[Git][NTPsec/ntpsec][master] 2 commits: Change aead back to uint16_t
Hal Murray
gitlab at mg.gitlab.com
Wed Mar 13 19:31:17 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
9de73df9 by Hal Murray at 2019-03-12T07:43:21Z
Change aead back to uint16_t
- - - - -
00546db7 by Hal Murray at 2019-03-13T12:25:50Z
NTS: add timing messages, fix NTS-KE to work with IPv6
- - - - -
7 changed files:
- include/nts.h
- include/nts2.h
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_cookie.c
- ntpd/nts_extens.c
- ntpd/nts_server.c
Changes:
=====================================
include/nts.h
=====================================
@@ -48,7 +48,7 @@ struct ntscfg_t {
/* Client-side state per connection to server */
struct ntsclient_t {
/* wire connection */
- int16_t aead; /* AEAD algorithm used on wire */
+ uint16_t aead; /* AEAD algorithm used on wire */
int keylen;
uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN];
/* UID of last request sent - RFC 5.3 */
@@ -66,7 +66,7 @@ struct ntspacket_t {
int uidlen;
uint8_t UID[NTS_UID_MAX_LENGTH];
int needed;
- int aead;
+ uint16_t aead;
int keylen;
uint8_t c2s[NTS_MAX_KEYLEN], s2c[NTS_MAX_KEYLEN];
};
@@ -98,6 +98,7 @@ struct ntsconfig_t {
#define AEAD_AES_SIV_CMAC_256_KEYLEN 32
#define AEAD_AES_SIV_CMAC_384_KEYLEN 48
#define AEAD_AES_SIV_CMAC_512_KEYLEN 64
+#define NO_AEAD 0xffff
/* NTS protocol constants */
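Review bot: `NO_AEAD` is a bare magic number placed among the key-length defines it has nothing to do with, and nothing says it is a sentinel rather than an algorithm identifier. It only works as "none" because the `aead` fields in the two hunks above were widened to `uint16_t`, so a `-1` from the old `int16_t` code converts to exactly 0xffff; any remaining comparison against `-1`, or a copy of `aead` into a plain `int`, will now silently miss the sentinel. Suggest `#define NO_AEAD 0xffff /* sentinel: no/unknown AEAD; not a valid IANA AEAD algorithm id */` and keeping it next to the AEAD id constants rather than the key lengths.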
=====================================
include/nts2.h
=====================================
@@ -16,18 +16,18 @@ bool nts_load_versions(SSL_CTX *ctx);
void nts_log_ssl_error(void);
-int nts_get_key_length(int16_t aead);
+int nts_get_key_length(uint16_t aead);
int nts_translate_version(const char *arg);
-int16_t nts_string_to_aead(const char* text);
+uint16_t nts_string_to_aead(const char* text);
-bool nts_make_keys(SSL *ssl, int16_t aead,
+bool nts_make_keys(SSL *ssl, uint16_t aead,
uint8_t *c2s, uint8_t *s2c, int keylen);
int nts_make_cookie(uint8_t *cookie,
- int16_t aead,
+ uint16_t aead,
uint8_t *c2s, uint8_t *s2c, int keylen);
bool nts_unpack_cookie(uint8_t *cookie, int cookielen,
- int16_t *aead,
+ uint16_t *aead,
uint8_t *c2s, uint8_t *s2c, int *keylen);
=====================================
ntpd/nts.c
=====================================
@@ -85,7 +85,7 @@ int nts_translate_version(const char *arg) {
}
/* Translate text to AEAD code. -1 for none/error */
-int16_t nts_string_to_aead(const char* text) {
+uint16_t nts_string_to_aead(const char* text) {
if (0 == strcmp( text, "IANA_AEAD_AES_SIV_CMAC_256"))
return AEAD_AES_SIV_CMAC_256;
else if (0 == strcmp( text, "IANA_AEAD_AES_SIV_CMAC_384"))
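Review bot: The comment above `nts_string_to_aead` still says "-1 for none/error" although the return type is now `uint16_t`. The error return is outside the hunk; if it is still `return -1;` it relies on the implicit conversion of -1 to 0xffff to match `NO_AEAD`, which is correct but invisible to the reader and to `-Wconversion`. Make it explicit with `return NO_AEAD;` and change the header comment to `/* Translate text to AEAD code. NO_AEAD for none/error */`. The fallback chain in nts_client_send_request (hunk @@ -333,11 +348,11 @@) depends on exactly that value coming back for an unrecognised config string.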
@@ -97,7 +97,7 @@ int16_t nts_string_to_aead(const char* text) {
}
/* returns key length, 0 if unknown arg */
-int nts_get_key_length(int16_t aead) {
+int nts_get_key_length(uint16_t aead) {
switch (aead) {
case IANA_AEAD_AES_SIV_CMAC_256:
return AEAD_AES_SIV_CMAC_256_KEYLEN;
@@ -135,10 +135,10 @@ bool nts_load_versions(SSL_CTX *ctx) {
bool nts_load_ciphers(SSL_CTX *ctx) {
/* SSL set_ciphers(uites) ignores typos or ciphers it doesn't support.
- * * There is no SSL_CTX_get_cipher_list, so we can't easily read back
- * * the ciphers to see what it took.
- * * We could make a dummy SSL, read the list, then free it.
- * */
+ * There is no SSL_CTX_get_cipher_list, so we can't easily read back
+ * the ciphers to see what it took.
+ * We could make a dummy SSL, read the list, then free it.
+ */
if (NULL != ntsconfig.tlsciphers) {
if (1 != SSL_CTX_set_cipher_list(ctx, ntsconfig.tlsciphers)) {
msyslog(LOG_ERR, "NTS: troubles setting ciphers.");
=====================================
ntpd/nts_client.c
=====================================
@@ -90,13 +90,15 @@ bool nts_client_init(void) {
bool nts_probe(struct peer * peer) {
struct timeval timeout = {.tv_sec = NTS_KE_TIMEOUT, .tv_usec = 0};
SSL *ssl;
- int server = 0;
+ int server;
+ l_fp start, finish;
if (NULL == client_ctx)
return false;
nts_ke_probes++;
addrOK = false;
+ get_systime(&start);
server = open_TCP_socket(peer->hostname);
if (-1 == server) {
@@ -160,6 +162,12 @@ bail:
SSL_free(ssl);
close(server);
+ get_systime(&finish);
+ finish -= start;
+ msyslog(LOG_INFO, "NTSc: NTS-KE req to %s took %.3Lf sec, %s",
+ peer->hostname, lfptod(finish),
+ addrOK? "OK" : "fail");
+
return addrOK;
}
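Review bot: The NTS-KE timing line at `bail` is only reached by probes that got past `open_TCP_socket`; the `-1 == server` branch in the previous hunk appears to return before it (its body is outside the hunk), so DNS or connect failures, usually the slow case worth measuring, are never timed or logged as "fail". Consider capturing `finish` and emitting the same "NTSc: NTS-KE req to %s took ..." line in that early-return branch as well, or factoring the two lines into a small static helper called from both places. The rest of nts_probe is outside the hunk.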
@@ -180,6 +188,7 @@ int open_TCP_socket(const char *hostname) {
struct addrinfo *answer;
int gai_rc, err;
int sockfd;
+ l_fp start, finish;
/* copy avoids dancing around const warnings */
strlcpy(host, hostname, sizeof(host));
@@ -203,19 +212,25 @@ int open_TCP_socket(const char *hostname) {
*tmp++ = 0;
strlcpy(port, tmp, sizeof(port));
}
+
+ get_systime(&start);
gai_rc = getaddrinfo(host, port, &hints, &answer);
if (0 != gai_rc) {
msyslog(LOG_INFO, "NTSc: nts_probe: DNS error trying to contact %s: %d, %s",
hostname, gai_rc, gai_strerror(gai_rc));
return -1;
}
+ get_systime(&finish);
+ finish -= start;
+ msyslog(LOG_INFO, "NTSc: DNS lookup of %s took %.3Lf sec",
+ hostname, lfptod(finish));
/* Save first answer for NTP */
memcpy(&sockaddr, answer->ai_addr, answer->ai_addrlen);
msyslog(LOG_INFO, "NTSc: nts_probe connecting to %s:%s => %s",
host, port, sockporttoa(&sockaddr));
SET_PORT(&sockaddr, NTP_PORT); /* setup default NTP address */
- sockfd = socket(AF_INET, SOCK_STREAM, 0);
+ sockfd = socket(answer->ai_family, SOCK_STREAM, 0);
if (-1 == sockfd) {
msyslog(LOG_INFO, "NTSc: nts_probe: no socket: %s", strerror(errno));
} else {
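Review bot: `socket(answer->ai_family, ...)` now matches the first getaddrinfo answer, but only that first answer is ever used (`memcpy(&sockaddr, answer->ai_addr, ...)` a few lines above), so a host whose first record is an address family this machine cannot reach (e.g. AAAA first on an IPv4-only host) still fails with no attempt at the remaining answers, unless a loop exists further down outside the hunk. If the single-answer behaviour is intended, a comment such as `/* only the first getaddrinfo() answer is tried; no fallback across families */` would keep the next reader from assuming happy-eyeballs style retry. Also worth confirming that the `hints.ai_family` set earlier (outside the hunk) is AF_UNSPEC, otherwise IPv6 answers are never returned and this change has no effect. The function continues past the hunk.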
@@ -288,7 +303,7 @@ bool check_certificate(struct peer* peer, SSL *ssl) {
return true;
}
-bool nts_make_keys(SSL *ssl, int16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
+bool nts_make_keys(SSL *ssl, uint16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
// char *label = "EXPORTER-network-time-security/1";
// Subject: [Ntp] [NTS4NTP] info for NTS developers
// From: Martin Langer <mart.langer at ostfalia.de>
@@ -321,7 +336,7 @@ bool nts_client_send_request(struct peer* peer, SSL *ssl) {
uint8_t buff[1000];
int used, transferred;
struct BufCtl_t buf;
- int16_t aead = -1;
+ uint16_t aead = NO_AEAD;
UNUSED_ARG(peer);
@@ -333,11 +348,11 @@ bool nts_client_send_request(struct peer* peer, SSL *ssl) {
/* 4.1.5 AEAD Algorithm List */
// FIXME should be : separated list
- if ((-1 == aead) && (NULL != peer->cfg.nts_cfg.aead))
+ if ((NO_AEAD == aead) && (NULL != peer->cfg.nts_cfg.aead))
aead = nts_string_to_aead(peer->cfg.nts_cfg.aead);
- if ((-1 == aead) && (NULL != ntsconfig.aead))
+ if ((NO_AEAD == aead) && (NULL != ntsconfig.aead))
aead = nts_string_to_aead(ntsconfig.aead);
- if (-1 == aead)
+ if (NO_AEAD == aead)
aead = AEAD_AES_SIV_CMAC_256;
ke_append_record_uint16(&buf, nts_algorithm_negotiation, aead);
@@ -372,7 +387,7 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
}
msyslog(LOG_ERR, "NTSc: read %d bytes", transferred);
- peer->nts_state.aead = -1;
+ peer->nts_state.aead = NO_AEAD;
peer->nts_state.keylen = 0;
peer->nts_state.writeIdx = 0;
peer->nts_state.readIdx = 0;
@@ -465,7 +480,7 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
} /* while */
// FIXME lots of other checks
- if (-1 == peer->nts_state.aead) {
+ if (NO_AEAD == peer->nts_state.aead) {
msyslog(LOG_ERR, "NTSc: No AEAD algorithim.");
return false;
}
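Review bot: The new check rejects only the "no AEAD record seen" case; a server that negotiates an AEAD id the client does not implement would pass here with `nts_state.keylen` still at the 0 it was initialised to in the earlier hunk, assuming keylen is filled from `nts_get_key_length` (which returns 0 for unknown ids) in the parsing loop outside the hunk. Tightening the guard to `if (NO_AEAD == peer->nts_state.aead || 0 == peer->nts_state.keylen) {` would fail the handshake at this point instead of later with an empty key. The existing "FIXME lots of other checks" suggests this is known, but the keylen case is cheap to close now.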
=====================================
ntpd/nts_cookie.c
=====================================
@@ -235,7 +235,7 @@ bool nts_write_cookie_keys(void) {
/* returns actual length */
int nts_make_cookie(uint8_t *cookie,
- int16_t aead,
+ uint16_t aead,
uint8_t *c2s, uint8_t *s2c, int keylen) {
uint8_t plaintext[NTS_MAX_COOKIELEN];
uint8_t *nonce;
@@ -315,7 +315,7 @@ int nts_make_cookie(uint8_t *cookie,
/* can't decrypt in place - that would trash the unauthenticated packet */
bool nts_unpack_cookie(uint8_t *cookie, int cookielen,
- int16_t *aead,
+ uint16_t *aead,
uint8_t *c2s, uint8_t *s2c, int *keylen) {
uint8_t *finger;
=====================================
ntpd/nts_extens.c
=====================================
@@ -124,7 +124,7 @@ int extens_client_send(struct peer *peer, struct pkt *xpkt) {
bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
struct BufCtl_t buf;
- int16_t aead;
+ uint16_t aead;
int noncelen, cmaclen;
bool sawcookie, sawAEEF;
=====================================
ntpd/nts_server.c
=====================================
@@ -111,6 +111,7 @@ void* nts_ke_listener(void* arg) {
struct sockaddr addr;
uint len = sizeof(addr);
SSL *ssl;
+ l_fp start, finish;
int client = accept(sock, &addr, &len);
if (client < 0) {
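Review bot: `struct sockaddr addr;` with `len = sizeof(addr)` is too small for an IPv6 peer, and the accepted address is then passed to `sockporttoa((sockaddr_u *)&addr)` in the next hunk, which reads the object as the larger union; for IPv6 clients accept() truncates the address and the cast reads past the end of `addr` on the stack. Since this commit is about making NTS-KE work with IPv6, the listener side should use the union directly: `sockaddr_u addr;`, `socklen_t len = sizeof(addr);`, `int client = accept(sock, &addr.sa, &len);` and then `sockporttoa(&addr)` without the cast. This is pre-existing code in the hunk context rather than a new line, but it is on the path the commit claims to fix.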
@@ -121,6 +122,7 @@ void* nts_ke_listener(void* arg) {
continue;
}
nts_ke_serves++;
+ get_systime(&start);
msyslog(LOG_INFO, "NTSs: TCP accept-ed from %s",
sockporttoa((sockaddr_u *)&addr));
setsockopt(client, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
@@ -148,6 +150,11 @@ void* nts_ke_listener(void* arg) {
SSL_shutdown(ssl);
SSL_free(ssl);
close(client);
+
+ get_systime(&finish);
+ finish -= start;
+ msyslog(LOG_INFO, "NTSs: NTS-KE server took %.3Lf sec", lfptod(finish));
+
}
return NULL;
}
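Review bot: The new "NTSs: NTS-KE server took %.3Lf sec" line does not say which connection it belongs to, while the accept line earlier in the loop prints the client address; with several connections in the log there is no way to pair them. Including the same address in this line, e.g. `msyslog(LOG_INFO, "NTSs: NTS-KE for %s took %.3Lf sec", <client address>, lfptod(finish));`, makes the timing attributable and lets an operator spot a single slow or stalling client. Note that any `continue` between `get_systime(&start)` and this point (the TLS error paths are outside the hunk) skips the timing entirely, so failed handshakes are not measured.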