History log of /openbsd/usr.sbin/ntpd/ntpd.c (Results 1 – 25 of 132)
Revision Date Author Comments
# 1fa741bd 16-Jul-2021 mestre <mestre@openbsd.org>

main proc doesn't speak with sockets during the main loop and setpriority plus
chroot (and privdrop) in the child procs at this point are all set and done so
pledge("inet id") promises are not required anymore.

analysis and OK @kn


# fd393c40 16-Jul-2021 mestre <mestre@openbsd.org>

/etc/ssl/cert.pem is loaded into mem with tls_load_file(3) on local function
priv_constraint_child() which is called before we reach pledge(2), therefore we
don't need to unveil(2) that file nor having pledge("rpath") since it was
only required to read that same file.

OK kn@


# bc5a8259 12-Jul-2021 beck <beck@openbsd.org>

Change the error reporting pattern throughout the tree when unveil
fails to report the path that the failure occurred on. Suggested by
deraadt@ after some tech discussion.

Work done and verified by Ashton Fagg <ashton@fagg.id.au>

ok deraadt@ semarie@ claudio@


# 1908d877 12-Feb-2020 otto <otto@openbsd.org>

If constraints are configured but do not work for whatever reason ntpd
does not work. Make that more clear in the log and ntpdctl -s status.
report by and ok benno@


# 1511e2d1 11-Nov-2019 otto <otto@openbsd.org>

Also implement "trusted" for sensors; do not do constraint validation
for these. ok deraadt@


# 9c341873 11-Nov-2019 deraadt <deraadt@openbsd.org>

Disable -s and -S functionality. -s would force time using NTP packets without
any MITM protection checks. We've had constraint checks for MITM protection
for some time. Recent work changed the default mode to rapidly check NTP packets against constraint validation, as the default mode.
In environments where https traffic doesn't work, ethernet-near servers can
be labelled as "trusted". trusted sensor support is also coming.
We have reasons to immediately move people away from the -s mode.
ok otto


# eb7f225f 10-Nov-2019 otto <otto@openbsd.org>

Introduce a "trusted" modifier, for peers that should be on a local net
used in situations where https constraints cannot be used and we still want
auto settime. Result of discussion with and ok deraadt@


# fe63d0d1 10-Nov-2019 otto <otto@openbsd.org>

- validate sensor values against constraints
- do not restart settime timeout interval if something happens in the main
event loop
- apply a tight loop protection; it can be painful on a single
core machine since the process runs at maximum priority. Should only
happen when a bug is introduced while developing, but prevents having the
machine taken over by ntpd.


# df69c215 28-Jun-2019 deraadt <deraadt@openbsd.org>

When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.


# 8d2ac903 27-Jun-2019 otto <otto@openbsd.org>

Allow logging to both stderr and syslog; don't reset the log level if
the log destination changes. ok claudio@ benno@


# c9addb91 12-Jun-2019 otto <otto@openbsd.org>

Fix init of syslog for childs and teach dns process about synced state.
ok benno@


# 841516aa 09-Jun-2019 otto <otto@openbsd.org>

Introducing automatic settime mode: if some preconditions are met
(booting, constraint(s) defined) set the time but only if the clock
should be moved forward by more than a minute, based on ntp replies
that satisfied the constraints. Tested by many; ok deraadt@


# febce360 14-Jan-2019 florian <florian@openbsd.org>

Prevent multiple ntpds from tripping over each other.
This brings over the logic from bgpd & ospfd.
Input & OK deraadt


# fb0a89ee 29-Nov-2018 tedu <tedu@openbsd.org>

update for libtls default cert changes.
bonus: this exposed a few missing const qualifiers.


# 84c1bf98 06-Nov-2018 jsing <jsing@openbsd.org>

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@


# 50c479e0 31-Aug-2018 deraadt <deraadt@openbsd.org>

the main process must chdir to /, since it cannot have daemon() do the
job at startup. After much anguish I accept dlg's solution of chdir
for the problem ("starting ntpd on a filesystem I want to unmount"),
but we cannot change the main-process daemon() call. Why? Because
the ntpd privsep design predates more modern designs where the config
file is parsed once, and configuration marshalled to the fork+exec
children. Instead each ntpd process re-parses the config, and if
we chdir before fork+exec startup, it will move the basedir causing
-f "relativepath" to fail.

discussed with florian


# 01a88081 08-Aug-2018 deraadt <deraadt@openbsd.org>

ntpd unveils the cert.pem "r" file (which is passed-over-socket to the
constraints process), and /usr/sbin/ntpd "x" to perform fork+exec operations.


# bf3450a9 04-Aug-2018 mestre <mestre@openbsd.org>

Revert back previous commit, we have decided that socket files don't cause any
harm if not deleted after the daemon is shutdown and at the same time we also
tackle another attack surface by not allowing the program to create/delete
any more files (by removing "cpath" promise from pledge(2)).

Discussion initiated by a question from deraadt@ OK florian@


# b6e52342 02-Aug-2018 mestre <mestre@openbsd.org>

ntpd(8) has logic in place to delete its control socket on shutdown, but it
currently doesn't call the function control_cleanup to do so. The solution is
to simply call that function just before the program quits.

"sure" henning@


# 871fc12c 09-Jan-2017 reyk <reyk@openbsd.org>

Stop accessing verbose and debug variables from log.c directly.

This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().

Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)


# c29ada62 01-Dec-2016 mestre <mestre@openbsd.org>

Remove unused variable which was leaking memory, and while here remove 2 other
variables that were also never used

OK otto@


# 5f14684e 26-Sep-2016 rzalamena <rzalamena@openbsd.org>

Teach ntpd(8) constraint process to use exec*() instead of just forking,
with this change we get the pledge() ability back to the parent process.

some tweaks from and ok reyk@


# 78541249 26-Sep-2016 rzalamena <rzalamena@openbsd.org>

Teach ntpd(8) how to use socket status to shutdown the daemon. While at
it, remove some verbose shutdown messages that we had before with pipe
close.

ok reyk@


# 4e840e7a 14-Sep-2016 rzalamena <rzalamena@openbsd.org>

Teach ntpd(8) how to fork+exec.

ok reyk@, bcook@


# 774da4d1 03-Sep-2016 reyk <reyk@openbsd.org>

Remove the oh so funny "LOSS OF MIND" from the disclaimer that was not
part of the original ISC license that we use in OpenBSD. Done for
files where Henning is the original author.

OK henning@ deraadt@
