[Git][NTPsec/ntpsec][master] NTS: Implement server-specific CA file/dir
Hal Murray
gitlab at mg.gitlab.com
Tue Apr 2 08:35:33 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
666fa478 by Hal Murray at 2019-04-02T08:34:26Z
NTS: Implement server-specific CA file/dir
- - - - -
3 changed files:
- docs/includes/auth-commands.adoc
- ntpd/ntp_proto.c
- ntpd/nts_client.c
Changes:
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -132,7 +132,7 @@ The following options of the +server+ command configure NTS.
Present the certificate in _file_ as our client certificate,
overriding the site default.
-+ca+ _location_:: (not implemented)
++ca+ _location_::
Use the file, or directory, specified by _location_ to validate the
NTS-KE server certificate, overriding the site default. Do not use
any other CA.
=====================================
ntpd/ntp_proto.c
=====================================
@@ -2848,6 +2848,7 @@ proto_clr_stats(void)
/* limit logging so bad guys can't DDoS us by sending crap
* log first 100 and 10/hour
+ * This gets too-old cookies
*/
void maybe_log_junk(struct recvbuf *rbufp) {
=====================================
ntpd/nts_client.c
=====================================
@@ -27,8 +27,9 @@
#include "nts2.h"
#include "ntp_dns.h"
+SSL_CTX* make_ssl_client_ctx(const char *filename);
int open_TCP_socket(struct peer *peer, const char *hostname);
-bool nts_set_cert_search(SSL_CTX *ctx);
+bool nts_set_cert_search(SSL_CTX *ctx, const char *filename);
void set_hostname(SSL *ssl, const char *hostname);
bool check_certificate(SSL *ssl, struct peer *peer);
bool nts_client_send_request(SSL *ssl, struct peer *peer);
@@ -51,40 +52,8 @@ static bool addrOK;
// FreeBSD 11: 0x100020ffL 1.0.2o-freebsd
bool nts_client_init(void) {
- bool ok = true;
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
- client_ctx = SSL_CTX_new(TLS_client_method());
-#else
- OpenSSL_add_all_ciphers(); // FIXME needed on NetBSD
- client_ctx = SSL_CTX_new(TLSv1_2_client_method());
-#endif
- if (NULL == client_ctx) {
- /* Happens if no ciphers */
- msyslog(LOG_INFO, "NTSs: NULL client_ctx");
- nts_log_ssl_error();
- return false;
- }
-
-#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
- {
- // 4., ALPN, RFC 7301
- static unsigned char alpn [] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
- SSL_CTX_set_alpn_protos(client_ctx, alpn, sizeof(alpn));
- }
-#endif
-
- SSL_CTX_set_session_cache_mode(client_ctx, SSL_SESS_CACHE_OFF);
- SSL_CTX_set_timeout(client_ctx, NTS_KE_TIMEOUT);
-
- ok &= nts_load_versions(client_ctx);
- ok &= nts_load_ciphers(client_ctx);
- ok &= nts_set_cert_search(client_ctx);
-
- if (!ok) {
- msyslog(LOG_ERR, "NTSc: Troubles setting up client SSL CTX");
- exit(1);
- };
+ client_ctx = make_ssl_client_ctx(ntsconfig.ca);
return true;
}
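Review bot: nts_client_init can no longer return false — make_ssl_client_ctx exits the process on every failure — so the `bool` result and the remaining `return true;` leave the caller a failure path that is never taken. If the caller is meant to handle a broken client context, `return NULL != client_ctx;` pairs naturally with a make_ssl_client_ctx that returns NULL instead of exiting; otherwise the function should say that it aborts, e.g. `/* Build the site-wide client SSL_CTX from ntsconfig.ca; exits on failure. */`. The caller of nts_client_init is outside this hunk, so which of the two is intended cannot be confirmed here.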
@@ -139,7 +108,14 @@ bool nts_probe(struct peer * peer) {
// Not much error checking yet.
// Ugly since most SSL routines return 1 on success.
- ssl = SSL_new(client_ctx);
+ if (NULL == peer->cfg.nts_cfg.ca)
+ ssl = SSL_new(client_ctx);
+ else {
+ SSL_CTX *ctx;
+ ctx = make_ssl_client_ctx(peer->cfg.nts_cfg.ca);
+ ssl = SSL_new(ctx);
+ SSL_CTX_free(ctx);
+ }
set_hostname(ssl, hostname);
SSL_set_fd(ssl, server);
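Review bot: A per-server `ca` that cannot be stat'ed, or that is neither a regular file nor a directory, now terminates ntpd from inside nts_probe, because make_ssl_client_ctx calls exit(1) when nts_set_cert_search fails; for the site-wide path that was a startup failure, but here it is reached on every probe of a single misconfigured association, so one bad `server ... ca` line can take the whole daemon down at run time. A more proportionate reaction is for make_ssl_client_ctx to return NULL and for this probe alone to be abandoned, e.g. `if (NULL == ctx) return false;` before `ssl = SSL_new(ctx);`, assuming false is nts_probe's usual failure result (its body continues outside the hunk). The result of SSL_new is also unchecked on both branches before `set_hostname(ssl, hostname)`; the "Not much error checking yet" comment acknowledges that, but a freshly built context per probe makes the NULL case more plausible. Calling SSL_CTX_free immediately after SSL_new is fine, since the SSL object holds its own reference to the SSL_CTX, though a short comment saying so would spare the next reader the question.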
@@ -212,6 +188,46 @@ bool nts_check(struct peer *peer) {
return addrOK;
}
+SSL_CTX* make_ssl_client_ctx(const char * filename) {
+ bool ok = true;
+ SSL_CTX *ctx;
+
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ ctx = SSL_CTX_new(TLS_client_method());
+#else
+ OpenSSL_add_all_ciphers(); // FIXME needed on NetBSD
+ ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+ if (NULL == ctx) {
+ /* Happens if no ciphers */
+ msyslog(LOG_ERR, "NTSc: NULL ctx");
+ nts_log_ssl_error();
+ exit(1);
+ }
+
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
+ {
+ // 4., ALPN, RFC 7301
+ static unsigned char alpn [] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
+ SSL_CTX_set_alpn_protos(ctx, alpn, sizeof(alpn));
+ }
+#endif
+
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+ SSL_CTX_set_timeout(ctx, NTS_KE_TIMEOUT);
+
+ ok &= nts_load_versions(ctx);
+ ok &= nts_load_ciphers(ctx);
+ ok &= nts_set_cert_search(ctx, filename);
+
+ if (!ok) {
+ msyslog(LOG_ERR, "NTSc: Troubles setting up client SSL CTX");
+ exit(1);
+ };
+
+ return ctx;
+}
+
int open_TCP_socket(struct peer *peer, const char *hostname) {
char host[256], port[32];
char *tmp;
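Review bot: Both exit(1) calls in make_ssl_client_ctx are now reachable at run time through nts_probe rather than only from nts_client_init at startup, so a versions, ciphers or CA problem on one peer's context aborts the daemon for every association. Returning NULL lets each caller decide: `return NULL;` in place of the first exit (no context exists yet) and `SSL_CTX_free(ctx); return NULL;` in place of the second, with nts_client_init and nts_probe checking the result. The function is declared at the top of the file without any description; a one-line header such as `/* Build a client SSL_CTX that trusts the CA file or directory at filename, or the system roots when filename is NULL. Caller owns the result. */` would document the ownership that nts_probe relies on when it frees the context.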
@@ -554,26 +570,26 @@ bool nts_client_process_response(SSL *ssl, struct peer* peer) {
return true;
}
-bool nts_set_cert_search(SSL_CTX *ctx) {
+bool nts_set_cert_search(SSL_CTX *ctx, const char *filename) {
struct stat statbuf;
- if (NULL == ntsconfig.ca) {
+ if (NULL == filename) {
msyslog(LOG_INFO, "NTSc: Using system default root certificates.");
SSL_CTX_set_default_verify_paths(ctx); // Use system root certs
return true;
}
- if (0 == stat(ntsconfig.ca, &statbuf)) {
+ if (0 == stat(filename, &statbuf)) {
if (S_ISDIR(statbuf.st_mode)) {
- msyslog(LOG_INFO, "NTSc: Using dir %s for root certificates.", ntsconfig.ca);
- SSL_CTX_load_verify_locations(ctx, NULL, ntsconfig.ca);
+ msyslog(LOG_INFO, "NTSc: Using dir %s for root certificates.", filename);
+ SSL_CTX_load_verify_locations(ctx, NULL, filename);
return true;
}
if (S_ISREG(statbuf.st_mode)) {
- msyslog(LOG_INFO, "NTSc: Using file %s for root certificates.", ntsconfig.ca);
- SSL_CTX_load_verify_locations(ctx, ntsconfig.ca, NULL);
+ msyslog(LOG_INFO, "NTSc: Using file %s for root certificates.", filename);
+ SSL_CTX_load_verify_locations(ctx, filename, NULL);
return true;
}
msyslog(LOG_ERR, "NTSc: cert dir/file isn't dir or file: %s. mode 0x%x",
- ntsconfig.ca, statbuf.st_mode);
+ filename, statbuf.st_mode);
return false;
}
msyslog(LOG_ERR, "NTSc: can't stat cert dir/file: %s, %s", ntsconfig.ca, strerror(errno));
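Review bot: The stat-failure message on the last line of the hunk still prints `ntsconfig.ca` although the call that failed was `stat(filename, ...)`, so for a per-server `ca` the log names the site-wide path instead of the one that is wrong, and when no site-wide `ca` is configured it hands a NULL pointer to `%s`, which is undefined behavior in the C library; it should read `msyslog(LOG_ERR, "NTSc: can't stat cert dir/file: %s, %s", filename, strerror(errno));`. Separately, the return values of SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths are ignored, so a `ca` file that exists but contains no parseable certificate is logged as "Using file ... for root certificates" and reported as success; `if (1 != SSL_CTX_load_verify_locations(ctx, filename, NULL)) { nts_log_ssl_error(); return false; }` at each load site would surface that when the context is built rather than as an opaque handshake failure later. The function's closing `return false;` lies past the end of the hunk.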