From gitlab at mg.gitlab.com Mon Sep 25 00:43:01 2023 From: gitlab at mg.gitlab.com (Hal Murray (@hal.murray)) Date: Mon, 25 Sep 2023 00:43:01 +0000 Subject: [Git][NTPsec/ntpsec][master] 6 commits: Turn on server preference, fix #797 Message-ID: <6510d7957944a_28a557899945@gitlab-sidekiq-low-urgency-cpu-bound-v2-575467565f-frbls.mail> Hal Murray pushed to branch master at NTPsec / ntpsec Commits: f5a8755d by Hal Murray at 2023-08-29T11:18:55-07:00 Turn on server preference, fix #797 Turn on SSL_OP_CIPHER_SERVER_PREFERENCE when the admin sets ciphers. - - - - - a31f4378 by Hal Murray at 2023-08-29T11:18:55-07:00 Working on ntskestats Change double to l_fp in ntske_counters Merge usr+sys=>CPU in ntskestats and ntpq -c nts Add wall+cpu time for noSSL ntpq doesn't have a handy way to process l_fp so convert to double for now - - - - - 7ec3ad40 by Hal Murray at 2023-08-29T11:18:55-07:00 Add nts.xxx_r support to ntp_control Tested by hand. No changes to ntpq.py to use it. - - - - - 1f70af1c by Hal Murray at 2023-09-22T16:26:50-07:00 Add second hist to show (long) tail - - - - - 680cae59 by Hal Murray at 2023-09-22T16:27:51-07:00 Tweak names for NTS printout no SSL => no-TLS - - - - - 9ab1eca2 by Hal Murray at 2023-09-22T16:29:10-07:00 Add doc for ntsstats and ntskestats - - - - - 10 changed files: - attic/aes-siv-timing.c - attic/clocks.c - docs/includes/mon-commands.adoc - docs/includes/nts-commands.adoc - include/nts.h - ntpclients/ntpq.py - ntpd/ntp_control.c - ntpd/ntp_util.c - ntpd/nts.c - ntpd/nts_server.c Changes: ===================================== attic/aes-siv-timing.c ===================================== @@ -21,6 +21,7 @@ #include #include #include "aes_siv.h" +#include "ntp_fp.h" #include "nts.h" #define UNUSED_ARG(arg) ((void)(arg)) ===================================== attic/clocks.c ===================================== @@ -18,7 +18,8 @@ struct table { #define BILLION 1000000000 #define HISTSIZE 2500 #define NSPERBUCKET 1 -#define MAXHISTLINES 10 +#define NSPERBUCKET2 250 +#define MAXHISTLINES 15 struct table clocks [] = { {CLOCK_REALTIME, "CLOCK_REALTIME"}, @@ -148,28 +149,53 @@ static int do_fastest(int type) { dups++; continue; } - if (nanos < fastest) { fastest = nanos; - } + if (nanos < fastest) fastest = nanos; } return fastest; } +static int do_slowest(int type) { + struct timespec start, stop; + uint64_t sec, nanos, slowest; + + dups = 0; + slowest = 0; + for (int i = 0; i < BATCHSIZE; i++) { + clock_gettime(type, &start); /* warm up caches */ + clock_gettime(type, &start); + clock_gettime(type, &stop); + sec = (stop.tv_sec-start.tv_sec); + nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec); + if (0 == nanos) { + /* I've seen this on Pi 1. */ + dups++; + continue; + } + if (nanos > slowest) slowest = nanos; + } + + return slowest; +} -static int do_hist(int type, int fastest) { +/* The second hist shows the tail. */ +static void do_hist(int type) { int nsPerBucket = NSPERBUCKET; + int nsPerBucket2 = NSPERBUCKET2; int i; - int delta, lines, toobig, hits, miss; + int index, lines, toobig, hits; + int last = 0; struct timespec start, stop; - int64_t sec, nanos; + int64_t sec, nanos, slowest; unsigned int hist[HISTSIZE]; - int faster = 0; + unsigned int hist2[HISTSIZE]; dups = 0; - toobig = 0; for (i = 0; i < HISTSIZE; i++) { hist[i] = 0; + hist2[i] = 0; } + slowest = 0; for (i = 0; i < BATCHSIZE; i++) { clock_gettime(type, &start); /* warm up cache */ clock_gettime(type, &stop); @@ -185,33 +211,29 @@ static int