[Git][NTPsec/ntpsec][master] 8 commits: Add trap for DDoS amplification

Hal Murray gitlab at mg.gitlab.com
Sat Apr 11 20:22:46 UTC 2020



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
cfab4177 by Hal Murray at 2020-04-10T13:54:51-07:00
Add trap for DDoS amplification
Add arg to maybe_log_junk, drop maybe_log_drop
drop handle_fastxmit

- - - - -
55c546d7 by Hal Murray at 2020-04-10T13:54:51-07:00
Add anti-DDoS amplification trap
CookiePlaceholders must be same size as cookies

- - - - -
4b5511f1 by Hal Murray at 2020-04-10T13:54:51-07:00
Change default restriction to be NOQUERY | LIMITED

- - - - -
12ba7c28 by Hal Murray at 2020-04-10T13:54:51-07:00
Drop attempts at logging dropped packets
There are too many of them.  They hide other interesting "junk".
We can get them via tcpdump

- - - - -
ccebe332 by Hal Murray at 2020-04-10T13:54:51-07:00
Implement --disable-nts for use with old OpenSSL

- - - - -
8c566e4c by Hal Murray at 2020-04-10T13:54:51-07:00
Few more tweaks to default restrict

- - - - -
00d36fac by Hal Murray at 2020-04-10T22:14:54-07:00
Tweaks to restrict documentation

- - - - -
51578387 by Hal Murray at 2020-04-11T12:56:31-07:00
Update NEWS, mostly --disable-nts

- - - - -


19 changed files:

- NEWS.adoc
- docs/includes/access-commands.adoc
- include/ntp.h
- libntp/ssl_init.c
- libntp/wscript
- ntpd/ntp_config.c
- ntpd/ntp_control.c
- ntpd/ntp_dns.c
- ntpd/ntp_proto.c
- ntpd/ntp_restrict.c
- ntpd/ntp_timer.c
- ntpd/ntpd.c
- ntpd/nts_extens.c
- ntpd/wscript
- tests/common/tests_main.c
- tests/ntpd/restrict.c
- tests/wscript
- wafhelpers/options.py
- wscript


Changes:

=====================================
NEWS.adoc
=====================================
@@ -12,8 +12,14 @@ on user-visible changes.
 
 == Repository head ==
 
+The configure step now supports --disable-nts for running
+on systems with older versions of OpenSSL.
+
+The default restrictions now start with noquery and limited
+to reduce the opportunities for being used for DDoS-ing.
+
 The draft RFC for NTS has dropped support for TLSv1.2
-  We now need OpenSSL version 1.1.1 or newer.
+  We now need OpenSSL version 1.1.1b or newer.
   The config keyword +tlsciphers+ has been removed.
 
 Additional filtering and sort options have been added to ntpq/mrulist


=====================================
docs/includes/access-commands.adoc
=====================================
@@ -98,14 +98,24 @@
   +version+;;
     Deny packets that do not match the current NTP version.
 --
-+
+
+Note: A second restrict line with the same address/mask
+does not replace the first one.  The flags are merged.  Thus:
+
+ restrict bob X
+ restrict bob Y
+
+is the same as
+
+ restrict bob X Y
+
 Default restriction list entries with the flags ignore, interface,
 ntpport, for each of the local host's interface addresses are inserted
 into the table at startup to prevent the server from attempting to
-synchronize to its own time. A default entry is also always present,
-though if it is otherwise unconfigured; no flags are associated with
-the default entry (i.e., everything besides your own NTP server is
-unrestricted).
+synchronize to its own time. A default entry is also always present.
+It has +noquery+ to avoid packet length amplification which can
+be used for DDoS with a forged return address and +limited+ to
+avoid DDoS reflections.
 
 [[unrestrict]]+unrestrict+ _address_[/_cidr_] [+mask+ _mask_] [+flag+ +...+]::
    Like a +restrict+ command, but turns off the specified flags rather
@@ -114,4 +124,9 @@ unrestricted).
    with matching address and mask.  Use only on an address/mask or
    CIDR-format address mentioned in a previous +restrict+ statement.
 
+Note: +unrestrict default+ will not do anything;
+you can't remove the builtin defaults.
+If you want to remove them, use +unrestrict default noquery limited+
+to turn off those flags.
+
 // end
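Review bot: the new note at the end of this hunk contradicts itself: it says "you can't remove the builtin defaults" and in the next sentence "If you want to remove them, use +unrestrict default noquery limited+". Suggest: "The default entry itself cannot be removed, so +unrestrict default+ with no flags does nothing; to clear the builtin flags use +unrestrict default noquery limited+." It is also worth saying in the same note that clearing +limited+ and +noquery+ reopens the reflection and amplification paths the previous hunk describes, so an operator knows what they are trading away.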


=====================================
include/ntp.h
=====================================
@@ -704,6 +704,9 @@ struct restrict_u_tag {
 #define	RES_FLAKE		0x1000	/* flakeway - drop 10% */
 #define	RES_NOMRULIST		0x2000	/* mode 6 mrulist denied */
 
+/* RES_DEFAULT defined in resolv.h */
+#define RES_Default (RES_NOQUERY|RES_LIMITED)
+
 /* pythonize-header: start ignoring */
 
 /*
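Review bot: the mixed-case macro name RES_Default, justified only by the comment that RES_DEFAULT is taken by resolv.h, is easy to misread next to the all-caps RES_* flags above it. A name such as RES_DEFAULT_FLAGS avoids the clash without relying on case, and the comment should say what the value is for (the initial flags of the builtin default restrict entries) rather than only why it is not spelled RES_DEFAULT.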


=====================================
libntp/ssl_init.c
=====================================
@@ -1,8 +1,5 @@
-/*
- * ssl_init.c	Common OpenSSL initialization code for the various
- *		programs which use it.
- *
- * Moved from ntpd/ntp_crypto.c crypto_setup()
+/* ssl_init.c	Common OpenSSL initialization code
+ * This is needed for crypto as well as NTS
  */
 
 #include "config.h"
@@ -37,8 +34,11 @@ ssl_init(void)
 		return;
 	}
 
+#ifndef DISABLE_NTS
+	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+#endif
+
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
-	SSL_library_init();
 	OpenSSL_add_all_digests();
 	OpenSSL_add_all_ciphers();
 	atexit(&atexit_ssl_cleanup);
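Review bot: the new OPENSSL_init_ssl() call is gated only on DISABLE_NTS, so in an NTS build where the following `#if` still matches (the LIBRESSL_VERSION_NUMBER case) initialisation happens twice: once with OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS and again via OpenSSL_add_all_digests()/OpenSSL_add_all_ciphers(). Harmless, but making the legacy block an `#else` of the NTS block would state the intent. The flag list also runs well past 80 columns; one flag per continuation line would match the rest of the file.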


=====================================
libntp/wscript
=====================================
@@ -38,13 +38,18 @@ def build(ctx):
     if not ctx.env.HAVE_STRLCAT or not ctx.env.HAVE_STRLCPY:
         libntp_source_sharable += ["strl_obsd.c"]
 
+    if ctx.env.DISABLE_NTS:
+      useSSL = ""
+    else:
+      useSSL = "SSL"
+
     # C library
     ctx(
         features="c cstlib",
         includes=[ctx.bldnode.parent.abspath(), "../include"],
         source=libntp_source + libntp_source_sharable,
         target="ntp",
-        use="SSL CRYPTO",
+        use="%s CRYPTO" % useSSL,
     )
 
     # Loadable Python extension
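Review bot: the new if/else block is indented two spaces in a file that uses four; the same two-space blocks appear in the ntpd/wscript, tests/wscript and top-level wscript hunks below. `"%s CRYPTO" % useSSL` also produces a string with a leading space when NTS is disabled; waf splits `use` on whitespace so it works, but building a list (`use_libs = ["CRYPTO"]` and appending "SSL" when NTS is enabled) is clearer than the empty-string trick.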


=====================================
ntpd/ntp_config.c
=====================================
@@ -640,8 +640,13 @@ create_peer_node(
 				break;
 
 			case T_Nts:
+#ifdef DISABLE_NTS
+				msyslog(LOG_ERR, "CONFIG: nts not supported");
+				exit(1);
+#else
 				my_node->ctl.flags |= (FLAG_NTS | FLAG_LOOKUP);
 				break;
+#endif
 
 			case T_Prefer:
 				my_node->ctl.flags |= FLAG_PREFER;
@@ -1996,9 +2001,12 @@ config_nts(
 		switch (nts->attr) {
 
 		default:
+#ifdef DISABLE_NTS
+			msyslog(LOG_ERR, "CONFIG: nts not supported");
+			break;
+#else
 			INSIST(0);
 			break;
-
 		case T_Aead:
 			ntsconfig.aead = estrdup(nts->value.s);
 			break;
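Review bot: under DISABLE_NTS the two hunks treat NTS configuration inconsistently: an `nts` option on a server line (previous hunk) logs "CONFIG: nts not supported" and calls exit(1), while an `nts` block (this hunk) logs the same message once per attribute and then `break`s, so ntpd starts with those settings silently ignored. Pick one behaviour; if a hard failure is wanted, exit here too, otherwise downgrade the server-line case to a warning. The matching `#endif` for this `#ifdef DISABLE_NTS`/`#else` lands about fifty lines later after case T_Tlsciphersuites (next hunk); `#endif /* DISABLE_NTS */` would help readers find it.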
@@ -2038,6 +2046,7 @@ config_nts(
 		case T_Tlsciphersuites:
 			ntsconfig.tlsciphersuites = estrdup(nts->value.s);
 			break;
+#endif
 		}
 	}
 }


=====================================
ntpd/ntp_control.c
=====================================
@@ -345,6 +345,7 @@ static const struct ctl_var sys_var[] = {
 #define CS_K_LOCKCLOCK		105
 	{ CS_K_LOCKCLOCK,	RO, "lockclock" },
 
+#ifndef DISABLE_NTS
 #define CS_nts_client_send	106
 	{ CS_nts_client_send,		RO, "nts_client_send" },
 #define CS_nts_client_recv_good	107
@@ -379,6 +380,10 @@ static const struct ctl_var sys_var[] = {
 	{ CS_nts_ke_probes_bad,		RO, "nts_ke_probes_bad" },
 #define CS_MRU_HASHSLOTS	121
 	{ CS_MRU_HASHSLOTS,		RO, "mru_hashslots" },
+#else
+#define CS_MRU_HASHSLOTS	106
+	{ CS_MRU_HASHSLOTS,		RO, "mru_hashslots" },
+#endif
 #define	CS_MAXCODE		((sizeof(sys_var)/sizeof(sys_var[0])) - 1)
 	{ 0,                    EOV, "" }
 };
@@ -1976,6 +1981,7 @@ ctl_putsys(
 			   sys_vars.sys_rootdist * MS_PER_S);
 		break;
 
+#ifndef DISABLE_NTS
 	case CS_nts_client_send:
 		ctl_putuint(sys_var[varid].text, nts_client_send);
 		break;
@@ -2035,6 +2041,7 @@ ctl_putsys(
 	case CS_nts_ke_probes_bad:
 		ctl_putuint(sys_var[varid].text, nts_ke_probes_bad);
 		break;
+#endif
 
         default:
                 /* huh? */


=====================================
ntpd/ntp_dns.c
=====================================
@@ -107,11 +107,13 @@ void dns_check(void)
 		return;  /* leaves active set */
 	}
 
+#ifndef DISABLE_NTS
 	if (active->cfg.flags & FLAG_NTS) {
 		nts_check(active);
 		active = NULL;
 		return;
 	}
+#endif
 
 	if (0 != gai_rc) {
 		msyslog(LOG_INFO, "DNS: dns_check: DNS error: %d, %s",
@@ -181,7 +183,9 @@ static void* dns_lookup(void* arg)
 #endif
 
 	if (pp->cfg.flags & FLAG_NTS) {
+#ifndef DISABLE_NTS
 		nts_probe(pp);
+#endif
 	} else {
 		ZERO(hints);
 		hints.ai_protocol = IPPROTO_UDP;
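Review bot: with DISABLE_NTS the `if (pp->cfg.flags & FLAG_NTS)` branch becomes an empty body, which reads like a missing call. Because ntp_config.c exits on an `nts` keyword in that build, FLAG_NTS cannot be set there, so wrapping the whole if/else as the dns_check() hunk above does, or adding a one-line comment inside the empty body, would make the intent explicit.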


=====================================
ntpd/ntp_proto.c
=====================================
@@ -248,9 +248,10 @@ static	double	measure_tick_fuzz(void);
 static	void	peer_xmit	(struct peer *);
 static	int	peer_unfit	(struct peer *);
 static	double	root_distance	(struct peer *);
+#ifndef DISABLE_NTS
 static	void	restart_nts_ke	(struct peer *);
-static	void	maybe_log_junk	(struct recvbuf *rbuf);
-static	void	maybe_log_drop	(struct recvbuf *rbuf);
+#endif
+static	void	maybe_log_junk	(const char *tag, struct recvbuf *rbuf);
 
 void
 set_sys_leap(unsigned char new_sys_leap) {
@@ -487,17 +488,6 @@ static bool check_early_restrictions(
 	      PKT_VERSION(rbufp->recv_buffer[0]) != NTP_VERSION));
 }
 
-static void
-handle_fastxmit(
-	struct recvbuf *rbufp,
-	unsigned short restrict_mask,
-	auth_info* auth
-	)
-{
-        int xmode =
-            PKT_MODE(rbufp->pkt.li_vn_mode) == MODE_ACTIVE ? MODE_PASSIVE : MODE_SERVER;
-	fast_xmit(rbufp, xmode, auth, restrict_mask);
-}
 
 static void
 handle_procpkt(
@@ -678,6 +668,7 @@ receive(
 	struct peer *peer = NULL;
 	unsigned short restrict_mask;
 	auth_info* auth = NULL;  /* !NULL if authenticated */
+	int mode, xmode;
 
 	stat_count.sys_received++;
 
@@ -698,7 +689,6 @@ receive(
 	restrict_mask = ntp_monitor(rbufp, restrict_mask);
 	if (restrict_mask & RES_LIMITED) {
 		stat_count.sys_limitrejected++;
-		maybe_log_drop(rbufp);
 		if(!(restrict_mask & RES_KOD)) { return; }
 	}
 
@@ -730,7 +720,8 @@ receive(
 		return;
 	}
 
-	if (MODE_SERVER == PKT_MODE(rbufp->pkt.li_vn_mode)) {
+	mode = PKT_MODE(rbufp->pkt.li_vn_mode);
+	if (MODE_SERVER == mode) {
 	    /* Reply to our request:
 	     * Auth check breaks if we findpeer for MODE_CLIENT and
 	     * a site we are using as a server uses us as a server
@@ -780,17 +771,21 @@ receive(
 		}
 	}
 
-	switch (PKT_MODE(rbufp->pkt.li_vn_mode)) {
+	switch (mode) {
 	    case MODE_ACTIVE:  /* remote site using "peer" in config file */
 	    case MODE_CLIENT:  /* Request for us as a server. */
 		if (rbufp->extens_present
+#ifndef DISABLE_NTS
 		    && !extens_server_recv(&rbufp->ntspacket,
-			  rbufp->recv_buffer, rbufp->recv_length)) {
+			  rbufp->recv_buffer, rbufp->recv_length)
+#endif
+) {
 			stat_count.sys_declined++;
-			maybe_log_junk(rbufp);
+			maybe_log_junk("EX-REQ", rbufp);
 			break;
 		}
-		handle_fastxmit(rbufp, restrict_mask, auth);
+		xmode = (mode == MODE_ACTIVE) ? MODE_PASSIVE : MODE_SERVER;
+		fast_xmit(rbufp, xmode, auth, restrict_mask);
 		stat_count.sys_processed++;
 		break;
 	    case MODE_SERVER:  /* Reply to our request to a server. */
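Review bot: the `#ifndef DISABLE_NTS` inside the if condition leaves `) {` alone on an unindented line and splits one expression across preprocessor branches; the MODE_SERVER case in the next hunk repeats the pattern with ` || !extens_client_recv(peer,` at column one. A stub for the disabled build, e.g. `#define extens_server_recv(p, b, l) (false)` and `#define extens_client_recv(p, b, l) (false)` (or static inline functions) in the NTS header, keeps these call sites untouched while still declining any packet that carries extension fields.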
@@ -799,10 +794,14 @@ receive(
 		    break;
 		}
 		if ((peer->cfg.flags & FLAG_NTS)
-		     && (!rbufp->extens_present || !extens_client_recv(peer,
-		          rbufp->recv_buffer, rbufp->recv_length))) {
+		     && (!rbufp->extens_present
+#ifndef DISABLE_NTS
+ || !extens_client_recv(peer,
+		          rbufp->recv_buffer, rbufp->recv_length)
+#endif
+)) {
 		    stat_count.sys_declined++;
-		    maybe_log_junk(rbufp);
+		    maybe_log_junk("EX-REP", rbufp);
 		    break;
 		}
 		peer->received++;
@@ -2175,12 +2174,14 @@ peer_xmit(
 	 *  3) none
 	 */
 	if (FLAG_NTS & peer->cfg.flags) {
+#ifndef DISABLE_NTS
 		if (0 < peer->nts_state.count)
 		  sendlen += extens_client_send(peer, &xpkt);
 		else {
 		  restart_nts_ke(peer);  /* out of cookies */
 		  return;
 		}
+#endif
 	} else if (0 != peer->cfg.peerkey) {
 		auth_info *auth = authlookup(peer->cfg.peerkey, true);
 		if (NULL == auth) {
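Review bot: under DISABLE_NTS a peer that has FLAG_NTS set now falls through this empty block and is transmitted with neither an NTS extension nor a MAC, since the `else if (0 != peer->cfg.peerkey)` branch is skipped. That is only safe because ntp_config.c refuses the `nts` keyword in that build; an `INSIST(!(FLAG_NTS & peer->cfg.flags))` in an `#else` path, or a comment saying so, would record the assumption.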
@@ -2349,10 +2350,20 @@ fast_xmit(
 	sendlen = LEN_PKT_NOMAC;
 	clock_gettime(CLOCK_REALTIME, &start);
 	if (rbufp->ntspacket.valid) {
+#ifndef DISABLE_NTS
 	  sendlen += extens_server_send(&rbufp->ntspacket, &xpkt);
+#endif
         } else if (NULL != auth) {
 	  sendlen += (size_t)authencrypt(auth, (uint32_t *)&xpkt, (int)sendlen);
         }
+	if (sendlen > rbufp->recv_length) {
+	  /* About to send a response that is bigger than the request.
+	   * That can be used for DDoS amplification, so don't do that.
+	   * This shouldn't happen, but check here in case of a bug.
+	   */
+	  maybe_log_junk("DDoS", rbufp);	/* needs a counter */
+	  return;
+	}
 	sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, &xpkt, (int)sendlen);
 	clock_gettime(CLOCK_REALTIME, &finish);
 	sys_authdelay = tspec_to_d(sub_tspec(finish, start));
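Review bot: the amplification trap drops the reply with nothing but a rate-limited maybe_log_junk() line, and the comment itself says "needs a counter": please add one (a new stat_count member exposed through ntp_control.c, or at least `stat_count.sys_declined++`) so an operator can see from ntpq that responses are being suppressed rather than discovering it from a client that stops getting answers. Two smaller points: sendlen is a size_t while recv_length is assigned to an int elsewhere in this file (`int lng = rbufp->recv_length;` in maybe_log_junk), so `sendlen > rbufp->recv_length` may draw a signed/unsigned warning; and the early return sits between the two clock_gettime() calls, so sys_authdelay keeps its previous value on the drop path, which is acceptable but worth a comment.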
@@ -2526,6 +2537,7 @@ void dns_take_status(struct peer* peer, DNS_Status status) {
 	peer->nextdate = current_time + (1U << hpoll);
 }
 
+#ifndef DISABLE_NTS
 /* NTS out of cookies
  * Beware of clutter in NTS-KE server logs
  * There are actually several cases:
@@ -2546,6 +2558,7 @@ static void restart_nts_ke(struct peer *peer) {
 	peer->nextdate = current_time + (1U << hpoll);
 	peer->cfg.flags |= FLAG_LOOKUP;
 };
+#endif
 
 /*
  * dns_try_again
@@ -2563,7 +2576,6 @@ void dns_try_again(void) {
 }
 
 
-
 /*
  * local_refid(peer) - check peer refid to avoid selecting peers
  *		       currently synced to this ntpd.
@@ -2966,7 +2978,7 @@ proto_clr_stats(void)
 
 /* limit logging so bad guys can't DDoS us by sending crap */
 
-void maybe_log_junk(struct recvbuf *rbufp) {
+void maybe_log_junk(const char *tag, struct recvbuf *rbufp) {
   static float junk_limit = 2.0;         /* packets per hour */
   static float junk_score = 0;           /* score, packets/hour */
   static float junk_decay = 2.0;         /* hours, exponential decay time */
@@ -2994,8 +3006,8 @@ void maybe_log_junk(struct recvbuf *rbufp) {
     junk_score += 1.0/junk_decay;  /* only count the ones we print */
 
     msyslog(LOG_INFO,
-	"JUNK: Count=%ld Print=%ld, Score=%.3f, M%d V%d from %s, lng=%d",
-	junk_count, junk_print, junk_score,
+	"%s: Count=%ld Print=%ld, Score=%.3f, M%d V%d from %s, lng=%d",
+	tag, junk_count, junk_print, junk_score,
         PKT_MODE(rbufp->pkt.li_vn_mode), PKT_VERSION(rbufp->pkt.li_vn_mode),
         sockporttoa(&rbufp->recv_srcadr), lng);
     for (i=0,j=0; i<lng; i++) {
@@ -3004,49 +3016,6 @@ void maybe_log_junk(struct recvbuf *rbufp) {
       j += snprintf(&buf[j], (JUNKSIZE-j), "%02x", rbufp->recv_buffer[i]);
     }
     msyslog(LOG_INFO,
-	"JUNK: %s", buf);
-}
-
-
-void maybe_log_drop(struct recvbuf *rbufp) {
-  static float drop_limit = 2.0;         /* packets per hour */
-  static float drop_score = 0;           /* score, packets/hour */
-  static float drop_decay = 2.0;         /* hours, exponential decay time */
-  static l_fp  drop_last = 0;            /* time of last attempted print */
-  static long  drop_count = 0;           /* total count */
-  static long  drop_print = 0;           /* printed count */
-#define DROPSIZE 500
-    char buf[DROPSIZE];
-    int lng = rbufp->recv_length;
-    int i, j;
-
-    drop_count++;
-    if (0 == drop_last) {
-      /* first time */
-      drop_last = rbufp->recv_time;
-    } else {
-      l_fp interval_fp = rbufp->recv_time - drop_last;
-      float since_last = ldexpf(interval_fp, -32)/3600.0;
-      drop_last = rbufp->recv_time;
-      drop_score *= expf(-since_last/drop_decay);
-      if (drop_limit < drop_score)
-	return; 
-    }
-    drop_print++;
-    drop_score += 1.0/drop_decay;  /* only count the ones we print */
-
-    rbufp->pkt.li_vn_mode = rbufp->recv_buffer[0]; /* no parse_packet() yet */
-    msyslog(LOG_INFO,
-	"DROP: Count=%ld Print=%ld, Score=%.3f, M%d V%d from %s, lng=%d",
-	drop_count, drop_print, drop_score,
-        PKT_MODE(rbufp->pkt.li_vn_mode), PKT_VERSION(rbufp->pkt.li_vn_mode),
-        sockporttoa(&rbufp->recv_srcadr), lng);
-    for (i=0,j=0; i<lng; i++) {
-      if ((j+4)>DROPSIZE) break;
-      if (0 == (i%4)) buf[j++] = ' ';
-      j += snprintf(&buf[j], (DROPSIZE-j), "%02x", rbufp->recv_buffer[i]);
-    }
-    msyslog(LOG_INFO,
-	"DROP: %s", buf);
+	"%s: %s", tag, buf);
 }
 


=====================================
ntpd/ntp_restrict.c
=====================================
@@ -154,8 +154,15 @@ init_restrict(void)
 	 * behavior as but reversed implementation compared to the docs.
 	 *
 	 */
+
 	LINK_SLIST(rstrct.restrictlist4, &restrict_def4, link);
 	LINK_SLIST(rstrct.restrictlist6, &restrict_def6, link);
+	restrict_def4.flags = RES_Default;
+	restrict_def6.flags = RES_Default;
+	if (RES_Default & RES_LIMITED) {
+		inc_res_limited();
+		inc_res_limited();
+	}
 	restrictcount = 2;
 }
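Review bot: init_restrict() now calls inc_res_limited() twice, once per default entry, but the balancing path is not in this diff: when `unrestrict default limited` clears RES_LIMITED on restrict_def4 and restrict_def6, does hack_restrict() call dec_res_limited() for each, so the count these two calls bump returns to zero? If not, the counter stays at 2 after the operator has turned the flag off. Also `if (RES_Default & RES_LIMITED)` is a compile-time constant, so a comment like "one per default entry" next to the doubled call would explain it better than the condition does.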
 


=====================================
ntpd/ntp_timer.c
=====================================
@@ -280,7 +280,9 @@ timer(void)
 	if (hour_timer <= current_time) {
 		hour_timer += SECSPERHR;
 		write_stats();
+#ifndef DISABLE_NTS
 		nts_timer();
+#endif
 		check_logfile();
 		if (leapf_timer <= current_time) {
 			leapf_timer += SECSPERDAY;


=====================================
ntpd/ntpd.c
=====================================
@@ -861,7 +861,9 @@ main(
 	loop_config(LOOP_DRIFTINIT, 0);
 	report_event(EVNT_SYSRESTART, NULL, NULL);
 
+#ifndef DISABLE_NTS
 	nts_init();		/* Before droproot */
+#endif
 
 #ifndef ENABLE_EARLY_DROPROOT
 	/* drop root privileges */
@@ -871,7 +873,9 @@ main(
 	}
 #endif
 
+#ifndef DISABLE_NTS
 	nts_init2();		/* After droproot */
+#endif
 
 	if (access(statsdir, W_OK) != 0) {
 	    msyslog(LOG_ERR, "statistics directory %s does not exist or is unwriteable, error %s", statsdir, strerror(errno));
@@ -950,7 +954,9 @@ static void mainloop(void)
 
 			check_logfile();
 			check_leap_file(false, time(NULL));
+#ifndef DISABLE_NTS
 			check_cert_file();
+#endif
 			dns_try_again();
 		}
 


=====================================
ntpd/nts_extens.c
=====================================
@@ -130,6 +130,7 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 	uint16_t aead;
 	int noncelen, cmaclen;
 	bool sawcookie, sawAEEF;
+	int cookielen;			/* cookie and placeholder(s) */
 
 	nts_server_recv_bad++;		/* assume bad, undo if OK */
 
@@ -137,6 +138,7 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 	buf.left = lng-LEN_PKT_NOMAC;
 
 	sawcookie = sawAEEF = false;
+	cookielen = 0;
 	ntspacket->uidlen = 0;
 	ntspacket->needed = 0;
 
@@ -165,9 +167,18 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 			next_bytes(&buf, ntspacket->UID, length);
 			break;
 		    case NTS_Cookie:
+			/* cookies and placeholders must be the same length
+			 * in order to avoid amplification attacks.
+			 */
 			if (sawcookie) {
 				return false; /* second cookie */
 			}
+			if (0 == cookielen) {
+				cookielen = length;
+			}
+			else if (length != cookielen) {
+				return false;
+			}
 			ok = nts_unpack_cookie(buf.next, length, &aead, ntspacket->c2s,
 					       ntspacket->s2c, &ntspacket->keylen);
 			if (!ok) {
@@ -180,7 +191,12 @@ bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
 			ntspacket->aead = aead;
 			break;
 		    case NTS_Cookie_Placeholder:
-			/* doesn't check length */
+			if (0 == cookielen) {
+				cookielen = length;
+			}
+			else if (length != cookielen) {
+				return false;
+			}
 			ntspacket->needed++;
 			buf.next += length;
 			buf.left -= length;
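Review bot: the `}` / `else if` split across two lines here and in the NTS_Cookie case above differs from the `} else if` style used elsewhere in the diff (fast_xmit in ntp_proto.c); the two identical four-line length checks could also be one small helper. On substance the check matches the commit message: the server answers with one fresh cookie per placeholder (`ntspacket->needed++`), so forcing placeholders to the cookie length keeps the reply from growing beyond the request.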


=====================================
ntpd/wscript
=====================================
@@ -51,6 +51,10 @@ def build(ctx):
         "ntp_recvbuff.c",
         "ntp_restrict.c",
         "ntp_util.c",
+    ]
+
+    if not ctx.env.DISABLE_NTS:
+      libntpd_source += [
         "nts.c",
         "nts_server.c",
         "nts_client.c",
@@ -117,6 +121,11 @@ def build(ctx):
         ctx.bldnode.parent.find_node("host/ntpd/ntp_parser.tab.c")
     ]
 
+    if ctx.env.DISABLE_NTS:
+      useSSL = ""
+    else:
+      useSSL = "SSL"
+
     ctx(
         features="c rtems_trace cprogram",
         includes=[
@@ -126,7 +135,7 @@ def build(ctx):
         source=ntpd_source,
         target="ntpd",
         use="libntpd_obj ntp M parse RT CAP SECCOMP PTHREAD NTPD "
-            "SSL CRYPTO DNS_SD %s SOCKET NSL SCF" % use_refclock,
+            "%s CRYPTO DNS_SD %s SOCKET NSL SCF" % (useSSL, use_refclock),
     )
 
     ctx.manpage(8, "ntpd-man.adoc")


=====================================
tests/common/tests_main.c
=====================================
@@ -71,12 +71,14 @@ static void RunAllTests(void)
 	RUN_TEST_GROUP(leapsec);
 	RUN_TEST_GROUP(hackrestrict);
 	RUN_TEST_GROUP(recvbuff);
+#ifndef DISABLE_NTS
 	RUN_TEST_GROUP(nts);
 	RUN_TEST_GROUP(nts_client);
 	RUN_TEST_GROUP(nts_server);
 	RUN_TEST_GROUP(nts_cookie);
 	RUN_TEST_GROUP(nts_extens);
 #endif
+#endif
 
 }
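Review bot: the new `#endif` is placed after the pre-existing one, so the preprocessor now pairs the old `#endif` with `#ifndef DISABLE_NTS` and the new one with the outer conditional opened before this hunk. The result is identical, but it reads as if the nesting were crossed; put the new `#endif` directly after RUN_TEST_GROUP(nts_extens) and tag both, e.g. `#endif /* DISABLE_NTS */`.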
 


=====================================
tests/ntpd/restrict.c
=====================================
@@ -62,6 +62,8 @@ TEST(hackrestrict, RestrictionsAreEmptyAfterInit) {
 
 	memset(rl4, 0, sizeof(restrict_u));
 	memset(rl6, 0, sizeof(restrict_u));
+	rl4->flags = RES_Default;
+	rl6->flags = RES_Default;
 
 	TEST_ASSERT_EQUAL(rl4->hitcount, rstrct.restrictlist4->hitcount);
 	TEST_ASSERT_EQUAL(rl4->flags, rstrct.restrictlist4->flags);
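Review bot: the test is still named RestrictionsAreEmptyAfterInit, but it now expects rl4->flags and rl6->flags to equal RES_Default, i.e. noquery and limited. Rename it (for example DefaultRestrictionsAfterInit) so the name matches what it asserts.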
@@ -85,7 +87,7 @@ TEST(hackrestrict, ReturnsCorrectDefaultRestrictions) {
 
 	unsigned short retval = restrictions(&sockaddr);
 
-	TEST_ASSERT_EQUAL(0, retval);
+	TEST_ASSERT_EQUAL(RES_Default, retval);
 }
 
 
@@ -103,7 +105,7 @@ TEST(hackrestrict, HackingDefaultRestriction) {
 
 	sockaddr_u sockaddr = create_sockaddr_u(54321, "111.123.251.124");
 
-	TEST_ASSERT_EQUAL(flags, restrictions(&sockaddr));
+	TEST_ASSERT_EQUAL(RES_Default|flags, restrictions(&sockaddr));
 }
 
 
@@ -113,7 +115,7 @@ TEST(hackrestrict, CantRemoveDefaultEntry) {
 
 	hack_restrict(RESTRICT_REMOVE, &resaddr, &resmask, 0, 0, 0);
 
-	TEST_ASSERT_EQUAL(0, restrictions(&resaddr));
+	TEST_ASSERT_EQUAL(RES_Default, restrictions(&resaddr));
 }
 
 


=====================================
tests/wscript
=====================================
@@ -92,12 +92,16 @@ def build(ctx):
         "ntpd/leapsec.c",
         "ntpd/restrict.c",
         "ntpd/recvbuff.c",
+    ] + common_source
+
+    if not ctx.env.DISABLE_NTS:
+      ntpd_source += [
         "ntpd/nts.c",
         "ntpd/nts_client.c",
         "ntpd/nts_server.c",
         "ntpd/nts_cookie.c",
         "ntpd/nts_extens.c",
-    ] + common_source
+    ]
 
     ctx.ntp_test(
         defines=unity_config + ["TEST_NTPD=1"],


=====================================
wafhelpers/options.py
=====================================
@@ -12,6 +12,8 @@ def options_cmd(ctx, config):
                    default=False, help="Enable debugging code")
     grp.add_option('--enable-debug-gdb', action='store_true',
                    default=False, help="Enable GDB debugging symbols")
+    grp.add_option('--disable-nts', action='store_true',
+                   default=False, help="Disable NTS.")
     grp.add_option('--disable-droproot', action='store_true',
                    default=False, help="Disable dropping root.")
     grp.add_option('--enable-early-droproot', action='store_true',


=====================================
wscript
=====================================
@@ -579,14 +579,15 @@ int main(int argc, char **argv) {
     for header, sizeof in sorted(sizeofs, key=lambda x: x[1:]):
         check_sizeof(ctx, header, sizeof)
 
-    # Check via pkg-config first, then fall back to a direct search
-    if not ctx.check_cfg(
-        package='libssl', uselib_store='SSL',
-        args=['libssl', '--cflags', '--libs'],
-        msg="Checking for OpenSSL/libssl (via pkg-config)",
-        define_name='', mandatory=False,
-    ):
-        ctx.check_cc(msg="Checking for OpenSSL's ssl library",
+    if not ctx.env.DISABLE_NTS:
+        # Check via pkg-config first, then fall back to a direct search
+        if not ctx.check_cfg(
+            package='libssl', uselib_store='SSL',
+            args=['libssl', '--cflags', '--libs'],
+            msg="Checking for OpenSSL/libssl (via pkg-config)",
+            define_name='', mandatory=False,
+        ):
+            ctx.check_cc(msg="Checking for OpenSSL's ssl library",
                      lib="ssl", mandatory=True)
 
     # Check via pkg-config first, then fall back to a direct search
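Review bot: this hunk reads ctx.env.DISABLE_NTS at line 579, but the only assignment in the diff is the `ctx.options.disable_nts` block at line 741 (second hunk of this file); if both are in the same configure() run, the libssl check here executes before the flag is set and still runs with --disable-nts, which defeats the option on a system whose libssl is too old. Test ctx.options.disable_nts here, or move the assignment above this check. Also the continuation line `lib="ssl", mandatory=True)` was not re-indented with the check_cc call it belongs to.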
@@ -740,6 +741,11 @@ int main(int argc, char **argv) {
                    comment="Enable MS-SNTP extensions "
                    " https://msdn.microsoft.com/en-us/library/cc212930.aspx")
 
+    if ctx.options.disable_nts:
+        ctx.env.DISABLE_NTS = True
+        ctx.define("DISABLE_NTS", 1,
+                   comment="Disable NTS")
+
     if not ctx.options.disable_droproot:
         ctx.define("ENABLE_DROPROOT", 1,
                    comment="Drop root after initialising")
@@ -819,9 +825,10 @@ int main(int argc, char **argv) {
                 msg("WARNING: This system has a 32-bit time_t.")
                 msg("WARNING: Your ntpd will fail on 2038-01-19T03:14:07Z.")
 
-    # We need TLS 1.3 which isn't supported by older versions of OpenSSL
-    from wafhelpers.openssl import check_SSL_version
-    check_SSL_version(ctx)
+    if not ctx.env.DISABLE_NTS:
+      # We need TLS 1.3 which isn't supported by older versions of OpenSSL
+      from wafhelpers.openssl import check_SSL_version
+      check_SSL_version(ctx)
 
     # before write_config()
     if ctx.is_defined("HAVE_LINUX_CAPABILITY"):



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/df2ad9b7d2ef615a3e36ab05ff43f197e55d8e3c...51578387b87ed487022c16eebef12d5073286c3b


