1 files changed, 669 insertions, 0 deletions
diff --git a/ntpd/ntp_restrict.c b/ntpd/ntp_restrict.c
new file mode 100644
index 0000000..6e75667
--- /dev/null
+++ b/ntpd/ntp_restrict.c
@@ -0,0 +1,669 @@
+/*
+ * ntp_restrict.c - determine host restrictions
+ */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <stdio.h>
+#include <sys/types.h>
+
+#include "ntpd.h"
+#include "ntp_if.h"
+#include "ntp_lists.h"
+#include "ntp_stdlib.h"
+#include "ntp_assert.h"
+
+/*
+ * This code keeps a simple address-and-mask list of hosts we want
+ * to place restrictions on (or remove them from). The restrictions
+ * are implemented as a set of flags which tell you what the host
+ * can't do. There is a subroutine entry to return the flags. The
+ * list is kept sorted to reduce the average number of comparisons
+ * and make sure you get the set of restrictions most specific to
+ * the address.
+ *
+ * The algorithm is that, when looking up a host, it is first assumed
+ * that the default set of restrictions will apply. It then searches
+ * down through the list. Whenever it finds a match it adopts the
+ * match's flags instead. When you hit the point where the sorted
+ * address is greater than the target, you return with the last set of
+ * flags you found. Because of the ordering of the list, the most
+ * specific match will provide the final set of flags.
+ *
+ * This was originally intended to restrict you from sync'ing to your
+ * own broadcasts when you are doing that, by restricting yourself from
+ * your own interfaces. It was also thought it would sometimes be useful
+ * to keep a misbehaving host or two from abusing your primary clock. It
+ * has been expanded, however, to suit the needs of those with more
+ * restrictive access policies.
+ */
+/*
+ * We will use two lists, one for IPv4 addresses and one for IPv6
+ * addresses. This is not protocol-independant but for now I can't
+ * find a way to respect this. We'll check this later... JFB 07/2001
+ */
+#define MASK_IPV6_ADDR(dst, src, msk)					\
+	do {								\
+		int idx;						\
+		for (idx = 0; idx < COUNTOF((dst)->s6_addr); idx++) {	\
+			(dst)->s6_addr[idx] = (src)->s6_addr[idx]	\
+					      & (msk)->s6_addr[idx];	\
+		}							\
+	} while (0)
+
+/*
+ * We allocate INC_RESLIST{4|6} entries to the free list whenever empty.
+ * Auto-tune these to be just less than 1KB (leaving at least 16 bytes
+ * for allocator overhead).
+ */
+#define	INC_RESLIST4	((1024 - 16) / V4_SIZEOF_RESTRICT_U)
+#define	INC_RESLIST6	((1024 - 16) / V6_SIZEOF_RESTRICT_U)
+
+/*
+ * The restriction list
+ */
+restrict_u *restrictlist4;
+restrict_u *restrictlist6;
+static int restrictcount;	/* count in the restrict lists */
+
+/*
+ * The free list and associated counters.  Also some uninteresting
+ * stat counters.
+ */
+static restrict_u *resfree4;	/* available entries (free list) */
+static restrict_u *resfree6;
+
+static u_long res_calls;
+static u_long res_found;
+static u_long res_not_found;
+
+/*
+ * Count number of restriction entries referring to RES_LIMITED, to
+ * control implicit activation/deactivation of the MRU monlist.
+ */
+static	u_long res_limited_refcnt;
+
+/*
+ * Our default entries.
+ */
+static	restrict_u	restrict_def4;
+static	restrict_u	restrict_def6;
+
+/*
+ * "restrict source ..." enabled knob and restriction bits.
