[Git][NTPsec/ntpsec][master] Remove Autokey's crypto/revoke/keysdir commands from the yacc parser
Matt Selsky
Tue Jan 31 07:32:58 UTC 2017
Matt Selsky pushed to branch master at NTPsec / ntpsec
Commits:
a2ca51c8 by Matt Selsky at 2017-01-31T02:28:55-05:00
Remove Autokey's crypto/revoke/keysdir commands from the yacc parser
Also remove the related documentation.
- - - - -
9 changed files:
- docs/includes/auth-commands.txt
- docs/includes/ntpd-body.txt
- docs/includes/ntpkeygen-body.txt
- include/ntp_config.h
- include/ntpd.h
- ntpd/keyword-gen.c
- ntpd/ntp_config.c
- ntpd/ntp_parser.y
- wafhelpers/configure.py
Changes:
=====================================
docs/includes/auth-commands.txt
=====================================
--- a/docs/includes/auth-commands.txt
+++ b/docs/includes/auth-commands.txt
@@ -7,64 +7,13 @@
RFC 5905. The _key_ argument is the key identifier for a trusted key,
where the value can be in the range 1 to 65,534, inclusive.
-+crypto+ [+cert+ _file_] [+leap+ _file_] [+randfile+ _file_] [+host+ _file_] [+sign+ _file_] [+gq+ _file_] [+gqpar+ _file_] [+iffpar+ _file_] [+mvpar+ _file_] [+pw+ _password_]::
- This command requires the OpenSSL library. It activates public key
- cryptography, selects the message digest and signature encryption
- scheme and loads the required private and public values described
- above. If one or more files are left unspecified, the default names
- are used as described above. Unless the complete path and name of the
- file are specified, the location of a file is relative to the keys
- directory specified in the +keysdir+ command or default
- +{prefixdir}/etc+. Following are the subcommands:
-
- +cert+ _file_;;
- Specifies the location of the required host public certificate file.
- This overrides the link _ntpkey_cert_hostname_ in the keys
- directory.
- +digest+ _digest_;;
- Specify the message digest algorithm, with default MD5. If the
- OpenSSL library is installed, +digest+ can be any message digest
- algorithm supported by the library.
- Note: If compliance with FIPS 140-2 is required, the algorithm
- must be +SHA1+.
- +gqpar+ _file_;;
- Specifies the location of the optional GQ parameters file. This
- overrides the link _ntpkey_gq_hostname_ in the keys directory.
- +host+ _file_;;
- Specifies the location of the required host key file. This overrides
- the link _ntpkey_key_hostname_ in the keys directory.
- +iffpar+ _file_;;
- Specifies the location of the optional IFF parameters file.This
- overrides the link _ntpkey_iff_hostname_ in the keys directory.
- +leap+ _file_;;
- Specifies the location of the optional leapsecond file. This
- overrides the link _ntpkey_leap_ in the keys directory.
- +mvpar+ _file_;;
- Specifies the location of the optional MV parameters file. This
- overrides the link _ntpkey_mv_hostname_ in the keys directory.
- +pw+ _password_;;
- Specifies the password to decrypt files containing private keys and
- identity parameters. This is required only if these files have been
- encrypted.
- +randfile+ _file_;;
- Specifies the location of the random seed file used by the OpenSSL
- library. The defaults are described in the main text above.
- +sign+ _file_;;
- Specifies the location of the optional sign key file. This overrides
- the link _ntpkey_sign_hostname_ in the keys directory. If this file
- is not found, the host key is also the sign key.
-
[[keys]]
+keys+ _keyfile_::
- Specifies the complete path and location of the MD5 key file
+ Specifies the complete path and location of the MD5/SHA1 key file
containing the keys and key identifiers used by {ntpdman},
and {ntpqman} when operating with symmetric-key cryptography.
This is the same operation as the +-k+ command line option.
-+keysdir+ _path_::
- This command specifies the default directory path for cryptographic
- keys, parameters and certificates. The default is +{prefixdir}/etc/+.
-
[[trustedkey]]
+trustedkey+ _key..._ ::
Specifies the key identifiers which are trusted for the purposes of
=====================================
docs/includes/ntpd-body.txt
=====================================
--- a/docs/includes/ntpd-body.txt
+++ b/docs/includes/ntpd-body.txt
@@ -511,7 +511,7 @@ as described in {ntpdconfman}.
|log file |system log |+-l+ |+logfile+
|include file |none |none |+includefile+
|statistics path |+/var/NTP+ |+-s+ |+statsdir+
-|keys path |+{prefixdir}/etc+ |none |+keysdir+
+|keys file |none |+-k+ |+keys+
|===================================================================
[[signals]]
=====================================
docs/includes/ntpkeygen-body.txt
=====================================
--- a/docs/includes/ntpkeygen-body.txt
+++ b/docs/includes/ntpkeygen-body.txt
@@ -39,7 +39,7 @@ root. The recommended procedure is change to the keys directory, usually
Installing the keys as root might not work in NFS-mounted shared file
systems, as NFS clients may not be able to write to the shared keys
directory, even as root. In this case, NFS clients can specify the files
-in another directory such as +/etc+ using the _keysdir_ command.
+in another directory such as +/etc+ using the _keys_ command.
WARNING: +ntpkeygen+ uses the system randomness source. On a POSIX
system this is usually /dev/urandom. Immediately after a reboot, on any
=====================================
include/ntp_config.h
=====================================
--- a/include/ntp_config.h
+++ b/include/ntp_config.h
@@ -133,11 +133,7 @@ typedef DECL_FIFO_ANCHOR(unpeer_node) unpeer_fifo;
typedef struct auth_node_tag auth_node;
struct auth_node_tag {
int control_key;
- int cryptosw;
- attr_val_fifo * crypto_cmd_list;
char * keys;
- char * keysdir;
- int revoke;
attr_val_fifo * trusted_key_list;
char * ntp_signd_socket;
};
=====================================
include/ntpd.h
=====================================
--- a/include/ntpd.h
+++ b/include/ntpd.h
@@ -50,7 +50,6 @@
/* ntp_config.c */
#define TAI_1972 10 /* initial TAI offset (s) */
-extern char *keysdir; /* crypto keys and leaptable directory */
extern const char *getconfig (const char *);
extern void readconfig(const char *);
=====================================
ntpd/keyword-gen.c
=====================================
--- a/ntpd/keyword-gen.c
+++ b/ntpd/keyword-gen.c
@@ -68,11 +68,8 @@ struct key_tok ntp_keywords[] = {
/* authentication_command */
{ "controlkey", T_ControlKey, FOLLBY_TOKEN },
{ "requestkey", T_Requestkey, FOLLBY_TOKEN }, /* dummy */
-{ "crypto", T_Crypto, FOLLBY_TOKEN },
{ "keys", T_Keys, FOLLBY_STRING },
-{ "keysdir", T_Keysdir, FOLLBY_STRING },
{ "ntpsigndsocket", T_NtpSignDsocket, FOLLBY_STRING },
-{ "revoke", T_Revoke, FOLLBY_TOKEN },
{ "trustedkey", T_Trustedkey, FOLLBY_TOKEN },
/* IPv4/IPv6 protocol override flag */
{ "-4", T_Ipv4_flag, FOLLBY_TOKEN },
@@ -92,11 +89,6 @@ struct key_tok ntp_keywords[] = {
{ "subtype", T_Subtype, FOLLBY_TOKEN },
{ "ttl", T_Ttl, FOLLBY_TOKEN },
{ "version", T_Version, FOLLBY_TOKEN },
-/* crypto_command */
-{ "host", T_Host, FOLLBY_STRING },
-{ "pw", T_Pw, FOLLBY_STRING },
-{ "randfile", T_Randfile, FOLLBY_STRING },
-{ "digest", T_Digest, FOLLBY_STRING },
/*** MONITORING COMMANDS ***/
/* stat */
{ "clockstats", T_Clockstats, FOLLBY_TOKEN },
=====================================
ntpd/ntp_config.c
=====================================
--- a/ntpd/ntp_config.c
+++ b/ntpd/ntp_config.c
@@ -157,8 +157,6 @@ extern int yydebug; /* ntp_parser.c (.y) */
config_tree cfgt; /* Parser output stored here */
struct config_tree_tag *cfg_tree_history; /* History of configs */
char *sys_phone[MAXPHONE] = {NULL}; /* ACTS phone numbers */
-char default_keysdir[] = NTP_KEYSDIR;
-char *keysdir = default_keysdir; /* crypto keys directory */
static char default_ntp_signd_socket[] =
#ifdef MSSNTP_PATH
@@ -192,7 +190,6 @@ bool old_config_style = true; /* A boolean flag, which when set,
* format with a newline at the end of
* every command is being used
*/
-int cryptosw; /* crypto command called */
extern char *stats_drift_file; /* name of the driftfile */
@@ -330,11 +327,6 @@ free_auth_node(
ptree->auth.keys = NULL;
}
- if (ptree->auth.keysdir) {
- free(ptree->auth.keysdir);
- ptree->auth.keysdir = NULL;
- }
-
if (ptree->auth.ntp_signd_socket) {
free(ptree->auth.ntp_signd_socket);
ptree->auth.ntp_signd_socket = NULL;
@@ -1138,14 +1130,6 @@ config_auth(
int i;
int count;
- /* Keysdir Command */
- if (ptree->auth.keysdir) {
- if (keysdir != default_keysdir)
- free(keysdir);
- keysdir = estrdup(ptree->auth.keysdir);
- }
-
-
/* ntp_signd_socket Command */
if (ptree->auth.ntp_signd_socket) {
if (ntp_signd_socket != default_ntp_signd_socket)
@@ -1219,8 +1203,6 @@ free_config_auth(
config_tree *ptree
)
{
- destroy_attr_val_fifo(ptree->auth.crypto_cmd_list);
- ptree->auth.crypto_cmd_list = NULL;
destroy_attr_val_fifo(ptree->auth.trusted_key_list);
ptree->auth.trusted_key_list = NULL;
}
=====================================
ntpd/ntp_parser.y
=====================================
--- a/ntpd/ntp_parser.y
+++ b/ntpd/ntp_parser.y
@@ -64,12 +64,10 @@
%token <Integer> T_Clockstats
%token <Integer> T_Cohort
%token <Integer> T_ControlKey
-%token <Integer> T_Crypto
%token <Integer> T_Cryptostats
%token <Integer> T_Ctl
%token <Integer> T_Day
%token <Integer> T_Default
-%token <Integer> T_Digest
%token <Integer> T_Disable
%token <Integer> T_Discard
%token <Integer> T_Dispersion
@@ -93,7 +91,6 @@
%token <Integer> T_Freq
%token <Integer> T_Fudge
%token <Integer> T_Holdover
-%token <Integer> T_Host
%token <Integer> T_Huffpuff
%token <Integer> T_Iburst
%token <Integer> T_Ignore
@@ -113,7 +110,6 @@
%token <Integer> T_Kernel
%token <Integer> T_Key
%token <Integer> T_Keys
-%token <Integer> T_Keysdir
%token <Integer> T_Kod
%token <Integer> T_Mssntp
%token <Integer> T_Leapfile
@@ -176,15 +172,12 @@
%token <Integer> T_Preempt
%token <Integer> T_Prefer
%token <Integer> T_Protostats
-%token <Integer> T_Pw
-%token <Integer> T_Randfile
%token <Integer> T_Rawstats
%token <Integer> T_Refclock
%token <Integer> T_Refid
%token <Integer> T_Requestkey
%token <Integer> T_Reset
%token <Integer> T_Restrict
-%token <Integer> T_Revoke
%token <Integer> T_Rlimit
%token <Integer> T_Saveconfigdir
%token <Integer> T_Server
@@ -237,9 +230,6 @@
%type <Integer> client_type
%type <Integer> counter_set_keyword
%type <Int_fifo> counter_set_list
-%type <Attr_val> crypto_command
-%type <Attr_val_fifo> crypto_command_list
-%type <Integer> crypto_str_keyword
%type <Attr_val> discard_option
%type <Integer> discard_option_keyword
%type <Attr_val_fifo> discard_option_list
@@ -519,23 +509,14 @@ other_mode_command
authentication_command
: T_ControlKey T_Integer
{ cfgt.auth.control_key = $2; }
- | T_Crypto crypto_command_list
- {
- cfgt.auth.cryptosw++;
- CONCAT_G_FIFOS(cfgt.auth.crypto_cmd_list, $2);
- }
| T_Keys T_String
{ cfgt.auth.keys = $2; }
- | T_Keysdir T_String
- { cfgt.auth.keysdir = $2; }
| T_Requestkey T_Integer
{
msyslog(LOG_WARNING,
"requestkey is a no-op because "
"ntpdc has been removed.");
}
- | T_Revoke T_Integer
- { cfgt.auth.revoke = $2; }
| T_Trustedkey integer_list_range
{
cfgt.auth.trusted_key_list = $2;
@@ -549,37 +530,6 @@ authentication_command
{ cfgt.auth.ntp_signd_socket = $2; }
;
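Review bot: The remaining authentication_command rule keeps `requestkey` as a recognized no-op that logs a warning, but drops `crypto`, `keysdir` and `revoke` outright, so an existing ntp.conf that still carries any of those lines will presumably now be rejected by the lexer/parser with a generic syntax error rather than a message that says Autokey is gone. That asymmetry is worth deciding on deliberately: failing loudly on a removed authentication mechanism is defensible, but then the commit message or NEWS should say that old configs must be edited before upgrading. If the gentler path is preferred, mirror the requestkey treatment for each keyword, e.g. `| T_Keysdir T_String { msyslog(LOG_WARNING, "keysdir is a no-op because Autokey has been removed."); }`, which also means leaving the corresponding entries in keyword-gen.c and the %token declarations in place. The authentication_command rule is fully visible in this hunk.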
-crypto_command_list
- : /* empty list */
- { $$ = NULL; }
- | crypto_command_list crypto_command
- {
- $$ = $1;
- APPEND_G_FIFO($$, $2);
- }
- ;
-
-crypto_command
- : crypto_str_keyword T_String
- { $$ = create_attr_sval($1, $2); }
- | T_Revoke T_Integer
- {
- $$ = NULL;
- cfgt.auth.revoke = $2;
- msyslog(LOG_WARNING,
- "'crypto revoke %d' is deprecated, "
- "please use 'revoke %d' instead.",
- cfgt.auth.revoke, cfgt.auth.revoke);
- }
- ;
-
-crypto_str_keyword
- : T_Host
- | T_Pw
- | T_Randfile
- | T_Digest
- ;
-
/* Orphan Mode Commands
* --------------------
=====================================
wafhelpers/configure.py
=====================================
--- a/wafhelpers/configure.py
+++ b/wafhelpers/configure.py
@@ -314,8 +314,6 @@ def cmd_configure(ctx, config):
for header, sizeof in sorted(sizeofs, key=lambda x: x[1:]):
check_sizeof(ctx, header, sizeof)
- ctx.define("NTP_KEYSDIR", "%s/etc" % ctx.env.PREFIX,
- comment="NTP key file directory")
ctx.define("GETSOCKNAME_SOCKLEN_TYPE", "socklen_t", quote=False,
comment="socklen type")
ctx.define("DFLT_RLIMIT_STACK", 50, comment="Default stack size")