[Git][NTPsec/ntpsec][master] Implement and document TLS 'cipher' option.
Eric S. Raymond
gitlab at mg.gitlab.com
Sun Feb 3 11:27:29 UTC 2019
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
9bee2988 by Eric S. Raymond at 2019-02-03T11:24:40Z
Implement and document TLS 'cipher' option.
- - - - -
7 changed files:
- devel/nts.adoc
- docs/includes/auth-commands.adoc
- include/nts.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/nts.c
Changes:
=====================================
devel/nts.adoc
=====================================
@@ -232,12 +232,12 @@ and intermediate certificate bundles without a full daemon restart.
== NTS Configuration parameters (client side) ==
-*min-tls*:: This is not per-server but for all client sessions. Must
-be at least 1.2. Bumped at crypto emergencies.
+Options now implemented in the config parser are now described in
+docs/includes/auth-commands.txt
-To avoid having to configure TLS versions you accept beyond this, he
-right (and conformant) thing is to do is honor a global min-tls
-option, then just use the most recent version at or above it your TLS
+To avoid having to hand-configure TLS versions, the right (and
+conformant) thing is to do is honor the global mintls and maxtls
+options, then just use the most recent version at or above it your TLS
library and the remote both support. If the remote can't cope, you
abort.
@@ -245,9 +245,6 @@ To avoid having to hand-configure ciphers offered to the remote, we
can initially have a list of common known-good ones wired in.
Eventually, look into how openssl-ciphers does this and autoconfigure.
-Per-server options now implemented in the config parser are now
-described in docs/includes/assoc-options.txt
-
== NTS-KE Server Configuration parameters ==
== TLS Options ==
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -36,7 +36,7 @@ The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
[[crypto]]
-+crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+enclair+]
++crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+enclair+] [+cipher+ _name_]
The options are as follows:
@@ -54,6 +54,10 @@ The options are as follows:
cooperating implementation on the other end that can also
disable crypto. {ntsdman} will do this.
++cipher+ _name_::
+ Disable normal cipher negotiation, forcing one by name. Intended
+ for testing.
+
The following options of the +server+ command configure NTS.
+nts+::
=====================================
include/nts.h
=====================================
@@ -15,6 +15,7 @@
extern float mintls; /* minimum TLS version allowed */
extern float maxtls; /* maximum TLS version allowed */
extern bool enclair; /* if on, disable TLS and talk en clair */
+extern char *cipher; /* force cipher; NULL for negotiation */
/* Configuration data for an NTS association */
struct ntscfg_t {
=====================================
ntpd/keyword-gen.c
=====================================
@@ -207,6 +207,7 @@ struct key_tok ntp_keywords[] = {
{ "mintls", T_Mintls, FOLLBY_TOKEN },
{ "maxtls", T_Maxtls, FOLLBY_TOKEN },
{ "enclair", T_Enclair, FOLLBY_TOKEN },
+{ "cipher", T_Cipher, FOLLBY_STRING },
};
typedef struct big_scan_state_tag {
=====================================
ntpd/ntp_config.c
=====================================
@@ -2004,6 +2004,10 @@ config_crypto(
case T_Enclair:
enclair = (bool)crypto->value.i;
break;
+
+ case T_Cipher:
+ cipher = estrdup(crypto->value.s);
+ break;
}
}
}
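Review bot: `cipher = estrdup(crypto->value.s);` in the new T_Cipher case overwrites whatever the global already held, so a repeated `cipher` option, or re-reading the configuration, leaks the earlier copy; since free(NULL) is a no-op the case can simply read `free(cipher); cipher = estrdup(crypto->value.s);`. The string is also accepted here without any validation, so unless later code rejects an unknown cipher name a typo in ntp.conf will only surface when a TLS handshake is attempted; a comment such as `/* not validated here; must be checked when applied to the TLS context */` would make that explicit. The enclosing config_crypto() and its switch begin outside this hunk, so I cannot see whether the switch has a default arm or how the global is reset between configuration passes.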
=====================================
ntpd/ntp_parser.y
=====================================
@@ -69,6 +69,7 @@
%token <Integer> T_Cohort
%token <Integer> T_ControlKey
%token <Integer> T_Crypto
+%token <Integer> T_Cipher
%token <Integer> T_Ctl
%token <Integer> T_Day
%token <Integer> T_Default
@@ -1125,6 +1126,8 @@ crypto_option
{ $$ = create_attr_dval($1, $2); }
| T_Enclair boolean
{ $$ = create_attr_ival($1, 1); }
+ | T_Cipher T_String
+ { $$ = create_attr_sval($1, $2); }
;
crypto_option_keyword
=====================================
ntpd/nts.c
=====================================
@@ -18,6 +18,7 @@
float mintls = 1.2; /* minimum TLS version allowed */
float maxtls; /* maximum TLS version allowed */
bool enclair; /* if on, disable TLS and talk en clair */
+char *cipher; /* force cipher; NULL for negotiation */
/* By design, there is no per-client-side state on the server */
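Review bot: The new `char *cipher` global is only assigned in this commit; nothing in the diff passes it to the TLS context, so despite the title and the auth-commands.adoc text the option does not yet force a cipher unless that plumbing exists outside this diff. Until it is wired up the definition's comment should say so, e.g. `/* force cipher; NULL for negotiation. Not yet applied to the TLS context. */`. If the TLS library is OpenSSL, as the openssl-ciphers reference in devel/nts.adoc suggests, pre-1.3 cipher lists and TLS 1.3 cipher suites are configured through different calls (SSL_CTX_set_cipher_list() versus SSL_CTX_set_ciphersuites()), and with `mintls = 1.2` on the line above both code paths are reachable, so a single name will have to be routed to the correct one and a failure to set it should be logged rather than silently falling back to negotiation.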