Only in ntp-samba: autom4te.cache
Only in ntp-samba: config.h
Only in ntp-samba: config.log
Only in ntp-samba: config.status
Only in ntp-samba/ElectricFence: .deps
Only in ntp-samba/ElectricFence: Makefile
Only in ntp-samba: .gcc-warning
Only in ntp-samba/include/isc: Makefile
Only in ntp-samba/include: Makefile
diff -ur ntp-dev-4.2.5p125/include/ntp_config.h ntp-samba/include/ntp_config.h
--- ntp-dev-4.2.5p125/include/ntp_config.h	2008-07-17 07:20:58.000000000 +1000
+++ ntp-samba/include/ntp_config.h	2008-08-28 21:59:06.000000000 +1000
@@ -92,6 +92,7 @@
     int requested_key;
     int revoke;
     queue *trusted_key_list;
+    char *ntp_signd_socket;
 };
 
 struct filegen_node {
diff -ur ntp-dev-4.2.5p125/include/ntpd.h ntp-samba/include/ntpd.h
--- ntp-dev-4.2.5p125/include/ntpd.h	2008-05-18 21:11:28.000000000 +1000
+++ ntp-samba/include/ntpd.h	2008-08-28 21:59:06.000000000 +1000
@@ -259,6 +259,8 @@
 extern int	config_priority;
 #endif
 
+extern char const *ntp_signd_socket;
+
 /* ntp_control.c */
 extern int	num_ctl_traps;
 extern keyid_t	ctl_auth_keyid;		/* keyid used for authenticating write requests */
@@ -471,3 +473,15 @@
 extern struct refclock *refclock_conf[]; /* refclock configuration table */
 extern u_char	num_refclock_conf;
 #endif
+
+/* ntp_signd.c */
+#ifdef HAVE_NTP_SIGND
+extern void 
+send_via_ntp_signd(
+	struct recvbuf *rbufp,	/* receive packet pointer */
+	int	xmode,
+	keyid_t	xkeyid, 
+	int flags,
+	struct pkt  *xpkt
+	);
+#endif
diff -ur ntp-dev-4.2.5p125/include/ntp.h ntp-samba/include/ntp.h
--- ntp-dev-4.2.5p125/include/ntp.h	2008-08-10 22:37:56.000000000 +1000
+++ ntp-samba/include/ntp.h	2008-08-28 21:59:06.000000000 +1000
@@ -447,6 +447,7 @@
 #ifdef	OPENSSL
 #define FLAG_ASSOC	0x4000	/* autokey request */
 #endif /* OPENSSL */
+#define FLAG_ADKEY      0x00010000      /* Authenticated (or wants reply to be authenticated) using AD authentication */
 
 /*
  * Definitions for the clear() routine.  We use memset() to clear
Only in ntp-samba/include: ntp.h.orig
Only in ntp-samba: libtool
Only in ntp-samba: Makefile
diff -ur ntp-dev-4.2.5p125/ntpd/Makefile.am ntp-samba/ntpd/Makefile.am
--- ntp-dev-4.2.5p125/ntpd/Makefile.am	2008-05-18 21:11:29.000000000 +1000
+++ ntp-samba/ntpd/Makefile.am	2008-08-28 21:59:06.000000000 +1000
@@ -65,7 +65,7 @@
 	ntp_crypto.c ntp_filegen.c \
 	ntp_intres.c ntp_loopfilter.c ntp_monitor.c ntp_peer.c \
 	ntp_proto.c ntp_refclock.c ntp_request.c \
-	ntp_restrict.c ntp_timer.c ntp_util.c \
+	ntp_restrict.c ntp_timer.c ntp_util.c ntp_signd.c \
 	ppsapi_timepps.h \
 	refclock_acts.c refclock_arbiter.c refclock_arc.c refclock_as2201.c \
 	refclock_atom.c refclock_bancomm.c refclock_chronolog.c \
diff -ur ntp-dev-4.2.5p125/ntpd/ntp_config.c ntp-samba/ntpd/ntp_config.c
--- ntp-dev-4.2.5p125/ntpd/ntp_config.c	2008-08-10 22:37:54.000000000 +1000
+++ ntp-samba/ntpd/ntp_config.c	2008-08-28 22:03:52.000000000 +1000
@@ -148,6 +148,7 @@
 #endif
 
