summaryrefslogtreecommitdiff
path: root/source4/ntp_signd
diff options
context:
space:
mode:
authorStefan Metzmacher <metze@samba.org>2008-12-03 17:41:09 +0100
committerStefan Metzmacher <metze@samba.org>2008-12-03 17:42:21 +0100
commitfcbf88115c217cfe5090f8d60ab7627681c648c8 (patch)
tree58a743ed5ae52992eeefa73a0a9223e60ec728ea /source4/ntp_signd
parentafa0d6b0b14e0ef2293bd8468ffc1d6330abdb5b (diff)
downloadsamba-fcbf88115c217cfe5090f8d60ab7627681c648c8.tar.gz
samba-fcbf88115c217cfe5090f8d60ab7627681c648c8.tar.bz2
samba-fcbf88115c217cfe5090f8d60ab7627681c648c8.zip
s4: add some useful link and the patch for the ntp_signd support
metze
Diffstat (limited to 'source4/ntp_signd')
-rw-r--r--source4/ntp_signd/README7
-rw-r--r--source4/ntp_signd/ntp-dev-4.2.5p125.diff579
2 files changed, 586 insertions, 0 deletions
diff --git a/source4/ntp_signd/README b/source4/ntp_signd/README
new file mode 100644
index 0000000000..585459b7cb
--- /dev/null
+++ b/source4/ntp_signd/README
@@ -0,0 +1,7 @@
+Here are some pointers to the needed ntp version.
+
+https://support.ntp.org/bugs/show_bug.cgi?id=1028
+
+The patch against ntp-dev-4.2.5p125
+https://support.ntp.org/bugs/attachment.cgi?id=457
+
diff --git a/source4/ntp_signd/ntp-dev-4.2.5p125.diff b/source4/ntp_signd/ntp-dev-4.2.5p125.diff
new file mode 100644
index 0000000000..40669fb3cc
--- /dev/null
+++ b/source4/ntp_signd/ntp-dev-4.2.5p125.diff
@@ -0,0 +1,579 @@
+Only in ntp-samba: autom4te.cache
+Only in ntp-samba: config.h
+Only in ntp-samba: config.log
+Only in ntp-samba: config.status
+Only in ntp-samba/ElectricFence: .deps
+Only in ntp-samba/ElectricFence: Makefile
+Only in ntp-samba: .gcc-warning
+Only in ntp-samba/include/isc: Makefile
+Only in ntp-samba/include: Makefile
+diff -ur ntp-dev-4.2.5p125/include/ntp_config.h ntp-samba/include/ntp_config.h
+--- ntp-dev-4.2.5p125/include/ntp_config.h 2008-07-17 07:20:58.000000000 +1000
++++ ntp-samba/include/ntp_config.h 2008-08-28 21:59:06.000000000 +1000
+@@ -92,6 +92,7 @@
+ int requested_key;
+ int revoke;
+ queue *trusted_key_list;
++ char *ntp_signd_socket;
+ };
+
+ struct filegen_node {
+diff -ur ntp-dev-4.2.5p125/include/ntpd.h ntp-samba/include/ntpd.h
+--- ntp-dev-4.2.5p125/include/ntpd.h 2008-05-18 21:11:28.000000000 +1000
++++ ntp-samba/include/ntpd.h 2008-08-28 21:59:06.000000000 +1000
+@@ -259,6 +259,8 @@
+ extern int config_priority;
+ #endif
+
++extern char const *ntp_signd_socket;
++
+ /* ntp_control.c */
+ extern int num_ctl_traps;
+ extern keyid_t ctl_auth_keyid; /* keyid used for authenticating write requests */
+@@ -471,3 +473,15 @@
+ extern struct refclock *refclock_conf[]; /* refclock configuration table */
+ extern u_char num_refclock_conf;
+ #endif
++
++/* ntp_signd.c */
++#ifdef HAVE_NTP_SIGND
