diff options
360 files changed, 22143 insertions, 11774 deletions
diff --git a/cddl/usr.sbin/zfsd/case_file.cc b/cddl/usr.sbin/zfsd/case_file.cc index c310585..1ddffae 100644 --- a/cddl/usr.sbin/zfsd/case_file.cc +++ b/cddl/usr.sbin/zfsd/case_file.cc @@ -442,10 +442,38 @@ CaseFile::ReEvaluate(const ZfsEvent &event) return (consumed || closed); } +/* Find a Vdev containing the vdev with the given GUID */ +static nvlist_t* +find_parent(nvlist_t *pool_config, nvlist_t *config, DevdCtl::Guid child_guid) +{ + nvlist_t **vdevChildren; + int error; + unsigned ch, numChildren; + + error = nvlist_lookup_nvlist_array(config, ZPOOL_CONFIG_CHILDREN, + &vdevChildren, &numChildren); + + if (error != 0 || numChildren == 0) + return (NULL); + + for (ch = 0; ch < numChildren; ch++) { + nvlist *result; + Vdev vdev(pool_config, vdevChildren[ch]); + + if (vdev.GUID() == child_guid) + return (config); + + result = find_parent(pool_config, vdevChildren[ch], child_guid); + if (result != NULL) + return (result); + } + + return (NULL); +} bool CaseFile::ActivateSpare() { - nvlist_t *config, *nvroot; + nvlist_t *config, *nvroot, *parent_config; nvlist_t **spares; char *devPath, *vdev_type; const char *poolname; @@ -472,6 +500,22 @@ CaseFile::ActivateSpare() { "tree for pool %s", poolname); return (false); } + + parent_config = find_parent(config, nvroot, m_vdevGUID); + if (parent_config != NULL) { + char *parent_type; + + /* + * Don't activate spares for members of a "replacing" vdev. + * They're already dealt with. Sparing them will just drag out + * the resilver process. + */ + error = nvlist_lookup_string(parent_config, + ZPOOL_CONFIG_TYPE, &parent_type); + if (error == 0 && strcmp(parent_type, VDEV_TYPE_REPLACING) == 0) + return (false); + } + nspares = 0; nvlist_lookup_nvlist_array(nvroot, ZPOOL_CONFIG_SPARES, &spares, &nspares); diff --git a/contrib/netbsd-tests/lib/libc/sys/t_mlock.c b/contrib/netbsd-tests/lib/libc/sys/t_mlock.c index 0a3a40d..59ab2b0 100644 --- a/contrib/netbsd-tests/lib/libc/sys/t_mlock.c +++ b/contrib/netbsd-tests/lib/libc/sys/t_mlock.c @@ -133,38 +133,43 @@ ATF_TC_BODY(mlock_err, tc) ATF_REQUIRE_ERRNO(ENOMEM, mlock((char *)0, page) == -1); errno = 0; - ATF_REQUIRE_ERRNO(ENOMEM, mlock((char *)-1, page) == -1); - - errno = 0; ATF_REQUIRE_ERRNO(ENOMEM, munlock(NULL, page) == -1); errno = 0; ATF_REQUIRE_ERRNO(ENOMEM, munlock((char *)0, page) == -1); +#ifdef __FreeBSD__ + /* Wrap around should return EINVAL */ + errno = 0; + ATF_REQUIRE_ERRNO(EINVAL, mlock((char *)-1, page) == -1); + errno = 0; + ATF_REQUIRE_ERRNO(EINVAL, munlock((char *)-1, page) == -1); +#else + errno = 0; + ATF_REQUIRE_ERRNO(ENOMEM, mlock((char *)-1, page) == -1); errno = 0; ATF_REQUIRE_ERRNO(ENOMEM, munlock((char *)-1, page) == -1); +#endif - buf = malloc(page); + buf = malloc(page); /* Get a valid address */ ATF_REQUIRE(buf != NULL); - - /* - * unlocking memory that is not locked is an error... - */ - +#ifdef __FreeBSD__ errno = 0; - ATF_REQUIRE_ERRNO(ENOMEM, munlock(buf, page) == -1); + /* Wrap around should return EINVAL */ + ATF_REQUIRE_ERRNO(EINVAL, mlock(buf, -page) == -1); + errno = 0; + ATF_REQUIRE_ERRNO(EINVAL, munlock(buf, -page) == -1); +#else + errno = 0; + ATF_REQUIRE_ERRNO(ENOMEM, mlock(buf, -page) == -1); + errno = 0; + ATF_REQUIRE_ERRNO(ENOMEM, munlock(buf, -page) == -1); +#endif + (void)free(buf); /* There is no sbrk on AArch64 and RISC-V */ #if !defined(__aarch64__) && !defined(__riscv__) /* - * These are permitted to fail (EINVAL) but do not on NetBSD - */ - ATF_REQUIRE(mlock((void *)(((uintptr_t)buf) + page/3), page/5) == 0); - ATF_REQUIRE(munlock((void *)(((uintptr_t)buf) + page/3), page/5) == 0); - - (void)free(buf); - - /* * Try to create a pointer to an unmapped page - first after current * brk will likely do. */ @@ -360,6 +365,80 @@ ATF_TC_CLEANUP(mlock_nested, tc) } #endif +#ifdef __FreeBSD__ +ATF_TC_WITH_CLEANUP(mlock_unaligned); +#else +ATF_TC(mlock_unaligned); +#endif +ATF_TC_HEAD(mlock_unaligned, tc) +{ + atf_tc_set_md_var(tc, "descr", + "Test that mlock(2) can lock page-unaligned memory"); +#ifdef __FreeBSD__ + atf_tc_set_md_var(tc, "require.config", "allow_sysctl_side_effects"); + atf_tc_set_md_var(tc, "require.user", "root"); +#endif +} + +ATF_TC_BODY(mlock_unaligned, tc) +{ + void *buf, *addr; + +#ifdef __FreeBSD__ + /* Set max_wired really really high to avoid EAGAIN */ + set_vm_max_wired(INT_MAX); +#endif + + buf = malloc(page); + ATF_REQUIRE(buf != NULL); + + if ((uintptr_t)buf & ((uintptr_t)page - 1)) + addr = buf; + else + addr = (void *)(((uintptr_t)buf) + page/3); + + ATF_REQUIRE_EQ(mlock(addr, page/5), 0); + ATF_REQUIRE_EQ(munlock(addr, page/5), 0); + + (void)free(buf); +} + +#ifdef __FreeBSD__ +ATF_TC_CLEANUP(mlock_unaligned, tc) +{ + + restore_vm_max_wired(); +} +#endif + +ATF_TC(munlock_unlocked); +ATF_TC_HEAD(munlock_unlocked, tc) +{ + atf_tc_set_md_var(tc, "descr", +#ifdef __FreeBSD__ + "munlock(2) accepts unlocked memory"); +#else + "munlock(2) of unlocked memory is an error"); +#endif + atf_tc_set_md_var(tc, "require.user", "root"); +} + +ATF_TC_BODY(munlock_unlocked, tc) +{ + void *buf; + + buf = malloc(page); + ATF_REQUIRE(buf != NULL); + +#ifdef __FreeBSD__ + ATF_REQUIRE_EQ(munlock(buf, page), 0); +#else + errno = 0; + ATF_REQUIRE_ERRNO(ENOMEM, munlock(buf, page) == -1); +#endif + (void)free(buf); +} + ATF_TP_ADD_TCS(tp) { @@ -371,6 +450,8 @@ ATF_TP_ADD_TCS(tp) ATF_TP_ADD_TC(tp, mlock_limits); ATF_TP_ADD_TC(tp, mlock_mmap); ATF_TP_ADD_TC(tp, mlock_nested); + ATF_TP_ADD_TC(tp, mlock_unaligned); + ATF_TP_ADD_TC(tp, munlock_unlocked); return atf_no_error(); } diff --git a/contrib/ntp/ChangeLog b/contrib/ntp/ChangeLog index a1a1cfa..b4ee424 100644 --- a/contrib/ntp/ChangeLog +++ b/contrib/ntp/ChangeLog @@ -1,6 +1,107 @@ --- -(4.2.8p10-win-beta1) 2017/03/21 Released by Harlan Stenn <stenn@ntp.org> -(4.2.8p10) + +* [Sec 3454] Unauthenticated packet can reset authenticated interleave + associations. HStenn. +* [Sec 3453] Interleaved symmetric mode cannot recover from bad state. HStenn. +* [Sec 3415] Permit blocking authenticated symmetric/passive associations. + Implement ippeerlimit. HStenn, JPerlinger. +* [Sec 3414] ntpq: decodearr() can write beyond its 'buf' limits + - initial patch by <stenn@ntp.org>, extended by <perlinger@ntp.org> +* [Sec 3412] ctl_getitem(): Don't compare names past NUL. <perlinger@ntp.org> +* [Sec 3012] Sybil vulnerability: noepeer support. HStenn, JPerlinger. +* [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org> +* [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org> + - applied patch by Sean Haugh +* [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org> +* [Bug 3450] Dubious error messages from plausibility checks in get_systime() + - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org> +* [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org> + - refactoring the MAC code, too +* [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org +* [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org> + - applied patch by ggarvey +* [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org> + - applied patch by ggarvey (with minor mods) +* [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain + - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org> +* [Bug 3435] anchor NTP era alignment <perlinger@ntp.org> +* [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org> +* [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" + - fixed several issues with hash algos in ntpd, sntp, ntpq, + ntpdc and the test suites <perlinger@ntp.org> +* [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org> + - initial patch by Daniel Pouzzner +* [Bug 3423] QNX adjtime() implementation error checking is + wrong <perlinger@ntp.org> +* [Bug 3417] ntpq ifstats packet counters can be negative + made IFSTATS counter quantities unsigned <perlinger@ntp.org> +* [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 + - raised receive buffer size to 1200 <perlinger@ntp.org> +* [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static + analysis tool. <abe@ntp.org> +* [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. +* [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org> + - fix/drop assumptions on OpenSSL libs directory layout +* [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation + - initial patch by timeflies@mail2tor.com <perlinger@ntp.org> +* [Bug 3398] tests fail with core dump <perlinger@ntp.org> + - patch contributed by Alexander Bluhm +* [Bug 3397] ctl_putstr() asserts that data fits in its buffer + rework of formatting & data transfer stuff in 'ntp_control.c' + avoids unecessary buffers and size limitations. <perlinger@ntp.org> +* [Bug 3394] Leap second deletion does not work on ntpd clients + - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org> +* [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size + - increased mimimum stack size to 32kB <perlinger@ntp.org> +* [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org> + - reverted handling of PPS kernel consumer to 4.2.6 behavior +* [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org> +* [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. +* [Bug 3016] wrong error position reported for bad ":config pool" + - fixed location counter & ntpq output <perlinger@ntp.org> +* [Bug 2900] libntp build order problem. HStenn. +* [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org> +* [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, + perlinger@ntp.org +* [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. +* [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org> +* Use strlcpy() to copy strings, not memcpy(). HStenn. +* Typos. HStenn. +* test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. +* refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. +* Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org +* Fix trivial warnings from 'make check'. perlinger@ntp.org +* Fix bug in the override portion of the compiler hardening macro. HStenn. +* record_raw_stats(): Log entire packet. Log writes. HStenn. +* AES-128-CMAC support. BInglis, HStenn, JPerlinger. +* sntp: tweak key file logging. HStenn. +* sntp: pkt_output(): Improve debug output. HStenn. +* update-leap: updates from Paul McMath. +* When using pkg-config, report --modversion. HStenn. +* Clean up libevent configure checks. HStenn. +* sntp: show the IP of who sent us a crypto-NAK. HStenn. +* Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. +* authistrustedip() - use it in more places. HStenn, JPerlinger. +* New sysstats: sys_lamport, sys_tsrounding. HStenn. +* Update ntp.keys .../N documentation. HStenn. +* Distribute testconf.yml. HStenn. +* Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. +* Rename the configuration flag fifo variables. HStenn. +* Improve saveconfig output. HStenn. +* Decode restrict flags on receive() debug output. HStenn. +* Decode interface flags on receive() debug output. HStenn. +* Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. +* Update the documentation in ntp.conf.def . HStenn. +* restrictions() must return restrict flags and ippeerlimit. HStenn. +* Update ntpq peer documentation to describe the 'p' type. HStenn. +* Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. +* Provide dump_restricts() for debugging. HStenn. +* Use consistent 4th arg type for [gs]etsockopt. JPerlinger. +* Some tests might need LIBM. HStenn. +* update-leap: Allow -h/--help early. HStenn. + +--- +(4.2.8p10) 2017/03/21 Released by Harlan Stenn <stenn@ntp.org> * [Sec 3389] NTP-01-016: Denial of Service via Malformed Config (Pentest report 01.2017) <perlinger@ntp.org> diff --git a/contrib/ntp/Makefile.am b/contrib/ntp/Makefile.am index ed9a546..7c95863 100644 --- a/contrib/ntp/Makefile.am +++ b/contrib/ntp/Makefile.am @@ -5,10 +5,10 @@ NULL = # moved sntp first to get libtool and libevent built. SUBDIRS = \ - sntp \ scripts \ include \ libntp \ + sntp \ libparse \ ntpd \ ntpdate \ diff --git a/contrib/ntp/Makefile.in b/contrib/ntp/Makefile.in index f2fedad..0cb05d3 100644 --- a/contrib/ntp/Makefile.in +++ b/contrib/ntp/Makefile.in @@ -99,6 +99,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -523,10 +524,10 @@ NULL = # moved sntp first to get libtool and libevent built. SUBDIRS = \ - sntp \ scripts \ include \ libntp \ + sntp \ libparse \ ntpd \ ntpdate \ diff --git a/contrib/ntp/NEWS b/contrib/ntp/NEWS index 0e95f42..b30f187 100644 --- a/contrib/ntp/NEWS +++ b/contrib/ntp/NEWS @@ -1,4 +1,331 @@ -- +NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27) + +NOTE: this NEWS file will be undergoing more revisions. + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + +This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity +vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and +provides 65 other non-security fixes and improvements: + +* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved + association (LOW/MED) + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3454 / CVE-2018-7185 / VU#961909 + Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11. + CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between + 2.9 and 6.8. + CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could + score between 2.6 and 3.1 + Summary: + The NTP Protocol allows for both non-authenticated and + authenticated associations, in client/server, symmetric (peer), + and several broadcast modes. In addition to the basic NTP + operational modes, symmetric mode and broadcast servers can + support an interleaved mode of operation. In ntp-4.2.8p4 a bug + was inadvertently introduced into the protocol engine that + allows a non-authenticated zero-origin (reset) packet to reset + an authenticated interleaved peer association. If an attacker + can send a packet with a zero-origin timestamp and the source + IP address of the "other side" of an interleaved association, + the 'victim' ntpd will reset its association. The attacker must + continue sending these packets in order to maintain the + disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6, + interleave mode could be entered dynamically. As of ntp-4.2.8p7, + interleaved mode must be explicitly configured/enabled. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p11, or later, from the NTP Project Download Page + or the NTP Public Services Project Download Page. + If you are unable to upgrade to 4.2.8p11 or later and have + 'peer HOST xleave' lines in your ntp.conf file, remove the + 'xleave' option. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was discovered by Miroslav Lichvar of Red Hat. + +* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad + state (LOW/MED) + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3453 / CVE-2018-7184 / VU#961909 + Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11. + CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) + Could score between 2.9 and 6.8. + CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L + Could score between 2.6 and 6.0. + Summary: + The fix for NtpBug2952 was incomplete, and while it fixed one + problem it created another. Specifically, it drops bad packets + before updating the "received" timestamp. This means a + third-party can inject a packet with a zero-origin timestamp, + meaning the sender wants to reset the association, and the + transmit timestamp in this bogus packet will be saved as the + most recent "received" timestamp. The real remote peer does + not know this value and this will disrupt the association until + the association resets. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Use authentication with 'peer' mode. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was discovered by Miroslav Lichvar of Red Hat. + +* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive + peering (LOW) + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3415 / CVE-2018-7170 / VU#961909 + Sec 3012 / CVE-2016-1549 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. + CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) + CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N + Summary: + ntpd can be vulnerable to Sybil attacks. If a system is set up to + use a trustedkey and if one is not using the feature introduced in + ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to + specify which IPs can serve time, a malicious authenticated peer + -- i.e. one where the attacker knows the private symmetric key -- + can create arbitrarily-many ephemeral associations in order to win + the clock selection of ntpd and modify a victim's clock. Three + additional protections are offered in ntp-4.2.8p11. One is the + new 'noepeer' directive, which disables symmetric passive + ephemeral peering. Another is the new 'ippeerlimit' directive, + which limits the number of peers that can be created from an IP. + The third extends the functionality of the 4th field in the + ntp.keys file to include specifying a subnet range. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Use the 'noepeer' directive to prohibit symmetric passive + ephemeral associations. + Use the 'ippeerlimit' directive to limit the number of peers + that can be created from an IP. + Use the 4th argument in the ntp.keys file to limit the IPs and + subnets that can be time servers. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was reported as Bug 3012 by Matthew Van Gundy of + Cisco ASIG, and separately by Stefan Moser as Bug 3415. + +* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium) + Date Resolved: 27 Feb 2018 + References: Sec 3414 / CVE-2018-7183 / VU#961909 + Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11. + CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) + CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L + Summary: + ntpq is a monitoring and control program for ntpd. decodearr() + is an internal function of ntpq that is used to -- wait for it -- + decode an array in a response string when formatted data is being + displayed. This is a problem in affected versions of ntpq if a + maliciously-altered ntpd returns an array result that will trip this + bug, or if a bad actor is able to read an ntpq request on its way to + a remote ntpd server and forge and send a response before the remote + ntpd sends its response. It's potentially possible that the + malicious data could become injectable/executable code. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Credit: + This weakness was discovered by Michael Macnair of Thales e-Security. + +* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined + behavior and information leak (Info/Medium) + Date Resolved: 27 Feb 2018 + References: Sec 3412 / CVE-2018-7182 / VU#961909 + Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11. + CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N + CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + 0.0 if C:N + Summary: + ctl_getitem() is used by ntpd to process incoming mode 6 packets. + A malicious mode 6 packet can be sent to an ntpd instance, and + if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will + cause ctl_getitem() to read past the end of its buffer. + Mitigation: + Implement BCP-38. + Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page + or the NTP Public Services Project Download Page. + Have enough sources of time. + Properly monitor your ntpd instances. + If ntpd stops running, auto-restart it without -g . + Credit: + This weakness was discovered by Yihan Lian of Qihoo 360. + +* NTP Bug 3012: Sybil vulnerability: ephemeral association attack + Also see Bug 3415, above. + Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016 + Date Resolved: Stable (4.2.8p11) 27 Feb 2018 + References: Sec 3012 / CVE-2016-1549 / VU#718152 + Affects: All ntp-4 releases up to, but not including 4.2.8p7, and + 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11. + CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) + CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N + Summary: + ntpd can be vulnerable to Sybil attacks. If a system is set up + to use a trustedkey and if one is not using the feature + introduced in ntp-4.2.8p6 allowing an optional 4th field in the + ntp.keys file to specify which IPs can serve time, a malicious + authenticated peer -- i.e. one where the attacker knows the + private symmetric key -- can create arbitrarily-many ephemeral + associations in order to win the clock selection of ntpd and + modify a victim's clock. Two additional protections are + offered in ntp-4.2.8p11. One is the 'noepeer' directive, which + disables symmetric passive ephemeral peering. The other extends + the functionality of the 4th field in the ntp.keys file to + include specifying a subnet range. + Mitigation: + Implement BCP-38. + Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or + the NTP Public Services Project Download Page. + Use the 'noepeer' directive to prohibit symmetric passive + ephemeral associations. + Use the 'ippeerlimit' directive to limit the number of peer + associations from an IP. + Use the 4th argument in the ntp.keys file to limit the IPs + and subnets that can be time servers. + Properly monitor your ntpd instances. + Credit: + This weakness was discovered by Matthew Van Gundy of Cisco ASIG. + +* Bug fixes: + [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org> + [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org> + - applied patch by Sean Haugh + [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org> + [Bug 3450] Dubious error messages from plausibility checks in get_systime() + - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org> + [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org> + - refactoring the MAC code, too + [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org + [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org> + - applied patch by ggarvey + [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org> + - applied patch by ggarvey (with minor mods) + [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain + - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org> + [Bug 3435] anchor NTP era alignment <perlinger@ntp.org> + [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org> + [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" + - fixed several issues with hash algos in ntpd, sntp, ntpq, + ntpdc and the test suites <perlinger@ntp.org> + [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org> + - initial patch by Daniel Pouzzner + [Bug 3423] QNX adjtime() implementation error checking is + wrong <perlinger@ntp.org> + [Bug 3417] ntpq ifstats packet counters can be negative + made IFSTATS counter quantities unsigned <perlinger@ntp.org> + [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10 + - raised receive buffer size to 1200 <perlinger@ntp.org> + [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static + analysis tool. <abe@ntp.org> + [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath. + [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org> + - fix/drop assumptions on OpenSSL libs directory layout + [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation + - initial patch by timeflies@mail2tor.com <perlinger@ntp.org> + [Bug 3398] tests fail with core dump <perlinger@ntp.org> + - patch contributed by Alexander Bluhm + [Bug 3397] ctl_putstr() asserts that data fits in its buffer + rework of formatting & data transfer stuff in 'ntp_control.c' + avoids unecessary buffers and size limitations. <perlinger@ntp.org> + [Bug 3394] Leap second deletion does not work on ntpd clients + - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org> + [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size + - increased mimimum stack size to 32kB <perlinger@ntp.org> + [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org> + - reverted handling of PPS kernel consumer to 4.2.6 behavior + [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org> + [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn. + [Bug 3016] wrong error position reported for bad ":config pool" + - fixed location counter & ntpq output <perlinger@ntp.org> + [Bug 2900] libntp build order problem. HStenn. + [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org> + [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net, + perlinger@ntp.org + [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp. + [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org> + Use strlcpy() to copy strings, not memcpy(). HStenn. + Typos. HStenn. + test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn. + refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn. + Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org + Fix trivial warnings from 'make check'. perlinger@ntp.org + Fix bug in the override portion of the compiler hardening macro. HStenn. + record_raw_stats(): Log entire packet. Log writes. HStenn. + AES-128-CMAC support. BInglis, HStenn, JPerlinger. + sntp: tweak key file logging. HStenn. + sntp: pkt_output(): Improve debug output. HStenn. + update-leap: updates from Paul McMath. + When using pkg-config, report --modversion. HStenn. + Clean up libevent configure checks. HStenn. + sntp: show the IP of who sent us a crypto-NAK. HStenn. + Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger. + authistrustedip() - use it in more places. HStenn, JPerlinger. + New sysstats: sys_lamport, sys_tsrounding. HStenn. + Update ntp.keys .../N documentation. HStenn. + Distribute testconf.yml. HStenn. + Add DPRINTF(2,...) lines to receive() for packet drops. HStenn. + Rename the configuration flag fifo variables. HStenn. + Improve saveconfig output. HStenn. + Decode restrict flags on receive() debug output. HStenn. + Decode interface flags on receive() debug output. HStenn. + Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn. + Update the documentation in ntp.conf.def . HStenn. + restrictions() must return restrict flags and ippeerlimit. HStenn. + Update ntpq peer documentation to describe the 'p' type. HStenn. + Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn. + Provide dump_restricts() for debugging. HStenn. + Use consistent 4th arg type for [gs]etsockopt. JPerlinger. + +* Other items: + +* update-leap needs the following perl modules: + Net::SSLeay + IO::Socket::SSL + +* New sysstats variables: sys_lamport, sys_tsrounding +See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding" +sys_lamport counts the number of observed Lamport violations, while +sys_tsrounding counts observed timestamp rounding events. + +* New ntp.conf items: + +- restrict ... noepeer +- restrict ... ippeerlimit N + +The 'noepeer' directive will disallow all ephemeral/passive peer +requests. + +The 'ippeerlimit' directive limits the number of time associations +for each IP in the designated set of addresses. This limit does not +apply to explicitly-configured associations. A value of -1, the current +default, means an unlimited number of associations may connect from a +single IP. 0 means "none", etc. Ordinarily the only way multiple +associations would come from the same IP would be if the remote side +was using a proxy. But a trusted machine might become compromised, +in which case an attacker might spin up multiple authenticated sessions +from different ports. This directive should be helpful in this case. + +* New ntp.keys feature: Each IP in the optional list of IPs in the 4th +field may contain a /subnetbits specification, which identifies the +scope of IPs that may use this key. This IP/subnet restriction can be +used to limit the IPs that may use the key in most all situations where +a key is used. +-- NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21) Focus: Security, Bug fixes, enhancements. @@ -960,7 +1287,7 @@ following 9 low- and medium-severity vulnerabilities: Implement BCP-38. Upgrade to 4.2.8p7, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - Properly monitor your =ntpd= instances + Properly monitor your ntpd instances Credit: This weakness was discovered by Stephen Gray and Matthew Van Gundy of Cisco ASIG. @@ -1029,7 +1356,7 @@ following 9 low- and medium-severity vulnerabilities: Implement BCP-38. Upgrade to 4.2.8p7, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page - Properly monitor your =ntpd= instances + Properly monitor your ntpd instances Credit: This weakness was discovered by Yihan Lian of the Cloud Security Team, Qihoo 360. @@ -1266,7 +1593,7 @@ following 1 low- and 8 medium-severity vulnerabilities: Configure 'ntpd' to get time from multiple sources. Upgrade to 4.2.8p6, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. - Monitor your 'ntpd= instances. + Monitor your 'ntpd' instances. Credit: This weakness was discovered by Matthey Van Gundy and Jonathan Gardner of Cisco ASIG. diff --git a/contrib/ntp/aclocal.m4 b/contrib/ntp/aclocal.m4 index ff8d37f..b692416 100644 --- a/contrib/ntp/aclocal.m4 +++ b/contrib/ntp/aclocal.m4 @@ -1339,6 +1339,7 @@ m4_include([sntp/m4/ltoptions.m4]) m4_include([sntp/m4/ltsugar.m4]) m4_include([sntp/m4/ltversion.m4]) m4_include([sntp/m4/lt~obsolete.m4]) +m4_include([sntp/m4/ntp_af_unspec.m4]) m4_include([sntp/m4/ntp_cacheversion.m4]) m4_include([sntp/m4/ntp_compiler.m4]) m4_include([sntp/m4/ntp_crosscompile.m4]) diff --git a/contrib/ntp/adjtimed/Makefile.in b/contrib/ntp/adjtimed/Makefile.in index 7ef749f..915d3f5 100644 --- a/contrib/ntp/adjtimed/Makefile.in +++ b/contrib/ntp/adjtimed/Makefile.in @@ -108,6 +108,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -952,7 +953,6 @@ install-exec-hook: # check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/clockstuff/Makefile.in b/contrib/ntp/clockstuff/Makefile.in index 9db42f7..6297f44 100644 --- a/contrib/ntp/clockstuff/Makefile.in +++ b/contrib/ntp/clockstuff/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -793,7 +794,6 @@ uninstall-am: check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/configure b/contrib/ntp/configure index 0d41158..1ab45bc 100755 --- a/contrib/ntp/configure +++ b/contrib/ntp/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ntp 4.2.8p10. +# Generated by GNU Autoconf 2.69 for ntp 4.2.8p11. # # Report bugs to <http://bugs.ntp.org./>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='ntp' PACKAGE_TARNAME='ntp' -PACKAGE_VERSION='4.2.8p10' -PACKAGE_STRING='ntp 4.2.8p10' +PACKAGE_VERSION='4.2.8p11' +PACKAGE_STRING='ntp 4.2.8p11' PACKAGE_BUGREPORT='http://bugs.ntp.org./' PACKAGE_URL='http://www.ntp.org./' @@ -944,6 +944,7 @@ ac_user_opts=' enable_option_checking enable_silent_rules enable_dependency_tracking +with_hardenfile with_locfile enable_shared enable_static @@ -1613,7 +1614,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ntp 4.2.8p10 to adapt to many kinds of systems. +\`configure' configures ntp 4.2.8p11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1683,7 +1684,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ntp 4.2.8p10:";; + short | recursive ) echo "Configuration of ntp 4.2.8p11:";; esac cat <<\_ACEOF @@ -1699,6 +1700,7 @@ Optional Features and Packages: do not reject slow dependency extractors --disable-dependency-tracking speeds up one-time build + --with-hardenfile=XXX os-specific or "/dev/null" --with-locfile=XXX os-specific or "legacy" --enable-shared[=PKGS] build shared libraries [default=no] --enable-static[=PKGS] build static libraries [default=yes] @@ -1921,7 +1923,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ntp configure 4.2.8p10 +ntp configure 4.2.8p11 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2630,7 +2632,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ntp $as_me 4.2.8p10, which was +It was created by ntp $as_me 4.2.8p11, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3631,7 +3633,7 @@ fi # Define the identity of the package. PACKAGE='ntp' - VERSION='4.2.8p10' + VERSION='4.2.8p11' cat >>confdefs.h <<_ACEOF @@ -6581,11 +6583,11 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu $as_echo_n "checking for compile/link hardening flags... " >&6; } -# Check whether --with-locfile was given. -if test "${with_locfile+set}" = set; then : - withval=$with_locfile; +# Check whether --with-hardenfile was given. +if test "${with_hardenfile+set}" = set; then : + withval=$with_hardenfile; else - with_locfile=no + with_hardenfile=no fi @@ -6593,12 +6595,12 @@ fi ( \ SENTINEL_DIR="$PWD" && \ cd $srcdir/sntp && \ - case "$with_locfile" in \ + case "$with_hardenfile" in \ yes|no|'') \ scripts/genHardFlags -d "$SENTINEL_DIR" \ ;; \ *) \ - scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \ + scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \ ;; \ esac \ ) > genHardFlags.i 2> genHardFlags.err @@ -15937,8 +15939,13 @@ $as_echo_n "checking if libevent $ntp_libevent_min_version or later is installed if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent then ntp_use_local_libevent=no - { $as_echo "$as_me:${as_lineno-$LINENO}: Using the installed libevent" >&5 -$as_echo "$as_me: Using the installed libevent" >&6;} + ntp_libevent_version="`$PKG_CONFIG --modversion libevent`" + case "$ntp_libevent_version" in + *.*) ;; + *) ntp_libevent_version='(unknown)' ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_libevent_version" >&5 +$as_echo "yes, version $ntp_libevent_version" >&6; } CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads` CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent` # HMS: I hope the following is accurate. @@ -15966,8 +15973,6 @@ $as_echo "$as_me: Using the installed libevent" >&6;} LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads" esac LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } else ntp_use_local_libevent=yes # HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS @@ -26468,6 +26473,36 @@ fi done + + +# We could do a cv check here, but is it worth it? + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <sys/socket.h> + #ifndef AF_UNSPEC + #include "Bletch: AF_UNSPEC is undefined!" + #endif + #if AF_UNSPEC != 0 + #include "Bletch: AF_UNSPEC != 0" + #endif + +int +main () +{ +{ $as_echo "$as_me:${as_lineno-$LINENO}: AF_UNSPEC is zero, as expected." >&5 +$as_echo "$as_me: AF_UNSPEC is zero, as expected." >&6;} + ; + return 0; +} + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 $as_echo_n "checking return type of signal handlers... " >&6; } if ${ac_cv_type_signal+:} false; then : @@ -30114,8 +30149,13 @@ $as_echo_n "checking pkg-config for $pkg... " >&6; } VER_SUFFIX=o ntp_openssl=yes ntp_openssl_from_pkg_config=yes - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`" + case "$ntp_openssl_version" in + *.*) ;; + *) ntp_openssl_version='(unknown)' ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_openssl_version" >&5 +$as_echo "yes, version $ntp_openssl_version" >&6; } break fi @@ -33924,7 +33964,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ntp $as_me 4.2.8p10, which was +This file was extended by ntp $as_me 4.2.8p11, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -33991,7 +34031,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ntp config.status 4.2.8p10 +ntp config.status 4.2.8p11 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/ntp/configure.ac b/contrib/ntp/configure.ac index e0775b1..4e7e06a 100644 --- a/contrib/ntp/configure.ac +++ b/contrib/ntp/configure.ac @@ -528,6 +528,8 @@ AC_CHECK_HEADERS([sys/timex.h], [], [], [ #endif ]) +NTP_AF_UNSPEC + AC_TYPE_SIGNAL AC_TYPE_OFF_T AC_STRUCT_TM dnl defines TM_IN_SYS_TIME used by refclock_parse.c diff --git a/contrib/ntp/html/access.html b/contrib/ntp/html/access.html index 3489f8f..248def1 100644 --- a/contrib/ntp/html/access.html +++ b/contrib/ntp/html/access.html @@ -19,7 +19,7 @@ color: #FF0000; <p><img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a></p> <p>The skunk watches for intruders and sprays.</p> <p>Last update: - <!-- #BeginDate format:En2m -->11-Sep-2010 05:53<!-- #EndDate --> + <!-- #BeginDate format:En2m -->26-Jul-2017 20:10<!-- #EndDate --> UTC</p> <br clear="left"> <h4>Related Links</h4> @@ -32,7 +32,7 @@ color: #FF0000; <p>The ACL is specified as a list of <tt>restrict</tt> commands in the following format:</p> <p><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></p> <p>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the <tt><i>address</i></tt> is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 and IPv6 default entries. <tt>restrict source</tt> configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptable, and removed when the association is demobilized.</p> -<p>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.</p> +<p>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.</p> <p>An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. Let's assume (not true!) that subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might look like this:</p> <pre> restrict default nopeer # deny new associations diff --git a/contrib/ntp/html/accopt.html b/contrib/ntp/html/accopt.html index 6caff48..4417a8c 100644 --- a/contrib/ntp/html/accopt.html +++ b/contrib/ntp/html/accopt.html @@ -3,89 +3,185 @@ <head> <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> <meta name="generator" content="HTML Tidy, see www.w3.org"> -<title>Access Control Commands and Options</title> -<!-- Changed by: Harlan &, 13-Nov-2014 --> +<title>Access Control Commands and Options</title> <!-- Changed by: Harlan +&, 13-Nov-2014 --> <link href="scripts/style.css" type="text/css" rel="stylesheet"> <style type="text/css"> <!-- <style1 { -color: #FF0000; - font-weight: bold; -} ---> +color: #FF0000; font-weight: bold; } --> </style> </head> <body> <h3>Access Control Commands and Options</h3> -<img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a> +<img src="pic/pogo6.gif" alt="gif" +align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, +Walt Kelly</a> <p>The skunk watches for intruders and sprays.</p> -<p>Last update: - <!-- #BeginDate format:En2m -->13-Nov-2014 03:00<!-- #EndDate --> - UTC</p> +<p>Last update: <!-- #BeginDate format:En2m -->7-Jan-2018 23:56<!-- #EndDate + --> UTC</p> <br clear="left"> <h4>Related Links</h4> -<script type="text/javascript" language="javascript" src="scripts/command.txt"></script> -<script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script> +<script type="text/javascript" language="javascript" +src="scripts/command.txt"></script> +<script type="text/javascript" language="javascript" +src="scripts/accopt.txt"></script> <hr> <h4>Commands and Options</h4> -<p>Unless noted otherwise, further information about these ccommands is on the <a href="accopt.html">Access Control Support</a> page.</p> +<p>Unless noted otherwise, further information about these ccommands is on +the <a href="accopt.html">Access Control Support</a> page.</p> <dl> - <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt></dt> - <dd>Set the parameters of the rate control facility which protects the server from client abuse. If the <tt>limited</tt> flag is present in the ACL, packets that violate these limits are discarded. If, in addition, the <tt>kod</tt> flag is present, a kiss-o'-death packet is returned. See the <a href="rate.html">Rate Management</a> page for further information. The options are: + <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] + [ monitor <i>prob</i> ]</tt></dt> + <dd>Set the parameters of the rate control facility which protects the + server from client abuse. If the <tt>limited</tt> flag is present in the + ACL, packets that violate these limits are discarded. If, in addition, + the <tt>kod</tt> flag is present, a kiss-o'-death packet is + returned. See the <a href="rate.html">Rate Management</a> page for + further information. The options are: <dl> <dt><tt>average <i>avg</i></tt></dt> - <dd>Specify the minimum average interpacket spacing (minimum average headway - time) in log<sub>2</sub> s with default 3.</dd> + <dd>Specify the minimum average interpacket spacing (minimum average + headway time) in log<sub>2</sub> s with default 3.</dd> <dt><tt>minimum <i>min</i></tt></dt> - <dd>Specify the minimum interpacket spacing (guard time) in seconds with default 2.</dd> + <dd>Specify the minimum interpacket spacing (guard time) in seconds + with default 2.</dd> <dt><tt>monitor</tt></dt> - <dd>Specify the probability of being recorded for packets that overflow the MRU list size limit set by <tt>mru maxmem</tt> or <tt>mru maxdepth</tt>. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.</dd> + <dd>Specify the probability of being recorded for packets that + overflow the MRU list size limit set by <tt>mru maxmem</tt> + or <tt>mru maxdepth</tt>. This is a performance optimization for + servers with aggregate arrivals of 1000 packets per second or + more.</dd> </dl> </dd> - <dt id="restrict"><tt>restrict default [<i>flag</i>][...]<br> - restrict source [<i>flag</i>][...]<br> - restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></dt> - <dd>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the <tt><i>address</i></tt> is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 and IPv6 default entries. <tt>restrict source</tt> configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.</dd> - <dd>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:</dd> + <dt id="restrict"><tt>restrict [-4 | -6] default [ippeerlimit <i>num</i>] + [<i>flag</i>][...]<br> restrict source [ippeerlimit <i>num</i>] + [<i>flag</i>][...]<br> restrict <i>address</i> [mask <i>mask</i>] + [ippeerlimit <i>num</i>] [<i>flag</i>][...]</tt></dt> + <dd>The <tt><i>address</i></tt> argument expressed in IPv4 or IPv6 numeric + address form is the address of a host or network. Alternatively, + the <tt><i>address</i></tt> argument can be a valid host DNS + name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 + numeric address form defaults to all mask bits on, meaning that + the <tt><i>address</i></tt> is treated as the address of an individual + host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and + address :: mask :: for IPv6) is always the first entry in the + list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 + and IPv6 default entries. <tt>restrict source</tt> configures a template + restriction automatically added at runtime for each association, whether + configured, ephemeral, or preemptible, and removed when the association + is demobilized.</dd> + <dd>The optional <tt>ippeerlimit</tt> takes a numeric argument that + indicates how many incoming (at present) peer requests will be permitted + for each IP, regardless of whether or not the request comes from an + authenticated source. A value of -1 means "unlimited", which is the + current default. A value of 0 means "none". Ordinarily one would + expect at most 1 of these sessions to exist per IP, however if the + remote side is operating thru a proxy there would be one association for + each remote peer at that IP.</dd> + <dd>Some flags have the effect to deny service, some have the effect to + enable service and some are conditioned by other flags. The flags are + not orthogonal, in that more restrictive flags will often make less + restrictive ones redundant. The flags that deny service are classed in + two categories, those that restrict time service and those that restrict + informational queries and attempts to do run-time reconfiguration of the + server. One or more of the following flags may be specified:</dd> <dd> <dl> <dt><tt>flake</tt></dt> - <dd>Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's <i>flakeway</i>, which once did a similar thing for early Internet testing.</dd> + <dd>Discard received NTP packets with probability 0.1; that is, on + average drop one packet in ten. This is for testing and + amusement. The name comes from Bob Braden's <i>flakeway</i>, which + once did a similar thing for early Internet testing.</dd> <dt><tt>ignore</tt></dt> - <dd>Deny packets of all kinds, including <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> + <dd>Deny packets of all kinds, including <tt>ntpq</tt> + and <tt>ntpdc</tt> queries.</dd> <dt><tt>kod</tt></dt> - <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is present and a packet violates the rate limits established by the <tt>discard</tt> command. KoD packets are themselves rate limited for each source address separately. If the <tt>kod</tt> flag is used in a restriction which does not have the <tt>limited</tt> flag, no KoD responses will result.</dd> + <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is + present and a packet violates the rate limits established by + the <tt>discard</tt> command. KoD packets are themselves rate + limited for each source address separately. If the <tt>kod</tt> flag + is used in a restriction which does not have the <tt>limited</tt> + flag, no KoD responses will result.</dd> <dt id="limited"><tt>limited</tt></dt> - <dd>Deny time service if the packet violates the rate limits established by the <tt>discard</tt> command. This does not apply to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> + <dd>Deny time service if the packet violates the rate limits + established by the <tt>discard</tt> command. This does not apply + to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> <dt><tt>lowpriotrap</tt></dt> - <dd>Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.</dd> + <dd>Declare traps set by matching hosts to be low priority. The number + of traps a server can maintain is limited (the current limit is + 3). Traps are usually assigned on a first come, first served basis, + with later trap requestors being denied service. This flag modifies + the assignment algorithm by allowing low priority traps to be + overridden by later requests for normal priority traps.</dd> <dt><tt>mssntp</tt></dt> - <dd>Enable Microsoft Windows MS-SNTP authentication using Active Directory services. <span class="style1"><b>Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.</b></span></dd> + <dd>Enable Microsoft Windows MS-SNTP authentication using Active + Directory services. <span class="style1"><b>Note: Potential users + should be aware that these services involve a TCP connection to + another process that could potentially block, denying services to + other users. Therefore, this flag should be used only for a + dedicated server with no clients other than MS-SNTP.</b></span></dd> + <dt><tt>noepeer</tt></dt> + <dd>Deny packets that would mobilize an ephemeral peering association, + even if authenticated.</dd> <dt><tt>nomodify</tt></dt> - <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.</dd> + <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to + modify the state of the server (i.e., run time + reconfiguration). Queries which return information are + permitted.</dd> <dt><tt>noquery</tt></dt> - <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not affected.</dd> + <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not + affected.</dd> <dt><tt>nopeer</tt></dt> - <dd>Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. It also includes <tt>pool</tt> associations, so if you want to use servers from a <tt>pool</tt> directive and also want to use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source ..."</tt> line as well that does <i>not</i> include the <tt>nopeer</tt> directive. Note that this flag does not apply to packets that do not attempt to mobilize an association. </dd> + <dd>Deny packets that might mobilize an association unless + authenticated. This includes broadcast, symmetric-active and + manycast server packets when a configured association does not + exist. It also includes <tt>pool</tt> associations, so if you want + to use servers from a <tt>pool</tt> directive and also want to + use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source + ..."</tt> line as well that does <i>not</i> include + the <tt>nopeer</tt> directive. Note that this flag does not apply + to packets that do not attempt to mobilize an association. </dd> <dt><tt>noserve</tt></dt> - <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd> + <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> + queries.</dd> <dt><tt>notrap</tt></dt> - <dd>Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control message protocol which is intended for use by remote event logging programs.</dd> + <dd>Decline to provide mode 6 control message trap service to matching + hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control + message protocol which is intended for use by remote event logging + programs.</dd> <dt><tt>notrust</tt></dt> - <dd>Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the <tt>auth</tt> option of the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> is enabled, which is the default, authentication is required for all packets that might mobilize an association. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag is not present, an association can be mobilized whether or not authenticated. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag is present, authentication is required only for the specified address/mask range. </dd> + <dd>Deny packets that are not cryptographically authenticated. Note + carefully how this flag interacts with the <tt>auth</tt> option of + the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> + is enabled, which is the default, authentication is required for all + packets that might mobilize an association. If <tt>auth</tt> is + disabled, but the <tt>notrust</tt> flag is not present, an + association can be mobilized whether or not + authenticated. If <tt>auth</tt> is disabled, but + the <tt>notrust</tt> flag is present, authentication is required + only for the specified address/mask range. </dd> <dt><tt>ntpport</tt></dt> - <dd>This is actually a match algorithm modifier, rather than a restriction - flag. Its presence causes the restriction entry to be matched only if the - source port in the packet is the standard NTP UDP port (123). A restrict line - containing <tt>ntpport</tt> is considered more specific than one with the - same address and mask, but lacking <tt>ntpport</tt>.</dd> + <dd>This is actually a match algorithm modifier, rather than a + restriction flag. Its presence causes the restriction entry to be + matched only if the source port in the packet is the standard NTP + UDP port (123). A restrict line containing <tt>ntpport</tt> is + considered more specific than one with the same address and mask, + but lacking <tt>ntpport</tt>.</dd> <dt><tt>version</tt></dt> <dd>Deny packets that do not match the current NTP version.</dd> </dl> </dd> - <dd>Default restriction list entries with the flags <tt>ignore, ntpport</tt>, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).</dd> + <dd>Default restriction list entries with the flags <tt>ignore, + ntpport</tt>, for each of the local host's interface addresses are + inserted into the table at startup to prevent the server from + attempting to synchronize to its own time. A default entry is also + always present, though if it is otherwise unconfigured; no flags are + associated with the default entry (i.e., everything besides your own + NTP server is unrestricted).</dd> </dl> <hr> -<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script> +<script type="text/javascript" language="javascript" +src="scripts/footer.txt"></script> </body> </html> diff --git a/contrib/ntp/html/authentic.html b/contrib/ntp/html/authentic.html index e529a6d..06bb67b 100644 --- a/contrib/ntp/html/authentic.html +++ b/contrib/ntp/html/authentic.html @@ -46,14 +46,40 @@ required.</p> <p>By default, the client sends non-authenticated packets and the server responds with non-authenticated packets. If the client sends authenticated packets, the server responds with authenticated packets if correct, or a crypto-NAK packet if not. In the case of unsolicited packets which might consume significant resources, such as broadcast or symmetric mode packets, authentication is required, unless overridden by a <tt>disable auth</tt> command. In the current climate of targeted broadcast or "letterbomb" attacks, defeating this requirement would be decidedly dangerous. In any case, the <tt>notrust </tt>flag, described on the <a href="authopt.html">Access Control Options</a> page, can be used to disable access to all but correctly authenticated clients.</p> <h4 id="symm">Symmetric Key Cryptography</h4> <p>The original NTPv3 specification (RFC-1305), as well as the current NTPv4 specification (RFC-5905), allows any one of possibly 65,534 message digest keys (excluding zero), each distinguished by a 32-bit key ID, to authenticate an association. The servers and clients involved must agree on the key ID, key type and key to authenticate NTP packets.</p> -<p>The message digest is a cryptographic hash computed by an algorithm such as MD5 or SHA. When authentication is specified, a message authentication code (MAC) is appended to the NTP packet header. The MAC consists of a 32-bit key identifier (key ID) followed by a 128- or 160-bit message digest. The algorithm computes the digest as the hash of a 128- or 160- bit message digest key concatenated with the NTP packet header fields with the exception of the MAC. On transmit, the message digest is computed and inserted in the MAC. On receive, the message digest is computed and compared with the MAC. The packet is accepted only if the two MACs are identical. If a discrepancy is found by the client, the client ignores the packet, but raises an alarm. If this happens at the server, the server returns a special message called a <em>crypto-NAK</em>. Since the crypto-NAK is protected by the loopback test, an intruder cannot disrupt the protocol by sending a bogus crypto-NAK.</p> +<p>The message digest is a cryptographic hash computed by an algorithm such as MD5, SHA, or AES-128 CMAC. When authentication is specified, a message authentication code (MAC) is appended to the NTP packet header. The MAC consists of a 32-bit key identifier (key ID) followed by a 128- or 160-bit message digest. The algorithm computes the digest as the hash of a 128- or 160- bit message digest key concatenated with the NTP packet header fields with the exception of the MAC. On transmit, the message digest is computed and inserted in the MAC. On receive, the message digest is computed and compared with the MAC. The packet is accepted only if the two MACs are identical. If a discrepancy is found by the client, the client ignores the packet, but raises an alarm. If this happens at the server, the server returns a special message called a <em>crypto-NAK</em>. Since the crypto-NAK is protected by the loopback test, an intruder cannot disrupt the protocol by sending a bogus crypto-NAK.</p> <p>Keys and related information are specified in a keys file, which must be distributed and stored using secure means beyond the scope of the NTP protocol itself. Besides the keys used for ordinary NTP associations, additional keys can be used as passwords for the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs. Ordinarily, the <tt>ntp.keys</tt> file is generated by the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can be constructed and edited using an ordinary text editor.</p> <p> Each line of the keys file consists of three or four fields: a key ID in the range 1 to 65,534, inclusive, a key type, a message digest key consisting of a printable ASCII string less than 40 characters or a 40-character hex digit string, and an optional comma-separated list of IPs that are allowed to serve time. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by the library. If the OpenSSL library is not installed, the only permitted key type is MD5.</p> -<div align="center"> - <p><img src="pic/sx5.gif" alt="gif"></p> - <p>Figure 1. Typical Symmetric Key File</p> -</div> -<p>Figure 1 shows a typical keys file used by the reference implementation when the OpenSSL library is installed. In this figure, for key IDs in he range 1-10, the key is interpreted as a printable ASCII string. For key IDs in the range 11-20, the key is a 40-character hex digit string. The key is truncated or zero-filled internally to either 128 or 160 bits, depending on the key type. The line can be edited later or new lines can be added to change any field. The key can be change to a password, such as <tt>2late4Me</tt> for key ID 10. Note that two or more keys files can be combined in any order as long as the key IDs are distinct.