[Git][NTPsec/ntpsec][master] 6 commits: Turn on server preference, fix #797
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Mon Sep 25 00:43:01 UTC 2023
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
f5a8755d by Hal Murray at 2023-08-29T11:18:55-07:00
Turn on server preference, fix #797
Turn on SSL_OP_CIPHER_SERVER_PREFERENCE when the admin sets ciphers.
- - - - -
a31f4378 by Hal Murray at 2023-08-29T11:18:55-07:00
Working on ntskestats
Change double to l_fp in ntske_counters
Merge usr+sys=>CPU in ntskestats and ntpq -c nts
Add wall+cpu time for noSSL
ntpq doesn't have a handy way to process l_fp
so convert to double for now
- - - - -
7ec3ad40 by Hal Murray at 2023-08-29T11:18:55-07:00
Add nts.xxx_r support to ntp_control
Tested by hand. No changes to ntpq.py to use it.
- - - - -
1f70af1c by Hal Murray at 2023-09-22T16:26:50-07:00
Add second hist to show (long) tail
- - - - -
680cae59 by Hal Murray at 2023-09-22T16:27:51-07:00
Tweak names for NTS printout
no SSL => no-TLS
- - - - -
9ab1eca2 by Hal Murray at 2023-09-22T16:29:10-07:00
Add doc for ntsstats and ntskestats
- - - - -
10 changed files:
- attic/aes-siv-timing.c
- attic/clocks.c
- docs/includes/mon-commands.adoc
- docs/includes/nts-commands.adoc
- include/nts.h
- ntpclients/ntpq.py
- ntpd/ntp_control.c
- ntpd/ntp_util.c
- ntpd/nts.c
- ntpd/nts_server.c
Changes:
=====================================
attic/aes-siv-timing.c
=====================================
@@ -21,6 +21,7 @@
#include <openssl/err.h>
#include <openssl/rand.h>
#include "aes_siv.h"
+#include "ntp_fp.h"
#include "nts.h"
#define UNUSED_ARG(arg) ((void)(arg))
=====================================
attic/clocks.c
=====================================
@@ -18,7 +18,8 @@ struct table {
#define BILLION 1000000000
#define HISTSIZE 2500
#define NSPERBUCKET 1
-#define MAXHISTLINES 10
+#define NSPERBUCKET2 250
+#define MAXHISTLINES 15
struct table clocks [] = {
{CLOCK_REALTIME, "CLOCK_REALTIME"},
@@ -148,28 +149,53 @@ static int do_fastest(int type) {
dups++;
continue;
}
- if (nanos < fastest) { fastest = nanos;
- }
+ if (nanos < fastest) fastest = nanos;
}
return fastest;
}
+static int do_slowest(int type) {
+ struct timespec start, stop;
+ uint64_t sec, nanos, slowest;
+
+ dups = 0;
+ slowest = 0;
+ for (int i = 0; i < BATCHSIZE; i++) {
+ clock_gettime(type, &start); /* warm up caches */
+ clock_gettime(type, &start);
+ clock_gettime(type, &stop);
+ sec = (stop.tv_sec-start.tv_sec);
+ nanos = sec*BILLION + (stop.tv_nsec-start.tv_nsec);
+ if (0 == nanos) {
+ /* I've seen this on Pi 1. */
+ dups++;
+ continue;
+ }
+ if (nanos > slowest) slowest = nanos;
+ }
+
+ return slowest;
+}
-static int do_hist(int type, int fastest) {
+/* The second hist shows the tail. */
+static void do_hist(int type) {
int nsPerBucket = NSPERBUCKET;
+ int nsPerBucket2 = NSPERBUCKET2;
int i;
- int delta, lines, toobig, hits, miss;
+ int index, lines, toobig, hits;
+ int last = 0;
struct timespec start, stop;
- int64_t sec, nanos;
+ int64_t sec, nanos, slowest;
unsigned int hist[HISTSIZE];
- int faster = 0;
+ unsigned int hist2[HISTSIZE];
dups = 0;
- toobig = 0;
for (i = 0; i < HISTSIZE; i++) {
hist[i] = 0;
+ hist2[i] = 0;
}
+ slowest = 0;
for (i = 0; i < BATCHSIZE; i++) {
