// Not much error checking yet.
@@ -112,7 +112,6 @@ bool nts_probe(struct peer * peer) {
ssl = SSL_new(client_ctx);
SSL_set_fd(ssl, server);
- // SSL_set_timeout(SSL_get_session(ssl), 2); // FIXME
if (1 != SSL_connect(ssl)) {
msyslog(LOG_INFO, "NTSc: SSL_connect failed");
nts_log_ssl_error();
@@ -144,6 +143,7 @@ bool nts_probe(struct peer * peer) {
if (0 == peer->nts_state.keylen)
goto bail; /* unknown AEAD algorithm */
nts_make_keys(ssl,
+ peer->nts_state.aead,
peer->nts_state.c2s,
peer->nts_state.s2c,
peer->nts_state.keylen);
@@ -151,6 +151,8 @@ bool nts_probe(struct peer * peer) {
addrOK = true;
bail:
+ if (!addrOK)
+ nts_ke_probes_bad++;
SSL_shutdown(ssl);
SSL_free(ssl);
close(server);
@@ -257,7 +259,9 @@ bool check_certificate(struct peer* peer, SSL *ssl) {
if (NULL == cert) {
msyslog(LOG_INFO, "NTSc: No certificate");
- return false;
+ if (!(FLAG_NTS_NOVAL & peer->cfg.flags))
+ return false;
+ return true;
} else {
X509_NAME *certname;
char name[200];
@@ -281,8 +285,7 @@ bool check_certificate(struct peer* peer, SSL *ssl) {
return true;
}
-// FIXME - context shouldn't be magic
-bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen) {
+bool nts_make_keys(SSL *ssl, int aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
// char *label = "EXPORTER-network-time-security/1";
// Subject: [Ntp] [NTS4NTP] info for NTS developers
// From: Martin Langer <mart.langer at ostfalia.de>
@@ -291,6 +294,8 @@ bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen) {
// bug in OpenSSL 1.1.1a
const char *label = "EXPORTER-nts/1";
unsigned char context[5] = {0x00, 0x00, 0x00, 0x0f, 0x00};
+ context[2] = (aead >> 8) & 0xFF;
+ context[3] = aead & 0xFF;
if (1 != SSL_export_keying_material(ssl, c2s, keylen,
label, strlen(label),
context, 5, 1)) {
@@ -320,14 +325,14 @@ bool nts_client_send_request(struct peer* peer, SSL *ssl) {
buf.left = sizeof(buff);
/* 4.1.2 Next Protocol, 0 for NTP */
- nts_append_record_uint16(&buf, NTS_CRITICAL+nts_next_protocol_negotiation, 0);
+ ke_append_record_uint16(&buf, NTS_CRITICAL+nts_next_protocol_negotiation, 0);
/* 4.1.5 AEAD Algorithm List
- * AEAD_AES_SIV_CMAC_256 is the only one for now */
- nts_append_record_uint16(&buf, nts_algorithm_negotiation, AEAD_AES_SIV_CMAC_256);
+ * AEAD_AES_SIV_CMAC_256 is the only one for now */ // FIXME
+ ke_append_record_uint16(&buf, nts_algorithm_negotiation, AEAD_AES_SIV_CMAC_256);
/* 4.1.1: End, Critical */
- nts_append_record_null(&buf, NTS_CRITICAL+nts_end_of_message);
+ ke_append_record_null(&buf, NTS_CRITICAL+nts_end_of_message);
used = sizeof(buff)-buf.left;
if (used >= (int)(sizeof(buff)-10)) {
@@ -338,19 +343,21 @@ bool nts_client_send_request(struct peer* peer, SSL *ssl) {
transferred = SSL_write(ssl, buff, used);
if (used != transferred) {
msyslog(LOG_ERR, "NTSc: write failed: %d, %d, %m", used, transferred);
+ nts_log_ssl_error();
return false;
}
return true;
}
bool nts_client_process_response(struct peer* peer, SSL *ssl) {
- uint8_t buff[2000];
+ uint8_t buff[2048]; /* RFC 4. says SHOULD be 65K */
int transferred, idx;
struct BufCtl_t buf;
transferred = SSL_read(ssl, buff, sizeof(buff));
if (0 > transferred) {
msyslog(LOG_ERR, "NTSc: read failed: %d, %m", transferred);
+ nts_log_ssl_error();
return false;
}
msyslog(LOG_ERR, "NTSc: read %d bytes", transferred);
