Miroslav Lichvar pushed to branch master at chrony / chrony
Commits: 2adda9c1 by Miroslav Lichvar at 2024-09-26T12:45:44+02:00 nts: construct key exporter context When the NTS client and server negotiated use of AES-128-GCM-SIV keys, the keys exported from the TLS session and used for authentication and encryption of NTP messages do not comply to RFC8915. The exporter context value specified in the section 5.1 of RFC8915 function is incorrect. It is a hardcoded string which contains 15 (AES-SIV-CMAC-256) instead of 30 (AES-128-GCM-SIV). This causes chrony to not interoperate with NTS implementations that follow RFC8915 correctly. (At this time, there doesn't seem to be another implementation with AES-128-GCM-SIV support yet.) Replace the string with a proper construction of the exporter context from a specified AEAD ID and next protocol. Keep using the incorrect AEAD ID for AES-128-GCM-SIV to not break compatibility with existing chrony servers and clients. A new NTS-KE record will be added to negotiate the compliant exporter context. Reported-by: Martin Mayer <martin.ma...@m2-it-solutions.de> - - - - - 07078654 by Miroslav Lichvar at 2024-09-26T16:04:01+02:00 nts: negotiate compliant export of AES-128-GCM-SIV keys Add client and server support for a new NTS-KE record to negotiate use of the compliant key exporter context with the AES-128-GCM-SIV AEAD as specified here: https://chrony-project.org/doc/spec/nts-compliant-128gcm.html - - - - - 689605b6 by Miroslav Lichvar at 2024-10-03T15:02:03+02:00 nts: switch client to compliant key exporter on NTS NAK Implement a fallback for the NTS-NTP client to switch to the compliant AES-128-GCM-SIV exporter context when the server is using the compliant context, but does not support the new NTS-KE record negotiating its use, assuming it can respond with an NTS NAK to the request authenticated with the incorrect key. Export both sets of keys when processing the NTS-KE response. If an NTS NAK is the only valid response from the server after the last NTS-KE session, switch to the keys exported with the compliant context for the following requests instead of dropping all cookies and restarting NTS-KE. Don't switch back to the original keys if an NTS NAK is received again. - - - - - f5cd79d2 by Miroslav Lichvar at 2024-10-03T15:02:16+02:00 nts: check TLS session in NKSN_GetKeys() Make sure the TLS session is not NULL in NKSN_GetKeys() before trying to export the keys in case some future code tried to call the function outside of the NTS-KE message handler. - - - - - 79a790e6 by Miroslav Lichvar at 2024-10-03T15:02:16+02:00 test: improve nts_ke_client unit test - - - - - 42fbf416 by Miroslav Lichvar at 2024-10-03T16:09:53+02:00 nts: make server and client AEAD algorithms configurable Add ntsaeads directive to specify a list of AEAD algorithms enabled for NTS. The list is shared between the server and client. For the client it also specifies the order of priority. The default is "30 15", matching the previously hardcoded preference of AES-128-GCM-SIV (30) over AES-SIV-CMAC-256 (15). - - - - - 16 changed files: - conf.c - conf.h - doc/chrony.conf.adoc - nts_ke.h - nts_ke_client.c - nts_ke_client.h - nts_ke_server.c - nts_ke_session.c - nts_ke_session.h - nts_ntp_client.c - siv.h - test/simulation/139-nts - test/unit/nts_ke_client.c - test/unit/nts_ke_server.c - test/unit/nts_ke_session.c - test/unit/nts_ntp_client.c View it on GitLab: https://gitlab.com/chrony/chrony/-/compare/113d1134d14e9b5dd8133b934eb853aa7f4f7e38...42fbf4168612a5e320e5e7b03013d2f5425ea285 -- View it on GitLab: https://gitlab.com/chrony/chrony/-/compare/113d1134d14e9b5dd8133b934eb853aa7f4f7e38...42fbf4168612a5e320e5e7b03013d2f5425ea285 You're receiving this email because of your account on gitlab.com.