 const char *config_file;
+const char *ntp_signd_socket;
 #ifdef HAVE_NETINFO
 struct netinfo_config_state *config_netinfo = NULL;
 int check_netinfo = 1;
@@ -276,6 +277,11 @@
 	my_config.auth.crypto_cmd_list = NULL;
 	my_config.auth.keys = NULL;
 	my_config.auth.keysdir = NULL;
+#ifdef NTP_SIGND_PATH
+	my_config.auth.ntp_signd_socket = NTP_SIGND_PATH;
+#else
+	my_config.auth.ntp_signd_socket = NULL;
+#endif
 	my_config.auth.requested_key = 0;
 	my_config.auth.revoke = 0;
 	my_config.auth.trusted_key_list = NULL;
@@ -795,6 +801,7 @@
 	{ "crypto",		T_Crypto,          NO_ARG },
 	{ "keys",		T_Keys,            SINGLE_ARG },
 	{ "keysdir",		T_Keysdir,         SINGLE_ARG },
+	{ "ntpsigndsocket",     T_NtpSignDsocket,  SINGLE_ARG },
 	{ "requestkey",		T_Requestkey,      NO_ARG },
 	{ "revoke",		T_Revoke,          NO_ARG },
 	{ "trustedkey",		T_Trustedkey,      NO_ARG },
@@ -1000,6 +1007,10 @@
 	if (my_config.auth.keysdir)
 		keysdir = my_config.auth.keysdir;
 
+	/* ntp_signd_socket Command */
+	if (my_config.auth.ntp_signd_socket)
+		ntp_signd_socket = my_config.auth.ntp_signd_socket;
+
 #ifdef OPENSSL
 	if (cryptosw) {
 		crypto_setup();
Only in ntp-samba/ntpd: ntp_config.c~
Only in ntp-samba/ntpd: ntp_config.c.orig
diff -ur ntp-dev-4.2.5p125/ntpd/ntp_parser.y ntp-samba/ntpd/ntp_parser.y
--- ntp-dev-4.2.5p125/ntpd/ntp_parser.y	2008-07-17 07:21:06.000000000 +1000
+++ ntp-samba/ntpd/ntp_parser.y	2008-08-28 21:59:06.000000000 +1000
@@ -155,6 +155,7 @@
 %token		T_Novolley
 %token		T_Ntp
 %token		T_Ntpport
+%token		T_NtpSignDsocket
 %token		T_Orphan
 %token		T_Panic
 %token		T_Peer
@@ -432,6 +433,8 @@
                     { my_config.auth.requested_key = $2;  }
 	|	T_Trustedkey integer_list
                     { my_config.auth.trusted_key_list = $2;  }
+	|	T_NtpSignDsocket T_String
+                    { my_config.auth.ntp_signd_socket = $2;  }
 	;
 
 crypto_command_line
diff -ur ntp-dev-4.2.5p125/ntpd/ntp_proto.c ntp-samba/ntpd/ntp_proto.c
--- ntp-dev-4.2.5p125/ntpd/ntp_proto.c	2008-07-17 07:21:02.000000000 +1000
+++ ntp-samba/ntpd/ntp_proto.c	2008-08-28 21:59:06.000000000 +1000
@@ -128,7 +128,7 @@
 static	void	clock_combine	(struct peer **, int);
 static	void	peer_xmit	(struct peer *);
 static	void	fast_xmit	(struct recvbuf *, int, keyid_t,
-				    char *);
+				 char *, int);
 static	void	clock_update	(struct peer *);
 static	int	default_get_precision (void);
 static	int	peer_unfit	(struct peer *);
@@ -311,6 +311,7 @@
 	int	authlen;		/* offset of MAC field */
 	int	is_authentic = 0;	/* cryptosum ok */
 	int	retcode = AM_NOMATCH;	/* match code */
+	int     flags = 0;              /* flags with details about the authentication */
 	keyid_t	skeyid = 0;		/* key IDs */
 	u_int32	opcode = 0;		/* extension field opcode */
 	struct sockaddr_storage *dstadr_sin; /* active runway */
@@ -324,6 +325,8 @@
 	keyid_t	pkeyid = 0, tkeyid = 0;	/* key IDs */
 #endif /* OPENSSL */
 
+	static unsigned char zero_key[16];
+
 	/*
 	 * Monitor the packet and get restrictions. Note that the packet
 	 * length for control and private mode packets must be checked
@@ -480,9 +483,9 @@
 			return;			/* rate exceeded */
 
 		if (hismode == MODE_CLIENT)
-			fast_xmit(rbufp, MODE_SERVER, skeyid, "RATE");
+			fast_xmit(rbufp, MODE_SERVER, skeyid, "RATE", 0);
 		else
-			fast_xmit(rbufp, MODE_ACTIVE, skeyid, "RATE");
+			fast_xmit(rbufp, MODE_ACTIVE, skeyid, "RATE", 0);
 		return;				/* rate exceeded */
 	}
 