@@ -368,7 +375,7 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
bool critical = false;
int length;
- type = nts_next_record(&buf, &length);
+ type = ke_next_record(&buf, &length);
if (NTS_CRITICAL & type) {
critical = true;
type &= ~NTS_CRITICAL;
@@ -377,13 +384,13 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
msyslog(LOG_ERR, "NTSc: Record: T=%d, L=%d, C=%d", type, length, critical);
switch (type) {
case nts_error:
- data = nts_next_uint16(&buf);
+ data = next_uint16(&buf);
if (sizeof(data) != length)
msyslog(LOG_ERR, "NTSc: wrong length on error: %d", length);
msyslog(LOG_ERR, "NTSc: error: %d", data);
return false;
case nts_next_protocol_negotiation:
- data = nts_next_uint16(&buf);
+ data = next_uint16(&buf);
if ((sizeof(data) != length) || (data != 0)) {
msyslog(LOG_ERR, "NTSc: NPN-Wrong length or bad data: %d, %d",
length, data);
@@ -391,7 +398,7 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
}
break;
case nts_algorithm_negotiation:
- data = nts_next_uint16(&buf);
+ data = next_uint16(&buf);
if ((sizeof(data) != length) || (data != AEAD_AES_SIV_CMAC_256)) {
msyslog(LOG_ERR, "NTSc: AN-Wrong length or bad data: %d, %d",
length, data);
@@ -416,7 +423,7 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
msyslog(LOG_ERR, "NTSc: Extra cookie ignored.");
break;
}
- nts_next_bytes(&buf, (uint8_t*)&peer->nts_state.cookies[idx], length);
+ next_bytes(&buf, (uint8_t*)&peer->nts_state.cookies[idx], length);
peer->nts_state.writeIdx++;
peer->nts_state.writeIdx = peer->nts_state.writeIdx % NTS_MAX_COOKIES;
peer->nts_state.count++;
=====================================
ntpd/nts_cookie.c
=====================================
@@ -151,8 +151,6 @@ int nts_make_cookie(uint8_t *cookie,
RAND_bytes(finger, NONCE_LENGTH);
finger += NONCE_LENGTH;
- // require(AD_LENGTH==finger-cookie);
-
used = finger-cookie;
left = NTS_MAX_COOKIELEN-used;
=====================================
ntpd/ntp_extens.c → ntpd/nts_extens.c
=====================================
@@ -37,13 +37,15 @@ uint64_t nts_server_send = 0;
uint64_t nts_server_recv = 0;
uint64_t nts_server_recv_bad = 0;
uint64_t nts_ke_serves = 0;
+uint64_t nts_ke_serves_bad = 0;
uint64_t nts_ke_probes = 0;
+uint64_t nts_ke_probes_bad = 0;
enum NtpExtFieldType {
- Unique_Identifier = 10,
- NTS_Cookie = 11,
- NTS_Cookie_Placeholder = 12,
- NTS_AEEF = 13 /* Authenticated and Encrypted Extension Fields */
+ Unique_Identifier = 0x104,
+ NTS_Cookie = 0x204,
+ NTS_Cookie_Placeholder = 0x304,
+ NTS_AEEF = 0x404 /* Authenticated and Encrypted Extension Fields */
};
AES_SIV_CTX* wire_ctx = NULL; /* need one per thread */
@@ -71,12 +73,12 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
/* UID */
RAND_bytes(peer->nts_state.UID, NTS_UID_LENGTH);
- nts_append_record_bytes(&buf, Unique_Identifier,
+ ex_append_record_bytes(&buf, Unique_Identifier,
peer->nts_state.UID, NTS_UID_LENGTH);
/* cookie */
idx = peer->nts_state.readIdx++;
- nts_append_record_bytes(&buf, NTS_Cookie,
+ ex_append_record_bytes(&buf, NTS_Cookie,
peer->nts_state.cookies[idx], peer->nts_state.cookielen);
peer->nts_state.readIdx = peer->nts_state.readIdx % NTS_MAX_COOKIES;
peer->nts_state.count--;
@@ -84,7 +86,7 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
// Need more cookies?
