[Git][NTPsec/ntpsec][master] 5 commits: Remove unused code checking that ntp_adjtime worked.
Hal Murray
gitlab at mg.gitlab.com
Thu Mar 26 19:56:16 UTC 2020
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
88991029 by Hal Murray at 2020-03-24T14:46:32-07:00
Remove unused code checking that ntp_adjtime worked.
We now require ntp_adjtime.
Ages ago, there were alternatives.
- - - - -
ae2343ef by Hal Murray at 2020-03-24T14:48:58-07:00
Set SIGSYS catcher in other threads.
- - - - -
f4c1ccd9 by Hal Murray at 2020-03-25T00:20:10-07:00
Check for OpenSSL version > 1.1.1a
That's > rather than >=
There is a fatal bug in 1.1.1a
- - - - -
aa0f3546 by Hal Murray at 2020-03-25T22:52:16-07:00
Remove support for TLSv1.2 (per update to draft RFC)
We now need OpenSSL version 1.1.1 or newer.
The config keyword +tlsciphers+ has been removed.
- - - - -
c54926b0 by Hal Murray at 2020-03-26T03:42:19-07:00
Add another special case error message for TLSv1.2
minimize bloat on server logs
- - - - -
17 changed files:
- NEWS.adoc
- devel/hacking.adoc
- docs/includes/nts-commands.adoc
- include/ntpd.h
- include/nts.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_dns.c
- ntpd/ntp_loopfilter.c
- ntpd/ntp_sandbox.c
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_server.c
- tests/ntpd/nts.c
- tests/ntpd/nts_client.c
- + wafhelpers/openssl.py
- wscript
Changes:
=====================================
NEWS.adoc
=====================================
@@ -12,6 +12,18 @@ on user-visible changes.
== Repository head ==
+The draft RFC for NTS has dropped support for TLSv1.2
+ We now need OpenSSL version 1.1.1 or newer.
+ The config keyword +tlsciphers+ has been removed.
+
+Additional filtering and sort options have been added to ntpq/mrulist
+ Details are in the man page.
+
+Rate limiting has been cleaned up.
+ With "restrict limited", traffic is now limited to
+ an average of 1 packet per second with bursts of 20.
+ (needs doc and maybe config)
+
SIGHUP and hourly checks have been unified. Both now
check for a new log file
check for a new certificate file
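Review bot: the line "+ (needs doc and maybe config)" is a TODO left inside user-facing release notes; either finish the rate-limiting documentation before this goes in or move the reminder to the tracker. The mrulist and rate-limiting paragraphs are also not described by any of the five commit messages in this push, so they would be easier to trace if they were committed on their own rather than riding along with the TLSv1.2 removal.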
=====================================
devel/hacking.adoc
=====================================
@@ -177,11 +177,13 @@ Random isn't cryptographically secure. secure is.
=== Other Packages
We depend on the host distro to provide OpenSSL.
-NTS-KE (key exchange) uses TLS-1.2 or 1.3.
+NTS-KE (key exchange) requires TLSv1.3 or newer.
+That means OpenSSL version 1.1.1 or newer.
Shared key authentication uses their crypto package.
We also use their RAND_bytes().
Note that OpenSSL 1.0.1 is no longer supported. 2020-Feb-17
+Note that OpenSSL 1.1.0 is no longer supported. 2020-Mar-12
We also use waf, libaes_siv, and unity but we have local copies
rather than depending the host distro to provide them.
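Review bot: "+That means OpenSSL version 1.1.1 or newer." understates the requirement that the new wafhelpers/openssl.py check enforces, which rejects everything up to and including 1.1.1a; say "1.1.1b or newer" here so the docs and the configure-time error agree. The unchanged context line "depending the host distro" also wants "depending on".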
=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -4,7 +4,7 @@ The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
[[nts]]
-+nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphers+ _name_] [+tlsciphersuites+ _name_]
++nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_]
The options are as follows:
@@ -45,10 +45,6 @@ The options are as follows:
testing. Format is as for +mintls+.
// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
-+tlsciphers+ _string_::
- An OpenSSL cipher list to configure the allowed ciphers for TLS
- versions up to and including TLS 1.2. A single NULL cipher disables
- encryption and use of certificates.
+tlsciphersuites+ _string_::
An OpenSSL ciphersuite list to configure the allowed ciphersuites for
=====================================
include/ntpd.h
=====================================
@@ -456,4 +456,10 @@ bool nts_probe(struct peer *peer);
bool nts_check(struct peer *peer);
void nts_timer(void);
+/* ntp_sandbox.c */
+#ifdef HAVE_SECCOMP_H
+void setup_SIGSYS_trap(void);
+#endif
+
+
#endif /* GUARD_NTPD_H */
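Review bot: two blank lines before the closing "#endif /* GUARD_NTPD_H */" is one more than the surrounding file uses; drop one. The HAVE_SECCOMP_H guard on the prototype matches the guards at both call sites in ntp_dns.c and nts_server.c, so the linkage is consistent.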
=====================================
include/nts.h
=====================================
@@ -133,16 +133,15 @@ struct ntspacket_t {
/* Configuration data for an NTS server or client instance */
struct ntsconfig_t {
- bool ntsenable; /* enable NTS KE server on this ntpd */
+ bool ntsenable; /* enable NTS KE server on this ntpd */
const char * mintls; /* minimum TLS version allowed */
const char * maxtls; /* maximum TLS version allowed */
- const char *tlsciphers; /* allowed TLS 1.2 ciphers */
const char *tlsciphersuites;/* allowed TLS 1.3 ciphersuites */
- const char *cert; /* file holding server certificate key */
- const char *key; /* file holding server private key */
+ const char *cert; /* file holding server certificate key */
+ const char *key; /* file holding server private key */
const char *KI; /* file holding K/I for making cookies */
const char *ca; /* root cert dir/file */
- const char *aead; /* AEAD algorithms on wire */
+ const char *aead; /* AEAD algorithms on wire */
};
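Review bot: apart from "- const char *tlsciphers;" this hunk is whitespace-only re-alignment of the trailing comments on ntsenable, cert, key and aead; keep the functional removal and the reindent in separate commits so blame on these fields stays useful. The surviving "/* allowed TLS 1.3 ciphersuites */" comment is now the only cipher knob and is accurate.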
=====================================
ntpd/keyword-gen.c
=====================================
@@ -207,7 +207,6 @@ struct key_tok ntp_keywords[] = {
{ "ca", T_Ca, FOLLBY_TOKEN },
{ "mintls", T_Mintls, FOLLBY_TOKEN },
{ "maxtls", T_Maxtls, FOLLBY_TOKEN },
-{ "tlsciphers", T_Tlsciphers, FOLLBY_STRING },
{ "tlsciphersuites", T_Tlsciphersuites, FOLLBY_STRING },
};
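Review bot: deleting the "tlsciphers" entry turns any existing configuration that still uses the keyword into a parse error with no hint why; consider keeping the token for one release and having config_nts() log that it is obsolete, since the NEWS entry only reaches people who read it. The changed-files list does not include the parser grammar, so T_Tlsciphers is presumably still declared there; check for leftovers and, if the keyword table is checked in rather than generated at build time, regenerate it.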
=====================================
ntpd/ntp_config.c
=====================================
@@ -2035,10 +2035,6 @@ config_nts(
ntsconfig.mintls = estrdup(nts->value.s);
break;
- case T_Tlsciphers:
- ntsconfig.tlsciphers = estrdup(nts->value.s);
- break;
-
case T_Tlsciphersuites:
ntsconfig.tlsciphersuites = estrdup(nts->value.s);
break;
=====================================
ntpd/ntp_dns.c
=====================================
@@ -166,6 +166,10 @@ static void* dns_lookup(void* arg)
struct peer *pp = (struct peer *) arg;
struct addrinfo hints;
+#ifdef HAVE_SECCOMP_H
+ setup_SIGSYS_trap(); /* enable trap for this thread */
+#endif
+
#ifdef HAVE_RES_INIT
/* Reload DNS servers from /etc/resolv.conf in case DHCP has updated it.
* We only need to do this occasionally, but it's not expensive
=====================================
ntpd/ntp_loopfilter.c
=====================================
@@ -175,12 +175,6 @@ static double sys_mindly; /* huff-n'-puff filter min delay */
/* Emacs cc-mode goes nuts if we split the next line... */
#define MOD_BITS (MOD_OFFSET | MOD_MAXERROR | MOD_ESTERROR | \
MOD_STATUS | MOD_TIMECONST)
-#ifdef SIGSYS
-static void pll_trap (int); /* configuration trap */
-static struct sigaction sigsys; /* current sigaction status */
-static struct sigaction newsigsys; /* new sigaction status */
-static sigjmp_buf env; /* environment var. for pll_trap() */
-#endif /* SIGSYS */
static void
sync_status(const char *what, int ostatus, int nstatus) {
@@ -1066,34 +1060,9 @@ start_kern_loop(void)
ntv.maxerror = sys_maxdisp;
ntv.esterror = sys_maxdisp;
ntv.constant = clkstate.sys_poll; /* why is it that here constant is unconditionally set to sys_poll, whereas elsewhere is is modified depending on nanosecond vs. microsecond kernel? */
-#ifdef SIGSYS
- /*
- * Use sigsetjmp() to save state and then call ntp_adjtime(); if
- * it fails, then pll_trap() will set pll_control false before
- * returning control using siglogjmp().
- */
- newsigsys.sa_handler = pll_trap;
- newsigsys.sa_flags = 0;
- if (sigaction(SIGSYS, &newsigsys, &sigsys)) {
- msyslog(LOG_ERR, "ERR: sigaction() trap SIGSYS: %s", strerror(errno));
- clock_ctl.pll_control = false;
- } else {
- if (sigsetjmp(env, 1) == 0) {
- if ((ntp_adj_ret = ntp_adjtime_ns(&ntv)) != 0) {
- ntp_adjtime_error_handler(__func__, &ntv, ntp_adj_ret, errno, false, false, __LINE__ - 1);
- }
- }
- if (sigaction(SIGSYS, &sigsys, NULL)) {
- msyslog(LOG_ERR,
- "ERR: sigaction() restore SIGSYS: %s", strerror(errno));
- clock_ctl.pll_control = false;
- }
- }
-#else /* SIGSYS */
if ((ntp_adj_ret = ntp_adjtime_ns(&ntv)) != 0) {
ntp_adjtime_error_handler(__func__, &ntv, ntp_adj_ret, errno, false, false, __LINE__ - 1);
}
-#endif /* SIGSYS */
/*
* Save the result status and light up an external clock
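Review bot: with the sigsetjmp/SIGSYS fallback gone, a failed ntp_adjtime_ns() call no longer clears clock_ctl.pll_control on its own; confirm that ntp_adjtime_error_handler() still sets pll_control = false for ENOSYS/EPERM so a kernel without the syscall degrades the way it did before. The "__LINE__ - 1" argument on the surviving call remains correct because the call sits on the preceding line.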
@@ -1311,23 +1280,3 @@ loop_config(
}
}
-
-#if defined(SIGSYS)
-/*
- * _trap - trap processor for undefined syscalls
- *
- * This nugget is called by the kernel when the SYS_ntp_adjtime()
- * syscall bombs because the silly thing has not been implemented in
- * the kernel. In this case the phase-lock loop is emulated by
- * the stock adjtime() syscall and a lot of indelicate abuse.
- */
-static void
-pll_trap(
- int arg
- )
-{
- UNUSED_ARG(arg);
- clock_ctl.pll_control = false;
- siglongjmp(env, 1);
-}
-#endif /* SIGSYS */
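Review bot: with pll_trap() and the sigjmp_buf gone, the top of this file very likely still carries a "#include <setjmp.h>" and possibly a SIGSYS mention in the file-level comment; the hunks here only touch the declarations and the function, so those should be cleaned up in the same commit.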
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -13,6 +13,7 @@
#include <errno.h>
#include <signal.h>
+#include "ntpd.h"
#include "ntp_assert.h"
#ifdef ENABLE_DROPROOT
@@ -272,7 +273,7 @@ getgroup:
#endif
scmp_filter_ctx ctx = seccomp_init(MY_SCMP_ACT);
- signal_no_reset1(SIGSYS, catchTrap);
+ setup_SIGSYS_trap();
if (NULL == ctx) {
msyslog(LOG_ERR, "INIT: sandbox: seccomp_init() failed: %s", strerror(errno));
@@ -477,6 +478,13 @@ int scmp_sc[] = {
}
#ifdef HAVE_SECCOMP_H
+
+/* New threads default to kill on SIGSYS */
+void setup_SIGSYS_trap(void) {
+ signal_no_reset1(SIGSYS, catchTrap);
+}
+
+
/*
* catchTrap - get here if something missing from list above
* (or a bad guy finds a way in)
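Review bot: the comment "/* New threads default to kill on SIGSYS */" does not describe what the function does, and the premise needs checking: sigaction() dispositions are per-process, so a handler installed once in the main thread already applies to every thread, including ones created later. What is per-thread is the seccomp filter itself, which a thread inherits only if it is created after the filter is loaded. If the extra calls in ntp_dns.c and nts_ke_listener() were added to fix an observed kill, record the cause here (a thread started before the filter, or something resetting the handler); if not, the single call in the sandbox setup is enough. Also drop one of the two blank lines after the function.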
=====================================
ntpd/nts.c
=====================================
@@ -33,7 +33,6 @@ struct ntsconfig_t ntsconfig = {
.ntsenable = false,
.mintls = NULL,
.maxtls = NULL,
- .tlsciphers = NULL,
.tlsciphersuites = NULL,
.cert = NULL,
.key = NULL,
@@ -75,27 +74,21 @@ void nts_init2(void) {
}
}
-/* There are 3 cases:
- * 1: old, log build version
- * 2: new, match, log version
- * 3: new, mismatch, log both build and run
+/* There are 2 cases:
+ * 1: match, log version
+ * 2: mismatch, log both build and run
*/
void nts_log_version(void) {
unsigned long buildVersion = OPENSSL_VERSION_NUMBER;
-#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
- /* Case 1 */
- msyslog(LOG_INFO, "INIT: %s, %lx",
- OPENSSL_VERSION_TEXT, buildVersion);
-#else
const char * text = OpenSSL_version(OPENSSL_VERSION);
bool match = (buildVersion == OpenSSL_version_num()) &&
(0 == strcmp(OPENSSL_VERSION_TEXT, text));
if (match) {
- /* Case 2 */
+ /* Case 1 */
msyslog(LOG_INFO, "INIT: %s, %lx",
OPENSSL_VERSION_TEXT, buildVersion);
} else {
- /* Case 3 */
+ /* Case 2 */
msyslog(LOG_INFO, "INIT: Built with %s, %lx",
OPENSSL_VERSION_TEXT, buildVersion);
msyslog(LOG_INFO, "INIT: Running with %s, %lx",
@@ -106,7 +99,6 @@ void nts_log_version(void) {
exit(1);
}
}
-#endif
}
/*****************************************************/
@@ -123,17 +115,10 @@ int nts_translate_version(const char *arg) {
if (NULL == arg) {
return 0;
}
- if (0 == strcmp(arg, "TLS1.2"))
- return TLS1_2_VERSION;
if (0 == strcmp(arg, "TLS1.3")) {
-#ifdef TLS1_3_VERSION
return TLS1_3_VERSION;
-#else
- msyslog(LOG_ERR, "NTS: TLS1.3 not supported by this version of OpenSSL.");
- return -1;
-#endif
}
- msyslog(LOG_ERR, "NTS: unrecognized version string: %s.", arg);
+ msyslog(LOG_ERR, "NTS: TLS unrecognized version string: %s.", arg);
return -1;
}
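Review bot: the new message "NTS: TLS unrecognized version string: %s." reads oddly; "NTS: unrecognized TLS version string: %s" is clearer. Since "TLS1.2" was a valid value until this commit, this message is what anyone with an old mintls/maxtls line will see, so name the accepted value ("only TLS1.3 is supported") to make the upgrade path obvious.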
@@ -174,25 +159,9 @@ bool nts_load_versions(SSL_CTX *ctx) {
maxver = nts_translate_version(ntsconfig.maxtls);
if ((-1 == minver) || (-1 == maxver))
return false;
-#if (OPENSSL_VERSION_NUMBER == 0x1010101fL)
- if (0 == maxver) {
- msyslog(LOG_INFO, "NTS: Using TLS1.2 to avoid bug in OpenSSL 1.1.1a.");
- maxver = TLS1_2_VERSION;
- }
-#endif
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
- if(0 == minver) minver = TLS1_2_VERSION; // 3.
+ if(0 == minver) minver = TLS1_3_VERSION; // 3.
SSL_CTX_set_min_proto_version(ctx, minver);
SSL_CTX_set_max_proto_version(ctx, maxver);
-#else
- /* TLS 1.2 was added in 1.0.1, 14 Mar 2012
- * HGM hasn't seen anything older. 2019-Oct-26
- * versions older than 1.1.0 don't support min/max version requests.
- * That's OK, since we don't want anything older than 1.2 and
- * they don't support anything newer. */
-#define NO_OLD_VERSIONS SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1|SSL_OP_NO_TLSv1_1
- SSL_CTX_set_options(ctx, NO_OLD_VERSIONS);
-#endif
return true;
}
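Review bot: after this change nts_translate_version() can only return 0 or TLS1_3_VERSION, so minver is always forced to TLS1_3_VERSION and the only thing maxtls can do is pin the same value; the mintls/maxtls keywords are effectively no-ops until a newer TLS version exists. Either say so in nts-commands.adoc or consider retiring them alongside tlsciphers. The trailing "// 3." comment on the minver line refers to a numbered list that is not in this file; spell out the reference or drop it.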
@@ -202,25 +171,13 @@ bool nts_load_ciphers(SSL_CTX *ctx) {
* the ciphers to see what it took.
* We could make a dummy SSL, read the list, then free it.
*/
- if (NULL != ntsconfig.tlsciphers) {
- if (1 != SSL_CTX_set_cipher_list(ctx, ntsconfig.tlsciphers)) {
- msyslog(LOG_ERR, "NTS: troubles setting ciphers.");
- return false;
- } else {
- msyslog(LOG_INFO, "NTS: set ciphers.");
- }
- }
if (NULL != ntsconfig.tlsciphersuites) {
-#ifdef TLS1_3_VERSION
if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
return false;
} else {
msyslog(LOG_INFO, "NTS: set ciphersuites.");
}
-#else
- msyslog(LOG_ERR, "NTS: ciphersuites not supported on this version of OpenSSL.");
-#endif
}
return true;
}
=====================================
ntpd/nts_client.c
=====================================
@@ -213,12 +213,7 @@ SSL_CTX* make_ssl_client_ctx(const char * filename) {
bool ok = true;
SSL_CTX *ctx;
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
ctx = SSL_CTX_new(TLS_client_method());
-#else
- // OpenSSL_add_all_ciphers(); // Maybe was needed on NetBSD ??
- ctx = SSL_CTX_new(TLSv1_2_client_method());
-#endif
if (NULL == ctx) {
/* Happens if no ciphers */
msyslog(LOG_ERR, "NTSc: NULL ctx");
@@ -226,13 +221,11 @@ SSL_CTX* make_ssl_client_ctx(const char * filename) {
return NULL;
}
-#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
{
// 4., ALPN, RFC 7301
static unsigned char alpn [] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
SSL_CTX_set_alpn_protos(ctx, alpn, sizeof(alpn));
}
-#endif
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_timeout(ctx, NTS_KE_TIMEOUT); /* session lifetime */
@@ -406,28 +399,10 @@ void set_hostname(SSL *ssl, struct peer *peer, const char *hostname) {
}
// https://wiki.openssl.org/index.php/Hostname_validation
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
UNUSED_ARG(peer);
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS);
SSL_set1_host(ssl, host);
msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
-#elif (OPENSSL_VERSION_NUMBER > 0x1000200fL)
- if (FLAG_NTS_NOVAL & peer->cfg.flags)
- return;
- { /* enable automatic hostname checks */
- X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
- X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_WILDCARDS);
- if (1 != X509_VERIFY_PARAM_set1_host(param, host, strlen(host))) {
- msyslog(LOG_ERR, "NTSc: troubles setting hostflags");
- }
- SSL_set_verify(ssl, SSL_VERIFY_PEER, NULL);
- }
-#else
- /* Versions prior to 1.0.2 did not perform hostname validation */
- UNUSED_ARG(ssl);
- UNUSED_ARG(peer);
- msyslog(LOG_ERR, "NTSc: can't check hostname/certificate");
-#endif
}
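Review bot: with the 1.0.2 branch removed, "UNUSED_ARG(peer);" is the only use of peer in set_hostname(), and the FLAG_NTS_NOVAL early return that lived in the deleted branch was never reached on the surviving path, so behaviour is unchanged; consider dropping the peer parameter from the signature and its callers rather than keeping a dead argument.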
@@ -468,17 +443,10 @@ bool check_certificate(SSL *ssl, struct peer* peer) {
bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
UNUSED_ARG(peer);
-#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
const unsigned char *data;
unsigned int len;
SSL_get0_alpn_selected(ssl, &data, &len);
if (0 == len) {
- /* This happens when talking to old/TLSv1.2 systems. */
- if (TLS1_2_VERSION == SSL_version(ssl)) {
- msyslog(LOG_DEBUG, "NTSc: No ALPN from %s, TLSv1.2",
- hostname);
- return true;
- }
msyslog(LOG_DEBUG, "NTSc: No ALPN from %s (%s)",
hostname, SSL_get_version(ssl));
return false;
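Review bot: removing the TLS1_2_VERSION special case makes a missing ALPN selection an unconditional failure, which is the right outcome now that TLSv1.2 peers are rejected anyway; but the only trace of it is a LOG_DEBUG line, so an operator whose server negotiated TLSv1.3 and sent no ALPN will see a silent NTS-KE failure at default log levels. Consider LOG_INFO for the "No ALPN from %s (%s)" message, or counting it in the existing nts_ke_probes_bad style statistics.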
@@ -505,10 +473,6 @@ bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
}
msyslog(LOG_DEBUG, "NTSc: Good ALPN from %s", hostname);
-#else
- UNUSED_ARG(ssl);
- UNUSED_ARG(hostname);
-#endif
return true;
}
=====================================
ntpd/nts_server.c
=====================================
@@ -17,10 +17,6 @@
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509.h>
-/* Old OpenSSL 1.0.2 doesn't have sslerr.h */
-#ifndef SSL_R_WRONG_VERSION_NUMBER
-#include <openssl/sslerr.h>
-#endif
#include "ntp.h"
#include "ntpd.h"
@@ -58,7 +54,6 @@ uint64_t nts_ke_serves_bad = 0;
uint64_t nts_ke_probes_good = 0;
uint64_t nts_ke_probes_bad = 0;
-#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
static int alpn_select_cb(SSL *ssl,
const unsigned char **out,
unsigned char *outlen,
@@ -92,7 +87,6 @@ static int alpn_select_cb(SSL *ssl,
return SSL_TLSEXT_ERR_NOACK;
}
-#endif
bool nts_server_init(void) {
bool ok = true;
@@ -100,12 +94,7 @@ bool nts_server_init(void) {
msyslog(LOG_INFO, "NTSs: starting NTS-KE server listening on port %d",
NTS_KE_PORT);
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
server_ctx = SSL_CTX_new(TLS_server_method());
-#else
- // OpenSSL_add_all_ciphers(); // maybe was needed on NetBSD ??
- server_ctx = SSL_CTX_new(TLSv1_2_server_method());
-#endif
if (NULL == server_ctx) {
/* Happens if no ciphers */
msyslog(LOG_INFO, "NTSs: NULL server_ctx");
@@ -113,10 +102,7 @@ bool nts_server_init(void) {
return false;
}
-#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
SSL_CTX_set_alpn_select_cb(server_ctx, alpn_select_cb, NULL);
-#endif
-
SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
SSL_CTX_set_timeout(server_ctx, NTS_KE_TIMEOUT); /* session lifetime */
@@ -131,10 +117,8 @@ bool nts_server_init(void) {
return false;
};
-#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
msyslog(LOG_INFO, "NTSs: OpenSSL security level is %d",
SSL_CTX_get_security_level(server_ctx));
-#endif
ok &= create_listener4(NTS_KE_PORT);
ok &= create_listener6(NTS_KE_PORT);
@@ -211,6 +195,10 @@ void* nts_ke_listener(void* arg) {
char addrbuf[100];
char usingbuf[100];
+#ifdef HAVE_SECCOMP_H
+ setup_SIGSYS_trap(); /* enable trap for this thread */
+#endif
+
while(1) {
sockaddr_u addr;
socklen_t len = sizeof(addr);
@@ -310,6 +298,8 @@ void nts_ke_accept_fail(char* addrbuf, double sec) {
msg = "http request";
if (ERR_LIB_SSL == lib && SSL_R_NO_SHARED_CIPHER == reason)
msg = "no shared cipher";
+ if (ERR_LIB_SSL == lib && SSL_R_UNSUPPORTED_PROTOCOL == reason)
+ msg = "unsupported protocol (TLSv1.2?)";
if (NULL == msg) {
msyslog(LOG_INFO, "NTSs: SSL accept from %s failed, took %.3f sec",
addrbuf, sec);
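Review bot: SSL_R_UNSUPPORTED_PROTOCOL is also what OpenSSL reports for SSLv3, TLSv1.0 and TLSv1.1 clients, so "unsupported protocol (TLSv1.2?)" is a guess; "client too old, no TLSv1.3" states the actual condition without speculating. The two added lines otherwise follow the existing lib/reason pattern exactly, so the short-circuit logging path is fine.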
=====================================
tests/ntpd/nts.c
=====================================
@@ -16,12 +16,7 @@ TEST_TEAR_DOWN(nts) {}
TEST(nts, nts_translate_version) {
TEST_ASSERT_EQUAL_INT32(0, nts_translate_version(NULL));
- TEST_ASSERT_EQUAL_INT32(TLS1_2_VERSION, nts_translate_version("TLS1.2"));
-#ifdef TLS1_3_VERSION
TEST_ASSERT_EQUAL_INT32(TLS1_3_VERSION, nts_translate_version("TLS1.3"));
-#else
- TEST_ASSERT_EQUAL_INT32(-1, nts_translate_version("TLS1.3"));
-#endif
TEST_ASSERT_EQUAL_INT32(-1, nts_translate_version("blah"));
}
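Review bot: the behaviour change of this push is that "TLS1.2" is no longer accepted, so the test should assert it: replace the deleted TLS1_2_VERSION line with TEST_ASSERT_EQUAL_INT32(-1, nts_translate_version("TLS1.2")); rather than only covering "blah".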
=====================================
tests/ntpd/nts_client.c
=====================================
@@ -260,6 +260,13 @@ TEST(nts_client, nts_client_process_response_core) {
}
/* Hacks to keep linker happy */
+
+#ifdef HAVE_SECCOMP_H
+void setup_SIGSYS_trap(void) {
+ return; /* dummy to keep linker happy */
+}
+#endif
+
void dns_take_server(struct peer *a, sockaddr_u *b) {
UNUSED_ARG(a);
UNUSED_ARG(b);
=====================================
wafhelpers/openssl.py
=====================================
@@ -0,0 +1,22 @@
+SNIP_OPENSSL_VERSION_CHECK = """
+#include <openssl/opensslv.h>
+
+#if OPENSSL_VERSION_NUMBER <= 0x1010101fL
+#error OpenSSL must be at least 1.1.1b
+#error 1.1.1 needed for TLSv1.3
+#error 1.1.1a has a fatal bug
+#endif
+
+int main(void) {
+ return 0;
+}
+"""
+
+
+def check_SSL_version(ctx):
+ ctx.check_cc(
+ comment="OpenSSL support",
+ fragment=SNIP_OPENSSL_VERSION_CHECK,
+ includes=ctx.env.PLATFORM_INCLUDES,
+ msg="Checking for OpenSSL > 1.1.1a",
+ )
=====================================
wscript
=====================================
@@ -817,6 +817,10 @@ int main(int argc, char **argv) {
msg("WARNING: This system has a 32-bit time_t.")
msg("WARNING: Your ntpd will fail on 2038-01-19T03:14:07Z.")
+ # We need TLS 1.3 which isn't supported by older versions of OpenSSL
+ from wafhelpers.openssl import check_SSL_version
+ check_SSL_version(ctx)
+
# before write_config()
droproot_type = ""
if ctx.is_defined("HAVE_LINUX_CAPABILITY"):
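Review bot: the "from wafhelpers.openssl import check_SSL_version" import sits in the middle of the configure step between two unrelated checks; if the other wafhelpers imports live at the top of wscript, move this one there too. The comment should also say that the check hard-fails configure (check_cc is mandatory by default), so nobody expects a mere warning for an old OpenSSL.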
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/9cecf01e72d9c9777f42b706a8cb98f6e75a5190...c54926b0fb1f819d3830b46a4a76f0c6d796158f