[Git][NTPsec/ntpsec][master] Various changes related to TLS options.
Eric S. Raymond
gitlab at mg.gitlab.com
Sun Feb 3 20:59:24 UTC 2019
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
f8bf5450 by Eric S. Raymond at 2019-02-03T20:58:48Z
Various changes related to TLS options.
- - - - -
7 changed files:
- docs/includes/auth-commands.adoc
- include/nts.h
- libntp/authreadkeys.c
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/nts.c
Changes:
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -36,7 +36,7 @@ The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
[[crypto]]
-+crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+enclair+] [+cipher+ _name_]
++crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
The options are as follows:
@@ -48,16 +48,15 @@ The options are as follows:
Set the highest allowable TLS version to negotiate. By setting
mintls and maxtls equal you can force the TLS version for testing.
-+enclair+ _bool_::
- Turning this on disables crypto. Code requiring installed
- certificates is bypassed. Useful for testing if you have a
- cooperating implementation on the other end that can also
- disable crypto. {ntsdman} will do this.
-
-+cipher+ _name_::
- Disable normal cipher negotiation, forcing one by name. Intended
- for testing.
+// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
++tlsciphers+ _string_::
+ An OpenSSL cipher list to configure the allowed ciphers for TLS
+ versions up to and including TLS 1.2. An empty string disables encryption.
++tlsciphersuites+ _string_::
+ An OpenSSL ciphersuite list to configure the allowed ciphersuites for
+ TLS 1.3. An empty string disables encryption.
+
The following options of the +server+ command configure NTS.
+nts+::
@@ -71,7 +70,7 @@ The following options of the +server+ command configure NTS.
for a specific NTS server, which may differ from the NTP server.
Conforms to RFC3896 section 3.2.2 prescription for the Host part of
a URI: that is, the +address_ may be a hostname, a FQDN, an IPv4
- numeric address, an IPv6 numeric addresa (in square brackets).
+ numeric address, an IPv6 numeric address (in square brackets).
Address may have the suffix +:port+ to specify a UDP port.
+require+ 'address'::
=====================================
include/nts.h
=====================================
@@ -14,8 +14,8 @@
extern float mintls; /* minimum TLS version allowed */
extern float maxtls; /* maximum TLS version allowed */
-extern bool enclair; /* if on, disable TLS and talk en clair */
-extern char *cipher; /* force cipher; NULL for negotiation */
+extern char *tlsciphers; /* allowed TLS 1.2 ciphers */
+extern char *tlsciphersuites; /* allowed TLS 1.3 ciphersuites */
/* Configuration data for an NTS association */
struct ntscfg_t {
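Review bot: The new comments on `tlsciphers` and `tlsciphersuites` say what the strings hold but not what the unset state means: both are defined in the nts.c hunk as file-scope pointers with no initialiser, so they start as NULL, while the auth-commands.adoc hunk in this commit gives the empty string a distinct meaning ("disables encryption"). The code that hands these strings to OpenSSL is not part of this diff, so the header is the only place a reader can learn the contract; I would write it out, e.g. `extern char *tlsciphers; /* OpenSSL cipher list for TLS <= 1.2; NULL = library default */` with matching TLS 1.3 wording on the next line, and mirror the same comments on the definitions in nts.c. Presumably NULL leaves OpenSSL's default lists in place, but that should be confirmed against the consumer before the comment asserts it.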
=====================================
libntp/authreadkeys.c
=====================================
@@ -119,10 +119,10 @@ check_cmac_mac_length(
size_t length = 0;
char key[EVP_MAX_KEY_LENGTH]; /* garbage is OK */
CMAC_CTX *ctx;
- const EVP_CIPHER *cipher = EVP_get_cipherbyname(name);
+ const EVP_CIPHER *cmac_cipher = EVP_get_cipherbyname(name);
ctx = CMAC_CTX_new();
- CMAC_Init(ctx, key, EVP_CIPHER_key_length(cipher), cipher, NULL);
+ CMAC_Init(ctx, key, EVP_CIPHER_key_length(cmac_cipher), cmac_cipher, NULL);
CMAC_Final(ctx, mac, &length);
CMAC_CTX_free(ctx);
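Review bot: `EVP_get_cipherbyname(name)` returns NULL for a cipher name OpenSSL does not recognise, and the renamed `cmac_cipher` is passed straight into `EVP_CIPHER_key_length` and `CMAC_Init` on the next changed line, so an unknown name in the keys file would dereference NULL; the rename does not change this. Unless `name` is validated before check_cmac_mac_length is reached (the function starts outside the hunk, so I cannot tell), a guard such as `if (NULL == cmac_cipher) { /* unknown cipher name */ ... }` returning the function's failure value belongs before the `CMAC_CTX_new()` call, whose own NULL return is also unchecked. The check_cmac_key_length hunk below has the same shape, with `EVP_CIPHER_key_length(cmac_cipher)` evaluated in the initialiser of `len`.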
@@ -174,8 +174,8 @@ check_cmac_key_length(
char *name,
char *key,
int keylength) {
- const EVP_CIPHER *cipher = EVP_get_cipherbyname(name);
- int len = EVP_CIPHER_key_length(cipher);
+ const EVP_CIPHER *cmac_cipher = EVP_get_cipherbyname(name);
+ int len = EVP_CIPHER_key_length(cmac_cipher);
int i;
if (len < keylength) {
=====================================
ntpd/keyword-gen.c
=====================================
@@ -206,8 +206,8 @@ struct key_tok ntp_keywords[] = {
{ "crypto", T_Crypto, FOLLBY_TOKEN },
{ "mintls", T_Mintls, FOLLBY_TOKEN },
{ "maxtls", T_Maxtls, FOLLBY_TOKEN },
-{ "enclair", T_Enclair, FOLLBY_TOKEN },
-{ "cipher", T_Cipher, FOLLBY_STRING },
+{ "tlsciphers", T_Tlsciphers, FOLLBY_STRING },
+{ "tlsciphersuites", T_Tlsciphersuites, FOLLBY_STRING },
};
typedef struct big_scan_state_tag {
=====================================
ntpd/ntp_config.c
=====================================
@@ -2001,12 +2001,12 @@ config_crypto(
mintls = crypto->value.d;
break;
- case T_Enclair:
- enclair = (bool)crypto->value.i;
+ case T_Tlsciphers:
+ tlsciphers = estrdup(crypto->value.s);
break;
- case T_Cipher:
- cipher = estrdup(crypto->value.s);
+ case T_Tlsciphersuites:
+ tlsciphersuites = estrdup(crypto->value.s);
break;
}
}
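Review bot: `tlsciphers = estrdup(crypto->value.s);` overwrites the previous pointer without releasing it, so a `crypto` line that repeats the option, or a second run of config_crypto, leaks the earlier copy; the `tlsciphersuites` case two lines below has the same issue. As far as this diff shows, both pointers start as NULL (file-scope definitions in the nts.c hunk) and are only assigned here via estrdup, so a `free(tlsciphers);` immediately before the assignment would be safe, with the matching `free(tlsciphersuites);` in the other case. config_crypto begins outside the hunk, so if the pointers are reset elsewhere this may already be handled.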
=====================================
ntpd/ntp_parser.y
=====================================
@@ -69,7 +69,6 @@
%token <Integer> T_Cohort
%token <Integer> T_ControlKey
%token <Integer> T_Crypto
-%token <Integer> T_Cipher
%token <Integer> T_Ctl
%token <Integer> T_Day
%token <Integer> T_Default
@@ -80,7 +79,6 @@
%token <Integer> T_Driftfile
%token <Integer> T_Drop
%token <Integer> T_Dscp
-%token <Integer> T_Enclair
%token <Integer> T_Expire
%token <Integer> T_Ellipsis /* "..." not "ellipsis" */
%token <Integer> T_Enable
@@ -212,6 +210,8 @@
%token <Integer> T_Timer
%token <Integer> T_Timingstats
%token <Integer> T_Tinker
+%token <Integer> T_Tlsciphers
+%token <Integer> T_Tlsciphersuites
%token <Integer> T_Tos
%token <Integer> T_True
%token <Integer> T_Trustedkey
@@ -1124,9 +1124,9 @@ crypto_option_list
crypto_option
: crypto_option_keyword number
{ $$ = create_attr_dval($1, $2); }
- | T_Enclair boolean
- { $$ = create_attr_ival($1, 1); }
- | T_Cipher T_String
+ | T_Tlsciphers T_String
+ { $$ = create_attr_sval($1, $2); }
+ | T_Tlsciphersuites T_String
{ $$ = create_attr_sval($1, $2); }
;
=====================================
ntpd/nts.c
=====================================
@@ -17,8 +17,8 @@
float mintls = 1.2; /* minimum TLS version allowed */
float maxtls; /* maximum TLS version allowed */
-bool enclair; /* if on, disable TLS and talk en clair */
-char *cipher; /* force cipher; NULL for negotiation */
+char *tlsciphers; /* allowed TLS 1.2 ciphers */
+char *tlsciphersuites; /* allowed TLS 1.3 ciphersuites */
/* By design, there is no per-client-side state on the server */