++extern void
++send_via_ntp_signd(
++ struct recvbuf *rbufp, /* receive packet pointer */
++ int xmode,
++ keyid_t xkeyid,
++ int flags,
++ struct pkt *xpkt
++ );
++#endif
+diff -ur ntp-dev-4.2.5p125/include/ntp.h ntp-samba/include/ntp.h
+--- ntp-dev-4.2.5p125/include/ntp.h 2008-08-10 22:37:56.000000000 +1000
++++ ntp-samba/include/ntp.h 2008-08-28 21:59:06.000000000 +1000
+@@ -447,6 +447,7 @@
+ #ifdef OPENSSL
+ #define FLAG_ASSOC 0x4000 /* autokey request */
+ #endif /* OPENSSL */
++#define FLAG_ADKEY 0x00010000 /* Authenticated (or wants reply to be authenticated) using AD authentication */
+
+ /*
+ * Definitions for the clear() routine. We use memset() to clear
+Only in ntp-samba/include: ntp.h.orig
+Only in ntp-samba: libtool
+Only in ntp-samba: Makefile
+diff -ur ntp-dev-4.2.5p125/ntpd/Makefile.am ntp-samba/ntpd/Makefile.am
+--- ntp-dev-4.2.5p125/ntpd/Makefile.am 2008-05-18 21:11:29.000000000 +1000
++++ ntp-samba/ntpd/Makefile.am 2008-08-28 21:59:06.000000000 +1000
+@@ -65,7 +65,7 @@
+ ntp_crypto.c ntp_filegen.c \
+ ntp_intres.c ntp_loopfilter.c ntp_monitor.c ntp_peer.c \
+ ntp_proto.c ntp_refclock.c ntp_request.c \
+- ntp_restrict.c ntp_timer.c ntp_util.c \
++ ntp_restrict.c ntp_timer.c ntp_util.c ntp_signd.c \
+ ppsapi_timepps.h \
+ refclock_acts.c refclock_arbiter.c refclock_arc.c refclock_as2201.c \
+ refclock_atom.c refclock_bancomm.c refclock_chronolog.c \
+diff -ur ntp-dev-4.2.5p125/ntpd/ntp_config.c ntp-samba/ntpd/ntp_config.c
+--- ntp-dev-4.2.5p125/ntpd/ntp_config.c 2008-08-10 22:37:54.000000000 +1000
++++ ntp-samba/ntpd/ntp_config.c 2008-08-28 22:03:52.000000000 +1000
+@@ -148,6 +148,7 @@
+ #endif
+
+ const char *config_file;
++const char *ntp_signd_socket;
+ #ifdef HAVE_NETINFO
+ struct netinfo_config_state *config_netinfo = NULL;
+ int check_netinfo = 1;
+@@ -276,6 +277,11 @@
+ my_config.auth.crypto_cmd_list = NULL;
+ my_config.auth.keys = NULL;
+ my_config.auth.keysdir = NULL;
++#ifdef NTP_SIGND_PATH
++ my_config.auth.ntp_signd_socket = NTP_SIGND_PATH;
++#else
++ my_config.auth.ntp_signd_socket = NULL;
++#endif
+ my_config.auth.requested_key = 0;
+ my_config.auth.revoke = 0;
+ my_config.auth.trusted_key_list = NULL;
+@@ -795,6 +801,7 @@
+ { "crypto", T_Crypto, NO_ARG },
+ { "keys", T_Keys, SINGLE_ARG },
+ { "keysdir", T_Keysdir, SINGLE_ARG },
++ { "ntpsigndsocket", T_NtpSignDsocket, SINGLE_ARG },
+ { "requestkey", T_Requestkey, NO_ARG },
+ { "revoke", T_Revoke, NO_ARG },
+ { "trustedkey", T_Trustedkey, NO_ARG },
+@@ -1000,6 +1007,10 @@
+ if (my_config.auth.keysdir)
+ keysdir = my_config.auth.keysdir;
+
++ /* ntp_signd_socket Command */
++ if (my_config.auth.ntp_signd_socket)
++ ntp_signd_socket = my_config.auth.ntp_signd_socket;
++
+ #ifdef OPENSSL
+ if (cryptosw) {