+ */
+static	int		restrict_source_enabled;
+static	u_short		restrict_source_flags;
+static	u_short		restrict_source_mflags;
+
+/*
+ * private functions
+ */
+static restrict_u *	alloc_res4(void);
+static restrict_u *	alloc_res6(void);
+static void		free_res(restrict_u *, int);
+static void		inc_res_limited(void);
+static void		dec_res_limited(void);
+static restrict_u *	match_restrict4_addr(u_int32, u_short);
+static restrict_u *	match_restrict6_addr(const struct in6_addr *,
+					     u_short);
+static restrict_u *	match_restrict_entry(const restrict_u *, int);
+static int		res_sorts_before4(restrict_u *, restrict_u *);
+static int		res_sorts_before6(restrict_u *, restrict_u *);
+
+
+/*
+ * init_restrict - initialize the restriction data structures
+ */
+void
+init_restrict(void)
+{
+	/*
+	 * The restriction lists begin with a default entry with address
+	 * and mask 0, which will match any entry.  The lists are kept
+	 * sorted by descending address followed by descending mask:
+	 *
+	 *   address	  mask
+	 * 192.168.0.0	255.255.255.0	kod limited noquery nopeer
+	 * 192.168.0.0	255.255.0.0	kod limited
+	 * 0.0.0.0	0.0.0.0		kod limited noquery
+	 *
+	 * The first entry which matches an address is used.  With the
+	 * example restrictions above, 192.168.0.0/24 matches the first
+	 * entry, the rest of 192.168.0.0/16 matches the second, and
+	 * everything else matches the third (default).
+	 *
+	 * Note this achieves the same result a little more efficiently
+	 * than the documented behavior, which is to keep the lists
+	 * sorted by ascending address followed by ascending mask, with
+	 * the _last_ matching entry used.
+	 *
+	 * An additional wrinkle is we may have multiple entries with
+	 * the same address and mask but differing match flags (mflags).
+	 * At present there is only one, RESM_NTPONLY.  Entries with
+	 * RESM_NTPONLY are sorted earlier so they take precedence over
+	 * any otherwise similar entry without.  Again, this is the same
+	 * behavior as but reversed implementation compared to the docs.
+	 * 
+	 */
+	LINK_SLIST(restrictlist4, &restrict_def4, link);
+	LINK_SLIST(restrictlist6, &restrict_def6, link);
+	restrictcount = 2;
+}
+
+
+static restrict_u *
+alloc_res4(void)
+{
+	const size_t	cb = V4_SIZEOF_RESTRICT_U;
+	const size_t	count = INC_RESLIST4;
+	restrict_u *	rl;
+	restrict_u *	res;
+	int		i;
+
+	UNLINK_HEAD_SLIST(res, resfree4, link);
+	if (res != NULL)
+		return res;
+
+	rl = emalloc_zero(count * cb);
+	/* link all but the first onto free list */
+	res = (void *)((char *)rl + (count - 1) * cb);
+	for (i = count - 1; i > 0; i--) {
+		LINK_SLIST(resfree4, res, link);
+		res = (void *)((char *)res - cb);
+	}
+	NTP_INSIST(rl == res);
+	/* allocate the first */
+	return res;
+}
+
+
+static restrict_u *
+alloc_res6(void)
+{
+	const size_t	cb = V6_SIZEOF_RESTRICT_U;
+	const size_t	count = INC_RESLIST6;
+	restrict_u *	rl;
+	restrict_u *	res;
+	int		i;
+
+	UNLINK_HEAD_SLIST(res, resfree6, link);
+	if (res != NULL)
+		return res;
+
+	rl = emalloc_zero(count * cb);
+	/* link all but the first onto free list */
+	res = (void *)((char *)rl + (count - 1) * cb);
+	for (i = count - 1; i > 0; i--) {
+		LINK_SLIST(resfree6, res, link);
+		res = (void *)((char *)res - cb);
+	}
+	NTP_INSIST(rl == res);
+	/* allocate the first */
+	return res;
+}
+
+
+static void
+free_res(
+	restrict_u *	res,
+	int		v6
+	)
+{
+	restrict_u **	plisthead;
+	restrict_u *	unlinked;
+
+	restrictcount--;
