From 27e20a568b60658f1c8ce6daa7b373f94fbc3579 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed, 17 Jun 2020 12:06:21 +0200
Subject: [PATCH] socket: enable only specified IP families

Allow an IP family to be specified in the socket initialization in order
to globally disable the other family. This replaces the ntp_io and
cmdmon code handling the -4/-6 options and fixes a case where the NTP
client could still use a disabled family if the source was specified
with an IP address.
---
 client.c                |  2 +-
 cmdmon.c                | 15 +++++----------
 cmdmon.h                |  2 +-
 main.c                  |  6 +++---
 ntp_io.c                | 31 ++++++++++++-------------------
 ntp_io.h                |  2 +-
 nts_ke_server.c         |  2 +-
 socket.c                | 25 +++++++++++++++++++------
 socket.h                |  9 +++++----
 stubs.c                 |  4 ++--
 test/unit/ntp_core.c    |  2 +-
 test/unit/ntp_sources.c |  2 +-
 12 files changed, 52 insertions(+), 50 deletions(-)

diff --git a/client.c b/client.c
index 8001cd5..41527e7 100644
--- a/client.c
+++ b/client.c
@@ -3601,7 +3601,7 @@ main(int argc, char **argv)
 
   UTI_SetQuitSignalsHandler(signal_handler, 0);
 
-  SCK_Initialise();
+  SCK_Initialise(IPADDR_UNSPEC);
   server_addresses = get_addresses(hostnames, port);
 
   if (!open_io())
diff --git a/cmdmon.c b/cmdmon.c
index ebc7fe0..8e9764a 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -165,7 +165,7 @@ open_socket(int family)
     case IPADDR_INET4:
     case IPADDR_INET6:
       port = CNF_GetCommandPort();
-      if (port == 0 || !SCK_IsFamilySupported(family))
+      if (port == 0 || !SCK_IsIpFamilyEnabled(family))
         return INVALID_SOCK_FD;
 
       CNF_GetBindCommandAddress(family, &local_addr.ip_addr);
@@ -237,22 +237,17 @@ do_size_checks(void)
 /* ================================================== */
 
 void
-CAM_Initialise(int family)
+CAM_Initialise(void)
 {
   assert(!initialised);
   assert(sizeof (permissions) / sizeof (permissions[0]) == N_REQUEST_TYPES);
   do_size_checks();
 
   initialised = 1;
+
   sock_fdu = INVALID_SOCK_FD;
-  sock_fd4 = INVALID_SOCK_FD;
-  sock_fd6 = INVALID_SOCK_FD;
-
-  if (family == IPADDR_UNSPEC || family == IPADDR_INET4)
-    sock_fd4 = open_socket(IPADDR_INET4);
-
-  if (family == IPADDR_UNSPEC || family == IPADDR_INET6)
-    sock_fd6 = open_socket(IPADDR_INET6);
+  sock_fd4 = open_socket(IPADDR_INET4);
+  sock_fd6 = open_socket(IPADDR_INET6);
 
   access_auth_table = ADF_CreateTable();
 }
diff --git a/cmdmon.h b/cmdmon.h
index 5b717d2..86356b9 100644
--- a/cmdmon.h
+++ b/cmdmon.h
@@ -29,7 +29,7 @@
 
 #include "addressing.h"
 
-extern void CAM_Initialise(int family);
+extern void CAM_Initialise(void);
 
 extern void CAM_Finalise(void);
 
diff --git a/main.c b/main.c
index 26e1157..07b9458 100644
--- a/main.c
+++ b/main.c
@@ -568,11 +568,11 @@ int main
   SRC_Initialise();
   RCL_Initialise();
   KEY_Initialise();
-  SCK_Initialise();
+  SCK_Initialise(address_family);
 
   /* Open privileged ports before dropping root */
-  CAM_Initialise(address_family);
-  NIO_Initialise(address_family);
+  CAM_Initialise();
+  NIO_Initialise();
   NCR_Initialise();
   CNF_SetupAccessRestrictions();
 
diff --git a/ntp_io.c b/ntp_io.c
index bc1b1de..ed55687 100644
--- a/ntp_io.c
+++ b/ntp_io.c
@@ -86,7 +86,7 @@ open_socket(int family, int local_port, int client_only, IPSockAddr *remote_addr
   int sock_fd, sock_flags, events = SCH_FILE_INPUT;
   IPSockAddr local_addr;
 
