[Git][NTPsec/ntpsec][master] 5 commits: Fix a couple of warning from DPRINT on NetBSD
Hal Murray
gitlab at mg.gitlab.com
Tue Feb 19 06:11:33 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
88723e55 by Hal Murray at 2019-02-19T06:10:59Z
Fix a couple of warning from DPRINT on NetBSD
- - - - -
47445ad9 by Hal Murray at 2019-02-19T06:10:59Z
Reject extensions after AEEF block
- - - - -
ad208cae by Hal Murray at 2019-02-19T06:10:59Z
Remove unused srcadr from recvbuf
- - - - -
7783ca05 by Hal Murray at 2019-02-19T06:10:59Z
Add lock for make_cookie
- - - - -
1922e98a by Hal Murray at 2019-02-19T06:10:59Z
Cleanup initialization of ntp_extens
- - - - -
7 changed files:
- devel/TODO-NTS
- include/ntpd.h
- include/recvbuff.h
- ntpd/ntp_extens.c
- ntpd/ntp_io.c
- ntpd/nts_cookie.c
- ntpd/nts_server.c
Changes:
=====================================
devel/TODO-NTS
=====================================
@@ -1,11 +1,10 @@
flag for require NTS
-make_cookie needs to be thread safe
multithread msyslog
security level
-fix seccomp
+test/fix seccomp
show NTS flag via ntpq
extra credit if we can find a place on the peers display
=====================================
include/ntpd.h
=====================================
@@ -436,6 +436,7 @@ extern const uint8_t num_refclock_conf;
#endif
/* ntd_extens.c */
+bool extens_init(void);
int extens_client_send(struct peer *peer, struct pkt *xpkt);
bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng);
=====================================
include/recvbuff.h
=====================================
@@ -34,10 +34,9 @@
typedef struct recvbuf recvbuf_t;
struct recvbuf {
- recvbuf_t * link; /* next in list */
- sockaddr_u recv_srcadr;
- sockaddr_u srcadr; /* where packet came from */
- struct netendpt * dstadr; /* address pkt arrived on */
+ recvbuf_t * link; /* next in list */
+ sockaddr_u recv_srcadr; /* where packet came from */
+ struct netendpt * dstadr; /* address pkt arrived on */
SOCKET fd; /* fd on which it was received */
l_fp recv_time; /* time of arrival */
size_t recv_length; /* number of octets received */
=====================================
ntpd/ntp_extens.c
=====================================
@@ -41,6 +41,15 @@ enum NtpExtFieldType {
AES_SIV_CTX* wire_ctx = NULL; /* need one per thread */
+bool extens_init(void) {
+ wire_ctx = AES_SIV_CTX_new();
+ if (NULL == wire_ctx) {
+ msyslog(LOG_ERR, "NTS: Can't init wire_ctx");
+ exit(1);
+ }
+ return true;
+}
+
int extens_client_send(struct peer *peer, struct pkt *xpkt) {
struct BufCtl_t buf;
int used, adlength, idx;
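Review bot: extens_init() as added at the top of this hunk can only ever return true, because its failure path calls exit(1), so the `ok &= extens_init();` accumulation this push adds in ntpd/nts_server.c can never observe a failure. Either let it report failure the way the other init results do, `if (NULL == wire_ctx) { msyslog(LOG_ERR, "NTS: Can't init wire_ctx"); return false; }`, or document on the function that it terminates the process instead of returning false. Separately, the `need one per thread` comment on wire_ctx is still unaddressed: this same push serializes cookie_ctx with cookie_lock in nts_cookie.c, but wire_ctx is shared by extens_client_send() and extens_server_recv() with no lock, so if those can run on different threads the context needs the same treatment or a per-thread instance. The body of extens_client_send() continues outside the hunk.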
@@ -48,15 +57,6 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
uint8_t *nonce, *packet;
bool ok;
- // FIXME - need init routine
- if (NULL == wire_ctx) {
- wire_ctx = AES_SIV_CTX_new();
- if (NULL == wire_ctx) {
- msyslog(LOG_ERR, "NTS: Can't init wire_ctx");
- exit(1);
- }
- }
-
packet = (uint8_t*)xpkt;
buf.next = xpkt->exten;
buf.left = MAX_EXT_LEN;
@@ -113,15 +113,6 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
uint16_t aead;
int noncelen, cmaclen;
- // FIXME - need init routine
- if (NULL == wire_ctx) {
- wire_ctx = AES_SIV_CTX_new();
- if (NULL == wire_ctx) {
- msyslog(LOG_ERR, "NTS: Can't init wire_ctx");
- exit(1);
- }
- }
-
buf.next = pkt+LEN_PKT_NOMAC;
buf.left = lng-LEN_PKT_NOMAC;
@@ -192,6 +183,8 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
return false;
buf.next += length;
buf.left -= length;
+ if (0 != buf.left)
+ return false; /* Reject extens after AEEF block */
break;
default:
if (critical)
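Review bot: The comment on the new `if (0 != buf.left)` check says what it does but not why, and the rule it enforces is not obvious from the surrounding switch; it appears to be that the AEEF must be the last field, since anything after it is not covered by its authentication. Spelling that out keeps the next maintainer from relaxing the check, e.g. `/* The AEEF must be last: fields after it are not authenticated by it */`. The enclosing extens_server_recv() begins before and ends after this hunk, so whether the loop relies on buf.left reaching exactly zero elsewhere is not visible here.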
=====================================
ntpd/ntp_io.c
=====================================
@@ -2014,12 +2014,12 @@ sendpkt(
* unbound peer - drop request and wait for better
* network conditions
*/
- DPRINT(2, ("sendpkt(dst=%s, len=%d): no interface - IGNORED\n",
+ DPRINT(2, ("sendpkt(dst=%s, len=%u): no interface - IGNORED\n",
socktoa(dest), len));
return;
}
- DPRINT(2, ("sendpkt(%d, dst=%s, src=%s, len=%d)\n",
+ DPRINT(2, ("sendpkt(%d, dst=%s, src=%s, len=%u)\n",
src->fd, socktoa(dest), socktoa(&src->sin), len));
cc = sendto(src->fd, pkt, (unsigned int)len, 0,
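Review bot: The change from `%d` to `%u` on both DPRINT lines is only correct if len is an unsigned int; the explicit `(unsigned int)len` cast on the sendto() call in the last line of the hunk suggests it is not, in which case a size_t len wants `%zu` and an int len wants the original `%d` (a mismatched specifier is undefined behaviour even in a debug print). Worth checking sendpkt's parameter type, which is outside the hunk, against what the NetBSD warning actually complained about. sendpkt's body starts and ends outside this hunk.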
=====================================
ntpd/nts_cookie.c
=====================================
@@ -18,6 +18,7 @@
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
+#include <pthread.h>
#include <openssl/rand.h>
#include <aes_siv.h>
@@ -64,6 +65,7 @@ uint8_t K[NTS_MAX_KEYLEN];
uint32_t I;
AES_SIV_CTX* cookie_ctx; /* need one per thread */
+pthread_mutex_t cookie_lock = PTHREAD_MUTEX_INITIALIZER;
/* This determines which algorithm we use.
* Valid choices are 32, 48, and 64
@@ -92,6 +94,11 @@ bool nts_cookie_init(void) {
msyslog(LOG_ERR, "NTS: Can't init cookie_ctx");
exit(1);
}
+// FIXME hack to allow testing
+if (1) {
+ I = 13;
+ for (unsigned int i=0; i<sizeof(K); i++) K[i] = i;
+}
return OK;
}
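Review bot: The block added before `return OK;` unconditionally overwrites the cookie key K with the byte sequence 0,1,2,… and fixes I at 13, so every server built from this commit encrypts its NTS cookies under the same predictable key; the FIXME calls it a testing hack, but `if (1)` leaves no way to exclude it from a production build. Gate it on an explicit compile-time or configuration switch that is off by default (or move the fixed key into the test harness), and make the override loud when it is active, e.g. `msyslog(LOG_ERR, "NTS: using fixed test cookie key");`. The added lines also sit at column 0 inside the function body, unlike the surrounding code. The start of nts_cookie_init() is outside the hunk.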
@@ -103,6 +110,7 @@ int nts_make_cookie(uint8_t *cookie,
uint8_t *nonce;
int used, plainlength;
bool ok;
+ int err;
// ASSERT(keylen<NTS_MAX_KEYLEN);
@@ -110,6 +118,12 @@ int nts_make_cookie(uint8_t *cookie,
uint32_t temp; /* keep 4 byte alignment */
size_t left;
+ err = pthread_mutex_lock(&cookie_lock);
+ if (0 != err) {
+ msyslog(LOG_ERR, "ERR: Can't lock cookie_lock: %d", err);
+ exit(2);
+ }
+
/* collect plaintext
* separate buffer avoids encrypt in place
* but costs cache space
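Review bot: Once `pthread_mutex_lock(&cookie_lock)` succeeds here, the mutex is released only by the unlock added immediately before `return used;` in the `@@ -159,6 +173,11 @@` hunk of the same file; any early `return` in the stretch of nts_make_cookie() between the two hunks (not visible here) would leave cookie_lock held and block every later cookie request. Worth auditing that stretch, or routing every exit through a single unlock label (`goto unlock;`) so the invariant is structural rather than by inspection. Treating a lock failure as fatal with exit(2) matches the existing exit(1) on ctx init, and a failure of a statically initialized mutex would indeed indicate a programming error rather than a runtime condition. nts_make_cookie's body begins before and ends after this hunk.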
@@ -159,6 +173,11 @@ int nts_make_cookie(uint8_t *cookie,
// ASSERT(length < NTS_MAX_COOKIELEN);
// Need to encrypt
+ err = pthread_mutex_unlock(&cookie_lock);
+ if (0 != err) {
+ msyslog(LOG_ERR, "ERR: Can't unlock cookie_lock: %d", err);
+ exit(2);
+ }
return used;
}
=====================================
ntpd/nts_server.c
=====================================
@@ -40,6 +40,7 @@ void nts_init(void) {
if (ntsconfig.ntsenable)
ok &= nts_server_init();
ok &= nts_client_init();
+ ok &= extens_init();
if (!ok) {
msyslog(LOG_ERR, "NTS: troubles during init. Bailing.");
exit(1);