Browse Source

Introduce a "trusted" modifier, for peers that should be on a local net

used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@
OPENBSD_6_7
otto 5 years ago
parent
commit
21c48e24ae
5 changed files with 28 additions and 13 deletions
  1. +6
    -6
      src/usr.sbin/ntpd/client.c
  2. +3
    -2
      src/usr.sbin/ntpd/ntp.c
  3. +3
    -2
      src/usr.sbin/ntpd/ntpd.c
  4. +3
    -1
      src/usr.sbin/ntpd/ntpd.h
  5. +13
    -2
      src/usr.sbin/ntpd/parse.y

+ 6
- 6
src/usr.sbin/ntpd/client.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: client.c,v 1.111 2019/11/10 16:56:30 deraadt Exp $ */
/* $OpenBSD: client.c,v 1.112 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -30,7 +30,7 @@
int client_update(struct ntp_peer *);
int auto_cmp(const void *, const void *);
void handle_auto(double);
void handle_auto(u_int8_t, double);
void set_deadline(struct ntp_peer *, time_t);
void
@ -233,7 +233,7 @@ auto_cmp(const void *a, const void *b)
}
void
handle_auto(double offset)
handle_auto(uint8_t trusted, double offset)
{
static int count;
static double v[AUTO_REPLIES];
@ -242,7 +242,7 @@ handle_auto(double offset)
* It happens the (constraint) resolves initially fail, don't give up
* but see if we get validated replies later.
*/
if (conf->constraint_median == 0)
if (!trusted && conf->constraint_median == 0)
return;
if (offset < AUTO_THRESHOLD) {
@ -386,7 +386,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic)
}
/* Detect liars */
if (conf->constraint_median != 0 &&
if (!p->trusted && conf->constraint_median != 0 &&
(constraint_check(T2) != 0 || constraint_check(T3) != 0)) {
log_info("reply from %s: constraint check failed",
log_sockaddr((struct sockaddr *)&p->addr->ss));
@ -464,7 +464,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic)
client_update(p);
if (settime) {
if (automatic)
handle_auto(p->reply[p->shift].offset);
handle_auto(p->trusted, p->reply[p->shift].offset);
else
priv_settime(p->reply[p->shift].offset, "");
}


+ 3
- 2
src/usr.sbin/ntpd/ntp.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntp.c,v 1.160 2019/11/10 07:32:58 otto Exp $ */
/* $OpenBSD: ntp.c,v 1.161 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -246,7 +246,8 @@ ntp_main(struct ntpd_conf *nconf, struct passwd *pw, int argc, char **argv)
idx_peers = i;
sent_cnt = trial_cnt = 0;
TAILQ_FOREACH(p, &conf->ntp_peers, entry) {
if (constraint_cnt && conf->constraint_median == 0)
if (!p->trusted && constraint_cnt &&
conf->constraint_median == 0)
continue;
if (p->next > 0 && p->next <= getmonotime()) {


+ 3
- 2
src/usr.sbin/ntpd/ntpd.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.c,v 1.125 2019/11/10 07:32:58 otto Exp $ */
/* $OpenBSD: ntpd.c,v 1.126 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -114,7 +114,8 @@ auto_preconditions(const struct ntpd_conf *cnf)
if (sysctl(mib, 2, &securelevel, &sz, NULL, 0) == -1)
err(1, "sysctl");
constraints = !TAILQ_EMPTY(&cnf->constraints);
return !cnf->settime && constraints && securelevel == 0;
return !cnf->settime && (constraints || cnf->trusted_peers) &&
securelevel == 0;
}
#define POLL_MAX 8


+ 3
- 1
src/usr.sbin/ntpd/ntpd.h View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.h,v 1.146 2019/07/16 14:15:40 otto Exp $ */
/* $OpenBSD: ntpd.h,v 1.147 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -171,6 +171,7 @@ struct ntp_peer {
u_int8_t shift;
u_int8_t trustlevel;
u_int8_t weight;
u_int8_t trusted;
int lasterror;
int senderrors;
};
@ -240,6 +241,7 @@ struct ntpd_conf {
u_int8_t automatic;
u_int8_t noaction;
u_int8_t filters;
u_int8_t trusted_peers;
time_t constraint_last;
time_t constraint_median;
u_int constraint_errors;


+ 13
- 2
src/usr.sbin/ntpd/parse.y View File

@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.74 2019/11/06 13:35:25 otto Exp $ */
/* $OpenBSD: parse.y,v 1.75 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -67,6 +67,7 @@ struct opts {
int correction;
int stratum;
int rtable;
int trusted;
char *refstr;
} opts;
void opts_default(void);
@ -83,7 +84,7 @@ typedef struct {
%}
%token LISTEN ON CONSTRAINT CONSTRAINTS FROM QUERY
%token LISTEN ON CONSTRAINT CONSTRAINTS FROM QUERY TRUSTED
%token SERVER SERVERS SENSOR CORRECTION RTABLE REFID STRATUM WEIGHT
%token ERROR
%token <v.string> STRING
@ -97,6 +98,7 @@ typedef struct {
%type <v.opts> refid
%type <v.opts> stratum
%type <v.opts> weight
%type <v.opts> trusted
%%
grammar : /* empty */
@ -180,6 +182,7 @@ main : LISTEN ON address listen_opts {
p = new_peer();
p->weight = $3.weight;
p->trusted = $3.trusted;
p->query_addr4 = query_addr4;
p->query_addr6 = query_addr6;
p->addr = h;
@ -219,6 +222,7 @@ main : LISTEN ON address listen_opts {
}
p->weight = $3.weight;
p->trusted = $3.trusted;
p->query_addr4 = query_addr4;
p->query_addr6 = query_addr6;
p->addr_head.a = p->addr;
@ -409,6 +413,7 @@ server_opts_l : server_opts_l server_opt
| server_opt
;
server_opt : weight
| trusted
;
sensor_opts : { opts_default(); }
@ -474,6 +479,11 @@ rtable : RTABLE NUMBER {
}
;
trusted : TRUSTED {
opts.trusted = 1;
conf->trusted_peers = 1;
}
%%
void
@ -529,6 +539,7 @@ lookup(char *s)
{ "server", SERVER},
{ "servers", SERVERS},
{ "stratum", STRATUM},
{ "trusted", TRUSTED},
{ "weight", WEIGHT}
};
const struct keywords *p;


Loading…
Cancel
Save