[Git][NTPsec/ntpsec][master] Added ntsenable global.
Eric S. Raymond
gitlab at mg.gitlab.com
Fri Feb 8 12:57:46 UTC 2019
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
90a30f7f by Eric S. Raymond at 2019-02-08T12:57:14Z
Added ntsenable global.
- - - - -
6 changed files:
- devel/ntpv5.adoc
- docs/includes/auth-commands.adoc
- include/nts.h
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/nts.c
Changes:
=====================================
devel/ntpv5.adoc
=====================================
@@ -59,8 +59,8 @@ v5 packets by setting the high three bits.
A difficulty with this approach is that some firewalls and routers are
known to silently discard RFC7822 extension blocks as a way of
-preventing DoS attacks; this would create propagation issues
-difficult to diagnose.
+preventing DoS attacks. However, by checking the mark described in the
+previos paragraph, an ntpd can at least detect this.
=== NTPNG
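Review bot: typo in the added text: "previos paragraph" should read "previous paragraph". The rewritten sentence also leans on "the mark described in the previous paragraph" without naming it; a short parenthetical (the high-three-bits marking mentioned in the hunk header context) would keep the DoS-filtering caveat and its detection story readable on their own.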
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -36,10 +36,16 @@ The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
[[crypto]]
-+crypto+ [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
++crypto+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
The options are as follows:
++enable+::
+ Enable NTS service. The default.
+
++disable+::
+ Disable NTS service.
+
+mintls+ _number_::
Set the lowest allowable TLS version to negotiate. Will be useful in
the wake of a TLS compromise.
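Review bot: the synopsis markup is inconsistent with the other options: `[enable|disable]` should be `[+enable+|+disable+]` to match `[+mintls+ _version_]` and the `+enable+::` / `+disable+::` entries below it. The two new entries are also underspecified for an operator: say whether `disable` stops only the NTS-KE server side, the NTS client side, or both, and whether the remaining `crypto` options are still parsed and honoured when NTS is disabled. Minor: the synopsis says `_version_` while the entry reads `+mintls+ _number_`; worth unifying while this block is being edited.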
=====================================
include/nts.h
=====================================
@@ -12,6 +12,7 @@
#define FLAG_NTS_REQ 0x04u /* NTS, ask for specified server */
#define FLAG_NTS_NOVAL 0x08u /* do not validate the server certificate */
+extern bool ntsenable; /* enable NTS on this ntpd instance */
extern float mintls; /* minimum TLS version allowed */
extern float maxtls; /* maximum TLS version allowed */
extern char *tlsciphers; /* allowed TLS 1.2 ciphers */
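Review bot: `extern bool ntsenable` requires `<stdbool.h>` (or the project's equivalent typedef) to be in scope for every translation unit that includes nts.h; the hunk does not show the header's own include list, so confirm the header pulls it in itself rather than relying on each includer to do so.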
=====================================
ntpd/ntp_config.c
=====================================
@@ -2008,6 +2008,14 @@ config_crypto(
case T_Tlsciphersuites:
tlsciphersuites = estrdup(crypto->value.s);
break;
+
+ case T_Enable:
+ ntsenable = true;
+ break;
+
+ case T_Disable:
+ ntsenable = false;
+ break;
}
}
}
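Review bot: the integer the parser attaches to these attributes (`create_attr_ival($1, 0)` / `create_attr_ival($1, 1)`) is never read here; the switch dispatches on the attribute token alone and hard-codes `true` / `false`. Either collapse `T_Enable` and `T_Disable` into one case that assigns `ntsenable = (crypto->value.i != 0)`, or keep the two cases and have the parser store nothing, so there is a single place that defines which keyword means what.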
=====================================
ntpd/ntp_parser.y
=====================================
@@ -1128,6 +1128,10 @@ crypto_option
{ $$ = create_attr_sval($1, $2); }
| T_Tlsciphersuites T_String
{ $$ = create_attr_sval($1, $2); }
+ | T_Disable
+ { $$ = create_attr_ival($1, 0); }
+ | T_Enable
+ { $$ = create_attr_ival($1, 1); }
;
crypto_option_keyword
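Review bot: the `crypto_option_keyword` nonterminal that follows is not extended in this hunk; if that rule is where the accepted `crypto` keywords are enumerated (for the keyword table or for error reporting), `T_Enable` and `T_Disable` need adding there too or the new alternatives will parse but be absent from that listing. Since `T_Enable` and `T_Disable` are existing tokens (no new `%token` is added here) already used by other commands, also check the bison output for new conflicts introduced by accepting them inside `crypto_option`.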
=====================================
ntpd/nts.c
=====================================
@@ -15,6 +15,7 @@
#include "ntp_types.h"
#include "ntpd.h"
+bool ntsenable = true; /* enable NTS on this ntpd instance */
float mintls = 1.2; /* minimum TLS version allowed */
float maxtls; /* maximum TLS version allowed */
char *tlsciphers; /* allowed TLS 1.2 ciphers */
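Review bot: `ntsenable` is defined here and written in ntp_config.c, but no hunk in this commit reads it, so `crypto disable` currently changes nothing at runtime even though auth-commands.adoc in the same commit says it disables NTS service. Gate the NTS startup path in nts.c on `ntsenable` in this commit, or hold the doc change until that check lands, so documented and actual behaviour do not diverge; a write-only global will not be flagged by the compiler.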
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/90a30f7fab343731262d3a8948b2272acdb7de4e