Index: /branches/rel_avx_2_7_3/avx_cli.spec =================================================================== --- /branches/rel_avx_2_7_3/avx_cli.spec (revision 8915) +++ /branches/rel_avx_2_7_3/avx_cli.spec (working copy) @@ -321,6 +321,8 @@ install -Dm 0644 lib/chrony/chronyd.service %{buildroot}/usr/lib/systemd/system/ install -Dm 0644 lib/chrony/chrony.conf %{buildroot}/ca/conf/ install -Dm 0644 lib/chrony/chrony.conf %{buildroot}/ca/conf/chrony.conf.default +install -Dm 0644 lib/chrony/chrony.keys %{buildroot}/ca/conf/ +install -Dm 0644 lib/chrony/chrony.keys %{buildroot}/ca/conf/chrony.keys.default install -Dm 0755 lib/chrony/chrony-4.6/chronyc %{buildroot}/usr/local/bin install -Dm 0755 lib/chrony/chrony-4.6/chronyd %{buildroot}/usr/local/sbin install -Dm 0755 scripts/chrony_setup.py %{buildroot}/ca/bin/ @@ -520,6 +522,8 @@ %attr (644,root,root)/usr/lib/systemd/system/chronyd.service %attr (644,root,root)/ca/conf/chrony.conf %attr (644,root,root)/ca/conf/chrony.conf.default +%attr (644,root,root)/ca/conf/chrony.keys +%attr (644,root,root)/ca/conf/chrony.keys.default %attr (755,root,root)/usr/local/bin/chronyc %attr (755,root,root)/usr/local/sbin/chronyd %attr (755,root,root)/ca/bin/chrony_setup.py Index: /branches/rel_avx_2_7_3/lib/chrony/chrony.conf =================================================================== --- /branches/rel_avx_2_7_3/lib/chrony/chrony.conf (revision 8915) +++ /branches/rel_avx_2_7_3/lib/chrony/chrony.conf (working copy) @@ -1,6 +1,6 @@ driftfile /var/lib/chrony/drift makestep 1.0 -1 rtcsync -keyfile /etc/chrony.keys +keyfile /ca/conf/chrony.keys leapsectz right/UTC logdir /var/log/chrony Index: /branches/rel_avx_2_7_3/scripts/chrony_setup.py =================================================================== --- /branches/rel_avx_2_7_3/scripts/chrony_setup.py (revision 8915) +++ /branches/rel_avx_2_7_3/scripts/chrony_setup.py (working copy) @@ -7,6 +7,8 @@ CHRONY_ENV["LD_LIBRARY_PATH"] = "/usr/local/lib:/usr/local/lib64" CHRONY_CONFIG_FILE = "/ca/conf/chrony.conf" CHRONY_CONFIG_FILE_DEFAULT = "/ca/conf/chrony.conf.default" +CHRONY_KEYS_FILE = "/ca/conf/chrony.keys" +CHRONY_KEYS_FILE_DEFAULT = "/ca/conf/chrony.keys.default" def start_chrony(): """Start the chronyd service.""" @@ -56,7 +58,29 @@ else: print("Chrony daemon is not running.\n") print_server_from_conf() - + +def show_chrony_authentication_keys(): + """Show chrony authentication keys""" + header = "{:<10} {:<32}".format('key ID', 'MD5 String') + separator = "{:<10} {:<32}".format('-' * 10, '-' * 32) + keys = [] + + with open(CHRONY_KEYS_FILE, 'r') as file: + for line in file: + line = line.strip() + if not line or line.startswith("#"): + continue + parts = line.split() + key_id = int(parts[0]) + md5_string = parts[2] + keys.append((key_id, md5_string)) + + keys.sort(key=lambda x: x[0]) + + print(header) + print(separator) + for key in keys: + print("{:<10} {:<32}".format(key[0], key[1])) def add_server(server): """Add or update a server/pool entry in the chrony configuration and dynamically using chronyc.""" @@ -103,18 +127,73 @@ """Reset chrony configure file to default""" try: shutil.copy(CHRONY_CONFIG_FILE_DEFAULT, CHRONY_CONFIG_FILE) + shutil.copy(CHRONY_KEYS_FILE_DEFAULT, CHRONY_KEYS_FILE) print("Configuration file restored to default.") except IOError as e: print("Failed to restore configuration file: {}".format(e)) +def add_key(key_cfg): + """Add or update a key entry in the chrony keys file and dynamically using chronyc.""" + exists = False + key_id = key_cfg.split()[0] + key = key_cfg.split()[2] + with open(CHRONY_KEYS_FILE, "r") as f: + lines = f.readlines() + + # Update or add the key entry in the keys file + for i, line in enumerate(lines): + if