Ordinarily, the <tt>ntp.keys</tt> file is generated by
the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can
be constructed and edited using an ordinary text editor.</p>
- <p> Each line of the keys file consists of three or four fields: a key
- ID in the range 1 to 65,535, inclusive, a key type, a message digest
- key consisting of a printable ASCII string less than 40 characters or
- a 40-character hex digit string, and an optional comma-separated list
- of IPs that are allowed to serve time. If the OpenSSL library is
- installed, the key type can be any message digest algorithm supported
- by the library. If the OpenSSL library is not installed, the only
+ <p> Each line of the keys file consists of three or four fields: a
+ key ID in the range 1 to 65,535, inclusive, a key type, a
+ message digest key consisting of a printable ASCII string up to
+ 20 characters or a hex digit string with more than 20
+ characters, and an optional comma-separated list of IPs that are
+ allowed to serve time. If the OpenSSL library is installed, the
+ key type can be any message digest algorithm supported by the
+ library. If the OpenSSL library is not installed, the only
permitted key type is MD5.</p>
<table>
<caption style="caption-side: bottom;">
<dt><tt>quit</tt></dt>
<dd>Exit <tt>ntpdc</tt>.</dd>
<dt><tt>passwd</tt></dt>
- <dd>This command prompts you to type in a password (which will not be echoed) which will be used to authenticate configuration requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful.</dd>
+ <dd>This command prompts you to type in a password (which will not be echoed) which will be used to authenticate configuration requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful.
+ It follows the same rules as a password entry in the keys file of <tt>ntpd</tt>.</dd>
<dt><tt>timeout <i>milliseconds</i></tt></dt>
<dd>Specify a timeout period for responses to server queries. The default is about 8000 milliseconds. Note that since <tt>ntpdc</tt> retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set.</dd>
</dl>
<dt id="ntpversion"><tt>ntpversion 1 | 2 | 3 | 4</tt></dt>
<dd>Sets the NTP version number which <tt>ntpq</tt> claims in packets. Defaults to 2, Note that mode-6 control messages (and modes, for that matter) didn't exist in NTP version 1.</dd>
<dt id="passwd"><tt>passwd</tt></dt>
- <dd>This command prompts for a password to authenticate requests. The password must correspond to the key ID configured in <tt>ntp.conf</tt> for this purpose.</dd>
+ <dd>This command prompts for a password to authenticate requests. The password must correspond to the key ID configured in <tt>ntp.conf</tt> for this purpose.
+ It follows the same rules as a password entry in the keys file of <tt>ntpd</tt>.</dd>
<dt id="quit"><tt>quit</tt></dt>
<dd>Exit <tt>ntpq</tt>.</dd>
<dt id="raw"><tt>raw</tt></dt>
typedef void (*ctrl_c_fn)(void);
/* authkeys.c */
-#define AUTHPWD_UNSPEC 0
-#define AUTHPWD_PLAIN 1
-#define AUTHPWD_HEX 2
+#define AUTHPWD_MAXSECLEN 64 /* max. length of secret blob */
+
+enum AuthPwdEnc {
+ AUTHPWD_UNSPEC, /* format unspecified, length used for discrimination */
+ AUTHPWD_PLAIN, /* plain text, used as is */
+ AUTHPWD_HEX /* hex-encoded string */
+};
extern void auth_delkeys (void);
extern int auth_havekey (keyid_t);
-extern size_t authdecodepw (u_char *dst, size_t dstlen, const char *src, int fmt);
+extern size_t authdecodepw (u_char *dst, size_t dstlen, const char *src, enum AuthPwdEnc);
extern int authdecrypt (keyid_t, u_int32 *, size_t, size_t);
extern size_t authencrypt (keyid_t, u_int32 *, size_t);
extern int authhavekey (keyid_t);
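Review bot: The new authdecodepw prototype drops the name of its last parameter (`enum AuthPwdEnc);`) while the first three parameters keep theirs, which is inconsistent within the declaration and loses the self-documentation the rest of the line provides; I'd write `extern size_t authdecodepw (u_char *dst, size_t dstlen, const char *src, enum AuthPwdEnc enc);`. The comment on AUTHPWD_UNSPEC says the length is used for discrimination, but the threshold itself (20 characters, per the decoder and the updated ntp.keys documentation in this commit) exists only as a literal in authkeys.c; a named constant next to AUTHPWD_MAXSECLEN, e.g. `#define AUTHPWD_PLAINMAXLEN 20 /* longer unspecified secrets are taken as hex */`, would let the header, the decoder and the documentation agree on one number.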
)
{
KeyAccT * node = emalloc(sizeof(KeyAccT));
-
+
memcpy(&node->addr, addr, sizeof(sockaddr_u));
node->subnetbits = subnetbits;
node->next = head;
* other checks if we find object identity. But that use case is
* too rare to care for it.
*/
-
+
/* 2nd check: Address families must be the same. */
if (AF(a1) != AF(a2))
return FALSE;
cache_keyacclist = NULL;
for (alloc = authallocs; alloc != NULL; alloc = next_alloc) {
next_alloc = alloc->link;
- free(alloc->mem);
+ free(alloc->mem);
}
authfreekeys = NULL;
authnumfreekeys = 0;
authcache_flush_id(sk->keyid);
keyacc_all_free(sk->keyacclist);
-
+
bucket = &key_hash[KEYHASH(sk->keyid)];
if (sk->secret != NULL) {
memset(sk->secret, '\0', sk->secretsize);
* There are two conditions remaining. Either it does not
* exist and is to be trusted or it does exist and is or is
* not to be trusted.
- */
+ */
if (sk != NULL) {
/*
* Key exists. If it is to be trusted, say so and update
return (KEY_TRUSTED & sk->flags) &&
keyacc_contains(sk->keyacclist, sau, TRUE);
}
-
+
authkeynotfound++;
- return FALSE;
+ return FALSE;
}
/* Note: There are two locations below where 'strncpy()' is used. While
{
symkey * sk;
u_char * secret;
-
+
DEBUG_ENSURE(keytype <= USHRT_MAX);
DEBUG_ENSURE(secretsize < 4 * 1024);
/*
printf("%02x", secret[j]);
}
printf("\n");
- }
+ }
#endif
}
)
{
static const char hex[] = "00112233445566778899AaBbCcDdEeFf";
-
+
size_t srclen = strlen(src);
size_t reslen = (srclen >> 1) + (srclen & 1);
u_char tmp;
if (reslen > dstlen) {
errno = ENOMEM;
reslen = (size_t)-1;
- } else {
+ } else {
for (j = 0; j < srclen; ++j) {
tmp = *(const unsigned char*)(src + j);
ptr = strchr(hex, tmp);
u_char * dst,
size_t dstlen,
const char * src,
- int fmt
+ enum AuthPwdEnc enc
)
{
size_t reslen;
-
+
if ( !(dst && dstlen && src)) {
errno = EINVAL;
reslen = (size_t)-1;
} else {
- switch (fmt) {
+ switch (enc) {
case AUTHPWD_UNSPEC:
if (strlen(src) <= 20)
reslen = pwdecode_plain(dst, dstlen, src);
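Review bot: The AUTHPWD_UNSPEC arm decides plain versus hex purely by `strlen(src) <= 20`, so a plaintext secret of 21 or more characters — which the documentation this commit replaces allowed up to 39 characters — is now handed to the hex decoder: if it contains a non-hex character it presumably fails to load (the hex decoder's error handling is outside this hunk), and if it happens to consist only of hex digits it silently decodes to different bytes and every peer configured with that key stops authenticating. That is a compatibility break for existing keys files that nothing in the diff flags, so the rule deserves at least a comment at the branch, e.g. `/* unspecified format: up to 20 chars is plain text, longer must be hex (see ntp.keys) */`, and ideally a diagnostic when a long non-hex secret is rejected. The literal 20 also appears in the user documentation, so a named constant shared with the header (`AUTHPWD_PLAINMAXLEN`) would keep code and docs in step. The rest of the switch, including any `default:` arm, lies past the end of the hunk.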
keyid_t keyno;
int keytype;
char buf[512]; /* lots of room for line */
- u_char keystr[64]; /* Bug 2537 */
+ u_char keystr[AUTHPWD_MAXSECLEN];
size_t len;
u_int nerr;
KeyDataT *list = NULL;
)
{
size_t len;
- u_char buf[64];
-
+ u_char buf[AUTHPWD_MAXSECLEN];
+
len = authdecodepw(buf, sizeof(buf), (const char*)str,
AUTHPWD_UNSPEC);
if (len < 1 || len > sizeof(buf))
return 0;
-
+
MD5auth_setkey(keyno, keytype, buf, len, NULL);
memset(buf, 0, sizeof(buf));
return 1;
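Review bot: The early `return 0` after the length check leaves the stack copy of the secret un-scrubbed whenever authdecodepw fails or yields zero length, while the success path zeroes `buf` only after MD5auth_setkey; whether a failed decode can leave partial bytes in `buf` depends on pwdecode_hex/pwdecode_plain, whose bodies are outside this hunk, but scrubbing unconditionally costs nothing and removes the question. I would fold the validity check into a local `int ok;` declared beside `len`, call MD5auth_setkey only when it holds, and run the memset on every path before returning the flag. Note also that a plain `memset` of a local that is never read again may be dropped by the optimizer, so an explicit_bzero-style helper, if the project has one, would be the stronger choice. The enclosing function's signature is above the hunk.
```c
	len = authdecodepw(buf, sizeof(buf), (const char*)str,
			   AUTHPWD_UNSPEC);
	ok = (len >= 1 && len <= sizeof(buf));
	if (ok)
		MD5auth_setkey(keyno, keytype, buf, len, NULL);
	memset(buf, 0, sizeof(buf));	/* scrub the secret on every path */
	return ok;
```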