[Git][NTPsec/ntpsec][master] 16 commits: Use clock_gettime rather than get_systime
Hal Murray
gitlab at mg.gitlab.com
Sun Dec 29 03:52:34 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
ee9e0368 by Hal Murray at 2019-12-28T19:52:01-08:00
Use clock_gettime rather than get_systime
when computing sys_authdelay
get_systime() calls ntp_random() which is slooow.
- - - - -
de6fe4ca by Hal Murray at 2019-12-28T19:52:01-08:00
Make noval work on OpenSSL 1.0.2
If you tell it the host name, it does the host name checking
automatically as part of SSL_accept(). You don't get a
chance to check the noval flag.
- - - - -
9db3dbe6 by Hal Murray at 2019-12-28T19:52:01-08:00
More work on attic/random.c
- - - - -
156cf50c by Hal Murray at 2019-12-28T19:52:01-08:00
Minor addition for disable-fuzz
- - - - -
21461538 by Hal Murray at 2019-12-28T19:52:01-08:00
Fix typo: sys_mindisp => sys_mindist and friends
This bug/quirk is in ntp classic. Many comments say "minimum distance"
PROTO_MINDISP => PROTO_MINDIST
MINDISPERSE => MINDISTANCE
- - - - -
2a6099fe by Hal Murray at 2019-12-28T19:52:01-08:00
Squash two more warnings from old compilers
Change an isprint to isgraph
- - - - -
441da2fc by Hal Murray at 2019-12-28T19:52:01-08:00
Fix typo, add comments to ntp_packetstamp
- - - - -
a79cd530 by Hal Murray at 2019-12-28T19:52:01-08:00
Make attic/random.c work on older OpenSSL
- - - - -
e754b93b by Hal Murray at 2019-12-28T19:52:01-08:00
Use random() rather than ntp_random() for fuzzing.
- - - - -
3f43b4c7 by Hal Murray at 2019-12-28T19:52:01-08:00
Fix bug in no-FUZZ - works now.
- - - - -
e78e7205 by Hal Murray at 2019-12-28T19:52:01-08:00
Setup peer->ppoll so ntpq shows useful timeouts for DNS and NTS.
- - - - -
abe873f7 by Hal Murray at 2019-12-28T19:52:01-08:00
Add mozilla-rootcerts-openssl for NetBSD
- - - - -
e1b6b7a4 by Hal Murray at 2019-12-28T19:52:01-08:00
Add longer chunks for attic/random.c
The overhead for RAND_bytes() is huge.
We could save a few cycles by getting 10 or 20
chunks at a time.
- - - - -
dd05e938 by Hal Murray at 2019-12-28T19:52:01-08:00
Add certificate details for NetBSD and other updates.
- - - - -
a9b779b6 by Hal Murray at 2019-12-28T19:52:01-08:00
Minor tweaks to hacking.adoc
- - - - -
444796d1 by Hal Murray at 2019-12-28T19:52:01-08:00
Add ppoll back to seccomp list -- used by NTS-KE on Arch Linux
- - - - -
14 changed files:
- attic/random.c
- buildprep
- devel/hacking.adoc
- docs/NTS-QuickStart.adoc
- include/ntp.h
- include/ntpd.h
- libntp/systime.c
- ntpd/ntp_config.c
- ntpd/ntp_control.c
- ntpd/ntp_packetstamp.c
- ntpd/ntp_proto.c
- ntpd/ntp_refclock.c
- ntpd/ntp_sandbox.c
- ntpd/nts_client.c
Changes:
=====================================
attic/random.c
=====================================
@@ -4,8 +4,11 @@
#include <stdint.h>
#include <stdio.h>
#include <time.h>
+#include <sys/types.h>
+#include <unistd.h>
-#include "ntp.h"
+#include <openssl/opensslv.h> /* for OPENSSL_VERSION_NUMBER */
+#include <openssl/rand.h>
#define BATCHSIZE 1000000
#define BILLION 1000000000
@@ -16,8 +19,55 @@
/* hack for libntp */
const char *progname = "foo";
-int do_average(void);
-int do_average(void) {
+static int getpid_average(void) {
+ int err;
+ struct timespec start, stop;
+ uint64_t sec, nanos;
+
+ err = clock_gettime(CLOCK_REALTIME, &start);
+ if (-1 == err) {
+ printf("clock_gettime(CLOCK_REALTIME) didn't work, err %d\n", errno);
+ return -1;
+ }
+
+ clock_gettime(CLOCK_REALTIME, &start);
+ for (int i = 0; i < BATCHSIZE; i++) {
+ getpid();
+ }
+ clock_gettime(CLOCK_REALTIME, &stop);
+
+ /* Beware of overflowing 32 bits. */
+ sec = (stop.tv_sec-start.tv_sec);
+ nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
+ return nanos/BATCHSIZE;
+
+}
+
+static int clock_average(void) {
+ int err;
+ struct timespec start, stop;
+ uint64_t sec, nanos;
+
+ err = clock_gettime(CLOCK_REALTIME, &start);
