Fw: [Git][NTPsec/ntpsec][master] Use ALPN for the NTS server.

Tue, 25 Jun 2019 14:10:40 -0700 

Yo Hal!

> Hal Murray pushed to branch master at NTPsec / ntpsec

+  for (i = 0; i < inlen; i += in[i]) {
+    if (in[i] == alpn[0] && !memcmp(&in[i+1], &alpn[1], alpn[0])) {

Buffer overrun!

alpn[0] is always 7, so the length of the memcmp() is always 7.

i can be 0 to (inlen - 1).

When i is (ilen - 1) the buffer in[] will be overrun by 7.

Maybe not normally, but eassy for a malicious user packet.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
        g...@rellim.com  Tel:+1 541 382 8588

            Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
Title: GitLab

Hal Murray pushed to branch master at NTPsec / ntpsec

Commits:

  • 8eecdfb8
    by Christer Weinigel at 2019-06-25T17:00:33Z 
    Use ALPN for the NTS server.

The NTS draft requires the use of ALPN for protocol negotiation.
Add support for ALPN to nts_server.c

1 changed file:

Changes:

  • ntpd/nts_server.c
    ... ... @@ -47,6 +47,31 @@ uint64_t nts_ke_serves_bad = 0;
    47 47 
     uint64_t nts_ke_probes_good = 0;
    48 48 
     uint64_t nts_ke_probes_bad = 0;
    49 49
    50 
    +#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
    51 
    +static int alpn_select_cb(SSL *ssl,
    52 
    +			  const unsigned char **out,
    53 
    +			  unsigned char *outlen,
    54 
    +			  const unsigned char *in,
    55 
    +			  unsigned int inlen,
    56 
    +			  void *arg)
    57 
    +{
    58 
    +  static const unsigned char alpn[] = { 7, 'n', 't', 's', 'k', 'e', '/', '1' };
    59 
    +  unsigned i;
    60 
    +
    61 
    +  (void)ssl;
    62 
    +  (void)arg;
    63 
    +
    64 
    +  for (i = 0; i < inlen; i += in[i]) {
    65 
    +    if (in[i] == alpn[0] && !memcmp(&in[i+1], &alpn[1], alpn[0])) {
    66 
    +      *outlen = in[i];
    67 
    +      *out = &in[i+1];
    68 
    +      return SSL_TLSEXT_ERR_OK;
    69 
    +    }
    70 
    +  }
    71 
    +
    72 
    +  return SSL_TLSEXT_ERR_NOACK;
    73 
    +}
    74 
    +#endif
    50 75
    51 76 
     bool nts_server_init(void) {
    52 77 
         bool ok = true;
    ... ... @@ -67,6 +92,10 @@ bool nts_server_init(void) {
    67 92 
           return false;
    68 93 
         }
    69 94
    95 
    +#if (OPENSSL_VERSION_NUMBER > 0x1000200fL)
    96 
    +    SSL_CTX_set_alpn_select_cb(server_ctx, alpn_select_cb, NULL);
    97 
    +#endif
    98 
    +
    70 99 
         SSL_CTX_set_session_cache_mode(server_ctx, SSL_SESS_CACHE_OFF);
    71 100
    72 101 
         ok &= nts_load_versions(server_ctx);


    • View it on GitLab.
    You're receiving this email because of your account on gitlab.com. If you'd like to receive fewer emails, you can adjust your notification settings. 

    _______________________________________________
vc mailing list
v...@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/vc

    Attachment: pgpfQ7Z7GQ1dC.pgp
    Description: OpenPGP digital signature

    _______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel

    Reply via email to