From 05b37b28683579a1c545d6a360b55756dcb3acb5 Mon Sep 17 00:00:00 2001 From: otto Date: Sun, 27 Nov 2022 13:19:00 +0000 Subject: [PATCH] Once we are synced, we can validate the certificate in the standard way. ok tb@ --- usr.sbin/ntpd/constraint.c | 32 ++++++++++++++++++++------------ usr.sbin/ntpd/ntp.c | 4 ++-- usr.sbin/ntpd/ntpd.h | 5 +++-- 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c index 7729c168c53..f6686fd9b02 100644 --- a/usr.sbin/ntpd/constraint.c +++ b/usr.sbin/ntpd/constraint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraint.c,v 1.53 2022/01/07 17:14:42 otto Exp $ */ +/* $OpenBSD: constraint.c,v 1.54 2022/11/27 13:19:00 otto Exp $ */ /* * Copyright (c) 2015 Reyk Floeter @@ -66,12 +66,12 @@ void priv_constraint_readquery(struct constraint *, struct ntp_addr_msg *, struct httpsdate * httpsdate_init(const char *, const char *, const char *, - const char *, const u_int8_t *, size_t); + const char *, const u_int8_t *, size_t, int); void httpsdate_free(void *); -int httpsdate_request(struct httpsdate *, struct timeval *); +int httpsdate_request(struct httpsdate *, struct timeval *, int); void *httpsdate_query(const char *, const char *, const char *, const char *, const u_int8_t *, size_t, - struct timeval *, struct timeval *); + struct timeval *, struct timeval *, int); char *tls_readline(struct tls *, size_t *, size_t *, struct timeval *); @@ -151,7 +151,7 @@ constraint_addr_head_clear(struct constraint *cstr) } int -constraint_query(struct constraint *cstr) +constraint_query(struct constraint *cstr, int synced) { time_t now; struct ntp_addr_msg am; @@ -206,6 +206,7 @@ constraint_query(struct constraint *cstr) memset(&am, 0, sizeof(am)); memcpy(&am.a, cstr->addr, sizeof(am.a)); + am.synced = synced; iov[iov_cnt].iov_base = &am; iov[iov_cnt++].iov_len = sizeof(am); 
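Review bot: In the `constraint_query` hunk, `am.synced = synced;` stores an `int` into the `u_int8_t` field added to `struct ntp_addr_msg`, and that byte is what the privileged child later uses to decide whether TLS certificate time checks are relaxed, so the value crossing the imsg boundary should be an explicit 0/1 rather than a truncated integer: `am.synced = synced != 0;`. If `conf->status.synced` is only ever 0 or 1 this is a clarity change, but it keeps the message field correct for any wider value a future caller might pass. The body of `constraint_query` continues outside the hunk.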
@@ -424,7 +425,7 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) /* Run! */ if ((ctx = httpsdate_query(addr, CONSTRAINT_PORT, cstr.addr_head.name, cstr.addr_head.path, - conf->ca, conf->ca_len, &rectv, &xmttv)) == NULL) { + conf->ca, conf->ca_len, &rectv, &xmttv, am.synced)) == NULL) { /* Abort with failure but without warning */ exit(1); } @@ -894,7 +895,7 @@ constraint_check(double val) struct httpsdate * httpsdate_init(const char *addr, const char *port, const char *hostname, - const char *path, const u_int8_t *ca, size_t ca_len) + const char *path, const u_int8_t *ca, size_t ca_len, int synced) { struct httpsdate *httpsdate = NULL; @@ -925,7 +926,10 @@ httpsdate_init(const char *addr, const char *port, const char *hostname, * we do our own certificate validity checking, since the automatic * version is based on our wallclock, which may well be inaccurate... */ - tls_config_insecure_noverifytime(httpsdate->tls_config); + if (!synced) { + log_debug("constraints: skipping time in certificate validation"); + tls_config_insecure_noverifytime(httpsdate->tls_config); + } return (httpsdate); @@ -953,7 +957,7 @@ httpsdate_free(void *arg) } int -httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) +httpsdate_request(struct httpsdate *httpsdate, struct timeval *when, int synced) { char timebuf1[32], timebuf2[32]; size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len; @@ -1030,6 +1034,10 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) if (httpsdate->tls_tm.tm_year == 0) goto fail; + /* If we are synced, we already checked the certificate validity */ + if (synced) + return 0; + /* * Now manually check the validity of the certificate presented in the * TLS handshake, based on the time specified by the server's HTTP Date: 
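Review bot: The early `if (synced) return 0;` in `httpsdate_request` drops the cross-check of the server's HTTP `Date:` header against the certificate's notBefore/notAfter window, and the comment `/* If we are synced, we already checked the certificate validity */` overstates what libtls did: the libtls check (enabled by not calling `tls_config_insecure_noverifytime` in `httpsdate_init`) validates the certificate against the local clock, while the manual check below validates it against the time the constraint server itself asserts, which are different inputs. With the early return, a constraint whose `Date:` is far outside the certificate's validity period is still accepted into the median when synced, whereas before this change it was rejected; unless that is intended, I would remove the three added lines and let the manual check run in both modes, since it only reuses the already-parsed `tls_tm` and the peer certificate. If the early return is kept, the comment should say that only the local-clock check has been done, e.g. `/* synced: libtls already verified the validity period against our clock */`. The rest of `httpsdate_request` lies outside the hunk.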
@@ -1076,17 +1084,17 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) void * httpsdate_query(const char *addr, const char *port, const char *hostname, const char *path, const u_int8_t *ca, size_t ca_len, - struct timeval *rectv, struct timeval *xmttv) + struct timeval *rectv, struct timeval *xmttv, int synced) { struct httpsdate *httpsdate; struct timeval when; time_t t; if ((httpsdate = httpsdate_init(addr, port, hostname, path, - ca, ca_len)) == NULL) + ca, ca_len, synced)) == NULL) return (NULL); - if (httpsdate_request(httpsdate, &when) == -1) + if (httpsdate_request(httpsdate, &when, synced) == -1) return (NULL); /* Return parsed date as local time */ diff --git a/usr.sbin/ntpd/ntp.c b/usr.sbin/ntpd/ntp.c index 4112ceb4b66..8b3c26f443a 100644 --- a/usr.sbin/ntpd/ntp.c +++ b/usr.sbin/ntpd/ntp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ntp.c,v 1.169 2022/03/24 07:37:19 otto Exp $ */ +/* $OpenBSD: ntp.c,v 1.170 2022/11/27 13:19:00 otto Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -327,7 +327,7 @@ ntp_main(struct ntpd_conf *nconf, struct passwd *pw, int argc, char **argv) priv_settime(0, "no valid peers configured"); TAILQ_FOREACH(cstr, &conf->constraints, entry) { - if (constraint_query(cstr) == -1) + if (constraint_query(cstr, conf->status.synced) == -1) continue; } diff --git a/usr.sbin/ntpd/ntpd.h b/usr.sbin/ntpd/ntpd.h index 16a2fe2944d..f294e4c2ccd 100644 --- a/usr.sbin/ntpd/ntpd.h +++ b/usr.sbin/ntpd/ntpd.h @@ -1,4 +1,4 @@ -/* $OpenBSD: ntpd.h,v 1.151 2022/03/24 07:37:19 otto Exp $ */ +/* $OpenBSD: ntpd.h,v 1.152 2022/11/27 13:19:00 otto Exp $ */ /* * Copyright (c) 2003, 2004 Henning Brauer @@ -130,6 +130,7 @@ struct ntp_addr_msg { struct ntp_addr a; size_t namelen; size_t pathlen; + u_int8_t synced; }; struct ntp_status { 
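Review bot: The new `u_int8_t synced;` member of `struct ntp_addr_msg` in ntpd.h is undocumented, although it is a security-relevant flag: when it is zero the privileged constraint child disables certificate validity-period checking in libtls and relies on the manual `Date:`-based check instead. A short comment on the field would make that contract visible to anyone filling in the message, e.g. `u_int8_t synced; /* nonzero: verify cert validity period against the local clock */`. Since the struct is copied verbatim over imsg, it is worth stating that both sides treat the field as a 0/1 flag.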
@@ -381,7 +382,7 @@ void constraint_remove(struct constraint *); void constraint_purge(void); void constraint_reset(void); int constraint_init(struct constraint *); -int constraint_query(struct constraint *); +int constraint_query(struct constraint *, int); int constraint_check(double); void constraint_msg_dns(u_int32_t, u_int8_t *, size_t); void constraint_msg_result(u_int32_t, u_int8_t *, size_t); -- 2.20.1