for (int i=peer->nts_state.count+1; i<NTS_MAX_COOKIES; i++) {
- nts_append_header(&buf, NTS_Cookie_Placeholder, peer->nts_state.cookielen);
+ ex_append_header(&buf, NTS_Cookie_Placeholder, peer->nts_state.cookielen);
memset(buf.next, 0, peer->nts_state.cookielen);
buf.next += peer->nts_state.cookielen;
buf.left -= peer->nts_state.cookielen;
@@ -92,9 +94,9 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
/* AEAD */
adlength = buf.next-packet;
- nts_append_header(&buf, NTS_AEEF, NTP_EX_U16_LNG*2+NONCE_LENGTH+CMAC_LENGTH);
- nts_append_uint16(&buf, NONCE_LENGTH);
- nts_append_uint16(&buf, CMAC_LENGTH);
+ ex_append_header(&buf, NTS_AEEF, NTP_EX_U16_LNG*2+NONCE_LENGTH+CMAC_LENGTH);
+ append_uint16(&buf, NONCE_LENGTH);
+ append_uint16(&buf, CMAC_LENGTH);
nonce = buf.next;
RAND_bytes(nonce, NONCE_LENGTH);
buf.next += NONCE_LENGTH;
@@ -147,7 +149,7 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
uint8_t *nonce, *cmac;
bool ok;
- type = nts_next_record(&buf, &length);
+ type = ex_next_record(&buf, &length);
if (length&3 || length > buf.left || length < 0)
return false;
if (NTS_CRITICAL & type) {
@@ -159,7 +161,7 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
if (length > NTS_UID_MAX_LENGTH)
return false;
ntspacket->uidlen = length;
- nts_next_bytes(&buf, ntspacket->UID, length);
+ next_bytes(&buf, ntspacket->UID, length);
break;
case NTS_Cookie:
if (sawcookie)
@@ -189,8 +191,8 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
/* Additional data is up to this exten. */
/* backup over header */
adlength = buf.next-NTP_EX_HDR_LNG-pkt;
- noncelen = nts_next_uint16(&buf);
- cmaclen = nts_next_uint16(&buf);
+ noncelen = next_uint16(&buf);
+ cmaclen = next_uint16(&buf);
if (noncelen & 3)
return false; /* would require padding */
if (CMAC_LENGTH != cmaclen)
@@ -256,7 +258,7 @@ int extens_server_send(struct ntspacket_t *ntspacket, struct pkt *xpkt) {
/* UID */
if (0 < ntspacket->uidlen)
- nts_append_record_bytes(&buf, Unique_Identifier,
+ ex_append_record_bytes(&buf, Unique_Identifier,
ntspacket->UID, ntspacket->uidlen);
adlength = buf.next-packet; /* up to here is Additional Data */
@@ -265,9 +267,9 @@ int extens_server_send(struct ntspacket_t *ntspacket, struct pkt *xpkt) {
plainleng = ntspacket->needed*(NTP_EX_HDR_LNG+cookielen);
/* length of whole AEEF header */
aeadlen = NTP_EX_U16_LNG*2+NONCE_LENGTH+CMAC_LENGTH + plainleng;
- nts_append_header(&buf, NTS_AEEF, aeadlen);
- nts_append_uint16(&buf, NONCE_LENGTH);
- nts_append_uint16(&buf, plainleng);
+ ex_append_header(&buf, NTS_AEEF, aeadlen);
+ append_uint16(&buf, NONCE_LENGTH);
+ append_uint16(&buf, plainleng);
nonce = buf.next;
RAND_bytes(nonce, NONCE_LENGTH);
@@ -280,12 +282,12 @@ int extens_server_send(struct ntspacket_t *ntspacket, struct pkt *xpkt) {
buf.left -= CMAC_LENGTH;
plaintext = buf.next; /* encrypt in place */
- nts_append_record_bytes(&buf, NTS_Cookie,
+ ex_append_record_bytes(&buf, NTS_Cookie,
cookie, cookielen);
for (int i=1; i<ntspacket->needed; i++) {
nts_make_cookie(cookie, ntspacket->aead,
ntspacket->c2s, ntspacket->s2c, ntspacket->keylen);
- nts_append_record_bytes(&buf, NTS_Cookie,
+ ex_append_record_bytes(&buf, NTS_Cookie,
