[Git][NTPsec/ntpsec][master] 2 commits: Cleanup after broadcast/multicast removal.
Eric S. Raymond
gitlab at mg.gitlab.com
Fri Dec 9 22:56:10 UTC 2016
Eric S. Raymond pushed to branch master at NTPsec / ntpsec
Commits:
e243d32b by Eric S. Raymond at 2016-12-09T17:38:48-05:00
Cleanup after broadcast/multicast removal.
- - - - -
b0661b79 by Eric S. Raymond at 2016-12-09T17:54:58-05:00
Remove dead code and now-unused flag checks associated with bcast/multicast.
- - - - -
9 changed files:
- include/ntp.h
- include/ntpd.h
- ntpd/ntp_config.c
- ntpd/ntp_control.c
- ntpd/ntp_io.c
- ntpd/ntp_parser.y
- ntpd/ntp_peer.c
- ntpd/ntp_proto.c
- ntpd/ntpd.c
Changes:
=====================================
include/ntp.h
=====================================
--- a/include/ntp.h
+++ b/include/ntp.h
@@ -615,11 +615,11 @@ struct pkt {
*/
#define PROTO_BROADCLIENT 1 /* (not used) */
#define PROTO_PRECISION 2 /* (not used) */
-#define PROTO_AUTHENTICATE 3
+#define PROTO_AUTHENTICATE 3 /* (not used) */
#define PROTO_BROADDELAY 4 /* (not used) */
#define PROTO_AUTHDELAY 5
-#define PROTO_MULTICAST_ADD 6
-#define PROTO_MULTICAST_DEL 7
+#define PROTO_MULTICAST_ADD 6 /* (not used) */
+#define PROTO_MULTICAST_DEL 7 /* (not used) */
#define PROTO_NTP 8
#define PROTO_KERNEL 9
#define PROTO_MONITOR 10
@@ -672,6 +672,7 @@ struct pkt {
/*
* Default parameters. We use these in the absence of something better.
+ * (Historical relic - muliticast mode has been removed for security reasons.)
*/
#define INADDR_NTP 0xe0000101 /* NTP multicast address 224.0.1.1 */
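Review bot: The comment added in this hunk misspells "multicast" as "muliticast"; suggested wording: ` * (Historical relic - multicast mode has been removed for security reasons.)`. It would also help a later cleanup to say in the same comment why `INADDR_NTP` is still defined, if anything continues to reference it, since the hunk keeps the definition while declaring the feature gone.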
@@ -695,28 +696,25 @@ struct mon_data {
/*
* Values for cast_flags in mon_entry and struct peer. mon_entry uses
- * only the first three, MDF_UCAST, MDF_MCAST, and MDF_BCAST.
+ * only MDF_UCAST and MDF_BCAST.
*/
#define MDF_UCAST 0x01 /* unicast client */
-#define MDF_MCAST 0x02 /* multicast server */
+#define MDF_MCAST 0x02 /* multicast server (not used) */
#define MDF_BCAST 0x04 /* broadcast server */
#define MDF_POOL 0x08 /* pool client solicitor */
-#define MDF_ACAST 0x10 /* manycast client solicitor */
+#define MDF_ACAST 0x10 /* manycast client solicitor (not used) */
#define MDF_BCLNT 0x20 /* eph. broadcast/multicast client (not used) */
#define MDF_UCLNT 0x40 /* preemptible manycast or pool client */
/*
- * In the context of struct peer in ntpd, three of the cast_flags bits
+ * In the context of struct peer in ntpd, one cast_flags bit
* represent configured associations which never receive packets, and
- * whose reach is always 0: MDF_BCAST, MDF_MCAST, and MDF_ACAST. The
- * last can be argued as responses are received, but those responses do
- * not affect the MDF_ACAST association's reach register, rather they
- * (may) result in mobilizing ephemeral MDF_ACLNT associations.
+ * whose reach is always 0: MDF_BCAST
*/
-#define MDF_TXONLY_MASK (MDF_BCAST | MDF_MCAST | MDF_ACAST | MDF_POOL)
+#define MDF_TXONLY_MASK (MDF_BCAST | MDF_POOL)
/*
* manycastclient-like solicitor association cast_flags bits
*/
-#define MDF_SOLICIT_MASK (MDF_ACAST | MDF_POOL)
+#define MDF_SOLICIT_MASK MDF_POOL
/*
* Values used with mon_enabled to indicate reason for enabling monitoring
*/
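Review bot: The rewritten comment above `MDF_TXONLY_MASK` reads "one cast_flags bit represent configured associations ... whose reach is always 0: MDF_BCAST" — subject and verb disagree and the sentence has no terminator. The mask itself still carries `MDF_POOL`, which the comment does not account for, so a reader may conclude the mask is a single bit. Suggested wording: ` * In the context of struct peer in ntpd, MDF_BCAST marks a configured association which never receives packets and whose reach is always 0. MDF_POOL is also part of the mask.`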
=====================================
include/ntpd.h
=====================================
--- a/include/ntpd.h
+++ b/include/ntpd.h
@@ -186,7 +186,6 @@ extern void init_proto (const bool);
extern void set_sys_tick_precision(double);
extern void proto_config (int, u_long, double);
extern void proto_clr_stats (void);
-extern void proto_dump(FILE *);
/* ntp_refclock.c */
#ifdef REFCLOCK
@@ -398,7 +397,6 @@ extern int sys_minclock; /* minimum candidates */
/*
* Nonspecified system state variables.
*/
-extern bool sys_authenticate; /* requre authentication for config */
extern l_fp sys_authdelay; /* authentication delay */
extern u_long sys_epoch; /* last clock update time */
extern keyid_t sys_private; /* private value for session seed */
=====================================
ntpd/ntp_config.c
=====================================
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -225,13 +225,6 @@ static void free_config_ttl(config_tree *);
static void free_config_unpeers(config_tree *);
static void free_config_vars(config_tree *);
-static void destroy_address_fifo(address_fifo *);
-#define FREE_ADDRESS_FIFO(pf) \
- do { \
- destroy_address_fifo(pf); \
- (pf) = NULL; \
- } while (0)
- void free_all_config_trees(void); /* atexit() */
static void free_config_tree(config_tree *ptree);
static void destroy_restrict_node(restrict_node *my_node);
@@ -1138,25 +1131,6 @@ create_addr_opts_node(
*/
static void
-destroy_address_fifo(
- address_fifo * pfifo
- )
-{
- address_node * addr_node;
-
- if (pfifo != NULL) {
- for (;;) {
- UNLINK_FIFO(addr_node, *pfifo, link);
- if (addr_node == NULL)
- break;
- destroy_address_node(addr_node);
- }
- free(pfifo);
- }
-}
-
-
-static void
config_auth(
config_tree *ptree
)
@@ -2690,18 +2664,12 @@ peer_config(
*/
switch (hmode) {
case MODE_BROADCAST:
-
- if (IS_MCAST(srcadr))
- cast_flags = MDF_MCAST;
- else
- cast_flags = MDF_BCAST;
+ cast_flags = MDF_BCAST;
break;
case MODE_CLIENT:
if (hostname != NULL && SOCK_UNSPEC(srcadr))
cast_flags = MDF_POOL;
- else if (IS_MCAST(srcadr))
- cast_flags = MDF_ACAST;
else
cast_flags = MDF_UCAST;
break;
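Review bot: With the `IS_MCAST(srcadr)` branches gone, a multicast address handed to peer_config is no longer distinguished: in the MODE_BROADCAST case it becomes `MDF_BCAST` and in the MODE_CLIENT case it becomes `MDF_UCAST`, so a configuration line that used to create a multicast association is now silently reinterpreted as broadcast or unicast. Since the commit removes multicast for security reasons, it would be safer to refuse such addresses explicitly, for example before the switch: `if (IS_MCAST(srcadr)) { msyslog(LOG_ERR, "multicast addresses are no longer supported"); return NULL; }` — provided peer_config's callers already tolerate a NULL return, which this hunk does not show. peer_config begins before this hunk.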
@@ -2720,7 +2688,7 @@ peer_config(
ctl->flags |= FLAG_CONFIG;
if (mode_ntpdate)
ctl->flags |= FLAG_IBURST;
- if ((MDF_ACAST | MDF_POOL) & cast_flags)
+ if (MDF_POOL & cast_flags)
ctl->flags &= ~FLAG_PREEMPT;
return newpeer(srcadr, hostname, dstadr, hmode, ctl->version,
ctl->minpoll, ctl->maxpoll, ctl->flags,
=====================================
ntpd/ntp_control.c
=====================================
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -697,7 +697,7 @@ ctl_error(
/*
* send packet and bump counters
*/
- if (res_authenticate && sys_authenticate) {
+ if (res_authenticate) {
maclen = authencrypt(res_keyid, (uint32_t *)&rpkt,
CTL_HEADER_LEN);
sendpkt(rmt_addr, lcl_inter, -2, &rpkt, CTL_HEADER_LEN + maclen);
@@ -803,8 +803,7 @@ process_control(
properlen = (properlen + 7) & ~7;
maclen = rbufp->recv_length - properlen;
if ((rbufp->recv_length & 3) == 0 &&
- maclen >= MIN_MAC_LEN && maclen <= MAX_MAC_LEN &&
- sys_authenticate) {
+ maclen >= MIN_MAC_LEN && maclen <= MAX_MAC_LEN) {
res_authenticate = true;
pkid = (void *)((char *)pkt + properlen);
res_keyid = ntohl(*pkid);
@@ -970,7 +969,7 @@ ctl_flushpkt(
(res_opcode & CTL_OP_MASK);
rpkt.count = htons((u_short)dlen);
rpkt.offset = htons((u_short)res_offset);
- if (res_authenticate && sys_authenticate) {
+ if (res_authenticate) {
totlen = sendlen;
/*
* If we are going to authenticate, then there
=====================================
ntpd/ntp_io.c
=====================================
--- a/ntpd/ntp_io.c
+++ b/ntpd/ntp_io.c
@@ -2422,9 +2422,7 @@ read_network_packet(
* put it on the full list and do bookkeeping.
*/
rb->dstadr = itf;
- rb->cast_flags = (uint8_t)(((rb->dstadr->flags &
- INT_MCASTOPEN) && rb->fd == rb->dstadr->fd) ? MDF_MCAST
- : rb->fd == rb->dstadr->bfd ? MDF_BCAST : MDF_UCAST);
+ rb->cast_flags = (uint8_t)(rb->fd == rb->dstadr->bfd ? MDF_BCAST : MDF_UCAST);
rb->fd = fd;
#ifdef USE_PACKET_TIMESTAMP
/* pick up a network time stamp if possible */
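Review bot: The new single-line assignment of `rb->cast_flags` runs well past the 80-column width the surrounding lines keep; splitting it as `rb->cast_flags = (uint8_t)(rb->fd == rb->dstadr->bfd` / `? MDF_BCAST : MDF_UCAST);` keeps the file's style. The expression still reads `rb->fd` one line before `rb->fd = fd;` overwrites it, exactly as the original did; that ordering is not changed by this commit, but a short comment such as `/* rb->fd presumably still holds the receiving socket here; fd is stored below */` would stop the next reader from "fixing" it. read_network_packet continues outside the hunk.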
@@ -2685,8 +2683,7 @@ select_peerinterface(
*/
if (IS_PEER_REFCLOCK(peer)) {
ep = loopback_interface;
- } else if (peer->cast_flags &
- (MDF_BCLNT | MDF_ACAST | MDF_MCAST | MDF_BCAST)) {
+ } else if (peer->cast_flags & MDF_BCAST) {
ep = findbcastinter(srcadr);
if (ep != NULL)
DPRINTF(4, ("Found *-cast interface %s for address %s\n",
=====================================
ntpd/ntp_parser.y
=====================================
--- a/ntpd/ntp_parser.y
+++ b/ntpd/ntp_parser.y
@@ -1082,8 +1082,7 @@ system_option
;
system_option_flag_keyword
- : T_Auth
- | T_Calibrate
+ : T_Calibrate
| T_Kernel
| T_Monitor
| T_Ntp
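Review bot: Dropping `T_Auth` from `system_option_flag_keyword` turns `enable auth` and `disable auth` in an existing ntp.conf into a parse error rather than a no-op, assuming the lexer's keyword table (outside this hunk) still emits T_Auth. Because the `sys_authenticate` checks elsewhere in the commit now behave as if the flag were always true, an operator with `disable auth` configured gets a stricter daemon plus a configuration failure, with no message explaining why. Consider keeping the alternative in the grammar and logging that the option is ignored where enable/disable flags are handled, or at least documenting the removal in the release notes. system_option_flag_keyword continues after the hunk.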
=====================================
ntpd/ntp_peer.c
=====================================
--- a/ntpd/ntp_peer.c
+++ b/ntpd/ntp_peer.c
@@ -216,12 +216,8 @@ findexistingpeer_addr(
/*
* start_peer is included so we can locate instances of the
* same peer through different interfaces in the hash table.
- * Without MDF_BCLNT, a match requires the same mode and remote
- * address. MDF_BCLNT associations start out as MODE_CLIENT
- * if broadcastdelay is not specified, and switch to
- * MODE_BCLIENT after estimating the one-way delay. Duplicate
- * associations are expanded in definition to match any other
- * MDF_BCLNT with the same srcadr (remote, unicast address).
+ * A match requires the same mode and remote
+ * address.
*/
if (NULL == start_peer)
peer = peer_hash[NTP_HASH_ADDR(addr)];
@@ -232,9 +228,7 @@ findexistingpeer_addr(
DPRINTF(3, ("%s %s %d %d 0x%x 0x%x ", sockporttoa(addr),
sockporttoa(&peer->srcadr), mode, peer->hmode,
(u_int)cast_flags, (u_int)peer->cast_flags));
- if ((-1 == mode || peer->hmode == mode ||
- ((MDF_BCLNT & peer->cast_flags) &&
- (MDF_BCLNT & cast_flags))) &&
+ if ((-1 == mode || peer->hmode == mode) &&
ADDR_PORT_EQ(addr, &peer->srcadr)) {
DPRINTF(3, ("found.\n"));
break;
@@ -571,7 +565,6 @@ peer_refresh_interface(
)
{
endpt * niface;
- endpt * piface;
niface = select_peerinterface(p, &p->srcadr, NULL);
@@ -595,16 +588,7 @@ peer_refresh_interface(
DPRINTF(4, ("<NONE>\n"));
}
- piface = p->dstadr;
set_peerdstadr(p, niface);
- if (p->dstadr != NULL) {
- /*
- * clear crypto if we change the local address
- */
- if (p->dstadr != piface && !(MDF_ACAST & p->cast_flags)
- && MODE_BROADCAST != p->pmode)
- peer_clear(p, "XFAC", false);
- }
}
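Review bot: The removed block was not entirely dead code: for any peer whose local endpoint changed it called `peer_clear(p, "XFAC", false)` whenever the new `p->dstadr` differed from the previous one and `p->pmode` was not MODE_BROADCAST; only the `MDF_ACAST` term was tied to manycast. Deleting the whole block means an association keeps whatever state peer_clear would have reset across a change of local address, a behavioral change the commit message does not mention. If that reset is still wanted, keep it with just the manycast test removed: `endpt *piface = p->dstadr;` before `set_peerdstadr(p, niface);`, followed by `if (p->dstadr != NULL && p->dstadr != piface && MODE_BROADCAST != p->pmode) peer_clear(p, "XFAC", false);`. The `piface` declaration was removed in the preceding hunk, and peer_refresh_interface starts outside both.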
@@ -761,9 +745,7 @@ newpeer(
peer->keyid = key;
peer->precision = sys_precision;
peer->hpoll = peer->minpoll;
- if (cast_flags & MDF_ACAST)
- peer_clear(peer, "ACST", initializing);
- else if (cast_flags & MDF_POOL)
+ if (cast_flags & MDF_POOL)
peer_clear(peer, "POOL", initializing);
else if (cast_flags & MDF_BCAST)
peer_clear(peer, "BCST", initializing);
=====================================
ntpd/ntp_proto.c
=====================================
--- a/ntpd/ntp_proto.c
+++ b/ntpd/ntp_proto.c
@@ -74,7 +74,6 @@ bool leap_sec_in_progress;
/*
* Nonspecified system state variables
*/
-bool sys_authenticate; /* require authentication for config */
l_fp sys_authdelay; /* authentication delay */
double sys_offset; /* current local clock offset */
double sys_mindisp = MINDISPERSE; /* minimum distance (s) */
@@ -403,8 +402,7 @@ i_require_authentication(
bool peer_has_key = peer != NULL && peer->keyid != 0;
bool wants_association =
PKT_MODE(pkt->li_vn_mode) == MODE_BROADCAST ||
- (peer == NULL && PKT_MODE(pkt->li_vn_mode == MODE_ACTIVE)) ||
- (peer != NULL && peer->cast_flags & MDF_ACAST);
+ (peer == NULL && PKT_MODE(pkt->li_vn_mode == MODE_ACTIVE));
bool restrict_nopeer =
(restrict_mask & RES_NOPEER) &&
wants_association;
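Review bot: The retained second clause of `wants_association` has a misplaced parenthesis: `PKT_MODE(pkt->li_vn_mode == MODE_ACTIVE)` applies PKT_MODE to the result of the comparison, so with PKT_MODE masking the low mode bits as in ntp.h the term is true only when the entire li_vn_mode byte equals MODE_ACTIVE, which cannot happen for any packet carrying a non-zero version. An unsolicited symmetric-active packet therefore never counts as wanting an association, and the RES_NOPEER-based authentication requirement derived from it below is weaker than intended for that mode. The intended form is `(peer == NULL && PKT_MODE(pkt->li_vn_mode) == MODE_ACTIVE)`. This predates the commit but the line is re-emitted here; i_require_authentication continues outside the hunk.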
@@ -803,7 +801,7 @@ receive(
handle_manycast(rbufp, restrict_mask, pkt, peer, authenticated);
break;
default:
- /* Everything else is for broadcast or multicast modes,
+ /* Everything else is for broadcast modes,
which are a security nightmare. So they go to the
bit bucket until this improves.
*/
@@ -837,7 +835,7 @@ transmit(
* In broadcast mode the poll interval is never changed from
* minpoll.
*/
- if (peer->cast_flags & (MDF_BCAST | MDF_MCAST)) {
+ if (peer->cast_flags & MDF_BCAST) {
peer->outdate = current_time;
if (sys_leap != LEAP_NOTINSYNC)
peer_xmit(peer);
@@ -846,36 +844,6 @@ transmit(
}
/*
- * In manycast mode we start with unity ttl. The ttl is
- * increased by one for each poll until either sys_maxclock
- * servers have been found or the maximum ttl is reached. When
- * sys_maxclock servers are found we stop polling until one or
- * more servers have timed out or until less than sys_minclock
- * associations turn up. In this case additional better servers
- * are dragged in and preempt the existing ones. Once every
- * sys_beacon seconds we are to transmit unconditionally, but
- * this code is not quite right -- peer->unreach counts polls
- * and is being compared with sys_beacon, so the beacons happen
- * every sys_beacon polls.
- */
- if (peer->cast_flags & MDF_ACAST) {
- peer->outdate = current_time;
- if (peer->unreach > sys_beacon) {
- peer->unreach = 0;
- peer->ttl = 0;
- peer_xmit(peer);
- } else if (sys_survivors < sys_minclock ||
- peer_associations < sys_maxclock) {
- if (peer->ttl < (uint32_t)sys_ttlmax)
- peer->ttl++;
- peer_xmit(peer);
- }
- peer->unreach++;
- poll_update(peer, hpoll);
- return;
- }
-
- /*
* Pool associations transmit unicast solicitations when there
* are less than a hard limit of 2 * sys_maxclock associations,
* and either less than sys_minclock survivors or less than
@@ -2795,7 +2763,6 @@ init_proto(const bool verbose)
get_systime(&dummy);
sys_survivors = 0;
sys_manycastserver = 0;
- sys_authenticate = true;
sys_stattime = current_time;
orphwait = current_time + sys_orphwait;
proto_clr_stats();
@@ -2830,10 +2797,6 @@ proto_config(
/*
* enable and disable commands - arguments are Boolean.
*/
- case PROTO_AUTHENTICATE: /* authentication (auth) */
- sys_authenticate = (bool)value;
- break;
-
#ifdef REFCLOCK
case PROTO_CAL: /* refclock calibrate (calibrate) */
cal_enable = value;
@@ -2949,8 +2912,3 @@ proto_clr_stats(void)
sys_kodsent = 0;
}
-void proto_dump(FILE *fp)
-{
- /* must cover at least anything that can be set on the command line */
- fprintf(fp, "%sable auth;\n", sys_authenticate ? "en" : "dis");
-}
=====================================
ntpd/ntpd.c
=====================================
--- a/ntpd/ntpd.c
+++ b/ntpd/ntpd.c
@@ -792,7 +792,6 @@ ntpdmain(
/* use this to test if option setting gives expected results */
if (dumpopts) {
- proto_dump(stdout);
if (explicit_config)
fprintf(stdout, "conffile \"%s\";\n", explicit_config);
fprintf(stdout, "#debug = %d\n", debug);
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/765281897cb1f6ebe17d0a2562e2efe360469981...b0661b79d54ba3e2a76d88c50d5c77447f0129f0