[Git][NTPsec/ntpsec][master] More server-side NTS options implemented and documented.

Eric S. Raymond gitlab at mg.gitlab.com
Fri Feb 8 14:15:03 UTC 2019


Eric S. Raymond pushed to branch master at NTPsec / ntpsec


Commits:
2b0e1189 by Eric S. Raymond at 2019-02-08T14:14:03Z
More server-side NTS options implemented and documented.

- - - - -


4 changed files:

- docs/includes/auth-commands.adoc
- include/nts.h
- ntpd/ntp_config.c
- ntpd/ntp_parser.y


Changes:

=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -40,6 +40,15 @@ normal TLS protocol negotiation, which is not usually necessary.
 
 The options are as follows:
 
++cert+ _file_::
+  Present the certificate in _file_ as our certificate.
+  This is a default for all client and server connections.
+
++ca+ _location_::
+  Use the file (or directory) specified by _location_ to
+  validate NTS-KE server certificates. This is a default
+  for all client and server connections.
+
 +enable+::
   Enable NTS service. The default.
 
@@ -93,9 +102,12 @@ The following options of the +server+ command configure NTS.
   NTS-KE server.
 
 +cert+ _file_::
-  Present the certificate in _file_ as our client certificate
+  Present the certificate in _file_ as our client certificate,
+  overriding the site default.
 
 +ca+ _location_::
-  Use the file, or directory, specified by _location_ to
-  validate the NTS-KE server certificate.  Do not use any other CA.
+  Use the file, or directory, specified by _location_ to validate the
+  NTS-KE server certificate, overriding the site default.  Do not use
+  any other CA.
+
 // end


=====================================
include/nts.h
=====================================
@@ -15,8 +15,8 @@
 /* Configuration data for an NTS association */
 struct ntscfg_t {
     char *server;	/* if NULL, use the peer itself (normal case) */
-    char *ca;		/* if NULL, use the system default (normal case) */
-    char *cert;		/* if NULL, use the system default (normal case) */
+    char *ca;		/* if NULL, use the site default (normal case) */
+    char *cert;		/* if NULL, use the site default (normal case) */
     uint32_t flags;
     uint32_t expire;
 };
@@ -28,13 +28,15 @@ struct ntsstate_t {
     int cookie_count;
 };
 
-/* Configuration data for an NTS server of client instance */
+/* Configuration data for an NTS server or client instance */
 struct ntsconfig_t {
     bool ntsenable; 		/* enable NTS on this ntpd instance */
     float mintls;		/* minimum TLS version allowed */
     float maxtls;		/* maximum TLS version allowed */
-    char *tlsciphers;	/* allowed TLS 1.2 ciphers */
+    char *tlsciphers;		/* allowed TLS 1.2 ciphers */
     char *tlsciphersuites;	/* allowed TLS 1.3 ciphersuites */
+    char *ca;			/* site default */
+    char *cert;			/* site default */
 };
 
 extern struct ntsconfig_t ntsconfig;
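Review bot: The two new fields in `struct ntsconfig_t` carry only `/* site default */`, which says what they are for but not what a NULL value means or who owns the string, whereas the per-association `ca`/`cert` fields a few lines up spell out their NULL semantics. The only writer visible in this commit is `config_crypto`, which stores an `estrdup` copy, so the comments can at least state that. I would write `char *ca;   /* site-default CA file or directory; NULL when not configured (heap string from estrdup) */` and `char *cert; /* site-default certificate file; NULL when not configured (heap string from estrdup) */`. Whether a NULL site default falls back to the system trust store is not shown on this page and should be stated once it is confirmed.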


=====================================
ntpd/ntp_config.c
=====================================
@@ -1993,6 +1993,22 @@ config_crypto(
 			INSIST(0);
 			break;
 
+		case T_Ca:
+			ntsconfig.ca = estrdup(crypto->value.s);
+			break;
+
+		case T_Cert:
+			ntsconfig.cert = estrdup(crypto->value.s);
+			break;
+
+		case T_Disable:
+			ntsconfig.ntsenable = false;
+			break;
+
+		case T_Enable:
+			ntsconfig.ntsenable = true;
+			break;
+
 		case T_Maxtls:
 			ntsconfig.maxtls = crypto->value.d;
 			break;
@@ -2008,14 +2024,6 @@ config_crypto(
 		case T_Tlsciphersuites:
 			ntsconfig.tlsciphersuites = estrdup(crypto->value.s);
 			break;
-
-		case T_Enable:
-			ntsconfig.ntsenable = true;
-			break;
-
-		case T_Disable:
-			ntsconfig.ntsenable = false;
-			break;
 		}
 	}
 }


=====================================
ntpd/ntp_parser.y
=====================================
@@ -296,7 +296,8 @@
 %type	<Integer>	tinker_option_keyword
 %type	<Attr_val>	tinker_option
 %type	<Attr_val_fifo>	tinker_option_list
-%type	<Integer>	crypto_option_keyword
+%type	<Integer>	crypto_int_option_keyword
+%type	<Integer>	crypto_string_option_keyword
 %type	<Attr_val>	crypto_option
 %type	<Attr_val_fifo>	crypto_option_list
 %type	<Attr_val>	tos_option
@@ -1122,11 +1123,9 @@ crypto_option_list
 	;
 
 crypto_option
-	:	crypto_option_keyword number
+	:	crypto_int_option_keyword number
 			{ $$ = create_attr_dval($1, $2); }
-	|	T_Tlsciphers T_String
-			{ $$ = create_attr_sval($1, $2); }
-	|	T_Tlsciphersuites T_String
+	|	crypto_string_option_keyword T_String
 			{ $$ = create_attr_sval($1, $2); }
 	|	T_Disable
 			{ $$ = create_attr_ival($1, 0); }
@@ -1134,11 +1133,17 @@ crypto_option
 			{ $$ = create_attr_ival($1, 1); }
 	;
 
-crypto_option_keyword
+crypto_int_option_keyword
 	:	T_Maxtls
 	|	T_Mintls
 	;
 
+crypto_string_option_keyword
+	:	T_Ca
+	|	T_Cert
+	|	T_Tlsciphers
+	|	T_Tlsciphersuites
+
 
 /* Miscellaneous Commands
  * ----------------------
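Review bot: The new `crypto_string_option_keyword` rule ends at `T_Tlsciphersuites` with no terminating `;`, unlike the sibling `crypto_int_option_keyword` rule directly above it, which closes with `	;`. Yacc and bison accept a rule without the semicolon, so this parses, but the inconsistency makes the rule boundary harder to read and an accidental addition after it would silently join this rule. I would add a `	;` line after `	|	T_Tlsciphersuites` to match the other keyword rules in the file.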



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/2b0e11890d00f4c901477f51ee5ed4943a6165f6
