[Git][NTPsec/ntpsec][master] Check for TLS1.3 support in OpenSSL, instead of hardcoding a mimmum version

Hal Murray gitlab at mg.gitlab.com
Mon Apr 20 22:55:27 UTC 2020



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
cdaf1f9a by Matt Selsky at 2020-04-20T18:20:56-04:00
Check for TLS1.3 support in OpenSSL, instead of hardcoding a mimmum version

Don't check for OpenSSL release number directly since distro vendors may have
backported fixes without changing the OpenSSL "release" version.

Also, specifically blacklist OpenSSL 1.1.1a since it has a known bug in the
value of the TLS13_MAX_LABEL_LEN macro that causes our exporter string to fail,
when it should succeed. If we encounter 1.1.1a at build time, we bail. If we
encounter 1.1.1a at runtime, we also bail.

- - - - -


4 changed files:

- ntpd/nts.c
- ntpd/nts_client.c
- wafhelpers/openssl.py
- wscript


Changes:

=====================================
ntpd/nts.c
=====================================
@@ -99,6 +99,14 @@ void nts_log_version(void) {
 			exit(1);
 		}
 	}
+	/*
+	 * If the runtime OpenSSL is 1.1.1a, then bail, since we'll run into errors with the
+	 * TLSv1.3 maximum label length
+	 */
+	if (OpenSSL_version_num() == 0x1010101fL) {
+		msyslog(LOG_ERR, "INIT: OpenSSL 1.1.1a has a maximum label length bug, bailing");
+		exit(1);
+	}
 }
 
 /*****************************************************/
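Review bot: The new `if (OpenSSL_version_num() == 0x1010101fL)` line rejects by release number exactly what the description says vendors defeat by backporting: a distro 1.1.1a with the TLS13_MAX_LABEL_LEN value already corrected is still refused at startup, and nothing in the log line tells the operator that. The comment above it should say so, e.g. `/* Version-based on purpose: a vendor-patched 1.1.1a is still refused */`, and its first line should be wrapped to stay under 80 columns like the rest of the file. The literal `0x1010101fL` is also repeated in the `#if OPENSSL_VERSION_NUMBER == 0x1010101fL` line of wafhelpers/openssl.py; a single named constant (something like `OPENSSL_VERSION_1_1_1A`, name constructed here) would keep the build-time and runtime checks from drifting apart. nts_log_version begins outside this hunk.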


=====================================
ntpd/nts_client.c
=====================================
@@ -477,13 +477,6 @@ bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
 }
 
 bool nts_make_keys(SSL *ssl, uint16_t aead, uint8_t *c2s, uint8_t *s2c, int keylen) {
-	// There is a bug in OpenSSL 1.1.1a
-	// Until Mar-23, we were using:
-	//    const char *label = "EXPORTER-nts/1";
-	// Subject: [Ntp] [NTS4NTP] info for NTS developers
-	// From: Martin Langer <mart.langer at ostfalia.de>
-	// Date: Tue, 15 Jan 2019 11:40:13 +0100
-	// https://mailarchive.ietf.org/arch/msg/ntp/nkc-9n6XOPt5Glgi_ueLvuD9EfY	// NB: 1.1.1 works and is shipped with Ubuntu 18.04.4 LTS Bionic
 	const char *label = "EXPORTER-network-time-security";
 	unsigned char context[5];
 	context[0] = (nts_protocol_NTP >> 8) & 0xFF;


=====================================
wafhelpers/openssl.py
=====================================
@@ -1,10 +1,29 @@
-SNIP_OPENSSL_VERSION_CHECK = """
+SNIP_LIBSSL_TLS13_CHECK = """
+#include <openssl/tls1.h>
+
+#ifndef TLS1_3_VERSION
+#error OpenSSL must have support for TLSv1.3
+#endif
+
+int main(void) {
+    return 0;
+}
+"""
+
+
+def check_libssl_tls13(ctx):
+    ctx.check_cc(
+      fragment=SNIP_LIBSSL_TLS13_CHECK,
+      use="SSL",
+      msg="Checking for OpenSSL with TLSv1.3 support",
+    )
+
+
+SNIP_OPENSSL_BAD_VERSION_CHECK = """
 #include <openssl/opensslv.h>
 
-#if OPENSSL_VERSION_NUMBER <= 0x1010101fL
-#error OpenSSL must be at least 1.1.1b
-#error  1.1.1 needed for TLSv1.3
-#error  1.1.1a has a fatal bug
+#if OPENSSL_VERSION_NUMBER == 0x1010101fL
+#error OpenSSL version must not be 1.1.1a
 #endif
 
 int main(void) {
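Review bot: The `#ifndef TLS1_3_VERSION` test in SNIP_LIBSSL_TLS13_CHECK only proves the headers know the protocol constant; as far as I can tell an OpenSSL configured with `no-tls1_3` still defines TLS1_3_VERSION in tls1.h while defining OPENSSL_NO_TLS1_3 in opensslconf.h, so such a build passes this check and NTS only fails later at runtime. Add `#ifdef OPENSSL_NO_TLS1_3` / `#error OpenSSL was built without TLSv1.3 support` / `#endif` next to the existing test, and include `<openssl/opensslconf.h>` explicitly so the dependence on the config macro is visible rather than inherited through tls1.h. The new function check_libssl_tls13 would also benefit from a one-line docstring stating that NTS needs the TLSv1.3 exporter, which is why the check is mandatory when NTS is enabled.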
@@ -13,10 +32,9 @@ int main(void) {
 """
 
 
-def check_SSL_version(ctx):
+def check_openssl_bad_version(ctx):
     ctx.check_cc(
-      comment="OpenSSL support",
-      fragment=SNIP_OPENSSL_VERSION_CHECK,
+      fragment=SNIP_OPENSSL_BAD_VERSION_CHECK,
       use="SSL",
-      msg="Checking for OpenSSL > 1.1.1a",
-     )
+      msg="Checking for OpenSSL != 1.1.1a",
+    )


=====================================
wscript
=====================================
@@ -826,9 +826,9 @@ int main(int argc, char **argv) {
                 msg("WARNING: Your ntpd will fail on 2038-01-19T03:14:07Z.")
 
     if not ctx.env.DISABLE_NTS:
-      # We need TLS 1.3 which isn't supported by older versions of OpenSSL
-      from wafhelpers.openssl import check_SSL_version
-      check_SSL_version(ctx)
+      from wafhelpers.openssl import check_libssl_tls13, check_openssl_bad_version
+      check_libssl_tls13(ctx)
+      check_openssl_bad_version(ctx)
 
     # before write_config()
     if ctx.is_defined("HAVE_LINUX_CAPABILITY"):
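Review bot: The replaced lines drop the only comment explaining why these checks exist, and the two new calls are left unexplained for a reader of wscript who does not open wafhelpers/openssl.py. Restore a short note above `check_libssl_tls13(ctx)`, e.g. `# NTS needs the TLSv1.3 exporter; 1.1.1a is refused because of its TLS13_MAX_LABEL_LEN bug`. The hunk header's `int main(int argc, char **argv)` context is an artifact of a C fragment elsewhere in wscript, not the scope of this change.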



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/commit/cdaf1f9a8191dce903af3aef7313d2fd87a336ad