+	if (RES_LIMITED & res->flags)
+		dec_res_limited();
+
+	if (v6)
+		plisthead = &restrictlist6;
+	else
+		plisthead = &restrictlist4;
+	UNLINK_SLIST(unlinked, *plisthead, res, link, restrict_u);
+	NTP_INSIST(unlinked == res);
+
+	if (v6) {
+		zero_mem(res, V6_SIZEOF_RESTRICT_U);
+		plisthead = &resfree6;
+	} else {
+		zero_mem(res, V4_SIZEOF_RESTRICT_U);
+		plisthead = &resfree4;
+	}
+	LINK_SLIST(*plisthead, res, link);
+}
+
+
+static void
+inc_res_limited(void)
+{
+	if (!res_limited_refcnt)
+		mon_start(MON_RES);
+	res_limited_refcnt++;
+}
+
+
+static void
+dec_res_limited(void)
+{
+	res_limited_refcnt--;
+	if (!res_limited_refcnt)
+		mon_stop(MON_RES);
+}
+
+
+static restrict_u *
+match_restrict4_addr(
+	u_int32	addr,
+	u_short	port
+	)
+{
+	const int	v6 = 0;
+	restrict_u *	res;
+	restrict_u *	next;
+
+	for (res = restrictlist4; res != NULL; res = next) {
+		next = res->link;
+		if (res->expire &&
+		    res->expire <= current_time)
+			free_res(res, v6);
+		if (res->u.v4.addr == (addr & res->u.v4.mask)
+		    && (!(RESM_NTPONLY & res->mflags)
+			|| NTP_PORT == port))
+			break;
+	}
+	return res;
+}
+
+
+static restrict_u *
+match_restrict6_addr(
+	const struct in6_addr *	addr,
+	u_short			port
+	)
+{
+	const int	v6 = 1;
+	restrict_u *	res;
+	restrict_u *	next;
+	struct in6_addr	masked;
+
+	for (res = restrictlist6; res != NULL; res = next) {
+		next = res->link;
+		NTP_INSIST(next != res);
+		if (res->expire &&
+		    res->expire <= current_time)
+			free_res(res, v6);
+		MASK_IPV6_ADDR(&masked, addr, &res->u.v6.mask);
+		if (ADDR6_EQ(&masked, &res->u.v6.addr)
+		    && (!(RESM_NTPONLY & res->mflags)
+			|| NTP_PORT == port))
+			break;
+	}
+	return res;
+}
+
+
+/*
+ * match_restrict_entry - find an exact match on a restrict list.
+ *
+ * Exact match is addr, mask, and mflags all equal.
+ * In order to use more common code for IPv4 and IPv6, this routine
+ * requires the caller to populate a restrict_u with mflags and either
+ * the v4 or v6 address and mask as appropriate.  Other fields in the
+ * input restrict_u are ignored.
+ */
+static restrict_u *
+match_restrict_entry(
+	const restrict_u *	pmatch,
+	int			v6
+	)
+{
+	restrict_u *res;
+	restrict_u *rlist;
+	size_t cb;
+
+	if (v6) {
+		rlist = restrictlist6;
+		cb = sizeof(pmatch->u.v6);
+	} else {
+		rlist = restrictlist4;
+		cb = sizeof(pmatch->u.v4);
+	}
+
+	for (res = rlist; res != NULL; res = res->link)
+		if (res->mflags == pmatch->mflags &&
+		    !memcmp(&res->u, &pmatch->u, cb))
+			break;
+	return res;
+}
+
+
+/*
+ * res_sorts_before4 - compare two restrict4 entries
+ *
+ * Returns nonzero if r1 sorts before r2.  We sort by descending
+ * address, then descending mask, then descending mflags, so sorting
+ * before means having a higher value.
+ */
+static int
+res_sorts_before4(
+	restrict_u *r1,
+	restrict_u *r2
+	)
+{
+	int r1_before_r2;
+
+	if (r1->u.v4.addr > r2->u.v4.addr)
+		r1_before_r2 = 1;
+	else if (r1->u.v4.addr < r2->u.v4.addr)
+		r1_before_r2 = 0;
+	else if (r1->u.v4.mask > r2->u.v4.mask)
+		r1_before_r2 = 1;
+	else if (r1->u.v4.mask < r2->u.v4.mask)
+		r1_before_r2 = 0;
+	else if (r1->mflags > r2->mflags)
+		r1_before_r2 = 1;
+	else
+		r1_before_r2 = 0;
+
+	return r1_before_r2;
+}
+
+
+/*
+ * res_sorts_before6 - compare two restrict6 entries
+ *
+ * Returns nonzero if r1 sorts before r2.  We sort by descending
+ * address, then descending mask, then descending mflags, so sorting
+ * before means having a higher value.
