TEST_F(authkeysTest, AddTrustedKeys) { const keyid_t KEYNO1 = 5; const keyid_t KEYNO2 = 8; AddTrustedKey(KEYNO1); AddTrustedKey(KEYNO2); EXPECT_TRUE(authistrusted(KEYNO1)); EXPECT_TRUE(authistrusted(KEYNO2)); }
void test_AddTrustedKeys(void) { const keyid_t KEYNO1 = 5; const keyid_t KEYNO2 = 8; AddTrustedKey(KEYNO1); AddTrustedKey(KEYNO2); TEST_ASSERT_TRUE(authistrusted(KEYNO1)); TEST_ASSERT_TRUE(authistrusted(KEYNO2)); }
TEST_F(authkeysTest, AddUntrustedKey) { const keyid_t KEYNO = 3; AddUntrustedKey(KEYNO); EXPECT_FALSE(authistrusted(KEYNO)); }
void test_AddUntrustedKey(void) { const keyid_t KEYNO = 3; AddUntrustedKey(KEYNO); TEST_ASSERT_FALSE(authistrusted(KEYNO)); }
/* * sendrequest - format and send a request packet * * Historically, ntpdc has used a fixed-size request packet regardless * of the actual payload size. When authenticating, the timestamp, key * ID, and digest have been placed just before the end of the packet. * With the introduction in late 2009 of support for authenticated * ntpdc requests using larger 20-octet digests (vs. 16 for MD5), we * come up four bytes short. * * To maintain interop while allowing for larger digests, the behavior * is unchanged when using 16-octet digests. For larger digests, the * timestamp, key ID, and digest are placed immediately following the * request payload, with the overall packet size variable. ntpd can * distinguish 16-octet digests by the overall request size being * REQ_LEN_NOMAC + 4 + 16 with the auth bit enabled. When using a * longer digest, that request size should be avoided. * * With the form used with 20-octet and larger digests, the timestamp, * key ID, and digest are located by ntpd relative to the start of the * packet, and the size of the digest is then implied by the packet * size. */ static int sendrequest( int implcode, int reqcode, int auth, u_int qitems, size_t qsize, char *qdata ) { struct req_pkt qpkt; size_t datasize; size_t reqsize; u_long key_id; l_fp ts; l_fp * ptstamp; int maclen; char * pass; memset(&qpkt, 0, sizeof(qpkt)); qpkt.rm_vn_mode = RM_VN_MODE(0, 0, 0); qpkt.implementation = (u_char)implcode; qpkt.request = (u_char)reqcode; datasize = qitems * qsize; if (datasize && qdata != NULL) { memcpy(qpkt.data, qdata, datasize); qpkt.err_nitems = ERR_NITEMS(0, qitems); qpkt.mbz_itemsize = MBZ_ITEMSIZE(qsize); } else { qpkt.err_nitems = ERR_NITEMS(0, 0); qpkt.mbz_itemsize = MBZ_ITEMSIZE(qsize); /* allow for optional first item */ } if (!auth || (keyid_entered && info_auth_keyid == 0)) { qpkt.auth_seq = AUTH_SEQ(0, 0); return sendpkt(&qpkt, req_pkt_size); } if (info_auth_keyid == 0) { key_id = getkeyid("Keyid: "); if (!key_id) { fprintf(stderr, "Invalid key identifier\n"); return 1; } info_auth_keyid = key_id; } if (!authistrusted(info_auth_keyid)) { pass = getpass_keytype(info_auth_keytype); if ('\0' == pass[0]) { fprintf(stderr, "Invalid password\n"); return 1; } authusekey(info_auth_keyid, info_auth_keytype, (u_char *)pass); authtrust(info_auth_keyid, 1); } qpkt.auth_seq = AUTH_SEQ(1, 0); if (info_auth_hashlen > 16) { /* * Only ntpd which expects REQ_LEN_NOMAC plus maclen * octets in an authenticated request using a 16 octet * digest (that is, a newer ntpd) will handle digests * larger than 16 octets, so for longer digests, do * not attempt to shorten the requests for downlevel * ntpd compatibility. */ if (REQ_LEN_NOMAC != req_pkt_size) return 1; reqsize = REQ_LEN_HDR + datasize + sizeof(*ptstamp); /* align to 32 bits */ reqsize = (reqsize + 