clock_gettime(type, &start); /* warm up cache */
clock_gettime(type, &stop);
@@ -185,33 +211,29 @@ static int do_hist(int type, int fastest) {
continue;
}
if (0 == nanos) {
- /* I've seen this on Pi 1. */
+ /* This happens on Pi 1. */
dups++;
continue;
}
- delta = (nanos-fastest) / nsPerBucket;
- if (0 > delta) {
- /* fastest wasn't fast enough */
- if (0 == faster) {
- faster = delta;
- }
- if (faster > delta) {
- faster = delta;
- }
- continue;
+ index = nanos / nsPerBucket;
+ if (index < HISTSIZE) {
+ hist[index]++;
}
- if (delta < HISTSIZE) {
- hist[delta]++;
- } else {
- toobig++;
+ index = nanos / nsPerBucket2;
+ if (index < HISTSIZE) {
+ hist2[index]++;
}
+ if (slowest < nanos) slowest = nanos;
}
- if (faster) { return faster;
+ if (dups) {
+ printf("%d samples were duplicated.\n", dups);
}
+
printf("\n");
printf("Histogram: CLOCK_REALTIME, %d ns per bucket, %d samples.\n",
nsPerBucket, BATCHSIZE);
printf(" ns hits\n");
+ toobig = 0;
lines = 0;
hits = 0;
for (i=0; i<HISTSIZE; i++) {
@@ -219,28 +241,45 @@ static int do_hist(int type, int fastest) {
break; /* Avoid clutter of printing long tail */
}
if (hist[i]) {
- printf("%10d %8u\n", i*nsPerBucket+fastest, hist[i]);
+ last = i*nsPerBucket;
+ printf("%10d %8u\n", i*nsPerBucket, hist[i]);
lines++;
hits += hist[i];
}
}
- miss = i-1;
- for ( ; i<HISTSIZE; i++) {
- toobig += hist[i];
+ toobig = BATCHSIZE-hits;
+ if (toobig) { printf("%d samples were bigger than %d.\n",
+ toobig, last);
}
- if (dups) {
- printf("%d samples were duplicated.\n", dups);
+ printf("\n");
+ printf("Histogram: CLOCK_REALTIME, %d ns per bucket, %d samples.\n",
+ nsPerBucket2, BATCHSIZE);
+ printf(" ns hits\n");
+ lines = 0;
+ hits = 0;
+ for (i=0; i<HISTSIZE; i++) {
+ if ((MAXHISTLINES <= lines) && (0.98*BATCHSIZE < hits)) {
+ break; /* Avoid clutter of printing long tail */
+ }
+ if (hist2[i]) {
+ last = i*nsPerBucket2;
+ printf("%10d %8u\n", i*nsPerBucket2, hist2[i]);
+ lines++;
+ hits += hist2[i];
+ }
}
- if (toobig) { printf("%d samples were bigger than %d.\n",
- toobig, miss*nsPerBucket+fastest);
+ toobig = BATCHSIZE-hits;
+ if (toobig) {
+ printf("%d samples were bigger than %d.\n", toobig, last);
+ printf("Slowest was %ld.\n", (long)slowest);
}
- return faster;
}
int main(int argc, char *argv[]) {
int res, average, fastest;
+ int slowestest = 0;
(void)argc; /* Squash unused warnings */
(void)argv;
@@ -270,16 +309,24 @@ int main(int argc, char *argv[]) {
}
if (1) {
- int faster;
fastest = do_fastest(CLOCK_REALTIME);
- while (1) {
- faster = do_hist(CLOCK_REALTIME, fastest);
- if (0 == faster) { break;
- }
- printf("Found faster: %d => %d\n", fastest, faster);
- fastest = faster;
+ do_hist(CLOCK_REALTIME);
+ }
+
+
+ printf("\nSlowest from each batch of %d...\n", BATCHSIZE);
+ for (int i=0; i<50; i++) {
+ int slowest;
+ slowest = do_slowest(CLOCK_REALTIME);
+ printf(" %6ld", (long)slowest);
+ if ((i%10)==9) printf("\n");
+ if (dups) {
+ printf(" %d samples were duplicated.\n", dups);
}
+ if (slowest > slowestest) slowestest = slowest;
+
}
+ printf("Slowest was %ld\n", (long)slowestest);
return 0;
=====================================
docs/includes/mon-commands.adoc
=====================================
@@ -1,7 +1,7 @@
// Monitoring commands. Is included twice.
