From: Harlan Stenn Date: Mon, 13 Dec 2010 06:29:30 +0000 (-0500) Subject: "server ... ident " changes from Dave Mills X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bc4f7fe17ecb4cd5f9ed8efe4a44eda2f8a4711d;p=thirdparty%2Fntp.git "server ... ident " changes from Dave Mills bk: 4d05bd4at_fjOdC18r4ciTDJOiAbbg --- diff --git a/ChangeLog b/ChangeLog index b1ac77b7f9..b36e12b897 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,4 @@ +* "server ... ident " changes from Dave Mills. * Documentation updates from Dave Mills. (4.2.7p92) 2010/12/08 Released by Harlan Stenn * [Bug 1743] from 4.2.6p3-RC12: Display timezone offset when showing diff --git a/include/ntp.h b/include/ntp.h index d4c56b6262..4d4dc47f70 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -272,6 +272,7 @@ struct peer { u_char last_event; /* last peer error code */ u_char num_events; /* number of error events */ u_char ttl; /* ttl/refclock mode */ + char *ident; /* group identifier name */ /* * Variables used by reference clock support diff --git a/include/ntp_control.h b/include/ntp_control.h index 0e94a58c3c..f42254f111 100644 --- a/include/ntp_control.h +++ b/include/ntp_control.h @@ -261,7 +261,8 @@ struct ntp_control { #define CP_INITKEY (5 + CP_MAX_NOAUTOKEY) #define CP_INITTSP (6 + CP_MAX_NOAUTOKEY) #define CP_SIGNATURE (7 + CP_MAX_NOAUTOKEY) -#define CP_MAXCODE CP_SIGNATURE +#define CP_IDENT (8 + CP_MAX_NOAUTOKEY) +#define CP_MAXCODE CP_IDENT #else /* !AUTOKEY follows */ #define CP_MAXCODE CP_MAX_NOAUTOKEY #endif /* !AUTOKEY */ diff --git a/include/ntpd.h b/include/ntpd.h index 9f43132200..51bea6c3a9 100644 --- a/include/ntpd.h +++ b/include/ntpd.h 
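Review bot: The new `char *ident;` member of struct peer is assigned from newpeer's new `const char *group` parameter (the ntpd/ntp_peer.c @@ -893 hunk), which discards the qualifier and leaves the field writable although the caller handed the string over as read-only. Every consumer this commit adds (ctl_putstr in ntp_control.c, snprintf in crypto_ident) only needs a const pointer, so declare it `const char *ident; /* group identifier name */`. The struct peer definition starts and ends outside the hunk.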
@@ -186,7 +186,7 @@ extern void set_peerdstadr (struct peer *peer, extern struct peer *newpeer (sockaddr_u *, const char *, struct interface *, u_char, u_char, u_char, u_char, u_int, u_char, u_char, - keyid_t); + keyid_t, const char *); extern void peer_all_reset (void); extern void peer_clr_stats (void); extern struct peer *peer_config(sockaddr_u *, const char *, diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c index 9ff5a8f113..eb76de3f03 100644 --- a/ntpd/ntp_control.c +++ b/ntpd/ntp_control.c @@ -270,8 +270,9 @@ static struct ctl_var peer_var[] = { { CP_INITKEY, RO, "initkey" }, /* 47 */ { CP_INITTSP, RO, "timestamp" }, /* 48 */ { CP_SIGNATURE, RO, "signature" }, /* 49 */ + { CP_IDENT, RO, "ident" }, /* 44 */ #endif /* AUTOKEY */ - { 0, EOV, "" } /* 43/50 */ + { 0, EOV, "" } /* 44/51 */ }; @@ -319,6 +320,7 @@ static u_char def_peer_var[] = { CP_SIGNATURE, CP_VALID, CP_INITSEQ, + CP_IDENT, #endif /* AUTOKEY */ 0 }; @@ -1997,7 +1999,7 @@ ctl_putpeer( case CP_HOST: if (p->subject != NULL) ctl_putstr(peer_var[id].text, p->subject, - strlen(p->subject)); + strlen(p->subject)); break; case CP_VALID: /* not used */ @@ -2012,6 +2014,14 @@ ctl_putpeer( ctl_putfs(peer_var[CP_INITTSP].text, ntohl(p->recval.tstamp)); break; + + case CP_IDENT: + if (p->ident != NULL) + ctl_putstr(peer_var[id].text, p->ident, + strlen(p->ident)); + break; + + #endif /* AUTOKEY */ } } diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c index 3930c34982..e484fe0c30 100644 --- a/ntpd/ntp_crypto.c +++ b/ntpd/ntp_crypto.c @@ -1627,7 +1627,7 @@ crypto_ident( */ if (peer->crypto & CRYPTO_FLAG_IFF) { snprintf(filename, MAXFILENAME, "ntpkey_iffpar_%s", - peer->issuer); + peer->ident); peer->ident_pkey = crypto_key(filename, NULL, &peer->srcadr); if (peer->ident_pkey != NULL) 
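Review bot: The index comments on the new peer_var entry and on the terminator do not match the table: `{ CP_IDENT, RO, "ident" }, /* 44 */` follows entries 47, 48 and 49 inside the AUTOKEY block, so it is entry 50, and because it is only compiled under AUTOKEY the non-AUTOKEY count is unchanged, which makes the terminator `{ 0, EOV, "" } /* 43/51 */` rather than `44/51`. The same index convention is used throughout this table, so a wrong value here misleads anyone cross-checking def_peer_var in the @@ -319 hunk. The peer_var array starts outside the hunk.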
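Review bot: The new `case CP_IDENT:` is followed by two blank lines before `#endif /* AUTOKEY */`, whereas the other cases in this switch are separated by a single blank line; drop one of them. The `if (p->ident != NULL)` guard mirrors the CP_HOST case above it, which is the right shape since the ntp_proto.c hunks create ephemeral associations with a NULL group. The enclosing switch and ctl_putpeer continue outside the hunk.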
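Review bot: `peer->ident` is now formatted with `%s` into the parameter filename, but nothing in the visible part of crypto_ident (which starts above the hunk) rejects a NULL ident, and the ntp_proto.c hunks create associations with `skeyid, NULL`; passing NULL to `%s` is undefined behaviour. If crypto_ident is only reachable after cert_hike has seen a non-NULL ident, state that precondition in the function comment; otherwise add `if (peer->ident == NULL) return (CRYPTO_NULL);` ahead of the three lookups (the @@ -1635 and @@ -1643 hunks have the same shape). Building the filename from the locally configured ident instead of the certificate-supplied `peer->issuer` is the sounder choice, since the old code let the remote certificate pick which parameter file was opened; by the same reasoning the configuration parser should reject an ident containing a path separator so the name stays a single path component.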
@@ -1635,7 +1635,7 @@ crypto_ident( } if (peer->crypto & CRYPTO_FLAG_GQ) { snprintf(filename, MAXFILENAME, "ntpkey_gqpar_%s", - peer->issuer); + peer->ident); peer->ident_pkey = crypto_key(filename, NULL, &peer->srcadr); if (peer->ident_pkey != NULL) @@ -1643,15 +1643,13 @@ crypto_ident( } if (peer->crypto & CRYPTO_FLAG_MV) { snprintf(filename, MAXFILENAME, "ntpkey_mvpar_%s", - peer->issuer); + peer->ident); peer->ident_pkey = crypto_key(filename, NULL, &peer->srcadr); if (peer->ident_pkey != NULL) return (CRYPTO_MV); } - msyslog(LOG_NOTICE, - "crypto_ident: no identity parameters found for group %s", - peer->issuer); + report_event(XEVNT_ID, peer, NULL); return (CRYPTO_NULL); } @@ -3157,20 +3155,15 @@ cert_hike( if (!(yp->flags & CERT_TRUST)) return (XEVNT_OK); - peer->grpkey = yp->grpkey; - peer->crypto |= CRYPTO_FLAG_CERT; - if (!(peer->crypto & CRYPTO_FLAG_MASK)) - peer->crypto |= CRYPTO_FLAG_VRFY | - CRYPTO_FLAG_PROV; - /* * If the server has an an identity scheme, fetch the * identity credentials. If not, the identity is * verified only by the trusted certificate. The next * signature will set the server proventic. */ - if (!(peer->crypto & CRYPTO_FLAG_MASK) || - sys_groupname == NULL) + peer->crypto |= CRYPTO_FLAG_CERT; + peer->grpkey = yp->grpkey; + if (peer->ident == NULL) peer->crypto |= CRYPTO_FLAG_VRFY; } @@ -3800,21 +3793,6 @@ crypto_setup(void) } hostval.vallen = htonl(strlen(cinfo->subject)); hostval.ptr = cinfo->subject; - - /* - * If trusted certificate, the subject name must match the group - * name. - */ - if (cinfo->flags & CERT_TRUST) { - if (sys_groupname == NULL) { - sys_groupname = hostval.ptr; - } else if (strcmp(hostval.ptr, sys_groupname) != 0) { - msyslog(LOG_ERR, - "crypto_setup: trusted certificate name %s does not match group name %s", - (char *)hostval.ptr, sys_groupname); - exit (-1); - } - } if (sys_groupname != NULL) { /* diff --git a/ntpd/ntp_peer.c b/ntpd/ntp_peer.c index 4f2f78b38f..280ffa07bb 100644 --- a/ntpd/ntp_peer.c 
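Review bot: The comment above the new condition says the identity credentials are fetched "if the server has an identity scheme", but the code now keys on the client's own configuration: `if (peer->ident == NULL) peer->crypto |= CRYPTO_FLAG_VRFY;` marks a server verified straight after the trusted certificate whenever the operator omitted `ident` on the `server` line, where the removed test also consulted CRYPTO_FLAG_MASK. If that opt-in behaviour is intended, reword the comment to `If this association was configured with an ident group, fetch the identity credentials; otherwise the trusted certificate alone verifies the server.`; if not, keep the CRYPTO_FLAG_MASK test alongside the ident check. The hunk also stops setting CRYPTO_FLAG_PROV here, so proventication now rests solely on the later signature, as the comment's last sentence states. Together with the @@ -3800 hunk below, which drops the startup check that a trusted certificate's subject matches sys_groupname, the group name is no longer bound to the certificate, and the ChangeLog entry should say so. cert_hike starts and ends outside the hunk.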
+++ b/ntpd/ntp_peer.c @@ -565,7 +565,7 @@ peer_config( if ((MDF_ACAST | MDF_POOL) & cast_flags) flags &= ~FLAG_PREEMPT; return newpeer(srcadr, hostname, dstadr, hmode, version, - minpoll, maxpoll, flags, cast_flags, ttl, key); + minpoll, maxpoll, flags, cast_flags, ttl, key, group); } /* @@ -763,7 +763,8 @@ newpeer( u_int flags, u_char cast_flags, u_char ttl, - keyid_t key + keyid_t key, + const char * group ) { struct peer *peer; @@ -893,6 +894,7 @@ newpeer( #endif /* AUTOKEY */ peer->ttl = (u_char)ttl; peer->keyid = key; + peer->ident = group; peer->precision = sys_precision; peer->hpoll = peer->minpoll; if (cast_flags & MDF_ACAST) diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index 12f1a04e3c..9a89910ca2 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -841,7 +841,7 @@ receive( if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, MODE_CLIENT, hisversion, NTP_MINDPOLL, NTP_MAXDPOLL, FLAG_PREEMPT, MDF_UCAST | MDF_UCLNT, 0, - skeyid)) == NULL) { + skeyid, NULL)) == NULL) { sys_declined++; return; /* ignore duplicate */ } @@ -923,7 +923,7 @@ receive( if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, MODE_BCLIENT, hisversion, pkt->ppoll, pkt->ppoll, 0, 0, 0, - skeyid)) == NULL) { + skeyid, NULL)) == NULL) { sys_restricted++; return; /* ignore duplicate */ @@ -943,7 +943,7 @@ receive( */ if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, MODE_CLIENT, hisversion, pkt->ppoll, - pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid)) == + pkt->ppoll, FLAG_IBURST, MDF_BCLNT, 0, skeyid, NULL)) == NULL) { sys_restricted++; return; /* ignore duplicate */ @@ -1004,7 +1004,7 @@ receive( */ if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll, - NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid)) == NULL) { + NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid, NULL)) == NULL) { sys_declined++; return; /* ignore duplicate */ } diff --git a/util/ntp-keygen.c b/util/ntp-keygen.c index 5dcb05b38e..a088394cde 100644 
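Review bot: `peer->ident = group;` stores the caller's pointer without copying, and neither the hunk nor the new parameter in the @@ -763 hunk documents who owns the string or how long it lives; if the configuration parser frees or rebuilds its buffer after peer_config returns, the peer keeps a dangling pointer that crypto_ident later passes to snprintf. Either copy it, `peer->ident = (group != NULL) ? estrdup(group) : NULL;`, with a matching free where the peer is unlinked, or add `/* ident points into the parsed configuration and is never freed here */` beside the assignment once that lifetime is confirmed. newpeer starts and ends outside the hunk.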
--- a/util/ntp-keygen.c +++ b/util/ntp-keygen.c @@ -270,6 +270,7 @@ main( passwd2 = NULL; gettimeofday(&tv, 0); epoch = tv.tv_sec; + fstamp = epoch + JAN_1970; { int optct = optionProcess(&ntp_keygenOptions, argc, argv); @@ -469,7 +470,7 @@ main( readlink(filename, filename, sizeof(filename)); fprintf(stderr, "Using sign key %s\n", filename); - } else if (pkey_host != NULL) { + } else { pkey_sign = pkey_host; fprintf(stderr, "Using host key as sign key\n"); } @@ -502,7 +503,6 @@ main( if (pkey_gqkey != NULL && HAVE_OPT(ID_KEY)) { RSA *rsa; - epoch = fstamp - JAN_1970; sprintf(filename, "ntpkey_gqpar_%s.%u", groupname, fstamp); fprintf(stderr, "Writing GQ parameters %s to stdout\n", @@ -567,7 +567,6 @@ main( if (pkey_iffkey != NULL && HAVE_OPT(ID_KEY)) { DSA *dsa; - epoch = fstamp - JAN_1970; sprintf(filename, "ntpkey_iffpar_%s.%u", groupname, fstamp); fprintf(stderr, "Writing IFF parameters %s to stdout\n", @@ -591,7 +590,6 @@ main( if (pkey_iffkey != NULL && passwd2 != NULL) { DSA *dsa; - epoch = fstamp - JAN_1970; sprintf(filename, "ntpkey_iffkey_%s.%u", groupname, fstamp); fprintf(stderr, "Writing IFF keys %s to stdout\n", @@ -631,7 +629,6 @@ main( * associated with client key 1. */ if (pkey_mvkey != NULL && HAVE_OPT(ID_KEY)) { - epoch = fstamp - JAN_1970; sprintf(filename, "ntpkey_mvpar_%s.%u", groupname, fstamp); fprintf(stderr, "Writing MV parameters %s to stdout\n", @@ -650,7 +647,6 @@ main( * Write the encrypted MV server keys to the stdout stream. */ if (pkey_mvkey != NULL && passwd2 != NULL) { - epoch = fstamp - JAN_1970; sprintf(filename, "ntpkey_mvkey_%s.%u", groupname, fstamp); fprintf(stderr, "Writing MV keys %s to stdout\n", 
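Review bot: `} else {` now assigns `pkey_sign = pkey_host;` even when no host key was loaded, and the @@ -666 hunk that follows removes the `pkey_host == NULL` early exit that used to keep that case away from x509(); unless an earlier branch guarantees pkey_host is non-NULL by this point, x509 is now called with a NULL signing key. If the guarantee exists, a comment such as `/* pkey_host is always set by this point, so it is the fallback sign key */` makes it checkable; otherwise restore the `pkey_host != NULL` test and fail with a diagnostic. main starts and ends outside the hunk.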
@@ -666,16 +662,8 @@ main( } /* - * Don't generate a certificate if no host keys or extracting - * encrypted or nonencrypted keys to the standard output stream. - */ - if (pkey_host == NULL || HAVE_OPT(ID_KEY) || passwd2 != NULL) - exit (0); - - /* - * Decode the digest/signature scheme. If trusted, set the - * subject and issuer names to the group name; if not set both - * to the host name. + * Decode the digest/signature scheme and create the + * certificate. Do this every time we run the program. */ ectx = EVP_get_digestbyname(scheme); if (ectx == NULL) { @@ -684,10 +672,7 @@ main( scheme); exit (-1); } - if (exten == NULL) - x509(pkey_sign, ectx, grpkey, exten, certname); - else - x509(pkey_sign, ectx, grpkey, exten, groupname); + x509(pkey_sign, ectx, grpkey, exten, certname); #endif /* AUTOKEY */ exit (0); } @@ -1809,7 +1794,7 @@ x509 ( const EVP_MD *md, /* generic digest algorithm */ char *gqpub, /* identity extension (hex string) */ char *exten, /* private cert extension */ - char *name /* subject/issuer namd */ + char *name /* subject/issuer name */ ) { X509 *cert; /* X509 certificate */ @@ -2053,8 +2038,7 @@ fheader ( char linkname[MAXFILENAME]; /* link name */ int temp; - sprintf(filename, "ntpkey_%s_%s.%lu", file, owner, epoch + - JAN_1970); + sprintf(filename, "ntpkey_%s_%s.%u", file, owner, fstamp); if ((str = fopen(filename, "w")) == NULL) { perror("Write"); exit (-1);
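Review bot: The call is now unconditionally `x509(pkey_sign, ectx, grpkey, exten, certname);`, so a trusted certificate (exten set) gets certname as subject and issuer where it previously got groupname, and with the early exit gone a certificate is written on every run, including the key-extraction runs; neither change is mentioned in the ChangeLog line. The new comment `Do this every time we run the program.` covers the second point but not the first; if always using certname is intended, add `the subject and issuer are always certname, even for trusted certificates` to it. main continues outside the hunk.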
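Review bot: The rewritten `sprintf(filename, "ntpkey_%s_%s.%u", file, owner, fstamp);` is still unbounded, and `owner` is a name taken from the command line; since the line is being touched anyway, and `linkname` two lines above is a MAXFILENAME array, use `snprintf(filename, sizeof(filename), "ntpkey_%s_%s.%u", file, owner, fstamp);` provided filename is declared the same way (its declaration is above the hunk). The format also changed from `%lu` with a long expression to `%u` with fstamp, so fstamp must be an unsigned int for the conversion to be defined; its declaration is not in the hunk and should be confirmed against the `fstamp = epoch + JAN_1970;` assignment in the @@ -270 hunk. fheader starts before the hunk and continues after it.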