Fincer
/
openntpd-openbsd
mirror of https://github.com/Fincer/openntpd-openbsd
1
0
Fork 0
Code Issues 0 Projects 0 Releases 61 Wiki Activity
Browse Source

Harden TLS for ntpd constraints - stop disabling server name verification, 

ensure that we load the CA certificates and use tls_connect_servername()
so that we can verify the server we are connecting to (even though we've
already resolved the hostname). Also add additional warnings for TLS
connect and TLS write failures so that we know what is happening and why.
Lack of server name verification also reported by Luis M. Merino
<luismiguelmerino at gmail dot com> - thanks!
ok deraadt@ reyk@
OPENBSD_6_0
jsing 8 years ago
parent
1b0ee9eb88
commit
f819d84119
1 changed files with 13 additions and 11 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +13
    -11
      src/usr.sbin/ntpd/constraint.c

+ 13
- 11
src/usr.sbin/ntpd/constraint.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.27 2016/05/06 16:49:46 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.28 2016/05/21 13:46:10 jsing Exp $ */
/* /*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -292,12 +292,12 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
if (setpriority(PRIO_PROCESS, 0, 0) == -1) if (setpriority(PRIO_PROCESS, 0, 0) == -1)
log_warn("could not set priority"); log_warn("could not set priority");
/* Init TLS and load cert before chroot() */
/* Init TLS and load CA certs before chroot() */
if (tls_init() == -1) if (tls_init() == -1)
fatalx("tls_init"); fatalx("tls_init");
if ((conf->ca = tls_load_file(CONSTRAINT_CA, if ((conf->ca = tls_load_file(CONSTRAINT_CA,
&conf->ca_len, NULL)) == NULL) &conf->ca_len, NULL)) == NULL)
log_warnx("constraint certificate verification turned off");
fatalx("failed to load constraint ca");
if (chroot(pw_dir) == -1) if (chroot(pw_dir) == -1)
fatal("chroot"); fatal("chroot");
@ -821,9 +821,6 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0) if (tls_config_set_ciphers(httpsdate->tls_config, "compat") != 0)
goto fail; goto fail;
/* XXX we have to pre-resolve, so name and host are not equal */
tls_config_insecure_noverifyname(httpsdate->tls_config);
if (ca == NULL || ca_len == 0) if (ca == NULL || ca_len == 0)
tls_config_insecure_noverifycert(httpsdate->tls_config); tls_config_insecure_noverifycert(httpsdate->tls_config);
else else
@ -867,9 +864,10 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
if (tls_configure(httpsdate->tls_ctx, httpsdate->tls_config) == -1) if (tls_configure(httpsdate->tls_ctx, httpsdate->tls_config) == -1)
goto fail; goto fail;
if (tls_connect(httpsdate->tls_ctx,
httpsdate->tls_addr, httpsdate->tls_port) == -1) {
log_debug("tls failed: %s: %s", httpsdate->tls_addr,
if (tls_connect_servername(httpsdate->tls_ctx, httpsdate->tls_addr,
httpsdate->tls_port, httpsdate->tls_hostname) == -1) {
log_warnx("tls connect failed: %s (%s): %s",
httpsdate->tls_addr, httpsdate->tls_hostname,
tls_error(httpsdate->tls_ctx)); tls_error(httpsdate->tls_ctx));
goto fail; goto fail;
} }
@ -880,8 +878,12 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
ret = tls_write(httpsdate->tls_ctx, buf, len); ret = tls_write(httpsdate->tls_ctx, buf, len);
if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT) if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT)
continue; continue;
if (ret < 0)
if (ret < 0) {
log_warnx("tls write failed: %s (%s): %s",
httpsdate->tls_addr, httpsdate->tls_hostname,
tls_error(httpsdate->tls_ctx));
goto fail; goto fail;
}
buf += ret; buf += ret;
len -= ret; len -= ret;
} }
@ -916,8 +918,8 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
free(line); free(line);
} }
return (0); return (0);
fail: fail:
httpsdate_free(httpsdate); httpsdate_free(httpsdate);
return (-1); return (-1);


Write Preview
Loading…
Cancel
Save