+ */
+static int
+res_sorts_before6(
+	restrict_u *r1,
+	restrict_u *r2
+	)
+{
+	int r1_before_r2;
+	int cmp;
+
+	cmp = ADDR6_CMP(&r1->u.v6.addr, &r2->u.v6.addr);
+	if (cmp > 0)		/* r1->addr > r2->addr */
+		r1_before_r2 = 1;
+	else if (cmp < 0)	/* r2->addr > r1->addr */
+		r1_before_r2 = 0;
+	else {
+		cmp = ADDR6_CMP(&r1->u.v6.mask, &r2->u.v6.mask);
+		if (cmp > 0)		/* r1->mask > r2->mask*/
+			r1_before_r2 = 1;
+		else if (cmp < 0)	/* r2->mask > r1->mask */
+			r1_before_r2 = 0;
+		else if (r1->mflags > r2->mflags)
+			r1_before_r2 = 1;
+		else
+			r1_before_r2 = 0;
+	}
+
+	return r1_before_r2;
+}
+
+
+/*
+ * restrictions - return restrictions for this host
+ */
+u_short
+restrictions(
+	sockaddr_u *srcadr
+	)
+{
+	restrict_u *match;
+	struct in6_addr *pin6;
+	u_short flags;
+
+	res_calls++;
+	flags = 0;
+	/* IPv4 source address */
+	if (IS_IPV4(srcadr)) {
+		/*
+		 * Ignore any packets with a multicast source address
+		 * (this should be done early in the receive process,
+		 * not later!)
+		 */
+		if (IN_CLASSD(SRCADR(srcadr)))
+			return (int)RES_IGNORE;
+
+		match = match_restrict4_addr(SRCADR(srcadr),
+					     SRCPORT(srcadr));
+		match->count++;
+		/*
+		 * res_not_found counts only use of the final default
+		 * entry, not any "restrict default ntpport ...", which
+		 * would be just before the final default.
+		 */
+		if (&restrict_def4 == match)
+			res_not_found++;
+		else
+			res_found++;
+		flags = match->flags;
+	}
+
+	/* IPv6 source address */
+	if (IS_IPV6(srcadr)) {
+		pin6 = PSOCK_ADDR6(srcadr);
+
+		/*
+		 * Ignore any packets with a multicast source address
+		 * (this should be done early in the receive process,
+		 * not later!)
+		 */
+		if (IN6_IS_ADDR_MULTICAST(pin6))
+			return (int)RES_IGNORE;
+
+		match = match_restrict6_addr(pin6, SRCPORT(srcadr));
+		match->count++;
+		if (&restrict_def6 == match)
+			res_not_found++;
+		else
+			res_found++;
+		flags = match->flags;
+	}
+	return (flags);
+}
+
+
+/*
+ * hack_restrict - add/subtract/manipulate entries on the restrict list
+ */
+void
+hack_restrict(
+	int		op,
+	sockaddr_u *	resaddr,
+	sockaddr_u *	resmask,
+	u_short		mflags,
+	u_short		flags,
+	u_long		expire
+	)
+{
+	int		v6;
+	restrict_u	match;
+	restrict_u *	res;
+	restrict_u **	plisthead;
+
+	DPRINTF(1, ("restrict: op %d addr %s mask %s mflags %08x flags %08x\n",
+		    op, stoa(resaddr), stoa(resmask), mflags, flags));
+
+	if (NULL == resaddr) {
+		NTP_REQUIRE(NULL == resmask);
+		NTP_REQUIRE(RESTRICT_FLAGS == op);
+		restrict_source_flags = flags;
+		restrict_source_mflags = mflags;
+		restrict_source_enabled = 1;
+		return;
+	}
+
+	ZERO(match);
+	/* silence VC9 potentially uninit warnings */
+	res = NULL;
+	v6 = 0;
+
+	if (IS_IPV4(resaddr)) {
+		v6 = 0;
+		/*
+		 * Get address and mask in host byte order for easy
+		 * comparison as u_int32
+		 */
+		match.u.v4.addr = SRCADR(resaddr);
+		match.u.v4.mask = SRCADR(resmask);
+		match.u.v4.addr &= match.u.v4.mask;
+
+	} else if (IS_IPV6(resaddr)) {
+		v6 = 1;
+		/*
+		 * Get address and mask in network byte order for easy
+		 * comparison as byte sequences (e.g. memcmp())
+		 */
+		match.u.v6.mask = SOCK_ADDR6(resmask);
+		MASK_IPV6_ADDR(&match.u.v6.addr, PSOCK_ADDR6(resaddr),
+			       &match.u.v6.mask);
+
+	} else	/* not IPv4 nor IPv6 */
+		NTP_REQUIRE(0);
+
+	match.flags = flags;
+	match.mflags = mflags;
+	match.expire = expire;
+	res = match_restrict_entry(&match, v6);
+
+	switch (op) {
+
+	case RESTRICT_FLAGS:
+		/*
+		 * Here we add bits to the flags. If this is a
+		 * new restriction add it.