-  if (!SCK_IsFamilySupported(family))
+  if (!SCK_IsIpFamilyEnabled(family))
     return INVALID_SOCK_FD;
 
   if (!client_only)
@@ -152,7 +152,7 @@ close_socket(int sock_fd)
 /* ================================================== */
 
 void
-NIO_Initialise(int family)
+NIO_Initialise(void)
 {
   int server_port, client_port;
 
@@ -191,25 +191,18 @@ NIO_Initialise(int family)
   server_sock_ref4 = 0;
   server_sock_ref6 = 0;
 
-  if (family == IPADDR_UNSPEC || family == IPADDR_INET4) {
-    if (permanent_server_sockets && server_port)
-      server_sock_fd4 = open_socket(IPADDR_INET4, server_port, 0, NULL);
-    if (!separate_client_sockets) {
-      if (client_port != server_port || !server_port)
-        client_sock_fd4 = open_socket(IPADDR_INET4, client_port, 1, NULL);
-      else
-        client_sock_fd4 = server_sock_fd4;
-    }
+  if (permanent_server_sockets && server_port) {
+    server_sock_fd4 = open_socket(IPADDR_INET4, server_port, 0, NULL);
+    server_sock_fd6 = open_socket(IPADDR_INET6, server_port, 0, NULL);
   }
 
-  if (family == IPADDR_UNSPEC || family == IPADDR_INET6) {
-    if (permanent_server_sockets && server_port)
-      server_sock_fd6 = open_socket(IPADDR_INET6, server_port, 0, NULL);
-    if (!separate_client_sockets) {
-      if (client_port != server_port || !server_port)
-        client_sock_fd6 = open_socket(IPADDR_INET6, client_port, 1, NULL);
-      else
-        client_sock_fd6 = server_sock_fd6;
+  if (!separate_client_sockets) {
+    if (client_port != server_port || !server_port) {
+      client_sock_fd4 = open_socket(IPADDR_INET4, client_port, 1, NULL);
+      client_sock_fd6 = open_socket(IPADDR_INET6, client_port, 1, NULL);
+    } else {
+      client_sock_fd4 = server_sock_fd4;
+      client_sock_fd6 = server_sock_fd6;
     }
   }
 
diff --git a/ntp_io.h b/ntp_io.h
index d52d56f..9787ca1 100644
--- a/ntp_io.h
+++ b/ntp_io.h
@@ -33,7 +33,7 @@
 #include "addressing.h"
 
 /* Function to initialise the module. */
-extern void NIO_Initialise(int family);
+extern void NIO_Initialise(void);
 
 /* Function to finalise the module */
 extern void NIO_Finalise(void);
diff --git a/nts_ke_server.c b/nts_ke_server.c
index 76bb6a3..a4b1e2d 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -258,7 +258,7 @@ open_socket(int family, int port)
   IPSockAddr local_addr;
   int sock_fd;
 
-  if (!SCK_IsFamilySupported(family))
+  if (!SCK_IsIpFamilyEnabled(family))
     return INVALID_SOCK_FD;
 
   CNF_GetBindAddress(family, &local_addr.ip_addr);
diff --git a/socket.c b/socket.c
index 952b0d8..f546a4b 100644
--- a/socket.c
+++ b/socket.c
@@ -82,6 +82,10 @@ struct MessageHeader {
 
 static int initialised;
 
+/* Flags indicating in which IP families sockets can be requested */
+static int ip4_enabled;
+static int ip6_enabled;
+
 /* Flags supported by socket() */
 static int supported_socket_flags;
 
