faraphel/chrony
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nts: support servers specified by IP address

Browse source 
Certificates can include IP addresses as alternative names to enable
clients to verify such certificates without knowing the hostname.

Accept an IP address as a name in the NTS-NTP client and modify the
session code to not set the SNI in this case.
This commit is contained in:
Miroslav Lichvar 2021-01-14 16:31:07 +01:00
parent eb9e6701fd
commit 62389b7e50
2 changed files with 13 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
nts_ke_session.c
View file

@ -225,9 +225,13 @@ create_tls_session(int server_mode, int sock_fd, const char *server_name,
} }
if (!server_mode) { if (!server_mode) {
r = gnutls_server_name_set(session, GNUTLS_NAME_DNS, server_name, strlen(server_name)); assert(server_name);
if (r < 0)
goto error; if (!UTI_IsStringIP(server_name)) {
r = gnutls_server_name_set(session, GNUTLS_NAME_DNS, server_name, strlen(server_name));
if (r < 0)
goto error;
}
flags = 0; flags = 0;

15
nts_ntp_client.c
View file

@ -50,8 +50,11 @@
#define DUMP_IDENTIFIER "NNC0\n" #define DUMP_IDENTIFIER "NNC0\n"
struct NNC_Instance_Record { struct NNC_Instance_Record {
/* Pointer to current address of NTP server */
const IPSockAddr *ntp_address; const IPSockAddr *ntp_address;
/* Address of NTS-KE server */
IPSockAddr nts_address; IPSockAddr nts_address;
/* Hostname or IP address for certificate verification */
char *name; char *name;
NKC_Instance nke; NKC_Instance nke;
@ -119,7 +122,7 @@ NNC_CreateInstance(IPSockAddr *nts_address, const char *name, const IPSockAddr *
inst->ntp_address = ntp_address; inst->ntp_address = ntp_address;
inst->nts_address = *nts_address; inst->nts_address = *nts_address;
inst->name = !UTI_IsStringIP(name) ? Strdup(name) : NULL; inst->name = Strdup(name);
inst->siv = NULL; inst->siv = NULL;
inst->nke = NULL; inst->nke = NULL;
@ -223,12 +226,6 @@ get_cookies(NNC_Instance inst)
return 0; return 0;
} }
if (!inst->name) {
LOG(LOGS_ERR, "Missing name of %s for NTS-KE",
UTI_IPToString(&inst->nts_address.ip_addr));
return 0;
}
inst->nke = NKC_CreateInstance(&inst->nts_address, inst->name); inst->nke = NKC_CreateInstance(&inst->nts_address, inst->name);
inst->nke_attempts++; inst->nke_attempts++;
@ -541,7 +538,7 @@ save_cookies(NNC_Instance inst)
FILE *f; FILE *f;
int i; int i;
if (inst->num_cookies < 1 || !inst->name || !UTI_IsIPReal(&inst->nts_address.ip_addr)) if (inst->num_cookies < 1 || !UTI_IsIPReal(&inst->nts_address.ip_addr))
return; return;
dump_dir = CNF_GetNtsDumpDir(); dump_dir = CNF_GetNtsDumpDir();
@ -623,7 +620,7 @@ load_cookies(NNC_Instance inst)
if (!fgets(line, sizeof (line), f) || strcmp(line, DUMP_IDENTIFIER) != 0 || if (!fgets(line, sizeof (line), f) || strcmp(line, DUMP_IDENTIFIER) != 0 ||
!fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 1 || !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 1 ||
!inst->name || strcmp(words[0], inst->name) != 0 || strcmp(words[0], inst->name) != 0 ||
!fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 1 || !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 1 ||
sscanf(words[0], "%lf", &context_time) != 1 || sscanf(words[0], "%lf", &context_time) != 1 ||
!fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 2 || !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 2 ||