@@ -535,6 +538,7 @@
 	 * is zero, acceptable outcomes of y are NONE and OK. If x is
 	 * one, the only acceptable outcome of y is OK.
 	 */
+
 	if (has_mac == 0) {
 		is_authentic = AUTH_NONE; /* not required */
 #ifdef DEBUG
@@ -555,6 +559,25 @@
 			    stoa(&rbufp->recv_srcadr), hismode, skeyid,
 			    authlen + has_mac, is_authentic);
 #endif
+
+		/* If the signature is 20 bytes long, the last 16 of
+		 * which are zero, then this is a Microsoft client
+		 * wanting AD-style authentication of the server's
+		 * reply.  
+		 *
+		 * This is described in Microsoft's WSPP docs, in MS-SNTP:
+		 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
+		 */
+	} else if (has_mac == MAX_MAC_LEN
+		   && (retcode == AM_FXMIT || retcode == AM_NEWPASS)
+		   && (memcmp(zero_key, (char *)pkt + authlen + 4, MAX_MAC_LEN - 4) == 0)) {
+		
+		/* Don't try to verify the zeros, just set a
+		 * flag and otherwise pretend we never saw the signature */
+		is_authentic = AUTH_NONE;
+		
+		flags = FLAG_ADKEY;
+
 	} else {
 #ifdef OPENSSL
 		/*
@@ -696,9 +719,9 @@
 			if (AUTH(restrict_mask & RES_DONTTRUST,
 			   is_authentic)) {
 				fast_xmit(rbufp, MODE_SERVER, skeyid,
-				    NULL);
+					  NULL, flags);
 			} else if (is_authentic == AUTH_ERROR) {
-				fast_xmit(rbufp, MODE_SERVER, 0, NULL);
+				fast_xmit(rbufp, MODE_SERVER, 0, NULL, 0);
 				sys_badauth++;
 			} else {
 				sys_restricted++;
@@ -733,7 +756,7 @@
 		 * crypto-NAK, as that would not be useful.
 		 */
 		if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic))
-			fast_xmit(rbufp, MODE_SERVER, skeyid, NULL);
+			fast_xmit(rbufp, MODE_SERVER, skeyid, NULL, 0);
 		return;				/* hooray */
 
 	/*
@@ -888,7 +911,7 @@
 		    is_authentic)) {
 #ifdef OPENSSL
 			if (crypto_flags && skeyid > NTP_MAXKEY)
-				fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
+				fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
 #endif /* OPENSSL */
 			sys_restricted++;
 			return;			/* access denied */
@@ -904,7 +927,7 @@
 			 * This is for drat broken Windows clients. See
 			 * Microsoft KB 875424 for preferred workaround.
 			 */
-			fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL);
+			fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL, flags);
 #else /* WINTIME */
 			sys_restricted++;
 #endif /* WINTIME */
@@ -938,6 +961,7 @@
 		}
 		break;
 
+
 	/*
 	 * Process regular packet. Nothing special.
 	 */
@@ -1090,7 +1114,7 @@
 		peer->flash |= TEST5;		/* bad auth */
 		peer->badauth++;
 		if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
-			fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
+			fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
 		if (peer->flags & FLAG_PREEMPT) {
 			unpeer(peer);
 			return;
@@ -3159,7 +3183,8 @@
 	struct recvbuf *rbufp,	/* receive packet pointer */
 	int	xmode,		/* receive mode */
 	keyid_t	xkeyid,		/* transmit key ID */
-	char	*mask		/* kiss code */
+	char	*mask,		/* kiss code */
+	int     flags           /* Flags to indicate signing behaviour */
 	)
 {
 	struct pkt xpkt;	/* transmit packet structure */
@@ -3220,6 +3245,19 @@
 		HTONL_FP(&rbufp->recv_time, &xpkt.rec);
 	}
 