cookie, cookielen);
}
@@ -336,7 +338,7 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
size_t outlen;
bool ok;
- type = nts_next_record(&buf, &length);
+ type = ex_next_record(&buf, &length);
if (length&3 || length > buf.left || length < 0)
return false;
if (NTS_CRITICAL & type) {
@@ -369,8 +371,8 @@ bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng) {
break;
case NTS_AEEF:
adlength = buf.next-NTP_EX_HDR_LNG-pkt; /* backup over header */
- noncelen = nts_next_uint16(&buf);
- outlen = nts_next_uint16(&buf);
+ noncelen = next_uint16(&buf);
+ outlen = next_uint16(&buf);
if (noncelen&3 || outlen&3)
return false; /* else round up */
nonce = buf.next;
=====================================
ntpd/nts_server.c
=====================================
@@ -29,7 +29,7 @@ int nts_ke_port = 123;
static bool nts_load_certificate(SSL_CTX *ctx);
static int create_listener(int port, int family);
static void* nts_ke_listener(void*);
-static void nts_ke_request(SSL *ssl);
+static bool nts_ke_request(SSL *ssl);
static int nts_translate_version(const char *arg);
bool nts_server_init2(void);
@@ -73,7 +73,7 @@ bool nts_server_init(void) {
server_ctx = SSL_CTX_new(TLSv1_2_server_method());
#endif
if (NULL == server_ctx) {
- // ?? Happens on NetBSD - says no ciphers
+ /* Happens if no ciphers */
msyslog(LOG_INFO, "NTSs: NULL server_ctx");
nts_log_ssl_error();
return false;
@@ -127,6 +127,7 @@ bool nts_server_init2(void) {
}
void* nts_ke_listener(void* arg) {
+ struct timeval timeout = {.tv_sec = NTS_KE_TIMEOUT, .tv_usec = 0};
int sock = *(int*)arg;
while(1) {
@@ -144,9 +145,10 @@ void* nts_ke_listener(void* arg) {
}
nts_ke_serves++;
msyslog(LOG_INFO, "NTSs: TCP accept-ed from %s",
- socktoa((sockaddr_u *)&addr));
+ sockporttoa((sockaddr_u *)&addr));
+ setsockopt(client, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
- /* This could/should go in a new thread. */ // FIXME
+ /* For high volume servers, this should go in a new thread. */
ssl = SSL_new(server_ctx);
SSL_set_fd(ssl, client);
@@ -154,18 +156,17 @@ void* nts_ke_listener(void* arg) {
msyslog(LOG_ERR, "NTSs: SSL accept failed");
nts_log_ssl_error();
close(client);
+ nts_ke_serves_bad++;
continue;
}
- SSL_set_timeout(SSL_get_session(ssl), 2); // FIXME
- msyslog(LOG_INFO, "NTSs: SSL accept-ed from %s",
- socktoa((sockaddr_u *)&addr));
- msyslog(LOG_INFO, "NTSs: Using TLS version %s, cipher %s with %d secret bits",
+ msyslog(LOG_INFO, "NTSs: Using %s, %s (%d)",
SSL_get_version(ssl),
SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, NULL));
- nts_ke_request(ssl);
+ if (!nts_ke_request(ssl))
+ nts_ke_serves_bad++;
SSL_shutdown(ssl);
SSL_free(ssl);
@@ -174,8 +175,8 @@ void* nts_ke_listener(void* arg) {
return NULL;
}
-void nts_ke_request(SSL *ssl) {
- uint8_t buff[1000];
+bool nts_ke_request(SSL *ssl) {
+ uint8_t buff[1024]; /* RFC 4. */
int bytes_read, bytes_written;
uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN];
uint8_t cookie[NTS_MAX_COOKIELEN];
@@ -185,8 +186,9 @@ void nts_ke_request(SSL *ssl) {
bytes_read = SSL_read(ssl, buff, sizeof(buff));
if (0 >= bytes_read) {
- msyslog(LOG_INFO, "NTSs: SSL_read error");
