| Commit message | Author | Age | Files | Lines |
does not work. Make that more clear in the log and ntpdctl -s status.
report by and ok benno@

are relative to monotime; so they shift when time is being adjusted.
2) Fix a race between SIGCHLD delivery and reading the result imsg.
3) Some cleanup: use a number to distinguish pools internally

value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.

engine does not know if we're in startup mode, so use a small interval
the first few times there.

(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@

an absolute value and fix poll loop to first generate messages and
then compute poll flags the write cases. This makes the timeout
workaround for constraints unneeded. ok reyk@ tb@

If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time. Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@

Actually specify whether the certificate is not yet valid or has expired,
and log the actual time values to hopefully save some head scratching.
ok deraadt@ tb@

Spotted by tb@
ok deraadt@ tb@

Given that we're getting a constraint so that we can validate time, if our
own time is out we can fail the automatic validity checking since it is
based on the wallclock. Instead, disable the automatic validity checking
and perform manual checks based on the time reported from the server via
the HTTP header.
Discussed at length with and ok deraadt@

anything larger than an int. ok jca@ rsadowski@

bonus: this exposed a few missing const qualifiers.

ok beck@ bluhm@ tb@

We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@

using the heap.
ok bcook@

to send message to the child process. Do like we learned in httpd(8).
ok deraadt@

this should fix the problem with random ntpd(8) deaths.
ok deraadt@

with this change we get the pledge() ability back to the parent process.
some tweaks from and ok reyk@

obvious why it is implemented this way. The whole idea of constraints
is to isolate them as much as possible, in a semi-paranoid way.
OK rzalamena@

changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.
Discussed with beck@

became more visible recently because a log_debug was changed to
log_warnx. Change it back for now.
ok jsing

ensure that we load the CA certificates and use tls_connect_servername()
so that we can verify the server we are connecting to (even though we've
already resolved the hostname). Also add additional warnings for TLS
connect and TLS write failures so that we know what is happening and why.
Lack of server name verification also reported by Luis M. Merino
<luismiguelmerino at gmail dot com> - thanks!
ok deraadt@ reyk@

ok deraadt@ reyk@

no other timezone than the fixed string "GMT". Avoid using strptime %Z,
which is nonstandard and can give surprising results on other operating
systems. ok deraadt@ giovanni@ bcook@

process management of the constraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly. Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.
Reported & tested by bcook@
Ok bcook@

OK bcook@ jung@

used by the constraint processes setup later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert

strndup().
ok millert@

This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@

"stdio inet". It took weeks to get to this point...

jointly with jsing@

ok jsing@

From Michael McConville

input doug@; OK beck@

patch from Mikolaj Kucharski
ok deraadt@

if this happens, we want to tear down all of ntpd, so that people will
report it, any such bug can be found, and fixed.
ok bcook

handler. It is run in a chroot, so tzset() wouldn't even succeed to
open the zone file. Found with tame.
OK deraadt@

of being wrong, not the NTP responses, reset it and query it from all
the constraint servers all over again. This turned out to be a bit
aggressive because it could get triggered with just a few bad NTP
peers in a larger pool. To avoid constant reconnections, scale the
error margin with the number of resolved NTP peers using peer_cnt * 4.
This way a single or a few outliers in an NTP pool cannot trigger
reconnecting to the constraint servers immediately. More NTP peers,
less reason to mistrust the constraint.
Found by dtucker@
OK deraadt@

addresses and try one after another until the connection succeeded -
based on the existing mechanism of "server". "constraint" previously
only tried to connect to the first returned address, aborted and
skipped the constraint on failure. In difference to "constraints"
(plural), it still only connects to one address at a time and not to
all of them at once.
Pointed out by rpe@
OK rpe@ deraadt@

ok deraadt@

tls_config_insecure_noverifyname(), so that it is more accurate and keeps
in line with the distinction between DNS hostname and server name.
Requested by tedu@ during s2k15.

allows to get constraint addresses even if network/DNS is not
available at startup (or system boot).
thumbs up & OK henning@

OK deraadt@

no need to request it ever again. The only exception is the
escalation of failed constraint checks that might lead into
re-requesting the constraint time from all servers. Adjust the states
accordingly.
OK henning@