[[statistics]]+statistics+ _name..._::
- Enables writing of statistics records. Currently, eight kinds of
+ Enables writing of statistics records. Currently, ten kinds of
_name_ statistics are supported.
+
+clockstats+;;
@@ -57,12 +57,86 @@ The first two fields show the date (Modified Julian Day) and time
time offset (seconds), frequency offset (parts per million - PPM),
RMS jitter (seconds), Allan deviation (PPM) and clock discipline
time constant.
++
+ +ntsstats+;;
+ Enables recording of NTS statistics counters on a periodic basis.
+ Each hour a line of the following form is appended to the file
+ generation set named _ntsstats_:
++
+-----------------------------------------------------------
+60209 77147.187 3600 1320 1239 0 2895 2895 11 4104 0 2897 2885 10 0 0 2 0
+-----------------------------------------------------------
++
+[width="100%",cols="<34%,<33%,<33%"]
+|====================================
+|Item |Units |Description
+|+60209+ |MJD |date
+|+77147.187+ |s |time past midnight
+|+3600+ |s |time since reset
+|+1320+ |packets |client requests sent
+|+1239+ |packets |client responses received good
+|+0+ |packets |client responses received bad
+|+2895+ |packets |server responses sent
+|+2895+ |packets |server requests received good
+|+11+ |packets |server requests received bad
+|+4104+ |packets |cookies made
+|+0+ |packets |cookie decodes not server
+|+2897+ |packets |cookie decodes total
+|+2885+ |packets |cookie decodes current
+|+10+ |packets |cookie decodes 1-2 days
+|+0+ |packets |cookie decodes 2-3 days
+|+0+ |packets |cookie decodes 3-10 days
+|+2+ |packets |cookie decodes too old
+|+0+ |packets |cookie decodes error
+|====================================
++
+These counters are also available via _ntpq_'s _nts_ command.
++
+ +ntskestats+;;
+ Enables recording of NTS-KE statistics counters on a periodic basis.
+ Each hour a line of the following form is appended to the file
+ generation set named _ntskestats_:
++
+-----------------------------------------------------------
+60209 77147.187 3600 10 2.914 0.026 2 3.218 0.004 0 0.000 0.000 0 0
+-----------------------------------------------------------
++
+[width="100%",cols="<34%,<33%,<33%"]
+|====================================
+|Item |Units |Description
+|+60209+ |MJD |date
+|+77147.187+ |s |time past midnight
+|+3600+ |s |time since reset
+|+10+ |requests |server requests good
+|+2.914+ |seconds |server good wall clock time
+|+0.026+ |seconds |server good server cpu time
+|+2+ |requests |server requests no-TLS
+|+3.218+ |seconds |server no-TLS wall clock time
+|+0.004+ |seconds |server no-TLS server cpu time
+|+0+ |requests |server requests bad
+|+0.000+ |seconds |server bad wall clock time
+|+0.000+ |seconds |server bad server cpu time
+|+0+ |requests |client requests good
+|+0+ |requests |client requests bad
+|====================================
++
+These counters are also available via _ntpq_'s _nts_ command.
++
+There are two types of failures for NTS-KE server processing.
+The _no-TLS_ slots are for the path when the TLS connection doesn't get setup.
+The _bad_ slots are for the path when the TLS connection does get setup
+but there is an error during the NTS-KE exchange.
++
+Both are typically caused by bad guys probing for servers to abuse.
+A _no-TLS_ event would be caused by a bad guy using unencrypted SMTP while a _bad_ event would be caused by SMTP over TLS.
+
+protostats+;;
Record significant peer and system events. Each significant
event appends one line to the +protostats+ file set:
+
-+49213 525.624 128.4.1.1 963a 8a+ _message_
+---------------------------------------------------
+49213 525.624 128.4.1.1 963a 8a+ _message_
+---------------------------------------------------
+
[width="100%",cols="<34%,<33%,<33%"]
|====================================
=====================================
docs/includes/nts-commands.adoc
=====================================
@@ -54,6 +54,10 @@ The options are as follows:
+tlsciphersuites+ _string_::
An OpenSSL ciphersuite list to configure the allowed ciphersuites for
TLS 1.3. A single NULL cipher disables encryption and use of certificates.
