[Git][NTPsec/ntpsec][master] Process "nts ca <file/dir>, text on invalid cert messages

Hal Murray gitlab at mg.gitlab.com
Tue Feb 12 10:32:43 UTC 2019


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
d6801622 by Hal Murray at 2019-02-12T09:49:41Z
Process "nts ca <file/dir>, text on invalid cert messages

- - - - -


1 changed file:

- ntpd/nts_client.c


Changes:

=====================================
ntpd/nts_client.c
=====================================
@@ -7,6 +7,8 @@
  */
 #include "config.h"
 
+#include <sys/types.h>
+#include <sys/stat.h>
 #include <unistd.h>
 
 #ifdef HAVE_RES_INIT
@@ -25,6 +27,7 @@
 
 
 int open_TCP_socket(const char *hostname);
+void nts_set_cert_search(SSL_CTX *ctx);
 bool process_recv_data(struct peer* peer, SSL *ssl);
 
 // FIXME - hack until we move this to a thread
@@ -85,8 +88,6 @@ bool nts_probe(struct peer * peer) {
   }
 #endif
 
-  SSL_CTX_set_default_verify_paths(ctx);   // Use system root certs
-
   if (NULL != ntsconfig.tlsciphers) {
     if (1 != SSL_CTX_set_cipher_list(ctx, ntsconfig.tlsciphers)) {
       msyslog(LOG_ERR, "NTSc: error setting TLS ciphers");
@@ -100,6 +101,8 @@ bool nts_probe(struct peer * peer) {
   }
 #endif
 
+  nts_set_cert_search(ctx);
+
   ssl = SSL_new(ctx);
   SSL_set_fd(ssl, server);
 
@@ -154,7 +157,8 @@ bool nts_probe(struct peer * peer) {
     if (X509_V_OK == certok) {
       msyslog(LOG_INFO, "NTSc: certificate is valid.");
     } else {
-      msyslog(LOG_ERR, "NTSc: certificate invalid: %d", certok);
+      msyslog(LOG_ERR, "NTSc: certificate invalid: %d=>%s",
+          certok, X509_verify_cert_error_string(certok));
     }
   }
 
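Review bot: The rewritten log line still prints `certok` with `%d`, but `X509_verify_cert_error_string()` takes a `long` and `SSL_get_verify_result()` returns one, so if `certok` is declared `long` (its declaration is outside this hunk) the conversion should be `%ld`: `msyslog(LOG_ERR, "NTSc: certificate invalid: %ld=>%s",`. If it is an `int`, the line is fine as written and only the declaration needs confirming. From the visible lines an invalid certificate is only logged and execution falls through; the enclosing nts_probe() starts and ends outside the hunk, so it is worth confirming that the caller actually treats this as a failed probe rather than continuing with an unverified peer.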
@@ -221,7 +225,7 @@ int open_TCP_socket(const char *hostname) {
   hints.ai_protocol = IPPROTO_TCP;
   hints.ai_socktype = SOCK_STREAM;
   hints.ai_family = AF_UNSPEC;
-  gai_rc = getaddrinfo(hostname, "123", &hints, &answer);  // FIXME
+  gai_rc = getaddrinfo(hostname, "443", &hints, &answer);  // FIXME
   if (0 != gai_rc) {
     msyslog(LOG_INFO, "NTSc: nts_probe: DNS error: %d, %s",
       gai_rc, gai_strerror(gai_rc));
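Review bot: The service is still a bare string literal carrying the old FIXME on `gai_rc = getaddrinfo(hostname, "443", &hints, &answer);  // FIXME`; changing "123" to "443" keeps the magic value in the one call that uses it. A named constant such as `#define NTS_KE_PORT "443"` next to the file-scope definitions, or a field in `ntsconfig` if the port is meant to be configurable, would make the intent explicit and give the FIXME something concrete to point at. The enclosing open_TCP_socket() starts and ends outside the hunk.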
@@ -394,6 +398,29 @@ bool process_recv_data(struct peer* peer, SSL *ssl) {
   return true;
 }
 
+void nts_set_cert_search(SSL_CTX *ctx) {
+  struct stat statbuf;
+  if (NULL == ntsconfig.ca) {
+    SSL_CTX_set_default_verify_paths(ctx);   // Use system root certs
+    return;
+  }
+  if (0 == stat(ntsconfig.ca, &statbuf)) {
+    if (S_ISDIR(statbuf.st_mode)) {
+      SSL_CTX_load_verify_locations(ctx, NULL, ntsconfig.ca);
+      return;
+    }
+    if (S_ISREG(statbuf.st_mode)) {
+      SSL_CTX_load_verify_locations(ctx, ntsconfig.ca, NULL);
+      return;
+    }
+    msyslog(LOG_ERR, "NTSc: cert dir/file isn't dir or file: %s. mode 0x%x",
+        ntsconfig.ca, statbuf.st_mode);
+    return;
+  }
+  msyslog(LOG_ERR, "NTSc: can't stat cert dir/file: %s, %m", ntsconfig.ca);
+}
+
+
 /* ********************************** */
 
 // FIXME - hack until we move this to a thread
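Review bot: nts_set_cert_search() discards the return values of `SSL_CTX_set_default_verify_paths()` and both `SSL_CTX_load_verify_locations()` calls, so an unreadable or malformed CA file or directory leaves the context with no trust anchors and nothing logged; the only later symptom is the generic "certificate invalid" message, which hides the real cause. The same applies at the call site `nts_set_cert_search(ctx);` in nts_probe (the earlier hunk), which cannot learn of a failure because the function is void. Each OpenSSL call should be checked and the reason logged with `ERR_reason_error_string(ERR_get_error())` (this needs `<openssl/err.h>`, which may or may not already be included; the includes are only partly visible). The `mode 0x%x` in the fallback message would read more conventionally as octal, `mode 0%o`.
```c
void nts_set_cert_search(SSL_CTX *ctx) {
  struct stat statbuf;
  if (NULL == ntsconfig.ca) {
    if (1 != SSL_CTX_set_default_verify_paths(ctx)) {   // Use system root certs
      msyslog(LOG_ERR, "NTSc: can't load system root certs: %s",
          ERR_reason_error_string(ERR_get_error()));
    }
    return;
  }
  if (0 == stat(ntsconfig.ca, &statbuf)) {
    if (S_ISDIR(statbuf.st_mode)) {
      if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ntsconfig.ca)) {
        msyslog(LOG_ERR, "NTSc: can't load cert dir %s: %s",
            ntsconfig.ca, ERR_reason_error_string(ERR_get_error()));
      }
      return;
    }
    if (S_ISREG(statbuf.st_mode)) {
      if (1 != SSL_CTX_load_verify_locations(ctx, ntsconfig.ca, NULL)) {
        msyslog(LOG_ERR, "NTSc: can't load cert file %s: %s",
            ntsconfig.ca, ERR_reason_error_string(ERR_get_error()));
      }
      return;
    }
    /* … unchanged: "isn't dir or file" msyslog and return … */
  }
  /* … unchanged: "can't stat" msyslog … */
}
```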


