[Git][NTPsec/ntpsec][issue-579] 10 commits: Fix for wrong length in response from server

Matt Selsky gitlab at mg.gitlab.com
Mon Mar 25 11:47:27 UTC 2019



Matt Selsky pushed to branch issue-579 at NTPsec / ntpsec


Commits:
afcc8cd2 by Hal Murray at 2019-03-23T14:29:44Z
Fix for wrong length in response from server

- - - - -
760dbaee by Hal Murray at 2019-03-23T15:19:22Z
Add strerror to the multi-thread msyslog list

- - - - -
0bdb9c2b by Hal Murray at 2019-03-24T02:33:33Z
NTS: add support for port_negotiation

- - - - -
0862e576 by Hal Murray at 2019-03-24T06:05:11Z
Add printout of non-standard port numbers
  when setting up servers via DNS or NTS

- - - - -
c22aefa6 by Hal Murray at 2019-03-24T06:51:38Z
NTS: Switch to official EXPORTER string
  Breaks FreeBSD which is still using OpenSSL 1.1.1a

- - - - -
77031170 by Hal Murray at 2019-03-25T01:20:57Z
Change a few more "ntp" to "123"
  Removes dependency on /etc/services (or equiv)

- - - - -
48314488 by Hal Murray at 2019-03-25T03:23:24Z
NTS: add support for server negotiation

- - - - -
a8595a41 by Hal Murray at 2019-03-25T09:24:00Z
NTS: Fix bug that was supposed to limit log clutter

- - - - -
fcd34a57 by Matt Selsky at 2019-03-25T11:41:54Z
Remove CI jobs for Debian "oldoldstable"

"oldoldstable" is two releases behind the current stable release.  It's not
supported by upstream so we should not build for it.

And the CI builds for "wheezy" broke today when "oldoldstable"'s repo was moved
from deb.debian.org to archive.debian.org as announced at
https://lists.debian.org/debian-devel-announce/2019/03/msg00006.html

The container images at https://hub.docker.com/_/debian and
https://github.com/debuerreotype/docker-debian-artifacts/blob/3e751c2c2f60037e9231ed94bbd1f95347af2c87/oldoldstable/slim/Dockerfile
have not yet caught up with the new repo location.

- - - - -
adf4143c by Matt Selsky at 2019-03-25T11:47:05Z
Update Coverity CI build to include all refclocks

Fixes GitLab #579
- - - - -


7 changed files:

- .gitlab-ci.yml
- devel/TODO-NTS
- libntp/decodenetnum.c
- ntpd/ntp_dns.c
- ntpd/ntp_proto.c
- ntpd/nts_client.c
- ntpd/nts_extens.c


Changes:

=====================================
.gitlab-ci.yml
=====================================
@@ -96,26 +96,6 @@ alpine-edge-refclocks:
   tags:
     - gitlab-org
 
-debian-oldoldstable-basic:
-  <<: *job_definition
-  image: debian:oldoldstable-slim
-  script:
-    - apt-get update
-    - apt-get install -y netbase bison gcc libssl-dev libcap-dev pps-tools python-dev
-    - python ./waf configure build
-  tags:
-    - gitlab-org
-
-debian-oldoldstable-refclocks:
-  <<: *job_definition
-  image: debian:oldoldstable-slim
-  script:
-    - apt-get update
-    - apt-get install -y netbase bison gcc libssl-dev libcap-dev pps-tools python-dev
-    - python ./waf configure --refclock=all build
-  tags:
-    - gitlab-org
-
 debian-oldstable-basic:
   <<: *job_definition
   image: debian:oldstable-slim
@@ -578,7 +558,7 @@ gentoo-hardened-refclocks:
 
 coverity-scan:
   script:
-    - ./waf configure
+    - ./waf configure --refclock=all
     - /opt/cov-analysis/bin/cov-build --dir cov-int ./waf build
     - tar czf ntpsec_coverity.tgz cov-int
     - curl --form token=$COVERITY_TOKEN --form email=security at ntpsec.org --form file=@ntpsec_coverity.tgz --form version="$(git rev-parse --short HEAD)" --form description="Automatic submission by gitlab-ci" https://scan.coverity.com/builds?project=ntpsec