+ if (-1 == err) {
+ printf("clock_gettime(CLOCK_REALTIME) didn't work, err %d\n", errno);
+ return -1;
+ }
+
+ clock_gettime(CLOCK_REALTIME, &start);
+ for (int i = 0; i < BATCHSIZE; i++) {
+ clock_gettime(CLOCK_REALTIME, &stop);
+ }
+ clock_gettime(CLOCK_REALTIME, &stop);
+
+ /* Beware of overflowing 32 bits. */
+ sec = (stop.tv_sec-start.tv_sec);
+ nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
+ return nanos/BATCHSIZE;
+
+}
+
+static int do_average(void) {
long int sum = 0;
struct timespec start, stop;
uint64_t sec, nanos;
@@ -34,49 +84,71 @@ int do_average(void) {
return nanos/BATCHSIZE;
}
-int do_average32(void);
-int do_average32(void) {
- int32_t sum = 0;
+static int do_avg_bytes(unsigned int bytes) {
+ int err = 0;
struct timespec start, stop;
uint64_t sec, nanos;
+ unsigned char rnd[512];
+
+ if (bytes > sizeof(rnd)) {
+ printf("## do_avg_bytes - too big\n");
+ exit(1);
+ }
clock_gettime(CLOCK_REALTIME, &start);
for (int i = 0; i < BATCHSIZE; i++) {
- sum += ntp_random();
+ err += RAND_bytes((unsigned char *)&rnd, bytes);
}
clock_gettime(CLOCK_REALTIME, &stop);
+ if (BATCHSIZE != err) {
+ printf("## do_avg_bytes: troubles from RAND_bytes, %d\n",
+ BATCHSIZE-err);
+ exit(1);
+ }
+
/* Beware of overflowing 32 bits. */
sec = (stop.tv_sec-start.tv_sec);
nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
return nanos/BATCHSIZE;
}
-int do_average64(void);
-int do_average64(void) {
- uint64_t sum = 0;
+#if (OPENSSL_VERSION_NUMBER > 0x1010100fL)
+static int do_avg_priv(unsigned int bytes) {
+ int err = 0;
struct timespec start, stop;
uint64_t sec, nanos;
+ unsigned char rnd[512];
+
+ if (bytes > sizeof(rnd)) {
+ printf("## do_avg_priv - too big\n");
+ exit(1);
+ }
clock_gettime(CLOCK_REALTIME, &start);
for (int i = 0; i < BATCHSIZE; i++) {
- sum += ntp_random64();
+ err += RAND_priv_bytes((unsigned char *)&rnd, bytes);
}
clock_gettime(CLOCK_REALTIME, &stop);
+ if (BATCHSIZE != err) {
+ printf("## do_avg_priv: troubles from RAND_bytes, %d\n",
+ BATCHSIZE-err);
+ exit(1);
+ }
+
/* Beware of overflowing 32 bits. */
sec = (stop.tv_sec-start.tv_sec);
nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
return nanos/BATCHSIZE;
}
+#endif
-int do_fastest(void);
-int do_fastest(void) {
+static int do_fastest(void) {
int sum = 0;
struct timespec start, stop;
- uint64_t sec, nanos, fastest;
+ uint64_t sec, nanos, fastest = 999999999;
- fastest = 999999999;
for (int i = 0; i < BATCHSIZE; i++) {
clock_gettime(CLOCK_REALTIME, &start);
sum += random();
@@ -91,16 +163,20 @@ int do_fastest(void) {
return fastest;
}
-int do_fastest32(void);
-int do_fastest32(void) {
- int sum = 0;
+static int do_fast_bytes(unsigned bytes) {
+ int err = 0;
struct timespec start, stop;
- uint64_t sec, nanos, fastest;
+ uint64_t sec, nanos, fastest = 999999999;
+ unsigned char rnd[512];
+
+ if (bytes > sizeof(rnd)) {
+ printf("## do_fast_bytes - too big\n");
+ exit(1);
+ }
- fastest = 999999999;
for (int i = 0; i < BATCHSIZE; i++) {
clock_gettime(CLOCK_REALTIME, &start);
- sum += ntp_random();
+ err += RAND_bytes((unsigned char *)&rnd, bytes);
clock_gettime(CLOCK_REALTIME, &stop);
sec = (stop.tv_sec-start.tv_sec);
nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
@@ -109,19 +185,30 @@ int do_fastest32(void) {
}
}
+ if (BATCHSIZE != err) {
+ printf("## do_fast_bytes: troubles from RAND_bytes, %d\n",
+ BATCHSIZE-err);
+ exit(1);
+ }
+
return fastest;
}
-int do_fastest64(void);
-int do_fastest64(void) {
- uint64_t sum = 0;
+#if (OPENSSL_VERSION_NUMBER > 0x1010100fL)
+static int do_fast_priv(unsigned bytes) {
+ int err = 0;
struct timespec start, stop;
- uint64_t sec, nanos, fastest;
+ uint64_t sec, nanos, fastest = 999999999;
+ unsigned char rnd[512];
+
+ if (bytes > sizeof(rnd)) {
+ printf("## do_fast_priv - too big\n");
+ exit(1);
+ }
- fastest = 999999999;
for (int i = 0; i < BATCHSIZE; i++) {