+ This sets the ciphers used by both the client and server sides.
+ +
+ The server picks the cipher. The default is client preference.
+ Specifying ciphersuites also switches to server preference.
+tlsecdhcurves+ _string_::
An OpenSSL ecdhcurves list to configure the allowed ecdhcurves for
=====================================
include/nts.h
=====================================
@@ -257,14 +257,14 @@ struct nts_counters {
};
struct ntske_counters {
uint64_t serves_good;
- double serves_good_wall;
- double serves_good_usr;
- double serves_good_sys;
+ l_fp serves_good_wall;
+ l_fp serves_good_cpu;
uint64_t serves_nossl;
+ l_fp serves_nossl_wall;
+ l_fp serves_nossl_cpu;
uint64_t serves_bad;
- double serves_bad_wall;
- double serves_bad_usr;
- double serves_bad_sys;
+ l_fp serves_bad_wall;
+ l_fp serves_bad_cpu;
uint64_t probes_good;
uint64_t probes_bad;
};
=====================================
ntpclients/ntpq.py
=====================================
@@ -1667,17 +1667,17 @@ usage: authinfo
("nts_cookie_decode_error", "NTS decode cookies error: ", NTP_UINT),
)
ntskeinfo = (
- ("nts_ke_probes_good", "NTS KE client probes good: ", NTP_UINT),
- ("nts_ke_probes_bad", "NTS KE client probes bad: ", NTP_UINT),
("nts_ke_serves_good", "NTS KE serves good: ", NTP_UINT),
("nts_ke_serves_good_wall", "NTS KE serves good wall: ", NTP_FLOAT),
- ("nts_ke_serves_good_usr", "NTS KE serves good CPU/usr: ", NTP_FLOAT),
- ("nts_ke_serves_good_sys", "NTS KE serves good CPU/sys: ", NTP_FLOAT),
- ("nts_ke_serves_nossl", "NTS KE serves no SSL: ", NTP_UINT),
+ ("nts_ke_serves_good_cpu", "NTS KE serves good CPU: ", NTP_FLOAT),
+ ("nts_ke_serves_nossl", "NTS KE serves no-TLS: ", NTP_UINT),
+ ("nts_ke_serves_nossl_wall", "NTS KE serves no-TLS wall: ", NTP_FLOAT),
+ ("nts_ke_serves_nossl_cpu", "NTS KE serves no-TLS CPU: ", NTP_FLOAT),
("nts_ke_serves_bad", "NTS KE serves bad: ", NTP_UINT),
("nts_ke_serves_bad_wall", "NTS KE serves bad wall: ", NTP_FLOAT),
- ("nts_ke_serves_bad_usr", "NTS KE serves bad CPU/usr: ", NTP_FLOAT),
- ("nts_ke_serves_bad_sys", "NTS KE serves bad CPU/sys: ", NTP_FLOAT),
+ ("nts_ke_serves_bad_cpu", "NTS KE serves bad CPU: ", NTP_FLOAT),
+ ("nts_ke_probes_good", "NTS KE client probes good: ", NTP_UINT),
+ ("nts_ke_probes_bad", "NTS KE client probes bad: ", NTP_UINT),
)
self.collect_display(associd=0, variables=ntsinfo, decodestatus=False)
self.collect_display(associd=0, variables=ntskeinfo, decodestatus=False)
=====================================
ntpd/ntp_control.c
=====================================
@@ -165,7 +165,8 @@ enum var_type {v_time,
v_str, v_dbl, v_uli, v_li, v_uint, v_int,
v_u64, v_i64, v_u32, v_i32, v_u8, v_i8, v_bool,
v_strP, v_u64P, v_u32P, v_uliP,
- v_l_fp, v_l_fp_ms,
+ v_l_fp, v_l_fp_ms, v_l_fp_sec,
+ v_u64_r, v_l_fp_sec_r,
v_mrumem,
v_since, v_kli, v_special};
enum var_type_special {