- return;
+ msyslog(LOG_INFO, "NTSs: SSL_read error: %m");
+ nts_log_ssl_error();
+ return false;
}
// FIXME Ignore request for now
@@ -195,31 +197,32 @@ void nts_ke_request(SSL *ssl) {
buf.next = buff;
buf.left = sizeof(buff);
keylen = nts_get_key_length(aead);
- nts_make_keys(ssl, c2s, s2c, keylen);
+ nts_make_keys(ssl, aead, c2s, s2c, keylen);
/* 4.1.2 Next Protocol, 0 for NTP */
- nts_append_record_uint16(&buf, NTS_CRITICAL+nts_next_protocol_negotiation, 0);
+ ke_append_record_uint16(&buf, NTS_CRITICAL+nts_next_protocol_negotiation, 0);
/* 4.1.5 AEAD Algorithm List */
- nts_append_record_uint16(&buf, nts_algorithm_negotiation, aead);
+ ke_append_record_uint16(&buf, nts_algorithm_negotiation, aead);
for (int i=0; i<NTS_MAX_COOKIES; i++) {
cookielen = nts_make_cookie(cookie, aead, c2s, s2c, keylen);
- nts_append_record_bytes(&buf, nts_new_cookie, cookie, cookielen);
+ ke_append_record_bytes(&buf, nts_new_cookie, cookie, cookielen);
}
/* 4.1.1: End, Critical */
- nts_append_record_null(&buf, NTS_CRITICAL+nts_end_of_message);
+ ke_append_record_null(&buf, NTS_CRITICAL+nts_end_of_message);
used = sizeof(buff)-buf.left;
bytes_written = SSL_write(ssl, buff, used);
if (bytes_written != used) {
- msyslog(LOG_INFO, "NTSs: SSL_write error");
- return;
+ msyslog(LOG_INFO, "NTSs: SSL_write error: %m");
+ nts_log_ssl_error();
+ return false;
}
msyslog(LOG_INFO, "NTSs: Returned %d bytes", bytes_written);
- return;
+ return true;
}
int create_listener(int port, int family) {
@@ -384,16 +387,16 @@ bool nts_load_certificate(SSL_CTX *ctx) {
key = ntsconfig.key;
if (1 != SSL_CTX_use_certificate_chain_file(ctx, cert)) {
- // FIXME log SSL errors
msyslog(LOG_ERR, "NTSs: can't load certificate (chain) from %s", cert);
+ nts_log_ssl_error();
return false;
} else {
msyslog(LOG_ERR, "NTSs: loaded certificate (chain) from %s", cert);
}
if (1 != SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
- // FIXME log SSL errors
msyslog(LOG_ERR, "NTSs: can't load private key from %s", key);
+ nts_log_ssl_error();
return false;
} else {
msyslog(LOG_ERR, "NTSs: loaded private key from %s", key);
=====================================
ntpd/wscript
=====================================
@@ -52,7 +52,6 @@ def build(ctx):
libntpd_source = [
"ntp_control.c",
- "ntp_extens.c",
"ntp_filegen.c",
"ntp_leapsec.c",
"ntp_monitor.c", # Needed by the restrict code
@@ -63,6 +62,7 @@ def build(ctx):
"nts_server.c",
"nts_client.c",
"nts_cookie.c",
+ "nts_extens.c",
]
ctx(
=====================================
tests/ntpd/nts.c
=====================================
@@ -11,14 +11,14 @@ TEST_SETUP(nts) {}
TEST_TEAR_DOWN(nts) {}
-TEST(nts, nts_append_record_null) {
+TEST(nts, ke_append_record_null) {
// Setup
uint8_t buf[128];
BufCtl cursor;
cursor.next = buf;
cursor.left = 128;
// Run test
- nts_append_record_null(&cursor, 0xFA7E);
+ ke_append_record_null(&cursor, 0xFA7E);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[0], 0xFA);
TEST_ASSERT_EQUAL_UINT8(buf[1], 0x7E);
@@ -28,7 +28,7 @@ TEST(nts, nts_append_record_null) {
TEST_ASSERT_EQUAL_INT(cursor.left, 124);
}
-TEST(nts, nts_append_record_uint16) {
+TEST(nts, ke_append_record_uint16) {