+ crypto_setup();
+Only in ntp-samba/ntpd: ntp_config.c~
+Only in ntp-samba/ntpd: ntp_config.c.orig
+diff -ur ntp-dev-4.2.5p125/ntpd/ntp_parser.y ntp-samba/ntpd/ntp_parser.y
+--- ntp-dev-4.2.5p125/ntpd/ntp_parser.y 2008-07-17 07:21:06.000000000 +1000
++++ ntp-samba/ntpd/ntp_parser.y 2008-08-28 21:59:06.000000000 +1000
+@@ -155,6 +155,7 @@
+ %token T_Novolley
+ %token T_Ntp
+ %token T_Ntpport
++%token T_NtpSignDsocket
+ %token T_Orphan
+ %token T_Panic
+ %token T_Peer
+@@ -432,6 +433,8 @@
+ { my_config.auth.requested_key = $2; }
+ | T_Trustedkey integer_list
+ { my_config.auth.trusted_key_list = $2; }
++ | T_NtpSignDsocket T_String
++ { my_config.auth.ntp_signd_socket = $2; }
+ ;
+
+ crypto_command_line
+diff -ur ntp-dev-4.2.5p125/ntpd/ntp_proto.c ntp-samba/ntpd/ntp_proto.c
+--- ntp-dev-4.2.5p125/ntpd/ntp_proto.c 2008-07-17 07:21:02.000000000 +1000
++++ ntp-samba/ntpd/ntp_proto.c 2008-08-28 21:59:06.000000000 +1000
+@@ -128,7 +128,7 @@
+ static void clock_combine (struct peer **, int);
+ static void peer_xmit (struct peer *);
+ static void fast_xmit (struct recvbuf *, int, keyid_t,
+- char *);
++ char *, int);
+ static void clock_update (struct peer *);
+ static int default_get_precision (void);
+ static int peer_unfit (struct peer *);
+@@ -311,6 +311,7 @@
+ int authlen; /* offset of MAC field */
+ int is_authentic = 0; /* cryptosum ok */
+ int retcode = AM_NOMATCH; /* match code */
++ int flags = 0; /* flags with details about the authentication */
+ keyid_t skeyid = 0; /* key IDs */
+ u_int32 opcode = 0; /* extension field opcode */
+ struct sockaddr_storage *dstadr_sin; /* active runway */
+@@ -324,6 +325,8 @@
+ keyid_t pkeyid = 0, tkeyid = 0; /* key IDs */
+ #endif /* OPENSSL */
+
++ static unsigned char zero_key[16];
++
+ /*
+ * Monitor the packet and get restrictions. Note that the packet
+ * length for control and private mode packets must be checked
+@@ -480,9 +483,9 @@
+ return; /* rate exceeded */
+
+ if (hismode == MODE_CLIENT)
+- fast_xmit(rbufp, MODE_SERVER, skeyid, "RATE");
++ fast_xmit(rbufp, MODE_SERVER, skeyid, "RATE", 0);
+ else
+- fast_xmit(rbufp, MODE_ACTIVE, skeyid, "RATE");
++ fast_xmit(rbufp, MODE_ACTIVE, skeyid, "RATE", 0);
+ return; /* rate exceeded */
+ }
+
+@@ -535,6 +538,7 @@
+ * is zero, acceptable outcomes of y are NONE and OK. If x is
+ * one, the only acceptable outcome of y is OK.
+ */
++
+ if (has_mac == 0) {
+ is_authentic = AUTH_NONE; /* not required */
+ #ifdef DEBUG
+@@ -555,6 +559,25 @@
+ stoa(&rbufp->recv_srcadr), hismode, skeyid,
+ authlen + has_mac, is_authentic);
+ #endif
++
++ /* If the signature is 20 bytes long, the last 16 of
++ * which are zero, then this is a Microsoft client
++ * wanting AD-style authentication of the server's
++ * reply.
