(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@
an absolute value and fix poll loop to first generate messages and
then compute poll flags the write cases. This makes the timeout
workaround for constraints unneeded. ok reyk@ tb@
If the time is wrong, we cannot validate dnssec, leading to failed
DNS lookups, so we cannot adjust or set the time. Work around this
by repeating a failed DNS lookup with a lookup with the DC (check
disabled) bit set. ok florian@
Actually specify whether the certificate is not yet valid or has expired,
and log the actual time values to hopefully save some head scratching.
ok deraadt@ tb@
Given that we're getting a constraint so that we can validate time, if our
own time is out we can fail the automatic validity checking since it is
based on the wallclock. Instead, disable the automatic validity checking
and perform manual checks based on the time reported from the server via
the HTTP header.
Discussed at length with and ok deraadt@
We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@
(and other lexers too)
This commit rectifies earlier change:
in the lex... even inside quotes, a \ followed by space or tab should
expand to space or tab, and a \ followed by newline should be ignored
(as a line continuation). compatible with the needs of hoststated
(which has the most strict quoted string requirements), and ifstated
(where one commonly does line continuations in strings).
OK deraadt@, OK millert@
job at startup. After much anguish I accept dlg's solution of chdir
for the problem ("starting ntpd on a filesystem I want to unmount"),
but we cannot change the main-process daemon() call. Why? Because
the ntpd privsep design predates more modern designs where the config
file is parsed once, and configuration marshalled to the fork+exec
children. Instead each ntpd process re-parses the config, and if
we chdir before fork+exec startup, it will move the basedir causing
-f "relativepath" to fail.
discussed with florian
harm if not deleted after the daemon is shutdown and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).
Discussion initiated by a question from deraadt@ OK florian@
currently doesn't call the function control_cleanup to do so. The solution is
to simply call that function just before the program quits.
"sure" henning@
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
case the dup2() would fail silently and the descriptor would remain with
the CLOEXEC flag causing the exec*()d child process to have unexpected
behavior.
ok guenther@
otto