@@ -199,6 +200,11 @@ struct var {
unsigned long int (*p_uliP)(void);
const enum var_type_special special;
};
+ union {
+ /* second pointer for returning recent since-stats-logged */
+ const uint64_t* p2_u64;
+ const uint64_t* p2_l_fp;
+ };
};
#define Var_time(xname, xflags, xlocation) { \
@@ -227,6 +233,9 @@ struct var {
#define Var_u64(xname, xflags, xlocation) { \
.name = xname, .flags = xflags, .type = v_u64, .p_u64 = &xlocation }
+#define Var_u64_r(xname, xflags, xlocation) { \
+ .name = xname, .flags = xflags, .type = v_u64_r, \
+ .p_u64 = &xlocation, .p2_u64 = &(old_##xlocation) }
#define Var_i64(xname, xflags, xlocation) { \
.name = xname, .flags = xflags, .type = v_i64, .p_i84 = &xlocation }
#define Var_u32(xname, xflags, xlocation) { \
@@ -244,6 +253,11 @@ struct var {
.name = xname, .flags = xflags, .type = v_l_fp, .p_l_fp = &xlocation }
#define Var_l_fp_ms(xname, xflags, xlocation) { \
.name = xname, .flags = xflags, .type = v_l_fp_ms, .p_l_fp = &xlocation }
+#define Var_l_fp_sec(xname, xflags, xlocation) { \
+ .name = xname, .flags = xflags, .type = v_l_fp_sec, .p_l_fp = &xlocation }
+#define Var_l_fp_r(xname, xflags, xlocation) { \
+ .name = xname, .flags = xflags, .type = v_l_fp_sec_r, \
+ .p_l_fp = &xlocation, .p2_l_fp = &(old_##xlocation) }
#define Var_since(xname, xflags, xlocation) { \
.name = xname, .flags = xflags, .type = v_since, .p_up = &xlocation }
@@ -323,6 +337,7 @@ static const struct var sys_var[] = {
Var_Pair("ss_limited", limitrejected),
Var_Pair("ss_kodsent", kodsent),
Var_Pair("ss_processed", processed),
+#undef Var_Pair
/* We own this one. See above. No proc mode.
* Note that lots of others are not (yet?) in this table. */
@@ -407,36 +422,44 @@ static const struct var sys_var[] = {
Var_bool("lockclock", RO, loop_data.lockclock),
#ifndef DISABLE_NTS
+#define Var_Pair(name, location) \
+ Var_u64(name, RO, location), \
+ Var_u64_r(name "_r", RO, location)
+#define Var_PairF(name, location) \
+ Var_l_fp_sec(name, RO, location), \
+ Var_l_fp_r(name "_r", RO, location)
/* ntsinfo: NTS statistics */
- Var_u64("nts_client_send", RO, nts_cnt.client_send),
- Var_u64("nts_client_recv_good", RO, nts_cnt.client_recv_good),
- Var_u64("nts_client_recv_bad", RO, nts_cnt.client_recv_bad),
- Var_u64("nts_server_send", RO, nts_cnt.server_send),
- Var_u64("nts_server_recv_good", RO, nts_cnt.server_recv_good),
- Var_u64("nts_server_recv_bad", RO, nts_cnt.server_recv_bad),
- Var_u64("nts_cookie_make", RO, nts_cnt.cookie_make),
- Var_u64("nts_cookie_not_server", RO, nts_cnt.cookie_not_server),
- Var_u64("nts_cookie_decode_total", RO, nts_cnt.cookie_decode_total),
- Var_u64("nts_cookie_decode_current", RO, nts_cnt.cookie_decode_current),
+ Var_Pair("nts_client_send", nts_cnt.client_send),
+ Var_Pair("nts_client_recv_good", nts_cnt.client_recv_good),
+ Var_Pair("nts_client_recv_bad", nts_cnt.client_recv_bad),