clock_gettime(CLOCK_REALTIME, &start);
- sum += ntp_random64();
+ err += RAND_priv_bytes((unsigned char *)&rnd, bytes);
clock_gettime(CLOCK_REALTIME, &stop);
sec = (stop.tv_sec-start.tv_sec);
nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
@@ -130,93 +217,31 @@ int do_fastest64(void) {
}
}
- return fastest;
-}
-
-int dups = 0;
-int do_hist(int type, int fastest);
-int do_hist(int type, int fastest) {
- int nsPerBucket = NSPERBUCKET;
- int i;
- int delta, lines, toobig, hits, miss;
- struct timespec start, stop;
- int64_t sec, nanos;
- unsigned int hist[HISTSIZE];
- int faster = 0;
-
- toobig = 0;
- for (i = 0; i < HISTSIZE; i++) {
- hist[i] = 0;
+ if (BATCHSIZE != err) {
+ printf("## do_fast_priv: troubles from RAND_bytes, %d\n",
+ BATCHSIZE-err);
+ exit(1);
}
- for (i = 0; i < BATCHSIZE; i++) {
- clock_gettime(type, &start); /* warm up cache */
- clock_gettime(type, &stop);
- clock_gettime(type, &start);
- clock_gettime(type, &stop);
- sec = (stop.tv_sec-start.tv_sec);
- nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
- if (0 > nanos) {
- printf("## Time went backwards: %ld.%9ld-%ld.%9ld=>%ld\n",
- (long)stop.tv_sec, stop.tv_nsec,
- (long)start.tv_sec, start.tv_nsec,
- (long)nanos);
- continue;
- }
- if (0 == nanos) {
- /* I've seen this on Pi 1. */
- dups++;
- continue;
- }
- delta = (nanos-fastest) / nsPerBucket;
- if (0 > delta) {
- /* fastest wasn't fast enough */
- if (0 == faster) {
- faster = delta;
- }
- if (faster > delta) {
- faster = delta;
- }
- continue;
- }
- if (delta < HISTSIZE) {
- hist[delta]++;
- } else {
- toobig++;
- }
- }
- if (faster) { return faster;
- }
- printf("\n");
- printf("Histogram: CLOCK_REALTIME, %d ns per bucket, %d samples.\n",
- nsPerBucket, BATCHSIZE);
- printf(" ns hits\n");
- lines = 0;
- hits = 0;
- for (i=0; i<HISTSIZE; i++) {
- if ((MAXHISTLINES <= lines) && (0.98*BATCHSIZE < hits)) {
- break; /* Avoid clutter of printing long tail */
- }
- if (hist[i]) {
- printf("%10d %8u\n", i*nsPerBucket+fastest, hist[i]);
- lines++;
- hits += hist[i];
- }
- }
- miss = i-1;
- for ( ; i<HISTSIZE; i++) {
- toobig += hist[i];
- }
+ return fastest;
+}
+#endif
- if (dups) {
- printf("%d samples were duplicated.\n", dups);
- }
- if (toobig) { printf("%d samples were bigger than %d.\n",
- toobig, miss*nsPerBucket+fastest);
- }
- return faster;
+static void do_bytes(int bytes) {
+ int average = do_avg_bytes(bytes);
+ int fastest = do_fast_bytes(bytes);
+ printf("RAND_bytes(): %5d %8d %4d\n", average, fastest, bytes);
+ fflush(stdout);
}
+#if (OPENSSL_VERSION_NUMBER > 0x1010100fL)
+static void do_priv(int bytes) {
+ int average = do_avg_priv(bytes);
+ int fastest = do_fast_priv(bytes);
+ printf("RAND_priv_bytes(): %5d %8d %4d\n", average, fastest, bytes);
+ fflush(stdout);
+}
+#endif
int main(int argc, char *argv[]) {
int average, fastest;
@@ -224,22 +249,34 @@ int main(int argc, char *argv[]) {
(void)argc; /* Squash unused warnings */
(void)argv;
- printf(" avg fastest\n");
+ printf(" times in ns avg fastest lng\n");
+
+ average = getpid_average();
+ printf("getpid(): %5d (simple kernel call)\n",
+ average);
+
+ average = clock_average();
+ printf("clock_gettime: %5d (overhead of fastest)\n",
+ average);
average = do_average();
fastest = do_fastest();
- printf("random(): %5d %8d\n", average, fastest);
+ printf("random(): %5d %8d\n", average, fastest);
fflush(stdout);
- average = do_average32();
- fastest = do_fastest32();
- printf("ntp_random(): %5d %8d\n", average, fastest);
- fflush(stdout);
-
- average = do_average64();
- fastest = do_fastest64();
- printf("ntp_random64(): %5d %8d\n", average, fastest);
- fflush(stdout);
+ do_bytes(4);
+ do_bytes(16);
+ do_bytes(32);
+ do_bytes(160);
+ do_bytes(320);
+
+#if (OPENSSL_VERSION_NUMBER > 0x1010100fL)
+ do_priv(4);
+ do_priv(16);
+ do_priv(32);
+ do_priv(160);
+ do_priv(320);
+#endif
return 0;