line.strip().startswith("#") or not line.strip(): + continue + if line.split()[0] == key_id: + exists = True + if line.split()[2] != key: + lines[i] = key_cfg + "\n" # Update key if different + break + + if not exists: + lines.append(key_cfg + "\n") + + with open(CHRONY_KEYS_FILE, "w") as f: + f.writelines(lines) + + # Dynamically add to chrony if daemon is running + if os.path.exists("/var/run/chrony/chronyd.pid"): + cmd = ["chronyc", "reload", "sources"] + subprocess.call(cmd, env=CHRONY_ENV) + +def remove_key(key_id): + """Remove a KEY entry from the chrony keys file and dynamically using chronyc.""" + with open(CHRONY_KEYS_FILE, "r") as f: + lines = f.readlines() + + # Filter out lines that match the key_id + updated_lines = [] + for line in lines: + if line.strip().startswith("#") or not line.strip(): + updated_lines.append(line) + continue + + if line.split()[0] != key_id: + updated_lines.append(line) + + with open(CHRONY_KEYS_FILE, "w") as f: + f.writelines(updated_lines) + + # Dynamically delete from chrony if daemon is running + if os.path.exists("/var/run/chrony/chronyd.pid"): + cmd = ["chronyc", "reload", "sources"] + subprocess.call(cmd, env=CHRONY_ENV) if __name__ == "__main__": parser = argparse.ArgumentParser(description="Manage chrony service and configuration.") parser.add_argument("-s", "--start", action="store_true", help="Start the chrony service.") parser.add_argument("-e", "--end", action="store_true", help="Stop the chrony service.") parser.add_argument("-l", "--list", action="store_true", help="List chrony status.") + parser.add_argument("-p", "--printkey", action="store_true", help="List chrony authentication keys.") parser.add_argument("-a", "--add", type=str, help="Add a server or pool to chrony configuration.") parser.add_argument("-r", "--remove", type=str, help="Remove a server or pool from chrony configuration.") + parser.add_argument("-k", "--key", type=str, help="To define the authentication key.") + parser.add_argument("-d", "--delkey", type=str, help="To remove the authentication key.") parser.add_argument("-c", "--clear", action="store_true", help="Reset chrony configure file to default.") args = parser.parse_args() @@ -122,11 +201,17 @@ start_chrony() elif args.end: stop_chrony() + elif args.printkey: + show_chrony_authentication_keys() elif args.list: show_chrony_status() elif args.add: add_server(args.add) elif args.remove: remove_server(args.remove) + elif args.key: + add_key(args.key) + elif args.delkey: + remove_key(args.delkey) elif args.clear: clear_chrony_config() Index: /branches/rel_avx_2_7_3/src/backend/ntp.c =================================================================== --- /branches/rel_avx_2_7_3/src/backend/ntp.c (revision 8915) +++ /branches/rel_avx_2_7_3/src/backend/ntp.c (working copy) @@ -4,14 +4,103 @@ #include #include +#include +#include #define AVX_NTP_PID_FILE "/var/run/chrony/chronyd.pid" #define AVX_TIME_STATE_FILE "/var/lib/rsyslog/imjournal.state" #define AVX_NTP_CONF_FILE "/ca/conf/chrony.conf" #define AVX_NTP_CONF_FILE_TMP "/ca/etc/ntp.conf.tmp" +#define AVX_NTP_KEYS_FILE "/ca/conf/chrony.keys" #define AVX_NTP_BIN "/usr/sbin/ntpd" #define NTP_MAX_SERVER_CNT 6 +#define NTP_MAX_AUTH_KEY_LEN 32 +#define NTP_ENCRYPTED_FLAG "ENCRYPTED" + +#define AVX_AES_BLOCK_SZ 16 +#define AVX_ENCRYPTED_SECRET_LEN 129 + +static int encrypt_auth_key(const unsigned char *key_in, unsigned char *key_out) { + AES_KEY aes_key; + unsigned char key[AVX_AES_BLOCK_SZ]; + unsigned char iv[AVX_AES_BLOCK_SZ]; + unsigned char seed_key[] = "ARRAYNETWORKS"; + unsigned char seed_iv[] = "NTPAUTHKEY"; + unsigned char temp[2 * AVX_ENCRYPTED_SECRET_LEN]; + int len; + int i; + + memcpy(temp, key_in, AVX_ENCRYPTED_SECRET_LEN); + len = strlen((char *)temp) + 