[Git][NTPsec/ntpsec][master] Deleted 4 commits: Delete "enclair" in favor of 'cipher "null"'

Eric S. Raymond gitlab at mg.gitlab.com
Sun Feb 3 20:42:13 UTC 2019


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


WARNING: The push did not contain any new commits, but force pushed to delete the commits and changes below.


Deleted commits:
25f1b48e by Eric S. Raymond at 2019-02-03T18:49:20Z
Delete "enclair" in favor of 'cipher "null"'

- - - - -
93ea0a5b by Eric S. Raymond at 2019-02-03T19:34:53Z
Line disciple typo fix.

- - - - -
0390a6ec by Matt Selsky at 2019-02-03T19:43:27Z
Remove final references to 'enclair'

- - - - -
d5697ae3 by Eric S. Raymond at 2019-02-03T19:52:38Z
Merge  a typo fix.

- - - - -


9 changed files:

- docs/includes/auth-commands.adoc
- include/ntp_tty.h
- include/nts.h
- libntp/authreadkeys.c
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/nts.c
- ntpd/refclock_modem.c


Changes:

=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -36,7 +36,7 @@ The following command controls NTS authentication. It overrides
 normal TLS protocol negotiation, which is not usually necessary.
 
 [[crypto]]
-+crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+enclair+] [+cipher+ _name_]
++crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+cipher+ _name_]
 
 The options are as follows:
 
@@ -48,16 +48,15 @@ The options are as follows:
   Set the highest allowable TLS version to negotiate. By setting
   mintls and maxtls equal you can force the TLS version for testing.
 
-+enclair+ _bool_::
-  Turning this on disables crypto. Code requiring installed
-  certificates is bypassed.  Useful for testing if you have a
-  cooperating implementation on the other end that can also
-  disable crypto. {ntsdman} will do this.
-
-+cipher+ _name_::
-  Disable normal cipher negotiation, forcing one by name. Intended
-  for testing.
+// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
++tlsciphers+ _string_::
+   An OpenSSL cipher list to configure the allowed ciphers for TLS
+   versions up to and including TLS 1.2. An empty string disables encryption.
 
++tlsciphersuites+ _string_::
+   An OpenSSL ciphersuite list to configure the allowed ciphersuites for
+   TLS 1.3. An empty string disables encryption.
+   
 The following options of the +server+ command configure NTS.
 
 +nts+::
@@ -71,7 +70,7 @@ The following options of the +server+ command configure NTS.
   for a specific NTS server, which may differ from the NTP server.
   Conforms to RFC3896 section 3.2.2 prescription for the Host part of
   a URI: that is, the +address_ may be a hostname, a FQDN, an IPv4
-  numeric address, an IPv6 numeric addresa (in square brackets).
+  numeric address, an IPv6 numeric address (in square brackets).
   Address may have the suffix +:port+ to specify a UDP port.
 
 +require+ 'address'::


=====================================
include/ntp_tty.h
=====================================
@@ -17,18 +17,18 @@
 #endif
 
 /*
- * Line discipline flags.  The depredated ones required line discipline
+ * Line discipline flags.  The deprecated ones required line discipline
  * or streams modules to be installed/loaded in the kernel and are now
  * ignored.  Leave the LDISC_CLK and other deprecated symbols defined
  * until 2013 or 2014 to avoid complicating the use of newer drivers on
  * older ntpd, which is often as easy as dropping in the refclock *.c.
  */
 #define LDISC_STD	0x000	/* standard */
-#define LDISC_CLK	0x001	/* depredated tty_clk \n */
-#define LDISC_CLKPPS	0x002	/* depredated tty_clk \377 */
-#define LDISC_ACTS	0x004	/* depredated tty_clk #* */
-#define LDISC_CHU	0x008	/* depredated */
-#define LDISC_PPS	0x010	/* depredated */
+#define LDISC_CLK	0x001	/* deprecated tty_clk \n */
+#define LDISC_CLKPPS	0x002	/* deprecated tty_clk \377 */
+#define LDISC_MODEM	0x004	/* deprecated tty_clk #* */
+#define LDISC_CHU	0x008	/* deprecated */
+#define LDISC_PPS	0x010	/* deprecated */
 #define LDISC_RAW	0x020	/* raw binary */
 #define	LDISC_REMOTE	0x080	/* remote mode */
 #define	LDISC_7O1	0x100	/* 7-bit, odd parity for Z3801A */
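Review bot: Renaming `LDISC_ACTS` to `LDISC_MODEM` removes a symbol from a header whose own comment a few lines above says the deprecated LDISC symbols are left defined so that refclock sources written against older ntpd keep building. The ntpd/refclock_modem.c hunk updates the one in-tree use, but any out-of-tree driver still spelling `LDISC_ACTS` now fails to compile with no hint of the replacement. If that compatibility promise still stands, add `#define LDISC_ACTS	LDISC_MODEM	/* deprecated alias */` after the new definition; if it no longer does, the "until 2013 or 2014" sentence in the comment is itself stale and should be updated in the same change.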


=====================================
include/nts.h
=====================================
@@ -14,8 +14,13 @@
 
 extern float mintls;		/* minimum TLS version allowed */
 extern float maxtls;		/* maximum TLS version allowed */
+<<<<<<< HEAD
 extern bool enclair;		/* if on, disable TLS and talk en clair */
+extern char *tlsciphers;	/* allowed TLS 1.2 ciphers */
+extern char *tlsciphersuites;	/* allowed TLS 1.3 ciphersuites */
+=======
 extern char *cipher;		/* force cipher; NULL for negotiation */
+>>>>>>> 0390a6ec28dcaa7371819f7c8e004f959937429e
 
 /* Configuration data for an NTS association */
 struct ntscfg_t {
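Review bot: Unresolved merge-conflict markers were committed on the `<<<<<<< HEAD`, `=======` and `>>>>>>> 0390a6ec…` lines, so this header does not compile as pushed, which is presumably why the push behind this mail force-deleted these commits. Both sides of the conflict also keep `extern bool enclair;` and `extern char *cipher;`, although the ntpd/nts.c hunk removes the corresponding definitions and the ntp_parser.y and keyword-gen.c hunks drop the `T_Enclair`/`T_Cipher` tokens that set them, leaving declarations with nothing behind them. The resolved block should consist only of `extern char *tlsciphers;	/* allowed TLS 1.2 ciphers */` and `extern char *tlsciphersuites;	/* allowed TLS 1.3 ciphersuites */`, matching the definitions in nts.c.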


=====================================
libntp/authreadkeys.c
=====================================
@@ -119,10 +119,10 @@ check_cmac_mac_length(
     size_t length = 0;
     char key[EVP_MAX_KEY_LENGTH];  /* garbage is OK */
     CMAC_CTX *ctx;
-    const EVP_CIPHER *cipher = EVP_get_cipherbyname(name);
+    const EVP_CIPHER *cmac_cipher = EVP_get_cipherbyname(name);
 
     ctx = CMAC_CTX_new();
-    CMAC_Init(ctx, key, EVP_CIPHER_key_length(cipher), cipher, NULL);
+    CMAC_Init(ctx, key, EVP_CIPHER_key_length(cmac_cipher), cmac_cipher, NULL);
     CMAC_Final(ctx, mac, &length);
     CMAC_CTX_free(ctx);
 
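Review bot: `EVP_get_cipherbyname` returns NULL for a name OpenSSL does not recognise, and the renamed `cmac_cipher` is then passed straight to `EVP_CIPHER_key_length` and `CMAC_Init` with no check; the check_cmac_key_length hunk below has the same unchecked lookup. If `name` comes from the keys file this module reads, as the file name suggests, a misspelled or unsupported algorithm crashes ntpd at key-load time instead of being reported as a bad key entry. A guard before `CMAC_CTX_new` such as `if (NULL == cmac_cipher) { msyslog(LOG_ERR, "AUTH: unknown CMAC cipher %s", name); return FAILURE_VALUE; }` is needed, with the function's actual failure value substituted; the signature and return of check_cmac_mac_length are outside the hunk, so I cannot see what that is. `CMAC_CTX_new` can likewise return NULL and is not checked either.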
@@ -174,8 +174,8 @@ check_cmac_key_length(
 	char *name,
 	char *key,
 	int keylength) {
-    const EVP_CIPHER *cipher = EVP_get_cipherbyname(name);
-    int len = EVP_CIPHER_key_length(cipher);
+    const EVP_CIPHER *cmac_cipher = EVP_get_cipherbyname(name);
+    int len = EVP_CIPHER_key_length(cmac_cipher);
     int i;
 
     if (len < keylength) {


=====================================
ntpd/keyword-gen.c
=====================================
@@ -206,8 +206,8 @@ struct key_tok ntp_keywords[] = {
 { "crypto",		T_Crypto,		FOLLBY_TOKEN },
 { "mintls",		T_Mintls,		FOLLBY_TOKEN },
 { "maxtls",		T_Maxtls,		FOLLBY_TOKEN },
-{ "enclair",		T_Enclair,		FOLLBY_TOKEN },
-{ "cipher",		T_Cipher,		FOLLBY_STRING },
+{ "tlsciphers",		T_Tlsciphers,		FOLLBY_STRING },
+{ "tlsciphersuites",	T_Tlsciphersuites,	FOLLBY_STRING },
 };
 
 typedef struct big_scan_state_tag {


=====================================
ntpd/ntp_config.c
=====================================
@@ -2001,12 +2001,12 @@ config_crypto(
 		    	mintls = crypto->value.d;
 			break;
 
-		case T_Enclair:
-			enclair = (bool)crypto->value.i;
+		case T_Tlsciphers:
+			tlsciphers = estrdup(crypto->value.s);
 			break;
 
-		case T_Cipher:
-			cipher = estrdup(crypto->value.s);
+		case T_Tlsciphersuites:
+			tlsciphersuites = estrdup(crypto->value.s);
 			break;
 		}
 	}
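Review bot: Both new cases assign `estrdup(crypto->value.s)` directly into the global, so a second `crypto tlsciphers …` or `crypto tlsciphersuites …` line in the configuration leaks the first copy; freeing first, `free(tlsciphers); tlsciphers = estrdup(crypto->value.s);`, costs nothing since free(NULL) is a no-op. The documentation hunk in this push states that an empty string for either option disables encryption, so an unintentionally empty value removes confidentiality from the NTS TLS channel without any trace; logging it at configuration time, e.g. `if ('\0' == *crypto->value.s) msyslog(LOG_WARNING, "CONFIG: empty TLS cipher list disables encryption");`, would make that visible to the operator. config_crypto begins outside the hunk, so I cannot tell whether the switch carries a default arm for unexpected attribute types.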


=====================================
ntpd/ntp_parser.y
=====================================
@@ -69,7 +69,6 @@
 %token	<Integer>	T_Cohort
 %token	<Integer>	T_ControlKey
 %token	<Integer>	T_Crypto
-%token	<Integer>	T_Cipher
 %token	<Integer>	T_Ctl
 %token	<Integer>	T_Day
 %token	<Integer>	T_Default
@@ -80,7 +79,6 @@
 %token	<Integer>	T_Driftfile
 %token	<Integer>	T_Drop
 %token	<Integer>	T_Dscp
-%token	<Integer>	T_Enclair
 %token	<Integer>	T_Expire
 %token	<Integer>	T_Ellipsis	/* "..." not "ellipsis" */
 %token	<Integer>	T_Enable
@@ -212,6 +210,8 @@
 %token	<Integer>	T_Timer
 %token	<Integer>	T_Timingstats
 %token	<Integer>	T_Tinker
+%token	<Integer>	T_Tlsciphers
+%token	<Integer>	T_Tlsciphersuites
 %token	<Integer>	T_Tos
 %token	<Integer>	T_True
 %token	<Integer>	T_Trustedkey
@@ -1124,9 +1124,9 @@ crypto_option_list
 crypto_option
 	:	crypto_option_keyword number
 			{ $$ = create_attr_dval($1, $2); }
-	|	T_Enclair boolean
-			{ $$ = create_attr_ival($1, 1); }
-	|	T_Cipher T_String
+	|	T_Tlsciphers T_String
+			{ $$ = create_attr_sval($1, $2); }
+	|	T_Tlsciphersuites T_String
 			{ $$ = create_attr_sval($1, $2); }
 	;
 


=====================================
ntpd/nts.c
=====================================
@@ -17,8 +17,8 @@
 
 float mintls = 1.2;		/* minimum TLS version allowed */
 float maxtls;			/* maximum TLS version allowed */
-bool enclair;			/* if on, disable TLS and talk en clair */
-char *cipher;			/* force cipher; NULL for negotiation */
+char *tlsciphers;		/* allowed TLS 1.2 ciphers */
+char *tlsciphersuites;		/* allowed TLS 1.3 ciphersuites */
 
 /* By design, there is no per-client-side state on the server */
 
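Review bot: The replacement comments on `tlsciphers` and `tlsciphersuites` no longer say what a NULL value means, whereas the removed `cipher` line documented `NULL for negotiation`. These are file-scope globals that start out NULL and are assigned from config_crypto in ntp_config.c, so the unconfigured behaviour belongs next to the definition; something like `/* allowed TLS 1.2 ciphers; NULL presumably leaves the OpenSSL default list — confirm against the SSL_CTX setup */` and the analogous text for the 1.3 suites, kept hedged until the consumer later in this file is checked.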


=====================================
ntpd/refclock_modem.c
=====================================
@@ -515,7 +515,7 @@ modem_timeout(
 		snprintf(device, sizeof(device), DEVICE, up->unit);
 		fd = refclock_open(peer->cfg.path ? peer->cfg.path : device,
 				   peer->cfg.baud ? peer->cfg.baud : SPEED232,
-				   LDISC_ACTS | LDISC_RAW | LDISC_REMOTE);
+				   LDISC_MODEM | LDISC_RAW | LDISC_REMOTE);
 		if (fd < 0) {
 			msyslog(LOG_ERR, "REFCLOCK: modem: open fails %m");
 			return;



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/9bee29881bf43860040ae4a6fb753cbca7859ed5...d5697ae3d69a6da1648858dafc443d71cf6438a8
