From: Harlan Stenn Date: Fri, 29 Dec 2017 06:48:21 +0000 (-0800) Subject: Allow .../N to specify subnet bits for IPs in ntp.keys X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a7d13fdca8054feae1399359e141474dbd58cc61;p=thirdparty%2Fntp.git Allow .../N to specify subnet bits for IPs in ntp.keys bk: 5a45e535ESmHS2gelRz_o8Z7enziPA --- diff --git a/ChangeLog b/ChangeLog index e887d5d45..bf3f9b10f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -66,6 +66,7 @@ * When using pkg-config, report --modversion. HStenn. * Clean up libevent configure checks. HStenn. * sntp: show the IP of who sent us a crypto-NAK. HStenn. +* Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn. --- (4.2.8p10) 2017/03/21 Released by Harlan Stenn diff --git a/include/ntp_keyacc.h b/include/ntp_keyacc.h index 7e6650431..aaed411c3 100644 --- a/include/ntp_keyacc.h +++ b/include/ntp_keyacc.h @@ -8,9 +8,11 @@ typedef struct keyaccess KeyAccT; struct keyaccess { KeyAccT * next; sockaddr_u addr; + int subnetbits; }; -extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr); +extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr, + int subnetbits); extern KeyAccT* keyacc_pop_free(KeyAccT *head); extern KeyAccT* keyacc_all_free(KeyAccT *head); extern int keyacc_contains(const KeyAccT *head, const sockaddr_u *addr, diff --git a/libntp/authkeys.c b/libntp/authkeys.c index d7af9bcf7..ce9b82021 100644 --- a/libntp/authkeys.c +++ b/libntp/authkeys.c @@ -114,13 +114,16 @@ KeyAccT *cache_keyacclist; /* key access list */ KeyAccT* keyacc_new_push( KeyAccT * head, - const sockaddr_u * addr + const sockaddr_u * addr, + int subnetbits ) { KeyAccT * node = emalloc(sizeof(KeyAccT)); memcpy(&node->addr, addr, sizeof(sockaddr_u)); + node->subnetbits = subnetbits; node->next = head; + return node; } diff --git a/libntp/authreadkeys.c b/libntp/authreadkeys.c index 2ffb19002..f591d4304 100644 --- a/libntp/authreadkeys.c +++ b/libntp/authreadkeys.c 
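Review bot: The new `subnetbits` member of `struct keyaccess` and the extra `keyacc_new_push()` parameter in include/ntp_keyacc.h have no comment saying which values are legal. The -1 sentinel can only be learned by reading authreadkeys.c in this same commit. Add a field comment such as `/* prefix length in bits; -1 = no /N given */`. The prototype should also state that the caller must have range-checked the value against the address family, because the authkeys.c hunk shows keyacc_new_push() storing it unchecked.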
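Review bot: `keyacc_new_push()` in libntp/authkeys.c now records `subnetbits`, but this is the only hunk for that file, so `keyacc_contains()` (declared in ntp_keyacc.h) appears to be unchanged and would not consult the stored prefix length; its body is not visible here, so this is inferred. If that is the case, an `addr/N` entry in ntp.keys is accepted by the parser but never matched as a subnet, and nothing in the logs tells the operator. Either update the matcher in the same change or record the gap at the assignment, e.g. `/* subnetbits is stored only; keyacc_contains() does not use it yet */`.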
@@ -5,8 +5,8 @@ #include #include -#include "ntpd.h" /* Only for DPRINTF */ -#include "ntp_fp.h" +//#include "ntpd.h" /* Only for DPRINTF */ +//#include "ntp_fp.h" #include "ntp.h" #include "ntp_syslog.h" #include "ntp_stdlib.h" @@ -297,28 +297,68 @@ authreadkeys( } token = nexttok(&line); - DPRINTF(0, ("authreadkeys: full access list <%s>\n", (token) ? token : "NULL")); if (token != NULL) { /* A comma-separated IP access list */ char *tp = token; while (tp) { char *i; + char *snp; /* subnet text pointer */ + int snbits; sockaddr_u addr; i = strchr(tp, (int)','); - if (i) + if (i) { *i = '\0'; - DPRINTF(0, ("authreadkeys: access list: <%s>\n", tp)); + } + snp = strchr(tp, (int)'/'); + if (snp) { + unsigned u; + char *sp; + + *snp++ = '\0'; + snbits = -1; + u = 0; + sp = snp; + + while (*sp != '\0') { + if (!isdigit((unsigned char)*sp)) + break; + if (u > 1000) + break; /* overflow */ + u = (u << 3) + (u << 1); + u += *sp++ - '0'; /* ascii dependent */ + } + if (*sp != '\0') { + log_maybe(&nerr, + "authreadkeys: Invalid character in subnet specification for <%s/%s> in key %d", + sp, snp, keyno); + goto nextip; + } + } else { + snbits = -1; + } if (is_ip_address(tp, AF_UNSPEC, &addr)) { - next->keyacclist = keyacc_new_push( - next->keyacclist, &addr); + /* Make sure that snbits is valid for addr */ + if ( snbits == -1 + || (snbits >= 0 && + ( (IS_IPV4(&addr) && snbits <= 32) + || (IS_IPV6(&addr) && snbits <= 128)))) { + next->keyacclist = keyacc_new_push( + next->keyacclist, &addr, snbits); + } else { + + log_maybe(&nerr, + "authreadkeys: invalid IP address/subnet <%s/%s> for key %d", + tp, snp, keyno); + } } else { log_maybe(&nerr, "authreadkeys: invalid IP address <%s> for key %d", tp, keyno); } + nextip: if (i) { tp = i + 1; } else {
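Review bot: In the `@@ -5,8 +5,8 @@` hunk the `ntpd.h` and `ntp_fp.h` includes are disabled with `//` instead of being deleted, which leaves dead lines at the top of the file and mixes C99 line comments with the `/* */` style used on the same line. The DPRINTF calls they served are removed in the next hunk, so the two lines can simply be dropped. The next hunk also starts calling `isdigit()`, so confirm `<ctype.h>` is among the includes above; the header names on the two bare `#include` lines are not legible on this page.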
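Review bot: In the new `/N` parsing block the digits are accumulated into `u`, but `snbits` is set to -1 before the loop and never assigned from `u`. Every entry therefore reaches `keyacc_new_push()` with -1, the `<= 32` / `<= 128` check never sees the parsed number, and a suffix like `/999` is accepted with the operator's prefix length silently discarded. Add `snbits = (int)u;` after the invalid-character check. With that in place an empty suffix (`addr/`) would parse as 0 bits, which presumably matches every address, so the guard should also reject the no-digit case: `if (*sp != '\0' || sp == snp) {`. The first `log_maybe()` call passes `sp, snp` where the `<%s/%s>` format expects the address, so its arguments should read `tp, snp, keyno);`. The body of authreadkeys() starts and ends outside this hunk.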