do_hist(int type, int fastest) { continue; } if (0 == nanos) { - /* I've seen this on Pi 1. */ + /* This happens on Pi 1. */ dups++; continue; } - delta = (nanos-fastest) / nsPerBucket; - if (0 > delta) { - /* fastest wasn't fast enough */ - if (0 == faster) { - faster = delta; - } - if (faster > delta) { - faster = delta; - } - continue; + index = nanos / nsPerBucket; + if (index < HISTSIZE) { + hist[index]++; } - if (delta < HISTSIZE) { - hist[delta]++; - } else { - toobig++; + index = nanos / nsPerBucket2; + if (index < HISTSIZE) { + hist2[index]++; } + if (slowest < nanos) slowest = nanos; } - if (faster) { return faster; + if (dups) { + printf("%d samples were duplicated.\n", dups); } + printf("\n"); printf("Histogram: CLOCK_REALTIME, %d ns per bucket, %d samples.\n", nsPerBucket, BATCHSIZE); printf(" ns hits\n"); + toobig = 0; lines = 0; hits = 0; for (i=0; i %d\n", fastest, faster); - fastest = faster; + do_hist(CLOCK_REALTIME); + } + + + printf("\nSlowest from each batch of %d...\n", BATCHSIZE); + for (int i=0; i<50; i++) { + int slowest; + slowest = do_slowest(CLOCK_REALTIME); + printf(" %6ld", (long)slowest); + if ((i%10)==9) printf("\n"); + if (dups) { + printf(" %d samples were duplicated.\n", dups); } + if (slowest > slowestest) slowestest = slowest; + } + printf("Slowest was %ld\n", (long)slowestest); return 0; ===================================== docs/includes/mon-commands.adoc ===================================== @@ -1,7 +1,7 @@ // Monitoring commands. Is included twice. [[statistics]]+statistics+ _name..._:: - Enables writing of statistics records. Currently, eight kinds of + Enables writing of statistics records. Currently, ten kinds of _name_ statistics are supported. + +clockstats+;; @@ -57,12 +57,86 @@ The first two fields show the date (Modified Julian Day) and time time offset (seconds), frequency offset (parts per million - PPM), RMS jitter (seconds), Allan deviation (PPM) and clock discipline time constant. ++ + +ntsstats+;; + Enables recording of NTS statistics counters on a periodic basis. + Each hour a line of the following form is appended to the file + generation set named _ntsstats_: ++ +----------------------------------------------------------- +60209 77147.187 3600 1320 1239 0 2895 2895 11 4104 0 2897 2885 10 0 0 2 0 +----------------------------------------------------------- ++ +[width="100%",cols="<34%,<33%,<33%"] +|==================================== +|Item |Units |Description +|+60209+ |MJD |date +|+77147.187+ |s |time past midnight +|+3600+ |s |time since reset +|+1320+ |packets |client requests sent +|+1239+ |packets |client responses received good +|+0+ |packets |client responses received bad +|+2895+ |packets |server responses sent +|+2895+ |packets |server requests received good +|+11+ |packets |server requests received bad +|+4104+ |packets |cookies made +|+0+ |packets |cookie decodes not server +|+2897+ |packets |cookie decodes total +|+2885+ |packets |cookie decodes current +|+10+ |packets |cookie decodes 1-2 days +|+0+ |packets |cookie decodes 2-3 days +|+0+ |packets |cookie decodes 3-10 days +|+2+ |packets |cookie decodes too old +|+0+ |packets |cookie decodes error +|==================================== ++ +These counters are also available via _ntpq_'s _nts_ command. ++ + +ntskestats+;; + Enables recording of NTS-KE statistics counters on a periodic basis. + Each hour a line of the following form is appended to the file + generation set named _ntskestats_: ++ +----------------------------------------------------------- +60209 77147.187 3600 10 2.914 0.026 2 3.218 0.004 0 0.000 0.000 0 0 +----------------------------------------------------------- ++ +[width="100%",cols="<34%,<33%,<33%"] +|==================================== +|Item |Units |Description +|+60209+ |MJD |date +|+77147.187+ |s |time past midnight +|+3600+ |s |time since reset +|+10+ |requests |server requests good +|+2.914+ |seconds |server good wall clock time +|+0.026+ |seconds |server good server cpu time +|+2+ |requests |server requests no-TLS +|+3.218+ |seconds |server no-TLS wall clock time +|+0.004+ |seconds |server no-TLS server cpu time +|+0+ |requests |server requests bad +|+0.000+ |seconds |server bad wall clock time +|+0.000+ |seconds |server bad server cpu time +|+0+ |requests |client requests good +|+0+ |requests |client requests bad +|==================================== ++ +These counters are also available via _ntpq_'s _nts_ command. ++ +There are two types of failures for NTS-KE server processing. +The _no-TLS_ slots are for the path when the TLS connection doesn't get setup. +The _bad_ slots are for the path when the TLS connection does get setup +but there is an error during the NTS-KE exchange. ++ +Both are typically caused by bad guys probing for servers to abuse. +A _no-TLS_ event would be caused by a bad guy using unencrypted SMTP while a _bad_ event would be caused by SMTP over TLS. + +protostats+;; Record significant peer and system events. Each significant event appends one line to the +protostats+ file set: + -+49213 525.624 128.4.1.1 963a 8a+ _message_ +--------------------------------------------------- +49213 525.624 128.4.1.1 963a 8a+ _message_ +--------------------------------------------------- + [width="100%",cols="<34%,<33%,<33%"] |==================================== ===================================== docs/includes/nts-commands.adoc ===================================== @@ -54,6 +54,10 @@ The options are as follows: +tlsciphersuites+ _string_:: An OpenSSL ciphersuite list to configure the allowed ciphersuites for TLS 1.3. A single NULL cipher disables encryption and use of certificates. + This sets the ciphers used by both the client and server sides. + + + The server picks the cipher. The default is client preference. + Specifying ciphersuites also switches to server preference. +tlsecdhcurves+ _string_:: An OpenSSL ecdhcurves list to configure the allowed ecdhcurves for ===================================== include/nts.h ===================================== @@ -257,14 +257,14 @@ struct nts_counters { }; struct ntske_counters { uint64_t serves_good; - double serves_good_wall; - double serves_good_usr; - double serves_good_sys; + l_fp serves_good_wall; + l_fp serves_good_cpu; uint64_t serves_nossl; + l_fp serves_nossl_wall; + l_fp serves_nossl_cpu; uint64_t serves_bad; - double serves_bad_wall; - double serves_bad_usr; - double serves_bad_sys; + l_fp serves_bad_wall; + l_fp serves_bad_cpu; uint64_t probes_good; uint64_t probes_bad; }; ===================================== ntpclients/ntpq.py ===================================== @@ -1667,17 +1667,17 @@ usage: authinfo ("nts_cookie_decode_error", "NTS decode cookies error: ", NTP_UINT), ) ntskeinfo = ( - ("nts_ke_probes_good", "NTS KE client probes good: ", NTP_UINT), - ("nts_ke_probes_bad", "NTS KE client probes bad: ", NTP_UINT), ("nts_ke_serves_good", "NTS KE serves good: ", NTP_UINT), ("nts_ke_serves_good_wall", "NTS KE serves good wall: ", NTP_FLOAT), - ("nts_ke_serves_good_usr", "NTS