</p> +<table> + <caption style="caption-side: bottom;"> + Figure 1. Typical Symmetric Key File + </caption> + <tr><td style="border: 1px solid black; border-spacing: 0;"> + <pre style="color:grey;"> +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 + +1 MD5 L";Nw<`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key +5 MD5 B;fxlKgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key +7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key + </pre></td></tr></table> +<p>Figure 1 shows a typical keys file used by the reference implementation when the OpenSSL library is installed. In this figure, for key IDs in he range 1-10, the key is interpreted as a printable ASCII string. For key IDs in the range 11-20, the key is a 40-character hex digit string. The key is truncated or zero-filled internally to either 128 or 160 bits, depending on the key type. The line can be edited later or new lines can be added to change any field. The key can be changed to a password, such as <tt>2late4Me</tt> for key ID 10. Note that two or more keys files can be combined in any order as long as the key IDs are distinct.</p> <p>When <tt>ntpd</tt> is started, it reads the keys file specified by the <tt>keys</tt> command and installs the keys in the key cache. However, individual keys must be activated with the <tt>trustedkey</tt> configuration command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using <tt>ntpq</tt> or <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID used as the password for the <tt>ntpdc</tt> utility, while the <tt>controlkey</tt> command selects the key ID used as the password for the <tt>ntpq</tt> utility.</p> <h4 id="windows">Microsoft Windows Authentication</h4> <p>In addition to the above means, <tt>ntpd</tt> now supports Microsoft Windows MS-SNTP authentication using Active Directory services. This support was contributed by the Samba Team and is still in development. It is enabled using the <tt>mssntp</tt> flag of the <tt>restrict</tt> command described on the <a href="accopt.html#restrict">Access Control Options</a> page. <span class="style1">Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.</span></p> diff --git a/contrib/ntp/html/drivers/driver18.html b/contrib/ntp/html/drivers/driver18.html index 02fb5d2..4334de6 100644 --- a/contrib/ntp/html/drivers/driver18.html +++ b/contrib/ntp/html/drivers/driver18.html @@ -10,7 +10,7 @@ <h3>NIST/USNO/PTB Modem Time Services</h3> <p>Author: David L. Mills (mills@udel.edu)<br> Last update: - <!-- #BeginDate format:En2m -->1-Dec-2012 10:44<!-- #EndDate --> + <!-- #BeginDate format:En2m -->12-Oct-2017 08:13<!-- #EndDate --> UTC</p> <hr> <h4>Synopsis</h4> @@ -43,7 +43,7 @@ ...</tt></p> <p><tt>MJD</tt>, <tt>YR</tt>, <tt>ST</tt>, <tt>UT1</tt> and <tt>UTC(NIST)</tt> are not used by this driver. The <tt><OTM></tt> on-time character "<tt>*</tt>" changes to "<tt>#</tt>" when the delay correction is valid.</p> <p><a href="http://tycho.usno.navy.mil">US Naval Observatory (USNO)</a></p> -<p>Phone: (202) 762-1594 (Washington, DC); (719) 567-6742 (Boulder, CO)</p> +<p>Phone: (202) 762-1594 (Washington, DC); (719) 567-6743 (Colorado Springs, CO)</p> <p><a href="http://tycho.usno.navy.mil/modem_time.html">Data Format</a> (two lines, repeating at one-second intervals)</p> <p><tt>jjjjj nnn hhmmss UTC</tt></p> <p>* on-time character for previous timecode message<br> diff --git a/contrib/ntp/html/drivers/driver40-ja.html b/contrib/ntp/html/drivers/driver40-ja.html index d84c3ce..99ca482 100644 --- a/contrib/ntp/html/drivers/driver40-ja.html +++ b/contrib/ntp/html/drivers/driver40-ja.html @@ -16,7 +16,7 @@ <body> <h3>JJY Receivers</h3> <p>Last update: - <!-- #BeginDate format:En2m -->08-May-2016 00:00<!-- #EndDate --> + <!-- #BeginDate format:En2m -->12-Oct-2017 09:05<!-- #EndDate --> UTC <a href="driver40.html">ENGLISH(英語)</a> <a href="driver40-ja.html">JAPANESE(日本語)</a></p> <hr> <h4>Synopsis</h4> @@ -146,7 +146,8 @@ </li> <li> - <p><a name="mode-3">エコー計測器 LT-2000</a> <a href="http://www.clock.co.jp/">http://www.clock.co.jp/</a> (日本語)</p><br> + <p><a name="mode-3">エコー計測器 LT-2000</a> <!-- a href="http://www.clock.co.jp/" --></p><br> + <p>エコー計測器株式会社は解散しました。2015年7月に、一部の事業は、フレックタイム株式会社に継承されました。</p><br> <dl> <dt>NTPの設定 ( ntp.conf )</dt> <dd><br> diff --git a/contrib/ntp/html/drivers/driver40.html b/contrib/ntp/html/drivers/driver40.html index 3b5f00f..827aeff 100644 --- a/contrib/ntp/html/drivers/driver40.html +++ b/contrib/ntp/html/drivers/driver40.html @@ -16,7 +16,7 @@ <body> <h3>JJY Receivers</h3> <p>Last update: - <!-- #BeginDate format:En2m -->08-May-2016 00:00<!-- #EndDate --> + <!-- #BeginDate format:En2m -->12-Oct-2017 09:05<!-- #EndDate --> UTC <a href="driver40.html">ENGLISH</a> <a href="driver40-ja.html">JAPANESE</a></p> <hr> <h4>Synopsis</h4> @@ -145,7 +145,8 @@ </li> <li> - <p><a name="mode-3">Echo Keisokuki Co.,Ltd. LT-2000</a> <a href="http://www.clock.co.jp/">http://www.clock.co.jp/</a> (Japanese only)</p><br> + <p><a name="mode-3">Echo Keisokuki Co.,Ltd. LT-2000</a> <!-- a href="http://www.clock.co.jp/" --></p><br> + <p>Echo Keisokuki was dissolved. Some business of the company was taken over by FreqTime Co., Ltd. in July, 2015.</p><br> <dl> <dt>NTP configuration ( ntp.conf )</dt> <dd><br> diff --git a/contrib/ntp/html/keygen.html b/contrib/ntp/html/keygen.html index 191b714..4f10a28 100644 --- a/contrib/ntp/html/keygen.html +++ b/contrib/ntp/html/keygen.html @@ -1,116 +1,354 @@ <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> -<head> -<meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> -<meta name="generator" content="HTML Tidy, see www.w3.org"> -<title>ntp-keygen - generate public and private keys</title> -<link href="scripts/style.css" type="text/css" rel="stylesheet"> -</head> -<body> -<h3><tt>ntp-keygen</tt> - generate public and private keys</h3> -<p><img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a></p> -<p>Alice holds the key.</p> -<p>Last update: - <!-- #BeginDate format:En2m -->10-Mar-2014 05:11<!-- #EndDate --> - UTC</p> -<br clear="left"> -<h4>Related Links</h4> -<script type="text/javascript" language="javascript" src="scripts/manual.txt"></script> -<h4>Table of Contents</h4> -<ul> - <li class="inline"><a href="#synop">Synopsis</a></li> - <li class="inline"><a href="#descrip">Description</a></li> - <li class="inline"><a href="#run">Running the program</a></li> - <li class="inline"><a href="#cmd">Command Line Options</a></li> - <li class="inline"><a href="#rand">Random Seed File</a></li> - <li class="inline"><a href="#fmt">Cryptographic Data Files</a></li> - <li class="inline"><a href="#bug">Bugs</a></li> -</ul> -<hr> -<h4 id="synop">Synopsis</h4> -<p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -b <i>modulus</i> ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA - | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ] - [ -C <i>cipher</i> ] [-i <i>group</i> ] [ -l <em>days</em>] - [ -m <i>modulus</i> ] [ -p <i>passwd1</i> ] [ -q <i>passwd2</i> ] - [ -S [ RSA | DSA ] ] [ -s <i>host</i> ] [ -V <i>nkeys</i> ]</tt></p> -<h4 id="descrip">Description</h4> -<p>This program generates cryptographic data files used by the NTPv4 authentication and identity schemes. It can generate message digest keys used in symmetric key cryptography and, if the OpenSSL software library has been installed, it can generate host keys, sign keys, certificates, and identity keys and parameters used by the Autokey public key cryptography. The message digest keys file is generated in a format compatible with NTPv3. All other files are in PEM-encoded printable ASCII format so they can be embedded as MIME attachments in mail to other sites.</p> -<p>When used to generate message digest keys, the program produces a file containing - ten pseudo-random printable ASCII strings suitable for the MD5 message digest algorithm included in the distribution. If the OpenSSL library is installed, it produces an additional ten hex-encoded random bit strings suitable for the SHA1 and other message digest algorithms. The message digest keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.</p> -<p>The remaining generated files are compatible with other OpenSSL applications and other Public Key Infrastructure (PKI) resources. Certificates generated by this program are compatible with extant industry practice, although some users might find the interpretation of X509v3 extension fields somewhat liberal. However, the identity keys are probably not compatible with anything other than Autokey.</p> -<p>Some files used by this program are encrypted using a private password. The <tt>-p</tt> option specifies the password for local encrypted files and the <tt>-q</tt> option the password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix <tt>gethostname()</tt> function, normally the DNS name of the host, is used.</p> -<p>The <tt>pw</tt> option of the <tt>crypto</tt> configuration command specifies the read password for previously encrypted local files. This must match the local password used by this program. If not specified, the host name is used. Thus, if files are generated by this program without password, they can be read back by <tt>ntpd</tt> without password, but only on the same host.</p> -<p>Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called <tt>ntp.keys</tt>, is usually installed in <tt>/etc</tt>. Other files and links are usually installed in <tt>/usr/local/etc</tt>, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. The location of the keys directory can be changed by the <tt>keysdir</tt> configuration command in such cases. Normally, this is in <tt>/etc</tt>.</p> -<p>This program directs commentary and error messages to the standard error stream <tt>stderr</tt> and remote files to the standard output stream <tt>stdout</tt> where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string <tt>ntpkey</tt> and include the file type, generating host and filestamp, as described in the <a href="#fmt">Cryptographic Data Files</a> section below</p> -<h4 id="run">Running the Program</h4> -<p>To test and gain experience with Autokey concepts, log in as root and change to the keys directory, usually <tt>/usr/local/etc</tt>. When run for the first time, or if all files with names beginning <tt>ntpkey</tt> have been removed, use the <tt>ntp-keygen </tt>command without arguments to generate a default RSA host key and matching RSA-MD5 certificate with expiration date one year hence. If run again without options, the program uses the existing keys and parameters and generates only a new certificate with new expiration date one year hence.</p> -<p>Run the command on as many hosts as necessary. Designate one of them as the trusted host (TH) using <tt>ntp-keygen</tt> with the <tt>-T</tt> option and configure it to synchronize from reliable Internet servers. Then configure the other hosts to synchronize to the TH directly or indirectly. A certificate trail is created when Autokey asks the immediately ascendant host towards the TH to sign its certificate, which is then provided to the immediately descendant host on request. All group hosts should have acyclic certificate trails ending on the TH.</p> -<p>The host key is used to encrypt the cookie when required and so must be RSA type. By default, the host key is also the sign key used to encrypt signatures. A different sign key can be assigned using the <tt>-S</tt> option and this can be either RSA or DSA type. By default, the signature message digest type is MD5, but any combination of sign key type and message digest type supported by the OpenSSL library can be specified using the <tt>-c</tt> option.</p> -<dd>The rules say cryptographic media should be generated with proventic filestamps, which means the host should already be synchronized before this program is run. This of course creates a chicken-and-egg problem when the host is started for the first time. Accordingly, the host time should be set by some other means, such as eyeball-and-wristwatch, at least so that the certificate lifetime is within the current year. After that and when the host is synchronized to a proventic source, the certificate should be re-generated.</dd> -<p>Additional information on trusted groups and identity schemes is on the <a href="autokey.html">Autokey Public-Key Authentication</a> page.</p> -<h4 id="cmd">Command Line Options</h4> -<dl> - <dt><tt>-b <i>modulus</i></tt></dt> - <dd>Set the modulus for generating identity keys to <i>modulus</i> bits. The modulus defaults to 256, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources and increases the size of authenticated packets.</dd> - <dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ]</tt></dt> - <dd>Select certificate digital signature and message digest scheme. Note that RSA schemes must be used with an RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is <tt>RSA-MD5</tt>. If compatibility with FIPS 140-2 is required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme must be used.</dd> - <dt><tt>-C <i>cipher</i></tt></dt> - <dd>Select the OpenSSL cipher to use for password-protected keys. The <tt>openssl -h</tt> command provided with OpenSSL displays available ciphers. The default without this option is <tt>des-ede3-cbc</tt>.</dd> - <dt><tt>-d</tt></dt> - <dd>Enable debugging. This option displays the cryptographic data produced for eye-friendly billboards.</dd> - <dt><tt>-e</tt></dt> - <dd>Extract the IFF or GQ public parameters from the <tt>IFFkey</tt> or <tt>GQkey</tt> keys file previously specified. Send the unencrypted data to the standard output stream <tt>stdout</tt>.</dd> - <dt><tt>-G</tt></dt> - <dd>Generate a new encrypted GQ key file for the Guillou-Quisquater (GQ) identity scheme. This option is mutually exclusive with the <tt>-I</tt> and <tt>-V</tt> options.</dd> - <dt><tt>-H</tt></dt> - <dd>Generate a new encrypted RSA public/private host key file.</dd> - <dt><tt>-i <i>group</i></tt></dt> - <dd>Set the optional Autokey group name to <tt><i>group</i></tt>. This is used in the identity scheme parameter file names. In that role, the default is the host name if no group is provided. The group name, if specified using <tt>-i</tt> or using <tt>-s</tt> following an <tt>@</tt> character, is also used in certificate subject and issuer names in the form <tt><i>host</i>@<i>group</i></tt> and should match the group specified via <tt>crypto ident</tt> or <tt>server ident</tt> in ntpd's configuration file.</dd> - <dt><tt>-I</tt></dt> - <dd>Generate a new encrypted IFF key file for the Schnorr (IFF) identity scheme. This option is mutually exclusive with the <tt>-G</tt> and <tt>-V</tt> options.</dd> - <dt><tt>-l <i>days</i></tt></dt> - <dd>Set the lifetime for certificates to <tt><i>days</i></tt>. The default lifetime is one year (365 d).</dd> - <dt><tt>-m <i>modulus</i></tt></dt> - <dd>Set the modulus for generating files to <i>modulus</i> bits. The modulus defaults to 512, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources and increases the size of authenticated packets.</dd> - <dt><tt>-M</tt></dt> - <dd>Generate a new keys file containing 10 MD5 keys and 10 SHA keys. An MD5 key is a string of 20 random printable ASCII characters, while a SHA key is a string of 40 random hex digits. The file can be edited using a text editor to change the key type or key content. This option is mutually exclusive with all other option.</dd> - <dt><tt>-P</tt></dt> - <dd>Generate a new private certificate used by the PC identity scheme. By default, the program generates public certificates. Note: the PC identity scheme is not recommended for new installations.</dd> - <dt><tt>-p <i>passwd</i></tt></dt> - <dd>Set the password for reading and writing encrypted files to <tt><i>passwd.</i></tt> These include the host, sign and identify key files. By default, the password is the string returned by the Unix <tt>gethostname()</tt> routine.</dd> - <dt><tt>-q <i>passwd</i></tt></dt> - <dd>Set the password for writing encrypted IFF, GQ and MV identity files redirected to <tt>stdout</tt> to <tt><i>passwd.</i></tt> In effect, these files are decrypted with the <tt>-p</tt> password, then encrypted with the <tt>-q</tt> password. By default, the password is the string returned by the Unix <tt>gethostname()</tt> routine.</dd> - <dt><tt>-S [ RSA | DSA ]</tt></dt> - <dd>Generate a new encrypted public/private sign key file of the specified type. By default, the sign key is - the host key and has the same type. If compatibly with FIPS 140-2 is required, - the sign key type must be <tt>DSA</tt>.</dd> - <dt><tt>-s <i>host</i>[@<i>group</i>]</tt></dt> - <dd>Specify the Autokey host name, where <tt><i>host</i></tt> is the host name and <tt><i>group</i></tt> is the optional group name. The host name, and if provided, group name are used in <tt><i>host</i>@<i>group</i></tt> form as certificate subject and issuer. Specifying <tt>-s @<i>group</i></tt> is allowed, and results in leaving the host name unchanged, as with <tt>-i <i>group</i></tt>. The group name, or if no group is provided, the host name are also used in the file names of IFF, GQ, and MV identity scheme parameter files. If <tt><i>host</i></tt> is not specified, the default host name is the string returned by the <tt>gethostname()</tt> routine.</dd> - <dt><tt>-T</tt></dt> - <dd>Generate a trusted certificate. By default, the program generates nontrusted certificates.</dd> - <dt><tt>-V <i>nkeys</i></tt></dt> - <dd>Generate <tt>nkeys</tt> encrypted server keys for the Mu-Varadharajan (MV) identity scheme. This option is mutually exclusive with the <tt>-I</tt> and <tt>-G</tt> options. Note: support for this option should be considered a work in progress.</dd> -</dl> -<h4 id="rand">Random Seed File</h4> -<p>All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize the internal pseudo-random number generator used by the OpenSSL library routines. If a site supports <tt>ssh</tt>, it is very likely that means to do this are already available. The entropy seed used by the OpenSSL library is contained in a file, usually called <tt>.rnd</tt>, which must be available when starting the <tt>ntp-keygen</tt> program or <tt>ntpd</tt> daemon.</p> -<p>The OpenSSL library looks for the file using the path specified by the <tt>RANDFILE</tt> environment variable in the user home directory, whether root or some other user. If the <tt>RANDFILE</tt> environment variable is not present, the library looks for the <tt>.rnd</tt> file in the user home directory. Since both the <tt>ntp-keygen</tt> program and <tt>ntpd</tt> daemon must run as root, the logical place to put this file is in <tt>/.rnd</tt> or <tt>/root/.rnd</tt>. If the file is not available or cannot be written, the program exits with a message to the system log.</p> -<h4 id="fmt">Cryptographic Data Files</h4> -<p>File and link names are in the form <tt>ntpkey_<i>key</i>_<i>name</i>.<i>fstamp</i></tt>, where <tt><i>key</i></tt> is the key or parameter type, <tt><i>name</i></tt> is the host or group name and <tt><i>fstamp</i></tt> is the filestamp (NTP seconds) when the file was created). By convention, <em><tt>key</tt></em> names in generated file names include both upper and lower case characters, while <em><tt>key</tt></em> names in generated link names include only lower case characters. The filestamp is not used in generated link names.</p> -<p>The <em><tt>key</tt></em> name is a string defining the cryptographic key type. Key types include public/private keys <tt>host</tt> and <tt>sign</tt>, certificate <tt>cert</tt> and several challenge/response key types. By convention, client files used for challenges have a <tt>par</tt> subtype, as in the IFF challenge <tt>IFFpar</tt>, while server files for responses have a <tt>key</tt> subtype, as in the GQ response <tt>GQkey</tt>.</p> -<p>All files begin with two nonencrypted lines. The first line contains the file name in the format <tt>ntpkey_<i>key</i>_<i>host</i>.<i>fstamp</i></tt>. The second line contains the datestamp in conventional Unix <tt>date</tt> format. Lines beginning with <tt>#</tt> are ignored.</p> -<p>The remainder of the file contains cryptographic data encoded first using ASN.1 rules, then encrypted using the DES-CBC algorithm with given password and finally written in PEM-encoded printable ASCII text preceded and followed by MIME content identifier lines.</p> -<p>The format of the symmetric keys file, ordinarily named <tt>ntp.keys,</tt> is somewhat different than the other files in the interest of backward compatibility. Ordinarily, the file is generated by this program, but it can be constructed and edited using an ordinary text editor.</p> -<div align="center"> - <p><img src="pic/sx5.gif" alt="gif"></p> - <p>Figure 1. Typical Symmetric Key File</p> -</div> -<p>Figure 1 shows a typical symmetric keys file used by the reference implementation. Each line of the file contains three fields, first an integer between 1 and 65534, inclusive, representing the key identifier used in the <tt>server</tt> and <tt>peer</tt> configuration commands. Next is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be <tt>MD5</tt> to designate the MD5 message digest algorithm. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by that library. However, if compatibility with FIPS 140-2 is required, the key type must be either <tt>SHA</tt> or <tt>SHA1</tt>. The key type can be changed using an ASCII text editor.</p> -<p> An MD5 key consists of a printable ASCII string less than or equal to 16 characters and terminated by whitespace or a # character. An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which is truncated as necessary.</p> -<p>Note that the keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs are checked against passwords requested by the programs and entered by hand, so it is generally appropriate to specify these keys in human readable ASCII format.</p> -<p>The <tt>ntp-keygen</tt> program generates a MD5 symmetric keys file <tt>ntpkey_MD5key_<i>hostname.filestamp</i></tt>. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. The NTP daemon loads the file <tt>ntp.keys</tt>, so <tt>ntp-keygen</tt> installs a soft link from this name to the generated file. Subsequently, similar soft links must be installed by manual or automated means on the other subnet hosts. While this file is not used with the Autokey Version 2 protocol, it is needed to authenticate some remote configuration commands used by the <a href="ntpq.html"><tt>ntpq</tt></a> and <a href="ntpdc.html"><tt>ntpdc</tt></a> utilities.</p> -<h4 id="bug">Bugs</h4> -<p>It can take quite a while to generate some cryptographic values, from one to several minutes with modern architectures such as UltraSPARC and up to tens of minutes to an hour with older architectures such as SPARC IPC.</p> -<hr> -<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script> -</body> + <head> + <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> + <meta name="generator" content="HTML Tidy, see www.w3.org"> + <title>ntp-keygen - generate public and private keys</title> + <link href="scripts/style.css" type="text/css" rel="stylesheet"> + </head> + <body> + <h3><tt>ntp-keygen</tt> - generate public and private keys</h3> + <p><img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a></p> + <p>Alice holds the key.</p> + <p>Last update: + <!-- #BeginDate format:En2m -->11-Jan-2018 11:55<!-- #EndDate --> + UTC</p> + <br clear="left"> + <h4>Related Links</h4> + <script type="text/javascript" language="javascript" src="scripts/manual.txt"></script> + <h4>Table of Contents</h4> + <ul> + <li class="inline"><a href="#synop">Synopsis</a></li> + <li class="inline"><a href="#descrip">Description</a></li> + <li class="inline"><a href="#run">Running the program</a></li> + <li class="inline"><a href="#cmd">Command Line Options</a></li> + <li class="inline"><a href="#rand">Random Seed File</a></li> + <li class="inline"><a href="#fmt">Cryptographic Data Files</a></li> + <li class="inline"><a href="#bug">Bugs</a></li> + </ul> + <hr> + <h4 id="synop">Synopsis</h4> + <p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -b <i>modulus</i> ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA + | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ] + [ -C <i>cipher</i> ] [-i <i>group</i> ] [ -l <em>days</em>] + [ -m <i>modulus</i> ] [ -p <i>passwd1</i> ] [ -q <i>passwd2</i> ] + [ -S [ RSA | DSA ] ] [ -s <i>host</i> ] [ -V <i>nkeys</i> ]</tt></p> + <h4 id="descrip">Description</h4> + <p>This program generates cryptographic data files used by the NTPv4 + authentication and identity schemes. It can generate message digest keys + used in symmetric key cryptography and, if the OpenSSL software library + has been installed, it can generate host keys, sign keys, certificates, + and identity keys and parameters used by the Autokey public key + cryptography. The message digest keys file is generated in a format + compatible with NTPv3. All other files are in PEM-encoded printable ASCII + format so they can be embedded as MIME attachments in mail to other + sites.</p> + <p>When used to generate message digest keys, the program produces a file + containing ten pseudo-random printable ASCII strings suitable for the MD5 + message digest algorithm included in the distribution. If the OpenSSL + library is installed, it produces an additional ten hex-encoded random bit + strings suitable for the SHA1, AES-128 CMAC, and other message digest + algorithms. The message digest keys file must be distributed and stored + using secure means beyond the scope of NTP itself. Besides the keys used + for ordinary NTP associations, additional keys can be defined as passwords + for the <tt><a href="ntpq.html">ntpq</a></tt> + and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.</p> + <p>The remaining generated files are compatible with other OpenSSL + applications and other Public Key Infrastructure (PKI) + resources. Certificates generated by this program are compatible with + extant industry practice, although some users might find the + interpretation of X509v3 extension fields somewhat liberal. However, + the identity keys are probably not compatible with anything other than + Autokey.</p> + <p>Some files used by this program are encrypted using a private + password. The <tt>-p</tt> option specifies the password for local + encrypted files and the <tt>-q</tt> option the password for encrypted + files sent to remote sites. If no password is specified, the host name + returned by the Unix <tt>gethostname()</tt> function, normally the DNS + name of the host, is used.</p> + <p>The <tt>pw</tt> option of the <tt>crypto</tt> configuration command + specifies the read password for previously encrypted local files. + This must match the local password used by this program. If not + specified, the host name is used. Thus, if files are generated by + this program without password, they can be read back by <tt>ntpd</tt> + without password, but only on the same host.</p> + <p>Normally, encrypted files for each host are generated by that host + and used only by that host, although exceptions exist as noted later + on this page. The symmetric keys file, normally + called <tt>ntp.keys</tt>, is usually installed in <tt>/etc</tt>. + Other files and links are usually installed + in <tt>/usr/local/etc</tt>, which is normally in a shared filesystem + in NFS-mounted networks and cannot be changed by shared clients. The + location of the keys directory can be changed by the <tt>keysdir</tt> + configuration command in such cases. Normally, this is + in <tt>/etc</tt>.</p> + <p>This program directs commentary and error messages to the standard + error stream <tt>stderr</tt> and remote files to the standard output + stream <tt>stdout</tt> where they can be piped to other applications + or redirected to files. The names used for generated files and links + all begin with the string <tt>ntpkey</tt> and include the file type, + generating host and filestamp, as described in + the <a href="#fmt">Cryptographic Data Files</a> section below</p> + <h4 id="run">Running the Program</h4> + <p>To test and gain experience with Autokey concepts, log in as root and + change to the keys directory, usually <tt>/usr/local/etc</tt>. When + run for the first time, or if all files with names + beginning <tt>ntpkey</tt> have been removed, use + the <tt>ntp-keygen</tt> command without arguments to generate a + default RSA host key and matching RSA-MD5 certificate with expiration + date one year hence. If run again without options, the program uses + the existing keys and parameters and generates only a new certificate + with new expiration date one year hence.</p> + <p>Run the command on as many hosts as necessary. Designate one of them + as the trusted host (TH) using <tt>ntp-keygen</tt> with + the <tt>-T</tt> option and configure it to synchronize from reliable + Internet servers. Then configure the other hosts to synchronize to + the TH directly or indirectly. A certificate trail is created when + Autokey asks the immediately ascendant host towards the TH to sign its + certificate, which is then provided to the immediately descendant host + on request. All group hosts should have acyclic certificate trails + ending on the TH.</p> + <p>The host key is used to encrypt the cookie when required and so must + be RSA type. By default, the host key is also the sign key used to + encrypt signatures. A different sign key can be assigned using + the <tt>-S</tt> option and this can be either RSA or DSA type. By + default, the signature message digest type is MD5, but any combination + of sign key type and message digest type supported by the OpenSSL + library can be specified using the <tt>-c</tt> option.</p> + <p>The rules say cryptographic media should be generated with proventic + filestamps, which means the host should already be synchronized before + this program is run. This of course creates a chicken-and-egg problem + when the host is started for the first time. Accordingly, the host + time should be set by some other means, such as + eyeball-and-wristwatch, at least so that the certificate lifetime is + within the current year. After that and when the host is synchronized + to a proventic source, the certificate should be re-generated.</p> + <p>Additional information on trusted groups and identity schemes is on + the <a href="autokey.html">Autokey Public-Key Authentication</a> + page.</p> + <h4 id="cmd">Command Line Options</h4> + <dl> + <dt><tt>-b <i>modulus</i></tt></dt> + <dd>Set the modulus for generating identity keys to <i>modulus</i> + bits. The modulus defaults to 256, but can be set from 256 (32 + octets) to 2048 (256 octets). Use the larger moduli with caution, + as this can consume considerable computing resources and increases + the size of authenticated packets.</dd> + <dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ]</tt></dt> + <dd>Select certificate digital signature and message digest scheme. + Note that RSA schemes must be used with an RSA sign key and DSA + schemes must be used with a DSA sign key. The default without this + option is <tt>RSA-MD5</tt>. If compatibility with FIPS 140-2 is + required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme + must be used.</dd> + <dt><tt>-C <i>cipher</i></tt></dt> + <dd>Select the OpenSSL cipher to use for password-protected keys. + The <tt>openssl -h</tt> command provided with OpenSSL displays + available ciphers. The default without this option + is <tt>des-ede3-cbc</tt>.</dd> + <dt><tt>-d</tt></dt> + <dd>Enable debugging. This option displays the cryptographic data + produced for eye-friendly billboards.</dd> + <dt><tt>-e</tt></dt> + <dd>Extract the IFF or GQ public parameters from the <tt>IFFkey</tt> + or <tt>GQkey</tt> keys file previously specified. Send the + unencrypted data to the standard output stream <tt>stdout</tt>.</dd> + <dt><tt>-G</tt></dt> + <dd>Generate a new encrypted GQ key file for the Guillou-Quisquater + (GQ) identity scheme. This option is mutually exclusive with + the <tt>-I</tt> and <tt>-V</tt> options.</dd> + <dt><tt>-H</tt></dt> + <dd>Generate a new encrypted RSA public/private host key file.</dd> + <dt><tt>-i <i>group</i></tt></dt> + <dd>Set the optional Autokey group name to <tt><i>group</i></tt>. This + is used in the identity scheme parameter file names. In that role, + the default is the host name if no group is provided. The group + name, if specified using <tt>-i</tt> or using <tt>-s</tt> following + an <tt>@</tt> character, is also used in certificate subject and + issuer names in the form <tt><i>host</i>@<i>group</i></tt> and + should match the group specified via <tt>crypto ident</tt> + or <tt>server ident</tt> in ntpd's configuration file.</dd> + <dt><tt>-I</tt></dt> + <dd>Generate a new encrypted IFF key file for the Schnorr (IFF) + identity scheme. This option is mutually exclusive with + the <tt>-G</tt> and <tt>-V</tt> options.</dd> + <dt><tt>-l <i>days</i></tt></dt> + <dd>Set the lifetime for certificates to <tt><i>days</i></tt>. The + default lifetime is one year (365 d).</dd> + <dt><tt>-m <i>modulus</i></tt></dt> + <dd>Set the modulus for generating files to <i>modulus</i> bits. The + modulus defaults to 512, but can be set from 256 (32 octets) to 2048 + (256 octets). Use the larger moduli with caution, as this can + consume considerable computing resources and increases the size of + authenticated packets.</dd> + <dt><tt>-M</tt></dt> + <dd>Generate a new keys file containing 10 MD5 keys and 10 SHA keys. + An MD5 key is a string of 20 random printable ASCII characters, + while a SHA key is a string of 40 random hex digits. The file can be + edited using a text editor to change the key type or key content. + This option is mutually exclusive with all other options.</dd> + <dt><tt>-P</tt></dt> + <dd>Generate a new private certificate used by the PC identity scheme. + By default, the program generates public certificates. Note: the PC + identity scheme is not recommended for new installations.</dd> + <dt><tt>-p <i>passwd</i></tt></dt> + <dd>Set the password for reading and writing encrypted files + to <tt><i>passwd</i></tt>. These include the host, sign and + identify key files. By default, the password is the string returned + by the Unix <tt>gethostname()</tt> routine.</dd> + <dt><tt>-q <i>passwd</i></tt></dt> + <dd>Set the password for writing encrypted IFF, GQ and MV identity + files redirected to <tt>stdout</tt> to <tt><i>passwd</i></tt>=. In + effect, these files are decrypted with the <tt>-p</tt> password, + then encrypted with the <tt>-q</tt> password. By default, the + password is the string returned by the Unix <tt>gethostname()</tt> + routine.</dd> + <dt><tt>-S [ RSA | DSA ]</tt></dt> + <dd>Generate a new encrypted public/private sign key file of the + specified type. By default, the sign key is the host key and has + the same type. If compatibly with FIPS 140-2 is required, the sign + key type must be <tt>DSA</tt>.</dd> + <dt><tt>-s <i>host</i>[@<i>group</i>]</tt></dt> + <dd>Specify the Autokey host name, where <tt><i>host</i></tt> is the + host name and <tt><i>group</i></tt> is the optional group name. The + host name, and if provided, group name are used + in <tt><i>host</i>@<i>group</i></tt> form as certificate subject and + issuer. Specifying <tt>-s @<i>group</i></tt> is allowed, and + results in leaving the host name unchanged, as + with <tt>-i <i>group</i></tt>. The group name, or if no group is + provided, the host name are also used in the file names of IFF, GQ, + and MV identity scheme parameter files. If <tt><i>host</i></tt> is + not specified, the default host name is the string returned by + the <tt>gethostname()</tt> routine.</dd> + <dt><tt>-T</tt></dt> + <dd>Generate a trusted certificate. By default, the program generates + nontrusted certificates.</dd> + <dt><tt>-V <i>nkeys</i></tt></dt> + <dd>Generate <tt>nkeys</tt> encrypted server keys for the + Mu-Varadharajan (MV) identity scheme. This option is mutually + exclusive with the <tt>-I</tt> and <tt>-G</tt> options. Note: + support for this option should be considered a work in + progress.</dd> + </dl> + <h4 id="rand">Random Seed File</h4> + <p>All cryptographically sound key generation schemes must have means to + randomize the entropy seed used to initialize the internal + pseudo-random number generator used by the OpenSSL library routines. + If a site supports <tt>ssh</tt>, it is very likely that means to do + this are already available. The entropy seed used by the OpenSSL + library is contained in a file, usually called <tt>.rnd</tt>, which + must be available when starting the <tt>ntp-keygen</tt> program + or <tt>ntpd</tt> daemon.</p> + <p>The OpenSSL library looks for the file using the path specified by + the <tt>RANDFILE</tt> environment variable in the user home directory, + whether root or some other user. If the <tt>RANDFILE</tt> environment + variable is not present, the library looks for the <tt>.rnd</tt> file + in the user home directory. Since both the <tt>ntp-keygen</tt> + program and <tt>ntpd</tt> daemon must run as root, the logical place + to put this file is in <tt>/.rnd</tt> or <tt>/root/.rnd</tt>. If the + file is not available or cannot be written, the program exits with a + message to the system log.</p> + <h4 id="fmt">Cryptographic Data Files</h4> + <p>File and link names are in the + form <tt>ntpkey_<i>key</i>_<i>name</i>.<i>fstamp</i></tt>, + where <tt><i>key</i></tt> is the key or parameter + type, <tt><i>name</i></tt> is the host or group name + and <tt><i>fstamp</i></tt> is the filestamp (NTP seconds) when the + file was created). By convention, <em><tt>key</tt></em> names in + generated file names include both upper and lower case characters, + while <em><tt>key</tt></em> names in generated link names include only + lower case characters. The filestamp is not used in generated link + names.</p> + <p>The <em><tt>key</tt></em> name is a string defining the cryptographic + key type. Key types include public/private keys <tt>host</tt> + and <tt>sign</tt>, certificate <tt>cert</tt> and several + challenge/response key types. By convention, client files used for + challenges have a <tt>par</tt> subtype, as in the IFF + challenge <tt>IFFpar</tt>, while server files for responses have + a <tt>key</tt> subtype, as in the GQ response <tt>GQkey</tt>.</p> + <p>All files begin with two nonencrypted lines. The first line contains + the file name in the + format <tt>ntpkey_<i>key</i>_<i>host</i>.<i>fstamp</i></tt>. The second + line contains the datestamp in conventional Unix <tt>date</tt> format. + Lines beginning with <tt>#</tt> are ignored.</p> + <p>The remainder of the file contains cryptographic data encoded first + using ASN.1 rules, then encrypted using the DES-CBC algorithm with + given password and finally written in PEM-encoded printable ASCII text + preceded and followed by MIME content identifier lines.</p> + <p>The format of the symmetric keys file, ordinarily + named <tt>ntp.keys,</tt> is somewhat different than the other files in + the interest of backward compatibility. Ordinarily, the file is + generated by this program, but it can be constructed and edited using + an ordinary text editor.</p> + <table> + <caption style="caption-side: bottom;"> + Figure 1. Typical Symmetric Key File + </caption> + <tr><td style="border: 1px solid black; border-spacing: 0;"> + <pre style="color:grey;"> + # ntpkey_MD5key_bk.ntp.org.3595864945 + # Thu Dec 12 19:22:25 2013 + + 1 MD5 L";Nw<`.I<f4U0)247"i # MD5 key + 2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key + 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key + 4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key + 5 MD5 B;fxlKgr/&4ZTbL6=RxA # MD5 key + 6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key + 7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key + 8 MD5 45:V,r4]l6y^JH6.Sh?F # MD5 key + 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key + 10 MD5 2late4Me # MD5 key + 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key + 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key + 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key + 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key + 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key + 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key + 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key + 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key + 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key + 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key + 21 MD5 sampo 10.1.2.3/24 + </pre></td></tr></table> + <p>Figure 1 shows a typical symmetric keys file used by the reference + implementation. Each line of the file contains three or four fields, + first an integer between 1 and 65534, inclusive, representing the key + identifier used in the <tt>server</tt> and <tt>peer</tt> configuration + commands. Second is the key type for the message digest algorithm, + which in the absence of the OpenSSL library must be <tt>MD5</tt> to + designate the MD5 message digest algorithm. If the OpenSSL library is + installed, the key type can be any message digest algorithm supported + by that library. However, if compatibility with FIPS 140-2 is + required, the key type must be either <tt>SHA</tt> or <tt>SHA1</tt>. + The key type can be changed using an ASCII text editor.</p> + <p>The third field is the key.</p> + <p>An MD5 key consists of a printable ASCII string less than or equal to + 16 characters and terminated by whitespace or a # character. An + OpenSSL key consists of a hex-encoded ASCII string of 40 characters, + which is truncated as necessary.</p> + <p>Note that the keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt> + programs are checked against passwords requested by the programs and + entered by hand, so it is generally appropriate to specify these keys + in human readable ASCII format.</p> + <p>The optional fourth field is one or more IPs, with each IP separated + with a comma. An IP may end with an optional <tt>/subnetbits</tt> + suffix, which limits the acceptance of the key identifier to packets + claiming to be from the described IP space.</p> + <p>The <tt>ntp-keygen</tt> program generates a MD5 symmetric keys + file <tt>ntpkey_MD5key_<i>hostname.filestamp</i></tt>. Since the file + contains private shared keys, it should be visible only to root and + distributed by secure means to other subnet hosts. The NTP daemon + loads the file <tt>ntp.keys</tt>, so <tt>ntp-keygen</tt> installs a + soft link from this name to the generated file. Subsequently, similar + soft links must be installed by manual or automated means on the other + subnet hosts. While this file is not used with the Autokey Version 2 + protocol, it is needed to authenticate some remote configuration + commands used by the <a href="ntpq.html"><tt>ntpq</tt></a> + and <a href="ntpdc.html"><tt>ntpdc</tt></a> utilities.</p> + <h4 id="bug">Bugs</h4> + <p>It can take quite a while to generate some cryptographic values.</p> + <hr> + <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script> + </body> </html> diff --git a/contrib/ntp/html/miscopt.html b/contrib/ntp/html/miscopt.html index 6e03963..247f532 100644 --- a/contrib/ntp/html/miscopt.html +++ b/contrib/ntp/html/miscopt.html @@ -3,7 +3,6 @@ <head> <meta http-equiv="content-type" content="text/html;charset=iso-8859-1"> <title>Miscellaneous Commands and Options</title> -<!-- Changed by: Harlan Stenn, 17-Nov-2015 --> <link href="scripts/style.css" type="text/css" rel="stylesheet"> </head> <body> @@ -11,7 +10,7 @@ <img src="pic/boom3.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a> <p>We have three, now looking for more.</p> <p>Last update: - <!-- #BeginDate format:En2m -->9-Nov-2016 12:26<!-- #EndDate --> + <!-- #BeginDate format:En2m -->14-Oct-2017 08:34<!-- #EndDate --> UTC</p> <br clear="left"> <h4>Related Links</h4> @@ -105,7 +104,10 @@ <dt id="nonvolatile"><tt>nonvolatile <i>threshold</i></tt></dt> <dd>Specify the <i><tt>threshold</tt></i> in seconds to write the frequency file, with default of 1e-7 (0.1 PPM). The frequency file is inspected each hour. If the difference between the current frequency and the last value written exceeds the threshold, the file is written and the <tt><em>threshold</em></tt> becomes the new threshold value. If the threshold is not exceeded, it is reduced by half. This is intended to reduce the frequency of unnecessary file writes for embedded systems with nonvolatile memory.</dd> <dt id="phone"><tt>phone <i>dial</i> ...</tt></dt> - <dd>This command is used in conjunction with the ACTS modem driver (type 18). The arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services. The Hayes command ATDT is normally prepended to the number, which can contain other modem control codes as well.</dd> + <dd>This command is used in conjunction with the ACTS modem driver (type 18) or the JJY driver (type 40 mode 100 - 180). + For the ACTS modem driver (type 18), the arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services. + For the JJY driver (type 40 mode 100 - 180), the argument is one telephone number used to dial the telephone JJY service. + The Hayes command ATDT is normally prepended to the number, which can contain other modem control codes as well.</dd> <dt id="reset"><tt>reset [allpeers] [auth] [ctl] [io] [mem] [sys] [timer]</tt></dt> <dd>Reset one or more groups of counters maintained by ntpd and exposed by <tt>ntpq</tt> and <tt>ntpdc</tt>.</dd> <dt id="rlimit"><tt>rlimit [memlock <i>Nmegabytes</i> | stacksize <i>N4kPages</i> | filenum <i>Nfiledescriptors</i>]</tt></dt> @@ -145,10 +147,12 @@ <dd>Specifies the stepout threshold in seconds. The default without this command is 300 s. Since this option also affects the training and startup intervals, it should not be set less than the default. Further details are on the <a href="clock.html">Clock State Machine</a> page.</dd> </dl> </dd> - <dt id="tos"><tt>tos [bcpollbstep <i>poll-gate</i> | beacon <i>beacon</i> | ceiling <i>ceiling</i> | cohort {0 | 1} | floor <i>floor</i> | maxclock <i>maxclock </i>| maxdist <i>maxdist</i> | minclock <i>minclock</i> | mindist <i>mindist </i>| minsane <i>minsane</i> | orphan <i>stratum</i> | orphanwait <em>delay</em>]</tt></dt> + <dt id="tos"><tt>tos [basedate <i>date<i> | bcpollbstep <i>poll-gate</i> | beacon <i>beacon</i> | ceiling <i>ceiling</i> | cohort {0 | 1} | floor <i>floor</i> | maxclock <i>maxclock </i>| maxdist <i>maxdist</i> | minclock <i>minclock</i> | mindist <i>mindist </i>| minsane <i>minsane</i> | orphan <i>stratum</i> | orphanwait <em>delay</em>]</tt></dt> <dd>This command alters certain system variables used by the the clock selection and clustering algorithms. The default values of these variables have been carefully optimized for a wide range of network speeds and reliability expectations. Very rarely is it necessary to change the default values; but, some folks can't resist twisting the knobs. It can be used to select the quality and quantity of peers used to synchronize the system clock and is most useful in dynamic server discovery schemes. The options are as follows:</dd> <dd> <dl> + <dt><tt>basedate <i>date</i></tt></dt> + <dd>Set NTP era anchor. <tt><i>date</i></tt> is either a date in ISO8601 format (<i>YYYY-MM-DD<i>) or an integer giving the days since 1900-01-01, the start of the NTP epoch. <tt>ntpd</tt> will clamp the system time to an era starting with the begin of this this day (00:00:00Z), covering a range of 2<sup>32</sup> seconds or roughly 136 years. The default is the begin of the UNIX epoch, 1970-01-01.</dd> <dt><tt>bcpollbstep <i>poll-gate</i></tt></dt> <dd>This option will cause the client to delay believing backward time steps from a broadcast server for <tt>bcpollbstep</tt> poll intervals. NTP Broadcast networks are expected to be trusted, and if the server's time gets stepped backwards then it's desireable that the clients follow this change as soon as possible. However, in spite of various protections built-in to the broadcast protocol, it is possible that an attacker could perform a carefully-constructed replay attack and cause clients to erroneously step their clocks backward. If the risk of a successful broadcast replay attack is greater than the risk of the clients being out of sync in the event that there is a backward step on the broadcast time servers, this option may be used to cause the clients to delay beliveving backward time steps until <i>poll-gate</i> consecutive polls have been received. The default is 0, which means the client will accept these steps upon receipt. Any value from 0 to 4 can be specified.</dd> <dt><tt>beacon <i>beacon</i></tt></dt> diff --git a/contrib/ntp/html/monopt.html b/contrib/ntp/html/monopt.html index 82dd8ba..e9b60e3 100644 --- a/contrib/ntp/html/monopt.html +++ b/contrib/ntp/html/monopt.html @@ -11,7 +11,7 @@ <img src="pic/pogo8.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html"></a> from <i>Pogo</i>, Walt Kelly</a> <p>Pig was hired to watch the logs.</p> <p>Last update: - <!-- #BeginDate format:En2m -->14-Feb-2016 09:38<!-- #EndDate --> + <!-- #BeginDate format:En2m -->7-Dec-2017 10:17<!-- #EndDate --> UTC</p> <br clear="left"> <h4>Related Links</h4> @@ -341,8 +341,10 @@ the <a href="decode.html">Event Messages and Status Words</a> page.</dd> <dt><tt>rawstats</tt></dt> <dd>Record timestamp statistics. Each NTP packet received appends one line to - the <tt>rawstats</tt> file set:</dd> +the <tt>rawstats</tt> file set. As of ntp-4.2.8p11, each NTP packet written appends one line to the <tt>rawstats</tt> file set, as well. The format of this line is:</dd> <dd><tt>56285 54575.160 128.4.1.1 192.168.1.5 3565350574.400229473 3565350574.442385200 3565350574.442436000 3565350575.154505763 0 4 4 1 8 -21 0.000000 0.000320 .PPS.</tt></dd> + <dd><tt>56285 54575.160 128.4.1.1 192.168.1.5 3565350574.400229473 3565350574.442385200 3565350574.442436000 3565350575.154505763 0 4 4 1 8 -21 0.000000 0.000320 .PPS. 4: 0000</tt></dd> + </tt></dd> <dd> <table width="100%" border="1" cellspacing="2" cellpadding="2"> <tr> @@ -431,9 +433,23 @@ <td>total dispersion to the primary reference clock</td> </tr> <tr> - <td><tt>PPS.</tt></td> - <td>IP or text</td> - <td>refid, association ID</td> + <td><tt>.PPS.</tt></td> + <td>REFID</td> + <td>system peer, association ID</td> + </tr> + <tr> + <td></td> + <td></td> + <td>If there is data beyond the base packet:</td> + </tr> + <tr> + <td><tt>4:</tt></td> + <td>Integer</td> + <td>Length, in bytes</td> + </tr> + <tr> + <td><tt>0000</tt></td> + <td>Hex data</td> </tr> </table> </dd> @@ -516,7 +532,7 @@ </table> </dd> <dt><tt>timingstats</tt></dt> - <dd>(Only available when the deamon is compiled with process time debugging + <dd>(Only available when the daemon is compiled with process time debugging support (--enable-debug-timing - costs performance). Record processing time statistics for various selected code paths.</dd> <dd><tt>53876 36.920 10.0.3.5 1 0.000014592 input processing delay</tt></dd> diff --git a/contrib/ntp/html/ntpq.html b/contrib/ntp/html/ntpq.html index 1aa8df3..4789c8b 100644 --- a/contrib/ntp/html/ntpq.html +++ b/contrib/ntp/html/ntpq.html @@ -11,7 +11,7 @@ <img src="pic/bustardfly.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a> <p>A typical NTP monitoring packet</p> <p>Last update: - <!-- #BeginDate format:En2m -->31-Jan-2014 06:54<!-- #EndDate --> + <!-- #BeginDate format:En2m -->24-Jan-2018 08:35<!-- #EndDate --> UTC</p> <br clear="left"> <h4>More Help</h4> @@ -71,7 +71,7 @@ <dt id="keyid"><tt>keyid <i>keyid</i></tt></dt> <dd>This command specifies the key number to be used to authenticate configuration requests. This must correspond to a key ID configured in <tt>ntp.conf</tt> for this purpose.</dd> <dt id="keytype"><tt>keytype</tt></dt> - <dd>Specify the digest algorithm to use for authenticated requests, with default <tt>MD5</tt>. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. The current selections are: <tt>MD2</tt>, <tt>MD4</tt>, <tt>MD5</tt>, <tt>MDC2</tt>, <tt>RIPEMD160</tt>, <tt>SHA</tt> and <tt>SHA1</tt>.</dd> + <dd>Specify the digest algorithm to use for authenticated requests, with default <tt>MD5</tt>. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. The current selections are: <tt>MD2</tt>, <tt>MD4</tt>, <tt>MD5</tt>, <tt>MDC2</tt>, <tt>RIPEMD160</tt>, <tt>SHA</tt>, <tt>SHA1</tt>, and <tt>AES128CMAC</tt>.</dd> <dt id="ntpversion"><tt>ntpversion 1 | 2 | 3 | 4</tt></dt> <dd>Sets the NTP version number which <tt>ntpq</tt> claims in packets. Defaults to 2, Note that mode-6 control messages (and modes, for that matter) didn't exist in NTP version 1.