[Git][NTPsec/ntpsec][master] 2 commits: Tweak description of cookies

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Mon Dec 8 21:48:41 UTC 2025 


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
023f880b by Hal Murray at 2025-12-08T00:15:52-08:00
Tweak description of cookies

- - - - -
4c44e929 by Hal Murray at 2025-12-08T13:44:57-08:00
Fix switching to new cookie length, #877

Patch tests/ntpd/nts_client.c to skip a test that broke.
See #876

- - - - -


3 changed files:

- docs/NTS-QuickStart.adoc
- ntpd/nts_client.c
- tests/ntpd/nts_client.c


Changes:

=====================================
docs/NTS-QuickStart.adoc
=====================================
@@ -234,10 +234,12 @@ appropriate servers.  The number should be 8. Lower numbers indicate dropped
 packets.  (7 could be a packet in flight.)
 
 The RFC calls for the server to rotate the private key used to
-encrypt cookies every 24 hours.  The server also saves the previous
-key so old cookies will work for at least 24 hours.  24 hours and 8 cookies
-will work for a polling interval of up to 3 hours.  That's much longer
-than the default +maxpoll+ of 10 (1024 seconds).
+encrypt cookies every 24 hours.  The server saves the previous
+10 keys so old cookies will work for well over a week.
+
+The client doesn't save cookies to disk.  It gets a new set of
+cookies using NTS-KE each time it is rebooted (or ntpd is restarted).
+
 
 === Check ntp variables
 


=====================================
ntpd/nts_client.c
=====================================
@@ -686,6 +686,7 @@ bool nts_client_process_response_core(uint8_t *buff, int transferred, struct pee
 	int idx;
 	struct BufCtl_t buf;
 
+	peer->nts_state.cookielen = 0;
 	peer->nts_state.aead = NO_AEAD;
 	peer->nts_state.keylen = 0;
 	peer->nts_state.writeIdx = 0;


=====================================
tests/ntpd/nts_client.c
=====================================
@@ -220,7 +220,7 @@ TEST(nts_client, nts_client_process_response_core) {
 	success = nts_client_process_response_core(buf8, sizeof(buf8), &peer);
 	/* check */
 	TEST_ASSERT_EQUAL(false, success);
-	TEST_ASSERT_EQUAL(0, peer.nts_state.writeIdx);
+//$	TEST_ASSERT_EQUAL(0, peer.nts_state.writeIdx);
 	TEST_ASSERT_NOT_EQUAL(10, peer.nts_state.cookies[0][0]);
 	/* ===== Test: nts_end_of_message, wrong length ===== */
 	/* data */



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/5bdffcbc093f890b4274d5987197a681bb902b27...4c44e929301a7ea56a3182b0016e9b2199d207cf

-- 
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/5bdffcbc093f890b4274d5987197a681bb902b27...4c44e929301a7ea56a3182b0016e9b2199d207cf
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20251208/566497f2/attachment-0001.htm>

More information about the vc mailing list