3) & ~3; } else reqsize = req_pkt_size; ptstamp = (void *)((char *)&qpkt + reqsize); ptstamp--; get_systime(&ts); L_ADD(&ts, &delay_time); HTONL_FP(&ts, ptstamp); maclen = authencrypt(info_auth_keyid, (void *)&qpkt, reqsize); if (!maclen) { fprintf(stderr, "Key not found\n"); return 1; } else if (maclen != (info_auth_hashlen + sizeof(keyid_t))) { fprintf(stderr, "%d octet MAC, %lu expected with %lu octet digest\n", maclen, (u_long)(info_auth_hashlen + sizeof(keyid_t)), (u_long)info_auth_hashlen); return 1; } return sendpkt(&qpkt, reqsize + maclen); }
void ntp_intres(void) { FILE *in; #ifdef SYS_WINNT DWORD rc; #else int rc; struct timeval tv; fd_set fdset; int time_left; #endif #ifdef DEBUG if (debug > 1) { msyslog(LOG_INFO, "NTP_INTRES running"); } #endif /* check out auth stuff */ if (sys_authenticate) { if (!authistrusted(req_keyid)) { msyslog(LOG_ERR, "invalid request keyid %08x", req_keyid ); resolver_exit(1); } } /* * Read the configuration info * {this is bogus, since we are forked, but it is easier * to keep this code - gdt} */ if ((in = fopen(req_file, "r")) == NULL) { msyslog(LOG_ERR, "can't open configuration file %s: %m", req_file); resolver_exit(1); } readconf(in, req_file); (void) fclose(in); #ifdef DEBUG if (!debug) #endif if (unlink(req_file)) msyslog(LOG_WARNING, "unable to remove intres request file %s, %m", req_file); /* * Set up the timers to do first shot immediately. */ resolve_timer = 0; resolve_value = MINRESOLVE; config_timer = CONFIG_TIME; for (;;) { checkparent(); if (resolve_timer == 0) { /* * Sleep a little to make sure the network is completely up */ sleep(SLEEPTIME); doconfigure(1); /* prepare retry, in case there's more work to do */ resolve_timer = resolve_value; #ifdef DEBUG if (debug > 2) msyslog(LOG_INFO, "resolve_timer: 0->%d", resolve_timer); #endif if (resolve_value < MAXRESOLVE) resolve_value <<= 1; config_timer = CONFIG_TIME; } else if (config_timer == 0) { /* MB: in which case would this be required ? */ doconfigure(0); /* MB: should we check now if we could exit, similar to the code above? */ config_timer = CONFIG_TIME; #ifdef DEBUG if (debug > 2) msyslog(LOG_INFO, "config_timer: 0->%d", config_timer); #endif } if (confentries == NULL) resolver_exit(0); /* done */ #ifdef SYS_WINNT rc = WaitForSingleObject(ResolverEventHandle, 1000 * ALARM_TIME); /* in milliseconds */ if ( rc == WAIT_OBJECT_0 ) { /* signaled by the main thread */ resolve_timer = 0; /* retry resolving immediately */ continue; } if ( rc != WAIT_TIMEOUT ) /* not timeout: error */ resolver_exit(1); #else /* not SYS_WINNT */ /* Bug 1386: fork() in NetBSD leaves timers running. */ /* So we need to retry select on EINTR */ time_left = ALARM_TIME; while (time_left > 0) { tv.tv_sec = time_left; tv.tv_usec = 0; FD_ZERO(&fdset); FD_SET(resolver_pipe_fd[0], &fdset); rc = select(resolver_pipe_fd[0] + 1, &fdset, (fd_set *)0, (fd_set *)0, &tv); if (rc == 0) /* normal timeout */ break; if (rc > 0) { /* parent process has written to the pipe */ read(resolver_pipe_fd[0], (char *)&rc, sizeof(rc)); /* make pipe empty */ resolve_timer = 0; /* retry resolving immediately */ break; } if ( rc < 0 ) { /* select() returned error */ if (errno == EINTR) { /* Timer went off */ time_left -= (1<<EVENT_TIMEOUT); continue; /* try again */ } msyslog(LOG_ERR, "ntp_intres: Error from select: %s", strerror(errno)); resolver_exit(1); } } #endif /* normal timeout, keep on waiting */ if (config_timer > 0) config_timer--; if (resolve_timer > 0) resolve_timer--; } }