1Only in ntp-samba: autom4te.cache
2Only in ntp-samba: config.h
3Only in ntp-samba: config.log
4Only in ntp-samba: config.status
5Only in ntp-samba/ElectricFence: .deps
6Only in ntp-samba/ElectricFence: Makefile
7Only in ntp-samba: .gcc-warning
8Only in ntp-samba/include/isc: Makefile
9Only in ntp-samba/include: Makefile
10diff -ur ntp-dev-4.2.5p125/include/ntp_config.h ntp-samba/include/ntp_config.h
11--- ntp-dev-4.2.5p125/include/ntp_config.h	2008-07-17 07:20:58.000000000 +1000
12+++ ntp-samba/include/ntp_config.h	2008-08-28 21:59:06.000000000 +1000
13@@ -92,6 +92,7 @@
14     int requested_key;
15     int revoke;
16     queue *trusted_key_list;
17+    char *ntp_signd_socket;
18 };
19 
20 struct filegen_node {
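Review bot: The new field `char *ntp_signd_socket;` is the only non-const pointer in the chain: ntpd.h declares the global as `extern char const *ntp_signd_socket;`, and ntp_config.c defaults the field with `my_config.auth.ntp_signd_socket = NTP_SIGND_PATH;`, which assigns a string literal to a `char *`. Declaring the field as `const char *ntp_signd_socket;` matches the global and removes the literal-to-`char *` assignment; the parser's `$2` presumably stays assignable since a `char *` converts to `const char *` without a cast. A short comment on the field, `/* path to the ntp_signd directory; "/socket" is appended by ntp_signd.c */`, would also save a reader from assuming it names the socket file itself. The enclosing struct starts outside the hunk.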
21diff -ur ntp-dev-4.2.5p125/include/ntpd.h ntp-samba/include/ntpd.h
22--- ntp-dev-4.2.5p125/include/ntpd.h	2008-05-18 21:11:28.000000000 +1000
23+++ ntp-samba/include/ntpd.h	2008-08-28 21:59:06.000000000 +1000
24@@ -259,6 +259,8 @@
25 extern int	config_priority;
26 #endif
27 
28+extern char const *ntp_signd_socket;
29+
30 /* ntp_control.c */
31 extern int	num_ctl_traps;
32 extern keyid_t	ctl_auth_keyid;		/* keyid used for authenticating write requests */
33@@ -471,3 +473,15 @@
34 extern struct refclock *refclock_conf[]; /* refclock configuration table */
35 extern u_char	num_refclock_conf;
36 #endif
37+
38+/* ntp_signd.c */
39+#ifdef HAVE_NTP_SIGND
40+extern void 
41+send_via_ntp_signd(
42+	struct recvbuf *rbufp,	/* receive packet pointer */
43+	int	xmode,
44+	keyid_t	xkeyid, 
45+	int flags,
46+	struct pkt  *xpkt
47+	);
48+#endif
49diff -ur ntp-dev-4.2.5p125/include/ntp.h ntp-samba/include/ntp.h
50--- ntp-dev-4.2.5p125/include/ntp.h	2008-08-10 22:37:56.000000000 +1000
51+++ ntp-samba/include/ntp.h	2008-08-28 21:59:06.000000000 +1000
52@@ -447,6 +447,7 @@
53 #ifdef	OPENSSL
54 #define FLAG_ASSOC	0x4000	/* autokey request */
55 #endif /* OPENSSL */
56+#define FLAG_ADKEY      0x00010000      /* Authenticated (or wants reply to be authenticated) using AD authentication */
57 
58 /*
59  * Definitions for the clear() routine.  We use memset() to clear
60Only in ntp-samba/include: ntp.h.orig
61Only in ntp-samba: libtool
62Only in ntp-samba: Makefile
63diff -ur ntp-dev-4.2.5p125/ntpd/Makefile.am ntp-samba/ntpd/Makefile.am
64--- ntp-dev-4.2.5p125/ntpd/Makefile.am	2008-05-18 21:11:29.000000000 +1000
65+++ ntp-samba/ntpd/Makefile.am	2008-08-28 21:59:06.000000000 +1000
66@@ -65,7 +65,7 @@
67 	ntp_crypto.c ntp_filegen.c \
68 	ntp_intres.c ntp_loopfilter.c ntp_monitor.c ntp_peer.c \
69 	ntp_proto.c ntp_refclock.c ntp_request.c \
70-	ntp_restrict.c ntp_timer.c ntp_util.c \
71+	ntp_restrict.c ntp_timer.c ntp_util.c ntp_signd.c \
72 	ppsapi_timepps.h \
73 	refclock_acts.c refclock_arbiter.c refclock_arc.c refclock_as2201.c \
74 	refclock_atom.c refclock_bancomm.c refclock_chronolog.c \
75diff -ur ntp-dev-4.2.5p125/ntpd/ntp_config.c ntp-samba/ntpd/ntp_config.c
76--- ntp-dev-4.2.5p125/ntpd/ntp_config.c	2008-08-10 22:37:54.000000000 +1000
77+++ ntp-samba/ntpd/ntp_config.c	2008-08-28 22:03:52.000000000 +1000
78@@ -148,6 +148,7 @@
79 #endif
80 
81 const char *config_file;
82+const char *ntp_signd_socket;
83 #ifdef HAVE_NETINFO
84 struct netinfo_config_state *config_netinfo = NULL;
85 int check_netinfo = 1;
86@@ -276,6 +277,11 @@
87 	my_config.auth.crypto_cmd_list = NULL;
88 	my_config.auth.keys = NULL;
89 	my_config.auth.keysdir = NULL;
90+#ifdef NTP_SIGND_PATH
91+	my_config.auth.ntp_signd_socket = NTP_SIGND_PATH;
92+#else
93+	my_config.auth.ntp_signd_socket = NULL;
94+#endif
95 	my_config.auth.requested_key = 0;
96 	my_config.auth.revoke = 0;
97 	my_config.auth.trusted_key_list = NULL;
98@@ -795,6 +801,7 @@
99 	{ "crypto",		T_Crypto,          NO_ARG },
100 	{ "keys",		T_Keys,            SINGLE_ARG },
101 	{ "keysdir",		T_Keysdir,         SINGLE_ARG },
102+	{ "ntpsigndsocket",     T_NtpSignDsocket,  SINGLE_ARG },
103 	{ "requestkey",		T_Requestkey,      NO_ARG },
104 	{ "revoke",		T_Revoke,          NO_ARG },
105 	{ "trustedkey",		T_Trustedkey,      NO_ARG },
106@@ -1000,6 +1007,10 @@
107 	if (my_config.auth.keysdir)
108 		keysdir = my_config.auth.keysdir;
109 
110+	/* ntp_signd_socket Command */
111+	if (my_config.auth.ntp_signd_socket)
112+		ntp_signd_socket = my_config.auth.ntp_signd_socket;
113+
114 #ifdef OPENSSL
115 	if (cryptosw) {
116 		crypto_setup();
117Only in ntp-samba/ntpd: ntp_config.c~
118Only in ntp-samba/ntpd: ntp_config.c.orig
119diff -ur ntp-dev-4.2.5p125/ntpd/ntp_parser.y ntp-samba/ntpd/ntp_parser.y
120--- ntp-dev-4.2.5p125/ntpd/ntp_parser.y	2008-07-17 07:21:06.000000000 +1000
121+++ ntp-samba/ntpd/ntp_parser.y	2008-08-28 21:59:06.000000000 +1000
122@@ -155,6 +155,7 @@
123 %token		T_Novolley
124 %token		T_Ntp
125 %token		T_Ntpport
126+%token		T_NtpSignDsocket
127 %token		T_Orphan
128 %token		T_Panic
129 %token		T_Peer
130@@ -432,6 +433,8 @@
131                     { my_config.auth.requested_key = $2;  }
132 	|	T_Trustedkey integer_list
133                     { my_config.auth.trusted_key_list = $2;  }
134+	|	T_NtpSignDsocket T_String
135+                    { my_config.auth.ntp_signd_socket = $2;  }
136 	;
137 
138 crypto_command_line
139diff -ur ntp-dev-4.2.5p125/ntpd/ntp_proto.c ntp-samba/ntpd/ntp_proto.c
140--- ntp-dev-4.2.5p125/ntpd/ntp_proto.c	2008-07-17 07:21:02.000000000 +1000
141+++ ntp-samba/ntpd/ntp_proto.c	2008-08-28 21:59:06.000000000 +1000
142@@ -128,7 +128,7 @@
143 static	void	clock_combine	(struct peer **, int);
144 static	void	peer_xmit	(struct peer *);
145 static	void	fast_xmit	(struct recvbuf *, int, keyid_t,
146-				    char *);
147+				 char *, int);
148 static	void	clock_update	(struct peer *);
149 static	int	default_get_precision (void);
150 static	int	peer_unfit	(struct peer *);
151@@ -311,6 +311,7 @@
152 	int	authlen;		/* offset of MAC field */
153 	int	is_authentic = 0;	/* cryptosum ok */
154 	int	retcode = AM_NOMATCH;	/* match code */
155+	int     flags = 0;              /* flags with details about the authentication */
156 	keyid_t	skeyid = 0;		/* key IDs */
157 	u_int32	opcode = 0;		/* extension field opcode */
158 	struct sockaddr_storage *dstadr_sin; /* active runway */
159@@ -324,6 +325,8 @@
160 	keyid_t	pkeyid = 0, tkeyid = 0;	/* key IDs */
161 #endif /* OPENSSL */
162 
163+	static unsigned char zero_key[16];
164+
165 	/*
166 	 * Monitor the packet and get restrictions. Note that the packet
167 	 * length for control and private mode packets must be checked
168@@ -480,9 +483,9 @@
169 			return;			/* rate exceeded */
170 
171 		if (hismode == MODE_CLIENT)
172-			fast_xmit(rbufp, MODE_SERVER, skeyid, "RATE");
173+			fast_xmit(rbufp, MODE_SERVER, skeyid, "RATE", 0);
174 		else
175-			fast_xmit(rbufp, MODE_ACTIVE, skeyid, "RATE");
176+			fast_xmit(rbufp, MODE_ACTIVE, skeyid, "RATE", 0);
177 		return;				/* rate exceeded */
178 	}
179 
180@@ -535,6 +538,7 @@
181 	 * is zero, acceptable outcomes of y are NONE and OK. If x is
182 	 * one, the only acceptable outcome of y is OK.
183 	 */
184+
185 	if (has_mac == 0) {
186 		is_authentic = AUTH_NONE; /* not required */
187 #ifdef DEBUG
188@@ -555,6 +559,25 @@
189 			    stoa(&rbufp->recv_srcadr), hismode, skeyid,
190 			    authlen + has_mac, is_authentic);
191 #endif
192+
193+		/* If the signature is 20 bytes long, the last 16 of
194+		 * which are zero, then this is a Microsoft client
195+		 * wanting AD-style authentication of the server's
196+		 * reply.  
197+		 *
198+		 * This is described in Microsoft's WSPP docs, in MS-SNTP:
199+		 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
200+		 */
201+	} else if (has_mac == MAX_MAC_LEN
202+		   && (retcode == AM_FXMIT || retcode == AM_NEWPASS)
203+		   && (memcmp(zero_key, (char *)pkt + authlen + 4, MAX_MAC_LEN - 4) == 0)) {
204+		
205+		/* Don't try to verify the zeros, just set a
206+		 * flag and otherwise pretend we never saw the signature */
207+		is_authentic = AUTH_NONE;
208+		
209+		flags = FLAG_ADKEY;
210+
211 	} else {
212 #ifdef OPENSSL
213 		/*
214@@ -696,9 +719,9 @@
215 			if (AUTH(restrict_mask & RES_DONTTRUST,
216 			   is_authentic)) {
217 				fast_xmit(rbufp, MODE_SERVER, skeyid,
218-				    NULL);
219+					  NULL, flags);
220 			} else if (is_authentic == AUTH_ERROR) {
221-				fast_xmit(rbufp, MODE_SERVER, 0, NULL);
222+				fast_xmit(rbufp, MODE_SERVER, 0, NULL, 0);
223 				sys_badauth++;
224 			} else {
225 				sys_restricted++;
226@@ -733,7 +756,7 @@
227 		 * crypto-NAK, as that would not be useful.
228 		 */
229 		if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic))
230-			fast_xmit(rbufp, MODE_SERVER, skeyid, NULL);
231+			fast_xmit(rbufp, MODE_SERVER, skeyid, NULL, 0);
232 		return;				/* hooray */
233 
234 	/*
235@@ -888,7 +911,7 @@
236 		    is_authentic)) {
237 #ifdef OPENSSL
238 			if (crypto_flags && skeyid > NTP_MAXKEY)
239-				fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
240+				fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
241 #endif /* OPENSSL */
242 			sys_restricted++;
243 			return;			/* access denied */
244@@ -904,7 +927,7 @@
245 			 * This is for drat broken Windows clients. See
246 			 * Microsoft KB 875424 for preferred workaround.
247 			 */
248-			fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL);
249+			fast_xmit(rbufp, MODE_PASSIVE, skeyid, NULL, flags);
250 #else /* WINTIME */
251 			sys_restricted++;
252 #endif /* WINTIME */
253@@ -938,6 +961,7 @@
254 		}
255 		break;
256 
257+
258 	/*
259 	 * Process regular packet. Nothing special.
260 	 */
261@@ -1090,7 +1114,7 @@
262 		peer->flash |= TEST5;		/* bad auth */
263 		peer->badauth++;
264 		if (hismode == MODE_ACTIVE || hismode == MODE_PASSIVE)
265-			fast_xmit(rbufp, MODE_ACTIVE, 0, NULL);
266+			fast_xmit(rbufp, MODE_ACTIVE, 0, NULL, 0);
267 		if (peer->flags & FLAG_PREEMPT) {
268 			unpeer(peer);
269 			return;
270@@ -3159,7 +3183,8 @@
271 	struct recvbuf *rbufp,	/* receive packet pointer */
272 	int	xmode,		/* receive mode */
273 	keyid_t	xkeyid,		/* transmit key ID */
274-	char	*mask		/* kiss code */
275+	char	*mask,		/* kiss code */
276+	int     flags           /* Flags to indicate signing behaviour */
277 	)
278 {
279 	struct pkt xpkt;	/* transmit packet structure */
280@@ -3220,6 +3245,19 @@
281 		HTONL_FP(&rbufp->recv_time, &xpkt.rec);
282 	}
283 
284+	if (flags & FLAG_ADKEY) {
285+#ifdef HAVE_NTP_SIGND
286+		get_systime(&xmt_tx);
287+		if (mask == NULL) {
288+			HTONL_FP(&xmt_tx, &xpkt.xmt);
289+		}
290+		send_via_ntp_signd(rbufp, xmode, xkeyid, flags, &xpkt);
291+#endif
292+		/* If we don't have the support, drop the packet on the floor.  
293+		   An all zero sig is compleatly bogus anyway */
294+		return;
295+	}
296+
297 	/*
298 	 * If the received packet contains a MAC, the transmitted packet
299 	 * is authenticated and contains a MAC. If not, the transmitted
300@@ -3252,7 +3290,7 @@
301 	 * source-destination-key ID combination.
302 	 */
303 #ifdef OPENSSL
304-	if (xkeyid > NTP_MAXKEY) {
305+	if (!(flags & FLAG_ADKEY) && (xkeyid > NTP_MAXKEY)) {
306 		keyid_t cookie;
307 
308 		/*
309@@ -3284,8 +3322,10 @@
310 	if (mask == NULL) {
311 		HTONL_FP(&xmt_tx, &xpkt.xmt);
312 	}
313+
314 	authlen = authencrypt(xkeyid, (u_int32 *)&xpkt, sendlen);
315 	sendlen += authlen;
316+
317 #ifdef OPENSSL
318 	if (xkeyid > NTP_MAXKEY)
319 		authtrust(xkeyid, 0);
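Review bot: The zero-MAC test `memcmp(zero_key, (char *)pkt + authlen + 4, MAX_MAC_LEN - 4)` compares MAX_MAC_LEN - 4 bytes against a buffer declared as `static unsigned char zero_key[16];`, so the two sizes are only coincidentally equal and the memcmp reads past zero_key if MAX_MAC_LEN ever grows for a longer digest. Declare it as `static unsigned char zero_key[MAX_MAC_LEN - 4];` so the comparison length and the buffer stay tied together. This branch also sets is_authentic to AUTH_NONE while the reply is still signed under the key ID the unauthenticated request named; that is what MS-SNTP calls for, but a comment such as `/* key selection is client-controlled here; signd applies its own key policy */` would make the trust boundary explicit for the next reader. In fast_xmit the later `if (!(flags & FLAG_ADKEY) && (xkeyid > NTP_MAXKEY))` is redundant, because the FLAG_ADKEY block above it returns unconditionally (its `return;` sits outside the `#ifdef HAVE_NTP_SIGND`), so the original `if (xkeyid > NTP_MAXKEY)` can stay. The bodies of receive() and fast_xmit() start and end outside these hunks.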
320Only in ntp-samba/ntpd: ntp_signd.c
321Only in ntp-dev-4.2.5p125/ntpdc: nl.pl
322Only in ntp-samba/scripts: calc_tickadj
323Only in ntp-samba/scripts: checktime
324Only in ntp-samba/scripts: freq_adj
325Only in ntp-samba/scripts: html2man
326Only in ntp-samba/scripts: Makefile
327Only in ntp-samba/scripts: mkver
328Only in ntp-samba/scripts: ntpsweep
329Only in ntp-samba/scripts: ntptrace
330Only in ntp-samba/scripts: ntpver
331Only in ntp-samba/scripts: ntp-wait
332Only in ntp-samba/scripts: plot_summary
333Only in ntp-samba/scripts: summary
334Only in ntp-samba: stamp-h1
335--- /dev/null	2008-08-25 07:28:22.036002925 +1000
336+++ ntp-samba/ntpd/ntp_signd.c	2008-08-28 21:59:06.000000000 +1000
337@@ -0,0 +1,242 @@
338+/* Copyright 2008, Red Hat, Inc.
339+   Copyright 2008, Andrew Tridgell.
340+   Licenced under the same terms as NTP itself. 
341+ */
342+#ifdef HAVE_CONFIG_H
343+#include <config.h>
344+#endif
345+
346+#ifdef HAVE_NTP_SIGND
347+
348+#include "ntpd.h"
349+#include "ntp_io.h"
350+#include "ntp_stdlib.h"
351+#include "ntp_unixtime.h"
352+#include "ntp_control.h"
353+#include "ntp_string.h"
354+
355+#include <stdio.h>
356+#include <stddef.h>
357+#ifdef HAVE_LIBSCF_H
358+#include <libscf.h>
359+#include <unistd.h>
360+#endif /* HAVE_LIBSCF_H */
361+
362+#include <sys/un.h>
363+
364+/* socket routines by tridge - from junkcode.samba.org */
365+
366+/*
367+  connect to a unix domain socket
368+*/
369+static int 
370+ux_socket_connect(const char *name)
371+{
372+	int fd;
373+        struct sockaddr_un addr;
374+	if (!name) {
375+		return -1;
376+	}
377+
378+        memset(&addr, 0, sizeof(addr));
379+        addr.sun_family = AF_UNIX;
380+        strncpy(addr.sun_path, name, sizeof(addr.sun_path));
381+
382+	fd = socket(AF_UNIX, SOCK_STREAM, 0);
383+	if (fd == -1) {
384+		return -1;
385+	}
386+	
387+	if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) == -1) {
388+		close(fd);
389+		return -1;
390+	}
391+
392+	return fd;
393+}
394+
395+
396+/*
397+  keep writing until its all sent
398+*/
399+static int 
400+write_all(int fd, const void *buf, size_t len)
401+{
402+	size_t total = 0;
403+	while (len) {
404+		int n = write(fd, buf, len);
405+		if (n <= 0) return total;
406+		buf = n + (char *)buf;
407+		len -= n;
408+		total += n;
409+	}
410+	return total;
411+}
412+
413+/*
414+  keep reading until its all read
415+*/
416+static int 
417+read_all(int fd, void *buf, size_t len)
418+{
419+	size_t total = 0;
420+	while (len) {
421+		int n = read(fd, buf, len);
422+		if (n <= 0) return total;
423+		buf = n + (char *)buf;
424+		len -= n;
425+		total += n;
426+	}
427+	return total;
428+}
429+
430+/*
431+  send a packet in length prefix format
432+*/
433+static int 
434+send_packet(int fd, const char *buf, uint32_t len)
435+{
436+	uint32_t net_len = htonl(len);
437+	if (write_all(fd, &net_len, sizeof(net_len)) != sizeof(net_len)) return -1;
438+	if (write_all(fd, buf, len) != len) return -1;	
439+	return 0;
440+}
441+
442+/*
443+  receive a packet in length prefix format
444+*/
445+static int 
446+recv_packet(int fd, char **buf, uint32_t *len)
447+{
448+	if (read_all(fd, len, sizeof(*len)) != sizeof(*len)) return -1;
449+	*len = ntohl(*len);
450+	(*buf) = malloc(*len);
451+	if (!*buf) {
452+		return -1;
453+	}
454+	if (read_all(fd, *buf, *len) != *len) {
455+		free(*buf);
456+		return -1;
457+	}
458+	return 0;
459+}
460+
461+void 
462+send_via_ntp_signd(
463+	struct recvbuf *rbufp,	/* receive packet pointer */
464+	int	xmode,
465+	keyid_t	xkeyid, 
466+	int flags,
467+	struct pkt  *xpkt
468+	)
469+{
470+	
471+	/* We are here because it was detected that the client
472+	 * sent an all-zero signature, and we therefore know
473+	 * it's windows trying to talk to an AD server
474+	 *
475+	 * Because we don't want to dive into Samba's secrets
476+	 * database just to find the long-term kerberos key
477+	 * that is re-used as the NTP key, we instead hand the
478+	 * packet over to Samba to sign, and return to us.
479+	 *
480+	 * The signing method Samba will use is described by
481+	 * Microsoft in MS-SNTP, found here:
482+	 * http://msdn.microsoft.com/en-us/library/cc212930.aspx
483+	 */
484+	
485+	int fd, sendlen;
486+	struct samba_key_in {
487+		uint32_t version;
488+		uint32_t op;
489+		uint32_t packet_id;
490+		uint32_t key_id_le;
491+		struct pkt pkt;
492+	} samba_pkt;
493+	
494+	struct samba_key_out {
495+		uint32_t version;
496+		uint32_t op;
497+		uint32_t packet_id;
498+		struct pkt pkt;
499+	} samba_reply;
500+	
501+	char full_socket[256];
502+
503+	char *reply = NULL;
504+	uint32_t reply_len;
505+	
506+	memset(&samba_pkt, 0, sizeof(samba_pkt));
507+	samba_pkt.op = 0; /* Sign message */
508+	/* This will be echoed into the reply - a different
509+	 * impelementation might want multiple packets
510+	 * awaiting signing */
511+
512+	samba_pkt.packet_id = 1;
513+
514+	/* Swap the byte order back - it's actually little
515+	 * endian on the wire, but it was read above as
516+	 * network byte order */
517+	samba_pkt.key_id_le = htonl(xkeyid);
518+	samba_pkt.pkt = *xpkt;
519+
520+	snprintf(full_socket, sizeof(full_socket), "%s/socket", ntp_signd_socket);
521+
522+	fd = ux_socket_connect(full_socket);
523+	/* Only continue with this if we can talk to Samba */
524+	if (fd != -1) {
525+		/* Send old packet to Samba, expect response */
526+		/* Packet to Samba is quite simple: 
527+		   All values BIG endian except key ID as noted
528+		   [packet size as BE] - 4 bytes
529+		   [protocol version (0)] - 4 bytes
530+		   [packet ID] - 4 bytes
531+		   [operation (sign message=0)] - 4 bytes
532+		   [key id] - LITTLE endian (as on wire) - 4 bytes
533+		   [message to sign] - as marshalled, without signature
534+		*/
535+			
536+		if (send_packet(fd, (char *)&samba_pkt, offsetof(struct samba_key_in, pkt) + LEN_PKT_NOMAC) != 0) {
537+			/* Huh?  could not talk to Samba... */
538+			close(fd);
539+			return;
540+		}
541+			
542+		if (recv_packet(fd, &reply, &reply_len) != 0) {
543+			if (reply) {
544+				free(reply);
545+			}
546+			close(fd);
547+			return;
548+		}
549+		/* Return packet is also simple: 
550+		   [packet size] - network byte order - 4 bytes
551+		   [protocol version (0)] network byte order - - 4 bytes
552+		   [operation (signed success=3, failure=4)] network byte order - - 4 byte
553+		   (optional) [signed message] - as provided before, with signature appended
554+		*/
555+			
556+		if (reply_len <= sizeof(samba_reply)) {
557+			memcpy(&samba_reply, reply, reply_len);
558+			if (ntohl(samba_reply.op) == 3 && reply_len >  offsetof(struct samba_key_out, pkt)) {
559+				sendlen = reply_len - offsetof(struct samba_key_out, pkt);
560+				xpkt = &samba_reply.pkt;
561+				sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, 0, xpkt, sendlen);
562+#ifdef DEBUG
563+				if (debug)
564+					printf(
565+						"transmit ntp_signd packet: at %ld %s->%s mode %d keyid %08x len %d\n",
566+						current_time, ntoa(&rbufp->dstadr->sin),
567+						ntoa(&rbufp->recv_srcadr), xmode, xkeyid, sendlen);
568+#endif
569+			}
570+		}
571+		
572+		if (reply) {
573+			free(reply);
574+		}
575+		close(fd);
576+		
577+	}
578+}
579+#endif
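Review bot: recv_packet frees `*buf` when the body read falls short (the `free(*buf); return -1;` branch) but leaves the caller's `reply` pointing at the freed buffer, and send_via_ntp_signd then executes `if (reply) free(reply);` on that error path, a double free whenever the signd peer closes the connection mid-body. Change the branch to `free(*buf); *buf = NULL; return -1;` so the caller's cleanup stays a no-op. In ux_socket_connect, `strncpy(addr.sun_path, name, sizeof(addr.sun_path))` leaves sun_path unterminated when the configured path is at least sizeof(addr.sun_path) bytes long (full_socket is 256 bytes, larger than sun_path on common platforms), so a length check `if (strlen(name) >= sizeof(addr.sun_path)) return -1;` belongs before the copy. In send_via_ntp_signd, `ntohl(samba_reply.op)` is evaluated before the `reply_len > offsetof(struct samba_key_out, pkt)` test on a stack struct that is never zeroed, so a short reply reads uninitialized bytes; swap the two operands of the `&&` or memset samba_reply first. The `%s` in the snprintf also dereferences ntp_signd_socket, which per the ntp_config.c hunks stays NULL when neither NTP_SIGND_PATH nor the ntpsigndsocket directive sets it, so the function needs `if (ntp_signd_socket == NULL) return;` before building full_socket.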
580