conf: add certset option to NTP sources
Allow the set of trusted certificates to be selected for each NTP source individually.
This commit is contained in:
parent
a8bc25e543
commit
cc77b0e9fd
5 changed files with 17 additions and 2 deletions
1
cmdmon.c
1
cmdmon.c
|
@ -735,6 +735,7 @@ handle_add_source(CMD_Request *rx_message, CMD_Reply *tx_message)
|
||||||
params.filter_length = ntohl(rx_message->data.ntp_source.filter_length);
|
params.filter_length = ntohl(rx_message->data.ntp_source.filter_length);
|
||||||
params.authkey = ntohl(rx_message->data.ntp_source.authkey);
|
params.authkey = ntohl(rx_message->data.ntp_source.authkey);
|
||||||
params.nts_port = ntohl(rx_message->data.ntp_source.nts_port);
|
params.nts_port = ntohl(rx_message->data.ntp_source.nts_port);
|
||||||
|
params.cert_set = 0;
|
||||||
params.max_delay = UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay);
|
params.max_delay = UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay);
|
||||||
params.max_delay_ratio =
|
params.max_delay_ratio =
|
||||||
UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay_ratio);
|
UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay_ratio);
|
||||||
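Review bot: `params.cert_set = 0;` hard-codes the default while the cmd_parse.c hunk of the same commit initialises the field with `SRC_DEFAULT_CERTSET`; the two initialisation paths should agree so a later change of the default is not silently missed here, `params.cert_set = SRC_DEFAULT_CERTSET;`. Every other field in the hunk is read from `rx_message->data.ntp_source`, and no cert_set field is visible there, so sources added through the command protocol presumably cannot select a set at all — a short comment would save the next reader from looking for the missing ntohl, e.g. `/* not carried in the request; sources added via cmdmon use the default set */`. handle_add_source begins and ends outside the hunk.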
|
|
|
@ -65,6 +65,7 @@ CPS_ParseNTPSourceAdd(char *line, CPS_NTP_Source *src)
|
||||||
src->params.nts = 0;
|
src->params.nts = 0;
|
||||||
src->params.nts_port = SRC_DEFAULT_NTSPORT;
|
src->params.nts_port = SRC_DEFAULT_NTSPORT;
|
||||||
src->params.authkey = INACTIVE_AUTHKEY;
|
src->params.authkey = INACTIVE_AUTHKEY;
|
||||||
|
src->params.cert_set = SRC_DEFAULT_CERTSET;
|
||||||
src->params.max_delay = SRC_DEFAULT_MAXDELAY;
|
src->params.max_delay = SRC_DEFAULT_MAXDELAY;
|
||||||
src->params.max_delay_ratio = SRC_DEFAULT_MAXDELAYRATIO;
|
src->params.max_delay_ratio = SRC_DEFAULT_MAXDELAYRATIO;
|
||||||
src->params.max_delay_dev_ratio = SRC_DEFAULT_MAXDELAYDEVRATIO;
|
src->params.max_delay_dev_ratio = SRC_DEFAULT_MAXDELAYDEVRATIO;
|
||||||
|
@ -102,6 +103,9 @@ CPS_ParseNTPSourceAdd(char *line, CPS_NTP_Source *src)
|
||||||
src->params.sel_options |= SRC_SELECT_REQUIRE;
|
src->params.sel_options |= SRC_SELECT_REQUIRE;
|
||||||
} else if (!strcasecmp(cmd, "trust")) {
|
} else if (!strcasecmp(cmd, "trust")) {
|
||||||
src->params.sel_options |= SRC_SELECT_TRUST;
|
src->params.sel_options |= SRC_SELECT_TRUST;
|
||||||
|
} else if (!strcasecmp(cmd, "certset")) {
|
||||||
|
if (sscanf(line, "%"SCNu32"%n", &src->params.cert_set, &n) != 1)
|
||||||
|
return 0;
|
||||||
} else if (!strcasecmp(cmd, "key")) {
|
} else if (!strcasecmp(cmd, "key")) {
|
||||||
if (sscanf(line, "%"SCNu32"%n", &src->params.authkey, &n) != 1 ||
|
if (sscanf(line, "%"SCNu32"%n", &src->params.authkey, &n) != 1 ||
|
||||||
src->params.authkey == INACTIVE_AUTHKEY)
|
src->params.authkey == INACTIVE_AUTHKEY)
|
||||||
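Review bot: The new certset branch accepts a leading sign and does not report values above 2^32-1, because a `%SCNu32` conversion follows strtoul rules — `certset -1` converts to 4294967295 without an error, and a result that cannot be represented is formally undefined behaviour for sscanf rather than a reported failure. That mirrors the existing key branch directly below, so if it is accepted as a known limitation a comment saying so would help; otherwise parsing with strtoul, checking `errno == ERANGE` and rejecting a leading `-` is the robust option, and the same change would apply to the key branch. Unlike key, no ID is reserved here, so an explicit `certset 0` is valid and equals the documented default. CPS_ParseNTPSourceAdd begins and ends outside the hunk.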
|
|
|
@ -116,6 +116,12 @@ mechanism. Unlike with the *key* option, the server and client do not need to
|
||||||
share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using
|
share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using
|
||||||
the Transport Layer Security (TLS) protocol to get the keys and cookies
|
the Transport Layer Security (TLS) protocol to get the keys and cookies
|
||||||
required by NTS for authentication of NTP packets.
|
required by NTS for authentication of NTP packets.
|
||||||
|
*certset* _ID_:::
|
||||||
|
This option specifies which set of trusted certificates should be used to verify
|
||||||
|
the server's certificate when the *nts* option is enabled. Sets of certificates
|
||||||
|
can be specified with the <<ntstrustedcerts,*ntstrustedcerts*>> directive. The
|
||||||
|
default set is 0, which by default contains certificates of the system's
|
||||||
|
default trusted certificate authorities.
|
||||||
*maxdelay* _delay_:::
|
*maxdelay* _delay_:::
|
||||||
*chronyd* uses the network round-trip delay to the server to determine how
|
*chronyd* uses the network round-trip delay to the server to determine how
|
||||||
accurate a particular measurement is likely to be. Long round-trip delays
|
accurate a particular measurement is likely to be. Long round-trip delays
|
||||||
|
@ -759,7 +765,9 @@ The optional _set-ID_ argument is a number in the range 0 through 2^32-1, which
|
||||||
selects the set of certificates where certificates from the specified file
|
selects the set of certificates where certificates from the specified file
|
||||||
or directory are added. The default ID is 0, which is a set containing the
|
or directory are added. The default ID is 0, which is a set containing the
|
||||||
system's default trusted CAs (unless the *nosystemcert* directive is present).
|
system's default trusted CAs (unless the *nosystemcert* directive is present).
|
||||||
All other sets are empty by default.
|
All other sets are empty by default. A set of certificates can be selected for
|
||||||
|
verification of an NTS server by the *certset* option in the *server* or *pool*
|
||||||
|
directive.
|
||||||
+
|
+
|
||||||
This directive can be used multiple times to specify one or more sets of
|
This directive can be used multiple times to specify one or more sets of
|
||||||
trusted certificates, each containing certificates from one or more files
|
trusted certificates, each containing certificates from one or more files
|
||||||
|
|
|
@ -571,7 +571,7 @@ NCR_CreateInstance(NTP_Remote_Address *remote_addr, NTP_Source_Type type,
|
||||||
nts_address.ip_addr = remote_addr->ip_addr;
|
nts_address.ip_addr = remote_addr->ip_addr;
|
||||||
nts_address.port = params->nts_port;
|
nts_address.port = params->nts_port;
|
||||||
|
|
||||||
result->auth = NAU_CreateNtsInstance(&nts_address, name, 0,
|
result->auth = NAU_CreateNtsInstance(&nts_address, name, params->cert_set,
|
||||||
result->remote_addr.port);
|
result->remote_addr.port);
|
||||||
} else if (params->authkey != INACTIVE_AUTHKEY) {
|
} else if (params->authkey != INACTIVE_AUTHKEY) {
|
||||||
result->auth = NAU_CreateSymmetricInstance(params->authkey);
|
result->auth = NAU_CreateSymmetricInstance(params->authkey);
|
||||||
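Review bot: `params->cert_set` is passed straight into NAU_CreateNtsInstance with no check that the selected set was ever populated; the documentation hunk of this commit states that every set other than 0 is empty by default, so a mistyped ID leaves the client with no trusted certificates and NTS-KE presumably fails with a generic verification error. That fails closed, which is the right outcome, but a warning logged when a source selects an empty set would make the misconfiguration visible instead of looking like a server-side certificate problem — assuming the certificate module exposes a way to query whether a set is empty. NCR_CreateInstance begins and ends outside the hunk.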
|
|
|
@ -55,6 +55,7 @@ typedef struct {
|
||||||
int nts;
|
int nts;
|
||||||
int nts_port;
|
int nts_port;
|
||||||
uint32_t authkey;
|
uint32_t authkey;
|
||||||
|
uint32_t cert_set;
|
||||||
double max_delay;
|
double max_delay;
|
||||||
double max_delay_ratio;
|
double max_delay_ratio;
|
||||||
double max_delay_dev_ratio;
|
double max_delay_dev_ratio;
|
||||||
|
@ -77,6 +78,7 @@ typedef struct {
|
||||||
#define SRC_DEFAULT_MAXSAMPLES (-1)
|
#define SRC_DEFAULT_MAXSAMPLES (-1)
|
||||||
#define SRC_DEFAULT_ASYMMETRY 1.0
|
#define SRC_DEFAULT_ASYMMETRY 1.0
|
||||||
#define SRC_DEFAULT_NTSPORT 4460
|
#define SRC_DEFAULT_NTSPORT 4460
|
||||||
|
#define SRC_DEFAULT_CERTSET 0
|
||||||
#define INACTIVE_AUTHKEY 0
|
#define INACTIVE_AUTHKEY 0
|
||||||
|
|
||||||
/* Flags for source selection */
|
/* Flags for source selection */
|
||||||
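Review bot: The new `uint32_t cert_set;` member and `SRC_DEFAULT_CERTSET` carry no comment, so a reader of the header cannot tell that the value is the _set-ID_ of the ntstrustedcerts directive and is only consulted when `nts` is set. A one-line comment on the member would settle it: `uint32_t cert_set; /* ID of the ntstrustedcerts set used to verify the NTS server */`. The enclosing typedef'd struct begins outside the hunk.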
|
|