++ *
++ * This is described in Microsoft's WSPP docs, in MS-SNTP:
++ * http://msdn.microsoft.com/en-us/library/cc212930.aspx
++ */
++ } else if (has_mac == MAX_MAC_LEN
++ && (retcode == AM_FXMIT || retcode == AM_NEWPASS)
++ && (memcmp(zero_key, (char *)pkt + authlen + 4, MAX_MAC_LEN - 4) == 0)) {
++
++ /* Don't try to verify the zeros, just set a
++ * flag and otherwise pretend we never saw the signature */
++ is_authentic = AUTH_NONE;
++
++ flags = FLAG_ADKEY;
++
+ } else {
+ #ifdef OPENSSL
+ /*
+@@ -696,9 +719,9 @@
+ if (AUTH(restrict_mask & RES_DONTTRUST,
+ is_authentic)) {
+ fast_xmit(rbufp, MODE_SERVER, skeyid,
+- NULL);
++ NULL, flags);
+ } else if (is_authentic == AUTH_ERROR) {
+- fast_xmit(rbufp, MODE_SERVER, 0, NULL);
++ fast_xmit(rbufp, MODE_SERVER, 0, NULL, 0);
+ sys_badauth++;
+ } else {
+ sys_restricted++;
+@@ -733,7 +756,7 @@
+ * crypto-NAK, as that would not be useful.
+ */
+ if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic))
+- fast_xmit(rbufp, MODE_SERVER, skeyid, NULL);
++ fast_xmit(rbufp, MODE_SERVER, skeyid, NULL, 0);
+ return; /* hooray */
+
+ /*
+@@ -888,7 +911,7 @@
+ is_authentic)) {
+ #ifdef OPENSSL
+ if (crypto_flags && skeyid > NTP_MAXKEY)
+- fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
++ fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
+ #endif /* OPENSSL */
+ sys_restricted++;
+ return; /* access denied */
+@@ -904,7 +927,7 @@
+ * This is for drat broken Windows clients. See
+ * Microsoft KB 875424 for preferred workaround.
+ */
+- fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL);
++ fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL, flags);
+ #else /* WINTIME */
+ sys_restricted++;
+ #endif /* WINTIME */
+@@ -938,6 +961,7 @@
+ }
+ break;
+
++
+ /*
+ * Process regular packet. Nothing special.
+ */
+@@ -1090,7 +1114,7 @@
+ peer->flash |= TEST5; /* bad auth */
+ peer->badauth++;
+ if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
+- fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
++ fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
+ if (peer->flags & FLAG_PREEMPT) {
+ unpeer(peer);
+ return;
+@@ -3159,7 +3183,8 @@
+ struct recvbuf *rbufp, /* receive packet pointer */
+ int xmode, /* receive mode */
+ keyid_t xkeyid, /* transmit key ID */
+- char *mask /* kiss code */
++ char *mask, /* kiss code */
++ int flags /* Flags to indicate signing behaviour */
+ )
+ {
+ struct pkt xpkt; /* transmit packet structure */
+@@ -3220,6 +3245,19 @@
+ HTONL_FP(&rbufp->recv_time, &xpkt.rec);
+ }
+
++ if (flags & FLAG_ADKEY) {
++#ifdef HAVE_NTP_SIGND
++ get_systime(&xmt_tx);
++ if (mask == NULL) {
++ HTONL_FP(&xmt_tx, &xpkt.xmt);
++ }
++ send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
++#endif
++ /* If we don't have the support, drop the packet on the floor.
++ An all zero sig is compleatly bogus anyway */
++ return;
++ }
++
+ /*
+ * If the received packet contains a MAC, the transmitted packet
+ * is authenticated and contains a MAC. If not, the transmitted
+@@ -3252,7 +3290,7 @@
+ * source-destination-key ID combination.
