From: Miroslav Lichvar
Date: Thu, 18 Feb 2021 16:18:15 +0000 (+0100)
Subject: conf: add certset option to NTP sources
X-Git-Tag: 4.1-pre1~50
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc77b0e9fd0853627a6322398de05fe3f52bf609;p=thirdparty%2Fchrony.git

conf: add certset option to NTP sources

Allow the set of trusted certificates to be selected for each NTP source individually.
---
diff --git a/cmdmon.c b/cmdmon.c
index b8224dee..6222f601 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -735,6 +735,7 @@ handle_add_source(CMD_Request *rx_message, CMD_Reply *tx_message)
 params.filter_length = ntohl(rx_message->data.ntp_source.filter_length);
 params.authkey = ntohl(rx_message->data.ntp_source.authkey);
 params.nts_port = ntohl(rx_message->data.ntp_source.nts_port);
+ params.cert_set = 0;
 params.max_delay = UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay);
 params.max_delay_ratio = UTI_FloatNetworkToHost(rx_message->data.ntp_source.max_delay_ratio);
diff --git a/cmdparse.c b/cmdparse.c
index 33ee834c..95d89532 100644
--- a/cmdparse.c
+++ b/cmdparse.c
@@ -65,6 +65,7 @@ CPS_ParseNTPSourceAdd(char *line, CPS_NTP_Source *src)
 src->params.nts = 0;
 src->params.nts_port = SRC_DEFAULT_NTSPORT;
 src->params.authkey = INACTIVE_AUTHKEY;
+ src->params.cert_set = SRC_DEFAULT_CERTSET;
 src->params.max_delay = SRC_DEFAULT_MAXDELAY;
 src->params.max_delay_ratio = SRC_DEFAULT_MAXDELAYRATIO;
 src->params.max_delay_dev_ratio = SRC_DEFAULT_MAXDELAYDEVRATIO;
@@ -102,6 +103,9 @@ CPS_ParseNTPSourceAdd(char *line, CPS_NTP_Source *src)
 src->params.sel_options |= SRC_SELECT_REQUIRE;
 } else if (!strcasecmp(cmd, "trust")) {
 src->params.sel_options |= SRC_SELECT_TRUST;
+ } else if (!strcasecmp(cmd, "certset")) {
+ if (sscanf(line, "%"SCNu32"%n", &src->params.cert_set, &n) != 1)
+ return 0;
 } else if (!strcasecmp(cmd, "key")) {
 if (sscanf(line, "%"SCNu32"%n", &src->params.authkey, &n) != 1 ||
 src->params.authkey == INACTIVE_AUTHKEY)
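Review bot: `params.cert_set = 0;` in the cmdmon.c hunk hard-codes the default set instead of using `SRC_DEFAULT_CERTSET`, which this same commit adds to srcparams.h and which the cmdparse.c hunk uses to initialise the same field; the two initialisations should agree so a later change of the default cannot silently diverge between config-file sources and sources added through cmdmon. Suggest `params.cert_set = SRC_DEFAULT_CERTSET;`. The request structure read in this hunk carries no certset field, so runtime-added sources are always verified against the default set; a comment such as `/* not settable via the cmdmon request; runtime-added sources use the default set */` would make that limitation visible to the next maintainer. handle_add_source starts and ends outside the hunk.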
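Review bot: The new `certset` branch in CPS_ParseNTPSourceAdd parses the ID with `"%"SCNu32`, and an unsigned sscanf conversion accepts a leading sign, so `certset -1` is silently stored as 4294967295 rather than rejected; the `key` branch below has the same behaviour, so the new code is at least consistent with it. The documented range in this commit is 0 through 2^32-1, so this is a corner rather than a functional defect, but if negative input should be an error, a check that the first non-blank character of the token is a digit before calling sscanf would close it. The function continues outside the hunk; the advance of `line` by `n` after the parsed value is presumably done in the shared code after this if/else chain and is not visible here.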
diff --git a/doc/chrony.conf.adoc b/doc/chrony.conf.adoc index ece42eb8..b62577c2 100644 --- a/doc/chrony.conf.adoc +++ b/doc/chrony.conf.adoc @@ -116,6 +116,12 @@ mechanism. Unlike with the *key* option, the server and client do not need to share a key in a key file. NTS has a Key Establishment (NTS-KE) protocol using the Transport Layer Security (TLS) protocol to get the keys and cookies required by NTS for authentication of NTP packets. +*certset* _ID_::: +This option specifies which set of trusted certificates should be used to verify +the server's certificate when the *nts* option is enabled. Sets of certificates +can be specified with the <> directive. The +default set is 0, which by default contains certificates of the system's +default trusted certificate authorities. *maxdelay* _delay_::: *chronyd* uses the network round-trip delay to the server to determine how accurate a particular measurement is likely to be. Long round-trip delays @@ -759,7 +765,9 @@ The optional _set-ID_ argument is a number in the range 0 through 2^32-1, which selects the set of certificates where certificates from the specified file or directory are added. The default ID is 0, which is a set containing the system's default trusted CAs (unless the *nosystemcert* directive is present). -All other sets are empty by default. +All other sets are empty by default. A set of certificates can be selected for +verification of an NTS server by the *certset* option in the *server* or *pool* +directive. + This directive can be used multiple times to specify one or more sets of trusted certificates, each containing certificates from one or more files diff --git a/ntp_core.c b/ntp_core.c index f7b4c1c1..f4b0f1ca 100644 --- a/ntp_core.c +++ b/ntp_core.c 
@@ -571,7 +571,7 @@ NCR_CreateInstance(NTP_Remote_Address *remote_addr, NTP_Source_Type type,
 nts_address.ip_addr = remote_addr->ip_addr;
 nts_address.port = params->nts_port;
- result->auth = NAU_CreateNtsInstance(&nts_address, name, 0,
+ result->auth = NAU_CreateNtsInstance(&nts_address, name, params->cert_set,
 result->remote_addr.port);
 } else if (params->authkey != INACTIVE_AUTHKEY) {
 result->auth = NAU_CreateSymmetricInstance(params->authkey);
diff --git a/srcparams.h b/srcparams.h
index 52901381..81ad8895 100644
--- a/srcparams.h
+++ b/srcparams.h
@@ -55,6 +55,7 @@ typedef struct {
 int nts;
 int nts_port;
 uint32_t authkey;
+ uint32_t cert_set;
 double max_delay;
 double max_delay_ratio;
 double max_delay_dev_ratio;
@@ -77,6 +78,7 @@ typedef struct {
 #define SRC_DEFAULT_MAXSAMPLES (-1)
 #define SRC_DEFAULT_ASYMMETRY 1.0
 #define SRC_DEFAULT_NTSPORT 4460
+#define SRC_DEFAULT_CERTSET 0
 #define INACTIVE_AUTHKEY 0
 /* Flags for source selection */