[Git][NTPsec/ntpsec][stop-CI-for-debian-oldoldstable] 7 commits: NTS: add support for port_negotiation
Matt Selsky
gitlab at mg.gitlab.com
Mon Mar 25 11:42:07 UTC 2019
Matt Selsky pushed to branch stop-CI-for-debian-oldoldstable at NTPsec / ntpsec
Commits:
0bdb9c2b by Hal Murray at 2019-03-24T02:33:33Z
NTS: add support for port_negotiation
- - - - -
0862e576 by Hal Murray at 2019-03-24T06:05:11Z
Add printout of non-standard port numbers
when setting up servers via DNS or NTS
- - - - -
c22aefa6 by Hal Murray at 2019-03-24T06:51:38Z
NTS: Switch to official EXPORTER string
Breaks FreeBSD which is still using OpenSSL 1.1.1a
- - - - -
77031170 by Hal Murray at 2019-03-25T01:20:57Z
Change a few more "ntp" to "123"
Removes dependency on /etc/services (or equiv)
- - - - -
48314488 by Hal Murray at 2019-03-25T03:23:24Z
NTS: add support for server negotiation
- - - - -
a8595a41 by Hal Murray at 2019-03-25T09:24:00Z
NTS: Fix bug that was supposed to limit log clutter
- - - - -
fcd34a57 by Matt Selsky at 2019-03-25T11:41:54Z
Remove CI jobs for Debian "oldoldstable"
"oldoldstable" is two releases behind the current stable release. It's not
supported by upstream so we should not build for it.
And the CI builds for "wheezy" broke today when "oldoldstable"'s repo was moved
from deb.debian.org to archive.debian.org as announced at
https://lists.debian.org/debian-devel-announce/2019/03/msg00006.html
The container images at https://hub.docker.com/_/debian and
https://github.com/debuerreotype/docker-debian-artifacts/blob/3e751c2c2f60037e9231ed94bbd1f95347af2c87/oldoldstable/slim/Dockerfile
have not yet caught up with the new repo location.
- - - - -
5 changed files:
- .gitlab-ci.yml
- libntp/decodenetnum.c
- ntpd/ntp_dns.c
- ntpd/ntp_proto.c
- ntpd/nts_client.c
Changes:
=====================================
.gitlab-ci.yml
=====================================
@@ -96,26 +96,6 @@ alpine-edge-refclocks:
tags:
- gitlab-org
-debian-oldoldstable-basic:
- <<: *job_definition
- image: debian:oldoldstable-slim
- script:
- - apt-get update
- - apt-get install -y netbase bison gcc libssl-dev libcap-dev pps-tools python-dev
- - python ./waf configure build
- tags:
- - gitlab-org
-
-debian-oldoldstable-refclocks:
- <<: *job_definition
- image: debian:oldoldstable-slim
- script:
- - apt-get update
- - apt-get install -y netbase bison gcc libssl-dev libcap-dev pps-tools python-dev
- - python ./waf configure --refclock=all build
- tags:
- - gitlab-org
-
debian-oldstable-basic:
<<: *job_definition
image: debian:oldstable-slim
=====================================
libntp/decodenetnum.c
=====================================
@@ -131,7 +131,7 @@ decodenetnum(
either the IP address or the port is well-formed, but at
least they're unambiguously delimited from each other.
Let getaddrinfo() perform all further validation. */
- retcode = getaddrinfo(ip, port_start == NULL ? "ntp" : port_start,
+ retcode = getaddrinfo(ip, port_start == NULL ? "123" : port_start,
&hints, &ai);
if(retcode) {
return retcode;
=====================================
ntpd/ntp_dns.c
=====================================
@@ -170,7 +170,7 @@ static void* dns_lookup(void* arg)
hints.ai_protocol = IPPROTO_UDP;
hints.ai_socktype = SOCK_DGRAM;
hints.ai_family = AF(&pp->srcadr);
- gai_rc = getaddrinfo(pp->hostname, "ntp", &hints, &answer);
+ gai_rc = getaddrinfo(pp->hostname, "123", &hints, &answer);
}
kill(getpid(), SIGDNS);
=====================================
ntpd/ntp_proto.c
=====================================
@@ -2284,7 +2284,10 @@ dns_take_server(
return;
}
- msyslog(LOG_INFO, "DNS: Server taking: %s", socktoa(rmtadr));
+ if (NTP_PORT == SRCPORT(rmtadr))
+ msyslog(LOG_INFO, "DNS: Server taking: %s", socktoa(rmtadr));
+ else
+ msyslog(LOG_INFO, "DNS: Server taking: %s", sockporttoa(rmtadr));
server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
server->srcadr = *rmtadr;
@@ -2850,7 +2853,7 @@ proto_clr_stats(void)
void maybe_log_junk(struct recvbuf *rbufp) {
static unsigned int noise_try = 0;
noise_try++;
- if ((noise_try>100) && (((noise_try-90)*3600/current_time) < 10))
+ if ((noise_try>100) && (((noise_try-90)*3600/current_time) > 10))
return;
msyslog(LOG_INFO,
"JUNK: M%d V%d 0/%2x%2x%2x%2x 48/%2x%2x%2x%2x from %s, lng=%ld",
=====================================
ntpd/nts_client.c
=====================================
@@ -32,6 +32,7 @@ bool nts_set_cert_search(SSL_CTX *ctx);
bool check_certificate(struct peer* peer, SSL *ssl);
bool nts_client_send_request(struct peer* peer, SSL *ssl);
bool nts_client_process_response(struct peer* peer, SSL *ssl);
+bool nts_server_lookup(char *server, sockaddr_u *addr);
static SSL_CTX *client_ctx = NULL;
static sockaddr_u sockaddr;
@@ -236,7 +237,8 @@ int open_TCP_socket(struct peer *peer) {
memcpy(&sockaddr, answer->ai_addr, answer->ai_addrlen);
msyslog(LOG_INFO, "NTSc: nts_probe connecting to %s:%s => %s",
host, port, sockporttoa(&sockaddr));
- SET_PORT(&sockaddr, NTP_PORT); /* setup default NTP address */
+ /* switch to NTP port in case of server-name:port */
+ SET_PORT(&sockaddr, NTP_PORT);
sockfd = socket(answer->ai_family, SOCK_STREAM, 0);
if (-1 == sockfd) {
msyslog(LOG_INFO, "NTSc: nts_probe: no socket: %s", strerror(errno));
@@ -311,13 +313,14 @@ bool check_certificate(struct peer* peer, SSL *ssl) {
}
bool nts_make_keys(SSL *ssl, uint16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
- // char *label = "EXPORTER-network-time-security/1";
+ // There is a bug in OpenSSL 1.1.1a
+ // Until Mar-23, we were using:
+ // const char *label = "EXPORTER-nts/1";
// Subject: [Ntp] [NTS4NTP] info for NTS developers
// From: Martin Langer <mart.langer at ostfalia.de>
// Date: Tue, 15 Jan 2019 11:40:13 +0100
// https://mailarchive.ietf.org/arch/msg/ntp/nkc-9n6XOPt5Glgi_ueLvuD9EfY
- // bug in OpenSSL 1.1.1a
- const char *label = "EXPORTER-nts/1";
+ const char *label = "EXPORTER-network-time-security/1";
// FIXME, first 2 bytes, next protocol ID (0)
unsigned char context[5] = {0x00, 0x00, 0x00, 0x0f, 0x00};
context[2] = (aead >> 8) & 0xFF;
@@ -403,9 +406,11 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
buf.next = buff;
buf.left = transferred;
while (buf.left > 0) {
- uint16_t type, data;
+ uint16_t type, data, port;
bool critical = false;
int length, keylength;
+#define MAX_SERVER 100
+ char server[MAX_SERVER];
type = ke_next_record(&buf, &length);
if (NTS_CRITICAL & type) {
@@ -464,6 +469,25 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
peer->nts_state.writeIdx = peer->nts_state.writeIdx % NTS_MAX_COOKIES;
peer->nts_state.count++;
break;
+ case nts_server_negotiation:
+ if (MAX_SERVER < length) {
+ msyslog(LOG_ERR, "NTSc: server string too long %d.", length);
+ return false;
+ }
+ next_bytes(&buf, (uint8_t *)server, length);
+ /* save port in case port specified before server */
+ port = SRCPORT(&sockaddr);
+ if (!nts_server_lookup(server, &sockaddr))
+ return false;
+ SET_PORT(&sockaddr, port);
+ msyslog(LOG_ERR, "NTSc: Using server %s=>%s", server, socktoa(&sockaddr));
+ break;
+ case nts_port_negotiation:
+ // FIXME check length
+ port = next_uint16(&buf);
+ SET_PORT(&sockaddr, port);
+ msyslog(LOG_ERR, "NTSc: Using port %d", port);
+ break;
case nts_end_of_message:
if ((0 != length) || !critical) {
msyslog(LOG_ERR, "NTSc: EOM-Wrong length or not Critical: %d, %d",
@@ -526,4 +550,33 @@ bool nts_set_cert_search(SSL_CTX *ctx) {
return false;
}
+bool nts_server_lookup(char *server, sockaddr_u *addr) {
+ struct addrinfo hints;
+ struct addrinfo *answer;
+ int gai_rc;
+
+ ZERO(hints);
+ hints.ai_protocol = IPPROTO_UDP;
+ hints.ai_socktype = SOCK_DGRAM;
+ hints.ai_family = AF_UNSPEC;
+
+ gai_rc = getaddrinfo(server, "123", &hints, &answer);
+ if (0 != gai_rc) {
+ msyslog(LOG_INFO, "NTSc: nts_probe: DNS error trying to lookup %s: %d, %s",
+ server, gai_rc, gai_strerror(gai_rc));
+ return false;
+ }
+
+ if (NULL == answer)
+ return false;
+
+ if (sizeof(sockaddr_u) >= answer->ai_addrlen)
+ memcpy(addr, answer->ai_addr, answer->ai_addrlen);
+
+ freeaddrinfo(answer);
+
+ return true;
+
+}
+
/* end */
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/3a7bbdaf10d3bb590ffca6aa9649174eed4120bb...fcd34a578373eeacd99f52e60e90f12570109776
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/3a7bbdaf10d3bb590ffca6aa9649174eed4120bb...fcd34a578373eeacd99f52e60e90f12570109776
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20190325/f1ea813d/attachment-0001.html>
More information about the vc
mailing list