
tlsdate's Introduction

tlsdate: secure parasitic rdate replacement

 tlsdate sets the local clock by securely connecting with TLS to remote
 servers and extracting the remote time out of the secure handshake. Unlike
 ntpdate, tlsdate uses TCP, for instance connecting to a remote HTTPS or TLS
 enabled service, and provides some protection against adversaries that try to
 feed you malicious time information.

On Debian GNU/Linux and related systems, we provide an init.d script that
controls the tlsdated daemon. It will notice network changes and regularly
invoke tlsdate to keep the clock in sync. Start it like so:

  /etc/init.d/tlsdate start


Here is an example of an unprivileged user fetching the remote time:

  % tlsdate -V -n -H encrypted.google.com
  Fri Apr 19 17:56:46 PDT 2013


This is an example run - starting as root and dropping to nobody, setting the
clock and printing it:

  % sudo tlsdate -V
  Fri Apr 19 17:57:49 PDT 2013


Here is an example with a custom host and custom port without verification:

  % sudo tlsdate --skip-verification -p 80 -H rgnx.net

Here is an example where a system may not have any kind of RTC at boot. Do the
time warp to restore sanity and do so with a leap of faith:

  % sudo tlsdate -V -l -t
  Fri Apr 19 18:08:03 PDT 2013


Some SSL/TLS services do not provide accurate time in their handshake process;
tlsdate may also be used to fetch time by processing the HTTP Date headers of
HTTP services:

  % sudo tlsdate -V -l -t -w
  Wed Oct 30 18:08:46 CET 2013
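The intro above describes the core mechanism: the remote clock is read out of the TLS handshake itself. The following is an added example, not tlsdate's own code, that parses the gmt_unix_time field of a ServerHello record and applies the two sanity bounds a tlsdate-style client needs before it applies the value (a build-time lower bound, which tlsdate calls RECENT_COMPILE_DATE in its own logs, and an upper cutoff). The ServerHello bytes and both bound constants are constructed for this example.

```c
/* Added example, not tlsdate's own code: pull the 32-bit gmt_unix_time out
 * of a TLS ServerHello record and apply the bounds a tlsdate-style client
 * checks before trusting it. The record bytes and the two bound constants
 * are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

#define TLS_RT_HANDSHAKE    22
#define TLS_HS_SERVER_HELLO 2
#define TLS_RECORD_HDR      5   /* type(1) version(2) length(2) */
#define TLS_HS_HDR          4   /* msg_type(1) length(3) */

/* Constructed bounds: a build-time lower bound (the same idea as tlsdate's
 * RECENT_COMPILE_DATE) and an upper cutoff for obviously bogus values. */
#define RECENT_COMPILE_DATE 1366000000u   /* 2013-04-15 UTC, constructed */
#define MAX_REASONABLE_TIME 1999999999u   /* 2033-05-18 UTC, constructed */

/* Parses one handshake record holding a ServerHello. Returns 0 and stores
 * gmt_unix_time in *out, or -1 if the input is truncated, is not a
 * handshake record, or is not a ServerHello. Every length is checked
 * before it is used. */
int tlsdate_extract_time(const unsigned char *buf, size_t len, uint32_t *out)
{
    if (len < TLS_RECORD_HDR || buf[0] != TLS_RT_HANDSHAKE)
        return -1;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < TLS_HS_HDR || rec_len > len - TLS_RECORD_HDR)
        return -1;
    const unsigned char *hs = buf + TLS_RECORD_HDR;
    if (hs[0] != TLS_HS_SERVER_HELLO)
        return -1;
    size_t hs_len = ((size_t)hs[1] << 16) | ((size_t)hs[2] << 8) | hs[3];
    /* body must hold server_version(2) + random(32) and fit in the record */
    if (hs_len < 34 || hs_len > rec_len - TLS_HS_HDR)
        return -1;
    const unsigned char *rnd = hs + TLS_HS_HDR + 2;   /* skip server_version */
    *out = ((uint32_t)rnd[0] << 24) | ((uint32_t)rnd[1] << 16) |
           ((uint32_t)rnd[2] << 8)  |  (uint32_t)rnd[3];
    return 0;
}

/* 1 if the fetched time lies inside the sane window, else 0. A value outside
 * it is either a server that does not put real time in the field (the
 * README notes such services exist) or an attempt to feed a bad clock;
 * either way it must not be applied. */
int tlsdate_time_plausible(uint32_t server_time)
{
    return server_time >= RECENT_COMPILE_DATE && server_time <= MAX_REASONABLE_TIME;
}

/* Constructed ServerHello: TLS 1.0, gmt_unix_time 1366419406
 * (2013-04-20 00:56:46 UTC, i.e. the README's 17:56:46 PDT run), 28 filler
 * random bytes, empty session id, one cipher suite, null compression. */
static const unsigned char kServerHello[] = {
    0x16, 0x03, 0x01, 0x00, 0x2a,        /* handshake record, 42 bytes */
    0x02, 0x00, 0x00, 0x26,              /* ServerHello, 38-byte body */
    0x03, 0x01,                          /* server_version */
    0x51, 0x71, 0xe7, 0xce,              /* gmt_unix_time */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e,
    0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c,
    0x00,                                /* session_id length */
    0x00, 0x2f,                          /* cipher suite */
    0x00                                 /* compression: null */
};

/* Demo wrappers over the constructed record. */
uint32_t demo_extracted_time(void)
{
    uint32_t t = 0;
    return tlsdate_extract_time(kServerHello, sizeof kServerHello, &t) == 0 ? t : 0;
}

int demo_truncated_rejected(void)
{
    uint32_t t = 0;   /* record cut off before the random field: must fail */
    return tlsdate_extract_time(kServerHello, 12, &t) == -1;
}

int main(void)
{
    uint32_t t = demo_extracted_time();
    time_t tt = (time_t)t;
    char when[32];
    strftime(when, sizeof when, "%Y-%m-%d %H:%M:%S UTC", gmtime(&tt));
    printf("server time %lu (%s) plausible=%d\n",
           (unsigned long)t, when, tlsdate_time_plausible(t));
    return 0;
}
```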



tlsdate's Issues

tlsdate fails to read cert dir

tlsdate doesn't work at all on Fedora. Not sure why this is distro specific.

[pid 18729] stat("/home/user/bin/ins/etc/tlsdate/ca-roots//812e17de.0", 0x7fffa91de190) = -1 ENOENT (No such file or directory)

It appears to be looking in the cert dir for the hash.0 format. See man verify:

   -CApath directory
       A directory of trusted certificates. The certificates should have names of the form: hash.0 or have symbolic links to them of this form
       ("hash" is the hashed certificate subject name: see the -hash option of the x509 utility). Under Unix the c_rehash script will automatically
       create symbolic links to a directory of certificates.

References

twitter convo: https://twitter.com/abelxluck/status/269217932675018752
output: https://gist.github.com/4081217
strace: https://gist.github.com/4081217#file_strace%20_f_f%20_v

Make it compile on OS X

Currently errors out:

configure: error: Your system lacks clock_gettime

Full log:

$ ./autogen.sh
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: glibtoolize --copy --force
glibtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `config'.
glibtoolize: copying file `config/ltmain.sh'
glibtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
glibtoolize: copying file `m4/libtool.m4'
glibtoolize: copying file `m4/ltoptions.m4'
glibtoolize: copying file `m4/ltsugar.m4'
glibtoolize: copying file `m4/ltversion.m4'
glibtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/local/Cellar/autoconf/2.69/bin/autoconf --force
autoreconf: running: /usr/local/Cellar/autoconf/2.69/bin/autoheader --force
autoreconf: running: automake --add-missing --copy --force-missing
configure.ac:5: installing 'config/config.guess'
configure.ac:5: installing 'config/config.sub'
configure.ac:9: installing 'config/install-sh'
configure.ac:9: installing 'config/missing'
Makefile.am: installing 'config/depcomp'
autoreconf: Leaving directory `.'
mercury:tlsdate mikepb$ ./configure
checking build system type... x86_64-apple-darwin12.2.1
checking host system type... x86_64-apple-darwin12.2.1
checking target system type... x86_64-apple-darwin12.2.1
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking minix/config.h usability... no
checking minix/config.h presence... no
checking for minix/config.h... no
checking whether it is safe to define __EXTENSIONS__... yes
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... config/install-sh -c -d
checking for gawk... no
checking for mawk... no
checking for nawk... no
checking for awk... awk
checking whether make sets $(MAKE)... yes
checking for style of include used by make... GNU
checking how to create a ustar tar archive... gnutar
checking dependency style of gcc... gcc3
checking how to print strings... printf
checking for a sed that does not truncate output... /usr/bin/sed
checking for fgrep... /usr/bin/grep -F
checking for ld used by gcc... /usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld
checking if the linker (/usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm
checking the name lister (/usr/bin/nm) interface... BSD nm
checking whether ln -s works... yes
checking the maximum length of command line arguments... 196608
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking how to convert x86_64-apple-darwin12.2.1 file names to x86_64-apple-darwin12.2.1 format... func_convert_file_noop
checking how to convert x86_64-apple-darwin12.2.1 file names to toolchain format... func_convert_file_noop
checking for /usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld option to reload object files... -r
checking for objdump... no
checking how to recognize dependent libraries... pass_all
checking for dlltool... no
checking how to associate runtime and link libraries... printf %s\n
checking for ar... ar
checking for archiver @FILE support... no
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm output from gcc object... ok
checking for sysroot... no
checking for mt... no
checking if : is a manifest tool... no
checking for dsymutil... dsymutil
checking for nmedit... nmedit
checking for lipo... lipo
checking for otool... otool
checking for otool64... no
checking for -single_module linker flag... yes
checking for -exported_symbols_list linker flag... yes
checking for -force_load linker flag... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fno-common -DPIC
checking if gcc PIC flag -fno-common -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld) supports shared libraries... yes
checking dynamic linker characteristics... darwin12.2.1 dyld
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking whether the -Werror option is usable... yes
checking for simple visibility declarations... yes
checking whether make supports nested variables... yes
checking openssl/ssl.h usability... yes
checking openssl/ssl.h presence... yes
checking for openssl/ssl.h... yes
checking arpa/inet.h usability... yes
checking arpa/inet.h presence... yes
checking for arpa/inet.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking grp.h usability... yes
checking grp.h presence... yes
checking for grp.h... yes
checking openssl/bio.h usability... yes
checking openssl/bio.h presence... yes
checking for openssl/bio.h... yes
checking openssl/err.h usability... yes
checking openssl/err.h presence... yes
checking for openssl/err.h... yes
checking openssl/evp.h usability... yes
checking openssl/evp.h presence... yes
checking for openssl/evp.h... yes
checking pwd.h usability... yes
checking pwd.h presence... yes
checking for pwd.h... yes
checking for stdint.h... (cached) yes
checking stdio.h usability... yes
checking stdio.h presence... yes
checking for stdio.h... yes
checking for stdlib.h... (cached) yes
checking sys/mman.h usability... yes
checking sys/mman.h presence... yes
checking for sys/mman.h... yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for sys/types.h... (cached) yes
checking sys/wait.h usability... yes
checking sys/wait.h presence... yes
checking for sys/wait.h... yes
checking time.h usability... yes
checking time.h presence... yes
checking for time.h... yes
checking for unistd.h... (cached) yes
checking for setresuid... no
checking for gettimeofday... yes
checking for clock_gettime in -lrt... no
configure: error: Your system lacks clock_gettime

tlsdate-helper.c uses uninitialized variable

In src/tlsdate-helper.c's main() function, warp_time is used uninitialized.

First, here:
if (timewarp)
{

verb ("V: RECENT_COMPILE_DATE is %lu.%06lu\n",
     (unsigned long) CLOCK_SEC(&warp_time),
     (unsigned long) CLOCK_USEC(&warp_time));

...

Then, if timewarp and setclock are both false, warp_time will still be uninitialized here:

if (((unsigned long) CLOCK_SEC(&start_time)) < ((unsigned long) CLOCK_SEC(&warp_time)))

Plan 9 code is missing headers from the repo

I attempted to compile the source on a 9front system. There is a file which was perhaps not checked into the repo. Maybe @npe9 can address this.

sigma% mk
touch config.h
pcc -DHAVE_TIME_H -D_PLAN9_SOURCE -D_REENTRANT_SOURCE -D_BSD_EXTENSION -D_SUSV2_SOURCE -D_POSIX_SOURCE  -I. ./src/util-plan9.c ./src/proxy-bio-plan9.c ./src/tlsdate-helper-plan9.c /$objtype/lib/ape/libssl.a  /$objtype/lib/ape/libcrypto.a
/usr/mischief/tlsdate/./src/proxy-bio-plan9.c:419[stdin:6646] function args not checked: BIO_f_proxy
cpp: ./src/tlsdate-helper-plan9.c:86 Could not find include file "src/compat/clock-plan9.h"
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:172[stdin:75690] function args not checked: BIO_new_proxy
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1099[stdin:76599] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1100[stdin:76600] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1103[stdin:76603] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1130[stdin:76617] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1136[stdin:76623] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1137[stdin:76624] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1139[stdin:76626] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1139[stdin:76626] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1145[stdin:76632] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1149[stdin:76636] structure not fully declared tlsdate_time
/usr/mischief/tlsdate/./src/tlsdate-helper-plan9.c:1150[stdin:76637] structure not fully declared tlsdate_time
too many errors
pcc: 8c: cpp 38152: errors
mk: pcc -DHAVE_TIME_H -D_PLAN9_SOURCE ...  : exit status=rc 38144: pcc 38146: 8c: cpp 38152: errors

Feature request: a more robust --leap

Currently, tlsdate --leap still fails when time is out of certificate range due to failing SSL handshake (error 9). --timewarp helps, but it's not robust. --skip-verification still works, though (if I understand correctly, by using the original tlsdate idea of extracting the time from server hello). Verification is important, of course, but most users are not subject to MITM. So how about temporarily setting the clock to the value it would be set to with --skip-verification, and then reverting if verification fails?

tlsdated on archlinux

root ~ $ tlsdated -v
wait for child attempt 0
wait for child attempt 1
child exited with 0
synced rtc to sysclock
open failed: No such file or directory
^C

Which file/directory is this trying to access?
Is this supposed to fork to the background?

Allow non-forking daemon

It would be nice if tlsdated had an option (-n is common) to run in foreground. This is useful for init systems which do service supervision such as runit (it also can be used for systemd with `Type=simple`).

default make parameter is "quiet" and hiding compiler flags

Don't build with verbose set to 0, so we only see:

make[1]: Entering directory `/home/paul/rpmbuild/BUILD/tlsdate-0.0.7'
CC src/compat/src_compat_libtlsdate_compat_la-clock-hurd.lo
CC src/src_tlsdate-tlsdate.o
CC src/src_tlsdate_helper-tlsdate-helper.o
CC src/src_tlsdate_helper-proxy-bio.o
CC src/src_tlsdate_helper-util.o

This makes it much harder to see if any CFLAGS are missing or getting dropped.

This can be fixed by specifying --disable-silent-rules to configure, but in my opinion the default should be verbose.

No hostname validation

The hostname of the server tlsdate is connecting to is not validated. This can be seen for example by connecting to google.com using an ip address: tlsdate -H 74.125.227.115:443

The server's certificate is verified against a user supplied trust store. However, the Common Name on the certificate (or a Subject Alternative Name) is not validated against the (user-entered) hostname tlsdate is connecting to.
Therefore, a given trusted certificate (such as one signed by Verisign) will always successfully pass the verification regardless of the domain it was actually signed for.

There's some sample code to validate the hostname here (see post_connection_check() ):
www.cs.odu.edu/~cs772/fall10/lectures/ssl_programmingNSwOEx.html

Good luck!

TLS does not handle wildcards in certificates

Test case: fedoraproject.org:

paul@thinkpad:~/rpmbuild/BUILD/tlsdate-0.0.7/src$ tlsdate -v -n -H fedoraproject.org
V: tlsdate version 0.0.6
V: We were called with the following arguments:
V: validate SSL certificates host = fedoraproject.org:443
V: time is currently 1367952115.492267784
V: local clock time is less than RECENT_COMPILE_DATE
V: using TLSv1_client_method()
V: Using OpenSSL for SSL
V: opening socket to fedoraproject.org:443
V: certificate verification passed
V: commonName mismatch! Expected: fedoraproject.org - received: *.fedoraproject.org
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: Inspecting 'fedoraproject.org' for possible wildcard match against '*.fedoraproject.org'
V: label found; total label count: 3
V: Found wildcard in at start of provided certificate name
V: Attempting match of 'fedoraproject' against '*'
V: Forced match of 'fedoraproject' against '*'
V: NULL label; no wildcard here
V: wildcard match failure of fedoraproject.org against *.fedoraproject.org
V: subjectAltName found but not matched: *.fedoraproject.org, type: DNS
V: subjectAltName matched: fedoraproject.org, type: DNS
V: hostname verification passed
V: public key is ready for inspection
V: key type: EVP_PKEY_RSA
V: keybits: 4096
V: key length appears safe
V: server time 1367952114 (difference is about 1 s) was fetched in 286 ms

Fix all `make test` warnings before next release

CC src/tlsdated-unittest.o
src/tlsdated-unittest.c: In function ‘mock_platform_sync_and_save’:
src/tlsdated-unittest.c:290:3: warning: implicit declaration of function ‘sync_and_save’
CC src/util.o

make[2]: `src/tlsdated_unittest' is up to date.
make[2]: `src/proxy-bio_unittest' is up to date.
CC src/event-unittest.o
src/event-unittest.c: In function ‘every’:
src/event-unittest.c:8:2: warning: implicit declaration of function ‘time’
src/event-unittest.c: In function ‘fdread’:
src/event-unittest.c:24:7: warning: ignoring return value of ‘write’, declared with attribute warn_unused_result

tlsdate not honouring PATH / absolute paths

In Makefile.am there is,

    @{ echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \
      echo '#define TLSDATE_CONFIG "$(sysconfdir)/ca-roots/"'; \
      echo '#define TLSDATE_CERTFILE "$(sysconfdir)/tlsdate/ca-roots/tlsdate-ca-roots.conf"'; \
      echo '#define TLSDATE_CONF_DIR "$(sysconfdir)/tlsdate/"'; \
      echo '#define TLSDATE_HELPER "$(bindir)/tlsdate-helper"'; \
      echo '#define TLSDATE "$(bindir)/tlsdate"'; \
      echo '#define TLSDATED "$(bindir)/tlsdated"'; \
      echo '#define TLSDATE_DBUS_ANNOUNCE "$(bindir)/tlsdate-dbus-announce"'; \
      } | sed '/""/d' > $@-t

Whilst it's common to set a prefix to let the user decide the install location, the binaries should honour PATH over absolute paths in binaries.
Same applies for the CONF_DIR etc. path. They can, especially during testing, be relative to the current working dir.

Possible NULL dereference

[src/proxy-polarssl.c:34]: (error) Possible null pointer dereference: ctx - otherwise it is redundant to check if ctx is null at line 37
[src/proxy-polarssl.c:91]: (error) Possible null pointer dereference: ctx - otherwise it is redundant to check if ctx is null at line 94

"ctx" is dereferenced and then checked if it is NULL afterwards. The fix is quite simple: just assign ctx->port to port_n after the null check.

make signed releases

As I see it, the only possible way to get a tarball is letting github create one for a tag. Can you sign releases somehow? At the moment when you get the sources you have no idea if they have been tampered with. That is the state for many github projects; I don't know if there is a good solution for that, integration of sigs or so. Thanks.

use of strchrnul and fmemopen blocking Android port

Android's libc implementation (bionic) does not include strchrnul() nor fmemopen(), both required functions introduced by the config file support (677a136).

The implementation of strchrnul is trivial (I've provided one below), however fmemopen()'s isn't. It is currently used for the config file parsing unit tests.

I'm not sure what the best solution is here. We could

  1. disable config unit tests when compiling for Android -> not ideal,
  2. not use fmemopen -> would require fundamental refactoring of the unit test,
  3. provide implementation of fmemopen (a BSD one here, one for Android here) -> lots of code to maintain, or
  4. add --disable option to autoconf for conf files -> requires heavy refactoring

Note regarding number 2: I considered replacing fmemopen with a wrapper around tmpfile, but there is no global /tmp dir on Android, hence this won't work either.

Thoughts?


#include <string.h>

/* Fallback for GNU strchrnul(): returns a pointer to the first occurrence
 * of c in s, or to the terminating NUL byte if c does not occur. */
static char *strchrnul(const char *s, int c)
{
   char *matched_char = strchr(s, c);

   if (matched_char == NULL) {
       matched_char = (char*) s + strlen(s);
   }

   return matched_char;
}

Extra Features to allow use in Anonymity-centric distro (Whonix)

Hi Jacob. This is not a bug report but kind of a feature request/ roadmap of nice to have features so it can be used as a replacement for our current bash, curl based timesyncing solution in Whonix. Your code is excellent quality and pays a lot of attention to security and makes use of such mechanisms. That's why i'm eager to see it in our distro.

Current Blockers:
* does not distribute trust as sdwdate does #112
* does not support hooks for user notifications about state of network time synchronization -> users shouldn't use the internet in Whonix-Workstation before network time synchronization finished, and timesync is informing users about this -> implementing notifications would be difficult or require patching tlsdate
* does not gradually adjust as sdwdate does with Slow Clock Adjuster https://github.com/Whonix/Whonix/issues/169 (sclockadj) https://github.com/Whonix/sdwdate/blob/master/usr/lib/sclockadj

Nothing is urgent, take your time but please keep it in mind. Thanks.

tlsdated is no longer built

tlsdated is not built at all. make does not give an error either, so this suggests various problems in the makefile.

Issues building a debian package

I am attempting to follow the instructions in Hacking.md, and am having issues building a debian package on Debian Wheezy (amd64):

$ ./autogen.sh && ./configure && make debian_orig
...
  CC     src/tlsdated.o
../src/tlsdated.c:41:23: fatal error: src/event.h: No such file or directory
compilation terminated.
make[3]: *** [src/tlsdated.o] Error 1
make[3]: Leaving directory `/root/tlsdate/tlsdate/tlsdate-0.0.7/_build'
make[2]: *** [all] Error 2
make[2]: Leaving directory `/root/tlsdate/tlsdate/tlsdate-0.0.7/_build'
make[1]: *** [distcheck] Error 1
make[1]: Leaving directory `/root/tlsdate/tlsdate'
make: *** [debian_orig] Error 2

I am able to work around this by adding

noinst_HEADERS+= src/event.h

to src/include.am, however, it would appear that the project's official CI has no issues building on Debian wheezy. Can anyone suggest where I may be going wrong? Autoconf/Automake versions included, in case this is an issue with one of those:

$ dpkg -l autoconf automake
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                            Version                      Architecture                 Description
+++-===============================================-============================-============================-===================================================================================================
ii  autoconf                                        2.69-1                       all                          automatic configure script builder
ii  automake                                        1:1.11.6-1                   all                          Tool for generating GNU Standards-compliant Makefiles

Missing AppArmor permissions

These results are from an Ubuntu 12.04 machine.

The AppArmor profile shipped with tlsdate does not seem sufficient, either from the .deb in Debian's archives, or from a source build, if the AppArmor profiles are loaded.

When these profiles are loaded, all attempts at running tlsdate result in the following:

~$ tlsdate -V -n -H google.com
SSL connection failed
child process failed in SSL handshake

Switching /usr/bin/tlsdate to 'complain' mode (with "aa-complain /usr/bin/tlsdate") revealed the following (and allowed tlsdate to work):

type=1400 audit(1368052814.761:46): apparmor="DENIED" operation="open" parent=2347 profile="/usr/bin/tlsdate" name="/proc/meminfo" pid=2348 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052814.765:47): apparmor="DENIED" operation="open" parent=2347 profile="/usr/bin/tlsdate" name="/run/resolvconf/resolv.conf" pid=2348 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052814.765:48): apparmor="DENIED" operation="open" parent=2347 profile="/usr/bin/tlsdate" name="/run/resolvconf/resolv.conf" pid=2348 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052826.729:49): apparmor="DENIED" operation="open" parent=2517 profile="/usr/bin/tlsdate" name="/proc/meminfo" pid=2518 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052826.729:50): apparmor="DENIED" operation="open" parent=2517 profile="/usr/bin/tlsdate" name="/run/resolvconf/resolv.conf" pid=2518 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052826.729:51): apparmor="DENIED" operation="open" parent=2517 profile="/usr/bin/tlsdate" name="/run/resolvconf/resolv.conf" pid=2518 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052833.945:52): apparmor="DENIED" operation="open" parent=2621 profile="/usr/bin/tlsdate" name="/run/resolvconf/resolv.conf" pid=2622 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0
type=1400 audit(1368052833.945:53): apparmor="DENIED" operation="open" parent=2621 profile="/usr/bin/tlsdate" name="/run/resolvconf/resolv.conf" pid=2622 comm="tlsdate-helper" requested_mask="r" denied_mask="r" fsuid=65534 ouid=0

The resolv.conf makes a fair amount of sense, since recent linux versions have changed that over to a symlink, but I'm not sure where the read to /proc/meminfo comes from.

A subjectAltName wildcard match failure shouldn't prevent matching of other subjectAltName

This code:

if (!strcasecmp(nval->name, "DNS"))
{
  ok = check_wildcard_match_rfc2595(host, nval->value);
  break;
}

should be something like:

if (!strcasecmp(nval->name, "DNS"))
{
  if (check_wildcard_match_rfc2595(host, nval->value))
  {
    ok = 1;
    break;
  }
}

Right now:

# tlsdate -nvV -H google.com
V: tlsdate version 0.0.4
V: We were called with the following arguments:
V: validate SSL certificates host = google.com:443
V: time is currently 1355159780.421949535
V: time is greater than RECENT_COMPILE_DATE
V: using TLSv1_client_method()
V: opening socket to google.com:443
V: certificate verification passed
V: commonName mismatch! Expected: google.com - received: *.google.com
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: Inspecting 'google.com' for possible wildcard match against '*.google.com'
V: label found; total label count: 1
V: label found; total label count: 2
V: label found; total label count: 3
V: Found wildcard in at start of provided certificate name
V: Attempting match of 'google' against '*'
V: Forced match of 'google' against '*'
V: NULL label; no wildcard here
V: wildcard match failure of google.com against *.google.com
hostname verification failed for host google.com!
child process failed in SSL handshake

The problem is apparently that subjectAltName=google.com comes after subjectAltName=*.google.com.

# curl -v -x "" -I https://google.com/
[snip]
* Server certificate:
*    subject: C=US; ST=California; L=Mountain View; O=Google Inc; CN=*.google.com
*    start date: 2012-11-21 10:09:04 GMT
*    expire date: 2013-06-07 19:43:27 GMT
*    subjectAltName: google.com matched
*    issuer: C=US; O=Google Inc; CN=Google Internet Authority
*    SSL certificate verify ok.

And what's with str[n]dup's all over the place? strpbrk() is non-destructive.
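Both the "No hostname validation" report and this subjectAltName report come down to how the DNS names in a certificate are iterated and matched against the hostname the user typed. The following is an added example, not tlsdate's own code: it shows the loop as reported (stop at the first DNS entry, whatever the result) beside the corrected loop (stop only on a match), over SAN lists in the order the logs above show. The matcher is a simplified, assumed RFC 2595-style rule: one leading "*." stands for exactly one label, comparison is case-insensitive, and, as an extra conservative rule assumed here, a wildcard must be followed by at least two labels.

```c
/* Added example, not tlsdate's own code: hostname checking against a
 * certificate's DNS subjectAltName entries, the reported loop beside the
 * corrected one. The matcher is an assumed, simplified RFC 2595-style rule. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp */

struct san_entry {
    const char *type;    /* "DNS", "IP", "email", ... as OpenSSL names them */
    const char *value;
};

/* Returns 1 when host matches the certificate name pattern, else 0. */
int match_wildcard_rfc2595(const char *host, const char *pattern)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return strcasecmp(host, pattern) == 0;          /* exact name */
    if (strchr(pattern + 2, '.') == NULL)
        return 0;                                       /* "*.com": too broad (assumed rule) */
    if (strchr(pattern + 2, '*') != NULL)
        return 0;                                       /* one wildcard only, leftmost */
    const char *dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                                       /* host has no leading label */
    return strcasecmp(dot + 1, pattern + 2) == 0;       /* the rest must match exactly */
}

/* The loop as reported: ok is taken from the first DNS entry and the loop
 * breaks, so "*.google.com" listed before "google.com" hides the exact name. */
int san_match_first_dns_only(const char *host, const struct san_entry *sans, size_t n)
{
    int ok = 0;
    for (size_t i = 0; i < n; i++) {
        if (!strcasecmp(sans[i].type, "DNS")) {
            ok = match_wildcard_rfc2595(host, sans[i].value);
            break;
        }
    }
    return ok;
}

/* Corrected loop: every DNS entry gets its turn; stop only on success. */
int san_match_any_dns(const char *host, const struct san_entry *sans, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!strcasecmp(sans[i].type, "DNS") &&
            match_wildcard_rfc2595(host, sans[i].value))
            return 1;
    }
    return 0;
}

/* Constructed SAN lists in the order the tlsdate logs above show: wildcard first. */
static const struct san_entry kGoogleSans[] = {
    { "DNS", "*.google.com" },
    { "DNS", "google.com" },
};
static const struct san_entry kFedoraSans[] = {
    { "DNS", "*.fedoraproject.org" },
    { "DNS", "fedoraproject.org" },
};
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Demo wrappers over the constructed data. */
int demo_google_first_only(void) { return san_match_first_dns_only("google.com", kGoogleSans, COUNT(kGoogleSans)); }
int demo_google_any(void)        { return san_match_any_dns("google.com", kGoogleSans, COUNT(kGoogleSans)); }
int demo_fedora_any(void)        { return san_match_any_dns("fedoraproject.org", kFedoraSans, COUNT(kFedoraSans)); }
/* An IP literal typed as the host must never match a DNS name: this is the
 * check the "No hostname validation" report says is missing. */
int demo_ip_literal_any(void)    { return san_match_any_dns("74.125.227.115", kGoogleSans, COUNT(kGoogleSans)); }

int main(void)
{
    printf("google.com  first-DNS-only: %d  any-DNS: %d\n", demo_google_first_only(), demo_google_any());
    printf("fedoraproject.org any-DNS: %d\n", demo_fedora_any());
    printf("74.125.227.115 any-DNS: %d\n", demo_ip_literal_any());
    return 0;
}
```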

Build Failure on Fedora 17

make[3]: Entering directory `/var/lib/jenkins/jobs/matrix-tlsdate/workspace/label/fedora-17/tlsdate-0.0.1/_build/src/compat'
  CC     clock-linux.lo
  CCLD   libtlsdate_compat.la
make[3]: Leaving directory `/var/lib/jenkins/jobs/matrix-tlsdate/workspace/label/fedora-17/tlsdate-0.0.1/_build/src/compat'
make[3]: Entering directory `/var/lib/jenkins/jobs/matrix-tlsdate/workspace/label/fedora-17/tlsdate-0.0.1/_build/src'
  CC     tlsdate_routeup-routeup.o
  CC     tlsdate_routeup-util.o
../../src/util.c:12:18: fatal error: util.h: No such file or directory
compilation terminated.
../../src/routeup.c:22:21: fatal error: routeup.h: No such file or directory
compilation terminated.
make[3]: *** [tlsdate_routeup-util.o] Error 1
make[3]: *** Waiting for unfinished jobs....
make[3]: *** [tlsdate_routeup-routeup.o] Error 1
make[3]: Leaving directory `/var/lib/jenkins/jobs/matrix-tlsdate/workspace/label/fedora-17/tlsdate-0.0.1/_build/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/var/lib/jenkins/jobs/matrix-tlsdate/workspace/label/fedora-17/tlsdate-0.0.1/_build/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/var/lib/jenkins/jobs/matrix-tlsdate/workspace/label/fedora-17/tlsdate-0.0.1/_build'
make: *** [distcheck] Error 1
Build step 'Use builders from another project' marked build as failure
[WARNINGS] Skipping publisher since build result is FAILURE
Notifying upstream projects of job completion
Loading slave statistic
Slave statistic loaded
Finished: FAILURE

Feature request: accept host and its IP as parameter

To avoid triggering DNS requests, while still verifying hostname via a cert, it would be great if tlsdate had an option to receive hostname and its pinned IP(s). E.g.:

tlsdate -H torproject.org/82.195.75.101/86.59.30.40

An IP would then be picked randomly. On the other hand, maybe it's too complex for something that can be implemented via /etc/hosts or a dedicated SOCKS proxy.

Tag a new release?

It has been 8 months since the last tag. Can you tag a new release so I can easily pull in all of the fixes into a package? :)

Compilation warning

gcc (Debian 4.7.1-7) 4.7.1

src/proxy-bio-unittest.c: In function ‘need_out_bytes’:
src/proxy-bio-unittest.c:38:5: warning: stack protector not protecting local variables: variable length buffer [-Wstack-protector]

It's in the unit test so not that bad but I'm not sure how to fix this....

TODO (6): skew the clock rather than slamming it

Shouldn't a switch for tlsdate to use adjtime() instead of settimeofday(), and then calling tlsdate from tlsdated with this switch after the first successful time update be enough to fulfill this TODO item? There is also adjtimex(), but that's probably an overkill for anything but the real McCoy NTP.

Fails to build on Ubuntu precise

$ uname -a
Linux precise 3.2.0-40-virtual #64-Ubuntu SMP Mon Mar 25 21:42:18 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

$ dpkg -l autoconf automake autotools-dev libtool
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                     Version                  Description
+++-========================-========================-================================================================
ii  autoconf                 2.68-1ubuntu2            automatic configure script builder
ii  automake                 1:1.11.3-1ubuntu2        Tool for generating GNU Standards-compliant Makefiles
ii  autotools-dev            20120210.1ubuntu1        Update infrastructure for config.{guess,sub} files
ii  libtool                  2.4.2-1ubuntu1           Generic library support script

$ ./autogen.sh 
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
autoreconf: configure.ac: tracing
autoreconf: running: libtoolize --install --copy --force
libtoolize: putting auxiliary files in AC_CONFIG_AUX_DIR, `config'.
libtoolize: copying file `config/config.guess'
libtoolize: copying file `config/config.sub'
libtoolize: copying file `config/install-sh'
libtoolize: copying file `config/ltmain.sh'
libtoolize: putting macros in AC_CONFIG_MACRO_DIR, `m4'.
libtoolize: copying file `m4/libtool.m4'
libtoolize: copying file `m4/ltoptions.m4'
libtoolize: copying file `m4/ltsugar.m4'
libtoolize: copying file `m4/ltversion.m4'
libtoolize: copying file `m4/lt~obsolete.m4'
autoreconf: running: /usr/bin/autoconf --force
configure.ac:30: error: possibly undefined macro: AC_DEFINE_UNQUOTED
      If this token and others are legitimate, please use m4_pattern_allow.
      See the Autoconf documentation.
configure.ac:45: error: possibly undefined macro: AC_MSG_CHECKING
configure.ac:46: error: possibly undefined macro: AC_ARG_WITH
configure.ac:47: error: possibly undefined macro: AS_HELP_STRING
configure.ac:50: error: possibly undefined macro: AS_CASE
configure.ac:59: error: possibly undefined macro: AS_IF
configure.ac:65: error: possibly undefined macro: AC_DEFINE
configure.ac:125: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:299: error: possibly undefined macro: AC_MSG_RESULT
autoreconf: /usr/bin/autoconf failed with exit status: 1

Shell injection in rmrf

The function rmrf() in ./src/tlsdated-unittest.c contains a shell injection. Though it isn't exploitable, it seems like something I don't want to compile and run. It seems fairly easy to accidentally add rmrf("/") or something like that as the code is written.

#include <stdio.h>   /* snprintf */
#include <stdlib.h>  /* system */

/* dir is pasted straight into a /bin/sh command line, so any shell
 * metacharacters in dir are interpreted by the shell. */
int rmrf(char *dir) {
  char buf[256];
  snprintf(buf, sizeof(buf), "rm -rf %s", dir);
  return system(buf);
}

By commenting out the call to system and adding a printf, I was able to find that the calls would have been:
system("rm -rf /tmp/tlsdated-unit-YDqTh3");
system("rm -rf /tmp/tlsdated-unit-vzZxQ9");
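A shell-free replacement for the test helper, as an added example that is not tlsdate's code: it removes the tree with unlink/rmdir directly, and refuses any path that is not under the `/tmp/tlsdated-unit-` prefix seen in the calls above (the prefix constant is an assumption for the demonstration).

```c
/* Added example, not tlsdate's code: delete a directory tree without a
 * shell (so the path is never parsed as shell syntax) and refuse any path
 * outside the unit-test prefix, so rmrf_safe("/") fails instead of running. */
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Prefix every argument must carry; taken from the paths printed above. */
#define UNIT_PREFIX "/tmp/tlsdated-unit-"

/* lstat(), never stat(): a symlink is unlinked as a link, not followed. */
static int remove_tree(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return unlink(path);
    DIR *d = opendir(path);
    if (d == NULL)
        return -1;
    struct dirent *ent;
    int rc = 0;
    while (rc == 0 && (ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char child[PATH_MAX];
        if (snprintf(child, sizeof child, "%s/%s", path, ent->d_name)
                >= (int)sizeof child) {
            rc = -1;          /* path too long: stop rather than truncate */
            break;
        }
        rc = remove_tree(child);
    }
    closedir(d);
    return rc == 0 ? rmdir(path) : rc;   /* children gone, drop the dir */
}

/* Returns 0 on success, -1 if the path is rejected or removal fails. */
int rmrf_safe(const char *dir)
{
    if (dir == NULL ||
        strncmp(dir, UNIT_PREFIX, strlen(UNIT_PREFIX)) != 0 ||
        dir[strlen(UNIT_PREFIX)] == '\0' ||   /* bare prefix is not a test dir */
        strstr(dir, "..") != NULL)            /* no climbing out of the prefix */
        return -1;
    return remove_tree(dir);
}
```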

Build failure on Ubuntu 12.04

CC util.o
../../src/tlsdate-helper.c:78:28: fatal error: tlsdate-helper.h: No such file or directory
compilation terminated.
../../src/util.c:12:18: fatal error: util.h: No such file or directory
compilation terminated.
../../src/util.c:12:18: fatal error: util.h: No such file or directory
compilation terminated.
../../src/util.c:12:18: fatal error: util.h: No such file or directory
compilation terminated.
CCLD tlsdate
make[3]: *** [tlsdate-helper.o] Error 1
make[3]: *** Waiting for unfinished jobs....
../../src/routeup.c:22:21: fatal error: routeup.h: No such file or directory
compilation terminated.
../../src/routeup.c:22:21: fatal error: routeup.h: No such file or directory
compilation terminated.
../../src/routeup.c:22:21: fatal error: routeup.h: No such file or directory
compilation terminated.
In file included from ../../src/tlsdated-unittest.c:13:0:
../../src/tlsdated.c:32:21: fatal error: routeup.h: No such file or directory
compilation terminated.
../../src/tlsdated.c:32:21: fatal error: routeup.h: No such file or directory
compilation terminated.
make[3]: *** [util.o] Error 1
make[3]: *** [tlsdated-util.o] Error 1
make[3]: *** [tlsdate_routeup-util.o] Error 1
make[3]: *** [routeup.o] Error 1
make[3]: *** [tlsdated-routeup.o] Error 1
make[3]: *** [tlsdate_routeup-routeup.o] Error 1
make[3]: *** [tlsdated-unittest.o] Error 1
make[3]: *** [tlsdated-tlsdated.o] Error 1
make[3]: Leaving directory `/home/jenkins/workspace/matrix-tlsdate/label/ubuntu-12.04/tlsdate-0.0.1/_build/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/jenkins/workspace/matrix-tlsdate/label/ubuntu-12.04/tlsdate-0.0.1/_build/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/jenkins/workspace/matrix-tlsdate/label/ubuntu-12.04/tlsdate-0.0.1/_build'
make: *** [distcheck] Error 1
Build step 'Use builders from another project' marked build as failure
[WARNINGS] Skipping publisher since build result is FAILURE
Notifying upstream projects of job completion
Loading slave statistic
Slave statistic loaded
Finished: FAILURE

Daemonizing with systemd

referencing this with issue #123

the problem still exists

tlsdated[14644]: pgrp_enter() failed: Operation not permitted
systemd[1]: tlsdate.service: main process exited, code=exited, status=1/FAILURE

Running tlsdate once works fine, while running the daemon manually with tlsdated says

Can't open netlink socket: Success
[1]    13993 exit 1     tlsdated -v

giving an exit code of 1, but the daemon runs and works as expected; the message given there is a little confusing.

PS. As I wrote in the other closed issue, running a daemon with systemd worked in the 0.0.6 tagged version.

Wildcard matching is performed against proxy IP when using proxy

# tlsdate -nvV -H encrypted.google.com -x ${http_proxy}
V: tlsdate version 0.0.4
V: We were called with the following arguments:
V: validate SSL certificates host = encrypted.google.com:443
V: time is currently 1355158560.922025716
V: time is greater than RECENT_COMPILE_DATE
V: using TLSv1_client_method()
V: opening socket to 127.0.0.1:8118
V: certificate verification passed
V: commonName mismatch! Expected: encrypted.google.com - received: *.google.com
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: found non subjectAltName extension
V: Inspecting '127.0.0.1' for possible wildcard match against '*.google.com'
V: label found; total label count: 1
V: label found; total label count: 2
V: label found; total label count: 3
V: Found wildcard in at start of provided certificate name
V: Attempting match of '127' against '*'
V: Forced match of '127' against '*'
V: Attempting match of '0' against 'google'
V: Attempting match of '0.1' against 'com'
V: remaining labels do not match!
V: wildcard match failure of 127.0.0.1 against *.google.com
hostname verification failed for host 127.0.0.1!
child process failed in SSL handshake
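An added example of the name check done right (not tlsdate's verification code): the certificate name is compared with the host given by -H, the proxy address from -x is never a candidate, and a leading "*" may stand in for exactly one DNS label, never for an IP literal. Function names are assumptions for the demonstration.

```c
/* Added example, not tlsdate's verification code: match a certificate name
 * against the host the user asked for (-H), never the proxy endpoint from
 * -x, and let a leading "*" stand in for exactly one DNS label, never for an
 * IP literal such as 127.0.0.1. */
#include <arpa/inet.h>
#include <string.h>
#include <strings.h>

static int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

static int count_labels(const char *s)
{
    int n = 1;
    for (; *s != '\0'; s++)
        if (*s == '.')
            n++;
    return n;
}

/* Returns 1 if certificate name `pattern` is valid for `host`, else 0. */
int cert_name_matches(const char *pattern, const char *host)
{
    if (host[0] == '\0' || pattern[0] == '\0')
        return 0;
    if (strcasecmp(pattern, host) == 0)
        return 1;                           /* exact match, case-insensitive */
    if (is_ip_literal(host))
        return 0;                           /* an IP never matches a wildcard */
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 2, '*') != NULL)
        return 0;                           /* "*" only as the whole first label */
    if (count_labels(pattern) < 3)
        return 0;                           /* "*.com" would cover a whole TLD */
    const char *rest = strchr(host, '.');
    if (rest == NULL || rest == host)
        return 0;                           /* host needs a non-empty first label */
    return strcasecmp(pattern + 1, rest) == 0;  /* ".google.com" == ".google.com" */
}

/* The TCP connection goes to proxy_addr, but the certificate belongs to
 * requested_host: that is the only name verification may compare against. */
int verify_name_via_proxy(const char *requested_host, const char *proxy_addr,
                          const char *cert_name)
{
    (void)proxy_addr;   /* deliberately unused: the proxy is not the TLS peer */
    return cert_name_matches(cert_name, requested_host);
}
```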

rwx permissions in save_disk_timestamp

The function save_disk_timestamp creates a file with user read, write and execute permissions. The execute permission is unnecessary because it is guaranteed to be a file with the time_t in it.

  if ((fd = open (tmp, O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC,
      S_IRWXU)) < 0)
    {
      pinfo ("open failed");
      return;
    }

The proper permission is S_IRUSR | S_IWUSR.

Similarly the function write_time in src/tlsdated-unittest.c creates a file with user read, write and execute permissions.

int write_time(const char *path, time_t time) {
  int fd = open(path, O_WRONLY | O_TRUNC | O_CREAT, 0700);

I'm happy to submit a patch or pull request if you like.
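The fix proposed above, carried through as an added example (not tlsdate's save_disk_timestamp): the temp file is created with S_IRUSR | S_IWUSR, the mode is forced with fchmod() because O_CREAT only applies the mode to a newly created file, and the result is checked with stat(). Paths and function names are assumptions for the demonstration.

```c
/* Added example, not tlsdate's code: cache a time_t on disk with mode 0600
 * (owner read/write, no execute bit) and verify the bits afterwards. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Write t to path atomically: temp file, correct mode, fsync, rename.
 * Returns 0 on success, -1 on any failure. */
int save_timestamp_0600(const char *path, time_t t)
{
    char tmp[PATH_MAX];
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    int fd = open(tmp, O_WRONLY | O_CREAT | O_NOFOLLOW | O_TRUNC,
                  S_IRUSR | S_IWUSR);        /* 0600, not S_IRWXU */
    if (fd < 0)
        return -1;
    /* O_CREAT sets the mode only on a new file; a leftover temp file with
     * 0700 would keep its bits, so force them (fchmod ignores umask). */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 ||
        write(fd, &t, sizeof t) != (ssize_t)sizeof t ||
        fsync(fd) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    close(fd);
    return rename(tmp, path);
}

/* Read the cached time back; returns 0 and sets *t on success. */
int load_timestamp(const char *path, time_t *t)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, t, sizeof *t);
    close(fd);
    return n == (ssize_t)sizeof *t ? 0 : -1;
}

/* Permission bits of path (e.g. 0600), or -1 if it cannot be stat'ed. */
int file_mode_bits(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}
```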

Proper syslog usage

tlsdated does not call openlog(3), thus all syslog messages appear as "user". It should use openlog(3) with LOG_DAEMON (and possibly LOG_PID), so the messages end up in the correct file. logat() should probably take a level argument to differentiate debugging, informative and error messages.

Feature request: different steady_state_interval in tlsdated before/after setting clock for the first time

tlsdated reacts to netlink events with clock synchronization attempts. Unfortunately, this is often not enough to detect when a timing source might become available. An example would be using a wireless captive portal, where network becomes unfiltered once the user has registered via a web interface.

The -a switch (steady_state_interval) with a short parameter could remedy this, but constantly attempting to sync with a time source is undesirable. It would be much better if tlsdated could aggressively try to sync with a source until it succeeds, and then fall back to “normal” behavior. I.e, two -a switches for two phases. Maybe even use netlink events only for the first phase.

distributed trust

From the Tails Time Syncing Design page.

HTP source pools

What sources should be trusted? [...]

The HTP pools used by Tails are based on stable and reliable webservers that get great amounts of traffic. They are categorized into three different pools according to their members' relationship to the members in the other pools; any member in one pool should be unlikely to share logs (or other identifying data), or to agree to send fake time information, with a member from the other pools. The pools are as follows:

  • The "pal" pool are run by groups that are likely to take great care of their visitors' privacy.
  • The "foe" pool are managed by adversaries of the "pal" pool.
  • The "neutral" pool members have a neutral relationship to both the "pal" and "foe" pool.

The pools are listed in config/chroot local-includes/etc/default/htpdate.

Basically, Tails htpdate picks three random servers (one from each pool), and then builds the median of the three advertised dates.

Could you please add such a feature to tlsdate as well?
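The one-per-pool selection and median described above, as an added example that is neither Tails' htpdate nor tlsdate code: the pool member names and the fake_fetch stand-in for the network are constructed for the demonstration, and fake_fetch makes the "foe" pool lie by a day to show that the median still lands on the honest time.

```c
/* Added example, not Tails' htpdate or tlsdate code: query one source from
 * each of the three pools and take the median of the three answers, so one
 * lying (or compromised) source cannot pull the result outside the range of
 * the two honest ones. Pool members are constructed placeholder names. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <time.h>

typedef time_t (*fetch_fn)(const char *host);   /* returns 0 on failure */

static const char *const pal_pool[]     = { "pal-a.example", "pal-b.example" };
static const char *const foe_pool[]     = { "foe-a.example", "foe-b.example" };
static const char *const neutral_pool[] = { "neutral-a.example", "neutral-b.example" };

static const char *pick(const char *const *pool, size_t n, unsigned *seed)
{
    return pool[rand_r(seed) % n];
}

/* Median of three: the value that is neither the smallest nor the largest. */
time_t median3(time_t a, time_t b, time_t c)
{
    if ((a <= b && b <= c) || (c <= b && b <= a))
        return b;
    if ((b <= a && a <= c) || (c <= a && a <= b))
        return a;
    return c;
}

/* One host per pool; returns 0 if any fetch failed, so the caller retries
 * instead of settling for the median of only two answers. */
time_t pooled_time(fetch_fn fetch, unsigned seed)
{
    const char *hosts[3] = {
        pick(pal_pool, 2, &seed), pick(foe_pool, 2, &seed),
        pick(neutral_pool, 2, &seed),
    };
    time_t t[3];
    for (int i = 0; i < 3; i++) {
        t[i] = fetch(hosts[i]);
        if (t[i] == 0)
            return 0;
    }
    return median3(t[0], t[1], t[2]);
}

/* Constructed stand-in for the network: the "foe" pool lies by a day,
 * everyone else reports the honest time. */
#define HONEST_TIME ((time_t)1383223688)   /* sysclock value seen on this page */
time_t fake_fetch(const char *host)
{
    return strncmp(host, "foe-", 4) == 0 ? HONEST_TIME + 86400 : HONEST_TIME;
}
```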

Port to NetBSD

We should build from a tar.gz produced from make dist on NetBSD 6.0.1 and above.

configure error related to dbus

checking user/group to drop privs to... nobody:nogroup
./configure: line 13018: syntax error near unexpected token `DBUS,'
./configure: line 13018: `PKG_CHECK_MODULES(DBUS, dbus-1,'

Feature request: round-robin between multiple hosts

tlsdated can receive several -H arguments, which it can then pass in round-robin fashion to tlsdate. Or perhaps it can stick to the one for which tlsdate is successful, and proceed in round-robin for failures. If clock skewing is implemented, care probably needs to be taken to slam the clock only once (not for each new server).

Errors launching tlsdated with systemd

I tried launching tlsdated with systemd under Arch Linux using the latest git revision (and the packaging stuff as per https://aur.archlinux.org/packages/tlsdate). It fails launching tlsdate.

The relevant part in tlsdate.service:

[Service]
Type=simple
EnvironmentFile=/etc/conf.d/tlsdate
ExecStart=/usr/bin/tlsdated

My journal says:

tlsdated[23334]: pgrp_enter() failed: Operation not permitted

Output from strace (where it should be launching tlsdate):

3189  execve("", ["", "-H", "www.ptb.de", "-p", "443", "-x", "none", "-v"], [/* 7 vars */] <unfinished ...>
3186  clone( <unfinished ...>
3189  <... execve resumed> )            = -1 ENOENT (No such file or directory)

So for some reason, opts->argv[0] seems to be an empty string (from what I gather looking at tlsdated.c).

What worked was launching it using a bash script

ExecStart=/bin/bash /tmp/launch.sh

Deterministic builds for Debian GNU/*

The tlsdate debian-master branch should produce a deterministic build.

The current status isn't so hot:

https://jenkins.debian.net/view/reproducible/job/reproducible_build_security-privacy/lastBuild/artifact/results/tlsdate_0.0.8-1.diffp/*view*/

We probably need to modify the build scripts for tlsdate to define a single variable differently:

COMPILATE_DATE=$(shell date -u --date="`dpkg-parsechangelog -SDate`" +%s)

More documentation on this process and the idea behind the reproducible builds process in Debian can be found on the wiki: https://wiki.debian.org/ReproducibleBuilds

This is a really important goal and we should hit it for the next release.

Can't open netlink socket: No such file or directory

tlsdate from master exits immediately and leaves behind a couple of processes.

localhost core # tlsdated -v
can't open conf file '/etc/tlsdate/tlsdated.conf': No such file or directory
started up, loaded config file
open(/var/cache/tlsdated/timestamp) failed: No such file or directory
can't load time file
sysclock 1383223688, no cached time
Can't open netlink socket: No such file or directory
localhost core # ps aux | grep tlsdate
root      1049  0.0  0.0  12400   252 pts/0    S    12:48   0:00 tlsdated -v
root      1050  0.0  0.0  12400   264 pts/0    S    12:48   0:00 tlsdated -v

When I investigate with strace it seems to change the timing a bit and the parent process doesn't exit:

$ strace -f -o /tmp/log /usr/sbin/tlsdate -v
Can't open netlink socket: No such file or directory
$ ps aux | grep tlsdate
root      1033  0.0  0.1   4908  1032 tty1     S+   12:45   0:00 strace -f -o /tmp/foobar /usr/sbin/tlsdated
root      1037  0.0  0.0  12400   256 tty1     S    12:45   0:00 /usr/sbin/tlsdated
root      1038  0.0  0.0  12400   256 tty1     S    12:45   0:00 /usr/sbin/tlsdated

https://gist.github.com/philips/fa609d63780b4646a022/raw/3b109186410455507d90710388f7e5e376c8648c/gistfile1.txt

Happy to help debug further. I ended up using an older release because I couldn't figure out what was going wrong from looking at the code and the strace together.

/etc/init.d/tlsdate script

It is mentioned in the README but it is not part of the repository, right?

So here is my cheap knockoff as a starting point

#! /bin/sh

### BEGIN INIT INFO
# Provides:             tlsdated
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:
# Short-Description:    tlsdate secure parasitic rdate replacement
### END INIT INFO

set -e

. /lib/lsb/init-functions

test -x /usr/local/bin/tlsdated || exit 0

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin:/usr/local/bin"

case "$1" in
  start)
        log_daemon_msg "Starting TLSdated" "tlsdated" || true
        if start-stop-daemon --start -b --quiet --oknodo --pidfile /var/run/tlsdated.pid --exec /usr/local/bin/tlsdated ; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;
  stop)
        log_daemon_msg "Stopping TLSdated" "tlsdated" || true
        if start-stop-daemon --stop --quiet --oknodo --pidfile /var/run/tlsdated.pid; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;

  reload|force-reload|restart)
        log_daemon_msg "Restarting TLSdated" "tlsdated" || true
        if start-stop-daemon --stop --signal 1 --quiet --oknodo --pidfile /var/run/tlsdated.pid --exec /usr/local/bin/tlsdated; then
            log_end_msg 0 || true
        else
            log_end_msg 1 || true
        fi
        ;;

  status)
        status_of_proc -p /var/run/tlsdated.pid /usr/local/bin/tlsdated tlsdated && exit 0 || exit $?
        ;;

  *)
        log_action_msg "Usage: /etc/init.d/tlsdate {start|stop|restart|status}" || true
        exit 1
esac

exit 0
