From gitlab at mg.gitlab.com Mon Dec 8 21:48:41 2025 From: gitlab at mg.gitlab.com (Hal Murray (@hal.murray)) Date: Mon, 08 Dec 2025 21:48:41 +0000 Subject: [Git][NTPsec/ntpsec][master] 2 commits: Tweak description of cookies Message-ID: <693747b948225_2a17c8d475951@gitlab-sidekiq-low-urgency-cpu-bound-v2-66d95699db-l6wkk.mail> Hal Murray pushed to branch master at NTPsec / ntpsec Commits: 023f880b by Hal Murray at 2025-12-08T00:15:52-08:00 Tweak description of cookies - - - - - 4c44e929 by Hal Murray at 2025-12-08T13:44:57-08:00 Fix switching to new cookie length, #877 Patch tests/ntpd/nts_client.c to skip a test that broke. See #876 - - - - - 3 changed files: - docs/NTS-QuickStart.adoc - ntpd/nts_client.c - tests/ntpd/nts_client.c Changes: ===================================== docs/NTS-QuickStart.adoc ===================================== @@ -234,10 +234,12 @@ appropriate servers. The number should be 8. Lower numbers indicate dropped packets. (7 could be a packet in flight.) The RFC calls for the server to rotate the private key used to -encrypt cookies every 24 hours. The server also saves the previous -key so old cookies will work for at least 24 hours. 24 hours and 8 cookies -will work for a polling interval of up to 3 hours. That's much longer -than the default +maxpoll+ of 10 (1024 seconds). +encrypt cookies every 24 hours. The server saves the previous +10 keys so old cookies will work for well over a week. + +The client doesn't save cookies to disk. It gets a new set of +cookies using NTS-KE each time it is rebooted (or ntpd is restarted). + === Check ntp variables ===================================== ntpd/nts_client.c ===================================== 
@@ -686,6 +686,7 @@ bool nts_client_process_response_core(uint8_t *buff, int transferred, struct pee int idx; struct BufCtl_t buf; + peer->nts_state.cookielen = 0; peer->nts_state.aead = NO_AEAD; peer->nts_state.keylen = 0; peer->nts_state.writeIdx = 0; ===================================== tests/ntpd/nts_client.c ===================================== @@ -220,7 +220,7 @@ TEST(nts_client, nts_client_process_response_core) { success = nts_client_process_response_core(buf8, sizeof(buf8), &peer); /* check */ TEST_ASSERT_EQUAL(false, success); - TEST_ASSERT_EQUAL(0, peer.nts_state.writeIdx); +//$ TEST_ASSERT_EQUAL(0, peer.nts_state.writeIdx); TEST_ASSERT_NOT_EQUAL(10, peer.nts_state.cookies[0][0]); /* ===== Test: nts_end_of_message, wrong length ===== */ /* data */ View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/5bdffcbc093f890b4274d5987197a681bb902b27...4c44e929301a7ea56a3182b0016e9b2199d207cf
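Review bot: In the docs/NTS-QuickStart.adoc hunk, "well over a week" in the added line "10 keys so old cookies will work for well over a week" is vaguer than the figures it replaces; with the 24-hour rotation stated in the same paragraph and 10 saved keys, give the number (about 10 days) so an operator can compare it with their own outage and polling assumptions. The removed text also tied the 8 cookies to a maximum polling interval and nothing replaces that, while the context line above still tells the reader the count should be 8; if the relationship no longer matters, one sentence saying so would help. The new paragraph about the client not saving cookies could also state the consequence, that every restart needs the NTS-KE server to be reachable before the client has cookies again.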
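Review bot: In nts_client_process_response_core() in ntpd/nts_client.c, the added `peer->nts_state.cookielen = 0;` has no comment saying why it is needed, and the reason (switching to a new cookie length, #877) is recorded only in the commit message; a one-line comment at this line would keep a later cleanup from removing it. The reset also runs at entry together with aead, keylen and writeIdx, before any of the response is parsed, so a response that is later rejected leaves the peer with the previous length already cleared; confirm that every failure path treats the whole NTS state as invalid and does not go on using cookies stored under the old length.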
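Review bot: In the tests/ntpd/nts_client.c hunk, the `TEST_ASSERT_EQUAL(0, peer.nts_state.writeIdx)` check is disabled with a bare `//$` prefix and no explanation, so the test no longer verifies that a rejected response leaves writeIdx at 0. Add a comment beside the disabled line that points to #876, and consider asserting what the failure case should now guarantee (for example the value of cookielen after the call), since the remaining `TEST_ASSERT_NOT_EQUAL(10, peer.nts_state.cookies[0][0])` looks at a single byte. The `//$` marker also differs from the `/* */` comment style used in the surrounding lines.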