*/
u_int32 crypto_flags = 0x0; /* status word */
int crypto_nid = KEY_TYPE_MD5; /* digest nid */
-char *sys_hostname = NULL; /* host name */
-char *sys_groupname = NULL; /* group name */
+char *sys_hostname = NULL;
+char *sys_groupname = NULL;
+static char *host_filename = NULL; /* host file name */
+static char *ident_filename = NULL; /* group file name */
/*
* Global cryptodata in network byte order
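Review bot: The trailing comments on `sys_hostname` and `sys_groupname` are dropped at L6-L7 although these globals keep their role and, elsewhere in this patch, acquire a new origin (the certificate subject, and the text after its '@', at L62-L66). A reader of this header block now has no hint that the values are derived at crypto setup rather than taken from the `host`/`ident` configuration keywords, which now land in `host_filename`/`ident_filename`. I would keep `/* host name (certificate subject) */` on L6 and `/* group name (subject text after '@') */` on L7, hedged as appropriate if the derivation is not the only assignment.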
if (vallen == 0 || vallen > MAXHOSTNAME) {
rval = XEVNT_LEN;
break;
-
- } else {
- memcpy(certname, ep->pkt, vallen);
- certname[vallen] = '\0';
}
/*
* found, use that certificate. If not, use the last non
* self-signed certificate.
*/
+ memcpy(certname, ep->pkt, vallen);
+ certname[vallen] = '\0';
xp = yp = NULL;
for (cp = cinfo; cp != NULL; cp = cp->link) {
if (cp->flags & (CERT_PRIV | CERT_ERROR))
*/
peer->crypto |= CRYPTO_FLAG_CERT;
peer->grpkey = yp->grpkey;
- if (peer->ident == NULL)
+ if (peer->ident == NULL || !(peer->crypto &
+ CRYPTO_FLAG_MASK))
peer->crypto |= CRYPTO_FLAG_VRFY;
}
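Review bot: The widened condition at L33-L34 sets CRYPTO_FLAG_VRFY not only when the peer carries no identity string but whenever no CRYPTO_FLAG_MASK bit is set, which appears to mean that with no identity scheme configured a trusted certificate alone completes verification. That is a trust decision, and the comment above it (its text is outside the hunk) should say so explicitly so that a later reader does not take the second clause for an accident; something like `/* no identity scheme in effect: a trusted certificate alone completes verification */` placed before the `if`. If the intent is narrower than that, the condition rather than the comment needs adjusting. The enclosing function starts outside the hunk.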
* Initialize structures.
*/
gethostname(hostname, MAXFILENAME);
- if (sys_hostname == NULL)
- sys_hostname = strdup(hostname);
+ if (host_filename != NULL)
+ strcpy(hostname, host_filename);
if (passwd == NULL)
- passwd = sys_hostname;
-
+ passwd = hostname;
memset(&hostval, 0, sizeof(hostval));
memset(&pubkey, 0, sizeof(pubkey));
memset(&tai_leap, 0, sizeof(tai_leap));
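Review bot: `strcpy(hostname, host_filename)` at L43 copies a configuration-supplied string (stored by `strdup(cp)` at L76) into a fixed buffer with no length check; the `gethostname(hostname, MAXFILENAME)` call just above suggests the buffer holds MAXFILENAME bytes, so a long `host` value overruns the stack frame. Use the bounded form, `snprintf(hostname, MAXFILENAME, "%s", host_filename);`, and the same at L68 for `ident_filename`. Separately, `passwd = hostname` at L47 makes the password an alias of that buffer, and L68 later overwrites the buffer with the identity file name; if `passwd` is used after that point (the rest of crypto_setup is outside the hunk) it no longer holds the host name, so either copy it or take the default password before L68. The enclosing function starts before this hunk.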
filename);
exit (-1);
}
-
- if (sys_groupname == NULL)
- snprintf(filename, MAXFILENAME, "%s", sys_hostname);
- else
- snprintf(filename, MAXFILENAME, "%s@%s", sys_hostname,
- sys_groupname);
- hostval.vallen = htonl(strlen(filename));
- hostval.ptr = strdup(filename);
+ hostval.ptr = strdup(cinfo->subject);
+ hostval.vallen = htonl(strlen(cinfo->subject));
+ sys_hostname = hostval.ptr;
+ if ((ptr = strchr(sys_hostname, (int)'@')) != NULL)
+ sys_groupname = strdup(++ptr);
+ if (ident_filename != NULL)
+ strcpy(hostname, ident_filename);
/*
* Load optional IFF parameters from file
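Review bot: `hostval.ptr = strdup(cinfo->subject)` at L62 is unchecked, and a NULL result is stored into `sys_hostname` at L64 and dereferenced by `strchr` at L65; the code this replaces used `emalloc`, which the removed lines treated as non-failing, so the patch trades a checked allocation for an unchecked one. The same unchecked `strdup` appears at L66, L76 and L84. Either use the project's checked duplicate wrapper if one exists, or test the result and fail the way the error path at L51-L53 does, e.g. `if (hostval.ptr == NULL) exit(-1);` with a log line preceding it. The enclosing function starts before this hunk and continues after it.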
* Set host name (host).
*/
case CRYPTO_CONF_PRIV:
- sys_hostname = emalloc(strlen(cp) + 1);
- strcpy(sys_hostname, cp);
+ host_filename = strdup(cp);
break;
/*
* Set group name (ident).
*/
case CRYPTO_CONF_IDENT:
- sys_groupname = emalloc(strlen(cp) + 1);
- strcpy(sys_groupname, cp);
+ ident_filename = strdup(cp);
break;
/*
static void clock_update (struct peer *);
static int default_get_precision (void);
static int peer_unfit (struct peer *);
+#ifdef AUTOKEY
+static int group_test (char *, char *);
+#endif /* AUTOKEY */
#ifdef WORKER
void pool_name_resolved (int, int, void *, const char *,
const char *, const struct addrinfo *,
const struct addrinfo *);
-#endif
+#endif /* WORKER */
/*
l_fp p_rec; /* receive timestamp */
l_fp p_xmt; /* transmit timestamp */
#ifdef AUTOKEY
+ char hostname[NTP_MAXSTRLEN + 1];
+ char *groupname = NULL;;
struct autokey *ap; /* autokey structure pointer */
int rval; /* cookie snatcher */
keyid_t pkeyid = 0, tkeyid = 0; /* key IDs */
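Review bot: L104 ends in a doubled semicolon, `char *groupname = NULL;;`, which compiles but reads as a slip; make it `char *groupname = NULL;`. A one-line comment on the two new locals would also help, since `hostname` here is a scratch copy of the remote host's subject string taken from the packet (L133) rather than this host's name: `/* remote host name from CRYPTO_ASSOC, and its '@' group part */`. The enclosing function starts before this hunk.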
has_mac = rbufp->recv_length - authlen;
while (has_mac != 0) {
u_int32 len;
+#ifdef AUTOKEY
+ struct exten *ep;
+#endif /*AUTOKEY */
if (has_mac % 4 != 0 || has_mac < MIN_MAC_LEN) {
sys_badlength++;
} else {
opcode = ntohl(((u_int32 *)pkt)[authlen / 4]);
- len = opcode & 0xffff;
+ len = opcode & 0xffff;
if (len % 4 != 0 || len < 4 || (int)len +
authlen > rbufp->recv_length) {
sys_badlength++;
return; /* bad length */
}
+#ifdef AUTOKEY
+
+ /*
+ * Extract calling group name for later.
+ */
+ if ((opcode & 0x3fff0000) == CRYPTO_ASSOC &&
+ sys_groupname != NULL) {
+ ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4];
+ memmove(hostname, &ep->pkt, ntohl(ep->vallen));
+ hostname[ntohl(ep->vallen)] = '\0';
+ groupname = strchr(hostname, '@');
+ if (groupname == NULL)
+ return;
+
+ else
+ groupname++;
+ }
+#endif /* AUTOKEY */
authlen += len;
has_mac -= len;
}
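Review bot: `memmove(hostname, &ep->pkt, ntohl(ep->vallen))` at L133 and the terminator store at L134 use a length taken straight from the packet without bounding it, so a remote CRYPTO_ASSOC extension with a large `vallen` writes past the NTP_MAXSTRLEN + 1 byte `hostname` array on receive()'s stack and, independently, can read beyond the extension field and the receive buffer; the length check at L120-L121 validates `len` but never relates `vallen` to `len`. The copy should be refused unless `len` covers the fixed part of `struct exten` and `vallen` fits both the remainder of the field and the buffer, counting the rejection in `sys_badlength` like the other length failures; the sketch below assumes `vallen` precedes `pkt` in `struct exten` and needs `<stddef.h>` for `offsetof`. The `return;` at L137 also drops the packet silently, unlike every other rejection in this function which bumps a counter; `sys_declined++` before it would keep the statistics honest. The enclosing function starts and ends outside the hunk.
```c
if ((opcode & 0x3fff0000) == CRYPTO_ASSOC &&
    sys_groupname != NULL) {
	u_int32 vlen;

	ep = (struct exten *)&((u_int32 *)pkt)[authlen / 4];
	/* vallen is attacker-controlled: bound it by the field and the buffer */
	if (len < offsetof(struct exten, pkt)) {
		sys_badlength++;
		return;
	}
	vlen = ntohl(ep->vallen);
	if (vlen > len - offsetof(struct exten, pkt) ||
	    vlen > NTP_MAXSTRLEN) {
		sys_badlength++;
		return;
	}
	memmove(hostname, &ep->pkt, vlen);
	hostname[vlen] = '\0';
	/* … unchanged: locate '@' and set groupname … */
}
```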
return; /* not enabled */
}
+#ifdef AUTOKEY
+ /*
+ * Do not respond if not the same groupl;
+ */
+ if (group_test(groupname, NULL)) {
+ sys_declined++;
+ return;
+ }
+#endif /* AUTOKEY */
+
/*
* Do not respond if we are not synchronized or our
* stratum is greater than the manycaster or the
* the guy is already here, don't fire up a duplicate.
*/
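Review bot: The new comment at L150 reads "Do not respond if not the same groupl;", a typo that the patch then copies verbatim into L167, L183, L209 and L233; it should read `* Do not respond if not the same group.` in each place. Since the same five-line guard (comment, `group_test`, `sys_declined++`, `return`) is pasted five times with only the second argument varying, a short static helper or a macro taking the ident would keep the copies from drifting. The enclosing switch starts and ends outside this hunk.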
case AM_MANYCAST:
+
+#ifdef AUTOKEY
+ /*
+ * Do not respond if not the same groupl;
+ */
+ if (group_test(groupname, NULL)) {
+ sys_declined++;
+ return;
+ }
+#endif /* AUTOKEY */
if ((peer2 = findmanycastpeer(rbufp)) == NULL) {
sys_restricted++;
return; /* not enabled */
* kiss any frogs here.
*/
case AM_NEWBCL:
+
+#ifdef AUTOKEY
+ /*
+ * Do not respond if not the same groupl;
+ */
+ if (group_test(groupname, sys_ident)) {
+ sys_declined++;
+ return;
+ }
+#endif /* AUTOKEY */
if (sys_bclient == 0) {
sys_restricted++;
return; /* not enabled */
*/
if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
rbufp->dstadr, MODE_CLIENT, hisversion, pkt->ppoll,
- pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid, sys_ident)) ==
- NULL) {
+ pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid,
+ sys_ident)) == NULL) {
sys_restricted++;
return; /* ignore duplicate */
}
* mobilize a passive association. If not, kiss the frog.
*/
case AM_NEWPASS:
+
+#ifdef AUTOKEY
+ /*
+ * Do not respond if not the same groupl;
+ */
+ if (group_test(groupname, sys_ident)) {
+ sys_declined++;
+ return;
+ }
+#endif /* AUTOKEY */
if (!AUTH(sys_authenticate | (restrict_mask &
(RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
*/
if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll,
- NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid, sys_ident)) == NULL) {
+ NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid,
+ sys_ident)) == NULL) {
sys_declined++;
return; /* ignore duplicate */
}
* Process regular packet. Nothing special.
*/
case AM_PROCPKT:
+
+#ifdef AUTOKEY
+ /*
+ * Do not respond if not the same groupl;
+ */
+ if (group_test(groupname, peer->ident)) {
+ sys_declined++;
+ return;
+ }
+#endif /* AUTOKEY */
break;
/*
*/
if (!peer->crypto)
exten = crypto_args(peer, CRYPTO_ASSOC,
- peer->associd, sys_hostname);
+ peer->associd, hostval.ptr);
else if (!(peer->crypto & CRYPTO_FLAG_CERT))
exten = crypto_args(peer, CRYPTO_CERT,
peer->associd, peer->issuer);
else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
exten = crypto_args(peer, CRYPTO_SIGN,
- peer->associd, sys_hostname);
+ peer->associd, hostval.ptr);
else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
exten = crypto_args(peer, CRYPTO_LEAP,
peer->associd, NULL);
*/
if (!peer->crypto)
exten = crypto_args(peer, CRYPTO_ASSOC,
- peer->associd, sys_hostname);
+ peer->associd, hostval.ptr);
else if (!(peer->crypto & CRYPTO_FLAG_CERT))
exten = crypto_args(peer, CRYPTO_CERT,
peer->associd, peer->issuer);
else if (!(peer->crypto & CRYPTO_FLAG_SIGN))
exten = crypto_args(peer, CRYPTO_SIGN,
- peer->associd, sys_hostname);
+ peer->associd, hostval.ptr);
else if (!(peer->crypto & CRYPTO_FLAG_LEAP))
exten = crypto_args(peer, CRYPTO_LEAP,
peer->associd, NULL);
}
+#ifdef AUTOKEY
+ /*
+ * group_test - test if this is the same group
+ *
+ * host assoc return action
+ * none none 0 mobilize *
+ * none group 0 mobilize *
+ * group none 0 mobilize *
+ * group group 1 mobilize
+ * group different 2 ignore
+ * * ignore if notrust
+ */
+int group_test(
+ char *group,
+ char *ident
+ )
+{
+ if (group == NULL)
+ return (0);
+
+ if (strcmp(group, sys_groupname) == 0)
+ return (0);
+
+ if (ident == NULL)
+ return (1);
+
+ if (strcmp(group, ident) == 0)
+ return (0);
+
+ return (1);
+}
+#endif /* AUTOKEY */
+
#ifdef WORKER
void
pool_name_resolved(
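Review bot: `group_test` at L293 calls `strcmp(group, sys_groupname)` without checking `sys_groupname`; today every caller only passes a non-NULL `group` when `sys_groupname` is set (L131), but the function itself has no guard, so a future caller would crash, and `if (group == NULL || sys_groupname == NULL) return (0);` at L290 would make it self-contained at no cost. The definition at L285 omits the `static` that the prototype at L91 carries, and both could take `const char *` since neither argument is written; the header table at L277-L283 promises a return of 2 for "group different" and a notrust rule marked `*`, neither of which the code implements (it returns only 0 or 1), so the table should be brought in line with the code or the code with the table.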