From: Harlan Stenn Date: Fri, 28 Jun 2002 05:35:26 +0000 (-0400) Subject: Cleanup from Dave. X-Git-Tag: NTP_4_1_73~134^2~2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c867a6be25dce644232c5877bd1ed5ac190af30a;p=thirdparty%2Fntp.git Cleanup from Dave. bk: 3d1bf59eoyH1S-Vl3dSH2gZYNTT9pA
---
diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 1d8efe4354..c7fcb0793a 100644
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -1472,18 +1472,19 @@ ctl_putpeer( case CP_REFID: if (peer->flags & FLAG_REFCLOCK) { if (peer->stratum > 0) - ctl_putadr(peer_var[CP_REFID].text, - peer->refid); + ctl_putadr(peer_var[CP_REFID].text, + peer->refid); else - ctl_putid(peer_var[CP_REFID].text, - (char *)&peer->refid); + ctl_putid(peer_var[CP_REFID].text, + (char *)&peer->refid); } else { - if (peer->stratum > 1) - ctl_putadr(peer_var[CP_REFID].text, - peer->refid); + if (peer->stratum > 1 && peer->stratum < + STRATUM_UNSPEC) + ctl_putadr(peer_var[CP_REFID].text, + peer->refid); else - ctl_putid(peer_var[CP_REFID].text, - (char *)&peer->refid); + ctl_putid(peer_var[CP_REFID].text, + (char *)&peer->refid); } break;
diff --git a/ntpd/ntp_crypto.c b/ntpd/ntp_crypto.c
index 9521b199c4..489febec6c 100644
--- a/ntpd/ntp_crypto.c
+++ b/ntpd/ntp_crypto.c
@@ -1091,11 +1091,10 @@ crypto_xmit( char certname[MAX_HOSTLEN + 1]; /* subject name buffer */ u_char statstr[NTP_MAXSTRLEN]; /* statistics for filegen */ u_int vallen; + u_int len; struct value vtemp; associd_t associd; int rval; - u_int len; - u_int32 temp32; keyid_t tcookie; /*
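Review bot: In ctl_putpeer's CP_REFID case, the new upper bound `peer->stratum < STRATUM_UNSPEC` has no comment saying why a peer at the unspecified stratum must have its refid printed as text rather than as an address, and the test is added only in the non-refclock branch. A one-line comment above the test would record the intent, e.g. `/* stratum 0/1 or unspecified: refid is a 4-character ASCII code, not an address */`. This reading is inferred from the ntp_proto.c change in the same commit, which copies "DENY" into peer->refid. The argument `(char *)&peer->refid` is a four-byte field with no terminator, so it is worth confirming that ctl_putid bounds its copy to four bytes; its body is outside this hunk.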
@@ -1119,17 +1118,6 @@ crypto_xmit( * the identity schemes are compatible to save tears later on. */ case CRYPTO_ASSOC | CRYPTO_RESP: - temp32 = ntohl(fp->fstamp); - -printf("xxx %x %x\n", temp32, crypto_flags); - - if (!((crypto_flags & temp32 & CRYPTO_FLAG_PRIV) || - (crypto_flags & temp32 & CRYPTO_FLAG_IFF) || - (crypto_flags & temp32 & CRYPTO_FLAG_GQ) || - !(crypto_flags & (CRYPTO_FLAG_PRIV | - CRYPTO_FLAG_IFF | CRYPTO_FLAG_GQ)))) - rval = XEVNT_ID; - case CRYPTO_ASSOC: len += crypto_send(fp, &hostval); if (crypto_time() == 0)
diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c
index fb5e5be78c..9841f07149 100644
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -635,8 +635,8 @@ receive( * immediately. */ if (crypto_flags && ((restrict_mask & (RES_DONTSERVE | - RES_LIMITED | RES_NOPEER)) || (sys_authenticate && - !is_authentic))) + RES_LIMITED | RES_NOPEER | RES_DEMOBILIZE)) || + (sys_authenticate && !is_authentic))) return; peer2 = findmanycastpeer(rbufp);
@@ -663,16 +663,24 @@ receive( /* * This is the first packet received from a symmetric * active peer. First, make sure the packet is - * authentic. If so, mobilize a symmetric passive - * association. We should figure out how to avoid - * mobilizing associations when the identity schemes are - * incompatible. + * authentic. Send a kiss-of-death packet if we have + * been kissed by a frog. Drop the packet if other + * restrictions or bum authentic. Otherwise, crank up a + * passive association. */ - if ((restrict_mask & (RES_DONTSERVE | RES_LIMITED | - RES_NOPEER)) || (has_mac && sys_authenticate && - !is_authentic)) { - fast_xmit(rbufp, MODE_PASSIVE, 0, - restrict_mask); + if (restrict_mask & RES_DEMOBILIZE) { + if (has_mac && sys_authenticate && + !is_authentic) + fast_xmit(rbufp, MODE_PASSIVE, 0, + restrict_mask); + else + fast_xmit(rbufp, MODE_PASSIVE, skeyid, + restrict_mask); + return; + + } else if ((restrict_mask & (RES_DONTSERVE | + RES_LIMITED | RES_NOPEER)) || (has_mac && + sys_authenticate && !is_authentic)) { return; } peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
@@ -693,8 +701,8 @@ receive( * association. */ if ((restrict_mask & (RES_DONTSERVE | RES_LIMITED | - RES_NOPEER)) || (sys_authenticate && - !is_authentic) || !sys_bclient) + RES_NOPEER | RES_DEMOBILIZE)) || + (sys_authenticate && !is_authentic) || !sys_bclient) return; peer = newpeer(&rbufp->recv_srcadr, rbufp->dstadr,
@@ -728,7 +736,8 @@ receive( case AM_PROCPKT: /* - * Happiness and nothing broke. Earn some revenue. + * Here be active, passive, server and broadcast packets + * and nothing broke. Earn some revenue. */ break;
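Review bot: In the -663 hunk, the new `if (restrict_mask & RES_DEMOBILIZE)` branch of receive() sends a reply for every packet from a source carrying that flag, including packets that failed authentication. Per the fast_xmit hunk later in this commit, that reply is a kiss-of-death only when the mask also has RES_DONTSERVE or RES_LIMITED; with RES_DEMOBILIZE alone the sender appears to get an ordinary MODE_PASSIVE reply even though no association is mobilized. Since the source address of an unauthenticated packet is unverified, answering each one means a forged source address can cause this host to send packets to a third party, so the reply path should be rate limited or confined to the restricted case. At minimum the comment should replace "kissed by a frog" with the actual condition, e.g. `/* RES_DEMOBILIZE: always answer and never mobilize; fast_xmit() sends a KoD only if RES_DONTSERVE or RES_LIMITED is also set */`. The surrounding case continues outside the hunk.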
@@ -1127,6 +1136,35 @@ process_packet( p_org = peer->rec; pstratum = PKT_TO_STRATUM(pkt->stratum); + /* + * A kiss-of-death (kod) packet is returned by a server in case + * the client is denied access. It consists of the client + * request packet with the leap bits indicating never + * synchronized, stratum zero and reference ID field the ASCII + * string "DENY". If the packet originate timestamp matches the + * association transmit timestamp the kod is legitimate. If the + * peer leap bits indicate never synchronized, this must be + * access deny and the association is disabled; otherwise this + * must be a limit reject. In either case a naughty message is + * forced to the system log. + */ + if (pleap == LEAP_NOTINSYNC && pstratum >= STRATUM_UNSPEC && + memcmp(&pkt->refid, "DENY", 4) == 0) { + if (peer->leap == LEAP_NOTINSYNC) { /* test 4 */ + peer->stratum = STRATUM_UNSPEC; + peer->flash |= TEST4; /* denied */ + memcpy(&peer->refid, &pkt->refid, 4); + msyslog(LOG_INFO, "access denied"); + } else { + msyslog(LOG_INFO, "limit reject"); + } +#if DEBUG + if (debug) + printf("packet: kissed by a frog\n"); +#endif + return; + } + /* * Test for unsynchronized server. */ 
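Review bot: The kiss-of-death block added to process_packet() tests only the leap bits, the stratum and the "DENY" refid; nothing in it compares the packet's originate timestamp (`p_org`) with the association's transmit timestamp, although its own comment says that match is what makes a KoD legitimate. The block now runs ahead of the unsynchronized-server test and the checks after it. Unless the timestamp match is enforced before this point, which the hunk does not show, a packet that merely carries these three fields reaches `peer->stratum = STRATUM_UNSPEC` and `peer->flash |= TEST4` and the association is disabled. I would add the originate-timestamp comparison to the `if` condition, or reword the comment to say where that validation happens. The two msyslog() calls also omit the peer address and fire on every matching packet, so the log neither identifies the server that sent the KoD nor resists flooding; include the source address and suppress repeats.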
@@ -1156,31 +1194,6 @@ process_packet( return; } - /* - * A kiss-of-death (kod) packet is returned by a server in case - * the client is denied access. It consists of the client - * request packet with the leap bits indicating never - * synchronized, stratum zero and reference ID field the ASCII - * string "DENY". If the packet originate timestamp matches the - * association transmit timestamp the kod is legitimate. If the - * peer leap bits indicate never synchronized, this must be - * access deny and the association is disabled; otherwise this - * must be a limit reject. In either case a naughty message is - * forced to the system log. - */ - if (pleap == LEAP_NOTINSYNC && pstratum >= STRATUM_UNSPEC && - memcmp(&pkt->refid, "DENY", 4) == 0) { - if (peer->leap == LEAP_NOTINSYNC) { /* test 4 */ - peer->stratum = STRATUM_UNSPEC; - peer->flash |= TEST4; /* denied */ - memcpy(&peer->refid, &pkt->refid, 4); - msyslog(LOG_INFO, "access denied"); - } else { - msyslog(LOG_INFO, "limit reject"); - } - return; - } - /* * Test for valid peer data (tests 6-8) */
@@ -2660,18 +2673,21 @@ fast_xmit( /* * If the caller is restricted, return a kiss-of-death packet; - * otherwise, smooch politely. + * otherwise, just drop it. */ if (mask & (RES_DONTSERVE | RES_LIMITED)) { - if (!(mask & RES_DEMOBILIZE)) { + if (!(mask & RES_DEMOBILIZE)) return; - } else { - xpkt.li_vn_mode = - PKT_LI_VN_MODE(LEAP_NOTINSYNC, - PKT_VERSION(rpkt->li_vn_mode), xmode); - xpkt.stratum = STRATUM_UNSPEC; - memcpy(&xpkt.refid, "DENY", 4); - } + + xpkt.li_vn_mode = PKT_LI_VN_MODE(LEAP_NOTINSYNC, + PKT_VERSION(rpkt->li_vn_mode), xmode); + xpkt.stratum = STRATUM_UNSPEC; + memcpy(&xpkt.refid, "DENY", 4); +#if DEBUG + if (debug) + printf( + "fast_xmit: kiss-of-death packet sent\n"); +#endif } else { xpkt.li_vn_mode = PKT_LI_VN_MODE(sys_leap, PKT_VERSION(rpkt->li_vn_mode), xmode);
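Review bot: The rewritten header comment in the fast_xmit() hunk, "If the caller is restricted, return a kiss-of-death packet; otherwise, just drop it", does not match the code beneath it. A caller restricted by RES_DONTSERVE or RES_LIMITED is dropped unless RES_DEMOBILIZE is also set, and an unrestricted caller reaches the `else` branch, which builds a normal reply using `sys_leap`. Suggested wording: `If the caller is restricted and RES_DEMOBILIZE is set, return a kiss-of-death packet; if restricted without it, drop the packet; otherwise send a normal reply.` The KoD branch has no visible rate limit, so it is worth stating in the same comment whether callers are expected to throttle; fast_xmit's body continues outside the hunk.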