[Git][NTPsec/ntpsec][master] 4 commits: Adding nts_log_ssl_error, drop ntsd
Hal Murray
gitlab at mg.gitlab.com
Thu Feb 14 12:55:20 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
d8bbaef6 by Hal Murray at 2019-02-14T12:52:51Z
Adding nts_log_ssl_error, drop ntsd
- - - - -
1b3e64c9 by Hal Murray at 2019-02-14T12:52:51Z
Trying to tweak ssl_init
- - - - -
cdac1c8b by Hal Murray at 2019-02-14T12:52:51Z
Added error printout in NTS initialization
- - - - -
7fbc00d5 by Hal Murray at 2019-02-14T12:52:51Z
More tweaks for NTS on NetBSD
- - - - -
7 changed files:
- include/nts.h
- − libntp/ntp_dns.c
- libntp/ssl_init.c
- libntp/wscript
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_server.c
Changes:
=====================================
include/nts.h
=====================================
@@ -117,6 +117,7 @@ extern struct ntsconfig_t ntsconfig;
bool nts_server_init(void);
bool nts_client_init(void);
+void nts_log_ssl_error(void);
int nts_get_key_length(int aead);
bool nts_load_ciphers(SSL_CTX *ctx);
=====================================
libntp/ntp_dns.c deleted
=====================================
@@ -1,170 +0,0 @@
-/*
- * Copyright (c) 1983, 1993
- * The Regents of the University of California. All rights reserved.
- * Copyright 2015 by the NTPsec project contributors
- * SPDX-License-Identifier: BSD-4-Clause-UC
- */
-
-#include "config.h"
-
-#include <signal.h>
-#include <pthread.h>
-#include <sys/types.h>
-#include <unistd.h>
-
-#ifdef HAVE_RES_INIT
-#include <netinet/in.h>
-#include <arpa/nameser.h>
-#include <resolv.h>
-#endif
-
-#include "ntpd.h"
-#include "ntp_dns.h"
-
-
-/* Notes:
-
- Only one DNS lookup active at a time
-
- peer->srcadr holds IPv4/IPv6/UNSPEC flag
- peer->hmode holds DNS retry time (log 2)
- FLAG_DNS used in server case to indicate need DNS
-
- Server can't lookup again after finding an answer
- answer uses same peer slot, turns off FLAG_DNS
- srcadr+hmode changed by normal code
- server can't lookup again if answer stops responding
- Pool case makes new peer slots, pool slot unchanged
- so OK for another lookup
-*/
-
-static struct peer* active = NULL; /* busy flag */
-static pthread_t worker;
-static int gai_rc;
-static struct addrinfo *answer;
-
-static void* dns_lookup(void* arg);
-
-
-bool dns_probe(struct peer* pp)
-{
- int rc;
- sigset_t block_mask, saved_sig_mask;
- const char * busy = "";
-
- /* Comment out the next two lines to get (much) more
- * printout when we are busy.
- */
- if (NULL != active)
- return false;
-
- if (NULL != active)
- busy = ", busy";
- msyslog(LOG_INFO, "DNS: dns_probe: %s, cast_flags:%x, flags:%x%s",
- pp->hostname, pp->cast_flags, pp->cfg.flags, busy);
- if (NULL != active) /* normally redundant */
- return false;
-
- active = pp;
-
- sigfillset(&block_mask);
- pthread_sigmask(SIG_BLOCK, &block_mask, &saved_sig_mask);
- rc = pthread_create(&worker, NULL, dns_lookup, pp);
- if (rc) {
- msyslog(LOG_ERR, "DNS: dns_probe: error from pthread_create: %s, %s",
- pp->hostname, strerror(rc));
- return true; /* don't try again */
- }
- pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
-
- return true;
-}
-
-void dns_check(void)
-{
- int rc;
- struct addrinfo *ai;
- DNS_Status status;
-
- msyslog(LOG_INFO, "DNS: dns_check: processing %s, %x, %x",
- active->hostname, active->cast_flags, (unsigned int)active->cfg.flags);
-
- rc = pthread_join(worker, NULL);
- if (0 != rc) {
- msyslog(LOG_ERR, "DNS: dns_check: join failed %s", strerror(rc));
- return; /* leaves active set */
- }
- if (0 != gai_rc) {
- msyslog(LOG_INFO, "DNS: dns_check: DNS error: %d, %s",
- gai_rc, gai_strerror(gai_rc));
- answer = NULL;
- }
-
- for (ai = answer; NULL != ai; ai = ai->ai_next) {
- sockaddr_u sockaddr;
- memcpy(&sockaddr, ai->ai_addr, ai->ai_addrlen);
- /* Both dns_take_pool and dns_take_server log something. */
- // msyslog(LOG_INFO, "DNS: Take %s=>%s",
- // socktoa(ai->ai_addr), socktoa(&sockaddr));
- if (active->cast_flags & MDF_POOL)
- dns_take_pool(active, &sockaddr);
- else
- dns_take_server(active, &sockaddr);
- }
-
- switch (gai_rc) {
- case 0:
- status = DNS_good;
- break;
-
- case EAI_AGAIN:
- status = DNS_temp;
- break;
-
- /* Treat all other errors as permanent.
- * Some values from man page weren't in headers.
- */
- default:
- status = DNS_error;
- }
-
- dns_take_status(active, status);
-
- if (NULL != answer)
- freeaddrinfo(answer);
- active = NULL;
-}
-
-/* Beware: no calls to msyslog from here.
- * It's not thread safe.
- * This is the only other thread in ntpd.
- */
-static void* dns_lookup(void* arg)
-{
- struct peer *pp = (struct peer *) arg;
- struct addrinfo hints;
-
-#ifdef HAVE_RES_INIT
- /* Reload DNS servers from /etc/resolv.conf in case DHCP has updated it.
- * We only need to do this occasionally, but it's not expensive
- * and simpler to do it every time than it is to figure out when
- * to do it.
- */
- res_init();
-#endif
-
- ZERO(hints);
- hints.ai_protocol = IPPROTO_UDP;
- hints.ai_socktype = SOCK_DGRAM;
- hints.ai_family = AF(&pp->srcadr);
- gai_rc = getaddrinfo(pp->hostname, "ntp", &hints, &answer);
-
- kill(getpid(), SIGDNS);
- pthread_exit(NULL);
-
- /* Prevent compiler warning.
- * More portable than an attribute or directive
- */
- return (void *)NULL;
-}
-
=====================================
libntp/ssl_init.c
=====================================
@@ -9,6 +9,7 @@
#include "ntp_stdlib.h"
#include <stdbool.h>
+#include <openssl/ssl.h>
#include <openssl/evp.h>
#include <openssl/cmac.h>
@@ -33,6 +34,7 @@ ssl_init(void)
return;
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+ SSL_library_init();
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
atexit(&atexit_ssl_cleanup);
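Review bot: The pre-1.1.0 branch now calls `SSL_library_init()` but nothing in this hunk loads the error strings, so the `ERR_error_string_n()` output from the new nts_log_ssl_error() will be the bare numeric form (`error:XXXXXXXX:lib(N):func(N):reason(N)`) on those builds unless ssl_init() already does this outside the hunk; adding `SSL_load_error_strings();` next to `SSL_library_init();` would make the NetBSD diagnostics readable. Note also that the version test here (`< 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)`) differs from the `> 0x1010000fL` test used in ntpd/nts_client.c and ntpd/nts_server.c, so a 1.1.0 pre-release or LibreSSL build can take the legacy path in one place and the modern path in the other; aligning the two would remove that gap. ssl_init() begins before this hunk and continues after it.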
=====================================
libntp/wscript
=====================================
@@ -49,7 +49,7 @@ def build(ctx):
includes=includes,
source=libntp_source + libntp_source_sharable,
target="ntp",
- use="CRYPTO",
+ use="SSL CRYPTO",
)
# Loadable Python extension
=====================================
ntpd/nts.c
=====================================
@@ -14,6 +14,7 @@
#include "config.h"
#include <arpa/inet.h>
+#include <openssl/err.h>
#include "ntp_types.h"
#include "ntpd.h"
@@ -126,6 +127,18 @@ int nts_decorate(struct ntscfg_t *cfg, struct ntsstate_t *state,
/*****************************************************/
+void nts_log_ssl_error(void) {
+ char buff[256];
+ int err = ERR_get_error();
+ while (0 != err) {
+ ERR_error_string_n(err, buff, sizeof(buff));
+ msyslog(LOG_INFO, "NTS: err %s", buff);
+ err = ERR_get_error();
+ }
+}
+
+/*****************************************************/
+
// 2 byte type, 2 byte length
#define NTS_KE_HDR_LNG 4
#define NTS_KE_DATA2_LNG 2
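Review bot: `int err = ERR_get_error();` narrows the `unsigned long` code that OpenSSL returns; the library number sits in the top byte of the packed code, so a code whose library number has the high bit set (ERR_LIB_USER is 128) goes negative in a 32-bit `int` and is sign-extended to a different value when passed back to `ERR_error_string_n()`, which then formats the wrong error. Declare it as `unsigned long err = ERR_get_error();` and keep the reassignment at the loop end consistent. Both callers added in this push reach the function only after `SSL_CTX_new()` failed, so `LOG_ERR` rather than `LOG_INFO` would match the severity. Since the function is new public API declared in include/nts.h, a one-line header comment such as `/* Drain and log every entry on the thread's OpenSSL error queue. */` would help readers.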
=====================================
ntpd/nts_client.c
=====================================
@@ -47,11 +47,19 @@ SSL_CTX *client_ctx = NULL;
bool nts_client_init(void) {
bool ok = true;
+
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
client_ctx = SSL_CTX_new(TLS_client_method());
#else
+ OpenSSL_add_all_ciphers(); // FIXME needed on NetBSD
client_ctx = SSL_CTX_new(TLSv1_2_client_method());
#endif
+ if (NULL == client_ctx) {
+ // ?? Happens on NetBSD - says no ciphers
+ msyslog(LOG_INFO, "NTSs: NULL client_ctx");
+ nts_log_ssl_error();
+ return false;
+ }
#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
{
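Review bot: The message at the new NULL check, `"NTSs: NULL client_ctx"`, carries the server-side prefix copied from nts_server.c and is logged at LOG_INFO even though nts_client_init() returns false and NTS is unusable from here; `msyslog(LOG_ERR, "NTSc: NULL client_ctx");` (assuming `NTSc` is the client prefix used elsewhere in the file) would be visible at the default log level and distinguishable from the server case. The same LOG_INFO-for-a-fatal-failure point applies to the matching block added in ntpd/nts_server.c. The `OpenSSL_add_all_ciphers()` call added under `#else` repeats the one ssl_init() already makes in libntp/ssl_init.c for the same version range, so if the NetBSD "no ciphers" failure persists the likely cause is ordering (nts_client_init() running before ssl_init()) rather than a missing registration; that is worth confirming before the FIXME is kept. nts_client_init() continues past the end of this hunk.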
=====================================
ntpd/nts_server.c
=====================================
@@ -57,8 +57,15 @@ bool nts_server_init(void) {
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
server_ctx = SSL_CTX_new(TLS_server_method());
#else
+ OpenSSL_add_all_ciphers(); // FIXME needed on NetBSD
server_ctx = SSL_CTX_new(TLSv1_2_server_method());
#endif
+ if (NULL == server_ctx) {
+ // ?? Happens on NetBSD - says no ciphers
+ msyslog(LOG_INFO, "NTSs: NULL server_ctx");
+ nts_log_ssl_error();
+ return false;
+ }
SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);