+ Var_Pair("nts_server_send", nts_cnt.server_send),
+ Var_Pair("nts_server_recv_good", nts_cnt.server_recv_good),
+ Var_Pair("nts_server_recv_bad", nts_cnt.server_recv_bad),
+ Var_Pair("nts_cookie_make", nts_cnt.cookie_make),
+ Var_Pair("nts_cookie_not_server", nts_cnt.cookie_not_server),
+ Var_Pair("nts_cookie_decode_total", nts_cnt.cookie_decode_total),
+ Var_Pair("nts_cookie_decode_current", nts_cnt.cookie_decode_current),
/* Following line is a hack for old versions of ntpq
* nts_cookie_decode is old name for nts_cookie_decode_current */
- Var_u64("nts_cookie_decode", RO, nts_cnt.cookie_decode_current),
- Var_u64("nts_cookie_decode_old", RO, nts_cnt.cookie_decode_old),
- Var_u64("nts_cookie_decode_old2", RO, nts_cnt.cookie_decode_old2),
- Var_u64("nts_cookie_decode_older", RO, nts_cnt.cookie_decode_older),
- Var_u64("nts_cookie_decode_too_old", RO, nts_cnt.cookie_decode_too_old),
- Var_u64("nts_cookie_decode_error", RO, nts_cnt.cookie_decode_error),
- Var_u64("nts_ke_serves_good", RO, ntske_cnt.serves_good),
- Var_dbl("nts_ke_serves_good_wall", RO, ntske_cnt.serves_good_wall),
- Var_dbl("nts_ke_serves_good_usr", RO, ntske_cnt.serves_good_usr),
- Var_dbl("nts_ke_serves_good_sys", RO, ntske_cnt.serves_good_sys),
- Var_u64("nts_ke_serves_nossl", RO, ntske_cnt.serves_nossl),
- Var_u64("nts_ke_serves_bad", RO, ntske_cnt.serves_bad),
- Var_dbl("nts_ke_serves_bad_wall", RO, ntske_cnt.serves_bad_wall),
- Var_dbl("nts_ke_serves_bad_usr", RO, ntske_cnt.serves_bad_usr),
- Var_dbl("nts_ke_serves_bad_sys", RO, ntske_cnt.serves_bad_sys),
- Var_u64("nts_ke_probes_good", RO, ntske_cnt.probes_good),
- Var_u64("nts_ke_probes_bad", RO, ntske_cnt.probes_bad),
+ Var_Pair("nts_cookie_decode", nts_cnt.cookie_decode_current),
+ Var_Pair("nts_cookie_decode_old", nts_cnt.cookie_decode_old),
+ Var_Pair("nts_cookie_decode_old2", nts_cnt.cookie_decode_old2),
+ Var_Pair("nts_cookie_decode_older", nts_cnt.cookie_decode_older),
+ Var_Pair("nts_cookie_decode_too_old", nts_cnt.cookie_decode_too_old),
+ Var_Pair("nts_cookie_decode_error", nts_cnt.cookie_decode_error),
+ Var_Pair("nts_ke_serves_good", ntske_cnt.serves_good),
+ Var_PairF("nts_ke_serves_good_wall", ntske_cnt.serves_good_wall),
+ Var_PairF("nts_ke_serves_good_cpu", ntske_cnt.serves_good_cpu),
+ Var_Pair("nts_ke_serves_nossl", ntske_cnt.serves_nossl),
+ Var_PairF("nts_ke_serves_nossl_wall", ntske_cnt.serves_nossl_wall),
+ Var_PairF("nts_ke_serves_nossl_cpu", ntske_cnt.serves_nossl_cpu),
+ Var_Pair("nts_ke_serves_bad", ntske_cnt.serves_bad),
+ Var_PairF("nts_ke_serves_bad_wall", ntske_cnt.serves_bad_wall),
+ Var_PairF("nts_ke_serves_bad_cpu", ntske_cnt.serves_bad_cpu),
+ Var_Pair("nts_ke_probes_good", ntske_cnt.probes_good),
+ Var_Pair("nts_ke_probes_bad", ntske_cnt.probes_bad),
+#undef Var_Pair
+#undef Var_PairF
#endif
{ .flags=EOV } // end marker for scans