+ */
+ #ifdef OPENSSL
+- if (xkeyid > NTP_MAXKEY) {
++ if (!(flags & FLAG_ADKEY) && (xkeyid > NTP_MAXKEY)) {
+ keyid_t cookie;
+
+ /*
+@@ -3284,8 +3322,10 @@
+ if (mask == NULL) {
+ HTONL_FP(&xmt_tx, &xpkt.xmt);
+ }
++
+ authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
+ sendlen += authlen;
++
+ #ifdef OPENSSL
+ if (xkeyid > NTP_MAXKEY)
+ authtrust(xkeyid, 0);
+Only in ntp-samba/ntpd: ntp_signd.c
+Only in ntp-dev-4.2.5p125/ntpdc: nl.pl
+Only in ntp-samba/scripts: calc_tickadj
+Only in ntp-samba/scripts: checktime
+Only in ntp-samba/scripts: freq_adj
+Only in ntp-samba/scripts: html2man
+Only in ntp-samba/scripts: Makefile
+Only in ntp-samba/scripts: mkver
+Only in ntp-samba/scripts: ntpsweep
+Only in ntp-samba/scripts: ntptrace
+Only in ntp-samba/scripts: ntpver
+Only in ntp-samba/scripts: ntp-wait
+Only in ntp-samba/scripts: plot_summary
+Only in ntp-samba/scripts: summary
+Only in ntp-samba: stamp-h1
+--- /dev/null 2008-08-25 07:28:22.036002925 +1000
++++ ntp-samba/ntpd/ntp_signd.c 2008-08-28 21:59:06.000000000 +1000
+@@ -0,0 +1,242 @@
++/* Copyright 2008, Red Hat, Inc.
++ Copyright 2008, Andrew Tridgell.
++ Licenced under the same terms as NTP itself.
++ */
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
++#ifdef HAVE_NTP_SIGND
++
++#include "ntpd.h"
++#include "ntp_io.h"
++#include "ntp_stdlib.h"
++#include "ntp_unixtime.h"
++#include "ntp_control.h"
++#include "ntp_string.h"
++
++#include <stdio.h>
++#include <stddef.h>
++#ifdef HAVE_LIBSCF_H
++#include <libscf.h>
++#include <unistd.h>
++#endif /* HAVE_LIBSCF_H */
++
++#include <sys/un.h>
++
++/* socket routines by tridge - from junkcode.samba.org */
++
++/*
++ connect to a unix domain socket
++*/
++static int
++ux_socket_connect(const char *name)
++{
++ int fd;
++ struct sockaddr_un addr;
++ if (!name) {
++ return -1;
++ }
++
++ memset(&addr, 0, sizeof(addr));
++ addr.sun_family = AF_UNIX;
++ strncpy(addr.sun_path, name, sizeof(addr.sun_path));
++
++ fd = socket(AF_UNIX, SOCK_STREAM, 0);
++ if (fd == -1) {
++ return -1;
++ }
++
++ if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
++ close(fd);
++ return -1;
++ }
++
++ return fd;
++}
++
++
++/*
++ keep writing until its all sent
++*/
++static int
++write_all(int fd, const void *buf, size_t len)
++{
++ size_t total = 0;
++ while (len) {
++ int n = write(fd, buf, len);
++ if (n <= 0) return total;
++ buf = n + (char *)buf;
++ len -= n;
++ total += n;
++ }
++ return total;
++}
++
++/*
++ keep reading until its all read
++*/
++static int
++read_all(int fd, void *buf, size_t len)
++{
++ size_t total = 0;
++ while (len) {
++ int n = read(fd, buf, len);
++ if (n <= 0) return total;
++ buf = n + (char *)buf;
++ len -= n;
++ total += n;
++ }
++ return total;
++}
++
++/*
++ send a packet in length prefix format
++*/
++static int
++send_packet(int fd, const char *buf, uint32_t len)
++{
++ uint32_t net_len = htonl(len);
++ if (write_all(fd, &net_len, sizeof(net_len)) != sizeof(net_len)) return -1;
++ if (write_all(fd, buf, len) != len) return -1;
++ return 0;
++}
++
++/*
++ receive a packet in length prefix format
++*/
++static int
++recv_packet(int fd, char **buf, uint32_t *len)
++{
++ if (read_all(fd, len, sizeof(*len)) != sizeof(*len)) return -1;
++ *len = ntohl(*len);
++ (*buf) = malloc(*len);
++ if (!*buf) {
++ return -1;
++ }
++ if (read_all(fd, *buf, *len) != *len) {
++ free(*buf);
++ return -1;
++ }
++ return 0;
++}
++
++void
++send_via_ntp_signd(
++ struct recvbuf *rbufp, /* receive packet pointer */
++ int xmode,
++ keyid_t xkeyid,
++ int flags,
++ struct pkt *xpkt
++ )
++{
++
++ /* We are here because it was detected that the client
++ * sent an all-zero signature, and we therefore know
++ * it's windows trying to talk to an AD server
++ *
++ * Because we don't want to dive into Samba's secrets
++ * database just to find the long-term kerberos key
++ * that is re-used as the NTP key, we instead hand the
++ * packet over to Samba to sign, and return to us.
