[Git][NTPsec/ntpsec][master] First pass at NTS client checking ALPN string from server.
Hal Murray
gitlab at mg.gitlab.com
Sat Aug 24 20:38:34 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
7897d008 by Hal Murray at 2019-08-24T20:37:59Z
First pass at NTS client checking ALPN string from server.
- - - - -
1 changed file:
- ntpd/nts_client.c
Changes:
=====================================
ntpd/nts_client.c
=====================================
@@ -9,6 +9,7 @@
*/
#include "config.h"
+#include <ctype.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
@@ -34,6 +35,7 @@ int open_TCP_socket(struct peer *peer, const char *hostname);
bool nts_set_cert_search(SSL_CTX *ctx, const char *filename);
void set_hostname(SSL *ssl, const char *hostname);
bool check_certificate(SSL *ssl, struct peer *peer);
+bool check_aead(SSL *ssl, struct peer *peer, const char *hostname);
bool nts_client_send_request(SSL *ssl, struct peer *peer);
bool nts_client_process_response(SSL *ssl, struct peer *peer);
bool nts_client_process_response_core(uint8_t *buff, int transferred, struct peer* peer);
@@ -139,6 +141,8 @@ bool nts_probe(struct peer * peer) {
if (!check_certificate(ssl, peer))
goto bail;
+ if (!check_aead(ssl, peer, hostname))
+ goto bail;
if (!nts_client_send_request(ssl, peer))
goto bail;
@@ -376,6 +380,42 @@ bool check_certificate(SSL *ssl, struct peer* peer) {
return true;
}
+bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
+ UNUSED_ARG(peer);
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
+ bool bad = true; /* Always return OK for now. */
+ const unsigned char *data;
+ unsigned int len;
+ unsigned int i;
+ char buff [100];
+ SSL_get0_alpn_selected(ssl, &data, &len);
+ if (0 == len) {
+ /* This happens when talking to old/TLSv1.2 systems. */
+ msyslog(LOG_DEBUG, "NTSc: No ALPN from %s (%s)",
+ hostname, SSL_get_version(ssl));
+ return bad;
+ }
+ strlcpy(buff, (const char*)data, sizeof(buff)); /* NUL terminate */
+ for (i=0; i<len; i++) {
+ if (!isgraph(buff[i])) {
+ buff[i] = '*'; /* fix non-printing crap */
+ }
+ }
+ /* For now, we only support one version.
+ * This gets more complicated when version 2 arrives. */
+ if (0 != strcmp((const char*)data, "ntske/1")) {
+ msyslog(LOG_DEBUG, "NTSc: Strange ALPN returned: %s (%u)", buff, len);
+ return bad;
+ }
+ msyslog(LOG_DEBUG, "NTSc: Good ALPN from: %s", hostname);
+
+#else
+ UNUSED_ARG(ssl);
+ UNUSED_ARG(hostname);
+#endif
+ return true;
+}
+
bool nts_make_keys(SSL *ssl, uint16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
// There is a bug in OpenSSL 1.1.1a
// Until Mar-23, we were using:
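Review bot: The pointer that SSL_get0_alpn_selected stores in data is not NUL terminated (it points into the ALPN protocol list, with len giving the name's length), so `strlcpy(buff, (const char*)data, sizeof(buff));` and `strcmp((const char*)data, "ntske/1")` both read past the selected name until they happen to hit a zero byte. The sanitising loop then indexes buff[i] for i < len, and an ALPN name may be up to 255 bytes while buff holds 100, so an oversized name sent by the server writes past the end of buff; isgraph on a plain char is also undefined for negative values. Bound the copy by both len and sizeof(buff), compare with memcmp against the exact length, and cast to unsigned char for isgraph, as sketched below. The `bad = true` / "Always return OK for now" pairing is presumably deliberate for a first pass, but a comment at the declaration such as `/* TODO: flip to false once servers reliably send ALPN */` would make the inverted name less surprising to the next reader. nts_make_keys, whose first lines close the hunk, continues outside it.
```c
bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
	/* … unchanged: UNUSED_ARG(peer), version guard, bad/data/len/i/buff declarations … */
	SSL_get0_alpn_selected(ssl, &data, &len);
	/* … unchanged: len == 0 "No ALPN" branch … */
	/* data is not NUL terminated; copy at most what buff can hold */
	unsigned int n = (len < sizeof(buff)) ? len : (unsigned int)(sizeof(buff) - 1);
	memcpy(buff, data, n);
	buff[n] = '\0';
	for (i = 0; i < n; i++) {
		if (!isgraph((unsigned char)buff[i])) {
			buff[i] = '*'; /* fix non-printing crap */
		}
	}
	/* For now, we only support one version.
	 * This gets more complicated when version 2 arrives. */
	if (len != sizeof("ntske/1") - 1 || 0 != memcmp(data, "ntske/1", len)) {
		msyslog(LOG_DEBUG, "NTSc: Strange ALPN returned: %s (%u)", buff, len);
		return bad;
	}
	/* … unchanged: "Good ALPN" log, #else branch, return true … */
```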