</dd> <dt id="passwd"><tt>passwd</tt></dt> @@ -232,9 +232,16 @@ </tr> <tr> <td><tt>t</tt></td> - <td><tt>u</tt>: unicast or manycast client, <tt>b</tt>: - broadcast or multicast client, <tt>l</tt>: local (reference clock), <tt>s</tt>: symmetric (peer), <tt>A</tt>: manycast server, <tt>B</tt>: - broadcast server, <tt>M</tt>: multicast server</td> + <td> + <tt>u</tt>: unicast or manycast client, + <tt>b</tt>: broadcast or multicast client, + <tt>p</tt>: pool source, + <tt>l</tt>: local (reference clock), + <tt>s</tt>: symmetric (peer), + <tt>A</tt>: manycast server, + <tt>B</tt>: broadcast server, + <tt>M</tt>: multicast server + </td> </tr> <tr> <td><tt>when</tt></td> diff --git a/contrib/ntp/include/Makefile.in b/contrib/ntp/include/Makefile.in index ebab2b5..15a1e86 100644 --- a/contrib/ntp/include/Makefile.in +++ b/contrib/ntp/include/Makefile.in @@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/include/isc/Makefile.in b/contrib/ntp/include/isc/Makefile.in index e3bee1e..192fe08 100644 --- a/contrib/ntp/include/isc/Makefile.in +++ b/contrib/ntp/include/isc/Makefile.in @@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/include/ntp.h b/contrib/ntp/include/ntp.h index 323135d..fb739c7 100644 --- a/contrib/ntp/include/ntp.h +++ b/contrib/ntp/include/ntp.h @@ -553,11 +553,13 @@ struct pkt { l_fp rec; /* receive time stamp */ l_fp xmt; /* transmit time stamp */ -#define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */ -#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */ -#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */ -#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */ +#define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */ +#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */ +#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */ +#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */ #define MAX_MAC_LEN (6 * sizeof(u_int32)) /* SHA */ +#define KEY_MAC_LEN sizeof(u_int32) /* key ID in MAC */ +#define MAX_MDG_LEN (MAX_MAC_LEN-KEY_MAC_LEN) /* max. digest len */ /* * The length of the packet less MAC must be a multiple of 64 @@ -822,11 +824,12 @@ typedef struct res_addr6_tag { typedef struct restrict_u_tag restrict_u; struct restrict_u_tag { - restrict_u * link; /* link to next entry */ - u_int32 count; /* number of packets matched */ - u_short flags; /* accesslist flags */ - u_short mflags; /* match flags */ - u_long expire; /* valid until time */ + restrict_u * link; /* link to next entry */ + u_int32 count; /* number of packets matched */ + u_short rflags; /* restrict (accesslist) flags */ + u_short mflags; /* match flags */ + short ippeerlimit; /* IP peer limit */ + u_long expire; /* valid until time */ union { /* variant starting here */ res_addr4 v4; res_addr6 v6; @@ -837,28 +840,40 @@ struct restrict_u_tag { #define V6_SIZEOF_RESTRICT_U (offsetof(restrict_u, u) \ + sizeof(res_addr6)) +typedef struct r4addr_tag r4addr; +struct r4addr_tag { + u_short rflags; /* match flags */ + short ippeerlimit; /* IP peer limit */ +}; + +char *build_iflags(u_int32 flags); +char *build_mflags(u_short mflags); +char *build_rflags(u_short rflags); + /* - * Access flags + * Restrict (Access) flags (rflags) */ #define RES_IGNORE 0x0001 /* ignore packet */ #define RES_DONTSERVE 0x0002 /* access denied */ #define RES_DONTTRUST 0x0004 /* authentication required */ #define RES_VERSION 0x0008 /* version mismatch */ #define RES_NOPEER 0x0010 /* new association denied */ -#define RES_LIMITED 0x0020 /* packet rate exceeded */ +#define RES_NOEPEER 0x0020 /* new ephemeral association denied */ +#define RES_LIMITED 0x0040 /* packet rate exceeded */ #define RES_FLAGS (RES_IGNORE | RES_DONTSERVE |\ RES_DONTTRUST | RES_VERSION |\ - RES_NOPEER | RES_LIMITED) + RES_NOPEER | RES_NOEPEER | RES_LIMITED) -#define RES_NOQUERY 0x0040 /* mode 6/7 packet denied */ -#define RES_NOMODIFY 0x0080 /* mode 6/7 modify denied */ -#define RES_NOTRAP 0x0100 /* mode 6/7 set trap denied */ -#define RES_LPTRAP 0x0200 /* mode 6/7 low priority trap */ +#define RES_NOQUERY 0x0080 /* mode 6/7 packet denied */ +#define RES_NOMODIFY 0x0100 /* mode 6/7 modify denied */ +#define RES_NOTRAP 0x0200 /* mode 6/7 set trap denied */ +#define RES_LPTRAP 0x0400 /* mode 6/7 low priority trap */ -#define RES_KOD 0x0400 /* send kiss of death packet */ -#define RES_MSSNTP 0x0800 /* enable MS-SNTP authentication */ -#define RES_FLAKE 0x1000 /* flakeway - drop 10% */ -#define RES_NOMRULIST 0x2000 /* mode 6 mrulist denied */ +#define RES_KOD 0x0800 /* send kiss of death packet */ +#define RES_MSSNTP 0x1000 /* enable MS-SNTP authentication */ +#define RES_FLAKE 0x2000 /* flakeway - drop 10% */ +#define RES_NOMRULIST 0x4000 /* mode 6 mrulist denied */ +#define RES_UNUSED 0x8000 /* Unused flag bits */ #define RES_ALLFLAGS (RES_FLAGS | RES_NOQUERY | \ RES_NOMODIFY | RES_NOTRAP | \ @@ -867,7 +882,7 @@ struct restrict_u_tag { RES_NOMRULIST) /* - * Match flags + * Match flags (mflags) */ #define RESM_INTERFACE 0x1000 /* this is an interface */ #define RESM_NTPONLY 0x2000 /* match source port 123 */ @@ -876,10 +891,13 @@ struct restrict_u_tag { /* * Restriction configuration ops */ -#define RESTRICT_FLAGS 1 /* add flags to restrict entry */ -#define RESTRICT_UNFLAG 2 /* remove flags from restrict entry */ -#define RESTRICT_REMOVE 3 /* remove a restrict entry */ -#define RESTRICT_REMOVEIF 4 /* remove an interface restrict entry */ +typedef enum +restrict_ops { + RESTRICT_FLAGS = 1, /* add rflags to restrict entry */ + RESTRICT_UNFLAG, /* remove rflags from restrict entry */ + RESTRICT_REMOVE, /* remove a restrict entry */ + RESTRICT_REMOVEIF, /* remove an interface restrict entry */ +} restrict_op; /* * Endpoint structure for the select algorithm diff --git a/contrib/ntp/include/ntp_calendar.h b/contrib/ntp/include/ntp_calendar.h index 6f36c07..41c5879 100644 --- a/contrib/ntp/include/ntp_calendar.h +++ b/contrib/ntp/include/ntp_calendar.h @@ -382,6 +382,29 @@ ntpcal_weekday_le(int32_t /* rdn */, int32_t /* dow */); extern int32_t ntpcal_weekday_lt(int32_t /* rdn */, int32_t /* dow */); + +/* + * handling of base date spec + */ +extern int32_t +basedate_eval_buildstamp(void); + +extern int32_t +basedate_eval_string(const char *str); + +extern int32_t +basedate_set_day(int32_t dayno); + +extern uint32_t +basedate_get_day(void); + +extern time_t +basedate_get_eracenter(void); + +extern time_t +basedate_get_erabase(void); + + /* * Additional support stuff for Ed Rheingold's calendrical calculations */ diff --git a/contrib/ntp/include/ntp_config.h b/contrib/ntp/include/ntp_config.h index bd8f595..dac933a 100644 --- a/contrib/ntp/include/ntp_config.h +++ b/contrib/ntp/include/ntp_config.h @@ -54,7 +54,15 @@ typedef struct int_range_tag { int last; } int_range; -/* Structure for storing an attribute-value pair */ +/* generic list node */ +typedef struct any_node_tag any_node; +struct any_node_tag { + any_node * link; +}; + +typedef DECL_FIFO_ANCHOR(any_node) any_node_fifo; + +/* Structure for storing an attribute-value pair */ typedef struct attr_val_tag attr_val; struct attr_val_tag { attr_val * link; @@ -102,8 +110,9 @@ struct restrict_node_tag { restrict_node * link; address_node * addr; address_node * mask; - int_fifo * flags; + int_fifo * flag_tok_fifo; int line_no; + short ippeerlimit; }; typedef DECL_FIFO_ANCHOR(restrict_node) restrict_fifo; @@ -267,8 +276,12 @@ typedef struct settrap_parms_tag { const char * token_name(int token); /* generic fifo routines for structs linked by 1st member */ -void* append_gen_fifo(void *fifo, void *entry); +typedef void (*fifo_deleter)(void*); +void * destroy_gen_fifo(void *fifo, fifo_deleter func); +void * append_gen_fifo(void *fifo, void *entry); void * concat_gen_fifos(void *first, void *second); +#define DESTROY_G_FIFO(pf, func) \ + ((pf) = destroy_gen_fifo((pf), (fifo_deleter)(func))) #define APPEND_G_FIFO(pf, pe) \ ((pf) = append_gen_fifo((pf), (pe))) #define CONCAT_G_FIFOS(first, second) \ @@ -288,11 +301,13 @@ attr_val *create_attr_ival(int attr, int value); attr_val *create_attr_uval(int attr, u_int value); attr_val *create_attr_rangeval(int attr, int first, int last); attr_val *create_attr_sval(int attr, const char *s); +void destroy_attr_val(attr_val *node); filegen_node *create_filegen_node(int filegen_token, attr_val_fifo *options); string_node *create_string_node(char *str); restrict_node *create_restrict_node(address_node *addr, address_node *mask, + short ippeerlimit, int_fifo *flags, int line_no); int_node *create_int_node(int val); addr_opts_node *create_addr_opts_node(address_node *addr, diff --git a/contrib/ntp/include/ntp_fp.h b/contrib/ntp/include/ntp_fp.h index b5d2820..2782ebf 100644 --- a/contrib/ntp/include/ntp_fp.h +++ b/contrib/ntp/include/ntp_fp.h @@ -364,6 +364,7 @@ extern void init_systime (void); extern void get_systime (l_fp *); extern int step_systime (double); extern int adj_systime (double); +extern int clamp_systime (void); extern struct tm * ntp2unix_tm (u_int32 ntp, int local); diff --git a/contrib/ntp/include/ntp_keyacc.h b/contrib/ntp/include/ntp_keyacc.h index 7e66504..f497b62 100644 --- a/contrib/ntp/include/ntp_keyacc.h +++ b/contrib/ntp/include/ntp_keyacc.h @@ -8,12 +8,18 @@ typedef struct keyaccess KeyAccT; struct keyaccess { KeyAccT * next; sockaddr_u addr; + unsigned int subnetbits; }; -extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr); +extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr, + unsigned int subnetbits); extern KeyAccT* keyacc_pop_free(KeyAccT *head); extern KeyAccT* keyacc_all_free(KeyAccT *head); extern int keyacc_contains(const KeyAccT *head, const sockaddr_u *addr, int res_on_empty_list); +/* public for testability: */ +extern int keyacc_amatch(const sockaddr_u *,const sockaddr_u *, + unsigned int mbits); + #endif /* NTP_KEYACC_H */ diff --git a/contrib/ntp/include/ntp_request.h b/contrib/ntp/include/ntp_request.h index c750b77..d05a67f 100644 --- a/contrib/ntp/include/ntp_request.h +++ b/contrib/ntp/include/ntp_request.h @@ -141,7 +141,7 @@ struct req_pkt { req_data_u u; /* data area */ l_fp tstamp; /* time stamp, for authentication */ keyid_t keyid; /* (optional) encryption key */ - char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */ + char mac[MAX_MDG_LEN]; /* (optional) auth code */ }; /* @@ -151,7 +151,7 @@ struct req_pkt { struct req_pkt_tail { l_fp tstamp; /* time stamp, for authentication */ keyid_t keyid; /* (optional) encryption key */ - char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */ + char mac[MAX_MDG_LEN]; /* (optional) auth code */ }; /* MODE_PRIVATE request packet header length before optional items. */ @@ -513,6 +513,8 @@ struct info_sys_stats { u_int32 badauth; /* bad authentication */ u_int32 received; /* packets received */ u_int32 limitrejected; /* rate exceeded */ + u_int32 lamport; /* Lamport violations */ + u_int32 tsrounding; /* Timestamp rounding errors */ }; @@ -652,7 +654,7 @@ struct info_restrict { u_int32 addr; /* match address */ u_int32 mask; /* match mask */ u_int32 count; /* number of packets matched */ - u_short flags; /* restrict flags */ + u_short rflags; /* restrict flags */ u_short mflags; /* match flags */ u_int v6_flag; /* is this v6 or not */ u_int unused1; /* unused, padding for addr6 */ @@ -667,6 +669,7 @@ struct info_restrict { struct conf_restrict { u_int32 addr; /* match address */ u_int32 mask; /* match mask */ + short ippeerlimit; /* ip peer limit */ u_short flags; /* restrict flags */ u_short mflags; /* match flags */ u_int v6_flag; /* is this v6 or not */ diff --git a/contrib/ntp/include/ntp_stdlib.h b/contrib/ntp/include/ntp_stdlib.h index a4e8574..889c3b2 100644 --- a/contrib/ntp/include/ntp_stdlib.h +++ b/contrib/ntp/include/ntp_stdlib.h @@ -97,8 +97,8 @@ extern void auth_prealloc_symkeys(int); extern int ymd2yd (int, int, int); /* a_md5encrypt.c */ -extern int MD5authdecrypt (int, const u_char *, u_int32 *, size_t, size_t); -extern size_t MD5authencrypt (int, const u_char *, u_int32 *, size_t); +extern int MD5authdecrypt (int, const u_char *, size_t, u_int32 *, size_t, size_t); +extern size_t MD5authencrypt (int, const u_char *, size_t, u_int32 *, size_t); extern void MD5auth_setkey (keyid_t, int, const u_char *, size_t, KeyAccT *c); extern u_int32 addr2refid (sockaddr_u *); diff --git a/contrib/ntp/include/ntpd.h b/contrib/ntp/include/ntpd.h index f944235..6a5128c 100644 --- a/contrib/ntp/include/ntpd.h +++ b/contrib/ntp/include/ntpd.h @@ -168,19 +168,19 @@ extern void mon_clearinterface(endpt *interface); /* ntp_peer.c */ extern void init_peer (void); extern struct peer *findexistingpeer(sockaddr_u *, const char *, - struct peer *, int, u_char); + struct peer *, int, u_char, int *); extern struct peer *findpeer (struct recvbuf *, int, int *); extern struct peer *findpeerbyassoc(associd_t); extern void set_peerdstadr (struct peer *, endpt *); -extern struct peer *newpeer (sockaddr_u *, const char *, - endpt *, u_char, u_char, - u_char, u_char, u_int, u_char, u_int32, +extern struct peer *newpeer (sockaddr_u *, const char *, endpt *, + int, u_char, u_char, u_char, u_char, + u_int, u_char, u_int32, keyid_t, const char *); extern void peer_all_reset (void); extern void peer_clr_stats (void); -extern struct peer *peer_config(sockaddr_u *, const char *, - endpt *, u_char, u_char, - u_char, u_char, u_int, u_int32, +extern struct peer *peer_config(sockaddr_u *, const char *, endpt *, + int, u_char, u_char, u_char, u_char, + u_int, u_int32, keyid_t, const char *); extern void peer_reset (struct peer *); extern void refresh_all_peerinterfaces(void); @@ -257,10 +257,11 @@ extern void reset_auth_stats(void); /* ntp_restrict.c */ extern void init_restrict (void); -extern u_short restrictions (sockaddr_u *); -extern void hack_restrict (int, sockaddr_u *, sockaddr_u *, - u_short, u_short, u_long); +extern void restrictions (sockaddr_u *, r4addr *); +extern void hack_restrict (restrict_op, sockaddr_u *, sockaddr_u *, + short, u_short, u_short, u_long); extern void restrict_source (sockaddr_u *, int, u_long); +extern void dump_restricts (void); /* ntp_timer.c */ extern void init_timer (void); @@ -288,7 +289,7 @@ extern void record_loop_stats (double, double, double, double, int); extern void record_clock_stats (sockaddr_u *, const char *); extern int mprintf_clock_stats(sockaddr_u *, const char *, ...) NTP_PRINTF(2, 3); -extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int ppoll, int precision, double root_delay, double root_dispersion, u_int32 refid); +extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int ppoll, int precision, double root_delay, double root_dispersion, u_int32 refid, int len, u_char *extra); extern void check_leap_file (int is_daily_check, u_int32 ntptime, const time_t * systime); extern void record_crypto_stats (sockaddr_u *, const char *); #ifdef DEBUG @@ -500,18 +501,19 @@ extern u_int sys_ttlmax; /* max ttl mapping vector index */ /* * Statistics counters */ -extern u_long sys_stattime; /* time since reset */ -extern u_long sys_received; /* packets received */ -extern u_long sys_processed; /* packets for this host */ -extern u_long sys_restricted; /* restricted packets */ -extern u_long sys_newversion; /* current version */ -extern u_long sys_oldversion; /* old version */ -extern u_long sys_restricted; /* access denied */ -extern u_long sys_badlength; /* bad length or format */ extern u_long sys_badauth; /* bad authentication */ +extern u_long sys_badlength; /* bad length or format */ extern u_long sys_declined; /* declined */ -extern u_long sys_limitrejected; /* rate exceeded */ extern u_long sys_kodsent; /* KoD sent */ +extern u_long sys_lamport; /* Lamport violation */ +extern u_long sys_limitrejected; /* rate exceeded */ +extern u_long sys_newversion; /* current version */ +extern u_long sys_oldversion; /* old version */ +extern u_long sys_processed; /* packets for this host */ +extern u_long sys_received; /* packets received */ +extern u_long sys_restricted; /* access denied */ +extern u_long sys_stattime; /* time since reset */ +extern u_long sys_tsrounding; /* timestamp rounding errors */ /* ntp_request.c */ extern keyid_t info_auth_keyid; /* keyid used to authenticate requests */ diff --git a/contrib/ntp/include/recvbuff.h b/contrib/ntp/include/recvbuff.h index fa2d9cc..4259715 100644 --- a/contrib/ntp/include/recvbuff.h +++ b/contrib/ntp/include/recvbuff.h @@ -39,9 +39,10 @@ extern HANDLE get_recv_buff_event(void); /* * the maximum length NTP packet contains the NTP header, one Autokey * request, one Autokey response and the MAC. Assuming certificates don't - * get too big, the maximum packet length is set arbitrarily at 1000. + * get too big, the maximum packet length is set arbitrarily at 1200. + * (was 1000, but that bumps on 2048 RSA keys) */ -#define RX_BUFF_SIZE 1000 /* hail Mary */ +#define RX_BUFF_SIZE 1200 /* hail Mary */ typedef struct recvbuf recvbuf_t; diff --git a/contrib/ntp/include/ssl_applink.c b/contrib/ntp/include/ssl_applink.c index e57cabd..693380f 100644 --- a/contrib/ntp/include/ssl_applink.c +++ b/contrib/ntp/include/ssl_applink.c @@ -27,10 +27,10 @@ #endif #ifdef WRAP_DBG_MALLOC -void *wrap_dbg_malloc(size_t s, const char *f, int l); -void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l); -void wrap_dbg_free(void *p); -void wrap_dbg_free_ex(void *p, const char *f, int l); +static void *wrap_dbg_malloc(size_t s, const char *f, int l); +static void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l); +static void wrap_dbg_free(void *p); +static void wrap_dbg_free_ex(void *p, const char *f, int l); #endif @@ -42,17 +42,21 @@ void ssl_applink(void) { #if OPENSSL_VERSION_NUMBER >= 0x10100000L + # ifdef WRAP_DBG_MALLOC CRYPTO_set_mem_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free_ex); # else OPENSSL_malloc_init(); # endif -#else + +# else + # ifdef WRAP_DBG_MALLOC CRYPTO_set_mem_ex_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free); # else CRYPTO_malloc_init(); # endif + #endif /* OpenSSL version cascade */ } #else /* !OPENSSL || !SYS_WINNT */ @@ -66,7 +70,7 @@ ssl_applink(void) * for DEBUG malloc/realloc/free (lacking block type). * Simple wrappers convert. */ -void *wrap_dbg_malloc(size_t s, const char *f, int l) +static void *wrap_dbg_malloc(size_t s, const char *f, int l) { void *ret; @@ -74,7 +78,7 @@ void *wrap_dbg_malloc(size_t s, const char *f, int l) return ret; } -void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l) +static void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l) { void *ret; @@ -82,12 +86,12 @@ void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l) return ret; } -void wrap_dbg_free(void *p) +static void wrap_dbg_free(void *p) { _free_dbg(p, _NORMAL_BLOCK); } -void wrap_dbg_free_ex(void *p, const char *f, int l) +static void wrap_dbg_free_ex(void *p, const char *f, int l) { (void)f; (void)l; diff --git a/contrib/ntp/kernel/Makefile.in b/contrib/ntp/kernel/Makefile.in index cec9bc5..3d1fbe9 100644 --- a/contrib/ntp/kernel/Makefile.in +++ b/contrib/ntp/kernel/Makefile.in @@ -99,6 +99,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/kernel/sys/Makefile.in b/contrib/ntp/kernel/sys/Makefile.in index 76b605c..de18d15 100644 --- a/contrib/ntp/kernel/sys/Makefile.in +++ b/contrib/ntp/kernel/sys/Makefile.in @@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/libntp/Makefile.in b/contrib/ntp/libntp/Makefile.in index 25718b9..2bef787 100644 --- a/contrib/ntp/libntp/Makefile.in +++ b/contrib/ntp/libntp/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/libntp/a_md5encrypt.c b/contrib/ntp/libntp/a_md5encrypt.c index 7394d0d..7dc7e7e 100644 --- a/contrib/ntp/libntp/a_md5encrypt.c +++ b/contrib/ntp/libntp/a_md5encrypt.c @@ -11,6 +11,177 @@ #include "ntp.h" #include "ntp_md5.h" /* provides OpenSSL digest API */ #include "isc/string.h" + +#ifdef OPENSSL +# include "openssl/cmac.h" +# define CMAC "AES128CMAC" +# define AES_128_KEY_SIZE 16 +#endif + +typedef struct { + const void * buf; + size_t len; +} robuffT; + +typedef struct { + void * buf; + size_t len; +} rwbuffT; + +#ifdef OPENSSL +static size_t +cmac_ctx_size( + CMAC_CTX * ctx) +{ + size_t mlen = 0; + + if (ctx) { + EVP_CIPHER_CTX * cctx; + if (NULL != (cctx = CMAC_CTX_get0_cipher_ctx (ctx))) + mlen = EVP_CIPHER_CTX_block_size(cctx); + } + return mlen; +} +#endif /*OPENSSL*/ + +static size_t +make_mac( + const rwbuffT * digest, + int ktype, + const robuffT * key, + const robuffT * msg) +{ + /* + * Compute digest of key concatenated with packet. Note: the + * key type and digest type have been verified when the key + * was created. + */ + size_t retlen = 0; + +#ifdef OPENSSL + + INIT_SSL(); + + /* Check if CMAC key type specific code required */ + if (ktype == NID_cmac) { + CMAC_CTX * ctx = NULL; + void const * keyptr = key->buf; + u_char keybuf[AES_128_KEY_SIZE]; + + /* adjust key size (zero padded buffer) if necessary */ + if (AES_128_KEY_SIZE > key->len) { + memcpy(keybuf, keyptr, key->len); + memset((keybuf + key->len), 0, + (AES_128_KEY_SIZE - key->len)); + keyptr = keybuf; + } + + if (NULL == (ctx = CMAC_CTX_new())) { + msyslog(LOG_ERR, "MAC encrypt: CMAC %s CTX new failed.", CMAC); + goto cmac_fail; + } + if (!CMAC_Init(ctx, keyptr, AES_128_KEY_SIZE, EVP_aes_128_cbc(), NULL)) { + msyslog(LOG_ERR, "MAC encrypt: CMAC %s Init failed.", CMAC); + goto cmac_fail; + } + if (cmac_ctx_size(ctx) > digest->len) { + msyslog(LOG_ERR, "MAC encrypt: CMAC %s buf too small.", CMAC); + goto cmac_fail; + } + if (!CMAC_Update(ctx, msg->buf, msg->len)) { + msyslog(LOG_ERR, "MAC encrypt: CMAC %s Update failed.", CMAC); + goto cmac_fail; + } + if (!CMAC_Final(ctx, digest->buf, &retlen)) { + msyslog(LOG_ERR, "MAC encrypt: CMAC %s Final failed.", CMAC); + retlen = 0; + } + cmac_fail: + if (ctx) + CMAC_CTX_cleanup(ctx); + } + else { /* generic MAC handling */ + EVP_MD_CTX * ctx = EVP_MD_CTX_new(); + u_int uilen = 0; + + if ( ! ctx) { + msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest CTX new failed.", + OBJ_nid2sn(ktype)); + goto mac_fail; + } + + #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + /* make sure MD5 is allowd */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + #endif + /* [Bug 3457] DON'T use plain EVP_DigestInit! It would + * kill the flags! */ + if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(ktype), NULL)) { + msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Init failed.", + OBJ_nid2sn(ktype)); + goto mac_fail; + } + if ((size_t)EVP_MD_CTX_size(ctx) > digest->len) { + msyslog(LOG_ERR, "MAC encrypt: MAC %s buf too small.", + OBJ_nid2sn(ktype)); + goto mac_fail; + } + if (!EVP_DigestUpdate(ctx, key->buf, (u_int)key->len)) { + msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Update key failed.", + OBJ_nid2sn(ktype)); + goto mac_fail; + } + if (!EVP_DigestUpdate(ctx, msg->buf, (u_int)msg->len)) { + msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Update data failed.", + OBJ_nid2sn(ktype)); + goto mac_fail; + } + if (!EVP_DigestFinal(ctx, digest->buf, &uilen)) { + msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Final failed.", + OBJ_nid2sn(ktype)); + uilen = 0; + } + mac_fail: + retlen = (size_t)uilen; + + if (ctx) + EVP_MD_CTX_free(ctx); + } + +#else /* !OPENSSL follows */ + + if (ktype == NID_md5) + { + EVP_MD_CTX * ctx = EVP_MD_CTX_new(); + uint uilen = 0; + + if (digest->len < 16) { + msyslog(LOG_ERR, "%s", "MAC encrypt: MAC md5 buf too small."); + } + else if ( ! ctx) { + msyslog(LOG_ERR, "%s", "MAC encrypt: MAC md5 Digest CTX new failed."); + } + else { + EVP_DigestInit(ctx, EVP_get_digestbynid(ktype)); + EVP_DigestUpdate(ctx, key->buf, key->len); + EVP_DigestUpdate(ctx, msg->buf, msg->len); + EVP_DigestFinal(ctx, digest->buf, &uilen); + } + if (ctx) + EVP_MD_CTX_free(ctx); + retlen = (size_t)uilen; + } + else + { + msyslog(LOG_ERR, "MAC encrypt: invalid key type %d" , ktype); + } + +#endif /* !OPENSSL */ + + return retlen; +} + + /* * MD5authencrypt - generate message digest * @@ -20,36 +191,23 @@ size_t MD5authencrypt( int type, /* hash algorithm */ const u_char * key, /* key pointer */ + size_t klen, /* key length */ u_int32 * pkt, /* packet pointer */ size_t length /* packet length */ ) { u_char digest[EVP_MAX_MD_SIZE]; - u_int len; - EVP_MD_CTX *ctx; + rwbuffT digb = { digest, sizeof(digest) }; + robuffT keyb = { key, klen }; + robuffT msgb = { pkt, length }; + size_t dlen = 0; - /* - * Compute digest of key concatenated with packet. Note: the - * key type and digest type have been verified when the key - * was creaded. - */ - INIT_SSL(); - ctx = EVP_MD_CTX_new(); - if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) { - msyslog(LOG_ERR, - "MAC encrypt: digest init failed"); - EVP_MD_CTX_free(ctx); - return (0); - } - EVP_DigestUpdate(ctx, key, cache_secretsize); - EVP_DigestUpdate(ctx, (u_char *)pkt, length); - EVP_DigestFinal(ctx, digest, &len); - EVP_MD_CTX_free(ctx); + dlen = make_mac(&digb, type, &keyb, &msgb); /* If the MAC is longer than the MAX then truncate it. */ - if (len > MAX_MAC_LEN - 4) - len = MAX_MAC_LEN - 4; - memmove((u_char *)pkt + length + 4, digest, len); - return (len + 4); + if (dlen > MAX_MDG_LEN) + dlen = MAX_MDG_LEN; + memcpy((u_char *)pkt + length + KEY_MAC_LEN, digest, dlen); + return (dlen + KEY_MAC_LEN); } @@ -62,41 +220,30 @@ int MD5authdecrypt( int type, /* hash algorithm */ const u_char * key, /* key pointer */ + size_t klen, /* key length */ u_int32 * pkt, /* packet pointer */ size_t length, /* packet length */ size_t size /* MAC size */ ) { u_char digest[EVP_MAX_MD_SIZE]; - u_int len; - EVP_MD_CTX *ctx; + rwbuffT digb = { digest, sizeof(digest) }; + robuffT keyb = { key, klen }; + robuffT msgb = { pkt, length }; + size_t dlen = 0; - /* - * Compute digest of key concatenated with packet. Note: the - * key type and digest type have been verified when the key - * was created. - */ - INIT_SSL(); - ctx = EVP_MD_CTX_new(); - if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) { - msyslog(LOG_ERR, - "MAC decrypt: digest init failed"); - EVP_MD_CTX_free(ctx); - return (0); - } - EVP_DigestUpdate(ctx, key, cache_secretsize); - EVP_DigestUpdate(ctx, (u_char *)pkt, length); - EVP_DigestFinal(ctx, digest, &len); - EVP_MD_CTX_free(ctx); + dlen = make_mac(&digb, type, &keyb, &msgb); + /* If the MAC is longer than the MAX then truncate it. */ - if (len > MAX_MAC_LEN - 4) - len = MAX_MAC_LEN - 4; - if (size != (size_t)len + 4) { + if (dlen > MAX_MDG_LEN) + dlen = MAX_MDG_LEN; + if (size != (size_t)dlen + KEY_MAC_LEN) { msyslog(LOG_ERR, "MAC decrypt: MAC length error"); return (0); } - return !isc_tsmemcmp(digest, (u_char *)pkt + length + 4, len); + return !isc_tsmemcmp(digest, + (u_char *)pkt + length + KEY_MAC_LEN, dlen); } /* @@ -108,7 +255,7 @@ MD5authdecrypt( u_int32 addr2refid(sockaddr_u *addr) { - u_char digest[20]; + u_char digest[EVP_MAX_MD_SIZE]; u_int32 addr_refid; EVP_MD_CTX *ctx; u_int len; @@ -119,11 +266,12 @@ addr2refid(sockaddr_u *addr) INIT_SSL(); ctx = EVP_MD_CTX_new(); - EVP_MD_CTX_init(ctx); -#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW +# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW /* MD5 is not used as a crypto hash here. */ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); -#endif +# endif + /* [Bug 3457] DON'T use plain EVP_DigestInit! It would kill the + * flags! */ if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) { msyslog(LOG_ERR, "MD5 init failed"); diff --git a/contrib/ntp/libntp/adjtime.c b/contrib/ntp/libntp/adjtime.c index a8e6580..b536cc5 100644 --- a/contrib/ntp/libntp/adjtime.c +++ b/contrib/ntp/libntp/adjtime.c @@ -314,7 +314,7 @@ adjtime (struct timeval *delta, struct timeval *olddelta) /* * Get the current clock period (nanoseconds) */ - if (ClockPeriod (CLOCK_REALTIME, 0, &period, 0) < 0) + if (ClockPeriod (CLOCK_REALTIME, 0, &period, 0) == -1) return -1; /* @@ -354,7 +354,7 @@ adjtime (struct timeval *delta, struct timeval *olddelta) adj.tick_count = 0; } - if (ClockAdjust (CLOCK_REALTIME, &adj, &oldadj) < 0) + if (ClockAdjust (CLOCK_REALTIME, &adj, &oldadj) == -1) return -1; /* diff --git a/contrib/ntp/libntp/authkeys.c b/contrib/ntp/libntp/authkeys.c index b2ff410..7c1cbb0 100644 --- a/contrib/ntp/libntp/authkeys.c +++ b/contrib/ntp/libntp/authkeys.c @@ -114,13 +114,16 @@ KeyAccT *cache_keyacclist; /* key access list */ KeyAccT* keyacc_new_push( KeyAccT * head, - const sockaddr_u * addr + const sockaddr_u * addr, + unsigned int subnetbits ) { KeyAccT * node = emalloc(sizeof(KeyAccT)); memcpy(&node->addr, addr, sizeof(sockaddr_u)); + node->subnetbits = subnetbits; node->next = head; + return node; } @@ -165,7 +168,8 @@ keyacc_contains( { if (head) { do { - if (SOCK_EQ(&head->addr, addr)) + if (keyacc_amatch(&head->addr, addr, + head->subnetbits)) return TRUE; } while (NULL != (head = head->next)); return FALSE; @@ -174,6 +178,98 @@ keyacc_contains( } } +#if CHAR_BIT != 8 +# error "don't know how to handle bytes with that bit size" +#endif + +/* ----------------------------------------------------------------- */ +/* check two addresses for a match, taking a prefix length into account + * when doing the compare. + * + * The ISC lib contains a similar function with not entirely specified + * semantics, so it seemed somewhat cleaner to do this from scratch. + * + * Note 1: It *is* assumed that the addresses are stored in network byte + * order, that is, most significant byte first! + * + * Note 2: "no address" compares unequal to all other addresses, even to + * itself. This has the same semantics as NaNs have for floats: *any* + * relational or equality operation involving a NaN returns FALSE, even + * equality with itself. "no address" is either a NULL pointer argument + * or an address of type AF_UNSPEC. + */ +int/*BOOL*/ +keyacc_amatch( + const sockaddr_u * a1, + const sockaddr_u * a2, + unsigned int mbits + ) +{ + const uint8_t * pm1; + const uint8_t * pm2; + uint8_t msk; + unsigned int len; + + /* 1st check: If any address is not an address, it's inequal. */ + if ( !a1 || (AF_UNSPEC == AF(a1)) || + !a2 || (AF_UNSPEC == AF(a2)) ) + return FALSE; + + /* We could check pointers for equality here and shortcut the + * other checks if we find object identity. But that use case is + * too rare to care for it. + */ + + /* 2nd check: Address families must be the same. */ + if (AF(a1) != AF(a2)) + return FALSE; + + /* type check: address family determines buffer & size */ + switch (AF(a1)) { + case AF_INET: + /* IPv4 is easy: clamp size, get byte pointers */ + if (mbits > sizeof(NSRCADR(a1)) * 8) + mbits = sizeof(NSRCADR(a1)) * 8; + pm1 = (const void*)&NSRCADR(a1); + pm2 = (const void*)&NSRCADR(a2); + break; + + case AF_INET6: + /* IPv6 is slightly different: Both scopes must match, + * too, before we even consider doing a match! + */ + if ( ! SCOPE_EQ(a1, a2)) + return FALSE; + if (mbits > sizeof(NSRCADR6(a1)) * 8) + mbits = sizeof(NSRCADR6(a1)) * 8; + pm1 = (const void*)&NSRCADR6(a1); + pm2 = (const void*)&NSRCADR6(a2); + break; + + default: + /* don't know how to compare that!?! */ + return FALSE; + } + + /* Split bit length into byte length and partial byte mask. + * Note that the byte mask extends from the MSB of a byte down, + * and that zero shift (--> mbits % 8 == 0) results in an + * all-zero mask. + */ + msk = 0xFFu ^ (0xFFu >> (mbits & 7)); + len = mbits >> 3; + + /* 3rd check: Do memcmp() over full bytes, if any */ + if (len && memcmp(pm1, pm2, len)) + return FALSE; + + /* 4th check: compare last incomplete byte, if any */ + if (msk && ((pm1[len] ^ pm2[len]) & msk)) + return FALSE; + + /* If none of the above failed, we're successfully through. */ + return TRUE; +} /* * init_auth - initialize internal data @@ -316,6 +412,10 @@ auth_log2(size_t x) return (u_short)r; } +int/*BOOL*/ +ipaddr_match_masked(const sockaddr_u *,const sockaddr_u *, + unsigned int mbits); + static void authcache_flush_id( keyid_t id @@ -617,20 +717,19 @@ authistrusted( { symkey * sk; - /* That specific key was already used to authenticate the - * packet. Therefore, the key *must* exist... There's a chance - * that is not trusted, though. - */ if (keyno == cache_keyid) { return (KEY_TRUSTED & cache_flags) && keyacc_contains(cache_keyacclist, sau, TRUE); - } else { + } + + if (NULL != (sk = auth_findkey(keyno))) { authkeyuncached++; - sk = auth_findkey(keyno); - INSIST(NULL != sk); return (KEY_TRUSTED & sk->flags) && keyacc_contains(sk->keyacclist, sau, TRUE); } + + authkeynotfound++; + return FALSE; } /* Note: There are two locations below where 'strncpy()' is used. While @@ -795,7 +894,9 @@ authencrypt( return 0; } - return MD5authencrypt(cache_type, cache_secret, pkt, length); + return MD5authencrypt(cache_type, + cache_secret, cache_secretsize, + pkt, length); } @@ -822,6 +923,7 @@ authdecrypt( return FALSE; } - return MD5authdecrypt(cache_type, cache_secret, pkt, length, - size); + return MD5authdecrypt(cache_type, + cache_secret, cache_secretsize, + pkt, length, size); } diff --git a/contrib/ntp/libntp/authreadkeys.c b/contrib/ntp/libntp/authreadkeys.c index e9273ad..bd98ab2 100644 --- a/contrib/ntp/libntp/authreadkeys.c +++ b/contrib/ntp/libntp/authreadkeys.c @@ -5,8 +5,8 @@ #include <stdio.h> #include <ctype.h> -#include "ntpd.h" /* Only for DPRINTF */ -#include "ntp_fp.h" +//#include "ntpd.h" /* Only for DPRINTF */ +//#include "ntp_fp.h" #include "ntp.h" #include "ntp_syslog.h" #include "ntp_stdlib.h" @@ -148,6 +148,7 @@ authreadkeys( u_int nerr; KeyDataT *list = NULL; KeyDataT *next = NULL; + /* * Open file. Complain and return if it can't be opened. */ @@ -220,7 +221,8 @@ authreadkeys( log_maybe(NULL, "authreadkeys: invalid type for key %d", keyno); - } else if (EVP_get_digestbynid(keytype) == NULL) { + } else if (NID_cmac != keytype && + EVP_get_digestbynid(keytype) == NULL) { log_maybe(NULL, "authreadkeys: no algorithm for key %d", keyno); @@ -295,28 +297,62 @@ authreadkeys( } token = nexttok(&line); - DPRINTF(0, ("authreadkeys: full access list <%s>\n", (token) ? token : "NULL")); if (token != NULL) { /* A comma-separated IP access list */ char *tp = token; while (tp) { char *i; + char *snp; /* subnet text pointer */ + unsigned int snbits; sockaddr_u addr; i = strchr(tp, (int)','); - if (i) + if (i) { *i = '\0'; - DPRINTF(0, ("authreadkeys: access list: <%s>\n", tp)); + } + snp = strchr(tp, (int)'/'); + if (snp) { + char *sp; + + *snp++ = '\0'; + snbits = 0; + sp = snp; + + while (*sp != '\0') { + if (!isdigit((unsigned char)*sp)) + break; + if (snbits > 1000) + break; /* overflow */ + snbits = 10 * snbits + (*sp++ - '0'); /* ascii dependent */ + } + if (*sp != '\0') { + log_maybe(&nerr, + "authreadkeys: Invalid character in subnet specification for <%s/%s> in key %d", + sp, snp, keyno); + goto nextip; + } + } else { + snbits = UINT_MAX; + } if (is_ip_address(tp, AF_UNSPEC, &addr)) { - next->keyacclist = keyacc_new_push( - next->keyacclist, &addr); + /* Make sure that snbits is valid for addr */ + if ((snbits < UINT_MAX) && + ( (IS_IPV4(&addr) && snbits > 32) || + (IS_IPV6(&addr) && snbits > 128))) { + log_maybe(NULL, + "authreadkeys: excessive subnet mask <%s/%s> for key %d", + tp, snp, keyno); + } + next->keyacclist = keyacc_new_push( + next->keyacclist, &addr, snbits); } else { log_maybe(&nerr, "authreadkeys: invalid IP address <%s> for key %d", tp, keyno); } + nextip: if (i) { tp = i + 1; } else { diff --git a/contrib/ntp/libntp/libssl_compat.c b/contrib/ntp/libntp/libssl_compat.c index afe4d07..5527682 100644 --- a/contrib/ntp/libntp/libssl_compat.c +++ b/contrib/ntp/libntp/libssl_compat.c @@ -74,7 +74,10 @@ sslshimBN_GENCB_free( EVP_MD_CTX* sslshim_EVP_MD_CTX_new(void) { - return calloc(1, sizeof(EVP_MD_CTX)); + EVP_MD_CTX * ctx; + if (NULL != (ctx = calloc(1, sizeof(EVP_MD_CTX)))) + EVP_MD_CTX_init(ctx); + return ctx; } void diff --git a/contrib/ntp/libntp/ntp_calendar.c b/contrib/ntp/libntp/ntp_calendar.c index 4bfb0e7..a550d5d 100644 --- a/contrib/ntp/libntp/ntp_calendar.c +++ b/contrib/ntp/libntp/ntp_calendar.c @@ -1825,4 +1825,113 @@ isocal_date_to_ntp( return isocal_date_to_ntp64(id).d_s.lo; } +/* + * ==================================================================== + * 'basedate' support functions + * ==================================================================== + */ + +static int32_t s_baseday = NTP_TO_UNIX_DAYS; + +int32_t +basedate_eval_buildstamp(void) +{ + struct calendar jd; + int32_t ed; + + if (!ntpcal_get_build_date(&jd)) + return NTP_TO_UNIX_DAYS; + + /* The time zone of the build stamp is unspecified; we remove + * one day to provide a certain slack. And in case somebody + * fiddled with the system clock, we make sure we do not go + * before the UNIX epoch (1970-01-01). It's probably not possible + * to do this to the clock on most systems, but there are other + * ways to tweak the build stamp. + */ + jd.monthday -= 1; + ed = ntpcal_date_to_rd(&jd) - DAY_NTP_STARTS; + return (ed < NTP_TO_UNIX_DAYS) ? NTP_TO_UNIX_DAYS : ed; +} + +int32_t +basedate_eval_string( + const char * str + ) +{ + u_short y,m,d; + u_long ned; + int rc, nc; + size_t sl; + + sl = strlen(str); + rc = sscanf(str, "%4hu-%2hu-%2hu%n", &y, &m, &d, &nc); + if (rc == 3 && (size_t)nc == sl) { + if (m >= 1 && m <= 12 && d >= 1 && d <= 31) + return ntpcal_edate_to_eradays(y-1, m-1, d) + - DAY_NTP_STARTS; + goto buildstamp; + } + + rc = scanf(str, "%lu%n", &ned, &nc); + if (rc == 1 && (size_t)nc == sl) { + if (ned <= INT32_MAX) + return (int32_t)ned; + goto buildstamp; + } + + buildstamp: + msyslog(LOG_WARNING, + "basedate string \"%s\" invalid, build date substituted!", + str); + return basedate_eval_buildstamp(); +} + +uint32_t +basedate_get_day(void) +{ + return s_baseday; +} + +int32_t +basedate_set_day( + int32_t day + ) +{ + struct calendar jd; + int32_t retv; + + if (day < NTP_TO_UNIX_DAYS) { + msyslog(LOG_WARNING, + "baseday_set_day: invalid day (%lu), UNIX epoch substituted", + (unsigned long)day); + day = NTP_TO_UNIX_DAYS; + } + retv = s_baseday; + s_baseday = day; + ntpcal_rd_to_date(&jd, day + DAY_NTP_STARTS); + msyslog(LOG_INFO, "basedate set to %04hu-%02hu-%02hu", + jd.year, (u_short)jd.month, (u_short)jd.monthday); + return retv; +} + +time_t +basedate_get_eracenter(void) +{ + time_t retv; + retv = (time_t)(s_baseday - NTP_TO_UNIX_DAYS); + retv *= SECSPERDAY; + retv += (UINT32_C(1) << 31); + return retv; +} + +time_t +basedate_get_erabase(void) +{ + time_t retv; + retv = (time_t)(s_baseday - NTP_TO_UNIX_DAYS); + retv *= SECSPERDAY; + return retv; +} + /* -*-EOF-*- */ diff --git a/contrib/ntp/libntp/ssl_init.c b/contrib/ntp/libntp/ssl_init.c index bebf6e1..96d9d08 100644 --- a/contrib/ntp/libntp/ssl_init.c +++ b/contrib/ntp/libntp/ssl_init.c @@ -5,7 +5,7 @@ * Moved from ntpd/ntp_crypto.c crypto_setup() */ #ifdef HAVE_CONFIG_H -#include <config.h> +# include <config.h> #endif #include <ctype.h> #include <ntp.h> @@ -13,11 +13,15 @@ #include <lib_strbuf.h> #ifdef OPENSSL -#include "openssl/crypto.h" -#include "openssl/err.h" -#include "openssl/evp.h" -#include "openssl/opensslv.h" -#include "libssl_compat.h" +# include "openssl/cmac.h" +# include "openssl/crypto.h" +# include "openssl/err.h" +# include "openssl/evp.h" +# include "openssl/opensslv.h" +# include "libssl_compat.h" + +# define CMAC_LENGTH 16 +# define CMAC "AES128CMAC" int ssl_init_done; @@ -26,8 +30,9 @@ int ssl_init_done; static void atexit_ssl_cleanup(void) { - if (!ssl_init_done) + if (!ssl_init_done) { return; + } ssl_init_done = FALSE; EVP_cleanup(); @@ -63,7 +68,7 @@ void ssl_check_version(void) { u_long v; - + v = OpenSSL_version_num(); if ((v ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) { msyslog(LOG_WARNING, @@ -77,6 +82,8 @@ ssl_check_version(void) INIT_SSL(); } +#else /* !OPENSSL */ +# define MD5_LENGTH 16 #endif /* OPENSSL */ @@ -88,61 +95,95 @@ ssl_check_version(void) */ int keytype_from_text( - const char *text, - size_t *pdigest_len + const char * text, + size_t * pdigest_len ) { int key_type; u_int digest_len; -#ifdef OPENSSL +#ifdef OPENSSL /* --*-- OpenSSL code --*-- */ const u_long max_digest_len = MAX_MAC_LEN - sizeof(keyid_t); - u_char digest[EVP_MAX_MD_SIZE]; char * upcased; char * pch; + EVP_MD const * md; /* * OpenSSL digest short names are capitalized, so uppercase the * digest name before passing to OBJ_sn2nid(). If it is not - * recognized but begins with 'M' use NID_md5 to be consistent - * with past behavior. + * recognized but matches our CMAC string use NID_cmac, or if + * it begins with 'M' or 'm' use NID_md5 to be consistent with + * past behavior. */ INIT_SSL(); + + /* get name in uppercase */ LIB_GETBUF(upcased); strlcpy(upcased, text, LIB_BUFLENGTH); - for (pch = upcased; '\0' != *pch; pch++) + + for (pch = upcased; '\0' != *pch; pch++) { *pch = (char)toupper((unsigned char)*pch); + } + key_type = OBJ_sn2nid(upcased); + + if (!key_type && !strncmp(CMAC, upcased, strlen(CMAC) + 1)) { + key_type = NID_cmac; + + if (debug) { + fprintf(stderr, "%s:%d:%s():%s:key\n", + __FILE__, __LINE__, __func__, CMAC); + } + } #else + key_type = 0; #endif - if (!key_type && 'm' == tolower((unsigned char)text[0])) + if (!key_type && 'm' == tolower((unsigned char)text[0])) { key_type = NID_md5; + } - if (!key_type) + if (!key_type) { return 0; + } if (NULL != pdigest_len) { #ifdef OPENSSL - EVP_MD_CTX *ctx; + md = EVP_get_digestbynid(key_type); + digest_len = (md) ? EVP_MD_size(md) : 0; - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_get_digestbynid(key_type)); - EVP_DigestFinal(ctx, digest, &digest_len); - EVP_MD_CTX_free(ctx); - if (digest_len > max_digest_len) { + if (!md || digest_len <= 0) { + if (key_type == NID_cmac) { + digest_len = CMAC_LENGTH; + + if (debug) { + fprintf(stderr, "%s:%d:%s():%s:len\n", + __FILE__, __LINE__, __func__, CMAC); + } + } else { fprintf(stderr, - "key type %s %u octet digests are too big, max %lu\n", - keytype_name(key_type), digest_len, - max_digest_len); + "key type %s is not supported by OpenSSL\n", + keytype_name(key_type)); msyslog(LOG_ERR, - "key type %s %u octet digests are too big, max %lu", - keytype_name(key_type), digest_len, - max_digest_len); + "key type %s is not supported by OpenSSL\n", + keytype_name(key_type)); return 0; + } + } + + if (digest_len > max_digest_len) { + fprintf(stderr, + "key type %s %u octet digests are too big, max %lu\n", + keytype_name(key_type), digest_len, + max_digest_len); + msyslog(LOG_ERR, + "key type %s %u octet digests are too big, max %lu", + keytype_name(key_type), digest_len, + max_digest_len); + return 0; } #else - digest_len = 16; + digest_len = MD5_LENGTH; #endif *pdigest_len = digest_len; } @@ -167,8 +208,18 @@ keytype_name( #ifdef OPENSSL INIT_SSL(); name = OBJ_nid2sn(nid); - if (NULL == name) + + if (NID_cmac == nid) { + name = CMAC; + + if (debug) { + fprintf(stderr, "%s:%d:%s():%s:nid\n", + __FILE__, __LINE__, __func__, CMAC); + } + } else + if (NULL == name) { name = unknown_type; + } #else /* !OPENSSL follows */ if (NID_md5 == nid) name = "MD5"; @@ -203,3 +254,4 @@ getpass_keytype( return getpass(pass_prompt); } + diff --git a/contrib/ntp/libntp/statestr.c b/contrib/ntp/libntp/statestr.c index b8fa53c..d135222 100644 --- a/contrib/ntp/libntp/statestr.c +++ b/contrib/ntp/libntp/statestr.c @@ -22,64 +22,65 @@ */ struct codestring { int code; - const char * const string; + const char * const string1; + const char * const string0; }; /* * Leap status (leap) */ static const struct codestring leap_codes[] = { - { LEAP_NOWARNING, "leap_none" }, - { LEAP_ADDSECOND, "leap_add_sec" }, - { LEAP_DELSECOND, "leap_del_sec" }, - { LEAP_NOTINSYNC, "leap_alarm" }, - { -1, "leap" } + { LEAP_NOWARNING, "leap_none", 0 }, + { LEAP_ADDSECOND, "leap_add_sec", 0 }, + { LEAP_DELSECOND, "leap_del_sec", 0 }, + { LEAP_NOTINSYNC, "leap_alarm", 0 }, + { -1, "leap", 0 } }; /* * Clock source status (sync) */ static const struct codestring sync_codes[] = { - { CTL_SST_TS_UNSPEC, "sync_unspec" }, - { CTL_SST_TS_ATOM, "sync_pps" }, - { CTL_SST_TS_LF, "sync_lf_radio" }, - { CTL_SST_TS_HF, "sync_hf_radio" }, - { CTL_SST_TS_UHF, "sync_uhf_radio" }, - { CTL_SST_TS_LOCAL, "sync_local" }, - { CTL_SST_TS_NTP, "sync_ntp" }, - { CTL_SST_TS_UDPTIME, "sync_other" }, - { CTL_SST_TS_WRSTWTCH, "sync_wristwatch" }, - { CTL_SST_TS_TELEPHONE, "sync_telephone" }, - { -1, "sync" } + { CTL_SST_TS_UNSPEC, "sync_unspec", 0 }, + { CTL_SST_TS_ATOM, "sync_pps", 0 }, + { CTL_SST_TS_LF, "sync_lf_radio", 0 }, + { CTL_SST_TS_HF, "sync_hf_radio", 0 }, + { CTL_SST_TS_UHF, "sync_uhf_radio", 0 }, + { CTL_SST_TS_LOCAL, "sync_local", 0 }, + { CTL_SST_TS_NTP, "sync_ntp", 0 }, + { CTL_SST_TS_UDPTIME, "sync_other", 0 }, + { CTL_SST_TS_WRSTWTCH, "sync_wristwatch", 0 }, + { CTL_SST_TS_TELEPHONE, "sync_telephone", 0 }, + { -1, "sync", 0 } }; /* * Peer selection status (sel) */ static const struct codestring select_codes[] = { - { CTL_PST_SEL_REJECT, "sel_reject" }, - { CTL_PST_SEL_SANE, "sel_falsetick" }, - { CTL_PST_SEL_CORRECT, "sel_excess" }, - { CTL_PST_SEL_SELCAND, "sel_outlier" }, - { CTL_PST_SEL_SYNCCAND, "sel_candidate" }, - { CTL_PST_SEL_EXCESS, "sel_backup" }, - { CTL_PST_SEL_SYSPEER, "sel_sys.peer" }, - { CTL_PST_SEL_PPS, "sel_pps.peer" }, - { -1, "sel" } + { CTL_PST_SEL_REJECT, "sel_reject", 0 }, + { CTL_PST_SEL_SANE, "sel_falsetick", 0 }, + { CTL_PST_SEL_CORRECT, "sel_excess", 0 }, + { CTL_PST_SEL_SELCAND, "sel_outlier", 0 }, + { CTL_PST_SEL_SYNCCAND, "sel_candidate", 0 }, + { CTL_PST_SEL_EXCESS, "sel_backup", 0 }, + { CTL_PST_SEL_SYSPEER, "sel_sys.peer", 0 }, + { CTL_PST_SEL_PPS, "sel_pps.peer", 0 }, + { -1, "sel", 0 } }; /* * Clock status (clk) */ static const struct codestring clock_codes[] = { - { CTL_CLK_OKAY, "clk_unspec" }, - { CTL_CLK_NOREPLY, "clk_no_reply" }, - { CTL_CLK_BADFORMAT, "clk_bad_format" }, - { CTL_CLK_FAULT, "clk_fault" }, - { CTL_CLK_PROPAGATION, "clk_bad_signal" }, - { CTL_CLK_BADDATE, "clk_bad_date" }, - { CTL_CLK_BADTIME, "clk_bad_time" }, - { -1, "clk" } + { CTL_CLK_OKAY, "clk_unspec", 0 }, + { CTL_CLK_NOREPLY, "clk_no_reply", 0 }, + { CTL_CLK_BADFORMAT, "clk_bad_format", 0 }, + { CTL_CLK_FAULT, "clk_fault", 0 }, + { CTL_CLK_PROPAGATION, "clk_bad_signal", 0 }, + { CTL_CLK_BADDATE, "clk_bad_date", 0 }, + { CTL_CLK_BADTIME, "clk_bad_time", 0 }, + { -1, "clk", 0 } }; @@ -88,20 +89,20 @@ static const struct codestring clock_codes[] = { * Flash bits -- see ntpq.c tstflags & tstflagnames */ static const struct codestring flash_codes[] = { - { TEST1, "pkt_dup" }, - { TEST2, "pkt_bogus" }, - { TEST3, "pkt_unsync" }, - { TEST4, "pkt_denied" }, - { TEST5, "pkt_auth" }, - { TEST6, "pkt_stratum" }, - { TEST7, "pkt_header" }, - { TEST8, "pkt_autokey" }, - { TEST9, "pkt_crypto" }, - { TEST10, "peer_stratum" }, - { TEST11, "peer_dist" }, - { TEST12, "peer_loop" }, - { TEST13, "peer_unreach" }, - { -1, "flash" } + { TEST1, "pkt_dup", 0 }, + { TEST2, "pkt_bogus", 0 }, + { TEST3, "pkt_unsync", 0 }, + { TEST4, "pkt_denied", 0 }, + { TEST5, "pkt_auth", 0 }, + { TEST6, "pkt_stratum", 0 }, + { TEST7, "pkt_header", 0 }, + { TEST8, "pkt_autokey", 0 }, + { TEST9, "pkt_crypto", 0 }, + { TEST10, "peer_stratum", 0 }, + { TEST11, "peer_dist", 0 }, + { TEST12, "peer_loop", 0 }, + { TEST13, "peer_unreach", 0 }, + { -1, "flash", 0 } }; #endif @@ -110,56 +111,56 @@ static const struct codestring flash_codes[] = { * System events (sys) */ static const struct codestring sys_codes[] = { - { EVNT_UNSPEC, "unspecified" }, - { EVNT_NSET, "freq_not_set" }, - { EVNT_FSET, "freq_set" }, - { EVNT_SPIK, "spike_detect" }, - { EVNT_FREQ, "freq_mode" }, - { EVNT_SYNC, "clock_sync" }, - { EVNT_SYSRESTART, "restart" }, - { EVNT_SYSFAULT, "panic_stop" }, - { EVNT_NOPEER, "no_sys_peer" }, - { EVNT_ARMED, "leap_armed" }, - { EVNT_DISARMED, "leap_disarmed" }, - { EVNT_LEAP, "leap_event" }, - { EVNT_CLOCKRESET, "clock_step" }, - { EVNT_KERN, "kern" }, - { EVNT_TAI, "TAI" }, - { EVNT_LEAPVAL, "stale_leapsecond_values" }, - { -1, "" } + { EVNT_UNSPEC, "unspecified", 0 }, + { EVNT_NSET, "freq_not_set", 0 }, + { EVNT_FSET, "freq_set", 0 }, + { EVNT_SPIK, "spike_detect", 0 }, + { EVNT_FREQ, "freq_mode", 0 }, + { EVNT_SYNC, "clock_sync", 0 }, + { EVNT_SYSRESTART, "restart", 0 }, + { EVNT_SYSFAULT, "panic_stop", 0 }, + { EVNT_NOPEER, "no_sys_peer", 0 }, + { EVNT_ARMED, "leap_armed", 0 }, + { EVNT_DISARMED, "leap_disarmed", 0 }, + { EVNT_LEAP, "leap_event", 0 }, + { EVNT_CLOCKRESET, "clock_step", 0 }, + { EVNT_KERN, "kern", 0 }, + { EVNT_TAI, "TAI", 0 }, + { EVNT_LEAPVAL, "stale_leapsecond_values", 0 }, + { -1, "", 0 } }; /* * Peer events (peer) */ static const struct codestring peer_codes[] = { - { PEVNT_MOBIL & ~PEER_EVENT, "mobilize" }, - { PEVNT_DEMOBIL & ~PEER_EVENT, "demobilize" }, - { PEVNT_UNREACH & ~PEER_EVENT, "unreachable" }, - { PEVNT_REACH & ~PEER_EVENT, "reachable" }, - { PEVNT_RESTART & ~PEER_EVENT, "restart" }, - { PEVNT_REPLY & ~PEER_EVENT, "no_reply" }, - { PEVNT_RATE & ~PEER_EVENT, "rate_exceeded" }, - { PEVNT_DENY & ~PEER_EVENT, "access_denied" }, - { PEVNT_ARMED & ~PEER_EVENT, "leap_armed" }, - { PEVNT_NEWPEER & ~PEER_EVENT, "sys_peer" }, - { PEVNT_CLOCK & ~PEER_EVENT, "clock_event" }, - { PEVNT_AUTH & ~PEER_EVENT, "bad_auth" }, - { PEVNT_POPCORN & ~PEER_EVENT, "popcorn" }, - { PEVNT_XLEAVE & ~PEER_EVENT, "interleave_mode" }, - { PEVNT_XERR & ~PEER_EVENT, "interleave_error" }, - { -1, "" } + { PEVNT_MOBIL & ~PEER_EVENT, "mobilize", 0 }, + { PEVNT_DEMOBIL & ~PEER_EVENT, "demobilize", 0 }, + { PEVNT_UNREACH & ~PEER_EVENT, "unreachable", 0 }, + { PEVNT_REACH & ~PEER_EVENT, "reachable", 0 }, + { PEVNT_RESTART & ~PEER_EVENT, "restart", 0 }, + { PEVNT_REPLY & ~PEER_EVENT, "no_reply", 0 }, + { PEVNT_RATE & ~PEER_EVENT, "rate_exceeded", 0 }, + { PEVNT_DENY & ~PEER_EVENT, "access_denied", 0 }, + { PEVNT_ARMED & ~PEER_EVENT, "leap_armed", 0 }, + { PEVNT_NEWPEER & ~PEER_EVENT, "sys_peer", 0 }, + { PEVNT_CLOCK & ~PEER_EVENT, "clock_event", 0 }, + { PEVNT_AUTH & ~PEER_EVENT, "bad_auth", 0 }, + { PEVNT_POPCORN & ~PEER_EVENT, "popcorn", 0 }, + { PEVNT_XLEAVE & ~PEER_EVENT, "interleave_mode", 0 }, + { PEVNT_XERR & ~PEER_EVENT, "interleave_error", 0 }, + { -1, "", 0 } }; /* * Peer status bits */ static const struct codestring peer_st_bits[] = { - { CTL_PST_CONFIG, "conf" }, - { CTL_PST_AUTHENABLE, "authenb" }, - { CTL_PST_AUTHENTIC, "auth" }, - { CTL_PST_REACH, "reach" }, - { CTL_PST_BCAST, "bcast" }, + { CTL_PST_CONFIG, "conf", 0 }, + { CTL_PST_AUTHENABLE, "authenb", 0 }, + { CTL_PST_AUTHENTIC, "auth", 0 }, + { CTL_PST_REACH, "reach", 0 }, + { CTL_PST_BCAST, "bcast", 0 }, /* not used with getcode(), no terminating entry needed */ }; @@ -167,9 +168,9 @@ static const struct codestring peer_st_bits[] = { * Restriction match bits */ static const struct codestring res_match_bits[] = { - { RESM_NTPONLY, "ntpport" }, - { RESM_INTERFACE, "interface" }, - { RESM_SOURCE, "source" }, + { RESM_NTPONLY, "ntpport", 0 }, + { RESM_INTERFACE, "interface", 0 }, + { RESM_SOURCE, "source", 0 }, /* not used with getcode(), no terminating entry needed */ }; @@ -177,18 +178,19 @@ static const struct codestring res_match_bits[] = { * Restriction access bits */ static const struct codestring res_access_bits[] = { - { RES_IGNORE, "ignore" }, - { RES_DONTSERVE, "noserve" }, - { RES_DONTTRUST, "notrust" }, - { RES_NOQUERY, "noquery" }, - { RES_NOMODIFY, "nomodify" }, - { RES_NOPEER, "nopeer" }, - { RES_NOTRAP, "notrap" }, - { RES_LPTRAP, "lptrap" }, - { RES_LIMITED, "limited" }, - { RES_VERSION, "version" }, - { RES_KOD, "kod" }, - { RES_FLAKE, "flake" }, + { RES_IGNORE, "ignore", 0 }, + { RES_DONTSERVE, "noserve", "serve" }, + { RES_DONTTRUST, "notrust", "trust" }, + { RES_NOQUERY, "noquery", "query" }, + { RES_NOMODIFY, "nomodify", 0 }, + { RES_NOPEER, "nopeer", "peer" }, + { RES_NOEPEER, "noepeer", "epeer" }, + { RES_NOTRAP, "notrap", "trap" }, + { RES_LPTRAP, "lptrap", 0 }, + { RES_LIMITED, "limited", 0 }, + { RES_VERSION, "version", 0 }, + { RES_KOD, "kod", 0 }, + { RES_FLAKE, "flake", 0 }, /* not used with getcode(), no terminating entry needed */ }; @@ -197,23 +199,23 @@ static const struct codestring res_access_bits[] = { * Crypto events (cryp) */ static const struct codestring crypto_codes[] = { - { XEVNT_OK & ~CRPT_EVENT, "success" }, - { XEVNT_LEN & ~CRPT_EVENT, "bad_field_format_or_length" }, - { XEVNT_TSP & ~CRPT_EVENT, "bad_timestamp" }, - { XEVNT_FSP & ~CRPT_EVENT, "bad_filestamp" }, - { XEVNT_PUB & ~CRPT_EVENT, "bad_or_missing_public_key" }, - { XEVNT_MD & ~CRPT_EVENT, "unsupported_digest_type" }, - { XEVNT_KEY & ~CRPT_EVENT, "unsupported_identity_type" }, - { XEVNT_SGL & ~CRPT_EVENT, "bad_signature_length" }, - { XEVNT_SIG & ~CRPT_EVENT, "signature_not_verified" }, - { XEVNT_VFY & ~CRPT_EVENT, "certificate_not_verified" }, - { XEVNT_PER & ~CRPT_EVENT, "host_certificate_expired" }, - { XEVNT_CKY & ~CRPT_EVENT, "bad_or_missing_cookie" }, - { XEVNT_DAT & ~CRPT_EVENT, "bad_or_missing_leapseconds" }, - { XEVNT_CRT & ~CRPT_EVENT, "bad_or_missing_certificate" }, - { XEVNT_ID & ~CRPT_EVENT, "bad_or_missing_group key" }, - { XEVNT_ERR & ~CRPT_EVENT, "protocol_error" }, - { -1, "" } + { XEVNT_OK & ~CRPT_EVENT, "success", 0 }, + { XEVNT_LEN & ~CRPT_EVENT, "bad_field_format_or_length", 0 }, + { XEVNT_TSP & ~CRPT_EVENT, "bad_timestamp", 0 }, + { XEVNT_FSP & ~CRPT_EVENT, "bad_filestamp", 0 }, + { XEVNT_PUB & ~CRPT_EVENT, "bad_or_missing_public_key", 0 }, + { XEVNT_MD & ~CRPT_EVENT, "unsupported_digest_type", 0 }, + { XEVNT_KEY & ~CRPT_EVENT, "unsupported_identity_type", 0 }, + { XEVNT_SGL & ~CRPT_EVENT, "bad_signature_length", 0 }, + { XEVNT_SIG & ~CRPT_EVENT, "signature_not_verified", 0 }, + { XEVNT_VFY & ~CRPT_EVENT, "certificate_not_verified", 0 }, + { XEVNT_PER & ~CRPT_EVENT, "host_certificate_expired", 0 }, + { XEVNT_CKY & ~CRPT_EVENT, "bad_or_missing_cookie", 0 }, + { XEVNT_DAT & ~CRPT_EVENT, "bad_or_missing_leapseconds", 0 }, + { XEVNT_CRT & ~CRPT_EVENT, "bad_or_missing_certificate", 0 }, + { XEVNT_ID & ~CRPT_EVENT, "bad_or_missing_group key", 0 }, + { XEVNT_ERR & ~CRPT_EVENT, "protocol_error", 0 }, + { -1, "", 0 } }; #endif /* AUTOKEY */ @@ -223,52 +225,52 @@ static const struct codestring crypto_codes[] = { */ static const struct codestring k_st_bits[] = { # ifdef STA_PLL - { STA_PLL, "pll" }, + { STA_PLL, "pll", 0 }, # endif # ifdef STA_PPSFREQ - { STA_PPSFREQ, "ppsfreq" }, + { STA_PPSFREQ, "ppsfreq", 0 }, # endif # ifdef STA_PPSTIME - { STA_PPSTIME, "ppstime" }, + { STA_PPSTIME, "ppstime", 0 }, # endif # ifdef STA_FLL - { STA_FLL, "fll" }, + { STA_FLL, "fll", 0 }, # endif # ifdef STA_INS - { STA_INS, "ins" }, + { STA_INS, "ins", 0 }, # endif # ifdef STA_DEL - { STA_DEL, "del" }, + { STA_DEL, "del", 0 }, # endif # ifdef STA_UNSYNC - { STA_UNSYNC, "unsync" }, + { STA_UNSYNC, "unsync", 0 }, # endif # ifdef STA_FREQHOLD - { STA_FREQHOLD, "freqhold" }, + { STA_FREQHOLD, "freqhold", 0 }, # endif # ifdef STA_PPSSIGNAL - { STA_PPSSIGNAL, "ppssignal" }, + { STA_PPSSIGNAL, "ppssignal", 0 }, # endif # ifdef STA_PPSJITTER - { STA_PPSJITTER, "ppsjitter" }, + { STA_PPSJITTER, "ppsjitter", 0 }, # endif # ifdef STA_PPSWANDER - { STA_PPSWANDER, "ppswander" }, + { STA_PPSWANDER, "ppswander", 0 }, # endif # ifdef STA_PPSERROR - { STA_PPSERROR, "ppserror" }, + { STA_PPSERROR, "ppserror", 0 }, # endif # ifdef STA_CLOCKERR - { STA_CLOCKERR, "clockerr" }, + { STA_CLOCKERR, "clockerr", 0 }, # endif # ifdef STA_NANO - { STA_NANO, "nano" }, + { STA_NANO, "nano", 0 }, # endif # ifdef STA_MODE - { STA_MODE, "mode=fll" }, + { STA_MODE, "mode=fll", 0 }, # endif # ifdef STA_CLK - { STA_CLK, "src=B" }, + { STA_CLK, "src=B", 0 }, # endif /* not used with getcode(), no terminating entry needed */ }; @@ -292,12 +294,12 @@ getcode( while (codetab->code != -1) { if (codetab->code == code) - return codetab->string; + return codetab->string1; codetab++; } LIB_GETBUF(buf); - snprintf(buf, LIB_BUFLENGTH, "%s_%d", codetab->string, code); + snprintf(buf, LIB_BUFLENGTH, "%s_%d", codetab->string1, code); return buf; } @@ -354,10 +356,18 @@ decode_bitflags( sep = ""; for (b = 0; b < tab_ct; b++) { + const char * flagstr; + if (tab[b].code & bits) { + flagstr = tab[b].string1; + } else { + flagstr = tab[b].string0; + } + + if (flagstr) { size_t avail = lim - pch; rc = snprintf(pch, avail, "%s%s", sep, - tab[b].string); + flagstr); if ((size_t)rc >= avail) goto toosmall; pch += rc; diff --git a/contrib/ntp/libntp/systime.c b/contrib/ntp/libntp/systime.c index 29f1e86..8e70897 100644 --- a/contrib/ntp/libntp/systime.c +++ b/contrib/ntp/libntp/systime.c @@ -5,8 +5,10 @@ * */ #include <config.h> +#include <math.h> #include "ntp.h" +#include "ntpd.h" #include "ntp_syslog.h" #include "ntp_stdlib.h" #include "ntp_random.h" @@ -14,6 +16,7 @@ #include "timevalops.h" #include "timespecops.h" #include "ntp_calendar.h" +#include "lib_strbuf.h" #ifdef HAVE_SYS_PARAM_H # include <sys/param.h> @@ -28,6 +31,9 @@ int allow_panic = FALSE; /* allow panic correction (-g) */ int enable_panic_check = TRUE; /* Can we check allow_panic's state? */ +u_long sys_lamport; /* Lamport violation */ +u_long sys_tsrounding; /* timestamp rounding errors */ + #ifndef USE_COMPILETIME_PIVOT # define USE_COMPILETIME_PIVOT 1 #endif @@ -110,7 +116,10 @@ set_sys_fuzz( sys_fuzz = fuzz_val; INSIST(sys_fuzz >= 0); INSIST(sys_fuzz <= 1.0); - sys_fuzz_nsec = (long)(sys_fuzz * 1e9 + 0.5); + /* [Bug 3450] ensure nsec fuzz >= sys_fuzz to reduce chance of + * short-falling fuzz advance + */ + sys_fuzz_nsec = (long)ceil(sys_fuzz * 1e9); } @@ -168,13 +177,10 @@ get_systime( static struct timespec ts_last; /* last sampled os time */ static struct timespec ts_prev; /* prior os time */ static l_fp lfp_prev; /* prior result */ - static double dfuzz_prev; /* prior fuzz */ struct timespec ts; /* seconds and nanoseconds */ struct timespec ts_min; /* earliest permissible */ struct timespec ts_lam; /* lamport fictional increment */ - struct timespec ts_prev_log; /* for msyslog only */ double dfuzz; - double ddelta; l_fp result; l_fp lfpfuzz; l_fp lfpdelta; @@ -191,8 +197,10 @@ get_systime( * introduce small steps backward. It should not be an issue on * systems where get_ostime() results in a true syscall.) */ - if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0) + if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0) { lamport_violated = 1; + sys_lamport++; + } ts_last = ts; /* @@ -216,21 +224,16 @@ get_systime( if (!lamport_violated) ts = ts_min; } - ts_prev_log = ts_prev; ts_prev = ts; - } else { - /* - * Quiet "ts_prev_log.tv_sec may be used uninitialized" - * warning from x86 gcc 4.5.2. - */ - ZERO(ts_prev_log); } /* convert from timespec to l_fp fixed-point */ result = tspec_stamp_to_lfp(ts); /* - * Add in the fuzz. + * Add in the fuzz. 'ntp_random()' returns [0..2**31-1] so we + * must scale up the result by 2.0 to cover the full fractional + * range. */ dfuzz = ntp_random() * 2. / FRAC * sys_fuzz; DTOLFP(dfuzz, &lfpfuzz); @@ -240,30 +243,34 @@ get_systime( * Ensure result is strictly greater than prior result (ignoring * sys_residual's effect for now) once sys_fuzz has been * determined. + * + * [Bug 3450] Rounding errors and time slew can lead to a + * violation of the expected postcondition. This is bound to + * happen from time to time (depending on state of the random + * generator, the current slew and the closeness of system time + * stamps drawn) and does not warrant a syslog entry. Instead it + * makes much more sense to ensure the postcondition and hop + * along silently. */ if (!USING_SIGIO()) { - if (!L_ISZERO(&lfp_prev) && !lamport_violated) { - if (!L_ISGTU(&result, &lfp_prev) && - sys_fuzz > 0.) { - msyslog(LOG_ERR, "ts_prev %s ts_min %s", - tspectoa(ts_prev_log), - tspectoa(ts_min)); - msyslog(LOG_ERR, "ts %s", tspectoa(ts)); - msyslog(LOG_ERR, "sys_fuzz %ld nsec, prior fuzz %.9f", - sys_fuzz_nsec, dfuzz_prev); - msyslog(LOG_ERR, "this fuzz %.9f", - dfuzz); - lfpdelta = lfp_prev; - L_SUB(&lfpdelta, &result); - LFPTOD(&lfpdelta, ddelta); - msyslog(LOG_ERR, - "prev get_systime 0x%x.%08x is %.9f later than 0x%x.