[Git][NTPsec/ntpsec][master] 4 commits: Fix typo in buildprep
Hal Murray
gitlab at mg.gitlab.com
Mon Nov 25 06:03:22 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
95bc474f by Hal Murray at 2019-11-23T22:04:04Z
Fix typo in buildprep
- - - - -
521058f1 by Hal Murray at 2019-11-24T10:12:42Z
Fix JUNK logging
Limit to 25 total per restart. (old was buggy)
Dump whole packet.
- - - - -
afa74426 by Hal Murray at 2019-11-24T10:14:18Z
Comment out ppoll from seccomp list.
It's not available on Fedora 31.
I can't find where it is needed.
If we find a case, we need to document it better.
- - - - -
85bac410 by Hal Murray at 2019-11-24T10:15:55Z
Clean up some NTS logging.
- - - - -
4 changed files:
- buildprep
- ntpd/ntp_proto.c
- ntpd/ntp_sandbox.c
- ntpd/nts_server.c
Changes:
=====================================
buildprep
=====================================
@@ -130,7 +130,7 @@ then
echo "## But you don't get that option on a Raspberry Pi."
echo "## For the Pi, do something like:"
echo "## pkg_add ftp://ftp.netbsd.org/pub/pkgsrc/packages/NetBSD/earmv7hf/8.0/All/pkgin-0.9.4nb8.tgz"
- echo "## Adjust the version an arch to match your setup."
+ echo "## Adjust the version and arch to match your setup."
exit 1
fi
elif test "$OS" = "FreeBSD"
=====================================
ntpd/ntp_proto.c
=====================================
@@ -2949,23 +2949,27 @@ proto_clr_stats(void)
/* limit logging so bad guys can't DDoS us by sending crap
- * log first 100 and 10/hour
+ * Limit to 25 total. Maybe should be 10/hour
* This gets too-old cookies
*/
void maybe_log_junk(struct recvbuf *rbufp) {
- static unsigned int noise_try = 0;
- noise_try++;
- if ((noise_try>100) && (((noise_try-90)*3600/current_time) > 10))
- return;
+ static unsigned int junk = 0;
+#define JUNKSIZE 500
+ char buf[JUNKSIZE];
+ int lng = rbufp->recv_length;
+ int i, j;
+ if (junk++>=25) return;
+ for (i=0,j=0; i<lng; i++) {
+ if ((j+4)>JUNKSIZE) break;
+ if (0 == (i%4)) buf[j++] = ' ';
+ j += snprintf(&buf[j], (JUNKSIZE-j), "%02x", rbufp->recv_buffer[i]);
+ }
msyslog(LOG_INFO,
- "JUNK: M%d V%d 0/%2x%2x%2x%2x 48/%2x%2x%2x%2x from %s, lng=%ld",
+ "JUNK: M%d V%d %s from %s, lng=%d",
PKT_MODE(rbufp->pkt.li_vn_mode), PKT_VERSION(rbufp->pkt.li_vn_mode),
- rbufp->recv_buffer[0], rbufp->recv_buffer[1],
- rbufp->recv_buffer[2], rbufp->recv_buffer[3],
- rbufp->recv_buffer[48+0], rbufp->recv_buffer[48+1],
- rbufp->recv_buffer[48+2], rbufp->recv_buffer[48+3],
+ buf,
sockporttoa(&rbufp->recv_srcadr),
- (long)rbufp->recv_length);
+ lng);
}
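Review bot: `buf` is passed to msyslog uninitialized when `lng` is 0, because the loop body is the only thing that writes to it and snprintf's terminator is only placed on iterations that run; declare it as `char buf[JUNKSIZE] = "";` so the `%s` always sees a string. The `j += snprintf(...)` accumulation is only bounded by the `(j+4)>JUNKSIZE` guard if each `%02x` really emits two characters, which holds when `recv_buffer` holds unsigned bytes — its element type is not visible in this hunk, so confirm it is `uint8_t` rather than plain `char`. A packet longer than about 220 bytes is cut off with no indication in the log line; a short marker when the loop breaks early (e.g. `snprintf(&buf[j], JUNKSIZE-j, "...")` placed before the guard would reject it) would make truncated dumps recognizable. Note also that `junk` is never reset, so the first 25 junk packets after startup consume the entire logging budget for the process lifetime, which is worth stating in the comment above the function.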
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -411,7 +411,10 @@ int scmp_sc[] = {
SCMP_SYS(getpid),
SCMP_SYS(gettid),
SCMP_SYS(geteuid),
- SCMP_SYS(ppoll),
+/* __NR_ppoll is not available in Fedora 31.
+ * I can't find where it is needed. HGM 2019-Nov-23
+ * SCMP_SYS(ppoll),
+ */
SCMP_SYS(sendmsg),
#ifdef __NR_geteuid32
SCMP_SYS(geteuid32),
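Review bot: Dropping `SCMP_SYS(ppoll)` removes the allowance on every platform, although the stated problem is only that `__NR_ppoll` is undefined on Fedora 31; the `#ifdef __NR_geteuid32` guard two lines below in the same hunk shows the pattern that solves this without widening or narrowing the filter elsewhere. Replace the commented-out entry with `#ifdef __NR_ppoll`, `SCMP_SYS(ppoll),`, `#endif`. If some code path does end up calling ppoll (glibc may route poll through it on some architectures), the seccomp filter's default action terminates the daemon rather than returning an error, which is a hard failure to diagnose from the commit message alone. The `scmp_sc[]` array begins and ends outside this hunk.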
=====================================
ntpd/nts_server.c
=====================================
@@ -15,6 +15,7 @@
#include <sys/socket.h>
#include <openssl/ssl.h>
+#include <openssl/err.h>
#include <openssl/x509.h>
#include "ntp.h"
@@ -27,10 +28,12 @@
* enough for an IPv6 address.
*/
+
static bool create_listener4(int port);
static bool create_listener6(int port);
static void* nts_ke_listener(void*);
static bool nts_ke_request(SSL *ssl);
+static void nts_ke_accept_fail(char* addrbuf, l_fp finish);
static void nts_lock_certlock(void);
static void nts_unlock_certlock(void);
@@ -187,6 +190,8 @@ void* nts_ke_listener(void* arg) {
struct timeval timeout = {.tv_sec = NTS_KE_TIMEOUT, .tv_usec = 0};
int sock = *(int*)arg;
char errbuf[100];
+ char addrbuf[100];
+ char usingbuf[100];
while(1) {
sockaddr_u addr;
@@ -205,10 +210,27 @@ void* nts_ke_listener(void* arg) {
continue;
}
get_systime(&start);
+ sockporttoa_r(&addr, addrbuf, sizeof(addrbuf));
+
+/* This is disabled in order to reduce clutter in the log file.
+ * The client's address is now included in the final message.
+ * That works fine in the normal successful case. There is one line
+ * per connection.
+ * The failed cases are more complicated.
+ * The common fail case is bad guys probing which fails in SSL_accept.
+ * That branch has its own error handling. Again, the common cases
+ * have one line per connection and include the client address.
+ * Uncommon cases will include two (or more) lines.
+ * There are many possible error messages after SSL_accept works.
+ * In practice, they don't happen, at least not often enough to notice.
+ * They currently get logged without the client's address. Then they
+ * fall into the normal (non-error) path which does include the address.
+ * Enabling this might make strange cases easier to understand.
+ */
+/* msyslog(LOG_INFO, "NTSs: TCP accept-ed from %s", addrbuf); */
- sockporttoa_r(&addr, errbuf, sizeof(errbuf));
- msyslog(LOG_INFO, "NTSs: TCP accept-ed from %s", errbuf);
- err = setsockopt(client, SOL_SOCKET, SO_RCVTIMEO, &timeout, sizeof(timeout));
+ err = setsockopt(client, SOL_SOCKET, SO_RCVTIMEO,
+ &timeout, sizeof(timeout));
if (0 > err) {
ntp_strerror_r(errno, errbuf, sizeof(errbuf));
msyslog(LOG_ERR, "NTSs: can't setsockopt: %s", errbuf);
@@ -226,21 +248,19 @@ void* nts_ke_listener(void* arg) {
if (SSL_accept(ssl) <= 0) {
get_systime(&finish);
finish -= start;
- sockporttoa_r(&addr, errbuf, sizeof(errbuf));
- msyslog(LOG_ERR, "NTSs: SSL accept from %s failed, %.3Lf sec",
- errbuf, lfptod(finish));
- nts_log_ssl_error();
+ nts_ke_accept_fail(addrbuf, finish);
SSL_free(ssl);
close(client);
nts_ke_serves_bad++;
continue;
}
- msyslog(LOG_INFO, "NTSs: Using %s, %s (%d)",
+
+ /* Save info for final message. */
+ snprintf(usingbuf, sizeof(usingbuf), "%s, %s (%d)",
SSL_get_version(ssl),
SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, NULL));
-
if (!nts_ke_request(ssl))
nts_ke_serves_bad++;
@@ -251,12 +271,39 @@ void* nts_ke_listener(void* arg) {
get_systime(&finish);
finish -= start;
nts_ke_serves_good++;
- msyslog(LOG_INFO, "NTSs: NTS-KE server took %.3Lf sec", lfptod(finish));
+ msyslog(LOG_INFO, "NTSs: NTS-KE from %s, Using %s, took %.3Lf sec",
+ addrbuf, usingbuf, lfptod(finish));
}
return NULL;
}
+/* Analyze failure from SSL_accept
+ * print single error message for common cases.
+ */
+void nts_ke_accept_fail(char* addrbuf, l_fp finish) {
+ unsigned long err = ERR_peek_error();
+ const char *reason;
+ switch(err) {
+ case 0x1408F10B:
+ reason = "wrong version number";
+ break;
+ case 0x1408F09C:
+ reason = "http request";
+ break;
+ case 0x1417A0C1:
+ reason = "no shared cipher";
+ break;
+ default:
+ msyslog(LOG_INFO, "NTSs: SSL accept from %s failed, took %.3Lf sec",
+ addrbuf, lfptod(finish));
+ nts_log_ssl_error();
+ return;
+ }
+ msyslog(LOG_INFO, "NTSs: SSL accept from %s failed: %s, took %.3Lf sec",
+ addrbuf, reason, lfptod(finish));
+}
+
bool nts_ke_request(SSL *ssl) {
/* RFC 4: servers must accept 1024
* Our cookies can be 104, 136, or 168 for AES_SIV_CMAC_xxx
@@ -298,8 +345,10 @@ bool nts_ke_request(SSL *ssl) {
if (bytes_written != used)
return false;
- msyslog(LOG_INFO, "NTSs: Read %d, wrote %d bytes. AEAD=%d",
- bytes_read, bytes_written, aead);
+ /* Skip logging the normal case. */
+ if ((bytes_read!=16) || (aead!=15) )
+ msyslog(LOG_INFO, "NTSs: Read %d, wrote %d bytes. AEAD=%d",
+ bytes_read, bytes_written, aead);
return true;
}
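Review bot: The "normal case" test `(bytes_read!=16) || (aead!=15)` uses two unexplained literals; a reader cannot tell that 16 is the expected request size and 15 is presumably the AEAD id for AES-SIV-CMAC-256 (the value the IANA AEAD registry assigns to AEAD_AES_SIV_CMAC_256), so name them, e.g. compare `aead` against the enum this file presumably already uses for that algorithm and give the 16 a named constant with a one-line comment on what the 16-byte request consists of. The condition also means a request that is unusual in some other way (different write size, different cookie count) but happens to match both values is never logged; if that is intended, say so in the comment. `nts_ke_request` starts outside this hunk.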
@@ -416,7 +465,7 @@ bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead) {
type &= ~NTS_CRITICAL;
}
if (0) // Handy for debugging but very verbose
- msyslog(LOG_ERR, "NTSs: Record: T=%d, L=%d, C=%d", type, length, critical);
+ msyslog(LOG_INFO, "NTSs: Record: T=%d, L=%d, C=%d", type, length, critical);
switch (type) {
case nts_error:
data = next_uint16(buf);