KE serves good CPU/usr: ", NTP_FLOAT), - ("nts_ke_serves_good_sys", "NTS KE serves good CPU/sys: ", NTP_FLOAT), - ("nts_ke_serves_nossl", "NTS KE serves no SSL: ", NTP_UINT), + ("nts_ke_serves_good_cpu", "NTS KE serves good CPU: ", NTP_FLOAT), + ("nts_ke_serves_nossl", "NTS KE serves no-TLS: ", NTP_UINT), + ("nts_ke_serves_nossl_wall", "NTS KE serves no-TLS wall: ", NTP_FLOAT), + ("nts_ke_serves_nossl_cpu", "NTS KE serves no-TLS CPU: ", NTP_FLOAT), ("nts_ke_serves_bad", "NTS KE serves bad: ", NTP_UINT), ("nts_ke_serves_bad_wall", "NTS KE serves bad wall: ", NTP_FLOAT), - ("nts_ke_serves_bad_usr", "NTS KE serves bad CPU/usr: ", NTP_FLOAT), - ("nts_ke_serves_bad_sys", "NTS KE serves bad CPU/sys: ", NTP_FLOAT), + ("nts_ke_serves_bad_cpu", "NTS KE serves bad CPU: ", NTP_FLOAT), + ("nts_ke_probes_good", "NTS KE client probes good: ", NTP_UINT), + ("nts_ke_probes_bad", "NTS KE client probes bad: ", NTP_UINT), ) self.collect_display(associd=0, variables=ntsinfo, decodestatus=False) self.collect_display(associd=0, variables=ntskeinfo, decodestatus=False) ===================================== ntpd/ntp_control.c ===================================== @@ -165,7 +165,8 @@ enum var_type {v_time, v_str, v_dbl, v_uli, v_li, v_uint, v_int, v_u64, v_i64, v_u32, v_i32, v_u8, v_i8, v_bool, v_strP, v_u64P, v_u32P, v_uliP, - v_l_fp, v_l_fp_ms, + v_l_fp, v_l_fp_ms, v_l_fp_sec, + v_u64_r, v_l_fp_sec_r, v_mrumem, v_since, v_kli, v_special}; enum var_type_special { @@ -199,6 +200,11 @@ struct var { unsigned long int (*p_uliP)(void); const enum var_type_special special; }; + union { + /* second pointer for returning recent since-stats-logged */ + const uint64_t* p2_u64; + const uint64_t* p2_l_fp; + }; }; #define Var_time(xname, xflags, xlocation) { \ @@ -227,6 +233,9 @@ struct var { #define Var_u64(xname, xflags, xlocation) { \ .name = xname, .flags = xflags, .type = v_u64, .p_u64 = &xlocation } +#define Var_u64_r(xname, xflags, xlocation) { \ + .name = xname, .flags = xflags, .type = v_u64_r, \ + .p_u64 = &xlocation, .p2_u64 = &(old_##xlocation) } #define Var_i64(xname, xflags, xlocation) { \ .name = xname, .flags = xflags, .type = v_i64, .p_i84 = &xlocation } #define Var_u32(xname, xflags, xlocation) { \ @@ -244,6 +253,11 @@ struct var { .name = xname, .flags = xflags, .type = v_l_fp, .p_l_fp = &xlocation } #define Var_l_fp_ms(xname, xflags, xlocation) { \ .name = xname, .flags = xflags, .type = v_l_fp_ms, .p_l_fp = &xlocation } +#define Var_l_fp_sec(xname, xflags, xlocation) { \ + .name = xname, .flags = xflags, .type = v_l_fp_sec, .p_l_fp = &xlocation } +#define Var_l_fp_r(xname, xflags, xlocation) { \ + .name = xname, .flags = xflags, .type = v_l_fp_sec_r, \ + .p_l_fp = &xlocation, .p2_l_fp = &(old_##xlocation) } #define Var_since(xname, xflags, xlocation) { \ .name = xname, .flags = xflags, .type = v_since, .p_up = &xlocation } @@ -323,6 +337,7 @@ static const struct var sys_var[] = { Var_Pair("ss_limited", limitrejected), Var_Pair("ss_kodsent", kodsent), Var_Pair("ss_processed", processed), +#undef Var_Pair /* We own this one. See above. No proc mode. * Note that lots of others are not (yet?) in this table. */ @@ -407,36 +422,44 @@ static const struct var sys_var[] = { Var_bool("lockclock", RO, loop_data.lockclock), #ifndef DISABLE_NTS +#define Var_Pair(name, location) \ + Var_u64(name, RO, location), \ + Var_u64_r(name "_r", RO, location) +#define Var_PairF(name, location) \ + Var_l_fp_sec(name, RO, location), \ + Var_l_fp_r(name "_r", RO, location) /* ntsinfo: NTS statistics */ - Var_u64("nts_client_send", RO, nts_cnt.client_send), - Var_u64("nts_client_recv_good", RO, nts_cnt.client_recv_good), - Var_u64("nts_client_recv_bad", RO, nts_cnt.client_recv_bad), - Var_u64("nts_server_send", RO, nts_cnt.server_send), - Var_u64("nts_server_recv_good", RO, nts_cnt.server_recv_good), - Var_u64("nts_server_recv_bad", RO, nts_cnt.server_recv_bad), - Var_u64("nts_cookie_make", RO, nts_cnt.cookie_make), - Var_u64("nts_cookie_not_server", RO, nts_cnt.cookie_not_server), - Var_u64("nts_cookie_decode_total", RO, nts_cnt.cookie_decode_total), - Var_u64("nts_cookie_decode_current", RO, nts_cnt.cookie_decode_current), + Var_Pair("nts_client_send", nts_cnt.client_send), + Var_Pair("nts_client_recv_good", nts_cnt.client_recv_good), + Var_Pair("nts_client_recv_bad", nts_cnt.client_recv_bad), + Var_Pair("nts_server_send", nts_cnt.server_send), + Var_Pair("nts_server_recv_good", nts_cnt.server_recv_good), + Var_Pair("nts_server_recv_bad", nts_cnt.server_recv_bad), + Var_Pair("nts_cookie_make", nts_cnt.cookie_make), + Var_Pair("nts_cookie_not_server", nts_cnt.cookie_not_server), + Var_Pair("nts_cookie_decode_total", nts_cnt.cookie_decode_total), + Var_Pair("nts_cookie_decode_current", nts_cnt.cookie_decode_current), /* Following line is a hack for old versions of ntpq * nts_cookie_decode is old name for nts_cookie_decode_current */ - Var_u64("nts_cookie_decode", RO, nts_cnt.cookie_decode_current), - Var_u64("nts_cookie_decode_old", RO, nts_cnt.cookie_decode_old), - Var_u64("nts_cookie_decode_old2", RO, nts_cnt.cookie_decode_old2), - Var_u64("nts_cookie_decode_older", RO, nts_cnt.cookie_decode_older), - Var_u64("nts_cookie_decode_too_old", RO, nts_cnt.cookie_decode_too_old), - Var_u64("nts_cookie_decode_error", RO, nts_cnt.cookie_decode_error), - Var_u64("nts_ke_serves_good", RO, ntske_cnt.serves_good), - Var_dbl("nts_ke_serves_good_wall", RO, ntske_cnt.serves_good_wall), - Var_dbl("nts_ke_serves_good_usr", RO, ntske_cnt.serves_good_usr), - Var_dbl("nts_ke_serves_good_sys", RO, ntske_cnt.serves_good_sys), - Var_u64("nts_ke_serves_nossl", RO, ntske_cnt.serves_nossl), - Var_u64("nts_ke_serves_bad", RO, ntske_cnt.serves_bad), - Var_dbl("nts_ke_serves_bad_wall", RO, ntske_cnt.serves_bad_wall), - Var_dbl("nts_ke_serves_bad_usr", RO, ntske_cnt.serves_bad_usr), - Var_dbl("nts_ke_serves_bad_sys", RO, ntske_cnt.serves_bad_sys), - Var_u64("nts_ke_probes_good", RO, ntske_cnt.probes_good), - Var_u64("nts_ke_probes_bad", RO, ntske_cnt.probes_bad), + Var_Pair("nts_cookie_decode", nts_cnt.cookie_decode_current), + Var_Pair("nts_cookie_decode_old", nts_cnt.cookie_decode_old), + Var_Pair("nts_cookie_decode_old2", nts_cnt.cookie_decode_old2), + Var_Pair("nts_cookie_decode_older", nts_cnt.cookie_decode_older), + Var_Pair("nts_cookie_decode_too_old", nts_cnt.cookie_decode_too_old), + Var_Pair("nts_cookie_decode_error", nts_cnt.cookie_decode_error), + Var_Pair("nts_ke_serves_good", ntske_cnt.serves_good), + Var_PairF("nts_ke_serves_good_wall", ntske_cnt.serves_good_wall), + Var_PairF("nts_ke_serves_good_cpu", ntske_cnt.serves_good_cpu), + Var_Pair("nts_ke_serves_nossl", ntske_cnt.serves_nossl), + Var_PairF("nts_ke_serves_nossl_wall", ntske_cnt.serves_nossl_wall), + Var_PairF("nts_ke_serves_nossl_cpu", ntske_cnt.serves_nossl_cpu), + Var_Pair("nts_ke_serves_bad", ntske_cnt.serves_bad), + Var_PairF("nts_ke_serves_bad_wall", ntske_cnt.serves_bad_wall), + Var_PairF("nts_ke_serves_bad_cpu", ntske_cnt.serves_bad_cpu), + Var_Pair("nts_ke_probes_good", ntske_cnt.probes_good), + Var_Pair("nts_ke_probes_bad", ntske_cnt.probes_bad), +#undef