any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto
server is wired up such that non MITM attacks are possible, and NTP
packets can be trusted. Therefore constraint validity is not required,
and during boot ntpd can spin-up correct time faster.
with otto, ok jmc schwarze
- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painfull on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having to
machine taken over by ntpd.
are relative to monotime; so they shift when time is being adjusted.
2) Fix a race between SIGCHLD delivery and reading the result imsg.
3) Some cleanup: use a number to distinguish pools internally
and net config can change as well. So if a peer does not respond,
throw it out of the pool if it's a pool member and re-resolve to
find a replacement. Hold on to good peers so we end up with a good
set of peers. ok benno@
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@
an absolute value and fix poll loop to first generate messages and
then compute poll flags the write cases. This makes the timeout
workaround for constraints unneeded. ok reyk@ tb@
If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time. Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@
Actually specify whether the certificate is not yet valid or has expired,
and log the actual time values to hopefully save some head scratching.
ok deraadt@ tb@
Given that we're getting a constraint so that we can validate time, if our
own time is out we can fail the automatic validity checking since it is
based on the wallclock. Instead, disable the automatic validity checking
and perform manual checks based on the time reported from the server via
the HTTP header.
Discussed at length with and ok deraadt@
We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
job at startup. After much anguish I accept dlg's solution of chdir
for the problem ("starting ntpd on a filesystem I want to unmount"),
but we cannot change the main-process daemon() call. Why? Because
the ntpd privsep design predates more modern designs where the config
file is parsed once, and configuration marshalled to the fork+exec
children. Instead each ntpd process re-parses the config, and if
we chdir before fork+exec startup, it will move the basedir causing
-f "relativepath" to fail.
discussed with florian