#
b7f2e836 |
| 14-Sep-2016 |
reyk <reyk@openbsd.org> |
Add clarifications ("comments") to three places where it wasn't obvious why it is implemented this way. The whole idea of constraints is to isolate them as much as possible, in a semi-paranoid way.
OK rzalamena@
|
#
0b1f3db1 |
| 13-Jul-2016 |
jsing <jsing@openbsd.org> |
Adjust existing tls_config_set_cipher() callers for TLS cipher group changes - map the previous configuration to the equivalent in the new groups. This will be revisited post release.
Discussed with beck@
|
#
afaa0890 |
| 01-Jun-2016 |
deraadt <deraadt@openbsd.org> |
ntpd is too aggressive about retrying constraint connections. This became more visible recently because a log_debug was changed to log_warnx. Change it back for now. ok jsing
|
#
9083f23c |
| 21-May-2016 |
jsing <jsing@openbsd.org> |
Harden TLS for ntpd constraints - stop disabling server name verification, ensure that we load the CA certificates and use tls_connect_servername() so that we can verify the server we are connecting to (even though we've already resolved the hostname). Also add additional warnings for TLS connect and TLS write failures so that we know what is happening and why.
Lack of server name verification also reported by Luis M. Merino <luismiguelmerino at gmail dot com> - thanks!
ok deraadt@ reyk@
|
#
51d66267 |
| 06-May-2016 |
jsing <jsing@openbsd.org> |
Unconfuse things by renaming variables to match their contents.
ok deraadt@ reyk@
|
#
7640a52f |
| 05-Mar-2016 |
naddy <naddy@openbsd.org> |
According to RFC7231, section 7.1.1.1, the HTTP date header supports no other timezone than the fixed string "GMT". Avoid using strptime %Z, which is nonstandard and can give surprising results on other operating systems. ok deraadt@ giovanni@ bcook@
|
#
0a1ac5ec |
| 27-Jan-2016 |
reyk <reyk@openbsd.org> |
Don't attempt to kill() the constraint in the wrong process. The process management of the constraint processes has been moved from ntp to the parent, for better privsep and pledge, but the ntp process still attempted to kill the constraints on timeout directly. Fix this regression by introducing a new imsg from ntp to the parent and the related logic to kill a constraint at the right place.
Reported & tested by bcook@ Ok bcook@
|
#
579813e4 |
| 19-Dec-2015 |
reyk <reyk@openbsd.org> |
Switch and sync to the log.c variant from httpd/relayd/iked/snmpd/vmd.
OK bcook@ jung@
|
#
1a2f0668 |
| 05-Dec-2015 |
claudio <claudio@openbsd.org> |
EAGAIN handling for imsg_read. OK henning@ benno@
|
#
b1da763c |
| 24-Nov-2015 |
deraadt <deraadt@openbsd.org> |
Cache values from getpwnam() done at initialization, which need to be used by the constraint processes setup later (chroot, setuid...) [late getpwnam discovered during a further audit] ok millert
|
#
b52b3078 |
| 19-Nov-2015 |
mmcc <mmcc@openbsd.org> |
Simplify all instances of get_string() and get_data() using malloc() and strndup().
ok millert@
|
#
d746074e |
| 17-Nov-2015 |
deraadt <deraadt@openbsd.org> |
fix memory leak; from David CARLIER
|
#
a257dd04 |
| 12-Oct-2015 |
reyk <reyk@openbsd.org> |
Move execution of the constraints from the ntp to the parent process. This helps the ntp process to a) give a better pledge(2) and to b) keep the promise of "saving the world again... on time" by removing the delays that have been introduced by expensive constraint forks. The new design offers better privsep but introduces a few more imsgs and runs a little bit more code in the privileged parent. The privileged code is minimal, carefully checked, and does not attempt to "parse" any contents; the forked constraints instantly drop all privileges and pledge to "stdio inet".
OK beck@ deraadt@
|
#
d2f9ff44 |
| 09-Oct-2015 |
deraadt <deraadt@openbsd.org> |
Once the constraint engine process is running, it only needs "stdio inet". It took weeks to get to this point...
|
#
cd548fa4 |
| 10-Sep-2015 |
beck <beck@openbsd.org> |
fix type and return check for tls_read/write.
jointly with jsing@
|
#
caf85d1d |
| 10-Sep-2015 |
beck <beck@openbsd.org> |
fix after libtls api changes ok jsing@
|
#
9d863a9f |
| 09-Sep-2015 |
millert <millert@openbsd.org> |
Fix memory leak in error path when max length exceeded. From Michael McConville
|
#
a9fc612d |
| 18-Jul-2015 |
bluhm <bluhm@openbsd.org> |
Handle short writes and TLS_{READ,WRITE}_AGAIN around tls_write(). input doug@; OK beck@
|
#
eb6f5dd5 |
| 18-Jul-2015 |
bcook <bcook@openbsd.org> |
prevent the tls constraint state machine from getting hung on STATE_INVALID
patch from Mikolaj Kucharski ok deraadt@
|
#
31f765bf |
| 28-May-2015 |
deraadt <deraadt@openbsd.org> |
detect crashes from constraint sub-processes, instead of ignoring them. if this happens, we want to tear down all of ntpd, so that people will report it, any such bug can be found, and fixed. ok bcook
|
#
4ab0fb89 |
| 21-May-2015 |
reyk <reyk@openbsd.org> |
No need to call tzset() and log_init() in the forked constraint handler. It is run in a chroot, so tzset() wouldn't even succeed to open the zone file. Found with tame.
OK deraadt@
|
#
dcbb241c |
| 18-May-2015 |
reyk <reyk@openbsd.org> |
Currently, after 4 failed constraint checks, we suspect the constraint of being wrong, not the NTP responses, reset it and query it from all the constraint servers all over again. This turned out to be a bit aggressive because it could get triggered with just a few bad NTP peers in a larger pool. To avoid constant reconnections, scale the error margin with the number of resolved NTP peers using peer_cnt * 4. This way a single or a few outliers in a NTP pool cannot trigger reconnecting to the constraint servers immediately. More NTP peers, less reason to mistrust the constraint.
Found by dtucker@ OK deraadt@
|
#
3303745e |
| 17-May-2015 |
reyk <reyk@openbsd.org> |
When resolving the "constraint" (singular), store all returned IP addresses and try one after another until the connection succeeded - based on the existing mechanism of "server". "constraint" previously only tried to connect to the first returned address, aborted and skipped the constraint on failure. In difference to "constraints" (plural), it still only connects to one address at a time and not to all of them at once.
Pointed out by rpe@ OK rpe@ deraadt@
|
#
87e97f23 |
| 21-Apr-2015 |
jsg <jsg@openbsd.org> |
fix a memory leak if tls_read() fails. ok henning@
|
#
91e60ad5 |
| 14-Mar-2015 |
bcook <bcook@openbsd.org> |
remove unused 'cause' string when checking child status
ok deraadt@
|