[Git][NTPsec/ntpsec][master] 4 commits: Add Copyright notice
Hal Murray
gitlab at mg.gitlab.com
Thu Oct 31 18:04:46 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
fe73b441 by Hal Murray at 2019-10-31T08:55:16Z
Add Copyright notice
- - - - -
d75a09ef by Hal Murray at 2019-10-31T11:08:51Z
Fix logging hostname/null bug in dns_probe
- - - - -
8d46d290 by Hal Murray at 2019-10-31T17:31:38Z
Tweak comment - ntpd/nts_cookie.c
- - - - -
74308fa2 by Hal Murray at 2019-10-31T17:32:28Z
Tweaks to NTS checking hostname in certs
- - - - -
5 changed files:
- ntpd/ntp_dns.c
- ntpd/nts_client.c
- ntpd/nts_cookie.c
- ntpd/nts_extens.c
- ntpd/nts_server.c
Changes:
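--- a/ntpd/ntp_dns.c
+++ b/ntpd/ntp_dns.c
@@ -51,6 +51,7 @@ bool dns_probe(struct peer* pp)
 int rc;
 sigset_t block_mask, saved_sig_mask;
 const char * busy = "";
+ const char *hostname = pp->hostname;
 /* Comment out the next two lines to get (much) more
 * printout when we are busy.
@@ -61,8 +62,12 @@ bool dns_probe(struct peer* pp)
 if (NULL != active) {
 busy = ", busy";
 }
+ if (NULL == hostname) {
+ hostname = socktoa(&pp->srcadr);
+ }
+
 msyslog(LOG_INFO, "DNS: dns_probe: %s, cast_flags:%x, flags:%x%s",
- pp->hostname, pp->cast_flags, pp->cfg.flags, busy);
+ hostname, pp->cast_flags, pp->cfg.flags, busy);
 if (NULL != active) /* normally redundant */
 return false;
@@ -73,7 +78,8 @@ bool dns_probe(struct peer* pp)
 rc = pthread_create(&worker, NULL, dns_lookup, pp);
 if (rc) {
 msyslog(LOG_ERR, "DNS: dns_probe: error from pthread_create: %s, %s",
- pp->hostname, strerror(rc));
+ hostname, strerror(rc));
+ pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);
 return true; /* don't try again */
 }
 pthread_sigmask(SIG_SETMASK, &saved_sig_mask, NULL);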
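Review bot: The NULL fallback for `hostname` only reaches the two msyslog calls; `dns_lookup` is still started with `pp` unchanged in the third hunk, so if the worker reads `pp->hostname` itself, the same NULL case still reaches it — worth confirming in dns_lookup, which is outside this diff. The lifetime of the `socktoa()` result is not visible here either; if it hands back a rotating static buffer, keeping it in `hostname` across the pthread_create call is safe only while nothing else calls socktoa() in between. A one-line comment at the new declaration would record the intent: `/* pp->hostname may be NULL; fall back to the source address for logging */`. The added pthread_sigmask() restore before `return true` closes the mask leak on the error path, though like the existing restore its return value is ignored. dns_probe's body begins before the first hunk and its signal-mask setup sits between the second and third hunks.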
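--- a/ntpd/nts_client.c
+++ b/ntpd/nts_client.c
@@ -47,14 +47,16 @@ static SSL_CTX *client_ctx = NULL;
 static sockaddr_u sockaddr;
 static bool addrOK;
+// Fedora 30: 0x1010104fL 1.1.1d
 // Fedora 29: 0x1010102fL 1.1.1b
 // Fedora 28: 0x1010009fL 1.1.0i
+// Debian 10: 0x1010104fL 1.1.1d
 // Debian 9: 0x101000afL 1.1.0j
 // Debian 8: 0x1000114fL 1.0.1t
 // CentOS 7: 0x100020bfL 1.0.2k
 // CentOS 6: 0x1000105fL 1.0.1e
 // NetBSD 8: 0x100020bfL 1.0.2k
-// NetBSD 7: 0x1000115fL 1.0.1u
+// NetBSD 7: 0x1000115fL 1.0.1u (1.0.2s via pkgin)
 // FreeBSD 12: 0x1010101fL 1.1.1a-freebsd
 // FreeBSD 11: 0x100020ffL 1.0.2o-freebsd
@@ -332,17 +334,20 @@ void set_hostname(SSL *ssl, const char *hostname) {
 // https://wiki.openssl.org/index.php/Hostname_validation
 #if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS);
 SSL_set1_host(ssl, host);
 msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
 #elif (OPENSSL_VERSION_NUMBER > 0x1000200fL)
- {
- X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
- if (1 != X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
- msyslog(LOG_ERR, "NTSc: troubles setting hostflags");
- }
- SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
+ { /* enable automatic hostname checks */
+ X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
+ X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_WILDCARDS);
+ if (1 != X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
+ msyslog(LOG_ERR, "NTSc: troubles setting hostflags");
+ }
+ SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
 }
 #else
+ /* Versions prior to 1.0.2 did not perform hostname validation */
 UNUSED_ARG(ssl);
 msyslog(LOG_ERR, "NTSc: can't check hostname/certificate");
 #endif
@@ -378,9 +383,6 @@ bool check_certificate(SSL *ssl, struct peer* peer) {
 return false;
 }
 }
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
- msyslog(LOG_DEBUG, "NTSc: matched cert host: %s", SSL_get0_peername(ssl));
-#endif
 return true;
 }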
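Review bot: In set_hostname, the OpenSSL ≥ 1.1.0 branch ignores the return value of `SSL_set1_host(ssl, host)` while the 1.0.2 branch checks the equivalent `X509_VERIFY_PARAM_set1_host`; if set1_host fails, no expected name is recorded, hostname verification is simply not performed on the peer certificate, and the unconditional debug line right below still reports the host as set. Checking it the same way, `if (1 != SSL_set1_host(ssl, host)) { msyslog(LOG_ERR, "NTSc: troubles setting cert host"); }`, keeps the two branches consistent and makes the failure visible. The existing 1.0.2 error text `NTSc: troubles setting hostflags` is also misleading now that a separate `X509_VERIFY_PARAM_set_hostflags` call exists: the checked call is set1_host, not the flags setter. `host` is derived before this hunk, so whether it can be empty (SSL_set1_host treats an empty name as "clear the hostname list") cannot be confirmed here; set_hostname's body starts outside the hunk.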
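--- a/ntpd/nts_cookie.c
+++ b/ntpd/nts_cookie.c
@@ -8,11 +8,12 @@
 *
 * This follows section 6, Suggested Format for NTS Cookies
 * It uses AEAD_AES_SIV_CMAC_256/384/512 from RFC 5297
- * It is currently a stand-alone library
- * but will probably migrate to OpenSSL/libcrypto.
- *
 * The selection is done by the key length.
 *
+ * We use the implementation in libaes_siv by Daniel Franke (Akamai)
+ * There is a similar implementation in OpenSSL (or soon will be)
+ * It has a slightly different API. See libaes_siv/README.md
+ *
 */
 #include "config.h"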
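--- a/ntpd/nts_extens.c
+++ b/ntpd/nts_extens.c
@@ -1,5 +1,7 @@
 /*
 * ntp_extens.c - Network Time Protocol (NTP) extension processing
+ * Copyright 2019 by the NTPsec project contributors
+ * SPDX-License-Identifier: BSD-4-Clause-UC
 *
 * NB: This module is working with the wire format packet.
 * It must do byte swapping.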
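--- a/ntpd/nts_server.c
+++ b/ntpd/nts_server.c
@@ -1,5 +1,7 @@
 /*
 * nts_server.c - Network Time Security (NTS) server side support
+ * Copyright 2019 by the NTPsec project contributors
+ * SPDX-License-Identifier: BSD-4-Clause-UC
 *
 * Section references are to
 * https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp-15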
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/6225fc91d48fdc4801a31c054a9ce5d410b0b0cf...74308fa20545ae1b34708ec06e38ea244dda7c54