[Git][NTPsec/ntpsec][master] 3 commits: Tweak OpenSSL version logging

Hal Murray gitlab at mg.gitlab.com
Tue Oct 29 08:48:58 UTC 2019



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
b0ede9b3 by Hal Murray at 2019-10-28T00:01:51Z
Tweak OpenSSL version logging

- - - - -
01008f6f by Hal Murray at 2019-10-29T08:44:15Z
Another try at squashing a warning from NetBSD 8

- - - - -
7fb3de6e by Hal Murray at 2019-10-29T08:44:57Z
Append NUL to hostname when copied from NTS-KE server.

Provoked by Netnod's server announcement.
I guess that option doesn't get used much.

- - - - -


3 changed files:

- ntpd/ntp_control.c
- ntpd/nts.c
- ntpd/nts_client.c


Changes:

=====================================
ntpd/ntp_control.c
=====================================
@@ -2602,14 +2602,16 @@ ctl_getitem(
 	numctlbadpkts++;
 	NLOG(NLOG_SYSEVENT)
 	    if (quiet_until <= current_time) {
+		    unsigned int port = SRCPORT(rmt_addr);
 		    quiet_until = current_time + 300;
-	/* The cast on SRCPORT is required to suppress a warning on NetBSD 8.0
-	 * http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=53618
+	/* The port variable above suppresses a warning on NetBSD 8.0
+	 * http://gnats.netbsd.org/cgi-bin/query-pr-single.pl?number=53619
+	 * A cast on SRCPORT without the dummy variable didn't work.
 	 */
 		    msyslog(LOG_WARNING,
-			    "Possible 'ntpdx' exploit from %s#%" PRIu16
+			    "Possible 'ntpdx' exploit from %s#%u"
                             " (possibly spoofed)",
-			    socktoa(rmt_addr), (uint16_t)SRCPORT(rmt_addr));
+			    socktoa(rmt_addr), port);
 	    }
 	reqpt = reqend; /* never again for this packet! */
 	return NULL;
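Review bot: The rewritten comment sits between the `quiet_until` assignment and the `msyslog` call, flush with the function body rather than the block it belongs to, so it reads as detached from the `port` declaration it actually explains; move it directly above `unsigned int port = SRCPORT(rmt_addr);` at the block's indentation. The NetBSD PR reference also changes from 53618 to 53619 in the same edit — worth confirming that is the intended report and not a slip, since this comment is the only pointer a later maintainer has for why the dummy variable exists. ctl_getitem begins and ends outside the hunk.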


=====================================
ntpd/nts.c
=====================================
@@ -42,27 +42,13 @@ struct ntsconfig_t ntsconfig = {
 	.aead = NULL
 };
 
+void nts_log_version(void);
 
 /*****************************************************/
 
 void nts_init(void) {
 	bool ok = true;
-#if (OPENSSL_VERSION_NUMBER > 0x101000afL)
-	unsigned long buildVersion = OPENSSL_VERSION_NUMBER;
-	msyslog(LOG_INFO, "INIT: %s, %lx",
-		OpenSSL_version(OPENSSL_VERSION),
-		OpenSSL_version_num());
-	/* Assuming we are built with 1.1.1c
-         *   This allows running with 1.1.1d
-	 *   It won't allow running with 1.0.0x
-	 * Maybe we should reject trying to run with 1.2.1x
-	 */
-	if (buildVersion > OpenSSL_version_num()) {
-		msyslog(LOG_ERR, "INIT: running with old OpenSSL library: %lx, %lx, bailing",
-			buildVersion, OpenSSL_version_num());
-		exit(1);
-	}
-#endif
+	nts_log_version();
 	if (ntsconfig.ntsenable) {
 		ok &= nts_server_init();
 	}
@@ -87,6 +73,40 @@ void nts_init2(void) {
 	}
 }
 
+/* There are 3 cases:
+ *  1: old, log build version
+ *  2: new, match, log version
+ *  3: new, mismatch, log both build and run
+ */
+void nts_log_version(void) {
+	unsigned long buildVersion = OPENSSL_VERSION_NUMBER;
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+	/* Case 1 */
+	msyslog(LOG_INFO, "INIT: %s, %lx",
+		OPENSSL_VERSION_TEXT, buildVersion);
+#else
+	const char * text = OpenSSL_version(OPENSSL_VERSION);
+	bool match = (buildVersion == OpenSSL_version_num()) &&
+		(0 == strcmp(OPENSSL_VERSION_TEXT, text));
+	if (match) {
+		/* Case 2 */
+		msyslog(LOG_INFO, "INIT: %s, %lx",
+			OPENSSL_VERSION_TEXT, buildVersion);
+	} else {
+                /* Case 3 */
+		msyslog(LOG_INFO, "INIT: Built with %s, %lx",
+			OPENSSL_VERSION_TEXT, buildVersion);
+		msyslog(LOG_INFO, "INIT: Running with %s, %lx",
+			OpenSSL_version(OPENSSL_VERSION),
+			OpenSSL_version_num());
+		if (buildVersion > OpenSSL_version_num()) {
+			msyslog(LOG_ERR, "INIT: Old OpenSSL library, bailing");
+			exit(1);
+		}
+	}
+#endif
+}
+
 /*****************************************************/
 
 /* 0 is default, -1 is error */
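Review bot: In the case-3 branch the `Running with` message calls `OpenSSL_version(OPENSSL_VERSION)` a second time although `text` already holds that value from the `match` computation; pass `text,` there so the logged string is the one that was compared. The `/* Case 3 */` comment is indented with spaces while the rest of the function uses tabs. `nts_log_version` gets external linkage through a prototype in this .c file rather than a header; if no other translation unit calls it, `static void nts_log_version(void)` would be tidier, though I cannot see the rest of the tree to confirm. The bail-out line `"INIT: Old OpenSSL library, bailing"` no longer carries the two version numbers the removed code printed; they are only in the preceding LOG_INFO lines, so a log filtered to errors loses the reason — consider keeping `%lx, %lx` with `buildVersion` and `OpenSSL_version_num()` in the LOG_ERR message.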
@@ -156,7 +176,9 @@ bool nts_load_versions(SSL_CTX *ctx) {
 	SSL_CTX_set_min_proto_version(ctx, minver);
 	SSL_CTX_set_max_proto_version(ctx, maxver);
 #else
-	/* Older versions of OpenSSL don't support min/max version requests.
+	/* TLS 1.2 was added in 1.0.1, 14 Mar 2012
+	 * HGM hasn't seen anything older.  2019-Oct-26
+	 * versions older than 1.1.0  don't support min/max version requests.
 	 * That's OK, since we don't want anything older than 1.2 and
 	 * they don't support anything newer. */
 #define NO_OLD_VERSIONS SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1


=====================================
ntpd/nts_client.c
=====================================
@@ -601,11 +601,12 @@ bool nts_client_process_response_core(uint8_t *buff, int transferred, struct pee
 			peer->nts_state.count++;
 			break;
 		    case nts_server_negotiation:
-			if (MAX_SERVER < length) {
+			if (MAX_SERVER < (length+1)) {
 				msyslog(LOG_ERR, "NTSc: server string too long %d.", length);
 				return false;
 			}
 			next_bytes(&buf, (uint8_t *)server, length);
+			server[length] = '\0';
 			/* save port in case port specified before server */
 			port = SRCPORT(&sockaddr);
 			if (!nts_server_lookup(server, &sockaddr))
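Review bot: The bound check `MAX_SERVER < (length+1)` protects the added NUL write only from above; if `length` is a signed value taken from the packet (it is printed with `%d`), a negative value passes the check and reaches `next_bytes` and `server[length]`. Guarding both ends, `if (length < 0 || length >= MAX_SERVER)`, also states the invariant (one byte reserved for the terminator) more directly than the `+1` arithmetic. A short comment on the check such as `/* leave room for the NUL appended after the copy */` would keep the next reader from "fixing" the apparent off-by-one back. Whether `length` is signed and where it is parsed is outside the hunk, as are the start and end of nts_client_process_response_core.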



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/0da207f5702e9ebf3d09a9ca7d30bed71b695b7c...7fb3de6ee9a88cda7910f697a6002dc3e78f5a7b