=====================================
buildprep
=====================================
@@ -188,7 +188,8 @@ daemon () {
# In Dec 2018, 3.6 and 2.7 are also good candidates.
$install bison python37 py37-curses-3.7
# certificates for NTS
- $install mozilla-rootcerts
+ $install mozilla-rootcerts mozilla-rootcerts-openssl
+ # Also needs "nts ca /etc/openssl/certs/"
# setup "python" from command line
$do ln -s /usr/pkg/bin/python3.7 /usr/pkg/bin/python
$do ln -s /usr/pkg/bin/python3.7 /usr/pkg/bin/python3
=====================================
devel/hacking.adoc
=====================================
@@ -61,11 +61,9 @@ You can download the C99 standard for free from here:
You *may* use C11-style anonymous unions.
Only POSIX-1.2001/SUSv3 library functions should be used (a few
-specific exceptions are noted below). If a library
-function not in that standard is required, then a wrapper function for backward
-compatibility must be provided. One notable case is clock_gettime()
-which is used, when available, for increased accuracy, and has a
-fallback implementation using native time calls.
+specific exceptions are noted below). If a library function not
+in that standard is required, then a wrapper function for backward
+compatibility must be provided.
You can read POSIX-1.2001, with 2004 Corrigendum, online for free here:
https://pubs.opengroup.org/onlinepubs/009695399/toc.htm
@@ -74,17 +72,25 @@ You can see POSIX.1-2001, SUSv3, online for free here:
http://www.unix-systems.org/version3/
POSIX threads *are* considered part of the standardized API, but their
-use requires extreme care. The main part of ntpd assumes it is the only
-thread. One interesting area is msyslog. The DNS thread doesn't call msyslog.
+use requires care. The main part of ntpd assumes it is the only
+thread.
+
+One interesting area is msyslog. The DNS thread doesn't call msyslog,
+but that is historical. In the old days, msyslog wasn't thread-safe.
That was impractical for NTS, so msyslog is thread safe as of 2019-Apr.
-Beware of calling strerror() from non-main threads. Use ntp_strerror_r() into
-a buffer on the stack. Similarly, use socktoa_r() and sockporttoa_r() and
-don't call lib_getbuf(), refclock_name(), or exit(). [exit() calls
-the registered cleanup routines and some of them call lib_getbuf()
-which will crash (again) when called from a non-main thread. So
-avoid exit() if you can, but use it if you can't find a better way.]
-
-You *may* assume the clock_gettime(2) and clock_settime(2) calls, and
+
+Beware of calling strerror() from non-main threads. Use ntp_strerror_r()
+into a buffer on the stack. (strerror_r() has an ambigious API.)
+
+Similarly, use socktoa_r() and sockporttoa_r() and don't call lib_getbuf(),
+refclock_name(), or exit(). [exit() calls the registered cleanup routines
+and some of them call lib_getbuf() which will crash (again) when called
+from a non-main thread. So avoid exit() if you can, but use it if you
+can't find a better way.]
+
+Don't call get_systime() from non-main threads.
+
+You *may* use clock_gettime(2) and clock_settime(2) calls, and
the related getitimer(2)/setitimer(2), from POSIX-1.2008.
Here are the non-standardized APIs that may be used:
=====================================
docs/NTS-QuickStart.adoc
=====================================
@@ -74,6 +74,8 @@ the server's certificate. IP addresses will not work.
This assumes that the server is using a certificate covered by
your OS/distro's root certificate collection.
+NetBSD needs the +mozilla-rootcerts-openssl+ package and `ca /etc/openssl/certs/` added to the +server+ line.
+
Restart `ntpd`, and skip to link:#verify[Verification], below.
[[server]]
@@ -139,9 +141,9 @@ Restart your server, and skip to link:#verify[Verification], below.
[[verify]]
== Verification
-Check your log file. The current NTS implementation is quite chatty, and the
-log lines may change, so what you see will be similar, but not the same,
-as below.
