Age | Commit message | Author |
|
leaked; ok florian@
|
|
macro-build a replacement for sccsid, and was done without any concern
for namespace damage. Unfortunately this practice started infecting
other code as others were unaware they didn't need the file.
ok millert guenther
|
|
3rd (variadic) mode_t parameter is irrelevant. Many developers in the past
have passed mode_t (0, 044, 0644, or such), which might lead future people
to copy this broken idiom, and perhaps even believe this parameter has some
meaning or implication or application. Delete them all.
This comes out of a conversation where tb@ noticed that a strange (but
intentional) pledge behaviour is to always knock-out high-bits from
mode_t on a number of system calls as a safety factor, and his bewilderment
that this appeared to be happening against valid modes (at least visually),
but no sorry, they are all irrelevant junk. They could all be 0xdeafbeef.
ok millert
|
|
functions that take "char *" arguments. Where such chars are
assigned to int or passed to ctype functions, explicitly cast them
to unsigned char.
For OpenBSD's clang, -Wpointer-sign has been disabled by default,
but when the parse.y code was built elsewhere, the compiler would
complain.
With help from millert@
ok benno@ deraadt@
|
|
chroot (and privdrop) in the child procs at this point are all set and done so
pledge("inet id") promises are not required anymore.
analysis and OK @kn
|
|
priv_constraint_child() which is called before we reach pledge(2), therefore we
don't need to unveil(2) that file nor having pledge("rpath") since it was
only required to read that same file.
OK kn@
|
|
As per the manual and lib/libtls/tls.c revision 1.79 from 2018
"Automatically handle library initialisation for libtls." initialisation
is handled automatically by other tls_*(3) functions.
Remove the tls_init() call to not give the impression of it being needed.
Feedback tb
OK Tests mestre
|
|
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.
Work done and verified by Ashton Fagg <ashton@fagg.id.au>
ok deraadt@ semarie@ claudio@
|
|
"shift" consistently. Merge the two offset loops in client_update()
into one. Use a simple assignment for the best value instead of
memcpy(). Use the same mechanism to loop over the offset array
everywhere to avoid an invalid best value.
tested by weerd@; OK claudio@
|
|
returned by adjtime(2) from the kernel. T1 is local time when the
NTP packet is sent and T4 when the response is received. If between
these events a NTP reply from another server is received, it may
change the kernel offset with adjtime(2). Then the calculation of
the client offset was done with different bases, the result was
wrong and the system time started moving around.
So instead of correcting T1 and T4 individually at different events,
correct their sum once.
Error handling was missing if there is no timestamp in the response.
As this should not happen in our kernel, fatal() is appropriate.
tested by weerd@; OK claudio@
|
|
incoming icmp) do not register them as replies. Also, fix a bug
introduced in the previous commit: first recompute scale, then
recompute interval, so that when the offset increases and thus the
scale is lowered both the poll interval and the check interval use
the same scale.
First issue spotted by naddy@ second one by and ok semarie@
|
|
go into unsynced mode. The existing code to check if we're unsynced
is only done on receiving an ntp packet which does not happen if
there are connectivity issues. Prodded by naddy@ ok @florian
|
|
Move log level to debug for that case and while there correct the
string, we're reading, not writing.
|
|
configuration file.", but occasionally something else fit better; at the
same time, try to make the format for FILES more consistent;
original diff from clematis
|
|
definition; from Michael Forney
|
|
does not work. Make that more clear in the log and ntpdctl -s status.
report by and ok benno@
|
|
similar to what deraadt@ recently did in other manual pages.
|
|
manual pages that document the corresponding configuration files;
OK jmc@, and general direction discussed with many
|
|
the ntp timestamp wrapping in 2036.
|
|
for these. ok deraadt@
|
|
more clearly
ok ingo schwarze
|
|
any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
|
|
server is wired up such that non MITM attacks are possible, and NTP
packets can be trusted. Therefore constraint validity is not required,
and during boot ntpd can spin-up correct time faster.
with otto, ok jmc schwarze
|
|
used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@
|
|
more similar
ok jmc schwarze
|
|
- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painful on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having the
machine taken over by ntpd.
|
|
ok deraadt@
|
|
are relative to monotime; so they shift when time is being adjusted.
2) Fix a race between SIGCHLD delivery and reading the result imsg.
3) Some cleanup: use a number to distinguish pools internally
|
|
ok deraadt@
|
|
and net config can change as well. So if a peer does not respond,
throw it out of the pool if it's a pool member and re-resolve to
find a replacement. Hold on to good peers so we end up with a good
set of peers. ok benno@
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
the log destination changes. ok claudio@ benno@
|
|
an (auto) settime or give up. 15s timeout is still in effect. ok florian@
|
|
engine does not know if we're in startup mode, so use a small interval
the first few times there.
|
|
ok benno@
|
|
(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@
|
|
an absolute value and fix poll loop to first generate messages and
then compute poll flags the write cases. This makes the timeout
workaround for constraints unneeded. ok reyk@ tb@
|