[Git][NTPsec/ntpsec][master] 7 commits: Tweak NTS error printout
Hal Murray
gitlab at mg.gitlab.com
Fri Feb 15 20:21:39 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
dcd38c3a by Hal Murray at 2019-02-14T22:07:39Z
Tweak NTS error printout
- - - - -
29180a4d by Hal Murray at 2019-02-14T22:07:39Z
Tweak NTS init for NetBSD
- - - - -
f0cd6b0d by Hal Murray at 2019-02-14T22:07:39Z
Another tweak for NetBSD
- - - - -
146e3a0e by Hal Murray at 2019-02-14T22:07:39Z
More tweaks to NTS error logging
- - - - -
d9b8a0c7 by Hal Murray at 2019-02-15T10:31:51Z
Tweak error message
- - - - -
5ffa0651 by Hal Murray at 2019-02-15T10:32:18Z
Add sysinfo to seccomp list - needed for new NTS initialization
- - - - -
2831e3b8 by Hal Murray at 2019-02-15T11:55:23Z
Cleanup to ntpd/nts_client.c
- - - - -
5 changed files:
- ntpd/ntp_sandbox.c
- ntpd/ntpd.c
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_server.c
Changes:
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -366,6 +366,7 @@ int scmp_sc[] = {
#ifdef __NR_time
SCMP_SYS(time), /* not in ARM */
#endif
+ SCMP_SYS(sysinfo),
#ifdef HAVE_TIMER_CREATE
SCMP_SYS(timer_create),
SCMP_SYS(timer_gettime),
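Review bot: The new `SCMP_SYS(sysinfo)` entry is the only one in this stretch of the allowlist without a note saying who needs it, while the neighbouring `time` entry records its caveat inline. Every syscall added here widens the seccomp sandbox, so the reason given in the commit message should sit next to the entry so a later audit can retire it when the caller goes away: `SCMP_SYS(sysinfo), /* needed by NTS initialization */`. The scmp_sc[] table starts and ends outside the hunk.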
=====================================
ntpd/ntpd.c
=====================================
@@ -894,6 +894,8 @@ ntpdmain(
loop_config(LOOP_DRIFTINIT, 0);
report_event(EVNT_SYSRESTART, NULL, NULL);
+ nts_init(); /* NetBSD: open NTS listner before droproot */
+
#ifndef ENABLE_EARLY_DROPROOT
/* drop root privileges */
if (sandbox(droproot, user, group, chrootdir, interface_interval!=0) && interface_interval) {
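Review bot: Moving `nts_init()` ahead of the `sandbox(...)` call means the NTS listener setup now runs with the process's full privileges, and the one-line comment should say which step needs that (presumably binding the listening socket on NetBSD) rather than only naming the platform; it also misspells "listener". Suggested: `nts_init(); /* NetBSD: the NTS listener must be opened before droproot */`. Whether an `ENABLE_EARLY_DROPROOT` build has already dropped privileges before this point is not visible here and is worth confirming, since the reordering would not help there. The matching removal is the next hunk; ntpdmain() starts and ends outside the hunk.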
@@ -906,8 +908,6 @@ ntpdmain(
msyslog(LOG_ERR, "statistics directory %s does not exist or is unwriteable, error %s", statsdir, strerror(errno));
}
- nts_init();
-
mainloop();
/* unreachable, mainloop() never returns */
}
=====================================
ntpd/nts.c
=====================================
@@ -130,9 +130,10 @@ int nts_decorate(const struct ntscfg_t *cfg, struct ntsstate_t *state,
void nts_log_ssl_error(void) {
char buff[256];
int err = ERR_get_error();
+ SSL_load_error_strings(); /* Needed on NetBSD */
while (0 != err) {
ERR_error_string_n(err, buff, sizeof(buff));
- msyslog(LOG_INFO, "NTS: err %s", buff);
+ msyslog(LOG_INFO, "NTS: %s", buff);
err = ERR_get_error();
}
}
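Review bot: `SSL_load_error_strings()` at the top of `nts_log_ssl_error()` is a one-time library initialization placed on a per-call logging path, so it re-runs every time an error is drained; it belongs in the NTS init path, with a comment there on why NetBSD's OpenSSL needs it (on OpenSSL 1.1.0 and later the call is a deprecated no-op, which would explain why other platforms did not). The adjacent context line `int err = ERR_get_error();` narrows the `unsigned long` code returned by `ERR_get_error()` to `int`; declare it `unsigned long err = ERR_get_error();` so the value handed to `ERR_error_string_n()` is the one the queue produced. The function body is fully inside the hunk.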
=====================================
ntpd/nts_client.c
=====================================
@@ -29,7 +29,8 @@
int open_TCP_socket(const char *hostname);
bool nts_set_cert_search(SSL_CTX *ctx);
-bool process_recv_data(struct peer* peer, SSL *ssl);
+bool nts_client_build_request(struct peer* peer, SSL *ssl);
+bool nts_client_process_response(struct peer* peer, SSL *ssl);
SSL_CTX *client_ctx = NULL;
@@ -93,8 +94,6 @@ bool nts_probe(struct peer * peer) {
SSL *ssl;
int server = 0;
X509 *cert = NULL;
- uint8_t buff[1000];
- int transfered;
if (NULL == client_ctx)
return false;
@@ -131,10 +130,12 @@ bool nts_probe(struct peer * peer) {
// SSL_set_timeout(SSL_get_session(ssl), 2); // FIXME
if (1 != SSL_connect(ssl)) {
msyslog(LOG_INFO, "NTSc: SSL_connect failed");
+ nts_log_ssl_error();
goto bail;
}
if (1 != SSL_do_handshake(ssl)) {
msyslog(LOG_INFO, "NTSc: SSL_do_handshake failed");
+ nts_log_ssl_error();
goto bail;
}
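Review bot: Both new `nts_log_ssl_error()` calls drain the OpenSSL error queue, but the return values of `SSL_connect()` and `SSL_do_handshake()` are discarded, so a clean close by the server (return 0, often with an empty queue) and a protocol failure (return < 0) produce the same log line. Keeping the result and reporting `SSL_get_error()` distinguishes them, e.g. `int rc = SSL_connect(ssl);` then `if (1 != rc) { msyslog(LOG_INFO, "NTSc: SSL_connect failed: %d", SSL_get_error(ssl, rc));` followed by the existing `nts_log_ssl_error(); goto bail; }`, and likewise for the handshake branch. nts_probe() starts and ends outside the hunk.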
@@ -166,33 +167,10 @@ bool nts_probe(struct peer * peer) {
}
}
-
- {
- struct BufCtl_t buf;
- int used;
- buf.next = buff;
- buf.left = sizeof(buff);
-
- /* 4.1.2 Next Protocol, 0 for NTP */
- nts_append_record_uint16(&buf, NTS_CRITICAL+nts_next_protocol_negotiation, 0);
-
- /* 4.1.5 AEAD Algorithm List
- * AEAD_AES_SIV_CMAC_256 is the only one for now */
- nts_append_record_uint16(&buf, nts_algorithm_negotiation, AEAD_AES_SIV_CMAC_256);
-
- /* 4.1.1: End, Critical */
- nts_append_record_null(&buf, NTS_CRITICAL+nts_end_of_message);
-
- used = sizeof(buff)-buf.left;
- transfered = SSL_write(ssl, buff, used);
- if (used != transfered) {
- msyslog(LOG_ERR, "NTSc: write failed: %d, %d, %m", used, transfered);
- goto bail;
- }
-
- process_recv_data(peer, ssl);
-
- }
+ if (!nts_client_build_request(peer, ssl))
+ goto bail;
+ if (!nts_client_process_response(peer, ssl))
+ goto bail;
// FIXME
/* We are using AEAD_AES_SIV_CMAC_256, from RFC 5297
@@ -250,6 +228,7 @@ int open_TCP_socket(const char *hostname) {
return sockfd;
}
+// FIXME - context shouldn't be magic
bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen) {
// char *label = "EXPORTER-network-time-security/1";
// Subject: [Ntp] [NTS4NTP] info for NTS developers
@@ -262,16 +241,16 @@ bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen) {
label, strlen(label),
context, 5, 1)) {
msyslog(LOG_ERR, "NTS: Error making c2s\n");
+ nts_log_ssl_error();
return false;
- // ERR_print_errors_fp(stderr);
}
context[4] = 0x01;
if (1 != SSL_export_keying_material(ssl, s2c, keylen,
label, strlen(label),
context, 5, 1)) {
msyslog(LOG_ERR, "NTS: Error making s2c\n");
+ nts_log_ssl_error();
return false;
- // ERR_print_errors_fp(stderr);
}
// Hack for debugging - obviously not good for security
msyslog(LOG_INFO, "NTS: C2S %02x %02x %02x %02x %02x\n",
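Review bot: The two failure branches now log the OpenSSL queue, but the success path that follows them (context at the end of the hunk, marked "Hack for debugging") still writes the leading bytes of the derived C2S key to syslog at LOG_INFO, so the key material this function exists to produce is persisted in the system log. Either remove that msyslog or compile it only under an explicit debug macro before this code ships. Separately, the `"NTS: Error making c2s\n"` and `"NTS: Error making s2c\n"` strings carry a trailing newline that syslog does not want. nts_make_keys() starts and ends outside the hunk.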
@@ -281,7 +260,41 @@ bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen) {
return true;
}
-bool process_recv_data(struct peer* peer, SSL *ssl) {
+bool nts_client_build_request(struct peer* peer, SSL *ssl) {
+ uint8_t buff[1000];
+ int used, transfered;
+ struct BufCtl_t buf;
+
+ UNUSED_ARG(peer);
+
+ buf.next = buff;
+ buf.left = sizeof(buff);
+
+ /* 4.1.2 Next Protocol, 0 for NTP */
+ nts_append_record_uint16(&buf, NTS_CRITICAL+nts_next_protocol_negotiation, 0);
+
+ /* 4.1.5 AEAD Algorithm List
+ * AEAD_AES_SIV_CMAC_256 is the only one for now */
+ nts_append_record_uint16(&buf, nts_algorithm_negotiation, AEAD_AES_SIV_CMAC_256);
+
+ /* 4.1.1: End, Critical */
+ nts_append_record_null(&buf, NTS_CRITICAL+nts_end_of_message);
+
+ used = sizeof(buff)-buf.left;
+ if (used >= (int)(sizeof(buff)-10)) {
+ msyslog(LOG_ERR, "NTSc: write failed: %d, %ld, %m",
+ used, (long)sizeof(buff));
+ return false;
+ }
+ transfered = SSL_write(ssl, buff, used);
+ if (used != transfered) {
+ msyslog(LOG_ERR, "NTSc: write failed: %d, %d, %m", used, transfered);
+ return false;
+ }
+ return true;
+}
+
+bool nts_client_process_response(struct peer* peer, SSL *ssl) {
uint8_t buff[2000];
int transfered, idx;
struct BufCtl_t buf;
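Review bot: In `nts_client_build_request()` the `SSL_write()` failure branch logs `%m`, but an SSL-layer failure does not necessarily set errno, and unlike the other failure paths this series touches it never calls `nts_log_ssl_error()`; add that call before `return false;` so the actual reason is captured. The guard `if (used >= (int)(sizeof(buff)-10))` runs after the three appends have already written into `buff`, so it can only detect an overrun, not prevent one, unless `nts_append_record_*` honours `buf.left` (not visible here), and its message says "write failed" for a too-large request with an unexplained margin of 10; something like `"NTSc: request too large: %d of %ld"` with the margin named in a comment would read correctly. `nts_client_process_response()` ends outside the hunk.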
=====================================
ntpd/nts_server.c
=====================================
@@ -122,7 +122,8 @@ void* nts_ke_listener(void* arg) {
SSL_set_fd(ssl, client);
if (SSL_accept(ssl) <= 0) {
- msyslog(LOG_ERR, "NTSs: SSL accept failed: %m");
+ msyslog(LOG_ERR, "NTSs: SSL accept failed");
+ nts_log_ssl_error();
close(client);
continue;
}
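Review bot: The `SSL_accept()` failure branch logs the error queue and closes the client fd, but nothing in the hunk frees `ssl`, so unless it is released elsewhere in the loop each rejected handshake leaks an SSL object; `SSL_free(ssl);` next to `close(client);` would close that path. As on the client side, the return value of `SSL_accept()` is dropped, so `SSL_get_error()` cannot be used to tell a peer close from a protocol error. nts_ke_listener() starts and ends outside the hunk.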