++ *
++ * The signing method Samba will use is described by
++ * Microsoft in MS-SNTP, found here:
++ * http://msdn.microsoft.com/en-us/library/cc212930.aspx
++ */
++
++ int fd, sendlen;
++ struct samba_key_in {
++ uint32_t version;
++ uint32_t op;
++ uint32_t packet_id;
++ uint32_t key_id_le;
++ struct pkt pkt;
++ } samba_pkt;
++
++ struct samba_key_out {
++ uint32_t version;
++ uint32_t op;
++ uint32_t packet_id;
++ struct pkt pkt;
++ } samba_reply;
++
++ char full_socket[256];
++
++ char *reply = NULL;
++ uint32_t reply_len;
++
++ memset(&samba_pkt, 0, sizeof(samba_pkt));
++ samba_pkt.op = 0; /* Sign message */
++ /* This will be echoed into the reply - a different
++ * impelementation might want multiple packets
++ * awaiting signing */
++
++ samba_pkt.packet_id = 1;
++
++ /* Swap the byte order back - it's actually little
++ * endian on the wire, but it was read above as
++ * network byte order */
++ samba_pkt.key_id_le = htonl(xkeyid);
++ samba_pkt.pkt = *xpkt;
++
++ snprintf(full_socket, sizeof(full_socket), "%s/socket", ntp_signd_socket);
++
++ fd = ux_socket_connect(full_socket);
++ /* Only continue with this if we can talk to Samba */
++ if (fd != -1) {
++ /* Send old packet to Samba, expect response */
++ /* Packet to Samba is quite simple:
++ All values BIG endian except key ID as noted
++ [packet size as BE] - 4 bytes
++ [protocol version (0)] - 4 bytes
++ [packet ID] - 4 bytes
++ [operation (sign message=0)] - 4 bytes
++ [key id] - LITTLE endian (as on wire) - 4 bytes
++ [message to sign] - as marshalled, without signature
++ */
++
++ if (send_packet(fd, (char *)&samba_pkt, offsetof(struct samba_key_in, pkt) + LEN_PKT_NOMAC) != 0) {
++ /* Huh? could not talk to Samba... */
++ close(fd);
++ return;
++ }
++
++ if (recv_packet(fd, &reply, &reply_len) != 0) {
++ if (reply) {
++ free(reply);
++ }
++ close(fd);
++ return;
++ }
++ /* Return packet is also simple:
++ [packet size] - network byte order - 4 bytes
++ [protocol version (0)] network byte order - - 4 bytes
++ [operation (signed success=3, failure=4)] network byte order - - 4 byte
++ (optional) [signed message] - as provided before, with signature appended
++ */
++
++ if (reply_len <= sizeof(samba_reply)) {
++ memcpy(&samba_reply, reply, reply_len);
++ if (ntohl(samba_reply.op) == 3 && reply_len > offsetof(struct samba_key_out, pkt)) {
++ sendlen = reply_len - offsetof(struct samba_key_out, pkt);
++ xpkt = &samba_reply.pkt;
++ sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, xpkt, sendlen);
++#ifdef DEBUG
++ if (debug)
++ printf(
++ "transmit ntp_signd packet: at %ld %s->%s mode %d keyid %08x len %d\n",
++ current_time, ntoa(&rbufp->dstadr->sin),
++ ntoa(&rbufp->recv_srcadr), xmode, xkeyid, sendlen);
++#endif
++ }
++ }
++
++ if (reply) {
++ free(reply);
++ }
++ close(fd);
++
++ }
++}
++#endif