Var_Pair +#undef Var_PairF #endif { .flags=EOV } // end marker for scans @@ -1412,6 +1435,8 @@ ctl_putsys(const struct var * v) { case v_uli: ctl_putuint(v->name, *v->p_uli); break; case v_uint: ctl_putuint(v->name, *v->p_uint); break; case v_u64: ctl_putuint(v->name, *v->p_u64); break; + case v_u64_r: + ctl_putuint(v->name, *v->p_u64-*v->p2_u64); break; case v_u32: ctl_putuint(v->name, *v->p_u32); break; case v_u8: ctl_putuint(v->name, *v->p_u8); break; @@ -1431,12 +1456,21 @@ ctl_putsys(const struct var * v) { /* time of day */ case v_l_fp: ctl_putts(v->name, *v->p_l_fp); break; + /* time differences */ case v_l_fp_ms: temp_d = lfptod(*v->p_l_fp); temp_d *= MS_PER_S; ctl_putdbl(v->name, temp_d); break; + case v_l_fp_sec: + temp_d = lfptod(*v->p_l_fp); + ctl_putdbl(v->name, temp_d); + break; + case v_l_fp_sec_r: + temp_d = lfptod(*v->p_l_fp-*v->p2_l_fp); + ctl_putdbl(v->name, temp_d); + break; case v_mrumem: mem = *v->p_u64 * sizeof(mon_entry); ===================================== ntpd/ntp_util.c ===================================== @@ -773,7 +773,7 @@ void record_nts_stats(void) { } #define ntske_since(CNT) ((unsigned long long)(ntske_cnt.CNT - old_ntske_cnt.CNT)) -#define ntske_since_f(CNT) (ntske_cnt.CNT - old_ntske_cnt.CNT) +#define ntske_since_f(CNT) ((double)lfptod(ntske_cnt.CNT - old_ntske_cnt.CNT)) uptime_t ntske_stattime; void record_ntske_stats(void) { #ifndef DISABLE_NTS @@ -786,17 +786,17 @@ void record_ntske_stats(void) { filegen_setup(&ntskestats, now.tv_sec); if (ntsstats.fp != NULL) { fprintf(ntskestats.fp, - "%s %u %llu %.3f %.3f %.3f %llu %llu %.3f %.3f %.3f %llu %llu\n", + "%s %u %llu %.3f %.3f %llu %.3f %.3f %llu %.3f %.3f %llu %llu\n", timespec_to_MJDtime(&now), current_time-ntske_stattime, ntske_since(serves_good), ntske_since_f(serves_good_wall), - ntske_since_f(serves_good_usr), - ntske_since_f(serves_good_sys), + ntske_since_f(serves_good_cpu), ntske_since(serves_nossl), + ntske_since_f(serves_nossl_wall), + ntske_since_f(serves_nossl_cpu), ntske_since(serves_bad), ntske_since_f(serves_bad_wall), - ntske_since_f(serves_bad_usr), - ntske_since_f(serves_bad_sys), + ntske_since_f(serves_bad_cpu), ntske_since(probes_good), ntske_since(probes_bad) ); fflush(ntskestats.fp); ===================================== ntpd/nts.c ===================================== @@ -182,14 +182,22 @@ bool nts_load_ciphers(SSL_CTX *ctx) { * There is no SSL_CTX_get_cipher_list, so we can't easily read back * the ciphers to see what it took. * We could make a dummy SSL, read the list, then free it. + * man SSL_CTX_set_ciphersuites() has info. */ - if (NULL != ntsconfig.tlsciphersuites) { - if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) { - msyslog(LOG_ERR, "NTS: troubles setting ciphersuites."); - return false; - } else { - msyslog(LOG_INFO, "NTS: set ciphersuites."); - } + if (NULL == ntsconfig.tlsciphersuites) { + return true; + } + /* The server picks the ciphers. + * Default is client preference. + * This switches to server preference if the admin + * specifies the valid ciphers. See #797 + */ + SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); + if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) { + msyslog(LOG_ERR, "NTS: troubles setting ciphersuites."); + return false; + } else { + msyslog(LOG_INFO, "NTS: set ciphersuites %s.", ntsconfig.tlsciphersuites); } return