[Git][NTPsec/ntpsec][master] 6 commits: Cleanup to wscript
Hal Murray (@hal.murray)
gitlab at mg.gitlab.com
Fri May 1 00:29:47 UTC 2026
Hal Murray pushed to branch master at NTPsec / ntpsec
Commits:
849d8d17 by Hal Murray at 2026-04-27T15:57:20-07:00
Cleanup to wscript
Activate link time optimization (-flto).
(if --disable-debug-gdb is set during configuration).
It was unconditionally disabled.
Builds without errors on Linux and FreeBSD.
Breaks horribly on NetBSD so disabled there.
Cleanup testing and setting compiler options.
The code had a table that was used to test if an option
worked, but it didn't actually set the option. That was
done with a separate clump of
if test worked
set option
That clump was a long distance from the table so it was
easy to not notice that you had to make 2 edits to add
an option.
There was at least one option that was missing from
that clump of test/set.
- - - - -
0a4665a7 by Hal Murray at 2026-04-27T15:57:20-07:00
Tweaks to tests/option-tester.sh
Add --disable-debug-gdb to a couple of tests
(It found a bug on some code I was working on)
Add command line to log files.
- - - - -
78afd017 by Hal Murray at 2026-04-27T15:57:20-07:00
Tweaks to tests/option-tester.sh
Added config parameters to log file
Added --disable-nts to minimal
- - - - -
ecc1b5ef by Hal Murray at 2026-04-27T15:57:20-07:00
Add ntskelog to stats files
This allows moving the NTS-KE server logging out of the main log file.
- - - - -
72320e27 by Hal Murray at 2026-04-27T15:57:20-07:00
Fix double counting of NTSKE server CPU stats
- - - - -
4faf3f70 by Hal Murray at 2026-04-29T02:32:10-07:00
Fix SSL_set1_host -- deprecated in OpenSSL 4.0
- - - - -
15 changed files:
- NEWS.adoc
- docs/includes/mon-commands.adoc
- include/ntpd.h
- include/nts.h
- include/nts2.h
- ntpd/keyword-gen.c
- ntpd/ntp_parser.y
- ntpd/ntp_util.c
- ntpd/nts.c
- ntpd/nts_client.c
- ntpd/nts_server.c
- tests/ntpd/nts_client.c
- tests/ntpd/nts_server.c
- tests/option-tester.sh
- wscript
Changes:
=====================================
NEWS.adoc
=====================================
@@ -12,6 +12,14 @@ on user-visible changes.
## Repository Head
+ ntskelog has been added to the stats file collection
+ NTSKE logging will go here to reduce clutter in the main log file.
+
+ Link Time Optimization is now enabled on Linux and FreeBSD
+ (if --disable-debug-gdb is set during configuration).
+ It is disabled on NetBSD because it breaks horribly.
+ Other systems may need similar treatement.
+
pool <serv> nts now works
maxclock now skips the POOL slots when counting servers.
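Review bot: "treatement" in the new LTO paragraph should be "treatment". It would also help readers if the ntskelog entry named how it is switched on (the new ntskelog keyword for the statistics/filegen configuration lines, per the ntp_parser.y change), since the NEWS entry is where most people will first see it.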
=====================================
docs/includes/mon-commands.adoc
=====================================
@@ -92,6 +92,38 @@ time constant.
+
These counters are also available via _ntpq_'s _nts_ command.
+ +ntskelog+;;
+ Enables recording of NTS-KE statistics for each connection attempt.
+ For each connection, a line of the following form is appended to
+ the file generation set named _ntskelog_:
++
+|===
+|61151 21317.793 OK 0.007 0.796 0.084 [2600:1700:a460:4b60::38:67]:54914 TLSv1.3:TLS_AES_256_GCM_SHA384(256)
+|===
++
+[options="header"]
+|===
+|Item |Units |Description
+|+61151+ |MJD |date
+|+21317.793+ |s |time past midnight
+|+OK+ | |Tag to indicate progress:
+
+* TLS: Error setting up TLS connection
+* KE: Error processing the KE request
+* OK: Worked
+|+0.007+ |s |Wall clock time
+|+0.796+ |ms |CPU time in user mode
+|+0.084+ |ms |CPU time in system mode
+|+[2600:1700:a460:4b60::38:67]:54914+
+ | |IP Address:port
+|<rest> | |Depends on the Tag:
+
+* TLS: a description of the error
+* KE: a description of the error
+* OK: the crypto used on the TLS connection
+|===
+
+
+ntskestats+;;
Enables recording of NTS-KE statistics counters on a periodic basis.
Each hour a line of the following form is appended to the file
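Review bot: one line is appended for every connection attempt, including TLS handshakes rejected before any authentication, so the growth of this file is driven by whoever can reach the NTS-KE port; the section should point at the filegen rotation options and suggest a short generation type for busy public servers. Two small accuracy points: record_ntske_log prints the tag with "%3s", so "OK" and "KE" carry a leading pad space (the sample line shows single spacing), and the <rest> column for KE failures is the text produced by nts_ke_process_receive ("Chunk too big: ...", "NPN-Bad data: ..."), which could be listed as examples.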
=====================================
include/ntpd.h
=====================================
@@ -260,6 +260,15 @@ extern void record_ref_stats(
double std_dev_all /* std deviation of everything */
);
+
+typedef enum {NTSKE_OK, NTSKE_Failed, NTSKE_SSL_Failed} NTSKE_Status;
+extern void record_ntske_log(
+ NTSKE_Status tag, const char* from, const char* msg,
+ double wall, double usr, double sys,
+ const char* errbuf
+);
+
+
extern void check_leap_file (bool is_daily_check, time_t systime);
/* NTS */
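Review bot: the prototype carries neither the units (wall, usr and sys arrive in seconds; ntp_util.c converts the CPU values to ms on output) nor the contract that errbuf is NULL on success, both of which callers in nts_server.c and the stub in tests/ntpd/nts_server.c depend on; add a short comment above the declaration.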
=====================================
include/nts.h
=====================================
@@ -50,7 +50,8 @@ struct BufCtl_t {
typedef struct BufCtl_t BufCtl;
/* Here for test routines */
-bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead);
+bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead,
+ char *errbuf, int errlng, const char **errtxt);
/***********************************************************/
@@ -267,15 +268,17 @@ struct nts_counters {
uint64_t cookie_decode_error;
};
struct ntske_counters {
- uint64_t serves_good;
- l_fp serves_good_wall;
- l_fp serves_good_cpu;
+ /* Server */
uint64_t serves_nossl;
l_fp serves_nossl_wall;
l_fp serves_nossl_cpu;
uint64_t serves_bad;
l_fp serves_bad_wall;
l_fp serves_bad_cpu;
+ uint64_t serves_good;
+ l_fp serves_good_wall;
+ l_fp serves_good_cpu;
+ /* Client */
uint64_t probes_good;
uint64_t probes_bad;
};
=====================================
include/nts2.h
=====================================
@@ -28,6 +28,7 @@ int nts_ssl_read(SSL *ssl, uint8_t *buff, int buff_length, const char **errtxt);
int nts_ssl_write(SSL *ssl, uint8_t *buff, int buff_length, const char **errtxt);
void nts_log_ssl_error(void);
+void nts_get_ssl_error(char *errbuf, int errlng);
int nts_get_key_length(uint16_t aead);
int nts_translate_version(const char *arg);
=====================================
ntpd/keyword-gen.c
=====================================
@@ -102,6 +102,7 @@ struct key_tok ntp_keywords[] = {
{ "usestats", T_Usestats, FOLLBY_TOKEN },
{ "ntsstats", T_Ntsstats, FOLLBY_TOKEN },
{ "ntskestats", T_Ntskestats, FOLLBY_TOKEN },
+{ "ntskelog", T_Ntskelog, FOLLBY_TOKEN },
/* filegen_option */
{ "file", T_File, FOLLBY_STRING },
{ "link", T_Link, FOLLBY_TOKEN },
=====================================
ntpd/ntp_parser.y
=====================================
@@ -168,6 +168,7 @@
%token <Integer> T_Nts
%token <Integer> T_Ntsstats
%token <Integer> T_Ntskestats
+%token <Integer> T_Ntskelog
%token <Integer> T_Orphan
%token <Integer> T_Orphanwait
%token <Integer> T_Panic
@@ -664,6 +665,7 @@ stat
| T_Usestats
| T_Ntsstats
| T_Ntskestats
+ | T_Ntskelog
;
filegen_option_list
=====================================
ntpd/ntp_util.c
=====================================
@@ -66,6 +66,7 @@ static FILEGEN sysstats;
static FILEGEN usestats;
static FILEGEN ntsstats;
static FILEGEN ntskestats;
+static FILEGEN ntskelog;
/*
* This controls whether stats are written to the fileset. Provided
@@ -120,6 +121,7 @@ uninit_util(void)
filegen_unregister("usestats");
filegen_unregister("ntsstats");
filegen_unregister("ntpkestats");
+ filegen_unregister("ntpkelog");
}
#endif /* DEBUG */
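Review bot: filegen_unregister("ntpkelog") does not match the name registered in init_util, "ntskelog", so the DEBUG-only unregister silently misses the new file; the pre-existing "ntpkestats" line above has the same typo against "ntskestats". Use one shared string constant per fileset for both register and unregister.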
@@ -140,6 +142,7 @@ init_util(void)
filegen_register(statsdir, "usestats", &usestats);
filegen_register(statsdir, "ntsstats", &ntsstats);
filegen_register(statsdir, "ntskestats", &ntskestats);
+ filegen_register(statsdir, "ntskelog", &ntskelog);
/*
* register with libntp ntp_set_tod() to call us back
@@ -805,6 +808,86 @@ void record_ntske_stats(void) {
#endif
}
+/* Times are in seconds -- convert to ms here. */
+/* If OK, NULL==errbuf */
+void record_ntske_log(
+ NTSKE_Status tag, const char* from, const char* msg,
+ double wall, double usr, double sys,
+ const char* errbuf
+) {
+#ifndef DISABLE_NTS
+ struct timespec now;
+ const char *tag_txt;
+
+ if (!stats_control) return; /* also disables logging to syslog */
+
+ switch (tag) {
+ case NTSKE_OK:
+ tag_txt = "OK";
+ ntske_cnt.serves_good++;
+ ntske_cnt.serves_good_wall += wall;
+ ntske_cnt.serves_good_cpu += usr+sys;
+ break;
+ case NTSKE_Failed:
+ tag_txt = "KE";
+ ntske_cnt.serves_bad++;
+ ntske_cnt.serves_bad_wall += wall;
+ ntske_cnt.serves_bad_cpu += usr+sys;
+ break;
+ case NTSKE_SSL_Failed:
+ tag_txt = "TLS";
+ ntske_cnt.serves_nossl++;
+ ntske_cnt.serves_nossl_wall += wall;
+ ntske_cnt.serves_nossl_cpu += usr+sys;
+ break;
+ default:
+ tag_txt = "???"; // FIXME want compiler warning.
+ break;
+ }
+
+ clock_gettime(CLOCK_REALTIME, &now);
+ filegen_setup(&ntskelog, now.tv_sec);
+ if (ntskelog.fp != NULL) {
+ /* need to collect everything into one write so it's atomic */
+ char buffer[1000];
+ int used;
+ unsigned long day, sec, msec;
+
+ used = snprintf(buffer, sizeof(buffer),
+ "%3s %.3f %.3f %.3f %s %s", tag_txt, wall, usr*1000, sys*1000, from, msg);
+ // FIXME check overflow
+ if (errbuf) {
+ used += snprintf(buffer+used, sizeof(buffer)-used, ", %s", errbuf);
+ }
+ /* can't call timespec_to_MJDtime -- not main thread */
+ day = (unsigned long)now.tv_sec / SECSPERDAY + MJD_1970;
+ sec = (unsigned long)now.tv_sec % SECSPERDAY;
+ msec = (unsigned long)now.tv_nsec / NS_PER_MS;
+ fprintf(ntskelog.fp, "%lu %lu.%03lu %s\n", day, sec, msec, buffer);
+ fflush(ntskelog.fp);
+ } else {
+ /* special ntske log file not setup -- add to main log file */
+ if (NULL == errbuf) {
+ msyslog(LOG_INFO,
+ "NTSs: NTS-KE from %s, OK, Using %s, took %.3f sec, CPU: %.3f+%.3f ms",
+ from, msg, wall, usr*1000, sys*1000);
+ } else {
+ msyslog(LOG_INFO,
+ "NTSs: NTS-KE from %s, Failed, Using %s, took %.3f sec, CPU: %.3f+%.3f ms, %s",
+ from, msg, wall, usr*1000, sys*1000, errbuf);
+ }
+ }
+#else
+ UNUSED_ARG(tag);
+ UNUSED_ARG(from);
+ UNUSED_ARG(msg);
+ UNUSED_ARG(wall);
+ UNUSED_ARG(usr);
+ UNUSED_ARG(sys);
+ UNUSED_ARG(errbuf);
+#endif
+}
+
/*
* record_proto_stats - write system statistics to file
*
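Review bot: the early `if (!stats_control) return;` now also skips the ntske_cnt.serves_* increments, so the counters shown by ntpq's nts command and ntskestats stop counting whenever stats are disabled, whereas the old nts_server.c code bumped them unconditionally; move the switch and its counter updates above that check. Three more points in the same function: the syslog fallback decides OK versus Failed from `NULL == errbuf` rather than from `tag`, so a TLS accept failure that arrives with a NULL errbuf is logged as "OK, Using <error text>" (switch on tag_txt instead); `used` returned by the first snprintf can exceed sizeof(buffer), which makes `sizeof(buffer)-used` wrap for the second call (the FIXME on that line), so clamp it or skip the append when `used >= sizeof(buffer)`; and serves_good_wall and friends are declared l_fp in include/nts.h while `wall` is now a double in seconds, so if l_fp is still the 64-bit fixed-point scalar the `+= wall` truncates sub-second values to nothing, where the old code accumulated the l_fp from tspec_intv_to_lfp directly; convert with dtolfp() before adding. Minor: initialise tag_txt before the switch and drop the `default:` so -Wswitch reports a missing enum case, which is what the FIXME asks for.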
@@ -942,3 +1025,4 @@ ntpd_time_stepped(void) {
mon_start();
}
}
+
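Review bot: this hunk only adds a blank line at the end of ntp_util.c; drop it to keep the file free of trailing blank lines.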
=====================================
ntpd/nts.c
=====================================
@@ -382,6 +382,11 @@ int nts_ssl_write(SSL *ssl, uint8_t *buff, int buff_length, const char** errtxt)
}
/* Each thread has it's own queue of errors */
+void nts_get_ssl_error(char *errbuf, int errlng) {
+ int err = ERR_get_error();
+ ERR_error_string_n(err, errbuf, errlng);
+}
+
void nts_log_ssl_error(void) {
char buff[256];
int err = ERR_get_error();
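Review bot: ERR_get_error() returns unsigned long and ERR_error_string_n() takes unsigned long, so `int err` narrows the code on the way through; declare it `unsigned long err` (the existing nts_log_ssl_error directly below has the same narrowing and could be fixed in the same commit).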
=====================================
ntpd/nts_client.c
=====================================
@@ -8,9 +8,6 @@
*
*/
-#define OPENSSL_SUPPRESS_DEPRECATED 1
-// SSL_set1_host is deprecated in 4.0
-
#include "config.h"
#include <ctype.h>
@@ -35,6 +32,7 @@
#include "nts.h"
#include "nts2.h"
#include "ntp_dns.h"
+#include "ntp_io.h"
#include "ntp_stdlib.h"
#include "timespecops.h"
@@ -500,9 +498,20 @@ void set_hostname(SSL *ssl, const char *hostname) {
* prohibited in an RFC
*/
SSL_set_hostflags(ssl, X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-/* FIXME FIXME FIXME */
+#if OPENSSL_VERSION_NUMBER >= 0x40000000L
+{
+ sockaddr_u addr;
+ if (is_ip_address(host, AF_UNSPEC, &addr))
+ SSL_set1_ipaddr(ssl, host);
+ else {
+ SSL_set1_dnsname(ssl, host);
+ SSL_set_tlsext_host_name(ssl, host);
+ }
+}
+#else
SSL_set1_host(ssl, host); /* DEPRECATED in OpenSSL 4.0 */
SSL_set_tlsext_host_name(ssl, host);
+#endif
msyslog(LOG_DEBUG, "NTSc: set cert host: %s", host);
}
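Review bot: the return values of SSL_set1_ipaddr, SSL_set1_dnsname and SSL_set1_host are ignored, so if one of them fails the handshake proceeds with no expected peer name and certificate verification loses its hostname check; test for 1 and log or abort the connection. Leaving SNI out for IP literals is right (RFC 6066 does not permit literal addresses in server_name). Note that is_ip_address is stubbed to return false in tests/ntpd/nts_client.c, so the IP branch is not exercised by the unit tests.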
=====================================
ntpd/nts_server.c
=====================================
@@ -35,8 +35,10 @@
static bool create_listener4(int port);
static bool create_listener6(int port);
static void* nts_ke_listener(void*);
-static void nts_ke_request(SSL *ssl, const char **errtxt);
-static void nts_ke_accept_fail(char* hostname, double sec, int code);
+static void nts_ke_request(SSL *ssl,
+ char *errbuf, int errlng, const char **errtxt);
+static void nts_ke_accept_fail(char* hostname,
+ double wall, double usr, double sys, int code);
static void nts_lock_certlock(void);
static void nts_unlock_certlock(void);
@@ -203,12 +205,12 @@ void* nts_ke_listener(void* arg) {
char addrbuf[100];
char usingbuf[100];
struct timespec start, finish; /* wall clock */
- l_fp wall;
+ l_fp wall, usr, sys;
const char *errtxt; /* not NULL if error */
#ifdef RUSAGE_THREAD
+ /* Not in NetBSD 10.1, 2026-Apr-05 */
struct timespec start_u, finish_u; /* CPU user */
struct timespec start_s, finish_s; /* CPU system */
- l_fp usr, sys;
struct rusage usage;
#endif
@@ -224,9 +226,13 @@ void* nts_ke_listener(void* arg) {
getrusage(RUSAGE_THREAD, &usage);
start_u = tval_to_tspec(usage.ru_utime);
start_s = tval_to_tspec(usage.ru_stime);
+#else
+ usr = 0;
+ sys = 0;
#endif
while(1) {
+ NTSKE_Status status = NTSKE_SSL_Failed;
sockaddr_u addr;
socklen_t len = sizeof(addr);
SSL *ssl;
@@ -290,13 +296,10 @@ void* nts_ke_listener(void* arg) {
err = SSL_accept(ssl);
if (0 >= err) {
int code = SSL_get_error(ssl, err);
- clock_gettime(CLOCK_MONOTONIC, &finish);
- wall = tspec_intv_to_lfp(sub_tspec(finish, start));
- nts_ke_accept_fail(addrbuf, lfptox(wall), code);
SSL_free(ssl);
close(client);
- ntske_cnt.serves_nossl++;
- ntske_cnt.serves_nossl_wall += wall;
+ clock_gettime(CLOCK_MONOTONIC, &finish);
+ wall = tspec_intv_to_lfp(sub_tspec(finish, start));
#ifdef RUSAGE_THREAD
getrusage(RUSAGE_THREAD, &usage);
finish_u = tval_to_tspec(usage.ru_utime);
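Review bot: nts_ke_accept_fail now runs after SSL_free(ssl), close(client), clock_gettime and getrusage, but it still reads errno (the `ECONNRESET==errno` test and ntp_strerror_r(errno, ...)), which any of those calls may overwrite; the old order called it straight after SSL_get_error. Capture `int saved_errno = errno;` next to `code` and pass it down, or move the cleanup back below the call.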
@@ -305,19 +308,21 @@ void* nts_ke_listener(void* arg) {
sys = tspec_intv_to_lfp(sub_tspec(finish_s, start_s));
start_u = finish_u;
start_s = finish_s;
- ntske_cnt.serves_nossl_cpu += usr;
- ntske_cnt.serves_nossl_cpu += sys;
#endif
+ nts_ke_accept_fail(addrbuf,
+ lfptox(wall), lfptox(usr), lfptox(sys), code);
continue;
}
/* Save info for final message. */
- snprintf(usingbuf, sizeof(usingbuf), "%s, %s (%d)",
+ snprintf(usingbuf, sizeof(usingbuf), "%s:%s(%d)",
SSL_get_version(ssl),
SSL_get_cipher_name(ssl),
SSL_get_cipher_bits(ssl, NULL));
- nts_ke_request(ssl, &errtxt);
+ status = NTSKE_Failed;
+ nts_ke_request(ssl, errbuf, sizeof(errbuf), &errtxt);
+ if (NULL==errtxt) status = NTSKE_OK;
SSL_shutdown(ssl);
SSL_free(ssl);
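Review bot: status becomes NTSKE_OK when errtxt is NULL after nts_ke_request, but errtxt is declared uninitialised at the top of the listener and reused for every connection, and nts_ke_process_receive only stores into *errtxt on failure; unless nts_ke_request itself resets it (not visible in this diff), a stale pointer from an earlier failed connection marks later good ones as KE failures. Set `errtxt = NULL;` immediately before the call. Also, the usingbuf change to "%s:%s(%d)" alters the existing syslog line as well as the new file format, which is worth a NEWS mention for anyone parsing those lines.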
@@ -325,13 +330,6 @@ void* nts_ke_listener(void* arg) {
clock_gettime(CLOCK_MONOTONIC, &finish);
wall = tspec_intv_to_lfp(sub_tspec(finish, start));
- if (NULL == errtxt) {
- ntske_cnt.serves_good++;
- ntske_cnt.serves_good_wall += wall;
- } else {
- ntske_cnt.serves_bad++;
- ntske_cnt.serves_bad_wall += wall;
- }
#ifdef RUSAGE_THREAD
getrusage(RUSAGE_THREAD, &usage);
finish_u = tval_to_tspec(usage.ru_utime);
@@ -340,34 +338,12 @@ void* nts_ke_listener(void* arg) {
sys = tspec_intv_to_lfp(sub_tspec(finish_s, start_s));
start_u = finish_u;
start_s = finish_s;
- if (NULL == errtxt) {
- ntske_cnt.serves_good_cpu += usr;
- ntske_cnt.serves_good_cpu += sys;
- msyslog(LOG_INFO,
- "NTSs: NTS-KE from %s, OK, Using %s, took %.3f sec, CPU: %.3f+%.3f ms",
- addrbuf, usingbuf, lfptox(wall),
- lfptox(usr*1000), lfptox(sys*1000));
- } else {
- ntske_cnt.serves_bad_cpu += usr;
- ntske_cnt.serves_bad_cpu += sys;
- msyslog(LOG_INFO,
- "NTSs: NTS-KE from %s, Failed, Using %s, took %.3f sec, CPU: %.3f+%.3f ms, %s",
- addrbuf, usingbuf, lfptox(wall),
- lfptox(usr*1000), lfptox(sys*1000),
- errtxt);
- }
-#else
- if (NULL == errtxt) {
- msyslog(LOG_INFO,
- "NTSs: NTS-KE from %s, OK, Using %s, took %.3f sec",
- addrbuf, usingbuf, lfptox(wall));
- } else {
- msyslog(LOG_INFO,
- "NTSs: NTS-KE from %s, Failed, Using %s, took %.3f sec, %s",
- addrbuf, usingbuf, lfptox(wall), errtxt);
- }
#endif
+ record_ntske_log(status, addrbuf, usingbuf,
+ lfptox(wall), lfptox(usr), lfptox(sys),
+ errtxt);
}
+
return NULL;
}
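Review bot: on platforms without RUSAGE_THREAD (the NetBSD case noted in the earlier hunk) usr and sys are now zero, so both the ntskelog line and the syslog fallback print "CPU: 0.000+0.000 ms" where the old `#else` branch omitted the CPU fields, and a reader cannot tell "unmeasured" from "negligible". Either keep the fields out when RUSAGE_THREAD is undefined or state in mon-commands.adoc that the CPU columns read zero there.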
@@ -375,11 +351,13 @@ void* nts_ke_listener(void* arg) {
* print single error message for common cases.
* Similar code in nts.c, nts_ssl_read() and nts_ssl_write()
*/
-void nts_ke_accept_fail(char* hostname, double sec, int code) {
+void nts_ke_accept_fail(char* hostname,
+ double wall, double usr, double sys, int code) {
unsigned long err = ERR_peek_error();
char errbuf[100];
char buff[200];
const char *msg = NULL;
+ const char *errmsg = NULL;
if (0 == err) {
switch (code) {
case SSL_ERROR_WANT_READ:
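Review bot: errmsg is initialised to NULL and never assigned anywhere in this function, so record_ntske_log always receives a NULL errbuf for TLS failures, and the new nts_get_ssl_error() declared in include/nts2.h has no caller in this diff; either fill errmsg from it (the local errbuf[100] is available for that) or drop the parameter until it is used.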
@@ -387,7 +365,7 @@ void nts_ke_accept_fail(char* hostname, double sec, int code) {
break;
case SSL_ERROR_SYSCALL:
if (ECONNRESET==errno) {
- msg = "Connection reset1";
+ msg = "Connection reset";
break;
}
/* fall through */
@@ -399,52 +377,29 @@ void nts_ke_accept_fail(char* hostname, double sec, int code) {
break;
}
} else {
- switch (code) {
- case SSL_ERROR_SSL:
- switch (ERR_GET_REASON(err)) {
- case SSL_R_HTTP_REQUEST:
- msg = "HTTP request";
- break;
- case SSL_R_NO_SHARED_CIPHER:
- msg = "no shared cipher";
- break;
- case SSL_R_WRONG_VERSION_NUMBER:
- msg = "wrong version number";
- break;
- case SSL_R_UNSUPPORTED_PROTOCOL:
- msg = "unsupported protocol";
- break;
-#ifdef SSL_R_UNEXPECTED_EOF_WHILE_READING
-/* Not available in OpenSSL 1.1.1w as used by Debian 11 (bullseye), Jul 2025 */
- case SSL_R_UNEXPECTED_EOF_WHILE_READING:
- msg = "Connection reset2";
- break;
-#endif
- default:
- // cc (Debian 8.3.0-6) 8.3.0
- // error: label at end of compound statement
- NULL;
- /* fall through */
- }
- if (NULL != msg) {
- err = 0;
- break;
- }
- /* fall through */
- default:
+ if (code==SSL_ERROR_SSL) {
+ msg = ERR_reason_error_string(err);
+ err = 0;
+ } else {
ntp_strerror_r(errno, errbuf, sizeof(errbuf));
snprintf(buff, sizeof(buff), "code %d, errno=>%d, %s, %lx=>%s",
code, errno, errbuf, err, ERR_reason_error_string(err));
+ err = 0;
msg = buff;
}
}
- msyslog(LOG_INFO, "NTSs: SSL_accept from %s, Failed, took %.3f sec, %s",
- hostname, sec, msg);
+ record_ntske_log(NTSKE_SSL_Failed, hostname, msg,
+ wall, usr, sys, errmsg);
if (err)
+ // FIXME This goes to log file, not ntskelog
+ // This only happens for multi error errors
+ // I think that is very rare.
nts_log_ssl_error();
}
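Review bot: ERR_reason_error_string(err) returns NULL for reason codes that have no string table entry, and msg is then handed to record_ntske_log and on to a "%s" conversion, which is undefined behaviour in fprintf and msyslog; fall back to the snprintf(buff, ...) form, or a literal "unknown SSL error", when it returns NULL (the old switch routed unknown reasons through that buff path). Style: the three FIXME comment lines sit between `if (err)` and the statement it controls; move them above the `if`.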
-void nts_ke_request(SSL *ssl, const char **errtxt) {
+
+void nts_ke_request(SSL *ssl,
+ char *errbuf, int errlng, const char **errtxt) {
/* RFC 4: servers must accept 1024
* Our cookies can be 104, 136, or 168 for AES_SIV_CMAC_xxx
* 8*168 fits comfortably into 2K.
@@ -462,8 +417,7 @@ void nts_ke_request(SSL *ssl, const char **errtxt) {
buf.next = buff;
buf.left = bytes_read;
- if (!nts_ke_process_receive(&buf, &aead)) {
- *errtxt = "xx";
+ if (!nts_ke_process_receive(&buf, &aead, errbuf, errlng, errtxt)) {
return;
}
@@ -592,17 +546,18 @@ bool create_listener6(int port) {
return true;
}
-bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead) {
+bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead,
+ char *errbuf, int errlng, const char **errtxt) {
while (buf->left >= NTS_KE_HDR_LNG) {
uint16_t type, data;
int length;
bool critical = false;
-
- // FIXME: msyslogs need rate limiting
type = ke_next_record(buf, &length);
- if (length > buf->left){
- msyslog(LOG_ERR, "NTSs: Chunk too big: 0x%x, %d, %d",
+ if (length > buf->left) {
+ snprintf(errbuf, errlng,
+ "Chunk too big: 0x%x, %d, %d",
type, buf->left, length);
+ *errtxt = errbuf;
return false;
}
if (NTS_CRITICAL & type) {
@@ -614,26 +569,36 @@ bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead) {
switch (type) {
case nts_error:
if (sizeof(data) != length) {
- msyslog(LOG_ERR, "NTSs: wrong length on error: %d", length);
+ snprintf(errbuf, errlng,
+ "Wrong length on error: %d", length);
+ *errtxt = errbuf;
return false;
}
data = next_uint16(buf);
- msyslog(LOG_ERR, "NTSs: error: %d", data);
+ snprintf(errbuf, errlng,
+ "Received error: %d", data);
+ *errtxt = errbuf;
return false;
case nts_next_protocol_negotiation:
if (sizeof(data) != length) {
- msyslog(LOG_ERR, "NTSs: NPN-Wrong length: %d", length);
+ snprintf(errbuf, errlng,
+ "NPN-Wrong length: %d", length);
+ *errtxt = errbuf;
return false;
}
data = next_uint16(buf);
if (data != nts_protocol_NTP) {
- msyslog(LOG_ERR, "NTSs: NPN-Bad data: %d", data);
+ snprintf(errbuf, errlng,
+ "NPN-Bad data: %d", data);
+ *errtxt = errbuf;
return false;
}
break;
case nts_algorithm_negotiation:
- if (buf->left < length || length % sizeof(uint16_t) > 0) {
- msyslog(LOG_ERR, "NTSs: AN-Wrong length: %d", length);
+ if (length % sizeof(uint16_t) > 0) {
+ snprintf(errbuf, errlng,
+ "AN-Wrong length: %d", length);
+ *errtxt = errbuf;
return false;
}
for (int i=0; i<length; i+=sizeof(uint16_t)) {
@@ -650,32 +615,41 @@ bool nts_ke_process_receive(struct BufCtl_t *buf, int *aead) {
break;
case nts_end_of_message:
if ((0 != length) || !critical) {
- msyslog(LOG_ERR, "NTSs: EOM-Wrong length or not Critical: %d, %d",
+ snprintf(errbuf, errlng,
+ "EOM-Wrong length or not Critical: %d, %d",
length, critical);
+ *errtxt = errbuf;
return false;
}
if (0 != buf->left) {
- msyslog(LOG_ERR, "NTSs: EOM not at end: %d", buf->left);
+ snprintf(errbuf, errlng,
+ "EOM not at end: %d", buf->left);
+ *errtxt = errbuf;
return false;
}
- break;
+ return true;
default:
- msyslog(LOG_ERR, "NTSs: received strange type: T=%d, C=%d, L=%d",
+ snprintf(errbuf, errlng,
+ "Received strange type: T=%d, C=%d, L=%d",
type, critical, length);
- if (critical) {
- return false;
- }
+ return false;
buf->next += length;
buf->left -= length;
break;
} /* case */
} /* while */
-// FIXME: check for missing EOM. Need to read more?
- if (buf->left > 0)
+ /* If we get here, we ran off the end without finding an EOM.
+ * nts_ssl_read() should have complained, so this check
+ * should never happen.
+ */
+ if (buf->left > 0) {
+ *errtxt = "*** Leftovers";
return false;
+ }
- return true;
+ *errtxt = "*** Missing EOM";
+ return false;
}
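Review bot: the `default:` case now returns false for every unrecognised record type, critical or not, dropping the previous `if (critical)` distinction; RFC 8915 section 4 requires a receiver to ignore an unrecognised record whose Critical Bit is clear, so this rejects clients that send legitimate optional records. Restore `if (critical) return false;` and keep the skip. As written, the `buf->next += length; buf->left -= length; break;` lines after `return false` are unreachable. The `return true` on EOM together with the "*** Missing EOM" fallthrough is a good tightening of the old loop.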
=====================================
tests/ntpd/nts_client.c
=====================================
@@ -9,6 +9,7 @@
#include <stdlib.h>
#include <string.h>
+bool is_ip_address(const char *, unsigned short, sockaddr_u *);
void dns_take_pool(struct peer *a, sockaddr_u *b);
void dns_take_server(struct peer *a, sockaddr_u *b);
void dns_take_status(struct peer *a, DNS_Status b);
@@ -301,6 +302,13 @@ void setup_SIGSYS_trap(void) {
}
#endif
+bool is_ip_address(const char *host, unsigned short af, sockaddr_u *addr) {
+ UNUSED_ARG(host);
+ UNUSED_ARG(af);
+ UNUSED_ARG(addr);
+ return false;
+}
+
void dns_take_pool(struct peer *a, sockaddr_u *b) {
UNUSED_ARG(a);
UNUSED_ARG(b);
=====================================
tests/ntpd/nts_server.c
=====================================
@@ -12,6 +12,20 @@
/* Hack to keep linker happy */
uint16_t extra_port = 0;
+void record_ntske_log(
+ NTSKE_Status tag, const char* from, const char* using,
+ double wall, double usr, double sys,
+ const char* errbuf
+) {
+ UNUSED_ARG(tag);
+ UNUSED_ARG(from);
+ UNUSED_ARG(using);
+ UNUSED_ARG(wall);
+ UNUSED_ARG(usr);
+ UNUSED_ARG(sys);
+ UNUSED_ARG(errbuf);
+}
+
TEST_GROUP(nts_server);
TEST_SETUP(nts_server) {}
@@ -20,6 +34,8 @@ TEST_TEAR_DOWN(nts_server) {}
TEST(nts_server, nts_ke_process_receive) {
/* General init */
+ char errbuf[100];
+ const char *errtxt = NULL;
struct BufCtl_t buf;
int aead;
bool success;
@@ -33,7 +49,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.left = sizeof(buf0);
aead = NO_AEAD;
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(true, success);
TEST_ASSERT_EQUAL_INT(AEAD_AES_SIV_CMAC_256, aead);
/* ===== Test: nts_error ===== */
@@ -44,7 +61,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf1;
buf.left = sizeof(buf1);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
/* ===== Test: nts_next_protocol_negotiation, bad length ===== */
uint8_t buf2[] = {
@@ -54,7 +72,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf2;
buf.left = sizeof(buf2);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
/* ===== Test: nts_next_protocol_negotiation, bad protocol ===== */
uint8_t buf3[] = {
@@ -64,7 +83,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf3;
buf.left = sizeof(buf3);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
/* ===== Test: nts_end_of_message, bad length ===== */
uint8_t buf4[] = {
@@ -73,7 +93,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf4;
buf.left = sizeof(buf4);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
/* ===== Test: nts_end_of_message, bad critical ===== */
uint8_t buf5[] = {
@@ -82,7 +103,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf5;
buf.left = sizeof(buf5);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
/* ===== Test: nts_end_of_message, remaining ===== */
uint8_t buf6[] = {
@@ -92,7 +114,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf6;
buf.left = sizeof(buf6);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
/* ===== Test: default, bad critical ===== */
uint8_t buf7[] = {
@@ -101,7 +124,8 @@ TEST(nts_server, nts_ke_process_receive) {
buf.next = buf7;
buf.left = sizeof(buf7);
/* test */
- success = nts_ke_process_receive(&buf, &aead);
+ success = nts_ke_process_receive(&buf, &aead,
+ errbuf, sizeof(errbuf), &errtxt);
TEST_ASSERT_EQUAL(false, success);
}
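Review bot: none of the updated cases assert on errtxt or errbuf after a false return, so the new error-text plumbing is not actually tested, and there is no case for an unrecognised record with the Critical Bit clear, which is exactly the behaviour the nts_server.c default case changed; add both (after the "Chunk too big" style failures, expect errtxt to be non-NULL and equal to errbuf).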
=====================================
tests/option-tester.sh
=====================================
@@ -67,7 +67,9 @@ doit ()
DIR="test-${1}"
[ ! -d "${DIR:?}" ] && mkdir "${DIR:?}"
rm -rf "${DIR:?}"/*
- "${PYTHON}" ./waf configure ${DISABLE_NTS} --out="${DIR}" ${2} 2>&1 | tee "${DIR:?}/test.log"
+ echo "Config:" ${2} 2>&1 | tee "${DIR:?}/test.log"
+ echo 2>&1 | tee -a "${DIR:?}/test.log"
+ "${PYTHON}" ./waf configure ${DISABLE_NTS} --out="${DIR}" ${2} 2>&1 | tee -a "${DIR:?}/test.log"
if [ "$?" != 0 ]
then
fail "configure"
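Review bot: `if [ "$?" != 0 ]` after `... | tee -a ...` tests tee's exit status, not waf's, so a failed configure is never caught; this predates the change but the new tee -a line keeps it. Use `set -o pipefail` where the script runs under bash, or run waf with its output to a temp file and tee that afterwards.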
@@ -91,7 +93,7 @@ doit ()
# no --disable-manpage on default and all
doit default "--disable-debug-gdb"
-doit minimal "--disable-droproot --disable-mdns-registration --disable-doc --disable-manpage --disable-debug-gdb --enable-pylib=none"
+doit minimal "--disable-droproot --disable-mdns-registration --disable-doc --disable-manpage --disable-debug-gdb --disable-nts --enable-pylib=none"
# This also tests refclocks without DEBUG
doit classic "--enable-classic-mode --refclock=all --disable-doc --disable-manpage --enable-pylib=ffi --disable-debug-gdb"
=====================================
wscript
=====================================
@@ -283,6 +283,12 @@ def configure(ctx):
if ret:
ctx.env.LDFLAGS += ["-lssp_nonshared"]
+# Info on warnings:
+# gcc: man gcc
+# clang: https://clang.llvm.org/docs/UsersManual.html
+# https://clang.llvm.org/docs/DiagnosticsReference.html
+# Looks interesting, but it breaks WAF checking
+# ('w_everything', "-Weverything"), # clang
cc_test_flags = [
('PIC', '-fPIC'),
('PIE', '-pie -fPIE'),
@@ -328,9 +334,11 @@ def configure(ctx):
ctx.define("USEBACKTRACE", "1", quote=False)
else:
# not gdb debugging
- cc_test_flags += [
- ('LTO', '-flto'), # link time optimization
- ]
+ # Breaks horribly on NetBSD, Hal, 2026-Apr-13
+ if not ctx.env.DEST_OS == "netbsd":
+ cc_test_flags += [
+ ('LTO', '-flto=auto'), # link time optimization
+ ]
ld_hardening_flags += [
('stripall', "-Wl,--strip-all"), # Strip binaries
]
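Review bot: -flto=auto lands only in CFLAGS via cc_flag_hits, but gcc performs the LTO work at link time and needs -flto (with the =auto job count) on the link line as well, so confirm that LINKFLAGS or LDFLAGS pick it up, especially given the removed "XXX: -flto currently breaks link of ntpd" comment. Style: `if not ctx.env.DEST_OS == "netbsd"` reads better as `!=`, and the commit message says -flto while the code adds -flto=auto.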
@@ -387,7 +395,7 @@ def configure(ctx):
# gotta be tricky to test for -Wsuggest-attribute=const
FRAGMENT = '''
-int tmp;
+static int tmp;
int main(int argc, char **argv) {
(void)argc; (void)argv;
tmp = argc;
@@ -398,19 +406,22 @@ int main(int argc, char **argv) {
# check if C compiler supports some flags
old_run_build_cls = ctx.run_build_cls
ctx.run_build_cls = 'oc'
+ # Can't just add hits to CFLAGS now -- breaks some checking
+ # So collect a list to add later.
+ # should be fixible. Hal, 2026-Apr-13
+ cc_flag_hits = []
for (name, ccflag) in cc_test_flags:
- ctx.check(cflags=ccflag,
+ if ctx.check(cflags=ccflag,
define_name='HAS_' + name,
fragment=FRAGMENT,
mandatory=False,
msg='Checking if C compiler supports ' + ccflag,
- run_build_cls='oc')
+ run_build_cls='oc'):
+ if "PIE"==name: continue # special
+ cc_flag_hits = cc_flag_hits + [ccflag]
ctx.run_build_cls = old_run_build_cls
- if ctx.env.HAS_PIC:
- ctx.env.CFLAGS = ["-fPIC"] + ctx.env.CFLAGS
-
if ctx.env.HAS_PIE:
ctx.env.LINKFLAGS_NTPD += [
"-pie",
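Review bot: `if "PIE"==name: continue` is the only exemption from CFLAGS, which works because the check has already set HAS_PIE for the later `if ctx.env.HAS_PIE` block, but a comment saying why PIE is special would save the next editor from removing it. Style: `cc_flag_hits.append(ccflag)` rather than list concatenation, and `name == "PIE"`.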
@@ -420,57 +431,7 @@ int main(int argc, char **argv) {
('relro', "-Wl,-z,relro"), # hardening, marks some read only,
]
- if ctx.env.HAS_unused:
- ctx.env.CFLAGS = ['-Qunused-arguments'] + ctx.env.CFLAGS
-
- # XXX: -flto currently breaks link of ntpd
- if ctx.env.HAS_LTO and False:
- ctx.env.CFLAGS = ["-flto"] + ctx.env.CFLAGS
-
- # debug warnings that are not available with all compilers
- if ctx.env.HAS_w_implicit_fallthru:
- ctx.env.CFLAGS = ['-Wimplicit-fallthrough=3'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_suggest_attribute_const:
- ctx.env.CFLAGS = ['-Wsuggest-attribute=const'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_suggest_attribute_noreturn:
- ctx.env.CFLAGS = ['-Wsuggest-attribute=noreturn'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_suggest_attribute_pure:
- ctx.env.CFLAGS = ['-Wsuggest-attribute=pure'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_format_security:
- ctx.env.CFLAGS = ['-Wformat-security'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_format_signedness:
- ctx.env.CFLAGS = ['-Wformat-signedness'] + ctx.env.CFLAGS
- # should be before other -Wformat-* in CFLAGS
- if ctx.env.HAS_w_format:
- ctx.env.CFLAGS = ['-Wformat'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_float_equal:
- ctx.env.CFLAGS = ['-Wfloat-equal'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_init_self:
- ctx.env.CFLAGS = ['-Winit-self'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_write_strings:
- ctx.env.CFLAGS = ['-Wwrite-strings'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_pointer_arith:
- ctx.env.CFLAGS = ['-Wpointer-arith'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_invalid_pch:
- ctx.env.CFLAGS = ['-Winvalid-pch'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_implicit_function_declaration:
- ctx.env.CFLAGS = ['-Wimplicit-function-declaration'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_disabled_optimization:
- ctx.env.CFLAGS = ['-Wdisabled-optimization'] + ctx.env.CFLAGS
- # if ctx.env.HAS_w_cast_align:
- # ctx.env.CFLAGS = ['-Wcast-align'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_missing_declarations:
- ctx.env.CFLAGS = ['-Wmissing-declarations'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_cast_qual:
- ctx.env.CFLAGS = ['-Wcast-qual'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_packed:
- ctx.env.CFLAGS = ['-Wpacked'] + ctx.env.CFLAGS
- if ctx.env.HAS_w_shadow:
- ctx.env.CFLAGS = ['-Wshadow'] + ctx.env.CFLAGS
- # if ctx.env.HAS_w_sign_conversion:
- # ctx.env.CFLAGS = ['-Wsign-conversion'] + ctx.env.CFLAGS
- if ctx.env.HAS_f_stack_protector_all:
- ctx.env.CFLAGS = ['-fstack-protector-all'] + ctx.env.CFLAGS
+ ctx.env.CFLAGS = cc_flag_hits + ctx.env.CFLAGS
# old gcc takes -z,relro, but then barfs if -fPIE available and used.
# ("relro", "-Wl,-z,relro"), # marks some sections read only
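Review bot: the old per-flag code carried an ordering requirement ("should be before other -Wformat-* in CFLAGS") that is now decided purely by the position of entries in cc_test_flags; check that the w_format entry precedes -Wformat-security and -Wformat-signedness in the table. The two commented-out candidates (-Wcast-align, -Wsign-conversion) also vanish without a trace; if they are still wanted, keep them as commented entries in the table.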
@@ -924,6 +885,7 @@ int main(int argc, char **argv) {
msg("Build Options")
msg_setting("CC", " ".join(ctx.env.CC))
msg_setting("CFLAGS", " ".join(ctx.env.CFLAGS))
+ # print("CFLAGS:", sorted(ctx.env.CFLAGS))
msg_setting("LDFLAGS", " ".join(ctx.env.LDFLAGS))
msg_setting("LINKFLAGS_NTPD", " ".join(ctx.env.LINKFLAGS_NTPD))
msg_setting("PREFIX", ctx.env.PREFIX)
View it on GitLab: https://gitlab.com/NTPsec/ntpsec/-/compare/5ac1f369637288033b018be3831055e9015c1cf6...4faf3f70d606d57c229c9ef836e3ffdb014acbaf