[Git][NTPsec/ntpsec][master] 2 commits: Initialize rest of sigaction arg for SIGPIPE

Hal Murray gitlab at mg.gitlab.com
Tue Feb 12 04:43:49 UTC 2019


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
a092ceca by Hal Murray at 2019-02-11T20:28:10Z
Initialize rest of sigaction arg for SIGPIPE
Thanks valgrind.

- - - - -
b4f55578 by Hal Murray at 2019-02-12T03:55:01Z
Minor cleanups to NTS code

- - - - -


4 changed files:

- include/nts_lib.h
- ntpd/ntpd.c
- ntpd/nts_client.c
- ntpd/nts_server.c


Changes:

=====================================
include/nts_lib.h
=====================================
@@ -45,9 +45,9 @@ typedef struct {
 
 #define CRITICAL 0x8000
 enum record_type {
-  end_of_message = 0,
-  next_protocol_negotiation = 1,
-  error = 2,
+  end_of_message = 0,			/* CRITICAL */
+  next_protocol_negotiation = 1,	/* CRITICAL */
+  error = 2,				/* CRITICAL */
   warning = 3,
   algorithm_negotiation = 4,
   new_cookie = 5,


=====================================
ntpd/ntpd.c
=====================================
@@ -629,6 +629,8 @@ ntpdmain(
 
 	/* Ignore SIGPIPE - from OpenSSL */
 	sa.sa_handler = SIG_IGN;
+	sigemptyset(&sa.sa_mask);
+	sa.sa_flags = SA_RESTART;
  	sigaction(SIGPIPE, &sa, NULL);
 
 	/*
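Review bot: The return value of `sigaction(SIGPIPE, &sa, NULL)` on the line following the two new initializers is still discarded, so a failure to install SIG_IGN would go unnoticed and the default disposition would remain, which terminates the process on a write to a peer that has closed the TLS connection. Report it the way the file reports other failures: `if (0 != sigaction(SIGPIPE, &sa, NULL)) msyslog(LOG_ERR, "sigaction(SIGPIPE) failed: %m");`. The declaration of `sa` is outside the hunk; if it is not already zero-initialised, `struct sigaction sa = {0};` at the declaration is the more robust fix, since it also covers any non-portable members valgrind may have flagged. `SA_RESTART` has no effect for a SIG_IGN disposition but is harmless. ntpdmain continues outside the hunk.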


=====================================
ntpd/nts_client.c
=====================================
@@ -27,6 +27,12 @@
 int open_TCP_socket(const char *hostname);
 bool process_recv_data(struct peer* peer, SSL *ssl);
 
+// FIXME - hack until we move this to a thread
+void HackBlockSignals(void);
+void HackUnblockSignals(void);
+
+
+
 bool nts_probe(struct peer * peer) {
 
   SSL_CTX *ctx;
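Review bot: `HackBlockSignals` and `HackUnblockSignals` are declared with external linkage, yet their prototypes live in this .c file rather than include/nts_lib.h and their definitions are in the last hunk of this file, which suggests they are file-local; declare them `static void HackBlockSignals(void);` / `static void HackUnblockSignals(void);` and mark the definitions `static` as well so they do not become global symbols of ntpd. The three blank lines added before `nts_probe` are more than the file uses between definitions elsewhere in the diff; one is enough.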
@@ -36,10 +42,16 @@ bool nts_probe(struct peer * peer) {
   uint8_t  buff[1000];
   int      transfered;
 
+  HackBlockSignals();
+
   server = open_TCP_socket(peer->hostname);
-  if (-1 == server) return false;
+  if (-1 == server) {
+    HackUnblockSignals();
+    return false;
+  }
 
-  // No error checking yet.
+  // FIXME
+  // Not much error checking yet.
   // Ugly since most SSL routines return 1 on success.
 
 // Fedora 29:  0x1010101fL  1.1.1a
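Review bot: From `HackBlockSignals()` onward every exit from nts_probe has to restore the signal mask, and only two exits are visible in the diff: the early return added here and `bail:`, where a later hunk adds the unblock. The successful return of nts_probe lies outside the hunks shown; confirm it also calls `HackUnblockSignals()`, otherwise ntpd would keep SIGINT, SIGTERM and SIGHUP blocked after the first successful probe. Since the blocked set also contains SIGALRM, no timer-driven work runs while the probe sits in `connect()` and the TLS handshake; that is acceptable for a synchronous stopgap but worth stating in the FIXME comment, e.g. `// FIXME - hack until we move this to a thread: blocks SIGALRM and termination signals for the whole probe`.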
@@ -109,26 +121,19 @@ bool nts_probe(struct peer * peer) {
   msyslog(LOG_ERR, "NTSc: can't check hostname/certificate");
 #endif
 
-  SSL_connect(ssl);
-  SSL_do_handshake(ssl);
-
-  switch (SSL_version(ssl)) {
-#ifdef TLS1_3_VERSION
-    case TLS1_3_VERSION:
-      msyslog(LOG_INFO, "NTSc: Using TLS1.3");
-      break;
-#endif
-    case TLS1_2_VERSION:
-      msyslog(LOG_INFO, "NTSc: Using TLS1.2");
-      break;
-    default:
-      msyslog(LOG_INFO, "NTSc: Strange version: %d, \"%s\"",
-        SSL_version(ssl), SSL_get_version(ssl));
-      break;
-    }
+  // SSL_set_timeout(SSL_get_session(ssl), 2);  // FIXME
+  if (1 != SSL_connect(ssl)) {
+    msyslog(LOG_INFO, "NTSc: SSL_connect failed");
+    goto bail;
+  }
+  if (1 != SSL_do_handshake(ssl)) {
+    msyslog(LOG_INFO, "NTSc: SSL_do_handshake failed");
+    goto bail;
+  }
 
   /* This may be clutter, but this is how to do it. */
-  msyslog(LOG_INFO, "NTSc: Using %s with %d secret bits",
+  msyslog(LOG_INFO, "NTSc: Using %s, %s with %d secret bits",
+    SSL_get_version(ssl),
     SSL_get_cipher_name(ssl),
     SSL_get_cipher_bits(ssl, NULL));
 
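Review bot: When `SSL_connect` or `SSL_do_handshake` returns something other than 1 the new log lines give no reason, which makes a failed handshake against a misconfigured or hostile NTS-KE server hard to diagnose; keep the return value and report `SSL_get_error()`, e.g. `int rc = SSL_connect(ssl);` / `if (1 != rc) { msyslog(LOG_INFO, "NTSc: SSL_connect failed: %d", SSL_get_error(ssl, rc)); goto bail; }`, and the same for the handshake call. Calling `SSL_do_handshake` after a successful `SSL_connect` appears redundant, since SSL_connect already drives the handshake to completion. The commented-out `SSL_set_timeout` FIXME would not supply a deadline here in any case: it sets the session's resumption lifetime, not an I/O timeout, so with the signal mask set earlier in nts_probe there is still no upper bound on how long a stalled server can hold ntpd in this call; a socket-level receive/send timeout on `server` before the socket is handed to OpenSSL would provide one. The rest of nts_probe is outside the hunk.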
@@ -161,7 +166,7 @@ bool nts_probe(struct peer * peer) {
     buf.left = sizeof(buff);
 
     /* 4.1.2 Next Protocol, 0 for NTP */
-    nts_append_record_uint16(&buf, next_protocol_negotiation, 0);
+    nts_append_record_uint16(&buf, CRITICAL+next_protocol_negotiation, 0);
 
     /* 4.1.5 AEAD Algorithm List
      * AEAD_AES_SIV_CMAC_256 is the only one for now */
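Review bot: `CRITICAL+next_protocol_negotiation` only works because the enum value is small enough that addition and bit-or coincide; since `CRITICAL` is a flag bit (0x8000 in include/nts_lib.h), `CRITICAL | next_protocol_negotiation` states that intent and cannot carry into the flag if a record type above 0x7fff is ever added. The same expression is introduced in the nts_server.c hunk for nts_ke_request and should be written the same way there.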
@@ -196,6 +201,7 @@ bail:
   SSL_free(ssl);
   close(server);
   SSL_CTX_free(ctx);
+  HackUnblockSignals();
 
   return false;
 }
@@ -232,7 +238,7 @@ int open_TCP_socket(const char *hostname) {
     // Use first answer
     err = connect(sockfd, answer->ai_addr, answer->ai_addrlen);
     if (-1 == err) {
-      msyslog(LOG_INFO, "NTSc: nts_probe: can't connect: %m");
+      msyslog(LOG_INFO, "NTSc: nts_probe: connect failed: %m");
       close(sockfd);
       sockfd = -1;
     }
@@ -388,4 +394,25 @@ bool process_recv_data(struct peer* peer, SSL *ssl) {
   return true;
 }
 
+/* ********************************** */
+
+// FIXME - hack until we move this to a thread
+static sigset_t blockMask, runMask;
+
+void HackBlockSignals(void) {
+  sigemptyset(&blockMask);
+  sigaddset(&blockMask, SIGALRM);
+  sigaddset(&blockMask, MOREDEBUGSIG);
+  sigaddset(&blockMask, LESSDEBUGSIG);
+  sigaddset(&blockMask, SIGINT);
+  sigaddset(&blockMask, SIGQUIT);
+  sigaddset(&blockMask, SIGTERM);
+  sigaddset(&blockMask, SIGHUP);
+  pthread_sigmask(SIG_BLOCK, &blockMask, &runMask);
+}
+
+void HackUnblockSignals(void) {
+  pthread_sigmask(SIG_SETMASK, &runMask, NULL);
+}
+
 /* end */
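Review bot: Both `pthread_sigmask` calls discard their result, and `HackUnblockSignals` restores `runMask` even if the earlier SIG_BLOCK call failed and never filled it, so an error would silently leave the thread's mask in an unknown state. Because the set being blocked contains SIGINT, SIGQUIT, SIGTERM and SIGHUP, a wrong mask means ntpd may ignore an operator's stop request for as long as the probe runs, so the failure should at least be logged; note that pthread_sigmask returns an errno value rather than setting errno, so `%m` cannot be used and `strerror(rc)` is needed instead. `blockMask` is also rebuilt on every call although its contents never change; building it once would be cleaner but is not a defect.

```c
void HackBlockSignals(void) {
  // … unchanged: sigemptyset / sigaddset list …
  int rc = pthread_sigmask(SIG_BLOCK, &blockMask, &runMask);
  if (0 != rc)
    msyslog(LOG_ERR, "NTSc: pthread_sigmask(SIG_BLOCK) failed: %s", strerror(rc));
}

void HackUnblockSignals(void) {
  int rc = pthread_sigmask(SIG_SETMASK, &runMask, NULL);
  if (0 != rc)
    msyslog(LOG_ERR, "NTSc: pthread_sigmask(SIG_SETMASK) failed: %s", strerror(rc));
}
```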


=====================================
ntpd/nts_server.c
=====================================
@@ -108,6 +108,7 @@ void* nts_ke_listener(void* arg) {
             close(client);
             continue;
         }
+        SSL_set_timeout(SSL_get_session(ssl), 2);  // FIXME
         msyslog(LOG_INFO, "NTSs: SSL accept-ed from %s",
             socktoa((sockaddr_u *)&addr));
         msyslog(LOG_INFO, "NTSs: Using TLS version %s, cipher %s with %d secret bits",
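Review bot: `SSL_set_timeout(SSL_get_session(ssl), 2)` sets the resumption lifetime of the TLS session, not a read/write deadline, so it does not bound how long `nts_ke_request(ssl)` can block on a client that completes the handshake and then sends nothing. If the FIXME is meant as an I/O timeout, the effective fix is `SO_RCVTIMEO`/`SO_SNDTIMEO` via `setsockopt` on `client` before the socket is handed to OpenSSL, or non-blocking I/O with `poll`. This loop appears to serve one connection at a time (accept, request, shutdown), so until such a timeout exists a single stalled or hostile client holds the whole NTS-KE listener. nts_ke_listener continues outside the hunk.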
@@ -115,6 +116,7 @@ void* nts_ke_listener(void* arg) {
             SSL_get_cipher_name(ssl),
             SSL_get_cipher_bits(ssl, NULL));
 
+
         nts_ke_request(ssl);
 
         SSL_shutdown(ssl);
@@ -147,7 +149,7 @@ void nts_ke_request(SSL *ssl) {
     nts_make_keys(ssl, c2s, s2c, keylen);
 
     /* 4.1.2 Next Protocol, 0 for NTP */
-    nts_append_record_uint16(&buf, next_protocol_negotiation, 0);
+    nts_append_record_uint16(&buf, CRITICAL+next_protocol_negotiation, 0);
     /* 4.1.5 AEAD Algorithm List */
     nts_append_record_uint16(&buf, algorithm_negotiation, aead);
 


