nts: support servers specified by IP address

Certificates can include IP addresses as alternative names to enable
clients to verify such certificates without knowing the hostname.

Accept an IP address as a name in the NTS-NTP client and modify the
session code to not set the SNI in this case.

diff --git a/nts_ke_session.c b/nts_ke_session.c
index ac27f84d9ad92285a70ce7a3edb8c34c3272309f..a7f042ac4fd976eac7eaa979ba5b212c205509c7 100644 (file)
--- a/nts_ke_session.c
+++ b/nts_ke_session.c
@@ -225,9 +225,13 @@ create_tls_session(int server_mode, int sock_fd, const char *server_name,
   }
 
   if (!server_mode) {
-    r = gnutls_server_name_set(session, GNUTLS_NAME_DNS, server_name, strlen(server_name));
-    if (r < 0)
-      goto error;
+    assert(server_name);
+
+    if (!UTI_IsStringIP(server_name)) {
+      r = gnutls_server_name_set(session, GNUTLS_NAME_DNS, server_name, strlen(server_name));
+      if (r < 0)
+        goto error;
+    }
 
     flags = 0;
 

diff --git a/nts_ntp_client.c b/nts_ntp_client.c
index 361b76fe71605a9b3b7391d9e148336c1f351cb0..cbedf0beb93cc482d1a9b4c5f8c4c0b69455d665 100644 (file)
--- a/nts_ntp_client.c
+++ b/nts_ntp_client.c
@@ -50,8 +50,11 @@
 #define DUMP_IDENTIFIER "NNC0\n"
 
 struct NNC_Instance_Record {
+  /* Pointer to current address of NTP server */
   const IPSockAddr *ntp_address;
+  /* Address of NTS-KE server */
   IPSockAddr nts_address;
+  /* Hostname or IP address for certificate verification */
   char *name;
 
   NKC_Instance nke;
@@ -119,7 +122,7 @@ NNC_CreateInstance(IPSockAddr *nts_address, const char *name, const IPSockAddr *
 
   inst->ntp_address = ntp_address;
   inst->nts_address = *nts_address;
-  inst->name = !UTI_IsStringIP(name) ? Strdup(name) : NULL;
+  inst->name = Strdup(name);
   inst->siv = NULL;
   inst->nke = NULL;
 
@@ -223,12 +226,6 @@ get_cookies(NNC_Instance inst)
       return 0;
     }
 
-    if (!inst->name) {
-      LOG(LOGS_ERR, "Missing name of %s for NTS-KE",
-          UTI_IPToString(&inst->nts_address.ip_addr));
-      return 0;
-    }
-
     inst->nke = NKC_CreateInstance(&inst->nts_address, inst->name);
 
     inst->nke_attempts++;
@@ -541,7 +538,7 @@ save_cookies(NNC_Instance inst)
   FILE *f;
   int i;
 
-  if (inst->num_cookies < 1 || !inst->name || !UTI_IsIPReal(&inst->nts_address.ip_addr))
+  if (inst->num_cookies < 1 || !UTI_IsIPReal(&inst->nts_address.ip_addr))
     return;
 
   dump_dir = CNF_GetNtsDumpDir();
@@ -623,7 +620,7 @@ load_cookies(NNC_Instance inst)
 
   if (!fgets(line, sizeof (line), f) || strcmp(line, DUMP_IDENTIFIER) != 0 ||
       !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 1 ||
-        !inst->name || strcmp(words[0], inst->name) != 0 ||
+        strcmp(words[0], inst->name) != 0 ||
       !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 1 ||
         sscanf(words[0], "%lf", &context_time) != 1 ||
       !fgets(line, sizeof (line), f) || UTI_SplitString(line, words, MAX_WORDS) != 2 ||