From 754097944be27f3efe5fc1792ea8a318e09dc854 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 21 Apr 2021 09:37:40 +0200
Subject: [PATCH] nts: handle negotiated server as FQDN

The NTS RFC requires the recipient of the Server Negotiation NTS-KE record to handle the name as a fully qualified domain name. Add a trailing dot if not present to force the name to be resolved as one.
---
 doc/chrony.conf.adoc | 3 ++-
 nts_ke_client.c | 13 ++++++++++++-
 2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc
index 1b9e0ab..347f5f2 100644
--- a/doc/chrony.conf.adoc
+++ b/doc/chrony.conf.adoc
@@ -1651,7 +1651,8 @@ ntsdumpdir @CHRONYVARDIR@
 This directory is used also by the <> to save NTS cookies.
 [[ntsntpserver]]*ntsntpserver* _hostname_::
-This directive specifies the hostname or address of the NTP server(s) which is
+This directive specifies the hostname (as a fully qualified domain name) or
+address of the NTP server(s) which is
 provided in the NTS-KE response to the clients. It allows the NTS-KE server to be separated from the NTP server. However, the servers need to share the keys, i.e. external key management needs to be enabled by setting
diff --git a/nts_ke_client.c b/nts_ke_client.c
index d47a1d1..877d1c8 100644
--- a/nts_ke_client.c
+++ b/nts_ke_client.c
@@ -53,7 +53,7 @@ struct NKC_Instance_Record {
 NKE_Context context;
 NKE_Cookie cookies[NKE_MAX_COOKIES];
 int num_cookies;
- char server_name[NKE_MAX_RECORD_BODY_LENGTH + 1];
+ char server_name[NKE_MAX_RECORD_BODY_LENGTH + 2];
 IPSockAddr ntp_address;
 };
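Review bot: The `+ 2` in the new `server_name` declaration is not explained at the point of declaration; the second spare byte exists only to hold the trailing dot that handle_message() appends later in this patch (the first is the NUL), and a reader of the struct alone cannot tell that. Suggest `char server_name[NKE_MAX_RECORD_BODY_LENGTH + 2]; /* record body, optional trailing dot, NUL */`. Recording the sizing rule here also makes it clear that the `length + 1 >= sizeof` guard in handle_message() is a defensive bound that, presumably, only trips if this buffer is ever shrunk again.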
@@ -254,6 +254,17 @@ handle_message(void *arg)
 if (inst->resolving_name)
 return 0;
 if (!UTI_StringToIP(inst->server_name, &inst->ntp_address.ip_addr)) {
+ int length = strlen(inst->server_name);
+
+ /* Add a trailing dot if not present to force the name to be
+ resolved as a fully qualified domain name */
+ if (length < 1 || length + 1 >= sizeof (inst->server_name))
+ return 0;
+ if (inst->server_name[length - 1] != '.') {
+ inst->server_name[length] = '.';
+ inst->server_name[length + 1] = '\0';
+ }
+
 DNS_Name2IPAddressAsync(inst->server_name, name_resolve_handler, inst);
 inst->resolving_name = 1;
 }
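Review bot: `int length = strlen(inst->server_name);` stores a size_t in an int and the guard then compares `length + 1 >= sizeof (inst->server_name)` across signedness; it is safe here only because length is bounded by the buffer, and `-Wsign-compare`/`-Wconversion` will flag it. Suggest `size_t length = strlen(inst->server_name);` with the guard written as `if (length == 0 || length + 1 >= sizeof (inst->server_name))`, which also makes the `length - 1` index a few lines below well-defined by construction. The two new `return 0` paths give no diagnostic, so an empty or over-long negotiated name (data received from the NTS-KE server) makes the client silently stop without starting resolution or setting `resolving_name`; a debug-log line before each return would make that failure visible to an operator. handle_message() begins and ends outside the hunk, so how the caller treats a 0 return from these new paths cannot be confirmed from here.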