Add support for MD5 message authentication as described in RFC 5905.
This patch also supports SHA1 authentication.
The key file format is the same file format as used by ntpd.
The configuration file format follows standard Unix conventions
(# comments) with lines consist of the following fields separated by whitespace:
<key identifier, [1,65535]> <SHA1|MD5> <an ASCII string of up to 20 characters|an octet string [a-zA-F0-9] of up to 40 characters>.
https://www.ietf.org/rfc/rfc5905.txt
function old new delta
ntp_init 473 987 +514
hash - 125 +125
recv_and_process_peer_pkt 889 961 +72
packed_usage 33066 33130 +64
ntpd_main 1226 1277 +51
find_key_entry - 29 +29
add_peers 195 207 +12
recv_and_process_client_pkt 509 514 +5
------------------------------------------------------------------------------
(add/remove: 2/0 grow/shrink: 6/0 up/down: 872/0) Total: 872 bytes
Signed-off-by: Brandon P. Enochs <enochs.brandon@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Support the "source-directory" stanza from ifupdown[1]. source-directory
will include all files in the named directory. Similar to the Busybox
version of the "source" stanza, this version of source-directory does
not currently support shell wildcards.
We only check that the stanza starts with "source-dir" as ifupdown does[2].
[1] https://manpages.debian.org/stretch/ifupdown/interfaces.5.en.html#INCLUDING_OTHER_FILES
[2] https://salsa.debian.org/debian/ifupdown/blob/0.8.33/config.c#L498
function old new delta
read_interfaces 1150 1241 +91
Signed-off-by: Brandon Maier <brandon.maier@rockwellcollins.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
The caps were inconsistent: timeout to renew was capped at 20 seconds,
and any renews with timeout <= 60 seconds were forced to broadcast.
function old new delta
udhcpc_main 2683 2680 -3
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Managed to make ntpd on one of my machines to be stuck getting
"root distance too high" all the time, but log is not giving me
more informatin what exactly is happening...
function old new delta
select_and_cluster 1045 1095 +50
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
If fgets() returns incomplete string, we replace NUL with
'\n', and then trim() runs on a non-NUL-terminated buffer.
Prevent that.
While at it, bump buffer from 1k to 2k.
function old new delta
query 519 524 +5
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
On fast network, I've seen "delay:0.002000" shown for all packets,
thus completely losing information on what real delays are.
The new code is careful to not reject packets with tiny delays
if the delay "grows a lot" but is still tiny:
0.000009 is "much larger" than 0.000001 (nine times larger),
but is still very good small delay.
function old new delta
recv_and_process_peer_pkt 863 889 +26
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This means we'll start correcting frequency ~5 minutes after start,
not ~3.5 ones.
With previos settings I still often see largish ~0.7s initial offsets
only about 1/2 corrected before frequency correction kicks in,
resulting in ~200ppm "correction" which is then slowly undone.
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
The "fix fetching of https URLs with http proxy" commit
broke the usual http-to-https redirect:
$ wget http://busybox.net/downloads/busybox-1.29.0.tar.bz2
Connecting to busybox.net (140.211.167.122:80)
Connecting to busybox.net (140.211.167.122:443)
wget: server returned error: HTTP/1.1 400 Bad Request
Fixing...
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
The syntax of public key certificates can be found in RFC 5280 section
4.1. The relevant part of the syntax is the following:
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
... remaining fields omitted ...
}
The version field has a default value of v1. RFC 5280 section 4.1.2.1
says the following:
If only basic fields are present, the version SHOULD be 1 (the value
is omitted from the certificate as the default value); however, the
version MAY be 2 or 3.
To help detect if the version field is present or not, the type of the
version field has an explicit tag of [0]. Due to this tag, if the
version field is present, its encoding will have an identifier octet
that is distinct from that of the serialNumber field.
ITU-T X.690 specifies how a value of such a type should be encoded with
DER. There is a PDF of X.690 freely available from ITU-T. X.690 section
8.1.2 specifies the format of identifier octets which is the first
component of every encoded value. Identifier octets encode the tag of a
type. Bits 8 and 7 encode the tag class. Bit 6 will be 0 if the encoding
is primitive and 1 if the encoding is constructed. Bits 5 to 1 encode
the tag number.
X.690 section 8.14 specifies what the identifier octet should be for
explicitly tagged types. Section 8.14.3 says if implicit tagging is not
used, then the encoding shall be constructed. The version field uses
explicit tagging and not implicit tagging, so its encoding will be
constructed. This means bit 6 of the identifier octet should be 1.
X.690 section 8.14 and Annex A provide examples. Note from their
examples that the notation for tags could look like [APPLICATION 2]
where both the tag class and tag number are given. For this example, the
tag class is 1 (application) and the tag number is 2. For notation like
[0] where the tag class is omitted and only the tag number is given, the
tag class will be context-specific.
Putting this all together, the identifier octet for the DER encoding of
the version field should have a tag class of 2 (context-specific), bit 6
as 1 (constructed), and a tag number of 0.
Signed-off-by: Ivan Abrea <ivan@algosolutions.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Update QoS markers.
Use DSCP AF21 for interactive traffic. DSCP is defined in RFC2474.
Many modern equipment no longer support IPTOS.
Signed-off-by: Codarren Velvindron <codarren@hackers.mu>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This reverts "udhcpc: paranoia when using kernel UDP mode
for sending renew: server ID may be bogus".
Users complain that they do have servers behind routers
(with DHCP relays).
function old new delta
send_packet 168 166 -2
bcast_or_ucast 25 23 -2
udhcp_send_kernel_packet 301 295 -6
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 0/3 up/down: 0/-10) Total: -10 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Kconfig-language.txt was deleted in commit 4fa499a17b back in 2006.
Move to docs/ as suggested by Xabier Oneca:
http://lists.busybox.net/pipermail/busybox/2014-May/080914.html
Also update references to it everywhere.
Signed-off-by: Kartik Agaram <akkartik@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This is to avoid parsing garbage past packet's actual end.
Also const-ize params to a few functions.
function old new delta
d6_run_script_no_option - 12 +12
option_to_env 791 798 +7
d6_run_script 253 255 +2
perform_d6_release 95 93 -2
udhcpc6_main 2596 2592 -4
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 2/2 up/down: 21/-6) Total: 15 bytes
Signed-off-by: David Decotigny <ddecotig@gmail.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
