DWS/chrony
1
0
Fork 0
mirror of https://gitlab.com/chrony/chrony.git synced 2026-01-20 21:00:20 -05:00
Code Issues Packages Projects Releases Wiki Activity

nts: add support for multiple sets of trusted certificates

Browse Source 
Modify the session, NTS-KE, and NTS-NTP code to support multiple sets of
trusted certificates and identify the sets by a 32-bit ID.
This commit is contained in:
Miroslav Lichvar
2021-02-18 16:53:36 +01:00
parent f650b8c515
commit 6615bb1b78
14 changed files with 72 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
nts_ke_client.c
View File

@@ -44,6 +44,7 @@
struct NKC_Instance_Record {
char *name;
IPSockAddr address;
NKSN_Credentials credentials;
NKSN_Instance session;
int destroying;
int got_response;
@@ -58,8 +59,8 @@ struct NKC_Instance_Record {
/* ================================================== */
static NKSN_Credentials client_credentials = NULL;
static int client_credentials_refs = 0;
static NKSN_Credentials default_credentials = NULL;
static int default_credentials_refs = 0;
/* ================================================== */
@@ -266,9 +267,10 @@ handle_message(void *arg)
/* ================================================== */
NKC_Instance
NKC_CreateInstance(IPSockAddr *address, const char *name)
NKC_CreateInstance(IPSockAddr *address, const char *name, uint32_t cert_set)
{
const char **trusted_certs;
uint32_t *certs_ids;
NKC_Instance inst;
int n_certs;
@@ -282,11 +284,24 @@ NKC_CreateInstance(IPSockAddr *address, const char *name)
inst->got_response = 0;
n_certs = CNF_GetNtsTrustedCertsPaths(&trusted_certs);
certs_ids = MallocArray(uint32_t, n_certs);
memset(certs_ids, 0, sizeof (uint32_t) * n_certs);
/* Share the credentials with other client instances */
if (!client_credentials)
client_credentials = NKSN_CreateClientCertCredentials(trusted_certs, n_certs);
client_credentials_refs++;
/* Share the credentials among clients using the default set of trusted
certificates, which likely contains most certificates */
if (cert_set == 0) {
if (!default_credentials)
default_credentials = NKSN_CreateClientCertCredentials(trusted_certs, certs_ids,
n_certs, cert_set);
inst->credentials = default_credentials;
if (default_credentials)
default_credentials_refs++;
} else {
inst->credentials = NKSN_CreateClientCertCredentials(trusted_certs, certs_ids,
n_certs, cert_set);
}
Free(certs_ids);
return inst;
}
@@ -300,10 +315,16 @@ NKC_DestroyInstance(NKC_Instance inst)
Free(inst->name);
client_credentials_refs--;
if (client_credentials_refs <= 0 && client_credentials) {
NKSN_DestroyCertCredentials(client_credentials);
client_credentials = NULL;
if (inst->credentials) {
if (inst->credentials == default_credentials) {
default_credentials_refs--;
if (default_credentials_refs <= 0) {
NKSN_DestroyCertCredentials(default_credentials);
default_credentials = NULL;
}
} else {
NKSN_DestroyCertCredentials(inst->credentials);
}
}
/* If the asynchronous resolver is running, let the handler free
@@ -329,7 +350,7 @@ NKC_Start(NKC_Instance inst)
inst->got_response = 0;
if (!client_credentials) {
if (!inst->credentials) {
DEBUG_LOG("Missing client credentials");
return 0;
}
@@ -351,7 +372,7 @@ NKC_Start(NKC_Instance inst)
}
/* Start an NTS-KE session */
if (!NKSN_StartSession(inst->session, sock_fd, label, client_credentials, CLIENT_TIMEOUT)) {
if (!NKSN_StartSession(inst->session, sock_fd, label, inst->credentials, CLIENT_TIMEOUT)) {
SCK_CloseSocket(sock_fd);
return 0;
}