"server ... ident <groupname>" changes from Dave Mills
authorHarlan Stenn <stenn@ntp.org>
Mon, 13 Dec 2010 06:29:30 +0000 (01:29 -0500)
committerHarlan Stenn <stenn@ntp.org>
Mon, 13 Dec 2010 06:29:30 +0000 (01:29 -0500)
bk: 4d05bd4at_fjOdC18r4ciTDJOiAbbg

ChangeLog
include/ntp.h
include/ntp_control.h
include/ntpd.h
ntpd/ntp_control.c
ntpd/ntp_crypto.c
ntpd/ntp_peer.c
ntpd/ntp_proto.c
util/ntp-keygen.c

index b1ac77b7f9ce04da2d8f471650cede5f7121cfde..b36e12b897ba645d4ee264b41befdbae4e45e03c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,4 @@
+* "server ... ident <groupname>" changes from Dave Mills.
 * Documentation updates from Dave Mills.
 (4.2.7p92) 2010/12/08 Released by Harlan Stenn <stenn@ntp.org>
 * [Bug 1743] from 4.2.6p3-RC12: Display timezone offset when showing
index d4c56b626210f1588950d9f1b46681415d8f277e..4d4dc47f705c71d14e3ad9dacb16cbf3e306b157 100644 (file)
@@ -272,6 +272,7 @@ struct peer {
        u_char  last_event;     /* last peer error code */
        u_char  num_events;     /* number of error events */
        u_char  ttl;            /* ttl/refclock mode */
+       char    *ident;         /* group identifier name */
 
        /*
         * Variables used by reference clock support
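Review bot: The new `ident` member should be declared `const char *ident;` rather than `char *`, since newpeer() in this same commit stores its `const char *group` argument into it and the assignment otherwise discards the qualifier. The comment should also say who owns the string, e.g. `/* group identifier name; points at caller-owned storage, not freed with the peer */` — that wording assumes, from what is visible, that the pointer is stored without a copy, so confirm against newpeer() and the peer teardown path. struct peer starts and ends outside this hunk.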
index 0e94a58c3c83d500bf261e28070fc70d915f01bf..f42254f11157620addd3e9e68d41e1706b5b540b 100644 (file)
@@ -261,7 +261,8 @@ struct ntp_control {
 #define        CP_INITKEY              (5 + CP_MAX_NOAUTOKEY)
 #define        CP_INITTSP              (6 + CP_MAX_NOAUTOKEY)
 #define        CP_SIGNATURE            (7 + CP_MAX_NOAUTOKEY)
-#define        CP_MAXCODE              CP_SIGNATURE
+#define        CP_IDENT                (8 + CP_MAX_NOAUTOKEY)
+#define        CP_MAXCODE              CP_IDENT
 #else  /* !AUTOKEY follows */
 #define        CP_MAXCODE              CP_MAX_NOAUTOKEY
 #endif /* !AUTOKEY */
index 9f4313220041b2ba14b04ee6268400fdc695ec23..51bea6c3a9cc45a37a64b1e8a04254012fd61473 100644 (file)
@@ -186,7 +186,7 @@ extern  void        set_peerdstadr  (struct peer *peer,
 extern struct peer *newpeer    (sockaddr_u *, const char *,
                                 struct interface *, u_char, u_char,
                                 u_char, u_char, u_int, u_char, u_char,
-                                keyid_t);
+                                keyid_t, const char *);
 extern void    peer_all_reset  (void);
 extern void    peer_clr_stats  (void);
 extern struct peer *peer_config(sockaddr_u *, const char *,
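Review bot: The `const char *` appended to the newpeer() prototype is indistinguishable from the hostname `const char *` two lines above because the declaration carries no parameter names, so a reader cannot tell which argument the ephemeral callers in ntp_proto.c are passing NULL for; naming at least the new one, `keyid_t, const char *group);`, or adding a trailing `/* ident */` comment fixes that. The peer_config() declaration on the last line continues outside the hunk.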
index 9ff5a8f113fd79ac917ff6231c8c6167772596e4..eb76de3f0338686084d86f95a197dadda89b3ab3 100644 (file)
@@ -270,8 +270,9 @@ static struct ctl_var peer_var[] = {
        { CP_INITKEY,   RO, "initkey" },        /* 47 */
        { CP_INITTSP,   RO, "timestamp" },      /* 48 */
        { CP_SIGNATURE, RO, "signature" },      /* 49 */
+       { CP_IDENT,     RO, "ident" },          /* 44 */
 #endif /* AUTOKEY */
-       { 0,            EOV, "" }               /* 43/50 */
+       { 0,            EOV, "" }               /* 44/51 */
 };
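Review bot: The index comment on the new `{ CP_IDENT, RO, "ident" }` entry reads `/* 44 */`, but it follows `/* 49 */` and the end-of-table comment on the next line was bumped to `/* 44/51 */`, so the entry's own comment should be `/* 50 */`. As written the table looks mis-ordered to anyone cross-checking ntpq variable numbers against this array.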
 
 
@@ -319,6 +320,7 @@ static u_char def_peer_var[] = {
        CP_SIGNATURE,
        CP_VALID,
        CP_INITSEQ,
+       CP_IDENT,
 #endif /* AUTOKEY */
        0
 };
@@ -1997,7 +1999,7 @@ ctl_putpeer(
        case CP_HOST:
                if (p->subject != NULL)
                        ctl_putstr(peer_var[id].text, p->subject,
-                                  strlen(p->subject));
+                           strlen(p->subject));
                break;
 
        case CP_VALID:          /* not used */
@@ -2012,6 +2014,14 @@ ctl_putpeer(
                ctl_putfs(peer_var[CP_INITTSP].text,
                          ntohl(p->recval.tstamp));
                break;
+
+       case CP_IDENT:
+               if (p->ident != NULL)
+                       ctl_putstr(peer_var[id].text, p->ident,
+                           strlen(p->ident));
+               break;
+
+               
 #endif /* AUTOKEY */
        }
 }
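Review bot: The second blank line added after the new `break;` is a whitespace-only line (a `+` followed by spaces), and the case ends with two blank lines where CP_HOST above uses one; drop the whitespace-only line so the case matches the others. ctl_putpeer() begins outside this hunk; the `p->ident != NULL` check mirrors the CP_HOST pattern, so a peer without a group simply omits the variable.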
index 3930c34982e679ae9ffa5321bfca85f143ef1f7c..e484fe0c308bea6928c97068a2f253e0e337a8ff 100644 (file)
@@ -1627,7 +1627,7 @@ crypto_ident(
         */
        if (peer->crypto & CRYPTO_FLAG_IFF) {
                snprintf(filename, MAXFILENAME, "ntpkey_iffpar_%s",
-                   peer->issuer);
+                   peer->ident);
                peer->ident_pkey = crypto_key(filename, NULL,
                    &peer->srcadr);
                if (peer->ident_pkey != NULL)
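Review bot: `peer->ident` is now formatted with `%s` and no NULL check, while this commit creates every ephemeral association in ntp_proto.c with `ident` NULL, so if crypto_ident() can be reached for such a peer the snprintf is undefined behaviour (glibc would print `(null)` and then look for `ntpkey_iffpar_(null)`). A guard at the top of the function, `if (peer->ident == NULL) return (CRYPTO_NULL);`, costs nothing and makes the no-group case explicit; whether the caller already prevents it cannot be seen here, as crypto_ident() starts before this hunk and continues past it.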
@@ -1635,7 +1635,7 @@ crypto_ident(
        }
        if (peer->crypto & CRYPTO_FLAG_GQ) {
                snprintf(filename, MAXFILENAME, "ntpkey_gqpar_%s",
-                   peer->issuer);
+                   peer->ident);
                peer->ident_pkey = crypto_key(filename, NULL,
                    &peer->srcadr);
                if (peer->ident_pkey != NULL)
@@ -1643,15 +1643,13 @@ crypto_ident(
        }
        if (peer->crypto & CRYPTO_FLAG_MV) {
                snprintf(filename, MAXFILENAME, "ntpkey_mvpar_%s",
-                   peer->issuer);
+                   peer->ident);
                peer->ident_pkey = crypto_key(filename, NULL,
                    &peer->srcadr);
                if (peer->ident_pkey != NULL)
                        return (CRYPTO_MV);
        }
-       msyslog(LOG_NOTICE,
-           "crypto_ident: no identity parameters found for group %s",
-           peer->issuer);
+       report_event(XEVNT_ID, peer, NULL);
        return (CRYPTO_NULL);
 }
 
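Review bot: The `report_event(XEVNT_ID, peer, NULL)` that replaces the msyslog drops the one fact the old message carried, namely which group had no identity parameters. If the third argument is report_event()'s optional message string, passing the group name, `report_event(XEVNT_ID, peer, peer->ident);`, keeps that detail in the event log at no cost; confirm the parameter's role in ntp_control.c, which is outside this chunk. crypto_ident() begins before this hunk.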
@@ -3157,20 +3155,15 @@ cert_hike(
                if (!(yp->flags & CERT_TRUST))
                        return (XEVNT_OK);
 
-               peer->grpkey = yp->grpkey;
-               peer->crypto |= CRYPTO_FLAG_CERT;
-               if (!(peer->crypto & CRYPTO_FLAG_MASK))
-                       peer->crypto |= CRYPTO_FLAG_VRFY |
-                           CRYPTO_FLAG_PROV;
-
                /*
                 * If the server has an an identity scheme, fetch the
                 * identity credentials. If not, the identity is
                 * verified only by the trusted certificate. The next
                 * signature will set the server proventic.
                 */
-               if (!(peer->crypto & CRYPTO_FLAG_MASK) ||
-                   sys_groupname == NULL)
+               peer->crypto |= CRYPTO_FLAG_CERT;
+               peer->grpkey = yp->grpkey;
+               if (peer->ident == NULL)
                        peer->crypto |= CRYPTO_FLAG_VRFY;
        }
 
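Review bot: The new test grants CRYPTO_FLAG_VRFY whenever `peer->ident == NULL`, but unlike the removed code it never consults `peer->crypto & CRYPTO_FLAG_MASK`, so a client configured without `ident` appears to accept a server that advertises an IFF, GQ or MV identity scheme on the strength of the trusted certificate alone. If that is the intended meaning of not configuring a group, the comment above the assignment should say so explicitly, since it currently reads as if the identity credentials are fetched whenever the server has a scheme; if it is not, the condition should be `if (peer->ident == NULL && !(peer->crypto & CRYPTO_FLAG_MASK))` and the mismatch reported. cert_hike() starts and ends outside this hunk, so any later check is not visible here.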
@@ -3800,21 +3793,6 @@ crypto_setup(void)
        }
        hostval.vallen = htonl(strlen(cinfo->subject));
        hostval.ptr = cinfo->subject;
-
-       /*
-        * If trusted certificate, the subject name must match the group
-        * name.
-        */
-       if (cinfo->flags & CERT_TRUST) {
-               if (sys_groupname == NULL) {
-                       sys_groupname = hostval.ptr;
-               } else if (strcmp(hostval.ptr, sys_groupname) != 0) {
-                       msyslog(LOG_ERR,
-                           "crypto_setup: trusted certificate name %s does not match group name %s",
-                           (char *)hostval.ptr, sys_groupname);
-                       exit (-1);
-               }
-       }
        if (sys_groupname != NULL) {
 
                /*
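Review bot: Deleting the trusted-certificate block also removes the fallback `sys_groupname = hostval.ptr;`, so a trusted host that never configured a group name now skips the `if (sys_groupname != NULL)` branch below entirely, which is a behaviour change beyond dropping the subject/group consistency check. If per-peer `ident` is meant to replace sys_groupname for that case, a comment here should say so; otherwise keeping the one-line default while dropping only the fatal mismatch check would preserve existing configurations. crypto_setup() continues past the hunk, so later uses of sys_groupname are not visible.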
index 4f2f78b38ffecd9fb2c4ddbfa3a4ac08678befa4..280ffa07bbaabea9360a3489df48e7ed177bc8f3 100644 (file)
@@ -565,7 +565,7 @@ peer_config(
        if ((MDF_ACAST | MDF_POOL) & cast_flags)
                flags &= ~FLAG_PREEMPT;
        return newpeer(srcadr, hostname, dstadr, hmode, version,
-                      minpoll, maxpoll, flags, cast_flags, ttl, key);
+           minpoll, maxpoll, flags, cast_flags, ttl, key, group);
 }
 
 /*
@@ -763,7 +763,8 @@ newpeer(
        u_int   flags,
        u_char  cast_flags,
        u_char  ttl,
-       keyid_t key
+       keyid_t key,
+       const char * group
        )
 {
        struct peer *peer;
@@ -893,6 +894,7 @@ newpeer(
 #endif /* AUTOKEY */
        peer->ttl = (u_char)ttl;
        peer->keyid = key;
+       peer->ident = group;
        peer->precision = sys_precision;
        peer->hpoll = peer->minpoll;
        if (cast_flags & MDF_ACAST)
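Review bot: `peer->ident = group;` stores the caller's pointer without copying it and, with `ident` declared `char *` in ntp.h, discards the `const` of the `group` parameter. Whether the configuration string outlives the association is not visible here; either copy it, `peer->ident = (group != NULL) ? strdup(group) : NULL;`, and free it where the peer is destroyed, or document on this line that the caller's storage must persist for the life of the peer. newpeer() begins and ends outside this hunk.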
index 12f1a04e3cf289db566b5316c797f9641fd16f23..9a89910ca27e2dc7f959a143331bc0b1d62cd490 100644 (file)
@@ -841,7 +841,7 @@ receive(
                if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
                    rbufp->dstadr, MODE_CLIENT, hisversion, NTP_MINDPOLL,
                    NTP_MAXDPOLL, FLAG_PREEMPT, MDF_UCAST | MDF_UCLNT, 0,
-                   skeyid)) == NULL) {
+                   skeyid, NULL)) == NULL) {
                        sys_declined++;
                        return;                 /* ignore duplicate  */
                }
@@ -923,7 +923,7 @@ receive(
                        if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
                            rbufp->dstadr, MODE_BCLIENT, hisversion,
                            pkt->ppoll, pkt->ppoll, 0, 0, 0,
-                           skeyid)) == NULL) {
+                           skeyid, NULL)) == NULL) {
                                sys_restricted++;
                                return;         /* ignore duplicate */
 
@@ -943,7 +943,7 @@ receive(
                 */
                if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
                    rbufp->dstadr, MODE_CLIENT, hisversion, pkt->ppoll,
-                   pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid)) ==
+                   pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid, NULL)) ==
                    NULL) {
                        sys_restricted++;
                        return;                 /* ignore duplicate */
@@ -1004,7 +1004,7 @@ receive(
                 */
                if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
                    rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll,
-                   NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid)) == NULL) {
+                   NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid, NULL)) == NULL) {
                        sys_declined++;
                        return;                 /* ignore duplicate */
                }
index 5dcb05b38e61dfa0c9fc3c4716d0f8d5a07cf1f1..a088394cde59b8a96dc0380d1a8d0cbd885257f9 100644 (file)
@@ -270,6 +270,7 @@ main(
        passwd2 = NULL;
        gettimeofday(&tv, 0);
        epoch = tv.tv_sec;
+       fstamp = epoch + JAN_1970;
 
        {
                int optct = optionProcess(&ntp_keygenOptions, argc, argv);
@@ -469,7 +470,7 @@ main(
                        readlink(filename, filename, sizeof(filename));
                        fprintf(stderr, "Using sign key %s\n",
                            filename);
-               } else if (pkey_host != NULL) {
+               } else {
                        pkey_sign = pkey_host;
                        fprintf(stderr, "Using host key as sign key\n");
                }
@@ -502,7 +503,6 @@ main(
        if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) {
                RSA     *rsa;
 
-               epoch = fstamp - JAN_1970;
                sprintf(filename, "ntpkey_gqpar_%s.%u", groupname,
                    fstamp);
                fprintf(stderr, "Writing GQ parameters %s to stdout\n",
@@ -567,7 +567,6 @@ main(
        if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) {
                DSA     *dsa;
 
-               epoch = fstamp - JAN_1970;
                sprintf(filename, "ntpkey_iffpar_%s.%u", groupname,
                    fstamp);
                fprintf(stderr, "Writing IFF parameters %s to stdout\n",
@@ -591,7 +590,6 @@ main(
        if (pkey_iffkey != NULL && passwd2 != NULL) {
                DSA     *dsa;
 
-               epoch = fstamp - JAN_1970;
                sprintf(filename, "ntpkey_iffkey_%s.%u", groupname,
                    fstamp);
                fprintf(stderr, "Writing IFF keys %s to stdout\n",
@@ -631,7 +629,6 @@ main(
         * associated with client key 1.
         */
        if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) {
-               epoch = fstamp - JAN_1970;
                sprintf(filename, "ntpkey_mvpar_%s.%u", groupname,
                    fstamp);
                fprintf(stderr, "Writing MV parameters %s to stdout\n",
@@ -650,7 +647,6 @@ main(
         * Write the encrypted MV server keys to the stdout stream.
         */
        if (pkey_mvkey != NULL && passwd2 != NULL) {
-               epoch = fstamp - JAN_1970;
                sprintf(filename, "ntpkey_mvkey_%s.%u", groupname,
                    fstamp);
                fprintf(stderr, "Writing MV keys %s to stdout\n",
@@ -666,16 +662,8 @@ main(
        }
 
        /*
-        * Don't generate a certificate if no host keys or extracting
-        * encrypted or nonencrypted keys to the standard output stream.
-        */
-       if (pkey_host == NULL || HAVE_OPT(ID_KEY) || passwd2 != NULL)
-               exit (0);
-
-       /*
-        * Decode the digest/signature scheme. If trusted, set the
-        * subject and issuer names to the group name; if not set both
-        * to the host name.
+        * Decode the digest/signature scheme and create the
+        * certificate. Do this every time we run the program.
         */
        ectx = EVP_get_digestbyname(scheme);
        if (ectx == NULL) {
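Review bot: Removing the `if (pkey_host == NULL || HAVE_OPT(ID_KEY) || passwd2 != NULL) exit (0);` guard means x509() now runs with `pkey_sign` possibly NULL: the earlier hunk in this file changed `} else if (pkey_host != NULL) {` to a bare `} else {`, so when no host key was generated or loaded `pkey_sign = pkey_host` is NULL and the signing inside x509() would presumably dereference it. If a missing host key is impossible by this point the removed check was dead and a comment saying so would help; otherwise keep `if (pkey_host == NULL) exit (0);` (or an error message) ahead of the digest lookup. main() continues past this hunk, and x509() is only partly visible in this chunk.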
@@ -684,10 +672,7 @@ main(
                    scheme);
                        exit (-1);
        }
-       if (exten == NULL)
-               x509(pkey_sign, ectx, grpkey, exten, certname);
-       else
-               x509(pkey_sign, ectx, grpkey, exten, groupname);
+       x509(pkey_sign, ectx, grpkey, exten, certname);
 #endif /* AUTOKEY */
        exit (0);
 }
@@ -1809,7 +1794,7 @@ x509      (
        const EVP_MD *md,       /* generic digest algorithm */
        char    *gqpub,         /* identity extension (hex string) */
        char    *exten,         /* private cert extension */
-       char    *name           /* subject/issuer namd */
+       char    *name           /* subject/issuer name */
        )
 {
        X509    *cert;          /* X509 certificate */
@@ -2053,8 +2038,7 @@ fheader   (
        char    linkname[MAXFILENAME]; /* link name */
        int     temp;
 
-       sprintf(filename, "ntpkey_%s_%s.%lu", file, owner, epoch +
-           JAN_1970);
+       sprintf(filename, "ntpkey_%s_%s.%u", file, owner, fstamp); 
        if ((str = fopen(filename, "w")) == NULL) {
                perror("Write");
                exit (-1);
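Review bot: The rewritten sprintf line ends with trailing whitespace after the `;`, and since it is being touched it should become a bounded write, `snprintf(filename, MAXFILENAME, "ntpkey_%s_%s.%u", file, owner, fstamp);`, matching the `linkname[MAXFILENAME]` declared just above if `filename` is sized the same way (its declaration is outside the hunk). The `%lu` to `%u` change is only correct if `fstamp` is an unsigned int; if it is declared as a wider or differently-signed type the format should follow the declaration. fheader() starts before this hunk.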