+Check your log file. The current client side NTS implementation
+is quite chatty. The log lines may change, but what you see should be
+similar to below.
As a client, you should see lines like this:
@@ -161,35 +163,38 @@ As a client, you should see lines like this:
For initializing a server, you should see lines like this:
------------------------------------------------------------
-2019-03-22T08:06:32 ntpd[12915]: NTSs: starting NTS-KE server listening on port 123
-2019-03-22T08:06:32 ntpd[12915]: NTSs: loaded certificate (chain) from /etc/letsencrypt/live/ntpmon.dcs1.biz/fullchain.pem
-2019-03-22T08:06:32 ntpd[12915]: NTSs: loaded private key from /etc/letsencrypt/live/ntpmon.dcs1.biz/privkey.pem
-2019-03-22T08:06:32 ntpd[12915]: NTSs: Private Key OK
-2019-03-22T08:06:32 ntpd[12915]: NTSs: OpenSSL security level is 2
-2019-03-22T08:06:32 ntpd[12915]: NTSs: listen4 worked
-2019-03-22T08:06:32 ntpd[12915]: NTSs: listen6 worked
-2019-03-22T08:06:32 ntpd[12915]: NTSc: Using system default root certificates.
+27 Dec 12:03:47 ntpd[962738]: INIT: OpenSSL 1.1.1d FIPS 10 Sep 2019, 1010104f
+27 Dec 12:03:47 ntpd[962738]: NTSs: starting NTS-KE server listening on port 123
+27 Dec 12:03:47 ntpd[962738]: NTSs: loaded certificate (chain) from /etc/ntp/fullchain.pem
+27 Dec 12:03:47 ntpd[962738]: NTSs: loaded private key from /etc/ntp/privkey.pem
+27 Dec 12:03:47 ntpd[962738]: NTSs: Private Key OK
+27 Dec 12:03:47 ntpd[962738]: NTSs: OpenSSL security level is 1
+27 Dec 12:03:47 ntpd[962738]: NTSs: listen4 worked
+27 Dec 12:03:47 ntpd[962738]: NTSs: listen6 worked
+27 Dec 12:03:47 ntpd[962738]: NTSc: Using system default root certificates.
------------------------------------------------------------
On a server, each time a client uses TLS to setup cookies,
-you should see lines like this:
+you should see lines like these. If all goes well, there is a single
+line for each connection.
------------------------------------------------------------
-10 Jun 04:50:39 ntpd[823]: NTSs: TCP accept-ed from 64.139.1.69:61561
-10 Jun 04:50:39 ntpd[823]: NTSs: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
-10 Jun 04:50:40 ntpd[823]: NTSs: Read 16, wrote 880 bytes. AEAD=15
-10 Jun 04:50:40 ntpd[823]: NTSs: NTS-KE server took 1.569 sec
+ 1 Dec 22:42:21 ntpd[237777]: NTSs: NTS-KE from 192.168.1.71:43560, Using TLSv1.3, TLS_CHACHA20_POLY1305_SHA256 (256), took 0.018 sec
+ 1 Dec 22:42:56 ntpd[237777]: NTSs: NTS-KE from 192.168.1.61:33930, Using TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 (256), took 0.075 sec
------------------------------------------------------------
Servers on the big bad internet will get a lot of garbage connections.
-Each one will produce log lines like this:
+The common cases produce a single line. Less common cases will have additional lines with OpenSSL error data.
------------------------------------------------------------
-10 Jun 04:55:11 ntpd[823]: NTSs: TCP accept-ed from 70.95.39.88:49176
-10 Jun 04:55:11 ntpd[823]: NTSs: SSL accept from 70.95.39.88:49176 failed, 0.006 sec
-10 Jun 04:55:11 ntpd[823]: NTS: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
+26 Dec 18:13:55 ntpd[940892]: NTSs: SSL accept from 68.134.33.4:52188 failed: wrong version number, took 0.000 sec
+26 Dec 18:24:20 ntpd[940892]: NTSs: SSL accept from 64.139.1.69:56525 failed, took 0.101 sec
+26 Dec 18:24:20 ntpd[940892]: NTS: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca
------------------------------------------------------------
+`alert` means the client on the other end encountered troubles and is
+reporting them back to the server.
+
The logging prefix *NTSs* is for the NTS server component. The *NTSc*
component is for the NTS client part, where you are talking to NTS servers.