%08x", - lfp_prev.l_ui, lfp_prev.l_uf, - ddelta, result.l_ui, result.l_uf); + if ( !L_ISZERO(&lfp_prev) + && !lamport_violated + && (sys_fuzz > 0.0) + ) { + lfpdelta = result; + L_SUB(&lfpdelta, &lfp_prev); + L_SUBUF(&lfpdelta, 1); + if (lfpdelta.l_i < 0) + { + L_NEG(&lfpdelta); + DPRINTF(1, ("get_systime: postcond failed by %s secs, fixed\n", + lfptoa(&lfpdelta, 9))); + result = lfp_prev; + L_ADDUF(&result, 1); + sys_tsrounding++; } } lfp_prev = result; - dfuzz_prev = dfuzz; if (lamport_violated) lamport_violated = FALSE; } @@ -362,105 +369,16 @@ adj_systime( } #endif - /* - * step_systime - step the system clock. + * helper to keep utmp/wtmp up to date */ - -int -step_systime( - double step +static void +update_uwtmp( + struct timeval timetv, + struct timeval tvlast ) { - time_t pivot; /* for ntp era unfolding */ - struct timeval timetv, tvlast, tvdiff; - struct timespec timets; - struct calendar jd; - l_fp fp_ofs, fp_sys; /* offset and target system time in FP */ - - /* - * Get pivot time for NTP era unfolding. Since we don't step - * very often, we can afford to do the whole calculation from - * scratch. And we're not in the time-critical path yet. - */ -#if SIZEOF_TIME_T > 4 - /* - * This code makes sure the resulting time stamp for the new - * system time is in the 2^32 seconds starting at 1970-01-01, - * 00:00:00 UTC. - */ - pivot = 0x80000000; -#if USE_COMPILETIME_PIVOT - /* - * Add the compile time minus 10 years to get a possible target - * area of (compile time - 10 years) to (compile time + 126 - * years). This should be sufficient for a given binary of - * NTPD. - */ - if (ntpcal_get_build_date(&jd)) { - jd.year -= 10; - pivot += ntpcal_date_to_time(&jd); - } else { - msyslog(LOG_ERR, - "step-systime: assume 1970-01-01 as build date"); - } -#else - UNUSED_LOCAL(jd); -#endif /* USE_COMPILETIME_PIVOT */ -#else - UNUSED_LOCAL(jd); - /* This makes sure the resulting time stamp is on or after - * 1969-12-31/23:59:59 UTC and gives us additional two years, - * from the change of NTP era in 2036 to the UNIX rollover in - * 2038. (Minus one second, but that won't hurt.) We *really* - * need a longer 'time_t' after that! Or a different baseline, - * but that would cause other serious trouble, too. - */ - pivot = 0x7FFFFFFF; -#endif - - /* get the complete jump distance as l_fp */ - DTOLFP(sys_residual, &fp_sys); - DTOLFP(step, &fp_ofs); - L_ADD(&fp_ofs, &fp_sys); - - /* ---> time-critical path starts ---> */ - - /* get the current time as l_fp (without fuzz) and as struct timeval */ - get_ostime(&timets); - fp_sys = tspec_stamp_to_lfp(timets); - tvlast.tv_sec = timets.tv_sec; - tvlast.tv_usec = (timets.tv_nsec + 500) / 1000; - - /* get the target time as l_fp */ - L_ADD(&fp_sys, &fp_ofs); - - /* unfold the new system time */ - timetv = lfp_stamp_to_tval(fp_sys, &pivot); - - /* now set new system time */ - if (ntp_set_tod(&timetv, NULL) != 0) { - msyslog(LOG_ERR, "step-systime: %m"); - if (enable_panic_check && allow_panic) { - msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!"); - } - return FALSE; - } - - /* <--- time-critical path ended with 'ntp_set_tod()' <--- */ - - sys_residual = 0; - lamport_violated = (step < 0); - if (step_callback) - (*step_callback)(); - -#ifdef NEED_HPUX_ADJTIME - /* - * CHECKME: is this correct when called by ntpdate????? - */ - _clear_adjtime(); -#endif - + struct timeval tvdiff; /* * FreeBSD, for example, has: * struct utmp { @@ -589,6 +507,83 @@ step_systime( #endif /* UPDATE_WTMPX */ } +} + +/* + * step_systime - step the system clock. + */ + +int +step_systime( + double step + ) +{ + time_t pivot; /* for ntp era unfolding */ + struct timeval timetv, tvlast; + struct timespec timets; + l_fp fp_ofs, fp_sys; /* offset and target system time in FP */ + + /* + * Get pivot time for NTP era unfolding. Since we don't step + * very often, we can afford to do the whole calculation from + * scratch. And we're not in the time-critical path yet. + */ +#if SIZEOF_TIME_T > 4 + pivot = basedate_get_eracenter(); +#else + /* This makes sure the resulting time stamp is on or after + * 1969-12-31/23:59:59 UTC and gives us additional two years, + * from the change of NTP era in 2036 to the UNIX rollover in + * 2038. (Minus one second, but that won't hurt.) We *really* + * need a longer 'time_t' after that! Or a different baseline, + * but that would cause other serious trouble, too. + */ + pivot = 0x7FFFFFFF; +#endif + + /* get the complete jump distance as l_fp */ + DTOLFP(sys_residual, &fp_sys); + DTOLFP(step, &fp_ofs); + L_ADD(&fp_ofs, &fp_sys); + + /* ---> time-critical path starts ---> */ + + /* get the current time as l_fp (without fuzz) and as struct timeval */ + get_ostime(&timets); + fp_sys = tspec_stamp_to_lfp(timets); + tvlast.tv_sec = timets.tv_sec; + tvlast.tv_usec = (timets.tv_nsec + 500) / 1000; + + /* get the target time as l_fp */ + L_ADD(&fp_sys, &fp_ofs); + + /* unfold the new system time */ + timetv = lfp_stamp_to_tval(fp_sys, &pivot); + + /* now set new system time */ + if (ntp_set_tod(&timetv, NULL) != 0) { + msyslog(LOG_ERR, "step-systime: %m"); + if (enable_panic_check && allow_panic) { + msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!"); + } + return FALSE; + } + + /* <--- time-critical path ended with 'ntp_set_tod()' <--- */ + + sys_residual = 0; + lamport_violated = (step < 0); + if (step_callback) + (*step_callback)(); + +#ifdef NEED_HPUX_ADJTIME + /* + * CHECKME: is this correct when called by ntpdate????? + */ + _clear_adjtime(); +#endif + + update_uwtmp(timetv, tvlast); if (enable_panic_check && allow_panic) { msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!"); INSIST(!allow_panic); @@ -596,4 +591,93 @@ step_systime( return TRUE; } +static const char * +tv_fmt_libbuf( + const struct timeval * ptv + ) +{ + char * retv; + vint64 secs; + ntpcal_split dds; + struct calendar jd; + + secs = time_to_vint64(&ptv->tv_sec); + dds = ntpcal_daysplit(&secs); + ntpcal_daysplit_to_date(&jd, &dds, DAY_UNIX_STARTS); + LIB_GETBUF(retv); + snprintf(retv, LIB_BUFLENGTH, + "%04hu-%02hu-%02hu/%02hu:%02hu:%02hu.%06u", + jd.year, (u_short)jd.month, (u_short)jd.monthday, + (u_short)jd.hour, (u_short)jd.minute, (u_short)jd.second, + (u_int)ptv->tv_usec); + return retv; +} + + +int /*BOOL*/ +clamp_systime(void) +{ +#if SIZEOF_TIME_T > 4 + + struct timeval timetv, tvlast; + struct timespec timets; + uint32_t tdiff; + + + timetv.tv_sec = basedate_get_erabase(); + + /* ---> time-critical path starts ---> */ + + /* get the current time as l_fp (without fuzz) and as struct timeval */ + get_ostime(&timets); + tvlast.tv_sec = timets.tv_sec; + tvlast.tv_usec = (timets.tv_nsec + 500) / 1000; + if (tvlast.tv_usec >= 1000000) { + tvlast.tv_usec -= 1000000; + tvlast.tv_sec += 1; + } + timetv.tv_usec = tvlast.tv_usec; + + tdiff = (uint32_t)(tvlast.tv_sec & UINT32_MAX) - + (uint32_t)(timetv.tv_sec & UINT32_MAX); + timetv.tv_sec += tdiff; + if (timetv.tv_sec != tvlast.tv_sec) { + /* now set new system time */ + if (ntp_set_tod(&timetv, NULL) != 0) { + msyslog(LOG_ERR, "clamp-systime: %m"); + return FALSE; + } + } else { + msyslog(LOG_INFO, + "clamp-systime: clock (%s) in allowed range", + tv_fmt_libbuf(&timetv)); + return FALSE; + } + + /* <--- time-critical path ended with 'ntp_set_tod()' <--- */ + + sys_residual = 0; + lamport_violated = (timetv.tv_sec < tvlast.tv_sec); + if (step_callback) + (*step_callback)(); + +# ifdef NEED_HPUX_ADJTIME + /* + * CHECKME: is this correct when called by ntpdate????? + */ + _clear_adjtime(); +# endif + + update_uwtmp(timetv, tvlast); + msyslog(LOG_WARNING, + "clamp-systime: clock stepped from %s to %s!", + tv_fmt_libbuf(&tvlast), tv_fmt_libbuf(&timetv)); + return TRUE; + +#else + + return 0; +#endif +} + #endif /* !SIM */ diff --git a/contrib/ntp/libntp/work_thread.c b/contrib/ntp/libntp/work_thread.c index 82f6064..433290c 100644 --- a/contrib/ntp/libntp/work_thread.c +++ b/contrib/ntp/libntp/work_thread.c @@ -27,7 +27,7 @@ #define CHILD_GONE_RESP CHILD_EXIT_REQ /* Queue size increments: * The request queue grows a bit faster than the response queue -- the - * deamon can push requests and pull results faster on avarage than the + * daemon can push requests and pull results faster on avarage than the * worker can process requests and push results... If this really pays * off is debatable. */ diff --git a/contrib/ntp/libparse/Makefile.in b/contrib/ntp/libparse/Makefile.in index 785e12c..4ff96bb 100644 --- a/contrib/ntp/libparse/Makefile.in +++ b/contrib/ntp/libparse/Makefile.in @@ -102,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -1007,7 +1008,6 @@ check-libparse: $(noinst_LIBRARIES) @: do-nothing action to avoid default SCCS get check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/ntpd/Makefile.in b/contrib/ntp/ntpd/Makefile.in index b5950c4..fc9bc78 100644 --- a/contrib/ntp/ntpd/Makefile.in +++ b/contrib/ntp/ntpd/Makefile.in @@ -109,6 +109,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -1856,7 +1857,6 @@ check-libopts: ../sntp/libopts/libopts.la -cd ../sntp/libopts && $(MAKE) $(AM_MAKEFLAGS) libopts.la check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/ntpd/complete.conf.in b/contrib/ntp/ntpd/complete.conf.in index 4c6c045..2747098 100644 --- a/contrib/ntp/ntpd/complete.conf.in +++ b/contrib/ntp/ntpd/complete.conf.in @@ -46,14 +46,14 @@ manycastserver 224.0.1.1 ff05::101 multicastclient 224.0.1.1 ff05::101 mru maxage 64 mindepth 600 initalloc 600 initmem 16 incalloc 99 incmem 4 maxdepth 1024 maxmem 4096 discard minimum 1 average 3 monitor 3000 -restrict default -restrict default nomodify limited kod noserve nomrulist -restrict source -restrict source nomodify limited kod -restrict trusted.host.name.example.com. nomodify -restrict [fe80::1] mask [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] -restrict 127.0.0.1 mask 255.255.255.255 -restrict ::1 +restrict default ippeerlimit -1 +restrict default ippeerlimit 0 nomodify limited kod noserve nomrulist +restrict source ippeerlimit 1 +restrict source ippeerlimit 2 nomodify limited kod +restrict trusted.host.name.example.com. ippeerlimit -1 nomodify +restrict [fe80::1] mask [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] ippeerlimit -1 +restrict 127.0.0.1 mask 255.255.255.255 ippeerlimit -1 +restrict ::1 ippeerlimit -1 interface drop ipv6 interface ignore ipv4 interface drop wildcard diff --git a/contrib/ntp/ntpd/invoke-ntp.conf.texi b/contrib/ntp/ntpd/invoke-ntp.conf.texi index ff8dbdf..7e8a4dc 100644 --- a/contrib/ntp/ntpd/invoke-ntp.conf.texi +++ b/contrib/ntp/ntpd/invoke-ntp.conf.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:44:16 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:14:34 PM by AutoGen 5.18.5 # From the definitions ntp.conf.def # and the template file agtexi-file.tpl @end ignore @@ -1462,7 +1462,7 @@ The @code{monitor} subcommand specifies the probability of discard for packets that overflow the rate-control window. -@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@kbd{flag} @kbd{...}]} +@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@code{ippeerlimit} @kbd{int}]} @code{[@kbd{flag} @kbd{...}]} The @kbd{address} argument expressed in @@ -1486,6 +1486,15 @@ Note that text string @code{default}, with no mask option, may be used to indicate the default entry. +The +@code{ippeerlimit} +directive limits the number of peer requests for each IP to +@kbd{int}, +where a value of -1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, @code{flag} always @@ -1536,6 +1545,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +@item @code{noepeer} +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +@file{ntp.keys} +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +@code{noepeer} +to become the default in ntp-4.4. @item @code{nomodify} Deny @code{ntpq(1ntpqmdoc)} @@ -1553,10 +1574,10 @@ and queries. Time service is not affected. @item @code{nopeer} -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes @code{pool} associations, so if you want to use servers from a @@ -1564,8 +1585,9 @@ associations, so if you want to use servers from a directive and also want to use @code{nopeer} by default, you'll want a -@code{restrict source ...} @code{line} @code{as} @code{well} @code{that} @code{does} -@item not +@code{restrict source ...} +line as well that does +@emph{not} include the @code{nopeer} directive. @@ -1937,9 +1959,10 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +@end table @subsubsection Manycast Options @table @asis @item @code{tos} @code{[@code{ceiling} @kbd{ceiling} | @code{cohort} @code{@{} @code{0} | @code{1} @code{@}} | @code{floor} @kbd{floor} | @code{minclock} @kbd{minclock} | @code{minsane} @kbd{minsane}]} @@ -2255,7 +2278,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -@file{/usr/share/doc/ntp}). +@file{/usr/share/doc/ntp} @file{).} @item @code{stratum} @kbd{int} Specifies the stratum number assigned to the driver, an integer between 0 and 15. @@ -2516,6 +2539,69 @@ This option is useful for sites that run @code{ntpd(1ntpdmdoc)} on multiple hosts, with (mostly) common options (e.g., a restriction list). +@item @code{interface} @code{[@code{listen} | @code{ignore} | @code{drop}]} @code{[@code{all} | @code{ipv4} | @code{ipv6} | @code{wildcard} @kbd{name} | @kbd{address} @code{[@code{/} @kbd{prefixlen}]}]} +The +@code{interface} +directive controls which network addresses +@code{ntpd(1ntpdmdoc)} +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +@kbd{prefixlen} +determines how many bits must match for this rule to apply. +@code{ignore} +prevents opening matching addresses, +@code{drop} +causes +@code{ntpd(1ntpdmdoc)} +to open the address and drop all received packets without examination. +Multiple +@code{interface} +directives can be used. +The last rule which matches a particular address determines the action for it. +@code{interface} +directives are disabled if any +@code{-I}, +@code{--interface}, +@code{-L}, +or +@code{--novirtualips} +command-line options are specified in the configuration file, +all available network addresses are opened. +The +@code{nic} +directive is an alias for +@code{interface}. +@item @code{leapfile} @kbd{leapfile} +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +@code{https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list} +or +@code{ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list}. +The +@code{leapfile} +is scanned when +@code{ntpd(1ntpdmdoc)} +processes the +@code{leapfile} @code{directive} @code{or} @code{when} +@code{ntpd} @code{detects} @code{that} @code{the} +@kbd{leapfile} +has changed. +@code{ntpd} +checks once a day to see if the +@kbd{leapfile} +has changed. +The +@code{update-leap(1update_leapmdoc)} +script can be run to see if the +@kbd{leapfile} +should be updated. @item @code{leapsmearinterval} @kbd{seconds} This EXPERIMENTAL option is only available if @code{ntpd(1ntpdmdoc)} @@ -2606,6 +2692,146 @@ facility. This is the same operation as the @code{-l} command line option. +@item @code{mru} @code{[@code{maxdepth} @kbd{count} | @code{maxmem} @kbd{kilobytes} | @code{mindepth} @kbd{count} | @code{maxage} @kbd{seconds} | @code{initialloc} @kbd{count} | @code{initmem} @kbd{kilobytes} | @code{incalloc} @kbd{count} | @code{incmem} @kbd{kilobytes}]} +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +@table @asis +@item @code{maxdepth} @kbd{count} +@item @code{maxmem} @kbd{kilobytes} +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +@code{incalloc} +entries or +@code{incmem} +kilobytes larger. +As with all of the +@code{mru} +options offered in units of entries or kilobytes, if both +@code{maxdepth} +and +@code{maxmem} @code{are} @code{used,} @code{the} @code{last} @code{one} @code{used} @code{controls.} +The default is 1024 kilobytes. +@item @code{mindepth} @kbd{count} +Lower limit on the MRU list size. +When the MRU list has fewer than +@code{mindepth} +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +@item @code{maxage} @kbd{seconds} +Once the MRU list has +@code{mindepth} +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +@code{maxage} +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +@code{maxdepth} @code{/} @code{moxmem}. +The default is 64 seconds. +@item @code{initalloc} @kbd{count} +@item @code{initmem} @kbd{kilobytes} +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +@item @code{incalloc} @kbd{count} +@item @code{incmem} @kbd{kilobytes} +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +@end table +@item @code{nonvolatile} @kbd{threshold} +Specify the +@kbd{threshold} +delta in seconds before an hourly change to the +@code{driftfile} +(frequency file) will be written, with a default value of 1e-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +@code{threshold} +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +@item @code{phone} @kbd{dial} @kbd{...} +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 - 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 - 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +@item @code{reset} @code{[@code{allpeers}]} @code{[@code{auth}]} @code{[@code{ctl}]} @code{[@code{io}]} @code{[@code{mem}]} @code{[@code{sys}]} @code{[@code{timer}]} +Reset one or more groups of counters maintained by +@code{ntpd} +and exposed by +@code{ntpq} +and +@code{ntpdc}. +@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]} +@table @asis +@item @code{memlock} @kbd{Nmegabytes} +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +@code{-i} +option). +The default is 32 megabytes on non-Linux machines, and -1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +@item @code{stacksize} @kbd{N4kPages} +Specifies the maximum size of the process stack on systems with the +@code{mlockall()} +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +@item @code{filenum} @kbd{Nfiledescriptors} +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +@end table +@item @code{saveconfigdir} @kbd{directory_path} +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +@code{saveconfig} +command. +If +@code{saveconfigdir} +does not appear in the configuration file, +@code{saveconfig} +requests are rejected by +@code{ntpd}. +@item @code{saveconfig} @kbd{filename} +Write the current configuration, including any runtime +modifications given with +@code{:config} +or +@code{config-from-file} +to the +@code{ntpd} +host's +@kbd{filename} +in the +@code{saveconfigdir}. +This command will be rejected unless the +@code{saveconfigdir} +directive appears in +.Cm ntpd 's +configuration file. +@kbd{filename} +can use +@code{strftime(3)} +format directives to substitute the current date and time, +for example, +@code{saveconfig\ ntp-%Y%m%d-%H%M%S.conf}. +The filename used is stored in the system variable +@code{savedconfig}. +Authentication is required. @item @code{setvar} @kbd{variable} @code{[@code{default}]} This command adds an additional system variable. These @@ -2638,6 +2864,10 @@ holds the names of all peer variables and the @code{clock_var_list} holds the names of the reference clock variables. +@item @code{sysinfo} +Display operational summary. +@item @code{sysstats} +Show statistics counters maintained in the protocol module. @item @code{tinker} @code{[@code{allan} @kbd{allan} | @code{dispersion} @kbd{dispersion} | @code{freq} @kbd{freq} | @code{huffpuff} @kbd{huffpuff} | @code{panic} @kbd{panic} | @code{step} @kbd{step} | @code{stepback} @kbd{stepback} | @code{stepfwd} @kbd{stepfwd} | @code{stepout} @kbd{stepout}]} This command can be used to alter several system variables in very exceptional circumstances. @@ -2715,27 +2945,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. @end table -@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]} -@table @asis -@item @code{memlock} @kbd{Nmegabytes} -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -@code{-i} -option). -The default is 32 megabytes on non-Linux machines, and -1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -@item @code{stacksize} @kbd{N4kPages} -Specifies the maximum size of the process stack on systems with the -@code{mlockall()} -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -@item @code{filenum} @kbd{Nfiledescriptors} -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -@end table +@item @code{writevar} @kbd{assocID\ name} @kbd{=} @kbd{value} @kbd{[,...]} +Write (create or update) the specified variables. +If the +@code{assocID} +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +@code{assocID} +is required, as the same name can occur in both name spaces. @item @code{trap} @kbd{host_address} @code{[@code{port} @kbd{port_number}]} @code{[@code{interface} @kbd{interface_address}]} This command configures a trap receiver at the given host address and port number for sending messages with the specified @@ -2747,6 +2968,13 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +@item @code{ttl} @kbd{hop} @kbd{...} +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +@code{manycast} +mode these values are used in-turn in an expanding-ring search. +The default is eight multiples of 32 starting at 31. The trap receiver will generally log event messages and other information from the server in a log file. diff --git a/contrib/ntp/ntpd/invoke-ntp.keys.texi b/contrib/ntp/ntpd/invoke-ntp.keys.texi index f1b1f32..d729fc0 100644 --- a/contrib/ntp/ntpd/invoke-ntp.keys.texi +++ b/contrib/ntp/ntpd/invoke-ntp.keys.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp.keys.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:31:04 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:14:37 PM by AutoGen 5.18.5 # From the definitions ntp.keys.def # and the template file agtexi-file.tpl @end ignore @@ -45,16 +45,24 @@ where is a positive integer (between 1 and 65534), @kbd{type} is the message digest algorithm, -and @kbd{key} is the key itself, and @kbd{opt_IP_list} is an optional comma-separated list of IPs +where the +@kbd{keyno} +should be trusted. that are allowed to serve time. +Each IP in +@kbd{opt_IP_list} +may contain an optional +@code{/subnetbits} +specification which identifies the number of bits for +the desired subnet of trust. If @kbd{opt_IP_list} is empty, -any properly-authenticated server message will be +any properly-authenticated message will be accepted. The diff --git a/contrib/ntp/ntpd/invoke-ntpd.texi b/contrib/ntp/ntpd/invoke-ntpd.texi index 0b881db..28f132d 100644 --- a/contrib/ntp/ntpd/invoke-ntpd.texi +++ b/contrib/ntp/ntpd/invoke-ntpd.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpd.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:44:20 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:14:39 PM by AutoGen 5.18.5 # From the definitions ntpd-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -142,7 +142,7 @@ with a status code of 0. @exampleindent 0 @example -ntpd - NTP daemon program - Ver. 4.2.8p10-beta +ntpd - NTP daemon program - Ver. 4.2.8p11 Usage: ntpd [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \ [ <server1> ... <serverN> ] Flg Arg Option-Name Description diff --git a/contrib/ntp/ntpd/keyword-gen-utd b/contrib/ntp/ntpd/keyword-gen-utd index 683453d..9b836ba 100644 --- a/contrib/ntp/ntpd/keyword-gen-utd +++ b/contrib/ntp/ntpd/keyword-gen-utd @@ -1 +1 @@ - * Generated 2016-11-09 11:39:28 UTC diff_ignore_line + * Generated 2018-01-14 03:53:33 UTC diff_ignore_line diff --git a/contrib/ntp/ntpd/keyword-gen.c b/contrib/ntp/ntpd/keyword-gen.c index c9d30be..e07548a 100644 --- a/contrib/ntp/ntpd/keyword-gen.c +++ b/contrib/ntp/ntpd/keyword-gen.c @@ -153,11 +153,15 @@ struct key_tok ntp_keywords[] = { { "orphan", T_Orphan, FOLLBY_TOKEN }, { "orphanwait", T_Orphanwait, FOLLBY_TOKEN }, { "nonvolatile", T_Nonvolatile, FOLLBY_TOKEN }, +{ "basedate", T_Basedate, FOLLBY_STRING }, /* access_control_flag */ { "default", T_Default, FOLLBY_TOKEN }, { "source", T_Source, FOLLBY_TOKEN }, +{ "epeer", T_Epeer, FOLLBY_TOKEN }, +{ "noepeer", T_Noepeer, FOLLBY_TOKEN }, { "flake", T_Flake, FOLLBY_TOKEN }, { "ignore", T_Ignore, FOLLBY_TOKEN }, +{ "ippeerlimit", T_Ippeerlimit, FOLLBY_TOKEN }, { "limited", T_Limited, FOLLBY_TOKEN }, { "mssntp", T_Mssntp, FOLLBY_TOKEN }, { "kod", T_Kod, FOLLBY_TOKEN }, diff --git a/contrib/ntp/ntpd/ntp.conf.5man b/contrib/ntp/ntpd/ntp.conf.5man index 846465a..1a50633 100644 --- a/contrib/ntp/ntpd/ntp.conf.5man +++ b/contrib/ntp/ntpd/ntp.conf.5man @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp.conf 5man "21 Mar 2017" "4.2.8p10-beta" "File Formats" +.TH ntp.conf 5man "27 Feb 2018" "4.2.8p11" "File Formats" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-UAaqtC/ag-6AaisC) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LkaqTP/ag-XkaiSP) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:30:48 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:22 PM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .SH NAME @@ -1665,7 +1665,7 @@ The subcommand specifies the probability of discard for packets that overflow the rate-control window. .TP 7 -.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] +.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[B-Font]ippeerlimit\f[] \f\*[I-Font]int\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] The \f\*[I-Font]address\f[] argument expressed in @@ -1689,6 +1689,15 @@ Note that text string \f\*[B-Font]default\f[], with no mask option, may be used to indicate the default entry. +The +\f\*[B-Font]ippeerlimit\f[] +directive limits the number of peer requests for each IP to +\f\*[I-Font]int\f[], +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, \f\*[B-Font]flag\f[] always @@ -1744,6 +1753,19 @@ This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. .TP 7 +.NOP \f\*[B-Font]noepeer\f[] +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +\fIntp.keys\f[] +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +\f\*[B-Font]noepeer\f[] +to become the default in ntp-4.4. +.TP 7 .NOP \f\*[B-Font]nomodify\f[] Deny \fCntpq\f[]\fR(1ntpqmdoc)\f[] @@ -1763,10 +1785,10 @@ queries. Time service is not affected. .TP 7 .NOP \f\*[B-Font]nopeer\f[] -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes \f\*[B-Font]pool\f[] associations, so if you want to use servers from a @@ -1774,9 +1796,9 @@ associations, so if you want to use servers from a directive and also want to use \f\*[B-Font]nopeer\f[] by default, you'll want a -\f\*[B-Font]restrict source ...\f[] \f\*[B-Font]line\f[] \f\*[B-Font]as\f[] \f\*[B-Font]well\f[] \f\*[B-Font]that\f[] \f\*[B-Font]does\f[] -.TP 7 -.NOP not +\f\*[B-Font]restrict source ...\f[] +line as well that does +\fInot\f[] include the \f\*[B-Font]nopeer\f[] directive. @@ -2186,11 +2208,11 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +.PP .SS Manycast Options -.RS .TP 7 .NOP \f\*[B-Font]tos\f[] [\f\*[B-Font]ceiling\f[] \f\*[I-Font]ceiling\f[] | \f\*[B-Font]cohort\f[] { \f\*[B-Font]0\f[] | \f\*[B-Font]1\f[] } | \f\*[B-Font]floor\f[] \f\*[I-Font]floor\f[] | \f\*[B-Font]minclock\f[] \f\*[I-Font]minclock\f[] | \f\*[B-Font]minsane\f[] \f\*[I-Font]minsane\f[]] This command affects the clock selection and clustering @@ -2260,7 +2282,7 @@ In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31. -.RE +.PP .SH Reference Clock Support The NTP Version 4 daemon supports some three dozen different radio, satellite and modem reference clocks plus a special pseudo-clock @@ -2427,7 +2449,6 @@ option is used for this purpose. Except where noted, these options apply to all clock drivers. .SS Reference Clock Commands -.RS .TP 7 .NOP \f\*[B-Font]server\f[] \f[C]127.127.\f[]\f\*[I-Font]t\f[].\f\*[I-Font]u\f[] [\f\*[B-Font]prefer\f[]] [\f\*[B-Font]mode\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]minpoll\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]maxpoll\f[] \f\*[I-Font]int\f[]] This command can be used to configure reference clocks in @@ -2528,7 +2549,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -\fI/usr/share/doc/ntp\f[]). +\fI/usr/share/doc/ntp\f[] \fI).\f[] .TP 7 .NOP \f\*[B-Font]stratum\f[] \f\*[I-Font]int\f[] Specifies the stratum number assigned to the driver, an integer @@ -2576,9 +2597,8 @@ Further information on the command can be found in \fIMonitoring\f[] \fIOptions\f[]. .RE -.RE +.PP .SH Miscellaneous Options -.RS .TP 7 .NOP \f\*[B-Font]broadcastdelay\f[] \f\*[I-Font]seconds\f[] The broadcast and multicast modes require a special calibration @@ -2817,6 +2837,71 @@ This option is useful for sites that run on multiple hosts, with (mostly) common options (e.g., a restriction list). .TP 7 +.NOP \f\*[B-Font]interface\f[] [\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] [\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]]] +The +\f\*[B-Font]interface\f[] +directive controls which network addresses +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +\f\*[I-Font]prefixlen\f[] +determines how many bits must match for this rule to apply. +\f\*[B-Font]ignore\f[] +prevents opening matching addresses, +\f\*[B-Font]drop\f[] +causes +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +to open the address and drop all received packets without examination. +Multiple +\f\*[B-Font]interface\f[] +directives can be used. +The last rule which matches a particular address determines the action for it. +\f\*[B-Font]interface\f[] +directives are disabled if any +\f\*[B-Font]\-I\f[], +\f\*[B-Font]\-\-interface\f[], +\f\*[B-Font]\-L\f[], +or +\f\*[B-Font]\-\-novirtualips\f[] +command-line options are specified in the configuration file, +all available network addresses are opened. +The +\f\*[B-Font]nic\f[] +directive is an alias for +\f\*[B-Font]interface\f[]. +.TP 7 +.NOP \f\*[B-Font]leapfile\f[] \f\*[I-Font]leapfile\f[] +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +\f[C]https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[] +or +\f[C]ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[]. +The +\f\*[B-Font]leapfile\f[] +is scanned when +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +processes the +\f\*[B-Font]leapfile\f[] \f\*[B-Font]directive\f[] \f\*[B-Font]or\f[] \f\*[B-Font]when\f[] +\f\*[B-Font]ntpd\f[] \f\*[B-Font]detects\f[] \f\*[B-Font]that\f[] \f\*[B-Font]the\f[] +\f\*[I-Font]leapfile\f[] +has changed. +\f\*[B-Font]ntpd\f[] +checks once a day to see if the +\f\*[I-Font]leapfile\f[] +has changed. +The +\fCupdate-leap\f[]\fR(1update_leapmdoc)\f[] +script can be run to see if the +\f\*[I-Font]leapfile\f[] +should be updated. +.TP 7 .NOP \f\*[B-Font]leapsmearinterval\f[] \f\*[I-Font]seconds\f[] This EXPERIMENTAL option is only available if \fCntpd\f[]\fR(1ntpdmdoc)\f[] @@ -2922,6 +3007,164 @@ This is the same operation as the \f\*[B-Font]\-l\f[] command line option. .TP 7 +.NOP \f\*[B-Font]mru\f[] [\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]] +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +.RS +.TP 7 +.NOP \f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] +.TP 7 +.NOP \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +\f\*[B-Font]incalloc\f[] +entries or +\f\*[B-Font]incmem\f[] +kilobytes larger. +As with all of the +\f\*[B-Font]mru\f[] +options offered in units of entries or kilobytes, if both +\f\*[B-Font]maxdepth\f[] +and +\f\*[B-Font]maxmem\f[] \f\*[B-Font]are\f[] \f\*[B-Font]used,\f[] \f\*[B-Font]the\f[] \f\*[B-Font]last\f[] \f\*[B-Font]one\f[] \f\*[B-Font]used\f[] \f\*[B-Font]controls.\f[] +The default is 1024 kilobytes. +.TP 7 +.NOP \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] +Lower limit on the MRU list size. +When the MRU list has fewer than +\f\*[B-Font]mindepth\f[] +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +.TP 7 +.NOP \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] +Once the MRU list has +\f\*[B-Font]mindepth\f[] +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +\f\*[B-Font]maxage\f[] +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +\f\*[B-Font]maxdepth\f[] \f\*[B-Font]/\f[] \f\*[B-Font]moxmem\f[]. +The default is 64 seconds. +.TP 7 +.NOP \f\*[B-Font]initalloc\f[] \f\*[I-Font]count\f[] +.TP 7 +.NOP \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +.TP 7 +.NOP \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] +.TP 7 +.NOP \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[] +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +.RE +.TP 7 +.NOP \f\*[B-Font]nonvolatile\f[] \f\*[I-Font]threshold\f[] +Specify the +\f\*[I-Font]threshold\f[] +delta in seconds before an hourly change to the +\f\*[B-Font]driftfile\f[] +(frequency file) will be written, with a default value of 1e-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +\f\*[B-Font]threshold\f[] +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +.TP 7 +.NOP \f\*[B-Font]phone\f[] \f\*[I-Font]dial\f[] \f\*[I-Font]...\f[] +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 \- 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 \- 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +.TP 7 +.NOP \f\*[B-Font]reset\f[] [\f\*[B-Font]allpeers\f[]] [\f\*[B-Font]auth\f[]] [\f\*[B-Font]ctl\f[]] [\f\*[B-Font]io\f[]] [\f\*[B-Font]mem\f[]] [\f\*[B-Font]sys\f[]] [\f\*[B-Font]timer\f[]] +Reset one or more groups of counters maintained by +\f\*[B-Font]ntpd\f[] +and exposed by +\f\*[B-Font]ntpq\f[] +and +\f\*[B-Font]ntpdc\f[]. +.TP 7 +.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]] +.RS +.TP 7 +.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +\f\*[B-Font]\-i\f[] +option). +The default is 32 megabytes on non-Linux machines, and \-1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +.TP 7 +.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] +Specifies the maximum size of the process stack on systems with the +\fBmlockall\f[]\fR()\f[] +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +.TP 7 +.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[] +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +.RE +.TP 7 +.NOP \f\*[B-Font]saveconfigdir\f[] \f\*[I-Font]directory_path\f[] +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +\f\*[B-Font]saveconfig\f[] +command. +If +\f\*[B-Font]saveconfigdir\f[] +does not appear in the configuration file, +\f\*[B-Font]saveconfig\f[] +requests are rejected by +\f\*[B-Font]ntpd\f[]. +.TP 7 +.NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[] +Write the current configuration, including any runtime +modifications given with +\f\*[B-Font]:config\f[] +or +\f\*[B-Font]config-from-file\f[] +to the +\f\*[B-Font]ntpd\f[] +host's +\f\*[I-Font]filename\f[] +in the +\f\*[B-Font]saveconfigdir\f[]. +This command will be rejected unless the +\f\*[B-Font]saveconfigdir\f[] +directive appears in +.Cm ntpd 's +configuration file. +\f\*[I-Font]filename\f[] +can use +\fCstrftime\f[]\fR(3)\f[] +format directives to substitute the current date and time, +for example, +\f\*[B-Font]saveconfig\ ntp-%Y%m%d-%H%M%S.conf\f[]. +The filename used is stored in the system variable +\f\*[B-Font]savedconfig\f[]. +Authentication is required. +.TP 7 .NOP \f\*[B-Font]setvar\f[] \f\*[I-Font]variable\f[] [\f\*[B-Font]default\f[]] This command adds an additional system variable. These @@ -2955,6 +3198,12 @@ the names of all peer variables and the \fIclock_var_list\f[] holds the names of the reference clock variables. .TP 7 +.NOP \f\*[B-Font]sysinfo\f[] +Display operational summary. +.TP 7 +.NOP \f\*[B-Font]sysstats\f[] +Show statistics counters maintained in the protocol module. +.TP 7 .NOP \f\*[B-Font]tinker\f[] [\f\*[B-Font]allan\f[] \f\*[I-Font]allan\f[] | \f\*[B-Font]dispersion\f[] \f\*[I-Font]dispersion\f[] | \f\*[B-Font]freq\f[] \f\*[I-Font]freq\f[] | \f\*[B-Font]huffpuff\f[] \f\*[I-Font]huffpuff\f[] | \f\*[B-Font]panic\f[] \f\*[I-Font]panic\f[] | \f\*[B-Font]step\f[] \f\*[I-Font]step\f[] | \f\*[B-Font]stepback\f[] \f\*[I-Font]stepback\f[] | \f\*[B-Font]stepfwd\f[] \f\*[I-Font]stepfwd\f[] | \f\*[B-Font]stepout\f[] \f\*[I-Font]stepout\f[]] This command can be used to alter several system variables in very exceptional circumstances. @@ -3044,30 +3293,18 @@ If set to zero, the stepout pulses will not be suppressed. .RE .TP 7 -.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]] -.RS -.TP 7 -.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -\f\*[B-Font]\-i\f[] -option). -The default is 32 megabytes on non-Linux machines, and \-1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -.TP 7 -.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] -Specifies the maximum size of the process stack on systems with the -\fBmlockall\f[]\fR()\f[] -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -.TP 7 -.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[] -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -.RE +.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\ name\f[] \f\*[I-Font]=\f[] \f\*[I-Font]value\f[] \f\*[I-Font][,...]\f[] +Write (create or update) the specified variables. +If the +\f\*[B-Font]assocID\f[] +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +\f\*[B-Font]assocID\f[] +is required, as the same name can occur in both name spaces. .TP 7 .NOP \f\*[B-Font]trap\f[] \f\*[I-Font]host_address\f[] [\f\*[B-Font]port\f[] \f\*[I-Font]port_number\f[]] [\f\*[B-Font]interface\f[] \f\*[I-Font]interface_address\f[]] This command configures a trap receiver at the given host @@ -3080,6 +3317,14 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +.TP 7 +.NOP \f\*[B-Font]ttl\f[] \f\*[I-Font]hop\f[] \f\*[I-Font]...\f[] +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +\f\*[B-Font]manycast\f[] +mode these values are used in-turn in an expanding-ring search. +The default is eight multiples of 32 starting at 31. .sp \n(Ppu .ne 2 @@ -3097,9 +3342,8 @@ In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31. -.RE +.PP .SH "OPTIONS" -.RS .TP .NOP \f\*[B-Font]\-\-help\f[] Display usage information and exit. @@ -3111,7 +3355,7 @@ Pass the extended usage information through a pager. Output version of program and exit. The default mode is `v', a simple version. The `c' mode will print copyright information and `n' will print the full copyright notice. -.RE +.PP .SH "OPTION PRESETS" Any option that is not marked as \fInot presettable\fP may be preset by loading values from environment variables named: @@ -3122,7 +3366,6 @@ by loading values from environment variables named: .SH "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .SH FILES -.RS .TP 15 .NOP \fI/etc/ntp.conf\f[] the default name of the configuration file @@ -3146,10 +3389,9 @@ RSA public key .TP 15 .NOP \fIntp_dh\f[] Diffie-Hellman agreement parameters -.RE +.PP .SH "EXIT STATUS" One of the following exit values will be returned: -.RS .TP .NOP 0 " (EXIT_SUCCESS)" Successful program execution. @@ -3160,7 +3402,7 @@ The operation failed or the command syntax was not valid. .NOP 70 " (EX_SOFTWARE)" libopts had an internal operational error. Please report it to autogen-users@lists.sourceforge.net. Thank you. -.RE +.PP .SH "SEE ALSO" \fCntpd\f[]\fR(1ntpdmdoc)\f[], \fCntpdc\f[]\fR(1ntpdcmdoc)\f[], diff --git a/contrib/ntp/ntpd/ntp.conf.5mdoc b/contrib/ntp/ntpd/ntp.conf.5mdoc index 46e8cab..7286c81 100644 --- a/contrib/ntp/ntpd/ntp.conf.5mdoc +++ b/contrib/ntp/ntpd/ntp.conf.5mdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_CONF 5mdoc File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:31:09 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -1532,6 +1532,7 @@ subcommand specifies the probability of discard for packets that overflow the rate\-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1557,6 +1558,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1607,6 +1617,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp\-4.4. .It Cm nomodify Deny .Xr ntpq 1ntpqmdoc @@ -1624,10 +1646,10 @@ and queries. Time service is not affected. .It Cm nopeer -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes .Cm pool associations, so if you want to use servers from a @@ -1635,8 +1657,9 @@ associations, so if you want to use servers from a directive and also want to use .Cm nopeer by default, you'll want a -.Cm "restrict source ..." line as well that does -.It not +.Cm "restrict source ..." +line as well that does +.Em not include the .Cm nopeer directive. @@ -2011,9 +2034,10 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +.El .Ss Manycast Options .Bl -tag -width indent .It Xo Ic tos @@ -2359,7 +2383,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -.Pa /usr/share/doc/ntp ) . +.Pa /usr/share/doc/ntp ). .It Cm stratum Ar int Specifies the stratum number assigned to the driver, an integer between 0 and 15. @@ -2637,6 +2661,79 @@ This option is useful for sites that run .Xr ntpd 1ntpdmdoc on multiple hosts, with (mostly) common options (e.g., a restriction list). +.It Xo Ic interface +.Oo +.Cm listen | Cm ignore | Cm drop +.Oc +.Oo +.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard +.Ar name | Ar address +.Oo Cm / Ar prefixlen +.Oc +.Oc +.Xc +The +.Cm interface +directive controls which network addresses +.Xr ntpd 1ntpdmdoc +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +.Ar prefixlen +determines how many bits must match for this rule to apply. +.Cm ignore +prevents opening matching addresses, +.Cm drop +causes +.Xr ntpd 1ntpdmdoc +to open the address and drop all received packets without examination. +Multiple +.Cm interface +directives can be used. +The last rule which matches a particular address determines the action for it. +.Cm interface +directives are disabled if any +.Fl I , +.Fl \-interface , +.Fl L , +or +.Fl \-novirtualips +command\-line options are specified in the configuration file, +all available network addresses are opened. +The +.Cm nic +directive is an alias for +.Cm interface . +.It Ic leapfile Ar leapfile +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list +or +.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list . +The +.Cm leapfile +is scanned when +.Xr ntpd 1ntpdmdoc +processes the +.Cm leapfile directive or when +.Cm ntpd detects that the +.Ar leapfile +has changed. +.Cm ntpd +checks once a day to see if the +.Ar leapfile +has changed. +The +.Xr update\-leap 1update_leapmdoc +script can be run to see if the +.Ar leapfile +should be updated. .It Ic leapsmearinterval Ar seconds This EXPERIMENTAL option is only available if .Xr ntpd 1ntpdmdoc @@ -2741,6 +2838,181 @@ facility. This is the same operation as the .Fl l command line option. +.It Xo Ic mru +.Oo +.Cm maxdepth Ar count | Cm maxmem Ar kilobytes | +.Cm mindepth Ar count | Cm maxage Ar seconds | +.Cm initialloc Ar count | Cm initmem Ar kilobytes | +.Cm incalloc Ar count | Cm incmem Ar kilobytes +.Oc +.Xc +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +.Bl -tag -width indent +.It Ic maxdepth Ar count +.It Ic maxmem Ar kilobytes +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +.Cm incalloc +entries or +.Cm incmem +kilobytes larger. +As with all of the +.Cm mru +options offered in units of entries or kilobytes, if both +.Cm maxdepth +and +.Cm maxmem are used, the last one used controls. +The default is 1024 kilobytes. +.It Cm mindepth Ar count +Lower limit on the MRU list size. +When the MRU list has fewer than +.Cm mindepth +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +.It Cm maxage Ar seconds +Once the MRU list has +.Cm mindepth +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +.Cm maxage +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +.Cm maxdepth / moxmem . +The default is 64 seconds. +.It Cm initalloc Ar count +.It Cm initmem Ar kilobytes +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +.It Cm incalloc Ar count +.It Cm incmem Ar kilobytes +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +.El +.It Ic nonvolatile Ar threshold +Specify the +.Ar threshold +delta in seconds before an hourly change to the +.Cm driftfile +(frequency file) will be written, with a default value of 1e\-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +.Cm threshold +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +.It Ic phone Ar dial ... +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 \- 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 \- 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +.It Xo Ic reset +.Oo +.Ic allpeers +.Oc +.Oo +.Ic auth +.Oc +.Oo +.Ic ctl +.Oc +.Oo +.Ic io +.Oc +.Oo +.Ic mem +.Oc +.Oo +.Ic sys +.Oc +.Oo +.Ic timer +.Oc +.Xc +Reset one or more groups of counters maintained by +.Cm ntpd +and exposed by +.Cm ntpq +and +.Cm ntpdc . +.It Xo Ic rlimit +.Oo +.Cm memlock Ar Nmegabytes | +.Cm stacksize Ar N4kPages +.Cm filenum Ar Nfiledescriptors +.Oc +.Xc +.Bl -tag -width indent +.It Cm memlock Ar Nmegabytes +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +.Fl i +option). +The default is 32 megabytes on non\-Linux machines, and \-1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +.It Cm stacksize Ar N4kPages +Specifies the maximum size of the process stack on systems with the +.Fn mlockall +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +.It Cm filenum Ar Nfiledescriptors +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +.El +.It Ic saveconfigdir Ar directory_path +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +.Cm saveconfig +command. +If +.Cm saveconfigdir +does not appear in the configuration file, +.Cm saveconfig +requests are rejected by +.Cm ntpd . +.It Ic saveconfig Ar filename +Write the current configuration, including any runtime +modifications given with +.Cm :config +or +.Cm config\-from\-file +to the +.Cm ntpd +host's +.Ar filename +in the +.Cm saveconfigdir . +This command will be rejected unless the +.Cm saveconfigdir +directive appears in +.Cm ntpd 's +configuration file. +.Ar filename +can use +.Xr strftime 3 +format directives to substitute the current date and time, +for example, +.Cm saveconfig\ ntp\-%Y%m%d\-%H%M%S.conf . +The filename used is stored in the system variable +.Cm savedconfig . +Authentication is required. .It Ic setvar Ar variable Op Cm default This command adds an additional system variable. These @@ -2779,6 +3051,10 @@ holds the names of all peer variables and the .Va clock_var_list holds the names of the reference clock variables. +.It Cm sysinfo +Display operational summary. +.It Cm sysstats +Show statistics counters maintained in the protocol module. .It Xo Ic tinker .Oo .Cm allan Ar allan | @@ -2868,33 +3144,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. .El -.It Xo Ic rlimit -.Oo -.Cm memlock Ar Nmegabytes | -.Cm stacksize Ar N4kPages -.Cm filenum Ar Nfiledescriptors -.Oc -.Xc -.Bl -tag -width indent -.It Cm memlock Ar Nmegabytes -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -.Fl i -option). -The default is 32 megabytes on non\-Linux machines, and \-1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -.It Cm stacksize Ar N4kPages -Specifies the maximum size of the process stack on systems with the -.Fn mlockall -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -.It Cm filenum Ar Nfiledescriptors -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -.El +.It Cm writevar Ar assocID\ name = value [,...] +Write (create or update) the specified variables. +If the +.Cm assocID +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +.Cm assocID +is required, as the same name can occur in both name spaces. .It Xo Ic trap Ar host_address .Op Cm port Ar port_number .Op Cm interface Ar interface_address @@ -2909,6 +3170,13 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +.It Cm ttl Ar hop ... +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +.Cm manycast +mode these values are used in\-turn in an expanding\-ring search. +The default is eight multiples of 32 starting at 31. .Pp The trap receiver will generally log event messages and other information from the server in a log file. diff --git a/contrib/ntp/ntpd/ntp.conf.def b/contrib/ntp/ntpd/ntp.conf.def index 5ae8c38..4af7742 100644 --- a/contrib/ntp/ntpd/ntp.conf.def +++ b/contrib/ntp/ntpd/ntp.conf.def @@ -1534,6 +1534,7 @@ subcommand specifies the probability of discard for packets that overflow the rate-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1559,6 +1560,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of -1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1609,6 +1619,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp-4.4. .It Cm nomodify Deny .Xr ntpq 1ntpqmdoc @@ -1626,10 +1648,10 @@ and queries. Time service is not affected. .It Cm nopeer -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes .Cm pool associations, so if you want to use servers from a @@ -1637,8 +1659,9 @@ associations, so if you want to use servers from a directive and also want to use .Cm nopeer by default, you'll want a -.Cm "restrict source ..." line as well that does -.It not +.Cm "restrict source ..." +line as well that does +.Em not include the .Cm nopeer directive. @@ -2013,9 +2036,10 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +.El .Ss Manycast Options .Bl -tag -width indent .It Xo Ic tos @@ -2361,7 +2385,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -.Pa /usr/share/doc/ntp ) . +.Pa /usr/share/doc/ntp ). .It Cm stratum Ar int Specifies the stratum number assigned to the driver, an integer between 0 and 15. @@ -2639,6 +2663,79 @@ This option is useful for sites that run .Xr ntpd 1ntpdmdoc on multiple hosts, with (mostly) common options (e.g., a restriction list). +.It Xo Ic interface +.Oo +.Cm listen | Cm ignore | Cm drop +.Oc +.Oo +.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard +.Ar name | Ar address +.Oo Cm / Ar prefixlen +.Oc +.Oc +.Xc +The +.Cm interface +directive controls which network addresses +.Xr ntpd 1ntpdmdoc +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +.Ar prefixlen +determines how many bits must match for this rule to apply. +.Cm ignore +prevents opening matching addresses, +.Cm drop +causes +.Xr ntpd 1ntpdmdoc +to open the address and drop all received packets without examination. +Multiple +.Cm interface +directives can be used. +The last rule which matches a particular address determines the action for it. +.Cm interface +directives are disabled if any +.Fl I , +.Fl -interface , +.Fl L , +or +.Fl -novirtualips +command-line options are specified in the configuration file, +all available network addresses are opened. +The +.Cm nic +directive is an alias for +.Cm interface . +.It Ic leapfile Ar leapfile +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list +or +.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list . +The +.Cm leapfile +is scanned when +.Xr ntpd 1ntpdmdoc +processes the +.Cm leapfile directive or when +.Cm ntpd detects that the +.Ar leapfile +has changed. +.Cm ntpd +checks once a day to see if the +.Ar leapfile +has changed. +The +.Xr update-leap 1update_leapmdoc +script can be run to see if the +.Ar leapfile +should be updated. .It Ic leapsmearinterval Ar seconds This EXPERIMENTAL option is only available if .Xr ntpd 1ntpdmdoc @@ -2743,6 +2840,181 @@ facility. This is the same operation as the .Fl l command line option. +.It Xo Ic mru +.Oo +.Cm maxdepth Ar count | Cm maxmem Ar kilobytes | +.Cm mindepth Ar count | Cm maxage Ar seconds | +.Cm initialloc Ar count | Cm initmem Ar kilobytes | +.Cm incalloc Ar count | Cm incmem Ar kilobytes +.Oc +.Xc +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +.Bl -tag -width indent +.It Ic maxdepth Ar count +.It Ic maxmem Ar kilobytes +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +.Cm incalloc +entries or +.Cm incmem +kilobytes larger. +As with all of the +.Cm mru +options offered in units of entries or kilobytes, if both +.Cm maxdepth +and +.Cm maxmem are used, the last one used controls. +The default is 1024 kilobytes. +.It Cm mindepth Ar count +Lower limit on the MRU list size. +When the MRU list has fewer than +.Cm mindepth +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +.It Cm maxage Ar seconds +Once the MRU list has +.Cm mindepth +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +.Cm maxage +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +.Cm maxdepth / moxmem . +The default is 64 seconds. +.It Cm initalloc Ar count +.It Cm initmem Ar kilobytes +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +.It Cm incalloc Ar count +.It Cm incmem Ar kilobytes +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +.El +.It Ic nonvolatile Ar threshold +Specify the +.Ar threshold +delta in seconds before an hourly change to the +.Cm driftfile +(frequency file) will be written, with a default value of 1e-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +.Cm threshold +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +.It Ic phone Ar dial ... +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 - 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 - 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +.It Xo Ic reset +.Oo +.Ic allpeers +.Oc +.Oo +.Ic auth +.Oc +.Oo +.Ic ctl +.Oc +.Oo +.Ic io +.Oc +.Oo +.Ic mem +.Oc +.Oo +.Ic sys +.Oc +.Oo +.Ic timer +.Oc +.Xc +Reset one or more groups of counters maintained by +.Cm ntpd +and exposed by +.Cm ntpq +and +.Cm ntpdc . +.It Xo Ic rlimit +.Oo +.Cm memlock Ar Nmegabytes | +.Cm stacksize Ar N4kPages +.Cm filenum Ar Nfiledescriptors +.Oc +.Xc +.Bl -tag -width indent +.It Cm memlock Ar Nmegabytes +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +.Fl i +option). +The default is 32 megabytes on non-Linux machines, and -1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +.It Cm stacksize Ar N4kPages +Specifies the maximum size of the process stack on systems with the +.Fn mlockall +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +.It Cm filenum Ar Nfiledescriptors +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +.El +.It Ic saveconfigdir Ar directory_path +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +.Cm saveconfig +command. +If +.Cm saveconfigdir +does not appear in the configuration file, +.Cm saveconfig +requests are rejected by +.Cm ntpd . +.It Ic saveconfig Ar filename +Write the current configuration, including any runtime +modifications given with +.Cm :config +or +.Cm config-from-file +to the +.Cm ntpd +host's +.Ar filename +in the +.Cm saveconfigdir . +This command will be rejected unless the +.Cm saveconfigdir +directive appears in +.Cm ntpd 's +configuration file. +.Ar filename +can use +.Xr strftime 3 +format directives to substitute the current date and time, +for example, +.Cm saveconfig\ ntp-%Y%m%d-%H%M%S.conf . +The filename used is stored in the system variable +.Cm savedconfig . +Authentication is required. .It Ic setvar Ar variable Op Cm default This command adds an additional system variable. These @@ -2781,6 +3053,10 @@ holds the names of all peer variables and the .Va clock_var_list holds the names of the reference clock variables. +.It Cm sysinfo +Display operational summary. +.It Cm sysstats +Show statistics counters maintained in the protocol module. .It Xo Ic tinker .Oo .Cm allan Ar allan | @@ -2870,33 +3146,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. .El -.It Xo Ic rlimit -.Oo -.Cm memlock Ar Nmegabytes | -.Cm stacksize Ar N4kPages -.Cm filenum Ar Nfiledescriptors -.Oc -.Xc -.Bl -tag -width indent -.It Cm memlock Ar Nmegabytes -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -.Fl i -option). -The default is 32 megabytes on non-Linux machines, and -1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -.It Cm stacksize Ar N4kPages -Specifies the maximum size of the process stack on systems with the -.Fn mlockall -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -.It Cm filenum Ar Nfiledescriptors -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -.El +.It Cm writevar Ar assocID\ name = value [,...] +Write (create or update) the specified variables. +If the +.Cm assocID +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +.Cm assocID +is required, as the same name can occur in both name spaces. .It Xo Ic trap Ar host_address .Op Cm port Ar port_number .Op Cm interface Ar interface_address @@ -2911,6 +3172,13 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +.It Cm ttl Ar hop ... +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +.Cm manycast +mode these values are used in-turn in an expanding-ring search. +The default is eight multiples of 32 starting at 31. .Pp The trap receiver will generally log event messages and other information from the server in a log file. diff --git a/contrib/ntp/ntpd/ntp.conf.html b/contrib/ntp/ntpd/ntp.conf.html index 5718a01..2d477e2 100644 --- a/contrib/ntp/ntpd/ntp.conf.html +++ b/contrib/ntp/ntpd/ntp.conf.html @@ -33,9 +33,9 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <p>This document describes the configuration file for the NTP Project's <code>ntpd</code> program. - <p>This document applies to version 4.2.8p10 of <code>ntp.conf</code>. + <p>This document applies to version 4.2.8p11 of <code>ntp.conf</code>. - <div class="shortcontents"> + <div class="shortcontents"> <h2>Short Contents</h2> <ul> <a href="#Top">NTP's Configuration File User Manual</a> @@ -1467,7 +1467,7 @@ The <code>monitor</code> subcommand specifies the probability of discard for packets that overflow the rate-control window. -<br><dt><code>restrict</code> <code>address</code> <code>[mask </code><kbd>mask</kbd><code>]</code> <code>[</code><kbd>flag</kbd> <kbd>...</kbd><code>]</code><dd>The +<br><dt><code>restrict</code> <code>address</code> <code>[mask </code><kbd>mask</kbd><code>]</code> <code>[ippeerlimit </code><kbd>int</kbd><code>]</code> <code>[</code><kbd>flag</kbd> <kbd>...