[Git][NTPsec/ntpsec][issue-579] 3 commits: NTS: add -4, -6 processing for NTS-KE DNS lookup
Matt Selsky
gitlab at mg.gitlab.com
Thu Mar 21 13:39:48 UTC 2019
Matt Selsky pushed to branch issue-579 at NTPsec / ntpsec
Commits:
48ec2f61 by Hal Murray at 2019-03-21T07:25:37Z
NTS: add -4, -6 processing for NTS-KE DNS lookup
- - - - -
12e409aa by Matt Selsky at 2019-03-21T13:19:42Z
Re-sync libaes_siv with upstream to get ct_poison() fix
Use
https://github.com/dfoxfranke/libaes_siv/commit/a58601b312ce4f50c8048cc5ec4f7ee71d83e0a8
Fixes GitLab #578
- - - - -
4e4abdd0 by Matt Selsky at 2019-03-21T13:39:27Z
Update Coverity CI build to include all refclocks
Fixes GitLab #579
- - - - -
6 changed files:
- .gitlab-ci.yml
- libaes_siv/README.md
- libaes_siv/aes_siv.c
- libaes_siv/demo.c
- libaes_siv/tests.c
- ntpd/nts_client.c
Changes:
=====================================
.gitlab-ci.yml
=====================================
@@ -578,7 +578,7 @@ gentoo-hardened-refclocks:
coverity-scan:
script:
- - ./waf configure
+ - ./waf configure --refclock=all
- /opt/cov-analysis/bin/cov-build --dir cov-int ./waf build
- tar czf ntpsec_coverity.tgz cov-int
- curl --form token=$COVERITY_TOKEN --form email=security at ntpsec.org --form file=@ntpsec_coverity.tgz --form version="$(git rev-parse --short HEAD)" --form description="Automatic submission by gitlab-ci" https://scan.coverity.com/builds?project=ntpsec
=====================================
libaes_siv/README.md
=====================================
@@ -84,9 +84,14 @@ To build and install on POSIX-like platforms:
sudo make install
```
+NOTE: Out-of-source builds are allowed, but out-of-source manpage builds
+require a2x's -D option, which may provoke an apparently bogus warning from a2x.
+
If you want to build on an OS X machine, install the Xcode development
-environment and the command line tools, then use the Homebrew package
-manager https://brew.sh/ to install cmake and OpenSSL:
+environment and the command line tools, then use either the Homebrew package
+manager or the MacPorts package manager to install cmake and OpenSSL.
+
+Homebrew (https://brew.sh/):
```
brew install cmake openssl &&
cmake -DCMAKE_PREFIX_PATH=/usr/local/opt/openssl . &&
@@ -94,6 +99,14 @@ manager https://brew.sh/ to install cmake and OpenSSL:
make test &&
sudo make install
```
+MacPorts (https://www.macports.org/):
+```
+ sudo port install cmake openssl &&
+ cmake . &&
+ make &&
+ make test &&
+ sudo make install
+```
To create a native Windows build, you will first need to build
OpenSSL. Install Visual Studio, CMake, ActiveState Perl, and NASM, and
=====================================
libaes_siv/aes_siv.c
=====================================
@@ -239,8 +239,13 @@ void AES_SIV_CTX_cleanup(AES_SIV_CTX *ctx) {
void AES_SIV_CTX_free(AES_SIV_CTX *ctx) {
if (ctx) {
EVP_CIPHER_CTX_free(ctx->cipher_ctx);
- CMAC_CTX_free(ctx->cmac_ctx_init);
- CMAC_CTX_free(ctx->cmac_ctx);
+ /* Prior to OpenSSL 1.0.2b, CMAC_CTX_free() crashes on NULL */
+ if (LIKELY(ctx->cmac_ctx_init != NULL)) {
+ CMAC_CTX_free(ctx->cmac_ctx_init);
+ }
+ if (LIKELY(ctx->cmac_ctx != NULL)) {
+ CMAC_CTX_free(ctx->cmac_ctx);
+ }
OPENSSL_cleanse(&ctx->d, sizeof ctx->d);
free(ctx);
}
@@ -287,7 +292,7 @@ int AES_SIV_Init(AES_SIV_CTX *ctx, unsigned char const *key, size_t key_len) {
size_t out_len;
int ret = 0;
- ct_poison(key, sizeof key);
+ ct_poison(key, key_len);
switch (key_len) {
case 32:
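Review bot: `ct_poison(key, key_len)` runs before the switch has validated `key_len`, so a caller passing a length other than 32/48/64 gets its region marked up to that bogus length before the error path is reached; if ct_poison is the memcheck-style annotation its name suggests, this is only analysis noise rather than a memory access, but the ordering deserves a word for the next reader, e.g. `/* whole caller-supplied key is secret; key_len is validated by the switch below */`. The replaced `sizeof key` measured the pointer, so only the first few bytes of the key were being treated as secret, which is why the fix matters for any constant-time checking built on this hook. AES_SIV_Init's body continues outside the hunk.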
=====================================
libaes_siv/demo.c
=====================================
@@ -164,7 +164,7 @@ int main(int argc, char const* argv[])
fprintf(stderr, "Invalid key length %zu bytes, must be one of 32, 48, or 64\n", key_len);
goto fail;
}
-
+
if(load_file(ad_file, &ad, &ad_len) < 0)
{
fprintf(stderr, "Could not load associated data file %s : %s\n", ad_file, strerror(errno));
@@ -245,7 +245,7 @@ int main(int argc, char const* argv[])
perror("fwrite");
goto fail;
}
-
+
free(plaintext);
free(key);
free(ad);
=====================================
libaes_siv/tests.c
=====================================
@@ -70,14 +70,14 @@ static void test_malloc_failure(void) {
int ret, i=0;
AES_SIV_CTX *ctx;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
ret = CRYPTO_set_mem_functions(mock_malloc, realloc, free);
#else
ret = CRYPTO_set_mem_functions(mock_malloc_ex, mock_realloc_ex, mock_free_ex);
#endif
assert(ret == 1);
- printf("Test allocation failure:\n" );
+ printf("Test allocation failure cases:\n" );
do {
fail_allocation_counter = i++;
@@ -95,7 +95,7 @@ static void test_cleanup_before_free(void) {
AES_SIV_CTX_cleanup(ctx);
AES_SIV_CTX_free(ctx);
printf("OK\n");
-}
+}
static void test_vector_1(void) {
const unsigned char key[] = {
=====================================
ntpd/nts_client.c
=====================================
@@ -27,7 +27,7 @@
#include "nts2.h"
#include "ntp_dns.h"
-int open_TCP_socket(const char *hostname);
+int open_TCP_socket(struct peer* peer);
bool nts_set_cert_search(SSL_CTX *ctx);
bool check_certificate(struct peer* peer, SSL *ssl);
bool nts_client_send_request(struct peer* peer, SSL *ssl);
@@ -101,7 +101,7 @@ bool nts_probe(struct peer * peer) {
addrOK = false;
get_systime(&start);
- server = open_TCP_socket(peer->hostname);
+ server = open_TCP_socket(peer);
if (-1 == server) {
nts_ke_probes_bad++;
return false;
@@ -188,7 +188,7 @@ bool nts_check(struct peer *peer) {
return addrOK;
}
-int open_TCP_socket(const char *hostname) {
+int open_TCP_socket(struct peer *peer) {
char host[256], port[32];
char *tmp;
struct addrinfo hints;
@@ -198,12 +198,12 @@ int open_TCP_socket(const char *hostname) {
l_fp start, finish;
/* copy avoids dancing around const warnings */
- strlcpy(host, hostname, sizeof(host));
+ strlcpy(host, peer->hostname, sizeof(host));
ZERO(hints);
hints.ai_protocol = IPPROTO_TCP;
hints.ai_socktype = SOCK_STREAM;
- hints.ai_family = AF_UNSPEC;
+ hints.ai_family = AF(&peer->srcadr);
tmp = strchr(host, ']');
if (NULL == tmp) {
tmp = strchr(host, ':');
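Review bot: `hints.ai_family = AF(&peer->srcadr)` ties the NTS-KE lookup to whatever family `peer->srcadr` carries at this point, which is presumably AF_UNSPEC unless -4 or -6 was given on the server line; if srcadr has already been filled with a resolved address when this runs, the lookup silently restricts itself to that family, which is fine for -4/-6 but should be stated, e.g. `/* -4/-6 from the server line; AF_UNSPEC when neither was given */`. The `strlcpy` of `peer->hostname` into the 256-byte `host` still discards its return value, so an over-long name is truncated and then resolved as a different host; a check such as `if (strlcpy(host, peer->hostname, sizeof(host)) >= sizeof(host)) return -1;` would reject it instead (pre-existing, but this hunk is where the copy now lives). open_TCP_socket's body starts and continues outside the hunk.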
@@ -224,13 +224,13 @@ int open_TCP_socket(const char *hostname) {
gai_rc = getaddrinfo(host, port, &hints, &answer);
if (0 != gai_rc) {
msyslog(LOG_INFO, "NTSc: nts_probe: DNS error trying to contact %s: %d, %s",
- hostname, gai_rc, gai_strerror(gai_rc));
+ peer->hostname, gai_rc, gai_strerror(gai_rc));
return -1;
}
get_systime(&finish);
finish -= start;
msyslog(LOG_INFO, "NTSc: DNS lookup of %s took %.3Lf sec",
- hostname, lfptod(finish));
+ peer->hostname, lfptod(finish));
/* Save first answer for NTP */
memcpy(&sockaddr, answer->ai_addr, answer->ai_addrlen);