ChangeLog, ntp_proto.c, ntp_resolver.c:
authorHarlan Stenn <stenn@ntp.org>
Thu, 16 Mar 2000 04:08:55 +0000 (04:08 -0000)
committerHarlan Stenn <stenn@ntp.org>
Thu, 16 Mar 2000 04:08:55 +0000 (04:08 -0000)
  * ntpd/ntp_resolver.c (ntp_res): Authenticate the keyid.

bk: 38d05e57pqu_Ck4h_DGFOQr7JcejsQ

ChangeLog
ntpd/ntp_proto.c
ntpd/ntp_resolver.c

index 34499f6dfa4c4cb4ca9eb572a81b5fa9882daf79..106acebc338d1a6ee39a8b3a58cb9dc71252c151 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 2000-03-15  Harlan Stenn  <stenn@whimsy.udel.edu>
 
+       * ntpd/ntp_resolver.c (ntp_res): Authenticate the keyid.
+
        * ntpd/ntp_crypto.c (crypto_line): Fix definition
        (crypto_read): Ditto.
 
index 7c1142a660a8a98cd478976d7058b029d1fa3039..fa0f517810ff52ee1b13b620692100208f816f7a 100644 (file)
@@ -524,7 +524,7 @@ receive(
                 * to it. If something goes wrong, carefully pry the new
                 * association away and return its marbles to the candy
                 * store.
-               */
+                */
                peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
                    MODE_CLIENT, PKT_VERSION(pkt->li_vn_mode),
                    NTP_MINDPOLL, NTP_MAXDPOLL, 0, skeyid);
@@ -578,6 +578,17 @@ receive(
                        break;
                peer->flags |= FLAG_MCAST1 | FLAG_MCAST2 | FLAG_BURST;
                peer->hmode = MODE_CLIENT;
+
+               /*
+                * Crank up the resolver to fetch the canonical name and
+                * hope it lands before the protocol gets wound up.
+                */
+
+printf("bcst resolve %08x, %d\n", peer->srcadr.sin_addr.s_addr,
+    peer->associd);
+
+               ntp_res_send(NULL, NULL, peer->srcadr.sin_addr.s_addr,
+                   peer->associd);
                break;
 
        case AM_POSSBCL:
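Review bot: The added `printf("bcst resolve %08x, %d\n", ...)` is unconditional and sits at column 0, so every association mobilized on this path writes to stdout from the packet receive routine. It reads like leftover debugging and should be removed or put under the guard ntpd uses for trace output, `#ifdef DEBUG` / `if (debug) printf(...)` / `#endif`. Separately, `ntp_res_send()` is now called as a side effect of an incoming packet, so name-resolution work is driven by remote traffic; the hunk does not show whether the packet has been authenticated by this point or whether requests are bounded, and both are worth confirming. The `NULL, NULL` arguments would also benefit from a short comment saying what they stand for. The enclosing `receive()` case begins outside the hunk.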
@@ -1243,7 +1254,8 @@ clock_filter(
         * Compute the offset, delay, variance (squares) and error
         * bound. The offset, delay and variance are weighted by the
         * reciprocal of distance and normalized. The error bound is
-        * weighted exponentially.
+        * weighted exponentially. When no acceptable samples remain in
+        * the shift register, quietly tiptoe home.
         */
        off = dly = var = dsp = dtemp = 0;
        for (i = NTP_SHIFT - 1; i >= 0; i--) {
@@ -1259,6 +1271,8 @@ clock_filter(
                            SQUARE(distance[i]);
                }
        }
+       if (dtemp == 0)
+               return;
        peer->delay = dly / dtemp;
        peer->variance = min(var / SQUARE(dtemp), MAXDISPERSE);
        peer->disp = min(dsp, MAXDISPERSE);
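Review bot: The new `if (dtemp == 0) return;` avoids the division by zero, but it returns before `peer->delay`, `peer->variance` and `peer->disp` are assigned, so a peer with no acceptable samples silently keeps the statistics from an earlier call. Whether those stale values can keep the peer looking usable to later selection code is not visible here; either update the dispersion before returning or state the intent at the check, for example `/* no usable samples: peer statistics are deliberately left unchanged */`. Bracing the single-statement body would also match the defensive style the rest of the hunk's loop uses. `clock_filter()` starts and continues outside the hunk.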
index 601cc6bca6ae4c3600ced2d6cecca460a11e5cb2..114ef78e61cb9b00b92db40c1eac2b7439a8fc15 100644 (file)
@@ -217,6 +217,15 @@ ntp_res(void)
        }
 #endif
 
+       /* check out auth stuff */
+       if (sys_authenticate) {
+               if (!authistrusted(req_keyid)) {
+                       msyslog(LOG_ERR, "invalid request keyid %08x",
+                           req_keyid );
+                       exit(1);
+               }
+       }
+
        /*
         * Make a first cut at resolving the bunch
         */
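Review bot: The failure path of the new key check calls `exit(1)` directly, and the hunk does not show whether `ntp_res()` always runs in a separate resolver process. If it can ever run inside the daemon's own process, an untrusted `req_keyid` would terminate ntpd rather than just the resolver, so the calling context should be confirmed. The check is also skipped entirely when `sys_authenticate` is false, leaving `req_keyid` unvalidated in that configuration. The comment `/* check out auth stuff */` should state that this is intended, e.g. `/* With authentication enabled, refuse to run unless req_keyid is a trusted key. */`. The log text "invalid request keyid" would be more useful to an operator if it said the key is not trusted.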