[Git][NTPsec/ntpsec][master] 2 commits: Fix bogus port number in NTS-KE connecting message
Hal Murray
gitlab at mg.gitlab.com
Fri Jul 31 22:07:58 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
22ce4f3e by Hal Murray at 2020-07-23T17:29:26-07:00
Fix bogus port number in NTS-KE connecting message
- - - - -
56b0dc8d by Hal Murray at 2020-07-31T15:06:13-07:00
Add error checking for root cert file/dir
- - - - -
1 changed file:
- ntpd/nts_client.c
Changes:
=====================================
ntpd/nts_client.c
=====================================
@@ -36,6 +36,7 @@
SSL_CTX* make_ssl_client_ctx(const char *filename);
int open_TCP_socket(struct peer *peer, const char *hostname);
+struct addrinfo * find_best_addr(struct addrinfo *answer);
bool connect_TCP_socket(int sockfd, struct addrinfo *addr);
bool nts_set_cert_search(SSL_CTX *ctx, const char *filename);
void set_hostname(SSL *ssl, struct peer *peer, const char *hostname);
@@ -48,26 +49,18 @@ bool nts_client_process_response_core(uint8_t *buff, int transferred, struct pee
bool nts_server_lookup(char *server, sockaddr_u *addr, int af);
static SSL_CTX *client_ctx = NULL;
+
+/* Ugly global variables passed from worker thread back to main thread. */
static sockaddr_u sockaddr;
static bool addrOK;
-// Fedora 30: 0x1010104fL 1.1.1d
-// Fedora 29: 0x1010102fL 1.1.1b
-// Fedora 28: 0x1010009fL 1.1.0i
-// Debian 10: 0x1010104fL 1.1.1d
-// Debian 9: 0x101000afL 1.1.0j
-// Debian 8: 0x1000114fL 1.0.1t
-// CentOS 7: 0x100020bfL 1.0.2k
-// CentOS 6: 0x1000105fL 1.0.1e
-// NetBSD 8: 0x100020bfL 1.0.2k
-// NetBSD 7: 0x1000115fL 1.0.1u (1.0.2s via pkgin)
-// FreeBSD 12: 0x1010101fL 1.1.1a-freebsd
-// FreeBSD 11: 0x100020ffL 1.0.2o-freebsd
bool nts_client_init(void) {
client_ctx = make_ssl_client_ctx(ntsconfig.ca);
+
+/* Ugly global variables passed from worker thread back to main thread. */
return true;
}
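Review bot: The comment `/* Ugly global variables passed from worker thread back to main thread. */` added inside nts_client_init, between the `make_ssl_client_ctx` call and `return true;`, duplicates the one placed above `sockaddr` and `addrOK` and describes nothing in the function body. Drop that second copy and the blank line before it; the first copy is the one that belongs, since it documents the two statics it precedes.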
@@ -249,7 +242,7 @@ int open_TCP_socket(struct peer *peer, const char *hostname) {
char errbuf[100];
char *tmp;
struct addrinfo hints;
- struct addrinfo *answer;
+ struct addrinfo *answer, *worker;
int gai_rc;
int sockfd;
struct timespec start, finish;
@@ -290,24 +283,27 @@ int open_TCP_socket(struct peer *peer, const char *hostname) {
msyslog(LOG_INFO, "NTSc: DNS lookup of %s took %.3f sec",
hostname, tspec_to_d(finish));
- /* Save first answer for NTP
- * setup default NTP port now
- * in case of server-name:port later on
+ /* Use first answer
+ * sockaddr is global for NTP address
+ * also use as temp for printing here
*/
- memcpy(&sockaddr, answer->ai_addr, answer->ai_addrlen);
- SET_PORT(&sockaddr, NTP_PORT);
-
+ worker = find_best_addr(answer);
+ memcpy(&sockaddr, worker->ai_addr, worker->ai_addrlen);
sockporttoa_r(&sockaddr, errbuf, sizeof(errbuf));
msyslog(LOG_INFO, "NTSc: connecting to %s:%s => %s",
host, port, errbuf);
- sockfd = socket(answer->ai_family, SOCK_STREAM, 0);
+ /* setup default NTP port now
+ * in case of server-name:port later on
+ */
+ SET_PORT(&sockaddr, NTP_PORT);
+ sockfd = socket(worker->ai_family, SOCK_STREAM, 0);
if (-1 == sockfd) {
ntp_strerror_r(errno, errbuf, sizeof(errbuf));
msyslog(LOG_INFO, "NTSc: open_TCP_socket: no socket: %s", errbuf);
} else {
/* Use first IP Address */
- if (!connect_TCP_socket(sockfd, answer)) {
+ if (!connect_TCP_socket(sockfd, worker)) {
close(sockfd);
sockfd = -1;
}
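Review bot: `memcpy(&sockaddr, worker->ai_addr, worker->ai_addrlen);` copies a resolver-supplied length into the fixed-size global `sockaddr` with no check that it fits; getaddrinfo presumably only returns families the union can hold, but a guard such as `if (worker->ai_addrlen > sizeof(sockaddr)) { msyslog(LOG_ERR, "NTSc: address too large for sockaddr_u"); return -1; }` before the copy costs little and makes the assumption explicit (check how the function releases `answer` on its other error paths, which are outside this hunk). The comment `/* Use first IP Address */` above `connect_TCP_socket(sockfd, worker)` is now stale, since `find_best_addr` chooses the entry; `/* Connect to the address find_best_addr() picked */` would match the new code. open_TCP_socket starts before and continues after this hunk.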
@@ -318,6 +314,12 @@ int open_TCP_socket(struct peer *peer, const char *hostname) {
}
+struct addrinfo *find_best_addr(struct addrinfo *answer) {
+ /* default to first one */
+ return(answer);
+}
+
+
/* This kludgery is needed to get a sane timeout.
* The default is unspecified but long.
* On Linux, man connect gets man 2 which doesn't mention O_NONBLOCK
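Review bot: find_best_addr has no header comment, and a reader has to guess from the body that it is a placeholder; add `/* Choose which getaddrinfo() result to connect to. Placeholder: currently the first entry, so a NULL list is returned as NULL and the caller must not dereference it. */` above the definition. The body's `return(answer);` would read more conventionally as `return answer;`, and one of the two blank lines that follow the closing brace is surplus.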
@@ -714,13 +716,23 @@ bool nts_set_cert_search(SSL_CTX *ctx, const char *filename) {
}
if (0 == stat(filename, &statbuf)) {
if (S_ISDIR(statbuf.st_mode)) {
+ if (1 != SSL_CTX_load_verify_locations(
+ ctx, NULL, filename)) {
+ msyslog(LOG_INFO, "NTSc: Can't use %s as dir for root certificates.", filename);
+ nts_log_ssl_error();
+ return false;
+ }
msyslog(LOG_INFO, "NTSc: Using dir %s for root certificates.", filename);
- SSL_CTX_load_verify_locations(ctx, NULL, filename);
return true;
}
if (S_ISREG(statbuf.st_mode)) {
+ if (1 != SSL_CTX_load_verify_locations(
+ ctx, filename, NULL)) {
+ msyslog(LOG_INFO, "NTSc: Can't use %s as file for root certificates.", filename);
+ nts_log_ssl_error();
+ return false;
+ }
msyslog(LOG_INFO, "NTSc: Using file %s for root certificates.", filename);
- SSL_CTX_load_verify_locations(ctx, filename, NULL);
return true;
}
msyslog(LOG_ERR, "NTSc: cert dir/file isn't dir or file: %s. mode 0x%x",
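Review bot: Both new failure branches log at LOG_INFO before returning false, while the neighbouring failure two lines later (`cert dir/file isn't dir or file`) uses LOG_ERR; an unusable root store is presumably fatal for verifying any NTS-KE server, so `msyslog(LOG_ERR, "NTSc: Can't use %s as dir for root certificates.", filename);` and the matching file-branch line should use LOG_ERR too. For the directory branch, SSL_CTX_load_verify_locations as far as I recall only records the path and succeeds even if the directory lacks the hashed names OpenSSL looks up at verification time, so the new check catches fewer misconfigurations there than in the file branch; a comment saying so next to the dir call would save the next reader from assuming the store was validated. nts_set_cert_search starts before and continues after this hunk.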