From: Harlan Stenn Date: Fri, 4 Aug 2000 05:31:50 +0000 (-0000) Subject: Many files: X-Git-Tag: NTP_4_0_99_M~233 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4cc2f8ab87325c7afb3ee054fb79e1ad56bf1ea8;p=thirdparty%2Fntp.git Many files: * ntpd/ntp_proto.c (peer_xmit): Crypto cleanup * ntpd/ntp_crypto.c: Cleanup * ntpd/ntp_control.c: Join the club * ntpd/ntp_config.c: Call crypto_config() instead; we got rid of crypto_flags. * include/ntp_crypto.h (CRYPTO_FLAG_ENAB): New crypto flags, rework * include/ntp_control.h (CS_FLAGS): Wiggle in. * include/ntp.h: Added crypto peer status to struct peer From Dave Mills bk: 398a55463xYnmM_9NOFopVFqJocANw --- diff --git a/ChangeLog b/ChangeLog index 9091be3b7d..32af661c0a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2000-08-04 Harlan Stenn + + * ntpd/ntp_proto.c (peer_xmit): Crypto cleanup + * ntpd/ntp_crypto.c: Cleanup + * ntpd/ntp_control.c: Join the club + * ntpd/ntp_config.c: Call crypto_config() instead; we got rid of + crypto_flags. + * include/ntp_crypto.h (CRYPTO_FLAG_ENAB): New crypto flags, rework + * include/ntp_control.h (CS_FLAGS): Wiggle in. + * include/ntp.h: Added crypto peer status to struct peer + From Dave Mills + 2000-08-03 Harlan Stenn * util/ntp-genkeys.c: Initialize path_keysdir to NTP_KEYSDIR. diff --git a/include/ntp.h b/include/ntp.h index d96cb65660..8b36c73f35 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -283,7 +283,8 @@ struct peer { * Variables used by authenticated client */ #ifdef AUTOKEY - associd_t assoc; /* association ID of peer */ + associd_t assoc; /* peer association ID */ + u_int32 crypto; /* peer status word */ #ifdef PUBKEY struct value pubkey; /* public key */ u_char *keystr; /* public key file name */ diff --git a/include/ntp_control.h b/include/ntp_control.h index 766b9bd5bb..624925b3ec 100644 --- a/include/ntp_control.h +++ b/include/ntp_control.h 
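Review bot: The new `crypto` member of struct peer in the ntp.h hunk is documented only as `peer status word`, which says neither whose status it holds nor how it gets there; elsewhere in this commit it is filled from the third word of a CRYPTO_ASSOC response in crypto_recv, before FLAG_AUTOKEY is set, with zero meaning not yet received. Suggest `u_int32 crypto; /* remote peer's advertised crypto status (CRYPTO_ASSOC rsp, unauthenticated); 0 = not yet seen */`. The local word it is compared against, `crypto_flags`, is declared `u_int` in this same commit, so the two sides of the same bit layout use different types; picking one avoids width surprises later. struct peer starts and ends outside this hunk.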
@@ -165,12 +165,13 @@ struct ntp_control { #define CS_STABIL 18 #define CS_VARLIST 19 #ifdef PUBKEY -#define CS_HOST 20 -#define CS_PUBLIC 21 -#define CS_DHPARAMS 22 -#define CS_REVTIME 23 -#define CS_LEAPTAB 24 -#define CS_TAI 25 +#define CS_FLAGS 20 +#define CS_HOST 21 +#define CS_PUBLIC 22 +#define CS_DHPARAMS 23 +#define CS_REVTIME 24 +#define CS_LEAPTAB 25 +#define CS_TAI 26 #define CS_MAXCODE CS_TAI #else #define CS_MAXCODE CS_VARLIST @@ -217,13 +218,14 @@ struct ntp_control { #define CP_DISP 36 #define CP_VARLIST 37 #ifdef PUBKEY -#define CP_HOST 38 -#define CP_PUBLIC 39 -#define CP_SESKEY 40 -#define CP_SASKEY 41 -#define CP_INITSEQ 42 -#define CP_INITKEY 43 -#define CP_INITTSP 44 +#define CP_FLAGS 38 +#define CP_HOST 39 +#define CP_PUBLIC 40 +#define CP_SESKEY 41 +#define CP_SASKEY 42 +#define CP_INITSEQ 43 +#define CP_INITKEY 44 +#define CP_INITTSP 45 #define CP_MAXCODE CP_INITTSP #else #define CP_MAXCODE CP_VARLIST diff --git a/include/ntp_crypto.h b/include/ntp_crypto.h index 27b2ae2b67..6297a3b81a 100644 --- a/include/ntp_crypto.h +++ b/include/ntp_crypto.h 
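Review bot: Inserting CS_FLAGS at 20 and CP_FLAGS at 38 renumbers every following code, and these values are used as raw indexes into the sys_var[]/peer_var[] tables in ntp_control.c (`sys_var[CS_FLAGS].text` in this commit), so a future insertion that updates one side but not the other silently prints the wrong variable name. Nothing in this header ties the two together; a comment above each group, e.g. `/* order must match sys_var[] / def_sys_var[] in ntp_control.c */`, would at least make the coupling visible. As far as these hunks show the numeric values are internal (ntpq reads the names), so the renumbering itself looks safe.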
@@ -9,29 +9,31 @@ #include "rsa.h" #endif /* PUBKEY */ +/* + * Cryptostatus word + */ +#define CRYPTO_FLAG_ENAB 0x01 /* crypto enable */ +#define CRYPTO_FLAG_RSA 0x02 /* public/private keys */ +#define CRYPTO_FLAG_DH 0x04 /* agreement parameters */ +#define CRYPTO_FLAG_TAI 0x08 /* leapseconds table */ + /* * Extension field definitions */ #define CRYPTO_VN 1 /* current protocol version number */ #define CRYPTO_NULL ((CRYPTO_VN << 8) | 0) /* no operation */ -#define CRYPTO_STAT ((CRYPTO_VN << 8) | 1) /* reserved */ +#define CRYPTO_STAT ((CRYPTO_VN << 8) | 1) /* status */ #define CRYPTO_ASSOC ((CRYPTO_VN << 8) | 2) /* association ID */ #define CRYPTO_AUTO ((CRYPTO_VN << 8) | 3) /* autokey values */ #define CRYPTO_PRIV ((CRYPTO_VN << 8) | 4) /* cookie value */ -#define CRYPTO_DHPAR ((CRYPTO_VN << 8) | 5) /* DH parameters */ -#define CRYPTO_DH ((CRYPTO_VN << 8) | 6) /* DH public value */ -#define CRYPTO_NAME ((CRYPTO_VN << 8) | 7) /* RSA public key */ -#define CRYPTO_TAI ((CRYPTO_VN << 8) | 8) /* TAI offset */ +#define CRYPTO_DHPAR ((CRYPTO_VN << 8) | 5) /* agreement params */ +#define CRYPTO_DH ((CRYPTO_VN << 8) | 6) /* public value */ +#define CRYPTO_NAME ((CRYPTO_VN << 8) | 7) /* host name/pub key */ +#define CRYPTO_TAI ((CRYPTO_VN << 8) | 8) /* leapseconds table */ #define CRYPTO_RESP 0x8000 /* response */ #define CRYPTO_ERROR 0x4000 /* error */ -/* - * Cryptoflags - */ -#define CRYPTO_FLAG_ENAB 0x01 /* enable public key */ -#define CRYPTO_FLAG_TAI 0x02 /* request TAI leapseconds */ - #ifdef PUBKEY /* * Configuration codes 
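Review bot: The status word defined here (CRYPTO_FLAG_ENAB through CRYPTO_FLAG_TAI) is now sent to remote peers as the third word of a CRYPTO_ASSOC response (crypto_xmit in this commit), so these bit values have become protocol-visible and can no longer be renumbered freely, yet CRYPTO_VN stays at 1 and the comment just says `Cryptostatus word`. Suggest `/* Cryptostatus word; also carried on the wire in CRYPTO_ASSOC responses, so bit values are part of the protocol */`. CRYPTO_FLAG_TAI also changes meaning here, from the old `request TAI leapseconds` (0x02) to `leapseconds table` present (0x08); any caller still reading it as a request flag would want checking.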
@@ -65,12 +67,12 @@ extern int crypto_public P((struct peer *, u_char *, u_int)); /* * Cryptographic values */ -extern int crypto_flags; extern R_DH_PARAMS dh_params; -extern struct value host; /* public key/host name */ -extern struct value dhparam; /* Diffie-Hellman parameters */ -extern struct value dhpub; /* Diffie-Hellman public value */ -extern struct value tai_leap; /* TAI leapseconds table */ +extern struct value host; /* host name/public key */ +extern struct value dhparam; /* agreement parameters */ +extern struct value dhpub; /* public value */ +extern struct value tai_leap; /* leapseconds table */ +extern u_int crypto_flags; /* status word */ extern u_int sys_tai; /* current UTC offset from TAI */ #endif /* PUBKEY */ #endif /* AUTOKEY */ diff --git a/ntpd/ntp_config.c b/ntpd/ntp_config.c index 177d11fb6c..4fd09dcc0b 100644 --- a/ntpd/ntp_config.c +++ b/ntpd/ntp_config.c @@ -919,14 +919,17 @@ getconfig( break; case CONFIG_CRYPTO: - crypto_flags |= CRYPTO_FLAG_ENAB; + if (ntokens == 1) { + crypto_config(CRYPTO_CONF_FLAGS , "0"); + break; + } for (i = 1; i < ntokens; i++) { int temp; temp = matchkey(tokens[i++], crypto_keywords); if (i > ntokens - 1) { msyslog(LOG_ERR, - "crypto: missing file name"); + "crypto: missing argument"); errflg++; break; } diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c index 18c1f26e4b..4c40fd74f8 100644 --- a/ntpd/ntp_control.c +++ b/ntpd/ntp_control.c 
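Review bot: The `extern u_int crypto_flags` and `extern u_int sys_tai` declarations remain inside the `#ifdef PUBKEY` section here, but this same commit moves their definitions in ntp_crypto.c out of that block (the `Global cryptodata in host byte order` group now sits ahead of `#ifdef PUBKEY`), and crypto_xmit's CRYPTO_ASSOC response reads crypto_flags in code that is not PUBKEY-guarded. An AUTOKEY-only build therefore has definitions with no matching declaration, and any other translation unit that touches crypto_flags in that configuration will either fail to compile or declare its own type. Move both `extern` lines above `#ifdef PUBKEY` (still within `#ifdef AUTOKEY`) so the header mirrors the .c file.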
@@ -114,12 +114,13 @@ static struct ctl_var sys_var[] = { { CS_STABIL, RO, "stability" }, /* 18 */ { CS_VARLIST, RO, "sys_var_list" }, /* 19 */ #ifdef PUBKEY - { CS_HOST, RO, "hostname" }, /* 20 */ - { CS_PUBLIC, RO, "publickey" }, /* 21 */ - { CS_DHPARAMS, RO, "params" }, /* 22 */ - { CS_REVTIME, RO, "refresh"}, /* 23 */ - { CS_LEAPTAB, RO, "leaptable" }, /* 24 */ - { CS_TAI, RO, "tai"}, /* 25 */ + { CS_FLAGS, RO, "flags" }, /* 20 */ + { CS_HOST, RO, "hostname" }, /* 21 */ + { CS_PUBLIC, RO, "publickey" }, /* 22 */ + { CS_DHPARAMS, RO, "params" }, /* 23 */ + { CS_REVTIME, RO, "refresh"}, /* 24 */ + { CS_LEAPTAB, RO, "leaptable" }, /* 25 */ + { CS_TAI, RO, "tai"}, /* 26 */ #endif /* PUBKEY */ { 0, EOV, "" } }; @@ -150,6 +151,7 @@ static u_char def_sys_var[] = { CS_COMPLIANCE, CS_STABIL, #ifdef PUBKEY + CS_FLAGS, CS_HOST, CS_DHPARAMS, CS_REVTIME, @@ -202,13 +204,14 @@ static struct ctl_var peer_var[] = { { CP_DISP, PADDING,"" }, /* 36 */ { CP_VARLIST, RO, "peer_var_list" }, /* 37 */ #ifdef PUBKEY - { CP_HOST, RO, "hostname" }, /* 38 */ - { CP_PUBLIC, RO, "publickey" }, /* 39 */ - { CP_SESKEY, RO, "pcookie" }, /* 40 */ - { CP_SASKEY, RO, "hcookie" }, /* 41 */ - { CP_INITSEQ, RO, "initsequence" }, /* 42 */ - { CP_INITKEY, RO, "initkey" }, /* 43 */ - { CP_INITTSP, RO, "timestamp" }, /* 44 */ + { CP_FLAGS, RO, "flags" }, /* 38 */ + { CP_HOST, RO, "hostname" }, /* 39 */ + { CP_PUBLIC, RO, "publickey" }, /* 40 */ + { CP_SESKEY, RO, "pcookie" }, /* 41 */ + { CP_SASKEY, RO, "hcookie" }, /* 42 */ + { CP_INITSEQ, RO, "initsequence" }, /* 43 */ + { CP_INITKEY, RO, "initkey" }, /* 44 */ + { CP_INITTSP, RO, "timestamp" }, /* 45 */ #endif /* PUBKEY */ { 0, EOV, "" } }; @@ -248,6 +251,7 @@ static u_char def_peer_var[] = { CP_FILTOFFSET, CP_FILTERROR, #ifdef PUBKEY + CP_FLAGS, CP_HOST, CP_SESKEY, CP_INITSEQ, 
@@ -272,7 +276,7 @@ static struct ctl_var clock_var[] = { { CC_FUDGETIME2, RO, "fudgetime2" }, /* 8 */ { CC_FUDGEVAL1, RO, "stratum" }, /* 9 */ { CC_FUDGEVAL2, RO, "refid" }, /* 10 */ - { CC_FLAGS, RO, "flags" }, /* 11 */ + { CC_FLAGS, RO, "flags" }, /* 11 */ { CC_DEVICE, RO, "device" }, /* 12 */ { CC_VARLIST, RO, "clock_var_list" },/* 13 */ { 0, EOV, "" } @@ -1316,6 +1320,12 @@ ctl_putsys( break; #ifdef PUBKEY + case CS_FLAGS: + if (crypto_flags) + ctl_puthex(sys_var[CS_FLAGS].text, + crypto_flags); + break; + case CS_HOST: ctl_putstr(sys_var[CS_HOST].text, sys_hostname, strlen(sys_hostname)); @@ -1570,6 +1580,11 @@ ctl_putpeer( } break; #ifdef PUBKEY + case CP_FLAGS: + if (peer->crypto) + ctl_puthex(peer_var[CP_FLAGS].text, peer->crypto); + break; + case CP_HOST: if (peer->keystr != NULL) ctl_putstr(peer_var[CP_HOST].text, peer->keystr, diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c index d676f461da..06b7819f86 100644 --- a/ntpd/ntp_crypto.c +++ b/ntpd/ntp_crypto.c @@ -39,14 +39,15 @@ * = signature = * | | * +---------------+ + * CRYPTO_DHPAR rsp * CRYPTO_DH rsp * CRYPTO_NAME rsp * CRYPTO_TAI rsp * - * CRYPTO_PUBL 1 - offer/select + * CRYPTO_STAT 1 - offer/select * CRYPTO_ASSOC 2 8 association ID * CRYPTO_AUTO 3 88 autokey values - * CRYPTO_PRIV 4 84 cookie values + * CRYPTO_PRIV 4 84 cookie value * CRYPTO_DHPAR 5 220 agreement parameters * CRYPTO_DH 6 152 public value * CRYPTO_NAME 7 460 host name/public key @@ -56,6 +57,12 @@ * carry the association ID of the sender. */ +/* + * Global cryptodata in host byte order. + */ +u_int crypto_flags; /* status word */ +u_int sys_tai; /* current UTC offset from TAI */ + #ifdef PUBKEY /* * Cryptodefines 
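Review bot: `case CS_FLAGS` in ctl_putsys only emits the variable when crypto_flags is non-zero, so an ntpq reader cannot distinguish `crypto` not configured (flags 0) from the variable being unsupported, and zero is exactly the state an operator checking whether autokey is active wants to see. Dropping the `if (crypto_flags)` guard and always calling `ctl_puthex(sys_var[CS_FLAGS].text, crypto_flags)` gives stable output; the CP_FLAGS case added to ctl_putpeer further down has the same pattern. ctl_putsys starts and ends outside this hunk.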
@@ -88,12 +95,6 @@ struct value dhparam; /* agreement parameters */ struct value dhpub; /* public value */ struct value tai_leap; /* leapseconds table */ -/* - * Global cryptodata in host byte order. - */ -int crypto_flags; /* flags that wave cryptically */ -u_int sys_tai; /* current UTC offset from TAI */ - /* * Cryptotypes */ @@ -338,13 +339,20 @@ crypto_recv( switch (code) { /* - * Install association ID. This is used in broadcast - * client mode only. + * Install association ID and status word. */ case CRYPTO_ASSOC | CRYPTO_RESP: - if (!(peer->flags & FLAG_AUTOKEY) && - ntohl(pkt[i + 1]) != 0) + if (peer->flags & FLAG_AUTOKEY) + break; + if (ntohl(pkt[i + 1]) != 0) peer->assoc = ntohl(pkt[i + 1]); + peer->crypto = ntohl(pkt[i + 2]); +#ifdef DEBUG + if (debug) + printf( + "crypto_recv: flags %x\n", + peer->crypto); +#endif break; /* @@ -538,6 +546,7 @@ crypto_recv( break; } peer->flash &= ~TEST10; + crypto_flags |= CRYPTO_FLAG_DH; /* * Initialize agreement parameters and extension @@ -550,9 +559,6 @@ crypto_recv( dhparam.vallen = vp->vallen; if (dhparam.ptr != NULL) free(dhparam.ptr); - if (dhparam.sig == NULL) - dhparam.sig = emalloc(private_key.bits / - 8); pp = emalloc(temp); dhparam.ptr = (u_char *)pp; memcpy(pp, vp->pkt, temp); @@ -565,6 +571,9 @@ crypto_recv( if (dh_private != NULL) free(dh_private); dh_private = emalloc(dh_keyLen); + if (dhparam.sig == NULL) + dhparam.sig = emalloc(private_key.bits / + 8); /* * Initialize public value extension field. @@ -583,7 +592,9 @@ crypto_recv( /* * Verify public value and compute agreed key in - * symmetric modes. + * symmetric modes. If the filestamp is later than the + * current value, we abandon and refill the agreement + * parameters. */ case CRYPTO_DH: peer->cmmd = ntohl(pkt[i]); 
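Review bot: `peer->crypto = ntohl(pkt[i + 2])` in the CRYPTO_ASSOC | CRYPTO_RESP case reads a third word from the received extension field without any check visible in this hunk that the field is long enough to contain it; a response from a peer built before this change carries only the association ID, so the read takes whatever follows, the next field or bytes past the end of the packet if this was the last one. Whatever length crypto_recv validated `pkt[i + 1]` against (not visible here) should be checked for at least three words before touching `pkt[i + 2]`, leaving peer->crypto unchanged when the word is absent. Since this case runs only before FLAG_AUTOKEY is set, the stored word is unauthenticated input and deserves saying so, e.g. `/* status word is unauthenticated here; it only steers which requests we send */`. The debug printf passes a u_int32 to `%x`, which mismatches on platforms where u_int32 is unsigned long; cast to `(unsigned)` or use the matching length modifier. crypto_recv starts and ends outside this hunk.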
@@ -627,6 +638,9 @@ crypto_recv( */ if (rval != RV_OK) { temp = 0; + } else if (ntohl(vp->fstamp) > dhparam.fstamp) { + rval = RV_FSP; + crypto_flags &= ~CRYPTO_FLAG_DH; } else { rval = R_ComputeDHAgreedKey(dh_key, (u_char *)&pkt[i + 5], dh_private, @@ -772,6 +786,8 @@ crypto_recv( break; } peer->flash &= ~TEST10; + crypto_flags |= CRYPTO_FLAG_TAI; + sys_tai = temp / 4 + TAI_1972 - 1; /* * Initialize leapseconds table and extension @@ -787,7 +803,6 @@ crypto_recv( tai_leap.sig = emalloc(private_key.bits / 8); memcpy(tai_leap.ptr, vp->pkt, temp); - sys_tai = temp / 4 + TAI_1972 - 1; crypto_agree(); break; #endif /* PUBKEY */ @@ -853,10 +868,11 @@ crypto_xmit( switch (opcode) { /* - * Exchange association IDs. This is used in broadcast server - * mode and is a no-op here. + * Send association ID and status word. */ case CRYPTO_ASSOC | CRYPTO_RESP: + xpkt[i + 2] = htonl(crypto_flags); + len += 4; break; /* @@ -915,15 +931,15 @@ crypto_xmit( break; +#ifdef PUBKEY /* * The following commands and responses work only when public- * key cryptography has been configured. If configured, but * disabled due to no crypto command in the configuration file, * they are ignored and an error response is returned. */ -#ifdef PUBKEY /* - * Send agreenebt parameters, timestamp and signature. + * Send agreement parameters, timestamp and signature. */ case CRYPTO_DHPAR | CRYPTO_RESP: if (!crypto_flags) { @@ -1108,6 +1124,7 @@ crypto_setup(void) "crypto: public/private key files mismatch"); exit (-1); } + crypto_flags |= CRYPTO_FLAG_RSA; /* * Assemble public key and host name in network byte order. @@ -1482,6 +1499,7 @@ crypto_dh( dh_keyLen = primelen / 2; dh_private = emalloc(dh_keyLen); dhparam.sig = emalloc(private_key.bits / 8); + crypto_flags |= CRYPTO_FLAG_DH; /* * Initialize public value extension field. @@ -1604,6 +1622,7 @@ crypto_tai( *pp++ = htonl(leapsec[i]); } tai_leap.sig = emalloc(private_key.bits / 8); + crypto_flags |= CRYPTO_FLAG_TAI; sys_tai = len / 4 + TAI_1972 - 1; 
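Review bot: The new `ntohl(vp->fstamp) > dhparam.fstamp` test compares a host-order value against a stored field whose byte order this hunk does not establish; the CRYPTO_DHPAR code in this commit copies the wire header with `dhparam.vallen = vp->vallen` (no ntohl), so if `fstamp` is stored the same way the comparison mixes byte orders and fires at the wrong times. Worth confirming where dhparam.fstamp is assigned and recording it there, e.g. `/* dhparam.fstamp is kept in host order for comparison in CRYPTO_DH */`. The side effect should also be documented: clearing CRYPTO_FLAG_DH is global, so one peer presenting newer parameters makes the host re-request agreement parameters while dhparam/dh_private stay allocated and in use by every other association; that matches the stated `abandon and refill` intent, but it is a remotely driven reset (presumably gated by whatever produced rval == RV_OK above) and the comment should say so. crypto_recv starts and ends outside this hunk.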
@@ -1737,6 +1756,7 @@ crypto_config( strcpy(keysdir, cp); break; } + crypto_flags |= CRYPTO_FLAG_ENAB; } # else int ntp_crypto_bs_pubkey; diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index c230ed0e15..d986a2e914 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -2000,8 +2000,13 @@ peer_xmit( sendlen, (peer->cmmd >> 16) | CRYPTO_RESP, peer->hcookie, peer->associd); - if (!crypto_flags && peer->pcookie.tstamp == - 0 && sys_leap != LEAP_NOTINSYNC) + if (!peer->crypto) + sendlen += crypto_xmit((u_int32 *)&xpkt, + sendlen, CRYPTO_ASSOC, + peer->hcookie, peer->assoc); + else if (!crypto_flags && + peer->pcookie.tstamp == 0 && sys_leap != + LEAP_NOTINSYNC) sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_PRIV, peer->hcookie, peer->assoc); @@ -2010,7 +2015,8 @@ peer_xmit( sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_NAME, peer->hcookie, peer->assoc); - else if (crypto_flags && dhparam.vallen == 0) + else if (crypto_flags && !(crypto_flags & + CRYPTO_FLAG_DH)) sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_DHPAR, peer->hcookie, peer->assoc); @@ -2042,7 +2048,7 @@ peer_xmit( peer->hcookie, peer->associd); #ifdef PUBKEY - else if (crypto_flags & CRYPTO_FLAG_TAI && + else if (peer->crypto & CRYPTO_FLAG_TAI && sys_tai == 0) sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_TAI, peer->hcookie, @@ -2067,14 +2073,18 @@ peer_xmit( sendlen, (peer->cmmd >> 16) | CRYPTO_RESP, peer->hcookie, peer->associd); + if (!peer->crypto) + sendlen += crypto_xmit((u_int32 *)&xpkt, + sendlen, CRYPTO_ASSOC, + peer->hcookie, peer->assoc); #ifdef PUBKEY - if (crypto_flags && peer->pubkey.ptr == NULL) + else if (crypto_flags && peer->pubkey.ptr == + NULL) sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_NAME, peer->hcookie, peer->assoc); - else #endif /* PUBKEY */ - if (peer->pcookie.tstamp == 0) + else if (peer->pcookie.tstamp == 0) sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_PRIV, peer->hcookie, peer->assoc); 
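Review bot: `crypto_flags |= CRYPTO_FLAG_ENAB` is placed after the switch in crypto_config, so it is set on every call, including the `"0"` sentinel call ntp_config makes for a bare `crypto` line and, if the switch has a reject path (its cases are outside this hunk), calls whose item was not accepted. If that is the intent, say so: `/* any crypto statement, even a bare one, enables the crypto machinery */`; otherwise set the flag only in the cases that succeeded. crypto_config starts outside this hunk.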
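Review bot: `if (!peer->crypto)` in peer_xmit treats a zero status word as `not yet exchanged` and keeps sending CRYPTO_ASSOC, but zero is also the legitimate word a remote with no `crypto` statement sends back (in this commit crypto_flags only gains CRYPTO_FLAG_ENAB from crypto_config), so against such a server the client never reaches the CRYPTO_PRIV cookie exchange that used to run under `!crypto_flags`. Unless something outside these hunks seeds peer->crypto, receipt needs tracking separately, e.g. setting a dedicated bit or a `peer->crypto_rcvd` flag in crypto_recv's CRYPTO_ASSOC case and gating on that instead of `!peer->crypto`. The same test is repeated in the later hunk at the `#ifdef PUBKEY` site, so both places need the change. peer_xmit starts and ends outside these hunks.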
@@ -2084,7 +2094,7 @@ peer_xmit( sendlen, CRYPTO_AUTO, peer->hcookie, peer->assoc); #ifdef PUBKEY - else if (crypto_flags & CRYPTO_FLAG_TAI && + else if (peer->crypto & CRYPTO_FLAG_TAI && sys_tai == 0) sendlen += crypto_xmit((u_int32 *)&xpkt, sendlen, CRYPTO_TAI, peer->hcookie,
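Review bot: `peer->crypto & CRYPTO_FLAG_TAI && sys_tai == 0` relies on `&` binding tighter than `&&`, which is correct but is the classic warning case; `(peer->crypto & CRYPTO_FLAG_TAI) && sys_tai == 0` reads unambiguously. More substantively, the TAI request is now driven by the remote's advertised word rather than local configuration, and that word is stored before the association is authenticated, so a short comment should record that the worst case is an unsolicited CRYPTO_TAI request (the table itself is presumably still verified when it arrives). peer_xmit starts and ends outside this hunk.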