[Git][NTPsec/ntpsec][master] More work on NTS-KE
Hal Murray
gitlab at mg.gitlab.com
Wed Feb 13 04:36:47 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
69404606 by Hal Murray at 2019-02-13T03:27:02Z
More work on NTS-KE
- - - - -
6 changed files:
- docs/includes/auth-commands.adoc
- include/nts.h
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/nts.c
- ntpd/nts_server.c
Changes:
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -42,18 +42,20 @@ The options are as follows:
+cert+ _file_::
Present the certificate in _file_ as our certificate.
- This is a default for all client and server connections.
+
++key+ _file_::
+ Read the private key to our certificate from _file_.
+ca+ _location_::
Use the file (or directory) specified by _location_ to
- validate NTS-KE server certificates. This is a default
- for all client and server connections.
+ validate NTS-KE server certificates instead of the system
+ default root certificates.
+enable+::
- Enable NTS key service. The default.
+ Enable NTS-KE server. The default.
+disable+::
- Disable NTS service.
+ Disable NTS-KE server.
+mintls+ _number_::
Set the lowest allowable TLS version to negotiate. Will be useful in
=====================================
include/nts.h
=====================================
@@ -44,13 +44,14 @@ struct ntsstate_t {
/* Configuration data for an NTS server or client instance */
struct ntsconfig_t {
- bool ntsenable; /* enable NTS key service on this ntpd */
+ bool ntsenable; /* enable NTS KE server on this ntpd */
float mintls; /* minimum TLS version allowed */
float maxtls; /* maximum TLS version allowed */
- char *tlsciphers; /* allowed TLS 1.2 ciphers */
- char *tlsciphersuites; /* allowed TLS 1.3 ciphersuites */
- char *ca; /* site default */
- char *cert; /* site default */
+ const char *tlsciphers; /* allowed TLS 1.2 ciphers */
+ const char *tlsciphersuites;/* allowed TLS 1.3 ciphersuites */
+ const char *cert; /* server certificate key */
+ const char *key; /* server private key */
+ const char *ca; /* root cert dir/file */
};
/* NTS protocol constants */
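Review bot: The new comment on the `cert` member reads "server certificate key", but the field holds the path of the certificate (chain) file, not a key — the `ca`/`key` neighbours already use the "file" wording and the documentation hunk describes `cert` as "Present the certificate in _file_". Suggest `const char *cert;  /* server certificate (chain) file */` so the three path fields read consistently and nobody confuses it with `key`. Since every string member is now `const char *`, note that any code that frees or reassigns them (e.g. on reconfiguration) will need a cast; the assignment side in ntp_config.c uses `estrdup`, so ownership is the config code's.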
=====================================
ntpd/ntp_config.c
=====================================
@@ -2009,6 +2009,10 @@ config_nts(
ntsconfig.ntsenable = true;
break;
+ case T_Key:
+ ntsconfig.key = estrdup(nts->value.s);
+ break;
+
case T_Maxtls:
ntsconfig.maxtls = nts->value.d;
break;
=====================================
ntpd/ntp_parser.y
=====================================
@@ -1140,6 +1140,7 @@ nts_int_option_keyword
nts_string_option_keyword
: T_Ca
| T_Cert
+ | T_Key
| T_Tlsciphers
| T_Tlsciphersuites
=====================================
ntpd/nts.c
=====================================
@@ -24,8 +24,9 @@ struct ntsconfig_t ntsconfig = {
.maxtls = 0,
.tlsciphers = NULL,
.tlsciphersuites = NULL,
- .ca = NULL,
- .cert = NULL
+ .cert = NULL,
+ .key = NULL,
+ .ca = NULL
};
/* By design, there is no per-client-side state on the server */
=====================================
ntpd/nts_server.c
=====================================
@@ -20,9 +20,14 @@
#include "ntp_stdlib.h"
#include "nts.h"
+/* default file names */
+#define NTS_CERT_FILE "/etc/ntp/cert-chain.pem"
+#define NTS_KEY_FILE "/etc/ntp/key.pem"
+
static int create_listener(int port);
static void* nts_ke_listener(void*);
static void nts_ke_request(SSL *ssl);
+static void nts_load_certificate(SSL_CTX *ctx);
int nts_ke_port = 123;
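Review bot: The prototype added here is `static void nts_load_certificate(SSL_CTX *ctx);`, but the definition later in this commit is written without `static`. C gives the definition internal linkage from the earlier declaration, so it compiles, but the mismatch is easy to misread and some warning sets flag it; write the definition as `static void nts_load_certificate(SSL_CTX *ctx) {` to match. The two `#define` defaults are only used by that function, so keeping them next to the prototype is fine, though a one-line comment that they are overridden by the `cert`/`key` config options would help: `/* default file names; overridden by the nts "cert" and "key" options */`.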
@@ -53,20 +58,7 @@ void nts_start_server(void) {
SSL_CTX_get_security_level(ctx));
#endif
- if (1 != SSL_CTX_use_certificate_chain_file(ctx, "/etc/ntp/cert-chain.pem")) {
- // FIXME log SSL errors
- msyslog(LOG_ERR, "NTSs: can't load cert-chain");
- }
-
- if (1 != SSL_CTX_use_PrivateKey_file(ctx, "/etc/ntp/key.pem", SSL_FILETYPE_PEM)) {
- // FIXME log SSL errors
- msyslog(LOG_ERR, "NTSs: can't load private key");
- }
- if (1 != SSL_CTX_check_private_key(ctx)) {
- msyslog(LOG_ERR, "NTSs: Private Key doesn't work ******");
- } else {
- msyslog(LOG_INFO, "NTSs: Private Key OK");
- }
+ nts_load_certificate(ctx);
sigfillset(&block_mask);
pthread_sigmask(SIG_BLOCK, &block_mask, &saved_sig_mask);
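Review bot: The added call discards whether loading the certificate and key succeeded (the function currently returns void), so the signal-mask setup and the listener creation that follow run even when the SSL_CTX holds no usable certificate, and every NTS-KE handshake will then fail at runtime rather than at startup. Once `nts_load_certificate` reports failure, gate the server on it: `if (!nts_load_certificate(ctx)) { msyslog(LOG_ERR, "NTSs: not starting NTS-KE server"); return; }` — whether `ctx` must also be freed on that path depends on how it is created earlier in the function. nts_start_server begins before and continues after this hunk.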
@@ -228,4 +220,34 @@ int make_cookie(uint8_t *cookie,
}
+void nts_load_certificate(SSL_CTX *ctx) {
+ const char *cert = NTS_CERT_FILE;
+ const char *key = NTS_KEY_FILE;
+
+ if (NULL != ntsconfig.cert)
+ cert = ntsconfig.cert;
+ if (NULL != ntsconfig.key)
+ key = ntsconfig.key;
+
+ if (1 != SSL_CTX_use_certificate_chain_file(ctx, cert)) {
+ // FIXME log SSL errors
+ msyslog(LOG_ERR, "NTSs: can't load certicicate (chain) from %s", cert);
+ } else {
+ msyslog(LOG_ERR, "NTSs: loaded certicicate (chain) from %s", cert);
+ }
+
+ if (1 != SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
+ // FIXME log SSL errors
+ msyslog(LOG_ERR, "NTSs: can't load private key from %s", key);
+ } else {
+ msyslog(LOG_ERR, "NTSs: loaded private key from %s", key);
+ }
+
+ if (1 != SSL_CTX_check_private_key(ctx)) {
+ msyslog(LOG_ERR, "NTSs: Private Key doesn't work ******");
+ } else {
+ msyslog(LOG_INFO, "NTSs: Private Key OK");
+ }
+}
+
/* end */
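Review bot: `nts_load_certificate` logs each failure but returns nothing and keeps going, so a missing certificate, a missing key, or a key that does not match the certificate all leave the caller unaware and the server starts anyway; the function should return a status and stop at the first failure. Two smaller issues in the same lines: the success messages at the end of the first two branches are logged at `LOG_ERR` although they are not errors, and "certicicate" is misspelled in both of them. The `// FIXME log SSL errors` markers can be resolved with `ERR_reason_error_string(ERR_get_error())` (needs `<openssl/err.h>`, which I cannot see included from this hunk), which is exactly the detail an operator needs to tell a bad PEM from a permissions problem. The prototype earlier in the file would need to change to `static bool nts_load_certificate(SSL_CTX *ctx);` to match.

```c
static bool nts_load_certificate(SSL_CTX *ctx) {
	/* … unchanged: choose cert/key paths from ntsconfig or the defaults … */

	if (1 != SSL_CTX_use_certificate_chain_file(ctx, cert)) {
		msyslog(LOG_ERR, "NTSs: can't load certificate (chain) from %s: %s",
			cert, ERR_reason_error_string(ERR_get_error()));
		return false;
	}
	msyslog(LOG_INFO, "NTSs: loaded certificate (chain) from %s", cert);

	if (1 != SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
		msyslog(LOG_ERR, "NTSs: can't load private key from %s: %s",
			key, ERR_reason_error_string(ERR_get_error()));
		return false;
	}
	msyslog(LOG_INFO, "NTSs: loaded private key from %s", key);

	if (1 != SSL_CTX_check_private_key(ctx)) {
		msyslog(LOG_ERR, "NTSs: private key %s does not match certificate %s", key, cert);
		return false;
	}
	msyslog(LOG_INFO, "NTSs: Private Key OK");
	return true;
}
```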
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/69404606cd60e78c34acb14e02cbc371bd3ab8c4