// Test change
// Setup
uint8_t buf[16] = {0, 0, 0, 0, 0, 0, 0, 0,
@@ -37,7 +37,7 @@ TEST(nts, nts_append_record_uint16) {
cursor.next = buf;
cursor.left = 16;
// Run test
- nts_append_record_uint16(&cursor, 0xCAFE, 0x1234);
+ ke_append_record_uint16(&cursor, 0xCAFE, 0x1234);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[0], 0xCA);
TEST_ASSERT_EQUAL_UINT8(buf[1], 0xFE);
@@ -49,14 +49,14 @@ TEST(nts, nts_append_record_uint16) {
// Setup
cursor.left = 0;
// Run test
- nts_append_record_uint16(&cursor, 0xCAFE, 0x1234);
+ ke_append_record_uint16(&cursor, 0xCAFE, 0x1234);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[4], 0);
TEST_ASSERT_POINTERS_EQUAL(cursor.next, &buf[4]);
TEST_ASSERT_EQUAL_INT(cursor.left, 0);
}
-TEST(nts, nts_append_record_bytes) {
+TEST(nts, ke_append_record_bytes) {
// Test change
// Setup
uint8_t buf[16] = {0, 0, 0, 0, 0, 0, 0, 0,
@@ -66,7 +66,7 @@ TEST(nts, nts_append_record_bytes) {
cursor.left = 16;
uint8_t data[6] = {0, 1, 2, 3, 4, 5};
// Run test
- nts_append_record_bytes(&cursor, 0xCAFE, data, 6);
+ ke_append_record_bytes(&cursor, 0xCAFE, data, 6);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[0], 0xCA);
TEST_ASSERT_EQUAL_UINT8(buf[1], 0xFE);
@@ -82,14 +82,14 @@ TEST(nts, nts_append_record_bytes) {
// Setup
cursor.left = 0;
// Run test
- nts_append_record_bytes(&cursor, 0xCAFE, data, 6);
+ ke_append_record_bytes(&cursor, 0xCAFE, data, 6);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[8], 0);
TEST_ASSERT_POINTERS_EQUAL(cursor.next, &buf[8]);
TEST_ASSERT_EQUAL_INT(cursor.left, 0);
}
-TEST(nts, nts_append_header) {
+TEST(nts, append_header) {
// Test change
// Setup
uint8_t buf[16];
@@ -97,7 +97,7 @@ TEST(nts, nts_append_header) {
cursor.next = buf;
cursor.left = 16;
// Run test
- nts_append_header(&cursor, 0xFADE, 0x1234);
+ append_header(&cursor, 0xFADE, 0x1234);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[0], 0xFA);
TEST_ASSERT_EQUAL_UINT8(buf[1], 0xDE);
@@ -110,14 +110,14 @@ TEST(nts, nts_append_header) {
// Setup
cursor.left = 0;
// Run test
- nts_append_header(&cursor, 0xFEED, 0xABCD);
+ append_header(&cursor, 0xFEED, 0xABCD);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[4], 0);
TEST_ASSERT_POINTERS_EQUAL(cursor.next, &buf[4]);
TEST_ASSERT_EQUAL_INT(cursor.left, 0);
}
-TEST(nts, nts_append_uint16) {
+TEST(nts, append_uint16) {
// Test change
// Setup
uint8_t buf[16] = {0, 0, 0, 0, 0, 0, 0, 0,
@@ -126,7 +126,7 @@ TEST(nts, nts_append_uint16) {
cursor.next = buf;
cursor.left = 16;
// Run test
- nts_append_uint16(&cursor, 0x1234);
+ append_uint16(&cursor, 0x1234);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[0], 0x12);
TEST_ASSERT_EQUAL_UINT8(buf[1], 0x34);
@@ -136,14 +136,14 @@ TEST(nts, nts_append_uint16) {
// Setup
cursor.left = 0;
// Run test
- nts_append_uint16(&cursor, 0x5678);
+ append_uint16(&cursor, 0x5678);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[2], 0);
TEST_ASSERT_POINTERS_EQUAL(cursor.next, &buf[2]);
TEST_ASSERT_EQUAL_INT(cursor.left, 0);
}
-TEST(nts, nts_append_bytes) {
+TEST(nts, append_bytes) {
// Test change
// Setup
uint8_t buf[16] = {0, 0, 0, 0, 0, 0, 0, 0,
@@ -153,7 +153,7 @@ TEST(nts, nts_append_bytes) {
