are relative to monotime; so they shift when time is being adjusted.
2) Fix a race between SIGCHLD delivery and reading the result imsg.
3) Some cleanup: use a number to distinguish pools internally
(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@
If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time. Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@
harm if not deleted after the daemon is shut down and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
removing its second parameter and the enum() that provided the
values for said parameter.
The function was only called with the second parameter set to one
value (BM_NONBLOCKING) from the enum(). So just do the right thing.
Similar to changes made in smtpd.
While here remove the pointless third parameter from the fcntl(F_GETFL)
call.
No functional change.
ok guenther@ bcook@ deraadt@
process management of the constraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly. Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.
Reported & tested by bcook@
Ok bcook@
non-sensical. The dns lookups happened in the process routing table
(usually '0'), which is very likely to have different results from the
other routing domains. If you do depend on having this behaviour,
you'll need to use pf to cross the rtable boundary.
"listen on * rtable X" is still supported.
Users of "server * rtable X" will need to switch to launching ntpd with
"route -T X exec /usr/sbin/ntpd"
OK deraadt@
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".
OK beck@ deraadt@
henning@ 9 years ago because of an issue with the /dev/hotplug device
- it does not support multiple readers opening it. Nobody ever cared
enough to fix it so it is time to send the dead code to the Attic.
OK henning@ (feeling sad about it), mpi@ and others
addresses and try one after another until the connection succeeded -
based on the existing mechanism of "server". "constraint" previously
only tried to connect to the first returned address, aborted and
skipped the constraint on failure. In contrast to "constraints"
(plural), it still only connects to one address at a time and not to
all of them at once.
Pointed out by rpe@
OK rpe@ deraadt@
time from HTTPS servers, by parsing the Date: header, and use the
median constraint time as a boundary to verify NTP responses. This
adds some level of authentication and protection against MITM attacks
while preserving the accuracy of the NTP protocol; without relying on
authentication options for NTP that are basically unavailable at
present. This is an initial implementation and the semantics will be
improved once it is in the tree.
Discussed with deraadt@ and henning@
OK henning@
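The constraint check described in the log entry above, as an added illustration that is not ntpd's own code: parse the Date: header from several HTTPS replies, take the median, and accept only NTP replies that fall within a margin of it. The sample headers are constructed, and the margin value is an assumption, not the daemon's actual setting.

```python
from email.utils import parsedate_to_datetime
from statistics import median

# Constructed Date: headers from five hypothetical HTTPS constraint servers.
# One of them (11:30:00) is deliberately far off to show that the median
# ignores a single bad or hostile constraint.
SAMPLE_DATE_HEADERS = [
    "Date: Tue, 21 Jan 2020 10:00:02 GMT",
    "Date: Tue, 21 Jan 2020 10:00:00 GMT",
    "Date: Tue, 21 Jan 2020 09:59:58 GMT",
    "Date: Tue, 21 Jan 2020 11:30:00 GMT",
    "Date: Tue, 21 Jan 2020 10:00:01 GMT",
]

# Assumed tolerance in seconds around the median constraint time; the real
# daemon's margin is not stated in the log entry above.
CONSTRAINT_MARGIN = 15 * 60


def parse_date_header(line):
    """Return the UNIX time encoded in one HTTP 'Date:' header line."""
    name, _, value = line.partition(":")
    if name.strip().lower() != "date":
        raise ValueError("not a Date header: %r" % line)
    # HTTP dates are RFC 1123 with a GMT zone; this yields an aware datetime.
    return parsedate_to_datetime(value.strip()).timestamp()


def median_constraint(headers):
    """Median of the constraint times, robust against a minority of outliers."""
    return median(parse_date_header(h) for h in headers)


def ntp_reply_acceptable(reply_time, constraint, margin=CONSTRAINT_MARGIN):
    """True if an NTP reply's transmit time lies within the constraint bound."""
    return abs(reply_time - constraint) <= margin


if __name__ == "__main__":
    c = median_constraint(SAMPLE_DATE_HEADERS)
    print("median constraint:", c)
    print("reply 60s off accepted:", ntp_reply_acceptable(c + 60, c))
    print("reply 1h off accepted:", ntp_reply_acceptable(c + 3600, c))
```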
- Nothing seems to free the result of host_dns(), so add host_dns_free() and
call after each query.
- If imsg_add() fails, it frees buf. Avoid subsequently dereferencing the
freed buf in imsg_close().
ok millert@ deraadt@
This basically adds the "rtable %d" keyword to "listen on", "server",
"servers" keywords, to specify which routing table to use.
OK henning@ claudio@ sthen@
manpage reviewed by jmc@
corrections more often. Due to physical effects, crystal oscillators aren't
really stable beyond 1000s or so - at least not the kind found in PCs.
ok henning
offset. This avoids future frequency adjustments based on measurements of a
clock that was being adjusted. End result: more stable clock and better
frequency convergence.
Also, fix a mis-ordered structure member while I'm here.
ok henning
the first query we will never do the settime because
SENSOR_QUERY_INTERVAL (30s) is greater than SETTIME_TIMEOUT (15s). So
during the settime period only, be more aggressive and use
SETTIME_TIMEOUT/3 for the query interval.
ok henning@