</kbd><code>]</code><dd>The <kbd>address</kbd> argument expressed in dotted-quad form is the address of a host or network. @@ -1490,6 +1490,15 @@ Note that text string <code>default</code>, with no mask option, may be used to indicate the default entry. +The +<code>ippeerlimit</code> +directive limits the number of peer requests for each IP to +<kbd>int</kbd>, +where a value of -1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, <code>flag</code> always @@ -1536,6 +1545,17 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +<br><dt><code>noepeer</code><dd>Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +<span class="file">ntp.keys</span> +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +<code>noepeer</code> +to become the default in ntp-4.4. <br><dt><code>nomodify</code><dd>Deny <code>ntpq(1ntpqmdoc)</code> and @@ -1550,10 +1570,10 @@ and <code>ntpdc(1ntpdcmdoc)</code> queries. Time service is not affected. -<br><dt><code>nopeer</code><dd>Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +<br><dt><code>nopeer</code><dd>Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes <code>pool</code> associations, so if you want to use servers from a @@ -1561,8 +1581,10 @@ associations, so if you want to use servers from a directive and also want to use <code>nopeer</code> by default, you'll want a -<code>restrict source ...</code> <code>line</code> <code>as</code> <code>well</code> <code>that</code> <code>does</code> -<br><dt>not<dd>include the +<code>restrict source ...</code> +line as well that does +<em>not</em> +include the <code>nopeer</code> directive. <br><dt><code>noserve</code><dd>Deny all packets except @@ -1938,13 +1960,14 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed -to any number of poll intervals between 0 and 4. +to any number of poll intervals between 0 and 4. +</dl> <h5 class="subsubsection">Manycast Options</h5> - <dl> + <dl> <dt><code>tos</code> <code>[ceiling </code><kbd>ceiling</kbd><code> | cohort { 0 | 1 } | floor </code><kbd>floor</kbd><code> | minclock </code><kbd>minclock</kbd><code> | minsane </code><kbd>minsane</kbd><code>]</code><dd>This command affects the clock selection and clustering algorithms. It can be used to select the quality and @@ -1952,7 +1975,7 @@ quantity of peers used to synchronize the system clock and is most useful in manycast mode. The variables operate as follows: - <dl> + <dl> <dt><code>ceiling</code> <kbd>ceiling</kbd><dd>Peers with strata above <code>ceiling</code> will be discarded if there are at least @@ -1994,14 +2017,14 @@ Byzantine agreement, should be at least 4 in order to detect and discard a single falseticker. </dl> - <br><dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd><dd>This command specifies a list of TTL values in increasing + <br><dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd><dd>This command specifies a list of TTL values in increasing order, up to 8 values can be specified. In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31. </dl> - <div class="node"> +<div class="node"> <p><hr> <a name="Reference-Clock-Support"></a> <br> @@ -2009,7 +2032,7 @@ multiples of 32 starting at 31. <h4 class="subsection">Reference Clock Support</h4> - <p>The NTP Version 4 daemon supports some three dozen different radio, +<p>The NTP Version 4 daemon supports some three dozen different radio, satellite and modem reference clocks plus a special pseudo-clock used for backup or when no other clock source is available. Detailed descriptions of individual device drivers and options can @@ -2046,7 +2069,7 @@ page provided in <span class="file">/usr/share/doc/ntp</span>). - <p>A reference clock will generally (though not always) be a radio + <p>A reference clock will generally (though not always) be a radio timecode receiver which is synchronized to a source of standard time such as the services offered by the NRC in Canada and NIST and USNO in the US. @@ -2062,7 +2085,7 @@ or the hardware port has not been appropriately configured results in a scalding remark to the system log file, but is otherwise non hazardous. - <p>For the purposes of configuration, + <p>For the purposes of configuration, <code>ntpd(1ntpdmdoc)</code> treats reference clocks in a manner analogous to normal NTP peers as much @@ -2083,7 +2106,7 @@ While it may seem overkill, it is in fact sometimes useful to configure multiple reference clocks of the same type, in which case the unit numbers must be unique. - <p>The + <p>The <code>server</code> command is used to configure a reference clock, where the @@ -2121,7 +2144,7 @@ meaning only for selected clock drivers. See the individual clock driver document pages for additional information. - <p>The + <p>The <code>fudge</code> command is used to provide additional information for individual clock drivers and normally follows @@ -2143,7 +2166,7 @@ in the <code>fudge</code> command as well. - <p>The stratum number of a reference clock is by default zero. + <p>The stratum number of a reference clock is by default zero. Since the <code>ntpd(1ntpdmdoc)</code> daemon adds one to the stratum of each @@ -2166,11 +2189,11 @@ these options apply to all clock drivers. <h5 class="subsubsection">Reference Clock Commands</h5> - <dl> + <dl> <dt><code>server</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[prefer]</code> <code>[mode </code><kbd>int</kbd><code>]</code> <code>[minpoll </code><kbd>int</kbd><code>]</code> <code>[maxpoll </code><kbd>int</kbd><code>]</code><dd>This command can be used to configure reference clocks in special ways. The options are interpreted as follows: - <dl> + <dl> <dt><code>prefer</code><dd>Marks the reference clock as preferred. All other things being equal, this host will be chosen for synchronization among a set of @@ -2203,7 +2226,7 @@ defaults to 10 (17.1 m) and defaults to 14 (4.5 h). The allowable range is 4 (16 s) to 17 (36.4 h) inclusive. </dl> - <br><dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[time1 </code><kbd>sec</kbd><code>]</code> <code>[time2 </code><kbd>sec</kbd><code>]</code> <code>[stratum </code><kbd>int</kbd><code>]</code> <code>[refid </code><kbd>string</kbd><code>]</code> <code>[mode </code><kbd>int</kbd><code>]</code> <code>[flag1 0 | 1]</code> <code>[flag2 0 | 1]</code> <code>[flag3 0 | 1]</code> <code>[flag4 0 | 1]</code><dd>This command can be used to configure reference clocks in + <br><dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[time1 </code><kbd>sec</kbd><code>]</code> <code>[time2 </code><kbd>sec</kbd><code>]</code> <code>[stratum </code><kbd>int</kbd><code>]</code> <code>[refid </code><kbd>string</kbd><code>]</code> <code>[mode </code><kbd>int</kbd><code>]</code> <code>[flag1 0 | 1]</code> <code>[flag2 0 | 1]</code> <code>[flag3 0 | 1]</code> <code>[flag4 0 | 1]</code><dd>This command can be used to configure reference clocks in special ways. It must immediately follow the <code>server</code> @@ -2214,7 +2237,7 @@ is possible at run time using the program. The options are interpreted as follows: - <dl> + <dl> <dt><code>time1</code> <kbd>sec</kbd><dd>Specifies a constant to be added to the time offset produced by the driver, a fixed-point decimal number in seconds. This is used @@ -2251,7 +2274,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -<span class="file">/usr/share/doc/ntp</span>). +<span class="file">/usr/share/doc/ntp</span> <span class="file">).</span> <br><dt><code>stratum</code> <kbd>int</kbd><dd>Specifies the stratum number assigned to the driver, an integer between 0 and 15. This number overrides the default stratum number @@ -2285,8 +2308,8 @@ Further information on the command can be found in <a href="#Monitoring-Options">Monitoring Options</a>. </dl> - </dl> - <div class="node"> + </dl> +<div class="node"> <p><hr> <a name="Miscellaneous-Options"></a> <br> @@ -2294,7 +2317,7 @@ command can be found in <h4 class="subsection">Miscellaneous Options</h4> - <dl> + <dl> <dt><code>broadcastdelay</code> <kbd>seconds</kbd><dd>The broadcast and multicast modes require a special calibration to determine the network delay between the local and remote servers. @@ -2327,7 +2350,7 @@ frequency of zero and creates the file when writing it for the first time. If this command is not given, the daemon will always start with an initial frequency of zero. - <p>The file format consists of a single line containing a single + <p>The file format consists of a single line containing a single floating point number, which records the frequency offset measured in parts-per-million (PPM). The file is updated by first writing @@ -2347,7 +2370,7 @@ Note that all of these flags can be controlled remotely using the <code>ntpdc(1ntpdcmdoc)</code> utility program. - <dl> + <dl> <dt><code>auth</code><dd>Enables the server to synchronize with unconfigured peers only if the peer has been correctly authenticated using either public key or private key cryptography. @@ -2482,7 +2505,7 @@ The default for this flag is <code>enable</code>. </dl> - <br><dt><code>includefile</code> <kbd>includefile</kbd><dd>This command allows additional configuration commands + <br><dt><code>includefile</code> <kbd>includefile</kbd><dd>This command allows additional configuration commands to be included from a separate file. Include files may be nested to a depth of five; upon reaching the end of any @@ -2492,6 +2515,67 @@ This option is useful for sites that run <code>ntpd(1ntpdmdoc)</code> on multiple hosts, with (mostly) common options (e.g., a restriction list). +<br><dt><code>interface</code> <code>[listen | ignore | drop]</code> <code>[all | ipv4 | ipv6 | wildcard </code><kbd>name</kbd><code> | </code><kbd>address</kbd><code> [/ </code><kbd>prefixlen</kbd><code>]]</code><dd>The +<code>interface</code> +directive controls which network addresses +<code>ntpd(1ntpdmdoc)</code> +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +<kbd>prefixlen</kbd> +determines how many bits must match for this rule to apply. +<code>ignore</code> +prevents opening matching addresses, +<code>drop</code> +causes +<code>ntpd(1ntpdmdoc)</code> +to open the address and drop all received packets without examination. +Multiple +<code>interface</code> +directives can be used. +The last rule which matches a particular address determines the action for it. +<code>interface</code> +directives are disabled if any +<code>-I</code>, +<code>--interface</code>, +<code>-L</code>, +or +<code>--novirtualips</code> +command-line options are specified in the configuration file, +all available network addresses are opened. +The +<code>nic</code> +directive is an alias for +<code>interface</code>. +<br><dt><code>leapfile</code> <kbd>leapfile</kbd><dd>This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +<code>https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code> +or +<code>ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>. +The +<code>leapfile</code> +is scanned when +<code>ntpd(1ntpdmdoc)</code> +processes the +<code>leapfile</code> <code>directive</code> <code>or</code> <code>when</code> +<code>ntpd</code> <code>detects</code> <code>that</code> <code>the</code> +<kbd>leapfile</kbd> +has changed. +<code>ntpd</code> +checks once a day to see if the +<kbd>leapfile</kbd> +has changed. +The +<code>update-leap(1update_leapmdoc)</code> +script can be run to see if the +<kbd>leapfile</kbd> +should be updated. <br><dt><code>leapsmearinterval</code> <kbd>seconds</kbd><dd>This EXPERIMENTAL option is only available if <code>ntpd(1ntpdmdoc)</code> was built with the @@ -2543,7 +2627,7 @@ and status messages (<code>status</code>). - <p>Configuration keywords are formed by concatenating the message class with + <p>Configuration keywords are formed by concatenating the message class with the event class. The <code>all</code> @@ -2555,20 +2639,20 @@ keyword to enable/disable all messages of the respective message class. Thus, a minimal log configuration could look like this: -<pre class="verbatim"> - logconfig =syncstatus +sysevents - </pre> +<pre class="verbatim"> + logconfig =syncstatus +sysevents +</pre> - <p>This would just list the synchronizations state of + <p>This would just list the synchronizations state of <code>ntpd(1ntpdmdoc)</code> and the major system events. For a simple reference server, the following minimum message configuration could be useful: -<pre class="verbatim"> - logconfig =syncall +clockall - </pre> +<pre class="verbatim"> + logconfig =syncall +clockall +</pre> - <p>This configuration will list all clock information and + <p>This configuration will list all clock information and synchronization information. All other events and messages about peers, system events and so on is suppressed. @@ -2579,6 +2663,129 @@ facility. This is the same operation as the <code>-l</code> command line option. +<br><dt><code>mru</code> <code>[maxdepth </code><kbd>count</kbd><code> | maxmem </code><kbd>kilobytes</kbd><code> | mindepth </code><kbd>count</kbd><code> | maxage </code><kbd>seconds</kbd><code> | initialloc </code><kbd>count</kbd><code> | initmem </code><kbd>kilobytes</kbd><code> | incalloc </code><kbd>count</kbd><code> | incmem </code><kbd>kilobytes</kbd><code>]</code><dd>Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. + <dl> +<dt><code>maxdepth</code> <kbd>count</kbd><br><dt><code>maxmem</code> <kbd>kilobytes</kbd><dd>Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +<code>incalloc</code> +entries or +<code>incmem</code> +kilobytes larger. +As with all of the +<code>mru</code> +options offered in units of entries or kilobytes, if both +<code>maxdepth</code> +and +<code>maxmem</code> <code>are</code> <code>used,</code> <code>the</code> <code>last</code> <code>one</code> <code>used</code> <code>controls.</code> +The default is 1024 kilobytes. +<br><dt><code>mindepth</code> <kbd>count</kbd><dd>Lower limit on the MRU list size. +When the MRU list has fewer than +<code>mindepth</code> +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +<br><dt><code>maxage</code> <kbd>seconds</kbd><dd>Once the MRU list has +<code>mindepth</code> +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +<code>maxage</code> +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +<code>maxdepth</code> <code>/</code> <code>moxmem</code>. +The default is 64 seconds. +<br><dt><code>initalloc</code> <kbd>count</kbd><br><dt><code>initmem</code> <kbd>kilobytes</kbd><dd>Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +<br><dt><code>incalloc</code> <kbd>count</kbd><br><dt><code>incmem</code> <kbd>kilobytes</kbd><dd>Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +</dl> + <br><dt><code>nonvolatile</code> <kbd>threshold</kbd><dd>Specify the +<kbd>threshold</kbd> +delta in seconds before an hourly change to the +<code>driftfile</code> +(frequency file) will be written, with a default value of 1e-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +<code>threshold</code> +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +<br><dt><code>phone</code> <kbd>dial</kbd> <kbd>...</kbd><dd>This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 - 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 - 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +<br><dt><code>reset</code> <code>[allpeers]</code> <code>[auth]</code> <code>[ctl]</code> <code>[io]</code> <code>[mem]</code> <code>[sys]</code> <code>[timer]</code><dd>Reset one or more groups of counters maintained by +<code>ntpd</code> +and exposed by +<code>ntpq</code> +and +<code>ntpdc</code>. +<br><dt><code>rlimit</code> <code>[memlock </code><kbd>Nmegabytes</kbd><code> | stacksize </code><kbd>N4kPages</kbd><code> filenum </code><kbd>Nfiledescriptors</kbd><code>]</code><dd> + <dl> +<dt><code>memlock</code> <kbd>Nmegabytes</kbd><dd>Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +<code>-i</code> +option). +The default is 32 megabytes on non-Linux machines, and -1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +<br><dt><code>stacksize</code> <kbd>N4kPages</kbd><dd>Specifies the maximum size of the process stack on systems with the +<code>mlockall()</code> +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +<br><dt><code>filenum</code> <kbd>Nfiledescriptors</kbd><dd>Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +</dl> + <br><dt><code>saveconfigdir</code> <kbd>directory_path</kbd><dd>Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +<code>saveconfig</code> +command. +If +<code>saveconfigdir</code> +does not appear in the configuration file, +<code>saveconfig</code> +requests are rejected by +<code>ntpd</code>. +<br><dt><code>saveconfig</code> <kbd>filename</kbd><dd>Write the current configuration, including any runtime +modifications given with +<code>:config</code> +or +<code>config-from-file</code> +to the +<code>ntpd</code> +host's +<kbd>filename</kbd> +in the +<code>saveconfigdir</code>. +This command will be rejected unless the +<code>saveconfigdir</code> +directive appears in +.Cm ntpd 's +configuration file. +<kbd>filename</kbd> +can use +<code>strftime(3)</code> +format directives to substitute the current date and time, +for example, +<code>saveconfig\ ntp-%Y%m%d-%H%M%S.conf</code>. +The filename used is stored in the system variable +<code>savedconfig</code>. +Authentication is required. <br><dt><code>setvar</code> <kbd>variable</kbd> <code>[default]</code><dd>This command adds an additional system variable. These variables can be used to distribute additional information such as @@ -2610,6 +2817,8 @@ holds the names of all peer variables and the <code>clock_var_list</code> holds the names of the reference clock variables. +<br><dt><code>sysinfo</code><dd>Display operational summary. +<br><dt><code>sysstats</code><dd>Show statistics counters maintained in the protocol module. <br><dt><code>tinker</code> <code>[allan </code><kbd>allan</kbd><code> | dispersion </code><kbd>dispersion</kbd><code> | freq </code><kbd>freq</kbd><code> | huffpuff </code><kbd>huffpuff</kbd><code> | panic </code><kbd>panic</kbd><code> | step </code><kbd>step</kbd><code> | stepback </code><kbd>stepback</kbd><code> | stepfwd </code><kbd>stepfwd</kbd><code> | stepout </code><kbd>stepout</kbd><code>]</code><dd>This command can be used to alter several system variables in very exceptional circumstances. It should occur in the @@ -2627,8 +2836,8 @@ for them. Emphasis added: twisters are on their own and can expect no help from the support group. - <p>The variables operate as follows: - <dl> + <p>The variables operate as follows: + <dl> <dt><code>allan</code> <kbd>allan</kbd><dd>The argument becomes the new value for the minimum Allan intercept, which is a parameter of the PLL/FLL clock discipline algorithm. @@ -2677,25 +2886,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. </dl> - <br><dt><code>rlimit</code> <code>[memlock </code><kbd>Nmegabytes</kbd><code> | stacksize </code><kbd>N4kPages</kbd><code> filenum </code><kbd>Nfiledescriptors</kbd><code>]</code><dd> - <dl> -<dt><code>memlock</code> <kbd>Nmegabytes</kbd><dd>Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -<code>-i</code> -option). -The default is 32 megabytes on non-Linux machines, and -1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -<br><dt><code>stacksize</code> <kbd>N4kPages</kbd><dd>Specifies the maximum size of the process stack on systems with the -<code>mlockall()</code> -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -<br><dt><code>filenum</code> <kbd>Nfiledescriptors</kbd><dd>Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -</dl> - <br><dt><code>trap</code> <kbd>host_address</kbd> <code>[port </code><kbd>port_number</kbd><code>]</code> <code>[interface </code><kbd>interface_address</kbd><code>]</code><dd>This command configures a trap receiver at the given host + <br><dt><code>writevar</code> <kbd>assocID\ name</kbd> <kbd>=</kbd> <kbd>value</kbd> <kbd>[,...]</kbd><dd>Write (create or update) the specified variables. +If the +<code>assocID</code> +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +<code>assocID</code> +is required, as the same name can occur in both name spaces. +<br><dt><code>trap</code> <kbd>host_address</kbd> <code>[port </code><kbd>port_number</kbd><code>]</code> <code>[interface </code><kbd>interface_address</kbd><code>]</code><dd>This command configures a trap receiver at the given host address and port number for sending messages with the specified local interface address. If the port number is unspecified, a value @@ -2704,9 +2906,15 @@ If the interface address is not specified, the message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the -interface used may vary from time to time with routing changes. +interface used may vary from time to time with routing changes. +<br><dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd><dd>This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +<code>manycast</code> +mode these values are used in-turn in an expanding-ring search. +The default is eight multiples of 32 starting at 31. - <p>The trap receiver will generally log event messages and other + <p>The trap receiver will generally log event messages and other information from the server in a log file. While such monitor programs may also request their own trap dynamically, configuring a @@ -2720,11 +2928,11 @@ The default is eight multiples of 32 starting at 31. </dl> - <p>This section was generated by <strong>AutoGen</strong>, + <p>This section was generated by <strong>AutoGen</strong>, using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp.conf</code> program. This software is released under the NTP license, <http://ntp.org/license>. - <ul class="menu"> +<ul class="menu"> <li><a accesskey="1" href="#ntp_002econf-Files">ntp.conf Files</a>: Files <li><a accesskey="2" href="#ntp_002econf-See-Also">ntp.conf See Also</a>: See Also <li><a accesskey="3" href="#ntp_002econf-Bugs">ntp.conf Bugs</a>: Bugs @@ -2739,14 +2947,14 @@ This software is released under the NTP license, <http://ntp.org/license>. <h4 class="subsection">ntp.conf Files</h4> - <dl> + <dl> <dt><span class="file">/etc/ntp.conf</span><dd>the default name of the configuration file <br><dt><span class="file">ntp.keys</span><dd>private MD5 keys <br><dt><span class="file">ntpkey</span><dd>RSA private key <br><dt><span class="file">ntpkey_</span><kbd>host</kbd><dd>RSA public key <br><dt><span class="file">ntp_dh</span><dd>Diffie-Hellman agreement parameters </dl> - <div class="node"> +<div class="node"> <p><hr> <a name="ntp_002econf-See-Also"></a> <br> @@ -2754,11 +2962,11 @@ This software is released under the NTP license, <http://ntp.org/license>. <h4 class="subsection">ntp.conf See Also</h4> - <p><code>ntpd(1ntpdmdoc)</code>, +<p><code>ntpd(1ntpdmdoc)</code>, <code>ntpdc(1ntpdcmdoc)</code>, <code>ntpq(1ntpqmdoc)</code> - <p>In addition to the manual pages provided, + <p>In addition to the manual pages provided, comprehensive documentation is available on the world wide web at <code>http://www.ntp.org/</code>. @@ -2766,7 +2974,7 @@ A snapshot of this documentation is available in HTML format in <span class="file">/usr/share/doc/ntp</span>. <br> - <p><br> + <p><br> David L. Mills, <em>Network Time Protocol (Version 4)</em>, RFC5905 <div class="node"> <p><hr> @@ -2776,11 +2984,11 @@ David L. Mills, <em>Network Time Protocol (Version 4)</em>, RFC5905 <h4 class="subsection">ntp.conf Bugs</h4> - <p>The syntax checking is not picky; some combinations of +<p>The syntax checking is not picky; some combinations of ridiculous and even hilarious options and modes may not be detected. - <p>The + <p>The <span class="file">ntpkey_</span><kbd>host</kbd> files are really digital certificates. @@ -2794,7 +3002,7 @@ services when they become universally available. <h4 class="subsection">ntp.conf Notes</h4> - <p>This document was derived from FreeBSD. +<p>This document was derived from FreeBSD. </body></html> diff --git a/contrib/ntp/ntpd/ntp.conf.man.in b/contrib/ntp/ntpd/ntp.conf.man.in index cd6faaa..0f2b211 100644 --- a/contrib/ntp/ntpd/ntp.conf.man.in +++ b/contrib/ntp/ntpd/ntp.conf.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp.conf 5 "21 Mar 2017" "4.2.8p10-beta" "File Formats" +.TH ntp.conf 5 "27 Feb 2018" "4.2.8p11" "File Formats" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-UAaqtC/ag-6AaisC) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LkaqTP/ag-XkaiSP) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:30:48 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:22 PM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agman-cmd.tpl .SH NAME @@ -1665,7 +1665,7 @@ The subcommand specifies the probability of discard for packets that overflow the rate-control window. .TP 7 -.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] +.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[B-Font]ippeerlimit\f[] \f\*[I-Font]int\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]] The \f\*[I-Font]address\f[] argument expressed in @@ -1689,6 +1689,15 @@ Note that text string \f\*[B-Font]default\f[], with no mask option, may be used to indicate the default entry. +The +\f\*[B-Font]ippeerlimit\f[] +directive limits the number of peer requests for each IP to +\f\*[I-Font]int\f[], +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, \f\*[B-Font]flag\f[] always @@ -1744,6 +1753,19 @@ This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. .TP 7 +.NOP \f\*[B-Font]noepeer\f[] +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +\fIntp.keys\f[] +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +\f\*[B-Font]noepeer\f[] +to become the default in ntp-4.4. +.TP 7 .NOP \f\*[B-Font]nomodify\f[] Deny \fCntpq\f[]\fR(@NTPQ_MS@)\f[] @@ -1763,10 +1785,10 @@ queries. Time service is not affected. .TP 7 .NOP \f\*[B-Font]nopeer\f[] -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes \f\*[B-Font]pool\f[] associations, so if you want to use servers from a @@ -1774,9 +1796,9 @@ associations, so if you want to use servers from a directive and also want to use \f\*[B-Font]nopeer\f[] by default, you'll want a -\f\*[B-Font]restrict source ...\f[] \f\*[B-Font]line\f[] \f\*[B-Font]as\f[] \f\*[B-Font]well\f[] \f\*[B-Font]that\f[] \f\*[B-Font]does\f[] -.TP 7 -.NOP not +\f\*[B-Font]restrict source ...\f[] +line as well that does +\fInot\f[] include the \f\*[B-Font]nopeer\f[] directive. @@ -2186,11 +2208,11 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +.PP .SS Manycast Options -.RS .TP 7 .NOP \f\*[B-Font]tos\f[] [\f\*[B-Font]ceiling\f[] \f\*[I-Font]ceiling\f[] | \f\*[B-Font]cohort\f[] { \f\*[B-Font]0\f[] | \f\*[B-Font]1\f[] } | \f\*[B-Font]floor\f[] \f\*[I-Font]floor\f[] | \f\*[B-Font]minclock\f[] \f\*[I-Font]minclock\f[] | \f\*[B-Font]minsane\f[] \f\*[I-Font]minsane\f[]] This command affects the clock selection and clustering @@ -2260,7 +2282,7 @@ In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31. -.RE +.PP .SH Reference Clock Support The NTP Version 4 daemon supports some three dozen different radio, satellite and modem reference clocks plus a special pseudo-clock @@ -2427,7 +2449,6 @@ option is used for this purpose. Except where noted, these options apply to all clock drivers. .SS Reference Clock Commands -.RS .TP 7 .NOP \f\*[B-Font]server\f[] \f[C]127.127.\f[]\f\*[I-Font]t\f[].\f\*[I-Font]u\f[] [\f\*[B-Font]prefer\f[]] [\f\*[B-Font]mode\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]minpoll\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]maxpoll\f[] \f\*[I-Font]int\f[]] This command can be used to configure reference clocks in @@ -2528,7 +2549,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -\fI/usr/share/doc/ntp\f[]). +\fI/usr/share/doc/ntp\f[] \fI).\f[] .TP 7 .NOP \f\*[B-Font]stratum\f[] \f\*[I-Font]int\f[] Specifies the stratum number assigned to the driver, an integer @@ -2576,9 +2597,8 @@ Further information on the command can be found in \fIMonitoring\f[] \fIOptions\f[]. .RE -.RE +.PP .SH Miscellaneous Options -.RS .TP 7 .NOP \f\*[B-Font]broadcastdelay\f[] \f\*[I-Font]seconds\f[] The broadcast and multicast modes require a special calibration @@ -2817,6 +2837,71 @@ This option is useful for sites that run on multiple hosts, with (mostly) common options (e.g., a restriction list). .TP 7 +.NOP \f\*[B-Font]interface\f[] [\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] [\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]]] +The +\f\*[B-Font]interface\f[] +directive controls which network addresses +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +\f\*[I-Font]prefixlen\f[] +determines how many bits must match for this rule to apply. +\f\*[B-Font]ignore\f[] +prevents opening matching addresses, +\f\*[B-Font]drop\f[] +causes +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +to open the address and drop all received packets without examination. +Multiple +\f\*[B-Font]interface\f[] +directives can be used. +The last rule which matches a particular address determines the action for it. +\f\*[B-Font]interface\f[] +directives are disabled if any +\f\*[B-Font]\-I\f[], +\f\*[B-Font]\-\-interface\f[], +\f\*[B-Font]\-L\f[], +or +\f\*[B-Font]\-\-novirtualips\f[] +command-line options are specified in the configuration file, +all available network addresses are opened. +The +\f\*[B-Font]nic\f[] +directive is an alias for +\f\*[B-Font]interface\f[]. +.TP 7 +.NOP \f\*[B-Font]leapfile\f[] \f\*[I-Font]leapfile\f[] +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +\f[C]https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[] +or +\f[C]ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[]. +The +\f\*[B-Font]leapfile\f[] +is scanned when +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +processes the +\f\*[B-Font]leapfile\f[] \f\*[B-Font]directive\f[] \f\*[B-Font]or\f[] \f\*[B-Font]when\f[] +\f\*[B-Font]ntpd\f[] \f\*[B-Font]detects\f[] \f\*[B-Font]that\f[] \f\*[B-Font]the\f[] +\f\*[I-Font]leapfile\f[] +has changed. +\f\*[B-Font]ntpd\f[] +checks once a day to see if the +\f\*[I-Font]leapfile\f[] +has changed. +The +\fCupdate-leap\f[]\fR(1update_leapmdoc)\f[] +script can be run to see if the +\f\*[I-Font]leapfile\f[] +should be updated. +.TP 7 .NOP \f\*[B-Font]leapsmearinterval\f[] \f\*[I-Font]seconds\f[] This EXPERIMENTAL option is only available if \fCntpd\f[]\fR(@NTPD_MS@)\f[] @@ -2922,6 +3007,164 @@ This is the same operation as the \f\*[B-Font]\-l\f[] command line option. .TP 7 +.NOP \f\*[B-Font]mru\f[] [\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]] +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +.RS +.TP 7 +.NOP \f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] +.TP 7 +.NOP \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +\f\*[B-Font]incalloc\f[] +entries or +\f\*[B-Font]incmem\f[] +kilobytes larger. +As with all of the +\f\*[B-Font]mru\f[] +options offered in units of entries or kilobytes, if both +\f\*[B-Font]maxdepth\f[] +and +\f\*[B-Font]maxmem\f[] \f\*[B-Font]are\f[] \f\*[B-Font]used,\f[] \f\*[B-Font]the\f[] \f\*[B-Font]last\f[] \f\*[B-Font]one\f[] \f\*[B-Font]used\f[] \f\*[B-Font]controls.\f[] +The default is 1024 kilobytes. +.TP 7 +.NOP \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] +Lower limit on the MRU list size. +When the MRU list has fewer than +\f\*[B-Font]mindepth\f[] +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +.TP 7 +.NOP \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] +Once the MRU list has +\f\*[B-Font]mindepth\f[] +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +\f\*[B-Font]maxage\f[] +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +\f\*[B-Font]maxdepth\f[] \f\*[B-Font]/\f[] \f\*[B-Font]moxmem\f[]. +The default is 64 seconds. +.TP 7 +.NOP \f\*[B-Font]initalloc\f[] \f\*[I-Font]count\f[] +.TP 7 +.NOP \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +.TP 7 +.NOP \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] +.TP 7 +.NOP \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[] +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +.RE +.TP 7 +.NOP \f\*[B-Font]nonvolatile\f[] \f\*[I-Font]threshold\f[] +Specify the +\f\*[I-Font]threshold\f[] +delta in seconds before an hourly change to the +\f\*[B-Font]driftfile\f[] +(frequency file) will be written, with a default value of 1e-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +\f\*[B-Font]threshold\f[] +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +.TP 7 +.NOP \f\*[B-Font]phone\f[] \f\*[I-Font]dial\f[] \f\*[I-Font]...\f[] +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 \- 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 \- 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +.TP 7 +.NOP \f\*[B-Font]reset\f[] [\f\*[B-Font]allpeers\f[]] [\f\*[B-Font]auth\f[]] [\f\*[B-Font]ctl\f[]] [\f\*[B-Font]io\f[]] [\f\*[B-Font]mem\f[]] [\f\*[B-Font]sys\f[]] [\f\*[B-Font]timer\f[]] +Reset one or more groups of counters maintained by +\f\*[B-Font]ntpd\f[] +and exposed by +\f\*[B-Font]ntpq\f[] +and +\f\*[B-Font]ntpdc\f[]. +.TP 7 +.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]] +.RS +.TP 7 +.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +\f\*[B-Font]\-i\f[] +option). +The default is 32 megabytes on non-Linux machines, and \-1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +.TP 7 +.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] +Specifies the maximum size of the process stack on systems with the +\fBmlockall\f[]\fR()\f[] +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +.TP 7 +.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[] +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +.RE +.TP 7 +.NOP \f\*[B-Font]saveconfigdir\f[] \f\*[I-Font]directory_path\f[] +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +\f\*[B-Font]saveconfig\f[] +command. +If +\f\*[B-Font]saveconfigdir\f[] +does not appear in the configuration file, +\f\*[B-Font]saveconfig\f[] +requests are rejected by +\f\*[B-Font]ntpd\f[]. +.TP 7 +.NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[] +Write the current configuration, including any runtime +modifications given with +\f\*[B-Font]:config\f[] +or +\f\*[B-Font]config-from-file\f[] +to the +\f\*[B-Font]ntpd\f[] +host's +\f\*[I-Font]filename\f[] +in the +\f\*[B-Font]saveconfigdir\f[]. +This command will be rejected unless the +\f\*[B-Font]saveconfigdir\f[] +directive appears in +.Cm ntpd 's +configuration file. +\f\*[I-Font]filename\f[] +can use +\fCstrftime\f[]\fR(3)\f[] +format directives to substitute the current date and time, +for example, +\f\*[B-Font]saveconfig\ ntp-%Y%m%d-%H%M%S.conf\f[]. +The filename used is stored in the system variable +\f\*[B-Font]savedconfig\f[]. +Authentication is required. +.TP 7 .NOP \f\*[B-Font]setvar\f[] \f\*[I-Font]variable\f[] [\f\*[B-Font]default\f[]] This command adds an additional system variable. These @@ -2955,6 +3198,12 @@ the names of all peer variables and the \fIclock_var_list\f[] holds the names of the reference clock variables. .TP 7 +.NOP \f\*[B-Font]sysinfo\f[] +Display operational summary. +.TP 7 +.NOP \f\*[B-Font]sysstats\f[] +Show statistics counters maintained in the protocol module. +.TP 7 .NOP \f\*[B-Font]tinker\f[] [\f\*[B-Font]allan\f[] \f\*[I-Font]allan\f[] | \f\*[B-Font]dispersion\f[] \f\*[I-Font]dispersion\f[] | \f\*[B-Font]freq\f[] \f\*[I-Font]freq\f[] | \f\*[B-Font]huffpuff\f[] \f\*[I-Font]huffpuff\f[] | \f\*[B-Font]panic\f[] \f\*[I-Font]panic\f[] | \f\*[B-Font]step\f[] \f\*[I-Font]step\f[] | \f\*[B-Font]stepback\f[] \f\*[I-Font]stepback\f[] | \f\*[B-Font]stepfwd\f[] \f\*[I-Font]stepfwd\f[] | \f\*[B-Font]stepout\f[] \f\*[I-Font]stepout\f[]] This command can be used to alter several system variables in very exceptional circumstances. @@ -3044,30 +3293,18 @@ If set to zero, the stepout pulses will not be suppressed. .RE .TP 7 -.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]] -.RS -.TP 7 -.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -\f\*[B-Font]\-i\f[] -option). -The default is 32 megabytes on non-Linux machines, and \-1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -.TP 7 -.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] -Specifies the maximum size of the process stack on systems with the -\fBmlockall\f[]\fR()\f[] -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -.TP 7 -.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[] -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -.RE +.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\ name\f[] \f\*[I-Font]=\f[] \f\*[I-Font]value\f[] \f\*[I-Font][,...]\f[] +Write (create or update) the specified variables. +If the +\f\*[B-Font]assocID\f[] +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +\f\*[B-Font]assocID\f[] +is required, as the same name can occur in both name spaces. .TP 7 .NOP \f\*[B-Font]trap\f[] \f\*[I-Font]host_address\f[] [\f\*[B-Font]port\f[] \f\*[I-Font]port_number\f[]] [\f\*[B-Font]interface\f[] \f\*[I-Font]interface_address\f[]] This command configures a trap receiver at the given host @@ -3080,6 +3317,14 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +.TP 7 +.NOP \f\*[B-Font]ttl\f[] \f\*[I-Font]hop\f[] \f\*[I-Font]...\f[] +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +\f\*[B-Font]manycast\f[] +mode these values are used in-turn in an expanding-ring search. +The default is eight multiples of 32 starting at 31. .sp \n(Ppu .ne 2 @@ -3097,9 +3342,8 @@ In manycast mode these values are used in turn in an expanding-ring search. The default is eight multiples of 32 starting at 31. -.RE +.PP .SH "OPTIONS" -.RS .TP .NOP \f\*[B-Font]\-\-help\f[] Display usage information and exit. @@ -3111,7 +3355,7 @@ Pass the extended usage information through a pager. Output version of program and exit. The default mode is `v', a simple version. The `c' mode will print copyright information and `n' will print the full copyright notice. -.RE +.PP .SH "OPTION PRESETS" Any option that is not marked as \fInot presettable\fP may be preset by loading values from environment variables named: @@ -3122,7 +3366,6 @@ by loading values from environment variables named: .SH "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .SH FILES -.RS .TP 15 .NOP \fI/etc/ntp.conf\f[] the default name of the configuration file @@ -3146,10 +3389,9 @@ RSA public key .TP 15 .NOP \fIntp_dh\f[] Diffie-Hellman agreement parameters -.RE +.PP .SH "EXIT STATUS" One of the following exit values will be returned: -.RS .TP .NOP 0 " (EXIT_SUCCESS)" Successful program execution. @@ -3160,7 +3402,7 @@ The operation failed or the command syntax was not valid. .NOP 70 " (EX_SOFTWARE)" libopts had an internal operational error. Please report it to autogen-users@lists.sourceforge.net. Thank you. -.RE +.PP .SH "SEE ALSO" \fCntpd\f[]\fR(@NTPD_MS@)\f[], \fCntpdc\f[]\fR(@NTPDC_MS@)\f[], diff --git a/contrib/ntp/ntpd/ntp.conf.mdoc.in b/contrib/ntp/ntpd/ntp.conf.mdoc.in index 1d5d3b6..321acc9 100644 --- a/contrib/ntp/ntpd/ntp.conf.mdoc.in +++ b/contrib/ntp/ntpd/ntp.conf.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_CONF 5 File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:31:09 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -1532,6 +1532,7 @@ subcommand specifies the probability of discard for packets that overflow the rate\-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1557,6 +1558,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1607,6 +1617,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp\-4.4. .It Cm nomodify Deny .Xr ntpq @NTPQ_MS@ @@ -1624,10 +1646,10 @@ and queries. Time service is not affected. .It Cm nopeer -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes .Cm pool associations, so if you want to use servers from a @@ -1635,8 +1657,9 @@ associations, so if you want to use servers from a directive and also want to use .Cm nopeer by default, you'll want a -.Cm "restrict source ..." line as well that does -.It not +.Cm "restrict source ..." +line as well that does +.Em not include the .Cm nopeer directive. @@ -2011,9 +2034,10 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +.El .Ss Manycast Options .Bl -tag -width indent .It Xo Ic tos @@ -2359,7 +2383,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -.Pa /usr/share/doc/ntp ) . +.Pa /usr/share/doc/ntp ). .It Cm stratum Ar int Specifies the stratum number assigned to the driver, an integer between 0 and 15. @@ -2637,6 +2661,79 @@ This option is useful for sites that run .Xr ntpd @NTPD_MS@ on multiple hosts, with (mostly) common options (e.g., a restriction list). +.It Xo Ic interface +.Oo +.Cm listen | Cm ignore | Cm drop +.Oc +.Oo +.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard +.Ar name | Ar address +.Oo Cm / Ar prefixlen +.Oc +.Oc +.Xc +The +.Cm interface +directive controls which network addresses +.Xr ntpd @NTPD_MS@ +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +.Ar prefixlen +determines how many bits must match for this rule to apply. +.Cm ignore +prevents opening matching addresses, +.Cm drop +causes +.Xr ntpd @NTPD_MS@ +to open the address and drop all received packets without examination. +Multiple +.Cm interface +directives can be used. +The last rule which matches a particular address determines the action for it. +.Cm interface +directives are disabled if any +.Fl I , +.Fl \-interface , +.Fl L , +or +.Fl \-novirtualips +command\-line options are specified in the configuration file, +all available network addresses are opened. +The +.Cm nic +directive is an alias for +.Cm interface . +.It Ic leapfile Ar leapfile +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list +or +.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list . +The +.Cm leapfile +is scanned when +.Xr ntpd @NTPD_MS@ +processes the +.Cm leapfile directive or when +.Cm ntpd detects that the +.Ar leapfile +has changed. +.Cm ntpd +checks once a day to see if the +.Ar leapfile +has changed. +The +.Xr update\-leap 1update_leapmdoc +script can be run to see if the +.Ar leapfile +should be updated. .It Ic leapsmearinterval Ar seconds This EXPERIMENTAL option is only available if .Xr ntpd @NTPD_MS@ @@ -2741,6 +2838,181 @@ facility. This is the same operation as the .Fl l command line option. +.It Xo Ic mru +.Oo +.Cm maxdepth Ar count | Cm maxmem Ar kilobytes | +.Cm mindepth Ar count | Cm maxage Ar seconds | +.Cm initialloc Ar count | Cm initmem Ar kilobytes | +.Cm incalloc Ar count | Cm incmem Ar kilobytes +.Oc +.Xc +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +.Bl -tag -width indent +.It Ic maxdepth Ar count +.It Ic maxmem Ar kilobytes +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +.Cm incalloc +entries or +.Cm incmem +kilobytes larger. +As with all of the +.Cm mru +options offered in units of entries or kilobytes, if both +.Cm maxdepth +and +.Cm maxmem are used, the last one used controls. +The default is 1024 kilobytes. +.It Cm mindepth Ar count +Lower limit on the MRU list size. +When the MRU list has fewer than +.Cm mindepth +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +.It Cm maxage Ar seconds +Once the MRU list has +.Cm mindepth +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +.Cm maxage +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +.Cm maxdepth / moxmem . +The default is 64 seconds. +.It Cm initalloc Ar count +.It Cm initmem Ar kilobytes +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +.It Cm incalloc Ar count +.It Cm incmem Ar kilobytes +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +.El +.It Ic nonvolatile Ar threshold +Specify the +.Ar threshold +delta in seconds before an hourly change to the +.Cm driftfile +(frequency file) will be written, with a default value of 1e\-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +.Cm threshold +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +.It Ic phone Ar dial ... +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 \- 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 \- 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +.It Xo Ic reset +.Oo +.Ic allpeers +.Oc +.Oo +.Ic auth +.Oc +.Oo +.Ic ctl +.Oc +.Oo +.Ic io +.Oc +.Oo +.Ic mem +.Oc +.Oo +.Ic sys +.Oc +.Oo +.Ic timer +.Oc +.Xc +Reset one or more groups of counters maintained by +.Cm ntpd +and exposed by +.Cm ntpq +and +.Cm ntpdc . +.It Xo Ic rlimit +.Oo +.Cm memlock Ar Nmegabytes | +.Cm stacksize Ar N4kPages +.Cm filenum Ar Nfiledescriptors +.Oc +.Xc +.Bl -tag -width indent +.It Cm memlock Ar Nmegabytes +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +.Fl i +option). +The default is 32 megabytes on non\-Linux machines, and \-1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +.It Cm stacksize Ar N4kPages +Specifies the maximum size of the process stack on systems with the +.Fn mlockall +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +.It Cm filenum Ar Nfiledescriptors +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +.El +.It Ic saveconfigdir Ar directory_path +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +.Cm saveconfig +command. +If +.Cm saveconfigdir +does not appear in the configuration file, +.Cm saveconfig +requests are rejected by +.Cm ntpd . +.It Ic saveconfig Ar filename +Write the current configuration, including any runtime +modifications given with +.Cm :config +or +.Cm config\-from\-file +to the +.Cm ntpd +host's +.Ar filename +in the +.Cm saveconfigdir . +This command will be rejected unless the +.Cm saveconfigdir +directive appears in +.Cm ntpd 's +configuration file. +.Ar filename +can use +.Xr strftime 3 +format directives to substitute the current date and time, +for example, +.Cm saveconfig\ ntp\-%Y%m%d\-%H%M%S.conf . +The filename used is stored in the system variable +.Cm savedconfig . +Authentication is required. .It Ic setvar Ar variable Op Cm default This command adds an additional system variable. These @@ -2779,6 +3051,10 @@ holds the names of all peer variables and the .Va clock_var_list holds the names of the reference clock variables. +.It Cm sysinfo +Display operational summary. +.It Cm sysstats +Show statistics counters maintained in the protocol module. .It Xo Ic tinker .Oo .Cm allan Ar allan | @@ -2868,33 +3144,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. .El -.It Xo Ic rlimit -.Oo -.Cm memlock Ar Nmegabytes | -.Cm stacksize Ar N4kPages -.Cm filenum Ar Nfiledescriptors -.Oc -.Xc -.Bl -tag -width indent -.It Cm memlock Ar Nmegabytes -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -.Fl i -option). -The default is 32 megabytes on non\-Linux machines, and \-1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -.It Cm stacksize Ar N4kPages -Specifies the maximum size of the process stack on systems with the -.Fn mlockall -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -.It Cm filenum Ar Nfiledescriptors -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -.El +.It Cm writevar Ar assocID\ name = value [,...] +Write (create or update) the specified variables. +If the +.Cm assocID +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +.Cm assocID +is required, as the same name can occur in both name spaces. .It Xo Ic trap Ar host_address .Op Cm port Ar port_number .Op Cm interface Ar interface_address @@ -2909,6 +3170,13 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +.It Cm ttl Ar hop ... +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +.Cm manycast +mode these values are used in\-turn in an expanding\-ring search. +The default is eight multiples of 32 starting at 31. .Pp The trap receiver will generally log event messages and other information from the server in a log file. diff --git a/contrib/ntp/ntpd/ntp.keys.5man b/contrib/ntp/ntpd/ntp.keys.5man index 9daf75f..b107e02 100644 --- a/contrib/ntp/ntpd/ntp.keys.5man +++ b/contrib/ntp/ntpd/ntp.keys.5man @@ -1,8 +1,8 @@ -.TH ntp.keys 5man "21 Mar 2017" "4.2.8p10" "File Formats" +.TH ntp.keys 5man "27 Feb 2018" "4.2.8p11" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (ntp.man) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:10 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:26 PM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agman-file.tpl .Sh NAME @@ -76,16 +76,24 @@ where is a positive integer (between 1 and 65534), \f\*[I-Font]type\f[] is the message digest algorithm, -and \f\*[I-Font]key\f[] is the key itself, and \f\*[I-Font]opt_IP_list\f[] is an optional comma-separated list of IPs +where the +\f\*[I-Font]keyno\f[] +should be trusted. that are allowed to serve time. +Each IP in +\f\*[I-Font]opt_IP_list\f[] +may contain an optional +\f\*[B-Font]/subnetbits\f[] +specification which identifies the number of bits for +the desired subnet of trust. If \f\*[I-Font]opt_IP_list\f[] is empty, -any properly-authenticated server message will be +any properly-authenticated message will be accepted. .sp \n(Ppu .ne 2 diff --git a/contrib/ntp/ntpd/ntp.keys.5mdoc b/contrib/ntp/ntpd/ntp.keys.5mdoc index 02664db..bec3980 100644 --- a/contrib/ntp/ntpd/ntp.keys.5mdoc +++ b/contrib/ntp/ntpd/ntp.keys.5mdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_KEYS 5mdoc File Formats .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:22 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agmdoc-file.tpl .Sh NAME @@ -51,16 +51,24 @@ where is a positive integer (between 1 and 65534), .Ar type is the message digest algorithm, -and .Ar key is the key itself, and .Ar opt_IP_list is an optional comma\-separated list of IPs +where the +.Ar keyno +should be trusted. that are allowed to serve time. +Each IP in +.Ar opt_IP_list +may contain an optional +.Cm /subnetbits +specification which identifies the number of bits for +the desired subnet of trust. If .Ar opt_IP_list is empty, -any properly\-authenticated server message will be +any properly\-authenticated message will be accepted. .Pp The diff --git a/contrib/ntp/ntpd/ntp.keys.def b/contrib/ntp/ntpd/ntp.keys.def index efe774c..88dd2aa 100644 --- a/contrib/ntp/ntpd/ntp.keys.def +++ b/contrib/ntp/ntpd/ntp.keys.def @@ -50,16 +50,24 @@ where is a positive integer (between 1 and 65534), .Ar type is the message digest algorithm, -and .Ar key is the key itself, and .Ar opt_IP_list is an optional comma-separated list of IPs +where the +.Ar keyno +should be trusted. that are allowed to serve time. +Each IP in +.Ar opt_IP_list +may contain an optional +.Cm /subnetbits +specification which identifies the number of bits for +the desired subnet of trust. If .Ar opt_IP_list is empty, -any properly-authenticated server message will be +any properly-authenticated message will be accepted. .Pp The diff --git a/contrib/ntp/ntpd/ntp.keys.html b/contrib/ntp/ntpd/ntp.keys.html index 7713789..28a4076 100644 --- a/contrib/ntp/ntpd/ntp.keys.html +++ b/contrib/ntp/ntpd/ntp.keys.html @@ -33,7 +33,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <p>This document describes the symmetric key file for the NTP Project's <code>ntpd</code> program. - <p>This document applies to version 4.2.8p10 of <code>ntp.keys</code>. + <p>This document applies to version 4.2.8p11 of <code>ntp.keys</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -100,16 +100,24 @@ Key entries use a fixed format of the form is a positive integer (between 1 and 65534), <kbd>type</kbd> is the message digest algorithm, -and <kbd>key</kbd> is the key itself, and <kbd>opt_IP_list</kbd> is an optional comma-separated list of IPs +where the +<kbd>keyno</kbd> +should be trusted. that are allowed to serve time. +Each IP in +<kbd>opt_IP_list</kbd> +may contain an optional +<code>/subnetbits</code> +specification which identifies the number of bits for +the desired subnet of trust. If <kbd>opt_IP_list</kbd> is empty, -any properly-authenticated server message will be +any properly-authenticated message will be accepted. <p>The diff --git a/contrib/ntp/ntpd/ntp.keys.man.in b/contrib/ntp/ntpd/ntp.keys.man.in index a88bf58..3712747 100644 --- a/contrib/ntp/ntpd/ntp.keys.man.in +++ b/contrib/ntp/ntpd/ntp.keys.man.in @@ -1,8 +1,8 @@ -.TH ntp.keys 5 "21 Mar 2017" "4.2.8p10" "File Formats" +.TH ntp.keys 5 "27 Feb 2018" "4.2.8p11" "File Formats" .\" .\" EDIT THIS FILE WITH CAUTION (ntp.man) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:10 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:26 PM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agman-file.tpl .Sh NAME @@ -76,16 +76,24 @@ where is a positive integer (between 1 and 65534), \f\*[I-Font]type\f[] is the message digest algorithm, -and \f\*[I-Font]key\f[] is the key itself, and \f\*[I-Font]opt_IP_list\f[] is an optional comma-separated list of IPs +where the +\f\*[I-Font]keyno\f[] +should be trusted. that are allowed to serve time. +Each IP in +\f\*[I-Font]opt_IP_list\f[] +may contain an optional +\f\*[B-Font]/subnetbits\f[] +specification which identifies the number of bits for +the desired subnet of trust. If \f\*[I-Font]opt_IP_list\f[] is empty, -any properly-authenticated server message will be +any properly-authenticated message will be accepted. .sp \n(Ppu .ne 2 diff --git a/contrib/ntp/ntpd/ntp.keys.mdoc.in b/contrib/ntp/ntpd/ntp.keys.mdoc.in index fb2f7ea..6dc4f88 100644 --- a/contrib/ntp/ntpd/ntp.keys.mdoc.in +++ b/contrib/ntp/ntpd/ntp.keys.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_KEYS 5 File Formats .