+	if (flags & FLAG_ADKEY) {
+#ifdef HAVE_NTP_SIGND
+		get_systime(&xmt_tx);
+		if (mask == NULL) {
+			HTONL_FP(&xmt_tx, &xpkt.xmt);
+		}
+		send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
+#endif
+		/* If we don't have the support, drop the packet on the floor.  
+		   An all zero sig is compleatly bogus anyway */
+		return;
+	}
+
 	/*
 	 * If the received packet contains a MAC, the transmitted packet
 	 * is authenticated and contains a MAC. If not, the transmitted
@@ -3252,7 +3290,7 @@
 	 * source-destination-key ID combination.
 	 */
 #ifdef OPENSSL
-	if (xkeyid > NTP_MAXKEY) {
+	if (!(flags & FLAG_ADKEY) && (xkeyid > NTP_MAXKEY)) {
 		keyid_t cookie;
 
 		/*
@@ -3284,8 +3322,10 @@
 	if (mask == NULL) {
 		HTONL_FP(&xmt_tx, &xpkt.xmt);
 	}
+
 	authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
 	sendlen += authlen;
+
 #ifdef OPENSSL
 	if (xkeyid > NTP_MAXKEY)
 		authtrust(xkeyid, 0);
Only in ntp-samba/ntpd: ntp_signd.c
Only in ntp-dev-4.2.5p125/ntpdc: nl.pl
Only in ntp-samba/scripts: calc_tickadj
Only in ntp-samba/scripts: checktime
Only in ntp-samba/scripts: freq_adj
Only in ntp-samba/scripts: html2man
Only in ntp-samba/scripts: Makefile
Only in ntp-samba/scripts: mkver
Only in ntp-samba/scripts: ntpsweep
Only in ntp-samba/scripts: ntptrace
Only in ntp-samba/scripts: ntpver
Only in ntp-samba/scripts: ntp-wait
Only in ntp-samba/scripts: plot_summary
Only in ntp-samba/scripts: summary
Only in ntp-samba: stamp-h1
--- /dev/null	2008-08-25 07:28:22.036002925 +1000
+++ ntp-samba/ntpd/ntp_signd.c	2008-08-28 21:59:06.000000000 +1000
@@ -0,0 +1,242 @@
+/* Copyright 2008, Red Hat, Inc.
+   Copyright 2008, Andrew Tridgell.
+   Licenced under the same terms as NTP itself. 
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#ifdef HAVE_NTP_SIGND
+
+#include "ntpd.h"
+#include "ntp_io.h"
+#include "ntp_stdlib.h"
+#include "ntp_unixtime.h"
+#include "ntp_control.h"
+#include "ntp_string.h"
+
+#include <stdio.h>
+#include <stddef.h>
+#ifdef HAVE_LIBSCF_H
+#include <libscf.h>
+#include <unistd.h>
+#endif /* HAVE_LIBSCF_H */
+
+#include <sys/un.h>
+
+/* socket routines by tridge - from junkcode.samba.org */
+
+/*
+  connect to a unix domain socket
+*/
+static int 
+ux_socket_connect(const char *name)
+{
+	int fd;
+        struct sockaddr_un addr;
+	if (!name) {
+		return -1;
+	}
+
+        memset(&addr, 0, sizeof(addr));
+        addr.sun_family = AF_UNIX;
+        strncpy(addr.sun_path, name, sizeof(addr.sun_path));
+
+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
+	if (fd == -1) {
+		return -1;
+	}
+	
+	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
+		close(fd);
+		return -1;
+	}
+
+	return fd;
+}
+
+
+/*
+  keep writing until its all sent
+*/
+static int 
+write_all(int fd, const void *buf, size_t len)
+{
+	size_t total = 0;
+	while (len) {
+		int n = write(fd, buf, len);
+		if (n <= 0) return total;
+		buf = n + (char *)buf;
+		len -= n;
+		total += n;
+	}
+	return total;
+}
+
+/*
+  keep reading until its all read
+*/
+static int 
+read_all(int fd, void *buf, size_t len)
+{
+	size_t total = 0;
+	while (len) {
+		int n = read(fd, buf, len);
+		if (n <= 0) return total;
+		buf = n + (char *)buf;
+		len -= n;
+		total += n;
+	}
+	return total;
+}
+
+/*
+  send a packet in length prefix format
+*/
+static int 
+send_packet(int fd, const char *buf, uint32_t len)
+{
+	uint32_t net_len = htonl(len);
+	if (write_all(fd, &net_len, sizeof(net_len)) != sizeof(net_len)) return -1;
+	if (write_all(fd, buf, len) != len) return -1;	
+	return 0;
+}
+
+/*
+  receive a packet in length prefix format
+*/
+static int 
+recv_packet(int fd, char **buf, uint32_t *len)
+{
