[Git][NTPsec/ntpsec][master] Add optional second port
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Sun Apr 14 08:11:29 UTC 2024
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
3282d6a4 by Hal Murray at 2024-04-14T01:05:29-07:00
Add optional second port
This might help bypass ISP blocking/filtering of port 123.
Syntax is:
nts port <portnum>
or
extra port <portnum>
If the extra port is configured, traffic to either port will work.
The NTS-KE server will tell the client to use the second port.
No change is necessary on the client if using NTS.
- - - - -
10 changed files:
- docs/includes/misc-options.adoc
- docs/includes/nts-commands.adoc
- include/ntp_config.h
- include/ntpd.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_io.c
- ntpd/ntp_parser.y
- ntpd/nts_server.c
- tests/ntpd/nts_server.c
Changes:
=====================================
docs/includes/misc-options.adoc
=====================================
@@ -214,6 +214,13 @@ the log file.
peer variables and the +clock_var_list+ holds the names of the reference
clock variables.
+[[extra]]+extra+ [+port+ _portnum ]::
+ This is a catchall for various adjustments. There is only one slow now.
++port+ _portnum_;; (same as +nts port+ _portnum_)
+ This opens another port which will be used for NTP+NTS traffic.
+ This might help bypass ISP blocking on port 123. Be sure that
+ your firewall doesn't block traffic arriving on this new port.
+
[[tinker]]+tinker+ [+allan+ _allan_ | +dispersion+ _dispersion_ | +freq+ _freq_ | +huffpuff+ _huffpuff_ | +panic+ _panic_ | +step+ _step_ | +stepback+ _stepback_ | +stepfwd+ _stepfwd_ | +stepout+ _stepout_]::
This command can be used to alter several system variables in very
exceptional circumstances. It should occur in the configuration file
=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -4,7 +4,7 @@ The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
[[nts]]
-+nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_] [+tlsecdhcurves+ _name_] [tlscipherserverpreference]
++nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_] [+port+ _portnum_] [+tlsecdhcurves+ _name_] [tlscipherserverpreference]
The options are as follows:
@@ -49,6 +49,11 @@ The options are as follows:
+mintls+ and +maxtls+ equal, you can force the TLS version for
testing. Format is as for +mintls+.
++port+ _portnum_:: (same as +extra port+ _portnum_)
+ This opens another port which will be used for NTP+NTS traffic.
+ This might help bypass ISP blocking on port 123. Be sure that
+ your firewall doesn't block traffic arriving on this new port.
+
// https://crypto.stackexchange.com/questions/8964/sending-tls-messages-with-out-encryption-using-openssl-code
+tlsciphersuites+ _string_::
=====================================
include/ntp_config.h
=====================================
@@ -198,6 +198,7 @@ struct config_tree_tag {
addr_opts_fifo *fudge;
attr_val_fifo * rlimit;
+ attr_val_fifo * extra;
attr_val_fifo * tinker;
attr_val_fifo * nts;
attr_val_fifo * enable_opts;
=====================================
include/ntpd.h
=====================================
@@ -122,6 +122,7 @@ extern uint64_t handler_pkts_count(void);
extern uint64_t handler_refrds_count(void);
#endif
extern uptime_t io_timereset;
+extern uint16_t extra_port;
/* ntp_loopfilter.c */
extern void init_loopfilter(void);
=====================================
ntpd/keyword-gen.c
=====================================
@@ -35,6 +35,7 @@ struct key_tok ntp_keywords[] = {
{ "dscp", T_Dscp, FOLLBY_TOKEN },
{ "enable", T_Enable, FOLLBY_TOKEN },
{ "end", T_End, FOLLBY_TOKEN },
+{ "extra", T_Extra, FOLLBY_TOKEN },
{ "filegen", T_Filegen, FOLLBY_TOKEN },
{ "fudge", T_Fudge, FOLLBY_STRING },
{ "io", T_Io, FOLLBY_TOKEN },
@@ -49,6 +50,7 @@ struct key_tok ntp_keywords[] = {
{ "phone", T_Phone, FOLLBY_STRINGS_TO_EOC },
{ "pidfile", T_Pidfile, FOLLBY_STRING },
{ "pool", T_Pool, FOLLBY_STRING },
+{ "port", T_Port, FOLLBY_TOKEN },
{ "ppspath", T_Ppspath, FOLLBY_STRING },
{ "reset", T_Reset, FOLLBY_TOKEN },
{ "restrict", T_Restrict, FOLLBY_TOKEN },
=====================================
ntpd/ntp_config.c
=====================================
@@ -180,6 +180,7 @@ static void free_config_reset_counters(config_tree *);
static void free_config_rlimit(config_tree *);
static void free_config_setvar(config_tree *);
static void free_config_system_opts(config_tree *);
+static void free_config_extra(config_tree *);
static void free_config_tinker(config_tree *);
static void free_config_nts(config_tree *);
static void free_config_tos(config_tree *);
@@ -238,6 +239,7 @@ static void config_logconfig(config_tree *);
static void config_monitor(config_tree *);
static void config_rlimit(config_tree *);
static void config_system_opts(config_tree *);
+static void config_extra(config_tree *);
static void config_tinker(config_tree *);
static void config_nts(config_tree *);
static void config_tos(config_tree *);
@@ -328,6 +330,7 @@ free_config_tree(
free_config_tos(ptree);
free_config_monitor(ptree);
free_config_access(ptree);
+ free_config_extra(ptree);
free_config_tinker(ptree);
free_config_nts(ptree);
free_config_rlimit(ptree);
@@ -1858,6 +1861,28 @@ config_rlimit(
}
+static void
+config_extra(
+ config_tree *ptree
+ )
+{
+ attr_val * extra;
+
+ extra = HEAD_PFIFO(ptree->extra);
+ for (; extra != NULL; extra = extra->link) {
+ switch (extra->attr) {
+
+ default:
+ INSIST(0);
+ break;
+
+ case T_Port:
+ extra_port = extra->value.i;
+ break;
+ }
+ }
+}
+
static void
config_tinker(
config_tree *ptree
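Review bot: `extra_port = extra->value.i;` in config_extra stores an int into a uint16_t with no range check, so a value above 65535 is silently truncated and a negative value wraps; the config_nts hunk makes the same unchecked assignment (`extra_port = nts->value.i;`). A value of 0 is also accepted, which the ntp_io.c definition treats as "not used", and a value equal to NTP_PORT would make create_sockets open the wildcard sockets on the same port twice. I would validate once in a small helper, log and ignore rejected values rather than clamping, and have the config_nts case call the same helper (the `NTP_PORT` comparison assumes that macro is visible in this file; confirm). Since `extra port` and `nts port` both write the same global, the last one parsed wins without any diagnostic, which deserves a comment on the definition.
```c
/* Accept a configured extra port, rejecting out-of-range values, 0
 * (which ntp_io.c treats as "not used") and the port already open. */
static void
set_extra_port(int port)
{
	if (port < 1 || port > 65535 || port == NTP_PORT) {
		msyslog(LOG_ERR, "CONFIG: extra port %d ignored", port);
		return;
	}
	extra_port = (uint16_t)port;
}

static void
config_extra(
	config_tree *ptree
	)
{
	/* … unchanged: walk of ptree->extra, INSIST(0) default … */
		case T_Port:
			set_extra_port(extra->value.i);
			break;
	/* … unchanged: end of switch and loop … */
}
```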
@@ -1978,6 +2003,10 @@ config_nts(
ntsconfig.mintls = estrdup(nts->value.s);
break;
+ case T_Port:
+ extra_port = nts->value.i;
+ break;
+
case T_Tlscipherserverpreference:
ntsconfig.tlscipherserverpreference = true;
break;
@@ -2003,6 +2032,15 @@ free_config_rlimit(
FREE_ATTR_VAL_FIFO(ptree->rlimit);
}
+static void
+free_config_extra(
+ config_tree *ptree
+ )
+{
+ FREE_ATTR_VAL_FIFO(ptree->extra);
+}
+
+
static void
free_config_tinker(
config_tree *ptree
@@ -3015,6 +3053,7 @@ config_ntpd(
config_auth(ptree);
config_tos(ptree);
config_access(ptree); /* before config_peers */
+ config_extra(ptree);
config_tinker(ptree);
config_nts(ptree);
config_rlimit(ptree);
=====================================
ntpd/ntp_io.c
=====================================
@@ -44,6 +44,8 @@
int qos = IPTOS_DSCP_EF; /* QoS RFC 3246 */
+uint16_t extra_port = 0; /* 0 => not used */
+
/*
* NIC rule entry
*/
@@ -213,7 +215,7 @@ static void init_async_notifications (void);
static bool addr_eqprefix (const sockaddr_u *, const sockaddr_u *,
int);
-static int create_sockets (unsigned short);
+static int create_sockets (void);
static void set_reuseaddr (int);
typedef struct remaddr remaddr_t;
@@ -376,7 +378,7 @@ io_open_sockets(void)
/*
* Create the sockets
*/
- create_sockets(NTP_PORT);
+ create_sockets();
init_async_notifications();
@@ -1256,6 +1258,8 @@ interface_update(
return;
new_interface_found = update_interfaces(NTP_PORT, receiver, data);
+ if (extra_port)
+ new_interface_found |= update_interfaces(extra_port, receiver, data);
if (!new_interface_found)
return;
@@ -1685,18 +1689,18 @@ update_interfaces(
* socket for when we don't know where to send
*/
static int
-create_sockets(
- unsigned short port
- )
+create_sockets(void)
{
maxactivefd = 0;
FD_ZERO(&activefds);
- DPRINT(2, ("create_sockets(%d)\n", port));
+ DPRINT(2, ("create_sockets(%d %u)\n", NTP_PORT, extra_port));
- create_wildcards(port);
+ create_wildcards(NTP_PORT);
+ if (extra_port) create_wildcards(extra_port);
- update_interfaces(port, NULL, NULL);
+ update_interfaces(NTP_PORT, NULL, NULL);
+ if (extra_port) update_interfaces(extra_port, NULL, NULL);
/*
* Now that we have opened all the sockets, turn off the reuse
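Review bot: The two added calls `if (extra_port) create_wildcards(extra_port);` and `if (extra_port) update_interfaces(extra_port, NULL, NULL);` put the body on the same line as the condition with no braces, unlike the surrounding code in this function and the interface_update hunk, where the guarded call sits on its own line. Bracing them (`if (extra_port) {` / `create_wildcards(extra_port);` / `}`) keeps the style consistent and avoids the single-statement trap when a second call is added later. The rest of create_sockets continues past the end of the hunk.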
@@ -1795,8 +1799,6 @@ set_excladdruse(
/*
* set_reuseaddr() - set/clear REUSEADDR on all sockets
- * NB possible hole - should we be doing this on broadcast
- * fd's also?
*/
static void
set_reuseaddr(
=====================================
ntpd/ntp_parser.y
=====================================
@@ -80,6 +80,7 @@
%token <Integer> T_Drop
%token <Integer> T_Dscp
%token <Integer> T_Expire
+%token <Integer> T_Extra
%token <Integer> T_Ellipsis /* "..." not "ellipsis" */
%token <Integer> T_Enable
%token <Integer> T_End
@@ -177,6 +178,7 @@
%token <Integer> T_Pid
%token <Integer> T_Pidfile
%token <Integer> T_Pool
+%token <Integer> T_Port
%token <Integer> T_Ppspath
%token <Integer> T_Prefer
%token <Integer> T_Protostats
@@ -244,6 +246,9 @@
%type <Integer> limit_option_keyword
%type <Attr_val_fifo> limit_option_list
%type <Integer> enable_disable
+%type <Integer> extra_option_keyword
+%type <Attr_val> extra_option
+%type <Attr_val_fifo> extra_option_list
%type <Attr_val> filegen_option
%type <Attr_val_fifo> filegen_option_list
%type <Integer> filegen_type
@@ -298,6 +303,7 @@
%type <Attr_val> tinker_option
%type <Attr_val_fifo> tinker_option_list
%type <Integer> nts_string_option_keyword
+%type <Integer> nts_number_option_keyword
%type <Attr_val> nts_option
%type <Attr_val_fifo> nts_option_list
%type <Attr_val> tos_option
@@ -350,6 +356,7 @@ command : /* NULL STATEMENT */
| refclock_command
| rlimit_command
| system_option_command
+ | extra_command
| tinker_command
| nts_command
| miscellaneous_command
@@ -1062,6 +1069,38 @@ system_option_local_flag_keyword
: T_Stats
;
+/* Extra Commands
+ * ---------------
+ */
+
+extra_command
+ : T_Extra extra_option_list
+ { CONCAT_G_FIFOS(cfgt.extra, $2); }
+ ;
+
+extra_option_list
+ : extra_option_list extra_option
+ {
+ $$ = $1;
+ APPEND_G_FIFO($$, $2);
+ }
+ | extra_option
+ {
+ $$ = NULL;
+ APPEND_G_FIFO($$, $1);
+ }
+ ;
+
+extra_option
+ : extra_option_keyword number
+ { $$ = create_attr_ival($1, $2); }
+ ;
+
+extra_option_keyword
+ : T_Port
+ ;
+
+
/* Tinker Commands
* ---------------
*/
@@ -1128,12 +1167,16 @@ nts_option_list
nts_option
: nts_string_option_keyword T_String
{ $$ = create_attr_sval($1, $2); }
+ | nts_number_option_keyword number
+ { $$ = create_attr_ival($1, $2); }
| T_Disable
{ $$ = create_attr_ival($1, 0); }
| T_Enable
{ $$ = create_attr_ival($1, 1); }
| T_Tlscipherserverpreference
{ $$ = create_attr_ival($1, 1); }
+ | T_Pool number
+ { $$ = create_attr_ival($1, $2); }
;
;
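Review bot: The new alternative `| T_Pool number { $$ = create_attr_ival($1, $2); }` in nts_option is not mentioned in the commit message or the nts-commands.adoc hunk, and the config_nts hunk in ntp_config.c adds handling only for T_Port. If config_nts's switch ends in an INSIST(0) default the way the new config_extra does (the default is outside the visible hunk), an `nts pool <n>` line would now parse successfully and then abort at configuration time. If this alternative is a leftover from development I would drop it; if it is intended, it needs a T_Port-style case in config_nts and a line in the docs.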
@@ -1144,11 +1187,15 @@ nts_string_option_keyword
| T_Cert
| T_Cookie
| T_Key
- | T_Tlsciphersuites
- | T_Tlsecdhcurves
| T_Maxtls
| T_Mintls
+ | T_Tlsciphersuites
+ | T_Tlsecdhcurves
+ ;
+nts_number_option_keyword
+ : T_Port
+ ;
/* Miscellaneous Commands
* ----------------------
=====================================
ntpd/nts_server.c
=====================================
@@ -605,6 +605,10 @@ bool nts_ke_setup_send(struct BufCtl_t *buf, int aead,
/* 4.1.5 AEAD Algorithm List */
ke_append_record_uint16(buf, nts_algorithm_negotiation, aead);
+ if (extra_port)
+ ke_append_record_uint16(buf, nts_port_negotiation, extra_port);
+
+
for (int i=0; i<NTS_MAX_COOKIES; i++) {
uint8_t cookie[NTS_MAX_COOKIELEN];
int cookielen = nts_make_cookie(cookie, aead, c2s, s2c, keylen);
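Review bot: The new `ke_append_record_uint16(buf, nts_port_negotiation, extra_port);` call lacks the RFC section comment that labels the neighbouring records (the preceding line carries `/* 4.1.5 AEAD Algorithm List */`); adding `/* 4.1.7 NTPv4 Port Negotiation */` above the `if (extra_port)` keeps the record list readable against the spec. The two blank lines added after the call are more than the function uses between its other records and could be reduced to one. nts_ke_setup_send begins and ends outside this hunk.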
=====================================
tests/ntpd/nts_server.c
=====================================
@@ -9,6 +9,9 @@
#include <stdlib.h>
#include <string.h>
+/* Hack to keep linker happy */
+uint16_t extra_port = 0;
+
TEST_GROUP(nts_server);
TEST_SETUP(nts_server) {}
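Review bot: The stub `uint16_t extra_port = 0;` only satisfies the linker, so the new nts_port_negotiation record in nts_ke_setup_send is never exercised by this test file. Because the stub is a writable definition, a test could set `extra_port` to a non-zero value, call nts_ke_setup_send and check that the port record is present with that value, and a second case could confirm the record is absent when it is 0. The comment `/* Hack to keep linker happy */` would then also explain why the definition lives here rather than in ntp_io.c.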