| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
|
|
|
|
for these. ok deraadt@
|
|
more clearly
ok ingo schwarze
|
|
any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
|
|
server is wired up such that non MITM attacks are possible, and NTP
packets can be trusted. Therefore constraint validity is not required,
and during boot ntpd can spin-up correct time faster.
with otto, ok jmc schwarze
|
|
used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@
|
|
more similar
ok jmc schwarze
|
|
|
|
- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painfull on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having to
machine taken over by ntpd.
|
|
ok deraadt@
|
|
are relative to monotime; so they shift when time is being adjusted.
2) Fix a race between SIGCHLD delivery and reading the result imsg.
3) Some cleanup: use a number to distinguish pools internally
|
|
ok deraadt@
|
|
|
|
and net config can change as well. So if a peer does not respond,
throw it out of the pool if it's a pool member and re-resolve to
find a replacement. Hold on to good peers so we end up with a good
set of peers. ok benno@
|
|
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
the log destination changes. ok claudio@ benno@
|
|
|
|
|
|
an (auto) settime or give up. 15s timeout is still in effect. ok florian@
|
|
engine does not know if we're in startup mode, so use a small interval
the first few times there.
|
|
ok benno@
|
|
(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@
|
|
an absolute value and fix poll loop to first generate messages and
then compute poll flags the write cases. This makes the timeout
workaround for constraints unneeded. ok reyk@ tb@
|
|
with once the clock is synced. ok deraadt@ florian@
|
|
If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time. Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@
|
|
larger types really is a range reduction...
Almost any cast to (unsigned) is a bug.
ok millert tb benno
|
|
Actually specify whether the certificate is not yet valid or has expired,
and log the actual time values to hopefully save some head scratching.
ok deraadt@ tb@
|
|
Spotted by tb@
ok deraadt@ tb@
|
|
Given that we're getting a constraint so that we can validate time, if our
own time is out we can fail the automatic validity checking since it is
based on the wallclock. Instead, disable the automatic validity checking
and perform manual checks based on the time reported from the server via
the HTTP header.
Discussed at length with and ok deraadt@
|
|
anything larger than an int. ok jca@ rsadowski@
|
|
This brings over the logic from bgpd & ospfd.
Input & OK deraadt
|
|
|
|
bonus: this exposed a few missing const qualifiers.
|
|
ok beck@ bluhm@ tb@
|
|
We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@
|
|
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
|
|
Merge host_v{4,6}() into much simpler host_ip() using just getaddrinfo().
host_dns() uses the same procedure.
OK naddy
|
|
job at startup. After much anguish I accept dlg's solution of chdir
for the problem ("starting ntpd on a filesystem I want to unmount"),
but we cannot change the main-process daemon() call. Why? Because
the ntpd privsep design predates more modern designs where the config
file is parsed once, and configuration marshalled to the fork+exec
children. Instead each ntpd process re-parses the config, and if
we chdir before fork+exec startup, it will move the basedir causing
-f "relativepath" to fail.
discussed with florian
|
|
constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.
|
|
harm if not deleted after the daemon is shutdown and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@
|
|
currently doesn't call the function control_cleanup to do so. The solution is
to simply call that function just before the program quits.
"sure" henning@
|
|
as unsynced. reported by naddy, also seen by me (I noticed because
monitoring-plugins check_ntp complained). ok claudio henning
|
|
sensors, mark us unsynced again. ok reyk krw, pt out / discussion / help naddy
|
|
calloc or strdup), we just need to log that we ran out of memory in a
particular function.
Recommended by florian@ and deraadt@
ok benno@ henning@ tb@
|
|
running out of memory.
Next step, be correct *and* consistent.
ok dennis@ tb@ benno@ schwarze@
|
|
the text about enabling it;
ok deraadt
|
