Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.in | 1 | ||||
-rw-r--r-- | include/isc/Makefile.in | 1 | ||||
-rw-r--r-- | include/ntp.h | 68 | ||||
-rw-r--r-- | include/ntp_calendar.h | 23 | ||||
-rw-r--r-- | include/ntp_config.h | 21 | ||||
-rw-r--r-- | include/ntp_fp.h | 1 | ||||
-rw-r--r-- | include/ntp_keyacc.h | 8 | ||||
-rw-r--r-- | include/ntp_request.h | 9 | ||||
-rw-r--r-- | include/ntp_stdlib.h | 4 | ||||
-rw-r--r-- | include/ntpd.h | 42 | ||||
-rw-r--r-- | include/recvbuff.h | 5 | ||||
-rw-r--r-- | include/ssl_applink.c | 22 |
12 files changed, 140 insertions, 65 deletions
diff --git a/include/Makefile.in b/include/Makefile.in
index ebab2b508dd48..15a1e869996d8 100644
--- a/include/Makefile.in
+++ b/include/Makefile.in
@@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \
 $(top_srcdir)/sntp/m4/ltsugar.m4 \
 $(top_srcdir)/sntp/m4/ltversion.m4 \
 $(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
 $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
 $(top_srcdir)/sntp/m4/ntp_compiler.m4 \
 $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
diff --git a/include/isc/Makefile.in b/include/isc/Makefile.in
index e3bee1ed332a2..192fe0867c12b 100644
--- a/include/isc/Makefile.in
+++ b/include/isc/Makefile.in
@@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \
 $(top_srcdir)/sntp/m4/ltsugar.m4 \
 $(top_srcdir)/sntp/m4/ltversion.m4 \
 $(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
 $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
 $(top_srcdir)/sntp/m4/ntp_compiler.m4 \
 $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
diff --git a/include/ntp.h b/include/ntp.h
index 323135da4a893..fb739c756848e 100644
--- a/include/ntp.h
+++ b/include/ntp.h
@@ -553,11 +553,13 @@ struct pkt { l_fp rec; /* receive time stamp */ l_fp xmt; /* transmit time stamp */ -#define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */ -#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */ -#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */ -#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */ +#define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */ +#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */ +#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */ +#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */ #define MAX_MAC_LEN (6 * sizeof(u_int32)) /* SHA */ +#define KEY_MAC_LEN sizeof(u_int32) /* key ID in MAC */ +#define MAX_MDG_LEN (MAX_MAC_LEN-KEY_MAC_LEN) /* max. digest len */ /* * The length of the packet less MAC must be a multiple of 64 @@ -822,11 +824,12 @@ typedef struct res_addr6_tag { typedef struct restrict_u_tag restrict_u; struct restrict_u_tag { - restrict_u * link; /* link to next entry */ - u_int32 count; /* number of packets matched */ - u_short flags; /* accesslist flags */ - u_short mflags; /* match flags */ - u_long expire; /* valid until time */ + restrict_u * link; /* link to next entry */ + u_int32 count; /* number of packets matched */ + u_short rflags; /* restrict (accesslist) flags */ + u_short mflags; /* match flags */ + short ippeerlimit; /* IP peer limit */ + u_long expire; /* valid until time */ union { /* variant starting here */ res_addr4 v4; res_addr6 v6; 
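Review bot: `MAX_MDG_LEN` is defined as `MAX_MAC_LEN-KEY_MAC_LEN` with `KEY_MAC_LEN` being `sizeof(u_int32)`, but the two ntp_request.h hunks that now size `mac[]` with `MAX_MDG_LEN` previously subtracted `sizeof(keyid_t)`, so the digest length of `req_pkt` and `req_pkt_tail` silently depends on `keyid_t` staying four bytes wide. Record that coupling where the constant is defined, e.g. `#define KEY_MAC_LEN sizeof(u_int32) /* key ID in MAC; must equal sizeof(keyid_t), see req_pkt */`, so a later change to `keyid_t` cannot desynchronize the MAC size from the digest size without a reader noticing. The same point applies to both ntp_request.h hunks that switch `mac[]` to `MAX_MDG_LEN`.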
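Review bot: The new `short ippeerlimit; /* IP peer limit */` in `restrict_u_tag` is signed but its comment does not say which value means "no limit" or whether zero is a valid limit, and that sentinel is exactly what a reviewer of the enforcement code in ntp_restrict.c will need. State it on the field, e.g. `short ippeerlimit; /* max peers from one IP; -1 = unlimited */` if -1 is the sentinel, or whatever the implementation actually uses. Note that it sits between two `u_short` fields, so a mis-ordered initializer list would compile without warning.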
@@ -837,28 +840,40 @@ struct restrict_u_tag { #define V6_SIZEOF_RESTRICT_U (offsetof(restrict_u, u) \ + sizeof(res_addr6)) +typedef struct r4addr_tag r4addr; +struct r4addr_tag { + u_short rflags; /* match flags */ + short ippeerlimit; /* IP peer limit */ +}; + +char *build_iflags(u_int32 flags); +char *build_mflags(u_short mflags); +char *build_rflags(u_short rflags); + /* - * Access flags + * Restrict (Access) flags (rflags) */ #define RES_IGNORE 0x0001 /* ignore packet */ #define RES_DONTSERVE 0x0002 /* access denied */ #define RES_DONTTRUST 0x0004 /* authentication required */ #define RES_VERSION 0x0008 /* version mismatch */ #define RES_NOPEER 0x0010 /* new association denied */ -#define RES_LIMITED 0x0020 /* packet rate exceeded */ +#define RES_NOEPEER 0x0020 /* new ephemeral association denied */ +#define RES_LIMITED 0x0040 /* packet rate exceeded */ #define RES_FLAGS (RES_IGNORE | RES_DONTSERVE |\ RES_DONTTRUST | RES_VERSION |\ - RES_NOPEER | RES_LIMITED) + RES_NOPEER | RES_NOEPEER | RES_LIMITED) -#define RES_NOQUERY 0x0040 /* mode 6/7 packet denied */ -#define RES_NOMODIFY 0x0080 /* mode 6/7 modify denied */ -#define RES_NOTRAP 0x0100 /* mode 6/7 set trap denied */ -#define RES_LPTRAP 0x0200 /* mode 6/7 low priority trap */ +#define RES_NOQUERY 0x0080 /* mode 6/7 packet denied */ +#define RES_NOMODIFY 0x0100 /* mode 6/7 modify denied */ +#define RES_NOTRAP 0x0200 /* mode 6/7 set trap denied */ +#define RES_LPTRAP 0x0400 /* mode 6/7 low priority trap */ -#define RES_KOD 0x0400 /* send kiss of death packet */ -#define RES_MSSNTP 0x0800 /* enable MS-SNTP authentication */ -#define RES_FLAKE 0x1000 /* flakeway - drop 10% */ -#define RES_NOMRULIST 0x2000 /* mode 6 mrulist denied */ +#define RES_KOD 0x0800 /* send kiss of death packet */ +#define RES_MSSNTP 0x1000 /* enable MS-SNTP authentication */ +#define RES_FLAKE 0x2000 /* flakeway - drop 10% */ +#define RES_NOMRULIST 0x4000 /* mode 6 mrulist denied */ +#define RES_UNUSED 0x8000 /* Unused flag bits */ 
#define RES_ALLFLAGS (RES_FLAGS | RES_NOQUERY | \ RES_NOMODIFY | RES_NOTRAP | \ @@ -867,7 +882,7 @@ struct restrict_u_tag { RES_NOMRULIST) /* - * Match flags + * Match flags (mflags) */ #define RESM_INTERFACE 0x1000 /* this is an interface */ #define RESM_NTPONLY 0x2000 /* match source port 123 */ @@ -876,10 +891,13 @@ struct restrict_u_tag { /* * Restriction configuration ops */ -#define RESTRICT_FLAGS 1 /* add flags to restrict entry */ -#define RESTRICT_UNFLAG 2 /* remove flags from restrict entry */ -#define RESTRICT_REMOVE 3 /* remove a restrict entry */ -#define RESTRICT_REMOVEIF 4 /* remove an interface restrict entry */ +typedef enum +restrict_ops { + RESTRICT_FLAGS = 1, /* add rflags to restrict entry */ + RESTRICT_UNFLAG, /* remove rflags from restrict entry */ + RESTRICT_REMOVE, /* remove a restrict entry */ + RESTRICT_REMOVEIF, /* remove an interface restrict entry */ +} restrict_op; /* * Endpoint structure for the select algorithm diff --git a/include/ntp_calendar.h b/include/ntp_calendar.h index 6f36c0777aba6..41c58797b2c78 100644 --- a/include/ntp_calendar.h +++ b/include/ntp_calendar.h @@ -382,6 +382,29 @@ ntpcal_weekday_le(int32_t /* rdn */, int32_t /* dow */); extern int32_t ntpcal_weekday_lt(int32_t /* rdn */, int32_t /* dow */); + +/* + * handling of base date spec + */ +extern int32_t +basedate_eval_buildstamp(void); + +extern int32_t +basedate_eval_string(const char *str); + +extern int32_t +basedate_set_day(int32_t dayno); + +extern uint32_t +basedate_get_day(void); + +extern time_t +basedate_get_eracenter(void); + +extern time_t +basedate_get_erabase(void); + + /* * Additional support stuff for Ed Rheingold's calendrical calculations */ diff --git a/include/ntp_config.h b/include/ntp_config.h index bd8f595d94f30..dac933a177642 100644 --- a/include/ntp_config.h +++ b/include/ntp_config.h 
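Review bot: The comment on the new `r4addr.rflags` reads `/* match flags */`, which is the wording this hunk gives to `mflags`; it should read `u_short rflags; /* restrict (accesslist) flags */` to agree with `restrict_u_tag`. Separately, inserting `RES_NOEPEER` at 0x0020 renumbers every later `RES_*` value, and the ntp_request.h hunk that renames `info_restrict.flags` to `rflags` suggests these values are carried in mode 7 replies; if so, an ntpdc built against the old header will decode restriction lists wrongly after this change. A comment on the flag block saying whether the values are wire-visible, and a matching entry in whatever documents the mode 7 format, would make that trade-off explicit.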
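Review bot: In the ntp_calendar.h hunk, `basedate_set_day` takes an `int32_t dayno` while `basedate_get_day` returns `uint32_t`, so the same quantity crosses the API with two signednesses and a value above `INT32_MAX` cannot round-trip through the pair. Use one type for both, e.g. `extern int32_t basedate_get_day(void);` if day numbers are signed, or document why the getter is unsigned. The six new prototypes also carry no description of their return values; in particular it is not visible whether `basedate_set_day` returns the previous day number or an error code, and a one-line comment per declaration would settle that.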
@@ -54,7 +54,15 @@ typedef struct int_range_tag { int last; } int_range; -/* Structure for storing an attribute-value pair */ +/* generic list node */ +typedef struct any_node_tag any_node; +struct any_node_tag { + any_node * link; +}; + +typedef DECL_FIFO_ANCHOR(any_node) any_node_fifo; + +/* Structure for storing an attribute-value pair */ typedef struct attr_val_tag attr_val; struct attr_val_tag { attr_val * link; @@ -102,8 +110,9 @@ struct restrict_node_tag { restrict_node * link; address_node * addr; address_node * mask; - int_fifo * flags; + int_fifo * flag_tok_fifo; int line_no; + short ippeerlimit; }; typedef DECL_FIFO_ANCHOR(restrict_node) restrict_fifo; @@ -267,8 +276,12 @@ typedef struct settrap_parms_tag { const char * token_name(int token); /* generic fifo routines for structs linked by 1st member */ -void* append_gen_fifo(void *fifo, void *entry); +typedef void (*fifo_deleter)(void*); +void * destroy_gen_fifo(void *fifo, fifo_deleter func); +void * append_gen_fifo(void *fifo, void *entry); void * concat_gen_fifos(void *first, void *second); +#define DESTROY_G_FIFO(pf, func) \ + ((pf) = destroy_gen_fifo((pf), (fifo_deleter)(func))) #define APPEND_G_FIFO(pf, pe) \ ((pf) = append_gen_fifo((pf), (pe))) #define CONCAT_G_FIFOS(first, second) \ @@ -288,11 +301,13 @@ attr_val *create_attr_ival(int attr, int value); attr_val *create_attr_uval(int attr, u_int value); attr_val *create_attr_rangeval(int attr, int first, int last); attr_val *create_attr_sval(int attr, const char *s); +void destroy_attr_val(attr_val *node); filegen_node *create_filegen_node(int filegen_token, attr_val_fifo *options); string_node *create_string_node(char *str); restrict_node *create_restrict_node(address_node *addr, address_node *mask, + short ippeerlimit, int_fifo *flags, int line_no); int_node *create_int_node(int val); addr_opts_node *create_addr_opts_node(address_node *addr, diff --git a/include/ntp_fp.h b/include/ntp_fp.h index b5d28205541b3..2782ebfe921ac 100644 
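Review bot: `DESTROY_G_FIFO` casts whatever it is given with `(fifo_deleter)(func)`, which turns a prototype mismatch into a silent call through an incompatible function pointer (undefined behaviour) instead of a compile-time error, so a deleter with the wrong parameter count or a non-void return will compile and run. Document the contract on the typedef, e.g. `typedef void (*fifo_deleter)(void*); /* called once per node; must take exactly one pointer and return void */`, and prefer deleters that already take `void *` so the cast is not needed. In the last hunk, `create_restrict_node` still names its parameter `int_fifo *flags` although the field it populates was renamed to `flag_tok_fifo` in the second hunk; renaming the parameter keeps the two in step.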
--- a/include/ntp_fp.h +++ b/include/ntp_fp.h @@ -364,6 +364,7 @@ extern void init_systime (void); extern void get_systime (l_fp *); extern int step_systime (double); extern int adj_systime (double); +extern int clamp_systime (void); extern struct tm * ntp2unix_tm (u_int32 ntp, int local); diff --git a/include/ntp_keyacc.h b/include/ntp_keyacc.h index 7e66504312288..f497b62c5465f 100644 --- a/include/ntp_keyacc.h +++ b/include/ntp_keyacc.h @@ -8,12 +8,18 @@ typedef struct keyaccess KeyAccT; struct keyaccess { KeyAccT * next; sockaddr_u addr; + unsigned int subnetbits; }; -extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr); +extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr, + unsigned int subnetbits); extern KeyAccT* keyacc_pop_free(KeyAccT *head); extern KeyAccT* keyacc_all_free(KeyAccT *head); extern int keyacc_contains(const KeyAccT *head, const sockaddr_u *addr, int res_on_empty_list); +/* public for testability: */ +extern int keyacc_amatch(const sockaddr_u *,const sockaddr_u *, + unsigned int mbits); + #endif /* NTP_KEYACC_H */ diff --git a/include/ntp_request.h b/include/ntp_request.h index c750b7750a7a7..d05a67f753828 100644 --- a/include/ntp_request.h +++ b/include/ntp_request.h @@ -141,7 +141,7 @@ struct req_pkt { req_data_u u; /* data area */ l_fp tstamp; /* time stamp, for authentication */ keyid_t keyid; /* (optional) encryption key */ - char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */ + char mac[MAX_MDG_LEN]; /* (optional) auth code */ }; /* @@ -151,7 +151,7 @@ struct req_pkt { struct req_pkt_tail { l_fp tstamp; /* time stamp, for authentication */ keyid_t keyid; /* (optional) encryption key */ - char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */ + char mac[MAX_MDG_LEN]; /* (optional) auth code */ }; /* MODE_PRIVATE request packet header length before optional items. */ 
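Review bot: In the ntp_keyacc.h hunk the new `subnetbits` field and parameter have no stated range, yet they decide which source addresses may use a key; nothing in the header says whether a prefix length above 32 for IPv4 or 128 for IPv6 is rejected, clamped, or treated as a full-address match, and a misread prefix widens or narrows the set of hosts a key accepts. Put the range on the declaration, e.g. `unsigned int subnetbits; /* prefix length: 0..32 for IPv4, 0..128 for IPv6; range-checked by keyacc_new_push */` (adjust to whichever function actually validates it). `keyacc_amatch` also mixes one named parameter with two unnamed ones; naming all three makes the "which address is the pattern" question answerable from the header.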
@@ -513,6 +513,8 @@ struct info_sys_stats { u_int32 badauth; /* bad authentication */ u_int32 received; /* packets received */ u_int32 limitrejected; /* rate exceeded */ + u_int32 lamport; /* Lamport violations */ + u_int32 tsrounding; /* Timestamp rounding errors */ }; @@ -652,7 +654,7 @@ struct info_restrict { u_int32 addr; /* match address */ u_int32 mask; /* match mask */ u_int32 count; /* number of packets matched */ - u_short flags; /* restrict flags */ + u_short rflags; /* restrict flags */ u_short mflags; /* match flags */ u_int v6_flag; /* is this v6 or not */ u_int unused1; /* unused, padding for addr6 */ @@ -667,6 +669,7 @@ struct info_restrict { struct conf_restrict { u_int32 addr; /* match address */ u_int32 mask; /* match mask */ + short ippeerlimit; /* ip peer limit */ u_short flags; /* restrict flags */ u_short mflags; /* match flags */ u_int v6_flag; /* is this v6 or not */ diff --git a/include/ntp_stdlib.h b/include/ntp_stdlib.h index a4e857425ff1d..889c3b25ef421 100644 --- a/include/ntp_stdlib.h +++ b/include/ntp_stdlib.h @@ -97,8 +97,8 @@ extern void auth_prealloc_symkeys(int); extern int ymd2yd (int, int, int); /* a_md5encrypt.c */ -extern int MD5authdecrypt (int, const u_char *, u_int32 *, size_t, size_t); -extern size_t MD5authencrypt (int, const u_char *, u_int32 *, size_t); +extern int MD5authdecrypt (int, const u_char *, size_t, u_int32 *, size_t, size_t); +extern size_t MD5authencrypt (int, const u_char *, size_t, u_int32 *, size_t); extern void MD5auth_setkey (keyid_t, int, const u_char *, size_t, KeyAccT *c); extern u_int32 addr2refid (sockaddr_u *); diff --git a/include/ntpd.h b/include/ntpd.h index f944235cd6d20..6a5128ce0832e 100644 --- a/include/ntpd.h +++ b/include/ntpd.h 
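Review bot: `struct conf_restrict` gains `short ippeerlimit` ahead of `flags`, and if, as its placement next to `info_restrict` in ntp_request.h suggests, this struct is a mode 7 request item, the insertion moves every following field on the wire; the hunk does not show whether ntp_request.c compares the received item size with `sizeof(struct conf_restrict)`, so a request from an ntpdc built against the old layout would be either rejected outright or parsed with `flags`/`mflags` read from the wrong bytes. Say which in the struct comment, e.g. `short ippeerlimit; /* ip peer limit; changes the mode 7 item size, pre-change clients are rejected */`. Also, `conf_restrict` keeps `u_short flags` while the preceding hunk renames the same field in `info_restrict` to `rflags`; one name for both avoids a second round of this rename.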
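Review bot: The widened `MD5authdecrypt` and `MD5authencrypt` prototypes in the ntp_stdlib.h hunk now place three (respectively two) unnamed `size_t` arguments beside a `const u_char *`, so a caller that transposes the key length and the packet length gets no diagnostic at all — and these are the functions that decide whether a MAC verifies. Name the parameters in the declarations to match the definitions in a_md5encrypt.c, along the lines of `extern int MD5authdecrypt (int type, const u_char *key, size_t klen, u_int32 *pkt, size_t length, size_t size);` (illustrative names; use the real ones).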
@@ -168,19 +168,19 @@ extern void mon_clearinterface(endpt *interface); /* ntp_peer.c */ extern void init_peer (void); extern struct peer *findexistingpeer(sockaddr_u *, const char *, - struct peer *, int, u_char); + struct peer *, int, u_char, int *); extern struct peer *findpeer (struct recvbuf *, int, int *); extern struct peer *findpeerbyassoc(associd_t); extern void set_peerdstadr (struct peer *, endpt *); -extern struct peer *newpeer (sockaddr_u *, const char *, - endpt *, u_char, u_char, - u_char, u_char, u_int, u_char, u_int32, +extern struct peer *newpeer (sockaddr_u *, const char *, endpt *, + int, u_char, u_char, u_char, u_char, + u_int, u_char, u_int32, keyid_t, const char *); extern void peer_all_reset (void); extern void peer_clr_stats (void); -extern struct peer *peer_config(sockaddr_u *, const char *, - endpt *, u_char, u_char, - u_char, u_char, u_int, u_int32, +extern struct peer *peer_config(sockaddr_u *, const char *, endpt *, + int, u_char, u_char, u_char, u_char, + u_int, u_int32, keyid_t, const char *); extern void peer_reset (struct peer *); extern void refresh_all_peerinterfaces(void); @@ -257,10 +257,11 @@ extern void reset_auth_stats(void); /* ntp_restrict.c */ extern void init_restrict (void); -extern u_short restrictions (sockaddr_u *); -extern void hack_restrict (int, sockaddr_u *, sockaddr_u *, - u_short, u_short, u_long); +extern void restrictions (sockaddr_u *, r4addr *); +extern void hack_restrict (restrict_op, sockaddr_u *, sockaddr_u *, + short, u_short, u_short, u_long); extern void restrict_source (sockaddr_u *, int, u_long); +extern void dump_restricts (void); /* ntp_timer.c */ extern void init_timer (void); 
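Review bot: `hack_restrict` now takes `short, u_short, u_short, u_long` as four consecutive unnamed integer parameters (ippeerlimit, rflags, mflags and expire, judging by `restrict_u_tag`), and because `rflags` and `mflags` share a type, swapping them compiles cleanly and installs a restriction with the wrong flag set. Name the parameters in the prototype, e.g. `extern void hack_restrict (restrict_op op, sockaddr_u *resaddr, sockaddr_u *resmask, short ippeerlimit, u_short rflags, u_short mflags, u_long expire);` (illustrative names). The same applies in the first hunk to the `int` inserted into `newpeer`/`peer_config` and the `int *` appended to `findexistingpeer`, whose meaning cannot be read from the prototype at all.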
@@ -288,7 +289,7 @@ extern void record_loop_stats (double, double, double, double, int); extern void record_clock_stats (sockaddr_u *, const char *); extern int mprintf_clock_stats(sockaddr_u *, const char *, ...) NTP_PRINTF(2, 3); -extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int ppoll, int precision, double root_delay, double root_dispersion, u_int32 refid); +extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int ppoll, int precision, double root_delay, double root_dispersion, u_int32 refid, int len, u_char *extra); extern void check_leap_file (int is_daily_check, u_int32 ntptime, const time_t * systime); extern void record_crypto_stats (sockaddr_u *, const char *); #ifdef DEBUG 
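Review bot: `record_raw_stats` receives the new extension data as `int len, u_char *extra`: a signed type for a byte count and a writable pointer for data that a statistics recorder presumably only logs. `size_t len, const u_char *extra` rules out a negative length reaching a copy or format routine and documents that the callee does not modify the packet; if the implementation only reads `extra`, change the prototype accordingly, and if it really needs the signed type, a comment saying why would help.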
@@ -500,18 +501,19 @@ extern u_int sys_ttlmax; /* max ttl mapping vector index */ /* * Statistics counters */ -extern u_long sys_stattime; /* time since reset */ -extern u_long sys_received; /* packets received */ -extern u_long sys_processed; /* packets for this host */ -extern u_long sys_restricted; /* restricted packets */ -extern u_long sys_newversion; /* current version */ -extern u_long sys_oldversion; /* old version */ -extern u_long sys_restricted; /* access denied */ -extern u_long sys_badlength; /* bad length or format */ extern u_long sys_badauth; /* bad authentication */ +extern u_long sys_badlength; /* bad length or format */ extern u_long sys_declined; /* declined */ -extern u_long sys_limitrejected; /* rate exceeded */ extern u_long sys_kodsent; /* KoD sent */ +extern u_long sys_lamport; /* Lamport violation */ +extern u_long sys_limitrejected; /* rate exceeded */ +extern u_long sys_newversion; /* current version */ +extern u_long sys_oldversion; /* old version */ +extern u_long sys_processed; /* packets for this host */ +extern u_long sys_received; /* packets received */ +extern u_long sys_restricted; /* access denied */ +extern u_long sys_stattime; /* time since reset */ +extern u_long sys_tsrounding; /* timestamp rounding errors */ /* ntp_request.c */ extern keyid_t info_auth_keyid; /* keyid used to authenticate requests */ diff --git a/include/recvbuff.h b/include/recvbuff.h index fa2d9ccc41bff..42597153eea2a 100644 --- a/include/recvbuff.h +++ b/include/recvbuff.h 
@@ -39,9 +39,10 @@ extern HANDLE get_recv_buff_event(void); /* * the maximum length NTP packet contains the NTP header, one Autokey * request, one Autokey response and the MAC. Assuming certificates don't - * get too big, the maximum packet length is set arbitrarily at 1000. + * get too big, the maximum packet length is set arbitrarily at 1200. + * (was 1000, but that bumps on 2048 RSA keys) */ -#define RX_BUFF_SIZE 1000 /* hail Mary */ +#define RX_BUFF_SIZE 1200 /* hail Mary */ typedef struct recvbuf recvbuf_t; diff --git a/include/ssl_applink.c b/include/ssl_applink.c index e57cabdb56711..693380f010512 100644 --- a/include/ssl_applink.c +++ b/include/ssl_applink.c @@ -27,10 +27,10 @@ #endif #ifdef WRAP_DBG_MALLOC -void *wrap_dbg_malloc(size_t s, const char *f, int l); -void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l); -void wrap_dbg_free(void *p); -void wrap_dbg_free_ex(void *p, const char *f, int l); +static void *wrap_dbg_malloc(size_t s, const char *f, int l); +static void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l); +static void wrap_dbg_free(void *p); +static void wrap_dbg_free_ex(void *p, const char *f, int l); #endif @@ -42,17 +42,21 @@ void ssl_applink(void) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L + # ifdef WRAP_DBG_MALLOC CRYPTO_set_mem_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free_ex); # else OPENSSL_malloc_init(); # endif -#else + +# else + # ifdef WRAP_DBG_MALLOC CRYPTO_set_mem_ex_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free); # else CRYPTO_malloc_init(); # endif + #endif /* OpenSSL version cascade */ } #else /* !OPENSSL || !SYS_WINNT */ @@ -66,7 +70,7 @@ ssl_applink(void) * for DEBUG malloc/realloc/free (lacking block type). * Simple wrappers convert. */ -void *wrap_dbg_malloc(size_t s, const char *f, int l) +static void *wrap_dbg_malloc(size_t s, const char *f, int l) { void *ret; 
@@ -74,7 +78,7 @@ void *wrap_dbg_malloc(size_t s, const char *f, int l) return ret; } -void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l) +static void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l) { void *ret; @@ -82,12 +86,12 @@ void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l) return ret; } -void wrap_dbg_free(void *p) +static void wrap_dbg_free(void *p) { _free_dbg(p, _NORMAL_BLOCK); } -void wrap_dbg_free_ex(void *p, const char *f, int l) +static void wrap_dbg_free_ex(void *p, const char *f, int l) { (void)f; (void)l; |