OpenBSD CVS Repository

src/usr.sbin/ntpd/constraint.c


OpenBSD release(s):
1.60 (79 78 77), 1.56 (76 75), 1.54 (74 73), 1.53 (72 71), 1.52 (70), 1.51 (69), 1.50 (68 67), 1.48 (66), 1.42 (65), 1.35 (64 63 62 61), 1.30 (60), 1.25 (59), 1.14 (58), 1.6 (57)
Tags:
None


revision 1.61 - Mon, 01 Jun 2026 12:22:06 UTC by tb
Changes since 1.60: +9 -3

ntpd: use the usual error check for timegm(3).

Straightforward change. The code could use some refactoring to avoid two consecutive timegm(3) calls on tm_tls. The layering is a bit strange here.

ok deraadt henning job


revision 1.60 - Thu, 21 Nov 2024 13:38:14 UTC by claudio
OpenBSD release(s): 79 78 77
Changes since 1.59: +5 -3

Convert simple stuff in usr.sbin over to new imsgbuf_init behaviour

OK tb@


revision 1.59 - Thu, 21 Nov 2024 13:25:01 UTC by claudio
Changes since 1.58: +33 -12

Try to handle the dumpster fire called constraint.c a bit better.

The imsg handling in here is not quite right. It works but more by luck.

OK tb@


revision 1.58 - Thu, 21 Nov 2024 13:17:57 UTC by claudio
Changes since 1.57: +2 -2

Use imsgbuf_clear() where appropriate instead of msgbuf_clear().

OK tb@


revision 1.57 - Thu, 21 Nov 2024 13:17:02 UTC by claudio
Changes since 1.56: +12 -16

Rename imsg_init, imsg_clear, imsg_read, imsg_write and imsg_flush to imsgbuf_init, imsgbuf_clear, imsgbuf_read, imsgbuf_write and imsgbuf_flush.

This separates the imsgbuf API from the per-imsg API.

OK tb@


revision 1.56 - Wed, 20 Dec 2023 15:36:36 UTC by otto
OpenBSD release(s): 76 75
Changes since 1.55: +5 -6

introduce log_ntp_addr() and use it where applicable, avoids a null pointer deref in constraint.c reported by bluhm@; ok millert@


revision 1.55 - Wed, 06 Dec 2023 15:51:53 UTC by otto
Changes since 1.54: +2 -3

Periodically reset constraint DNS info for constraints that failed to reply; ok florian@


revision 1.54 - Sun, 27 Nov 2022 13:19:00 UTC by otto
OpenBSD release(s): 74 73
Changes since 1.53: +20 -12

Once we are synced, we can validate the certificate in the standard way. ok tb@


revision 1.53 - Fri, 07 Jan 2022 17:14:42 UTC by otto
OpenBSD release(s): 72 71
Changes since 1.52: +4 -2

If no date could be parsed, bail out early and fix an error return that leaked; ok florian@


revision 1.52 - Fri, 16 Jul 2021 13:59:10 UTC by kn
OpenBSD release(s): 70
Changes since 1.51: +2 -4

Remove unneeded call to tls_init(3)

As per the manual and lib/libtls/tls.c revision 1.79 from 2018 "Automatically handle library initialisation for libtls." initialisation is handled automatically by other tls_*(3) functions.

Remove the tls_init() call to not give the impression of it being needed.

Feedback tb OK Tests mestre


revision 1.51 - Thu, 18 Mar 2021 11:17:04 UTC by bluhm
OpenBSD release(s): 69
Changes since 1.50: +1 -2

Remove duplicate prototype.


revision 1.50 - Thu, 20 Feb 2020 14:41:01 UTC by otto
OpenBSD release(s): 68 67
Changes since 1.49: +2 -2

Typo in log message


revision 1.49 - Wed, 12 Feb 2020 19:14:56 UTC by otto
Changes since 1.48: +13 -3

If constraints are configured but do not work for whatever reason ntpd does not work. Make that more clear in the log and ntpctl -s status. report by and ok benno@


revision 1.48 - Tue, 16 Jul 2019 14:15:40 UTC by otto
OpenBSD release(s): 66
Changes since 1.47: +30 -4

  1. Re-resolve and re-get constraints once the clock is synced. Constraints are relative to monotime; so they shift when time is being adjusted.
  2. Fix a race between SIGCHLD delivery and reading the result imsg.
  3. Some cleanup: use a number to distinguish pools internally


revision 1.47 - Fri, 28 Jun 2019 13:32:49 UTC by deraadt
Changes since 1.46: +3 -3

When system calls indicate an error they return -1, not some arbitrary value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.


revision 1.46 - Sun, 16 Jun 2019 07:36:25 UTC by otto
Changes since 1.45: +4 -2

Be more aggressive retrying dns while in settime mode. The constraint engine does not know if we're in startup mode, so use a small interval the first few times there.


revision 1.45 - Sun, 09 Jun 2019 08:40:54 UTC by otto
Changes since 1.44: +6 -3

Introducing automatic settime mode: if some preconditions are met (booting, constraint(s) defined) set the time but only if the clock should be moved forward by more than a minute, based on ntp replies that satisfied the constraints. Tested by many; ok deraadt@


revision 1.44 - Thu, 30 May 2019 13:42:19 UTC by otto
Changes since 1.43: +15 -13

Use proper algorithm for median computation; use fabs() for computing an absolute value and fix poll loop to first generate messages and then compute poll flags for the write cases. This makes the timeout workaround for constraints unneeded. ok reyk@ tb@


revision 1.43 - Tue, 28 May 2019 06:49:46 UTC by otto
Changes since 1.42: +5 -2

A step in solving the bootstrap problem in a dnssec environment. If the time is wrong, we cannot validate dnssec, leading to failed DNS lookups, so we cannot adjust or set the time. Work around this by repeating a failed DNS lookup with a lookup with the CD (check disabled) bit set. ok florian@


revision 1.42 - Mon, 21 Jan 2019 11:08:37 UTC by jsing
OpenBSD release(s): 65
Changes since 1.41: +33 -6

Improve logging for TLS certificate validity checking.

Actually specify whether the certificate is not yet valid or has expired, and log the actual time values to hopefully save some head scratching.

ok deraadt@ tb@


revision 1.41 - Mon, 21 Jan 2019 11:05:41 UTC by jsing
Changes since 1.40: +3 -2

Explicitly check timegm() return value.

Spotted by tb@

ok deraadt@ tb@


revision 1.40 - Mon, 21 Jan 2019 08:38:22 UTC by jsing
Changes since 1.39: +22 -1

Perform manual validity checking of the X.509 certificate for constraints.

Given that we're getting a constraint so that we can validate time, if our own time is out we can fail the automatic validity checking since it is based on the wallclock. Instead, disable the automatic validity checking and perform manual checks based on the time reported from the server via the HTTP header.

Discussed at length with and ok deraadt@


revision 1.39 - Sun, 20 Jan 2019 16:40:42 UTC by otto
Changes since 1.38: +4 -2

Don't use *a - *b as compare idiom, it does not work as expected for anything larger than an int. ok jca@ rsadowski@


revision 1.38 - Thu, 29 Nov 2018 14:25:07 UTC by tedu
Changes since 1.37: +2 -2

update for libtls default cert changes. bonus: this exposed a few missing const qualifiers.


revision 1.37 - Tue, 06 Nov 2018 20:41:36 UTC by jsing
Changes since 1.36: +2 -2

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@


revision 1.36 - Mon, 05 Nov 2018 00:13:36 UTC by jsing
Changes since 1.35: +2 -8

Be stricter with TLS configuration for ntpd constraints.

We already require TLSv1.2 so it does not make sense to be liberal with the cipher suites that we allow. Additionally, it is potentially dangerous to disable certificate verification when no CA data is available (which is currently an impossible case to reach).

Also ensure we check the return value from tls_config_set_ca_mem() (as spotted by tb@).

ok kn@ tb@


revision 1.35 - Mon, 05 Dec 2016 10:41:33 UTC by rzalamena
OpenBSD release(s): 64 63 62 61
Changes since 1.34: +18 -22

Use the stack to hold the constraint child process variables instead of using the heap.

ok bcook@


revision 1.34 - Tue, 18 Oct 2016 22:05:47 UTC by rzalamena
Changes since 1.33: +11 -5

Check for EAGAIN on imsg_flush() return otherwise we might be failing to send a message to the child process. Do like we learned in httpd(8).

ok deraadt@


revision 1.33 - Tue, 18 Oct 2016 21:57:19 UTC by rzalamena
Changes since 1.32: +2 -2

Save the constraint process pid by getting the start_child() return value, this should fix the problem with random ntpd(8) deaths.

ok deraadt@


revision 1.32 - Mon, 26 Sep 2016 17:17:01 UTC by rzalamena
Changes since 1.31: +76 -37

Teach ntpd(8) constraint process to use exec*() instead of just forking, with this change we get the pledge() ability back to the parent process.

some tweaks from and ok reyk@


revision 1.31 - Wed, 14 Sep 2016 09:26:10 UTC by reyk
Changes since 1.30: +19 -2

Add clarifications ("comments") to three places where it wasn't obvious why it is implemented this way. The whole idea of constraints is to isolate them as much as possible, in a semi-paranoid way.

OK rzalamena@


revision 1.30 - Wed, 13 Jul 2016 16:35:47 UTC by jsing
OpenBSD release(s): 60
Changes since 1.29: +2 -2

Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release.

Discussed with beck@


revision 1.29 - Wed, 01 Jun 2016 16:35:58 UTC by deraadt
Changes since 1.28: +2 -2

ntpd is too aggressive about retrying constraint connections. This became more visible recently because a log_debug was changed to log_warnx. Change it back for now. ok jsing


revision 1.28 - Sat, 21 May 2016 13:46:10 UTC by jsing
Changes since 1.27: +12 -10

Harden TLS for ntpd constraints - stop disabling server name verification, ensure that we load the CA certificates and use tls_connect_servername() so that we can verify the server we are connecting to (even though we've already resolved the hostname). Also add additional warnings for TLS connect and TLS write failures so that we know what is happening and why.

Lack of server name verification also reported by Luis M. Merino - thanks!

ok deraadt@ reyk@


revision 1.27 - Fri, 06 May 2016 16:49:46 UTC by jsing
Changes since 1.26: +20 -20

Unconfuse things by renaming variables to match their contents.

ok deraadt@ reyk@


revision 1.26 - Sat, 05 Mar 2016 16:09:20 UTC by naddy
Changes since 1.25: +2 -2

According to RFC7231, section 7.1.1.1, the HTTP date header supports no other timezone than the fixed string "GMT". Avoid using strptime %Z, which is nonstandard and can give surprising results on other operating systems. ok deraadt@ giovanni@ bcook@


revision 1.25 - Wed, 27 Jan 2016 21:48:34 UTC by reyk
OpenBSD release(s): 59
Changes since 1.24: +30 -6

Don't attempt to kill() the constraint in the wrong process. The process management of the constraint processes has been moved from ntp to the parent, for better privsep and pledge, but the ntp process still attempted to kill the constraints on timeout directly. Fix this regression by introducing a new imsg from ntp to the parent and the related logic to kill a constraint at the right place.

Reported & tested by bcook@ Ok bcook@


revision 1.24 - Sat, 19 Dec 2015 17:55:29 UTC by reyk
Changes since 1.23: +3 -2

Switch and sync to the log.c variant from httpd/relayd/iked/snmpd/vmd.

OK bcook@ jung@


revision 1.23 - Sat, 05 Dec 2015 13:12:16 UTC by claudio
Changes since 1.22: +3 -2

EAGAIN handling for imsg_read. OK henning@ benno@


revision 1.22 - Tue, 24 Nov 2015 01:03:25 UTC by deraadt
Changes since 1.21: +11 -14

Cache values from getpwnam() done at initialization, which need to be used by the constraint processes setup later (chroot, setuid...) [late getpwnam discovered during a further audit] ok millert


revision 1.21 - Thu, 19 Nov 2015 21:32:53 UTC by mmcc
Changes since 1.20: +2 -7

Simplify all instances of get_string() and get_data() using malloc() and strndup().

ok millert@


revision 1.20 - Tue, 17 Nov 2015 15:34:36 UTC by deraadt
Changes since 1.19: +2 -1

fix memory leak; from David CARLIER


revision 1.19 - Mon, 12 Oct 2015 06:50:08 UTC by reyk
Changes since 1.18: +327 -122

Move execution of the constraints from the ntp to the parent process. This helps the ntp process to a) give a better pledge(2) and to b) keep the promise of "saving the world again... on time" by removing the delays that have been introduced by expensive constraint forks. The new design offers better privsep but introduces a few more imsgs and runs a little bit more code in the privileged parent. The privileged code is minimal, carefully checked, and does not attempt to "parse" any contents; the forked constraints instantly drop all privileges and pledge to "stdio inet".

OK beck@ deraadt@


revision 1.18 - Fri, 09 Oct 2015 03:50:40 UTC by deraadt
Changes since 1.17: +5 -1

Once the constraint engine process is running, it only needs "stdio inet". It took weeks to get to this point...


revision 1.17 - Thu, 10 Sep 2015 13:49:48 UTC by beck
Changes since 1.16: +4 -4

fix type and return check for tls_read/write.

jointly with jsing@


revision 1.16 - Thu, 10 Sep 2015 10:34:19 UTC by beck
Changes since 1.15: +8 -8

fix after libtls api changes ok jsing@


revision 1.15 - Wed, 09 Sep 2015 15:05:58 UTC by millert
Changes since 1.14: +2 -1

Fix memory leak in error path when max length exceeded. From Michael McConville


revision 1.14 - Sat, 18 Jul 2015 21:50:47 UTC by bluhm
OpenBSD release(s): 58
Changes since 1.13: +15 -7

Handle short writes and TLS_{READ,WRITE}_AGAIN around tls_write(). input doug@; OK beck@


revision 1.13 - Sat, 18 Jul 2015 20:32:38 UTC by bcook
Changes since 1.12: +3 -3

prevent the tls constraint state machine from getting hung on STATE_INVALID

patch from Mikolaj Kucharski ok deraadt@


revision 1.12 - Thu, 28 May 2015 21:34:36 UTC by deraadt
Changes since 1.11: +8 -4

detect crashes from constraint sub-processes, instead of ignoring them. if this happens, we want to tear down all of ntpd, so that people will report it, any such bug can be found, and fixed. ok bcook


revision 1.11 - Thu, 21 May 2015 14:24:43 UTC by reyk
Changes since 1.10: +1 -4

No need to call tzset() and log_init() in the forked constraint handler. It is run in a chroot, so tzset() wouldn't even succeed to open the zone file. Found with tame.

OK deraadt@


revision 1.10 - Mon, 18 May 2015 14:19:23 UTC by reyk
Changes since 1.9: +4 -2

Currently, after 4 failed constraint checks, we suspect the constraint of being wrong, not the NTP responses, reset it and query it from all the constraint servers all over again. This turned out to be a bit aggressive because it could get triggered with just a few bad NTP peers in a larger pool. To avoid constant reconnections, scale the error margin with the number of resolved NTP peers using peer_cnt * 4. This way a single or a few outliers in a NTP pool cannot trigger reconnecting to the constraint servers immediately. More NTP peers, less reason to mistrust the constraint.

Found by dtucker@ OK deraadt@


revision 1.9 - Sun, 17 May 2015 18:31:32 UTC by reyk
Changes since 1.8: +35 -24

When resolving the "constraint" (singular), store all returned IP addresses and try one after another until the connection succeeds - based on the existing mechanism of "server". "constraint" previously only tried to connect to the first returned address, aborted and skipped the constraint on failure. In contrast to "constraints" (plural), it still only connects to one address at a time and not to all of them at once.

Pointed out by rpe@ OK rpe@ deraadt@


revision 1.8 - Tue, 21 Apr 2015 01:49:19 UTC by jsg
Changes since 1.7: +2 -1

fix a memory leak if tls_read() fails. ok henning@


revision 1.7 - Sat, 14 Mar 2015 05:10:11 UTC by bcook
Changes since 1.6: +3 -10

remove unused 'cause' string when checking child status

ok deraadt@


revision 1.6 - Sun, 22 Feb 2015 15:09:54 UTC by jsing
OpenBSD release(s): 57
Changes since 1.5: +2 -2

Rename tls_config_insecure_noverifyhost() to tls_config_insecure_noverifyname(), so that it is more accurate and keeps in line with the distinction between DNS hostname and server name.

Requested by tedu@ during s2k15.


revision 1.5 - Sun, 22 Feb 2015 14:55:41 UTC by jsing
Changes since 1.4: +4 -1

Set the TLS ciphers to "compat" mode, restoring the previous behaviour.


revision 1.4 - Thu, 12 Feb 2015 01:54:57 UTC by reyk
Changes since 1.3: +117 -23

Use ntpd's deferred DNS resolving for constraints as well. This allows getting constraint addresses even if network/DNS is not available at startup (or system boot).

thumbs up & OK henning@


revision 1.3 - Tue, 10 Feb 2015 23:52:41 UTC by reyk
Changes since 1.2: +3 -3

Be less chatty on constraint errors.

OK deraadt@


revision 1.2 - Tue, 10 Feb 2015 11:36:37 UTC by reyk
Changes since 1.1: +21 -11

After successfully getting a constraint from an HTTPS server, there is no need to request it ever again. The only exception is the escalation of failed constraint checks that might lead into re-requesting the constraint time from all servers. Adjust the states accordingly.

OK henning@


revision 1.1 - Tue, 10 Feb 2015 06:40:08 UTC by reyk

Add support for "constraints": when configured, ntpd(8) will query the time from HTTPS servers, by parsing the Date: header, and use the median constraint time as a boundary to verify NTP responses. This adds some level of authentication and protection against MITM attacks while preserving the accuracy of the NTP protocol; without relying on authentication options for NTP that are basically unavailable at present. This is an initial implementation and the semantics will be improved once it is in the tree.

Discussed with deraadt@ and henning@ OK henning@
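
The following is an added example, not code from OpenBSD ntpd or this file, put together to show the mechanics that several of the commit messages above describe: the constraint parses the HTTPS Date: header and uses the median of the constraint times as a bound on NTP replies (revision 1.1), the header only ever carries the fixed "GMT" suffix so %Z is avoided (revision 1.26), time_t values are compared without the "*a - *b" idiom (revision 1.39), the median uses a proper algorithm (revision 1.44), and certificate validity is judged against the server-reported time rather than the local wallclock, reporting "not yet valid" and "expired" separately (revisions 1.40 and 1.42). The 900-second CONSTRAINT_MARGIN, the month table, the days_from_civil helper and the three sample Date: values are all constructed for this example. The day-count conversion is done by hand instead of calling timegm(3); a version that does call timegm(3) must check for a (time_t)-1 return, which is what revisions 1.41 and 1.61 add. With libtls the certificate step corresponds to disabling the wallclock check with tls_config_insecure_noverifytime(3) and then comparing tls_peer_cert_notbefore(3) and tls_peer_cert_notafter(3) against the parsed Date: value.

```c
/* Added example (not OpenBSD ntpd code): the constraint-time checks described
 * in the commit messages above, self-contained so they can be run. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CONSTRAINT_MARGIN 900	/* assumed tolerance in seconds, illustrative */

enum cert_validity { CERT_VALID, CERT_NOT_YET_VALID, CERT_EXPIRED };

static const char *const months[12] = { "Jan", "Feb", "Mar", "Apr", "May",
    "Jun", "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" };

/* Days since 1970-01-01 for a proleptic Gregorian date; no timegm(3) needed. */
static long long
days_from_civil(long long y, int m, int d)
{
	y -= m <= 2;
	long long era = (y >= 0 ? y : y - 399) / 400;
	long long yoe = y - era * 400;
	long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
	return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Parse an RFC 7231 IMF-fixdate, e.g. "Sun, 06 Nov 1994 08:49:37 GMT".  Only
 * the literal "GMT" suffix is accepted, so strptime(3) %Z is never used.
 * Returns seconds since the epoch, or (time_t)-1 on any parse failure. */
time_t
parse_http_date(const char *s)
{
	char wday[4], mon[4], tz[8];
	int d, y, hh, mm, ss, m;

	if (sscanf(s, "%3[A-Za-z], %2d %3[A-Za-z] %4d %2d:%2d:%2d %7s",
	    wday, &d, mon, &y, &hh, &mm, &ss, tz) != 8 || strcmp(tz, "GMT") != 0)
		return (time_t)-1;
	for (m = 0; m < 12 && strcmp(mon, months[m]) != 0; m++)
		;
	if (m == 12 || y < 1970 || d < 1 || d > 31 || hh > 23 || mm > 59 || ss > 60)
		return (time_t)-1;
	return (time_t)(days_from_civil(y, m + 1, d) * 86400 + hh * 3600 + mm * 60 + ss);
}

/* Three-way compare safe for 64-bit time_t: never "*a - *b" truncated to int. */
static int
time_cmp(const void *a, const void *b)
{
	time_t ta = *(const time_t *)a, tb = *(const time_t *)b;
	return (ta > tb) - (ta < tb);
}

/* Median of n constraint times (sorts in place); midpoint of the two middle
 * values for an even count.  Returns (time_t)-1 when n == 0. */
time_t
constraint_median(time_t *t, size_t n)
{
	if (n == 0)
		return (time_t)-1;
	qsort(t, n, sizeof(*t), time_cmp);
	return n % 2 ? t[n / 2] : t[n / 2 - 1] + (t[n / 2] - t[n / 2 - 1]) / 2;
}

/* 1 if an NTP reply's time lies within the margin of the constraint, else 0. */
int
constraint_check(time_t ntp_time, time_t constraint_time)
{
	time_t diff = ntp_time > constraint_time ?
	    ntp_time - constraint_time : constraint_time - ntp_time;
	return diff <= CONSTRAINT_MARGIN;
}

/* Certificate validity judged against the server-reported time instead of the
 * possibly-wrong local clock, distinguishing "not yet valid" from "expired". */
enum cert_validity
cert_validity_at(time_t notbefore, time_t notafter, time_t now)
{
	if (now < notbefore)
		return CERT_NOT_YET_VALID;
	if (now > notafter)
		return CERT_EXPIRED;
	return CERT_VALID;
}

int
main(void)
{
	/* Constructed Date: values as three constraint servers might report them. */
	const char *hdrs[3] = { "Sun, 06 Nov 1994 08:49:37 GMT",
	    "Sun, 06 Nov 1994 08:49:40 GMT", "Sun, 06 Nov 1994 08:51:12 GMT" };
	time_t times[3], median;

	for (int i = 0; i < 3; i++)
		if ((times[i] = parse_http_date(hdrs[i])) == (time_t)-1)
			return 1;
	median = constraint_median(times, 3);
	printf("median %lld: reply +60s %s, reply +3600s %s\n", (long long)median,
	    constraint_check(median + 60, median) ? "ok" : "rejected",
	    constraint_check(median + 3600, median) ? "ok" : "rejected");
	return 0;
}
```

The reference time for cert_validity_at() is the constraint's own parsed Date: value, not time(3), which is the whole point of revision 1.40: if the local clock is the thing being corrected, it cannot also be the oracle for the certificate's validity window. A reply rejected by constraint_check() should be logged with both time values, as revision 1.42 does for certificates, so that an operator can tell a drifted local clock from a misbehaving server.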