true; } ===================================== ntpd/nts_server.c ===================================== @@ -185,6 +185,13 @@ void nts_unlock_certlock(void) { } } +/* lfptod goes to long double */ +static inline double lfptox(l_fp r) { +/* l_fp to double */ + return ldexp((double)((int64_t)r), -32); +} + + void* nts_ke_listener(void* arg) { struct timeval timeout = {.tv_sec = NTS_KE_TIMEOUT, .tv_usec = 0}; int sock = *(int*)arg; @@ -192,13 +199,13 @@ void* nts_ke_listener(void* arg) { char addrbuf[100]; char usingbuf[100]; struct timespec start, finish; /* wall clock */ - double wall; + l_fp wall; bool worked; const char *good; #ifdef RUSAGE_THREAD struct timespec start_u, finish_u; /* CPU user */ struct timespec start_s, finish_s; /* CPU system */ - double usr, sys; /* seconds */ + l_fp usr, sys; struct rusage usage; #endif @@ -269,12 +276,23 @@ void* nts_ke_listener(void* arg) { if (SSL_accept(ssl) <= 0) { clock_gettime(CLOCK_REALTIME, &finish); - wall = tspec_to_d(sub_tspec(finish, start)); - nts_ke_accept_fail(addrbuf, wall); + wall = tspec_intv_to_lfp(sub_tspec(finish, start)); + nts_ke_accept_fail(addrbuf, lfptox(wall)); SSL_free(ssl); close(client); ntske_cnt.serves_nossl++; -// FIXME: update start_u and start_s + ntske_cnt.serves_nossl_wall += wall; +#ifdef RUSAGE_THREAD + getrusage(RUSAGE_THREAD, &usage); + finish_u = tval_to_tspec(usage.ru_utime); + finish_s = tval_to_tspec(usage.ru_stime); + usr = tspec_intv_to_lfp(sub_tspec(finish_u, start_u)); + sys = tspec_intv_to_lfp(sub_tspec(finish_s, start_s)); + start_u = finish_u; + start_s = finish_s; + ntske_cnt.serves_nossl_cpu += usr; + ntske_cnt.serves_nossl_cpu += sys; +#endif continue; } @@ -297,7 +315,7 @@ void* nts_ke_listener(void* arg) { close(client); clock_gettime(CLOCK_REALTIME, &finish); - wall = tspec_to_d(sub_tspec(finish, start)); + wall = tspec_intv_to_lfp(sub_tspec(finish, start)); if (worked) { ntske_cnt.serves_good++; ntske_cnt.serves_good_wall += wall; @@ -309,23 +327,23 @@ void* nts_ke_listener(void* arg) { getrusage(RUSAGE_THREAD, &usage); finish_u = tval_to_tspec(usage.ru_utime); finish_s = tval_to_tspec(usage.ru_stime); - usr = tspec_to_d(sub_tspec(finish_u, start_u)); - sys = tspec_to_d(sub_tspec(finish_s, start_s)); + usr = tspec_intv_to_lfp(sub_tspec(finish_u, start_u)); + sys = tspec_intv_to_lfp(sub_tspec(finish_s, start_s)); start_u = finish_u; start_s = finish_s; if (worked) { - ntske_cnt.serves_good_usr += usr; - ntske_cnt.serves_good_sys += sys; + ntske_cnt.serves_good_cpu += usr; + ntske_cnt.serves_good_cpu += sys; } else { - ntske_cnt.serves_bad_usr += usr; - ntske_cnt.serves_bad_sys += sys; + ntske_cnt.serves_bad_cpu += usr; + ntske_cnt.serves_bad_cpu += sys; } msyslog(LOG_INFO, "NTSs: NTS-KE from %s, %s, Using %s, took %.3f sec, CPU: %.3f+%.3f ms", - addrbuf, good, usingbuf, wall, - usr*1000, sys*1000); + addrbuf, good, usingbuf, lfptox(wall), + lfptox(usr*1000), lfptox(sys*1000)); #else msyslog(LOG_INFO, "NTSs: NTS-KE from %s, %s, Using %s, took %.3f sec", - addrbuf, good, usingbuf, wall); + addrbuf, good, usingbuf, lfptox(wall)); #endif } return NULL; View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/45e7c3f695c49f638bea3a738e36f98395abadf3...9ab1eca2454136414a98d163fcc91a05b54760f7 -- View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/45e7c3f695c49f638bea3a738e36f98395abadf3...9ab1eca2454136414a98d163fcc91a05b54760f7 You're receiving this email because of your account on gitlab.com. -------------- next part -------------- An HTML attachment was scrubbed... URL: