[Git][NTPsec/ntpsec][master] 2 commits: Don't write drift file in lockclock mode
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Sun Mar 17 06:02:23 UTC 2024
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
2a47bf0a by Hal Murray at 2024-03-12T02:58:13-07:00
Don't write drift file in lockclock mode
- - - - -
11b38824 by Hal Murray at 2024-03-14T01:38:12-07:00
Split out tlscipherserverpreference, fixup #797
- - - - -
9 changed files:
- docs/includes/nts-commands.adoc
- include/nts.h
- include/nts2.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- ntpd/ntp_util.c
- ntpd/nts.c
- ntpd/nts_server.c
Changes:
=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -4,7 +4,7 @@ The following command controls NTS authentication. It overrides
normal TLS protocol negotiation, which is not usually necessary.
[[nts]]
-+nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_] [+tlsecdhcurves+ _name_]
++nts+ [enable|disable] [+mintls+ _version_] [+maxtls+ _version_] [+tlsciphersuites+ _name_] [+tlsecdhcurves+ _name_] [tlscipherserverpreference]
The options are as follows:
@@ -63,6 +63,15 @@ The options are as follows:
An OpenSSL ecdhcurves list to configure the allowed ecdhcurves for
TLS 1.3. A single NULL ecdhcurves disables encryption and use of certificates.
++tlscipherserverpreference+::
+ During TLS connection setup, the client and server have to pick a
+ ciphersuite to use. The client gives the server a list of the ones
+ it supports. The server compares that with its list. The server
+ picks one that is on both lists. Normally, it picks the first one
+ on the client's list that it supports. This option changes that
+ to picking the first one on the servers list that the client supports.
+ [FIXME: Need good URL for best practices]
+
+aead+ _string_::
Specify the crypto algorithm to be used on the wire. The choices
come from RFC 5297. The only options supported are AES_SIV_CMAC_256,
=====================================
include/nts.h
=====================================
@@ -158,6 +158,7 @@ struct ntsconfig_t {
const char *KI; /* file holding K/I for making cookies */
const char *ca; /* root cert dir/file */
const char *aead; /* AEAD algorithms on wire */
+ bool tlscipherserverpreference; /* OpenSSL 3.0 default is client */
};
=====================================
include/nts2.h
=====================================
@@ -21,6 +21,7 @@ bool nts_load_certificate(SSL_CTX *ctx);
void nts_reload_certificate(SSL_CTX *ctx);
bool nts_load_ciphers(SSL_CTX *ctx);
bool nts_load_ecdhcurves(SSL_CTX *ctx);
+bool nts_set_cipher_order(SSL_CTX *ctx);
bool nts_load_versions(SSL_CTX *ctx);
int nts_ssl_read(SSL *ssl, uint8_t *buff, int buff_length);
=====================================
ntpd/keyword-gen.c
=====================================
@@ -206,6 +206,7 @@ struct key_tok ntp_keywords[] = {
{ "maxtls", T_Maxtls, FOLLBY_TOKEN },
{ "tlsciphersuites", T_Tlsciphersuites, FOLLBY_STRING },
{ "tlsecdhcurves", T_Tlsecdhcurves, FOLLBY_STRING },
+{ "tlscipherserverpreference", T_Tlscipherserverpreference, FOLLBY_TOKEN },
};
typedef struct big_scan_state_tag {
=====================================
ntpd/ntp_config.c
=====================================
@@ -1978,6 +1978,10 @@ config_nts(
ntsconfig.mintls = estrdup(nts->value.s);
break;
+ case T_Tlscipherserverpreference:
+ ntsconfig.tlscipherserverpreference = true;
+ break;
+
case T_Tlsciphersuites:
ntsconfig.tlsciphersuites = estrdup(nts->value.s);
break;
=====================================
ntpd/ntp_parser.y
=====================================
@@ -212,6 +212,7 @@
%token <Integer> T_Tinker
%token <Integer> T_Tlsciphersuites
%token <Integer> T_Tlsecdhcurves
+%token <Integer> T_Tlscipherserverpreference
%token <Integer> T_Tos
%token <Integer> T_True
%token <Integer> T_Trustedkey
@@ -1131,6 +1132,8 @@ nts_option
{ $$ = create_attr_ival($1, 0); }
| T_Enable
{ $$ = create_attr_ival($1, 1); }
+ | T_Tlscipherserverpreference
+ { $$ = create_attr_ival($1, 1); }
;
;
=====================================
ntpd/ntp_util.c
=====================================
@@ -184,6 +184,8 @@ write_pidfile(
static void drift_write(char *driftfile, double drift) {
FILE *new;
char tempfile[PATH_MAX];
+ if (loop_data.lockclock)
+ return; /* Don't trash drift file -- we aren't maintaining it */
strlcpy(tempfile, driftfile, sizeof(tempfile));
strlcat(tempfile, "-tmp", sizeof(tempfile));
if ((new = fopen(tempfile, "w")) == NULL) {
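Review bot: The new guard turns drift_write() into a silent no-op under lockclock, but the decision is taken inside the writer rather than in write_stats(), which decides when a drift write is due; the second hunk below speaks of initialising state "when the frequency file is written", so any such caller-side bookkeeping (not visible here) would now run as if the file had been refreshed. If that state exists, testing loop_data.lockclock in write_stats() instead keeps the two in step; otherwise at least state the contract in the writer. The comment should also say why rather than what, e.g. `/* lockclock: we are not maintaining the drift value, so never overwrite the operator's file */`. drift_write()'s body continues past the hunk.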
@@ -209,7 +211,7 @@ write_stats(void) {
record_use_stats();
record_nts_stats();
record_ntske_stats();
- if (stats_drift_file != 0) {
+ if (stats_drift_file != NULL) {
/*
* When the frequency file is written, initialize the
=====================================
ntpd/nts.c
=====================================
@@ -42,7 +42,8 @@ struct ntsconfig_t ntsconfig = {
.key = NULL,
.KI = NULL,
.ca = NULL,
- .aead = NULL
+ .aead = NULL,
+ .tlscipherserverpreference = false,
};
void nts_log_version(void);
@@ -187,12 +188,7 @@ bool nts_load_ciphers(SSL_CTX *ctx) {
if (NULL == ntsconfig.tlsciphersuites) {
return true;
}
- /* The server picks the ciphers.
- * Default is client preference.
- * This switches to server preference if the admin
- * specifies the valid ciphers. See #797
- */
- SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ /* This used to set server-preference See #797 */
if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
return false;
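Review bot: The replacement comment `/* This used to set server-preference See #797 */` is a change-log note rather than an explanation, and nothing in this function now tells a reader where cipher ordering is decided; say what governs it, e.g. `/* Cipher order is no longer implied by tlsciphersuites; it is applied by nts_set_cipher_order() only when tlscipherserverpreference is configured. See #797 */`. This is also a silent behaviour change for existing configurations: an admin who set tlsciphersuites previously got server preference as a side effect, and after this commit the client's ordering wins unless the new keyword is added, which deserves a sentence in the option's documentation. nts_load_ciphers() continues past the hunk.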
@@ -223,6 +219,12 @@ bool nts_load_ecdhcurves(SSL_CTX *ctx) {
return true;
}
+bool nts_set_cipher_order(SSL_CTX *ctx) {
+ if (ntsconfig.tlscipherserverpreference)
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ return true;
+}
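Review bot: nts_set_cipher_order() returns true unconditionally, so the `ok &= nts_set_cipher_order(server_ctx)` chain in nts_server_init() learns nothing from the call; since SSL_CTX_set_options() returns the resulting option mask, `return (SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & SSL_OP_CIPHER_SERVER_PREFERENCE) != 0;` makes the result meaningful at no cost. A LOG_INFO msyslog line when the option is enabled would let operators confirm the active ordering policy from the log. The function also lacks a header comment, e.g. `/* Apply SSL_OP_CIPHER_SERVER_PREFERENCE when the admin asked for it; otherwise OpenSSL's client-preference default stands. */`, and the single-statement if should be braced to match the style of the loaders above it.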
+
static struct stat certfile_stat;
=====================================
ntpd/nts_server.c
=====================================
@@ -105,6 +105,7 @@ bool nts_server_init(void) {
ok &= nts_load_versions(server_ctx);
ok &= nts_load_ciphers(server_ctx);
ok &= nts_load_ecdhcurves(server_ctx);
+ ok &= nts_set_cipher_order(server_ctx);
if (!ok) {
msyslog(LOG_ERR, "NTSs: Disabling NTS-KE server");