=====================================
include/ntp.h
=====================================
@@ -566,7 +566,7 @@ struct pkt {
#define PROTO_CEILING 18
/* #define PROTO_COHORT 19 */
#define PROTO_CALLDELAY 20
-#define PROTO_MINDISP 21
+#define PROTO_MINDIST 21
#define PROTO_MAXDIST 22
#define PROTO_MAXDISP 23
#define PROTO_MAXHOP 24
=====================================
include/ntpd.h
=====================================
@@ -159,7 +159,7 @@ extern void peer_clear (struct peer *, const char *, const bool);
extern void set_sys_leap (uint8_t);
extern int sys_orphan;
-extern double sys_mindisp;
+extern double sys_mindist;
extern double sys_maxdisp;
extern void poll_update (struct peer *, uint8_t);
=====================================
libntp/systime.c
=====================================
@@ -227,7 +227,8 @@ get_systime(
struct timespec ts; /* seconds and nanoseconds */
get_ostime(&ts);
#ifdef ENABLE_FUZZ
- normalize_time(ts, sys_fuzz > 0.0 ? ntp_random() : 0, now);
+/* normalize_time(ts, sys_fuzz > 0.0 ? ntp_random() : 0, now); */
+ normalize_time(ts, sys_fuzz > 0.0 ? random() : 0, now);
#else
*now = tspec_stamp_to_lfp(ts);
#endif
=====================================
ntpd/ntp_config.c
=====================================
@@ -1272,7 +1272,7 @@ config_tos(
break;
case T_Mindist:
- item = PROTO_MINDISP;
+ item = PROTO_MINDIST;
break;
case T_Maxdisp:
=====================================
ntpd/ntp_control.c
=====================================
@@ -1305,7 +1305,7 @@ ctl_putrefid(
cp = (char *)&refid;
/* make sure all printable */
for (i = 0; sizeof(refid) > i && '\0' != cp[i]; i++) {
- if (isprint(cp[i]))
+ if (isgraph((int)cp[i]))
buf[i] = cp[i];
else
buf[i] = '.';
=====================================
ntpd/ntp_packetstamp.c
=====================================
@@ -152,7 +152,8 @@ fetch_packetstamp(
# error "Can't get packet timestamp"
#endif
#ifdef ENABLE_FUZZ
- fuzz = ntp_random() * 2. / FRAC * sys_fuzz;
+/* fuzz = ntp_random() * 2. / FRAC * sys_fuzz; */
+ fuzz = random() * 2. / FRAC * sys_fuzz;
lfpfuzz = dtolfp(fuzz);
nts += lfpfuzz;
#endif
=====================================
ntpd/ntp_proto.c
=====================================
@@ -61,7 +61,7 @@ static inline l_fp_w htonl_fp(l_fp lfp) {
*/
#define NTP_MINCLOCK 3 /* min survivors */
#define NTP_MAXCLOCK 10 /* max candidates */
-#define MINDISPERSE .001 /* min distance */
+#define MINDISTANCE .001 /* min distance */
#define CLOCK_SGATE 3. /* popcorn spike gate */
#define NTP_ORPHWAIT 300 /* orphan wait (s) */
@@ -119,7 +119,7 @@ bool leap_sec_in_progress;
* Nonspecified system state variables
*/
l_fp sys_authdelay; /* authentication delay */
-double sys_mindisp = MINDISPERSE; /* minimum distance (s) */
+double sys_mindist = MINDISTANCE; /* minimum distance (s) */
static double sys_maxdist = MAXDISTANCE; /* selection threshold */
double sys_maxdisp = MAXDISPERSE; /* maximum dispersion */
static unsigned long sys_epoch; /* last clock update time */
@@ -231,7 +231,9 @@ void set_use_stattime(uptime_t stattime) {
}
+#ifdef ENABLE_FUZZ
double measured_tick; /* non-overridable sys_tick (s) */
+#endif
static void clock_combine (peer_select *, int, int);
static void clock_select (void);
@@ -1030,10 +1032,10 @@ clock_update(
+ loop_data.clock_phi * (current_time - peer->update)
+ fabs(clkstate.sys_offset);
- if (dtemp > sys_mindisp)
+ if (dtemp > sys_mindist)
sys_vars.sys_rootdisp = dtemp;
else
- sys_vars.sys_rootdisp = sys_mindisp;
+ sys_vars.sys_rootdisp = sys_mindist;
sys_vars.sys_rootdelay = peer->delay + peer->rootdelay;
sys_vars.sys_reftime = peer->dst;
@@ -1252,7 +1254,7 @@ peer_clear(
* Clear all values, including the optional crypto values above.
*/
memset(CLEAR_TO_ZERO(peer), 0, LEN_CLEAR_TO_ZERO(peer));
- peer->ppoll = peer->cfg.maxpoll;
+ peer->ppoll = NTP_MAXPOLL_UNK;
peer->hpoll = peer->cfg.minpoll;
peer->disp = sys_maxdisp;
peer->flash = peer_unfit(peer);
@@ -1792,7 +1794,7 @@ clock_select(void)
*/
if (nlist == 0) {
peers[0].error = 0;
- peers[0].synch = sys_mindisp;
+ peers[0].synch = sys_mindist;
#ifdef REFCLOCK
if (typemodem != NULL) {
peers[0].peer = typemodem;
@@ -1874,11 +1876,11 @@ clock_select(void)
*
* Choose the system peer using a hybrid metric composed of the
* selection jitter scaled by the root distance augmented by
- * stratum scaled by sys_mindisp (.001 by default). The goal of
+ * stratum scaled by sys_mindist (.001 by default). The goal of
* the small stratum factor is to avoid clockhop between a
* reference clock and a network peer which has a refclock and
* is using an older ntpd, which does not floor sys_rootdisp at
- * sys_mindisp.
