[Git][NTPsec/ntpsec][master] mintls/maxtls option processing.
Eric S. Raymond
gitlab at mg.gitlab.com
Sun Feb 3 03:41:46 UTC 2019
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
486d777c by Eric S. Raymond at 2019-02-03T03:41:37Z
mintls/maxtls option processing.
- - - - -
6 changed files:
- include/ntp_config.h
- include/nts.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/nts.c
Changes:
=====================================
include/ntp_config.h
=====================================
@@ -196,6 +196,7 @@ struct config_tree_tag {
addr_opts_fifo *fudge;
attr_val_fifo * rlimit;
attr_val_fifo * tinker;
+ attr_val_fifo * crypto;
attr_val_fifo * enable_opts;
attr_val_fifo * disable_opts;
=====================================
include/nts.h
=====================================
@@ -12,6 +12,9 @@
#define FLAG_NTS_REQ 0x04u /* NTS, ask for specified server */
#define FLAG_NTS_NOVAL 0x08u /* do not validate the server certificate */
+extern float mintls; /* minimum TLS version allowed */
+extern float maxtls; /* force this version for testing */
+
/* Configuration data for an NTS association */
struct ntscfg_t {
char *server; /* if NULL, use the peer itself (normal case) */
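Review bot: Declaring `mintls` and `maxtls` as `float` makes any later comparison fragile: 1.2 has no exact binary representation, so a value parsed from the config file and compared against the 1.2 default may not compare equal, and the float carries no notion of which versions the build actually supports. An integer encoding of the version or the TLS library's own version constants would be a safer type; the same applies to the definitions in the ntpd/nts.c hunk. The comment on `maxtls` should also state what the zero default means, since `maxtls` is never initialised in nts.c — if zero is intended as "no cap", write `/* force this version for testing; 0 = not set */`.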
=====================================
ntpd/keyword-gen.c
=====================================
@@ -203,6 +203,9 @@ struct key_tok ntp_keywords[] = {
{ "expire", T_Expire, FOLLBY_TOKEN },
{ "cert", T_Cert, FOLLBY_TOKEN },
{ "ca", T_Ca, FOLLBY_TOKEN },
+{ "crypto", T_Crypto, FOLLBY_TOKEN },
+{ "mintls", T_Mintls, FOLLBY_TOKEN },
+{ "maxtls", T_Maxtls, FOLLBY_TOKEN },
};
typedef struct big_scan_state_tag {
=====================================
ntpd/ntp_config.c
=====================================
@@ -209,6 +209,7 @@ static void free_config_rlimit(config_tree *);
static void free_config_setvar(config_tree *);
static void free_config_system_opts(config_tree *);
static void free_config_tinker(config_tree *);
+static void free_config_crypto(config_tree *);
static void free_config_tos(config_tree *);
static void free_config_unpeers(config_tree *);
static void free_config_vars(config_tree *);
@@ -266,6 +267,7 @@ static void config_monitor(config_tree *);
static void config_rlimit(config_tree *);
static void config_system_opts(config_tree *);
static void config_tinker(config_tree *);
+static void config_crypto(config_tree *);
static void config_tos(config_tree *);
static void config_logfile(config_tree *);
static void config_vars(config_tree *);
@@ -355,6 +357,7 @@ free_config_tree(
free_config_monitor(ptree);
free_config_access(ptree);
free_config_tinker(ptree);
+ free_config_crypto(ptree);
free_config_rlimit(ptree);
free_config_system_opts(ptree);
free_config_logconfig(ptree);
@@ -1975,6 +1978,33 @@ config_tinker(
}
}
+static void
+config_crypto(
+ config_tree *ptree
+ )
+{
+ attr_val * crypto;
+
+ crypto = HEAD_PFIFO(ptree->crypto);
+ for (; crypto != NULL; crypto = crypto->link) {
+ switch (crypto->attr) {
+
+ default:
+ INSIST(0);
+ break;
+
+ case T_Maxtls:
+ maxtls = crypto->value.d
+ break;
+
+ case T_Mintls:
+ mintls = crypto->value.d
+ break;
+
+ }
+ }
+}
+
static void
free_config_rlimit(
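Review bot: The two assignments `maxtls = crypto->value.d` and `mintls = crypto->value.d` in config_crypto are missing their terminating semicolon, so ntp_config.c does not compile as committed; they should read `maxtls = crypto->value.d;` and `mintls = crypto->value.d;`. Beyond that, the values are stored without any check, so a config line can lower the documented "minimum TLS version allowed" to any number the grammar accepts; validating each value against the versions the build supports, and rejecting `mintls > maxtls` when both are given, would belong in this loop before the assignment. The definition of free_config_rlimit that begins at the end of the hunk continues outside it.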
@@ -1993,6 +2023,15 @@ free_config_tinker(
}
+static void
+free_config_crypto(
+ config_tree *ptree
+ )
+{
+ FREE_ATTR_VAL_FIFO(ptree->crypto);
+}
+
+
/*
* config_nic_rules - apply interface listen/ignore/drop items
*/
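Review bot: free_config_crypto is followed by two blank lines before the config_nic_rules comment, whereas config_crypto in the previous hunk is separated from its neighbour by one; dropping one of the blank lines keeps the spacing consistent with the surrounding file.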
@@ -2974,6 +3013,7 @@ config_ntpd(
config_tos(ptree);
config_access(ptree);
config_tinker(ptree);
+ config_crypto(ptree);
config_rlimit(ptree);
config_system_opts(ptree);
config_logconfig(ptree);
=====================================
ntpd/ntp_parser.y
=====================================
@@ -68,6 +68,7 @@
%token <Integer> T_Clockstats
%token <Integer> T_Cohort
%token <Integer> T_ControlKey
+%token <Integer> T_Crypto
%token <Integer> T_Ctl
%token <Integer> T_Day
%token <Integer> T_Default
@@ -132,6 +133,7 @@
%token <Integer> T_Maxdist
%token <Integer> T_Maxmem
%token <Integer> T_Maxpoll
+%token <Integer> T_Maxtls
%token <Integer> T_Mdnstries
%token <Integer> T_Mem
%token <Integer> T_Memlock
@@ -142,6 +144,7 @@
%token <Integer> T_Minimum
%token <Integer> T_Minpoll
%token <Integer> T_Minsane
+%token <Integer> T_Mintls
%token <Integer> T_Mode
%token <Integer> T_Monitor
%token <Integer> T_Month
@@ -291,6 +294,9 @@
%type <Integer> tinker_option_keyword
%type <Attr_val> tinker_option
%type <Attr_val_fifo> tinker_option_list
+%type <Integer> crypto_option_keyword
+%type <Attr_val> crypto_option
+%type <Attr_val_fifo> crypto_option_list
%type <Attr_val> tos_option
%type <Integer> tos_option_dbl_keyword
%type <Integer> tos_option_int_keyword
@@ -341,6 +347,7 @@ command : /* NULL STATEMENT */
| rlimit_command
| system_option_command
| tinker_command
+ | crypto_command
| miscellaneous_command
;
@@ -1090,6 +1097,39 @@ tinker_option_keyword
;
+/* Crypto Commands
+ * ---------------
+ */
+
+crypto_command
+ : T_Crypto crypto_option_list
+ { CONCAT_G_FIFOS(cfgt.crypto, $2); }
+ ;
+
+crypto_option_list
+ : crypto_option_list crypto_option
+ {
+ $$ = $1;
+ APPEND_G_FIFO($$, $2);
+ }
+ | crypto_option
+ {
+ $$ = NULL;
+ APPEND_G_FIFO($$, $1);
+ }
+ ;
+
+crypto_option
+ : crypto_option_keyword number
+ { $$ = create_attr_dval($1, $2); }
+ ;
+
+crypto_option_keyword
+ : T_Maxtls
+ | T_Mintls
+ ;
+
+
/* Miscellaneous Commands
* ----------------------
*/
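Review bot: The new `crypto_option` rule accepts any `number` for `mintls`/`maxtls`, so the grammar itself does not convey what a valid argument looks like and nothing in the parser constrains it; the "Crypto Commands" comment block would be the place to document that, e.g. `/* mintls/maxtls take a TLS protocol version as a number, e.g. 1.2 */`. If range checking is intended to live in config_crypto rather than here, a one-line comment on the rule saying so would save the next reader from looking for it in the grammar.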
=====================================
ntpd/nts.c
=====================================
@@ -15,6 +15,9 @@
#include "ntp_types.h"
#include "ntpd.h"
+float mintls = 1.2; /* minimum TLS version allowed */
+float maxtls; /* force this version for testing */
+
/* By design, there is no per-client-side state on the server */
/*