s4:ntp_signd Fix bug 6656 - Set protocol version to 0, as used by ntpd
authorAndrew Bartlett <abartlet@samba.org>
Sat, 22 Aug 2009 01:09:30 +0000 (11:09 +1000)
committerAndrew Bartlett <abartlet@samba.org>
Sat, 22 Aug 2009 01:14:22 +0000 (11:14 +1000)
The change to protocol version 1 was not intentional, and broke the
protocol established with the ntp.org project.

Andrew Bartlett

source4/librpc/idl/ntp_signd.idl
source4/ntp_signd/ntp_signd.c
source4/torture/ntp/ntp_signd.c

index 2b2fbc76629c55824f6483551665ca86281960c7..b78420569854b47e4f5c7511d6c7d8c7f27a844b 100644 (file)
@@ -12,6 +12,8 @@
 interface ntp_signd
 {
 
+       const int NTP_SIGND_PROTOCOL_VERSION_0 = 0;
+
        typedef [v1_enum] enum {
                SIGN_TO_CLIENT = 0,
                ASK_SERVER_TO_SIGN = 1,
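Review bot: The new `NTP_SIGND_PROTOCOL_VERSION_0` constant has no comment, although the commit message says the value is a wire contract with ntpd that was already broken once by accident. I would put a comment directly above it, for example `/* Wire version shared with ntp.org's ntpd; changing it breaks interoperability (bug 6656) */`. That keeps the constraint visible to whoever next edits this IDL.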
@@ -21,7 +23,7 @@ interface ntp_signd
        } ntp_signd_op;
 
        typedef [flag(NDR_BIG_ENDIAN),public] struct {
-               uint32 version;
+               [value(NTP_SIGND_PROTOCOL_VERSION_0)] uint32 version;
                ntp_signd_op op;
                uint16 packet_id;
                [flag(NDR_LITTLE_ENDIAN)] uint32 key_id;
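Review bot: `[value(NTP_SIGND_PROTOCOL_VERSION_0)]` on `version` in `sign_request` (and on `samba_key_out` in the next hunk) fixes the field only when the structure is pushed; as far as I know, pidl's generated pull code still stores whatever the peer sent. Every consumer therefore has to keep comparing the received `version` itself, as `ntp_signd_recv` does in this commit. A short comment on the field would record that, e.g. `/* set on push only; receivers must still check version */`. The struct body continues past the end of this hunk.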
@@ -30,7 +32,7 @@ interface ntp_signd
        } sign_request;
 
        typedef [flag(NDR_BIG_ENDIAN),public] struct samba_key_out {
-               uint32 version;
+               [value(NTP_SIGND_PROTOCOL_VERSION_0)] uint32 version;
                ntp_signd_op op;
                uint32 packet_id;
                [flag(NDR_REMAINING)]   DATA_BLOB signed_packet;
index 6c6416dea02712ca7a1a7e003d26659889f2b6af..8ea7fe4ff969530d72fcb1f8eeba7030245c92ad 100644 (file)
@@ -74,7 +74,6 @@ static NTSTATUS signing_failure(struct ntp_signd_connection *ntp_signdconn,
 
        NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
 
-       signed_reply.version = 1;
        signed_reply.op = SIGNING_FAILURE;
        signed_reply.packet_id = packet_id;
        signed_reply.signed_packet = data_blob(NULL, 0);
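Review bot: With `signed_reply.version = 1;` removed, nothing in this hunk writes `signed_reply.version`, so unless the declaration (outside the hunk) zeroes the struct, the field is indeterminate in memory. The `[value()]` attribute in the IDL should keep that off the wire, but an NDR debug print or any later read of the struct would see stack garbage. I would add `ZERO_STRUCT(signed_reply);` before the assignments. The same applies to `signed_reply` in the later `ntp_signd_recv` hunk (`@@ -214,7 +213,6 @@`) and to `sign_req` in the torture test.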
@@ -155,7 +154,7 @@ static NTSTATUS ntp_signd_recv(void *private_data, DATA_BLOB wrapped_input)
 
        /* We need to implement 'check signature' and 'request server
         * to sign' operations at some point */
-       if (sign_request.version != 1) {
+       if (sign_request.version != NTP_SIGND_PROTOCOL_VERSION_0) {
                talloc_free(tmp_ctx);
                return signing_failure(ntp_signdconn, sign_request.packet_id);
        }
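Review bot: A request with an unexpected `sign_request.version` is answered with `signing_failure` and nothing is logged, so a version mismatch with ntpd, the very regression this commit fixes, stays invisible on the Samba side. I would log it before returning, e.g. `DEBUG(1, ("ntp_signd: unsupported protocol version %u\n", (unsigned)sign_request.version));`. The comment above the check describes unimplemented operations rather than the version test, so it could be reworded or moved. `ntp_signd_recv` starts and ends outside this hunk.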
@@ -214,7 +213,6 @@ static NTSTATUS ntp_signd_recv(void *private_data, DATA_BLOB wrapped_input)
        }
 
        /* Generate the reply packet */
-       signed_reply.version = 1;
        signed_reply.packet_id = sign_request.packet_id;
        signed_reply.op = SIGNING_SUCCESS;
        signed_reply.signed_packet = data_blob_talloc(tmp_ctx, 
index e82276a08627c24fd8929c4532e4949d3df21332..1b3c59543e5ddeb4bb4696322a9bb1693cf3de9e 100644 (file)
@@ -154,7 +154,6 @@ static bool test_ntp_signd(struct torture_context *tctx,
        torture_assert_ntstatus_ok(tctx, status, "ServerAuthenticate3");
        torture_assert(tctx, netlogon_creds_client_check(creds, &credentials3), "Credential chaining failed");
 
-       sign_req.version = 1;
        sign_req.op = SIGN_TO_CLIENT;
        sign_req.packet_id = 1;
        sign_req.key_id = rid;
@@ -225,7 +224,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
        torture_assert(tctx, NDR_ERR_CODE_IS_SUCCESS(ndr_err), ndr_map_error2string(ndr_err));
 
        torture_assert_u64_equal(tctx, signed_reply.version, 
-                                sign_req.version, "Invalid Version");
+                                NTP_SIGND_PROTOCOL_VERSION_0, "Invalid Version");
        torture_assert_u64_equal(tctx, signed_reply.packet_id, 
                                 sign_req.packet_id, "Invalid Packet ID");
        torture_assert_u64_equal(tctx, signed_reply.op,