[Git][NTPsec/ntpsec][master] 3 commits: Fix compiler warning
Hal Murray
gitlab at mg.gitlab.com
Thu Feb 7 13:02:07 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
de1fb13e by Hal Murray at 2019-02-07T13:01:10Z
Fix compiler warning
- - - - -
7c5b1d09 by Hal Murray at 2019-02-07T13:01:10Z
Fix typo in FLAG_TSTAMP_PPS
- - - - -
ea4d92eb by Hal Murray at 2019-02-07T13:01:10Z
Start of NTS-KE-client - mostly looking for build troubles
- - - - -
6 changed files:
- include/ntp.h
- include/ntpd.h
- + ntpd/nts_client.c
- ntpd/nts_lib.c
- ntpd/wscript
- wscript
Changes:
=====================================
include/ntp.h
=====================================
@@ -395,7 +395,7 @@ struct peer {
#define FLAG_NOSELECT 0x0200u /* never select */
#define FLAG_TRUE 0x0400u /* force truechimer */
#define FLAG_DNS 0x0800u /* needs DNS lookup */
-#define FLAG_TSTAMP_PPS 0x4cd000u /* PPS source provides absolute timestamp */
+#define FLAG_TSTAMP_PPS 0x1000u /* PPS source provides absolute timestamp */
/* This is the new, sane way of representing packets. All fields are
in host byte order, and the fixed-point time fields are just integers,
=====================================
include/ntpd.h
=====================================
@@ -421,6 +421,7 @@ extern const uint8_t num_refclock_conf;
#endif
/* nts.c */
+bool nts_probe(struct peer *peer);
int nts_client_ke_request(struct ntscfg_t *);
int nts_server_ke_verify(struct ntscfg_t *);
int nts_client_ke_verify(struct ntscfg_t *, struct ntsstate_t *);
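Review bot: The new prototype `bool nts_probe(struct peer *peer);` sits under the `/* nts.c */` heading, but this commit defines the function in ntpd/nts_client.c; giving it its own `/* nts_client.c */` heading would keep the header's per-file grouping accurate. A one-line comment on what the return value means would also help callers, since the definition added in this commit returns false on every path.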
=====================================
ntpd/nts_client.c
=====================================
@@ -0,0 +1,106 @@
+/*
+ * nts_client.c - Network Time Security (NTS) client side support
+ *
+ * Section references are to
+ * https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-15
+ *
+ */
+#include "config.h"
+
+#include <unistd.h>
+
+#include <netinet/in.h>
+#include <arpa/nameser.h>
+#include <resolv.h>
+
+#include <openssl/ssl.h>
+
+#include "ntp_types.h"
+#include "ntpd.h"
+
+
+int open_TCP_socket(const char *hostname);
+
+bool nts_probe(struct peer * peer) {
+
+ SSL_CTX *ctx;
+ SSL *ssl;
+ int server = 0;
+
+ server = open_TCP_socket(peer->hostname);
+ if (-1 == server) return false;
+
+ // No error checking yet.
+ // Ugly since most SSL routines return 1 on success.
+
+// Fedora 29: 0x1010101fL 1.1.1a
+// Fedora 28: 0x1010009fL 1.1.0i
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ ctx = SSL_CTX_new(TLS_client_method());
+#else
+ ctx = SSL_CTX_new(TLSv1_2_client_method());
+#endif
+
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ SSL_CTX_set_default_verify_file(ctx); // Use system root certs
+#else
+ // FIXME
+#endif
+
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ // FIXME
+ SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
+ SSL_CTX_set_max_proto_version(ctx, 0);
+#else
+ // FIXME
+#endif
+
+ ssl = SSL_new(ctx);
+
+ SSL_set_fd(ssl, server);
+ SSL_set_tlsext_host_name(ssl, peer->hostname);
+
+ SSL_free(ssl);
+ close(server);
+ SSL_CTX_free(ctx);
+
+ return false;
+}
+
+int open_TCP_socket(const char *hostname) {
+ struct addrinfo hints;
+ struct addrinfo *answer;
+ int gai_rc, err;
+ int sockfd;
+
+ res_init();
+
+ ZERO(hints);
+ hints.ai_protocol = IPPROTO_TCP;
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_family = AF_UNSPEC;
+ gai_rc = getaddrinfo(hostname, "ntp", &hints, &answer);
+ if (0 != gai_rc) {
+ msyslog(LOG_INFO, "DNS: nts_probe: DNS error: %d, %s",
+ gai_rc, gai_strerror(gai_rc));
+ return -1;
+ }
+
+ sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ if (-1 == sockfd) {
+ msyslog(LOG_INFO, "DNS: nts_probe: no socket: %m");
+ } else {
+ // Use first answer
+ err = connect(sockfd, answer->ai_addr, answer->ai_addrlen);
+ if (-1 == err) {
+ msyslog(LOG_INFO, "DNS: nts_probe: can't connect: %m");
+ close(sockfd);
+ sockfd = -1;
+ }
+ }
+
+ freeaddrinfo(answer);
+ return sockfd;
+}
+
+/* end */
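Review bot: In nts_probe the context loads the system roots with SSL_CTX_set_default_verify_file() but never calls SSL_CTX_set_verify() or binds the expected peer name, so once a handshake is added the default client mode (SSL_VERIFY_NONE) would accept any certificate; SSL_set_tlsext_host_name() only sends SNI and checks nothing. The results of SSL_CTX_new() and SSL_new() are also used unchecked, so a failed allocation would hand a NULL ctx to the SSL_CTX_set_* calls. In open_TCP_socket the hints request AF_UNSPEC but the socket is created with a hard-coded AF_INET, so a first answer that is IPv6 will fail at connect(); taking the family from the answer avoids that. The pre-1.1.0 `#else` branches load no trust roots at all, and their bare `// FIXME` should say that certificate verification is not yet possible on that path.

```c
	// ... unchanged: #if/#else selecting the client method ...
	if (NULL == ctx) {
		close(server);
		return false;
	}

	// ... unchanged: root cert loading and protocol version limits ...
	// Fail the handshake when the chain does not verify.
	SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);

	ssl = SSL_new(ctx);
	if (NULL == ssl) {
		SSL_CTX_free(ctx);
		close(server);
		return false;
	}

	SSL_set_fd(ssl, server);
	SSL_set_tlsext_host_name(ssl, peer->hostname);
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
	// Certificate must match the configured server name.
	SSL_set1_host(ssl, peer->hostname);
#else
	// FIXME: no hostname check available on this path yet
#endif

	// ... in open_TCP_socket, unchanged: res_init, hints, getaddrinfo ...
	sockfd = socket(answer->ai_family, answer->ai_socktype,
			answer->ai_protocol);
```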
=====================================
ntpd/nts_lib.c
=====================================
@@ -24,9 +24,9 @@ uint8_t *upf(void *src, void *dest, size_t n) {
int nts_record_parse(record_bits *in) {
in->bit = upf(in->record, &in->now, sizeof(uint16_t));
- if (0x80 & in->record[0]) {
+ if (0x80 & in->record[0]) { // FIXME
in->critical = true;
- in->now &= htons(~0x8000);
+ in->now &= htons(0x7FFF); // FIXME
}
in->record_type = ntohs(in->now);
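Review bot: The two `// FIXME` markers added on the critical-bit test and on the mask do not say what is still wrong, so the next reader cannot tell whether the concern is the byte-order handling of `in->now`, the `0x80` test on `in->record[0]`, or something else; spell it out, e.g. `// FIXME: <what remains to be fixed>`. The hunk also shows no length check before `in->record[0]` is read and before `upf()` copies two bytes; if the caller guarantees a full record header, a comment saying so belongs here, since these records presumably come from the peer. nts_record_parse continues past the end of the hunk.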
=====================================
ntpd/wscript
=====================================
@@ -57,6 +57,7 @@ def build(ctx):
"ntp_restrict.c",
"ntp_util.c",
"nts.c",
+ "nts_client.c",
"nts_lib.c",
]
@@ -65,7 +66,7 @@ def build(ctx):
includes=ctx.env.PLATFORM_INCLUDES,
source=libntpd_source,
target="libntpd_obj",
- use="CRYPTO",
+ use="SSL CRYPTO",
)
ctx(
@@ -124,7 +125,7 @@ def build(ctx):
source=ntpd_source,
target="ntpd",
use="libntpd_obj ntp M parse RT CAP SECCOMP PTHREAD NTPD "
- "CRYPTO DNS_SD %s SOCKET NSL SCF" % use_refclock,
+ "SSL CRYPTO DNS_SD %s SOCKET NSL SCF" % use_refclock,
)
ntsd_source = [
=====================================
wscript
=====================================
@@ -594,11 +594,21 @@ int main(int argc, char **argv) {
for header, sizeof in sorted(sizeofs, key=lambda x: x[1:]):
check_sizeof(ctx, header, sizeof)
+ # Check via pkg-config first, then fall back to a direct search
+ if not ctx.check_cfg(
+ package='libssl', uselib_store='SSL',
+ args=['libcrypto', '--cflags', '--libs'],
+ msg="Checking for OpenSSL/libssl (via pkg-config)",
+ define_name='', mandatory=False,
+ ):
+ ctx.check_cc(msg="Checking for OpenSSL's ssl library",
+ lib="ssl", mandatory=True)
+
# Check via pkg-config first, then fall back to a direct search
if not ctx.check_cfg(
package='libcrypto', uselib_store='CRYPTO',
args=['libcrypto', '--cflags', '--libs'],
- msg="Checking for OpenSSL (via pkg-config)",
+ msg="Checking for OpenSSL/libcrypto (via pkg-config)",
define_name='', mandatory=False,
):
ctx.check_cc(msg="Checking for OpenSSL's crypto library",
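Review bot: In the new libssl check the `args` list still names libcrypto (`args=['libcrypto', '--cflags', '--libs'],`), which looks copied from the libcrypto check below it; following that check's own pattern it should read `args=['libssl', '--cflags', '--libs'],`. As written the pkg-config query appears to ask about libcrypto as well, so the flags stored under `SSL` may not be the ones intended. The duplicated comment `# Check via pkg-config first, then fall back to a direct search` could name the library in each copy to make the two blocks easier to tell apart.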
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/3fea9b1e24fd51c549c553920a7a9d88c9dc8ec9...ea4d92ebf26a650f1fab2a463dac4edaf1cad81a