+ * sys_mindist.
*
* In contrast, ntpd 4.2.6 and earlier used stratum primarily
* in selecting the system peer, using a weight of 1 second of
@@ -1912,7 +1914,7 @@ clock_select(void)
if (peer->cfg.flags & FLAG_PREFER)
sys_prefer = peer;
speermet = peers[i].seljit * peers[i].synch +
- peer->stratum * sys_mindisp;
+ peer->stratum * sys_mindist;
if (speermet < e) {
e = speermet;
speer = i;
@@ -1933,9 +1935,9 @@ clock_select(void)
if (osys_peer == NULL || osys_peer == typesystem) {
sys_clockhop = 0;
} else if ((x = fabs(typesystem->offset -
- osys_peer->offset)) < sys_mindisp) {
+ osys_peer->offset)) < sys_mindist) {
if ( D_ISZERO_NS(sys_clockhop) ) {
- sys_clockhop = sys_mindisp;
+ sys_clockhop = sys_mindist;
} else {
sys_clockhop *= .5;
}
@@ -2100,8 +2102,8 @@ root_distance(
* cannot exceed the sys_maxdist, as this is the cutoff by the
* selection algorithm.
*/
- if (dtemp < sys_mindisp) {
- dtemp = sys_mindisp;
+ if (dtemp < sys_mindist) {
+ dtemp = sys_mindist;
}
return (dtemp);
}
@@ -2217,7 +2219,8 @@ fast_xmit(
)
{
struct pkt xpkt; /* transmit packet structure */
- l_fp xmt_tx, xmt_ty;
+ l_fp xmt_tx;
+ struct timespec start, finish;
size_t sendlen;
/*
@@ -2336,16 +2339,15 @@ fast_xmit(
* 3) none
*/
sendlen = LEN_PKT_NOMAC;
- get_systime(&xmt_tx);
+ clock_gettime(CLOCK_REALTIME, &start);
if (rbufp->ntspacket.valid) {
sendlen += extens_server_send(&rbufp->ntspacket, &xpkt);
} else if (NULL != auth) {
sendlen += (size_t)authencrypt(auth, (uint32_t *)&xpkt, (int)sendlen);
}
sendpkt(&rbufp->recv_srcadr, rbufp->dstadr, &xpkt, (int)sendlen);
- get_systime(&xmt_ty);
- xmt_ty -= xmt_tx;
- sys_authdelay = xmt_ty;
+ clock_gettime(CLOCK_REALTIME, &finish);
+ sys_authdelay = tspec_to_d(sub_tspec(finish, start));
/* Previous versions of this code had separate DPRINT-s so it
* could print the key on the auth case. That requires separate
* sendpkt-s on each branch or the DPRINT pollutes the timing. */
@@ -2531,6 +2533,7 @@ static void restart_nts_ke(struct peer *peer) {
hpoll = 8; /* min retry: 256 seconds, ~5 min */
if (hpoll > 12)
hpoll = 12; /* 4096, a bit over an hour */
+ peer->ppoll = NTP_MAXPOLL_UNK;
peer->hpoll = hpoll;
peer->nextdate = current_time + (1U << hpoll);
peer->cfg.flags |= FLAG_LOOKUP;
@@ -2544,6 +2547,7 @@ void dns_try_again(void) {
struct peer *p;
for (p = peer_list; p != NULL; p = p->p_link) {
if ((p->cfg.flags & FLAG_LOOKUP) || (p->cast_flags & MDF_POOL)) {
+ p->ppoll = NTP_MAXPOLL_UNK;
p->hpoll = p->cfg.minpoll;
transmit(p); /* does all the work */
}
@@ -2809,6 +2813,7 @@ init_proto(const bool verbose)
measure_precision(verbose);
#else
UNUSED_ARG(verbose);
+ sys_vars.sys_precision = -30; /* ns */
#endif
get_systime(&dummy);
sys_survivors = 0;
@@ -2906,8 +2911,8 @@ proto_config(
sys_minclock = (int)dvalue;
break;
- case PROTO_MINDISP: /* minimum distance (mindist) */
- sys_mindisp = dvalue;
+ case PROTO_MINDIST: /* minimum distance (mindist) */
+ sys_mindist = dvalue;
break;
case PROTO_MINSANE: /* minimum survivors (minsane) */
=====================================
ntpd/ntp_refclock.c
=====================================
@@ -541,7 +541,7 @@ refclock_receive(
return;
clock_filter(peer, pp->offset, 0., pp->jitter);
- if (cal_enable && fabs(clkstate.last_offset) < sys_mindisp &&
+ if (cal_enable && fabs(clkstate.last_offset) < sys_mindist &&
sys_vars.sys_peer != NULL) {
if (sys_vars.sys_peer->is_pps_driver &&
!peer->is_pps_driver)
=====================================
ntpd/ntp_sandbox.c
=====================================
@@ -412,9 +412,10 @@ int scmp_sc[] = {
SCMP_SYS(gettid),
SCMP_SYS(geteuid),
/* __NR_ppoll is not available in Fedora 31.
