History log of /openbsd/usr.sbin/ntpd/constraint.c (Results 26 – 50 of 56)
Revision Date Author Comments
# b7f2e836 14-Sep-2016 reyk <reyk@openbsd.org>

Add clarifications ("comments") to three places where it wasn't
obvious why it is implemented this way. The whole idea of constraints
is to isolate them as much as possible, in a semi-paranoid way.

OK rzalamena@


# 0b1f3db1 13-Jul-2016 jsing <jsing@openbsd.org>

Adjust existing tls_config_set_cipher() callers for TLS cipher group
changes - map the previous configuration to the equivalent in the new
groups. This will be revisited post release.

Discussed with beck@


# afaa0890 01-Jun-2016 deraadt <deraadt@openbsd.org>

ntpd is too aggressive about retrying constraint connections. This
became more visible recently because a log_debug was changed to
log_warnx. Change it back for now.
ok jsing


# 9083f23c 21-May-2016 jsing <jsing@openbsd.org>

Harden TLS for ntpd constraints - stop disabling server name verification,
ensure that we load the CA certificates and use tls_connect_servername()
so that we can verify the server we are connecting to (even though we've
already resolved the hostname). Also add additional warnings for TLS
connect and TLS write failures so that we know what is happening and why.

Lack of server name verification also reported by Luis M. Merino
<luismiguelmerino at gmail dot com> - thanks!

ok deraadt@ reyk@


# 51d66267 06-May-2016 jsing <jsing@openbsd.org>

Unconfuse things by renaming variables to match their contents.

ok deraadt@ reyk@


# 7640a52f 05-Mar-2016 naddy <naddy@openbsd.org>

According to RFC7231, section 7.1.1.1, the HTTP date header supports
no other timezone than the fixed string "GMT". Avoid using strptime %Z,
which is nonstandard and can give surprising results on other operating
systems. ok deraadt@ giovanni@ bcook@


# 0a1ac5ec 27-Jan-2016 reyk <reyk@openbsd.org>

Don't attempt to kill() the constraint in the wrong process. The
process management of the constraint processes has been moved from ntp
to the parent, for better privsep and pledge, but the ntp process
still attempted to kill the constraints on timeout directly. Fix this
regression by introducing a new imsg from ntp to the parent and the
related logic to kill a constraint at the right place.

Reported & tested by bcook@
Ok bcook@


# 579813e4 19-Dec-2015 reyk <reyk@openbsd.org>

Switch and sync to the log.c variant from httpd/relayd/iked/snmpd/vmd.

OK bcook@ jung@


# 1a2f0668 05-Dec-2015 claudio <claudio@openbsd.org>

EAGAIN handling for imsg_read. OK henning@ benno@


# b1da763c 24-Nov-2015 deraadt <deraadt@openbsd.org>

Cache values from getpwnam() done at initialization, which need to be
used by the constraint processes setup later (chroot, setuid...)
[late getpwnam discovered during a further audit]
ok millert


# b52b3078 19-Nov-2015 mmcc <mmcc@openbsd.org>

Simplify all instances of get_string() and get_data() using malloc() and
strndup().

ok millert@


# d746074e 17-Nov-2015 deraadt <deraadt@openbsd.org>

fix memory leak; from David CARLIER


# a257dd04 12-Oct-2015 reyk <reyk@openbsd.org>

Move execution of the constraints from the ntp to the parent process.
This helps the ntp process to a) give a better pledge(2) and to b)
keep the promise of "saving the world again... on time" by removing
the delays that have been introduced by expensive constraint forks.
The new design offers better privsep but introduces a few more imsgs
and runs a little bit more code in the privileged parent. The
privileged code is minimal, carefully checked, and does not attempt to
"parse" any contents; the forked constraints instantly drop all
privileges and pledge to "stdio inet".

OK beck@ deraadt@


# d2f9ff44 09-Oct-2015 deraadt <deraadt@openbsd.org>

Once the constraint engine process is running, it only needs
"stdio inet". It took weeks to get to this point...


# cd548fa4 10-Sep-2015 beck <beck@openbsd.org>

fix type and return check for tls_read/write.

jointly with jsing@


# caf85d1d 10-Sep-2015 beck <beck@openbsd.org>

fix after libtls api changes
ok jsing@


# 9d863a9f 09-Sep-2015 millert <millert@openbsd.org>

Fix memory leak in error path when max length exceeded.
From Michael McConville


# a9fc612d 18-Jul-2015 bluhm <bluhm@openbsd.org>

Handle short writes and TLS_{READ,WRITE}_AGAIN around tls_write().
input doug@; OK beck@


# eb6f5dd5 18-Jul-2015 bcook <bcook@openbsd.org>

prevent the tls constraint state machine from getting hung on STATE_INVALID

patch from Mikolaj Kucharski
ok deraadt@


# 31f765bf 28-May-2015 deraadt <deraadt@openbsd.org>

detect crashes from constraint sub-processes, instead of ignoring them.
if this happens, we want to tear down all of ntpd, so that people will
report it, any such bug can be found, and fixed.
ok bcook


# 4ab0fb89 21-May-2015 reyk <reyk@openbsd.org>

No need to call tzset() and log_init() in the forked constraint
handler. It is run in a chroot, so tzset() wouldn't even succeed to
open the zone file. Found with tame.

OK deraadt@


# dcbb241c 18-May-2015 reyk <reyk@openbsd.org>

Currently, after 4 failed constraint checks, we suspect the constraint
of being wrong, not the NTP responses, reset it and query it from all
the constraint servers all over again. This turned out to be a bit
aggressive because it could get triggered with just a few bad NTP
peers in a larger pool. To avoid constant reconnections, scale the
error margin with the number of resolved NTP peers using peer_cnt * 4.
This way a single or a few outliers in a NTP pool cannot trigger
reconnecting to the constraint servers immediately. More NTP peers,
less reason to mistrust the constraint.

Found by dtucker@
OK deraadt@


# 3303745e 17-May-2015 reyk <reyk@openbsd.org>

When resolving the "constraint" (singular), store all returned IP
addresses and try one after another until the connection succeeded -
based on the existing mechanism of "server". "constraint" previously
only tried to connect to the first returned address, aborted and
skipped the constraint on failure. In difference to "constraints"
(plural), it still only connects to one address at a time and not to
all of them at once.

Pointed out by rpe@
OK rpe@ deraadt@


# 87e97f23 21-Apr-2015 jsg <jsg@openbsd.org>

fix a memory leak if tls_read() fails. ok henning@


# 91e60ad5 14-Mar-2015 bcook <bcook@openbsd.org>

remove unused 'cause' string when checking child status

ok deraadt@

