[Git][NTPsec/ntpsec][master] 2 commits: Don't write drift file in lockclock mode

Hal Murray (@hal.murray) gitlab at mg.gitlab.com
Sun Mar 17 06:02:23 UTC 2024



Hal Murray pushed to branch master at NTPsec / ntpsec


Commits:
2a47bf0a by Hal Murray at 2024-03-12T02:58:13-07:00
Don't write drift file in lockclock mode

- - - - -
11b38824 by Hal Murray at 2024-03-14T01:38:12-07:00
Split out tlscipherserverpreference, fixup #797

- - - - -


9 changed files:

- docs/includes/nts-commands.adoc
- include/nts.h
- include/nts2.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/ntp_util.c
- ntpd/nts.c
- ntpd/nts_server.c


Changes:

=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -4,7 +4,7 @@ The following command controls NTS authentication. It overrides
 normal TLS protocol negotiation, which is not usually necessary.
 
 [[nts]]
-+nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_] [+tlsecdhcurves+ _name_]
++nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_] [+tlsecdhcurves+ _name_] [tlscipherserverpreference]
 
 The options are as follows:
 
@@ -63,6 +63,15 @@ The options are as follows:
    An OpenSSL ecdhcurves list to configure the allowed ecdhcurves for
    TLS 1.3.  A single NULL ecdhcurves disables encryption and use of certificates.
 
++tlscipherserverpreference+::
+   During TLS connection setup, the client and server have to pick a
+   ciphersuite to use.  The client gives the server a list of the ones
+   it supports.  The server compares that with its list.  The server
+   picks one that is on both lists.  Normally, it picks the first one
+   on the client's list that it supports.  This option changes that
+   to picking the first one on the servers list that the client supports.
+   [FIXME: Need good URL for best practices]
+
 +aead+ _string_::
    Specify the crypto algorithm to be used on the wire.  The choices
    come from RFC 5297.  The only options supported are AES_SIV_CMAC_256,


=====================================
include/nts.h
=====================================
@@ -158,6 +158,7 @@ struct ntsconfig_t {
 	const char *KI;		/* file holding K/I for making cookies */
 	const char *ca;		/* root cert dir/file */
 	const char *aead;	/* AEAD algorithms on wire */
+	bool tlscipherserverpreference;  /* OpenSSL 3.0 default is client */
 };
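Review bot: The new field's comment `/* OpenSSL 3.0 default is client */` reads as if client preference were a 3.0-specific default, but as far as I know OpenSSL has always followed the client's ciphersuite order unless SSL_OP_CIPHER_SERVER_PREFERENCE is set, so the version qualifier will mislead the next reader. I would make the comment say what the flag does and what it overrides, e.g. `bool tlscipherserverpreference;  /* set SSL_OP_CIPHER_SERVER_PREFERENCE on the server ctx; OpenSSL's default is client preference */`. The enclosing struct ntsconfig_t starts before this hunk.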
 
 


=====================================
include/nts2.h
=====================================
@@ -21,6 +21,7 @@ bool nts_load_certificate(SSL_CTX *ctx);
 void nts_reload_certificate(SSL_CTX *ctx);
 bool nts_load_ciphers(SSL_CTX *ctx);
 bool nts_load_ecdhcurves(SSL_CTX *ctx);
+bool nts_set_cipher_order(SSL_CTX *ctx);
 bool nts_load_versions(SSL_CTX *ctx);
 
 int nts_ssl_read(SSL *ssl, uint8_t *buff, int buff_length);


=====================================
ntpd/keyword-gen.c
=====================================
@@ -206,6 +206,7 @@ struct key_tok ntp_keywords[] = {
 { "maxtls",		T_Maxtls,		FOLLBY_TOKEN },
 { "tlsciphersuites",	T_Tlsciphersuites,	FOLLBY_STRING },
 { "tlsecdhcurves",	T_Tlsecdhcurves,	FOLLBY_STRING },
+{ "tlscipherserverpreference",	T_Tlscipherserverpreference,	FOLLBY_TOKEN },
 };
 
 typedef struct big_scan_state_tag {


=====================================
ntpd/ntp_config.c
=====================================
@@ -1978,6 +1978,10 @@ config_nts(
 			ntsconfig.mintls = estrdup(nts->value.s);
 			break;
 
+		case T_Tlscipherserverpreference:
+			ntsconfig.tlscipherserverpreference = true;
+			break;
+
 		case T_Tlsciphersuites:
 			ntsconfig.tlsciphersuites = estrdup(nts->value.s);
 			break;
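Review bot: The new `case T_Tlscipherserverpreference:` hard-codes `true` and discards the attribute value, even though the parser encodes one via `create_attr_ival($1, 1)`; the neighbouring `T_Enable`/`T_Disable` handling presumably does consult that value. Honouring it keeps the two sides consistent and lets a future disable form work without touching this function: `ntsconfig.tlscipherserverpreference = (nts->value.i != 0);`. config_nts starts before this hunk, so I cannot see how the enable/disable cases are handled here.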


=====================================
ntpd/ntp_parser.y
=====================================
@@ -212,6 +212,7 @@
 %token	<Integer>	T_Tinker
 %token	<Integer>	T_Tlsciphersuites
 %token	<Integer>	T_Tlsecdhcurves
+%token	<Integer>	T_Tlscipherserverpreference
 %token	<Integer>	T_Tos
 %token	<Integer>	T_True
 %token	<Integer>	T_Trustedkey
@@ -1131,6 +1132,8 @@ nts_option
 			{ $$ = create_attr_ival($1, 0); }
 	|	T_Enable
 			{ $$ = create_attr_ival($1, 1); }
+	|	T_Tlscipherserverpreference
+			{ $$ = create_attr_ival($1, 1); }
 	;
 
 	;


=====================================
ntpd/ntp_util.c
=====================================
@@ -184,6 +184,8 @@ write_pidfile(
 static void drift_write(char *driftfile, double drift) {
 	FILE *new;
 	char tempfile[PATH_MAX];
+	if (loop_data.lockclock)
+	    return;	/* Don't trash drift file -- we aren't maintaining it */
 	strlcpy(tempfile, driftfile, sizeof(tempfile));
 	strlcat(tempfile, "-tmp", sizeof(tempfile));
 	if ((new = fopen(tempfile, "w")) == NULL) {
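Review bot: The added early return in drift_write is indented with a tab plus four spaces and drops the braces that every other conditional in this function uses (`if ((new = fopen(...)) == NULL) {`), which clang-format or a later edit will churn; I would write it as `if (loop_data.lockclock) {` / `return;  /* lockclock: frequency is not disciplined, keep the saved value */` / `}` with tabs only. Separately, the caller write_stats still enters its `if (stats_drift_file != NULL)` branch and runs the "When the frequency file is written, initialize the..." bookkeeping that follows, which presumably assumes a write happened; if that bookkeeping resets the previous-drift state it may be worth checking loop_data.lockclock in write_stats instead so the whole step is skipped. drift_write continues past the end of this hunk and write_stats's branch body is not visible here, so that part is inferred.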
@@ -209,7 +211,7 @@ write_stats(void) {
 	record_use_stats();
 	record_nts_stats();
 	record_ntske_stats();
-	if (stats_drift_file != 0) {
+	if (stats_drift_file != NULL) {
 
 		/*
 		 * When the frequency file is written, initialize the


=====================================
ntpd/nts.c
=====================================
@@ -42,7 +42,8 @@ struct ntsconfig_t ntsconfig = {
 	.key = NULL,
 	.KI = NULL,
 	.ca = NULL,
-	.aead = NULL
+	.aead = NULL,
+	.tlscipherserverpreference = false,
 };
 
 void nts_log_version(void);
@@ -187,12 +188,7 @@ bool nts_load_ciphers(SSL_CTX *ctx) {
 	if (NULL == ntsconfig.tlsciphersuites) {
 		return true;
 	}
-	/* The server picks the ciphers.
-	 *  Default is client preference.
-	 *  This switches to server preference if the admin
-	 *  specifies the valid ciphers.  See #797
-	 */
-	SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+	/*  This used to set server-preference See #797 */
 	if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
 		msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
 		return false;
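Review bot: The replacement comment `/*  This used to set server-preference See #797 */` records history rather than telling the reader where the behaviour went, and it hides a compatibility change: before this commit any `tlsciphersuites` setting implicitly enabled SSL_OP_CIPHER_SERVER_PREFERENCE, so operators who pinned a suite order for that reason silently lose it until they add `tlscipherserverpreference`. I would say that explicitly, e.g. `/* Cipher order is controlled separately by tlscipherserverpreference (nts_set_cipher_order); setting suites alone no longer implies server preference. See #797. */`, and mention the change in the release notes. Note also that SSL_CTX_set_ciphersuites only configures the TLS 1.3 suites, so the server-preference flag is the only thing that makes the listed order matter. nts_load_ciphers begins before this hunk.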
@@ -223,6 +219,12 @@ bool nts_load_ecdhcurves(SSL_CTX *ctx) {
 	return true;
 }
 
+bool nts_set_cipher_order(SSL_CTX *ctx) {
+	if (ntsconfig.tlscipherserverpreference)
+		SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+	return true;
+}
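Review bot: nts_set_cipher_order has no header comment, and its brace-less `if` differs from the `if (...) {` style used by nts_load_ciphers and nts_load_ecdhcurves directly above it. A short comment would also justify the unconditional `return true`, which is correct because SSL_CTX_set_options only returns the new option mask and cannot fail, but which otherwise looks like a forgotten error path next to the `ok &=` chain in nts_server_init: `/* Apply SSL_OP_CIPHER_SERVER_PREFERENCE when tlscipherserverpreference is configured, so the server's ciphersuite order wins over the client's. Cannot fail; always returns true. */`.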
+
 
 static struct stat certfile_stat;
 


=====================================
ntpd/nts_server.c
=====================================
@@ -105,6 +105,7 @@ bool nts_server_init(void) {
 	ok &= nts_load_versions(server_ctx);
 	ok &= nts_load_ciphers(server_ctx);
 	ok &= nts_load_ecdhcurves(server_ctx);
+	ok &= nts_set_cipher_order(server_ctx);
 
 	if (!ok) {
 		msyslog(LOG_ERR, "NTSs: Disabling NTS-KE server");



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/e815d37e60903f1709c522d6d5abaf2a0e581f98...11b3882464c2435de1fa2dd89b9ef313aa27f792