1; + + if (len % AVX_AES_BLOCK_SZ != 0) { + len = (len / AVX_AES_BLOCK_SZ + 1) * AVX_AES_BLOCK_SZ; + } + + for (i = 0; i < AVX_AES_BLOCK_SZ; i++) { + key[i] = seed_key[i % sizeof(seed_key)]; + } + + for (i = 0; i < AVX_AES_BLOCK_SZ; i++) { + iv[i] = seed_iv[i % sizeof(seed_iv)]; + } + + if (AES_set_encrypt_key(key, 128, &aes_key) < 0) { + return -1; + } + + AES_cbc_encrypt(key_in, temp, len, &aes_key, iv, AES_ENCRYPT); + EVP_EncodeBlock(key_out, temp, len); + + return 0; +} + +static int decrypt_secret(const unsigned char *secret_in, unsigned char *secret_out) { + AES_KEY aes_key; + unsigned char key[AVX_AES_BLOCK_SZ]; + unsigned char iv[AVX_AES_BLOCK_SZ]; + unsigned char seed_key[] = "ARRAYNETWORKS"; + unsigned char seed_iv[] = "NTPAUTHKEY"; + unsigned char temp[2 * AVX_ENCRYPTED_SECRET_LEN]; + int len; + int i; + + memcpy(temp, secret_in, 2 * AVX_ENCRYPTED_SECRET_LEN); + temp[2 * AVX_ENCRYPTED_SECRET_LEN - 1] = '\0'; + len = strlen((char *)temp); + + if (len > (AVX_ENCRYPTED_SECRET_LEN / 3 * 4)) { + return -1; + } + + if (len < 24) { + /* encrypted secret is 16 Byte at least, after base64 it is 24 */ + return -1; + } + + len = EVP_DecodeBlock(temp, secret_in, len); + if (len == -1) { + return -1; + } + + len -= len % AVX_AES_BLOCK_SZ; + for (i = 0; i < AVX_AES_BLOCK_SZ; i++) { + key[i] = seed_key[i % sizeof(seed_key)]; + } + + for (i = 0; i < AVX_AES_BLOCK_SZ; i++) { + iv[i] = seed_iv[i % sizeof(seed_iv)]; + } + + if (AES_set_decrypt_key(key, 128, &aes_key) < 0) { + return -1; + } + + AES_cbc_encrypt(temp, secret_out, len, &aes_key, iv, AES_DECRYPT); + + return 0; +} // Deperated Functions Start // Was reffered in sys_tool.c Need to clear up later. @@ -163,13 +252,13 @@ if((q = strstr(linebuf, "version"))){ version = atoi(q + strlen("version")); memcpy(ip, p + strlen("server") + 1, q - p - 2 - strlen("server")); - fclose(fp); + fclose(fp); return version; } } } - fclose(fp); + fclose(fp); return 0; } @@ -185,8 +274,8 @@ while (fgets(linebuf, sizeof(linebuf), fp)) { if (strstr(linebuf, "server") && strstr(linebuf, ip)) { - fclose(fp); - return 1; + fclose(fp); + return 1; } } @@ -199,13 +288,29 @@ FILE *fp = NULL; char linebuf[1024]; char *server_config = NULL; - // int version = 0; - // char ipstr[256] = {0}; + char algorithm[10]; + char key_str[NTP_MAX_AUTH_KEY_LEN]; + char encrypt_key[AVX_ENCRYPTED_SECRET_LEN]; + char server[512]; + char option[10]; + int key_id = 0; if(buf == NULL || buf_len <= 0){ return -1; } - + + fp = fopen(AVX_NTP_KEYS_FILE, "r"); + while (fgets(linebuf, sizeof(linebuf), fp)) { + if(linebuf[0] != '#' && linebuf[0] != '\n') { + sscanf(linebuf, "%d %s %s", &key_id, algorithm, key_str); + encrypt_auth_key(key_str, encrypt_key); + i += snprintf(buf + i, buf_len - i, "ntp key %d \"%s\" \"%s\"\n", key_id, encrypt_key, NTP_ENCRYPTED_FLAG); + } + } + + fclose(fp); + fp = NULL; + fp = fopen(AVX_NTP_CONF_FILE, "r"); if (!fp) { i += snprintf(buf + i, buf_len - i, "ntp off\n"); @@ -214,8 +319,45 @@ while (fgets(linebuf, sizeof(linebuf), fp)) { server_config = strstr(linebuf, "server"); + i += snprintf(buf + i, buf_len - i, "%s", server_config); if (server_config){ - i += snprintf(buf + i, buf_len - i, "ntp %s", server_config); + char *copy = strdup(server_config); + char *token; + + copy[strlen(copy)-1] = '\0'; + + memset(server, '\0', sizeof(server)); + memset(option, '\0', sizeof(option)); + key_id = 0; + + token = strtok(copy, " "); + token = strtok(NULL, " "); + if (token) { + strcpy(server, token); + } + + while ((token = strtok(NULL, " ")) != NULL) { + if (strcmp(token, "key") == 0) { + token = strtok(NULL, " "); + if (token) { + key_id = atoi(token); + } + } else { + strcpy(option, token); + } + } + + if(key_id) { + i += snprintf(buf + i, buf_len - i, "ntp server \"%s\" \"%s\" %d\n", server, option, key_id); + } else if (strcmp(option, "key") == 0) { + i += snprintf(buf + i, buf_len - i, "ntp server \"%s\" %d\n", server, key_id); + } else if (strcmp(option, "") == 0) { + i += snprintf(buf + i, buf_len - i, "ntp server \"%s\"\n", server); + } else { + i += snprintf(buf + i, buf_len - i, "ntp server \"%s\" \"%s\"\n", server, option); + } + + free(copy); } } @@ -284,18 +426,18 @@ int show_ntp_sysstat() { return 0; - char *cmd = "/usr/sbin/ntpdc -c sysstat"; - char buf[2048] = { 0 }; - FILE *fp = NULL; - - fp = popen(cmd, "r"); - if (fp) { - if (fread(buf, 1, sizeof(buf), fp) > 0) { - printf("%s", buf); - } - pclose(fp); - } - return 0; + char *cmd = "/usr/sbin/ntpdc -c sysstat"; + char buf[2048] = { 0 }; + FILE *fp = NULL; + + fp = popen(cmd, "r"); + if (fp) { + if (fread(buf, 1, sizeof(buf), fp) > 0) { + printf("%s", buf); + } + pclose(fp); + } + return 0; } // Deperated Functions End @@ -316,14 +458,33 @@ return 0; } -int ui_ntp_server(char *ip, char *option){ +int ui_ntp_server(char *ip, char *option, int key_id){ // reuse this function for handling chrony client char cmd[256] = {0}; + char *support_options[] = {"nts", "iburst"}; + int cases = sizeof(support_options) / sizeof(support_options[0]); + int i, unsupport = 1; + // empty option case if (!option || option[0] == '\0') { - snprintf(cmd, sizeof(cmd), "python /ca/bin/chrony_setup.py -a 'server %s'", ip); + snprintf(cmd, sizeof(cmd), "python /ca/bin/chrony_setup.py -a 'server %s", ip); } else { - snprintf(cmd, sizeof(cmd), "python /ca/bin/chrony_setup.py -a 'server %s %s'", ip, option); + for(i = 0; i < cases; i++) { + if(strcmp(option, support_options[i]) == 0) { + unsupport = 0; + } + } + if(unsupport) { + printf("Unsupport option: %s.", option); + return 1; + } + snprintf(cmd, sizeof(cmd), "python /ca/bin/chrony_setup.py -a 'server %s %s", ip, option); + } + // Append the key if key_id is provided + if(key_id) { + snprintf(cmd + strlen(cmd), sizeof(cmd) - strlen(cmd), " key %d'", key_id); + } else { + snprintf(cmd + strlen(cmd), sizeof(cmd) - strlen(cmd), "'"); } system(cmd); return 0; @@ -337,27 +498,85 @@ return 0; } +int ui_ntp_auth_key(int key_id, char *key_str, char *encrypted_flag){ + char cmd[256] = {0}; + char md5_key[NTP_MAX_AUTH_KEY_LEN]; + char *tmp; + if(strcmp(encrypted_flag, NTP_ENCRYPTED_FLAG)) { + strcpy(md5_key, key_str); + } else { + decrypt_secret(key_str, md5_key); + } + if(strlen(md5_key) > NTP_MAX_AUTH_KEY_LEN) { + printf("Maximum key string length is %d.", NTP_MAX_AUTH_KEY_LEN); + return 1; + } + tmp = md5_key; + while(*tmp) { + if((*tmp >= 'A' && *tmp <= 'Z') || (*tmp >= 'a' && *tmp <= 'z') || + (*tmp >= '0' && *tmp <= '9') || (*tmp == '_')) { + tmp++; + } else { + printf("value can only contain the following characters: A\-Z, a\-z, 0\-9, and underscore (_).\n"); + return -1; + } + } + snprintf(cmd, sizeof(cmd), "python /ca/bin/chrony_setup.py -k '%d MD5 %s'", key_id, md5_key); + system(cmd); + return 0; +} + +int ui_ntp_remove_auth_key(int key_id){ + char cmd[256] = {0}; + snprintf(cmd, sizeof(cmd), "python /ca/bin/chrony_setup.py -d '%d'", key_id); + system(cmd); + return 0; +} + int ui_show_ntp(){ // reuse this function for handling chrony client FILE *fp; - char path[1035]; + char path[1035]; - /* Open the command for reading. */ - fp = popen("python /ca/bin/chrony_setup.py -l", "r"); - if (fp == NULL) { - printf("Failed to run command\n"); - return 1; - } - - /* Read the output a line at a time - output it to stdout or process it. */ - while (fgets(path, sizeof(path)-1, fp) != NULL) { - printf("%s", path); - } + /* Open the command for reading. */ + fp = popen("python /ca/bin/chrony_setup.py -l", "r"); + if (fp == NULL) { + printf("Failed to run command\n"); + return 1; + } + + /* Read the output a line at a time - output it to stdout or process it. */ + while (fgets(path, sizeof(path)-1, fp) != NULL) { + printf("%s", path); + } - /* Close the file pointer. */ - pclose(fp); + /* Close the file pointer. */ + pclose(fp); - return 0; + return 0; +} + +int ui_show_ntp_auth_keys(){ + // reuse this function for handling chrony client + FILE *fp; + char path[1035]; + + /* Open the command for reading. */ + fp = popen("python /ca/bin/chrony_setup.py -p", "r"); + if (fp == NULL) { + printf("Failed to run command\n"); + return 1; + } + + /* Read the output a line at a time - output it to stdout or process it. */ + while (fgets(path, sizeof(path)-1, fp) != NULL) { + printf("%s", path); + } + + /* Close the file pointer. */ + pclose(fp); + + return 0; } int ui_clear_ntp(){ Index: /branches/rel_avx_2_7_3/src/generator/commands.pm =================================================================== --- /branches/rel_avx_2_7_3/src/generator/commands.pm (revision 8915) +++ /branches/rel_avx_2_7_3/src/generator/commands.pm (working copy) @@ -2976,17 +2976,49 @@ cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", user_level => "CLI_LEVEL_CONFIG", function_name => "ui_ntp_server", - function_args => [ { + function_args => [{ type => "STRING", help_string => "NTP server IP or URL. NTP need UDP port 123.", optional => "NO", - }, - { + }, + { type => "STRING", help_string => "NTP server option(nts, iburst etc). NTS is on TCP port 4460.", optional => "YES", default_value => "NULL", - }, ], + }, + { + type => "U16", + help_string => "Key ID (Specifies the authentication key ID. Range: 1 to 65535.)", + optional => "YES", + default_value => "0", + }], + }, + { + obj_type => "ITEM", + name => "key", + menu => "root_ntp", + help_string => "Define the NTP authentication key", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", + user_level => "CLI_LEVEL_CONFIG", + function_name => "ui_ntp_auth_key", + function_args => [{ + type => "U16", + help_string => "Key ID (Specifies the authentication key ID. Range: 1 to 65535.)", + optional => "NO", + }, + { + type => "STRING", + help_string => "Specifies the authentication md5 key", + optional => "NO", + }, + { + type => "STRING", + help_string => "", + optional => "YES", + default_value => "\"\"", + }, + ] }, { obj_type => "MENU", @@ -3013,15 +3045,48 @@ }, { obj_type => "ITEM", + name => "key", + menu => "root_no_ntp", + help_string => "Delete the NTP authentication key", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL|CMD_GLOBAL", + user_level => "CLI_LEVEL_CONFIG", + function_name => "ui_ntp_remove_auth_key", + function_args => [ { + type => "U16", + help_string => "Key ID (Specifies the authentication key ID. Range: 1 to 65535.)", + optional => "NO", + },], + }, + { + obj_type => "MENU", name => "ntp", - menu => "root_show", - help_string => "Show NTP status", + parent_menu => "root_show", + uniq_name => "root_show_ntp", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", + user_level => "CLI_LEVEL_ENABLE", + help_string => "Display NTP status", + }, + { + obj_type => "ITEM", + name => "status", + menu => "root_show_ntp", + help_string => "Display NTP servers states and settings", cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", user_level => "CLI_LEVEL_ENABLE", function_name => "ui_show_ntp", function_args => [], }, { + obj_type => "ITEM", + name => "keys", + menu => "root_show_ntp", + help_string => "Display NTP authentication keys", + cmd_attribute => "CMD_ARRAYOS|CMD_NORMAL", + user_level => "CLI_LEVEL_ENABLE", + function_name => "ui_show_ntp_auth_keys", + function_args => [], + }, + { obj_type => "ITEM", name => "ntp", menu => "root_clear",