From: Harlan Stenn Date: Fri, 31 Dec 2010 22:34:44 +0000 (-0500) Subject: Autokey multiple identity group improvements from Dave Mills X-Git-Tag: NTP_4_2_7P108~6 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3dbf3cb97481059bb5efe76c6af3d41cb865ff7b;p=thirdparty%2Fntp.git Autokey multiple identity group improvements from Dave Mills bk: 4d1e5a84MxbaY-NQMRLNyw3f0F3qaQ --- diff --git a/ChangeLog b/ChangeLog index 3eb3375bf..e252605bc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,4 @@ +* Autokey multiple identity group improvements from Dave Mills. * [Bug 1768] TIOCFLUSH undefined in linux for refclock_acts. (4.2.7p107) 2010/12/31 Released by Harlan Stenn * [Bug 1764] Palisade driver doesn't build on Linux. diff --git a/html/authopt.html b/html/authopt.html index 252e363df..c4e4d4992 100644 --- a/html/authopt.html +++ b/html/authopt.html @@ -10,7 +10,9 @@ color: #FF0000; font-weight: bold; } -.style1 {color: #FF0000} +.style1 { + color: #FF0000 +} @@ -18,7 +20,7 @@ color: #FF0000; giffrom Alice's Adventures in Wonderland, Lewis Carroll

Our resident cryptographer; now you see him, now you don't.

Last update: - 22-Dec-2010 21:55 + 31-Dec-2010 6:20 UTC


Related Links

@@ -54,18 +56,19 @@ color: #FF0000; key message digest algorithm. Note: If compliance with FIPS 140-2 is required, the algorithm must be ether SHA or SHA1.
host name
-
Specifies the string used when constructing the names for the host, sign - and certificate files generated by the ntp-keygen program with the -s host option.
-
Note: In the latest Autokey version, this option is deprecated. See the Autokey Public-Key Authentication page for further information. -
 
+
Specifies the Autokey host name of this host. If this option is not specified, the default name is the string returned by the Unix gethostname() routine.
+
Note: In the latest Autokey version, this option has no affect other than to change the Autokey host name.
ident group
-
Specifies the optional string used in retrieving the identity files generated by the ntp-keygen program with the -i group option.
+
Specifies the Autokey group name of this host. If this option is not specified, the default is the empty string.
+
Note: In the latest Autokey version, this option has no affect other than to change the Autokey group name.
pw password
-
Specifies the password to decrypt files previously encrypted by the ntp-keygen program with the -p option.
+
Specifies the password to decrypt files previously encrypted by the ntp-keygen program with the -p option. If this option is not specified, the default password is the string returned by the Unix gethostname() routine.
randfile file
Specifies the location of the random seed file used by the OpenSSL library. The defaults are described on the ntp-keygen page.
+
ident group
+
Specifies the group name for ephemeral associations mobilized by broadcast and symmetric passive modes. See the Autokey Public-Key Authentication page for further information.
keys path
Specifies the complete directory path for the key file containing the key IDs, key types and keys used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography. This is the same operation as the -k command line option. Note that the directory path for Autokey cryptographic media is specified by the keysdir command.
keysdir path
diff --git a/html/confopt.html b/html/confopt.html index 1be42382e..69f8c8595 100644 --- a/html/confopt.html +++ b/html/confopt.html @@ -12,7 +12,7 @@ Walt Kelly

The chicken is getting configuration advice.

Last update: - 16-Dec-2010 0:52 + 31-Dec-2010 6:22


Related Links

@@ -64,7 +64,7 @@ Walt Kelly
iburst
When the server is unreachable, send a burst of packets instead of the usual one. This option is valid only with the server command and type s addresses. It is a recommended option with this command. Additional information about this option is on the Poll Program page.
ident group
-
Specify group as the group name for the association. This is used by the identigy scheme described on the Autokey Public-Key Authenticationn page.
+
Specify the group name for the association. See the Autokey Public-Key Authentication page for further information.
key key
Send and receive packets authenticated by the symmetric key scheme described in the Authentication Support page. The key specifies the key identifier with values from 1 to 65534, inclusive. This option is mutually exclusive with the autokey option.
minpoll minpoll
maxpoll maxpoll
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c index 2b3e1ae86..aca356675 100644 --- a/ntpd/ntp_control.c +++ b/ntpd/ntp_control.c @@ -2292,8 +2292,8 @@ ctl_putsys( case CS_HOST: if (sys_hostname != NULL) - ctl_putstr(sys_var[CS_HOST].text, sys_hostname, - strlen(sys_hostname)); + ctl_putstr(sys_var[CS_HOST].text, hostval.ptr, + strlen(hostval.ptr)); break; case CS_IDENT: diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c index 2d616a968..21bb6f37d 100644 --- a/ntpd/ntp_crypto.c +++ b/ntpd/ntp_crypto.c @@ -3647,7 +3647,8 @@ crypto_setup(void) { struct pkey_info *pinfo; /* private/public key */ char filename[MAXFILENAME]; /* file name buffer */ - char * randfile; + char hostname[MAXFILENAME]; /* host name buffer */ + char *randfile; char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ l_fp seed; /* crypto PRNG seed as NTP timestamp */ u_int len; @@ -3703,13 +3704,12 @@ crypto_setup(void) /* * Initialize structures. */ - if (sys_hostname == NULL) { - gethostname(filename, MAXFILENAME); - sys_hostname = emalloc(strlen(filename) + 1); - strcpy(sys_hostname, filename); - } + gethostname(hostname, MAXFILENAME); + if (sys_hostname == NULL) + sys_hostname = strdup(hostname); if (passwd == NULL) passwd = sys_hostname; + memset(&hostval, 0, sizeof(hostval)); memset(&pubkey, 0, sizeof(pubkey)); memset(&tai_leap, 0, sizeof(tai_leap)); @@ -3720,7 +3720,7 @@ crypto_setup(void) * as we know it ends. The host key also becomes the default * sign key. */ - snprintf(filename, MAXFILENAME, "ntpkey_host_%s", sys_hostname); + snprintf(filename, MAXFILENAME, "ntpkey_host_%s", hostname); pinfo = crypto_key(filename, passwd, NULL); if (pinfo == NULL) { msyslog(LOG_ERR, 
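Review bot: The guard in the CS_HOST case still tests `sys_hostname` while the call now dereferences `hostval.ptr`, so strlen() runs on a NULL pointer whenever the two disagree: hostval is zeroed at the start of crypto_setup() and only filled in after the certificate has loaded, and it presumably stays NULL if crypto_setup() never runs at all. The condition should follow the value actually used, `if (hostval.ptr != NULL)`. If hostval.ptr is not declared as `char *`, the strlen() argument also needs a cast to keep the build warning-free. ctl_putsys() starts and ends outside this hunk.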
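Review bot: Neither `gethostname(hostname, MAXFILENAME)` nor `strdup(hostname)` is checked in the @@ -3703 hunk, whereas the removed lines allocated through `emalloc`, which did not hand back NULL. If gethostname() fails the buffer is uninitialized, POSIX does not promise a NUL terminator when the name is truncated, and a NULL from strdup() is copied into `passwd` two lines later and then used as a "%s" argument. Add `hostname[MAXFILENAME - 1] = '\0';` after the call (and log a failed return), and either test the strdup() result or keep the abort-on-failure allocation the removed code used. The `hostval.ptr = strdup(filename)` in the @@ -3781 hunk has the same unchecked allocation, and that pointer is later passed to strlen() by ctl_putsys().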
@@ -3751,14 +3751,14 @@ crypto_setup(void) * Load optional sign key from file "ntpkey_sign_". If * available, it becomes the sign key. */ - snprintf(filename, MAXFILENAME, "ntpkey_sign_%s", sys_hostname); + snprintf(filename, MAXFILENAME, "ntpkey_sign_%s", hostname); pinfo = crypto_key(filename, passwd, NULL); if (pinfo != NULL) sign_pkey = pinfo->pkey; /* * Load required certificate from file "ntpkey_cert_". */ - snprintf(filename, MAXFILENAME, "ntpkey_cert_%s", sys_hostname); + snprintf(filename, MAXFILENAME, "ntpkey_cert_%s", hostname); cinfo = crypto_cert(filename); if (cinfo == NULL) { msyslog(LOG_ERR, @@ -3781,37 +3781,42 @@ crypto_setup(void) filename); exit (-1); } - hostval.vallen = htonl(strlen(cinfo->subject)); - hostval.ptr = cinfo->subject; +printf("xxx %s %s\n", sys_hostname, sys_groupname); + if (sys_groupname == NULL) - sys_groupname = sys_hostname; + snprintf(filename, MAXFILENAME, "%s", sys_hostname); + else + snprintf(filename, MAXFILENAME, "%s@%s", sys_hostname, + sys_groupname); + hostval.vallen = htonl(strlen(filename)); + hostval.ptr = strdup(filename); /* * Load optional IFF parameters from file - * "ntpkey_iffkey_". + * "ntpkey_iffkey_". */ snprintf(filename, MAXFILENAME, "ntpkey_iffkey_%s", - sys_groupname); + hostname); iffkey_info = crypto_key(filename, passwd, NULL); if (iffkey_info != NULL) crypto_flags |= CRYPTO_FLAG_IFF; /* * Load optional GQ parameters from file - * "ntpkey_gqkey_". + * "ntpkey_gqkey_". */ snprintf(filename, MAXFILENAME, "ntpkey_gqkey_%s", - sys_groupname); + hostname); gqkey_info = crypto_key(filename, passwd, NULL); if (gqkey_info != NULL) crypto_flags |= CRYPTO_FLAG_GQ; /* * Load optional MV parameters from file - * "ntpkey_mvkey_". + * "ntpkey_mvkey_". */ snprintf(filename, MAXFILENAME, "ntpkey_mvkey_%s", - sys_groupname); + hostname); mvkey_info = crypto_key(filename, passwd, NULL); if (mvkey_info != NULL) crypto_flags |= CRYPTO_FLAG_MV; 
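Review bot: `printf("xxx %s %s\n", sys_hostname, sys_groupname);` at column 0 in the @@ -3781 hunk is a leftover debugging print that should not ship; ntpd has no useful stdout once daemonized, and `sys_groupname` is NULL whenever no ident was configured, which the `if (sys_groupname == NULL)` on the very next line expects, so passing it to "%s" is undefined behaviour (glibc prints "(null)", other libcs crash). Delete the line, or if the trace is wanted keep it under `#ifdef DEBUG` through the project's debug logging with a NULL guard. Since the removed `sys_groupname = sys_hostname` default is gone, any other reader that relied on sys_groupname being non-NULL (the CS_IDENT case of ctl_putsys() may be one) needs the same check.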
@@ -3821,7 +3826,7 @@ crypto_setup(void) */ crypto_flags |= CRYPTO_FLAG_ENAB | (cinfo->nid << 16); snprintf(statstr, NTP_MAXSTRLEN, - "setup 0x%x host %s %s", crypto_flags, sys_hostname, + "setup 0x%x host %s %s", crypto_flags, hostname, OBJ_nid2ln(cinfo->nid)); record_crypto_stats(NULL, statstr); #ifdef DEBUG diff --git a/util/ntp-keygen.c b/util/ntp-keygen.c index a08872ab6..6375ce01c 100644 --- a/util/ntp-keygen.c +++ b/util/ntp-keygen.c @@ -416,21 +416,16 @@ main( else if (strcmp(pathbuf, "Private") == 0) exten = EXT_KEY_PRIVATE; - if (groupname == NULL) - groupname = ptr + 3; + if (certname == NULL) + certname = ptr + 3; } } } } if (scheme == NULL) scheme = "RSA-MD5"; - if (groupname == NULL) - groupname = hostname; fprintf(stderr, "Using host %s group %s\n", hostname, groupname); - if ((iffkey || gqkey || mvkey) && exten == NULL) - fprintf(stderr, - "Warning: identity files may not be useful with a nontrusted certificate.\n"); #endif /* AUTOKEY */ /* @@ -2054,7 +2049,7 @@ fheader ( perror("Write"); exit (-1); } - sprintf(linkname, "ntpkey_%s_%s", ulink, owner); + sprintf(linkname, "ntpkey_%s_%s", ulink, hostname); remove(linkname); temp = symlink(filename, linkname); if (temp < 0)
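Review bot: With the `groupname = hostname` default removed in the @@ -416 hunk, `groupname` can still be NULL when control reaches `fprintf(stderr, "Using host %s group %s\n", hostname, groupname);`, which is undefined behaviour for "%s" (glibc prints "(null)", other libcs crash). Print a placeholder instead, `hostname, groupname != NULL ? groupname : "(none)"`, or omit the group part when it is unset. This hunk is in the middle of main(), which starts and ends outside it.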
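Review bot: `sprintf(linkname, "ntpkey_%s_%s", ulink, hostname);` in the @@ -2054 hunk writes without a bound; the declaration of `linkname` is outside the hunk, but if it is a fixed-size array the call should be `snprintf(linkname, sizeof(linkname), "ntpkey_%s_%s", ulink, hostname);` with a check that the result fits, so an over-long host name cannot overrun it. The `owner` parameter may no longer be referenced on this path after the change; verify it is still used elsewhere in fheader() or drop it. fheader() starts and ends outside the hunk.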