/* ntp_crypto.c */
#ifdef OPENSSL
- extern void crypto_recv P((struct peer *, struct recvbuf *));
+ extern int crypto_recv P((struct peer *, struct recvbuf *));
-extern int crypto_xmit P((struct pkt *, struct sockaddr_in *, int, struct exten *, keyid_t));
-extern keyid_t session_key P((struct sockaddr_in *, struct sockaddr_in *, keyid_t, keyid_t, u_long));
+extern int crypto_xmit P((struct pkt *, struct sockaddr_storage *, int, struct exten *, keyid_t));
+extern keyid_t session_key P((struct sockaddr_storage *, struct sockaddr_storage *, keyid_t, keyid_t, u_long));
extern void make_keylist P((struct peer *, struct interface *));
extern void key_expire P((struct peer *));
extern void crypto_update P((void));
)
{
register u_int32 netnum;
- if(IN_CLASSC(netnum))
- netnum &= IN_CLASSC_NET;
- else if (IN_CLASSB(netnum))
- netnum &= IN_CLASSB_NET;
- else /* treat all other like class A */
- netnum &= IN_CLASSA_NET;
- ((struct sockaddr_in*)netaddr)->sin_addr.s_addr = netnum;
- }
+ struct sockaddr_storage *netaddr;
+
+ netaddr = &ssbuf[next_ssbuf++];
+ if (next_ssbuf == NUM_NETOF_BUFS)
+ next_ssbuf = 0;
+ memcpy(netaddr, hostaddr, sizeof(struct sockaddr_storage));
+
+ if(netaddr->ss_family == AF_INET) {
+ netnum = ((struct sockaddr_in*)netaddr)->sin_addr.s_addr;
++
++ /*
++ * We live in a modern CIDR world where the basement nets, which
++ * used to be class A, are now probably associated with each
++ * host address. So, for class-A nets, all bits are significant.
++ */
++ if(IN_CLASSC(netnum))
++ netnum &= IN_CLASSC_NET;
++ else if (IN_CLASSB(netnum))
++ netnum &= IN_CLASSB_NET;
++ ((struct sockaddr_in*)netaddr)->sin_addr.s_addr = netnum;
++ }
+ else if(netaddr->ss_family == AF_INET6) {
+ /* Here we put 0 at the local link address so we get net address */
+ memset(&((struct sockaddr_in6*)netaddr)->sin6_addr.s6_addr[8], 0, 8*sizeof(u_char));
+ }
- /*
- * We live in a modern CIDR world where the basement nets, which
- * used to be class A, are now probably associated with each
- * host address. So, for class-A nets, all bits are significant.
- */
- netnum = num;
- if(IN_CLASSC(netnum))
- netnum &= IN_CLASSC_NET;
- else if (IN_CLASSB(netnum))
- netnum &= IN_CLASSB_NET;
- return netnum;
+ return netaddr;
}
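Review bot: The new `netaddr = &ssbuf[next_ssbuf++]` returns a pointer into a static ring of NUM_NETOF_BUFS sockaddr_storage entries, so any caller that holds a result across more than NUM_NETOF_BUFS further netof() calls, or any concurrent caller, silently reads an entry that has since been overwritten; the return contract should say so, e.g. `/* Returns a pointer into a static ring of NUM_NETOF_BUFS buffers; valid only until NUM_NETOF_BUFS further calls, not reentrant. */`. The AF_INET6 branch zeroes bytes 8-15 of the address, i.e. it treats every v6 network as a /64, which deserves the same kind of caveat next to the memset rather than the "local link address" wording. Any family other than AF_INET/AF_INET6 falls through and the unmasked copy is returned, which is presumably intended but is worth a one-line comment. The function's signature is above the hunk, so the declared type of hostaddr and whether every caller passes a full sockaddr_storage (the memcpy reads sizeof(struct sockaddr_storage) from it) cannot be confirmed from here.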
)
{
EVP_PKEY *pkey; /* server public key */
-- EVP_MD_CTX ctx; /* signature context */
++ EVP_mD_CTX ctx; /* signature context */
tstamp_t tstamp; /* timestamp */
tstamp_t fstamp; /* filestamp */
u_int vallen; /* value length */
int authlen; /* offset of MAC field */
int is_authentic; /* cryptosum ok */
keyid_t skeyid; /* cryptographic keys */
- struct sockaddr_in *dstadr_sin; /* active runway */
- struct sockaddr_in mskadr_sin; /* mask for restrict */
+ struct sockaddr_storage *dstadr_sin; /* active runway */
+ struct sockaddr_storage mskadr_sin; /* mask for restrict */
l_fp p_org; /* originate timestamp */
l_fp p_xmt; /* transmit timestamp */
+ int rval; /* cookie snatcher */
#ifdef OPENSSL
keyid_t pkeyid, tkeyid; /* cryptographic keys */
struct autokey *ap; /* autokey structure pointer */
#ifdef DEBUG
if (debug > 2)
printf("receive: at %ld %s<-%s restrict %02x\n",
- current_time, ntoa(&rbufp->dstadr->sin),
- ntoa(&rbufp->recv_srcadr), restrict_mask);
+ current_time, stoa(&rbufp->dstadr->sin),
+ stoa(&rbufp->recv_srcadr), restrict_mask);
#endif
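Review bot: `EVP_mD_CTX ctx;` on the new side of the declaration block is not an OpenSSL type; the `--`/`++` pair shows the upper-case `EVP_MD_CTX` being replaced, so unless this is a transcription artifact of the page the file will not compile under OPENSSL, and the line should read `EVP_MD_CTX ctx; /* signature context */`. The declaration also sits above the `#ifdef OPENSSL` that guards the other crypto locals, so it needs the OpenSSL header in every build — that layout predates this change, but it is worth moving inside the guard while the line is being touched. These declarations belong to receive(), whose signature is above the hunk.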
- if (restrict_mask & RES_IGNORE)
+ if (restrict_mask & RES_IGNORE) {
+ sys_restricted++;
return; /* no anything */
-
- pkt = &rbufp->recv_pkt;
- if (PKT_VERSION(pkt->li_vn_mode) == NTP_VERSION) {
- sys_newversionpkt++; /* new version */
- } else if (!(restrict_mask & RES_VERSION) &&
- PKT_VERSION(pkt->li_vn_mode) >= NTP_OLDVERSION) {
- sys_oldversionpkt++; /* old version */
- } else {
- sys_unknownversion++;
- return; /* invalid version */
}
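Review bot: The NTP version check that the old side ran right after the RES_IGNORE test — counting sys_newversionpkt / sys_oldversionpkt, honouring the RES_VERSION restriction, and returning with sys_unknownversion otherwise — is removed and nothing in the hunk replaces it, so on the new side a packet of any version reaches the mode dispatch and the RES_VERSION restrict flag has no effect in receive(), unless the check was relocated to a caller outside this hunk. If it was not moved, it should be reinstated between the new `pkt = &rbufp->recv_pkt;` and the `hismode` line, as below. The surrounding function continues past both ends of the hunk.
```c
	pkt = &rbufp->recv_pkt;
	if (PKT_VERSION(pkt->li_vn_mode) == NTP_VERSION) {
		sys_newversionpkt++;		/* new version */
	} else if (!(restrict_mask & RES_VERSION) &&
	    PKT_VERSION(pkt->li_vn_mode) >= NTP_OLDVERSION) {
		sys_oldversionpkt++;		/* old version */
	} else {
		sys_unknownversion++;
		return;				/* invalid version */
	}
	hismode = (int)PKT_MODE(pkt->li_vn_mode);
```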
+ pkt = &rbufp->recv_pkt;
hismode = (int)PKT_MODE(pkt->li_vn_mode);
if (hismode == MODE_PRIVATE) {
if (restrict_mask & RES_NOQUERY)
/*
* Danger looms. If this is autokey, go process the
* extension fields. If something goes wrong, abandon
- * ship and restrict further packets.
+ * ship and don't trust subsequent packets.
*/
if (crypto_flags) {
- crypto_recv(peer, rbufp);
- if (peer->flash) {
+ if ((rval = crypto_recv(peer, rbufp)) !=
+ XEVNT_OK) {
unpeer(peer);
- mskadr_sin.sin_addr.s_addr = 0xffffffff;
+ memset((char *)&mskadr_sin, 0,
+ sizeof(struct sockaddr_storage));
+ mskadr_sin.ss_family =
+ rbufp->recv_srcadr.ss_family;
+ if (mskadr_sin.ss_family == AF_INET)
+ GET_INADDR(mskadr_sin) =~(u_int32)0;
+ else
+ memset(&GET_INADDR6(mskadr_sin), 0xff,
+ sizeof(struct in6_addr));
hack_restrict(RESTRICT_FLAGS,
&rbufp->recv_srcadr, &mskadr_sin,
- RESM_NTPONLY, RES_DONTSERVE |
- RES_TIMEOUT);
+ 0, RES_DONTTRUST | RES_TIMEOUT);
+ sys_restricted++;
+ #ifdef DEBUG
+ if (debug)
+ printf(
+ "packet: bad exten %x\n",
+ rval);
+ #endif
}
}
#endif /* OPENSSL */
*/
void
proto_config(
- int item,
- u_long value,
- double dvalue,
+ int item,
+ u_long value,
+ double dvalue
+ struct sockaddr_storage* svalue
)
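Review bot: The new parameter list drops the comma after `double dvalue` (line 154), so `double dvalue struct sockaddr_storage* svalue` is a syntax error in every build; it should read `double dvalue,` followed by `struct sockaddr_storage* svalue`. Adding svalue also changes the signature every caller of proto_config() must match, and since the body is outside the hunk a one-line comment saying which items read svalue and whether NULL is acceptable for the rest would help callers get it right, e.g. `/* svalue: address argument for address-valued items, NULL otherwise */`. The function body continues past the end of the hunk.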
{
/*
/*
* set default values for RES_LIMIT functionality
*/
- client_limit = 3;
- client_limit_period = 3600;
+ client_limit = 10;
+ client_limit_period = 60;
res_limited_refcnt = 0;
+ res_limited_refcnt6 = 0;
sprintf(bp, "client_limit=%ld", client_limit);
set_sys_var(bp, strlen(bp)+1, RO);