[Git][NTPsec/ntpsec][master] Move init and utility routines from nts_server to nts
Hal Murray
gitlab at mg.gitlab.com
Tue Mar 12 03:53:27 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
0ad9604d by Hal Murray at 2019-03-12T03:00:40Z
Move init and utility routines from nts_server to nts
- - - - -
5 changed files:
- include/nts.h
- include/nts2.h
- ntpd/nts.c
- ntpd/nts_server.c
- tests/ntpd/nts.c
Changes:
=====================================
include/nts.h
=====================================
@@ -16,6 +16,17 @@
#define NTS_KE_TIMEOUT 3
+bool nts_server_init(void);
+bool nts_client_init(void);
+bool nts_cookie_init(void);
+bool nts_server_init2(void); /* after sandbox */
+bool nts_cookie_init2(void);
+
+
+
+
+
+
#define NTS_MAX_KEYLEN 64 /* used in cookies */
#define NTS_MAX_COOKIELEN 192 /* see nts_cookie.c */
#define NTS_MAX_COOKIES 8 /* RFC 4.1.6 */
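Review bot: The `/* after sandbox */` remark now sits only on nts_server_init2, while nts_cookie_init2 on the next line (which carried that remark in the old nts2.h) is left undocumented even though both are second-stage entry points; a group comment above the two, `/* *_init2: called after the sandbox is set up */`, would cover both. The six empty `+` lines that follow the prototypes look accidental and could be collapsed to one.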
=====================================
include/nts2.h
=====================================
@@ -10,20 +10,18 @@
#include <openssl/ssl.h>
-
-bool nts_server_init(void);
-bool nts_client_init(void);
-bool nts_cookie_init(void);
-bool nts_cookie_init2(void); /* after sandbox */
-void nts_log_ssl_error(void);
-
+bool nts_load_certificate(SSL_CTX *ctx);
bool nts_load_ciphers(SSL_CTX *ctx);
bool nts_load_versions(SSL_CTX *ctx);
+void nts_log_ssl_error(void);
+
int nts_get_key_length(int16_t aead);
+int nts_translate_version(const char *arg);
int16_t nts_string_to_aead(const char* text);
-bool nts_make_keys(SSL *ssl, int16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen);
+bool nts_make_keys(SSL *ssl, int16_t aead,
+ uint8_t *c2s, uint8_t *s2c, int keylen);
int nts_make_cookie(uint8_t *cookie,
int16_t aead,
=====================================
ntpd/nts.c
=====================================
@@ -36,9 +36,54 @@ struct ntsconfig_t ntsconfig = {
};
+/*****************************************************/
+
+void nts_init(void) {
+ bool ok = true;
+ if (ntsconfig.ntsenable) {
+ ok &= nts_server_init();
+ }
+ ok &= nts_client_init();
+ ok &= nts_cookie_init();
+ ok &= extens_init();
+ if (!ok) {
+ msyslog(LOG_ERR, "NTS: troubles during init. Bailing.");
+ exit(1);
+ }
+}
+
+void nts_init2(void) {
+ bool ok = true;
+ if (ntsconfig.ntsenable) {
+ ok &= nts_server_init2();
+ ok &= nts_cookie_init2();
+ }
+ if (!ok) {
+ msyslog(LOG_ERR, "NTS: troubles during init2. Bailing.");
+ exit(1);
+ }
+}
/*****************************************************/
+/* 0 is default, -1 is error */
+int nts_translate_version(const char *arg) {
+ if (NULL == arg)
+ return 0;
+ if (0 == strcmp(arg, "TLS1.2"))
+ return TLS1_2_VERSION;
+ if (0 == strcmp(arg, "TLS1.3")) {
+#ifdef TLS1_3_VERSION
+ return TLS1_3_VERSION;
+#else
+ msyslog(LOG_ERR, "NTS: TLS1.3 not supported by this version of OpenSSL.");
+ return -1;
+#endif
+ }
+ msyslog(LOG_ERR, "NTS: unrecognized version string: %s.", arg);
+ return -1;
+}
+
/* Translate text to AEAD code. -1 for none/error */
int16_t nts_string_to_aead(const char* text) {
if (0 == strcmp( text, "IANA_AEAD_AES_SIV_CMAC_256"))
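Review bot: nts_init and nts_init2 arrive in nts.c without a header comment saying why initialization is split in two, and the only hint in this commit is the `/* after sandbox */` remark on nts_server_init2 in nts.h. A comment above nts_init2 such as `/* Second-stage init; runs after the sandbox is set up (see the *_init2 prototypes in nts.h). */` and `/* First-stage init; every failure is logged and collected before bailing. */` above nts_init would spare the next reader a grep. The `/* 0 is default, -1 is error */` line on nts_translate_version could also say that 0 means the option is not configured (arg is NULL), since nts_load_versions substitutes TLS1_2_VERSION for a 0 minimum. The hunk ends inside nts_string_to_aead, whose body continues outside it.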
@@ -51,6 +96,106 @@ int16_t nts_string_to_aead(const char* text) {
return -1;
}
+/* returns key length, 0 if unknown arg */
+int nts_get_key_length(int16_t aead) {
+ switch (aead) {
+ case IANA_AEAD_AES_SIV_CMAC_256:
+ return AEAD_AES_SIV_CMAC_256_KEYLEN;
+ case IANA_AEAD_AES_SIV_CMAC_384:
+ return AEAD_AES_SIV_CMAC_384_KEYLEN;
+ case IANA_AEAD_AES_SIV_CMAC_512:
+ return AEAD_AES_SIV_CMAC_512_KEYLEN;
+ default:
+ return 0;
+ }
+}
+
+
+/*****************************************************/
+
+bool nts_load_versions(SSL_CTX *ctx) {
+ int minver, maxver;
+ minver = nts_translate_version(ntsconfig.mintls);
+ maxver = nts_translate_version(ntsconfig.maxtls);
+ if ((-1 == minver) || (-1 == maxver))
+ return false;
+#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ if(0 == minver) minver = TLS1_2_VERSION; // 3.
+ SSL_CTX_set_min_proto_version(ctx, minver);
+ SSL_CTX_set_max_proto_version(ctx, maxver);
+#else
+ /* Older versions of OpenSSL don't support min/max version requests.
+ * * That's OK, since we don't want anything older than 1.2 and
+ * * they don't support anything newer. */
+ SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
+#endif
+ return true;
+}
+
+bool nts_load_ciphers(SSL_CTX *ctx) {
+ /* SSL set_ciphers(uites) ignores typos or ciphers it doesn't support.
+ * * There is no SSL_CTX_get_cipher_list, so we can't easily read back
+ * * the ciphers to see what it took.
+ * * We could make a dummy SSL, read the list, then free it.
+ * */
+ if (NULL != ntsconfig.tlsciphers) {
+ if (1 != SSL_CTX_set_cipher_list(ctx, ntsconfig.tlsciphers)) {
+ msyslog(LOG_ERR, "NTS: troubles setting ciphers.");
+ return false;
+ } else {
+ msyslog(LOG_INFO, "NTS: set ciphers.");
+ }
+ }
+ if (NULL != ntsconfig.tlsciphersuites) {
+#ifdef TLS1_3_VERSION
+ if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
+ msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
+ return false;
+ } else {
+ msyslog(LOG_INFO, "NTS: set ciphersuites.");
+ }
+#else
+ msyslog(LOG_ERR, "NTS: ciphersuites not supported on this version of OpenSSL.");
+#endif
+ }
+ return true;
+}
+
+
+bool nts_load_certificate(SSL_CTX *ctx) {
+ const char *cert = NTS_CERT_FILE;
+ const char *key = NTS_KEY_FILE;
+
+ if (NULL != ntsconfig.cert)
+ cert = ntsconfig.cert;
+ if (NULL != ntsconfig.key)
+ key = ntsconfig.key;
+
+ if (1 != SSL_CTX_use_certificate_chain_file(ctx, cert)) {
+ msyslog(LOG_ERR, "NTSs: can't load certificate (chain) from %s", cert);
+ nts_log_ssl_error();
+ return false;
+ } else {
+ msyslog(LOG_ERR, "NTSs: loaded certificate (chain) from %s", cert);
+ }
+ if (1 != SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
+ msyslog(LOG_ERR, "NTSs: can't load private key from %s", key);
+ nts_log_ssl_error();
+ return false;
+ } else {
+ msyslog(LOG_ERR, "NTSs: loaded private key from %s", key);
+ }
+
+ if (1 != SSL_CTX_check_private_key(ctx)) {
+ msyslog(LOG_ERR, "NTSs: Private Key doesn't work ******");
+ return false;
+ } else {
+ msyslog(LOG_INFO, "NTSs: Private Key OK");
+ }
+ return true;
+}
+
+
void nts_log_ssl_error(void) {
char buff[256];
int err = ERR_get_error();
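Review bot: In nts_load_certificate the two success messages are logged at LOG_ERR (`"NTSs: loaded certificate (chain) from %s"` and `"NTSs: loaded private key from %s"`) while the matching `"NTSs: Private Key OK"` line uses LOG_INFO, so a normal startup shows up as errors in syslog; both should be `msyslog(LOG_INFO, ...)`. The SSL_CTX_check_private_key failure branch is also the only one of the three that does not call `nts_log_ssl_error();` before returning, so the OpenSSL reason for a key/certificate mismatch is lost. In nts_load_ciphers the `#else` branch logs that configured ciphersuites are unsupported but still returns true, so an operator's TLS 1.3 cipher policy is silently dropped while the other configuration failures return false — either return false there or state in the comment that continuing is deliberate. The doubled `* *` in the two moved comment blocks (nts_load_versions and nts_load_ciphers) may be a rendering artifact, but the removed side had a single `*`, so it is worth checking the committed text. nts_log_ssl_error's body continues outside the hunk.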
=====================================
ntpd/nts_server.c
=====================================
@@ -22,12 +22,10 @@
#include "nts2.h"
-static bool nts_load_certificate(SSL_CTX *ctx);
static int create_listener(int port, int family);
static void* nts_ke_listener(void*);
static bool nts_ke_request(SSL *ssl);
-static int nts_translate_version(const char *arg);
-bool nts_server_init2(void);
+
static SSL_CTX *server_ctx = NULL;
static int listner4_sock = -1;
@@ -40,32 +38,6 @@ uint64_t nts_ke_probes = 0;
uint64_t nts_ke_probes_bad = 0;
-void nts_init(void) {
- bool ok = true;
- if (ntsconfig.ntsenable) {
- ok &= nts_server_init();
- }
- ok &= nts_client_init();
- ok &= nts_cookie_init();
- ok &= extens_init();
- if (!ok) {
- msyslog(LOG_ERR, "NTS: troubles during init. Bailing.");
- exit(1);
- }
-}
-
-void nts_init2(void) {
- bool ok = true;
- if (ntsconfig.ntsenable) {
- ok &= nts_server_init2();
- ok &= nts_cookie_init2();
- }
- if (!ok) {
- msyslog(LOG_ERR, "NTS: troubles during init2. Bailing.");
- exit(1);
- }
-}
-
bool nts_server_init(void) {
bool ok = true;
@@ -103,7 +75,6 @@ bool nts_server_init(void) {
SSL_CTX_get_security_level(server_ctx));
#endif
-
listner4_sock = create_listener(NTS_KE_PORT, AF_INET);
if (listner4_sock < 0) return false;
listner6_sock = create_listener(NTS_KE_PORT, AF_INET6);
@@ -307,118 +278,5 @@ int create_listener(int port, int family) {
return sock;
}
-/* returns key length, 0 if unknown arg */
-int nts_get_key_length(int16_t aead) {
- switch (aead) {
- case IANA_AEAD_AES_SIV_CMAC_256:
- return AEAD_AES_SIV_CMAC_256_KEYLEN;
- case IANA_AEAD_AES_SIV_CMAC_384:
- return AEAD_AES_SIV_CMAC_384_KEYLEN;
- case IANA_AEAD_AES_SIV_CMAC_512:
- return AEAD_AES_SIV_CMAC_512_KEYLEN;
- default:
- return 0;
- }
-}
-
-bool nts_load_versions(SSL_CTX *ctx) {
- int minver, maxver;
- minver = nts_translate_version(ntsconfig.mintls);
- maxver = nts_translate_version(ntsconfig.maxtls);
- if ((-1 == minver) || (-1 == maxver))
- return false;
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
- if(0 == minver) minver = TLS1_2_VERSION; // 3.
- SSL_CTX_set_min_proto_version(ctx, minver);
- SSL_CTX_set_max_proto_version(ctx, maxver);
-#else
- /* Older versions of OpenSSL don't support min/max version requests.
- * That's OK, since we don't want anything older than 1.2 and
- * they don't support anything newer. */
- SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
-#endif
- return true;
-}
-
-/* 0 is default, -1 is error */
-int nts_translate_version(const char *arg) {
- if (NULL == arg)
- return 0;
- if (0 == strcmp(arg, "TLS1.2"))
- return TLS1_2_VERSION;
- if (0 == strcmp(arg, "TLS1.3")) {
-#ifdef TLS1_3_VERSION
- return TLS1_3_VERSION;
-#else
- msyslog(LOG_ERR, "NTS: TLS1.3 not supported by this version of OpenSSL.");
- return -1;
-#endif
- }
- msyslog(LOG_ERR, "NTS: unrecognized version string: %s.", arg);
- return -1;
-}
-
-bool nts_load_ciphers(SSL_CTX *ctx) {
- /* SSL set_ciphers(uites) ignores typos or ciphers it doesn't support.
- * There is no SSL_CTX_get_cipher_list, so we can't easily read back
- * the ciphers to see what it took.
- * We could make a dummy SSL, read the list, then free it.
- */
- if (NULL != ntsconfig.tlsciphers) {
- if (1 != SSL_CTX_set_cipher_list(ctx, ntsconfig.tlsciphers)) {
- msyslog(LOG_ERR, "NTS: troubles setting ciphers.");
- return false;
- } else {
- msyslog(LOG_INFO, "NTS: set ciphers.");
- }
- }
- if (NULL != ntsconfig.tlsciphersuites) {
-#ifdef TLS1_3_VERSION
- if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
- msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
- return false;
- } else {
- msyslog(LOG_INFO, "NTS: set ciphersuites.");
- }
-#else
- msyslog(LOG_ERR, "NTS: ciphersuites not supported on this version of OpenSSL.");
-#endif
- }
- return true;
-}
-
-bool nts_load_certificate(SSL_CTX *ctx) {
- const char *cert = NTS_CERT_FILE;
- const char *key = NTS_KEY_FILE;
-
- if (NULL != ntsconfig.cert)
- cert = ntsconfig.cert;
- if (NULL != ntsconfig.key)
- key = ntsconfig.key;
-
- if (1 != SSL_CTX_use_certificate_chain_file(ctx, cert)) {
- msyslog(LOG_ERR, "NTSs: can't load certificate (chain) from %s", cert);
- nts_log_ssl_error();
- return false;
- } else {
- msyslog(LOG_ERR, "NTSs: loaded certificate (chain) from %s", cert);
- }
-
- if (1 != SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM)) {
- msyslog(LOG_ERR, "NTSs: can't load private key from %s", key);
- nts_log_ssl_error();
- return false;
- } else {
- msyslog(LOG_ERR, "NTSs: loaded private key from %s", key);
- }
-
- if (1 != SSL_CTX_check_private_key(ctx)) {
- msyslog(LOG_ERR, "NTSs: Private Key doesn't work ******");
- return false;
- } else {
- msyslog(LOG_INFO, "NTSs: Private Key OK");
- }
- return true;
-}
/* end */
=====================================
tests/ntpd/nts.c
=====================================
@@ -1,3 +1,4 @@
+#include "ntpd.h"
#include "nts.h"
#include "nts2.h"
#include "unity.h"
@@ -234,6 +235,16 @@ TEST(nts, next_bytes) {
TEST_ASSERT_EQUAL_INT(cursor.left, 8);
}
+/* Hacks to keep linker happy after moving nts_init to nts.c */
+bool nts_server_init (void) { return true; }
+bool nts_client_init (void) { return true; }
+bool nts_cookie_init (void) { return true; }
+bool nts_server_init2 (void) { return true; }
+bool nts_cookie_init2 (void) { return true; }
+bool extens_init (void) { return true; }
+
+
+
TEST_GROUP_RUNNER(nts) {
RUN_TEST_CASE(nts, ke_append_record_null);
RUN_TEST_CASE(nts, ke_append_record_uint16);
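Review bot: The linker stubs at the top of the hunk return true unconditionally, so any test that ever called nts_init() or nts_init2() would appear to pass without exercising real initialization; the comment should say so, e.g. `/* Link-time stubs for the *_init symbols that nts_init()/nts_init2() reference; tests here must not call nts_init/nts_init2. */`. The `name (void)` spacing in these definitions also differs from the prototypes in nts.h, and the three trailing blank lines before TEST_GROUP_RUNNER could go. TEST_GROUP_RUNNER's body continues outside the hunk.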