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:22 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agmdoc-file.tpl .Sh NAME @@ -51,16 +51,24 @@ where is a positive integer (between 1 and 65534), .Ar type is the message digest algorithm, -and .Ar key is the key itself, and .Ar opt_IP_list is an optional comma\-separated list of IPs +where the +.Ar keyno +should be trusted. that are allowed to serve time. +Each IP in +.Ar opt_IP_list +may contain an optional +.Cm /subnetbits +specification which identifies the number of bits for +the desired subnet of trust. If .Ar opt_IP_list is empty, -any properly\-authenticated server message will be +any properly\-authenticated message will be accepted. .Pp The diff --git a/contrib/ntp/ntpd/ntp_config.c b/contrib/ntp/ntpd/ntp_config.c index 428ab9f..003b153 100644 --- a/contrib/ntp/ntpd/ntp_config.c +++ b/contrib/ntp/ntpd/ntp_config.c @@ -149,9 +149,9 @@ typedef struct peer_resolved_ctx_tag { extern int yydebug; /* ntp_parser.c (.y) */ config_tree cfgt; /* Parser output stored here */ struct config_tree_tag *cfg_tree_history; /* History of configs */ -char *sys_phone[MAXPHONE] = {NULL}; /* ACTS phone numbers */ +char * sys_phone[MAXPHONE] = {NULL}; /* ACTS phone numbers */ char default_keysdir[] = NTP_KEYSDIR; -char *keysdir = default_keysdir; /* crypto keys directory */ +char * keysdir = default_keysdir; /* crypto keys directory */ char * saveconfigdir; #if defined(HAVE_SCHED_SETSCHEDULER) int config_priority_override = 0; @@ -312,6 +312,7 @@ static void config_monitor(config_tree *); static void config_rlimit(config_tree *); static void config_system_opts(config_tree *); static void config_tinker(config_tree *); +static int config_tos_clock(config_tree *); static void config_tos(config_tree *); static void config_vars(config_tree *); @@ -363,6 +364,8 @@ static u_int32 get_match(const char *, struct masks *); static u_int32 get_logmask(const char *); static int/*BOOL*/ is_refclk_addr(const address_node * addr); +static void appendstr(char *, size_t, char *); + #ifndef SIM static int getnetnum(const char *num, sockaddr_u *addr, int complain, @@ -528,7 +531,7 @@ dump_config_tree( setvar_node *setv_node; nic_rule_node *rule_node; int_node *i_n; - int_node *flags; + int_node *flag_tok_fifo; int_node *counter_set; string_node *str_node; @@ -554,7 +557,10 @@ dump_config_tree( ptree->source.value.s); } - /* For options I didn't find documentation I'll just output its name and the cor. value */ + /* + * For options without documentation we just output the name + * and its data value + */ atrv = HEAD_PFIFO(ptree->vars); for ( ; atrv != NULL; atrv = atrv->link) { switch (atrv->type) { @@ -722,6 +728,21 @@ dump_config_tree( token_name(atrv->type)); break; #endif + case T_Integer: + if (atrv->attr == T_Basedate) { + struct calendar jd; + ntpcal_rd_to_date(&jd, atrv->value.i + DAY_NTP_STARTS); + fprintf(df, " %s \"%04hu-%02hu-%02hu\"", + keyword(atrv->attr), jd.year, + (u_short)jd.month, + (u_short)jd.monthday); + } else { + fprintf(df, " %s %d", + keyword(atrv->attr), + atrv->value.i); + } + break; + case T_Double: fprintf(df, " %s %s", keyword(atrv->attr), @@ -904,30 +925,52 @@ dump_config_tree( fprintf(df, "\n"); } - for (rest_node = HEAD_PFIFO(ptree->restrict_opts); rest_node != NULL; rest_node = rest_node->link) { + int is_default = 0; if (NULL == rest_node->addr) { s = "default"; - flags = HEAD_PFIFO(rest_node->flags); - for ( ; flags != NULL; flags = flags->link) - if (T_Source == flags->i) { + /* Don't need to set is_default=1 here */ + flag_tok_fifo = HEAD_PFIFO(rest_node->flag_tok_fifo); + for ( ; flag_tok_fifo != NULL; flag_tok_fifo = flag_tok_fifo->link) { + if (T_Source == flag_tok_fifo->i) { s = "source"; break; - } + } + } } else { - s = rest_node->addr->address; + const char *ap = rest_node->addr->address; + const char *mp = ""; + + if (rest_node->mask) + mp = rest_node->mask->address; + + if ( rest_node->addr->type == AF_INET + && !strcmp(ap, "0.0.0.0") + && !strcmp(mp, "0.0.0.0")) { + is_default = 1; + s = "-4 default"; + } else if ( rest_node->mask + && rest_node->mask->type == AF_INET6 + && !strcmp(ap, "::") + && !strcmp(mp, "::")) { + is_default = 1; + s = "-6 default"; + } else { + s = ap; + } } fprintf(df, "restrict %s", s); - if (rest_node->mask != NULL) + if (rest_node->mask != NULL && !is_default) fprintf(df, " mask %s", rest_node->mask->address); - flags = HEAD_PFIFO(rest_node->flags); - for ( ; flags != NULL; flags = flags->link) - if (T_Source != flags->i) - fprintf(df, " %s", keyword(flags->i)); + fprintf(df, " ippeerlimit %d", rest_node->ippeerlimit); + flag_tok_fifo = HEAD_PFIFO(rest_node->flag_tok_fifo); + for ( ; flag_tok_fifo != NULL; flag_tok_fifo = flag_tok_fifo->link) + if (T_Source != flag_tok_fifo->i) + fprintf(df, " %s", keyword(flag_tok_fifo->i)); fprintf(df, "\n"); } @@ -1057,11 +1100,45 @@ concat_gen_fifos( return pf1; } +void* +destroy_gen_fifo( + void *fifo, + fifo_deleter func + ) +{ + any_node * np = NULL; + any_node_fifo * pf1 = fifo; + + if (pf1 != NULL) { + if (!func) + func = free; + for (;;) { + UNLINK_FIFO(np, *pf1, link); + if (np == NULL) + break; + (*func)(np); + } + free(pf1); + } + return NULL; +} /* FUNCTIONS FOR CREATING NODES ON THE SYNTAX TREE * ----------------------------------------------- */ +void +destroy_attr_val( + attr_val * av + ) +{ + if (av) { + if (T_String == av->type) + free(av->value.s); + free(av); + } +} + attr_val * create_attr_dval( int attr, @@ -1402,7 +1479,8 @@ restrict_node * create_restrict_node( address_node * addr, address_node * mask, - int_fifo * flags, + short ippeerlimit, + int_fifo * flag_tok_fifo, int line_no ) { @@ -1411,7 +1489,8 @@ create_restrict_node( my_node = emalloc_zero(sizeof(*my_node)); my_node->addr = addr; my_node->mask = mask; - my_node->flags = flags; + my_node->ippeerlimit = ippeerlimit; + my_node->flag_tok_fifo = flag_tok_fifo; my_node->line_no = line_no; return my_node; @@ -1428,7 +1507,7 @@ destroy_restrict_node( */ destroy_address_node(my_node->addr); destroy_address_node(my_node->mask); - destroy_int_fifo(my_node->flags); + destroy_int_fifo(my_node->flag_tok_fifo); free(my_node); } @@ -1484,9 +1563,7 @@ destroy_attr_val_fifo( UNLINK_FIFO(av, *av_fifo, link); if (av == NULL) break; - if (T_String == av->type) - free(av->value.s); - free(av); + destroy_attr_val(av); } free(av_fifo); } @@ -2009,6 +2086,35 @@ free_config_auth( #endif /* FREE_CFG_T */ +/* Configure low-level clock-related parameters. Return TRUE if the + * clock might need adjustment like era-checking after the call, FALSE + * otherwise. + */ +static int/*BOOL*/ +config_tos_clock( + config_tree *ptree + ) +{ + int ret; + attr_val * tos; + + ret = FALSE; + tos = HEAD_PFIFO(ptree->orphan_cmds); + for (; tos != NULL; tos = tos->link) { + switch(tos->attr) { + + default: + break; + + case T_Basedate: + basedate_set_day(tos->value.i); + ret = TRUE; + break; + } + } + return ret; +} + static void config_tos( config_tree *ptree @@ -2034,12 +2140,16 @@ config_tos( /* -*- phase one: inspect / sanitize the values */ tos = HEAD_PFIFO(ptree->orphan_cmds); for (; tos != NULL; tos = tos->link) { - val = tos->value.d; + /* not all attributes are doubles (any more), so loading + * 'val' in all cases is not a good idea: It should be + * done as needed in every case processed here. + */ switch(tos->attr) { default: break; case T_Bcpollbstep: + val = tos->value.d; if (val > 4) { msyslog(LOG_WARNING, "Using maximum bcpollbstep ceiling %d, %d requested", @@ -2054,6 +2164,7 @@ config_tos( break; case T_Ceiling: + val = tos->value.d; if (val > STRATUM_UNSPEC - 1) { msyslog(LOG_WARNING, "Using maximum tos ceiling %d, %d requested", @@ -2068,18 +2179,21 @@ config_tos( break; case T_Minclock: + val = tos->value.d; if ((int)tos->value.d < 1) tos->value.d = 1; l_minclock = (int)tos->value.d; break; case T_Maxclock: + val = tos->value.d; if ((int)tos->value.d < 1) tos->value.d = 1; l_maxclock = (int)tos->value.d; break; case T_Minsane: + val = tos->value.d; if ((int)tos->value.d < 1) tos->value.d = 1; l_minsane = (int)tos->value.d; @@ -2097,7 +2211,6 @@ config_tos( /* -*- phase two: forward the values to the protocol machinery */ tos = HEAD_PFIFO(ptree->orphan_cmds); for (; tos != NULL; tos = tos->link) { - val = tos->value.d; switch(tos->attr) { default: @@ -2150,8 +2263,11 @@ config_tos( case T_Beacon: item = PROTO_BEACON; break; + + case T_Basedate: + continue; /* SKIP proto-config for this! */ } - proto_config(item, 0, val, NULL); + proto_config(item, 0, tos->value.d, NULL); } } @@ -2348,7 +2464,7 @@ config_access( static int warned_signd; attr_val * my_opt; restrict_node * my_node; - int_node * curr_flag; + int_node * curr_tok_fifo; sockaddr_u addr; sockaddr_u mask; struct addrinfo hints; @@ -2356,8 +2472,9 @@ config_access( struct addrinfo * pai; int rc; int restrict_default; - u_short flags; + u_short rflags; u_short mflags; + short ippeerlimit; int range_err; const char * signd_warning = #ifdef HAVE_NTP_SIGND @@ -2476,17 +2593,23 @@ config_access( /* Configure the restrict options */ my_node = HEAD_PFIFO(ptree->restrict_opts); + for (; my_node != NULL; my_node = my_node->link) { + /* Grab the ippeerlmit */ + ippeerlimit = my_node->ippeerlimit; + +DPRINTF(1, ("config_access: top-level node %p: ippeerlimit %d\n", my_node, ippeerlimit)); + /* Parse the flags */ - flags = 0; + rflags = 0; mflags = 0; - curr_flag = HEAD_PFIFO(my_node->flags); - for (; curr_flag != NULL; curr_flag = curr_flag->link) { - switch (curr_flag->i) { + curr_tok_fifo = HEAD_PFIFO(my_node->flag_tok_fifo); + for (; curr_tok_fifo != NULL; curr_tok_fifo = curr_tok_fifo->link) { + switch (curr_tok_fifo->i) { default: - fatal_error("config-access: flag-type-token=%d", curr_flag->i); + fatal_error("config_access: flag-type-token=%d", curr_tok_fifo->i); case T_Ntpport: mflags |= RESM_NTPONLY; @@ -2497,71 +2620,75 @@ config_access( break; case T_Flake: - flags |= RES_FLAKE; + rflags |= RES_FLAKE; break; case T_Ignore: - flags |= RES_IGNORE; + rflags |= RES_IGNORE; break; case T_Kod: - flags |= RES_KOD; + rflags |= RES_KOD; break; case T_Mssntp: - flags |= RES_MSSNTP; + rflags |= RES_MSSNTP; break; case T_Limited: - flags |= RES_LIMITED; + rflags |= RES_LIMITED; break; case T_Lowpriotrap: - flags |= RES_LPTRAP; + rflags |= RES_LPTRAP; break; case T_Nomodify: - flags |= RES_NOMODIFY; + rflags |= RES_NOMODIFY; break; case T_Nomrulist: - flags |= RES_NOMRULIST; + rflags |= RES_NOMRULIST; + break; + + case T_Noepeer: + rflags |= RES_NOEPEER; break; case T_Nopeer: - flags |= RES_NOPEER; + rflags |= RES_NOPEER; break; case T_Noquery: - flags |= RES_NOQUERY; + rflags |= RES_NOQUERY; break; case T_Noserve: - flags |= RES_DONTSERVE; + rflags |= RES_DONTSERVE; break; case T_Notrap: - flags |= RES_NOTRAP; + rflags |= RES_NOTRAP; break; case T_Notrust: - flags |= RES_DONTTRUST; + rflags |= RES_DONTTRUST; break; case T_Version: - flags |= RES_VERSION; + rflags |= RES_VERSION; break; } } - if ((RES_MSSNTP & flags) && !warned_signd) { + if ((RES_MSSNTP & rflags) && !warned_signd) { warned_signd = 1; fprintf(stderr, "%s\n", signd_warning); msyslog(LOG_WARNING, "%s", signd_warning); } /* It would be swell if we could identify the line number */ - if ((RES_KOD & flags) && !(RES_LIMITED & flags)) { + if ((RES_KOD & rflags) && !(RES_LIMITED & rflags)) { const char *kod_where = (my_node->addr) ? my_node->addr->address : (mflags & RESM_SOURCE) @@ -2589,10 +2716,10 @@ config_access( restrict_default = 1; } else { /* apply "restrict source ..." */ - DPRINTF(1, ("restrict source template mflags %x flags %x\n", - mflags, flags)); - hack_restrict(RESTRICT_FLAGS, NULL, - NULL, mflags, flags, 0); + DPRINTF(1, ("restrict source template ippeerlimit %d mflags %x rflags %x\n", + ippeerlimit, mflags, rflags)); + hack_restrict(RESTRICT_FLAGS, NULL, NULL, + ippeerlimit, mflags, rflags, 0); continue; } } else { @@ -2661,15 +2788,15 @@ config_access( if (restrict_default) { AF(&addr) = AF_INET; AF(&mask) = AF_INET; - hack_restrict(RESTRICT_FLAGS, &addr, - &mask, mflags, flags, 0); + hack_restrict(RESTRICT_FLAGS, &addr, &mask, + ippeerlimit, mflags, rflags, 0); AF(&addr) = AF_INET6; AF(&mask) = AF_INET6; } do { - hack_restrict(RESTRICT_FLAGS, &addr, - &mask, mflags, flags, 0); + hack_restrict(RESTRICT_FLAGS, &addr, &mask, + ippeerlimit, mflags, rflags, 0); if (pai != NULL && NULL != (pai = pai->ai_next)) { INSIST(pai->ai_addr != NULL); @@ -2720,6 +2847,9 @@ config_rlimit( case T_Memlock: /* What if we HAVE_OPT(SAVECONFIGQUIT) ? */ + if (HAVE_OPT( SAVECONFIGQUIT )) { + break; + } if (rlimit_av->value.i == -1) { # if defined(HAVE_MLOCKALL) if (cur_memlock != 0) { @@ -3006,17 +3136,17 @@ apply_enable_disable( int enable ) { - attr_val *curr_flag; + attr_val *curr_tok_fifo; int option; #ifdef BC_LIST_FRAMEWORK_NOT_YET_USED bc_entry *pentry; #endif - for (curr_flag = HEAD_PFIFO(fifo); - curr_flag != NULL; - curr_flag = curr_flag->link) { + for (curr_tok_fifo = HEAD_PFIFO(fifo); + curr_tok_fifo != NULL; + curr_tok_fifo = curr_tok_fifo->link) { - option = curr_flag->value.i; + option = curr_tok_fifo->value.i; switch (option) { default: @@ -3851,6 +3981,9 @@ config_peers( * If we have a numeric address, we can safely * proceed in the mainline with it. Otherwise, hand * the hostname off to the blocking child. + * + * Note that if we're told to add the peer here, we + * do that regardless of ippeerlimit. */ if (is_ip_address(*cmdline_servers, AF_UNSPEC, &peeraddr)) { @@ -3862,6 +3995,7 @@ config_peers( &peeraddr, NULL, NULL, + -1, MODE_CLIENT, NTP_VERSION, 0, @@ -3912,6 +4046,7 @@ config_peers( &peeraddr, curr_peer->addr->address, NULL, + -1, hmode, curr_peer->peerversion, curr_peer->minpoll, @@ -3935,6 +4070,7 @@ config_peers( &peeraddr, NULL, NULL, + -1, hmode, curr_peer->peerversion, curr_peer->minpoll, @@ -4035,6 +4171,7 @@ peer_name_resolved( &peeraddr, NULL, NULL, + -1, ctx->hmode, ctx->version, ctx->minpoll, @@ -4113,7 +4250,7 @@ config_unpeers( if (rc > 0) { DPRINTF(1, ("unpeer: searching for %s\n", stoa(&peeraddr))); - p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0); + p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL); if (p != NULL) { msyslog(LOG_NOTICE, "unpeered %s", stoa(&peeraddr)); @@ -4193,7 +4330,7 @@ unpeer_name_resolved( memcpy(&peeraddr, res->ai_addr, res->ai_addrlen); DPRINTF(1, ("unpeer: searching for peer %s\n", stoa(&peeraddr))); - peer = findexistingpeer(&peeraddr, NULL, NULL, -1, 0); + peer = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL); if (peer != NULL) { af = AF(&peeraddr); fam_spec = (AF_INET6 == af) @@ -4420,6 +4557,15 @@ config_ntpd( int/*BOOL*/ input_from_files ) { + /* [Bug 3435] check and esure clock sanity if configured from + * file and clock sanity parameters (-> basedate) are given. Do + * this ASAP, so we don't disturb the closed loop controller. + */ + if (input_from_files) { + if (config_tos_clock(ptree)) + clamp_systime(); + } + config_nic_rules(ptree, input_from_files); config_monitor(ptree); config_auth(ptree); @@ -4444,6 +4590,12 @@ config_ntpd( config_fudge(ptree); config_reset_counters(ptree); +#ifdef DEBUG + if (debug > 1) { + dump_restricts(); + } +#endif + #ifdef TEST_BLOCKING_WORKER { struct addrinfo hints; @@ -5043,6 +5195,9 @@ ntp_rlimit( switch (rl_what) { # ifdef RLIMIT_MEMLOCK case RLIMIT_MEMLOCK: + if (HAVE_OPT( SAVECONFIGQUIT )) { + break; + } /* * The default RLIMIT_MEMLOCK is very low on Linux systems. * Unless we increase this limit malloc calls are likely to @@ -5104,3 +5259,217 @@ ntp_rlimit( } } #endif /* HAVE_SETRLIMIT */ + + +char * +build_iflags(u_int32 iflags) +{ + static char ifs[1024]; + + ifs[0] = '\0'; + + if (iflags & INT_UP) { + iflags &= ~INT_UP; + appendstr(ifs, sizeof ifs, "up"); + } + + if (iflags & INT_PPP) { + iflags &= ~INT_PPP; + appendstr(ifs, sizeof ifs, "ppp"); + } + + if (iflags & INT_LOOPBACK) { + iflags &= ~INT_LOOPBACK; + appendstr(ifs, sizeof ifs, "loopback"); + } + + if (iflags & INT_BROADCAST) { + iflags &= ~INT_BROADCAST; + appendstr(ifs, sizeof ifs, "broadcast"); + } + + if (iflags & INT_MULTICAST) { + iflags &= ~INT_MULTICAST; + appendstr(ifs, sizeof ifs, "multicast"); + } + + if (iflags & INT_BCASTOPEN) { + iflags &= ~INT_BCASTOPEN; + appendstr(ifs, sizeof ifs, "bcastopen"); + } + + if (iflags & INT_MCASTOPEN) { + iflags &= ~INT_MCASTOPEN; + appendstr(ifs, sizeof ifs, "mcastopen"); + } + + if (iflags & INT_WILDCARD) { + iflags &= ~INT_WILDCARD; + appendstr(ifs, sizeof ifs, "wildcard"); + } + + if (iflags & INT_MCASTIF) { + iflags &= ~INT_MCASTIF; + appendstr(ifs, sizeof ifs, "MCASTif"); + } + + if (iflags & INT_PRIVACY) { + iflags &= ~INT_PRIVACY; + appendstr(ifs, sizeof ifs, "IPv6privacy"); + } + + if (iflags & INT_BCASTXMIT) { + iflags &= ~INT_BCASTXMIT; + appendstr(ifs, sizeof ifs, "bcastxmit"); + } + + if (iflags) { + char string[10]; + + snprintf(string, sizeof string, "%0x", iflags); + appendstr(ifs, sizeof ifs, string); + } + + return ifs; +} + + +char * +build_mflags(u_short mflags) +{ + static char mfs[1024]; + + mfs[0] = '\0'; + + if (mflags & RESM_NTPONLY) { + mflags &= ~RESM_NTPONLY; + appendstr(mfs, sizeof mfs, "ntponly"); + } + + if (mflags & RESM_SOURCE) { + mflags &= ~RESM_SOURCE; + appendstr(mfs, sizeof mfs, "source"); + } + + if (mflags) { + char string[10]; + + snprintf(string, sizeof string, "%0x", mflags); + appendstr(mfs, sizeof mfs, string); + } + + return mfs; +} + + +char * +build_rflags(u_short rflags) +{ + static char rfs[1024]; + + rfs[0] = '\0'; + + if (rflags & RES_FLAKE) { + rflags &= ~RES_FLAKE; + appendstr(rfs, sizeof rfs, "flake"); + } + + if (rflags & RES_IGNORE) { + rflags &= ~RES_IGNORE; + appendstr(rfs, sizeof rfs, "ignore"); + } + + if (rflags & RES_KOD) { + rflags &= ~RES_KOD; + appendstr(rfs, sizeof rfs, "kod"); + } + + if (rflags & RES_MSSNTP) { + rflags &= ~RES_MSSNTP; + appendstr(rfs, sizeof rfs, "mssntp"); + } + + if (rflags & RES_LIMITED) { + rflags &= ~RES_LIMITED; + appendstr(rfs, sizeof rfs, "limited"); + } + + if (rflags & RES_LPTRAP) { + rflags &= ~RES_LPTRAP; + appendstr(rfs, sizeof rfs, "lptrap"); + } + + if (rflags & RES_NOMODIFY) { + rflags &= ~RES_NOMODIFY; + appendstr(rfs, sizeof rfs, "nomodify"); + } + + if (rflags & RES_NOMRULIST) { + rflags &= ~RES_NOMRULIST; + appendstr(rfs, sizeof rfs, "nomrulist"); + } + + if (rflags & RES_NOEPEER) { + rflags &= ~RES_NOEPEER; + appendstr(rfs, sizeof rfs, "noepeer"); + } + + if (rflags & RES_NOPEER) { + rflags &= ~RES_NOPEER; + appendstr(rfs, sizeof rfs, "nopeer"); + } + + if (rflags & RES_NOQUERY) { + rflags &= ~RES_NOQUERY; + appendstr(rfs, sizeof rfs, "noquery"); + } + + if (rflags & RES_DONTSERVE) { + rflags &= ~RES_DONTSERVE; + appendstr(rfs, sizeof rfs, "dontserve"); + } + + if (rflags & RES_NOTRAP) { + rflags &= ~RES_NOTRAP; + appendstr(rfs, sizeof rfs, "notrap"); + } + + if (rflags & RES_DONTTRUST) { + rflags &= ~RES_DONTTRUST; + appendstr(rfs, sizeof rfs, "notrust"); + } + + if (rflags & RES_VERSION) { + rflags &= ~RES_VERSION; + appendstr(rfs, sizeof rfs, "version"); + } + + if (rflags) { + char string[10]; + + snprintf(string, sizeof string, "%0x", rflags); + appendstr(rfs, sizeof rfs, string); + } + + if ('\0' == rfs[0]) { + appendstr(rfs, sizeof rfs, "(none)"); + } + + return rfs; +} + + +static void +appendstr( + char *string, + size_t s, + char *new + ) +{ + if (*string != '\0') { + (void)strlcat(string, ",", s); + } + (void)strlcat(string, new, s); + + return; +} diff --git a/contrib/ntp/ntpd/ntp_control.c b/contrib/ntp/ntpd/ntp_control.c index a18a4d3..d98f6aa 100644 --- a/contrib/ntp/ntpd/ntp_control.c +++ b/contrib/ntp/ntpd/ntp_control.c @@ -176,56 +176,58 @@ static const struct ctl_proc control_codes[] = { #define CS_SS_LIMITED 41 #define CS_SS_KODSENT 42 #define CS_SS_PROCESSED 43 -#define CS_PEERADR 44 -#define CS_PEERMODE 45 -#define CS_BCASTDELAY 46 -#define CS_AUTHDELAY 47 -#define CS_AUTHKEYS 48 -#define CS_AUTHFREEK 49 -#define CS_AUTHKLOOKUPS 50 -#define CS_AUTHKNOTFOUND 51 -#define CS_AUTHKUNCACHED 52 -#define CS_AUTHKEXPIRED 53 -#define CS_AUTHENCRYPTS 54 -#define CS_AUTHDECRYPTS 55 -#define CS_AUTHRESET 56 -#define CS_K_OFFSET 57 -#define CS_K_FREQ 58 -#define CS_K_MAXERR 59 -#define CS_K_ESTERR 60 -#define CS_K_STFLAGS 61 -#define CS_K_TIMECONST 62 -#define CS_K_PRECISION 63 -#define CS_K_FREQTOL 64 -#define CS_K_PPS_FREQ 65 -#define CS_K_PPS_STABIL 66 -#define CS_K_PPS_JITTER 67 -#define CS_K_PPS_CALIBDUR 68 -#define CS_K_PPS_CALIBS 69 -#define CS_K_PPS_CALIBERRS 70 -#define CS_K_PPS_JITEXC 71 -#define CS_K_PPS_STBEXC 72 +#define CS_SS_LAMPORT 44 +#define CS_SS_TSROUNDING 45 +#define CS_PEERADR 46 +#define CS_PEERMODE 47 +#define CS_BCASTDELAY 48 +#define CS_AUTHDELAY 49 +#define CS_AUTHKEYS 50 +#define CS_AUTHFREEK 51 +#define CS_AUTHKLOOKUPS 52 +#define CS_AUTHKNOTFOUND 53 +#define CS_AUTHKUNCACHED 54 +#define CS_AUTHKEXPIRED 55 +#define CS_AUTHENCRYPTS 56 +#define CS_AUTHDECRYPTS 57 +#define CS_AUTHRESET 58 +#define CS_K_OFFSET 59 +#define CS_K_FREQ 60 +#define CS_K_MAXERR 61 +#define CS_K_ESTERR 62 +#define CS_K_STFLAGS 63 +#define CS_K_TIMECONST 64 +#define CS_K_PRECISION 65 +#define CS_K_FREQTOL 66 +#define CS_K_PPS_FREQ 67 +#define CS_K_PPS_STABIL 68 +#define CS_K_PPS_JITTER 69 +#define CS_K_PPS_CALIBDUR 70 +#define CS_K_PPS_CALIBS 71 +#define CS_K_PPS_CALIBERRS 72 +#define CS_K_PPS_JITEXC 73 +#define CS_K_PPS_STBEXC 74 #define CS_KERN_FIRST CS_K_OFFSET #define CS_KERN_LAST CS_K_PPS_STBEXC -#define CS_IOSTATS_RESET 73 -#define CS_TOTAL_RBUF 74 -#define CS_FREE_RBUF 75 -#define CS_USED_RBUF 76 -#define CS_RBUF_LOWATER 77 -#define CS_IO_DROPPED 78 -#define CS_IO_IGNORED 79 -#define CS_IO_RECEIVED 80 -#define CS_IO_SENT 81 -#define CS_IO_SENDFAILED 82 -#define CS_IO_WAKEUPS 83 -#define CS_IO_GOODWAKEUPS 84 -#define CS_TIMERSTATS_RESET 85 -#define CS_TIMER_OVERRUNS 86 -#define CS_TIMER_XMTS 87 -#define CS_FUZZ 88 -#define CS_WANDER_THRESH 89 -#define CS_LEAPSMEARINTV 90 -#define CS_LEAPSMEAROFFS 91 +#define CS_IOSTATS_RESET 75 +#define CS_TOTAL_RBUF 76 +#define CS_FREE_RBUF 77 +#define CS_USED_RBUF 78 +#define CS_RBUF_LOWATER 79 +#define CS_IO_DROPPED 80 +#define CS_IO_IGNORED 81 +#define CS_IO_RECEIVED 82 +#define CS_IO_SENT 83 +#define CS_IO_SENDFAILED 84 +#define CS_IO_WAKEUPS 85 +#define CS_IO_GOODWAKEUPS 86 +#define CS_TIMERSTATS_RESET 87 +#define CS_TIMER_OVERRUNS 88 +#define CS_TIMER_XMTS 89 +#define CS_FUZZ 90 +#define CS_WANDER_THRESH 91 +#define CS_LEAPSMEARINTV 92 +#define CS_LEAPSMEAROFFS 93 #define CS_MAX_NOAUTOKEY CS_LEAPSMEAROFFS #ifdef AUTOKEY #define CS_FLAGS (1 + CS_MAX_NOAUTOKEY) @@ -376,55 +378,57 @@ static const struct ctl_var sys_var[] = { { CS_SS_LIMITED, RO, "ss_limited" }, /* 41 */ { CS_SS_KODSENT, RO, "ss_kodsent" }, /* 42 */ { CS_SS_PROCESSED, RO, "ss_processed" }, /* 43 */ - { CS_PEERADR, RO, "peeradr" }, /* 44 */ - { CS_PEERMODE, RO, "peermode" }, /* 45 */ - { CS_BCASTDELAY, RO, "bcastdelay" }, /* 46 */ - { CS_AUTHDELAY, RO, "authdelay" }, /* 47 */ - { CS_AUTHKEYS, RO, "authkeys" }, /* 48 */ - { CS_AUTHFREEK, RO, "authfreek" }, /* 49 */ - { CS_AUTHKLOOKUPS, RO, "authklookups" }, /* 50 */ - { CS_AUTHKNOTFOUND, RO, "authknotfound" }, /* 51 */ - { CS_AUTHKUNCACHED, RO, "authkuncached" }, /* 52 */ - { CS_AUTHKEXPIRED, RO, "authkexpired" }, /* 53 */ - { CS_AUTHENCRYPTS, RO, "authencrypts" }, /* 54 */ - { CS_AUTHDECRYPTS, RO, "authdecrypts" }, /* 55 */ - { CS_AUTHRESET, RO, "authreset" }, /* 56 */ - { CS_K_OFFSET, RO, "koffset" }, /* 57 */ - { CS_K_FREQ, RO, "kfreq" }, /* 58 */ - { CS_K_MAXERR, RO, "kmaxerr" }, /* 59 */ - { CS_K_ESTERR, RO, "kesterr" }, /* 60 */ - { CS_K_STFLAGS, RO, "kstflags" }, /* 61 */ - { CS_K_TIMECONST, RO, "ktimeconst" }, /* 62 */ - { CS_K_PRECISION, RO, "kprecis" }, /* 63 */ - { CS_K_FREQTOL, RO, "kfreqtol" }, /* 64 */ - { CS_K_PPS_FREQ, RO, "kppsfreq" }, /* 65 */ - { CS_K_PPS_STABIL, RO, "kppsstab" }, /* 66 */ - { CS_K_PPS_JITTER, RO, "kppsjitter" }, /* 67 */ - { CS_K_PPS_CALIBDUR, RO, "kppscalibdur" }, /* 68 */ - { CS_K_PPS_CALIBS, RO, "kppscalibs" }, /* 69 */ - { CS_K_PPS_CALIBERRS, RO, "kppscaliberrs" }, /* 70 */ - { CS_K_PPS_JITEXC, RO, "kppsjitexc" }, /* 71 */ - { CS_K_PPS_STBEXC, RO, "kppsstbexc" }, /* 72 */ - { CS_IOSTATS_RESET, RO, "iostats_reset" }, /* 73 */ - { CS_TOTAL_RBUF, RO, "total_rbuf" }, /* 74 */ - { CS_FREE_RBUF, RO, "free_rbuf" }, /* 75 */ - { CS_USED_RBUF, RO, "used_rbuf" }, /* 76 */ - { CS_RBUF_LOWATER, RO, "rbuf_lowater" }, /* 77 */ - { CS_IO_DROPPED, RO, "io_dropped" }, /* 78 */ - { CS_IO_IGNORED, RO, "io_ignored" }, /* 79 */ - { CS_IO_RECEIVED, RO, "io_received" }, /* 80 */ - { CS_IO_SENT, RO, "io_sent" }, /* 81 */ - { CS_IO_SENDFAILED, RO, "io_sendfailed" }, /* 82 */ - { CS_IO_WAKEUPS, RO, "io_wakeups" }, /* 83 */ - { CS_IO_GOODWAKEUPS, RO, "io_goodwakeups" }, /* 84 */ - { CS_TIMERSTATS_RESET, RO, "timerstats_reset" },/* 85 */ - { CS_TIMER_OVERRUNS, RO, "timer_overruns" }, /* 86 */ - { CS_TIMER_XMTS, RO, "timer_xmts" }, /* 87 */ - { CS_FUZZ, RO, "fuzz" }, /* 88 */ - { CS_WANDER_THRESH, RO, "clk_wander_threshold" }, /* 89 */ - - { CS_LEAPSMEARINTV, RO, "leapsmearinterval" }, /* 90 */ - { CS_LEAPSMEAROFFS, RO, "leapsmearoffset" }, /* 91 */ + { CS_SS_LAMPORT, RO, "ss_lamport" }, /* 44 */ + { CS_SS_TSROUNDING, RO, "ss_tsrounding" }, /* 45 */ + { CS_PEERADR, RO, "peeradr" }, /* 46 */ + { CS_PEERMODE, RO, "peermode" }, /* 47 */ + { CS_BCASTDELAY, RO, "bcastdelay" }, /* 48 */ + { CS_AUTHDELAY, RO, "authdelay" }, /* 49 */ + { CS_AUTHKEYS, RO, "authkeys" }, /* 50 */ + { CS_AUTHFREEK, RO, "authfreek" }, /* 51 */ + { CS_AUTHKLOOKUPS, RO, "authklookups" }, /* 52 */ + { CS_AUTHKNOTFOUND, RO, "authknotfound" }, /* 53 */ + { CS_AUTHKUNCACHED, RO, "authkuncached" }, /* 54 */ + { CS_AUTHKEXPIRED, RO, "authkexpired" }, /* 55 */ + { CS_AUTHENCRYPTS, RO, "authencrypts" }, /* 56 */ + { CS_AUTHDECRYPTS, RO, "authdecrypts" }, /* 57 */ + { CS_AUTHRESET, RO, "authreset" }, /* 58 */ + { CS_K_OFFSET, RO, "koffset" }, /* 59 */ + { CS_K_FREQ, RO, "kfreq" }, /* 60 */ + { CS_K_MAXERR, RO, "kmaxerr" }, /* 61 */ + { CS_K_ESTERR, RO, "kesterr" }, /* 62 */ + { CS_K_STFLAGS, RO, "kstflags" }, /* 63 */ + { CS_K_TIMECONST, RO, "ktimeconst" }, /* 64 */ + { CS_K_PRECISION, RO, "kprecis" }, /* 65 */ + { CS_K_FREQTOL, RO, "kfreqtol" }, /* 66 */ + { CS_K_PPS_FREQ, RO, "kppsfreq" }, /* 67 */ + { CS_K_PPS_STABIL, RO, "kppsstab" }, /* 68 */ + { CS_K_PPS_JITTER, RO, "kppsjitter" }, /* 69 */ + { CS_K_PPS_CALIBDUR, RO, "kppscalibdur" }, /* 70 */ + { CS_K_PPS_CALIBS, RO, "kppscalibs" }, /* 71 */ + { CS_K_PPS_CALIBERRS, RO, "kppscaliberrs" }, /* 72 */ + { CS_K_PPS_JITEXC, RO, "kppsjitexc" }, /* 73 */ + { CS_K_PPS_STBEXC, RO, "kppsstbexc" }, /* 74 */ + { CS_IOSTATS_RESET, RO, "iostats_reset" }, /* 75 */ + { CS_TOTAL_RBUF, RO, "total_rbuf" }, /* 76 */ + { CS_FREE_RBUF, RO, "free_rbuf" }, /* 77 */ + { CS_USED_RBUF, RO, "used_rbuf" }, /* 78 */ + { CS_RBUF_LOWATER, RO, "rbuf_lowater" }, /* 79 */ + { CS_IO_DROPPED, RO, "io_dropped" }, /* 80 */ + { CS_IO_IGNORED, RO, "io_ignored" }, /* 81 */ + { CS_IO_RECEIVED, RO, "io_received" }, /* 82 */ + { CS_IO_SENT, RO, "io_sent" }, /* 83 */ + { CS_IO_SENDFAILED, RO, "io_sendfailed" }, /* 84 */ + { CS_IO_WAKEUPS, RO, "io_wakeups" }, /* 85 */ + { CS_IO_GOODWAKEUPS, RO, "io_goodwakeups" }, /* 86 */ + { CS_TIMERSTATS_RESET, RO, "timerstats_reset" },/* 87 */ + { CS_TIMER_OVERRUNS, RO, "timer_overruns" }, /* 88 */ + { CS_TIMER_XMTS, RO, "timer_xmts" }, /* 89 */ + { CS_FUZZ, RO, "fuzz" }, /* 90 */ + { CS_WANDER_THRESH, RO, "clk_wander_threshold" }, /* 91 */ + + { CS_LEAPSMEARINTV, RO, "leapsmearinterval" }, /* 92 */ + { CS_LEAPSMEAROFFS, RO, "leapsmearoffset" }, /* 93 */ #ifdef AUTOKEY { CS_FLAGS, RO, "flags" }, /* 1 + CS_MAX_NOAUTOKEY */ @@ -436,7 +440,7 @@ static const struct ctl_var sys_var[] = { { CS_IDENT, RO, "ident" }, /* 7 + CS_MAX_NOAUTOKEY */ { CS_DIGEST, RO, "digest" }, /* 8 + CS_MAX_NOAUTOKEY */ #endif /* AUTOKEY */ - { 0, EOV, "" } /* 87/95 */ + { 0, EOV, "" } /* 94/102 */ }; static struct ctl_var *ext_sys_var = NULL; @@ -1264,7 +1268,7 @@ process_control( rbufp->recv_length, properlen, res_keyid, maclen)); - if (!authistrusted(res_keyid)) + if (!authistrustedip(res_keyid, &rbufp->recv_srcadr)) DPRINTF(3, ("invalid keyid %08x\n", res_keyid)); else if (authdecrypt(res_keyid, (u_int32 *)pkt, rbufp->recv_length - maclen, @@ -1472,28 +1476,46 @@ ctl_flushpkt( } -/* - * ctl_putdata - write data into the packet, fragmenting and starting - * another if this one is full. +/* -------------------------------------------------------------------- + * block transfer API -- stream string/data fragments into xmit buffer + * without additional copying + */ + +/* buffer descriptor: address & size of fragment + * 'buf' may only be NULL when 'len' is zero! */ +typedef struct { + const void *buf; + size_t len; +} CtlMemBufT; + +/* put ctl data in a gather-style operation */ static void -ctl_putdata( - const char *dp, - unsigned int dlen, - int bin /* set to 1 when data is binary */ +ctl_putdata_ex( + const CtlMemBufT * argv, + size_t argc, + int/*BOOL*/ bin /* set to 1 when data is binary */ ) { - int overhead; - unsigned int currentlen; + const char * src_ptr; + size_t src_len, cur_len, add_len, argi; - overhead = 0; - if (!bin) { + /* text / binary preprocessing, possibly create new linefeed */ + if (bin) { + add_len = 0; + } else { datanotbinflag = TRUE; - overhead = 3; + add_len = 3; + if (datasent) { *datapt++ = ','; datalinelen++; - if ((dlen + datalinelen + 1) >= MAXDATALINELEN) { + + /* sum up total length */ + for (argi = 0, src_len = 0; argi < argc; ++argi) + src_len += argv[argi].len; + /* possibly start a new line, assume no size_t overflow */ + if ((src_len + datalinelen + 1) >= MAXDATALINELEN) { *datapt++ = '\r'; *datapt++ = '\n'; datalinelen = 0; @@ -1504,31 +1526,56 @@ ctl_putdata( } } - /* - * Save room for trailing junk - */ - while (dlen + overhead + datapt > dataend) { - /* - * Not enough room in this one, flush it out. - */ - currentlen = MIN(dlen, (unsigned int)(dataend - datapt)); + /* now stream out all buffers */ + for (argi = 0; argi < argc; ++argi) { + src_ptr = argv[argi].buf; + src_len = argv[argi].len; - memcpy(datapt, dp, currentlen); + if ( ! (src_ptr && src_len)) + continue; - datapt += currentlen; - dp += currentlen; - dlen -= currentlen; - datalinelen += currentlen; + cur_len = (size_t)(dataend - datapt); + while ((src_len + add_len) > cur_len) { + /* Not enough room in this one, flush it out. */ + if (src_len < cur_len) + cur_len = src_len; + + memcpy(datapt, src_ptr, cur_len); + datapt += cur_len; + datalinelen += cur_len; + + src_ptr += cur_len; + src_len -= cur_len; + + ctl_flushpkt(CTL_MORE); + cur_len = (size_t)(dataend - datapt); + } - ctl_flushpkt(CTL_MORE); - } + memcpy(datapt, src_ptr, src_len); + datapt += src_len; + datalinelen += src_len; - memcpy(datapt, dp, dlen); - datapt += dlen; - datalinelen += dlen; - datasent = TRUE; + datasent = TRUE; + } } +/* + * ctl_putdata - write data into the packet, fragmenting and starting + * another if this one is full. + */ +static void +ctl_putdata( + const char *dp, + unsigned int dlen, + int bin /* set to 1 when data is binary */ + ) +{ + CtlMemBufT args[1]; + + args[0].buf = dp; + args[0].len = dlen; + ctl_putdata_ex(args, 1, bin); +} /* * ctl_putstr - write a tagged string into the response packet @@ -1546,16 +1593,21 @@ ctl_putstr( size_t len ) { - char buffer[512]; - int rc; - - INSIST(len < sizeof(buffer)); - if (len) - rc = snprintf(buffer, sizeof(buffer), "%s=\"%.*s\"", tag, (int)len, data); - else - rc = snprintf(buffer, sizeof(buffer), "%s", tag); - INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + CtlMemBufT args[4]; + + args[0].buf = tag; + args[0].len = strlen(tag); + if (data && len) { + args[1].buf = "=\""; + args[1].len = 2; + args[2].buf = data; + args[2].len = len; + args[3].buf = "\""; + args[3].len = 1; + ctl_putdata_ex(args, 4, FALSE); + } else { + ctl_putdata_ex(args, 1, FALSE); + } } @@ -1575,16 +1627,19 @@ ctl_putunqstr( size_t len ) { - char buffer[512]; - int rc; - - INSIST(len < sizeof(buffer)); - if (len) - rc = snprintf(buffer, sizeof(buffer), "%s=%.*s", tag, (int)len, data); - else - rc = snprintf(buffer, sizeof(buffer), "%s", tag); - INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + CtlMemBufT args[3]; + + args[0].buf = tag; + args[0].len = strlen(tag); + if (data && len) { + args[1].buf = "="; + args[1].len = 1; + args[2].buf = data; + args[2].len = len; + ctl_putdata_ex(args, 3, FALSE); + } else { + ctl_putdata_ex(args, 1, FALSE); + } } @@ -1599,14 +1654,14 @@ ctl_putdblf( double d ) { - char buffer[200]; + char buffer[40]; int rc; rc = snprintf(buffer, sizeof(buffer), - (use_f ? "%s=%.*f" : "%s=%.*g"), - tag, precision, d); + (use_f ? "%.*f" : "%.*g"), + precision, d); INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } /* @@ -1618,12 +1673,12 @@ ctl_putuint( u_long uval ) { - char buffer[200]; + char buffer[24]; /* needs to fit for 64 bits! */ int rc; - rc = snprintf(buffer, sizeof(buffer), "%s=%lu", tag, uval); + rc = snprintf(buffer, sizeof(buffer), "%lu", uval); INSIST(rc >= 0 && rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } /* @@ -1637,17 +1692,16 @@ ctl_putcal( const struct calendar *pcal ) { - char buffer[100]; + char buffer[16]; int rc; rc = snprintf(buffer, sizeof(buffer), - "%s=%04d%02d%02d%02d%02d", - tag, + "%04d%02d%02d%02d%02d", pcal->year, pcal->month, pcal->monthday, pcal->hour, pcal->minute ); INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } #endif @@ -1660,23 +1714,21 @@ ctl_putfs( tstamp_t uval ) { - char buffer[200]; - struct tm *tm = NULL; - time_t fstamp; - int rc; + char buffer[16]; + int rc; - fstamp = (time_t)uval - JAN_1970; - tm = gmtime(&fstamp); + time_t fstamp = (time_t)uval - JAN_1970; + struct tm *tm = gmtime(&fstamp); + if (NULL == tm) return; rc = snprintf(buffer, sizeof(buffer), - "%s=%04d%02d%02d%02d%02d", - tag, + "%04d%02d%02d%02d%02d", tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min); INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } @@ -1690,12 +1742,12 @@ ctl_puthex( u_long uval ) { - char buffer[200]; + char buffer[24]; /* must fit 64bit int! */ int rc; - rc = snprintf(buffer, sizeof(buffer), "%s=0x%lx", tag, uval); + rc = snprintf(buffer, sizeof(buffer), "0x%lx", uval); INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } @@ -1708,12 +1760,12 @@ ctl_putint( long ival ) { - char buffer[200]; + char buffer[24]; /*must fit 64bit int */ int rc; - rc = snprintf(buffer, sizeof(buffer), "%s=%ld", tag, ival); + rc = snprintf(buffer, sizeof(buffer), "%ld", ival); INSIST(rc >= 0 && rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } @@ -1726,14 +1778,14 @@ ctl_putts( l_fp *ts ) { - char buffer[200]; + char buffer[24]; int rc; rc = snprintf(buffer, sizeof(buffer), - "%s=0x%08lx.%08lx", - tag, (u_long)ts->l_ui, (u_long)ts->l_uf); + "0x%08lx.%08lx", + (u_long)ts->l_ui, (u_long)ts->l_uf); INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, buffer, rc); } @@ -1748,16 +1800,12 @@ ctl_putadr( ) { const char *cq; - char buffer[200]; - int rc; if (NULL == addr) cq = numtoa(addr32); else cq = stoa(addr); - rc = snprintf(buffer, sizeof(buffer), "%s=%s", tag, cq); - INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, 0); + ctl_putunqstr(tag, cq, strlen(cq)); } @@ -1770,8 +1818,7 @@ ctl_putrefid( u_int32 refid ) { - char buffer[128]; - int rc, i; + size_t nc; union { uint32_t w; @@ -1779,13 +1826,10 @@ ctl_putrefid( } bytes; bytes.w = refid; - for (i = 0; i < sizeof(bytes.b); ++i) - if (bytes.b[i] && !isprint(bytes.b[i])) - bytes.b[i] = '.'; - rc = snprintf(buffer, sizeof(buffer), "%s=%.*s", - tag, (int)sizeof(bytes.b), bytes.b); - INSIST(rc >= 0 && (size_t)rc < sizeof(buffer)); - ctl_putdata(buffer, (u_int)rc, FALSE); + for (nc = 0; nc < sizeof(bytes.b) && bytes.b[nc]; ++nc) + if (!isprint(bytes.b[nc])) + bytes.b[nc] = '.'; + ctl_putunqstr(tag, (const char*)bytes.b, nc); } @@ -1805,21 +1849,16 @@ ctl_putarray( cp = buffer; ep = buffer + sizeof(buffer); - - rc = snprintf(cp, (size_t)(ep - cp), "%s=", tag); - INSIST(rc >= 0 && rc < (ep - cp)); - cp += rc; - - i = start; + i = start; do { if (i == 0) i = NTP_SHIFT; i--; rc = snprintf(cp, (size_t)(ep - cp), " %.2f", arr[i] * 1e3); - INSIST(rc >= 0 && rc < (ep - cp)); + INSIST(rc >= 0 && (size_t)rc < (size_t)(ep - cp)); cp += rc; } while (i != start); - ctl_putdata(buffer, (u_int)(cp - buffer), 0); + ctl_putunqstr(tag, buffer, (size_t)(cp - buffer)); } /* @@ -2183,6 +2222,14 @@ ctl_putsys( ctl_putuint(sys_var[varid].text, sys_limitrejected); break; + case CS_SS_LAMPORT: + ctl_putuint(sys_var[varid].text, sys_lamport); + break; + + case CS_SS_TSROUNDING: + ctl_putuint(sys_var[varid].text, sys_tsrounding); + break; + case CS_SS_KODSENT: ctl_putuint(sys_var[varid].text, sys_kodsent); break; @@ -3095,7 +3142,9 @@ ctl_getitem( const char *sp1 = reqpt; const char *sp2 = v->text; - while ((sp1 != tp) && (*sp1 == *sp2)) { + /* [Bug 3412] do not compare past NUL byte in name */ + while ( (sp1 != tp) + && ('\0' != *sp2) && (*sp1 == *sp2)) { ++sp1; ++sp2; } @@ -3594,7 +3643,13 @@ static u_int32 derive_nonce( } ctx = EVP_MD_CTX_new(); +# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + /* [Bug 3457] set flags and don't kill them again */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(ctx, EVP_get_digestbynid(NID_md5), NULL); +# else EVP_DigestInit(ctx, EVP_get_digestbynid(NID_md5)); +# endif EVP_DigestUpdate(ctx, salt, sizeof(salt)); EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i)); EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f)); @@ -4373,6 +4428,7 @@ send_restrict_entry( while (sent[which]) which = (which + 1) % COUNTOF(sent); + /* XXX: Numbers? Really? */ switch (which) { case 0: @@ -4395,7 +4451,7 @@ send_restrict_entry( case 3: snprintf(tag, sizeof(tag), flags_fmt, idx); match_str = res_match_flags(pres->mflags); - access_str = res_access_flags(pres->flags); + access_str = res_access_flags(pres->rflags); if ('\0' == match_str[0]) { pch = access_str; } else { diff --git a/contrib/ntp/ntpd/ntp_crypto.c b/contrib/ntp/ntpd/ntp_crypto.c index 36b43cf..fd74222 100644 --- a/contrib/ntp/ntpd/ntp_crypto.c +++ b/contrib/ntp/ntpd/ntp_crypto.c @@ -268,7 +268,13 @@ session_key( break; } ctx = EVP_MD_CTX_new(); +# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + /* [Bug 3457] set flags and don't kill them again */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(ctx, EVP_get_digestbynid(crypto_nid), NULL); +# else EVP_DigestInit(ctx, EVP_get_digestbynid(crypto_nid)); +# endif EVP_DigestUpdate(ctx, (u_char *)header, hdlen); EVP_DigestFinal(ctx, dgst, &len); EVP_MD_CTX_free(ctx); @@ -2087,7 +2093,13 @@ bighash( ptr = emalloc(len); BN_bn2bin(bn, ptr); ctx = EVP_MD_CTX_new(); +# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW) + /* [Bug 3457] set flags and don't kill them again */ + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_DigestInit_ex(ctx, EVP_md5(), NULL); +# else EVP_DigestInit(ctx, EVP_md5()); +# endif EVP_DigestUpdate(ctx, ptr, len); EVP_DigestFinal(ctx, dgst, &len); EVP_MD_CTX_free(ctx); diff --git a/contrib/ntp/ntpd/ntp_io.c b/contrib/ntp/ntpd/ntp_io.c index fe62ec5..ed5f0dc 100644 --- a/contrib/ntp/ntpd/ntp_io.c +++ b/contrib/ntp/ntpd/ntp_io.c @@ -1043,7 +1043,7 @@ remove_interface( /* remove restrict interface entry */ SET_HOSTMASK(&resmask, AF(&ep->sin)); hack_restrict(RESTRICT_REMOVEIF, &ep->sin, &resmask, - RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); + -3, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); } @@ -1600,7 +1600,7 @@ set_wildcard_reuse( if (fd != INVALID_SOCKET) { if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, - (char *)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_ERR, "set_wildcard_reuse: setsockopt(SO_REUSEADDR, %s) failed: %m", on ? "on" : "off"); @@ -2093,7 +2093,7 @@ create_interface( */ SET_HOSTMASK(&resmask, AF(&iface->sin)); hack_restrict(RESTRICT_FLAGS, &iface->sin, &resmask, - RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); + -4, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0); /* * set globals with the first found @@ -2156,7 +2156,7 @@ set_excladdruse( #endif failed = setsockopt(fd, SOL_SOCKET, SO_EXCLUSIVEADDRUSE, - (char *)&one, sizeof(one)); + (void *)&one, sizeof(one)); if (!failed) return; @@ -2210,7 +2210,7 @@ set_reuseaddr( if (ep->fd != INVALID_SOCKET) { if (setsockopt(ep->fd, SOL_SOCKET, SO_REUSEADDR, - (char *)&flag, sizeof(flag))) { + (void *)&flag, sizeof(flag))) { msyslog(LOG_ERR, "set_reuseaddr: setsockopt(%s, SO_REUSEADDR, %s) failed: %m", stoa(&ep->sin), flag ? "on" : "off"); } @@ -2253,7 +2253,7 @@ socket_broadcast_enable( if (IS_IPV4(baddr)) { /* if this interface can support broadcast, set SO_BROADCAST */ if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST, - (char *)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_ERR, "setsockopt(SO_BROADCAST) enable failure on address %s: %m", stoa(baddr)); @@ -2284,7 +2284,7 @@ socket_broadcast_disable( int off = 0; /* This seems to be OK as an int */ if (IS_IPV4(baddr) && setsockopt(iface->fd, SOL_SOCKET, - SO_BROADCAST, (char *)&off, sizeof(off))) + SO_BROADCAST, (void *)&off, sizeof(off))) msyslog(LOG_ERR, "setsockopt(SO_BROADCAST) disable failure on address %s: %m", stoa(baddr)); @@ -2365,7 +2365,7 @@ enable_multicast_if( */ if (setsockopt(iface->fd, IPPROTO_IP, IP_MULTICAST_LOOP, - SETSOCKOPT_ARG_CAST &off, + (void *)&off, sizeof(off))) { msyslog(LOG_ERR, @@ -2384,7 +2384,7 @@ enable_multicast_if( */ if (setsockopt(iface->fd, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, - (char *) &off6, sizeof(off6))) { + (void *) &off6, sizeof(off6))) { msyslog(LOG_ERR, "setsockopt IPV6_MULTICAST_LOOP failed: %m on socket %d, addr %s for multicast address %s", @@ -2426,7 +2426,7 @@ socket_multicast_enable( if (setsockopt(iface->fd, IPPROTO_IP, IP_ADD_MEMBERSHIP, - (char *)&mreq, + (void *)&mreq, sizeof(mreq))) { DPRINTF(2, ( "setsockopt IP_ADD_MEMBERSHIP failed: %m on socket %d, addr %s for %x / %x (%s)", @@ -2456,7 +2456,7 @@ socket_multicast_enable( mreq6.ipv6mr_interface = iface->ifindex; if (setsockopt(iface->fd, IPPROTO_IPV6, - IPV6_JOIN_GROUP, (char *)&mreq6, + IPV6_JOIN_GROUP, (void *)&mreq6, sizeof(mreq6))) { DPRINTF(2, ( "setsockopt IPV6_JOIN_GROUP failed: %m on socket %d, addr %s for interface %u (%s)", @@ -2510,7 +2510,7 @@ socket_multicast_disable( mreq.imr_multiaddr = SOCK_ADDR4(maddr); mreq.imr_interface = SOCK_ADDR4(&iface->sin); if (setsockopt(iface->fd, IPPROTO_IP, - IP_DROP_MEMBERSHIP, (char *)&mreq, + IP_DROP_MEMBERSHIP, (void *)&mreq, sizeof(mreq))) { msyslog(LOG_ERR, @@ -2534,7 +2534,7 @@ socket_multicast_disable( mreq6.ipv6mr_interface = iface->ifindex; if (setsockopt(iface->fd, IPPROTO_IPV6, - IPV6_LEAVE_GROUP, (char *)&mreq6, + IPV6_LEAVE_GROUP, (void *)&mreq6, sizeof(mreq6))) { msyslog(LOG_ERR, @@ -2730,6 +2730,7 @@ io_multicast_add( if (ep->fd != INVALID_SOCKET) { ep->ignore_packets = ISC_FALSE; ep->flags |= INT_MCASTIF; + ep->ifindex = SCOPE(addr); strlcpy(ep->name, "multicast", sizeof(ep->name)); DPRINT_INTERFACE(2, (ep, "multicast add ", "\n")); @@ -2895,7 +2896,7 @@ open_socket( if (isc_win32os_versioncheck(5, 1, 0, 0) < 0) /* before 5.1 */ #endif if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, - (char *)((turn_off_reuse) + (void *)((turn_off_reuse) ? &off : &on), sizeof(on))) { @@ -2923,7 +2924,7 @@ open_socket( */ if (IS_IPV4(addr)) { #if defined(IPPROTO_IP) && defined(IP_TOS) - if (setsockopt(fd, IPPROTO_IP, IP_TOS, (char*)&qos, + if (setsockopt(fd, IPPROTO_IP, IP_TOS, (void *)&qos, sizeof(qos))) msyslog(LOG_ERR, "setsockopt IP_TOS (%02x) fails on address %s: %m", @@ -2938,7 +2939,7 @@ open_socket( */ if (IS_IPV6(addr)) { #if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS) - if (setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, (char*)&qos, + if (setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&qos, sizeof(qos))) msyslog(LOG_ERR, "setsockopt IPV6_TCLASS (%02x) fails on address %s: %m", @@ -2947,14 +2948,14 @@ open_socket( #ifdef IPV6_V6ONLY if (isc_net_probe_ipv6only() == ISC_R_SUCCESS && setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, - (char*)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_ERR, "setsockopt IPV6_V6ONLY on fails on address %s: %m", stoa(addr)); #endif #ifdef IPV6_BINDV6ONLY if (setsockopt(fd, IPPROTO_IPV6, IPV6_BINDV6ONLY, - (char*)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_ERR, "setsockopt IPV6_BINDV6ONLY on fails on address %s: %m", stoa(addr)); @@ -3006,7 +3007,7 @@ open_socket( #ifdef HAVE_TIMESTAMP { if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMP, - (char*)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_DEBUG, "setsockopt SO_TIMESTAMP on fails on address %s: %m", stoa(addr)); @@ -3018,7 +3019,7 @@ open_socket( #ifdef HAVE_TIMESTAMPNS { if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPNS, - (char*)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_DEBUG, "setsockopt SO_TIMESTAMPNS on fails on address %s: %m", stoa(addr)); @@ -3030,7 +3031,7 @@ open_socket( #ifdef HAVE_BINTIME { if (setsockopt(fd, SOL_SOCKET, SO_BINTIME, - (char*)&on, sizeof(on))) + (void *)&on, sizeof(on))) msyslog(LOG_DEBUG, "setsockopt SO_BINTIME on fails on address %s: %m", stoa(addr)); @@ -3091,6 +3092,7 @@ sendpkt( int cc; int rc; u_char cttl; + l_fp fp_zero = { 0, 0 }; ismcast = IS_MCAST(dest); if (!ismcast) @@ -3174,6 +3176,19 @@ sendpkt( if (ismcast) src = src->mclink; } while (ismcast && src != NULL); + + /* HMS: pkt->rootdisp is usually random here */ + record_raw_stats(src ? &src->sin : NULL, dest, + &pkt->org, &pkt->rec, &pkt->xmt, &fp_zero, + PKT_MODE(pkt->li_vn_mode), + PKT_VERSION(pkt->li_vn_mode), + PKT_LEAP(pkt->li_vn_mode), + pkt->stratum, + pkt->ppoll, pkt->precision, + pkt->rootdelay, pkt->rootdisp, pkt->refid, + len - MIN_V4_PKT_LEN, (u_char *)&pkt->exten); + + return; } @@ -3960,6 +3975,17 @@ findlocalinterface( DPRINTF(4, ("Finding interface for addr %s in list of addresses\n", stoa(addr))); + /* [Bug 3437] The dummy POOL peer comes in with an AF of + * zero. This is bound to fail, but on the way to nowhere it + * triggers a security incident on SELinux. + * + * Checking the condition and failing early is probably a good + * advice, and even saves us some syscalls in that case. + * Thanks to Miroslav Lichvar for finding this. + */ + if (AF_UNSPEC == AF(addr)) + return NULL; + s = socket(AF(addr), SOCK_DGRAM, 0); if (INVALID_SOCKET == s) return NULL; @@ -3972,7 +3998,7 @@ findlocalinterface( on = 1; if (SOCKET_ERROR == setsockopt(s, SOL_SOCKET, SO_BROADCAST, - (char *)&on, + (void *)&on, sizeof(on))) { closesocket(s); return NULL; diff --git a/contrib/ntp/ntpd/ntp_keyword.h b/contrib/ntp/ntpd/ntp_keyword.h index 57ec764..6638810 100644 --- a/contrib/ntp/ntpd/ntp_keyword.h +++ b/contrib/ntp/ntpd/ntp_keyword.h @@ -2,7 +2,7 @@ * ntp_keyword.h * * NOTE: edit this file with caution, it is generated by keyword-gen.c - * Generated 2016-11-09 11:39:28 UTC diff_ignore_line + * Generated 2018-01-14 03:53:33 UTC diff_ignore_line * */ #include "ntp_scanner.h" @@ -10,7 +10,7 @@ #define LOWEST_KEYWORD_ID 258 -const char * const keyword_text[196] = { +const char * const keyword_text[200] = { /* 0 258 T_Abbrev */ "abbrev", /* 1 259 T_Age */ "age", /* 2 260 T_All */ "all", @@ -20,203 +20,207 @@ const char * const keyword_text[196] = { /* 6 264 T_Autokey */ "autokey", /* 7 265 T_Automax */ "automax", /* 8 266 T_Average */ "average", - /* 9 267 T_Bclient */ "bclient", - /* 10 268 T_Bcpollbstep */ "bcpollbstep", - /* 11 269 T_Beacon */ "beacon", - /* 12 270 T_Broadcast */ "broadcast", - /* 13 271 T_Broadcastclient */ "broadcastclient", - /* 14 272 T_Broadcastdelay */ "broadcastdelay", - /* 15 273 T_Burst */ "burst", - /* 16 274 T_Calibrate */ "calibrate", - /* 17 275 T_Ceiling */ "ceiling", - /* 18 276 T_Clockstats */ "clockstats", - /* 19 277 T_Cohort */ "cohort", - /* 20 278 T_ControlKey */ "controlkey", - /* 21 279 T_Crypto */ "crypto", - /* 22 280 T_Cryptostats */ "cryptostats", - /* 23 281 T_Ctl */ "ctl", - /* 24 282 T_Day */ "day", - /* 25 283 T_Default */ "default", - /* 26 284 T_Digest */ "digest", - /* 27 285 T_Disable */ "disable", - /* 28 286 T_Discard */ "discard", - /* 29 287 T_Dispersion */ "dispersion", - /* 30 288 T_Double */ NULL, - /* 31 289 T_Driftfile */ "driftfile", - /* 32 290 T_Drop */ "drop", - /* 33 291 T_Dscp */ "dscp", - /* 34 292 T_Ellipsis */ "...", - /* 35 293 T_Enable */ "enable", - /* 36 294 T_End */ "end", - /* 37 295 T_False */ NULL, - /* 38 296 T_File */ "file", - /* 39 297 T_Filegen */ "filegen", - /* 40 298 T_Filenum */ "filenum", - /* 41 299 T_Flag1 */ "flag1", - /* 42 300 T_Flag2 */ "flag2", - /* 43 301 T_Flag3 */ "flag3", - /* 44 302 T_Flag4 */ "flag4", - /* 45 303 T_Flake */ "flake", - /* 46 304 T_Floor */ "floor", - /* 47 305 T_Freq */ "freq", - /* 48 306 T_Fudge */ "fudge", - /* 49 307 T_Host */ "host", - /* 50 308 T_Huffpuff */ "huffpuff", - /* 51 309 T_Iburst */ "iburst", - /* 52 310 T_Ident */ "ident", - /* 53 311 T_Ignore */ "ignore", - /* 54 312 T_Incalloc */ "incalloc", - /* 55 313 T_Incmem */ "incmem", - /* 56 314 T_Initalloc */ "initalloc", - /* 57 315 T_Initmem */ "initmem", - /* 58 316 T_Includefile */ "includefile", - /* 59 317 T_Integer */ NULL, - /* 60 318 T_Interface */ "interface", - /* 61 319 T_Intrange */ NULL, - /* 62 320 T_Io */ "io", - /* 63 321 T_Ipv4 */ "ipv4", - /* 64 322 T_Ipv4_flag */ "-4", - /* 65 323 T_Ipv6 */ "ipv6", - /* 66 324 T_Ipv6_flag */ "-6", - /* 67 325 T_Kernel */ "kernel", - /* 68 326 T_Key */ "key", - /* 69 327 T_Keys */ "keys", - /* 70 328 T_Keysdir */ "keysdir", - /* 71 329 T_Kod */ "kod", - /* 72 330 T_Mssntp */ "mssntp", - /* 73 331 T_Leapfile */ "leapfile", - /* 74 332 T_Leapsmearinterval */ "leapsmearinterval", - /* 75 333 T_Limited */ "limited", - /* 76 334 T_Link */ "link", - /* 77 335 T_Listen */ "listen", - /* 78 336 T_Logconfig */ "logconfig", - /* 79 337 T_Logfile */ "logfile", - /* 80 338 T_Loopstats */ "loopstats", - /* 81 339 T_Lowpriotrap */ "lowpriotrap", - /* 82 340 T_Manycastclient */ "manycastclient", - /* 83 341 T_Manycastserver */ "manycastserver", - /* 84 342 T_Mask */ "mask", - /* 85 343 T_Maxage */ "maxage", - /* 86 344 T_Maxclock */ "maxclock", - /* 87 345 T_Maxdepth */ "maxdepth", - /* 88 346 T_Maxdist */ "maxdist", - /* 89 347 T_Maxmem */ "maxmem", - /* 90 348 T_Maxpoll */ "maxpoll", - /* 91 349 T_Mdnstries */ "mdnstries", - /* 92 350 T_Mem */ "mem", - /* 93 351 T_Memlock */ "memlock", - /* 94 352 T_Minclock */ "minclock", - /* 95 353 T_Mindepth */ "mindepth", - /* 96 354 T_Mindist */ "mindist", - /* 97 355 T_Minimum */ "minimum", - /* 98 356 T_Minpoll */ "minpoll", - /* 99 357 T_Minsane */ "minsane", - /* 100 358 T_Mode */ "mode", - /* 101 359 T_Mode7 */ "mode7", - /* 102 360 T_Monitor */ "monitor", - /* 103 361 T_Month */ "month", - /* 104 362 T_Mru */ "mru", - /* 105 363 T_Multicastclient */ "multicastclient", - /* 106 364 T_Nic */ "nic", - /* 107 365 T_Nolink */ "nolink", - /* 108 366 T_Nomodify */ "nomodify", - /* 109 367 T_Nomrulist */ "nomrulist", - /* 110 368 T_None */ "none", - /* 111 369 T_Nonvolatile */ "nonvolatile", - /* 112 370 T_Nopeer */ "nopeer", - /* 113 371 T_Noquery */ "noquery", - /* 114 372 T_Noselect */ "noselect", - /* 115 373 T_Noserve */ "noserve", - /* 116 374 T_Notrap */ "notrap", - /* 117 375 T_Notrust */ "notrust", - /* 118 376 T_Ntp */ "ntp", - /* 119 377 T_Ntpport */ "ntpport", - /* 120 378 T_NtpSignDsocket */ "ntpsigndsocket", - /* 121 379 T_Orphan */ "orphan", - /* 122 380 T_Orphanwait */ "orphanwait", - /* 123 381 T_PCEdigest */ "peer_clear_digest_early", - /* 124 382 T_Panic */ "panic", - /* 125 383 T_Peer */ "peer", - /* 126 384 T_Peerstats */ "peerstats", - /* 127 385 T_Phone */ "phone", - /* 128 386 T_Pid */ "pid", - /* 129 387 T_Pidfile */ "pidfile", - /* 130 388 T_Pool */ "pool", - /* 131 389 T_Port */ "port", - /* 132 390 T_Preempt */ "preempt", - /* 133 391 T_Prefer */ "prefer", - /* 134 392 T_Protostats */ "protostats", - /* 135 393 T_Pw */ "pw", - /* 136 394 T_Randfile */ "randfile", - /* 137 395 T_Rawstats */ "rawstats", - /* 138 396 T_Refid */ "refid", - /* 139 397 T_Requestkey */ "requestkey", - /* 140 398 T_Reset */ "reset", - /* 141 399 T_Restrict */ "restrict", - /* 142 400 T_Revoke */ "revoke", - /* 143 401 T_Rlimit */ "rlimit", - /* 144 402 T_Saveconfigdir */ "saveconfigdir", - /* 145 403 T_Server */ "server", - /* 146 404 T_Setvar */ "setvar", - /* 147 405 T_Source */ "source", - /* 148 406 T_Stacksize */ "stacksize", - /* 149 407 T_Statistics */ "statistics", - /* 150 408 T_Stats */ "stats", - /* 151 409 T_Statsdir */ "statsdir", - /* 152 410 T_Step */ "step", - /* 153 411 T_Stepback */ "stepback", - /* 154 412 T_Stepfwd */ "stepfwd", - /* 155 413 T_Stepout */ "stepout", - /* 156 414 T_Stratum */ "stratum", - /* 157 415 T_String */ NULL, - /* 158 416 T_Sys */ "sys", - /* 159 417 T_Sysstats */ "sysstats", - /* 160 418 T_Tick */ "tick", - /* 161 419 T_Time1 */ "time1", - /* 162 420 T_Time2 */ "time2", - /* 163 421 T_Timer */ "timer", - /* 164 422 T_Timingstats */ "timingstats", - /* 165 423 T_Tinker */ "tinker", - /* 166 424 T_Tos */ "tos", - /* 167 425 T_Trap */ "trap", - /* 168 426 T_True */ "true", - /* 169 427 T_Trustedkey */ "trustedkey", - /* 170 428 T_Ttl */ "ttl", - /* 171 429 T_Type */ "type", - /* 172 430 T_U_int */ NULL, - /* 173 431 T_UEcrypto */ "unpeer_crypto_early", - /* 174 432 T_UEcryptonak */ "unpeer_crypto_nak_early", - /* 175 433 T_UEdigest */ "unpeer_digest_early", - /* 176 434 T_Unconfig */ "unconfig", - /* 177 435 T_Unpeer */ "unpeer", - /* 178 436 T_Version */ "version", - /* 179 437 T_WanderThreshold */ NULL, - /* 180 438 T_Week */ "week", - /* 181 439 T_Wildcard */ "wildcard", - /* 182 440 T_Xleave */ "xleave", - /* 183 441 T_Year */ "year", - /* 184 442 T_Flag */ NULL, - /* 185 443 T_EOC */ NULL, - /* 186 444 T_Simulate */ "simulate", - /* 187 445 T_Beep_Delay */ "beep_delay", - /* 188 446 T_Sim_Duration */ "simulation_duration", - /* 189 447 T_Server_Offset */ "server_offset", - /* 190 448 T_Duration */ "duration", - /* 191 449 T_Freq_Offset */ "freq_offset", - /* 192 450 T_Wander */ "wander", - /* 193 451 T_Jitter */ "jitter", - /* 194 452 T_Prop_Delay */ "prop_delay", - /* 195 453 T_Proc_Delay */ "proc_delay" + /* 9 267 T_Basedate */ "basedate", + /* 10 268 T_Bclient */ "bclient", + /* 11 269 T_Bcpollbstep */ "bcpollbstep", + /* 12 270 T_Beacon */ "beacon", + /* 13 271 T_Broadcast */ "broadcast", + /* 14 272 T_Broadcastclient */ "broadcastclient", + /* 15 273 T_Broadcastdelay */ "broadcastdelay", + /* 16 274 T_Burst */ "burst", + /* 17 275 T_Calibrate */ "calibrate", + /* 18 276 T_Ceiling */ "ceiling", + /* 19 277 T_Clockstats */ "clockstats", + /* 20 278 T_Cohort */ "cohort", + /* 21 279 T_ControlKey */ "controlkey", + /* 22 280 T_Crypto */ "crypto", + /* 23 281 T_Cryptostats */ "cryptostats", + /* 24 282 T_Ctl */ "ctl", + /* 25 283 T_Day */ "day", + /* 26 284 T_Default */ "default", + /* 27 285 T_Digest */ "digest", + /* 28 286 T_Disable */ "disable", + /* 29 287 T_Discard */ "discard", + /* 30 288 T_Dispersion */ "dispersion", + /* 31 289 T_Double */ NULL, + /* 32 290 T_Driftfile */ "driftfile", + /* 33 291 T_Drop */ "drop", + /* 34 292 T_Dscp */ "dscp", + /* 35 293 T_Ellipsis */ "...", + /* 36 294 T_Enable */ "enable", + /* 37 295 T_End */ "end", + /* 38 296 T_Epeer */ "epeer", + /* 39 297 T_False */ NULL, + /* 40 298 T_File */ "file", + /* 41 299 T_Filegen */ "filegen", + /* 42 300 T_Filenum */ "filenum", + /* 43 301 T_Flag1 */ "flag1", + /* 44 302 T_Flag2 */ "flag2", + /* 45 303 T_Flag3 */ "flag3", + /* 46 304 T_Flag4 */ "flag4", + /* 47 305 T_Flake */ "flake", + /* 48 306 T_Floor */ "floor", + /* 49 307 T_Freq */ "freq", + /* 50 308 T_Fudge */ "fudge", + /* 51 309 T_Host */ "host", + /* 52 310 T_Huffpuff */ "huffpuff", + /* 53 311 T_Iburst */ "iburst", + /* 54 312 T_Ident */ "ident", + /* 55 313 T_Ignore */ "ignore", + /* 56 314 T_Incalloc */ "incalloc", + /* 57 315 T_Incmem */ "incmem", + /* 58 316 T_Initalloc */ "initalloc", + /* 59 317 T_Initmem */ "initmem", + /* 60 318 T_Includefile */ "includefile", + /* 61 319 T_Integer */ NULL, + /* 62 320 T_Interface */ "interface", + /* 63 321 T_Intrange */ NULL, + /* 64 322 T_Io */ "io", + /* 65 323 T_Ippeerlimit */ "ippeerlimit", + /* 66 324 T_Ipv4 */ "ipv4", + /* 67 325 T_Ipv4_flag */ "-4", + /* 68 326 T_Ipv6 */ "ipv6", + /* 69 327 T_Ipv6_flag */ "-6", + /* 70 328 T_Kernel */ "kernel", + /* 71 329 T_Key */ "key", + /* 72 330 T_Keys */ "keys", + /* 73 331 T_Keysdir */ "keysdir", + /* 74 332 T_Kod */ "kod", + /* 75 333 T_Mssntp */ "mssntp", + /* 76 334 T_Leapfile */ "leapfile", + /* 77 335 T_Leapsmearinterval */ "leapsmearinterval", + /* 78 336 T_Limited */ "limited", + /* 79 337 T_Link */ "link", + /* 80 338 T_Listen */ "listen", + /* 81 339 T_Logconfig */ "logconfig", + /* 82 340 T_Logfile */ "logfile", + /* 83 341 T_Loopstats */ "loopstats", + /* 84 342 T_Lowpriotrap */ "lowpriotrap", + /* 85 343 T_Manycastclient */ "manycastclient", + /* 86 344 T_Manycastserver */ "manycastserver", + /* 87 345 T_Mask */ "mask", + /* 88 346 T_Maxage */ "maxage", + /* 89 347 T_Maxclock */ "maxclock", + /* 90 348 T_Maxdepth */ "maxdepth", + /* 91 349 T_Maxdist */ "maxdist", + /* 92 350 T_Maxmem */ "maxmem", + /* 93 351 T_Maxpoll */ "maxpoll", + /* 94 352 T_Mdnstries */ "mdnstries", + /* 95 353 T_Mem */ "mem", + /* 96 354 T_Memlock */ "memlock", + /* 97 355 T_Minclock */ "minclock", + /* 98 356 T_Mindepth */ "mindepth", + /* 99 357 T_Mindist */ "mindist", + /* 100 358 T_Minimum */ "minimum", + /* 101 359 T_Minpoll */ "minpoll", + /* 102 360 T_Minsane */ "minsane", + /* 103 361 T_Mode */ "mode", + /* 104 362 T_Mode7 */ "mode7", + /* 105 363 T_Monitor */ "monitor", + /* 106 364 T_Month */ "month", + /* 107 365 T_Mru */ "mru", + /* 108 366 T_Multicastclient */ "multicastclient", + /* 109 367 T_Nic */ "nic", + /* 110 368 T_Nolink */ "nolink", + /* 111 369 T_Nomodify */ "nomodify", + /* 112 370 T_Nomrulist */ "nomrulist", + /* 113 371 T_None */ "none", + /* 114 372 T_Nonvolatile */ "nonvolatile", + /* 115 373 T_Noepeer */ "noepeer", + /* 116 374 T_Nopeer */ "nopeer", + /* 117 375 T_Noquery */ "noquery", + /* 118 376 T_Noselect */ "noselect", + /* 119 377 T_Noserve */ "noserve", + /* 120 378 T_Notrap */ "notrap", + /* 121 379 T_Notrust */ "notrust", + /* 122 380 T_Ntp */ "ntp", + /* 123 381 T_Ntpport */ "ntpport", + /* 124 382 T_NtpSignDsocket */ "ntpsigndsocket", + /* 125 383 T_Orphan */ "orphan", + /* 126 384 T_Orphanwait */ "orphanwait", + /* 127 385 T_PCEdigest */ "peer_clear_digest_early", + /* 128 386 T_Panic */ "panic", + /* 129 387 T_Peer */ "peer", + /* 130 388 T_Peerstats */ "peerstats", + /* 131 389 T_Phone */ "phone", + /* 132 390 T_Pid */ "pid", + /* 133 391 T_Pidfile */ "pidfile", + /* 134 392 T_Pool */ "pool", + /* 135 393 T_Port */ "port", + /* 136 394 T_Preempt */ "preempt", + /* 137 395 T_Prefer */ "prefer", + /* 138 396 T_Protostats */ "protostats", + /* 139 397 T_Pw */ "pw", + /* 140 398 T_Randfile */ "randfile", + /* 141 399 T_Rawstats */ "rawstats", + /* 142 400 T_Refid */ "refid", + /* 143 401 T_Requestkey */ "requestkey", + /* 144 402 T_Reset */ "reset", + /* 145 403 T_Restrict */ "restrict", + /* 146 404 T_Revoke */ "revoke", + /* 147 405 T_Rlimit */ "rlimit", + /* 148 406 T_Saveconfigdir */ "saveconfigdir", + /* 149 407 T_Server */ "server", + /* 150 408 T_Setvar */ "setvar", + /* 151 409 T_Source */ "source", + /* 152 410 T_Stacksize */ "stacksize", + /* 153 411 T_Statistics */ "statistics", + /* 154 412 T_Stats */ "stats", + /* 155 413 T_Statsdir */ "statsdir", + /* 156 414 T_Step */ "step", + /* 157 415 T_Stepback */ "stepback", + /* 158 416 T_Stepfwd */ "stepfwd", + /* 159 417 T_Stepout */ "stepout", + /* 160 418 T_Stratum */ "stratum", + /* 161 419 T_String */ NULL, + /* 162 420 T_Sys */ "sys", + /* 163 421 T_Sysstats */ "sysstats", + /* 164 422 T_Tick */ "tick", + /* 165 423 T_Time1 */ "time1", + /* 166 424 T_Time2 */ "time2", + /* 167 425 T_Timer */ "timer", + /* 168 426 T_Timingstats */ "timingstats", + /* 169 427 T_Tinker */ "tinker", + /* 170 428 T_Tos */ "tos", + /* 171 429 T_Trap */ "trap", + /* 172 430 T_True */ "true", + /* 173 431 T_Trustedkey */ "trustedkey", + /* 174 432 T_Ttl */ "ttl", + /* 175 433 T_Type */ "type", + /* 176 434 T_U_int */ NULL, + /* 177 435 T_UEcrypto */ "unpeer_crypto_early", + /* 178 436 T_UEcryptonak */ "unpeer_crypto_nak_early", + /* 179 437 T_UEdigest */ "unpeer_digest_early", + /* 180 438 T_Unconfig */ "unconfig", + /* 181 439 T_Unpeer */ "unpeer", + /* 182 440 T_Version */ "version", + /* 183 441 T_WanderThreshold */ NULL, + /* 184 442 T_Week */ "week", + /* 185 443 T_Wildcard */ "wildcard", + /* 186 444 T_Xleave */ "xleave", + /* 187 445 T_Year */ "year", + /* 188 446 T_Flag */ NULL, + /* 189 447 T_EOC */ NULL, + /* 190 448 T_Simulate */ "simulate", + /* 191 449 T_Beep_Delay */ "beep_delay", + /* 192 450 T_Sim_Duration */ "simulation_duration", + /* 193 451 T_Server_Offset */ "server_offset", + /* 194 452 T_Duration */ "duration", + /* 195 453 T_Freq_Offset */ "freq_offset", + /* 196 454 T_Wander */ "wander", + /* 197 455 T_Jitter */ "jitter", + /* 198 456 T_Prop_Delay */ "prop_delay", + /* 199 457 T_Proc_Delay */ "proc_delay" }; -#define SCANNER_INIT_S 915 +#define SCANNER_INIT_S 940 -const scan_state sst[918] = { +const scan_state sst[943] = { /*SS_T( ch, f-by, match, other ), */ 0, /* 0 */ - S_ST( '-', 3, 324, 0 ), /* 1 */ + S_ST( '-', 3, 327, 0 ), /* 1 */ S_ST( '.', 3, 3, 1 ), /* 2 */ - S_ST( '.', 3, 292, 0 ), /* 3 . */ + S_ST( '.', 3, 293, 0 ), /* 3 . */ S_ST( 'a', 3, 23, 2 ), /* 4 */ S_ST( 'b', 3, 6, 0 ), /* 5 a */ S_ST( 'b', 3, 7, 0 ), /* 6 ab */ @@ -241,236 +245,236 @@ const scan_state sst[918] = { S_ST( 'r', 3, 26, 0 ), /* 25 ave */ S_ST( 'a', 3, 27, 0 ), /* 26 aver */ S_ST( 'g', 3, 266, 0 ), /* 27 avera */ - S_ST( 'b', 3, 69, 4 ), /* 28 */ - S_ST( 'c', 3, 34, 0 ), /* 29 b */ - S_ST( 'l', 3, 31, 0 ), /* 30 bc */ - S_ST( 'i', 3, 32, 0 ), /* 31 bcl */ - S_ST( 'e', 3, 33, 0 ), /* 32 bcli */ - S_ST( 'n', 3, 267, 0 ), /* 33 bclie */ - S_ST( 'p', 3, 35, 30 ), /* 34 bc */ - S_ST( 'o', 3, 36, 0 ), /* 35 bcp */ - S_ST( 'l', 3, 37, 0 ), /* 36 bcpo */ - S_ST( 'l', 3, 38, 0 ), /* 37 bcpol */ - S_ST( 'b', 3, 39, 0 ), /* 38 bcpoll */ - S_ST( 's', 3, 40, 0 ), /* 39 bcpollb */ - S_ST( 't', 3, 41, 0 ), /* 40 bcpollbs */ - S_ST( 'e', 3, 268, 0 ), /* 41 bcpollbst */ - S_ST( 'e', 3, 46, 29 ), /* 42 b */ - S_ST( 'a', 3, 44, 0 ), /* 43 be */ - S_ST( 'c', 3, 45, 0 ), /* 44 bea */ - S_ST( 'o', 3, 269, 0 ), /* 45 beac */ - S_ST( 'e', 3, 47, 43 ), /* 46 be */ - S_ST( 'p', 3, 48, 0 ), /* 47 bee */ - S_ST( '_', 3, 49, 0 ), /* 48 beep */ - S_ST( 'd', 3, 50, 0 ), /* 49 beep_ */ - S_ST( 'e', 3, 51, 0 ), /* 50 beep_d */ - S_ST( 'l', 3, 52, 0 ), /* 51 beep_de */ - S_ST( 'a', 3, 445, 0 ), /* 52 beep_del */ - S_ST( 'r', 3, 54, 42 ), /* 53 b */ - S_ST( 'o', 3, 55, 0 ), /* 54 br */ - S_ST( 'a', 3, 56, 0 ), /* 55 bro */ - S_ST( 'd', 3, 57, 0 ), /* 56 broa */ - S_ST( 'c', 3, 58, 0 ), /* 57 broad */ - S_ST( 'a', 3, 59, 0 ), /* 58 broadc */ - S_ST( 's', 3, 270, 0 ), /* 59 broadca */ - S_ST( 'c', 3, 61, 0 ), /* 60 broadcast */ - S_ST( 'l', 3, 62, 0 ), /* 61 broadcastc */ - S_ST( 'i', 3, 63, 0 ), /* 62 broadcastcl */ - S_ST( 'e', 3, 64, 0 ), /* 63 broadcastcli */ - S_ST( 'n', 3, 271, 0 ), /* 64 broadcastclie */ - S_ST( 'd', 3, 66, 60 ), /* 65 broadcast */ - S_ST( 'e', 3, 67, 0 ), /* 66 broadcastd */ - S_ST( 'l', 3, 68, 0 ), /* 67 broadcastde */ - S_ST( 'a', 3, 272, 0 ), /* 68 broadcastdel */ - S_ST( 'u', 3, 70, 53 ), /* 69 b */ - S_ST( 'r', 3, 71, 0 ), /* 70 bu */ - S_ST( 's', 3, 273, 0 ), /* 71 bur */ - S_ST( 'c', 3, 112, 28 ), /* 72 */ - S_ST( 'a', 3, 74, 0 ), /* 73 c */ - S_ST( 'l', 3, 75, 0 ), /* 74 ca */ - S_ST( 'i', 3, 76, 0 ), /* 75 cal */ - S_ST( 'b', 3, 77, 0 ), /* 76 cali */ - S_ST( 'r', 3, 78, 0 ), /* 77 calib */ - S_ST( 'a', 3, 79, 0 ), /* 78 calibr */ - S_ST( 't', 3, 274, 0 ), /* 79 calibra */ - S_ST( 'e', 3, 81, 73 ), /* 80 c */ - S_ST( 'i', 3, 82, 0 ), /* 81 ce */ - S_ST( 'l', 3, 83, 0 ), /* 82 cei */ - S_ST( 'i', 3, 84, 0 ), /* 83 ceil */ - S_ST( 'n', 3, 275, 0 ), /* 84 ceili */ - S_ST( 'l', 3, 86, 80 ), /* 85 c */ - S_ST( 'o', 3, 87, 0 ), /* 86 cl */ - S_ST( 'c', 3, 88, 0 ), /* 87 clo */ - S_ST( 'k', 3, 89, 0 ), /* 88 cloc */ - S_ST( 's', 3, 90, 0 ), /* 89 clock */ - S_ST( 't', 3, 91, 0 ), /* 90 clocks */ - S_ST( 'a', 3, 92, 0 ), /* 91 clockst */ - S_ST( 't', 3, 276, 0 ), /* 92 clocksta */ - S_ST( 'o', 3, 97, 85 ), /* 93 c */ - S_ST( 'h', 3, 95, 0 ), /* 94 co */ - S_ST( 'o', 3, 96, 0 ), /* 95 coh */ - S_ST( 'r', 3, 277, 0 ), /* 96 coho */ - S_ST( 'n', 3, 98, 94 ), /* 97 co */ - S_ST( 't', 3, 99, 0 ), /* 98 con */ - S_ST( 'r', 3, 100, 0 ), /* 99 cont */ - S_ST( 'o', 3, 101, 0 ), /* 100 contr */ - S_ST( 'l', 3, 102, 0 ), /* 101 contro */ - S_ST( 'k', 3, 103, 0 ), /* 102 control */ - S_ST( 'e', 3, 278, 0 ), /* 103 controlk */ - S_ST( 'r', 3, 105, 93 ), /* 104 c */ - S_ST( 'y', 3, 106, 0 ), /* 105 cr */ - S_ST( 'p', 3, 107, 0 ), /* 106 cry */ - S_ST( 't', 3, 279, 0 ), /* 107 cryp */ - S_ST( 's', 3, 109, 0 ), /* 108 crypto */ - S_ST( 't', 3, 110, 0 ), /* 109 cryptos */ - S_ST( 'a', 3, 111, 0 ), /* 110 cryptost */ - S_ST( 't', 3, 280, 0 ), /* 111 cryptosta */ - S_ST( 't', 3, 281, 104 ), /* 112 c */ - S_ST( 'd', 3, 147, 72 ), /* 113 */ - S_ST( 'a', 3, 282, 0 ), /* 114 d */ - S_ST( 'e', 3, 116, 114 ), /* 115 d */ - S_ST( 'f', 3, 117, 0 ), /* 116 de */ - S_ST( 'a', 3, 118, 0 ), /* 117 def */ - S_ST( 'u', 3, 119, 0 ), /* 118 defa */ - S_ST( 'l', 3, 283, 0 ), /* 119 defau */ - S_ST( 'i', 3, 124, 115 ), /* 120 d */ - S_ST( 'g', 3, 122, 0 ), /* 121 di */ - S_ST( 'e', 3, 123, 0 ), /* 122 dig */ - S_ST( 's', 3, 284, 0 ), /* 123 dige */ - S_ST( 's', 3, 131, 121 ), /* 124 di */ - S_ST( 'a', 3, 126, 0 ), /* 125 dis */ - S_ST( 'b', 3, 127, 0 ), /* 126 disa */ - S_ST( 'l', 3, 285, 0 ), /* 127 disab */ - S_ST( 'c', 3, 129, 125 ), /* 128 dis */ - S_ST( 'a', 3, 130, 0 ), /* 129 disc */ - S_ST( 'r', 3, 286, 0 ), /* 130 disca */ - S_ST( 'p', 3, 132, 128 ), /* 131 dis */ - S_ST( 'e', 3, 133, 0 ), /* 132 disp */ - S_ST( 'r', 3, 134, 0 ), /* 133 dispe */ - S_ST( 's', 3, 135, 0 ), /* 134 disper */ - S_ST( 'i', 3, 136, 0 ), /* 135 dispers */ - S_ST( 'o', 3, 287, 0 ), /* 136 dispersi */ - S_ST( 'r', 3, 144, 120 ), /* 137 d */ - S_ST( 'i', 3, 139, 0 ), /* 138 dr */ - S_ST( 'f', 3, 140, 0 ), /* 139 dri */ - S_ST( 't', 3, 141, 0 ), /* 140 drif */ - S_ST( 'f', 3, 142, 0 ), /* 141 drift */ - S_ST( 'i', 3, 143, 0 ), /* 142 driftf */ - S_ST( 'l', 3, 289, 0 ), /* 143 driftfi */ - S_ST( 'o', 3, 290, 138 ), /* 144 dr */ - S_ST( 's', 3, 146, 137 ), /* 145 d */ - S_ST( 'c', 3, 291, 0 ), /* 146 ds */ - S_ST( 'u', 3, 148, 145 ), /* 147 d */ - S_ST( 'r', 3, 149, 0 ), /* 148 du */ - S_ST( 'a', 3, 150, 0 ), /* 149 dur */ - S_ST( 't', 3, 151, 0 ), /* 150 dura */ - S_ST( 'i', 3, 152, 0 ), /* 151 durat */ - S_ST( 'o', 3, 448, 0 ), /* 152 durati */ - S_ST( 'e', 3, 154, 113 ), /* 153 */ - S_ST( 'n', 3, 294, 0 ), /* 154 e */ - S_ST( 'a', 3, 156, 0 ), /* 155 en */ - S_ST( 'b', 3, 157, 0 ), /* 156 ena */ - S_ST( 'l', 3, 293, 0 ), /* 157 enab */ - S_ST( 'f', 3, 179, 153 ), /* 158 */ - S_ST( 'i', 3, 160, 0 ), /* 159 f */ - S_ST( 'l', 3, 296, 0 ), /* 160 fi */ - S_ST( 'g', 3, 162, 0 ), /* 161 file */ - S_ST( 'e', 3, 297, 0 ), /* 162 fileg */ - S_ST( 'n', 3, 164, 161 ), /* 163 file */ - S_ST( 'u', 3, 298, 0 ), /* 164 filen */ - S_ST( 'l', 3, 169, 159 ), /* 165 f */ - S_ST( 'a', 3, 168, 0 ), /* 166 fl */ - S_ST( 'g', 3, 302, 0 ), /* 167 fla */ - S_ST( 'k', 3, 303, 167 ), /* 168 fla */ - S_ST( 'o', 3, 170, 166 ), /* 169 fl */ - S_ST( 'o', 3, 304, 0 ), /* 170 flo */ - S_ST( 'r', 3, 172, 165 ), /* 171 f */ - S_ST( 'e', 3, 305, 0 ), /* 172 fr */ - S_ST( '_', 3, 174, 0 ), /* 173 freq */ - S_ST( 'o', 3, 175, 0 ), /* 174 freq_ */ - S_ST( 'f', 3, 176, 0 ), /* 175 freq_o */ - S_ST( 'f', 3, 177, 0 ), /* 176 freq_of */ - S_ST( 's', 3, 178, 0 ), /* 177 freq_off */ - S_ST( 'e', 3, 449, 0 ), /* 178 freq_offs */ - S_ST( 'u', 3, 180, 171 ), /* 179 f */ - S_ST( 'd', 3, 181, 0 ), /* 180 fu */ - S_ST( 'g', 3, 306, 0 ), /* 181 fud */ - S_ST( 'h', 3, 185, 158 ), /* 182 */ - S_ST( 'o', 3, 184, 0 ), /* 183 h */ - S_ST( 's', 3, 307, 0 ), /* 184 ho */ - S_ST( 'u', 3, 186, 183 ), /* 185 h */ - S_ST( 'f', 3, 187, 0 ), /* 186 hu */ - S_ST( 'f', 3, 188, 0 ), /* 187 huf */ - S_ST( 'p', 3, 189, 0 ), /* 188 huff */ - S_ST( 'u', 3, 190, 0 ), /* 189 huffp */ - S_ST( 'f', 3, 308, 0 ), /* 190 huffpu */ - S_ST( 'i', 3, 232, 182 ), /* 191 */ - S_ST( 'b', 3, 193, 0 ), /* 192 i */ - S_ST( 'u', 3, 194, 0 ), /* 193 ib */ - S_ST( 'r', 3, 195, 0 ), /* 194 ibu */ - S_ST( 's', 3, 309, 0 ), /* 195 ibur */ - S_ST( 'd', 3, 197, 192 ), /* 196 i */ - S_ST( 'e', 3, 198, 0 ), /* 197 id */ - S_ST( 'n', 3, 310, 0 ), /* 198 ide */ - S_ST( 'g', 3, 200, 196 ), /* 199 i */ - S_ST( 'n', 3, 201, 0 ), /* 200 ig */ - S_ST( 'o', 3, 202, 0 ), /* 201 ign */ - S_ST( 'r', 3, 311, 0 ), /* 202 igno */ - S_ST( 'n', 3, 226, 199 ), /* 203 i */ - S_ST( 'c', 3, 216, 0 ), /* 204 in */ - S_ST( 'a', 3, 206, 0 ), /* 205 inc */ - S_ST( 'l', 3, 207, 0 ), /* 206 inca */ - S_ST( 'l', 3, 208, 0 ), /* 207 incal */ - S_ST( 'o', 3, 312, 0 ), /* 208 incall */ - S_ST( 'l', 3, 210, 205 ), /* 209 inc */ - S_ST( 'u', 3, 211, 0 ), /* 210 incl */ - S_ST( 'd', 3, 212, 0 ), /* 211 inclu */ - S_ST( 'e', 3, 213, 0 ), /* 212 includ */ - S_ST( 'f', 3, 214, 0 ), /* 213 include */ - S_ST( 'i', 3, 215, 0 ), /* 214 includef */ - S_ST( 'l', 3, 316, 0 ), /* 215 includefi */ - S_ST( 'm', 3, 217, 209 ), /* 216 inc */ - S_ST( 'e', 3, 313, 0 ), /* 217 incm */ - S_ST( 'i', 3, 219, 204 ), /* 218 in */ - S_ST( 't', 3, 224, 0 ), /* 219 ini */ - S_ST( 'a', 3, 221, 0 ), /* 220 init */ - S_ST( 'l', 3, 222, 0 ), /* 221 inita */ - S_ST( 'l', 3, 223, 0 ), /* 222 inital */ - S_ST( 'o', 3, 314, 0 ), /* 223 initall */ - S_ST( 'm', 3, 225, 220 ), /* 224 init */ - S_ST( 'e', 3, 315, 0 ), /* 225 initm */ - S_ST( 't', 3, 227, 218 ), /* 226 in */ - S_ST( 'e', 3, 228, 0 ), /* 227 int */ - S_ST( 'r', 3, 229, 0 ), /* 228 inte */ - S_ST( 'f', 3, 230, 0 ), /* 229 inter */ - S_ST( 'a', 3, 231, 0 ), /* 230 interf */ - S_ST( 'c', 3, 318, 0 ), /* 231 interfa */ - S_ST( 'p', 3, 233, 320 ), /* 232 i */ - S_ST( 'v', 3, 323, 0 ), /* 233 ip */ - S_ST( 'j', 3, 235, 191 ), /* 234 */ - S_ST( 'i', 3, 236, 0 ), /* 235 j */ - S_ST( 't', 3, 237, 0 ), /* 236 ji */ - S_ST( 't', 3, 238, 0 ), /* 237 jit */ - S_ST( 'e', 3, 451, 0 ), /* 238 jitt */ - S_ST( 'k', 3, 246, 234 ), /* 239 */ - S_ST( 'e', 3, 326, 0 ), /* 240 k */ - S_ST( 'r', 3, 242, 0 ), /* 241 ke */ - S_ST( 'n', 3, 243, 0 ), /* 242 ker */ - S_ST( 'e', 3, 325, 0 ), /* 243 kern */ - S_ST( 'd', 3, 245, 0 ), /* 244 keys */ - S_ST( 'i', 3, 328, 0 ), /* 245 keysd */ - S_ST( 'o', 3, 329, 240 ), /* 246 k */ - S_ST( 'l', 3, 462, 239 ), /* 247 */ - S_ST( 'e', 3, 249, 0 ), /* 248 l */ - S_ST( 'a', 3, 250, 0 ), /* 249 le */ - S_ST( 'p', 3, 254, 0 ), /* 250 lea */ - S_ST( 'f', 3, 252, 0 ), /* 251 leap */ - S_ST( 'i', 3, 253, 0 ), /* 252 leapf */ - S_ST( 'l', 3, 331, 0 ), /* 253 leapfi */ - S_ST( 's', 3, 255, 251 ), /* 254 leap */ - S_ST( 'm', 3, 256, 0 ), /* 255 leaps */ - S_ST( 'e', 3, 257, 0 ), /* 256 leapsm */ - S_ST( 'a', 3, 288, 0 ), /* 257 leapsme */ + S_ST( 'b', 3, 75, 4 ), /* 28 */ + S_ST( 'a', 3, 30, 0 ), /* 29 b */ + S_ST( 's', 3, 31, 0 ), /* 30 ba */ + S_ST( 'e', 3, 32, 0 ), /* 31 bas */ + S_ST( 'd', 3, 33, 0 ), /* 32 base */ + S_ST( 'a', 3, 34, 0 ), /* 33 based */ + S_ST( 't', 3, 267, 0 ), /* 34 baseda */ + S_ST( 'c', 3, 40, 29 ), /* 35 b */ + S_ST( 'l', 3, 37, 0 ), /* 36 bc */ + S_ST( 'i', 3, 38, 0 ), /* 37 bcl */ + S_ST( 'e', 3, 39, 0 ), /* 38 bcli */ + S_ST( 'n', 3, 268, 0 ), /* 39 bclie */ + S_ST( 'p', 3, 41, 36 ), /* 40 bc */ + S_ST( 'o', 3, 42, 0 ), /* 41 bcp */ + S_ST( 'l', 3, 43, 0 ), /* 42 bcpo */ + S_ST( 'l', 3, 44, 0 ), /* 43 bcpol */ + S_ST( 'b', 3, 45, 0 ), /* 44 bcpoll */ + S_ST( 's', 3, 46, 0 ), /* 45 bcpollb */ + S_ST( 't', 3, 47, 0 ), /* 46 bcpollbs */ + S_ST( 'e', 3, 269, 0 ), /* 47 bcpollbst */ + S_ST( 'e', 3, 52, 35 ), /* 48 b */ + S_ST( 'a', 3, 50, 0 ), /* 49 be */ + S_ST( 'c', 3, 51, 0 ), /* 50 bea */ + S_ST( 'o', 3, 270, 0 ), /* 51 beac */ + S_ST( 'e', 3, 53, 49 ), /* 52 be */ + S_ST( 'p', 3, 54, 0 ), /* 53 bee */ + S_ST( '_', 3, 55, 0 ), /* 54 beep */ + S_ST( 'd', 3, 56, 0 ), /* 55 beep_ */ + S_ST( 'e', 3, 57, 0 ), /* 56 beep_d */ + S_ST( 'l', 3, 58, 0 ), /* 57 beep_de */ + S_ST( 'a', 3, 449, 0 ), /* 58 beep_del */ + S_ST( 'r', 3, 60, 48 ), /* 59 b */ + S_ST( 'o', 3, 61, 0 ), /* 60 br */ + S_ST( 'a', 3, 62, 0 ), /* 61 bro */ + S_ST( 'd', 3, 63, 0 ), /* 62 broa */ + S_ST( 'c', 3, 64, 0 ), /* 63 broad */ + S_ST( 'a', 3, 65, 0 ), /* 64 broadc */ + S_ST( 's', 3, 271, 0 ), /* 65 broadca */ + S_ST( 'c', 3, 67, 0 ), /* 66 broadcast */ + S_ST( 'l', 3, 68, 0 ), /* 67 broadcastc */ + S_ST( 'i', 3, 69, 0 ), /* 68 broadcastcl */ + S_ST( 'e', 3, 70, 0 ), /* 69 broadcastcli */ + S_ST( 'n', 3, 272, 0 ), /* 70 broadcastclie */ + S_ST( 'd', 3, 72, 66 ), /* 71 broadcast */ + S_ST( 'e', 3, 73, 0 ), /* 72 broadcastd */ + S_ST( 'l', 3, 74, 0 ), /* 73 broadcastde */ + S_ST( 'a', 3, 273, 0 ), /* 74 broadcastdel */ + S_ST( 'u', 3, 76, 59 ), /* 75 b */ + S_ST( 'r', 3, 77, 0 ), /* 76 bu */ + S_ST( 's', 3, 274, 0 ), /* 77 bur */ + S_ST( 'c', 3, 118, 28 ), /* 78 */ + S_ST( 'a', 3, 80, 0 ), /* 79 c */ + S_ST( 'l', 3, 81, 0 ), /* 80 ca */ + S_ST( 'i', 3, 82, 0 ), /* 81 cal */ + S_ST( 'b', 3, 83, 0 ), /* 82 cali */ + S_ST( 'r', 3, 84, 0 ), /* 83 calib */ + S_ST( 'a', 3, 85, 0 ), /* 84 calibr */ + S_ST( 't', 3, 275, 0 ), /* 85 calibra */ + S_ST( 'e', 3, 87, 79 ), /* 86 c */ + S_ST( 'i', 3, 88, 0 ), /* 87 ce */ + S_ST( 'l', 3, 89, 0 ), /* 88 cei */ + S_ST( 'i', 3, 90, 0 ), /* 89 ceil */ + S_ST( 'n', 3, 276, 0 ), /* 90 ceili */ + S_ST( 'l', 3, 92, 86 ), /* 91 c */ + S_ST( 'o', 3, 93, 0 ), /* 92 cl */ + S_ST( 'c', 3, 94, 0 ), /* 93 clo */ + S_ST( 'k', 3, 95, 0 ), /* 94 cloc */ + S_ST( 's', 3, 96, 0 ), /* 95 clock */ + S_ST( 't', 3, 97, 0 ), /* 96 clocks */ + S_ST( 'a', 3, 98, 0 ), /* 97 clockst */ + S_ST( 't', 3, 277, 0 ), /* 98 clocksta */ + S_ST( 'o', 3, 103, 91 ), /* 99 c */ + S_ST( 'h', 3, 101, 0 ), /* 100 co */ + S_ST( 'o', 3, 102, 0 ), /* 101 coh */ + S_ST( 'r', 3, 278, 0 ), /* 102 coho */ + S_ST( 'n', 3, 104, 100 ), /* 103 co */ + S_ST( 't', 3, 105, 0 ), /* 104 con */ + S_ST( 'r', 3, 106, 0 ), /* 105 cont */ + S_ST( 'o', 3, 107, 0 ), /* 106 contr */ + S_ST( 'l', 3, 108, 0 ), /* 107 contro */ + S_ST( 'k', 3, 109, 0 ), /* 108 control */ + S_ST( 'e', 3, 279, 0 ), /* 109 controlk */ + S_ST( 'r', 3, 111, 99 ), /* 110 c */ + S_ST( 'y', 3, 112, 0 ), /* 111 cr */ + S_ST( 'p', 3, 113, 0 ), /* 112 cry */ + S_ST( 't', 3, 280, 0 ), /* 113 cryp */ + S_ST( 's', 3, 115, 0 ), /* 114 crypto */ + S_ST( 't', 3, 116, 0 ), /* 115 cryptos */ + S_ST( 'a', 3, 117, 0 ), /* 116 cryptost */ + S_ST( 't', 3, 281, 0 ), /* 117 cryptosta */ + S_ST( 't', 3, 282, 110 ), /* 118 c */ + S_ST( 'd', 3, 153, 78 ), /* 119 */ + S_ST( 'a', 3, 283, 0 ), /* 120 d */ + S_ST( 'e', 3, 122, 120 ), /* 121 d */ + S_ST( 'f', 3, 123, 0 ), /* 122 de */ + S_ST( 'a', 3, 124, 0 ), /* 123 def */ + S_ST( 'u', 3, 125, 0 ), /* 124 defa */ + S_ST( 'l', 3, 284, 0 ), /* 125 defau */ + S_ST( 'i', 3, 130, 121 ), /* 126 d */ + S_ST( 'g', 3, 128, 0 ), /* 127 di */ + S_ST( 'e', 3, 129, 0 ), /* 128 dig */ + S_ST( 's', 3, 285, 0 ), /* 129 dige */ + S_ST( 's', 3, 137, 127 ), /* 130 di */ + S_ST( 'a', 3, 132, 0 ), /* 131 dis */ + S_ST( 'b', 3, 133, 0 ), /* 132 disa */ + S_ST( 'l', 3, 286, 0 ), /* 133 disab */ + S_ST( 'c', 3, 135, 131 ), /* 134 dis */ + S_ST( 'a', 3, 136, 0 ), /* 135 disc */ + S_ST( 'r', 3, 287, 0 ), /* 136 disca */ + S_ST( 'p', 3, 138, 134 ), /* 137 dis */ + S_ST( 'e', 3, 139, 0 ), /* 138 disp */ + S_ST( 'r', 3, 140, 0 ), /* 139 dispe */ + S_ST( 's', 3, 141, 0 ), /* 140 disper */ + S_ST( 'i', 3, 142, 0 ), /* 141 dispers */ + S_ST( 'o', 3, 288, 0 ), /* 142 dispersi */ + S_ST( 'r', 3, 150, 126 ), /* 143 d */ + S_ST( 'i', 3, 145, 0 ), /* 144 dr */ + S_ST( 'f', 3, 146, 0 ), /* 145 dri */ + S_ST( 't', 3, 147, 0 ), /* 146 drif */ + S_ST( 'f', 3, 148, 0 ), /* 147 drift */ + S_ST( 'i', 3, 149, 0 ), /* 148 driftf */ + S_ST( 'l', 3, 290, 0 ), /* 149 driftfi */ + S_ST( 'o', 3, 291, 144 ), /* 150 dr */ + S_ST( 's', 3, 152, 143 ), /* 151 d */ + S_ST( 'c', 3, 292, 0 ), /* 152 ds */ + S_ST( 'u', 3, 154, 151 ), /* 153 d */ + S_ST( 'r', 3, 155, 0 ), /* 154 du */ + S_ST( 'a', 3, 156, 0 ), /* 155 dur */ + S_ST( 't', 3, 157, 0 ), /* 156 dura */ + S_ST( 'i', 3, 158, 0 ), /* 157 durat */ + S_ST( 'o', 3, 452, 0 ), /* 158 durati */ + S_ST( 'e', 3, 164, 119 ), /* 159 */ + S_ST( 'n', 3, 295, 0 ), /* 160 e */ + S_ST( 'a', 3, 162, 0 ), /* 161 en */ + S_ST( 'b', 3, 163, 0 ), /* 162 ena */ + S_ST( 'l', 3, 294, 0 ), /* 163 enab */ + S_ST( 'p', 3, 165, 160 ), /* 164 e */ + S_ST( 'e', 3, 166, 0 ), /* 165 ep */ + S_ST( 'e', 3, 296, 0 ), /* 166 epe */ + S_ST( 'f', 3, 188, 159 ), /* 167 */ + S_ST( 'i', 3, 169, 0 ), /* 168 f */ + S_ST( 'l', 3, 298, 0 ), /* 169 fi */ + S_ST( 'g', 3, 171, 0 ), /* 170 file */ + S_ST( 'e', 3, 299, 0 ), /* 171 fileg */ + S_ST( 'n', 3, 173, 170 ), /* 172 file */ + S_ST( 'u', 3, 300, 0 ), /* 173 filen */ + S_ST( 'l', 3, 178, 168 ), /* 174 f */ + S_ST( 'a', 3, 177, 0 ), /* 175 fl */ + S_ST( 'g', 3, 304, 0 ), /* 176 fla */ + S_ST( 'k', 3, 305, 176 ), /* 177 fla */ + S_ST( 'o', 3, 179, 175 ), /* 178 fl */ + S_ST( 'o', 3, 306, 0 ), /* 179 flo */ + S_ST( 'r', 3, 181, 174 ), /* 180 f */ + S_ST( 'e', 3, 307, 0 ), /* 181 fr */ + S_ST( '_', 3, 183, 0 ), /* 182 freq */ + S_ST( 'o', 3, 184, 0 ), /* 183 freq_ */ + S_ST( 'f', 3, 185, 0 ), /* 184 freq_o */ + S_ST( 'f', 3, 186, 0 ), /* 185 freq_of */ + S_ST( 's', 3, 187, 0 ), /* 186 freq_off */ + S_ST( 'e', 3, 453, 0 ), /* 187 freq_offs */ + S_ST( 'u', 3, 189, 180 ), /* 188 f */ + S_ST( 'd', 3, 190, 0 ), /* 189 fu */ + S_ST( 'g', 3, 308, 0 ), /* 190 fud */ + S_ST( 'h', 3, 194, 167 ), /* 191 */ + S_ST( 'o', 3, 193, 0 ), /* 192 h */ + S_ST( 's', 3, 309, 0 ), /* 193 ho */ + S_ST( 'u', 3, 195, 192 ), /* 194 h */ + S_ST( 'f', 3, 196, 0 ), /* 195 hu */ + S_ST( 'f', 3, 197, 0 ), /* 196 huf */ + S_ST( 'p', 3, 198, 0 ), /* 197 huff */ + S_ST( 'u', 3, 199, 0 ), /* 198 huffp */ + S_ST( 'f', 3, 310, 0 ), /* 199 huffpu */ + S_ST( 'i', 3, 241, 191 ), /* 200 */ + S_ST( 'b', 3, 202, 0 ), /* 201 i */ + S_ST( 'u', 3, 203, 0 ), /* 202 ib */ + S_ST( 'r', 3, 204, 0 ), /* 203 ibu */ + S_ST( 's', 3, 311, 0 ), /* 204 ibur */ + S_ST( 'd', 3, 206, 201 ), /* 205 i */ + S_ST( 'e', 3, 207, 0 ), /* 206 id */ + S_ST( 'n', 3, 312, 0 ), /* 207 ide */ + S_ST( 'g', 3, 209, 205 ), /* 208 i */ + S_ST( 'n', 3, 210, 0 ), /* 209 ig */ + S_ST( 'o', 3, 211, 0 ), /* 210 ign */ + S_ST( 'r', 3, 313, 0 ), /* 211 igno */ + S_ST( 'n', 3, 235, 208 ), /* 212 i */ + S_ST( 'c', 3, 225, 0 ), /* 213 in */ + S_ST( 'a', 3, 215, 0 ), /* 214 inc */ + S_ST( 'l', 3, 216, 0 ), /* 215 inca */ + S_ST( 'l', 3, 217, 0 ), /* 216 incal */ + S_ST( 'o', 3, 314, 0 ), /* 217 incall */ + S_ST( 'l', 3, 219, 214 ), /* 218 inc */ + S_ST( 'u', 3, 220, 0 ), /* 219 incl */ + S_ST( 'd', 3, 221, 0 ), /* 220 inclu */ + S_ST( 'e', 3, 222, 0 ), /* 221 includ */ + S_ST( 'f', 3, 223, 0 ), /* 222 include */ + S_ST( 'i', 3, 224, 0 ), /* 223 includef */ + S_ST( 'l', 3, 318, 0 ), /* 224 includefi */ + S_ST( 'm', 3, 226, 218 ), /* 225 inc */ + S_ST( 'e', 3, 315, 0 ), /* 226 incm */ + S_ST( 'i', 3, 228, 213 ), /* 227 in */ + S_ST( 't', 3, 233, 0 ), /* 228 ini */ + S_ST( 'a', 3, 230, 0 ), /* 229 init */ + S_ST( 'l', 3, 231, 0 ), /* 230 inita */ + S_ST( 'l', 3, 232, 0 ), /* 231 inital */ + S_ST( 'o', 3, 316, 0 ), /* 232 initall */ + S_ST( 'm', 3, 234, 229 ), /* 233 init */ + S_ST( 'e', 3, 317, 0 ), /* 234 initm */ + S_ST( 't', 3, 236, 227 ), /* 235 in */ + S_ST( 'e', 3, 237, 0 ), /* 236 int */ + S_ST( 'r', 3, 238, 0 ), /* 237 inte */ + S_ST( 'f', 3, 239, 0 ), /* 238 inter */ + S_ST( 'a', 3, 240, 0 ), /* 239 interf */ + S_ST( 'c', 3, 320, 0 ), /* 240 interfa */ + S_ST( 'p', 3, 250, 322 ), /* 241 i */ + S_ST( 'p', 3, 243, 0 ), /* 242 ip */ + S_ST( 'e', 3, 244, 0 ), /* 243 ipp */ + S_ST( 'e', 3, 245, 0 ), /* 244 ippe */ + S_ST( 'r', 3, 246, 0 ), /* 245 ippee */ + S_ST( 'l', 3, 247, 0 ), /* 246 ippeer */ + S_ST( 'i', 3, 248, 0 ), /* 247 ippeerl */ + S_ST( 'm', 3, 249, 0 ), /* 248 ippeerli */ + S_ST( 'i', 3, 323, 0 ), /* 249 ippeerlim */ + S_ST( 'v', 3, 326, 242 ), /* 250 ip */ + S_ST( 'j', 3, 252, 200 ), /* 251 */ + S_ST( 'i', 3, 253, 0 ), /* 252 j */ + S_ST( 't', 3, 254, 0 ), /* 253 ji */ + S_ST( 't', 3, 255, 0 ), /* 254 jit */ + S_ST( 'e', 3, 455, 0 ), /* 255 jitt */ + S_ST( 'k', 3, 434, 251 ), /* 256 */ + S_ST( 'e', 3, 329, 0 ), /* 257 k */ S_ST( 'v', 1, 0, 0 ), /* 258 T_Abbrev */ S_ST( 'e', 0, 0, 0 ), /* 259 T_Age */ S_ST( 'l', 0, 12, 0 ), /* 260 T_All */ @@ -480,656 +484,681 @@ const scan_state sst[918] = { S_ST( 'y', 0, 0, 0 ), /* 264 T_Autokey */ S_ST( 'x', 0, 0, 0 ), /* 265 T_Automax */ S_ST( 'e', 0, 0, 0 ), /* 266 T_Average */ - S_ST( 't', 0, 0, 0 ), /* 267 T_Bclient */ - S_ST( 'p', 0, 0, 0 ), /* 268 T_Bcpollbstep */ - S_ST( 'n', 0, 0, 0 ), /* 269 T_Beacon */ - S_ST( 't', 1, 65, 0 ), /* 270 T_Broadcast */ - S_ST( 't', 0, 0, 0 ), /* 271 T_Broadcastclient */ - S_ST( 'y', 0, 0, 0 ), /* 272 T_Broadcastdelay */ - S_ST( 't', 0, 0, 0 ), /* 273 T_Burst */ - S_ST( 'e', 0, 0, 0 ), /* 274 T_Calibrate */ - S_ST( 'g', 0, 0, 0 ), /* 275 T_Ceiling */ - S_ST( 's', 0, 0, 0 ), /* 276 T_Clockstats */ - S_ST( 't', 0, 0, 0 ), /* 277 T_Cohort */ - S_ST( 'y', 0, 0, 0 ), /* 278 T_ControlKey */ - S_ST( 'o', 0, 108, 0 ), /* 279 T_Crypto */ - S_ST( 's', 0, 0, 0 ), /* 280 T_Cryptostats */ - S_ST( 'l', 0, 0, 0 ), /* 281 T_Ctl */ - S_ST( 'y', 0, 0, 0 ), /* 282 T_Day */ - S_ST( 't', 0, 0, 0 ), /* 283 T_Default */ - S_ST( 't', 1, 0, 0 ), /* 284 T_Digest */ - S_ST( 'e', 0, 0, 0 ), /* 285 T_Disable */ - S_ST( 'd', 0, 0, 0 ), /* 286 T_Discard */ - S_ST( 'n', 0, 0, 0 ), /* 287 T_Dispersion */ - S_ST( 'r', 3, 295, 0 ), /* 288 leapsmea */ - S_ST( 'e', 1, 0, 0 ), /* 289 T_Driftfile */ - S_ST( 'p', 0, 0, 0 ), /* 290 T_Drop */ - S_ST( 'p', 0, 0, 0 ), /* 291 T_Dscp */ - S_ST( '.', 0, 0, 0 ), /* 292 T_Ellipsis */ - S_ST( 'e', 0, 0, 0 ), /* 293 T_Enable */ - S_ST( 'd', 0, 0, 155 ), /* 294 T_End */ - S_ST( 'i', 3, 317, 0 ), /* 295 leapsmear */ - S_ST( 'e', 1, 163, 0 ), /* 296 T_File */ - S_ST( 'n', 0, 0, 0 ), /* 297 T_Filegen */ - S_ST( 'm', 0, 0, 0 ), /* 298 T_Filenum */ - S_ST( '1', 0, 0, 0 ), /* 299 T_Flag1 */ - S_ST( '2', 0, 0, 299 ), /* 300 T_Flag2 */ - S_ST( '3', 0, 0, 300 ), /* 301 T_Flag3 */ - S_ST( '4', 0, 0, 301 ), /* 302 T_Flag4 */ - S_ST( 'e', 0, 0, 0 ), /* 303 T_Flake */ - S_ST( 'r', 0, 0, 0 ), /* 304 T_Floor */ - S_ST( 'q', 0, 173, 0 ), /* 305 T_Freq */ - S_ST( 'e', 1, 0, 0 ), /* 306 T_Fudge */ - S_ST( 't', 1, 0, 0 ), /* 307 T_Host */ - S_ST( 'f', 0, 0, 0 ), /* 308 T_Huffpuff */ - S_ST( 't', 0, 0, 0 ), /* 309 T_Iburst */ - S_ST( 't', 1, 0, 0 ), /* 310 T_Ident */ - S_ST( 'e', 0, 0, 0 ), /* 311 T_Ignore */ - S_ST( 'c', 0, 0, 0 ), /* 312 T_Incalloc */ - S_ST( 'm', 0, 0, 0 ), /* 313 T_Incmem */ - S_ST( 'c', 0, 0, 0 ), /* 314 T_Initalloc */ - S_ST( 'm', 0, 0, 0 ), /* 315 T_Initmem */ - S_ST( 'e', 1, 0, 0 ), /* 316 T_Includefile */ - S_ST( 'n', 3, 319, 0 ), /* 317 leapsmeari */ - S_ST( 'e', 0, 0, 0 ), /* 318 T_Interface */ - S_ST( 't', 3, 415, 0 ), /* 319 leapsmearin */ - S_ST( 'o', 0, 0, 203 ), /* 320 T_Io */ - S_ST( '4', 0, 0, 0 ), /* 321 T_Ipv4 */ - S_ST( '4', 0, 0, 0 ), /* 322 T_Ipv4_flag */ - S_ST( '6', 0, 0, 321 ), /* 323 T_Ipv6 */ - S_ST( '6', 0, 0, 322 ), /* 324 T_Ipv6_flag */ - S_ST( 'l', 0, 0, 0 ), /* 325 T_Kernel */ - S_ST( 'y', 0, 327, 241 ), /* 326 T_Key */ - S_ST( 's', 1, 244, 0 ), /* 327 T_Keys */ - S_ST( 'r', 1, 0, 0 ), /* 328 T_Keysdir */ - S_ST( 'd', 0, 0, 0 ), /* 329 T_Kod */ - S_ST( 'p', 0, 0, 0 ), /* 330 T_Mssntp */ - S_ST( 'e', 1, 0, 0 ), /* 331 T_Leapfile */ - S_ST( 'l', 0, 0, 0 ), /* 332 T_Leapsmearinterval */ - S_ST( 'd', 0, 0, 0 ), /* 333 T_Limited */ - S_ST( 'k', 0, 0, 0 ), /* 334 T_Link */ - S_ST( 'n', 0, 0, 0 ), /* 335 T_Listen */ - S_ST( 'g', 2, 0, 0 ), /* 336 T_Logconfig */ - S_ST( 'e', 1, 0, 0 ), /* 337 T_Logfile */ - S_ST( 's', 0, 0, 0 ), /* 338 T_Loopstats */ - S_ST( 'p', 0, 0, 0 ), /* 339 T_Lowpriotrap */ - S_ST( 't', 1, 0, 0 ), /* 340 T_Manycastclient */ - S_ST( 'r', 2, 0, 0 ), /* 341 T_Manycastserver */ - S_ST( 'k', 0, 0, 0 ), /* 342 T_Mask */ - S_ST( 'e', 0, 0, 0 ), /* 343 T_Maxage */ - S_ST( 'k', 0, 0, 0 ), /* 344 T_Maxclock */ - S_ST( 'h', 0, 0, 0 ), /* 345 T_Maxdepth */ - S_ST( 't', 0, 0, 0 ), /* 346 T_Maxdist */ - S_ST( 'm', 0, 0, 0 ), /* 347 T_Maxmem */ - S_ST( 'l', 0, 0, 0 ), /* 348 T_Maxpoll */ - S_ST( 's', 0, 0, 0 ), /* 349 T_Mdnstries */ - S_ST( 'm', 0, 531, 0 ), /* 350 T_Mem */ - S_ST( 'k', 0, 0, 0 ), /* 351 T_Memlock */ - S_ST( 'k', 0, 0, 0 ), /* 352 T_Minclock */ - S_ST( 'h', 0, 0, 0 ), /* 353 T_Mindepth */ - S_ST( 't', 0, 0, 0 ), /* 354 T_Mindist */ - S_ST( 'm', 0, 0, 0 ), /* 355 T_Minimum */ - S_ST( 'l', 0, 0, 0 ), /* 356 T_Minpoll */ - S_ST( 'e', 0, 0, 0 ), /* 357 T_Minsane */ - S_ST( 'e', 0, 359, 0 ), /* 358 T_Mode */ - S_ST( '7', 0, 0, 0 ), /* 359 T_Mode7 */ - S_ST( 'r', 0, 0, 0 ), /* 360 T_Monitor */ - S_ST( 'h', 0, 0, 0 ), /* 361 T_Month */ - S_ST( 'u', 0, 0, 0 ), /* 362 T_Mru */ - S_ST( 't', 2, 0, 0 ), /* 363 T_Multicastclient */ - S_ST( 'c', 0, 0, 0 ), /* 364 T_Nic */ - S_ST( 'k', 0, 0, 0 ), /* 365 T_Nolink */ - S_ST( 'y', 0, 0, 0 ), /* 366 T_Nomodify */ - S_ST( 't', 0, 0, 0 ), /* 367 T_Nomrulist */ - S_ST( 'e', 0, 0, 0 ), /* 368 T_None */ - S_ST( 'e', 0, 0, 0 ), /* 369 T_Nonvolatile */ - S_ST( 'r', 0, 0, 0 ), /* 370 T_Nopeer */ - S_ST( 'y', 0, 0, 0 ), /* 371 T_Noquery */ - S_ST( 't', 0, 0, 0 ), /* 372 T_Noselect */ - S_ST( 'e', 0, 0, 0 ), /* 373 T_Noserve */ - S_ST( 'p', 0, 0, 0 ), /* 374 T_Notrap */ - S_ST( 't', 0, 0, 0 ), /* 375 T_Notrust */ - S_ST( 'p', 0, 627, 0 ), /* 376 T_Ntp */ - S_ST( 't', 0, 0, 0 ), /* 377 T_Ntpport */ - S_ST( 't', 1, 0, 0 ), /* 378 T_NtpSignDsocket */ - S_ST( 'n', 0, 642, 0 ), /* 379 T_Orphan */ - S_ST( 't', 0, 0, 0 ), /* 380 T_Orphanwait */ - S_ST( 'y', 0, 0, 0 ), /* 381 T_PCEdigest */ - S_ST( 'c', 0, 0, 0 ), /* 382 T_Panic */ - S_ST( 'r', 1, 669, 0 ), /* 383 T_Peer */ - S_ST( 's', 0, 0, 0 ), /* 384 T_Peerstats */ - S_ST( 'e', 2, 0, 0 ), /* 385 T_Phone */ - S_ST( 'd', 0, 677, 0 ), /* 386 T_Pid */ - S_ST( 'e', 1, 0, 0 ), /* 387 T_Pidfile */ - S_ST( 'l', 1, 0, 0 ), /* 388 T_Pool */ - S_ST( 't', 0, 0, 0 ), /* 389 T_Port */ - S_ST( 't', 0, 0, 0 ), /* 390 T_Preempt */ - S_ST( 'r', 0, 0, 0 ), /* 391 T_Prefer */ - S_ST( 's', 0, 0, 0 ), /* 392 T_Protostats */ - S_ST( 'w', 1, 0, 683 ), /* 393 T_Pw */ - S_ST( 'e', 1, 0, 0 ), /* 394 T_Randfile */ - S_ST( 's', 0, 0, 0 ), /* 395 T_Rawstats */ - S_ST( 'd', 1, 0, 0 ), /* 396 T_Refid */ - S_ST( 'y', 0, 0, 0 ), /* 397 T_Requestkey */ - S_ST( 't', 0, 0, 0 ), /* 398 T_Reset */ - S_ST( 't', 0, 0, 0 ), /* 399 T_Restrict */ - S_ST( 'e', 0, 0, 0 ), /* 400 T_Revoke */ - S_ST( 't', 0, 0, 0 ), /* 401 T_Rlimit */ - S_ST( 'r', 1, 0, 0 ), /* 402 T_Saveconfigdir */ - S_ST( 'r', 1, 760, 0 ), /* 403 T_Server */ - S_ST( 'r', 1, 0, 0 ), /* 404 T_Setvar */ - S_ST( 'e', 0, 0, 0 ), /* 405 T_Source */ - S_ST( 'e', 0, 0, 0 ), /* 406 T_Stacksize */ - S_ST( 's', 0, 0, 0 ), /* 407 T_Statistics */ - S_ST( 's', 0, 803, 798 ), /* 408 T_Stats */ - S_ST( 'r', 1, 0, 0 ), /* 409 T_Statsdir */ - S_ST( 'p', 0, 811, 0 ), /* 410 T_Step */ - S_ST( 'k', 0, 0, 0 ), /* 411 T_Stepback */ - S_ST( 'd', 0, 0, 0 ), /* 412 T_Stepfwd */ - S_ST( 't', 0, 0, 0 ), /* 413 T_Stepout */ - S_ST( 'm', 0, 0, 0 ), /* 414 T_Stratum */ - S_ST( 'e', 3, 430, 0 ), /* 415 leapsmearint */ - S_ST( 's', 0, 818, 0 ), /* 416 T_Sys */ - S_ST( 's', 0, 0, 0 ), /* 417 T_Sysstats */ - S_ST( 'k', 0, 0, 0 ), /* 418 T_Tick */ - S_ST( '1', 0, 0, 0 ), /* 419 T_Time1 */ - S_ST( '2', 0, 0, 419 ), /* 420 T_Time2 */ - S_ST( 'r', 0, 0, 420 ), /* 421 T_Timer */ - S_ST( 's', 0, 0, 0 ), /* 422 T_Timingstats */ - S_ST( 'r', 0, 0, 0 ), /* 423 T_Tinker */ - S_ST( 's', 0, 0, 0 ), /* 424 T_Tos */ - S_ST( 'p', 1, 0, 0 ), /* 425 T_Trap */ - S_ST( 'e', 0, 0, 0 ), /* 426 T_True */ - S_ST( 'y', 0, 0, 0 ), /* 427 T_Trustedkey */ - S_ST( 'l', 0, 0, 0 ), /* 428 T_Ttl */ - S_ST( 'e', 0, 0, 0 ), /* 429 T_Type */ - S_ST( 'r', 3, 437, 0 ), /* 430 leapsmearinte */ - S_ST( 'y', 0, 0, 0 ), /* 431 T_UEcrypto */ - S_ST( 'y', 0, 0, 0 ), /* 432 T_UEcryptonak */ - S_ST( 'y', 0, 0, 0 ), /* 433 T_UEdigest */ - S_ST( 'g', 1, 0, 0 ), /* 434 T_Unconfig */ - S_ST( 'r', 1, 860, 0 ), /* 435 T_Unpeer */ - S_ST( 'n', 0, 0, 0 ), /* 436 T_Version */ - S_ST( 'v', 3, 442, 0 ), /* 437 leapsmearinter */ - S_ST( 'k', 0, 0, 0 ), /* 438 T_Week */ - S_ST( 'd', 0, 0, 0 ), /* 439 T_Wildcard */ - S_ST( 'e', 0, 0, 0 ), /* 440 T_Xleave */ - S_ST( 'r', 0, 0, 0 ), /* 441 T_Year */ - S_ST( 'a', 3, 332, 0 ), /* 442 leapsmearinterv */ - S_ST( 'i', 3, 459, 248 ), /* 443 l */ - S_ST( 'e', 0, 0, 0 ), /* 444 T_Simulate */ - S_ST( 'y', 0, 0, 0 ), /* 445 T_Beep_Delay */ - S_ST( 'n', 0, 0, 0 ), /* 446 T_Sim_Duration */ - S_ST( 't', 0, 0, 0 ), /* 447 T_Server_Offset */ - S_ST( 'n', 0, 0, 0 ), /* 448 T_Duration */ - S_ST( 't', 0, 0, 0 ), /* 449 T_Freq_Offset */ - S_ST( 'r', 0, 0, 0 ), /* 450 T_Wander */ - S_ST( 'r', 0, 0, 0 ), /* 451 T_Jitter */ - S_ST( 'y', 0, 0, 0 ), /* 452 T_Prop_Delay */ - S_ST( 'y', 0, 0, 0 ), /* 453 T_Proc_Delay */ - S_ST( 'm', 3, 455, 0 ), /* 454 li */ - S_ST( 'i', 3, 456, 0 ), /* 455 lim */ - S_ST( 't', 3, 457, 0 ), /* 456 limi */ - S_ST( 'e', 3, 333, 0 ), /* 457 limit */ - S_ST( 'n', 3, 334, 454 ), /* 458 li */ - S_ST( 's', 3, 460, 458 ), /* 459 li */ - S_ST( 't', 3, 461, 0 ), /* 460 lis */ - S_ST( 'e', 3, 335, 0 ), /* 461 list */ - S_ST( 'o', 3, 478, 443 ), /* 462 l */ - S_ST( 'g', 3, 469, 0 ), /* 463 lo */ - S_ST( 'c', 3, 465, 0 ), /* 464 log */ - S_ST( 'o', 3, 466, 0 ), /* 465 logc */ - S_ST( 'n', 3, 467, 0 ), /* 466 logco */ - S_ST( 'f', 3, 468, 0 ), /* 467 logcon */ - S_ST( 'i', 3, 336, 0 ), /* 468 logconf */ - S_ST( 'f', 3, 470, 464 ), /* 469 log */ - S_ST( 'i', 3, 471, 0 ), /* 470 logf */ - S_ST( 'l', 3, 337, 0 ), /* 471 logfi */ - S_ST( 'o', 3, 473, 463 ), /* 472 lo */ - S_ST( 'p', 3, 474, 0 ), /* 473 loo */ - S_ST( 's', 3, 475, 0 ), /* 474 loop */ - S_ST( 't', 3, 476, 0 ), /* 475 loops */ - S_ST( 'a', 3, 477, 0 ), /* 476 loopst */ - S_ST( 't', 3, 338, 0 ), /* 477 loopsta */ - S_ST( 'w', 3, 479, 472 ), /* 478 lo */ - S_ST( 'p', 3, 480, 0 ), /* 479 low */ - S_ST( 'r', 3, 481, 0 ), /* 480 lowp */ - S_ST( 'i', 3, 482, 0 ), /* 481 lowpr */ - S_ST( 'o', 3, 483, 0 ), /* 482 lowpri */ - S_ST( 't', 3, 484, 0 ), /* 483 lowprio */ - S_ST( 'r', 3, 485, 0 ), /* 484 lowpriot */ - S_ST( 'a', 3, 339, 0 ), /* 485 lowpriotr */ - S_ST( 'm', 3, 567, 247 ), /* 486 */ - S_ST( 'a', 3, 505, 0 ), /* 487 m */ - S_ST( 'n', 3, 489, 0 ), /* 488 ma */ - S_ST( 'y', 3, 490, 0 ), /* 489 man */ - S_ST( 'c', 3, 491, 0 ), /* 490 many */ - S_ST( 'a', 3, 492, 0 ), /* 491 manyc */ - S_ST( 's', 3, 493, 0 ), /* 492 manyca */ - S_ST( 't', 3, 499, 0 ), /* 493 manycas */ - S_ST( 'c', 3, 495, 0 ), /* 494 manycast */ - S_ST( 'l', 3, 496, 0 ), /* 495 manycastc */ - S_ST( 'i', 3, 497, 0 ), /* 496 manycastcl */ - S_ST( 'e', 3, 498, 0 ), /* 497 manycastcli */ - S_ST( 'n', 3, 340, 0 ), /* 498 manycastclie */ - S_ST( 's', 3, 500, 494 ), /* 499 manycast */ - S_ST( 'e', 3, 501, 0 ), /* 500 manycasts */ - S_ST( 'r', 3, 502, 0 ), /* 501 manycastse */ - S_ST( 'v', 3, 503, 0 ), /* 502 manycastser */ - S_ST( 'e', 3, 341, 0 ), /* 503 manycastserv */ - S_ST( 's', 3, 342, 488 ), /* 504 ma */ - S_ST( 'x', 3, 520, 504 ), /* 505 ma */ - S_ST( 'a', 3, 507, 0 ), /* 506 max */ - S_ST( 'g', 3, 343, 0 ), /* 507 maxa */ - S_ST( 'c', 3, 509, 506 ), /* 508 max */ - S_ST( 'l', 3, 510, 0 ), /* 509 maxc */ - S_ST( 'o', 3, 511, 0 ), /* 510 maxcl */ - S_ST( 'c', 3, 344, 0 ), /* 511 maxclo */ - S_ST( 'd', 3, 516, 508 ), /* 512 max */ - S_ST( 'e', 3, 514, 0 ), /* 513 maxd */ - S_ST( 'p', 3, 515, 0 ), /* 514 maxde */ - S_ST( 't', 3, 345, 0 ), /* 515 maxdep */ - S_ST( 'i', 3, 517, 513 ), /* 516 maxd */ - S_ST( 's', 3, 346, 0 ), /* 517 maxdi */ - S_ST( 'm', 3, 519, 512 ), /* 518 max */ - S_ST( 'e', 3, 347, 0 ), /* 519 maxm */ - S_ST( 'p', 3, 521, 518 ), /* 520 max */ - S_ST( 'o', 3, 522, 0 ), /* 521 maxp */ - S_ST( 'l', 3, 348, 0 ), /* 522 maxpo */ - S_ST( 'd', 3, 524, 487 ), /* 523 m */ - S_ST( 'n', 3, 525, 0 ), /* 524 md */ - S_ST( 's', 3, 526, 0 ), /* 525 mdn */ - S_ST( 't', 3, 527, 0 ), /* 526 mdns */ - S_ST( 'r', 3, 528, 0 ), /* 527 mdnst */ - S_ST( 'i', 3, 529, 0 ), /* 528 mdnstr */ - S_ST( 'e', 3, 349, 0 ), /* 529 mdnstri */ - S_ST( 'e', 3, 350, 523 ), /* 530 m */ - S_ST( 'l', 3, 532, 0 ), /* 531 mem */ - S_ST( 'o', 3, 533, 0 ), /* 532 meml */ - S_ST( 'c', 3, 351, 0 ), /* 533 memlo */ - S_ST( 'i', 3, 535, 530 ), /* 534 m */ - S_ST( 'n', 3, 552, 0 ), /* 535 mi */ - S_ST( 'c', 3, 537, 0 ), /* 536 min */ - S_ST( 'l', 3, 538, 0 ), /* 537 minc */ - S_ST( 'o', 3, 539, 0 ), /* 538 mincl */ - S_ST( 'c', 3, 352, 0 ), /* 539 minclo */ - S_ST( 'd', 3, 544, 536 ), /* 540 min */ - S_ST( 'e', 3, 542, 0 ), /* 541 mind */ - S_ST( 'p', 3, 543, 0 ), /* 542 minde */ - S_ST( 't', 3, 353, 0 ), /* 543 mindep */ - S_ST( 'i', 3, 545, 541 ), /* 544 mind */ - S_ST( 's', 3, 354, 0 ), /* 545 mindi */ - S_ST( 'i', 3, 547, 540 ), /* 546 min */ - S_ST( 'm', 3, 548, 0 ), /* 547 mini */ - S_ST( 'u', 3, 355, 0 ), /* 548 minim */ - S_ST( 'p', 3, 550, 546 ), /* 549 min */ - S_ST( 'o', 3, 551, 0 ), /* 550 minp */ - S_ST( 'l', 3, 356, 0 ), /* 551 minpo */ - S_ST( 's', 3, 553, 549 ), /* 552 min */ - S_ST( 'a', 3, 554, 0 ), /* 553 mins */ - S_ST( 'n', 3, 357, 0 ), /* 554 minsa */ - S_ST( 'o', 3, 557, 534 ), /* 555 m */ - S_ST( 'd', 3, 358, 0 ), /* 556 mo */ - S_ST( 'n', 3, 561, 556 ), /* 557 mo */ - S_ST( 'i', 3, 559, 0 ), /* 558 mon */ - S_ST( 't', 3, 560, 0 ), /* 559 moni */ - S_ST( 'o', 3, 360, 0 ), /* 560 monit */ - S_ST( 't', 3, 361, 558 ), /* 561 mon */ - S_ST( 'r', 3, 362, 555 ), /* 562 m */ - S_ST( 's', 3, 564, 562 ), /* 563 m */ - S_ST( 's', 3, 565, 0 ), /* 564 ms */ - S_ST( 'n', 3, 566, 0 ), /* 565 mss */ - S_ST( 't', 3, 330, 0 ), /* 566 mssn */ - S_ST( 'u', 3, 568, 563 ), /* 567 m */ - S_ST( 'l', 3, 569, 0 ), /* 568 mu */ - S_ST( 't', 3, 570, 0 ), /* 569 mul */ - S_ST( 'i', 3, 571, 0 ), /* 570 mult */ - S_ST( 'c', 3, 572, 0 ), /* 571 multi */ - S_ST( 'a', 3, 573, 0 ), /* 572 multic */ - S_ST( 's', 3, 574, 0 ), /* 573 multica */ - S_ST( 't', 3, 575, 0 ), /* 574 multicas */ - S_ST( 'c', 3, 576, 0 ), /* 575 multicast */ - S_ST( 'l', 3, 577, 0 ), /* 576 multicastc */ - S_ST( 'i', 3, 578, 0 ), /* 577 multicastcl */ - S_ST( 'e', 3, 579, 0 ), /* 578 multicastcli */ - S_ST( 'n', 3, 363, 0 ), /* 579 multicastclie */ - S_ST( 'n', 3, 623, 486 ), /* 580 */ - S_ST( 'i', 3, 364, 0 ), /* 581 n */ - S_ST( 'o', 3, 618, 581 ), /* 582 n */ - S_ST( 'l', 3, 584, 0 ), /* 583 no */ - S_ST( 'i', 3, 585, 0 ), /* 584 nol */ - S_ST( 'n', 3, 365, 0 ), /* 585 noli */ - S_ST( 'm', 3, 591, 583 ), /* 586 no */ - S_ST( 'o', 3, 588, 0 ), /* 587 nom */ - S_ST( 'd', 3, 589, 0 ), /* 588 nomo */ - S_ST( 'i', 3, 590, 0 ), /* 589 nomod */ - S_ST( 'f', 3, 366, 0 ), /* 590 nomodi */ - S_ST( 'r', 3, 592, 587 ), /* 591 nom */ - S_ST( 'u', 3, 593, 0 ), /* 592 nomr */ - S_ST( 'l', 3, 594, 0 ), /* 593 nomru */ - S_ST( 'i', 3, 595, 0 ), /* 594 nomrul */ - S_ST( 's', 3, 367, 0 ), /* 595 nomruli */ - S_ST( 'n', 3, 597, 586 ), /* 596 no */ - S_ST( 'v', 3, 598, 368 ), /* 597 non */ - S_ST( 'o', 3, 599, 0 ), /* 598 nonv */ - S_ST( 'l', 3, 600, 0 ), /* 599 nonvo */ - S_ST( 'a', 3, 601, 0 ), /* 600 nonvol */ - S_ST( 't', 3, 602, 0 ), /* 601 nonvola */ - S_ST( 'i', 3, 603, 0 ), /* 602 nonvolat */ - S_ST( 'l', 3, 369, 0 ), /* 603 nonvolati */ - S_ST( 'p', 3, 605, 596 ), /* 604 no */ - S_ST( 'e', 3, 606, 0 ), /* 605 nop */ - S_ST( 'e', 3, 370, 0 ), /* 606 nope */ - S_ST( 'q', 3, 608, 604 ), /* 607 no */ - S_ST( 'u', 3, 609, 0 ), /* 608 noq */ - S_ST( 'e', 3, 610, 0 ), /* 609 noqu */ - S_ST( 'r', 3, 371, 0 ), /* 610 noque */ - S_ST( 's', 3, 612, 607 ), /* 611 no */ - S_ST( 'e', 3, 616, 0 ), /* 612 nos */ - S_ST( 'l', 3, 614, 0 ), /* 613 nose */ - S_ST( 'e', 3, 615, 0 ), /* 614 nosel */ - S_ST( 'c', 3, 372, 0 ), /* 615 nosele */ - S_ST( 'r', 3, 617, 613 ), /* 616 nose */ - S_ST( 'v', 3, 373, 0 ), /* 617 noser */ - S_ST( 't', 3, 619, 611 ), /* 618 no */ - S_ST( 'r', 3, 621, 0 ), /* 619 not */ - S_ST( 'a', 3, 374, 0 ), /* 620 notr */ - S_ST( 'u', 3, 622, 620 ), /* 621 notr */ - S_ST( 's', 3, 375, 0 ), /* 622 notru */ - S_ST( 't', 3, 376, 582 ), /* 623 n */ - S_ST( 'p', 3, 625, 0 ), /* 624 ntp */ - S_ST( 'o', 3, 626, 0 ), /* 625 ntpp */ - S_ST( 'r', 3, 377, 0 ), /* 626 ntppo */ - S_ST( 's', 3, 628, 624 ), /* 627 ntp */ - S_ST( 'i', 3, 629, 0 ), /* 628 ntps */ - S_ST( 'g', 3, 630, 0 ), /* 629 ntpsi */ - S_ST( 'n', 3, 631, 0 ), /* 630 ntpsig */ - S_ST( 'd', 3, 632, 0 ), /* 631 ntpsign */ - S_ST( 's', 3, 633, 0 ), /* 632 ntpsignd */ - S_ST( 'o', 3, 634, 0 ), /* 633 ntpsignds */ - S_ST( 'c', 3, 635, 0 ), /* 634 ntpsigndso */ - S_ST( 'k', 3, 636, 0 ), /* 635 ntpsigndsoc */ - S_ST( 'e', 3, 378, 0 ), /* 636 ntpsigndsock */ - S_ST( 'o', 3, 638, 580 ), /* 637 */ - S_ST( 'r', 3, 639, 0 ), /* 638 o */ - S_ST( 'p', 3, 640, 0 ), /* 639 or */ - S_ST( 'h', 3, 641, 0 ), /* 640 orp */ - S_ST( 'a', 3, 379, 0 ), /* 641 orph */ - S_ST( 'w', 3, 643, 0 ), /* 642 orphan */ - S_ST( 'a', 3, 644, 0 ), /* 643 orphanw */ - S_ST( 'i', 3, 380, 0 ), /* 644 orphanwa */ - S_ST( 'p', 3, 393, 637 ), /* 645 */ - S_ST( 'a', 3, 647, 0 ), /* 646 p */ - S_ST( 'n', 3, 648, 0 ), /* 647 pa */ - S_ST( 'i', 3, 382, 0 ), /* 648 pan */ - S_ST( 'e', 3, 650, 646 ), /* 649 p */ - S_ST( 'e', 3, 383, 0 ), /* 650 pe */ - S_ST( '_', 3, 652, 0 ), /* 651 peer */ - S_ST( 'c', 3, 653, 0 ), /* 652 peer_ */ - S_ST( 'l', 3, 654, 0 ), /* 653 peer_c */ - S_ST( 'e', 3, 655, 0 ), /* 654 peer_cl */ - S_ST( 'a', 3, 656, 0 ), /* 655 peer_cle */ - S_ST( 'r', 3, 657, 0 ), /* 656 peer_clea */ - S_ST( '_', 3, 658, 0 ), /* 657 peer_clear */ - S_ST( 'd', 3, 659, 0 ), /* 658 peer_clear_ */ - S_ST( 'i', 3, 660, 0 ), /* 659 peer_clear_d */ - S_ST( 'g', 3, 661, 0 ), /* 660 peer_clear_di */ - S_ST( 'e', 3, 662, 0 ), /* 661 peer_clear_dig */ - S_ST( 's', 3, 663, 0 ), /* 662 peer_clear_dige */ - S_ST( 't', 3, 664, 0 ), /* 663 peer_clear_diges */ - S_ST( '_', 3, 665, 0 ), /* 664 peer_clear_digest */ - S_ST( 'e', 3, 666, 0 ), /* 665 peer_clear_digest_ */ - S_ST( 'a', 3, 667, 0 ), /* 666 peer_clear_digest_e */ - S_ST( 'r', 3, 668, 0 ), /* 667 peer_clear_digest_ea */ - S_ST( 'l', 3, 381, 0 ), /* 668 peer_clear_digest_ear */ - S_ST( 's', 3, 670, 651 ), /* 669 peer */ - S_ST( 't', 3, 671, 0 ), /* 670 peers */ - S_ST( 'a', 3, 672, 0 ), /* 671 peerst */ - S_ST( 't', 3, 384, 0 ), /* 672 peersta */ - S_ST( 'h', 3, 674, 649 ), /* 673 p */ - S_ST( 'o', 3, 675, 0 ), /* 674 ph */ - S_ST( 'n', 3, 385, 0 ), /* 675 pho */ - S_ST( 'i', 3, 386, 673 ), /* 676 p */ - S_ST( 'f', 3, 678, 0 ), /* 677 pid */ - S_ST( 'i', 3, 679, 0 ), /* 678 pidf */ - S_ST( 'l', 3, 387, 0 ), /* 679 pidfi */ - S_ST( 'o', 3, 682, 676 ), /* 680 p */ - S_ST( 'o', 3, 388, 0 ), /* 681 po */ - S_ST( 'r', 3, 389, 681 ), /* 682 po */ - S_ST( 'r', 3, 690, 680 ), /* 683 p */ - S_ST( 'e', 3, 688, 0 ), /* 684 pr */ - S_ST( 'e', 3, 686, 0 ), /* 685 pre */ - S_ST( 'm', 3, 687, 0 ), /* 686 pree */ - S_ST( 'p', 3, 390, 0 ), /* 687 preem */ - S_ST( 'f', 3, 689, 685 ), /* 688 pre */ - S_ST( 'e', 3, 391, 0 ), /* 689 pref */ - S_ST( 'o', 3, 703, 684 ), /* 690 pr */ - S_ST( 'c', 3, 692, 0 ), /* 691 pro */ - S_ST( '_', 3, 693, 0 ), /* 692 proc */ - S_ST( 'd', 3, 694, 0 ), /* 693 proc_ */ - S_ST( 'e', 3, 695, 0 ), /* 694 proc_d */ - S_ST( 'l', 3, 696, 0 ), /* 695 proc_de */ - S_ST( 'a', 3, 453, 0 ), /* 696 proc_del */ - S_ST( 'p', 3, 698, 691 ), /* 697 pro */ - S_ST( '_', 3, 699, 0 ), /* 698 prop */ - S_ST( 'd', 3, 700, 0 ), /* 699 prop_ */ - S_ST( 'e', 3, 701, 0 ), /* 700 prop_d */ - S_ST( 'l', 3, 702, 0 ), /* 701 prop_de */ - S_ST( 'a', 3, 452, 0 ), /* 702 prop_del */ - S_ST( 't', 3, 704, 697 ), /* 703 pro */ - S_ST( 'o', 3, 705, 0 ), /* 704 prot */ - S_ST( 's', 3, 706, 0 ), /* 705 proto */ - S_ST( 't', 3, 707, 0 ), /* 706 protos */ - S_ST( 'a', 3, 708, 0 ), /* 707 protost */ - S_ST( 't', 3, 392, 0 ), /* 708 protosta */ - S_ST( 'r', 3, 740, 645 ), /* 709 */ - S_ST( 'a', 3, 716, 0 ), /* 710 r */ - S_ST( 'n', 3, 712, 0 ), /* 711 ra */ - S_ST( 'd', 3, 713, 0 ), /* 712 ran */ - S_ST( 'f', 3, 714, 0 ), /* 713 rand */ - S_ST( 'i', 3, 715, 0 ), /* 714 randf */ - S_ST( 'l', 3, 394, 0 ), /* 715 randfi */ - S_ST( 'w', 3, 717, 711 ), /* 716 ra */ - S_ST( 's', 3, 718, 0 ), /* 717 raw */ - S_ST( 't', 3, 719, 0 ), /* 718 raws */ - S_ST( 'a', 3, 720, 0 ), /* 719 rawst */ - S_ST( 't', 3, 395, 0 ), /* 720 rawsta */ - S_ST( 'e', 3, 737, 710 ), /* 721 r */ - S_ST( 'f', 3, 723, 0 ), /* 722 re */ - S_ST( 'i', 3, 396, 0 ), /* 723 ref */ - S_ST( 'q', 3, 725, 722 ), /* 724 re */ - S_ST( 'u', 3, 726, 0 ), /* 725 req */ - S_ST( 'e', 3, 727, 0 ), /* 726 requ */ - S_ST( 's', 3, 728, 0 ), /* 727 reque */ - S_ST( 't', 3, 729, 0 ), /* 728 reques */ - S_ST( 'k', 3, 730, 0 ), /* 729 request */ - S_ST( 'e', 3, 397, 0 ), /* 730 requestk */ - S_ST( 's', 3, 733, 724 ), /* 731 re */ - S_ST( 'e', 3, 398, 0 ), /* 732 res */ - S_ST( 't', 3, 734, 732 ), /* 733 res */ - S_ST( 'r', 3, 735, 0 ), /* 734 rest */ - S_ST( 'i', 3, 736, 0 ), /* 735 restr */ - S_ST( 'c', 3, 399, 0 ), /* 736 restri */ - S_ST( 'v', 3, 738, 731 ), /* 737 re */ - S_ST( 'o', 3, 739, 0 ), /* 738 rev */ - S_ST( 'k', 3, 400, 0 ), /* 739 revo */ - S_ST( 'l', 3, 741, 721 ), /* 740 r */ - S_ST( 'i', 3, 742, 0 ), /* 741 rl */ - S_ST( 'm', 3, 743, 0 ), /* 742 rli */ - S_ST( 'i', 3, 401, 0 ), /* 743 rlim */ - S_ST( 's', 3, 817, 709 ), /* 744 */ - S_ST( 'a', 3, 746, 0 ), /* 745 s */ - S_ST( 'v', 3, 747, 0 ), /* 746 sa */ - S_ST( 'e', 3, 748, 0 ), /* 747 sav */ - S_ST( 'c', 3, 749, 0 ), /* 748 save */ - S_ST( 'o', 3, 750, 0 ), /* 749 savec */ - S_ST( 'n', 3, 751, 0 ), /* 750 saveco */ - S_ST( 'f', 3, 752, 0 ), /* 751 savecon */ - S_ST( 'i', 3, 753, 0 ), /* 752 saveconf */ - S_ST( 'g', 3, 754, 0 ), /* 753 saveconfi */ - S_ST( 'd', 3, 755, 0 ), /* 754 saveconfig */ - S_ST( 'i', 3, 402, 0 ), /* 755 saveconfigd */ - S_ST( 'e', 3, 766, 745 ), /* 756 s */ - S_ST( 'r', 3, 758, 0 ), /* 757 se */ - S_ST( 'v', 3, 759, 0 ), /* 758 ser */ - S_ST( 'e', 3, 403, 0 ), /* 759 serv */ - S_ST( '_', 3, 761, 0 ), /* 760 server */ - S_ST( 'o', 3, 762, 0 ), /* 761 server_ */ - S_ST( 'f', 3, 763, 0 ), /* 762 server_o */ - S_ST( 'f', 3, 764, 0 ), /* 763 server_of */ - S_ST( 's', 3, 765, 0 ), /* 764 server_off */ - S_ST( 'e', 3, 447, 0 ), /* 765 server_offs */ - S_ST( 't', 3, 767, 757 ), /* 766 se */ - S_ST( 'v', 3, 768, 0 ), /* 767 set */ - S_ST( 'a', 3, 404, 0 ), /* 768 setv */ - S_ST( 'i', 3, 770, 756 ), /* 769 s */ - S_ST( 'm', 3, 771, 0 ), /* 770 si */ - S_ST( 'u', 3, 772, 0 ), /* 771 sim */ - S_ST( 'l', 3, 773, 0 ), /* 772 simu */ - S_ST( 'a', 3, 774, 0 ), /* 773 simul */ - S_ST( 't', 3, 775, 0 ), /* 774 simula */ - S_ST( 'i', 3, 776, 444 ), /* 775 simulat */ - S_ST( 'o', 3, 777, 0 ), /* 776 simulati */ - S_ST( 'n', 3, 778, 0 ), /* 777 simulatio */ - S_ST( '_', 3, 779, 0 ), /* 778 simulation */ - S_ST( 'd', 3, 780, 0 ), /* 779 simulation_ */ - S_ST( 'u', 3, 781, 0 ), /* 780 simulation_d */ - S_ST( 'r', 3, 782, 0 ), /* 781 simulation_du */ - S_ST( 'a', 3, 783, 0 ), /* 782 simulation_dur */ - S_ST( 't', 3, 784, 0 ), /* 783 simulation_dura */ - S_ST( 'i', 3, 785, 0 ), /* 784 simulation_durat */ - S_ST( 'o', 3, 446, 0 ), /* 785 simulation_durati */ - S_ST( 'o', 3, 787, 769 ), /* 786 s */ - S_ST( 'u', 3, 788, 0 ), /* 787 so */ - S_ST( 'r', 3, 789, 0 ), /* 788 sou */ - S_ST( 'c', 3, 405, 0 ), /* 789 sour */ - S_ST( 't', 3, 813, 786 ), /* 790 s */ - S_ST( 'a', 3, 797, 0 ), /* 791 st */ - S_ST( 'c', 3, 793, 0 ), /* 792 sta */ - S_ST( 'k', 3, 794, 0 ), /* 793 stac */ - S_ST( 's', 3, 795, 0 ), /* 794 stack */ - S_ST( 'i', 3, 796, 0 ), /* 795 stacks */ - S_ST( 'z', 3, 406, 0 ), /* 796 stacksi */ - S_ST( 't', 3, 408, 792 ), /* 797 sta */ - S_ST( 'i', 3, 799, 0 ), /* 798 stat */ - S_ST( 's', 3, 800, 0 ), /* 799 stati */ - S_ST( 't', 3, 801, 0 ), /* 800 statis */ - S_ST( 'i', 3, 802, 0 ), /* 801 statist */ - S_ST( 'c', 3, 407, 0 ), /* 802 statisti */ - S_ST( 'd', 3, 804, 0 ), /* 803 stats */ - S_ST( 'i', 3, 409, 0 ), /* 804 statsd */ - S_ST( 'e', 3, 410, 791 ), /* 805 st */ - S_ST( 'b', 3, 807, 0 ), /* 806 step */ - S_ST( 'a', 3, 808, 0 ), /* 807 stepb */ - S_ST( 'c', 3, 411, 0 ), /* 808 stepba */ - S_ST( 'f', 3, 810, 806 ), /* 809 step */ - S_ST( 'w', 3, 412, 0 ), /* 810 stepf */ - S_ST( 'o', 3, 812, 809 ), /* 811 step */ - S_ST( 'u', 3, 413, 0 ), /* 812 stepo */ - S_ST( 'r', 3, 814, 805 ), /* 813 st */ - S_ST( 'a', 3, 815, 0 ), /* 814 str */ - S_ST( 't', 3, 816, 0 ), /* 815 stra */ - S_ST( 'u', 3, 414, 0 ), /* 816 strat */ - S_ST( 'y', 3, 416, 790 ), /* 817 s */ - S_ST( 's', 3, 819, 0 ), /* 818 sys */ - S_ST( 't', 3, 820, 0 ), /* 819 syss */ - S_ST( 'a', 3, 821, 0 ), /* 820 sysst */ - S_ST( 't', 3, 417, 0 ), /* 821 syssta */ - S_ST( 't', 3, 848, 744 ), /* 822 */ - S_ST( 'i', 3, 834, 0 ), /* 823 t */ - S_ST( 'c', 3, 418, 0 ), /* 824 ti */ - S_ST( 'm', 3, 827, 824 ), /* 825 ti */ - S_ST( 'e', 3, 421, 0 ), /* 826 tim */ - S_ST( 'i', 3, 828, 826 ), /* 827 tim */ - S_ST( 'n', 3, 829, 0 ), /* 828 timi */ - S_ST( 'g', 3, 830, 0 ), /* 829 timin */ - S_ST( 's', 3, 831, 0 ), /* 830 timing */ - S_ST( 't', 3, 832, 0 ), /* 831 timings */ - S_ST( 'a', 3, 833, 0 ), /* 832 timingst */ - S_ST( 't', 3, 422, 0 ), /* 833 timingsta */ - S_ST( 'n', 3, 835, 825 ), /* 834 ti */ - S_ST( 'k', 3, 836, 0 ), /* 835 tin */ - S_ST( 'e', 3, 423, 0 ), /* 836 tink */ - S_ST( 'o', 3, 424, 823 ), /* 837 t */ - S_ST( 'r', 3, 840, 837 ), /* 838 t */ - S_ST( 'a', 3, 425, 0 ), /* 839 tr */ - S_ST( 'u', 3, 841, 839 ), /* 840 tr */ - S_ST( 's', 3, 842, 426 ), /* 841 tru */ - S_ST( 't', 3, 843, 0 ), /* 842 trus */ - S_ST( 'e', 3, 844, 0 ), /* 843 trust */ - S_ST( 'd', 3, 845, 0 ), /* 844 truste */ - S_ST( 'k', 3, 846, 0 ), /* 845 trusted */ - S_ST( 'e', 3, 427, 0 ), /* 846 trustedk */ - S_ST( 't', 3, 428, 838 ), /* 847 t */ - S_ST( 'y', 3, 849, 847 ), /* 848 t */ - S_ST( 'p', 3, 429, 0 ), /* 849 ty */ - S_ST( 'u', 3, 851, 822 ), /* 850 */ - S_ST( 'n', 3, 857, 0 ), /* 851 u */ - S_ST( 'c', 3, 853, 0 ), /* 852 un */ - S_ST( 'o', 3, 854, 0 ), /* 853 unc */ - S_ST( 'n', 3, 855, 0 ), /* 854 unco */ - S_ST( 'f', 3, 856, 0 ), /* 855 uncon */ - S_ST( 'i', 3, 434, 0 ), /* 856 unconf */ - S_ST( 'p', 3, 858, 852 ), /* 857 un */ - S_ST( 'e', 3, 859, 0 ), /* 858 unp */ - S_ST( 'e', 3, 435, 0 ), /* 859 unpe */ - S_ST( '_', 3, 880, 0 ), /* 860 unpeer */ - S_ST( 'c', 3, 862, 0 ), /* 861 unpeer_ */ - S_ST( 'r', 3, 863, 0 ), /* 862 unpeer_c */ - S_ST( 'y', 3, 864, 0 ), /* 863 unpeer_cr */ - S_ST( 'p', 3, 865, 0 ), /* 864 unpeer_cry */ - S_ST( 't', 3, 866, 0 ), /* 865 unpeer_cryp */ - S_ST( 'o', 3, 867, 0 ), /* 866 unpeer_crypt */ - S_ST( '_', 3, 872, 0 ), /* 867 unpeer_crypto */ - S_ST( 'e', 3, 869, 0 ), /* 868 unpeer_crypto_ */ - S_ST( 'a', 3, 870, 0 ), /* 869 unpeer_crypto_e */ - S_ST( 'r', 3, 871, 0 ), /* 870 unpeer_crypto_ea */ - S_ST( 'l', 3, 431, 0 ), /* 871 unpeer_crypto_ear */ - S_ST( 'n', 3, 873, 868 ), /* 872 unpeer_crypto_ */ - S_ST( 'a', 3, 874, 0 ), /* 873 unpeer_crypto_n */ - S_ST( 'k', 3, 875, 0 ), /* 874 unpeer_crypto_na */ - S_ST( '_', 3, 876, 0 ), /* 875 unpeer_crypto_nak */ - S_ST( 'e', 3, 877, 0 ), /* 876 unpeer_crypto_nak_ */ - S_ST( 'a', 3, 878, 0 ), /* 877 unpeer_crypto_nak_e */ - S_ST( 'r', 3, 879, 0 ), /* 878 unpeer_crypto_nak_ea */ - S_ST( 'l', 3, 432, 0 ), /* 879 unpeer_crypto_nak_ear */ - S_ST( 'd', 3, 881, 861 ), /* 880 unpeer_ */ - S_ST( 'i', 3, 882, 0 ), /* 881 unpeer_d */ - S_ST( 'g', 3, 883, 0 ), /* 882 unpeer_di */ - S_ST( 'e', 3, 884, 0 ), /* 883 unpeer_dig */ - S_ST( 's', 3, 885, 0 ), /* 884 unpeer_dige */ - S_ST( 't', 3, 886, 0 ), /* 885 unpeer_diges */ - S_ST( '_', 3, 887, 0 ), /* 886 unpeer_digest */ - S_ST( 'e', 3, 888, 0 ), /* 887 unpeer_digest_ */ - S_ST( 'a', 3, 889, 0 ), /* 888 unpeer_digest_e */ - S_ST( 'r', 3, 890, 0 ), /* 889 unpeer_digest_ea */ - S_ST( 'l', 3, 433, 0 ), /* 890 unpeer_digest_ear */ - S_ST( 'v', 3, 892, 850 ), /* 891 */ - S_ST( 'e', 3, 893, 0 ), /* 892 v */ - S_ST( 'r', 3, 894, 0 ), /* 893 ve */ - S_ST( 's', 3, 895, 0 ), /* 894 ver */ - S_ST( 'i', 3, 896, 0 ), /* 895 vers */ - S_ST( 'o', 3, 436, 0 ), /* 896 versi */ - S_ST( 'w', 3, 904, 891 ), /* 897 */ - S_ST( 'a', 3, 899, 0 ), /* 898 w */ - S_ST( 'n', 3, 900, 0 ), /* 899 wa */ - S_ST( 'd', 3, 901, 0 ), /* 900 wan */ - S_ST( 'e', 3, 450, 0 ), /* 901 wand */ - S_ST( 'e', 3, 903, 898 ), /* 902 w */ - S_ST( 'e', 3, 438, 0 ), /* 903 we */ - S_ST( 'i', 3, 905, 902 ), /* 904 w */ - S_ST( 'l', 3, 906, 0 ), /* 905 wi */ - S_ST( 'd', 3, 907, 0 ), /* 906 wil */ - S_ST( 'c', 3, 908, 0 ), /* 907 wild */ - S_ST( 'a', 3, 909, 0 ), /* 908 wildc */ - S_ST( 'r', 3, 439, 0 ), /* 909 wildca */ - S_ST( 'x', 3, 911, 897 ), /* 910 */ - S_ST( 'l', 3, 912, 0 ), /* 911 x */ - S_ST( 'e', 3, 913, 0 ), /* 912 xl */ - S_ST( 'a', 3, 914, 0 ), /* 913 xle */ - S_ST( 'v', 3, 440, 0 ), /* 914 xlea */ - S_ST( 'y', 3, 916, 910 ), /* 915 [initial state] */ - S_ST( 'e', 3, 917, 0 ), /* 916 y */ - S_ST( 'a', 3, 441, 0 ) /* 917 ye */ + S_ST( 'e', 1, 0, 0 ), /* 267 T_Basedate */ + S_ST( 't', 0, 0, 0 ), /* 268 T_Bclient */ + S_ST( 'p', 0, 0, 0 ), /* 269 T_Bcpollbstep */ + S_ST( 'n', 0, 0, 0 ), /* 270 T_Beacon */ + S_ST( 't', 1, 71, 0 ), /* 271 T_Broadcast */ + S_ST( 't', 0, 0, 0 ), /* 272 T_Broadcastclient */ + S_ST( 'y', 0, 0, 0 ), /* 273 T_Broadcastdelay */ + S_ST( 't', 0, 0, 0 ), /* 274 T_Burst */ + S_ST( 'e', 0, 0, 0 ), /* 275 T_Calibrate */ + S_ST( 'g', 0, 0, 0 ), /* 276 T_Ceiling */ + S_ST( 's', 0, 0, 0 ), /* 277 T_Clockstats */ + S_ST( 't', 0, 0, 0 ), /* 278 T_Cohort */ + S_ST( 'y', 0, 0, 0 ), /* 279 T_ControlKey */ + S_ST( 'o', 0, 114, 0 ), /* 280 T_Crypto */ + S_ST( 's', 0, 0, 0 ), /* 281 T_Cryptostats */ + S_ST( 'l', 0, 0, 0 ), /* 282 T_Ctl */ + S_ST( 'y', 0, 0, 0 ), /* 283 T_Day */ + S_ST( 't', 0, 0, 0 ), /* 284 T_Default */ + S_ST( 't', 1, 0, 0 ), /* 285 T_Digest */ + S_ST( 'e', 0, 0, 0 ), /* 286 T_Disable */ + S_ST( 'd', 0, 0, 0 ), /* 287 T_Discard */ + S_ST( 'n', 0, 0, 0 ), /* 288 T_Dispersion */ + S_ST( 'r', 3, 297, 0 ), /* 289 ke */ + S_ST( 'e', 1, 0, 0 ), /* 290 T_Driftfile */ + S_ST( 'p', 0, 0, 0 ), /* 291 T_Drop */ + S_ST( 'p', 0, 0, 0 ), /* 292 T_Dscp */ + S_ST( '.', 0, 0, 0 ), /* 293 T_Ellipsis */ + S_ST( 'e', 0, 0, 0 ), /* 294 T_Enable */ + S_ST( 'd', 0, 0, 161 ), /* 295 T_End */ + S_ST( 'r', 0, 0, 0 ), /* 296 T_Epeer */ + S_ST( 'n', 3, 319, 0 ), /* 297 ker */ + S_ST( 'e', 1, 172, 0 ), /* 298 T_File */ + S_ST( 'n', 0, 0, 0 ), /* 299 T_Filegen */ + S_ST( 'm', 0, 0, 0 ), /* 300 T_Filenum */ + S_ST( '1', 0, 0, 0 ), /* 301 T_Flag1 */ + S_ST( '2', 0, 0, 301 ), /* 302 T_Flag2 */ + S_ST( '3', 0, 0, 302 ), /* 303 T_Flag3 */ + S_ST( '4', 0, 0, 303 ), /* 304 T_Flag4 */ + S_ST( 'e', 0, 0, 0 ), /* 305 T_Flake */ + S_ST( 'r', 0, 0, 0 ), /* 306 T_Floor */ + S_ST( 'q', 0, 182, 0 ), /* 307 T_Freq */ + S_ST( 'e', 1, 0, 0 ), /* 308 T_Fudge */ + S_ST( 't', 1, 0, 0 ), /* 309 T_Host */ + S_ST( 'f', 0, 0, 0 ), /* 310 T_Huffpuff */ + S_ST( 't', 0, 0, 0 ), /* 311 T_Iburst */ + S_ST( 't', 1, 0, 0 ), /* 312 T_Ident */ + S_ST( 'e', 0, 0, 0 ), /* 313 T_Ignore */ + S_ST( 'c', 0, 0, 0 ), /* 314 T_Incalloc */ + S_ST( 'm', 0, 0, 0 ), /* 315 T_Incmem */ + S_ST( 'c', 0, 0, 0 ), /* 316 T_Initalloc */ + S_ST( 'm', 0, 0, 0 ), /* 317 T_Initmem */ + S_ST( 'e', 1, 0, 0 ), /* 318 T_Includefile */ + S_ST( 'e', 3, 328, 0 ), /* 319 kern */ + S_ST( 'e', 0, 0, 0 ), /* 320 T_Interface */ + S_ST( 'd', 3, 419, 0 ), /* 321 keys */ + S_ST( 'o', 0, 0, 212 ), /* 322 T_Io */ + S_ST( 't', 0, 0, 0 ), /* 323 T_Ippeerlimit */ + S_ST( '4', 0, 0, 0 ), /* 324 T_Ipv4 */ + S_ST( '4', 0, 0, 0 ), /* 325 T_Ipv4_flag */ + S_ST( '6', 0, 0, 324 ), /* 326 T_Ipv6 */ + S_ST( '6', 0, 0, 325 ), /* 327 T_Ipv6_flag */ + S_ST( 'l', 0, 0, 0 ), /* 328 T_Kernel */ + S_ST( 'y', 0, 330, 289 ), /* 329 T_Key */ + S_ST( 's', 1, 321, 0 ), /* 330 T_Keys */ + S_ST( 'r', 1, 0, 0 ), /* 331 T_Keysdir */ + S_ST( 'd', 0, 0, 0 ), /* 332 T_Kod */ + S_ST( 'p', 0, 0, 0 ), /* 333 T_Mssntp */ + S_ST( 'e', 1, 0, 0 ), /* 334 T_Leapfile */ + S_ST( 'l', 0, 0, 0 ), /* 335 T_Leapsmearinterval */ + S_ST( 'd', 0, 0, 0 ), /* 336 T_Limited */ + S_ST( 'k', 0, 0, 0 ), /* 337 T_Link */ + S_ST( 'n', 0, 0, 0 ), /* 338 T_Listen */ + S_ST( 'g', 2, 0, 0 ), /* 339 T_Logconfig */ + S_ST( 'e', 1, 0, 0 ), /* 340 T_Logfile */ + S_ST( 's', 0, 0, 0 ), /* 341 T_Loopstats */ + S_ST( 'p', 0, 0, 0 ), /* 342 T_Lowpriotrap */ + S_ST( 't', 1, 0, 0 ), /* 343 T_Manycastclient */ + S_ST( 'r', 2, 0, 0 ), /* 344 T_Manycastserver */ + S_ST( 'k', 0, 0, 0 ), /* 345 T_Mask */ + S_ST( 'e', 0, 0, 0 ), /* 346 T_Maxage */ + S_ST( 'k', 0, 0, 0 ), /* 347 T_Maxclock */ + S_ST( 'h', 0, 0, 0 ), /* 348 T_Maxdepth */ + S_ST( 't', 0, 0, 0 ), /* 349 T_Maxdist */ + S_ST( 'm', 0, 0, 0 ), /* 350 T_Maxmem */ + S_ST( 'l', 0, 0, 0 ), /* 351 T_Maxpoll */ + S_ST( 's', 0, 0, 0 ), /* 352 T_Mdnstries */ + S_ST( 'm', 0, 552, 0 ), /* 353 T_Mem */ + S_ST( 'k', 0, 0, 0 ), /* 354 T_Memlock */ + S_ST( 'k', 0, 0, 0 ), /* 355 T_Minclock */ + S_ST( 'h', 0, 0, 0 ), /* 356 T_Mindepth */ + S_ST( 't', 0, 0, 0 ), /* 357 T_Mindist */ + S_ST( 'm', 0, 0, 0 ), /* 358 T_Minimum */ + S_ST( 'l', 0, 0, 0 ), /* 359 T_Minpoll */ + S_ST( 'e', 0, 0, 0 ), /* 360 T_Minsane */ + S_ST( 'e', 0, 362, 0 ), /* 361 T_Mode */ + S_ST( '7', 0, 0, 0 ), /* 362 T_Mode7 */ + S_ST( 'r', 0, 0, 0 ), /* 363 T_Monitor */ + S_ST( 'h', 0, 0, 0 ), /* 364 T_Month */ + S_ST( 'u', 0, 0, 0 ), /* 365 T_Mru */ + S_ST( 't', 2, 0, 0 ), /* 366 T_Multicastclient */ + S_ST( 'c', 0, 0, 0 ), /* 367 T_Nic */ + S_ST( 'k', 0, 0, 0 ), /* 368 T_Nolink */ + S_ST( 'y', 0, 0, 0 ), /* 369 T_Nomodify */ + S_ST( 't', 0, 0, 0 ), /* 370 T_Nomrulist */ + S_ST( 'e', 0, 0, 0 ), /* 371 T_None */ + S_ST( 'e', 0, 0, 0 ), /* 372 T_Nonvolatile */ + S_ST( 'r', 0, 0, 0 ), /* 373 T_Noepeer */ + S_ST( 'r', 0, 0, 0 ), /* 374 T_Nopeer */ + S_ST( 'y', 0, 0, 0 ), /* 375 T_Noquery */ + S_ST( 't', 0, 0, 0 ), /* 376 T_Noselect */ + S_ST( 'e', 0, 0, 0 ), /* 377 T_Noserve */ + S_ST( 'p', 0, 0, 0 ), /* 378 T_Notrap */ + S_ST( 't', 0, 0, 0 ), /* 379 T_Notrust */ + S_ST( 'p', 0, 652, 0 ), /* 380 T_Ntp */ + S_ST( 't', 0, 0, 0 ), /* 381 T_Ntpport */ + S_ST( 't', 1, 0, 0 ), /* 382 T_NtpSignDsocket */ + S_ST( 'n', 0, 667, 0 ), /* 383 T_Orphan */ + S_ST( 't', 0, 0, 0 ), /* 384 T_Orphanwait */ + S_ST( 'y', 0, 0, 0 ), /* 385 T_PCEdigest */ + S_ST( 'c', 0, 0, 0 ), /* 386 T_Panic */ + S_ST( 'r', 1, 694, 0 ), /* 387 T_Peer */ + S_ST( 's', 0, 0, 0 ), /* 388 T_Peerstats */ + S_ST( 'e', 2, 0, 0 ), /* 389 T_Phone */ + S_ST( 'd', 0, 702, 0 ), /* 390 T_Pid */ + S_ST( 'e', 1, 0, 0 ), /* 391 T_Pidfile */ + S_ST( 'l', 1, 0, 0 ), /* 392 T_Pool */ + S_ST( 't', 0, 0, 0 ), /* 393 T_Port */ + S_ST( 't', 0, 0, 0 ), /* 394 T_Preempt */ + S_ST( 'r', 0, 0, 0 ), /* 395 T_Prefer */ + S_ST( 's', 0, 0, 0 ), /* 396 T_Protostats */ + S_ST( 'w', 1, 0, 708 ), /* 397 T_Pw */ + S_ST( 'e', 1, 0, 0 ), /* 398 T_Randfile */ + S_ST( 's', 0, 0, 0 ), /* 399 T_Rawstats */ + S_ST( 'd', 1, 0, 0 ), /* 400 T_Refid */ + S_ST( 'y', 0, 0, 0 ), /* 401 T_Requestkey */ + S_ST( 't', 0, 0, 0 ), /* 402 T_Reset */ + S_ST( 't', 0, 0, 0 ), /* 403 T_Restrict */ + S_ST( 'e', 0, 0, 0 ), /* 404 T_Revoke */ + S_ST( 't', 0, 0, 0 ), /* 405 T_Rlimit */ + S_ST( 'r', 1, 0, 0 ), /* 406 T_Saveconfigdir */ + S_ST( 'r', 1, 785, 0 ), /* 407 T_Server */ + S_ST( 'r', 1, 0, 0 ), /* 408 T_Setvar */ + S_ST( 'e', 0, 0, 0 ), /* 409 T_Source */ + S_ST( 'e', 0, 0, 0 ), /* 410 T_Stacksize */ + S_ST( 's', 0, 0, 0 ), /* 411 T_Statistics */ + S_ST( 's', 0, 828, 823 ), /* 412 T_Stats */ + S_ST( 'r', 1, 0, 0 ), /* 413 T_Statsdir */ + S_ST( 'p', 0, 836, 0 ), /* 414 T_Step */ + S_ST( 'k', 0, 0, 0 ), /* 415 T_Stepback */ + S_ST( 'd', 0, 0, 0 ), /* 416 T_Stepfwd */ + S_ST( 't', 0, 0, 0 ), /* 417 T_Stepout */ + S_ST( 'm', 0, 0, 0 ), /* 418 T_Stratum */ + S_ST( 'i', 3, 331, 0 ), /* 419 keysd */ + S_ST( 's', 0, 843, 0 ), /* 420 T_Sys */ + S_ST( 's', 0, 0, 0 ), /* 421 T_Sysstats */ + S_ST( 'k', 0, 0, 0 ), /* 422 T_Tick */ + S_ST( '1', 0, 0, 0 ), /* 423 T_Time1 */ + S_ST( '2', 0, 0, 423 ), /* 424 T_Time2 */ + S_ST( 'r', 0, 0, 424 ), /* 425 T_Timer */ + S_ST( 's', 0, 0, 0 ), /* 426 T_Timingstats */ + S_ST( 'r', 0, 0, 0 ), /* 427 T_Tinker */ + S_ST( 's', 0, 0, 0 ), /* 428 T_Tos */ + S_ST( 'p', 1, 0, 0 ), /* 429 T_Trap */ + S_ST( 'e', 0, 0, 0 ), /* 430 T_True */ + S_ST( 'y', 0, 0, 0 ), /* 431 T_Trustedkey */ + S_ST( 'l', 0, 0, 0 ), /* 432 T_Ttl */ + S_ST( 'e', 0, 0, 0 ), /* 433 T_Type */ + S_ST( 'o', 3, 332, 257 ), /* 434 k */ + S_ST( 'y', 0, 0, 0 ), /* 435 T_UEcrypto */ + S_ST( 'y', 0, 0, 0 ), /* 436 T_UEcryptonak */ + S_ST( 'y', 0, 0, 0 ), /* 437 T_UEdigest */ + S_ST( 'g', 1, 0, 0 ), /* 438 T_Unconfig */ + S_ST( 'r', 1, 885, 0 ), /* 439 T_Unpeer */ + S_ST( 'n', 0, 0, 0 ), /* 440 T_Version */ + S_ST( 'l', 3, 483, 256 ), /* 441 */ + S_ST( 'k', 0, 0, 0 ), /* 442 T_Week */ + S_ST( 'd', 0, 0, 0 ), /* 443 T_Wildcard */ + S_ST( 'e', 0, 0, 0 ), /* 444 T_Xleave */ + S_ST( 'r', 0, 0, 0 ), /* 445 T_Year */ + S_ST( 'e', 3, 447, 0 ), /* 446 l */ + S_ST( 'a', 3, 458, 0 ), /* 447 le */ + S_ST( 'e', 0, 0, 0 ), /* 448 T_Simulate */ + S_ST( 'y', 0, 0, 0 ), /* 449 T_Beep_Delay */ + S_ST( 'n', 0, 0, 0 ), /* 450 T_Sim_Duration */ + S_ST( 't', 0, 0, 0 ), /* 451 T_Server_Offset */ + S_ST( 'n', 0, 0, 