[Git][NTPsec/ntpsec][master] Cookies now getting through
Hal Murray
gitlab at mg.gitlab.com
Mon Feb 11 05:26:59 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
72c3c450 by Hal Murray at 2019-02-11T05:25:48Z
Cookies now getting through
- - - - -
4 changed files:
- include/nts.h
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_server.c
Changes:
=====================================
include/nts.h
=====================================
@@ -97,6 +97,7 @@ void nts_append_bytes(BufCtl* buf, uint8_t *data, int length);
uint16_t nts_next_record(BufCtl* buf, int *length);
uint16_t nts_next_uint16(BufCtl* buf);
+uint16_t nts_next_bytes(BufCtl* buf, uint8_t *data, int length);
#endif /* GUARD_NTS_H */
=====================================
ntpd/nts.c
=====================================
@@ -132,7 +132,7 @@ int nts_decorate(struct ntscfg_t *cfg, struct ntsstate_t *state,
/* Troubles with signed/unsigned compares when using sizeof() */
void nts_append_record_null(BufCtl* buf, uint16_t type) {
- nts_append_header(buf, type, NTS_KE_DATA2_LNG);
+ nts_append_header(buf, type, 0);
}
void nts_append_record_uint16(BufCtl* buf, uint16_t type, uint16_t data) {
@@ -182,18 +182,25 @@ uint16_t nts_next_record(BufCtl* buf, int *length) {
uint16_t *ptr = (uint16_t *)buf->next;
uint16_t type = ntohs(*ptr++);
*length = ntohs(*ptr++);
- buf->next += sizeof(type)+sizeof(*length);
- buf->left -= sizeof(type)+sizeof(*length);
+ buf->next += NTS_KE_HDR_LNG;
+ buf->left -= NTS_KE_HDR_LNG;
return type;
}
uint16_t nts_next_uint16(BufCtl* buf) {
uint16_t *ptr = (uint16_t *)buf->next;
uint16_t data = ntohs(*ptr++);
- buf->next += sizeof(data);
- buf->left -= sizeof(data);
+ buf->next += NTS_KE_DATA2_LNG;
+ buf->left -= NTS_KE_DATA2_LNG;
return data;
}
+uint16_t nts_next_bytes(BufCtl* buf, uint8_t *data, int length) {
+ memcpy(data, buf->next, length);
+ buf->next += length;
+ buf->left -= length;
+ return length;
+}
+
/* end */
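Review bot: nts_next_bytes copies `length` bytes out of `buf->next` without first checking that `buf->left` holds that many, so a record whose declared length exceeds the data actually received is read past the end of the receive buffer and `buf->left` is driven below zero (assuming it is a signed count, which its use with `-=` suggests). The callers of nts_next_record and nts_next_uint16 above have the same gap: both now advance by NTS_KE_HDR_LNG / NTS_KE_DATA2_LNG without confirming `buf->left` is at least that large. A guard such as `if (length < 0 || length > buf->left) return 0;` ahead of the memcpy, with the caller treating 0 as a truncated record, would keep a malformed peer message from turning into an out-of-bounds read. Note also that the `int length` is narrowed to the `uint16_t` return value; returning `int` (or `size_t`) would match the parameter.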
=====================================
ntpd/nts_client.c
=====================================
@@ -45,11 +45,13 @@ bool nts_probe(struct peer * peer) {
// Fedora 29: 0x1010101fL 1.1.1a
// Fedora 28: 0x1010009fL 1.1.0i
// Debian 9: 0x101000afL 1.1.0j
+// Debian 8: 0x1000114fL 1.0.1t
// CentOS 7: 0x100020bfL 1.0.2k
// CentOS 6: 0x1000105fL 1.0.1e
// NetBSD 8: 0x100020bfL 1.0.2k
// NetBSD 7: 0x1000115fL 1.0.1u
// FreeBSD 12: 0x1010101fL 1.1.1a-freebsd
+// FreeBSD 11: 0x100020ffL 1.0.2o-freebsd
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
ctx = SSL_CTX_new(TLS_client_method());
SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); // FIXME
@@ -63,6 +65,14 @@ bool nts_probe(struct peer * peer) {
SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
#endif
+#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
+ {
+ // 4., ALPN, RFC 7301
+ static unsigned char alpn [] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
+ SSL_CTX_set_alpn_protos(ctx, alpn, sizeof(alpn));
+ }
+#endif
+
SSL_CTX_set_default_verify_paths(ctx); // Use system root certs
if (NULL != ntsconfig.tlsciphers) {
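Review bot: The return value of `SSL_CTX_set_alpn_protos` in the new block is discarded, and that call has the inverted OpenSSL convention of returning 0 on success and non-zero on failure, so a failed ALPN setup would silently proceed without offering `ntske/1`. Checking it is a two-line change: `if (0 != SSL_CTX_set_alpn_protos(ctx, alpn, sizeof(alpn)))` followed by `msyslog(LOG_ERR, "NTSc: SSL_CTX_set_alpn_protos failed");`. Nothing visible in this commit inspects the protocol the server actually selected after the handshake, so it is worth a FIXME that the negotiated ALPN should be verified before the key-exchange records are trusted. The enclosing nts_probe starts and ends outside this hunk.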
@@ -175,7 +185,7 @@ bool nts_probe(struct peer * peer) {
/* We are using AEAD_AES_SIV_CMAC_256, from RFC 5297
* There are no alternatives and no clean API yet.
*/
- peer->nts_state.keylen = get_key_length(AEAD_AES_SIV_CMAC_256_KEYLEN);
+ peer->nts_state.keylen = get_key_length(AEAD_AES_SIV_CMAC_256);
nts_make_keys(ssl,
peer->nts_state.c2s,
peer->nts_state.s2c,
@@ -205,7 +215,7 @@ int open_TCP_socket(const char *hostname) {
hints.ai_protocol = IPPROTO_TCP;
hints.ai_socktype = SOCK_STREAM;
hints.ai_family = AF_UNSPEC;
- gai_rc = getaddrinfo(hostname, "8123", &hints, &answer); // FIXME
+ gai_rc = getaddrinfo(hostname, "123", &hints, &answer); // FIXME
if (0 != gai_rc) {
msyslog(LOG_INFO, "NTSc: nts_probe: DNS error: %d, %s",
gai_rc, gai_strerror(gai_rc));
@@ -293,6 +303,8 @@ bool process_recv_data(struct peer* peer, SSL *ssl) {
critical = true;
type &= ~CRITICAL;
}
+ if (0) // Handy for debugging but very verbose
+ msyslog(LOG_ERR, "NTSc: Record: T=%d, L=%d, C=%d", type, length, critical);
switch (type) {
case error:
data = nts_next_uint16(&buf);
@@ -327,22 +339,17 @@ bool process_recv_data(struct peer* peer, SSL *ssl) {
if (length != peer->nts_state.cookie_length) {
msyslog(LOG_ERR, "NTSc: Cookie length mismatch %d, %d.",
length, peer->nts_state.cookie_length);
- break;
return false;
}
idx = peer->nts_state.next_cookie;
+ nts_next_bytes(&buf, (uint8_t*)&peer->nts_state.cookies[idx], length);
if (NTS_MAX_COOKIES <= peer->nts_state.cookie_count) {
- msyslog(LOG_ERR, "NTSc: Extra cookie ignored.");
- buf.next += length;
- buf.left -= length;
+ msyslog(LOG_ERR, "NTSc: Extra cookie.");
break;
}
- memcpy(&peer->nts_state.cookies[idx], buf.next, length);
peer->nts_state.valid[idx] = true;
peer->nts_state.next_cookie++;
peer->nts_state.cookie_count++;
- buf.next += length;
- buf.left -= length;
break;
case end_of_message:
if ((0 != length) || !critical) {
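Review bot: Moving the copy into `peer->nts_state.cookies[idx]` ahead of the `NTS_MAX_COOKIES <= cookie_count` check means the "Extra cookie" case now writes the payload into slot `idx = next_cookie` before the bound is verified; since `next_cookie` is only ever incremented here, once `cookie_count` reaches NTS_MAX_COOKIES the index equals NTS_MAX_COOKIES and the write lands one past the end of the array, unless `next_cookie` is wrapped somewhere outside this hunk. The earlier ordering skipped the bytes in the overflow branch and only copied after the check, and that is the safe shape: keep the check first, skip the payload in the overflow branch with `buf.next += length; buf.left -= length;`, and call `nts_next_bytes(&buf, (uint8_t*)&peer->nts_state.cookies[idx], length);` only after it. The `length` value is still compared only against `cookie_length`, not against `buf.left`, so a short message can still be over-read here. The enclosing process_recv_data starts and ends outside this hunk.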
@@ -354,6 +361,7 @@ bool process_recv_data(struct peer* peer, SSL *ssl) {
msyslog(LOG_ERR, "NTSc: EOM not at end: %d", buf.left);
return false;
}
+ // FIXME check for no more
break;
default:
msyslog(LOG_ERR, "NTSc: received strange type: T=%d, C=%d, L=%d",
=====================================
ntpd/nts_server.c
=====================================
@@ -149,7 +149,7 @@ void nts_ke_request(SSL *ssl) {
/* 4.1.2 Next Protocol, 0 for NTP */
nts_append_record_uint16(&buf, next_protocol_negotiation, 0);
/* 4.1.5 AEAD Algorithm List */
- nts_append_record_uint16(&buf, algorithm_negotiation, AEAD_AES_SIV_CMAC_256);
+ nts_append_record_uint16(&buf, algorithm_negotiation, aead);
for (int i=0; i<NTS_MAX_COOKIES; i++) {
cookielen = make_cookie(cookie, aead, c2s, s2c, keylen);
@@ -161,7 +161,7 @@ void nts_ke_request(SSL *ssl) {
used = sizeof(buff)-buf.left;
bytes_written = SSL_write(ssl, buff, used);
- if (bytes_written != bytes_read) {
+ if (bytes_written != used) {
msyslog(LOG_INFO, "NTSs: SSL_write error");
return;
}
@@ -207,6 +207,7 @@ int get_key_length(int aead) {
}
}
+// FIXME - this is a total hack to test pack/unpack
/* returns actual length */
int make_cookie(uint8_t *cookie,
uint16_t aead,