From: Dave Hart Date: Sat, 7 Nov 2009 22:46:41 +0000 (+0000) Subject: Fix authenticated ntpdc, broken in p240. X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=60950d14dbd4d9c8daf5010876605b3d29478a45;p=thirdparty%2Fntp.git Fix authenticated ntpdc, broken in p240. bk: 4af5f8d1QSWZBGM0YKmeViv8zId7HA --- diff --git a/ChangeLog b/ChangeLog index 8913a986a1..3ed2cfb940 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ * [Bug 1366] ioctl(TIOCSCTTY, 0) fails on NetBSD *[0-2].* > 3.99.7. * CID 87 dead code in ntpq.c atoascii(). +* Fix authenticated ntpdc, broken in p240. (4.2.5p241-RC) 2009/11/07 Released by Harlan Stenn * html/authopt.html update from Dave Mills. * Remove unused file from sntp/Makefile.am's distribution list. diff --git a/include/ntp.h b/include/ntp.h index 5b2a1c9f04..b60523af1c 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -541,10 +541,10 @@ struct pkt { l_fp rec; /* receive time stamp */ l_fp xmt; /* transmit time stamp */ -#define LEN_PKT_NOMAC 12 * sizeof(u_int32) /* min header length */ -#define MIN_MAC_LEN 1 * sizeof(u_int32) /* crypto_NAK */ -#define MAX_MD5_LEN 5 * sizeof(u_int32) /* MD5 */ -#define MAX_MAC_LEN 6 * sizeof(u_int32) /* SHA */ +#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */ +#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */ +#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */ +#define MAX_MAC_LEN (6 * sizeof(u_int32)) /* SHA */ /* * The length of the packet less MAC must be a multiple of 64 diff --git a/include/ntp_request.h b/include/ntp_request.h index 9ed644c395..6439040716 100644 --- a/include/ntp_request.h +++ b/include/ntp_request.h 
@@ -134,8 +134,8 @@ struct req_pkt { char data[MAXFILENAME + 48]; /* data area [32 prev](176 byte max) */ /* struct conf_peer must fit */ l_fp tstamp; /* time stamp, for authentication */ - keyid_t keyid; /* encryption key */ - char mac[MAX_MD5_LEN-sizeof(u_int32)]; /* (optional) 8 byte auth code */ + keyid_t keyid; /* (optional) encryption key */ + char mac[MAX_MD5_LEN-sizeof(u_int32)]; /* (optional) auth code */ }; /* @@ -144,8 +144,8 @@ struct req_pkt { */ struct req_pkt_tail { l_fp tstamp; /* time stamp, for authentication */ - keyid_t keyid; /* encryption key */ - char mac[MAX_MD5_LEN-sizeof(u_int32)]; /* (optional) 8 byte auth code */ + keyid_t keyid; /* (optional) encryption key */ + char mac[MAX_MD5_LEN-sizeof(u_int32)]; /* (optional) auth code */ }; /* diff --git a/include/ntp_stdlib.h b/include/ntp_stdlib.h index d078249459..3685f686c9 100644 --- a/include/ntp_stdlib.h +++ b/include/ntp_stdlib.h @@ -158,7 +158,8 @@ extern pset_tod_using set_tod_using; /* ssl_init.c */ #ifdef OPENSSL -extern void ssl_init (void); +extern void ssl_init (void); +extern void ssl_check_version (void); extern int ssl_init_done; #define INIT_SSL() \ do { \ @@ -166,7 +167,7 @@ extern int ssl_init_done; ssl_init(); \ } while (0) #else /* !OPENSSL follows */ -#define INIT_SSL() do {} while (0) +#define INIT_SSL() do {} while (0) #endif /* lib/isc/win32/strerror.c diff --git a/libntp/a_md5encrypt.c b/libntp/a_md5encrypt.c index 3874451975..0b1264e126 100644 --- a/libntp/a_md5encrypt.c +++ b/libntp/a_md5encrypt.c @@ -78,6 +78,7 @@ MD5authdecrypt( #ifdef OPENSSL EVP_MD_CTX ctx; #else + MD5_CTX md5; #endif /* OPENSSL */ /* @@ -86,7 +87,7 @@ MD5authdecrypt( * was created. */ #ifdef OPENSSL - INIT_SSL(NULL); + INIT_SSL(); EVP_DigestInit(&ctx, EVP_get_digestbynid(type)); EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen); EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length); 
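Review bot: `EVP_get_digestbynid(type)` on the line right after the corrected `INIT_SSL();` is handed straight to `EVP_DigestInit()` with no NULL check, so a key whose `type` is not provided by the linked OpenSSL build would initialise the digest context with a null method; whether `type` is already validated at key-load time is not visible in this hunk. Consider `const EVP_MD *md = EVP_get_digestbynid(type); if (md == NULL) return 0;` (or whatever failure value MD5authdecrypt's callers already expect) followed by `EVP_DigestInit(&ctx, md);`. MD5authdecrypt's signature and the remainder of its body, including the MAC comparison, lie outside the hunk.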
@@ -117,7 +118,6 @@ addr2refid(sockaddr_u *addr) u_char digest[20]; u_int32 addr_refid; #ifdef OPENSSL - const EVP_MD * digest_type; EVP_MD_CTX ctx; u_int len; #else diff --git a/libntp/authkeys.c b/libntp/authkeys.c index 043e428398..9c32e09f36 100644 --- a/libntp/authkeys.c +++ b/libntp/authkeys.c @@ -149,15 +149,14 @@ authhavekey( */ authkeyuncached++; sk = key_hash[KEYHASH(keyno)]; - while (sk != 0) { + while (sk != NULL) { if (keyno == sk->keyid) { if (sk->type == 0) { authkeynotfound++; return (0); } + break; } - break; - sk = sk->next; } @@ -165,7 +164,7 @@ authhavekey( * If the key is not found, or if it is found but not trusted, * the key is not considered found. */ - if (sk == 0) { + if (sk == NULL) { authkeynotfound++; return (0); diff --git a/libntp/authreadkeys.c b/libntp/authreadkeys.c index 9c9ad27295..38f25b2b68 100644 --- a/libntp/authreadkeys.c +++ b/libntp/authreadkeys.c @@ -160,7 +160,7 @@ authreadkeys( "authreadkeys: invalid type for key %d", keyno); continue; } - keytype = KEY_TYPE_MD5 + keytype = KEY_TYPE_MD5; #endif /* OPENSSL */ keystr = token; diff --git a/libntp/ssl_init.c b/libntp/ssl_init.c index 13efa50ec8..73c94a61aa 100644 --- a/libntp/ssl_init.c +++ b/libntp/ssl_init.c @@ -25,6 +25,16 @@ ssl_init(void) if (ssl_init_done) return; + ERR_load_crypto_strings(); + OpenSSL_add_all_algorithms(); + + ssl_init_done = 1; +} + + +void +ssl_check_version(void) +{ if ((SSLeay() ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) { msyslog(LOG_ERR, "OpenSSL version mismatch. Built against %lx, you have %lx", @@ -34,9 +44,7 @@ ssl_init(void) OPENSSL_VERSION_NUMBER, SSLeay()); exit (-1); } - ERR_load_crypto_strings(); - OpenSSL_add_all_algorithms(); - ssl_init_done = 1; + INIT_SSL(); } #endif /* OPENSSL */ diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c index 5154c6ec65..7a32ddc384 100644 --- a/ntpd/ntp_control.c +++ b/ntpd/ntp_control.c 
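Review bot: As rendered, the loop advance `sk = sk->next;` in the first authkeys.c hunk appears only as a removed line, and the new side shows nothing after the closing brace of the `if (keyno == sk->keyid)` block before the loop's own `}`; if that is what the commit contains, `while (sk != NULL)` never advances past a non-matching entry and a hash-chain collision spins forever. If the page merely lost a `+` line, disregard this, but please confirm the new body ends with `sk = sk->next;` as the last statement inside the loop. authhavekey's declaration and the trusted-key handling continue outside the hunk.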
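Review bot: `ssl_check_version()` is introduced in ssl_init.c without a comment saying why it is split from `ssl_init()`; since `ssl_init()` now only loads error strings and algorithms, every caller that reaches OpenSSL through `INIT_SSL()` alone (the MD5authdecrypt path touched in this same commit) no longer performs the library/header version comparison — only crypto_setup() and ntp-keygen call it. Suggest a header comment on the new function such as `/* Abort if the runtime OpenSSL library differs from the headers we were built against (bits 0xff0 masked out), then run the normal init. Not called by INIT_SSL(), so symmetric-key-only use never performs this check. */`. In the second ssl_init.c hunk the retained `exit (-1)` reports status 255 to the shell; `exit(1)` would be the conventional value, though that line is unchanged context.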
@@ -738,7 +738,7 @@ process_control( res_authenticate = 0; res_keyid = 0; res_authokay = 0; - req_count = (int)htons(pkt->count); + req_count = (int)ntohs(pkt->count); datanotbinflag = 0; datalinelen = 0; datapt = rpkt.data; diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c index a6b4bc689b..609e8528cc 100644 --- a/ntpd/ntp_crypto.c +++ b/ntpd/ntp_crypto.c @@ -3677,6 +3677,7 @@ crypto_setup(void) "crypto_setup: spurious crypto command"); return; } + ssl_check_version(); /* * Load required random seed file and seed the random number @@ -3685,7 +3686,6 @@ crypto_setup(void) * depending on the system. Wiggle the contents a bit and write * it back so the sequence does not repeat when we next restart. */ - INIT_SSL(); if (!RAND_status()) { if (rand_file == NULL) { RAND_file_name(filename, sizeof(filename)); @@ -3699,7 +3699,8 @@ crypto_setup(void) if ((bytes = RAND_load_file(randfile, -1)) == 0) { msyslog(LOG_ERR, - "cypto_setup: random seed file %s missing", randfile); + "crypto_setup: random seed file %s missing", + randfile); exit (-1); } get_systime(&seed); diff --git a/ntpd/ntp_intres.c b/ntpd/ntp_intres.c index 45ee089c85..be8d24e21c 100644 --- a/ntpd/ntp_intres.c +++ b/ntpd/ntp_intres.c @@ -830,7 +830,7 @@ request( } #ifndef SYS_WINNT - n = recv(sockfd, (char *)&reqpkt, REQ_LEN_MAC, 0); + n = recv(sockfd, (char *)&reqpkt, sizeof(reqpkt), 0); if (n <= 0) { if (n < 0) { msyslog(LOG_ERR, "recv() fails: %m"); @@ -839,7 +839,7 @@ request( continue; } #else /* Overlapped I/O used on non-blocking sockets on Windows NT */ - ret = ReadFile((HANDLE)sockfd, (char *)&reqpkt, (DWORD)REQ_LEN_MAC, + ret = ReadFile((HANDLE)sockfd, (char *)&reqpkt, sizeof(reqpkt), NULL, (LPOVERLAPPED)&overlap); if ((ret == FALSE) && (GetLastError() != ERROR_IO_PENDING)) { msyslog(LOG_ERR, "ReadFile() fails: %m"); diff --git a/ntpd/ntp_request.c b/ntpd/ntp_request.c index 3130a8d73c..e9b0952cb1 100644 --- a/ntpd/ntp_request.c +++ b/ntpd/ntp_request.c 
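Review bot: `req_count = (int)ntohs(pkt->count);` is now the intended byte-order direction, but nothing in this hunk bounds the value against `rbufp->recv_length` before it sizes the data area; that validation, if present, lies outside the hunk in process_control. Since `pkt->count` is attacker-supplied, it is worth confirming that the later check compares `req_count` with the bytes actually received rather than only with a fixed maximum, for example `if (req_count > rbufp->recv_length - CTL_HEADER_LEN_PLACEHOLDER) { /* reject */ }` with the header length the file already defines.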
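Review bot: Reading up to `sizeof(reqpkt)` instead of `REQ_LEN_MAC` in request() means replies longer than the old bound are no longer truncated by the socket read, and the only check shown is `if (n <= 0)`; whatever compares `n` against the expected reply length later in request() is outside this hunk and should be confirmed to still accept the lengths the daemon now sends (the Windows branch in the next hunk makes the same change). A one-line comment on the `recv()` line, `/* full struct so the optional auth tail is not cut off */`, would record why the bound grew.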
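Review bot: The Windows branch drops the `(DWORD)` cast the removed line carried, so `sizeof(reqpkt)` (a `size_t`, 64 bits on x64) is passed where `ReadFile()` takes a `DWORD`; it narrows correctly here but produces the conversion warnings the surrounding code avoids. Keep the cast for consistency with the old line: `ret = ReadFile((HANDLE)sockfd, (char *)&reqpkt, (DWORD)sizeof(reqpkt),`.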
@@ -554,15 +554,16 @@ process_private( if (proc->needs_auth && sys_authenticate) { l_fp ftmp; double dtemp; - - if (rbufp->recv_length < (int)((REQ_LEN_HDR + + + if (rbufp->recv_length < (REQ_LEN_HDR + (INFO_ITEMSIZE(inpkt->mbz_itemsize) * - INFO_NITEMS(inpkt->err_nitems)) - + sizeof(struct req_pkt_tail)))) { + INFO_NITEMS(inpkt->err_nitems)) + + sizeof(*tailinpkt))) { req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); - } - tailinpkt = (struct req_pkt_tail *)((char *)&rbufp->recv_pkt + - rbufp->recv_length - sizeof(struct req_pkt_tail)); + return; + } + tailinpkt = (void *)((char *)&rbufp->recv_pkt + + rbufp->recv_length - sizeof(*tailinpkt)); /* * If this guy is restricted from doing this, don't let him diff --git a/ntpdc/ntpdc.c b/ntpdc/ntpdc.c index f8e2e6a2e4..d789aa9bc4 100644 --- a/ntpdc/ntpdc.c +++ b/ntpdc/ntpdc.c @@ -923,25 +923,23 @@ sendrequest( qpkt.auth_seq = AUTH_SEQ(0, 0); return sendpkt((char *)&qpkt, req_pkt_size); } else { - l_fp ts; - int maclen = 0; - char *pass = "\0"; - struct req_pkt_tail *qpktail; - - qpktail = (struct req_pkt_tail *)((char *)&qpkt + req_pkt_size - + MAX_MAC_LEN - sizeof(struct req_pkt_tail)); + u_long key_id; + l_fp ts; + l_fp * ptstamp; + int maclen; + char * pass; if (info_auth_keyid == 0) { if (((struct conf_peer *)qpkt.data)->keyid > 0) info_auth_keyid = ((struct conf_peer *)qpkt.data)->keyid; else { - maclen = getkeyid("Keyid: "); - if (maclen == 0) { + key_id = getkeyid("Keyid: "); + if (key_id == 0) { (void) fprintf(stderr, "Invalid key identifier\n"); return 1; } - info_auth_keyid = maclen; + info_auth_keyid = key_id; } } if (!authistrusted(info_auth_keyid)) { @@ -958,7 +956,9 @@ sendrequest( qpkt.auth_seq = AUTH_SEQ(1, 0); get_systime(&ts); L_ADD(&ts, &delay_time); - HTONL_FP(&ts, &qpktail->tstamp); + ptstamp = (void *)((char *)&qpkt + req_pkt_size + - sizeof(qpkt.tstamp)); + HTONL_FP(&ts, ptstamp); maclen = authencrypt(info_auth_keyid, (u_int32 *)&qpkt, req_pkt_size); if (maclen == 0) { 
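Review bot: The added `return;` after `req_ack(srcadr, inter, inpkt, INFO_ERR_FMT)` closes the real hole — before it, a too-short packet still had `tailinpkt` computed from `recv_length - sizeof(...)`, which points before the buffer — but the comparison lost its `(int)` cast, so `rbufp->recv_length` is now compared directly against a `size_t` expression; if `recv_length` is a signed type (its declaration is not in the hunk), a negative value converts to a huge unsigned one and passes the check. Casting the known side, e.g. `if (rbufp->recv_length < 0 || (size_t)rbufp->recv_length < (REQ_LEN_HDR +`, or keeping the right-hand side in `int` as before, removes the ambiguity; the same signed/unsigned mix now applies wherever the parenthesised `size_t` macros from the include/ntp.h hunk meet an `int` length. It is also worth confirming that `INFO_ITEMSIZE()` and `INFO_NITEMS()` bound their fields, since both come from the untrusted `inpkt`. process_private continues beyond the hunk.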
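Review bot: `char * pass;` and `int maclen;` in sendrequest replace initialised declarations (`char *pass = "\0";`, `int maclen = 0;`) with uninitialised ones; `maclen` is assigned from `authencrypt()` in the next hunk before any read, but `pass` is not touched in either hunk, so whether it is assigned before use depends on code outside the hunks — please confirm. `key_id` is declared `u_long` and then stored into `info_auth_keyid`; if that variable is a 32-bit `keyid_t`, the store silently truncates on LP64 hosts, so declaring `key_id` with the type `getkeyid()` returns would be cleaner. The spacing in `l_fp * ptstamp` and `char * pass` also differs from the pointer style used on the hunk's other lines (`(char *)&qpkt`).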
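Review bot: `ptstamp = (void *)((char *)&qpkt + req_pkt_size - sizeof(qpkt.tstamp));` encodes the layout assumption that the timestamp is the last field of the `req_pkt_size`-byte prefix and that `authencrypt()` then writes the key id and MAC immediately after it, yet nothing states that `req_pkt_size >= sizeof(qpkt.tstamp)`, and the removed tail-pointer formula is exactly the kind of arithmetic p240 got wrong. A short comment would help the next reader: `/* tstamp is the last field before the keyid+MAC that authencrypt() appends at req_pkt_size */`. The rest of sendrequest, including how `maclen == 0` is handled, is outside the hunk.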
diff --git a/util/ntp-keygen.c b/util/ntp-keygen.c index bb1062d3e3..61eba4d5f6 100644 --- a/util/ntp-keygen.c +++ b/util/ntp-keygen.c @@ -256,7 +256,7 @@ main( #endif #ifdef OPENSSL - INIT_SSL(); + ssl_check_version(); fprintf(stderr, "Using OpenSSL version %lx\n", SSLeay()); #endif /* OPENSSL */