[Git][NTPsec/ntpsec][master] 4 commits: Tweak certificate printout to include SAN:DNS

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Mon Aug 1 09:42:33 UTC 2022



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
c0c6ac09 by Hal Murray at 2022-07-17T07:03:44-07:00
Tweak certificate printout to include SAN:DNS

- - - - -
26ba857f by Hal Murray at 2022-07-24T15:01:11-07:00
Change refid from DNS to DNS4/DNS6 when DNS works.

You will see them in ntpq -p after DNS works until NTP works.

Same for NTS4 and NTS6.

- - - - -
a5f6bf40 by Hal Murray at 2022-07-24T17:12:10-07:00
Partial fix for #707

Needs more work.  There are 3 types of NTPv1 requests.
  mode == 0 (unspecified)  This is what the RFC calls for.
  mode == Client           Nonstandard, but works.
  mode == sym-active       I don't understand this case.

- - - - -
d0915e05 by Hal Murray at 2022-07-30T20:59:53-07:00
rawstats cleanup, fix #733

It now logs packets that are not used, with their BOGON code.
This lets you see packets that take too long.

- - - - -


8 changed files:

- NEWS.adoc
- docs/decode.adoc
- docs/includes/mon-commands.adoc
- include/ntp.h
- include/ntpd.h
- ntpd/ntp_proto.c
- ntpd/ntp_util.c
- ntpd/nts_client.c


Changes:

=====================================
NEWS.adoc
=====================================
@@ -12,6 +12,13 @@ on user-visible changes.
 
 == Reposatory Head ==
 
+rawstats now logs dropped packets and their BOGON code
+  Only one per request to avoid DoSing the log file
+  This lets you see packets that take too long.
+
+Add 4 or 6 to DNS/NTS RefID tags to indicate that the
+DNS or NTS-KE has succeeded but NTP has not worked yet.
+
 Add --enable-attic (default off)
 
 Works with OpenSSL 3.0


=====================================
docs/decode.adoc
=====================================
@@ -244,6 +244,7 @@ It consists of a number of bits coded in hexadecimal as follows:
 | +0400+ | BOGON11 | +peer_dist+    | distance threshold exceeded
 | +0800+ | BOGON12 | +peer_loop+    | synchronization loop
 | +1000+ | BOGON13 | +peer_unreach+ | unreachable or nonselect
+| +2000+ | BOGON14 | +pkt_oldpkt+   | response took too long
 |==============================================================================
 
 The "Tag" field is the name the source code uses for the status bit.
@@ -266,8 +267,13 @@ and implementation.  Following is the current list:
 | +RATE+ | rate exceeded
 | +TIME+ | association timeout
 | +STEP+ | step time change
-| +DNS+  | DNS lookup in progress
-| +NTS+  | NTS key exchange in progress
+| +DNS+  | Waiting for DNS lookup
+| +DNS4+, +DNS6+  | DNS lookup succeeded, no NTP response yet
+| +NTS+  | Waiting for NTS key exchange
+| +NTS4+, +NTS6+  | NTS-KE succeeded, no NTP response yet
 |==================================================================
 
+The +4+ or +6+ in the 4th position indicates that the +DNS+ or +NTS-KE+
+resulted in an +IPv4+ or +IPv6+ address.
+
 include::includes/footer.adoc[]


=====================================
docs/includes/mon-commands.adoc
=====================================
@@ -119,42 +119,48 @@ show the offset, delay, dispersion and RMS jitter, all in seconds.
     form to the file generation set named _rawstats_:
 +
 ---------------------------------------------------------------------------------
-56285 54575.160 128.4.1.1 192.168.1.5 3565350574.400229473
-    3565350574.442385200 3565350574.442436000
-    3565350575.154505763 0 4 4 1 8 -21 0.000000 0.000320
-    PPS 0
+59786 36302.768 2610:20:6f15:15::27 2604:a880:1:20::17:5001 3867818701.119346355 3867818701.152009264 3867818701.152010426 3867818702.768490825 0 3 4 1 13 -29 0.000244 0.000488 .NIST. 0 1 2000
 ---------------------------------------------------------------------------------
 +
 [width="100%"]
 |==============================================================================
 |Item                |Units                             |Description
-|56285               |MJD                               |date
-|54575.160           |s                                 |time past midnight
-|128.4.1.1           |IP                                |source address
-|192.168.1.5         |IP                                |destination address
-|3565350574.400229473|NTP s                             |origin timestamp
-|3565350574.442385200|NTP s                             |receive timestamp
-|3565350574.442436000|NTP s                             |transmit timestamp
-|3565350575.154505763|NTP s                             |destination timestamp
+|59786               |MJD                               |date
+|36302.768           |s                                 |time past midnight
+|2610:20:6f15:15::27 |IP                                |source address
+|2604:a880:1:20::17:5001 |IP                            |destination address
+|3867818701.119346355|NTP s                             |origin timestamp
+|3867818701.152009264|NTP s                             |receive timestamp
+|3867818701.152010426|NTP s                             |transmit timestamp
+|3867818702.768490825|NTP s                             |destination timestamp
 |0                   |0: OK, 1: insert pending, 2: delete pending, 3: not synced  |leap warning indicator
-|4                   |4 was current in 2012             |NTP version
+|3                   |4 was current in 2012             |NTP version
 |4                   |3: client, 4: server, 6: ntpq     |mode
 |1                   |1-15, 16: not synced              |stratum
-|8                   |log~2~ seconds                    |poll
-|-21                 |log~2~ seconds                    |precision
-|0.000000            |seconds                           |total roundtrip delay from the remote server to the primary reference clock
-|0.000320            |seconds                           |total dispersion from the remote server to the primary reference clock
-|.PPS.               |IP or text                        |refid, association ID
+|13                  |log~2~ seconds                    |poll
+|-29                 |log~2~ seconds                    |precision
+|0.000244            |seconds                           |total roundtrip delay from the remote server to the primary reference clock
+|0.000488            |seconds                           |total dispersion from the remote server to the primary reference clock
+|.NIST.              |IP or text                        |refid, association ID
 | 0                  |integer                           |lost packets since last response
+| 1                  |integer                           |dropped packets since last request
+| 2000               |hex integer                       |0 if packet accecpted, BOGON flag if packet is discarded
 |==============================================================================
 +
 The first two fields show the date (Modified Julian Day) and time
 (seconds and fraction past UTC midnight). The next two fields show
-the remote peer or clock identification followed by the local address in
-dotted-quad notation. The final four fields show the originate,
+the remote IP Address followed by the local address.
+The next four fields show the originate,
 receive, transmit and final NTP timestamps in order. The timestamp
 values are as received and before processing by the various data
 smoothing and mitigation algorithms.
++
+A packet that is accecpted is logged.
+At most the first dropped packet per request is logged.
+That avoids DDoSing the log file.
++
+The BOGON flags are decoded link:decode.html#flash[here].
+
 +
   +sysstats+;;
     Enables recording of ntpd statistics counters on a periodic basis.
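Review bot: "accecpted" is misspelled twice in this hunk, in the new table row `| 2000 | hex integer | 0 if packet accecpted, BOGON flag if packet is discarded` and in the paragraph "A packet that is accecpted is logged."; both should read "accepted". The same paragraph says "DDoSing the log file" while the NEWS entry in this push says "DoSing"; pick one term. Also "the remote IP Address" should be "the remote IP address", and since the new example line is a rejected packet (last field 2000, BOGON14), the paragraph could say so explicitly so readers do not take a BOGON14 line as the normal case.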


=====================================
include/ntp.h
=====================================
@@ -60,7 +60,7 @@ void ntp_RAND_priv_bytes(unsigned char *buf, int num);
  * NTP protocol parameters.  See section 3.2.6 of the specification.
  */
 #define	NTP_VERSION	4	/* current version number */
-#define	NTP_OLDVERSION	2 	/* oldest credible version */
+#define	NTP_OLDVERSION	1 	/* oldest credible version: see #707 */
 #define	NTP_PORT	123	/* included for non-unix machines */
 #define	NTP_PORTA	"123"	/* or unix without /etc/services */
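Review bot: lowering NTP_OLDVERSION from 2 to 1 admits NTPv1 traffic into code paths written for v3/v4, and the commit message itself says this is partial and that the sym-active case is not understood. A short comment here (or a FIXME pointing at #707) listing the three NTPv1 request forms from the commit message, and which of them the server is meant to answer, would tell the next reader what is and is not covered by this one-line change.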
 
@@ -210,15 +210,16 @@ struct peer_ctl {
 #define BOGON5		0x0010	/* bad authentication */
 #define BOGON6		0x0020	/* bad synch or stratum */
 #define BOGON7		0x0040	/* bad header */
-#define BOGON8		0x0080  /* bad autokey */
-#define BOGON9		0x0100	/* bad crypto */
+#define BOGON8x		0x0080  /* bad autokey -- not used */
+#define BOGON9x		0x0100	/* bad crypto -- not used */
+#define BOGON14		0x2000	/* response took too long */
 #define	PKT_BOGON_MASK	(BOGON1 | BOGON2 | BOGON3 | BOGON4 | BOGON5 |\
-			BOGON6 | BOGON7 | BOGON8 | BOGON9)
+			BOGON6 | BOGON7 | BOGON14)
 /*
  * Peer errors
  */
 #define BOGON10		0x0200	/* peer bad synch or stratum */
-#define	BOGON11		0x0400	/* peer distance exceeded */
+#define BOGON11		0x0400	/* peer distance exceeded */
 #define BOGON12		0x0800	/* peer synchronization loop */
 #define BOGON13		0x1000	/* peer unreacable */
 #define	PEER_BOGON_MASK	(BOGON10 | BOGON11 | BOGON12 | BOGON13)
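Review bot: renaming BOGON8 and BOGON9 to BOGON8x/BOGON9x keeps two identifiers nothing uses; if they stay only as documentation, add a comment that 0x0080 and 0x0100 are retired and must not be reused, so a future bit is not allocated on top of values older log readers still decode. The decode.adoc table rows for 0080 and 0100 are outside this diff and should be marked "not used" to match. The `#define BOGON11` change is whitespace only and adds noise to the hunk.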
@@ -310,12 +311,15 @@ struct peer {
 	double	jitter;		/* peer jitter (squares) */
 	double	disp;		/* peer dispersion */
 
+	unsigned int   outcount;    /* packets sent without reply */
+	unsigned int   bogons;      /* bogus packets recvd since last xmit */
+
+	unsigned long	update;     /* receive epoch */
 	/*
 	 * End of clear-to-zero area
 	 */
-	unsigned int   outcount;       /* packets sent without reply */
-	unsigned long	update;		/* receive epoch */
 #define end_clear_to_zero update
+
 	int	unreach;	/* watchdog counter */
 	int	throttle;	/* rate control */
 	uptime_t	outdate;	/* send time last packet */
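Review bot: moving `outcount` and `update` above the "End of clear-to-zero area" comment changes behaviour, not just layout: `outcount` is now zeroed wherever the peer is cleared, and handle_procpkt (later in this push) rejects a reply with BOGON1 whenever `outcount == 0`, so a clear that lands between transmit and reply now discards that reply. Please confirm that is intended, and state in the comment whether `end_clear_to_zero` is inclusive or exclusive of `update`, since that decides whether `update` was already being cleared before this move.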


=====================================
include/ntpd.h
=====================================
@@ -223,11 +223,12 @@ extern	void	record_loop_stats (double, double, double, double, int);
 extern	void	record_clock_stats (struct peer *, const char *);
 extern	int	mprintf_clock_stats(struct peer *, const char *, ...)
 			NTP_PRINTF(2, 3);
-extern	void	record_raw_stats (struct peer *,
-				  int leap, int version, int mode, int stratum,
-				  int ppoll, int precision, double root_delay,
-				  double root_dispersion, refid_t refid,
-				  unsigned int outcount);
+extern	void	record_raw_stats (
+  struct peer *peer,
+  struct recvbuf *rbufp,
+  unsigned int flag,
+  unsigned int outcount);
+
 extern void record_ref_stats(
     const struct peer *peer,
     int     n,              /* Number of samples */
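Review bot: the new prototype uses two-space indentation where the surrounding declarations use tabs; match the file's style. The `flag` parameter carries meaning (0 for an accepted packet, otherwise the BOGON bit that rejected it, per ntp_util.c in this push) and deserves a comment on the prototype the way record_ref_stats documents `n` just below.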


=====================================
ntpd/ntp_proto.c
=====================================
@@ -315,10 +315,10 @@ parse_packet(
 	rbufp->extens_present = false;
 	rbufp->ntspacket.valid = false;
 
-	if(PKT_VERSION(pkt->li_vn_mode) > 4) {
+	if(PKT_VERSION(pkt->li_vn_mode) > NTP_VERSION) {
 		/* Unsupported version */
 		return false;
-	} else if(PKT_VERSION(pkt->li_vn_mode) == 4) {
+	} else if(PKT_VERSION(pkt->li_vn_mode) == MODE_SERVER) {
 		/* Only version 4 packets support extensions. */
 		/* But they also support shared key authentication. */
 		if (recv_length > (LEN_PKT_NOMAC+MAX_MAC_LEN)) {
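Review bot: `PKT_VERSION(pkt->li_vn_mode) == MODE_SERVER` compares a version number with a mode constant; it only works because MODE_SERVER happens to equal 4. The intended constant, matching the line above and the comment "Only version 4 packets support extensions", is `NTP_VERSION`. As written, a future change to either constant silently breaks extension and MAC-length handling.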
@@ -458,43 +458,73 @@ static bool check_early_restrictions(
 	      PKT_VERSION(rbufp->recv_buffer[0]) != NTP_VERSION));
 }
 
+/* rawstats_filter
+ * Don't print all rejectioned packets or we could get DoSed.
+ * Print the packet we use.
+ * Print the first rejection.
+ *   In particular, we get to see why a response is rejected.
+ *   Took-too-long, BOGON14 is common.
+ *   This lets us see how long it did take.
+ */
+static void rawstats_filter(
+  struct peer *peer,
+  struct recvbuf *rbufp,
+  unsigned int flag,
+  unsigned int outcount) {
+	peer->flash |= flag;
+	peer->bogons += 1;
+	if (peer->bogons > 1) {
+		/* only print one bogon */
+		return;
+	}
+	record_raw_stats(peer, rbufp, flag, outcount);
+#if 0
+	record_raw_stats(peer,
+			 PKT_LEAP(rbufp->pkt.li_vn_mode),
+			 PKT_VERSION(rbufp->pkt.li_vn_mode),
+			 PKT_MODE(rbufp->pkt.li_vn_mode),
+			 PKT_TO_STRATUM(rbufp->pkt.stratum),
+			 rbufp->pkt.ppoll, rbufp->pkt.precision,
+			 rbufp->pkt.rootdelay, rbufp->pkt.rootdisp,
+			 /* FIXME: this cast is disgusting */
+			 *(const uint32_t*)rbufp->pkt.refid,
+			 outcount);
+#endif
+}
 
+/* Handle MODE_SERVER, replies to our requests.
+ * Authentication done upstream.
+ */
 static void
 handle_procpkt(
 	struct recvbuf *rbufp,
 	struct peer *peer
 	)
 {
-	int outcount = peer->outcount;
+	unsigned int outcount = peer->outcount;
 
 	peer->flash &= ~PKT_BOGON_MASK;
 
 	/* Duplicate detection */
 	if(rbufp->pkt.xmt == peer->xmt) {
-		peer->flash |= BOGON1;
+		rawstats_filter(peer, rbufp, BOGON1, outcount);
+		peer->oldpkt++;
+		return;
+	}
+	if(outcount == 0) {
+		rawstats_filter(peer, rbufp, BOGON1, outcount);
 		peer->oldpkt++;
 		return;
 	}
 
 	/* Origin timestamp validation */
-	if(PKT_MODE(rbufp->pkt.li_vn_mode) == MODE_SERVER) {
-		if(outcount == 0) {
-			peer->flash |= BOGON1;
-			peer->oldpkt++;
-			return;
-		}
-		if(rbufp->pkt.org == 0) {
-			peer->flash |= BOGON3;
-			peer->bogusorg++;
-			return;
-		} else if(rbufp->pkt.org != peer->org_rand) {
-			peer->flash |= BOGON2;
-			peer->bogusorg++;
-			return;
-		}
-	} else {
-		/* This case should be unreachable. */
-		stat_proto_total.sys_declined++;
+	if(rbufp->pkt.org == 0) {
+		rawstats_filter(peer, rbufp, BOGON3, outcount);
+		peer->bogusorg++;
+		return;
+	} else if(rbufp->pkt.org != peer->org_rand) {
+		rawstats_filter(peer, rbufp, BOGON2, outcount);
+		peer->bogusorg++;
 		return;
 	}
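Review bot: the `#if 0` block inside rawstats_filter reproduces the old record_raw_stats() call with the old signature and should be deleted rather than left behind; version control keeps it. In the header comment, "rejectioned" should be "rejected". Note also that the removed `else` branch (mode other than MODE_SERVER incrementing `sys_declined`) means that statistic is no longer counted here; the new comment says the caller guarantees MODE_SERVER, so say where that guarantee is enforced (the `case MODE_SERVER` in receive()).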
 
@@ -523,13 +553,13 @@ handle_procpkt(
 	if (PKT_LEAP(rbufp->pkt.li_vn_mode) == LEAP_NOTINSYNC ||
 	    PKT_TO_STRATUM(rbufp->pkt.stratum) < sys_floor ||
 	    PKT_TO_STRATUM(rbufp->pkt.stratum) >= sys_ceiling) {
-		peer->flash |= BOGON6;
+		rawstats_filter(peer, rbufp, BOGON6, outcount);
 		return;
 	}
 
 	if(scalbn((double)rbufp->pkt.rootdelay/2.0 + (double)rbufp->pkt.rootdisp, -16) >=
 	   sys_maxdisp) {
-		peer->flash |= BOGON7;
+		rawstats_filter(peer, rbufp, BOGON7, outcount);
 		return;
 	}
 
@@ -565,9 +595,7 @@ handle_procpkt(
 	   makes the desired security invariant easier to verify.
 	*/
 	if(delta > sys_maxdist) {
-	  peer->flash |= BOGON1; /*XXX we should probably allocate a
-				   new bogon bit here rather than
-				   recycling BOGON1. */
+	  rawstats_filter(peer, rbufp, BOGON14, outcount);
 	  peer->oldpkt++;
 	  return;
 	}
@@ -584,23 +612,8 @@ handle_procpkt(
 	peer->xmt = rbufp->pkt.xmt;
 	peer->dst = rbufp->recv_time;
 
-	record_raw_stats(peer,
-			 /* What we want to be reporting is values in
-			    the packet, not the values in the peer
-			    structure, but when we reach here they're
-			    the same thing. Passing the values in the
-			    peer structure is a convenience, because
-			    they're already in the l_fp format that
-			    record_raw_stats() expects. */
-			 PKT_LEAP(rbufp->pkt.li_vn_mode),
-			 PKT_VERSION(rbufp->pkt.li_vn_mode),
-			 PKT_MODE(rbufp->pkt.li_vn_mode),
-			 PKT_TO_STRATUM(rbufp->pkt.stratum),
-			 rbufp->pkt.ppoll, rbufp->pkt.precision,
-			 rbufp->pkt.rootdelay, rbufp->pkt.rootdisp,
-			 /* FIXME: this cast is disgusting */
-			 *(const uint32_t*)rbufp->pkt.refid,
-			 outcount);
+	/* Record good packet */
+	record_raw_stats(peer, rbufp, 0, outcount);
 
 	/* If either burst mode is armed, enable the burst.
 	 * Compute the headway for the next packet and delay if
@@ -757,6 +770,7 @@ receive(
 		stat_proto_total.sys_processed++;
 		break;
 	    case MODE_SERVER:  /* Reply to our request to a server. */
+/* FIXME: Where is the shared key case tested? */
 		if ((peer->cfg.flags & FLAG_NTS)
 		     && (!rbufp->extens_present
 #ifndef DISABLE_NTS
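Review bot: the FIXME "Where is the shared key case tested?" sits at column 0 and is phrased as an open question; if it is a real gap it belongs in an issue, and the comment should cite it. It also sits next to the new rawstats_filter comment claiming "Authentication done upstream", so the two together leave a reader unsure whether the MAC check for non-NTS peers happens before this point. Name the function that does it, or mark this as unresolved with an issue number.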
@@ -2159,6 +2173,7 @@ peer_xmit(
 
 	peer->sent++;
         peer->outcount++;
+        peer->bogons = 0;
 	peer->throttle += (1 << peer->cfg.minpoll) - 2;
 	DPRINT(1, ("transmit: at %u %s->%s mode %d keyid %08x len %u\n",
 		   current_time, peer->dstadr ?
@@ -2247,6 +2262,13 @@ fast_xmit(
 		 * reftime to make sure the reftime isn't later than
 		 * the transmit/receive times.
 		 */
+		/* Note: This returns the same data for all versions.
+		 * Currently, the mode is always Server.
+		 * The version is copied from the request.
+		 * There are minor differences between v3 and v4.
+		 * So far, nobody cares.
+		 * Note: There is significant v1 traffic.  See #707
+		 */
 		xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_vars.sys_leap,
 		    PKT_VERSION(rbufp->pkt.li_vn_mode), MODE_SERVER);
 		xpkt.stratum = STRATUM_TO_PKT(sys_vars.sys_stratum);
@@ -2366,6 +2388,25 @@ dns_take_server(
 
 	server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
 	server->srcadr = *rmtadr;
+	{ /* HACK: fixup refid to show progress */
+	char tag[REFIDLEN];
+	if (server->cfg.flags & FLAG_NTS) {
+		memcpy(tag, "NTS?", REFIDLEN);
+	} else {
+		memcpy(tag, "DNS?", REFIDLEN);
+	}
+	switch(AF(rmtadr)) {
+	  case AF_INET:
+		tag[REFIDLEN-1] = '4';
+		break;
+	  case AF_INET6:
+		tag[REFIDLEN-1] = '6';
+		break;
+	  default:
+		break;
+	}
+	memcpy(&server->refid, tag, REFIDLEN);
+	}
 	peer_add_hash(server);
 	restrict_source(server);
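Review bot: in the `default:` branch of the switch the placeholder '?' is left in the tag, so an address of an unexpected family would show a refid of "DNS?" or "NTS?", which the decode.adoc table in this push does not list; either fall back to the plain DNS/NTS tag there or document the '?' form. `memcpy(tag, "NTS?", REFIDLEN)` also assumes REFIDLEN is exactly 4. The HACK block would read more clearly as a small static helper such as refid_progress_tag(server, rmtadr) than as a bare brace block inside dns_take_server.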
 


=====================================
ntpd/ntp_util.c
=====================================
@@ -518,46 +518,60 @@ mprintf_clock_stats(
  * source IP address (old format) or drivername(unit) (new format)
  * destination peer address
  * t1 t2 t3 t4 timestamps
- * various other local statistics
+ * various other chunks of the packet
  */
 void
 record_raw_stats(
-	struct peer *peer,
-	int	leap,
-	int	version,
-	int	mode,
-	int	stratum,
-	int	ppoll,
-	int	precision,
-	double	root_delay,	/* seconds */
-	double	root_dispersion,/* seconds */
-	refid_t	refid,
-	unsigned int	outcount
-	)
+  struct peer *peer,
+  struct recvbuf *rbufp,
+  unsigned int flag,
+  unsigned int outcount)
 {
 	struct timespec	now;
 	const sockaddr_u *dstaddr = peer->dstadr ? &peer->dstadr->sin : NULL;
+	/* This lies.  It shows the time we sent it rather than the
+	 * data from the packet which was probably random.
+	 * See data minimization in peer_xmit()
+	 * That's what code processing rawstats expects.
+	 */
 	l_fp	t1 = peer->org_ts;	/* originate timestamp */
-	l_fp	t2 = peer->rec;		/* receive timestamp */
-	l_fp	t3 = peer->xmt;		/* transmit timestamp */
-	l_fp	t4 = peer->dst;		/* destination timestamp */
+	l_fp	t2 = rbufp->pkt.rec;	/* receive timestamp */
+	l_fp	t3 = rbufp->pkt.xmt;	/* transmit timestamp */
+	l_fp	t4 = rbufp->recv_time;	/* destination timestamp */
+	int	stratum;
+	refid_t refid = *(const uint32_t*)rbufp->pkt.refid;
+	double rootdelay, rootdisp;
 
 	if (!stats_control)
 		return;
 
 	clock_gettime(CLOCK_REALTIME, &now);
 	filegen_setup(&rawstats, now.tv_sec);
-	if (rawstats.fp != NULL) {
-		fprintf(rawstats.fp, "%s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s %u\n",
-		    timespec_to_MJDtime(&now),
-		    peerlabel(peer), dstaddr ?  socktoa(dstaddr) : "-",
-		    ulfptoa(t1, 9), ulfptoa(t2, 9),
-		    ulfptoa(t3, 9), ulfptoa(t4, 9),
-		    leap, version, mode, stratum, ppoll, precision,
-		    root_delay, root_dispersion, refid_str(refid, stratum),
-		    outcount);
-		fflush(rawstats.fp);
-	}
+	if (rawstats.fp == NULL) return;
+
+	/* copy of PKT_TO_STRATUM from ntp_proto.c */
+	stratum = rbufp->pkt.stratum;
+	if (stratum == STRATUM_PKT_UNSPEC) stratum = STRATUM_UNSPEC;
+
+	rootdelay = scalbn((double)rbufp->pkt.rootdelay, -16);
+	rootdisp = scalbn((double)rbufp->pkt.rootdisp, -16);
+
+	fprintf(rawstats.fp, "%s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s %u %u %x\n",
+	    timespec_to_MJDtime(&now),
+	    peerlabel(peer), dstaddr ?  socktoa(dstaddr) : "-",
+	    ulfptoa(t1, 9), ulfptoa(t2, 9),
+	    ulfptoa(t3, 9), ulfptoa(t4, 9),
+	    PKT_LEAP(rbufp->pkt.li_vn_mode),
+	    PKT_VERSION(rbufp->pkt.li_vn_mode),
+	    PKT_MODE(rbufp->pkt.li_vn_mode),
+	    stratum,
+	    rbufp->pkt.ppoll,
+	    rbufp->pkt.precision,
+	    rootdelay,
+	    rootdisp,
+	    refid_str(refid, stratum),
+	    outcount, peer->bogons, flag);
+	fflush(rawstats.fp);
 }
 
 /*
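Review bot: `refid_t refid = *(const uint32_t*)rbufp->pkt.refid;` moves the cast the old call site labelled "disgusting" into record_raw_stats; `memcpy(&refid, rbufp->pkt.refid, sizeof refid)` avoids the alignment and strict-aliasing concerns with no runtime cost. The "copy of PKT_TO_STRATUM from ntp_proto.c" should be the macro itself, moved to a shared header. The new comment that `t1` "lies" (it is the locally recorded send time, not the randomised origin field from the packet) contradicts the mon-commands.adoc paragraph in this push, which still says "The timestamp values are as received and before processing"; the doc should carry the same caveat for the origin field.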


=====================================
ntpd/nts_client.c
=====================================
@@ -316,7 +316,7 @@ int open_TCP_socket(struct peer *peer, const char *hostname) {
 
 struct addrinfo *find_best_addr(struct addrinfo *answer) {
 	/* default to first one */
-        return(answer);
+	return(answer);
 }
 
 
@@ -327,7 +327,7 @@ struct addrinfo *find_best_addr(struct addrinfo *answer) {
  */
 bool connect_TCP_socket(int sockfd, struct addrinfo *addr) {
 	char errbuf[100];
-        int err;
+	int err;
 	fd_set fdset;
 	struct timeval timeout;
 	int so_error;
@@ -369,7 +369,7 @@ bool connect_TCP_socket(int sockfd, struct addrinfo *addr) {
 		return false;
 	}
 
-        if (0 != so_error) {
+	if (0 != so_error) {
 		ntp_strerror_r(so_error, errbuf, sizeof(errbuf));
 		msyslog(LOG_INFO, "NTSc: connect_TCP_socket: connect failed: %s", errbuf);
 		return false;
@@ -413,35 +413,69 @@ void set_hostname(SSL *ssl, const char *hostname) {
 
 bool check_certificate(SSL *ssl, struct peer* peer) {
 	X509 *cert = SSL_get_peer_certificate(ssl);
+	X509_NAME *certname;
+	GENERAL_NAMES *gens;
+	char name[200];
+	int certok;
+	int numgens = 0;
 
 	if (NULL == cert) {
 		msyslog(LOG_INFO, "NTSc: No certificate");
 		if (!(FLAG_NTS_NOVAL & peer->cfg.flags))
 			return false;
 		return true;
+	}
+
+	certname = X509_get_subject_name(cert);
+	X509_NAME_oneline(certname, name, sizeof(name));
+	msyslog(LOG_INFO, "NTSc: certificate subject name: %s", name);
+	certname = X509_get_issuer_name(cert);
+	X509_NAME_oneline(certname, name, sizeof(name));
+	msyslog(LOG_INFO, "NTSc: certificate issuer name: %s", name);
+	/* print SAN:DNS strings */
+	gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
+	if (gens) {
+	  char buff[150];
+	  numgens = sk_GENERAL_NAME_num(gens);
+	  buff[0] = 0;
+	  for (int i = 0; i<numgens; i++) {
+	    const GENERAL_NAME *gen;
+	    const char *dnsname;
+	    unsigned int len;
+	    gen = sk_GENERAL_NAME_value(gens, i);
+	    if (gen->type != GEN_DNS)
+	      continue;
+	    // string is NUL terminated but may have internal NULs
+	    len = (unsigned int)ASN1_STRING_length(gen->d.ia5);
+	    dnsname = (const char *)ASN1_STRING_get0_data(gen->d.ia5);
+	    if (0 != buff[0])
+	      strlcat(buff, ", ", sizeof(buff));
+	    strlcat(buff, dnsname, sizeof(buff));
+	    if (len != strlen(dnsname))
+	      strlcat(buff, "??", sizeof(buff));
+	  }
+	  msyslog(LOG_INFO, "NTSc: SAN:DNS %s", buff);
+	  GENERAL_NAMES_free(gens);
+	}
+	if (0 == numgens) {
+	  const char *peername = SSL_get0_peername(ssl);
+	  msyslog(LOG_INFO, "NTSc: matching with subject:CN %s", peername);
+	} else if (1 > numgens) {
+	  const char *peername = SSL_get0_peername(ssl);
+	  msyslog(LOG_INFO, "NTSc: matching with SAN:DNS: %s", peername);
+	}
+	X509_free(cert);
+	certok = SSL_get_verify_result(ssl);
+	if (X509_V_OK == certok) {
+		msyslog(LOG_INFO, "NTSc: certificate is valid.");
 	} else {
-		X509_NAME *certname;
-		char name[200];
-		int certok;
-		certname = X509_get_subject_name(cert);
-		X509_NAME_oneline(certname, name, sizeof(name));
-		msyslog(LOG_INFO, "NTSc: certificate subject name: %s", name);
-		certname = X509_get_issuer_name(cert);
-		X509_NAME_oneline(certname, name, sizeof(name));
-		msyslog(LOG_INFO, "NTSc: certificate issuer name: %s", name);
-		X509_free(cert);
-		certok = SSL_get_verify_result(ssl);
-		if (X509_V_OK == certok) {
-			msyslog(LOG_INFO, "NTSc: certificate is valid.");
-		} else {
-			msyslog(LOG_ERR, "NTSc: certificate invalid: %d=>%s",
-				certok, X509_verify_cert_error_string(certok));
-			if (FLAG_NTS_NOVAL & peer->cfg.flags) {
-				msyslog(LOG_INFO, "NTSc: noval - accepting invalid cert.");
-				return true;
-			}
-			return false;
+		msyslog(LOG_ERR, "NTSc: certificate invalid: %d=>%s",
+			certok, X509_verify_cert_error_string(certok));
+		if (FLAG_NTS_NOVAL & peer->cfg.flags) {
+			msyslog(LOG_INFO, "NTSc: noval - accepting invalid cert.");
+			return true;
 		}
+		return false;
 	}
 	return true;
 }
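Review bot: `else if (1 > numgens)` is unreachable: `numgens` is either 0, handled by the preceding `if (0 == numgens)`, or at least 1, so the "matching with SAN:DNS" log line is never emitted; the intended test is `0 < numgens`, or simply `else`. In both branches `SSL_get0_peername()` returns NULL when no reference identifier matched, and passing NULL to a `%s` conversion is undefined behaviour, so guard it (for example `peername ? peername : "(none)"`). The `strlcat(buff, dnsname, ...)` loop relies on the "??" marker to flag an embedded NUL, which is a reasonable choice, but `buff[150]` silently truncates long SAN lists; a note in the log line when truncation occurred would avoid misleading output.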



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/64e2c355ac601b57eebec75a13da40e7d47fbf54...d0915e05f5b6f950c8a6ad7bd69b5333465e2fe4