+		 */
+		if (NULL == res) {
+			if (v6) {
+				res = alloc_res6();
+				memcpy(res, &match,
+				       V6_SIZEOF_RESTRICT_U);
+				plisthead = &restrictlist6;
+			} else {
+				res = alloc_res4();
+				memcpy(res, &match,
+				       V4_SIZEOF_RESTRICT_U);
+				plisthead = &restrictlist4;
+			}
+			LINK_SORT_SLIST(
+				*plisthead, res,
+				(v6)
+				  ? res_sorts_before6(res, L_S_S_CUR())
+				  : res_sorts_before4(res, L_S_S_CUR()),
+				link, restrict_u);
+			restrictcount++;
+			if (RES_LIMITED & flags)
+				inc_res_limited();
+		} else {
+			if ((RES_LIMITED & flags) &&
+			    !(RES_LIMITED & res->flags))
+				inc_res_limited();
+			res->flags |= flags;
+		}
+		break;
+
+	case RESTRICT_UNFLAG:
+		/*
+		 * Remove some bits from the flags. If we didn't
+		 * find this one, just return.
+		 */
+		if (res != NULL) {
+			if ((RES_LIMITED & res->flags)
+			    && (RES_LIMITED & flags))
+				dec_res_limited();
+			res->flags &= ~flags;
+		}
+		break;
+
+	case RESTRICT_REMOVE:
+	case RESTRICT_REMOVEIF:
+		/*
+		 * Remove an entry from the table entirely if we
+		 * found one. Don't remove the default entry and
+		 * don't remove an interface entry.
+		 */
+		if (res != NULL
+		    && (RESTRICT_REMOVEIF == op
+			|| !(RESM_INTERFACE & res->mflags))
+		    && res != &restrict_def4
+		    && res != &restrict_def6)
+			free_res(res, v6);
+		break;
+
+	default:	/* unknown op */
+		NTP_INSIST(0);
+		break;
+	}
+
+}
+
+
+/*
+ * restrict_source - maintains dynamic "restrict source ..." entries as
+ *		     peers come and go.
+ */
+void
+restrict_source(
+	sockaddr_u *	addr,
+	int		farewell,	/* 0 to add, 1 to remove */
+	u_long		expire		/* 0 is infinite, valid until */
+	)
+{
+	sockaddr_u	onesmask;
+	restrict_u *	res;
+	int		found_specific;
+
+	if (!restrict_source_enabled || SOCK_UNSPEC(addr) ||
+	    IS_MCAST(addr) || ISREFCLOCKADR(addr))
+		return;
+
+	NTP_REQUIRE(AF_INET == AF(addr) || AF_INET6 == AF(addr));
+
+	SET_HOSTMASK(&onesmask, AF(addr));
+	if (farewell) {
+		hack_restrict(RESTRICT_REMOVE, addr, &onesmask,
+			      0, 0, 0);
+		DPRINTF(1, ("restrict_source: %s removed", stoa(addr)));
+		return;
+	}
+
+	/*
+	 * If there is a specific entry for this address, hands
+	 * off, as it is condidered more specific than "restrict
+	 * server ...".
+	 * However, if the specific entry found is a fleeting one
+	 * added by pool_xmit() before soliciting, replace it
+	 * immediately regardless of the expire value to make way
+	 * for the more persistent entry.
+	 */
+	if (IS_IPV4(addr)) {
+		res = match_restrict4_addr(SRCADR(addr), SRCPORT(addr));
+		found_specific = (SRCADR(&onesmask) == res->u.v4.mask);
+	} else {
+		res = match_restrict6_addr(&SOCK_ADDR6(addr),
+					   SRCPORT(addr));
+		found_specific = ADDR6_EQ(&res->u.v6.mask,
+					  &SOCK_ADDR6(&onesmask));
+	}
+	if (!expire && found_specific && res->expire) {
+		found_specific = 0;
+		free_res(res, IS_IPV6(addr));
+	}
+	if (found_specific)
+		return;
+
+	hack_restrict(RESTRICT_FLAGS, addr, &onesmask,
+		      restrict_source_mflags, restrict_source_flags,
+		      expire);
+	DPRINTF(1, ("restrict_source: %s host restriction added\n", 
+		    stoa(addr)));
+}