[Git][NTPsec/ntpsec][master] 6 commits: Fix typo: libnptc.so => libntpc.so
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Fri Jun 21 19:34:45 UTC 2024
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
e49985be by Hal Murray at 2024-05-30T16:56:31-07:00
Fix typo: libnptc.so => libntpc.so
- - - - -
e0db5359 by Hal Murray at 2024-05-30T16:56:31-07:00
Fix warnings from toupper on NetBSD
- upcase[i] = toupper(upcase[i]);
+ upcase[i] = toupper((unsigned char)upcase[i]);
(two places)
Interesting that none of our other compilers complained.
The Linux man page says:
The standards require that the argument c for these functions is either
EOF or a value that is representable in the type unsigned char. If the
argument c is of type char, it must be cast to unsigned char, as in the
following example:
char c;
...
res = toupper((unsigned char) c);
This is necessary because char may be the equivalent signed char, in
which case a byte where the top bit is set would be sign extended when
converting to int, yielding a value that is outside the range of unsigned char.
- - - - -
45386dec by Hal Murray at 2024-05-30T16:56:31-07:00
Fix warning in ntpd/refclock_gpsd.c
- } else if (isprint(*sptr)) {
+ } else if (isprint((unsigned char)*sptr)) {
- - - - -
7c8b5fe2 by Hal Murray at 2024-06-13T18:50:59-07:00
Cleanup EVP_MD_CTX_create/destroy
- - - - -
cac206ab by Hal Murray at 2024-06-19T23:51:37-07:00
Fix another FIPS bug
Mode 6 (ntpq server) was using MD5 as a hash to make a cookie.
The fix is simple. Change EVP_md5() to EVP_sha1()
Nothing else depends on which hash is used,
so we can change it.
ntpmon is a simple test case.
- - - - -
db7835ca by Hal Murray at 2024-06-19T23:56:49-07:00
Mostly restrict cleanup
Changing RES_DONxxx to RES_NOxxx to match the usage in
the config file.
- - - - -
18 changed files:
- HOWTO-OpenSSL
- README-PYTHON
- attic/digest-find.c
- attic/digest-timing.c
- docs/includes/access-commands.adoc
- include/ntp.h
- libntp/authreadkeys.c
- libntp/macencrypt.c
- libntp/pymodule-mac.c
- libntp/ssl_init.c
- libntp/statestr.c
- ntpd/ntp_config.c
- ntpd/ntp_control.c
- ntpd/ntp_leapsec.c
- ntpd/ntp_proto.c
- ntpd/ntp_restrict.c
- ntpd/refclock_gpsd.c
- tests/libntp/statestr.c
Changes:
=====================================
HOWTO-OpenSSL
=====================================
@@ -3,7 +3,7 @@ That was first supported in OpenSSL 1.1.1
(1.1.1a is broken)
Some OSes/Distros don't support a new enough version of OpenSSL
This file contains notes on how to download, build, and install 3.2.0
-It it should be close for other 3.x.y versions
+It should be close for other 3.x.y versions
It's rough. Don't be surprised by bugs/oversights.
Corrections, clarifications and feedback encouraged.
@@ -80,7 +80,7 @@ time make -j4 |& tee make.log
openssl version -d
./util/shlib_wrap.sh ./apps/openssl version -d
# ./apps/openssl without the wrapper will use the installed libraries
-The above check is broken for openssl-3.2.0-beta1 on Fedora
+The above check is broken for openssl-3.2.0 on Fedora
It works on Ubuntu and FreeBSD.
time make test |& tee test.log
@@ -89,8 +89,8 @@ sudo make install |& tee install.log
sudo su
cd /etc/ld.so.conf.d
- echo "/usr/local/ssl/lib" > openssl-3.2.0.conf # 32 bit systems
- echo "/usr/local/ssl/lib64" > openssl-3.2.0.conf # 64 bit systems
+ echo "/usr/local/ssl/lib" > openssl.conf # 32 bit systems
+ echo "/usr/local/ssl/lib64" > openssl.conf # 64 bit systems
# running ldconfig before install doesn't work
ldconfig
=====================================
README-PYTHON
=====================================
@@ -77,7 +77,7 @@ OTOH if you are running into something like:
raise OSError("Can't find %s library" % LIB)
OSError: Can't find ntpc library
-That means that ntpc.py looked for libnptc.so in the usual places and could
+That means that ntpc.py looked for libntpc.so in the usual places and could
not find it. If it is being installed to the wrong location on your platform,
you can correct the install location using: waf configure --libdir= If you
are intentionally installing to a non-default location, you can modify the
=====================================
attic/digest-find.c
=====================================
@@ -101,12 +101,12 @@ main (
}
#endif
/* libntp/macencrypt.c has an ifdef for this */
- ctx = EVP_MD_CTX_create();
+ ctx = EVP_MD_CTX_new();
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
EVP_DigestInit_ex(ctx, md, NULL);
EVP_DigestUpdate(ctx, packet, sizeof(packet));
EVP_DigestFinal_ex(ctx, digest, &length);
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_free(ctx);
printf("%10s %4d %6u\n", digests[i], keytype, length);
}
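Review bot: `ctx = EVP_MD_CTX_new()` on L117 is not checked, and neither is `EVP_DigestInit_ex()` on L119, which is exactly the call that fails under FIPS for the non-approved digests this loop walks; on that failure `length` (declared above the hunk) keeps whatever it held before and the printed line is stale rather than marked as failed. For an attic probe a loud skip is enough: `if (NULL == ctx || !EVP_DigestInit_ex(ctx, md, NULL)) { fprintf(stderr, "%s: digest init failed\n", digests[i]); EVP_MD_CTX_free(ctx); continue; }` placed before the update (freeing NULL is a no-op). As far as I can tell `EVP_MD_CTX_FLAG_NON_FIPS_ALLOW` on L118 has no effect on OpenSSL 1.1+/3.x, so a one-line comment saying the output reflects the provider's policy rather than this flag would stop readers from relying on it. main() starts above the hunk.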
=====================================
attic/digest-timing.c
=====================================
@@ -38,13 +38,6 @@
#define UNUSED_ARG(arg) ((void)(arg))
-#ifndef EVP_MD_CTX_new
-/* Slightly older version of OpenSSL */
-/* Similar hack in ssl_init.c */
-#define EVP_MD_CTX_new() EVP_MD_CTX_create()
-#define EVP_MD_CTX_free(ctx) EVP_MD_CTX_destroy(ctx)
-#endif
-
/* Get timing for old slower way too. Pre Feb 2018 */
#define DoSLOW 1
=====================================
docs/includes/access-commands.adoc
=====================================
@@ -79,7 +79,10 @@
+noquery+;;
Deny {ntpqman} queries. Time service is not affected.
+noserve+;;
- Deny all packets except {ntpqman} and queries.
+ Deny all packets except {ntpqman} queries.
+ NB: This blocks requests from other clients and responses to your
+ requests. If you are using servers in this IP range, you will need
+ to add +restrict+ slots to let them through.
+notrust+;;
Deny service unless the packet is cryptographically authenticated.
+ntpport+;;
=====================================
include/ntp.h
=====================================
@@ -678,8 +678,8 @@ struct restrict_u_tag {
* through the Mode 6 protocol.
*/
#define RES_IGNORE 0x0001 /* ignore packet */
-#define RES_DONTSERVE 0x0002 /* access denied */
-#define RES_DONTTRUST 0x0004 /* authentication required */
+#define RES_NOSERVE 0x0002 /* access denied */
+#define RES_NOTRUST 0x0004 /* authentication required */
#define RES_VERSION 0x0008 /* version mismatch */
#define RES_NOPEERx 0x0010 /* new association denied */
#define RES_LIMITED 0x0020 /* packet rate exceeded */
@@ -694,7 +694,6 @@ struct restrict_u_tag {
#define RES_FLAKE 0x1000 /* flakeway - drop 10% */
#define RES_NOMRULIST 0x2000 /* mode 6 mrulist denied */
-/* RES_DEFAULT defined in /usr/include/resolv.h */
#define RES_Default (RES_NOQUERY|RES_LIMITED)
/* pythonize-header: start ignoring */
=====================================
libntp/authreadkeys.c
=====================================
@@ -125,11 +125,11 @@ check_digest_mac_length(
length = EVP_MD_get_size(md);
#else
const EVP_MD *md = EVP_get_digestbyname(name);
- EVP_MD_CTX *ctx = EVP_MD_CTX_create();
+ EVP_MD_CTX *ctx = EVP_MD_CTX_new();
unsigned char digest[EVP_MAX_MD_SIZE];
EVP_DigestInit_ex(ctx, md, NULL);
EVP_DigestFinal_ex(ctx, digest, &length);
- EVP_MD_CTX_destroy(ctx);
+ EVP_MD_CTX_free(ctx);
#endif
if (MAX_BARE_MAC_LENGTH < length) {
msyslog(LOG_ERR, "AUTH: authreadkeys: digest for key %u, %s will be truncated.", keyno, name);
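Review bot: In the `#else` branch neither `md` (NULL when `name` is not a known digest) nor `ctx` (NULL on allocation failure) is checked, and the `EVP_DigestInit_ex()`/`EVP_DigestFinal_ex()` return values are dropped, so when any of them fails `length` — declared above the hunk — reaches the `MAX_BARE_MAC_LENGTH < length` test without having been written. Guarding the whole sequence keeps the logic in one place: `if (NULL == ctx || NULL == md || !EVP_DigestInit_ex(ctx, md, NULL) || !EVP_DigestFinal_ex(ctx, digest, &length)) { length = 0; }`, with the fallback replaced by whatever the function's existing failure path reports if it has one (its prologue is outside the hunk) and assuming unknown digest names are already rejected before this point. The `#if` branch on L179 has the same gap if `EVP_MD_get_size()` is handed a NULL `md`.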
=====================================
libntp/macencrypt.c
=====================================
@@ -327,7 +327,7 @@ addr2refid(sockaddr_u *addr)
EVP_MD_free(md5);
#else
if(ctx == NULL) {
- ctx = EVP_MD_CTX_create();
+ ctx = EVP_MD_CTX_new();
}
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* MD5 is not used as a crypto hash here. */
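Review bot: The lazily allocated static `ctx` on L199-L200 is not checked for NULL, so an allocation failure is dereferenced by the flag-setting and init calls that follow this hunk. ntpd/ntp_control.c in this same push handles the identical pattern with `if (NULL == ctx) { msyslog(LOG_ERR, "ERR: EVP_MD_CTX_new() failed"); exit(1); }`, and mirroring that here keeps the two sites consistent. addr2refid starts above the hunk; if it has a caller-visible failure return, that would be preferable to exiting from libntp, which is presumably shared with the client tools.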
=====================================
libntp/pymodule-mac.c
=====================================
@@ -20,21 +20,18 @@
#include <openssl/evp.h>
#include <openssl/cmac.h>
-/* Slightly older version of OpenSSL */
-/* Similar hack in ssl_init.c and attic/digest-timing.c */
-#ifndef EVP_MD_CTX_new
-#define EVP_MD_CTX_new() EVP_MD_CTX_create()
-#endif
-
// Needed on OpenSSL < 1.1.0
+// I don't think this is needed on modern versions,
+// but I'm leaving this code around for a while in case we do need it.
+// HGM: 2024-Jun-11
static void init_ssl(void) {
- static bool init_done = false;
- if (init_done) {
- return;
- }
- init_done = true;
- OpenSSL_add_all_ciphers();
- OpenSSL_add_all_digests();
+// static bool init_done = false;
+// if (init_done) {
+// return;
+// }
+// init_done = true;
+// OpenSSL_add_all_ciphers();
+// OpenSSL_add_all_digests();
}
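Review bot: Leaving init_ssl() as an empty function with its body commented out on L228-L234 is the pattern reviewers usually push back on — git already keeps the history, and a dead body invites someone to uncomment it blindly. The libntp/ssl_init.c hunk in this same push keeps `OpenSSL_add_all_digests()`/`OpenSSL_add_all_ciphers()` under `#ifdef LIBRESSL_VERSION_NUMBER`, so the consistent move is to restore the original body inside `#ifdef LIBRESSL_VERSION_NUMBER` … `#endif` rather than comment it out; otherwise on LibreSSL builds `EVP_get_digestbyname()` on L243 may return NULL for names ntpd itself resolves (whether that happens depends on the LibreSSL version, which I cannot confirm from here). If the registration is truly unneeded everywhere, delete the function and its call sites instead of keeping a stub.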
/* xx = ntp.ntpc.checkname(name)
@@ -50,7 +47,7 @@ int do_checkname(const char *name)
strlcpy(upcase, name, sizeof(upcase));
for (int i=0; upcase[i]!=0; i++) {
- upcase[i] = toupper(upcase[i]);
+ upcase[i] = toupper((unsigned char)upcase[i]);
}
digest = EVP_get_digestbyname(upcase);
@@ -96,7 +93,7 @@ void do_mac(char *name,
strlcpy(upcase, name, sizeof(upcase));
for (int i=0; upcase[i]!=0; i++) {
- upcase[i] = toupper(upcase[i]);
+ upcase[i] = toupper((unsigned char)upcase[i]);
}
digest = EVP_get_digestbyname(upcase);
=====================================
libntp/ssl_init.c
=====================================
@@ -17,13 +17,7 @@
#include <openssl/cmac.h>
#endif
-#ifndef EVP_MD_CTX_new
-/* Slightly older version of OpenSSL */
-/* Similar hack in macencrypt.c and attic/digest-timing.c */
-#define EVP_MD_CTX_new() EVP_MD_CTX_create()
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#ifdef LIBRESSL_VERSION_NUMBER
static void atexit_ssl_cleanup(void);
#endif
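Review bot: Narrowing the guard on L264 to `#ifdef LIBRESSL_VERSION_NUMBER` silently drops the OpenSSL < 1.1.0 initialization path without stating the new floor anywhere in the code. With HOWTO-OpenSSL in this push pointing at 1.1.1 as the earliest usable release, an explicit check next to the includes makes a too-old system fail with a readable message instead of a link error on `OPENSSL_init_ssl`: `#if !defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER < 0x10101000L` / `#error "NTPsec requires OpenSSL 1.1.1 or newer"` / `#endif`.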
@@ -48,7 +42,7 @@ ssl_init(void)
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS|OPENSSL_INIT_LOAD_CRYPTO_STRINGS|OPENSSL_INIT_ADD_ALL_CIPHERS|OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
#endif
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#ifdef LIBRESSL_VERSION_NUMBER
OpenSSL_add_all_digests();
OpenSSL_add_all_ciphers();
atexit(&atexit_ssl_cleanup);
@@ -113,7 +107,7 @@ ssl_init(void)
}
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
+#ifdef LIBRESSL_VERSION_NUMBER
static void
atexit_ssl_cleanup(void)
{
=====================================
libntp/statestr.c
=====================================
@@ -173,16 +173,16 @@ static const struct codestring res_match_bits[] = {
* Restriction access bits
*/
static const struct codestring res_access_bits[] = {
- { RES_IGNORE, "ignore" },
- { RES_DONTSERVE, "noserve" },
- { RES_DONTTRUST, "notrust" },
- { RES_NOQUERY, "noquery" },
- { RES_NOMODIFY, "nomodify" },
- { RES_NOPEERx, "nopeer" },
- { RES_LIMITED, "limited" },
- { RES_VERSION, "version" },
- { RES_KOD, "kod" },
- { RES_FLAKE, "flake" },
+ { RES_IGNORE, "ignore" },
+ { RES_NOSERVE, "noserve" },
+ { RES_NOTRUST, "notrust" },
+ { RES_NOQUERY, "noquery" },
+ { RES_NOMODIFY, "nomodify" },
+ { RES_NOPEERx, "nopeer" },
+ { RES_LIMITED, "limited" },
+ { RES_VERSION, "version" },
+ { RES_KOD, "kod" },
+ { RES_FLAKE, "flake" },
/* not used with getcode(), no terminating entry needed */
};
=====================================
ntpd/ntp_config.c
=====================================
@@ -1644,7 +1644,7 @@ config_access(
break;
case T_Noserve:
- flags |= RES_DONTSERVE;
+ flags |= RES_NOSERVE;
break;
case T_Notrap:
@@ -1652,7 +1652,7 @@ config_access(
break;
case T_Notrust:
- flags |= RES_DONTTRUST;
+ flags |= RES_NOTRUST;
break;
case T_Version:
=====================================
ntpd/ntp_control.c
=====================================
@@ -2559,8 +2559,31 @@ static uint32_t derive_nonce(
uint8_t digest[EVP_MAX_MD_SIZE];
uint32_t extract;
} d;
- EVP_MD_CTX *ctx;
- unsigned int len;
+
+ static EVP_MD_CTX *ctx;
+ static const EVP_MD *evp;
+ unsigned int len;
+
+ if (NULL == ctx) {
+ ctx = EVP_MD_CTX_new();
+ if (NULL == ctx) {
+ msyslog(LOG_ERR, "ERR: EVP_MD_CTX_new() failed");
+ exit(1);
+ }
+ }
+
+ if (NULL == evp) {
+ /* EVP_md5() doesn't work on FIPS systems.
+ * Check here in case EVP_sha1() gets demoted.
+ * This is making a cookie which is only checked by
+ * this system so the details of how it is made don't matter.
+ */
+ evp = EVP_sha1();
+ if (NULL == evp) {
+ msyslog(LOG_ERR, "ERR: EVP_sha1() failed");
+ exit(1);
+ }
+ }
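Review bot: The `NULL == evp` check on L357 cannot catch the FIPS case its comment describes: in OpenSSL 1.1.x and 3.x `EVP_sha1()` returns the address of a static `EVP_MD` table and never NULL, and an unavailable or disallowed digest only shows up as a 0 return from `EVP_DigestInit_ex()`, which the next hunk ignores. I would replace the comment on L351-L355 with `/* EVP_sha1() never returns NULL; provider/FIPS failures surface in EVP_DigestInit_ex() below. */` and do the real check there. "The details of how it is made don't matter" also undersells the requirement: the nonce is only useful if a remote client cannot predict it, which rests on `salt` staying secret (L363 fills it from ntp_RAND_bytes) and on the digest output being unpredictable without that salt, so any approved hash is fine but a non-keyed or much shorter construction would not be. Suggested wording: `/* Only this host checks the cookie, so the hash can be swapped freely as long as it is keyed by the secret salt and stays unpredictable to clients. */`. derive_nonce's signature is above the hunk.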
if (current_time >= next_salt_update) {
ntp_RAND_bytes(&salt[0], sizeof(salt));
@@ -2569,8 +2592,7 @@ static uint32_t derive_nonce(
(long long)next_salt_update);
}
- ctx = EVP_MD_CTX_create();
- EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+ EVP_DigestInit_ex(ctx, evp, NULL);
EVP_DigestUpdate(ctx, salt, sizeof(salt));
EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i));
EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f));
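Review bot: `EVP_DigestInit_ex(ctx, evp, NULL)` on L369 is the call that actually fails when SHA-1 is not available from the active provider (the case the commit message targets), and its return value is dropped, so on failure the following updates run on a context that was never, or is no longer, initialized for this digest. Since the surrounding code already exits on setup failures, the same treatment fits here: `if (!EVP_DigestInit_ex(ctx, evp, NULL)) { msyslog(LOG_ERR, "ERR: EVP_DigestInit_ex(sha1) failed"); exit(1); }`. With `ctx` now static, a failed init would also leave the shared context in an indeterminate state for every later query, which makes logging and exiting safer than returning a dummy nonce.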
@@ -2583,7 +2605,6 @@ static uint32_t derive_nonce(
EVP_DigestUpdate(ctx, &NSRCPORT(addr), sizeof(NSRCPORT(addr)));
EVP_DigestUpdate(ctx, salt, sizeof(salt));
EVP_DigestFinal_ex(ctx, d.digest, &len);
- EVP_MD_CTX_destroy(ctx);
return d.extract;
}
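Review bot: `EVP_DigestFinal_ex(ctx, d.digest, &len)` on L376 is unchecked, and `d` is an automatic union, so if the final fails the function returns `d.extract` from stack memory that was never written — a nonce not derived from the salt, possibly repeated or predictable. Treat it like the other failures in this function: `if (!EVP_DigestFinal_ex(ctx, d.digest, &len)) { msyslog(LOG_ERR, "ERR: EVP_DigestFinal_ex failed"); exit(1); }`. A one-line comment is also due, since the union trick silently relies on the digest being at least `sizeof d.extract` bytes (20 for SHA-1): `/* extract reads the first 4 bytes of the digest; any digest >= 4 bytes is enough */`; `len` appears to be otherwise unused.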
=====================================
ntpd/ntp_leapsec.c
=====================================
@@ -943,7 +943,7 @@ leapsec_validate(
char line[50];
int hlseen = -1;
- mdctx = EVP_MD_CTX_create();
+ mdctx = EVP_MD_CTX_new();
EVP_DigestInit_ex(mdctx, EVP_sha1(), NULL);
while (get_line(func, farg, line, sizeof(line))) {
if (!strncmp(line, "#h", 2)) {
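Review bot: `mdctx = EVP_MD_CTX_new()` on L387 is unchecked and the very next line hands it to `EVP_DigestInit_ex()`, which dereferences it, so an allocation failure is a crash while parsing the leap-seconds file. A guard such as `if (NULL == mdctx) { return LSVALID_NOHASH; }` — or whichever LSVALID_* code leapsec_validate uses for "could not verify" (its prologue is outside the hunk) — keeps the failure inside the existing error contract. Also worth a comment on L388, since the `#h` line appears to carry a SHA-1 checksum defined by the leap-seconds file format: `/* #h is SHA-1 by the leap-seconds file format; unlike the Mode 6 nonce this digest cannot be swapped */`, so the FIPS-motivated MD5 to SHA-1 change elsewhere in this push is not "improved" here by moving to SHA-256.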
@@ -957,7 +957,7 @@ leapsec_validate(
}
}
EVP_DigestFinal_ex(mdctx, ldig.hv, NULL);
- EVP_MD_CTX_destroy(mdctx);
+ EVP_MD_CTX_free(mdctx);
if (0 > hlseen) {
return LSVALID_NOHASH;
=====================================
ntpd/ntp_proto.c
=====================================
@@ -428,7 +428,7 @@ i_require_authentication(
unsigned short restrict_mask
)
{
- bool restrict_notrust = restrict_mask & RES_DONTTRUST;
+ bool restrict_notrust = restrict_mask & RES_NOTRUST;
bool peer_has_key = peer != NULL && peer->cfg.peerkey != 0;
return restrict_notrust || peer_has_key;
@@ -452,21 +452,25 @@ static bool is_kod(
/* Check the restrictions which can be checked just based on the source
IP address and the first byte of the packet, namely RES_IGNORE,
- RES_FLAKE, RES_NOQUERY, RES_DONTSERVE, and RES_VERSION. */
+ RES_FLAKE, RES_NOQUERY, RES_NOSERVE, and RES_VERSION. */
+/* return true to reject packet */
static bool check_early_restrictions(
struct recvbuf const* rbufp,
unsigned short restrict_mask
)
{
- return (restrict_mask & RES_IGNORE) ||
- ((restrict_mask & RES_FLAKE) &&
- (double)random() / RAND_MAX < .1) ||
- (restrict_mask & (is_control_packet(rbufp) ? RES_NOQUERY : RES_DONTSERVE)) ||
- rbufp->recv_length < 1 ||
- ((restrict_mask & RES_VERSION) &&
- (rbufp->recv_length < 1 ||
- PKT_VERSION(rbufp->recv_buffer[0]) != NTP_VERSION));
+ if (rbufp->recv_length < 1) // FIXME: should be earlier and bigger
+ return(true);
+ int mode = PKT_MODE(rbufp->recv_buffer[0]);
+ return (
+ (restrict_mask & RES_IGNORE) ||
+ ((restrict_mask & RES_FLAKE) && (double)random() / RAND_MAX < .1) ||
+ ((restrict_mask & RES_NOQUERY) && (MODE_CONTROL == mode)) ||
+ ((restrict_mask & RES_NOSERVE) && (MODE_CONTROL != mode)) ||
+ ((restrict_mask & RES_VERSION) &&
+ (PKT_VERSION(rbufp->recv_buffer[0]) != NTP_VERSION))
+ );
}
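Review bot: The new early return on L429-L430 is written `return(true);` with no braces and function-call spacing, while the rest of this push (e.g. ntpd/ntp_control.c) uses braced bodies; `if (rbufp->recv_length < 1) { return true; }` matches the house style and the always-brace convention that guards against goto-fail mistakes in security-sensitive filters. The FIXME on the same line leaves the real minimum unstated; if the later mode-specific parsers already enforce their own minimums (not visible here), a comment saying so would let the FIXME be closed, otherwise naming the intended constant would help. Note too that `mode` is a 3-bit field, so a mode 7 packet now falls into the RES_NOSERVE branch on L436 rather than RES_NOQUERY; if that matches the old is_control_packet() behaviour (its definition is not in this hunk) a comment such as `/* only MODE_CONTROL counts as a query; everything else is time service */` would make the intent explicit.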
/* rawstats_filter
=====================================
ntpd/ntp_restrict.c
=====================================
@@ -656,7 +656,7 @@ restrict_source(
}
auth = (0 != peer->cfg.peerkey);
nts = peer->cfg.flags & FLAG_NTS;
- if (RES_DONTTRUST & res->flags && !auth && !nts) {
+ if (RES_NOTRUST & res->flags && !auth && !nts) {
/* needs authentication, but this slot doesn't have any */
need_poke = true;
}
=====================================
ntpd/refclock_gpsd.c
=====================================
@@ -2181,7 +2181,7 @@ log_data(
/* replace with two \ */
*dptr++ = '\\';
*dptr++ = '\\';
- } else if (isprint(*sptr)) {
+ } else if (isprint((unsigned char)*sptr)) {
*dptr++ = *sptr;
} else {
dptr += snprintf(dptr, dtop - dptr, "\\%#.2x",
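Review bot: The same sign-extension this hunk fixes for `isprint()` on L462 still reaches the escape on L465: if the argument to `"\\%#.2x"` (on the line after the hunk) is the raw `*sptr`, a byte with the top bit set on a signed-`char` platform is passed as a negative int and prints as a ten-character `\0xffffff80`-style escape instead of `\0x80`, so pass `(unsigned char)*sptr` there as well. Separately, `dptr += snprintf(...)` adds the would-be length rather than the bytes actually written, so once the buffer is short `dptr` moves past `dtop` and the next `dtop - dptr` goes negative and is converted to a huge `size_t`. Unless the loop condition above the hunk (log_data starts outside it) already guarantees room for the longest escape, capture the return and stop the loop: `int n = snprintf(dptr, (size_t)(dtop - dptr), "\\%#.2x", (unsigned char)*sptr); if (n < 0 || n >= dtop - dptr) break; dptr += n;`.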
=====================================
tests/libntp/statestr.c
=====================================
@@ -24,7 +24,10 @@ TEST(statestr, ResMatchFlags) {
// res_access_flags()
TEST(statestr, ResAccessFlags) {
- TEST_ASSERT_EQUAL_STRING("notrust", res_access_flags(RES_DONTTRUST));
+ TEST_ASSERT_EQUAL_STRING("notrust", res_access_flags(RES_NOTRUST));
+}
+TEST(statestr, ResAccessFlags2) {
+ TEST_ASSERT_EQUAL_STRING("noserve", res_access_flags(RES_NOSERVE));
}
// k_st_flags()
@@ -63,6 +66,7 @@ TEST(statestr, ClockCodeUnknown) {
TEST_GROUP_RUNNER(statestr) {
RUN_TEST_CASE(statestr, ResMatchFlags);
RUN_TEST_CASE(statestr, ResAccessFlags);
+ RUN_TEST_CASE(statestr, ResAccessFlags2);
RUN_TEST_CASE(statestr, KSTFlags);
RUN_TEST_CASE(statestr, StatusToA);
RUN_TEST_CASE(statestr, PeerRestart);
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/c70554001cd5d719976589418339e6921ac7c150...db7835cace596b47dfc246ec01f543cdf4bc74fa