[Git][NTPsec/ntpsec][master] 2 commits: Initialize rest of sigaction arg for SIGPIPE
Hal Murray
gitlab at mg.gitlab.com
Tue Feb 12 04:43:49 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
a092ceca by Hal Murray at 2019-02-11T20:28:10Z
Initialize rest of sigaction arg for SIGPIPE
Thanks valgrind.
- - - - -
b4f55578 by Hal Murray at 2019-02-12T03:55:01Z
Minor cleanups to NTS code
- - - - -
4 changed files:
- include/nts_lib.h
- ntpd/ntpd.c
- ntpd/nts_client.c
- ntpd/nts_server.c
Changes:
=====================================
include/nts_lib.h
=====================================
@@ -45,9 +45,9 @@ typedef struct {
#define CRITICAL 0x8000
enum record_type {
- end_of_message = 0,
- next_protocol_negotiation = 1,
- error = 2,
+ end_of_message = 0, /* CRITICAL */
+ next_protocol_negotiation = 1, /* CRITICAL */
+ error = 2, /* CRITICAL */
warning = 3,
algorithm_negotiation = 4,
new_cookie = 5,
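Review bot: The new `/* CRITICAL */` comments on end_of_message, next_protocol_negotiation and error do not say who sets the bit, and the enumerators themselves still do not carry it — the call sites in nts_client.c and nts_server.c add CRITICAL by hand when sending next_protocol_negotiation. A reader could take the comment to mean the value already includes 0x8000. Suggest `/* sender must OR in CRITICAL */` on each of the three, or one comment above the enum stating that CRITICAL is applied at the call site.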
=====================================
ntpd/ntpd.c
=====================================
@@ -629,6 +629,8 @@ ntpdmain(
/* Ignore SIGPIPE - from OpenSSL */
sa.sa_handler = SIG_IGN;
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = SA_RESTART;
sigaction(SIGPIPE, &sa, NULL);
/*
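Review bot: The `sigaction(SIGPIPE, &sa, NULL)` call's return value is still unchecked, so a failure to install the SIG_IGN disposition would go unnoticed and a later write to a peer that closed its side could terminate ntpd with SIGPIPE. Suggest `if (0 != sigaction(SIGPIPE, &sa, NULL)) msyslog(LOG_ERR, "sigaction(SIGPIPE) failed: %m");`. The added sigemptyset/sa_flags lines address the valgrind finding; an alternative that covers every field is initializing `sa` with `= {0}` at its declaration, which lies outside this hunk. ntpdmain's body continues outside the hunk.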
=====================================
ntpd/nts_client.c
=====================================
@@ -27,6 +27,12 @@
int open_TCP_socket(const char *hostname);
bool process_recv_data(struct peer* peer, SSL *ssl);
+// FIXME - hack until we move this to a thread
+void HackBlockSignals(void);
+void HackUnblockSignals(void);
+
+
+
bool nts_probe(struct peer * peer) {
SSL_CTX *ctx;
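Review bot: HackBlockSignals and HackUnblockSignals are declared here and defined later in this same file (the hunk at the end of nts_client.c), and nothing in this commit declares them in a header, so they should be `static` in both places rather than exported with external linkage; the Hack prefix also departs from the snake_case of the surrounding functions (open_TCP_socket, process_recv_data). Suggest `static void hack_block_signals(void);` and `static void hack_unblock_signals(void);`, and dropping two of the three blank lines added after them. nts_probe's body continues outside the hunk.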
@@ -36,10 +42,16 @@ bool nts_probe(struct peer * peer) {
uint8_t buff[1000];
int transfered;
+ HackBlockSignals();
+
server = open_TCP_socket(peer->hostname);
- if (-1 == server) return false;
+ if (-1 == server) {
+ HackUnblockSignals();
+ return false;
+ }
- // No error checking yet.
+ // FIXME
+ // Not much error checking yet.
// Ugly since most SSL routines return 1 on success.
// Fedora 29: 0x1010101fL 1.1.1a
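Review bot: Every exit from nts_probe now has to undo HackBlockSignals(); the two visible paths (the early return after open_TCP_socket and the bail label) do, but the success return of nts_probe is outside this hunk and should be checked for a matching HackUnblockSignals(). While the mask is in effect the synchronous connect and TLS handshake run with SIGALRM and the control signals blocked, so a slow or unresponsive NTS-KE server stalls ntpd's main loop for as long as the connect takes — the FIXME points at the thread move, but a socket-level timeout on the connect would bound the exposure in the meantime. nts_probe's body continues outside the hunk.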
@@ -109,26 +121,19 @@ bool nts_probe(struct peer * peer) {
msyslog(LOG_ERR, "NTSc: can't check hostname/certificate");
#endif
- SSL_connect(ssl);
- SSL_do_handshake(ssl);
-
- switch (SSL_version(ssl)) {
-#ifdef TLS1_3_VERSION
- case TLS1_3_VERSION:
- msyslog(LOG_INFO, "NTSc: Using TLS1.3");
- break;
-#endif
- case TLS1_2_VERSION:
- msyslog(LOG_INFO, "NTSc: Using TLS1.2");
- break;
- default:
- msyslog(LOG_INFO, "NTSc: Strange version: %d, \"%s\"",
- SSL_version(ssl), SSL_get_version(ssl));
- break;
- }
+ // SSL_set_timeout(SSL_get_session(ssl), 2); // FIXME
+ if (1 != SSL_connect(ssl)) {
+ msyslog(LOG_INFO, "NTSc: SSL_connect failed");
+ goto bail;
+ }
+ if (1 != SSL_do_handshake(ssl)) {
+ msyslog(LOG_INFO, "NTSc: SSL_do_handshake failed");
+ goto bail;
+ }
/* This may be clutter, but this is how to do it. */
- msyslog(LOG_INFO, "NTSc: Using %s with %d secret bits",
+ msyslog(LOG_INFO, "NTSc: Using %s, %s with %d secret bits",
+ SSL_get_version(ssl),
SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, NULL));
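Review bot: The two new failure branches log only that SSL_connect or SSL_do_handshake failed and discard the reason; capturing the return code and passing it to SSL_get_error makes a failed certificate verification distinguishable from a network error in the log. Suggest `int rc = SSL_connect(ssl);` / `if (1 != rc) { msyslog(LOG_INFO, "NTSc: SSL_connect failed: %d", SSL_get_error(ssl, rc)); goto bail; }`. SSL_connect already performs the handshake, so the following SSL_do_handshake call is redundant on a connection that just succeeded, and the commented-out SSL_set_timeout would not bound the handshake either — it sets the session's cache lifetime, not an I/O timeout. nts_probe's body continues outside the hunk.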
@@ -161,7 +166,7 @@ bool nts_probe(struct peer * peer) {
buf.left = sizeof(buff);
/* 4.1.2 Next Protocol, 0 for NTP */
- nts_append_record_uint16(&buf, next_protocol_negotiation, 0);
+ nts_append_record_uint16(&buf, CRITICAL+next_protocol_negotiation, 0);
/* 4.1.5 AEAD Algorithm List
* AEAD_AES_SIV_CMAC_256 is the only one for now */
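Review bot: CRITICAL is a flag bit (0x8000) and next_protocol_negotiation a record type, so composing them with `+` is correct only as long as no record type ever has that bit set; `CRITICAL | next_protocol_negotiation` states the intent and cannot double-count. The same construction appears in the nts_ke_request hunk in nts_server.c. Suggest `nts_append_record_uint16(&buf, CRITICAL | next_protocol_negotiation, 0);` in both places. nts_probe's body continues outside the hunk.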
@@ -196,6 +201,7 @@ bail:
SSL_free(ssl);
close(server);
SSL_CTX_free(ctx);
+ HackUnblockSignals();
return false;
}
@@ -232,7 +238,7 @@ int open_TCP_socket(const char *hostname) {
// Use first answer
err = connect(sockfd, answer->ai_addr, answer->ai_addrlen);
if (-1 == err) {
- msyslog(LOG_INFO, "NTSc: nts_probe: can't connect: %m");
+ msyslog(LOG_INFO, "NTSc: nts_probe: connect failed: %m");
close(sockfd);
sockfd = -1;
}
@@ -388,4 +394,25 @@ bool process_recv_data(struct peer* peer, SSL *ssl) {
return true;
}
+/* ********************************** */
+
+// FIXME - hack until we move this to a thread
+static sigset_t blockMask, runMask;
+
+void HackBlockSignals(void) {
+ sigemptyset(&blockMask);
+ sigaddset(&blockMask, SIGALRM);
+ sigaddset(&blockMask, MOREDEBUGSIG);
+ sigaddset(&blockMask, LESSDEBUGSIG);
+ sigaddset(&blockMask, SIGINT);
+ sigaddset(&blockMask, SIGQUIT);
+ sigaddset(&blockMask, SIGTERM);
+ sigaddset(&blockMask, SIGHUP);
+ pthread_sigmask(SIG_BLOCK, &blockMask, &runMask);
+}
+
+void HackUnblockSignals(void) {
+ pthread_sigmask(SIG_SETMASK, &runMask, NULL);
+}
+
/* end */
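Review bot: HackBlockSignals saves the previous mask into the file-scope runMask on every call, so a repeated call before HackUnblockSignals overwrites the saved mask and the later unblock restores the blocked set instead of the original; the pthread_sigmask return value is also ignored, and it reports failure as a returned errno value rather than by setting errno. Suggest `int rc = pthread_sigmask(SIG_BLOCK, &blockMask, &runMask);` / `if (0 != rc) msyslog(LOG_ERR, "NTSc: pthread_sigmask failed: %d", rc);` and a comment on runMask such as `/* not re-entrant: one outstanding block at a time */`. Nothing in this commit declares the pair in a header, so both functions and both masks can be `static`.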
=====================================
ntpd/nts_server.c
=====================================
@@ -108,6 +108,7 @@ void* nts_ke_listener(void* arg) {
close(client);
continue;
}
+ SSL_set_timeout(SSL_get_session(ssl), 2); // FIXME
msyslog(LOG_INFO, "NTSs: SSL accept-ed from %s",
socktoa((sockaddr_u *)&addr));
msyslog(LOG_INFO, "NTSs: Using TLS version %s, cipher %s with %d secret bits",
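Review bot: `SSL_set_timeout(SSL_get_session(ssl), 2)` sets the lifetime of the TLS session object for resumption purposes, not a timeout on the handshake or on subsequent reads, so a client that connects and then goes silent still holds nts_ke_listener for as long as the kernel allows — which appears to be what the FIXME is reaching for. A socket-level receive/send timeout on `client` (SO_RCVTIMEO/SO_SNDTIMEO via setsockopt) before SSL_accept would bound the time spent per connection. Suggest at least rewording the comment to `// FIXME: session cache lifetime, not an I/O timeout` so it is not mistaken for one. nts_ke_listener's body continues outside the hunk.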
@@ -115,6 +116,7 @@ void* nts_ke_listener(void* arg) {
SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, NULL));
+
nts_ke_request(ssl);
SSL_shutdown(ssl);
@@ -147,7 +149,7 @@ void nts_ke_request(SSL *ssl) {
nts_make_keys(ssl, c2s, s2c, keylen);
/* 4.1.2 Next Protocol, 0 for NTP */
- nts_append_record_uint16(&buf, next_protocol_negotiation, 0);
+ nts_append_record_uint16(&buf, CRITICAL+next_protocol_negotiation, 0);
/* 4.1.5 AEAD Algorithm List */
nts_append_record_uint16(&buf, algorithm_negotiation, aead);