summaryrefslogtreecommitdiff
path: root/usr.sbin/ntpd
AgeCommit message (Collapse)Author
2022-01-07If no date could be parsed, bail out early and fix an error return thatOtto Moerbeek
leaked; ok florian@
2021-12-13including sys/cdefs.h manually started as a result of netbsd trying toTheo de Raadt
macro-build a replacement for sccsid, and was done without any concern for namespace damage. Unfortunately this practice started infecting other code as others were unaware they didn't need the file. ok millert guenther
2021-10-24For open/openat, if the flags parameter does not contain O_CREAT, theTheo de Raadt
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past have passed mode_t (0, 044, 0644, or such), which might lead future people to copy this broken idiom, and perhaps even believe this parameter has some meaning or implication or application. Delete them all. This comes out of a conversation where tb@ noticed that a strange (but intentional) pledge behaviour is to always knock-out high-bits from mode_t on a number of system calls as a safety factor, and his bewilderment that this appeared to be happening against valid modes (at least visually), but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef. ok millert
2021-10-15Don't declare variables as "unsigned char *" that are passed toChristian Weisgerber
functions that take "char *" arguments. Where such chars are assigned to int or passed to ctype functions, explicitly cast them to unsigned char. For OpenBSD's clang, -Wpointer-sign has been disabled by default, but when the parse.y code was built elsewhere, the compiler would complain. With help from millert@ ok benno@ deraadt@
2021-07-16main proc doesn't speak with sockets during the main loop and setpriority plusRicardo Mestre
chroot (and privdrop) in the child procs at this point are all set and done so pledge("inet id") promises are not required anymore. analysis and OK @kn
2021-07-16/etc/ssl/cert.pem is loaded into mem with tls_load_file(3) on local functionRicardo Mestre
priv_constraint_child() which is called before we reach pledge(2), therefore we we don't need to unveil(2) that file nor having pledge("rpath") since it was only required to read that same file. OK kn@
2021-07-16Remove unneeded call to tls_init(3)kn
As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions. Remove the tls_init() call to not give the impression of it being needed. Feedback tb OK Tests mestre
2021-07-12Change the error reporting pattern throughout the tree when unveilBob Beck
fails to report the path that the failure occured on. Suggested by deraadt@ after some tech discussion. Work done and verified by Ashton Fagg <ashton@fagg.id.au> ok deraadt@ semarie@ claudio@
2021-04-21Improve ntpd offset handling. Call the index of the offset loopsAlexander Bluhm
"shift" consistently. Merge the two offset loops in client_update() into one. Use a simple assignment for the best value instead of memcpy(). Use the same mechanism to loop over the offset array everywhere to avoid an invalid best value. tested by weerd@; OK claudio@
2021-03-18Remove duplicate prototype.Alexander Bluhm
2021-03-18The ntpd client code corrects both T1 and T4 with the current offsetAlexander Bluhm
returned by adjtime(2) from the kernel. T1 is local time when the NTP packet is sent and T4 when the response is received. If between these events a NTP reply from another server is received, it may change the kernel offset with adjtime(2). Then the calulation of the client offset was done with different bases, the result was wrong and the system time started moving around. So instead of correcting T1 and T4 individually at different events, correct their sum once. Error handling was missing if there is no timestamp in the response. As this should not happen in our kernel, fatal() is appropriate. tested by weerd@; OK claudio@
2021-01-06double word fix; from sean daviesJason McIntyre
2020-09-11If we get messages but they are not ntp replies (e.g. caused byOtto Moerbeek
incoming icmp) do not register them as replies. Also, fix a bug introduced in the previous commit: first recompute scale, then recompute interval, so that when the offset increases and thus the scale is lowered both the poll interval and the check interval use the same scale. First issue spotted by naddy@ second one by and ok semarie@
2020-08-30If no replies are received for a while due to connectivity issuesOtto Moerbeek
go into unsynced mode. The existing code to check if we're unsycned is only done on receiving an ntp packet which does not happen if there are connectivity issues. Prodded by naddy@ ok @florian
2020-06-22When the main process exits, it closes the pipe so a read 0 occurs.Otto Moerbeek
Move log level to debug for that case and while there correct the string, we're reding, not writing.
2020-05-16list example files in FILES with a short description: generally, "ExampleJason McIntyre
configuration file.", but occasionally something else fit better; at the same time, try to make the format for FILES more consistent; original diff from clematis
2020-04-12If all addresses are numeric no use for dns probe; ok florian@ sthen@Otto Moerbeek
2020-04-11Zap double definition of conf and make ibuf_dns static to avoid doubleOtto Moerbeek
definition; from Michael Forney
2020-02-20Typo in log messageOtto Moerbeek
2020-02-12If constraints are configured but do not work for whatever reason ntpdOtto Moerbeek
does not work. Make that more clear in the log and ntpdctl -s status. report by and ok benno@
2020-02-12Standardize argument naming for "sourceaddr" and unify the wording a bit,Ingo Schwarze
similar to what deraadt@ recently did in other manual pages.
