[Git][NTPsec/ntpsec][master] 3 commits: Fix for #615 - Build troubles on NetBSD
Hal Murray
gitlab at mg.gitlab.com
Sun Sep 15 18:07:10 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
93e789ab by Hal Murray at 2019-09-15T09:26:30Z
Fix for #615 - Build troubles on NetBSD
Note that there are 2 changes to the LIBPATH line:
- ctx.env.PLATFORM_LIBPATH = ["/usr/lib", "/usr/pkg/lib"]
+ ctx.env.LIBPATH = ["/usr/pkg/lib"]
The first is to remove /usr/lib
The second is to remove the PLATFORM_
Both are needed.
/usr/lib has the old version. It might work if the order was swapped.
I think the PLATFORM_ stuff is leftover from an old old version of waf.
The PLATFORM_INCLUDES works because we explicitly add it in with
things like:
ctx(
features="c rtems_trace cprogram",
includes=[
ctx.bldnode.parent.abspath(), "../include",
"%s/host/ntpd/" % ctx.bldnode.parent.abspath(), "."
] + ctx.env.PLATFORM_INCLUDES,
...
- - - - -
dbe1c28f by Hal Murray at 2019-09-15T09:34:25Z
Print/check version of OpenSSL library used at run time.
- - - - -
6c7e92a6 by Hal Murray at 2019-09-15T09:35:52Z
Fix potential buffer overrun in nts_client.c ALPN checking
- - - - -
3 changed files:
- ntpd/nts.c
- ntpd/nts_client.c
- wscript
Changes:
=====================================
ntpd/nts.c
=====================================
@@ -47,6 +47,22 @@ struct ntsconfig_t ntsconfig = {
void nts_init(void) {
bool ok = true;
+#if (OPENSSL_VERSION_NUMBER > 0x101000afL)
+ unsigned long buildVersion = OPENSSL_VERSION_NUMBER;
+ msyslog(LOG_INFO, "INIT: %s, %lx",
+ OpenSSL_version(OPENSSL_VERSION),
+ OpenSSL_version_num());
+ /* Assuming we are built with 1.1.1c
+ * This allows running with 1.1.1d
+ * It won't allow running with 1.0.0x
+ * Maybe we should reject trying to run with 1.2.1x
+ */
+ if (buildVersion > OpenSSL_version_num()) {
+ msyslog(LOG_ERR, "INIT: running with old OpenSSL library: %lx, %lx, bailing",
+ buildVersion, OpenSSL_version_num());
+ exit(1);
+ }
+#endif
if (ntsconfig.ntsenable) {
ok &= nts_server_init();
}
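Review bot: The runtime check `if (buildVersion > OpenSSL_version_num())` only rejects an older library, so a library from a different major/minor series still passes, as the added comment itself concedes. Consider also comparing the series bits, for example `if ((buildVersion ^ OpenSSL_version_num()) & 0xfff00000UL)` with its own log message, so that a mismatched series is refused at startup rather than discovered later. The check also sits ahead of the `ntsconfig.ntsenable` test, so it looks as if a daemon that never uses NTS would exit on a mismatch; confirm that is intended. A one-line comment on the `#if` naming the release that `0x101000afL` stands for would help the next reader. nts_init continues outside the hunk.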
=====================================
ntpd/nts_client.c
=====================================
@@ -395,7 +395,14 @@ bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
hostname, SSL_get_version(ssl));
return bad;
}
- strlcpy(buff, (const char*)data, sizeof(buff)); /* NUL terminate */
+ if (sizeof(buff) <= len) {
+ /* Broken or malicious server */
+ msyslog(LOG_DEBUG, "NTSc: Very long ALPN from %s (%u)",
+ hostname, len);
+ return bad;
+ }
+ memcpy(buff, data, len);
+ buff[len] = '\0';
for (i=0; i<len; i++) {
if (!isgraph(buff[i])) {
buff[i] = '*'; /* fix non-printing crap */
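Review bot: `isgraph(buff[i])` in the loop right after the new copy receives server-supplied bytes through a plain `char`, which is undefined for negative values where `char` is signed; write `if (!isgraph((unsigned char)buff[i])) {`. The declaration of `buff` is outside the hunk, so this assumes it is a `char` array. The new length guard and explicit termination look right; a short comment above `memcpy` stating that `data` is not NUL-terminated would explain why `strlcpy` was dropped. check_aead starts and ends outside the hunk.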
@@ -404,7 +411,8 @@ bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
/* For now, we only support one version.
* This gets more complicated when version 2 arrives. */
if (0 != strcmp((const char*)data, "ntske/1")) {
- msyslog(LOG_DEBUG, "NTSc: Strange ALPN returned: %s (%u)", buff, len);
+ msyslog(LOG_DEBUG, "NTSc: Strange ALPN returned: %s (%u) from %s",
+ buff, len, hostname);
return bad;
}
msyslog(LOG_DEBUG, "NTSc: Good ALPN from: %s", hostname);
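Review bot: `strcmp((const char*)data, "ntske/1")` still treats `data` as a NUL-terminated string, which the bounded copy added earlier in this commit suggests it is not, so the comparison can read past the `len` bytes of the ALPN value and its result then depends on whatever byte follows. Compare by length instead: `if (len != 7 || 0 != memcmp(data, "ntske/1", 7)) {`. `memcmp` comes from `<string.h>`, which the new `memcpy` call already relies on. check_aead continues outside the hunk.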
=====================================
wscript
=====================================
@@ -547,9 +547,10 @@ int main(int argc, char **argv) {
if ctx.env.DEST_OS in ["freebsd", "openbsd"]:
ctx.env.PLATFORM_INCLUDES = ["/usr/local/include"]
ctx.env.PLATFORM_LIBPATH = ["/usr/local/lib"]
- elif ctx.env.DEST_OS == "netbsd":
- ctx.env.PLATFORM_INCLUDES = ["/usr/pkg/include"]
- ctx.env.PLATFORM_LIBPATH = ["/usr/lib", "/usr/pkg/lib"]
+ elif ctx.env.DEST_OS == "netbsd" and os.path.isdir("/usr/pkg/include"):
+ ctx.env.INCLUDES = ["/usr/pkg/include"]
+ ctx.env.LIBPATH = ["/usr/pkg/lib"]
+ ctx.env.LDFLAGS += ["-rpath=/usr/pkg/lib"]
elif ctx.env.DEST_OS == "win32":
ctx.load("msvc")
elif ctx.env.DEST_OS == "darwin":
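Review bot: The netbsd branch assigns `ctx.env.INCLUDES` and `ctx.env.LIBPATH` with `=`, which discards anything set earlier in configure, while the line below it appends to `LDFLAGS`; using `+=` on all three would be consistent. `-rpath=/usr/pkg/lib` is linker syntax, and if the link step goes through the compiler driver it probably needs `-Wl,-rpath=/usr/pkg/lib` (or waf's `RPATH` variable), which is worth confirming on a NetBSD build. `os.path.isdir` tests the build host, so a short comment saying why the branch is skipped when the directory is absent would help. The surrounding if/elif chain starts and ends outside the hunk.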
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/6e32ec1ae3d2e5acd3175d61e2487462660e6e45...6c7e92a63992974e8e3f52066d8b61b399f1ad8c