OpenNTPD daemon with OpenSSL implementation & flexible configurability


  1. From: Pekka Helenius <fincer89@hotmail.com>
  2. Date: Thu, 13 Aug 2020 18:29:24 +0300
  3. Subject: Improve constraint & NTP peer log entries; update conf & man
  4. --- a/src/client.c 2020-08-05 15:32:27.511659074 +0300
  5. +++ b/src/client.c 2020-08-05 16:40:21.478329708 +0300
  6. @@ -377,7 +377,7 @@ client_dispatch(struct ntp_peer *p, u_in
  7. }
  8. interval = error_interval();
  9. set_next(p, interval);
  10. - log_info("NTP client: reply from %-16s is not synced (%s), next query in %llds",
  11. + log_info("NTP client: reply from NTP peer %-16s is not synced (%s), next query in %llds",
  12. log_sockaddr((struct sockaddr *)&p->addr->ss), s,
  13. (long long)interval);
  14. return (0);
  15. @@ -405,9 +405,13 @@ client_dispatch(struct ntp_peer *p, u_in
  16. /* Detect liars */
  17. if (!p->trusted && conf->constraint_median != 0 &&
  18. (constraint_check(T2) != 0 || constraint_check(T3) != 0)) {
  19. - log_info("NTP client: reply from %-16s constraint check failed",
  20. - log_sockaddr((struct sockaddr *)&p->addr->ss));
  21. - set_next(p, error_interval());
  22. + interval = error_interval();
  23. + log_info("NTP client: reply from NTP peer %-16s constraint check failed, "
  24. + "next query in %llds",
  25. + log_sockaddr((struct sockaddr *)&p->addr->ss),
  26. + (long long)interval
  27. + );
  28. + set_next(p, interval);
  29. return (0);
  30. }
  31. @@ -417,10 +421,12 @@ client_dispatch(struct ntp_peer *p, u_in
  32. if (p->reply[p->shift].delay < 0) {
  33. interval = error_interval();
  34. set_next(p, interval);
  35. - log_info("NTP client: reply from %-16s has negative delay %9fs, "
  36. + log_info("NTP client: reply from NTP peer %-16s has negative delay %9fs, "
  37. "next query in %llds",
  38. - log_sockaddr((struct sockaddr *)&p->addr->ss),
  39. - p->reply[p->shift].delay, (long long)interval);
  40. + log_sockaddr((struct sockaddr *)&p->addr->ss),
  41. + p->reply[p->shift].delay,
  42. + (long long)interval
  43. + );
  44. return (0);
  45. }
  46. p->reply[p->shift].error = (T2 - T1) - (T3 - T4);
  47. @@ -472,7 +478,7 @@ client_dispatch(struct ntp_peer *p, u_in
  48. p->trustlevel++;
  49. }
  50. - log_debug("NTP client: reply from %-16s offset: %9fs, delay: %9fs, "
  51. + log_debug("NTP client: reply from NTP peer %-16s offset: %9fs, delay: %9fs, "
  52. "next query in %llds",
  53. log_sockaddr((struct sockaddr *)&p->addr->ss),
  54. p->reply[p->shift].offset, p->reply[p->shift].delay,
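Review bot: The `);` placed on a line of its own after the last argument of the constraint-check and negative-delay log calls departs from the KNF layout the neighbouring calls in client.c use, where the closing paren stays on the final argument line, as in `(long long)interval);` in the first hunk and in the unchanged trailing log_debug. Keeping `(long long)interval);` as the last line of both rewritten calls keeps the file consistent. Computing `interval` before the log call so the next-query delay can be printed on the constraint-check path is fine as written. client_dispatch's body starts and ends outside these hunks.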
  55. --- a/src/constraint-libressl.c 2020-08-04 00:01:30.008179382 +0300
  56. +++ b/src/constraint-libressl.c 2020-08-05 15:56:10.558327257 +0300
  57. @@ -42,7 +42,8 @@ httpsdate_init(const char *addr, const i
  58. if ((httpsdate->tls_addr = strdup(addr)) == NULL ||
  59. (httpsdate->tls_port = strdup(port_s)) == NULL ||
  60. (httpsdate->tls_hostname = strdup(hostname)) == NULL ||
  61. - (httpsdate->tls_path = strdup(path)) == NULL)
  62. + (httpsdate->tls_path = strdup(path)) == NULL
  63. + )
  64. goto fail;
  65. if (useragent)
  66. @@ -53,13 +54,15 @@ httpsdate_init(const char *addr, const i
  67. "HEAD %s HTTP/1.1\r\nHost: %s\r\nUser-Agent: %s\r\nConnection: close\r\n\r\n",
  68. httpsdate->tls_path,
  69. httpsdate->tls_hostname,
  70. - httpsdate->tls_useragent) == -1)
  71. + httpsdate->tls_useragent
  72. + ) == -1)
  73. goto fail;
  74. } else {
  75. if (asprintf(&httpsdate->tls_request,
  76. "HEAD %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n",
  77. httpsdate->tls_path,
  78. - httpsdate->tls_hostname) == -1)
  79. + httpsdate->tls_hostname
  80. + ) == -1)
  81. goto fail;
  82. }
  83. @@ -67,10 +70,16 @@ httpsdate_init(const char *addr, const i
  84. goto fail;
  85. if (ca == NULL || ca_len == 0 || conf->constraint_ca_validation == 0) {
  86. - log_debug("constraint %s: certificate can't be verified", addr);
  87. + log_debug("constraint %s (%s): certificate can't be verified",
  88. + addr,
  89. + httpsdate->tls_hostname
  90. + );
  91. tls_config_insecure_noverifycert(httpsdate->tls_config);
  92. } else {
  93. - log_debug("constraint %s: verifying certificate", addr);
  94. + log_debug("constraint %s (%s): verifying certificate",
  95. + addr,
  96. + httpsdate->tls_hostname
  97. + );
  98. if (tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len) == -1)
  99. goto fail;
  100. }
  101. @@ -124,8 +133,11 @@ httpsdate_request(struct httpsdate *http
  102. goto fail;
  103. if (httpsdate->tls_useragent)
  104. - log_debug("constraint %s: user agent: %s", httpsdate->tls_addr,
  105. - httpsdate->tls_useragent);
  106. + log_debug("constraint %s (%s): user agent: %s",
  107. + httpsdate->tls_addr,
  108. + httpsdate->tls_hostname,
  109. + httpsdate->tls_useragent
  110. + );
  111. /*
  112. * LibreSSL expects an address string, which can also be a DNS name,
  113. @@ -133,13 +145,16 @@ httpsdate_request(struct httpsdate *http
  114. * does not trigger any DNS operation and is safe to be called
  115. * without the dns pledge.
  116. */
  117. - log_debug("constraint %s: establishing connection", httpsdate->tls_addr);
  118. + log_debug("constraint %s (%s): establishing connection",
  119. + httpsdate->tls_addr,
  120. + httpsdate->tls_hostname
  121. + );
  122. if (tls_connect_servername(httpsdate->tls_ctx, httpsdate->tls_addr,
  123. httpsdate->tls_port, httpsdate->tls_hostname) == -1) {
  124. - log_debug("constraint %s: TLS connection failed (%s): %s",
  125. - httpsdate->tls_addr,
  126. + log_debug("constraint %s (%s): TLS connection failed: %s",
  127. + httpsdate->tls_addr,
  128. httpsdate->tls_hostname,
  129. - tls_error(httpsdate->tls_ctx)
  130. + tls_error(httpsdate->tls_ctx)
  131. );
  132. goto fail;
  133. }
  134. @@ -151,7 +166,7 @@ httpsdate_request(struct httpsdate *http
  135. if (ret == TLS_WANT_POLLIN || ret == TLS_WANT_POLLOUT)
  136. continue;
  137. if (ret == -1) {
  138. - log_warnx("constraint %s: TLS write operation failed (%s): %s",
  139. + log_warnx("constraint %s (%s): TLS write operation failed: %s",
  140. httpsdate->tls_addr,
  141. httpsdate->tls_hostname,
  142. tls_error(httpsdate->tls_ctx)
  143. @@ -180,9 +195,10 @@ httpsdate_request(struct httpsdate *http
  144. * the timezone which is required here.
  145. */
  146. if (strptime(p, IMF_FIXDATE,
  147. - &httpsdate->tls_tm) == NULL) {
  148. - log_warnx("constraint %s: unsupported date format",
  149. - httpsdate->tls_addr
  150. + &httpsdate->tls_tm) == NULL) {
  151. + log_warnx("constraint %s (%s): unsupported date format",
  152. + httpsdate->tls_addr,
  153. + httpsdate->tls_hostname
  154. );
  155. free(line);
  156. return (-1);
  157. @@ -209,11 +225,15 @@ httpsdate_request(struct httpsdate *http
  158. if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
  159. goto fail;
  160. if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
  161. - &httpsdate->tls_tm) == 0)
  162. + &httpsdate->tls_tm) == 0)
  163. goto fail;
  164. - log_warnx("constraint %s: TLS certificate not yet valid (%s): "
  165. - "not before %s, now is %s", httpsdate->tls_addr,
  166. - httpsdate->tls_hostname, timebuf1, timebuf2);
  167. + log_warnx("constraint %s (%s): TLS certificate not yet valid: "
  168. + "not before %s, current time is %s",
  169. + httpsdate->tls_addr,
  170. + httpsdate->tls_hostname,
  171. + timebuf1,
  172. + timebuf2
  173. + );
  174. goto fail;
  175. }
  176. if (httptime >= notafter) {
  177. @@ -222,11 +242,15 @@ httpsdate_request(struct httpsdate *http
  178. if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
  179. goto fail;
  180. if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
  181. - &httpsdate->tls_tm) == 0)
  182. + &httpsdate->tls_tm) == 0)
  183. goto fail;
  184. - log_warnx("constraint %s: TLS certificate has been expired (%s): "
  185. - "not after %s, now is %s", httpsdate->tls_addr,
  186. - httpsdate->tls_hostname, timebuf1, timebuf2);
  187. + log_warnx("constraint %s (%s): TLS certificate has been expired: "
  188. + "not after %s, current time is %s",
  189. + httpsdate->tls_addr,
  190. + httpsdate->tls_hostname,
  191. + timebuf1,
  192. + timebuf2
  193. + );
  194. goto fail;
  195. }
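Review bot: The rewritten `certificate can't be verified` message is still emitted with log_debug, which is normally only visible with verbose logging, so a constraint whose certificate verification was switched off via `tls_config_insecure_noverifycert` leaves no trace in the ordinary log; constraints exist to bound how far NTP peers may lie, and an unauthenticated HTTPS time source is a weaker anchor that the operator should see without enabling debug output. I would raise that one call to `log_warnx("constraint %s (%s): certificate can't be verified, verification disabled", addr, httpsdate->tls_hostname);` or at least log_info, and keep `verifying certificate` at debug. Several lines in this section appear to change only their indentation (the `&httpsdate->tls_tm) == 0)` continuation in both certificate-validity hunks and the hostname and tls_error argument lines in the connect hunk), which adds noise to the diff without changing code. httpsdate_init and httpsdate_request both start and end outside the shown hunks.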
  196. --- a/src/constraint-openssl.c 2020-08-04 00:01:16.178179367 +0300
  197. +++ b/src/constraint-openssl.c 2020-08-05 16:33:55.571662669 +0300
  198. @@ -122,16 +122,23 @@ o_httpsdate_request(struct o_httpsdate *
  199. inet_ntop(AF_INET, &sa_in.sin_addr, ia_str, sizeof(ia_str));
  200. if ((sslfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP)) == -1)
  201. - log_warnx("constraint %s: can't create OpenSSL socket (4)", ia_str);
  202. + log_warnx("constraint %s (%s): can't create OpenSSL socket (4)",
  203. + ia_str,
  204. + httpsdate->cstr->addr_head.name
  205. + );
  206. SSL_set_fd(httpsdate->tls_conn, sslfd);
  207. - log_debug("constraint %s: initializing HTTPS request", ia_str);
  208. + log_debug("constraint %s (%s): initializing HTTPS request",
  209. + ia_str,
  210. + httpsdate->cstr->addr_head.name
  211. + );
  212. ret = connect(sslfd, (struct sockaddr *)&sa_in, sizeof(sa_in));
  213. if (ret < 0) {
  214. - log_warnx("constraint %s: TLS connection failed, socket error: %d",
  215. - ia_str,
  216. - errno
  217. + log_warnx("constraint %s (%s): TLS connection failed, socket error: %d",
  218. + ia_str,
  219. + httpsdate->cstr->addr_head.name,
  220. + errno
  221. );
  222. goto fail;
  223. }
  224. @@ -145,18 +152,23 @@ o_httpsdate_request(struct o_httpsdate *
  225. inet_ntop(AF_INET6, &sa_in6->sin6_addr, ia_str, sizeof(ia_str));
  226. if ((sslfd = socket(AF_INET6, SOCK_STREAM, 0)) == -1)
  227. - log_warnx("constraint %s: can't create OpenSSL socket (6)",
  228. - ia_str
  229. + log_warnx("constraint %s (%s): can't create OpenSSL socket (6)",
  230. + ia_str,
  231. + httpsdate->cstr->addr_head.name
  232. );
  233. SSL_set_fd(httpsdate->tls_conn, sslfd);
  234. - log_debug("constraint %s: initializing HTTPS request", ia_str);
  235. + log_debug("constraint %s (%s): initializing HTTPS request",
  236. + ia_str,
  237. + httpsdate->cstr->addr_head.name
  238. + );
  239. ret = connect(sslfd, (struct sockaddr *)&sa_in6, sizeof(sa_in6));
  240. if (ret < 0) {
  241. - log_warnx("constraint %s: TLS connection failed, socket error: %d",
  242. - ia_str,
  243. - errno
  244. + log_warnx("constraint %s (%s): TLS connection failed, socket error: %d",
  245. + ia_str,
  246. + httpsdate->cstr->addr_head.name,
  247. + errno
  248. );
  249. goto fail;
  250. }
  251. @@ -164,20 +176,26 @@ o_httpsdate_request(struct o_httpsdate *
  252. break;
  253. default:
  254. - fatalx("constraint %s: invalid network address family in HTTPS request",
  255. - ia_str
  256. + fatalx("constraint %s (%s): invalid network address family in HTTPS request",
  257. + ia_str,
  258. + httpsdate->cstr->addr_head.name
  259. );
  260. goto fail;
  261. }
  262. if (httpsdate->cstr->useragent)
  263. - log_debug("constraint %s: user agent: %s", ia_str,
  264. - httpsdate->cstr->useragent);
  265. + log_debug("constraint %s (%s): user agent: %s",
  266. + ia_str,
  267. + httpsdate->cstr->addr_head.name,
  268. + httpsdate->cstr->useragent);
  269. - log_debug("constraint %s: establishing connection", ia_str);
  270. + log_debug("constraint %s (%s): establishing connection",
  271. + ia_str,
  272. + httpsdate->cstr->addr_head.name
  273. + );
  274. ret = SSL_connect(httpsdate->tls_conn);
  275. if (ret < 1) {
  276. - log_warnx("constraint %s: TLS connection failed in accept (%s)",
  277. + log_warnx("constraint %s (%s): TLS connection failed in accept",
  278. ia_str,
  279. httpsdate->cstr->addr_head.name
  280. );
  281. @@ -185,7 +203,10 @@ o_httpsdate_request(struct o_httpsdate *
  282. goto fail;
  283. }
  284. if (ret == 5) {
  285. - log_warnx("constraint %s: socket error no: %d", ia_str, ret);
  286. + log_warnx("constraint %s (%s): socket error no: %d",
  287. + ia_str,
  288. + httpsdate->cstr->addr_head.name,
  289. + ret);
  290. goto fail;
  291. }
  292. @@ -197,7 +218,7 @@ o_httpsdate_request(struct o_httpsdate *
  293. if (ret == SSL_ERROR_WANT_WRITE || ret == SSL_ERROR_WANT_READ)
  294. continue;
  295. if (ret < 1) {
  296. - log_warnx("constraint %s: TLS write operation failed: (%s)",
  297. + log_warnx("constraint %s (%s): TLS write operation failed",
  298. ia_str,
  299. httpsdate->cstr->addr_head.name
  300. );
  301. @@ -205,7 +226,10 @@ o_httpsdate_request(struct o_httpsdate *
  302. goto fail;
  303. }
  304. if (ret == 6) {
  305. - log_warnx("constraint %s: HTTPS server aborted the request", ia_str);
  306. + log_warnx("constraint %s (%s): HTTPS server aborted the request",
  307. + ia_str,
  308. + httpsdate->cstr->addr_head.name
  309. + );
  310. openssl_lasterr();
  311. SSL_shutdown(httpsdate->tls_conn);
  312. }
  313. @@ -233,8 +257,9 @@ o_httpsdate_request(struct o_httpsdate *
  314. */
  315. if (strptime(p, IMF_FIXDATE,
  316. &httpsdate->tls_tm) == NULL) {
  317. - log_warnx("constraint %s: unsupported date format",
  318. - ia_str
  319. + log_warnx("constraint %s (%s): unsupported date format",
  320. + ia_str,
  321. + httpsdate->cstr->addr_head.name
  322. );
  323. free(line);
  324. return (-1);
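Review bot: A socket() failure in the AF_INET branch, and likewise in the AF_INET6 branch below it, is still only logged: execution continues into `SSL_set_fd(httpsdate->tls_conn, -1)` and `connect(-1, ...)`, so the later "TLS connection failed, socket error" line presumably reports EBADF rather than the real cause. Brace the condition and bail out, e.g. `log_warnx("constraint %s (%s): can't create OpenSSL socket (4): %d", ia_str, httpsdate->cstr->addr_head.name, errno);` followed by `goto fail;`, mirroring how the connect error already prints errno. Separately, the IPv6 hunk dereferences `sa_in6->sin6_addr`, which makes `sa_in6` a pointer, yet the unchanged `connect(sslfd, (struct sockaddr *)&sa_in6, sizeof(sa_in6))` passes the address and size of that pointer variable; if the declaration (outside the hunk) is indeed a pointer, IPv6 constraints can never connect and the call should use `sa_in6` and `sizeof(*sa_in6)`. The `ret == 5` and `ret == 6` comparisons in the later hunks would read better as the named SSL_ERROR_SYSCALL and SSL_ERROR_ZERO_RETURN constants. o_httpsdate_request starts and ends outside these hunks.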
  325. --- a/src/constraint.c 2020-08-03 23:43:48.584926017 +0300
  326. +++ b/src/constraint.c 2020-08-13 18:29:05.369040808 +0300
  327. @@ -767,9 +767,10 @@ constraint_msg_result(u_int32_t id, u_in
  328. offset = gettime_from_timeval(&tv[0]) -
  329. gettime_from_timeval(&tv[1]);
  330. - log_info("constraint %s: reply received: offset %fs",
  331. - log_sockaddr((struct sockaddr *)&cstr->addr->ss),
  332. - offset);
  333. + log_info("constraint %s (%s): reply received: offset %fs",
  334. + log_sockaddr((struct sockaddr *)&cstr->addr->ss),
  335. + cstr->addr_head.name,
  336. + offset);
  337. cstr->state = STATE_REPLY_RECEIVED;
  338. cstr->last = getmonotime();
  339. --- a/ntpd.conf 2020-08-02 02:30:41.000000000 +0300
  340. +++ b/ntpd.conf 2020-08-05 16:01:50.858327562 +0300
  341. @@ -115,11 +115,11 @@ constraints from "https://www.duckduckgo
  342. # ntpd(8) socket file path.
  343. #
  344. -# ctlsocket /var/run/ntpd.sock
  345. +# ctlsocket "/var/run/ntpd.sock"
  346. # ntpd(8) drift file path.
  347. #
  348. -# driftfile /var/db/ntpd.drift
  349. +# driftfile "/var/db/ntpd.drift"
  350. # Whether to reset frequency filters after
  351. # frequency adjustment.
  352. --- a/src/ntpd.conf.5 2020-08-04 01:38:53.878185531 +0300
  353. +++ b/src/ntpd.conf.5 2020-08-05 16:02:55.751660907 +0300
  354. @@ -463,7 +463,7 @@ socket file path.
  355. .Bd -literal -offset indent
  356. .Bl -tag -width "Default:" -compact
  357. .It Default:
  358. -/var/run/ntpd.sock
  359. +"/var/run/ntpd.sock"
  360. .El
  361. .Ed
  362. .It Ic driftfile Ar path-to-file
  363. @@ -472,7 +472,7 @@ drift file path.
  364. .Bd -literal -offset indent
  365. .Bl -tag -width "Default:" -compact
  366. .It Default:
  367. -/var/db/ntpd.drift
  368. +"/var/db/ntpd.drift"
  369. .El
  370. .Ed
  371. .It Ic filter_adjfreq Ar true | false