[Git][NTPsec/ntpsec][master] 4 commits: Reduce verbosity on NTS Using message
Hal Murray
gitlab at mg.gitlab.com
Sun Mar 3 05:22:44 UTC 2019
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
2b689598 by Hal Murray at 2019-03-03T00:43:57Z
Reduce verbosity on NTS Using message
- - - - -
e9110c7f by Hal Murray at 2019-03-03T00:43:57Z
Process the out-of-cookies case, retry NTS-KE
- - - - -
69d149fa by Hal Murray at 2019-03-03T01:54:58Z
Fix for #564, config parser segfault on min/maxtls
- - - - -
7df09cae by Hal Murray at 2019-03-03T02:10:29Z
NTS: fix processing of received responses
- - - - -
5 changed files:
- include/ntpd.h
- ntpd/ntp_parser.y
- ntpd/ntp_peer.c
- ntpd/ntp_proto.c
- ntpd/nts_client.c
Changes:
=====================================
include/ntpd.h
=====================================
@@ -130,7 +130,8 @@ extern void set_peerdstadr (struct peer *, endpt *);
extern struct peer *newpeer (sockaddr_u *, const char *,
endpt *, uint8_t, struct peer_ctl *,
uint8_t, const bool);
-extern void peer_update_hash (struct peer *);
+extern void peer_add_hash (struct peer *);
+extern void peer_del_hash (struct peer *);
extern void peer_all_reset (void);
extern void peer_clr_stats (void);
extern void refresh_all_peerinterfaces(void);
=====================================
ntpd/ntp_parser.y
=====================================
@@ -295,7 +295,6 @@
%type <Integer> tinker_option_keyword
%type <Attr_val> tinker_option
%type <Attr_val_fifo> tinker_option_list
-%type <Integer> nts_int_option_keyword
%type <Integer> nts_string_option_keyword
%type <Attr_val> nts_option
%type <Attr_val_fifo> nts_option_list
@@ -1122,9 +1121,7 @@ nts_option_list
;
nts_option
- : nts_int_option_keyword number
- { $$ = create_attr_dval($1, $2); }
- | nts_string_option_keyword T_String
+ : nts_string_option_keyword T_String
{ $$ = create_attr_sval($1, $2); }
| T_Disable
{ $$ = create_attr_ival($1, 0); }
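Review bot: Moving `mintls`/`maxtls` from `number` to `T_String` changes what the config lexer will accept for these options, so the consumer of the attribute (not in this diff) now has to parse and range-check a version string; a value it does not recognise should be rejected at config time rather than silently leaving the TLS floor or ceiling unset, since the whole point of `mintls` is to exclude weaker versions. It is also worth confirming that the spelling documented for these options still tokenizes as a string rather than a number after this change, otherwise the #564 fix trades a segfault for a syntax error on existing configs. The `nts_option` rule continues past this hunk.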
@@ -1132,9 +1129,6 @@ nts_option
{ $$ = create_attr_ival($1, 1); }
;
-nts_int_option_keyword
- : T_Maxtls
- | T_Mintls
;
nts_string_option_keyword
@@ -1143,6 +1137,8 @@ nts_string_option_keyword
| T_Key
| T_Tlsciphers
| T_Tlsciphersuites
+ | T_Maxtls
+ | T_Mintls
/* Miscellaneous Commands
=====================================
ntpd/ntp_peer.c
=====================================
@@ -683,7 +683,7 @@ newpeer(
* Put the new peer in the hash tables.
*/
if ((MDF_UCAST & cast_flags) && !(FLAG_LOOKUP & ctl->flags))
- peer_update_hash(peer);
+ peer_add_hash(peer);
hash = peer->associd & NTP_HASH_MASK;
LINK_SLIST(assoc_hash[hash], peer, aid_link);
assoc_hash_count[hash]++;
@@ -698,7 +698,23 @@ newpeer(
return peer;
}
-void peer_update_hash (struct peer *peer)
+void peer_del_hash (struct peer *peer)
+{
+ unsigned int hash;
+ struct peer *unlinked;
+
+ hash = NTP_HASH_ADDR(&peer->srcadr);
+ peer_hash_count[hash]--;
+
+ UNLINK_SLIST(unlinked, peer_hash[hash], peer, adr_link, struct peer);
+ if (NULL == unlinked) {
+ peer_hash_count[hash]++;
+ msyslog(LOG_ERR, "ERR: peer %s not in address table!",
+ socktoa(&peer->srcadr));
+ }
+}
+
+void peer_add_hash (struct peer *peer)
{
unsigned int hash;
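Review bot: `peer_hash_count[hash]` is decremented before the unlink and re-incremented when the peer turns out not to be in the list; decrementing only on success reads more directly and avoids the momentary inconsistency: `UNLINK_SLIST(unlinked, peer_hash[hash], peer, adr_link, struct peer);` then `if (NULL != unlinked) peer_hash_count[hash]--; else msyslog(LOG_ERR, "ERR: peer %s not in address table!", socktoa(&peer->srcadr));`. A short header comment would also help, since this is the new counterpart of `peer_add_hash`: `/* Remove peer from the source-address hash; callers that re-resolve the peer (e.g. an NTS-KE restart) presumably re-add it via peer_add_hash. */`. `peer_add_hash` begins at the end of this hunk and its body is outside it.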
=====================================
ntpd/ntp_proto.c
=====================================
@@ -161,6 +161,7 @@ static double measure_tick_fuzz(void);
static void peer_xmit (struct peer *);
static int peer_unfit (struct peer *);
static double root_distance (struct peer *);
+static void restart_nts_ke (struct peer *);
void
@@ -716,9 +717,9 @@ receive(
stat_count.sys_declined++;
break;
}
- if (rbufp->extens_present
- && !extens_client_recv(peer,
- rbufp->recv_buffer, rbufp->recv_length)) {
+ if ((peer->cfg.flags & FLAG_NTS)
+ && (!rbufp->extens_present || !extens_client_recv(peer,
+ rbufp->recv_buffer, rbufp->recv_length))) {
stat_count.sys_declined++;
break;
}
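Review bot: A reply to an `FLAG_NTS` peer that arrives with no extension fields is now declined, which closes the earlier path where such a reply was accepted unauthenticated, but it is folded into `stat_count.sys_declined` together with a failed `extens_client_recv` and every other decline, so a stripped-extension (downgrade) reply from an on-path attacker leaves no distinguishable trace for an operator. Consider a dedicated counter, or a rate-limited log line, specifically for the `FLAG_NTS && !rbufp->extens_present` case before the `break`. Note also that, unlike the removed condition, extension fields on a non-NTS peer's packet are no longer handed to `extens_client_recv` at all; if that is intended, a one-line comment such as `/* extension fields are only interpreted on NTS associations */` would make it explicit. `receive()` begins and ends outside this hunk.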
@@ -2066,7 +2067,7 @@ peer_xmit(
if (0 < peer->nts_state.count)
sendlen += extens_client_send(peer, &xpkt);
else {
- // FIXME - out of cookies
+ restart_nts_ke(peer); /* out of cookies */
return;
}
} else if (0 != peer->cfg.peerkey) {
@@ -2281,7 +2282,7 @@ dns_take_server(
server->cfg.flags &= (unsigned)~FLAG_LOOKUP;
server->srcadr = *rmtadr;
- peer_update_hash(server);
+ peer_add_hash(server);
restrict_mask = restrictions(&server->srcadr);
if (RES_FLAGS & restrict_mask) {
@@ -2399,6 +2400,26 @@ void dns_take_status(struct peer* peer, DNS_Status status) {
peer->nextdate = current_time + (1U << hpoll);
}
+/* NTS out of cookies
+ * Beware of clutter in NTS-KE server logs
+ * There are actually several cases:
+ * No NTS-KE server
+ * NTS-KE server answers, but we don't like it.
+ * NTS-KE works, but NTP server doesn't respond.
+ */
+static void restart_nts_ke(struct peer *peer) {
+ uint8_t hpoll = peer->hpoll;
+ peer_del_hash(peer);
+ hpoll += 2;
+ if (hpoll < 8)
+ hpoll = 8; /* min retry: 256 seconds, ~5 min */
+ if (hpoll > 12)
+ hpoll = 12; /* 4096, a bit over an hour */
+ peer->hpoll = hpoll;
+ peer->nextdate = current_time + (1U << hpoll);
+ peer->cfg.flags |= FLAG_LOOKUP;
+};
+
/*
* dns_new_interface
* A new interface is now active
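Review bot: The `};` closing `restart_nts_ke` leaves a stray `;` at file scope, which `-pedantic` flags; it should be a bare `}`. The header comment lists the failure cases but not what the function does; I would add `/* Drop the peer from the address hash and flag it for a fresh DNS lookup and NTS-KE, backing off exponentially (clamped to 256..4096 s) so a dead or hostile NTS-KE server is not hammered. */`. `peer->hpoll` is raised to at least 8 here and nothing in this diff restores it once NTS-KE succeeds, so presumably the lookup path does, but that is worth confirming since otherwise a single cookie exhaustion permanently slows polling for that peer.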
=====================================
ntpd/nts_client.c
=====================================
@@ -124,7 +124,7 @@ bool nts_probe(struct peer * peer) {
}
/* This may be clutter, but this is how to do it. */
- msyslog(LOG_INFO, "NTSc: Using %s, %s with %d secret bits",
+ msyslog(LOG_INFO, "NTSc: Using %s, %s (%d)",
SSL_get_version(ssl),
SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, NULL));
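Review bot: The shortened message drops the unit, so the trailing number in lines like `NTSc: Using <version>, <cipher> (256)` is unexplained to anyone reading the log later or parsing it in a SIEM. `"NTSc: Using %s, %s (%d bits)"` stays nearly as short and keeps the value self-describing. `nts_probe` begins and ends outside this hunk.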