@@ -1412,6 +1435,8 @@ ctl_putsys(const struct var * v) {
case v_uli: ctl_putuint(v->name, *v->p_uli); break;
case v_uint: ctl_putuint(v->name, *v->p_uint); break;
case v_u64: ctl_putuint(v->name, *v->p_u64); break;
+ case v_u64_r:
+ ctl_putuint(v->name, *v->p_u64-*v->p2_u64); break;
case v_u32: ctl_putuint(v->name, *v->p_u32); break;
case v_u8: ctl_putuint(v->name, *v->p_u8); break;
@@ -1431,12 +1456,21 @@ ctl_putsys(const struct var * v) {
/* time of day */
case v_l_fp: ctl_putts(v->name, *v->p_l_fp); break;
+
/* time differences */
case v_l_fp_ms:
temp_d = lfptod(*v->p_l_fp);
temp_d *= MS_PER_S;
ctl_putdbl(v->name, temp_d);
break;
+ case v_l_fp_sec:
+ temp_d = lfptod(*v->p_l_fp);
+ ctl_putdbl(v->name, temp_d);
+ break;
+ case v_l_fp_sec_r:
+ temp_d = lfptod(*v->p_l_fp-*v->p2_l_fp);
+ ctl_putdbl(v->name, temp_d);
+ break;
case v_mrumem:
mem = *v->p_u64 * sizeof(mon_entry);
=====================================
ntpd/ntp_util.c
=====================================
@@ -773,7 +773,7 @@ void record_nts_stats(void) {
}
#define ntske_since(CNT) ((unsigned long long)(ntske_cnt.CNT - old_ntske_cnt.CNT))
-#define ntske_since_f(CNT) (ntske_cnt.CNT - old_ntske_cnt.CNT)
+#define ntske_since_f(CNT) ((double)lfptod(ntske_cnt.CNT - old_ntske_cnt.CNT))
uptime_t ntske_stattime;
void record_ntske_stats(void) {
#ifndef DISABLE_NTS
@@ -786,17 +786,17 @@ void record_ntske_stats(void) {
filegen_setup(&ntskestats, now.tv_sec);
if (ntsstats.fp != NULL) {
fprintf(ntskestats.fp,
- "%s %u %llu %.3f %.3f %.3f %llu %llu %.3f %.3f %.3f %llu %llu\n",
+ "%s %u %llu %.3f %.3f %llu %.3f %.3f %llu %.3f %.3f %llu %llu\n",
timespec_to_MJDtime(&now), current_time-ntske_stattime,
ntske_since(serves_good),
ntske_since_f(serves_good_wall),
- ntske_since_f(serves_good_usr),
- ntske_since_f(serves_good_sys),
+ ntske_since_f(serves_good_cpu),
ntske_since(serves_nossl),
+ ntske_since_f(serves_nossl_wall),
+ ntske_since_f(serves_nossl_cpu),
ntske_since(serves_bad),
ntske_since_f(serves_bad_wall),
- ntske_since_f(serves_bad_usr),
- ntske_since_f(serves_bad_sys),
+ ntske_since_f(serves_bad_cpu),
ntske_since(probes_good),
ntske_since(probes_bad) );
fflush(ntskestats.fp);
=====================================
ntpd/nts.c
=====================================
@@ -182,14 +182,22 @@ bool nts_load_ciphers(SSL_CTX *ctx) {
* There is no SSL_CTX_get_cipher_list, so we can't easily read back
* the ciphers to see what it took.
* We could make a dummy SSL, read the list, then free it.
+ * man SSL_CTX_set_ciphersuites() has info.
*/
- if (NULL != ntsconfig.tlsciphersuites) {
- if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
- msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
- return false;
- } else {
- msyslog(LOG_INFO, "NTS: set ciphersuites.");
- }
+ if (NULL == ntsconfig.tlsciphersuites) {
+ return true;
+ }
+ /* The server picks the ciphers.
+ * Default is client preference.