=====================================
devel/TODO-NTS
=====================================
@@ -1,5 +1,6 @@
 multithread msyslog
   libntp/lib_strbuf.c too
+  strerror
 
 documentation:
   HOWTO on NTS


=====================================
libntp/decodenetnum.c
=====================================
@@ -131,7 +131,7 @@ decodenetnum(
 	   either the IP address or the port is well-formed, but at
 	   least they're unambiguously delimited from each other.
 	   Let getaddrinfo() perform all further validation. */
-	retcode = getaddrinfo(ip, port_start == NULL ? "ntp" : port_start,
+	retcode = getaddrinfo(ip, port_start == NULL ? "123" : port_start,
 		       &hints, &ai);
 	if(retcode) {
 		return retcode;


=====================================
ntpd/ntp_dns.c
=====================================
@@ -170,7 +170,7 @@ static void* dns_lookup(void* arg)
 		hints.ai_protocol = IPPROTO_UDP;
 		hints.ai_socktype = SOCK_DGRAM;
 		hints.ai_family = AF(&pp->srcadr);
-		gai_rc = getaddrinfo(pp->hostname, "ntp", &hints, &answer);
+		gai_rc = getaddrinfo(pp->hostname, "123", &hints, &answer);
 	}
 
 	kill(getpid(), SIGDNS);


=====================================
ntpd/ntp_proto.c
=====================================
@@ -2284,7 +2284,10 @@ dns_take_server(
 		return;
 	}
 
-	msyslog(LOG_INFO, "DNS: Server taking: %s", socktoa(rmtadr));
+	if (NTP_PORT == SRCPORT(rmtadr))
+          msyslog(LOG_INFO, "DNS: Server taking: %s", socktoa(rmtadr));
+        else
+          msyslog(LOG_INFO, "DNS: Server taking: %s", sockporttoa(rmtadr));
 	server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
 
 	server->srcadr = *rmtadr;
@@ -2850,7 +2853,7 @@ proto_clr_stats(void)
 void maybe_log_junk(struct recvbuf *rbufp) {
     static unsigned int noise_try = 0;
     noise_try++;
-    if ((noise_try>100) && (((noise_try-90)*3600/current_time) < 10))
+    if ((noise_try>100) && (((noise_try-90)*3600/current_time) > 10))
       return;
     msyslog(LOG_INFO,
 	"JUNK: M%d V%d 0/%2x%2x%2x%2x 48/%2x%2x%2x%2x from %s, lng=%ld",


=====================================
ntpd/nts_client.c
=====================================
@@ -32,6 +32,7 @@ bool nts_set_cert_search(SSL_CTX *ctx);
 bool check_certificate(struct peer* peer, SSL *ssl);
 bool nts_client_send_request(struct peer* peer, SSL *ssl);
 bool nts_client_process_response(struct peer* peer, SSL *ssl);
+bool nts_server_lookup(char *server, sockaddr_u *addr);
 
 static SSL_CTX *client_ctx = NULL;
 static sockaddr_u sockaddr;
@@ -236,7 +237,8 @@ int open_TCP_socket(struct peer *peer) {
   memcpy(&sockaddr, answer->ai_addr, answer->ai_addrlen);
   msyslog(LOG_INFO, "NTSc: nts_probe connecting to %s:%s => %s",
     host, port, sockporttoa(&sockaddr));
-  SET_PORT(&sockaddr, NTP_PORT);	/* setup default NTP address */
+  /* switch to NTP port in case of server-name:port */
+  SET_PORT(&sockaddr, NTP_PORT);
   sockfd = socket(answer->ai_family, SOCK_STREAM, 0);
   if (-1 == sockfd) {
     msyslog(LOG_INFO, "NTSc: nts_probe: no socket: %s", strerror(errno));
@@ -311,13 +313,14 @@ bool check_certificate(struct peer* peer, SSL *ssl) {
 }
 
 bool nts_make_keys(SSL *ssl, uint16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
-  // char *label = "EXPORTER-network-time-security/1";
+  // There is a bug in OpenSSL 1.1.1a
+  // Until Mar-23, we were using:
+  //    const char *label = "EXPORTER-nts/1";
   // Subject: [Ntp] [NTS4NTP] info for NTS developers
   // From: Martin Langer <mart.langer at ostfalia.de>
   // Date: Tue, 15 Jan 2019 11:40:13 +0100
   // https://mailarchive.ietf.org/arch/msg/ntp/nkc-9n6XOPt5Glgi_ueLvuD9EfY
-  // bug in OpenSSL 1.1.1a
-  const char *label = "EXPORTER-nts/1";
+  const char *label = "EXPORTER-network-time-security/1";
   // FIXME, first 2 bytes, next protocol ID (0)
   unsigned char context[5] = {0x00, 0x00, 0x00, 0x0f, 0x00};
   context[2] = (aead >> 8) & 0xFF;
@@ -403,9 +406,11 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
   buf.next = buff;
   buf.left = transferred;
   while (buf.left > 0) {
-    uint16_t type, data;
+    uint16_t type, data, port;
     bool critical = false;
     int length, keylength;
+#define MAX_SERVER 100
+    char server[MAX_SERVER];
 
     type = ke_next_record(&buf, &length);
     if (NTS_CRITICAL & type) {
@@ -464,6 +469,25 @@ bool nts_client_process_response(struct peer* peer, SSL *ssl) {
         peer->nts_state.writeIdx = peer->nts_state.writeIdx % NTS_MAX_COOKIES;
         peer->nts_state.count++;
         break;
+      case nts_server_negotiation:
+        if (MAX_SERVER < length) {
+          msyslog(LOG_ERR, "NTSc: server string too long %d.", length);
+          return false;
+        }
+        next_bytes(&buf, (uint8_t *)server, length);
+        /* save port in case port specified before server */
+        port = SRCPORT(&sockaddr);
+        if (!nts_server_lookup(server, &sockaddr))
+          return false;
+        SET_PORT(&sockaddr, port);
+        msyslog(LOG_ERR, "NTSc: Using server %s=>%s", server, socktoa(&sockaddr));
+        break;
+      case nts_port_negotiation:
+        // FIXME check length
+        port = next_uint16(&buf);
+        SET_PORT(&sockaddr, port);
+        msyslog(LOG_ERR, "NTSc: Using port %d", port);
+        break;
       case nts_end_of_message:
         if ((0 != length) || !critical) {
           msyslog(LOG_ERR, "NTSc: EOM-Wrong length or not Critical: %d, %d",
@@ -526,4 +550,33 @@ bool nts_set_cert_search(SSL_CTX *ctx) {
   return false;
 }
 
+bool nts_server_lookup(char *server, sockaddr_u *addr) {
+  struct addrinfo hints;
+  struct addrinfo *answer;
+  int gai_rc;
+
+  ZERO(hints);
+  hints.ai_protocol = IPPROTO_UDP;
+  hints.ai_socktype = SOCK_DGRAM;
+  hints.ai_family = AF_UNSPEC;
+
+  gai_rc = getaddrinfo(server, "123", &hints, &answer);
+  if (0 != gai_rc) {
+    msyslog(LOG_INFO, "NTSc: nts_probe: DNS error trying to lookup %s: %d, %s",
+      server, gai_rc, gai_strerror(gai_rc));
+    return false;
+  }
+
+  if (NULL == answer)
+    return false;
+
+  if (sizeof(sockaddr_u) >= answer->ai_addrlen)
+    memcpy(addr, answer->ai_addr, answer->ai_addrlen);
+
+  freeaddrinfo(answer);
+
+  return true;
+
+}
+
 /* end */


=====================================
ntpd/nts_extens.c
=====================================
@@ -265,7 +265,7 @@ int extens_server_send(struct ntspacket_t *ntspacket, struct pkt *xpkt) {
   aeadlen = NTP_EX_U16_LNG*2+NONCE_LENGTH+CMAC_LENGTH + plainleng;
   ex_append_header(&buf, NTS_AEEF, aeadlen);
   append_uint16(&buf, NONCE_LENGTH);
-  append_uint16(&buf, plainleng);
+  append_uint16(&buf, plainleng+CMAC_LENGTH);
 
   nonce = buf.next;
   RAND_bytes(nonce, NONCE_LENGTH);



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/6187b4239cd0aaf227d63c3aa4755c19a4e87221...adf4143ca07d712820eabcd41b7b4df114ff246e

-- 
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/6187b4239cd0aaf227d63c3aa4755c19a4e87221...adf4143ca07d712820eabcd41b7b4df114ff246e
You're receiving this email because of your account on gitlab.com.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20190325/07ceef33/attachment-0001.html>


More information about the vc mailing list