2020-02-10briefly mention /etc/examples/ in the FILES section of all theIngo Schwarze
manual pages that document the corresponding configuration files; OK jmc@, and general direction discussed with many
2020-01-30Properly determine era 0 or era 1, making it possible to move pastOtto Moerbeek
the ntp timestamp wrapping in 2036.
2019-11-12tweak previous; ok deraadtJason McIntyre
2019-11-11sensors can als be marked trusted; ok deraadt@Otto Moerbeek
2019-11-11tweak previous: delete stray .PpIngo Schwarze
2019-11-11trusted sub-option works on sensors also now; ok ottoTheo de Raadt
2019-11-11Also implement "trusted" for sensors; do not do constraint validationOtto Moerbeek
for these. ok deraadt@
2019-11-11remove -s and -S documentation, and explain the boot-time startup modeTheo de Raadt
more clearly ok ingo schwarze
2019-11-11Disable -s and -S functionality. -s would force time using NTP packets withoutTheo de Raadt
any MITM protection checks. We've had constraint checks for MITM protection for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode. In environments where https traffic doesn't work, ethernet-near servers can be labelled as "trusted". trusted sensor support is also coming. We have reasons to immediately move people away from the -s mode. ok otto
2019-11-10document server/servers "trusted" sub-option. Indicates a particularTheo de Raadt
server is wired up such that non MITM attacks are possible, and NTP packets can be trusted. Therefore constraint validity is not required, and during boot ntpd can spin-up correct time faster. with otto, ok jmc schwarze
2019-11-10Introduce a "trusted" modifier, for peers that should be on a local netOtto Moerbeek
used in situations where https constraints cannot be used and we still want auto settime. Result of discussion with and ok deraadt@
2019-11-10alphatically order sub-options for sensors, and make the explanationsTheo de Raadt
more similar ok jmc schwarze
2019-11-10typoTheo de Raadt
2019-11-10- validate sensor values against constraintsOtto Moerbeek
- do not restart settime timeout interval if something happens in the main event loop - apply a tight loop protection; it can be painfull on a single core machine since the process runs at maximum priority. Should only happen when a bug is introduced while developing, but prevents having to machine taken over by ntpd.
2019-11-06Allow the singular constraint clause to list multiple addresses;Otto Moerbeek
ok deraadt@
2019-07-161) Re-resolve and re-get constraints once the clock is synced. ConstraintsOtto Moerbeek
are relative to monotime; so they shift when time is being adjusted. 2) Fix a race between SIGCHLD delivery and reading the result imsg. 3) Some cleanup: use a number to distinguish pools internally
2019-07-10fix printing when the pool is specified as an IP address; reported by andOtto Moerbeek
ok deraadt@
2019-07-07proper level of two messages, prompted by deraadt@Otto Moerbeek
2019-07-07Sometimes ntp peers are unreliable (looking at you pool.ntp.org!)Otto Moerbeek
and net config can change as well. So if a peer does not respond, throw it out of the pool if it's a pool member and re-resolve to find a replacement. Hold on to good peers so we end up with a good set of peers. ok benno@
2019-07-03Forgotten va_copy/va_end; on some archs that is really needed. ok benno@Otto Moerbeek
2019-06-28When system calls indicate an error they return -1, not some arbitraryTheo de Raadt
value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
2019-06-27Allow logging to both stderr and syslog; don't reset the log level ifOtto Moerbeek
the log destination changes. ok claudio@ benno@
2019-06-20tweaks with help from jmc@Otto Moerbeek
2019-06-20Tell a bit about automatic mode; ok jmc@Otto Moerbeek
2019-06-20Do a quick DNS probe to decide to stay in the forground and attemptOtto Moerbeek
an (auto) settime or give up. 15s timeout is still in effect. ok florian@
2019-06-16Be more aggressive retrying dns while in settime mode. The constraintOtto Moerbeek
engine does not know if we're in startup mode, so use a small interval the first few times there.
2019-06-12Fix init of syslog for childs and teach dns process about synced state.Otto Moerbeek
ok benno@
2019-06-09Introducing autmatic settime mode: if some preconditions are metOtto Moerbeek
(booting, constraint(s) defined) set the time but only if the clock should be moved forward by more than a minute, based on ntp replies that satisfied the constraints. Tested by many; ok deraadt@
2019-05-30Use proper algorithm for median computation; use fabs() for computingOtto Moerbeek
an absolute value and fix poll loop to first generate messages and then compute poll flags the write cases. This makes the timeout workaround for constraints unneeded. ok reyk@ tb@