[Git][NTPsec/ntpsec][master] 3 commits: Fix compiler warning

Hal Murray gitlab at mg.gitlab.com
Thu Feb 7 13:02:07 UTC 2019


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
de1fb13e by Hal Murray at 2019-02-07T13:01:10Z
Fix compiler warning

- - - - -
7c5b1d09 by Hal Murray at 2019-02-07T13:01:10Z
Fix typo in FLAG_TSTAMP_PPS

- - - - -
ea4d92eb by Hal Murray at 2019-02-07T13:01:10Z
Start of NTS-KE-client - mostly looking for build troubles

- - - - -


6 changed files:

- include/ntp.h
- include/ntpd.h
- + ntpd/nts_client.c
- ntpd/nts_lib.c
- ntpd/wscript
- wscript


Changes:

=====================================
include/ntp.h
=====================================
@@ -395,7 +395,7 @@ struct peer {
 #define	FLAG_NOSELECT	0x0200u	/* never select */
 #define	FLAG_TRUE	0x0400u	/* force truechimer */
 #define	FLAG_DNS	0x0800u	/* needs DNS lookup */
-#define FLAG_TSTAMP_PPS	0x4cd000u	/* PPS source provides absolute timestamp */
+#define FLAG_TSTAMP_PPS	0x1000u	/* PPS source provides absolute timestamp */
 
 /* This is the new, sane way of representing packets. All fields are
    in host byte order, and the fixed-point time fields are just integers,


=====================================
include/ntpd.h
=====================================
@@ -421,6 +421,7 @@ extern const uint8_t	num_refclock_conf;
 #endif
 
 /* nts.c */
+bool nts_probe(struct peer *peer);
 int nts_client_ke_request(struct ntscfg_t *);
 int nts_server_ke_verify(struct ntscfg_t *);
 int nts_client_ke_verify(struct ntscfg_t *, struct ntsstate_t *);
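Review bot: The new prototype `bool nts_probe(struct peer *peer);` is filed under the `/* nts.c */` section comment, but this same commit defines nts_probe in the new ntpd/nts_client.c, so the grouping comment now points a reader at the wrong file. Either open a separate `/* nts_client.c */` group for it or widen the existing comment to `/* nts.c, nts_client.c */`.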


=====================================
ntpd/nts_client.c
=====================================
@@ -0,0 +1,106 @@
+/*
+ * nts_client.c - Network Time Security (NTS) client side support
+ *
+ * Section references are to
+ * https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-15
+ *
+ */
+#include "config.h"
+
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <openssl/ssl.h>
+
+#include "ntp_types.h"
+#include "ntpd.h"
+
+
+int open_TCP_socket(const char *hostname);
+
+bool nts_probe(struct peer * peer) {
+
+  SSL_CTX *ctx;
+  SSL     *ssl;
+  int      server = 0;
+
+  server = open_TCP_socket(peer->hostname);
+  if (-1 == server) return false;
+
+  // No error checking yet.
+  // Ugly since most SSL routines return 1 on success.
+
+// Fedora 29: 0x1010101fL  1.1.1a
+// Fedora 28: 0x1010009fL  1.1.0i
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+  ctx = SSL_CTX_new(TLS_client_method());
+#else
+  ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+  SSL_CTX_set_default_verify_file(ctx);   // Use system root certs
+#else
+  // FIXME
+#endif
+
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+  // FIXME
+  SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+  SSL_CTX_set_max_proto_version(ctx, 0);
+#else
+  // FIXME
+#endif
+
+  ssl = SSL_new(ctx);
+
+  SSL_set_fd(ssl, server);
+  SSL_set_tlsext_host_name(ssl, peer->hostname);
+
+  SSL_free(ssl);
+  close(server);
+  SSL_CTX_free(ctx);
+
+  return false;
+}
+
+int open_TCP_socket(const char *hostname) {
+  struct addrinfo hints;
+  struct addrinfo *answer;
+  int gai_rc, err;
+  int sockfd;
+
+  res_init();
+
+  ZERO(hints);
+  hints.ai_protocol = IPPROTO_TCP;
+  hints.ai_socktype = SOCK_STREAM;
+  hints.ai_family = AF_UNSPEC;
+  gai_rc = getaddrinfo(hostname, "ntp", &hints, &answer);
+  if (0 != gai_rc) {
+    msyslog(LOG_INFO, "DNS: nts_probe: DNS error: %d, %s",
+      gai_rc, gai_strerror(gai_rc));
+    return -1;
+  }
+
+  sockfd = socket(AF_INET, SOCK_STREAM, 0);
+  if (-1 == sockfd) {
+    msyslog(LOG_INFO, "DNS: nts_probe: no socket: %m");
+  } else {
+    // Use first answer
+    err = connect(sockfd, answer->ai_addr, answer->ai_addrlen);
+    if (-1 == err) {
+      msyslog(LOG_INFO, "DNS: nts_probe: can't connect: %m");
+      close(sockfd);
+      sockfd = -1;
+    }
+  }
+
+  freeaddrinfo(answer);
+  return sockfd;
+}
+
+/* end */
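Review bot: open_TCP_socket resolves with `hints.ai_family = AF_UNSPEC` but then creates the socket with a hard-coded `socket(AF_INET, SOCK_STREAM, 0)`, so whenever the first getaddrinfo answer is an IPv6 address the connect() is handed an AF_INET6 sockaddr on an AF_INET socket and fails with a misleading "can't connect"; the socket should be created from the answer it is about to use, `sockfd = socket(answer->ai_family, answer->ai_socktype, answer->ai_protocol);` (and ideally the code should walk the answer list until one connects instead of stopping at the first). On the TLS side, `SSL_CTX_set_default_verify_file` only loads the trust store; nothing calls `SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` or `SSL_set1_host(ssl, peer->hostname)`, so once the SSL_connect() replaces the `return false` stub the server certificate would be accepted without chain or hostname checking — worth a FIXME at the verify-file line now so it is not lost when the handshake is added. The `SSL_CTX_new` and `SSL_new` results are also dereferenced unchecked, which the "No error checking yet" comment acknowledges but which will need NULL guards before this runs in the daemon.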


=====================================
ntpd/nts_lib.c
=====================================
@@ -24,9 +24,9 @@ uint8_t *upf(void *src, void *dest, size_t n) {
 int nts_record_parse(record_bits *in) {
 	in->bit = upf(in->record, &in->now, sizeof(uint16_t));
 
-	if (0x80 & in->record[0]) {
+	if (0x80 & in->record[0]) {          // FIXME
 		in->critical = true;
-		in->now &= htons(~0x8000);
+		in->now &= htons(0x7FFF);    // FIXME
 	}
 	in->record_type = ntohs(in->now);
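Review bot: The two FIXME lines test the critical bit on the raw network-order byte and then clear it with `htons(0x7FFF)`, which is correct but forces the reader to reason about byte order twice; converting once removes both FIXMEs: `uint16_t type = ntohs(in->now);` / `if (type & 0x8000) { in->critical = true; type &= 0x7FFF; }` / `in->record_type = type;`. This is only safe if `in->now` is not read again with the bit expected cleared further down in nts_record_parse, whose body continues past the end of the hunk. The old `htons(~0x8000)` and the new `htons(0x7FFF)` produce the same 16-bit mask, so the change itself is behavior-neutral.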
 


=====================================
ntpd/wscript
=====================================
@@ -57,6 +57,7 @@ def build(ctx):
         "ntp_restrict.c",
         "ntp_util.c",
         "nts.c",
+        "nts_client.c",
         "nts_lib.c",
     ]
 
@@ -65,7 +66,7 @@ def build(ctx):
         includes=ctx.env.PLATFORM_INCLUDES,
         source=libntpd_source,
         target="libntpd_obj",
-        use="CRYPTO",
+        use="SSL CRYPTO",
     )
 
     ctx(
@@ -124,7 +125,7 @@ def build(ctx):
         source=ntpd_source,
         target="ntpd",
         use="libntpd_obj ntp M parse RT CAP SECCOMP PTHREAD NTPD "
-            "CRYPTO DNS_SD %s SOCKET NSL SCF" % use_refclock,
+            "SSL CRYPTO DNS_SD %s SOCKET NSL SCF" % use_refclock,
     )
 
     ntsd_source = [


=====================================
wscript
=====================================
@@ -594,11 +594,21 @@ int main(int argc, char **argv) {
     for header, sizeof in sorted(sizeofs, key=lambda x: x[1:]):
         check_sizeof(ctx, header, sizeof)
 
+    # Check via pkg-config first, then fall back to a direct search
+    if not ctx.check_cfg(
+        package='libssl', uselib_store='SSL',
+        args=['libcrypto', '--cflags', '--libs'],
+        msg="Checking for OpenSSL/libssl (via pkg-config)",
+        define_name='', mandatory=False,
+    ):
+        ctx.check_cc(msg="Checking for OpenSSL's ssl library",
+                     lib="ssl", mandatory=True)
+
     # Check via pkg-config first, then fall back to a direct search
     if not ctx.check_cfg(
         package='libcrypto', uselib_store='CRYPTO',
         args=['libcrypto', '--cflags', '--libs'],
-        msg="Checking for OpenSSL (via pkg-config)",
+        msg="Checking for OpenSSL/libcrypto (via pkg-config)",
         define_name='', mandatory=False,
     ):
         ctx.check_cc(msg="Checking for OpenSSL's crypto library",
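Review bot: The new libssl check passes `args=['libcrypto', '--cflags', '--libs']`, copied verbatim from the libcrypto block below, so the pkg-config query names libcrypto even though `package='libssl'` and `uselib_store='SSL'`. Assuming waf appends `package` after `args`, the command becomes `pkg-config libcrypto --cflags --libs libssl`, which happens to yield flags for both libraries, but the line reads as a mistake and would silently store only libcrypto flags under SSL if the package were ever not appended. Change it to `args=['libssl', '--cflags', '--libs'],` (or simply `args=['--cflags', '--libs'],`) so the check states what it actually tests.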



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/3fea9b1e24fd51c549c553920a7a9d88c9dc8ec9...ea4d92ebf26a650f1fab2a463dac4edaf1cad81a
