[Git][NTPsec/ntpsec][master] 4 commits: Add Copyright notice

Hal Murray gitlab at mg.gitlab.com
Thu Oct 31 18:04:46 UTC 2019



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
fe73b441 by Hal Murray at 2019-10-31T08:55:16Z
Add Copyright notice

- - - - -
d75a09ef by Hal Murray at 2019-10-31T11:08:51Z
Fix logging hostname/null bug in dns_probe

- - - - -
8d46d290 by Hal Murray at 2019-10-31T17:31:38Z
Tweak comment - ntpd/nts_cookie.c

- - - - -
74308fa2 by Hal Murray at 2019-10-31T17:32:28Z
Tweaks to NTS checking hostname in certs

- - - - -


5 changed files:

- ntpd/ntp_dns.c
- ntpd/nts_client.c
- ntpd/nts_cookie.c
- ntpd/nts_extens.c
- ntpd/nts_server.c


Changes:

=====================================
ntpd/ntp_dns.c
=====================================
@@ -51,6 +51,7 @@ bool dns_probe(struct peer* pp)
 	int rc;
         sigset_t        block_mask, saved_sig_mask;
 	const char	* busy = "";
+	const char	*hostname = pp->hostname;
 
 	/* Comment out the next two lines to get (much) more
 	 * printout when we are busy.
@@ -61,8 +62,12 @@ bool dns_probe(struct peer* pp)
 	if (NULL != active) {
 		busy = ", busy";
 	}
+	if (NULL == hostname) {
+		hostname = socktoa(&pp->srcadr);
+	}
+
 	msyslog(LOG_INFO, "DNS: dns_probe: %s, cast_flags:%x, flags:%x%s",
-		pp->hostname, pp->cast_flags, pp->cfg.flags, busy);
+		hostname, pp->cast_flags, pp->cfg.flags, busy);
         if (NULL != active)	/* normally redundant */
 		return false;
 
@@ -73,7 +78,8 @@ bool dns_probe(struct peer* pp)
 	rc = pthread_create(&worker, NULL, dns_lookup, pp);
         if (rc) {
 	  msyslog(LOG_ERR, "DNS: dns_probe: error from pthread_create: %s, %s",
-	      pp->hostname, strerror(rc));
+	      hostname, strerror(rc));
+          pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
 	  return true;  /* don't try again */
 	}
         pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
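Review bot: The added `pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);` inside the `if (rc)` branch restores the mask on the error path, but it now duplicates the identical call on the success path two lines lower, so a future early return between them could miss the restore again. Since `rc` is already captured, hoist the single restore above the test: `rc = pthread_create(&worker, NULL, dns_lookup, pp);` / `pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);` / `if (rc) { msyslog(...); return true; }`. The new line is also space-indented while the surrounding body mixes tabs and spaces; one style for the block would help. dns_probe's body continues past the end of the hunk.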


=====================================
ntpd/nts_client.c
=====================================
@@ -47,14 +47,16 @@ static SSL_CTX *client_ctx = NULL;
 static sockaddr_u sockaddr;
 static bool addrOK;
 
+// Fedora 30:  0x1010104fL  1.1.1d
 // Fedora 29:  0x1010102fL  1.1.1b
 // Fedora 28:  0x1010009fL  1.1.0i
+// Debian 10:  0x1010104fL  1.1.1d
 // Debian 9:   0x101000afL  1.1.0j
 // Debian 8:   0x1000114fL  1.0.1t
 // CentOS 7:   0x100020bfL  1.0.2k
 // CentOS 6:   0x1000105fL  1.0.1e
 // NetBSD 8:   0x100020bfL  1.0.2k
-// NetBSD 7:   0x1000115fL  1.0.1u
+// NetBSD 7:   0x1000115fL  1.0.1u (1.0.2s via pkgin)
 // FreeBSD 12: 0x1010101fL  1.1.1a-freebsd
 // FreeBSD 11: 0x100020ffL  1.0.2o-freebsd
 
@@ -332,17 +334,20 @@ void set_hostname(SSL *ssl, const char *hostname) {
 
 // https://wiki.openssl.org/index.php/Hostname_validation
 #if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+	SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS);
 	SSL_set1_host(ssl, host);
 	msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
 #elif (OPENSSL_VERSION_NUMBER > 0x1000200fL)
-	{
-		X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
-		if (1 != X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
-			msyslog(LOG_ERR, "NTSc: troubles setting hostflags");
-		}
-		SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+	{  /* enable automatic hostname checks */
+	X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
+	X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_WILDCARDS);
+	if (1 != X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
+		msyslog(LOG_ERR, "NTSc: troubles setting hostflags");
+	}
+	SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
 	}
 #else
+	/*  Versions prior to 1.0.2 did not perform hostname validation */
 	UNUSED_ARG(ssl);
 	msyslog(LOG_ERR, "NTSc: can't check hostname/certificate");
 #endif
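Review bot: In the `OPENSSL_VERSION_NUMBER > 0x1010000fL` branch the return value of `SSL_set1_host(ssl, host)` is ignored, whereas the 1.0.2 branch below checks `X509_VERIFY_PARAM_set1_host` and logs on failure; a failed set1_host leaves the session with no expected hostname while the LOG_DEBUG line still reports `set cert host`. Make the branches consistent: `if (1 != SSL_set1_host(ssl, host)) { msyslog(LOG_ERR, "NTSc: troubles setting cert host: %s", host); }`. The existing LOG_ERR text in the elif branch, `troubles setting hostflags`, describes the set1_host call rather than the void `X509_VERIFY_PARAM_set_hostflags` call above it, so rewording it to name set1_host would help log readers. The 1.1.x branch also does not call SSL_set_verify and so presumably relies on the verify mode already set on the context elsewhere; worth a one-line comment saying so. The parameter is `hostname` but the body uses `host`; that derivation and the function start lie above the hunk.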
@@ -378,9 +383,6 @@ bool check_certificate(SSL *ssl, struct peer* peer) {
 				return false;
 		}
 	}
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
-	msyslog(LOG_DEBUG, "NTSc: matched cert host: %s", SSL_get0_peername(ssl));
-#endif
 	return true;
 }
 


=====================================
ntpd/nts_cookie.c
=====================================
@@ -8,11 +8,12 @@
  *
  * This follows section 6, Suggested Format for NTS Cookies
  * It uses AEAD_AES_SIV_CMAC_256/384/512 from RFC 5297
- * It is currently a stand-alone library
- * but will probably migrate to OpenSSL/libcrypto.
- *
  * The selection is done by the key length.
  *
+ * We use the implementation in libaes_siv by Daniel Franke (Akamai)
+ * There is a similar implementation in OpenSSL (or soon will be)
+ * It has a slightly different API.  See libaes_siv/README.md
+ *
  */
 
 #include "config.h"


=====================================
ntpd/nts_extens.c
=====================================
@@ -1,5 +1,7 @@
 /*
  * ntp_extens.c - Network Time Protocol (NTP) extension processing
+ * Copyright 2019 by the NTPsec project contributors
+ * SPDX-License-Identifier: BSD-4-Clause-UC
  *
  * NB: This module is working with the wire format packet.
  *     It must do byte swapping.


=====================================
ntpd/nts_server.c
=====================================
@@ -1,5 +1,7 @@
 /*
  * nts_server.c - Network Time Security (NTS) server side support
+ * Copyright 2019 by the NTPsec project contributors
+ * SPDX-License-Identifier: BSD-4-Clause-UC
  *
  * Section references are to
  * https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-15