@@ -412,10 +416,14 @@ open_ip_socket(IPSockAddr *remote_addr, IPSockAddr *local_addr, int type, int fl
 
   switch (family) {
     case IPADDR_INET4:
+      if (!ip4_enabled)
+        return INVALID_SOCK_FD;
       domain = AF_INET;
       break;
 #ifdef FEAT_IPV6
     case IPADDR_INET6:
+      if (!ip6_enabled)
+        return INVALID_SOCK_FD;
       domain = AF_INET6;
       break;
 #endif
@@ -1090,8 +1098,15 @@ send_message(int sock_fd, SCK_Message *message, int flags)
 /* ================================================== */
 
 void
-SCK_Initialise(void)
+SCK_Initialise(int family)
 {
+  ip4_enabled = family == IPADDR_INET4 || family == IPADDR_UNSPEC;
+#ifdef FEAT_IPV6
+  ip6_enabled = family == IPADDR_INET6 || family == IPADDR_UNSPEC;
+#else
+  ip6_enabled = 0;
+#endif
+
   recv_messages = ARR_CreateInstance(sizeof (struct Message));
   ARR_SetSize(recv_messages, MAX_RECV_MESSAGES);
   recv_headers = ARR_CreateInstance(sizeof (struct MessageHeader));
@@ -1131,15 +1146,13 @@ SCK_Finalise(void)
 /* ================================================== */
 
 int
-SCK_IsFamilySupported(int family)
+SCK_IsIpFamilyEnabled(int family)
 {
   switch (family) {
     case IPADDR_INET4:
-      return 1;
+      return ip4_enabled;
     case IPADDR_INET6:
-#ifdef FEAT_IPV6
-      return 1;
-#endif
+      return ip6_enabled;
     default:
       return 0;
   }
diff --git a/socket.h b/socket.h
index 949690b..a51a67c 100644
--- a/socket.h
+++ b/socket.h
@@ -73,14 +73,15 @@ typedef struct {
   int descriptor;
 } SCK_Message;
 
-/* Initialisation function */
-extern void SCK_Initialise(void);
+/* Initialisation function (the specified IP family is enabled,
+   or all if IPADDR_UNSPEC) */
+extern void SCK_Initialise(int family);
 
 /* Finalisation function */
 extern void SCK_Finalise(void);
 
-/* Check if support for the IP family was enabled in the build */
-extern int SCK_IsFamilySupported(int family);
+/* Check if support for the IP family is enabled */
+extern int SCK_IsIpFamilyEnabled(int family);
 
 /* Get the 0.0.0.0/::0 or 127.0.0.1/::1 address */
 extern void SCK_GetAnyLocalIPAddress(int family, IPAddr *local_addr);
diff --git a/stubs.c b/stubs.c
index b9ad60f..fd29a10 100644
--- a/stubs.c
+++ b/stubs.c
@@ -112,7 +112,7 @@ DNS_Name2IPAddressAsync(const char *name, DNS_NameResolveHandler handler, void *
 #ifndef FEAT_CMDMON
 
 void
-CAM_Initialise(int family)
+CAM_Initialise(void)
 {
 }
 
@@ -174,7 +174,7 @@ NCR_CheckAccessRestriction(IPAddr *ip_addr)
 }
 
 void
-NIO_Initialise(int family)
+NIO_Initialise(void)
 {
 }
 
diff --git a/test/unit/ntp_core.c b/test/unit/ntp_core.c
index 9a92ded..ac8aec3 100644
--- a/test/unit/ntp_core.c
+++ b/test/unit/ntp_core.c
@@ -322,7 +322,7 @@ test_unit(void)
   TST_RegisterDummyDrivers();
   SCH_Initialise();
   SRC_Initialise();
-  NIO_Initialise(IPADDR_UNSPEC);
+  NIO_Initialise();
   NCR_Initialise();
   REF_Initialise();
 
diff --git a/test/unit/ntp_sources.c b/test/unit/ntp_sources.c
index 2488831..f824316 100644
--- a/test/unit/ntp_sources.c
+++ b/test/unit/ntp_sources.c
@@ -44,7 +44,7 @@ test_unit(void)
   LCL_Initialise();
   SCH_Initialise();
   SRC_Initialise();
-  NIO_Initialise(IPADDR_UNSPEC);
+  NIO_Initialise();
   NCR_Initialise();
   NSR_Initialise();