- * I can't find where it is needed. HGM 2019-Nov-23
- * SCMP_SYS(ppoll),
- */
+ * Needed by getaddrinfo on Arch Linux. 2019-Dec */
+#ifdef __NR_ppoll
+ SCMP_SYS(ppoll),
+#endif
SCMP_SYS(sendmsg),
#ifdef __NR_geteuid32
SCMP_SYS(geteuid32),
=====================================
ntpd/nts_client.c
=====================================
@@ -35,7 +35,7 @@
SSL_CTX* make_ssl_client_ctx(const char *filename);
int open_TCP_socket(struct peer *peer, const char *hostname);
bool nts_set_cert_search(SSL_CTX *ctx, const char *filename);
-void set_hostname(SSL *ssl, const char *hostname);
+void set_hostname(SSL *ssl, struct peer *peer, const char *hostname);
bool check_certificate(SSL *ssl, struct peer *peer);
bool check_aead(SSL *ssl, struct peer *peer, const char *hostname);
bool nts_client_send_request(SSL *ssl, struct peer *peer);
@@ -127,7 +127,7 @@ bool nts_probe(struct peer * peer) {
ssl = SSL_new(ctx);
SSL_CTX_free(ctx);
}
- set_hostname(ssl, hostname);
+ set_hostname(ssl, peer, hostname);
SSL_set_fd(ssl, server);
if (1 != SSL_connect(ssl)) {
@@ -324,7 +324,7 @@ int open_TCP_socket(struct peer *peer, const char *hostname) {
return sockfd;
}
-void set_hostname(SSL *ssl, const char *hostname) {
+void set_hostname(SSL *ssl, struct peer *peer, const char *hostname) {
char host[256], *tmp;
/* chop off trailing :port */
@@ -340,10 +340,13 @@ void set_hostname(SSL *ssl, const char *hostname) {
// https://wiki.openssl.org/index.php/Hostname_validation
#if (OPENSSL_VERSION_NUMBER > 0x1010000fL)
+ UNUSED_ARG(peer);
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_WILDCARDS);
SSL_set1_host(ssl, host);
msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
#elif (OPENSSL_VERSION_NUMBER > 0x1000200fL)
+ if (FLAG_NTS_NOVAL & peer->cfg.flags)
+ return;
{ /* enable automatic hostname checks */
X509_VERIFY_PARAM *param = SSL_get0_param(ssl);
X509_VERIFY_PARAM_set_hostflags(param, X509_CHECK_FLAG_NO_WILDCARDS);
@@ -355,6 +358,7 @@ void set_hostname(SSL *ssl, const char *hostname) {
#else
/* Versions prior to 1.0.2 did not perform hostname validation */
UNUSED_ARG(ssl);
+ UNUSED_ARG(peer);
msyslog(LOG_ERR, "NTSc: can't check hostname/certificate");
#endif
@@ -385,8 +389,11 @@ bool check_certificate(SSL *ssl, struct peer* peer) {
} else {
msyslog(LOG_ERR, "NTSc: certificate invalid: %d=>%s",
certok, X509_verify_cert_error_string(certok));
- if (!(FLAG_NTS_NOVAL & peer->cfg.flags))
- return false;
+ if (FLAG_NTS_NOVAL & peer->cfg.flags) {
+ msyslog(LOG_INFO, "NTSc: noval - accepting invalid cert.");
+ return true;
+ }
+ return false;
}
}
return true;
@@ -421,7 +428,7 @@ bool check_aead(SSL *ssl, struct peer* peer, const char *hostname) {
memcpy(buff, data, l);
buff[l] = '\0';
for (i=0; i<l; i++) {
- if (!isgraph(buff[i])) {
+ if (!isgraph((int)buff[i])) {
buff[i] = '*'; /* fix non-printing crap */
}
}
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/d0cc180deff68b9cf7c6cbd62a75496b5054ff29...444796d1e01c43c6fcda04827989738518d748a2
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/compare/d0cc180deff68b9cf7c6cbd62a75496b5054ff29...444796d1e01c43c6fcda04827989738518d748a2
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20191229/fc424fd4/attachment-0001.htm>
More information about the vc
mailing list