+	if (read_all(fd, len, sizeof(*len)) != sizeof(*len)) return -1;
+	*len = ntohl(*len);
+	(*buf) = malloc(*len);
+	if (!*buf) {
+		return -1;
+	}
+	if (read_all(fd, *buf, *len) != *len) {
+		free(*buf);
+		return -1;
+	}
+	return 0;
+}
+
+void 
+send_via_ntp_signd(
+	struct recvbuf *rbufp,	/* receive packet pointer */
+	int	xmode,
+	keyid_t	xkeyid, 
+	int flags,
+	struct pkt  *xpkt
+	)
+{
+	
+	/* We are here because it was detected that the client
+	 * sent an all-zero signature, and we therefore know
+	 * it's windows trying to talk to an AD server
+	 *
+	 * Because we don't want to dive into Samba's secrets
+	 * database just to find the long-term kerberos key
+	 * that is re-used as the NTP key, we instead hand the
+	 * packet over to Samba to sign, and return to us.
+	 *
+	 * The signing method Samba will use is described by
+	 * Microsoft in MS-SNTP, found here:
+	 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
+	 */
+	
+	int fd, sendlen;
+	struct samba_key_in {
+		uint32_t version;
+		uint32_t op;
+		uint32_t packet_id;
+		uint32_t key_id_le;
+		struct pkt pkt;
+	} samba_pkt;
+	
+	struct samba_key_out {
+		uint32_t version;
+		uint32_t op;
+		uint32_t packet_id;
+		struct pkt pkt;
+	} samba_reply;
+	
+	char full_socket[256];
+
+	char *reply = NULL;
+	uint32_t reply_len;
+	
+	memset(&samba_pkt, 0, sizeof(samba_pkt));
+	samba_pkt.op = 0; /* Sign message */
+	/* This will be echoed into the reply - a different
+	 * impelementation might want multiple packets
+	 * awaiting signing */
+
+	samba_pkt.packet_id = 1;
+
+	/* Swap the byte order back - it's actually little
+	 * endian on the wire, but it was read above as
+	 * network byte order */
+	samba_pkt.key_id_le = htonl(xkeyid);
+	samba_pkt.pkt = *xpkt;
+
+	snprintf(full_socket, sizeof(full_socket), "%s/socket", ntp_signd_socket);
+
+	fd = ux_socket_connect(full_socket);
+	/* Only continue with this if we can talk to Samba */
+	if (fd != -1) {
+		/* Send old packet to Samba, expect response */
+		/* Packet to Samba is quite simple: 
+		   All values BIG endian except key ID as noted
+		   [packet size as BE] - 4 bytes
+		   [protocol version (0)] - 4 bytes
+		   [packet ID] - 4 bytes
+		   [operation (sign message=0)] - 4 bytes
+		   [key id] - LITTLE endian (as on wire) - 4 bytes
+		   [message to sign] - as marshalled, without signature
+		*/
+			
+		if (send_packet(fd, (char *)&samba_pkt, offsetof(struct samba_key_in, pkt) + LEN_PKT_NOMAC) != 0) {
+			/* Huh?  could not talk to Samba... */
+			close(fd);
+			return;
+		}
+			
+		if (recv_packet(fd, &reply, &reply_len) != 0) {
+			if (reply) {
+				free(reply);
+			}
+			close(fd);
+			return;
+		}
+		/* Return packet is also simple: 
+		   [packet size] - network byte order - 4 bytes
+		   [protocol version (0)] network byte order - - 4 bytes
+		   [operation (signed success=3, failure=4)] network byte order - - 4 byte
+		   (optional) [signed message] - as provided before, with signature appended
+		*/
+			
+		if (reply_len <= sizeof(samba_reply)) {
+			memcpy(&samba_reply, reply, reply_len);
+			if (ntohl(samba_reply.op) == 3 && reply_len >  offsetof(struct samba_key_out, pkt)) {
+				sendlen = reply_len - offsetof(struct samba_key_out, pkt);
+				xpkt = &samba_reply.pkt;
+				sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, xpkt, sendlen);
+#ifdef DEBUG
+				if (debug)
+					printf(
+						"transmit ntp_signd packet: at %ld %s->%s mode %d keyid %08x len %d\n",
+						current_time, ntoa(&rbufp->dstadr->sin),
+						ntoa(&rbufp->recv_srcadr), xmode, xkeyid, sendlen);
+#endif
+			}
+		}
+		
+		if (reply) {
+			free(reply);
+		}
+		close(fd);
+		
+	}
+}
+#endif