[Git][NTPsec/ntpsec][master] 3 commits: Fix for #580 (not checking length from cookie file)

Hal Murray gitlab at mg.gitlab.com
Thu Mar 21 00:55:01 UTC 2019 


Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
a99200cc by Hal Murray at 2019-03-20T23:10:27Z
Fix for #580 (not checking length from cookie file)

- - - - -
83830442 by Hal Murray at 2019-03-20T23:11:25Z
Fix for #581 (unnecessary NULL check after deref in handle_procpkt)

- - - - -
9ceda5cc by Hal Murray at 2019-03-20T23:47:15Z
Add nts cookie <filename> config option

- - - - -


6 changed files:

- docs/includes/auth-commands.adoc
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/ntp_proto.c
- ntpd/nts_cookie.c


Changes:

=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -51,6 +51,11 @@ The options are as follows:
   validate NTS-KE server certificates instead of the system
   default root certificates.
 
++cookie+ _location_::
+  Use the file (or directory) specified by _location_ to
+  store the keys used to make and decode cookies.  The default
+  is _/var/lib/ntp/nts-keys_.
+
 +enable+::
   Enable NTS-KE server.
   When enabled, _cert_ and _key_ are required.
@@ -103,7 +108,7 @@ The following options of the +server+ command configure NTS.
   That is probably a FQDN rather than a short alias that you would
   probably use to talk to an internal server.
 
-+ask+ _address_::
++ask+ _address_:: (not implemented)
   Use Network Time Security for authentication.  Ask
   for a specific NTS server, which may differ from the NTP server.
   Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
@@ -111,7 +116,7 @@ The following options of the +server+ command configure NTS.
   numeric address, or an IPv6 numeric address (in square brackets).
   The address may have the suffix +:port+ to specify a UDP port.
 
-+require+ _address_::
++require+ _address_:: (not implemented)
   Use Network Time Security for authentication and encryption.
   Require a specific NTS server, which may differ from the NTP server.
   Address syntax is as for +ask+.
@@ -119,15 +124,15 @@ The following options of the +server+ command configure NTS.
 +noval+::
   Do not validate the server certificate.
 
-+expire+::
++expire+:: (not implemented)
   How long to use a secured NTP association before rekeying with the
   NTS-KE server.
 
-+cert+ _file_::
++cert+ _file_:: (not implemented)
   Present the certificate in _file_ as our client certificate,
   overriding the site default.
 
-+ca+ _location_::
++ca+ _location_:: (not implemented)
   Use the file, or directory, specified by _location_ to validate the
   NTS-KE server certificate, overriding the site default.  Do not use
   any other CA.


=====================================
ntpd/keyword-gen.c
=====================================
@@ -28,6 +28,7 @@ struct key_tok ntp_keywords[] = {
 { "bias",		T_Bias,			FOLLBY_TOKEN },
 { "baud",		T_Baud,			FOLLBY_TOKEN },
 { "clock",		T_Clock,		FOLLBY_STRING },
+{ "cookie",		T_Cookie,		FOLLBY_TOKEN },
 { "ctl",		T_Ctl,			FOLLBY_TOKEN },
 { "disable",		T_Disable,		FOLLBY_TOKEN },
 { "driftfile",		T_Driftfile,		FOLLBY_STRING },


=====================================
ntpd/ntp_config.c
=====================================
@@ -2009,6 +2009,10 @@ config_nts(
 			ntsconfig.cert = estrdup(nts->value.s);
 			break;
 
+		case T_Cookie:
+			ntsconfig.KI = estrdup(nts->value.s);
+			break;
+
 		case T_Disable:
 			ntsconfig.ntsenable = false;
 			break;


=====================================
ntpd/ntp_parser.y
=====================================
@@ -68,6 +68,7 @@
 %token	<Integer>	T_Clock
 %token	<Integer>	T_Clockstats
 %token	<Integer>	T_Cohort
+%token	<Integer>	T_Cookie
 %token	<Integer>	T_ControlKey
 %token	<Integer>	T_Ctl
 %token	<Integer>	T_Day
@@ -1138,6 +1139,7 @@ nts_string_option_keyword
 	:	T_Aead
 	|	T_Ca
 	|	T_Cert
+	|	T_Cookie
 	|	T_Key
 	|	T_Tlsciphers
 	|	T_Tlsciphersuites


=====================================
ntpd/ntp_proto.c
=====================================
@@ -419,9 +419,6 @@ handle_procpkt(
 {
 	int outcount = peer->outcount;
 
-	/* Shouldn't happen, but include this for safety. */
-	if(peer == NULL) { return; }
-
 	peer->flash &= ~PKT_BOGON_MASK;
 
 	/* Duplicate detection */


=====================================
ntpd/nts_cookie.c
=====================================
@@ -161,6 +161,8 @@ bool nts_read_cookie_keys(void) {
   if (1 != fscanf(in, "T: %lu\n", &templ)) goto bail;
   K_time = templ;
   if (1 != fscanf(in, "L: %d\n", &K_length)) goto bail;
+  if (NTS_MAX_KEYLEN < K_length) goto bail;
+  // FIXME check K_length is 32, 48, or 64
   if (1 != fscanf(in, "I: %u\n", &I)) goto bail;
   if (0 != fscanf(in, "K: ")) goto bail;
   for (int i=0; i< K_length; i++) {



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/565b64e8c56b11e9347fdb0a82936e9236591256...9ceda5cc629be2cec319d876997e6fa1f816d3d2

-- 
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/565b64e8c56b11e9347fdb0a82936e9236591256...9ceda5cc629be2cec319d876997e6fa1f816d3d2
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20190321/0d32721d/attachment-0001.html>

More information about the vc mailing list