cursor.left = 16;
uint8_t data[6] = {0, 1, 2, 3, 4, 5};
// Run test
- nts_append_bytes(&cursor, data, 6);
+ append_bytes(&cursor, data, 6);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[0], 0);
TEST_ASSERT_EQUAL_UINT8(buf[1], 1);
@@ -167,14 +167,14 @@ TEST(nts, nts_append_bytes) {
// Setup
cursor.left = 0;
// Run test
- nts_append_bytes(&cursor, data, 6);
+ append_bytes(&cursor, data, 6);
// Check
TEST_ASSERT_EQUAL_UINT8(buf[6], 0);
TEST_ASSERT_POINTERS_EQUAL(cursor.next, &buf[6]);
TEST_ASSERT_EQUAL_INT(cursor.left, 0);
}
-TEST(nts, nts_next_record) {
+TEST(nts, ke_next_record) {
// Setup
uint8_t buf[16] = {0xFA, 0xCE, 0, 4, 0xFF, 0xEE, 0xDD, 0xCC,
0, 0, 0, 0, 0, 0, 0, 0};
@@ -184,7 +184,7 @@ TEST(nts, nts_next_record) {
int length;
uint16_t type;
// Run test
- type = nts_next_record(&cursor, &length);
+ type = ke_next_record(&cursor, &length);
// Check
TEST_ASSERT_EQUAL_INT(length, 4);
TEST_ASSERT_EQUAL_INT(type, 0xFACE);
@@ -192,7 +192,7 @@ TEST(nts, nts_next_record) {
TEST_ASSERT_EQUAL_INT(cursor.left, 12);
}
-TEST(nts, nts_next_uint16) {
+TEST(nts, next_uint16) {
// Setup
uint8_t buf[16] = {0xFA, 0xCE, 0, 4, 0xFF, 0xEE, 0xDD, 0xCC,
0, 0, 0, 0, 0, 0, 0, 0};
@@ -201,14 +201,14 @@ TEST(nts, nts_next_uint16) {
cursor.left = 16;
uint16_t data;
// Run test
- data = nts_next_uint16(&cursor);
+ data = next_uint16(&cursor);
// Check
TEST_ASSERT_EQUAL_UINT8(data, 0xFACE);
TEST_ASSERT_POINTERS_EQUAL(cursor.next, &buf[2]);
TEST_ASSERT_EQUAL_INT(cursor.left, 14);
}
-TEST(nts, nts_next_bytes) {
+TEST(nts, next_bytes) {
// Setup
uint8_t buf[16] = {0xFA, 0xCE, 0, 4, 0xFF, 0xEE, 0xDD, 0xCC,
0, 0, 0, 0, 0, 0, 0, 0};
@@ -218,7 +218,7 @@ TEST(nts, nts_next_bytes) {
uint8_t data[8];
uint16_t length;
// Run test
- length = nts_next_bytes(&cursor, data, 8);
+ length = next_bytes(&cursor, data, 8);
// Check
TEST_ASSERT_EQUAL_INT(length, 8);
TEST_ASSERT_EQUAL_UINT8(data[0], 0xFA);
@@ -234,13 +234,13 @@ TEST(nts, nts_next_bytes) {
}
TEST_GROUP_RUNNER(nts) {
- RUN_TEST_CASE(nts, nts_append_record_null);
- RUN_TEST_CASE(nts, nts_append_record_uint16);
- RUN_TEST_CASE(nts, nts_append_record_bytes);
- RUN_TEST_CASE(nts, nts_append_header);
- RUN_TEST_CASE(nts, nts_append_uint16);
- RUN_TEST_CASE(nts, nts_append_bytes);
- RUN_TEST_CASE(nts, nts_next_record);
- RUN_TEST_CASE(nts, nts_next_uint16);
- RUN_TEST_CASE(nts, nts_next_bytes);
+ RUN_TEST_CASE(nts, ke_append_record_null);
+ RUN_TEST_CASE(nts, ke_append_record_uint16);
+ RUN_TEST_CASE(nts, ke_append_record_bytes);
+ RUN_TEST_CASE(nts, append_header);
+ RUN_TEST_CASE(nts, append_uint16);
+ RUN_TEST_CASE(nts, append_bytes);
+ RUN_TEST_CASE(nts, ke_next_record);
+ RUN_TEST_CASE(nts, next_uint16);
+ RUN_TEST_CASE(nts, next_bytes);
}
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/1d101eada1c4e30975fe4ad8c519f2665a3f3b70...4456e91e7c3ffb89ad19f49b514c55d82f677ec1
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/1d101eada1c4e30975fe4ad8c519f2665a3f3b70...4456e91e7c3ffb89ad19f49b514c55d82f677ec1
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20190301/86e13d37/attachment-0001.html>
More information about the vc
mailing list