[Git][NTPsec/ntpsec][master] 2 commits: Connect the NTS Stubs to the packet processing.
Eric S. Raymond
gitlab at mg.gitlab.com
Tue Jan 29 19:38:54 UTC 2019
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
3918cc0a by Eric S. Raymond at 2019-01-29T19:35:21Z
Connect the NTS Stubs to the packet processing.
- - - - -
521435e7 by Eric S. Raymond at 2019-01-29T19:38:38Z
Sometimes you wonder why the compiler didn't throw an error.
- - - - -
6 changed files:
- include/ntp.h
- include/ntpd.h
- include/nts.h
- ntpd/ntp_io.c
- ntpd/ntp_proto.c
- ntpd/nts.c
Changes:
=====================================
include/ntp.h
=====================================
@@ -14,6 +14,7 @@
#include "ntp_lists.h"
#include "ntp_stdlib.h"
#include "ntp_net.h"
+#include "nts.h"
extern int32_t ntp_random (void);
extern uint64_t ntp_random64 (void);
@@ -253,6 +254,7 @@ struct peer {
uint8_t cast_flags; /* additional flags */
uint8_t last_event; /* last peer error code */
uint8_t num_events; /* number of error events */
+ struct ntspeer_t nts; /* per-peer Network Time Security state */
/*
* Variables used by reference clock support
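Review bot: The new `nts` member embeds NTS_MAX_COOKIES × NTS_COOKIELEN bytes of cookie storage in every `struct peer`, and the empty-string sentinel that nts.h relies on only works if that storage starts zeroed; nothing in this commit initialises it. If the peer allocator does not already zero-fill the whole structure (it is not visible here), the creation path needs an explicit `memset(&peer->nts, 0, sizeof peer->nts);`, or `nts_client_ke_verify()` must write the sentinel before any cookie slot is read. A short comment on the member stating that invariant, e.g. `/* zero-filled at allocation; empty cookie[0] marks an unused slot */`, would keep it from being silently broken later. `struct peer` continues outside the hunk.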
=====================================
include/ntpd.h
=====================================
@@ -420,6 +420,14 @@ extern struct refclock * const refclock_conf[];
extern const uint8_t num_refclock_conf;
#endif
+/* nts.c */
+int nts_client_ke_request(void);
+int nts_server_ke_verify(void);
+int nts_client_ke_verify(struct ntspeer_t *);
+int nts_daily(void);
+int nts_validate(struct parsed_pkt *, struct ntspeer_t *);
+int nts_decorate(uint32_t *, size_t, struct ntspeer_t *);
+
/* ntp_util.c */
extern char * refid_dump(refid_t, int);
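Review bot: The new prototypes drop parameter names and `const`, so a reader of ntpd.h cannot tell which pointer `nts_validate()` inspects and which it may write; validation of an incoming packet should not modify it. Declare them as `int nts_validate(const struct parsed_pkt *pkt, struct ntspeer_t *ntspeer);` and `int nts_decorate(uint32_t *extdata, size_t extlen, struct ntspeer_t *ntspeer);` so the contract is visible at the declaration, and mirror the `const` in nts.c. The other prototypes in this block (`nts_client_ke_verify`, `nts_daily`) would benefit from the same naming.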
=====================================
include/nts.h
=====================================
@@ -4,13 +4,14 @@
#ifndef NTS_H
#define NTS_H
-struct nts_client_t;
+#define NTS_MAX_COOKIES 8 /* RFC 4.1.6 */
+#define NTS_COOKIELEN 128 /* placeholder - see RFC 6 */
-int nts_client_ke_request(void);
-int nts_server_ke_verify(void);
-int nts_client_ke_verify(struct nts_client_t *);
-int nts_daily(void);
-int nts_validate(struct parsed_pkt *, struct nts_client_t *);
-int nts_decorate(struct parsed_pkt *, struct nts_client_t *);
+/* Client-side state per connection to server */
+struct ntspeer_t {
+ /* we treat an empty cookie string as a sentinel */
+ char cookies[NTS_MAX_COOKIES][NTS_COOKIELEN];
+ int current_cookie;
+};
#endif /* NTS_H */
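Review bot: Storing cookies as `char` arrays with an empty C string as the "unused slot" sentinel is fragile: the cited draft treats a cookie as an opaque octet string, so a cookie containing a zero byte would be truncated by any string-style handling and a cookie starting with a zero byte would be mistaken for an empty slot. Keep the storage as bytes with an explicit length per slot, `uint8_t cookies[NTS_MAX_COOKIES][NTS_COOKIELEN];` and `size_t cookielen[NTS_MAX_COOKIES]; /* 0 marks an empty slot */`, and replace the "empty cookie string" comment accordingly. `current_cookie` also deserves a one-line invariant comment, `/* always 0 <= current_cookie < NTS_MAX_COOKIES */`, since it will index the array.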
=====================================
ntpd/ntp_io.c
=====================================
@@ -394,7 +394,7 @@ interface_dump(const endpt *itf)
sockaddr_dump(&itf->mask);
printf("name = %s\n", itf->name);
printf("flags = 0x%08x\n", itf->flags);
- printf("addr_refid = %s\n", refid_dump(itf->addr_refid));
+ printf("addr_refid = %s\n", refid_dump(itf->addr_refid, 2));
printf("received = %ld\n", itf->received);
printf("sent = %ld\n", itf->sent);
printf("notsent = %ld\n", itf->notsent);
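Review bot: The added second argument to `refid_dump()` is a bare `2`, and the prototype this commit adds to ntpd.h (`extern char * refid_dump(refid_t, int);`) does not name it, so nothing in the headers says what the value selects; I cannot see the definition from here. Naming the parameter in the prototype and adding a short comment at the call site, `refid_dump(itf->addr_refid, 2) /* <meaning of 2> */`, would make the fix self-explanatory, or better, give the value a named constant if the function already defines a mode enum.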
=====================================
ntpd/ntp_proto.c
=====================================
@@ -68,7 +68,6 @@ static inline l_fp_w htonl_fp(l_fp lfp) {
#define CLEAR_TO_ZERO(p) ((char *)&((p)->clear_to_zero))
#define END_CLEAR_TO_ZERO(p) ((char *)&((p)->end_clear_to_zero))
#define LEN_CLEAR_TO_ZERO(p) (END_CLEAR_TO_ZERO(p) - CLEAR_TO_ZERO(p))
-
/*
* traffic shaping parameters
*/
@@ -684,7 +683,7 @@ receive(
goto done;
}
-/* FIXME: This is lots more cleanup to do in this area. */
+ /* FIXME: This is lots more cleanup to do in this area. */
restrict_mask = restrictions(&rbufp->recv_srcadr);
@@ -786,10 +785,18 @@ receive(
switch (PKT_MODE(rbufp->pkt.li_vn_mode)) {
case MODE_ACTIVE: /* remote site using "peer" in config file */
case MODE_CLIENT: /* Request for us as a server. */
+ if (nts_validate(&rbufp->pkt, NULL) != 0) {
+ stat_count.sys_declined++;
+ break;
+ }
handle_fastxmit(rbufp, restrict_mask, auth);
stat_count.sys_processed++;
break;
- case MODE_SERVER: /* Reply to our request. */
+ case MODE_SERVER: /* Reply to our request to a server. */
+ if (peer == NULL || nts_validate(&rbufp->pkt, &peer->nts) != 0) {
+ stat_count.sys_declined++;
+ break;
+ }
handle_procpkt(rbufp, peer);
stat_count.sys_processed++;
peer->processed++;
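Review bot: A packet rejected by `nts_validate()` is only counted in `stat_count.sys_declined`, which it shares with every other decline reason, so an operator debugging an NTS failure with a specific server has no way to see that NTS was the cause. At minimum add a debug trace before each new `break`, e.g. `DPRINT(1, ("receive: NTS validation failed from %s\n", socktoa(&rbufp->recv_srcadr)));`, and for the MODE_SERVER case consider recording the failure on the peer as well so the association's own state reflects it. The `peer == NULL` guard in the MODE_SERVER arm is new; if a reply with no matching association was previously rejected earlier in `receive()` this is harmless, but if it reached this switch it is now counted as declined rather than whatever it was before. `receive()` starts and ends outside the hunk.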
@@ -2129,6 +2136,8 @@ peer_xmit(
xpkt.xmt = htonl_fp(peer->org_rand); /* out in xmt, back in org */
+ sendlen += nts_decorate(xpkt.exten, sizeof(xpkt.exten), &peer->nts);
+
/*
* If the peer (aka server) was configured with a key, authenticate
* the packet. Else, the packet is not authenticated.
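Review bot: `sendlen` is a byte count (it is initialised from `LEN_PKT_NOMAC` and passed to `sendpkt()` and `authencrypt()` as a length), but the nts.c comment says `nts_decorate()` returns "the count of words appended", and its `int` return is added straight into a `size_t`, so a future negative error code would wrap to a huge length. Either make the stub return bytes and say so, or convert at the call site: `int nwords = nts_decorate(xpkt.exten, sizeof(xpkt.exten), &peer->nts);` followed by a `nwords < 0` check and `sendlen += (size_t)nwords * sizeof(uint32_t);`. The same applies to both `nts_decorate()` calls added in `fast_xmit()` later in this diff. Passing `sizeof(xpkt.exten)` (bytes) as `extlen` next to a `uint32_t *` also needs the unit stated in the nts.c comment. `peer_xmit()` continues outside the hunk.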
@@ -2286,6 +2295,7 @@ fast_xmit(
xpkt.xmt = htonl_fp(xmt_tx);
}
+
#ifdef ENABLE_MSSNTP
if (flags & RES_MSSNTP) {
keyid_t keyid = 0;
@@ -2295,6 +2305,7 @@ fast_xmit(
}
#endif /* ENABLE_MSSNTP */
+
/*
* If the received packet contains a MAC, the transmitted packet
* is authenticated and contains a MAC. If not, the transmitted
@@ -2302,6 +2313,7 @@ fast_xmit(
*/
sendlen = LEN_PKT_NOMAC;
if (NULL == auth) {
+ sendlen += nts_decorate(xpkt.exten, sizeof(xpkt.exten), NULL);
sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, &xpkt, (int)sendlen);
DPRINT(1, ("transmit: at %u %s->%s mode %d len %zu\n",
current_time, socktoa(&rbufp->dstadr->sin),
@@ -2316,6 +2328,7 @@ fast_xmit(
* cryptosum.
*/
get_systime(&xmt_tx);
+ sendlen += nts_decorate(xpkt.exten, sizeof(xpkt.exten), NULL);
sendlen += (size_t)authencrypt(auth, (uint32_t *)&xpkt, (int)sendlen);
sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, &xpkt, (int)sendlen);
get_systime(&xmt_ty);
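Review bot: The new `nts_decorate()` call sits between `get_systime(&xmt_tx)` and `sendpkt()`, so whatever work cookie encoding eventually does will land inside the xmt_tx/xmt_ty interval along with `authencrypt()`. If that interval is meant to capture only the cryptosum cost (the comment above suggests so, but the rest of `fast_xmit()` is outside the hunk), move the call above `get_systime(&xmt_tx)` so the measurement stays comparable with the no-MAC path; if it is meant to cover everything between timestamp and transmit, a comment saying that would settle it.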
=====================================
ntpd/nts.c
=====================================
@@ -5,7 +5,7 @@
* https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-15
*
* This module exposes mostly functions and structure pointers (not
- * structures) so that the NTS implementation can be sealed off deom
+ * structures) so that the NTS implementation can be sealed off from
* the rest of the code. It supports both the client and server sides.
*
* The exception is client configuration, for which various bits have
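Review bot: The sentence being corrected here, "exposes mostly functions and structure pointers (not structures) so that the NTS implementation can be sealed off", is now inaccurate: this same commit moves `struct ntspeer_t` into nts.h and embeds it by value in `struct peer`, so its layout is visible to the rest of ntpd. Rewrite the paragraph to say that the per-peer state structure is public (so it can be embedded) while the key-exchange and cookie handling remain private to this file, otherwise the header misleads the next reader about what may be accessed from outside.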
@@ -13,18 +13,7 @@
*/
#include "config.h"
#include "ntp_types.h"
-#include "ntp.h"
-#include "nts.h"
-
-#define NTS_COOKIES 8 /* RFC 4.1.6 */
-#define NTS_COOKIELEN 128 /* placeholder - see RFC 6 */
-
-/* Client-side state per connection to server */
-struct nts_client_t {
- /* we treat an empty cookie string as a sentinel */
- char cookies[NTS_COOKIES][NTS_COOKIELEN];
- int current_cookie;
-};
+#include "ntpd.h"
/* By design, there is no per-client-side state on the server */
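Review bot: With `#include "nts.h"` removed, nts.c only reaches its own header transitively through ntpd.h (presumably via ntp.h, which this commit makes include nts.h; the chain is not visible here), so nothing checks that nts.h is self-contained. Keep `#include "nts.h"` next to `#include "ntpd.h"` so the module includes its own header directly, as the other ntpd sources do with theirs.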
@@ -71,9 +60,9 @@ int nts_server_ke_verify(void)
* - Verify server response message
* - Extract cookie(s).
*/
-int nts_client_ke_verify(struct nts_client_t *nts_client)
+int nts_client_ke_verify(struct ntspeer_t *ntspeer)
{
- UNUSED_ARG(nts_client);
+ UNUSED_ARG(ntspeer);
return 0;
}
@@ -90,27 +79,28 @@ int nts_daily(void)
/*
* Extract and validate NTS validation information from packet
* extension fields in an incoming request or response. On the server
- * side, the nts_client pointer is expected to be NULL as there is no
- * per-client server state.
+ * side, the ntspeer pointer is expected to be NULL as there is no
+ * per-client server state. A nonzero return causes the packet to be
+ * discarded.
*/
-int nts_validate(struct parsed_pkt *pkt, struct nts_client_t *nts_client)
+int nts_validate(struct parsed_pkt *pkt, struct ntspeer_t *ntspeer)
{
UNUSED_ARG(pkt);
- UNUSED_ARG(nts_client);
+ UNUSED_ARG(ntspeer);
return 0;
}
/*
* Decorate an outgoing client request or server response with packet
* extension fields carrying NTS information. For a server reponse,
- * the nts_client pointer is expected to be NULL as there is no
- * per-client server state.
+ * the ntspeer pointer is expected to be NULL as there is no
+ * per-client server state. Return the count of words appended.
*/
-int nts_decorate(struct parsed_pkt *pkt, struct nts_client_t *nts_client)
+int nts_decorate(uint32_t *extdata, size_t extlen, struct ntspeer_t *ntspeer)
{
- UNUSED_ARG(pkt);
- UNUSED_ARG(nts_client);
- return 0;
+ UNUSED_ARG(extdata);
+ UNUSED_ARG(extlen);
+ UNUSED_ARG(ntspeer);
}
/* end */
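Review bot: `nts_decorate()` no longer contains a `return` statement: the old `return 0;` was dropped with the removed lines and not re-added after the new `UNUSED_ARG()` calls, so every `sendlen += nts_decorate(...)` caller reads an indeterminate value, which is undefined behaviour for a non-void function whose result is used and will show up as corrupt packet lengths rather than a compile error unless `-Werror=return-type` is enabled. Restore `return 0;` after `UNUSED_ARG(ntspeer);`. The comment should also state whether `extlen` is in bytes or 32-bit words, since callers pass `sizeof(xpkt.exten)` for a `uint32_t *`. Separately, `nts_validate()` returning 0 unconditionally is fail-open for any peer that already holds cookies; acceptable for a stub, but mark it `/* FIXME: stub accepts every packet */` so it is not forgotten when cookies start being issued.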