+ * This switches to server preference if the admin
+ * specifies the valid ciphers. See #797
+ */
+ SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ if (1 != SSL_CTX_set_ciphersuites(ctx, ntsconfig.tlsciphersuites)) {
+ msyslog(LOG_ERR, "NTS: troubles setting ciphersuites.");
+ return false;
+ } else {
+ msyslog(LOG_INFO, "NTS: set ciphersuites %s.", ntsconfig.tlsciphersuites);
}
return true;
}
=====================================
ntpd/nts_server.c
=====================================
@@ -185,6 +185,13 @@ void nts_unlock_certlock(void) {
}
}
+/* lfptod goes to long double */
+static inline double lfptox(l_fp r) {
+/* l_fp to double */
+ return ldexp((double)((int64_t)r), -32);
+}
+
+
void* nts_ke_listener(void* arg) {
struct timeval timeout = {.tv_sec = NTS_KE_TIMEOUT, .tv_usec = 0};
int sock = *(int*)arg;
@@ -192,13 +199,13 @@ void* nts_ke_listener(void* arg) {
char addrbuf[100];
char usingbuf[100];
struct timespec start, finish; /* wall clock */
- double wall;
+ l_fp wall;
bool worked;
const char *good;
#ifdef RUSAGE_THREAD
struct timespec start_u, finish_u; /* CPU user */
struct timespec start_s, finish_s; /* CPU system */
- double usr, sys; /* seconds */
+ l_fp usr, sys;
struct rusage usage;
#endif
@@ -269,12 +276,23 @@ void* nts_ke_listener(void* arg) {
if (SSL_accept(ssl) <= 0) {
clock_gettime(CLOCK_REALTIME, &finish);
- wall = tspec_to_d(sub_tspec(finish, start));
- nts_ke_accept_fail(addrbuf, wall);
+ wall = tspec_intv_to_lfp(sub_tspec(finish, start));
+ nts_ke_accept_fail(addrbuf, lfptox(wall));
SSL_free(ssl);
close(client);
ntske_cnt.serves_nossl++;
-// FIXME: update start_u and start_s
+ ntske_cnt.serves_nossl_wall += wall;
+#ifdef RUSAGE_THREAD
+ getrusage(RUSAGE_THREAD, &usage);
+ finish_u = tval_to_tspec(usage.ru_utime);
+ finish_s = tval_to_tspec(usage.ru_stime);
+ usr = tspec_intv_to_lfp(sub_tspec(finish_u, start_u));
+ sys = tspec_intv_to_lfp(sub_tspec(finish_s, start_s));
+ start_u = finish_u;
+ start_s = finish_s;
+ ntske_cnt.serves_nossl_cpu += usr;
+ ntske_cnt.serves_nossl_cpu += sys;
+#endif
continue;
}
@@ -297,7 +315,7 @@ void* nts_ke_listener(void* arg) {
close(client);
clock_gettime(CLOCK_REALTIME, &finish);
- wall = tspec_to_d(sub_tspec(finish, start));
+ wall = tspec_intv_to_lfp(sub_tspec(finish, start));
if (worked) {
ntske_cnt.serves_good++;
ntske_cnt.serves_good_wall += wall;
@@ -309,23 +327,23 @@ void* nts_ke_listener(void* arg) {
getrusage(RUSAGE_THREAD, &usage);
finish_u = tval_to_tspec(usage.ru_utime);
finish_s = tval_to_tspec(usage.ru_stime);
- usr = tspec_to_d(sub_tspec(finish_u, start_u));
- sys = tspec_to_d(sub_tspec(finish_s, start_s));
+ usr = tspec_intv_to_lfp(sub_tspec(finish_u, start_u));
+ sys = tspec_intv_to_lfp(sub_tspec(finish_s, start_s));
start_u = finish_u;
start_s = finish_s;
if (worked) {
- ntske_cnt.serves_good_usr += usr;
- ntske_cnt.serves_good_sys += sys;
+ ntske_cnt.serves_good_cpu += usr;
+ ntske_cnt.serves_good_cpu += sys;
} else {
- ntske_cnt.serves_bad_usr += usr;
- ntske_cnt.serves_bad_sys += sys;
+ ntske_cnt.serves_bad_cpu += usr;
+ ntske_cnt.serves_bad_cpu += sys;
}
msyslog(LOG_INFO, "NTSs: NTS-KE from %s, %s, Using %s, took %.3f sec, CPU: %.3f+%.3f ms",
- addrbuf, good, usingbuf, wall,
- usr*1000, sys*1000);
+ addrbuf, good, usingbuf, lfptox(wall),
+ lfptox(usr*1000), lfptox(sys*1000));
#else
msyslog(LOG_INFO, "NTSs: NTS-KE from %s, %s, Using %s, took %.3f sec",
- addrbuf, good, usingbuf, wall);
+ addrbuf, good, usingbuf, lfptox(wall));
#endif
}
return NULL;
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/45e7c3f695c49f638bea3a738e36f98395abadf3...9ab1eca2454136414a98d163fcc91a05b54760f7
--
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/45e7c3f695c49f638bea3a738e36f98395abadf3...9ab1eca2454136414a98d163fcc91a05b54760f7
You're receiving this email because of your account on gitlab.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ntpsec.org/pipermail/vc/attachments/20230925/9b359a4a/attachment-0001.htm>
More information about the vc
mailing list