[Git][NTPsec/ntpsec][issue-579] 4 commits: Fix for #580 (not checking length from cookie file)
Matt Selsky
gitlab at mg.gitlab.com
Thu Mar 21 06:46:33 UTC 2019
Matt Selsky pushed to branch issue-579 at NTPsec / ntpsec
Commits:
a99200cc by Hal Murray at 2019-03-20T23:10:27Z
Fix for #580 (not checking length from cookie file)
- - - - -
83830442 by Hal Murray at 2019-03-20T23:11:25Z
Fix for #581 (unnecessary NULL check after deref in handle_procpkt)
- - - - -
9ceda5cc by Hal Murray at 2019-03-20T23:47:15Z
Add nts cookie <filename> config option
- - - - -
87cd0930 by Matt Selsky at 2019-03-21T06:46:20Z
Update Coverity CI build to include all refclocks
Fixes GitLab #579
- - - - -
7 changed files:
- .gitlab-ci.yml
- docs/includes/auth-commands.adoc
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/ntp_proto.c
- ntpd/nts_cookie.c
Changes:
=====================================
.gitlab-ci.yml
=====================================
@@ -578,7 +578,7 @@ gentoo-hardened-refclocks:
coverity-scan:
script:
- - ./waf configure
+ - ./waf configure --refclock=all
- /opt/cov-analysis/bin/cov-build --dir cov-int ./waf build
- tar czf ntpsec_coverity.tgz cov-int
- curl --form token=$COVERITY_TOKEN --form email=security at ntpsec.org --form file=@ntpsec_coverity.tgz --form version="$(git rev-parse --short HEAD)" --form description="Automatic submission by gitlab-ci" https://scan.coverity.com/builds?project=ntpsec
=====================================
docs/includes/auth-commands.adoc
=====================================
@@ -51,6 +51,11 @@ The options are as follows:
validate NTS-KE server certificates instead of the system
default root certificates.
++cookie+ _location_::
+ Use the file (or directory) specified by _location_ to
+ store the keys used to make and decode cookies. The default
+ is _/var/lib/ntp/nts-keys_.
+
+enable+::
Enable NTS-KE server.
When enabled, _cert_ and _key_ are required.
@@ -103,7 +108,7 @@ The following options of the +server+ command configure NTS.
That is probably a FQDN rather than a short alias that you would
probably use to talk to an internal server.
-+ask+ _address_::
++ask+ _address_:: (not implemented)
Use Network Time Security for authentication. Ask
for a specific NTS server, which may differ from the NTP server.
Conforms to RFC 3896 section 3.2.2 prescription for the Host part of
@@ -111,7 +116,7 @@ The following options of the +server+ command configure NTS.
numeric address, or an IPv6 numeric address (in square brackets).
The address may have the suffix +:port+ to specify a UDP port.
-+require+ _address_::
++require+ _address_:: (not implemented)
Use Network Time Security for authentication and encryption.
Require a specific NTS server, which may differ from the NTP server.
Address syntax is as for +ask+.
@@ -119,15 +124,15 @@ The following options of the +server+ command configure NTS.
+noval+::
Do not validate the server certificate.
-+expire+::
++expire+:: (not implemented)
How long to use a secured NTP association before rekeying with the
NTS-KE server.
-+cert+ _file_::
++cert+ _file_:: (not implemented)
Present the certificate in _file_ as our client certificate,
overriding the site default.
-+ca+ _location_::
++ca+ _location_:: (not implemented)
Use the file, or directory, specified by _location_ to validate the
NTS-KE server certificate, overriding the site default. Do not use
any other CA.
=====================================
ntpd/keyword-gen.c
=====================================
@@ -28,6 +28,7 @@ struct key_tok ntp_keywords[] = {
{ "bias", T_Bias, FOLLBY_TOKEN },
{ "baud", T_Baud, FOLLBY_TOKEN },
{ "clock", T_Clock, FOLLBY_STRING },
+{ "cookie", T_Cookie, FOLLBY_TOKEN },
{ "ctl", T_Ctl, FOLLBY_TOKEN },
{ "disable", T_Disable, FOLLBY_TOKEN },
{ "driftfile", T_Driftfile, FOLLBY_STRING },
=====================================
ntpd/ntp_config.c
=====================================
@@ -2009,6 +2009,10 @@ config_nts(
ntsconfig.cert = estrdup(nts->value.s);
break;
+ case T_Cookie:
+ ntsconfig.KI = estrdup(nts->value.s);
+ break;
+
case T_Disable:
ntsconfig.ntsenable = false;
break;
=====================================
ntpd/ntp_parser.y
=====================================
@@ -68,6 +68,7 @@
%token <Integer> T_Clock
%token <Integer> T_Clockstats
%token <Integer> T_Cohort
+%token <Integer> T_Cookie
%token <Integer> T_ControlKey
%token <Integer> T_Ctl
%token <Integer> T_Day
@@ -1138,6 +1139,7 @@ nts_string_option_keyword
: T_Aead
| T_Ca
| T_Cert
+ | T_Cookie
| T_Key
| T_Tlsciphers
| T_Tlsciphersuites
=====================================
ntpd/ntp_proto.c
=====================================
@@ -419,9 +419,6 @@ handle_procpkt(
{
int outcount = peer->outcount;
- /* Shouldn't happen, but include this for safety. */
- if(peer == NULL) { return; }
-
peer->flash &= ~PKT_BOGON_MASK;
/* Duplicate detection */
=====================================
ntpd/nts_cookie.c
=====================================
@@ -161,6 +161,8 @@ bool nts_read_cookie_keys(void) {
if (1 != fscanf(in, "T: %lu\n", &templ)) goto bail;
K_time = templ;
if (1 != fscanf(in, "L: %d\n", &K_length)) goto bail;
+ if (NTS_MAX_KEYLEN < K_length) goto bail;
+ // FIXME check K_length is 32, 48, or 64
if (1 != fscanf(in, "I: %u\n", &I)) goto bail;
if (0 != fscanf(in, "K: ")) goto bail;
for (int i=0; i< K_length; i++) {
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/5217cfb26eacde59a0544edca756bc61f57d8947...87cd0930ed50364cbb73d1d3b54908df1c981089
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/5217cfb26eacde59a0544edca756bc61f57d8947...87cd0930ed50364cbb73d1d3b54908df1c981089
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20190321/bcdab4fc/attachment-0001.html>
More information about the vc
mailing list