[Git][NTPsec/ntpsec][master] 4 commits: Tweaks to NTS logging.
Hal Murray
gitlab at mg.gitlab.com
Sun Feb 24 06:00:44 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
1ebdc812 by Hal Murray at 2019-02-24T01:34:31Z
Tweaks to NTS logging.
- - - - -
ddeef38f by Hal Murray at 2019-02-24T01:34:31Z
Tweaks to NTS logging
- - - - -
cc737a6e by Hal Murray at 2019-02-24T01:34:31Z
Add accept to seccomp OK list
- - - - -
9bb3234c by Hal Murray at 2019-02-24T05:59:11Z
NTS KE now listening on IPv6
- - - - -
5 changed files:
- include/ntpd.h
- ntpd/ntp_sandbox.c
- ntpd/ntpd.c
- ntpd/nts_client.c
- ntpd/nts_server.c
Changes:
=====================================
include/ntpd.h
=====================================
@@ -443,7 +443,8 @@ int extens_server_send(struct ntspacket_t *ntspacket, struct pkt *xpkt);
bool extens_client_recv(struct peer *peer, uint8_t *pkt, int lng);
/* nts.c */
-void nts_init(void);
+void nts_init(void); /* Before sandbox() */
+void nts_init2(void); /* After sandbox() */
bool nts_probe(struct peer *peer);
int nts_client_ke_request(struct ntscfg_t *);
int nts_server_ke_verify(struct ntscfg_t *);
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -297,6 +297,7 @@ int scmp_sc[] = {
#endif
#endif /* ENABLE_EARLY_DROPROOT */
+ SCMP_SYS(accept),
SCMP_SYS(access),
SCMP_SYS(adjtimex),
SCMP_SYS(bind),
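Review bot: Allowing only `SCMP_SYS(accept)` is not enough on Linux targets whose libc implements accept() via the accept4 system call (aarch64 has no separate accept syscall), so the new listener thread's accept() would still be killed by the filter there; add `SCMP_SYS(accept4),` beside it. The listener's error path in nts_server.c now also calls sleep(1), so confirm nanosleep/clock_nanosleep is already in scmp_sc, otherwise a failing accept trips the sandbox instead of backing off. The enclosing scmp_sc array starts and ends outside the hunk.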
=====================================
ntpd/ntpd.c
=====================================
@@ -894,7 +894,7 @@ ntpdmain(
loop_config(LOOP_DRIFTINIT, 0);
report_event(EVNT_SYSRESTART, NULL, NULL);
- nts_init(); /* NetBSD: open NTS listener before droproot */
+ nts_init(); /* Before droproot */
#ifndef ENABLE_EARLY_DROPROOT
/* drop root privileges */
@@ -904,6 +904,8 @@ ntpdmain(
}
#endif
+ nts_init2(); /* Before droproot */
+
if (access(statsdir, W_OK) != 0) {
msyslog(LOG_ERR, "statistics directory %s does not exist or is unwriteable, error %s", statsdir, strerror(errno));
}
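Review bot: The comment on the new `nts_init2();` call says "Before droproot", but the call sits after the `#ifndef ENABLE_EARLY_DROPROOT` droproot block and the header declares it as "After sandbox()", so the comment contradicts both; suggest `nts_init2(); /* After droproot: starts the NTS-KE listener threads */`. Whether sandbox() has already run at this point is not visible in the hunk, so word the comment to match wherever it actually lands. ntpdmain continues beyond the hunk on both sides.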
=====================================
ntpd/nts_client.c
=====================================
@@ -204,13 +204,13 @@ int open_TCP_socket(const char *hostname) {
hints.ai_family = AF_UNSPEC;
gai_rc = getaddrinfo(hostname, PORT, &hints, &answer); // FIXME
if (0 != gai_rc) {
- msyslog(LOG_INFO, "NTSc: nts_probe: DNS error: %d, %s",
- gai_rc, gai_strerror(gai_rc));
+ msyslog(LOG_INFO, "NTSc: nts_probe: DNS error trying to contact %s: %d, %s",
+ hostname, gai_rc, gai_strerror(gai_rc));
return -1;
}
memcpy(&sockaddr, answer->ai_addr, answer->ai_addrlen);
- msyslog(LOG_INFO, "NTSc: nts_probe connecting to %s=%s, port %s",
+ msyslog(LOG_INFO, "NTSc: nts_probe connecting to %s=%s:%s",
hostname, socktoa(&sockaddr), PORT);
sockfd = socket(AF_INET, SOCK_STREAM, 0);
if (-1 == sockfd) {
@@ -253,11 +253,6 @@ bool nts_make_keys(SSL *ssl, uint8_t *c2s, uint8_t *s2c, int keylen) {
nts_log_ssl_error();
return false;
}
- // Hack for debugging - obviously not good for security
- msyslog(LOG_INFO, "NTS: C2S %02x %02x %02x %02x %02x\n",
- c2s[0], c2s[1], c2s[2], c2s[3], c2s[4]);
- msyslog(LOG_INFO, "NTS: S2C %02x %02x %02x %02x %02x\n",
- s2c[0], s2c[1], s2c[2], s2c[3], s2c[4]);
return true;
}
@@ -413,15 +408,18 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
bool nts_set_cert_search(SSL_CTX *ctx) {
struct stat statbuf;
if (NULL == ntsconfig.ca) {
+ msyslog(LOG_INFO, "NTSc: Using system default root certificates.");
SSL_CTX_set_default_verify_paths(ctx); // Use system root certs
return true;
}
if (0 == stat(ntsconfig.ca, &statbuf)) {
if (S_ISDIR(statbuf.st_mode)) {
+ msyslog(LOG_INFO, "NTSc: Using dir %s for root certificates.", ntsconfig.ca);
SSL_CTX_load_verify_locations(ctx, NULL, ntsconfig.ca);
return true;
}
if (S_ISREG(statbuf.st_mode)) {
+ msyslog(LOG_INFO, "NTSc: Using file %s for root certificates.", ntsconfig.ca);
SSL_CTX_load_verify_locations(ctx, ntsconfig.ca, NULL);
return true;
}
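Review bot: The new "Using dir/file %s for root certificates" messages are logged before SSL_CTX_load_verify_locations, whose return value is unchecked, so an unreadable or malformed CA path is reported as a success and the function still returns true. Check the result and fail loudly instead, e.g. for the directory branch `if (1 != SSL_CTX_load_verify_locations(ctx, NULL, ntsconfig.ca)) { nts_log_ssl_error(); return false; }` (nts_log_ssl_error is already used in this file), and the same for the file branch; the default-paths branch could check SSL_CTX_set_default_verify_paths likewise. In the open_TCP_socket hunk the hints use AF_UNSPEC but the socket is still created with AF_INET, so an IPv6-only answer from getaddrinfo cannot be connected; `sockfd = socket(answer->ai_family, answer->ai_socktype, answer->ai_protocol);` would follow the resolved family. nts_set_cert_search continues past the end of the hunk.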
=====================================
ntpd/nts_server.c
=====================================
@@ -27,12 +27,15 @@
int nts_ke_port = 123;
static bool nts_load_certificate(SSL_CTX *ctx);
-static int create_listener(int port);
+static int create_listener(int port, int family);
static void* nts_ke_listener(void*);
static void nts_ke_request(SSL *ssl);
static int nts_translate_version(const char *arg);
+bool nts_server_init2(void);
static SSL_CTX *server_ctx = NULL;
+static int listner4_sock = -1;
+static int listner6_sock = -1;
void nts_init(void) {
bool ok = true;
@@ -47,10 +50,17 @@ void nts_init(void) {
}
}
+void nts_init2(void) {
+ bool ok = true;
+ if (ntsconfig.ntsenable)
+ ok &= nts_server_init2();
+ if (!ok) {
+ msyslog(LOG_ERR, "NTS: troubles during init2. Bailing.");
+ exit(1);
+ }
+}
+
bool nts_server_init(void) {
- pthread_t worker;
- sigset_t block_mask, saved_sig_mask;
- int rc;
bool ok = true;
msyslog(LOG_INFO, "NTSs: starting NTS-KE server listening on port %d",
@@ -87,11 +97,29 @@ bool nts_server_init(void) {
SSL_CTX_get_security_level(server_ctx));
#endif
+
+ listner4_sock = create_listener(nts_ke_port, AF_INET);
+ if (listner4_sock < 0) return false;
+ listner6_sock = create_listener(nts_ke_port, AF_INET6);
+ if (listner6_sock < 0) return false;
+
+ return true;
+}
+
+bool nts_server_init2(void) {
+ pthread_t worker;
+ sigset_t block_mask, saved_sig_mask;
+ int rc;
+
sigfillset(&block_mask);
pthread_sigmask(SIG_BLOCK, &block_mask, &saved_sig_mask);
- rc = pthread_create(&worker, NULL, nts_ke_listener, server_ctx);
+ rc = pthread_create(&worker, NULL, nts_ke_listener, &listner4_sock);
+ if (rc) {
+ msyslog(LOG_ERR, "NTSs: nts_start_server4: error from pthread_create: %m");
+ }
+ rc = pthread_create(&worker, NULL, nts_ke_listener, &listner6_sock);
if (rc) {
- msyslog(LOG_ERR, "NTSs: nts_start_server: error from pthread_create: %m");
+ msyslog(LOG_ERR, "NTSs: nts_start_server6: error from pthread_create: %m");
}
pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
@@ -99,12 +127,7 @@ bool nts_server_init(void) {
}
void* nts_ke_listener(void* arg) {
- SSL_CTX *ctx = (SSL_CTX *)arg;
- int sock;
-
- // FIXME - need IPv6 too
- sock = create_listener(nts_ke_port);
- if (sock < 0) return NULL;
+ int sock = *(int*)arg;
while(1) {
struct sockaddr addr;
@@ -114,6 +137,9 @@ void* nts_ke_listener(void* arg) {
int client = accept(sock, &addr, &len);
if (client < 0) {
msyslog(LOG_ERR, "NTSs: TCP accept failed: %m");
+ if (EBADF == errno)
+ return NULL;
+ sleep(1); /* avoid log clutter on bug */
continue;
}
nts_ke_serves++;
@@ -121,7 +147,7 @@ void* nts_ke_listener(void* arg) {
socktoa((sockaddr_u *)&addr));
/* This could/should go in a new thread. */ // FIXME
- ssl = SSL_new(ctx);
+ ssl = SSL_new(server_ctx);
SSL_set_fd(ssl, client);
if (SSL_accept(ssl) <= 0) {
@@ -145,6 +171,7 @@ void* nts_ke_listener(void* arg) {
SSL_free(ssl);
close(client);
}
+return NULL;
}
void nts_ke_request(SSL *ssl) {
@@ -195,29 +222,74 @@ void nts_ke_request(SSL *ssl) {
return;
}
-int create_listener(int port) {
- int sock;
+int create_listener(int port, int family) {
+ int sock = -1;
struct sockaddr_in addr;
-
- addr.sin_family = AF_INET;
- addr.sin_port = htons(port);
- addr.sin_addr.s_addr = htonl(INADDR_ANY);
-
- sock = socket(AF_INET, SOCK_STREAM, 0);
- if (sock < 0) {
- msyslog(LOG_ERR, "NTSs: Can't create socket: %m");
- return -1;
- }
-
- if (bind(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0) {
- msyslog(LOG_ERR, "NTSs: can't bind: %m");
- return -1;
+ struct sockaddr_in6 addr6;
+ int on = 1;
+ int err;
+
+ switch (family) {
+ case AF_INET:
+ addr.sin_family = AF_INET;
+ addr.sin_port = htons(port);
+ addr.sin_addr.s_addr= htonl(INADDR_ANY);
+ sock = socket(AF_INET, SOCK_STREAM, 0);
+ if (sock < 0) {
+ msyslog(LOG_ERR, "NTSs: Can't create socket4: %m");
+ return -1;
+ }
+ err = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
+ if (0 > err) {
+ msyslog(LOG_ERR, "NTSs: can't setsockopt4: %m");
+ return -1;
+ }
+ err = bind(sock, (struct sockaddr*)&addr, sizeof(addr));
+ if (0 > err) {
+ msyslog(LOG_ERR, "NTSs: can't bind4: %m");
+ return -1;
+ }
+ if (listen(sock, 6) < 0) {
+ msyslog(LOG_ERR, "NTSs: can't listen4: %m");
+ return -1;
+ }
+ msyslog(LOG_INFO, "NTSs: listen4 worked");
+ break;
+ case AF_INET6:
+ addr6.sin6_family = AF_INET6;
+ addr6.sin6_port = htons(port);
+ addr6.sin6_addr = in6addr_any;
+ sock = socket(AF_INET6, SOCK_STREAM, 0);
+ if (sock < 0) {
+ msyslog(LOG_ERR, "NTSs: Can't create socket6: %m");
+ return -1;
+ }
+ /* Hack to keep IPV6 from listening on IPV4 too */
+ err = setsockopt(sock, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
+ if (0 > err) {
+ msyslog(LOG_ERR, "NTSs: can't setsockopt6only: %m");
+ return -1;
+ }
+ err = setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
+ if (0 > err) {
+ msyslog(LOG_ERR, "NTSs: can't setsockopt6: %m");
+ return -1;
+ }
+ err = bind(sock, (struct sockaddr*)&addr6, sizeof(addr6));
+ if (0 > err) {
+ msyslog(LOG_ERR, "NTSs: can't bind6: %m");
+ return -1;
+ }
+ if (listen(sock, 6) < 0) {
+ msyslog(LOG_ERR, "NTSs: can't listen6: %m");
+ return -1;
+ }
+ msyslog(LOG_INFO, "NTSs: listen6 worked");
+ break;
+ default:
+ break;
}
- if (listen(sock, 1) < 0) {
- msyslog(LOG_ERR, "NTSs: can't listen: %m");
- return -1;
- }
return sock;
}
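Review bot: Every error path in create_listener after socket() succeeds (the setsockopt4/bind4/listen4 failures and their three IPv6 counterparts) returns -1 without closing `sock`, so each failed attempt leaks a descriptor, and `addr`/`addr6` are bound without being zeroed, leaving sin_zero, sin6_flowinfo and sin6_scope_id uninitialized. Initializing both structs with `= {0}` and routing the failures through one cleanup label fixes both; the rewrite below shows the shape, with the unchanged fill/socket/setsockopt sequences elided. In the nts_server_init hunk, a failed IPv6 listener makes the function return false and nts_init then exit(1), so a host without IPv6 cannot run with NTS enabled at all; logging and continuing with the IPv4 listener alone would be friendlier. `bool nts_server_init2(void);` near the top of the file declares a function only this file calls, so `static` would match the neighbouring prototypes.

```c
int create_listener(int port, int family) {
	int sock = -1;
	struct sockaddr_in addr = {0};   /* zero sin_zero (and sin_len where present) */
	struct sockaddr_in6 addr6 = {0}; /* zero sin6_flowinfo / sin6_scope_id */
	int on = 1;
	int err;

	switch (family) {
	case AF_INET:
		/* … unchanged: fill addr, socket(), SO_REUSEADDR … */
		if (0 > err) {
			msyslog(LOG_ERR, "NTSs: can't setsockopt4: %m");
			goto fail;
		}
		/* … the `return -1` after bind4 and listen4 likewise becomes `goto fail` … */
		break;
	case AF_INET6:
		/* … unchanged: fill addr6, socket(), IPV6_V6ONLY, SO_REUSEADDR, bind, listen,
		     with every `return -1` after socket() succeeds replaced by `goto fail` … */
		break;
	default:
		msyslog(LOG_ERR, "NTSs: create_listener: unsupported address family %d", family);
		break;
	}
	return sock;
fail:
	close(sock); /* do not leak the half-configured descriptor */
	return -1;
}
```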