
Introduce a "trusted" modifier, for peers that should be on a local net

used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@
OPENBSD_6_7
otto 4 years ago
parent
commit
21c48e24ae
5 changed files with 28 additions and 13 deletions
  1. +6
    -6
      src/usr.sbin/ntpd/client.c
  2. +3
    -2
      src/usr.sbin/ntpd/ntp.c
  3. +3
    -2
      src/usr.sbin/ntpd/ntpd.c
  4. +3
    -1
      src/usr.sbin/ntpd/ntpd.h
  5. +13
    -2
      src/usr.sbin/ntpd/parse.y

+ 6
- 6
src/usr.sbin/ntpd/client.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: client.c,v 1.111 2019/11/10 16:56:30 deraadt Exp $ */
/* $OpenBSD: client.c,v 1.112 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -30,7 +30,7 @@
int client_update(struct ntp_peer *);
int auto_cmp(const void *, const void *);
void handle_auto(double);
void handle_auto(u_int8_t, double);
void set_deadline(struct ntp_peer *, time_t);
void
@ -233,7 +233,7 @@ auto_cmp(const void *a, const void *b)
}
void
handle_auto(double offset)
handle_auto(uint8_t trusted, double offset)
{
static int count;
static double v[AUTO_REPLIES];
@ -242,7 +242,7 @@ handle_auto(double offset)
* It happens the (constraint) resolves initially fail, don't give up
* but see if we get validated replies later.
*/
if (conf->constraint_median == 0)
if (!trusted && conf->constraint_median == 0)
return;
if (offset < AUTO_THRESHOLD) {
@ -386,7 +386,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic)
}
/* Detect liars */
if (conf->constraint_median != 0 &&
if (!p->trusted && conf->constraint_median != 0 &&
(constraint_check(T2) != 0 || constraint_check(T3) != 0)) {
log_info("reply from %s: constraint check failed",
log_sockaddr((struct sockaddr *)&p->addr->ss));
@ -464,7 +464,7 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime, u_int8_t automatic)
client_update(p);
if (settime) {
if (automatic)
handle_auto(p->reply[p->shift].offset);
handle_auto(p->trusted, p->reply[p->shift].offset);
else
priv_settime(p->reply[p->shift].offset, "");
}
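Review bot: The prototype and the definition of handle_auto spell the new parameter's type differently: the declaration near the top of the file reads `void handle_auto(u_int8_t, double);` while the definition reads `handle_auto(uint8_t trusted, double offset)`. Both resolve to the same 8-bit type here, so it compiles, but the rest of the file (client_dispatch's settime and automatic parameters, the struct ntp_peer fields) uses u_int8_t and the definition should follow suit. Separately, the "Detect liars" check now skips constraint validation entirely for a trusted peer; that is the purpose of the change but is not visible from the one-line condition, so a comment above it such as `/* peers marked "trusted" in the config are exempt from constraint checks */` would save the next reader a trip to the commit log. handle_auto and client_dispatch both continue outside their hunks.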


+ 3
- 2
src/usr.sbin/ntpd/ntp.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntp.c,v 1.160 2019/11/10 07:32:58 otto Exp $ */
/* $OpenBSD: ntp.c,v 1.161 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -246,7 +246,8 @@ ntp_main(struct ntpd_conf *nconf, struct passwd *pw, int argc, char **argv)
idx_peers = i;
sent_cnt = trial_cnt = 0;
TAILQ_FOREACH(p, &conf->ntp_peers, entry) {
if (constraint_cnt && conf->constraint_median == 0)
if (!p->trusted && constraint_cnt &&
conf->constraint_median == 0)
continue;
if (p->next > 0 && p->next <= getmonotime()) {
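Review bot: The widened condition lets a trusted peer be polled while constraints are configured but none has validated yet, which is a deliberate exemption that the bare expression does not explain; a comment above it, `/* trusted peers are queried even before any constraint has validated */`, would document the intent where it is enforced. The enclosing loop in ntp_main starts and ends outside the hunk.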


+ 3
- 2
src/usr.sbin/ntpd/ntpd.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.c,v 1.125 2019/11/10 07:32:58 otto Exp $ */
/* $OpenBSD: ntpd.c,v 1.126 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -114,7 +114,8 @@ auto_preconditions(const struct ntpd_conf *cnf)
if (sysctl(mib, 2, &securelevel, &sz, NULL, 0) == -1)
err(1, "sysctl");
constraints = !TAILQ_EMPTY(&cnf->constraints);
return !cnf->settime && constraints && securelevel == 0;
return !cnf->settime && (constraints || cnf->trusted_peers) &&
securelevel == 0;
}
#define POLL_MAX 8
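Review bot: auto_preconditions now answers yes when no constraint is configured but at least one server carries the trusted option, so this return expression is the place where a trusted peer is treated as a substitute for constraints, and the function name gives no hint of that; a comment such as `/* a trusted peer may stand in for constraints when those cannot be used */` above the return would make it explicit. The !cnf->settime and securelevel == 0 requirements are unchanged and still gate the result, which is the right ordering. auto_preconditions starts outside the hunk.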


+ 3
- 1
src/usr.sbin/ntpd/ntpd.h View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.h,v 1.146 2019/07/16 14:15:40 otto Exp $ */
/* $OpenBSD: ntpd.h,v 1.147 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -171,6 +171,7 @@ struct ntp_peer {
u_int8_t shift;
u_int8_t trustlevel;
u_int8_t weight;
u_int8_t trusted;
int lasterror;
int senderrors;
};
@ -240,6 +241,7 @@ struct ntpd_conf {
u_int8_t automatic;
u_int8_t noaction;
u_int8_t filters;
u_int8_t trusted_peers;
time_t constraint_last;
time_t constraint_median;
u_int constraint_errors;
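Review bot: The two new fields carry no comment, and `trusted` sits next to the pre-existing `trustlevel`, which reads similarly but is a separate field with its own meaning; a trailing comment on each would keep them apart: `u_int8_t trusted; /* "trusted" in config: exempt from constraint checks */` in struct ntp_peer and `u_int8_t trusted_peers; /* set once any peer is configured trusted */` in struct ntpd_conf. Both structs extend outside the hunks.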


+ 13
- 2
src/usr.sbin/ntpd/parse.y View File

@ -1,4 +1,4 @@
/* $OpenBSD: parse.y,v 1.74 2019/11/06 13:35:25 otto Exp $ */
/* $OpenBSD: parse.y,v 1.75 2019/11/10 19:24:47 otto Exp $ */
/*
* Copyright (c) 2002, 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -67,6 +67,7 @@ struct opts {
int correction;
int stratum;
int rtable;
int trusted;
char *refstr;
} opts;
void opts_default(void);
@ -83,7 +84,7 @@ typedef struct {
%}
%token LISTEN ON CONSTRAINT CONSTRAINTS FROM QUERY
%token LISTEN ON CONSTRAINT CONSTRAINTS FROM QUERY TRUSTED
%token SERVER SERVERS SENSOR CORRECTION RTABLE REFID STRATUM WEIGHT
%token ERROR
%token <v.string> STRING
@ -97,6 +98,7 @@ typedef struct {
%type <v.opts> refid
%type <v.opts> stratum
%type <v.opts> weight
%type <v.opts> trusted
%%
grammar : /* empty */
@ -180,6 +182,7 @@ main : LISTEN ON address listen_opts {
p = new_peer();
p->weight = $3.weight;
p->trusted = $3.trusted;
p->query_addr4 = query_addr4;
p->query_addr6 = query_addr6;
p->addr = h;
@ -219,6 +222,7 @@ main : LISTEN ON address listen_opts {
}
p->weight = $3.weight;
p->trusted = $3.trusted;
p->query_addr4 = query_addr4;
p->query_addr6 = query_addr6;
p->addr_head.a = p->addr;
@ -409,6 +413,7 @@ server_opts_l : server_opts_l server_opt
| server_opt
;
server_opt : weight
| trusted
;
sensor_opts : { opts_default(); }
@ -474,6 +479,11 @@ rtable : RTABLE NUMBER {
}
;
trusted : TRUSTED {
opts.trusted = 1;
conf->trusted_peers = 1;
}
%%
void
@ -529,6 +539,7 @@ lookup(char *s)
{ "server", SERVER},
{ "servers", SERVERS},
{ "stratum", STRATUM},
{ "trusted", TRUSTED},
{ "weight", WEIGHT}
};
const struct keywords *p;
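Review bot: `opts.trusted` is set to 1 by the new `trusted` rule, but no hunk shows opts_default() being updated to clear it; if opts_default() resets the whole struct (for example with a memset of `opts`) this is already covered, but if it assigns fields individually the flag would carry over from one `server ... trusted` line to every following server line, silently widening the set of peers exempt from constraint checks. Please confirm opts_default() clears it and add `opts.trusted = 0;` there otherwise. The rule also sets `conf->trusted_peers = 1` as a side effect of parsing a per-peer option, which is fine but would read better with a comment such as `/* remember globally that at least one trusted peer exists; used by auto_preconditions() */`. opts_default()'s body is outside the hunks.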

