Age | Commit message | Author |
|
input doug@; OK beck@
|
|
patch from Mikolaj Kucharski
ok deraadt@
|
|
ok deraadt@ phessler@ claudio@
|
|
ok phessler@ deraadt@
|
|
if this happens, we want to tear down all of ntpd, so that people will
report it, any such bug can be found, and fixed.
ok bcook
|
|
ok bcook
|
|
handler. It is run in a chroot, so tzset() wouldn't even succeed to
open the zone file. Found with tame.
OK deraadt@
|
|
henning@ 9 years ago because of an issue with the /dev/hotplug device
- it does not support multiple readers opening it. Nobody ever cared
enough to fix it so it is time to send the dead code to the Attic.
OK henning@ (feeling sad about it), mpi@ and others
|
|
instead of calling the SIOCGIFRDOMAIN ioctl for every single address.
OK deraadt@
|
|
of being wrong, not the NTP responses, reset it and query it from all
the constraint servers all over again. This turned out to be a bit
aggressive because it could get triggered with just a few bad NTP
peers in a larger pool. To avoid constant reconnections, scale the
error margin with the number of resolved NTP peers using peer_cnt * 4.
This way a single or a few outliers in a NTP pool cannot trigger
reconnecting to the constraint servers immediately. More NTP peers,
less reason to mistrust the constraint.
Found by dtucker@
OK deraadt@
|
|
ok henning@, reyk@
|
|
addresses and try one after another until the connection succeeded -
based on the existing mechanism of "server". "constraint" previously
only tried to connect to the first returned address, aborted and
skipped the constraint on failure. In difference to "constraints"
(plural), it still only connects to one address at a time and not to
all of them at once.
Pointed out by rpe@
OK rpe@ deraadt@
|
|
Original fix from Romuald Delavergne. ok henning@
|
|
ignore it directly. no functional change. Rafael Neves rafaelneves at gmail
|
|
ok deraadt@
|
|
while here i've reformatted the page to stop kidding that -s is 4 options;
original issue kind of spotted by adam thompson, though note i am not fixing the
issue he complained about (i'll address that mail in a minute);
|
|
ok reyk@
|
|
tls_config_insecure_noverifyname(), so that it is more accurate and keeps
in line with the distinction between DNS hostname and server name.
Requested by tedu@ during s2k15.
|
|
that order, tls, crypto, ssl.
|
|
ok reyk
|
|
Reported by Stefan Wollny.
|
|
Fixes segfault on configuration load time, as reported by Donovan Watteau.
|
|
allows to get constraint addresses even if network/DNS is not
available at startup (or system boot).
thumbs up & OK henning@
|
|
ntp_dns some years ago).
OK henning@
|
|
OK deraadt@
|
|
no need to request it ever again. The only exception is the
escalation of failed constraint checks that might lead into
re-requesting the constraint time from all servers. Adjust the states
accordingly.
OK henning@
|
|
OK henning@ deraadt@
|
|
the functionality.
Requested by henning@
OK beck@ deraadt@
|
|
time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses. This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present. This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@
|
|
ok phessler@ deraadt@
|
|
ok deraadt@
|
|
OK henning@
|
|
If the network is unreachable when ntpd starts and host_dns fails, be sure
that we still close the HOST_DNS imsg.
Thanks to Paul de Weerd <weerd at weirdnet dot nl> for reporting this.
ok beck@
|
|
This simplifies things and makes action = -1 no longer a dead store.
Also, spell FALLTHROUGH consistently.
reported by fritjof@alokat.org
|
|
reported by Jonas 'Sortie' Termansen
|
|
daemon.
Old drift files will be interpreted as a minuscule adjustment and
ntpd will proceed to rediscover the drift, like starting from zero
on a newly installed machine.
ok deraadt@
|
|
from Paul B. Henson, ok phessler@
|
|
- Nothing seems to free the result of host_dns(), so add host_dns_free() and
call after each query.
- If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the
freed buf in imsg_close().
ok millert@ deraadt@
|
|
ok tedu@ deraadt@
|
|
generations don't try to change any of the values and break the code.
ok deraadt
|
|
unbreak config file address parsing
|
|
Match what parse.y expects it to return.
ok millert@
|
|
Match what parse.y expects it to return.
ok millert@
|
|
peanuts -- but all work has to start somewhere.
|