Many files:
authorHarlan Stenn <stenn@ntp.org>
Fri, 4 Aug 2000 05:31:50 +0000 (05:31 -0000)
committerHarlan Stenn <stenn@ntp.org>
Fri, 4 Aug 2000 05:31:50 +0000 (05:31 -0000)
  * ntpd/ntp_proto.c (peer_xmit): Crypto cleanup
  * ntpd/ntp_crypto.c: Cleanup
  * ntpd/ntp_control.c: Join the club
  * ntpd/ntp_config.c: Call crypto_config() instead; we got rid of
  crypto_flags.
  * include/ntp_crypto.h (CRYPTO_FLAG_ENAB): New crypto flags, rework
  * include/ntp_control.h (CS_FLAGS): Wiggle in.
  * include/ntp.h: Added crypto peer status to struct peer
  From Dave Mills

bk: 398a55463xYnmM_9NOFopVFqJocANw

ChangeLog
include/ntp.h
include/ntp_control.h
include/ntp_crypto.h
ntpd/ntp_config.c
ntpd/ntp_control.c
ntpd/ntp_crypto.c
ntpd/ntp_proto.c

index 9091be3b7d76f8b1b8211c72361ccf3c0c4a7f46..32af661c0a9808eada46d01908d374f12c371c7c 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2000-08-04  Harlan Stenn  <stenn@whimsy.udel.edu>
+
+       * ntpd/ntp_proto.c (peer_xmit): Crypto cleanup
+       * ntpd/ntp_crypto.c: Cleanup
+       * ntpd/ntp_control.c: Join the club
+       * ntpd/ntp_config.c: Call crypto_config() instead; we got rid of
+       crypto_flags.
+       * include/ntp_crypto.h (CRYPTO_FLAG_ENAB): New crypto flags, rework
+       * include/ntp_control.h (CS_FLAGS): Wiggle in.
+       * include/ntp.h: Added crypto peer status to struct peer
+       From Dave Mills
+
 2000-08-03  Harlan Stenn  <stenn@whimsy.udel.edu>
 
        * util/ntp-genkeys.c: Initialize path_keysdir to NTP_KEYSDIR.
index d96cb6566048749e6dedf0fd6c30a1f696587c0c..8b36c73f35c3bdf7026218cd929e514298e042ee 100644 (file)
@@ -283,7 +283,8 @@ struct peer {
         * Variables used by authenticated client
         */
 #ifdef AUTOKEY
-       associd_t assoc;        /* association ID of peer */
+       associd_t assoc;        /* peer association ID */
+       u_int32 crypto;         /* peer status word */
 #ifdef PUBKEY
        struct value pubkey;    /* public key */
        u_char  *keystr;        /* public key file name */
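Review bot: The new `crypto` member's comment does not say where the value comes from; in this commit it is filled from the peer's CRYPTO_ASSOC response (`peer->crypto = ntohl(pkt[i + 2])` in crypto_recv) and then steers which requests peer_xmit sends. A reader of struct peer should see that, e.g. `u_int32 crypto; /* peer status word (CRYPTO_FLAG_*), as received in its CRYPTO_ASSOC response */`. struct peer begins and ends outside the hunk.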
index 766b9bd5bb7d78c33726e4bda2bede04ceadecd4..624925b3ecd26cb3930a780553cfdb71dfbb30a3 100644 (file)
@@ -165,12 +165,13 @@ struct ntp_control {
 #define        CS_STABIL       18
 #define CS_VARLIST     19
 #ifdef PUBKEY
-#define CS_HOST                20
-#define CS_PUBLIC      21
-#define CS_DHPARAMS    22
-#define        CS_REVTIME      23
-#define CS_LEAPTAB     24
-#define CS_TAI         25
+#define CS_FLAGS       20
+#define CS_HOST                21
+#define CS_PUBLIC      22
+#define CS_DHPARAMS    23
+#define        CS_REVTIME      24
+#define CS_LEAPTAB     25
+#define CS_TAI         26
 #define        CS_MAXCODE      CS_TAI
 #else
 #define        CS_MAXCODE      CS_VARLIST
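Review bot: The CS_ and CP_ values are used as positional indexes into sys_var[] and peer_var[] in ntp_control.c (`sys_var[CS_FLAGS].text`, `peer_var[CP_FLAGS].text`), so inserting CS_FLAGS/CP_FLAGS renumbers every later code here and requires the same shift in both tables, which this commit does by hand. Nothing in the header records that coupling; a one-line comment above each list, `/* values are indexes into sys_var[] / peer_var[] in ntp_control.c; keep the tables in step */`, would warn the next person who adds a variable. The same applies to the CP_ hunk below.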
@@ -217,13 +218,14 @@ struct ntp_control {
 #define CP_DISP                36
 #define CP_VARLIST     37
 #ifdef PUBKEY
-#define CP_HOST                38
-#define CP_PUBLIC      39
-#define        CP_SESKEY       40
-#define        CP_SASKEY       41
-#define        CP_INITSEQ      42
-#define        CP_INITKEY      43
-#define        CP_INITTSP      44
+#define CP_FLAGS       38
+#define CP_HOST                39
+#define CP_PUBLIC      40
+#define        CP_SESKEY       41
+#define        CP_SASKEY       42
+#define        CP_INITSEQ      43
+#define        CP_INITKEY      44
+#define        CP_INITTSP      45
 #define        CP_MAXCODE      CP_INITTSP
 #else
 #define        CP_MAXCODE      CP_VARLIST
index 27b2ae2b67996c1599ba260d8b1d58edac9e2586..6297a3b81ad1cc9296a0d3ac117a4c37b49a5908 100644 (file)
@@ -9,29 +9,31 @@
 #include "rsa.h"
 #endif /* PUBKEY */
 
+/*
+ * Cryptostatus word
+ */
+#define CRYPTO_FLAG_ENAB  0x01 /* crypto enable */
+#define CRYPTO_FLAG_RSA          0x02  /* public/private keys */
+#define CRYPTO_FLAG_DH   0x04  /* agreement parameters */
+#define CRYPTO_FLAG_TAI          0x08  /* leapseconds table */
+
 /*
  * Extension field definitions
  */
 #define CRYPTO_VN      1       /* current protocol version number */
 
 #define CRYPTO_NULL    ((CRYPTO_VN << 8) | 0) /* no operation */
-#define CRYPTO_STAT    ((CRYPTO_VN << 8) | 1) /* reserved */
+#define CRYPTO_STAT    ((CRYPTO_VN << 8) | 1) /* status */
 #define CRYPTO_ASSOC   ((CRYPTO_VN << 8) | 2) /* association ID */
 #define CRYPTO_AUTO    ((CRYPTO_VN << 8) | 3) /* autokey values */
 #define CRYPTO_PRIV    ((CRYPTO_VN << 8) | 4) /* cookie value */
-#define CRYPTO_DHPAR   ((CRYPTO_VN << 8) | 5) /* DH parameters */
-#define CRYPTO_DH      ((CRYPTO_VN << 8) | 6) /* DH public value */
-#define CRYPTO_NAME    ((CRYPTO_VN << 8) | 7) /* RSA public key */
-#define CRYPTO_TAI     ((CRYPTO_VN << 8) | 8) /* TAI offset */
+#define CRYPTO_DHPAR   ((CRYPTO_VN << 8) | 5) /* agreement params */
+#define CRYPTO_DH      ((CRYPTO_VN << 8) | 6) /* public value */
+#define CRYPTO_NAME    ((CRYPTO_VN << 8) | 7) /* host name/pub key */
+#define CRYPTO_TAI     ((CRYPTO_VN << 8) | 8) /* leapseconds table */
 #define CRYPTO_RESP    0x8000                  /* response */
 #define CRYPTO_ERROR   0x4000                  /* error */
 
-/*
- * Cryptoflags
- */
-#define CRYPTO_FLAG_ENAB  0x01 /* enable public key */
-#define CRYPTO_FLAG_TAI          0x02  /* request TAI leapseconds */
-
 #ifdef PUBKEY
 /*
  * Configuration codes
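Review bot: The CRYPTO_FLAG_* block is introduced without saying that the word is now carried on the wire: crypto_xmit writes `htonl(crypto_flags)` into the CRYPTO_ASSOC response and crypto_recv stores the peer's copy in peer->crypto, so these bit positions are protocol-visible, and CRYPTO_FLAG_TAI moves from 0x02 to 0x08 in the same commit. The block comment should say so, e.g. `Cryptostatus word; exchanged in CRYPTO_ASSOC responses, so the bit assignments are part of the protocol and must not be renumbered`. The four defines also mix tabs and spaces between name and value.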
@@ -65,12 +67,12 @@ extern      int     crypto_public   P((struct peer *, u_char *, u_int));
 /*
  * Cryptographic values
  */
-extern int     crypto_flags;
 extern R_DH_PARAMS dh_params;
-extern struct value host;      /* public key/host name */
-extern struct value dhparam;   /* Diffie-Hellman parameters */
-extern struct value dhpub;     /* Diffie-Hellman public value */
-extern struct value tai_leap;  /* TAI leapseconds table */
+extern struct value host;      /* host name/public key */
+extern struct value dhparam;   /* agreement parameters */
+extern struct value dhpub;     /* public value */
+extern struct value tai_leap;  /* leapseconds table */
+extern u_int   crypto_flags;   /* status word */       
 extern u_int   sys_tai;        /* current UTC offset from TAI */
 #endif /* PUBKEY */
 #endif /* AUTOKEY */
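Review bot: `extern u_int crypto_flags;` sits inside `#ifdef PUBKEY`, but the definition in ntp_crypto.c is moved out of that block in this commit, and crypto_xmit now reads the word in its CRYPTO_ASSOC case, which is compiled without PUBKEY. Any other translation unit that uses crypto_flags in an AUTOKEY-only build therefore gets no declaration. Move the line next to the other non-PUBKEY declarations under `#ifdef AUTOKEY`, and drop the trailing whitespace after its comment.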
index 177d11fb6c14997d6799319416c1758f07816d24..4fd09dcc0b67a407be2f7e7654b2d749f0d89fee 100644 (file)
@@ -919,14 +919,17 @@ getconfig(
                        break;
 
                    case CONFIG_CRYPTO:
-                       crypto_flags |= CRYPTO_FLAG_ENAB;
+                       if (ntokens == 1) {
+                               crypto_config(CRYPTO_CONF_FLAGS , "0");
+                               break;
+                       }
                        for (i = 1; i < ntokens; i++) {
                            int temp;
 
                            temp = matchkey(tokens[i++], crypto_keywords);
                            if (i > ntokens - 1) {
                                msyslog(LOG_ERR,
-                                   "crypto: missing file name");
+                                   "crypto: missing argument");
                                errflg++;
                                break;
                            }
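Review bot: `crypto_config(CRYPTO_CONF_FLAGS , "0");` has a stray space before the comma; write `crypto_config(CRYPTO_CONF_FLAGS, "0");`. A short comment that a bare `crypto` line enables crypto with default options would also help, since passing the string "0" only makes sense if crypto_config() parses that value (its body is in ntp_crypto.c, outside this hunk). getconfig() starts and ends outside the hunk.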
index 18c1f26e4b65f1f76844b28f42d5cdb026450cfd..4c40fd74f85ac0a3fa53d375aaf63148a4cf3a27 100644 (file)
@@ -114,12 +114,13 @@ static struct ctl_var sys_var[] = {
        { CS_STABIL,    RO, "stability" },      /* 18 */
        { CS_VARLIST,   RO, "sys_var_list" },   /* 19 */
 #ifdef PUBKEY
-       { CS_HOST,      RO, "hostname" },       /* 20 */
-       { CS_PUBLIC,    RO, "publickey" },      /* 21 */
-       { CS_DHPARAMS,  RO, "params" },         /* 22 */
-       { CS_REVTIME,   RO, "refresh"},         /* 23 */
-       { CS_LEAPTAB,   RO, "leaptable" },      /* 24 */
-       { CS_TAI,       RO, "tai"},             /* 25 */
+       { CS_FLAGS,     RO, "flags" },          /* 20 */
+       { CS_HOST,      RO, "hostname" },       /* 21 */
+       { CS_PUBLIC,    RO, "publickey" },      /* 22 */
+       { CS_DHPARAMS,  RO, "params" },         /* 23 */
+       { CS_REVTIME,   RO, "refresh"},         /* 24 */
+       { CS_LEAPTAB,   RO, "leaptable" },      /* 25 */
+       { CS_TAI,       RO, "tai"},             /* 26 */
 #endif /* PUBKEY */
        { 0,            EOV,    ""  }
 };
@@ -150,6 +151,7 @@ static      u_char def_sys_var[] = {
        CS_COMPLIANCE,
        CS_STABIL,
 #ifdef PUBKEY
+       CS_FLAGS,
        CS_HOST,
        CS_DHPARAMS,
        CS_REVTIME,
@@ -202,13 +204,14 @@ static struct ctl_var peer_var[] = {
        { CP_DISP,      PADDING,"" },       /* 36 */
        { CP_VARLIST,   RO, "peer_var_list" }, /* 37 */
 #ifdef PUBKEY
-       { CP_HOST,      RO, "hostname" },       /* 38 */
-       { CP_PUBLIC,    RO, "publickey" },      /* 39 */
-       { CP_SESKEY,    RO, "pcookie" },        /* 40 */
-       { CP_SASKEY,    RO, "hcookie" },        /* 41 */
-       { CP_INITSEQ,   RO, "initsequence" },   /* 42 */
-       { CP_INITKEY,   RO, "initkey" },        /* 43 */
-       { CP_INITTSP,   RO, "timestamp" },      /* 44 */
+       { CP_FLAGS,     RO, "flags" },          /* 38 */
+       { CP_HOST,      RO, "hostname" },       /* 39 */
+       { CP_PUBLIC,    RO, "publickey" },      /* 40 */
+       { CP_SESKEY,    RO, "pcookie" },        /* 41 */
+       { CP_SASKEY,    RO, "hcookie" },        /* 42 */
+       { CP_INITSEQ,   RO, "initsequence" },   /* 43 */
+       { CP_INITKEY,   RO, "initkey" },        /* 44 */
+       { CP_INITTSP,   RO, "timestamp" },      /* 45 */
 #endif /* PUBKEY */
        { 0,            EOV,    ""  }
 };
@@ -248,6 +251,7 @@ static u_char def_peer_var[] = {
        CP_FILTOFFSET,
        CP_FILTERROR,
 #ifdef PUBKEY
+       CP_FLAGS,
        CP_HOST,
        CP_SESKEY,
        CP_INITSEQ,
@@ -272,7 +276,7 @@ static struct ctl_var clock_var[] = {
        { CC_FUDGETIME2, RO,    "fudgetime2" }, /* 8 */
        { CC_FUDGEVAL1, RO, "stratum" },    /* 9 */
        { CC_FUDGEVAL2, RO, "refid" },  /* 10 */
-       { CC_FLAGS, RO, "flags" },  /* 11 */
+       { CC_FLAGS,     RO, "flags" },  /* 11 */
        { CC_DEVICE,    RO, "device" }, /* 12 */
        { CC_VARLIST,   RO, "clock_var_list" },/* 13 */
        { 0,            EOV,    ""  }
@@ -1316,6 +1320,12 @@ ctl_putsys(
                break;
 
 #ifdef PUBKEY
+       case CS_FLAGS:
+               if (crypto_flags)
+                       ctl_puthex(sys_var[CS_FLAGS].text,
+                           crypto_flags);
+               break;
+
        case CS_HOST:
                ctl_putstr(sys_var[CS_HOST].text, sys_hostname,
                        strlen(sys_hostname));
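Review bot: `if (crypto_flags)` suppresses the `flags` variable entirely when the status word is zero, so a mode 6 reader cannot tell "crypto not configured" from "variable not present", even though CS_FLAGS is now listed in def_sys_var. Emitting it unconditionally, `ctl_puthex(sys_var[CS_FLAGS].text, crypto_flags);`, gives a consistent variable list; if the omission is intended, a comment should say why. The same pattern is added in ctl_putpeer's CP_FLAGS case below. ctl_putsys continues outside the hunk.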
@@ -1570,6 +1580,11 @@ ctl_putpeer(
                }
                break;
 #ifdef PUBKEY
+       case CP_FLAGS:
+               if (peer->crypto)
+                       ctl_puthex(peer_var[CP_FLAGS].text, peer->crypto);
+               break;
+
        case CP_HOST:
                if (peer->keystr != NULL)
                        ctl_putstr(peer_var[CP_HOST].text, peer->keystr,
index d676f461da370c1567287047336213b6fefd0e86..06b7819f8662f5e32d040543668bcecaa6b0679b 100644 (file)
  *                                           =   signature   =
  *                                           |               |
  *                                           +---------------+
+ *                                           CRYPTO_DHPAR rsp
  *                                           CRYPTO_DH rsp
  *                                           CRYPTO_NAME rsp
  *                                           CRYPTO_TAI rsp
  *                                           
- *   CRYPTO_PUBL  1  -    offer/select
+ *   CRYPTO_STAT  1  -    offer/select
  *   CRYPTO_ASSOC 2  8    association ID
  *   CRYPTO_AUTO  3  88   autokey values
- *   CRYPTO_PRIV  4  84   cookie values
+ *   CRYPTO_PRIV  4  84   cookie value
  *   CRYPTO_DHPAR 5  220  agreement parameters
  *   CRYPTO_DH    6  152  public value
  *   CRYPTO_NAME  7  460  host name/public key
  *   carry the association ID of the sender.
  */
 
+/*
+ * Global cryptodata in host byte order.
+ */
+u_int  crypto_flags;           /* status word */
+u_int  sys_tai;                /* current UTC offset from TAI */
+
 #ifdef PUBKEY
 /*
  * Cryptodefines
@@ -88,12 +95,6 @@ struct value dhparam;                /* agreement parameters */
 struct value dhpub;            /* public value */
 struct value tai_leap;         /* leapseconds table */
 
-/*
- * Global cryptodata in host byte order.
- */
-int    crypto_flags;           /* flags that wave cryptically */
-u_int  sys_tai;                /* current UTC offset from TAI */
-
 /*
  * Cryptotypes
  */
@@ -338,13 +339,20 @@ crypto_recv(
                switch (code) {
 
                /*
-                * Install association ID. This is used in broadcast
-                * client mode only.
+                * Install association ID and status word.
                 */
                case CRYPTO_ASSOC | CRYPTO_RESP:
-                       if (!(peer->flags & FLAG_AUTOKEY) &&
-                           ntohl(pkt[i + 1]) != 0)
+                       if (peer->flags & FLAG_AUTOKEY)
+                               break;
+                       if (ntohl(pkt[i + 1]) != 0)
                                peer->assoc = ntohl(pkt[i + 1]);
+                       peer->crypto = ntohl(pkt[i + 2]);
+#ifdef DEBUG
+                       if (debug)
+                               printf(
+                                   "crypto_recv: flags %x\n",
+                                   peer->crypto);
+#endif
                        break;
 
                /*
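Review bot: `peer->crypto = ntohl(pkt[i + 2]);` reads a third word of the extension field without checking that the field is long enough to hold it; before this commit a CRYPTO_ASSOC response ended after pkt[i + 1] (see the matching `len += 4` added in crypto_xmit), so a response from an unpatched peer would fill peer->crypto with whatever follows in the buffer. Check the field length the loop has already derived for this field (its variable is outside the hunk) before the assignment, e.g. `if (<field_len> < 12) break;`. Since peer->crypto then decides which requests peer_xmit sends, it deserves the same validation as any other value read off the wire. crypto_recv's loop starts and ends outside the hunk.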
@@ -538,6 +546,7 @@ crypto_recv(
                                break;
                        }
                        peer->flash &= ~TEST10;
+                       crypto_flags |= CRYPTO_FLAG_DH;
 
                        /*
                         * Initialize agreement parameters and extension
@@ -550,9 +559,6 @@ crypto_recv(
                        dhparam.vallen = vp->vallen;
                        if (dhparam.ptr != NULL)
                                free(dhparam.ptr);
-                       if (dhparam.sig == NULL)
-                               dhparam.sig = emalloc(private_key.bits /
-                                   8);
                        pp = emalloc(temp);
                        dhparam.ptr = (u_char *)pp;
                        memcpy(pp, vp->pkt, temp);
@@ -565,6 +571,9 @@ crypto_recv(
                        if (dh_private != NULL)
                                free(dh_private);
                        dh_private = emalloc(dh_keyLen);
+                       if (dhparam.sig == NULL)
+                               dhparam.sig = emalloc(private_key.bits /
+                                   8);
 
                        /*
                         * Initialize public value extension field.
@@ -583,7 +592,9 @@ crypto_recv(
 
                /*
                 * Verify public value and compute agreed key in
-                * symmetric modes. 
+                * symmetric modes. If the filestamp is later than the
+                * current value, we abandon and refill the agreement
+                * parameters.
                 */
                case CRYPTO_DH:
                        peer->cmmd = ntohl(pkt[i]);
@@ -627,6 +638,9 @@ crypto_recv(
                         */
                        if (rval != RV_OK) {
                                temp = 0;
+                       } else if (ntohl(vp->fstamp) > dhparam.fstamp) {
+                               rval = RV_FSP;
+                               crypto_flags &= ~CRYPTO_FLAG_DH;
                        } else {
                                rval = R_ComputeDHAgreedKey(dh_key,
                                    (u_char *)&pkt[i + 5], dh_private,
@@ -772,6 +786,8 @@ crypto_recv(
                                break;
                        }
                        peer->flash &= ~TEST10;
+                       crypto_flags |= CRYPTO_FLAG_TAI;
+                       sys_tai = temp / 4 + TAI_1972 - 1;
 
                        /*
                         * Initialize leapseconds table and extension
@@ -787,7 +803,6 @@ crypto_recv(
                                tai_leap.sig =
                                    emalloc(private_key.bits / 8);
                        memcpy(tai_leap.ptr, vp->pkt, temp);
-                       sys_tai = temp / 4 + TAI_1972 - 1;
                        crypto_agree();
                        break;
 #endif /* PUBKEY */
@@ -853,10 +868,11 @@ crypto_xmit(
        switch (opcode) {
 
        /*
-        * Exchange association IDs. This is used in broadcast server
-        * mode and is a no-op here.
+        * Send association ID and status word.
         */
        case CRYPTO_ASSOC | CRYPTO_RESP:
+               xpkt[i + 2] = htonl(crypto_flags);
+               len += 4;
                break;
 
        /*
@@ -915,15 +931,15 @@ crypto_xmit(
                break;
 
 
+#ifdef PUBKEY
        /*
         * The following commands and responses work only when public-
         * key cryptography has been configured. If configured, but
         * disabled due to no crypto command in the configuration file,
         * they are ignored and an error response is returned.
         */
-#ifdef PUBKEY
        /*
-        * Send agreenebt parameters, timestamp and signature.
+        * Send agreement parameters, timestamp and signature.
         */
        case CRYPTO_DHPAR | CRYPTO_RESP:
                if (!crypto_flags) {
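Review bot: `if (!crypto_flags)` in the CRYPTO_DHPAR case tests the whole status word, while the comment above says the case is refused when crypto is "disabled due to no crypto command"; in this commit that condition is the CRYPTO_FLAG_ENAB bit set in crypto_config, and other bits are now set on separate paths (CRYPTO_FLAG_RSA in crypto_setup, CRYPTO_FLAG_DH in crypto_recv). If any of those can be set without a crypto command, the test no longer matches the comment; `if (!(crypto_flags & CRYPTO_FLAG_ENAB))` says what is meant. The same whole-word tests (`!crypto_flags`, `crypto_flags && ...`) appear in the peer_xmit hunks of ntp_proto.c. crypto_xmit continues outside the hunk.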
@@ -1108,6 +1124,7 @@ crypto_setup(void)
                    "crypto: public/private key files mismatch");
                exit (-1);
        }
+       crypto_flags |= CRYPTO_FLAG_RSA;
 
        /*
         * Assemble public key and host name in network byte order.
@@ -1482,6 +1499,7 @@ crypto_dh(
        dh_keyLen = primelen / 2;
        dh_private = emalloc(dh_keyLen);
        dhparam.sig = emalloc(private_key.bits / 8);
+       crypto_flags |= CRYPTO_FLAG_DH;
 
        /*
         * Initialize public value extension field.
@@ -1604,6 +1622,7 @@ crypto_tai(
                *pp++ = htonl(leapsec[i]);
        }
        tai_leap.sig = emalloc(private_key.bits / 8);
+       crypto_flags |= CRYPTO_FLAG_TAI;
        sys_tai = len / 4 + TAI_1972 - 1;
 
 
@@ -1737,6 +1756,7 @@ crypto_config(
                strcpy(keysdir, cp);
                break;
        }
+       crypto_flags |= CRYPTO_FLAG_ENAB;
 }
 # else
 int ntp_crypto_bs_pubkey;
index c230ed0e15dfc35394b8f88a0474cd9765b4fc0f..d986a2e9140f3789cc78d0969411830a23606050 100644 (file)
@@ -2000,8 +2000,13 @@ peer_xmit(
                                    sendlen, (peer->cmmd >> 16) |
                                    CRYPTO_RESP, peer->hcookie,
                                    peer->associd);
-                       if (!crypto_flags && peer->pcookie.tstamp ==
-                           0 && sys_leap != LEAP_NOTINSYNC)
+                       if (!peer->crypto)
+                               sendlen += crypto_xmit((u_int32 *)&xpkt,
+                                   sendlen, CRYPTO_ASSOC,
+                                   peer->hcookie, peer->assoc);
+                       else if (!crypto_flags &&
+                           peer->pcookie.tstamp == 0 && sys_leap !=
+                           LEAP_NOTINSYNC)
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_PRIV, peer->hcookie,
                                    peer->assoc);
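Review bot: `if (!peer->crypto)` sends CRYPTO_ASSOC on every transmission until a non-zero status word arrives, and the other requests sit in its else branches, so a peer whose word is genuinely zero (crypto_xmit sends `htonl(crypto_flags)` as-is, and this hunk's own `!crypto_flags` test shows zero is a valid value) would never get past CRYPTO_ASSOC to the cookie exchange it reached before this change. Track receipt separately from the value, e.g. a bit the responder always sets or a "status received" flag in struct peer, and gate on that instead. The same gate is added again in the fourth hunk of this file. peer_xmit starts and ends outside the hunk.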
@@ -2010,7 +2015,8 @@ peer_xmit(
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_NAME, peer->hcookie,
                                    peer->assoc);
-                       else if (crypto_flags && dhparam.vallen == 0)
+                       else if (crypto_flags && !(crypto_flags &
+                           CRYPTO_FLAG_DH))
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_DHPAR,
                                    peer->hcookie, peer->assoc);
@@ -2042,7 +2048,7 @@ peer_xmit(
                                    peer->hcookie,
                                    peer->associd);
 #ifdef PUBKEY
-                       else if (crypto_flags & CRYPTO_FLAG_TAI &&
+                       else if (peer->crypto & CRYPTO_FLAG_TAI &&
                            sys_tai == 0)
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_TAI, peer->hcookie,
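Review bot: `peer->crypto & CRYPTO_FLAG_TAI && sys_tai == 0` relies on `&` binding tighter than `&&`; it is correct but easily misread, and compilers warn about the unparenthesized mix. Write `(peer->crypto & CRYPTO_FLAG_TAI) && sys_tai == 0`, here and in the last hunk of this file. Switching the test to the peer's advertised word is the right direction, since the leap table is now requested only from peers that say they hold one. peer_xmit continues outside the hunk.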
@@ -2067,14 +2073,18 @@ peer_xmit(
                                    sendlen, (peer->cmmd >> 16) |
                                    CRYPTO_RESP, peer->hcookie,
                                    peer->associd);
+                       if (!peer->crypto)
+                               sendlen += crypto_xmit((u_int32 *)&xpkt,
+                                   sendlen, CRYPTO_ASSOC,
+                                   peer->hcookie, peer->assoc);
 #ifdef PUBKEY
-                       if (crypto_flags && peer->pubkey.ptr == NULL)
+                       else if (crypto_flags && peer->pubkey.ptr ==
+                           NULL)
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_NAME, peer->hcookie,
                                    peer->assoc);
-                       else
 #endif /* PUBKEY */
-                       if (peer->pcookie.tstamp == 0)
+                       else if (peer->pcookie.tstamp == 0)
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_PRIV, peer->hcookie,
                                    peer->assoc);
@@ -2084,7 +2094,7 @@ peer_xmit(
                                    sendlen, CRYPTO_AUTO, peer->hcookie,
                                    peer->assoc);
 #ifdef PUBKEY
-                       else if (crypto_flags & CRYPTO_FLAG_TAI &&
+                       else if (peer->crypto & CRYPTO_FLAG_TAI &&
                            sys_tai == 0)
                                sendlen += crypto_xmit((u_int32 *)&xpkt,
                                    sendlen, CRYPTO_TAI, peer->hcookie,