0 ), /* 452 T_Duration */ + S_ST( 't', 0, 0, 0 ), /* 453 T_Freq_Offset */ + S_ST( 'r', 0, 0, 0 ), /* 454 T_Wander */ + S_ST( 'r', 0, 0, 0 ), /* 455 T_Jitter */ + S_ST( 'y', 0, 0, 0 ), /* 456 T_Prop_Delay */ + S_ST( 'y', 0, 0, 0 ), /* 457 T_Proc_Delay */ + S_ST( 'p', 3, 462, 0 ), /* 458 lea */ + S_ST( 'f', 3, 460, 0 ), /* 459 leap */ + S_ST( 'i', 3, 461, 0 ), /* 460 leapf */ + S_ST( 'l', 3, 334, 0 ), /* 461 leapfi */ + S_ST( 's', 3, 463, 459 ), /* 462 leap */ + S_ST( 'm', 3, 464, 0 ), /* 463 leaps */ + S_ST( 'e', 3, 465, 0 ), /* 464 leapsm */ + S_ST( 'a', 3, 466, 0 ), /* 465 leapsme */ + S_ST( 'r', 3, 467, 0 ), /* 466 leapsmea */ + S_ST( 'i', 3, 468, 0 ), /* 467 leapsmear */ + S_ST( 'n', 3, 469, 0 ), /* 468 leapsmeari */ + S_ST( 't', 3, 470, 0 ), /* 469 leapsmearin */ + S_ST( 'e', 3, 471, 0 ), /* 470 leapsmearint */ + S_ST( 'r', 3, 472, 0 ), /* 471 leapsmearinte */ + S_ST( 'v', 3, 473, 0 ), /* 472 leapsmearinter */ + S_ST( 'a', 3, 335, 0 ), /* 473 leapsmearinterv */ + S_ST( 'i', 3, 480, 446 ), /* 474 l */ + S_ST( 'm', 3, 476, 0 ), /* 475 li */ + S_ST( 'i', 3, 477, 0 ), /* 476 lim */ + S_ST( 't', 3, 478, 0 ), /* 477 limi */ + S_ST( 'e', 3, 336, 0 ), /* 478 limit */ + S_ST( 'n', 3, 337, 475 ), /* 479 li */ + S_ST( 's', 3, 481, 479 ), /* 480 li */ + S_ST( 't', 3, 482, 0 ), /* 481 lis */ + S_ST( 'e', 3, 338, 0 ), /* 482 list */ + S_ST( 'o', 3, 499, 474 ), /* 483 l */ + S_ST( 'g', 3, 490, 0 ), /* 484 lo */ + S_ST( 'c', 3, 486, 0 ), /* 485 log */ + S_ST( 'o', 3, 487, 0 ), /* 486 logc */ + S_ST( 'n', 3, 488, 0 ), /* 487 logco */ + S_ST( 'f', 3, 489, 0 ), /* 488 logcon */ + S_ST( 'i', 3, 339, 0 ), /* 489 logconf */ + S_ST( 'f', 3, 491, 485 ), /* 490 log */ + S_ST( 'i', 3, 492, 0 ), /* 491 logf */ + S_ST( 'l', 3, 340, 0 ), /* 492 logfi */ + S_ST( 'o', 3, 494, 484 ), /* 493 lo */ + S_ST( 'p', 3, 495, 0 ), /* 494 loo */ + S_ST( 's', 3, 496, 0 ), /* 495 loop */ + S_ST( 't', 3, 497, 0 ), /* 496 loops */ + S_ST( 'a', 3, 498, 0 ), /* 497 loopst */ + S_ST( 't', 3, 341, 0 ), /* 498 loopsta */ + S_ST( 'w', 3, 500, 493 ), /* 499 lo */ + S_ST( 'p', 3, 501, 0 ), /* 500 low */ + S_ST( 'r', 3, 502, 0 ), /* 501 lowp */ + S_ST( 'i', 3, 503, 0 ), /* 502 lowpr */ + S_ST( 'o', 3, 504, 0 ), /* 503 lowpri */ + S_ST( 't', 3, 505, 0 ), /* 504 lowprio */ + S_ST( 'r', 3, 506, 0 ), /* 505 lowpriot */ + S_ST( 'a', 3, 342, 0 ), /* 506 lowpriotr */ + S_ST( 'm', 3, 588, 441 ), /* 507 */ + S_ST( 'a', 3, 526, 0 ), /* 508 m */ + S_ST( 'n', 3, 510, 0 ), /* 509 ma */ + S_ST( 'y', 3, 511, 0 ), /* 510 man */ + S_ST( 'c', 3, 512, 0 ), /* 511 many */ + S_ST( 'a', 3, 513, 0 ), /* 512 manyc */ + S_ST( 's', 3, 514, 0 ), /* 513 manyca */ + S_ST( 't', 3, 520, 0 ), /* 514 manycas */ + S_ST( 'c', 3, 516, 0 ), /* 515 manycast */ + S_ST( 'l', 3, 517, 0 ), /* 516 manycastc */ + S_ST( 'i', 3, 518, 0 ), /* 517 manycastcl */ + S_ST( 'e', 3, 519, 0 ), /* 518 manycastcli */ + S_ST( 'n', 3, 343, 0 ), /* 519 manycastclie */ + S_ST( 's', 3, 521, 515 ), /* 520 manycast */ + S_ST( 'e', 3, 522, 0 ), /* 521 manycasts */ + S_ST( 'r', 3, 523, 0 ), /* 522 manycastse */ + S_ST( 'v', 3, 524, 0 ), /* 523 manycastser */ + S_ST( 'e', 3, 344, 0 ), /* 524 manycastserv */ + S_ST( 's', 3, 345, 509 ), /* 525 ma */ + S_ST( 'x', 3, 541, 525 ), /* 526 ma */ + S_ST( 'a', 3, 528, 0 ), /* 527 max */ + S_ST( 'g', 3, 346, 0 ), /* 528 maxa */ + S_ST( 'c', 3, 530, 527 ), /* 529 max */ + S_ST( 'l', 3, 531, 0 ), /* 530 maxc */ + S_ST( 'o', 3, 532, 0 ), /* 531 maxcl */ + S_ST( 'c', 3, 347, 0 ), /* 532 maxclo */ + S_ST( 'd', 3, 537, 529 ), /* 533 max */ + S_ST( 'e', 3, 535, 0 ), /* 534 maxd */ + S_ST( 'p', 3, 536, 0 ), /* 535 maxde */ + S_ST( 't', 3, 348, 0 ), /* 536 maxdep */ + S_ST( 'i', 3, 538, 534 ), /* 537 maxd */ + S_ST( 's', 3, 349, 0 ), /* 538 maxdi */ + S_ST( 'm', 3, 540, 533 ), /* 539 max */ + S_ST( 'e', 3, 350, 0 ), /* 540 maxm */ + S_ST( 'p', 3, 542, 539 ), /* 541 max */ + S_ST( 'o', 3, 543, 0 ), /* 542 maxp */ + S_ST( 'l', 3, 351, 0 ), /* 543 maxpo */ + S_ST( 'd', 3, 545, 508 ), /* 544 m */ + S_ST( 'n', 3, 546, 0 ), /* 545 md */ + S_ST( 's', 3, 547, 0 ), /* 546 mdn */ + S_ST( 't', 3, 548, 0 ), /* 547 mdns */ + S_ST( 'r', 3, 549, 0 ), /* 548 mdnst */ + S_ST( 'i', 3, 550, 0 ), /* 549 mdnstr */ + S_ST( 'e', 3, 352, 0 ), /* 550 mdnstri */ + S_ST( 'e', 3, 353, 544 ), /* 551 m */ + S_ST( 'l', 3, 553, 0 ), /* 552 mem */ + S_ST( 'o', 3, 554, 0 ), /* 553 meml */ + S_ST( 'c', 3, 354, 0 ), /* 554 memlo */ + S_ST( 'i', 3, 556, 551 ), /* 555 m */ + S_ST( 'n', 3, 573, 0 ), /* 556 mi */ + S_ST( 'c', 3, 558, 0 ), /* 557 min */ + S_ST( 'l', 3, 559, 0 ), /* 558 minc */ + S_ST( 'o', 3, 560, 0 ), /* 559 mincl */ + S_ST( 'c', 3, 355, 0 ), /* 560 minclo */ + S_ST( 'd', 3, 565, 557 ), /* 561 min */ + S_ST( 'e', 3, 563, 0 ), /* 562 mind */ + S_ST( 'p', 3, 564, 0 ), /* 563 minde */ + S_ST( 't', 3, 356, 0 ), /* 564 mindep */ + S_ST( 'i', 3, 566, 562 ), /* 565 mind */ + S_ST( 's', 3, 357, 0 ), /* 566 mindi */ + S_ST( 'i', 3, 568, 561 ), /* 567 min */ + S_ST( 'm', 3, 569, 0 ), /* 568 mini */ + S_ST( 'u', 3, 358, 0 ), /* 569 minim */ + S_ST( 'p', 3, 571, 567 ), /* 570 min */ + S_ST( 'o', 3, 572, 0 ), /* 571 minp */ + S_ST( 'l', 3, 359, 0 ), /* 572 minpo */ + S_ST( 's', 3, 574, 570 ), /* 573 min */ + S_ST( 'a', 3, 575, 0 ), /* 574 mins */ + S_ST( 'n', 3, 360, 0 ), /* 575 minsa */ + S_ST( 'o', 3, 578, 555 ), /* 576 m */ + S_ST( 'd', 3, 361, 0 ), /* 577 mo */ + S_ST( 'n', 3, 582, 577 ), /* 578 mo */ + S_ST( 'i', 3, 580, 0 ), /* 579 mon */ + S_ST( 't', 3, 581, 0 ), /* 580 moni */ + S_ST( 'o', 3, 363, 0 ), /* 581 monit */ + S_ST( 't', 3, 364, 579 ), /* 582 mon */ + S_ST( 'r', 3, 365, 576 ), /* 583 m */ + S_ST( 's', 3, 585, 583 ), /* 584 m */ + S_ST( 's', 3, 586, 0 ), /* 585 ms */ + S_ST( 'n', 3, 587, 0 ), /* 586 mss */ + S_ST( 't', 3, 333, 0 ), /* 587 mssn */ + S_ST( 'u', 3, 589, 584 ), /* 588 m */ + S_ST( 'l', 3, 590, 0 ), /* 589 mu */ + S_ST( 't', 3, 591, 0 ), /* 590 mul */ + S_ST( 'i', 3, 592, 0 ), /* 591 mult */ + S_ST( 'c', 3, 593, 0 ), /* 592 multi */ + S_ST( 'a', 3, 594, 0 ), /* 593 multic */ + S_ST( 's', 3, 595, 0 ), /* 594 multica */ + S_ST( 't', 3, 596, 0 ), /* 595 multicas */ + S_ST( 'c', 3, 597, 0 ), /* 596 multicast */ + S_ST( 'l', 3, 598, 0 ), /* 597 multicastc */ + S_ST( 'i', 3, 599, 0 ), /* 598 multicastcl */ + S_ST( 'e', 3, 600, 0 ), /* 599 multicastcli */ + S_ST( 'n', 3, 366, 0 ), /* 600 multicastclie */ + S_ST( 'n', 3, 648, 507 ), /* 601 */ + S_ST( 'i', 3, 367, 0 ), /* 602 n */ + S_ST( 'o', 3, 643, 602 ), /* 603 n */ + S_ST( 'e', 3, 605, 0 ), /* 604 no */ + S_ST( 'p', 3, 606, 0 ), /* 605 noe */ + S_ST( 'e', 3, 607, 0 ), /* 606 noep */ + S_ST( 'e', 3, 373, 0 ), /* 607 noepe */ + S_ST( 'l', 3, 609, 604 ), /* 608 no */ + S_ST( 'i', 3, 610, 0 ), /* 609 nol */ + S_ST( 'n', 3, 368, 0 ), /* 610 noli */ + S_ST( 'm', 3, 616, 608 ), /* 611 no */ + S_ST( 'o', 3, 613, 0 ), /* 612 nom */ + S_ST( 'd', 3, 614, 0 ), /* 613 nomo */ + S_ST( 'i', 3, 615, 0 ), /* 614 nomod */ + S_ST( 'f', 3, 369, 0 ), /* 615 nomodi */ + S_ST( 'r', 3, 617, 612 ), /* 616 nom */ + S_ST( 'u', 3, 618, 0 ), /* 617 nomr */ + S_ST( 'l', 3, 619, 0 ), /* 618 nomru */ + S_ST( 'i', 3, 620, 0 ), /* 619 nomrul */ + S_ST( 's', 3, 370, 0 ), /* 620 nomruli */ + S_ST( 'n', 3, 622, 611 ), /* 621 no */ + S_ST( 'v', 3, 623, 371 ), /* 622 non */ + S_ST( 'o', 3, 624, 0 ), /* 623 nonv */ + S_ST( 'l', 3, 625, 0 ), /* 624 nonvo */ + S_ST( 'a', 3, 626, 0 ), /* 625 nonvol */ + S_ST( 't', 3, 627, 0 ), /* 626 nonvola */ + S_ST( 'i', 3, 628, 0 ), /* 627 nonvolat */ + S_ST( 'l', 3, 372, 0 ), /* 628 nonvolati */ + S_ST( 'p', 3, 630, 621 ), /* 629 no */ + S_ST( 'e', 3, 631, 0 ), /* 630 nop */ + S_ST( 'e', 3, 374, 0 ), /* 631 nope */ + S_ST( 'q', 3, 633, 629 ), /* 632 no */ + S_ST( 'u', 3, 634, 0 ), /* 633 noq */ + S_ST( 'e', 3, 635, 0 ), /* 634 noqu */ + S_ST( 'r', 3, 375, 0 ), /* 635 noque */ + S_ST( 's', 3, 637, 632 ), /* 636 no */ + S_ST( 'e', 3, 641, 0 ), /* 637 nos */ + S_ST( 'l', 3, 639, 0 ), /* 638 nose */ + S_ST( 'e', 3, 640, 0 ), /* 639 nosel */ + S_ST( 'c', 3, 376, 0 ), /* 640 nosele */ + S_ST( 'r', 3, 642, 638 ), /* 641 nose */ + S_ST( 'v', 3, 377, 0 ), /* 642 noser */ + S_ST( 't', 3, 644, 636 ), /* 643 no */ + S_ST( 'r', 3, 646, 0 ), /* 644 not */ + S_ST( 'a', 3, 378, 0 ), /* 645 notr */ + S_ST( 'u', 3, 647, 645 ), /* 646 notr */ + S_ST( 's', 3, 379, 0 ), /* 647 notru */ + S_ST( 't', 3, 380, 603 ), /* 648 n */ + S_ST( 'p', 3, 650, 0 ), /* 649 ntp */ + S_ST( 'o', 3, 651, 0 ), /* 650 ntpp */ + S_ST( 'r', 3, 381, 0 ), /* 651 ntppo */ + S_ST( 's', 3, 653, 649 ), /* 652 ntp */ + S_ST( 'i', 3, 654, 0 ), /* 653 ntps */ + S_ST( 'g', 3, 655, 0 ), /* 654 ntpsi */ + S_ST( 'n', 3, 656, 0 ), /* 655 ntpsig */ + S_ST( 'd', 3, 657, 0 ), /* 656 ntpsign */ + S_ST( 's', 3, 658, 0 ), /* 657 ntpsignd */ + S_ST( 'o', 3, 659, 0 ), /* 658 ntpsignds */ + S_ST( 'c', 3, 660, 0 ), /* 659 ntpsigndso */ + S_ST( 'k', 3, 661, 0 ), /* 660 ntpsigndsoc */ + S_ST( 'e', 3, 382, 0 ), /* 661 ntpsigndsock */ + S_ST( 'o', 3, 663, 601 ), /* 662 */ + S_ST( 'r', 3, 664, 0 ), /* 663 o */ + S_ST( 'p', 3, 665, 0 ), /* 664 or */ + S_ST( 'h', 3, 666, 0 ), /* 665 orp */ + S_ST( 'a', 3, 383, 0 ), /* 666 orph */ + S_ST( 'w', 3, 668, 0 ), /* 667 orphan */ + S_ST( 'a', 3, 669, 0 ), /* 668 orphanw */ + S_ST( 'i', 3, 384, 0 ), /* 669 orphanwa */ + S_ST( 'p', 3, 397, 662 ), /* 670 */ + S_ST( 'a', 3, 672, 0 ), /* 671 p */ + S_ST( 'n', 3, 673, 0 ), /* 672 pa */ + S_ST( 'i', 3, 386, 0 ), /* 673 pan */ + S_ST( 'e', 3, 675, 671 ), /* 674 p */ + S_ST( 'e', 3, 387, 0 ), /* 675 pe */ + S_ST( '_', 3, 677, 0 ), /* 676 peer */ + S_ST( 'c', 3, 678, 0 ), /* 677 peer_ */ + S_ST( 'l', 3, 679, 0 ), /* 678 peer_c */ + S_ST( 'e', 3, 680, 0 ), /* 679 peer_cl */ + S_ST( 'a', 3, 681, 0 ), /* 680 peer_cle */ + S_ST( 'r', 3, 682, 0 ), /* 681 peer_clea */ + S_ST( '_', 3, 683, 0 ), /* 682 peer_clear */ + S_ST( 'd', 3, 684, 0 ), /* 683 peer_clear_ */ + S_ST( 'i', 3, 685, 0 ), /* 684 peer_clear_d */ + S_ST( 'g', 3, 686, 0 ), /* 685 peer_clear_di */ + S_ST( 'e', 3, 687, 0 ), /* 686 peer_clear_dig */ + S_ST( 's', 3, 688, 0 ), /* 687 peer_clear_dige */ + S_ST( 't', 3, 689, 0 ), /* 688 peer_clear_diges */ + S_ST( '_', 3, 690, 0 ), /* 689 peer_clear_digest */ + S_ST( 'e', 3, 691, 0 ), /* 690 peer_clear_digest_ */ + S_ST( 'a', 3, 692, 0 ), /* 691 peer_clear_digest_e */ + S_ST( 'r', 3, 693, 0 ), /* 692 peer_clear_digest_ea */ + S_ST( 'l', 3, 385, 0 ), /* 693 peer_clear_digest_ear */ + S_ST( 's', 3, 695, 676 ), /* 694 peer */ + S_ST( 't', 3, 696, 0 ), /* 695 peers */ + S_ST( 'a', 3, 697, 0 ), /* 696 peerst */ + S_ST( 't', 3, 388, 0 ), /* 697 peersta */ + S_ST( 'h', 3, 699, 674 ), /* 698 p */ + S_ST( 'o', 3, 700, 0 ), /* 699 ph */ + S_ST( 'n', 3, 389, 0 ), /* 700 pho */ + S_ST( 'i', 3, 390, 698 ), /* 701 p */ + S_ST( 'f', 3, 703, 0 ), /* 702 pid */ + S_ST( 'i', 3, 704, 0 ), /* 703 pidf */ + S_ST( 'l', 3, 391, 0 ), /* 704 pidfi */ + S_ST( 'o', 3, 707, 701 ), /* 705 p */ + S_ST( 'o', 3, 392, 0 ), /* 706 po */ + S_ST( 'r', 3, 393, 706 ), /* 707 po */ + S_ST( 'r', 3, 715, 705 ), /* 708 p */ + S_ST( 'e', 3, 713, 0 ), /* 709 pr */ + S_ST( 'e', 3, 711, 0 ), /* 710 pre */ + S_ST( 'm', 3, 712, 0 ), /* 711 pree */ + S_ST( 'p', 3, 394, 0 ), /* 712 preem */ + S_ST( 'f', 3, 714, 710 ), /* 713 pre */ + S_ST( 'e', 3, 395, 0 ), /* 714 pref */ + S_ST( 'o', 3, 728, 709 ), /* 715 pr */ + S_ST( 'c', 3, 717, 0 ), /* 716 pro */ + S_ST( '_', 3, 718, 0 ), /* 717 proc */ + S_ST( 'd', 3, 719, 0 ), /* 718 proc_ */ + S_ST( 'e', 3, 720, 0 ), /* 719 proc_d */ + S_ST( 'l', 3, 721, 0 ), /* 720 proc_de */ + S_ST( 'a', 3, 457, 0 ), /* 721 proc_del */ + S_ST( 'p', 3, 723, 716 ), /* 722 pro */ + S_ST( '_', 3, 724, 0 ), /* 723 prop */ + S_ST( 'd', 3, 725, 0 ), /* 724 prop_ */ + S_ST( 'e', 3, 726, 0 ), /* 725 prop_d */ + S_ST( 'l', 3, 727, 0 ), /* 726 prop_de */ + S_ST( 'a', 3, 456, 0 ), /* 727 prop_del */ + S_ST( 't', 3, 729, 722 ), /* 728 pro */ + S_ST( 'o', 3, 730, 0 ), /* 729 prot */ + S_ST( 's', 3, 731, 0 ), /* 730 proto */ + S_ST( 't', 3, 732, 0 ), /* 731 protos */ + S_ST( 'a', 3, 733, 0 ), /* 732 protost */ + S_ST( 't', 3, 396, 0 ), /* 733 protosta */ + S_ST( 'r', 3, 765, 670 ), /* 734 */ + S_ST( 'a', 3, 741, 0 ), /* 735 r */ + S_ST( 'n', 3, 737, 0 ), /* 736 ra */ + S_ST( 'd', 3, 738, 0 ), /* 737 ran */ + S_ST( 'f', 3, 739, 0 ), /* 738 rand */ + S_ST( 'i', 3, 740, 0 ), /* 739 randf */ + S_ST( 'l', 3, 398, 0 ), /* 740 randfi */ + S_ST( 'w', 3, 742, 736 ), /* 741 ra */ + S_ST( 's', 3, 743, 0 ), /* 742 raw */ + S_ST( 't', 3, 744, 0 ), /* 743 raws */ + S_ST( 'a', 3, 745, 0 ), /* 744 rawst */ + S_ST( 't', 3, 399, 0 ), /* 745 rawsta */ + S_ST( 'e', 3, 762, 735 ), /* 746 r */ + S_ST( 'f', 3, 748, 0 ), /* 747 re */ + S_ST( 'i', 3, 400, 0 ), /* 748 ref */ + S_ST( 'q', 3, 750, 747 ), /* 749 re */ + S_ST( 'u', 3, 751, 0 ), /* 750 req */ + S_ST( 'e', 3, 752, 0 ), /* 751 requ */ + S_ST( 's', 3, 753, 0 ), /* 752 reque */ + S_ST( 't', 3, 754, 0 ), /* 753 reques */ + S_ST( 'k', 3, 755, 0 ), /* 754 request */ + S_ST( 'e', 3, 401, 0 ), /* 755 requestk */ + S_ST( 's', 3, 758, 749 ), /* 756 re */ + S_ST( 'e', 3, 402, 0 ), /* 757 res */ + S_ST( 't', 3, 759, 757 ), /* 758 res */ + S_ST( 'r', 3, 760, 0 ), /* 759 rest */ + S_ST( 'i', 3, 761, 0 ), /* 760 restr */ + S_ST( 'c', 3, 403, 0 ), /* 761 restri */ + S_ST( 'v', 3, 763, 756 ), /* 762 re */ + S_ST( 'o', 3, 764, 0 ), /* 763 rev */ + S_ST( 'k', 3, 404, 0 ), /* 764 revo */ + S_ST( 'l', 3, 766, 746 ), /* 765 r */ + S_ST( 'i', 3, 767, 0 ), /* 766 rl */ + S_ST( 'm', 3, 768, 0 ), /* 767 rli */ + S_ST( 'i', 3, 405, 0 ), /* 768 rlim */ + S_ST( 's', 3, 842, 734 ), /* 769 */ + S_ST( 'a', 3, 771, 0 ), /* 770 s */ + S_ST( 'v', 3, 772, 0 ), /* 771 sa */ + S_ST( 'e', 3, 773, 0 ), /* 772 sav */ + S_ST( 'c', 3, 774, 0 ), /* 773 save */ + S_ST( 'o', 3, 775, 0 ), /* 774 savec */ + S_ST( 'n', 3, 776, 0 ), /* 775 saveco */ + S_ST( 'f', 3, 777, 0 ), /* 776 savecon */ + S_ST( 'i', 3, 778, 0 ), /* 777 saveconf */ + S_ST( 'g', 3, 779, 0 ), /* 778 saveconfi */ + S_ST( 'd', 3, 780, 0 ), /* 779 saveconfig */ + S_ST( 'i', 3, 406, 0 ), /* 780 saveconfigd */ + S_ST( 'e', 3, 791, 770 ), /* 781 s */ + S_ST( 'r', 3, 783, 0 ), /* 782 se */ + S_ST( 'v', 3, 784, 0 ), /* 783 ser */ + S_ST( 'e', 3, 407, 0 ), /* 784 serv */ + S_ST( '_', 3, 786, 0 ), /* 785 server */ + S_ST( 'o', 3, 787, 0 ), /* 786 server_ */ + S_ST( 'f', 3, 788, 0 ), /* 787 server_o */ + S_ST( 'f', 3, 789, 0 ), /* 788 server_of */ + S_ST( 's', 3, 790, 0 ), /* 789 server_off */ + S_ST( 'e', 3, 451, 0 ), /* 790 server_offs */ + S_ST( 't', 3, 792, 782 ), /* 791 se */ + S_ST( 'v', 3, 793, 0 ), /* 792 set */ + S_ST( 'a', 3, 408, 0 ), /* 793 setv */ + S_ST( 'i', 3, 795, 781 ), /* 794 s */ + S_ST( 'm', 3, 796, 0 ), /* 795 si */ + S_ST( 'u', 3, 797, 0 ), /* 796 sim */ + S_ST( 'l', 3, 798, 0 ), /* 797 simu */ + S_ST( 'a', 3, 799, 0 ), /* 798 simul */ + S_ST( 't', 3, 800, 0 ), /* 799 simula */ + S_ST( 'i', 3, 801, 448 ), /* 800 simulat */ + S_ST( 'o', 3, 802, 0 ), /* 801 simulati */ + S_ST( 'n', 3, 803, 0 ), /* 802 simulatio */ + S_ST( '_', 3, 804, 0 ), /* 803 simulation */ + S_ST( 'd', 3, 805, 0 ), /* 804 simulation_ */ + S_ST( 'u', 3, 806, 0 ), /* 805 simulation_d */ + S_ST( 'r', 3, 807, 0 ), /* 806 simulation_du */ + S_ST( 'a', 3, 808, 0 ), /* 807 simulation_dur */ + S_ST( 't', 3, 809, 0 ), /* 808 simulation_dura */ + S_ST( 'i', 3, 810, 0 ), /* 809 simulation_durat */ + S_ST( 'o', 3, 450, 0 ), /* 810 simulation_durati */ + S_ST( 'o', 3, 812, 794 ), /* 811 s */ + S_ST( 'u', 3, 813, 0 ), /* 812 so */ + S_ST( 'r', 3, 814, 0 ), /* 813 sou */ + S_ST( 'c', 3, 409, 0 ), /* 814 sour */ + S_ST( 't', 3, 838, 811 ), /* 815 s */ + S_ST( 'a', 3, 822, 0 ), /* 816 st */ + S_ST( 'c', 3, 818, 0 ), /* 817 sta */ + S_ST( 'k', 3, 819, 0 ), /* 818 stac */ + S_ST( 's', 3, 820, 0 ), /* 819 stack */ + S_ST( 'i', 3, 821, 0 ), /* 820 stacks */ + S_ST( 'z', 3, 410, 0 ), /* 821 stacksi */ + S_ST( 't', 3, 412, 817 ), /* 822 sta */ + S_ST( 'i', 3, 824, 0 ), /* 823 stat */ + S_ST( 's', 3, 825, 0 ), /* 824 stati */ + S_ST( 't', 3, 826, 0 ), /* 825 statis */ + S_ST( 'i', 3, 827, 0 ), /* 826 statist */ + S_ST( 'c', 3, 411, 0 ), /* 827 statisti */ + S_ST( 'd', 3, 829, 0 ), /* 828 stats */ + S_ST( 'i', 3, 413, 0 ), /* 829 statsd */ + S_ST( 'e', 3, 414, 816 ), /* 830 st */ + S_ST( 'b', 3, 832, 0 ), /* 831 step */ + S_ST( 'a', 3, 833, 0 ), /* 832 stepb */ + S_ST( 'c', 3, 415, 0 ), /* 833 stepba */ + S_ST( 'f', 3, 835, 831 ), /* 834 step */ + S_ST( 'w', 3, 416, 0 ), /* 835 stepf */ + S_ST( 'o', 3, 837, 834 ), /* 836 step */ + S_ST( 'u', 3, 417, 0 ), /* 837 stepo */ + S_ST( 'r', 3, 839, 830 ), /* 838 st */ + S_ST( 'a', 3, 840, 0 ), /* 839 str */ + S_ST( 't', 3, 841, 0 ), /* 840 stra */ + S_ST( 'u', 3, 418, 0 ), /* 841 strat */ + S_ST( 'y', 3, 420, 815 ), /* 842 s */ + S_ST( 's', 3, 844, 0 ), /* 843 sys */ + S_ST( 't', 3, 845, 0 ), /* 844 syss */ + S_ST( 'a', 3, 846, 0 ), /* 845 sysst */ + S_ST( 't', 3, 421, 0 ), /* 846 syssta */ + S_ST( 't', 3, 873, 769 ), /* 847 */ + S_ST( 'i', 3, 859, 0 ), /* 848 t */ + S_ST( 'c', 3, 422, 0 ), /* 849 ti */ + S_ST( 'm', 3, 852, 849 ), /* 850 ti */ + S_ST( 'e', 3, 425, 0 ), /* 851 tim */ + S_ST( 'i', 3, 853, 851 ), /* 852 tim */ + S_ST( 'n', 3, 854, 0 ), /* 853 timi */ + S_ST( 'g', 3, 855, 0 ), /* 854 timin */ + S_ST( 's', 3, 856, 0 ), /* 855 timing */ + S_ST( 't', 3, 857, 0 ), /* 856 timings */ + S_ST( 'a', 3, 858, 0 ), /* 857 timingst */ + S_ST( 't', 3, 426, 0 ), /* 858 timingsta */ + S_ST( 'n', 3, 860, 850 ), /* 859 ti */ + S_ST( 'k', 3, 861, 0 ), /* 860 tin */ + S_ST( 'e', 3, 427, 0 ), /* 861 tink */ + S_ST( 'o', 3, 428, 848 ), /* 862 t */ + S_ST( 'r', 3, 865, 862 ), /* 863 t */ + S_ST( 'a', 3, 429, 0 ), /* 864 tr */ + S_ST( 'u', 3, 866, 864 ), /* 865 tr */ + S_ST( 's', 3, 867, 430 ), /* 866 tru */ + S_ST( 't', 3, 868, 0 ), /* 867 trus */ + S_ST( 'e', 3, 869, 0 ), /* 868 trust */ + S_ST( 'd', 3, 870, 0 ), /* 869 truste */ + S_ST( 'k', 3, 871, 0 ), /* 870 trusted */ + S_ST( 'e', 3, 431, 0 ), /* 871 trustedk */ + S_ST( 't', 3, 432, 863 ), /* 872 t */ + S_ST( 'y', 3, 874, 872 ), /* 873 t */ + S_ST( 'p', 3, 433, 0 ), /* 874 ty */ + S_ST( 'u', 3, 876, 847 ), /* 875 */ + S_ST( 'n', 3, 882, 0 ), /* 876 u */ + S_ST( 'c', 3, 878, 0 ), /* 877 un */ + S_ST( 'o', 3, 879, 0 ), /* 878 unc */ + S_ST( 'n', 3, 880, 0 ), /* 879 unco */ + S_ST( 'f', 3, 881, 0 ), /* 880 uncon */ + S_ST( 'i', 3, 438, 0 ), /* 881 unconf */ + S_ST( 'p', 3, 883, 877 ), /* 882 un */ + S_ST( 'e', 3, 884, 0 ), /* 883 unp */ + S_ST( 'e', 3, 439, 0 ), /* 884 unpe */ + S_ST( '_', 3, 905, 0 ), /* 885 unpeer */ + S_ST( 'c', 3, 887, 0 ), /* 886 unpeer_ */ + S_ST( 'r', 3, 888, 0 ), /* 887 unpeer_c */ + S_ST( 'y', 3, 889, 0 ), /* 888 unpeer_cr */ + S_ST( 'p', 3, 890, 0 ), /* 889 unpeer_cry */ + S_ST( 't', 3, 891, 0 ), /* 890 unpeer_cryp */ + S_ST( 'o', 3, 892, 0 ), /* 891 unpeer_crypt */ + S_ST( '_', 3, 897, 0 ), /* 892 unpeer_crypto */ + S_ST( 'e', 3, 894, 0 ), /* 893 unpeer_crypto_ */ + S_ST( 'a', 3, 895, 0 ), /* 894 unpeer_crypto_e */ + S_ST( 'r', 3, 896, 0 ), /* 895 unpeer_crypto_ea */ + S_ST( 'l', 3, 435, 0 ), /* 896 unpeer_crypto_ear */ + S_ST( 'n', 3, 898, 893 ), /* 897 unpeer_crypto_ */ + S_ST( 'a', 3, 899, 0 ), /* 898 unpeer_crypto_n */ + S_ST( 'k', 3, 900, 0 ), /* 899 unpeer_crypto_na */ + S_ST( '_', 3, 901, 0 ), /* 900 unpeer_crypto_nak */ + S_ST( 'e', 3, 902, 0 ), /* 901 unpeer_crypto_nak_ */ + S_ST( 'a', 3, 903, 0 ), /* 902 unpeer_crypto_nak_e */ + S_ST( 'r', 3, 904, 0 ), /* 903 unpeer_crypto_nak_ea */ + S_ST( 'l', 3, 436, 0 ), /* 904 unpeer_crypto_nak_ear */ + S_ST( 'd', 3, 906, 886 ), /* 905 unpeer_ */ + S_ST( 'i', 3, 907, 0 ), /* 906 unpeer_d */ + S_ST( 'g', 3, 908, 0 ), /* 907 unpeer_di */ + S_ST( 'e', 3, 909, 0 ), /* 908 unpeer_dig */ + S_ST( 's', 3, 910, 0 ), /* 909 unpeer_dige */ + S_ST( 't', 3, 911, 0 ), /* 910 unpeer_diges */ + S_ST( '_', 3, 912, 0 ), /* 911 unpeer_digest */ + S_ST( 'e', 3, 913, 0 ), /* 912 unpeer_digest_ */ + S_ST( 'a', 3, 914, 0 ), /* 913 unpeer_digest_e */ + S_ST( 'r', 3, 915, 0 ), /* 914 unpeer_digest_ea */ + S_ST( 'l', 3, 437, 0 ), /* 915 unpeer_digest_ear */ + S_ST( 'v', 3, 917, 875 ), /* 916 */ + S_ST( 'e', 3, 918, 0 ), /* 917 v */ + S_ST( 'r', 3, 919, 0 ), /* 918 ve */ + S_ST( 's', 3, 920, 0 ), /* 919 ver */ + S_ST( 'i', 3, 921, 0 ), /* 920 vers */ + S_ST( 'o', 3, 440, 0 ), /* 921 versi */ + S_ST( 'w', 3, 929, 916 ), /* 922 */ + S_ST( 'a', 3, 924, 0 ), /* 923 w */ + S_ST( 'n', 3, 925, 0 ), /* 924 wa */ + S_ST( 'd', 3, 926, 0 ), /* 925 wan */ + S_ST( 'e', 3, 454, 0 ), /* 926 wand */ + S_ST( 'e', 3, 928, 923 ), /* 927 w */ + S_ST( 'e', 3, 442, 0 ), /* 928 we */ + S_ST( 'i', 3, 930, 927 ), /* 929 w */ + S_ST( 'l', 3, 931, 0 ), /* 930 wi */ + S_ST( 'd', 3, 932, 0 ), /* 931 wil */ + S_ST( 'c', 3, 933, 0 ), /* 932 wild */ + S_ST( 'a', 3, 934, 0 ), /* 933 wildc */ + S_ST( 'r', 3, 443, 0 ), /* 934 wildca */ + S_ST( 'x', 3, 936, 922 ), /* 935 */ + S_ST( 'l', 3, 937, 0 ), /* 936 x */ + S_ST( 'e', 3, 938, 0 ), /* 937 xl */ + S_ST( 'a', 3, 939, 0 ), /* 938 xle */ + S_ST( 'v', 3, 444, 0 ), /* 939 xlea */ + S_ST( 'y', 3, 941, 935 ), /* 940 [initial state] */ + S_ST( 'e', 3, 942, 0 ), /* 941 y */ + S_ST( 'a', 3, 445, 0 ) /* 942 ye */ }; diff --git a/contrib/ntp/ntpd/ntp_leapsec.c b/contrib/ntp/ntpd/ntp_leapsec.c index 7a652f5..95a0673 100644 --- a/contrib/ntp/ntpd/ntp_leapsec.c +++ b/contrib/ntp/ntpd/ntp_leapsec.c @@ -743,14 +743,24 @@ add_range( const leap_info_t * pi) { /* If the table is full, make room by throwing out the oldest - * entry. But remember the accumulated leap seconds! Likewise, - * assume a positive leap insertion if this is the first entry - * in the table. This is not necessarily the best of all ideas, - * but it helps a great deal if a system does not have a leap - * table and gets updated from an upstream server. + * entry. But remember the accumulated leap seconds! + * + * Setting the first entry is a bit tricky, too: Simply assuming + * it is an insertion is wrong if the first entry is a dynamic + * leap second removal. So we decide on the sign -- if the first + * entry has a negative offset, we assume that it is a leap + * second removal. In both cases the table base offset is set + * accordingly to reflect the decision. + * + * In practice starting with a removal can only happen if the + * first entry is a dynamic request without having a leap file + * for the history proper. */ if (pt->head.size == 0) { - pt->head.base_tai = pi->taiof - 1; + if (pi->taiof >= 0) + pt->head.base_tai = pi->taiof - 1; + else + pt->head.base_tai = pi->taiof + 1; } else if (pt->head.size >= MAX_HIST) { pt->head.size = MAX_HIST - 1; pt->head.base_tai = pt->info[pt->head.size].taiof; diff --git a/contrib/ntp/ntpd/ntp_parser.c b/contrib/ntp/ntpd/ntp_parser.c index 7114a65..782019c 100644 --- a/contrib/ntp/ntpd/ntp_parser.c +++ b/contrib/ntp/ntpd/ntp_parser.c @@ -62,7 +62,7 @@ /* Copy the first part of user declarations. */ -#line 11 "ntp_parser.y" /* yacc.c:339 */ +#line 11 "../../ntpd/ntp_parser.y" /* yacc.c:339 */ #ifdef HAVE_CONFIG_H # include <config.h> @@ -116,8 +116,8 @@ /* In a future release of Bison, this section will be replaced by #include "y.tab.h". */ -#ifndef YY_YY_Y_TAB_H_INCLUDED -# define YY_YY_Y_TAB_H_INCLUDED +#ifndef YY_YY_NTP_PARSER_H_INCLUDED +# define YY_YY_NTP_PARSER_H_INCLUDED /* Debug traces. */ #ifndef YYDEBUG # define YYDEBUG 1 @@ -140,193 +140,197 @@ extern int yydebug; T_Autokey = 264, T_Automax = 265, T_Average = 266, - T_Bclient = 267, - T_Bcpollbstep = 268, - T_Beacon = 269, - T_Broadcast = 270, - T_Broadcastclient = 271, - T_Broadcastdelay = 272, - T_Burst = 273, - T_Calibrate = 274, - T_Ceiling = 275, - T_Clockstats = 276, - T_Cohort = 277, - T_ControlKey = 278, - T_Crypto = 279, - T_Cryptostats = 280, - T_Ctl = 281, - T_Day = 282, - T_Default = 283, - T_Digest = 284, - T_Disable = 285, - T_Discard = 286, - T_Dispersion = 287, - T_Double = 288, - T_Driftfile = 289, - T_Drop = 290, - T_Dscp = 291, - T_Ellipsis = 292, - T_Enable = 293, - T_End = 294, - T_False = 295, - T_File = 296, - T_Filegen = 297, - T_Filenum = 298, - T_Flag1 = 299, - T_Flag2 = 300, - T_Flag3 = 301, - T_Flag4 = 302, - T_Flake = 303, - T_Floor = 304, - T_Freq = 305, - T_Fudge = 306, - T_Host = 307, - T_Huffpuff = 308, - T_Iburst = 309, - T_Ident = 310, - T_Ignore = 311, - T_Incalloc = 312, - T_Incmem = 313, - T_Initalloc = 314, - T_Initmem = 315, - T_Includefile = 316, - T_Integer = 317, - T_Interface = 318, - T_Intrange = 319, - T_Io = 320, - T_Ipv4 = 321, - T_Ipv4_flag = 322, - T_Ipv6 = 323, - T_Ipv6_flag = 324, - T_Kernel = 325, - T_Key = 326, - T_Keys = 327, - T_Keysdir = 328, - T_Kod = 329, - T_Mssntp = 330, - T_Leapfile = 331, - T_Leapsmearinterval = 332, - T_Limited = 333, - T_Link = 334, - T_Listen = 335, - T_Logconfig = 336, - T_Logfile = 337, - T_Loopstats = 338, - T_Lowpriotrap = 339, - T_Manycastclient = 340, - T_Manycastserver = 341, - T_Mask = 342, - T_Maxage = 343, - T_Maxclock = 344, - T_Maxdepth = 345, - T_Maxdist = 346, - T_Maxmem = 347, - T_Maxpoll = 348, - T_Mdnstries = 349, - T_Mem = 350, - T_Memlock = 351, - T_Minclock = 352, - T_Mindepth = 353, - T_Mindist = 354, - T_Minimum = 355, - T_Minpoll = 356, - T_Minsane = 357, - T_Mode = 358, - T_Mode7 = 359, - T_Monitor = 360, - T_Month = 361, - T_Mru = 362, - T_Multicastclient = 363, - T_Nic = 364, - T_Nolink = 365, - T_Nomodify = 366, - T_Nomrulist = 367, - T_None = 368, - T_Nonvolatile = 369, - T_Nopeer = 370, - T_Noquery = 371, - T_Noselect = 372, - T_Noserve = 373, - T_Notrap = 374, - T_Notrust = 375, - T_Ntp = 376, - T_Ntpport = 377, - T_NtpSignDsocket = 378, - T_Orphan = 379, - T_Orphanwait = 380, - T_PCEdigest = 381, - T_Panic = 382, - T_Peer = 383, - T_Peerstats = 384, - T_Phone = 385, - T_Pid = 386, - T_Pidfile = 387, - T_Pool = 388, - T_Port = 389, - T_Preempt = 390, - T_Prefer = 391, - T_Protostats = 392, - T_Pw = 393, - T_Randfile = 394, - T_Rawstats = 395, - T_Refid = 396, - T_Requestkey = 397, - T_Reset = 398, - T_Restrict = 399, - T_Revoke = 400, - T_Rlimit = 401, - T_Saveconfigdir = 402, - T_Server = 403, - T_Setvar = 404, - T_Source = 405, - T_Stacksize = 406, - T_Statistics = 407, - T_Stats = 408, - T_Statsdir = 409, - T_Step = 410, - T_Stepback = 411, - T_Stepfwd = 412, - T_Stepout = 413, - T_Stratum = 414, - T_String = 415, - T_Sys = 416, - T_Sysstats = 417, - T_Tick = 418, - T_Time1 = 419, - T_Time2 = 420, - T_Timer = 421, - T_Timingstats = 422, - T_Tinker = 423, - T_Tos = 424, - T_Trap = 425, - T_True = 426, - T_Trustedkey = 427, - T_Ttl = 428, - T_Type = 429, - T_U_int = 430, - T_UEcrypto = 431, - T_UEcryptonak = 432, - T_UEdigest = 433, - T_Unconfig = 434, - T_Unpeer = 435, - T_Version = 436, - T_WanderThreshold = 437, - T_Week = 438, - T_Wildcard = 439, - T_Xleave = 440, - T_Year = 441, - T_Flag = 442, - T_EOC = 443, - T_Simulate = 444, - T_Beep_Delay = 445, - T_Sim_Duration = 446, - T_Server_Offset = 447, - T_Duration = 448, - T_Freq_Offset = 449, - T_Wander = 450, - T_Jitter = 451, - T_Prop_Delay = 452, - T_Proc_Delay = 453 + T_Basedate = 267, + T_Bclient = 268, + T_Bcpollbstep = 269, + T_Beacon = 270, + T_Broadcast = 271, + T_Broadcastclient = 272, + T_Broadcastdelay = 273, + T_Burst = 274, + T_Calibrate = 275, + T_Ceiling = 276, + T_Clockstats = 277, + T_Cohort = 278, + T_ControlKey = 279, + T_Crypto = 280, + T_Cryptostats = 281, + T_Ctl = 282, + T_Day = 283, + T_Default = 284, + T_Digest = 285, + T_Disable = 286, + T_Discard = 287, + T_Dispersion = 288, + T_Double = 289, + T_Driftfile = 290, + T_Drop = 291, + T_Dscp = 292, + T_Ellipsis = 293, + T_Enable = 294, + T_End = 295, + T_Epeer = 296, + T_False = 297, + T_File = 298, + T_Filegen = 299, + T_Filenum = 300, + T_Flag1 = 301, + T_Flag2 = 302, + T_Flag3 = 303, + T_Flag4 = 304, + T_Flake = 305, + T_Floor = 306, + T_Freq = 307, + T_Fudge = 308, + T_Host = 309, + T_Huffpuff = 310, + T_Iburst = 311, + T_Ident = 312, + T_Ignore = 313, + T_Incalloc = 314, + T_Incmem = 315, + T_Initalloc = 316, + T_Initmem = 317, + T_Includefile = 318, + T_Integer = 319, + T_Interface = 320, + T_Intrange = 321, + T_Io = 322, + T_Ippeerlimit = 323, + T_Ipv4 = 324, + T_Ipv4_flag = 325, + T_Ipv6 = 326, + T_Ipv6_flag = 327, + T_Kernel = 328, + T_Key = 329, + T_Keys = 330, + T_Keysdir = 331, + T_Kod = 332, + T_Mssntp = 333, + T_Leapfile = 334, + T_Leapsmearinterval = 335, + T_Limited = 336, + T_Link = 337, + T_Listen = 338, + T_Logconfig = 339, + T_Logfile = 340, + T_Loopstats = 341, + T_Lowpriotrap = 342, + T_Manycastclient = 343, + T_Manycastserver = 344, + T_Mask = 345, + T_Maxage = 346, + T_Maxclock = 347, + T_Maxdepth = 348, + T_Maxdist = 349, + T_Maxmem = 350, + T_Maxpoll = 351, + T_Mdnstries = 352, + T_Mem = 353, + T_Memlock = 354, + T_Minclock = 355, + T_Mindepth = 356, + T_Mindist = 357, + T_Minimum = 358, + T_Minpoll = 359, + T_Minsane = 360, + T_Mode = 361, + T_Mode7 = 362, + T_Monitor = 363, + T_Month = 364, + T_Mru = 365, + T_Multicastclient = 366, + T_Nic = 367, + T_Nolink = 368, + T_Nomodify = 369, + T_Nomrulist = 370, + T_None = 371, + T_Nonvolatile = 372, + T_Noepeer = 373, + T_Nopeer = 374, + T_Noquery = 375, + T_Noselect = 376, + T_Noserve = 377, + T_Notrap = 378, + T_Notrust = 379, + T_Ntp = 380, + T_Ntpport = 381, + T_NtpSignDsocket = 382, + T_Orphan = 383, + T_Orphanwait = 384, + T_PCEdigest = 385, + T_Panic = 386, + T_Peer = 387, + T_Peerstats = 388, + T_Phone = 389, + T_Pid = 390, + T_Pidfile = 391, + T_Pool = 392, + T_Port = 393, + T_Preempt = 394, + T_Prefer = 395, + T_Protostats = 396, + T_Pw = 397, + T_Randfile = 398, + T_Rawstats = 399, + T_Refid = 400, + T_Requestkey = 401, + T_Reset = 402, + T_Restrict = 403, + T_Revoke = 404, + T_Rlimit = 405, + T_Saveconfigdir = 406, + T_Server = 407, + T_Setvar = 408, + T_Source = 409, + T_Stacksize = 410, + T_Statistics = 411, + T_Stats = 412, + T_Statsdir = 413, + T_Step = 414, + T_Stepback = 415, + T_Stepfwd = 416, + T_Stepout = 417, + T_Stratum = 418, + T_String = 419, + T_Sys = 420, + T_Sysstats = 421, + T_Tick = 422, + T_Time1 = 423, + T_Time2 = 424, + T_Timer = 425, + T_Timingstats = 426, + T_Tinker = 427, + T_Tos = 428, + T_Trap = 429, + T_True = 430, + T_Trustedkey = 431, + T_Ttl = 432, + T_Type = 433, + T_U_int = 434, + T_UEcrypto = 435, + T_UEcryptonak = 436, + T_UEdigest = 437, + T_Unconfig = 438, + T_Unpeer = 439, + T_Version = 440, + T_WanderThreshold = 441, + T_Week = 442, + T_Wildcard = 443, + T_Xleave = 444, + T_Year = 445, + T_Flag = 446, + T_EOC = 447, + T_Simulate = 448, + T_Beep_Delay = 449, + T_Sim_Duration = 450, + T_Server_Offset = 451, + T_Duration = 452, + T_Freq_Offset = 453, + T_Wander = 454, + T_Jitter = 455, + T_Prop_Delay = 456, + T_Proc_Delay = 457 }; #endif /* Tokens. */ @@ -339,200 +343,204 @@ extern int yydebug; #define T_Autokey 264 #define T_Automax 265 #define T_Average 266 -#define T_Bclient 267 -#define T_Bcpollbstep 268 -#define T_Beacon 269 -#define T_Broadcast 270 -#define T_Broadcastclient 271 -#define T_Broadcastdelay 272 -#define T_Burst 273 -#define T_Calibrate 274 -#define T_Ceiling 275 -#define T_Clockstats 276 -#define T_Cohort 277 -#define T_ControlKey 278 -#define T_Crypto 279 -#define T_Cryptostats 280 -#define T_Ctl 281 -#define T_Day 282 -#define T_Default 283 -#define T_Digest 284 -#define T_Disable 285 -#define T_Discard 286 -#define T_Dispersion 287 -#define T_Double 288 -#define T_Driftfile 289 -#define T_Drop 290 -#define T_Dscp 291 -#define T_Ellipsis 292 -#define T_Enable 293 -#define T_End 294 -#define T_False 295 -#define T_File 296 -#define T_Filegen 297 -#define T_Filenum 298 -#define T_Flag1 299 -#define T_Flag2 300 -#define T_Flag3 301 -#define T_Flag4 302 -#define T_Flake 303 -#define T_Floor 304 -#define T_Freq 305 -#define T_Fudge 306 -#define T_Host 307 -#define T_Huffpuff 308 -#define T_Iburst 309 -#define T_Ident 310 -#define T_Ignore 311 -#define T_Incalloc 312 -#define T_Incmem 313 -#define T_Initalloc 314 -#define T_Initmem 315 -#define T_Includefile 316 -#define T_Integer 317 -#define T_Interface 318 -#define T_Intrange 319 -#define T_Io 320 -#define T_Ipv4 321 -#define T_Ipv4_flag 322 -#define T_Ipv6 323 -#define T_Ipv6_flag 324 -#define T_Kernel 325 -#define T_Key 326 -#define T_Keys 327 -#define T_Keysdir 328 -#define T_Kod 329 -#define T_Mssntp 330 -#define T_Leapfile 331 -#define T_Leapsmearinterval 332 -#define T_Limited 333 -#define T_Link 334 -#define T_Listen 335 -#define T_Logconfig 336 -#define T_Logfile 337 -#define T_Loopstats 338 -#define T_Lowpriotrap 339 -#define T_Manycastclient 340 -#define T_Manycastserver 341 -#define T_Mask 342 -#define T_Maxage 343 -#define T_Maxclock 344 -#define T_Maxdepth 345 -#define T_Maxdist 346 -#define T_Maxmem 347 -#define T_Maxpoll 348 -#define T_Mdnstries 349 -#define T_Mem 350 -#define T_Memlock 351 -#define T_Minclock 352 -#define T_Mindepth 353 -#define T_Mindist 354 -#define T_Minimum 355 -#define T_Minpoll 356 -#define T_Minsane 357 -#define T_Mode 358 -#define T_Mode7 359 -#define T_Monitor 360 -#define T_Month 361 -#define T_Mru 362 -#define T_Multicastclient 363 -#define T_Nic 364 -#define T_Nolink 365 -#define T_Nomodify 366 -#define T_Nomrulist 367 -#define T_None 368 -#define T_Nonvolatile 369 -#define T_Nopeer 370 -#define T_Noquery 371 -#define T_Noselect 372 -#define T_Noserve 373 -#define T_Notrap 374 -#define T_Notrust 375 -#define T_Ntp 376 -#define T_Ntpport 377 -#define T_NtpSignDsocket 378 -#define T_Orphan 379 -#define T_Orphanwait 380 -#define T_PCEdigest 381 -#define T_Panic 382 -#define T_Peer 383 -#define T_Peerstats 384 -#define T_Phone 385 -#define T_Pid 386 -#define T_Pidfile 387 -#define T_Pool 388 -#define T_Port 389 -#define T_Preempt 390 -#define T_Prefer 391 -#define T_Protostats 392 -#define T_Pw 393 -#define T_Randfile 394 -#define T_Rawstats 395 -#define T_Refid 396 -#define T_Requestkey 397 -#define T_Reset 398 -#define T_Restrict 399 -#define T_Revoke 400 -#define T_Rlimit 401 -#define T_Saveconfigdir 402 -#define T_Server 403 -#define T_Setvar 404 -#define T_Source 405 -#define T_Stacksize 406 -#define T_Statistics 407 -#define T_Stats 408 -#define T_Statsdir 409 -#define T_Step 410 -#define T_Stepback 411 -#define T_Stepfwd 412 -#define T_Stepout 413 -#define T_Stratum 414 -#define T_String 415 -#define T_Sys 416 -#define T_Sysstats 417 -#define T_Tick 418 -#define T_Time1 419 -#define T_Time2 420 -#define T_Timer 421 -#define T_Timingstats 422 -#define T_Tinker 423 -#define T_Tos 424 -#define T_Trap 425 -#define T_True 426 -#define T_Trustedkey 427 -#define T_Ttl 428 -#define T_Type 429 -#define T_U_int 430 -#define T_UEcrypto 431 -#define T_UEcryptonak 432 -#define T_UEdigest 433 -#define T_Unconfig 434 -#define T_Unpeer 435 -#define T_Version 436 -#define T_WanderThreshold 437 -#define T_Week 438 -#define T_Wildcard 439 -#define T_Xleave 440 -#define T_Year 441 -#define T_Flag 442 -#define T_EOC 443 -#define T_Simulate 444 -#define T_Beep_Delay 445 -#define T_Sim_Duration 446 -#define T_Server_Offset 447 -#define T_Duration 448 -#define T_Freq_Offset 449 -#define T_Wander 450 -#define T_Jitter 451 -#define T_Prop_Delay 452 -#define T_Proc_Delay 453 +#define T_Basedate 267 +#define T_Bclient 268 +#define T_Bcpollbstep 269 +#define T_Beacon 270 +#define T_Broadcast 271 +#define T_Broadcastclient 272 +#define T_Broadcastdelay 273 +#define T_Burst 274 +#define T_Calibrate 275 +#define T_Ceiling 276 +#define T_Clockstats 277 +#define T_Cohort 278 +#define T_ControlKey 279 +#define T_Crypto 280 +#define T_Cryptostats 281 +#define T_Ctl 282 +#define T_Day 283 +#define T_Default 284 +#define T_Digest 285 +#define T_Disable 286 +#define T_Discard 287 +#define T_Dispersion 288 +#define T_Double 289 +#define T_Driftfile 290 +#define T_Drop 291 +#define T_Dscp 292 +#define T_Ellipsis 293 +#define T_Enable 294 +#define T_End 295 +#define T_Epeer 296 +#define T_False 297 +#define T_File 298 +#define T_Filegen 299 +#define T_Filenum 300 +#define T_Flag1 301 +#define T_Flag2 302 +#define T_Flag3 303 +#define T_Flag4 304 +#define T_Flake 305 +#define T_Floor 306 +#define T_Freq 307 +#define T_Fudge 308 +#define T_Host 309 +#define T_Huffpuff 310 +#define T_Iburst 311 +#define T_Ident 312 +#define T_Ignore 313 +#define T_Incalloc 314 +#define T_Incmem 315 +#define T_Initalloc 316 +#define T_Initmem 317 +#define T_Includefile 318 +#define T_Integer 319 +#define T_Interface 320 +#define T_Intrange 321 +#define T_Io 322 +#define T_Ippeerlimit 323 +#define T_Ipv4 324 +#define T_Ipv4_flag 325 +#define T_Ipv6 326 +#define T_Ipv6_flag 327 +#define T_Kernel 328 +#define T_Key 329 +#define T_Keys 330 +#define T_Keysdir 331 +#define T_Kod 332 +#define T_Mssntp 333 +#define T_Leapfile 334 +#define T_Leapsmearinterval 335 +#define T_Limited 336 +#define T_Link 337 +#define T_Listen 338 +#define T_Logconfig 339 +#define T_Logfile 340 +#define T_Loopstats 341 +#define T_Lowpriotrap 342 +#define T_Manycastclient 343 +#define T_Manycastserver 344 +#define T_Mask 345 +#define T_Maxage 346 +#define T_Maxclock 347 +#define T_Maxdepth 348 +#define T_Maxdist 349 +#define T_Maxmem 350 +#define T_Maxpoll 351 +#define T_Mdnstries 352 +#define T_Mem 353 +#define T_Memlock 354 +#define T_Minclock 355 +#define T_Mindepth 356 +#define T_Mindist 357 +#define T_Minimum 358 +#define T_Minpoll 359 +#define T_Minsane 360 +#define T_Mode 361 +#define T_Mode7 362 +#define T_Monitor 363 +#define T_Month 364 +#define T_Mru 365 +#define T_Multicastclient 366 +#define T_Nic 367 +#define T_Nolink 368 +#define T_Nomodify 369 +#define T_Nomrulist 370 +#define T_None 371 +#define T_Nonvolatile 372 +#define T_Noepeer 373 +#define T_Nopeer 374 +#define T_Noquery 375 +#define T_Noselect 376 +#define T_Noserve 377 +#define T_Notrap 378 +#define T_Notrust 379 +#define T_Ntp 380 +#define T_Ntpport 381 +#define T_NtpSignDsocket 382 +#define T_Orphan 383 +#define T_Orphanwait 384 +#define T_PCEdigest 385 +#define T_Panic 386 +#define T_Peer 387 +#define T_Peerstats 388 +#define T_Phone 389 +#define T_Pid 390 +#define T_Pidfile 391 +#define T_Pool 392 +#define T_Port 393 +#define T_Preempt 394 +#define T_Prefer 395 +#define T_Protostats 396 +#define T_Pw 397 +#define T_Randfile 398 +#define T_Rawstats 399 +#define T_Refid 400 +#define T_Requestkey 401 +#define T_Reset 402 +#define T_Restrict 403 +#define T_Revoke 404 +#define T_Rlimit 405 +#define T_Saveconfigdir 406 +#define T_Server 407 +#define T_Setvar 408 +#define T_Source 409 +#define T_Stacksize 410 +#define T_Statistics 411 +#define T_Stats 412 +#define T_Statsdir 413 +#define T_Step 414 +#define T_Stepback 415 +#define T_Stepfwd 416 +#define T_Stepout 417 +#define T_Stratum 418 +#define T_String 419 +#define T_Sys 420 +#define T_Sysstats 421 +#define T_Tick 422 +#define T_Time1 423 +#define T_Time2 424 +#define T_Timer 425 +#define T_Timingstats 426 +#define T_Tinker 427 +#define T_Tos 428 +#define T_Trap 429 +#define T_True 430 +#define T_Trustedkey 431 +#define T_Ttl 432 +#define T_Type 433 +#define T_U_int 434 +#define T_UEcrypto 435 +#define T_UEcryptonak 436 +#define T_UEdigest 437 +#define T_Unconfig 438 +#define T_Unpeer 439 +#define T_Version 440 +#define T_WanderThreshold 441 +#define T_Week 442 +#define T_Wildcard 443 +#define T_Xleave 444 +#define T_Year 445 +#define T_Flag 446 +#define T_EOC 447 +#define T_Simulate 448 +#define T_Beep_Delay 449 +#define T_Sim_Duration 450 +#define T_Server_Offset 451 +#define T_Duration 452 +#define T_Freq_Offset 453 +#define T_Wander 454 +#define T_Jitter 455 +#define T_Prop_Delay 456 +#define T_Proc_Delay 457 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED union YYSTYPE { -#line 51 "ntp_parser.y" /* yacc.c:355 */ +#line 51 "../../ntpd/ntp_parser.y" /* yacc.c:355 */ char * String; double Double; @@ -551,7 +559,7 @@ union YYSTYPE script_info * Sim_script; script_info_fifo * Sim_script_fifo; -#line 555 "ntp_parser.c" /* yacc.c:355 */ +#line 563 "ntp_parser.c" /* yacc.c:355 */ }; typedef union YYSTYPE YYSTYPE; @@ -564,11 +572,11 @@ extern YYSTYPE yylval; int yyparse (void); -#endif /* !YY_YY_Y_TAB_H_INCLUDED */ +#endif /* !YY_YY_NTP_PARSER_H_INCLUDED */ /* Copy the second part of user declarations. */ -#line 572 "ntp_parser.c" /* yacc.c:358 */ +#line 580 "ntp_parser.c" /* yacc.c:358 */ #ifdef short # undef short @@ -808,23 +816,23 @@ union yyalloc #endif /* !YYCOPY_NEEDED */ /* YYFINAL -- State number of the termination state. */ -#define YYFINAL 215 +#define YYFINAL 216 /* YYLAST -- Last index in YYTABLE. */ -#define YYLAST 654 +#define YYLAST 662 /* YYNTOKENS -- Number of terminals. */ -#define YYNTOKENS 204 +#define YYNTOKENS 208 /* YYNNTS -- Number of nonterminals. */ -#define YYNNTS 105 +#define YYNNTS 107 /* YYNRULES -- Number of rules. */ -#define YYNRULES 318 +#define YYNRULES 324 /* YYNSTATES -- Number of states. */ -#define YYNSTATES 424 +#define YYNSTATES 436 /* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned by yylex, with out-of-bounds checking. */ #define YYUNDEFTOK 2 -#define YYMAXUTOK 453 +#define YYMAXUTOK 457 #define YYTRANSLATE(YYX) \ ((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK) @@ -837,15 +845,15 @@ static const yytype_uint8 yytranslate[] = 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 200, 201, 2, 2, 2, 2, 2, 2, 2, 2, + 204, 205, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 199, 2, 2, 2, 2, 2, 2, 2, 2, + 2, 203, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, - 2, 2, 2, 202, 2, 203, 2, 2, 2, 2, + 2, 2, 2, 206, 2, 207, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, @@ -878,45 +886,46 @@ static const yytype_uint8 yytranslate[] = 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, - 195, 196, 197, 198 + 195, 196, 197, 198, 199, 200, 201, 202 }; #if YYDEBUG /* YYRLINE[YYN] -- Source line where rule number YYN was defined. */ static const yytype_uint16 yyrline[] = { - 0, 371, 371, 375, 376, 377, 392, 393, 394, 395, - 396, 397, 398, 399, 400, 401, 402, 403, 404, 405, - 413, 423, 424, 425, 426, 427, 431, 432, 437, 442, - 444, 450, 451, 459, 460, 461, 465, 470, 471, 472, - 473, 474, 475, 476, 477, 481, 483, 488, 489, 490, - 491, 492, 493, 497, 502, 511, 521, 522, 532, 534, - 536, 538, 549, 556, 558, 563, 565, 567, 569, 571, - 580, 586, 587, 595, 597, 609, 610, 611, 612, 613, - 622, 627, 632, 640, 642, 644, 649, 650, 651, 652, - 653, 654, 655, 656, 657, 661, 662, 671, 673, 682, - 692, 697, 705, 706, 707, 708, 709, 710, 711, 712, - 717, 718, 726, 736, 745, 760, 765, 766, 770, 771, - 775, 776, 777, 778, 779, 780, 781, 790, 794, 798, - 806, 814, 822, 837, 852, 865, 866, 874, 875, 876, - 877, 878, 879, 880, 881, 882, 883, 884, 885, 886, - 887, 888, 892, 897, 905, 910, 911, 912, 916, 921, - 929, 934, 935, 936, 937, 938, 939, 940, 941, 949, - 959, 964, 972, 974, 976, 985, 987, 992, 993, 997, - 998, 999, 1000, 1008, 1013, 1018, 1026, 1031, 1032, 1033, - 1042, 1044, 1049, 1054, 1062, 1064, 1081, 1082, 1083, 1084, - 1085, 1086, 1090, 1091, 1092, 1093, 1094, 1095, 1103, 1108, - 1113, 1121, 1126, 1127, 1128, 1129, 1130, 1131, 1132, 1133, - 1134, 1135, 1144, 1145, 1146, 1153, 1160, 1167, 1183, 1202, - 1204, 1206, 1208, 1210, 1212, 1219, 1224, 1225, 1226, 1230, - 1234, 1243, 1244, 1248, 1249, 1250, 1254, 1265, 1279, 1291, - 1296, 1298, 1303, 1304, 1312, 1314, 1322, 1327, 1335, 1360, - 1367, 1377, 1378, 1382, 1383, 1384, 1385, 1389, 1390, 1391, - 1395, 1400, 1405, 1413, 1414, 1415, 1416, 1417, 1418, 1419, - 1429, 1434, 1442, 1447, 1455, 1457, 1461, 1466, 1471, 1479, - 1484, 1492, 1501, 1502, 1506, 1507, 1516, 1534, 1538, 1543, - 1551, 1556, 1557, 1561, 1566, 1574, 1579, 1584, 1589, 1594, - 1602, 1607, 1612, 1620, 1625, 1626, 1627, 1628, 1629 + 0, 377, 377, 381, 382, 383, 398, 399, 400, 401, + 402, 403, 404, 405, 406, 407, 408, 409, 410, 411, + 419, 429, 430, 431, 432, 433, 437, 438, 443, 448, + 450, 456, 457, 465, 466, 467, 471, 476, 477, 478, + 479, 480, 481, 482, 483, 487, 489, 494, 495, 496, + 497, 498, 499, 503, 508, 517, 527, 528, 538, 540, + 542, 544, 555, 562, 564, 569, 571, 573, 575, 577, + 587, 593, 594, 602, 604, 616, 617, 618, 619, 620, + 629, 634, 639, 647, 649, 651, 653, 658, 659, 660, + 661, 662, 663, 664, 665, 666, 670, 671, 680, 682, + 691, 701, 706, 714, 715, 716, 717, 718, 719, 720, + 721, 726, 727, 735, 745, 754, 769, 774, 775, 779, + 780, 784, 785, 786, 787, 788, 789, 790, 799, 803, + 807, 815, 823, 831, 846, 861, 874, 875, 895, 896, + 904, 905, 906, 907, 908, 909, 910, 911, 912, 913, + 914, 915, 916, 917, 918, 919, 920, 924, 929, 937, + 942, 943, 944, 948, 953, 961, 966, 967, 968, 969, + 970, 971, 972, 973, 981, 991, 996, 1004, 1006, 1008, + 1017, 1019, 1024, 1025, 1029, 1030, 1031, 1032, 1040, 1045, + 1050, 1058, 1063, 1064, 1065, 1074, 1076, 1081, 1086, 1094, + 1096, 1113, 1114, 1115, 1116, 1117, 1118, 1122, 1123, 1124, + 1125, 1126, 1127, 1135, 1140, 1145, 1153, 1158, 1159, 1160, + 1161, 1162, 1163, 1164, 1165, 1166, 1167, 1176, 1177, 1178, + 1185, 1192, 1199, 1215, 1234, 1236, 1238, 1240, 1242, 1244, + 1251, 1256, 1257, 1258, 1262, 1266, 1275, 1276, 1280, 1281, + 1282, 1286, 1297, 1315, 1327, 1332, 1334, 1339, 1340, 1348, + 1350, 1358, 1363, 1371, 1396, 1403, 1413, 1414, 1418, 1419, + 1420, 1421, 1425, 1426, 1427, 1431, 1436, 1441, 1449, 1450, + 1451, 1452, 1453, 1454, 1455, 1465, 1470, 1478, 1483, 1491, + 1493, 1497, 1502, 1507, 1515, 1520, 1528, 1537, 1538, 1542, + 1543, 1547, 1555, 1573, 1577, 1582, 1590, 1595, 1596, 1600, + 1605, 1613, 1618, 1623, 1628, 1633, 1641, 1646, 1651, 1659, + 1664, 1665, 1666, 1667, 1668 }; #endif @@ -927,53 +936,54 @@ static const char *const yytname[] = { "$end", "error", "$undefined", "T_Abbrev", "T_Age", "T_All", "T_Allan", "T_Allpeers", "T_Auth", "T_Autokey", "T_Automax", "T_Average", - "T_Bclient", "T_Bcpollbstep", "T_Beacon", "T_Broadcast", + "T_Basedate", "T_Bclient", "T_Bcpollbstep", "T_Beacon", "T_Broadcast", "T_Broadcastclient", "T_Broadcastdelay", "T_Burst", "T_Calibrate", "T_Ceiling", "T_Clockstats", "T_Cohort", "T_ControlKey", "T_Crypto", "T_Cryptostats", "T_Ctl", "T_Day", "T_Default", "T_Digest", "T_Disable", "T_Discard", "T_Dispersion", "T_Double", "T_Driftfile", "T_Drop", - "T_Dscp", "T_Ellipsis", "T_Enable", "T_End", "T_False", "T_File", - "T_Filegen", "T_Filenum", "T_Flag1", "T_Flag2", "T_Flag3", "T_Flag4", - "T_Flake", "T_Floor", "T_Freq", "T_Fudge", "T_Host", "T_Huffpuff", - "T_Iburst", "T_Ident", "T_Ignore", "T_Incalloc", "T_Incmem", - "T_Initalloc", "T_Initmem", "T_Includefile", "T_Integer", "T_Interface", - "T_Intrange", "T_Io", "T_Ipv4", "T_Ipv4_flag", "T_Ipv6", "T_Ipv6_flag", - "T_Kernel", "T_Key", "T_Keys", "T_Keysdir", "T_Kod", "T_Mssntp", - "T_Leapfile", "T_Leapsmearinterval", "T_Limited", "T_Link", "T_Listen", - "T_Logconfig", "T_Logfile", "T_Loopstats", "T_Lowpriotrap", - "T_Manycastclient", "T_Manycastserver", "T_Mask", "T_Maxage", - "T_Maxclock", "T_Maxdepth", "T_Maxdist", "T_Maxmem", "T_Maxpoll", - "T_Mdnstries", "T_Mem", "T_Memlock", "T_Minclock", "T_Mindepth", - "T_Mindist", "T_Minimum", "T_Minpoll", "T_Minsane", "T_Mode", "T_Mode7", - "T_Monitor", "T_Month", "T_Mru", "T_Multicastclient", "T_Nic", - "T_Nolink", "T_Nomodify", "T_Nomrulist", "T_None", "T_Nonvolatile", - "T_Nopeer", "T_Noquery", "T_Noselect", "T_Noserve", "T_Notrap", - "T_Notrust", "T_Ntp", "T_Ntpport", "T_NtpSignDsocket", "T_Orphan", - "T_Orphanwait", "T_PCEdigest", "T_Panic", "T_Peer", "T_Peerstats", - "T_Phone", "T_Pid", "T_Pidfile", "T_Pool", "T_Port", "T_Preempt", - "T_Prefer", "T_Protostats", "T_Pw", "T_Randfile", "T_Rawstats", - "T_Refid", "T_Requestkey", "T_Reset", "T_Restrict", "T_Revoke", - "T_Rlimit", "T_Saveconfigdir", "T_Server", "T_Setvar", "T_Source", - "T_Stacksize", "T_Statistics", "T_Stats", "T_Statsdir", "T_Step", - "T_Stepback", "T_Stepfwd", "T_Stepout", "T_Stratum", "T_String", "T_Sys", - "T_Sysstats", "T_Tick", "T_Time1", "T_Time2", "T_Timer", "T_Timingstats", - "T_Tinker", "T_Tos", "T_Trap", "T_True", "T_Trustedkey", "T_Ttl", - "T_Type", "T_U_int", "T_UEcrypto", "T_UEcryptonak", "T_UEdigest", - "T_Unconfig", "T_Unpeer", "T_Version", "T_WanderThreshold", "T_Week", - "T_Wildcard", "T_Xleave", "T_Year", "T_Flag", "T_EOC", "T_Simulate", - "T_Beep_Delay", "T_Sim_Duration", "T_Server_Offset", "T_Duration", - "T_Freq_Offset", "T_Wander", "T_Jitter", "T_Prop_Delay", "T_Proc_Delay", - "'='", "'('", "')'", "'{'", "'}'", "$accept", "configuration", - "command_list", "command", "server_command", "client_type", "address", - "ip_address", "address_fam", "option_list", "option", "option_flag", - "option_flag_keyword", "option_int", "option_int_keyword", "option_str", - "option_str_keyword", "unpeer_command", "unpeer_keyword", - "other_mode_command", "authentication_command", "crypto_command_list", - "crypto_command", "crypto_str_keyword", "orphan_mode_command", - "tos_option_list", "tos_option", "tos_option_int_keyword", - "tos_option_dbl_keyword", "monitoring_command", "stats_list", "stat", - "filegen_option_list", "filegen_option", "link_nolink", "enable_disable", - "filegen_type", "access_control_command", "ac_flag_list", + "T_Dscp", "T_Ellipsis", "T_Enable", "T_End", "T_Epeer", "T_False", + "T_File", "T_Filegen", "T_Filenum", "T_Flag1", "T_Flag2", "T_Flag3", + "T_Flag4", "T_Flake", "T_Floor", "T_Freq", "T_Fudge", "T_Host", + "T_Huffpuff", "T_Iburst", "T_Ident", "T_Ignore", "T_Incalloc", + "T_Incmem", "T_Initalloc", "T_Initmem", "T_Includefile", "T_Integer", + "T_Interface", "T_Intrange", "T_Io", "T_Ippeerlimit", "T_Ipv4", + "T_Ipv4_flag", "T_Ipv6", "T_Ipv6_flag", "T_Kernel", "T_Key", "T_Keys", + "T_Keysdir", "T_Kod", "T_Mssntp", "T_Leapfile", "T_Leapsmearinterval", + "T_Limited", "T_Link", "T_Listen", "T_Logconfig", "T_Logfile", + "T_Loopstats", "T_Lowpriotrap", "T_Manycastclient", "T_Manycastserver", + "T_Mask", "T_Maxage", "T_Maxclock", "T_Maxdepth", "T_Maxdist", + "T_Maxmem", "T_Maxpoll", "T_Mdnstries", "T_Mem", "T_Memlock", + "T_Minclock", "T_Mindepth", "T_Mindist", "T_Minimum", "T_Minpoll", + "T_Minsane", "T_Mode", "T_Mode7", "T_Monitor", "T_Month", "T_Mru", + "T_Multicastclient", "T_Nic", "T_Nolink", "T_Nomodify", "T_Nomrulist", + "T_None", "T_Nonvolatile", "T_Noepeer", "T_Nopeer", "T_Noquery", + "T_Noselect", "T_Noserve", "T_Notrap", "T_Notrust", "T_Ntp", "T_Ntpport", + "T_NtpSignDsocket", "T_Orphan", "T_Orphanwait", "T_PCEdigest", "T_Panic", + "T_Peer", "T_Peerstats", "T_Phone", "T_Pid", "T_Pidfile", "T_Pool", + "T_Port", "T_Preempt", "T_Prefer", "T_Protostats", "T_Pw", "T_Randfile", + "T_Rawstats", "T_Refid", "T_Requestkey", "T_Reset", "T_Restrict", + "T_Revoke", "T_Rlimit", "T_Saveconfigdir", "T_Server", "T_Setvar", + "T_Source", "T_Stacksize", "T_Statistics", "T_Stats", "T_Statsdir", + "T_Step", "T_Stepback", "T_Stepfwd", "T_Stepout", "T_Stratum", + "T_String", "T_Sys", "T_Sysstats", "T_Tick", "T_Time1", "T_Time2", + "T_Timer", "T_Timingstats", "T_Tinker", "T_Tos", "T_Trap", "T_True", + "T_Trustedkey", "T_Ttl", "T_Type", "T_U_int", "T_UEcrypto", + "T_UEcryptonak", "T_UEdigest", "T_Unconfig", "T_Unpeer", "T_Version", + "T_WanderThreshold", "T_Week", "T_Wildcard", "T_Xleave", "T_Year", + "T_Flag", "T_EOC", "T_Simulate", "T_Beep_Delay", "T_Sim_Duration", + "T_Server_Offset", "T_Duration", "T_Freq_Offset", "T_Wander", "T_Jitter", + "T_Prop_Delay", "T_Proc_Delay", "'='", "'('", "')'", "'{'", "'}'", + "$accept", "configuration", "command_list", "command", "server_command", + "client_type", "address", "ip_address", "address_fam", "option_list", + "option", "option_flag", "option_flag_keyword", "option_int", + "option_int_keyword", "option_str", "option_str_keyword", + "unpeer_command", "unpeer_keyword", "other_mode_command", + "authentication_command", "crypto_command_list", "crypto_command", + "crypto_str_keyword", "orphan_mode_command", "tos_option_list", + "tos_option", "tos_option_int_keyword", "tos_option_dbl_keyword", + "monitoring_command", "stats_list", "stat", "filegen_option_list", + "filegen_option", "link_nolink", "enable_disable", "filegen_type", + "access_control_command", "res_ippeerlimit", "ac_flag_list", "access_control_flag", "discard_option_list", "discard_option", "discard_option_keyword", "mru_option_list", "mru_option", "mru_option_keyword", "fudge_command", "fudge_factor_list", @@ -991,7 +1001,7 @@ static const char *const yytname[] = "nic_rule_action", "reset_command", "counter_set_list", "counter_set_keyword", "integer_list", "integer_list_range", "integer_list_range_elt", "integer_range", "string_list", "address_list", - "boolean", "number", "simulate_command", "sim_conf_start", + "boolean", "number", "basedate", "simulate_command", "sim_conf_start", "sim_init_statement_list", "sim_init_statement", "sim_init_keyword", "sim_server_list", "sim_server", "sim_server_offset", "sim_server_name", "sim_act_list", "sim_act", "sim_act_stmt_list", "sim_act_stmt", @@ -1023,15 +1033,15 @@ static const yytype_uint16 yytoknum[] = 415, 416, 417, 418, 419, 420, 421, 422, 423, 424, 425, 426, 427, 428, 429, 430, 431, 432, 433, 434, 435, 436, 437, 438, 439, 440, 441, 442, 443, 444, - 445, 446, 447, 448, 449, 450, 451, 452, 453, 61, - 40, 41, 123, 125 + 445, 446, 447, 448, 449, 450, 451, 452, 453, 454, + 455, 456, 457, 61, 40, 41, 123, 125 }; # endif -#define YYPACT_NINF -189 +#define YYPACT_NINF -215 #define yypact_value_is_default(Yystate) \ - (!!((Yystate) == (-189))) + (!!((Yystate) == (-215))) #define YYTABLE_NINF -7 @@ -1042,49 +1052,50 @@ static const yytype_uint16 yytoknum[] = STATE-NUM. */ static const yytype_int16 yypact[] = { - 18, -177, -45, -189, -189, -189, -40, -189, 32, 5, - -129, -189, 32, -189, 204, -44, -189, -117, -189, -110, - -101, -189, -189, -97, -189, -189, -44, -4, 495, -44, - -189, -189, -96, -189, -94, -189, -189, 8, 54, 258, - 10, -28, -189, -189, -89, 204, -86, -189, 270, 529, - -85, -56, 14, -189, -189, -189, 83, 207, -95, -189, - -44, -189, -44, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -7, 24, -73, -68, -189, -3, -189, - -189, -106, -189, -189, -189, 313, -189, -189, -189, -189, - -189, -189, -189, -189, -189, -189, -189, -189, 32, -189, - -189, -189, -189, -189, -189, 5, -189, 35, 65, -189, - 32, -189, -189, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, 110, -189, -59, 368, -189, -189, -189, - -97, -189, -189, -44, -189, -189, -189, -189, -189, -189, - -189, -189, -189, 495, -189, 44, -44, -189, -189, -51, - -189, -189, -189, -189, -189, -189, -189, -189, 54, -189, - -189, 86, 89, -189, -189, 33, -189, -189, -189, -189, - -28, -189, 49, -75, -189, 204, -189, -189, -189, -189, - -189, -189, -189, -189, -189, -189, -189, -189, 270, -189, - -7, -189, -189, -189, -33, -189, -189, -189, -189, -189, - -189, -189, -189, 529, -189, 66, -7, -189, -189, 67, - -56, -189, -189, -189, 68, -189, -53, -189, -189, -189, - -189, -189, -189, -189, -189, -189, -189, -189, -189, 16, - -153, -189, -189, -189, -189, -189, 77, -189, -18, -189, - -189, -189, -189, 226, -13, -189, -189, -189, -189, -8, - 97, -189, -189, 110, -189, -7, -33, -189, -189, -189, - -189, -189, -189, -189, -189, 449, -189, -189, 449, 449, - -85, -189, -189, 11, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -189, -49, 108, -189, -189, -189, 125, - -189, -189, -189, -189, -189, -189, -189, -189, -102, -20, - -30, -189, -189, -189, -189, 13, -189, -189, 9, -189, - -189, -189, -189, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -189, 449, 449, -189, 146, -85, 113, - -189, 116, -189, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -189, -189, -189, -189, -189, -189, -189, - -189, -54, -189, 23, -10, 6, -138, -189, -9, -189, - -7, -189, -189, -189, -189, -189, -189, -189, -189, -189, - 449, -189, -189, -189, -189, -17, -189, -189, -189, -44, - -189, -189, -189, 20, -189, -189, -189, 0, 21, -7, - 22, -173, -189, 25, -7, -189, -189, -189, 17, 7, - -189, -189, -189, -189, -189, 217, 39, 36, -189, 46, - -189, -7, -189, -189 + 11, -175, 2, -215, -215, -215, 3, -215, 93, 9, + -138, -215, 93, -215, 66, -40, -215, -93, -215, -87, + -82, -215, -215, -81, -215, -215, -40, 20, 210, -40, + -215, -215, -70, -215, -67, -215, -215, 34, 6, -13, + 47, -6, -215, -215, -48, 66, -45, -215, 412, 483, + -39, -60, 62, -215, -215, -215, 127, 203, -63, -215, + -40, -215, -40, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -215, -11, 75, -24, -22, -215, -18, -215, + -215, -53, -215, -215, -215, 48, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -215, 93, -215, + -215, -215, -215, -215, -215, 9, -215, 82, 120, -215, + 93, -215, -215, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -215, 86, -215, 4, 373, -215, -215, -215, + -81, -215, -215, -40, -215, -215, -215, -215, -215, -215, + -215, -215, -215, 210, -215, 106, -40, -215, -215, 15, + -215, -215, -215, -215, -215, -215, -215, -215, 6, -215, + 105, 146, 151, 105, -30, -215, -215, -215, -215, -6, + -215, 117, -21, -215, 66, -215, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, -215, 412, -215, -11, + 22, -215, -215, -215, -20, -215, -215, -215, -215, -215, + -215, -215, -215, 483, -215, 128, -11, -215, -215, -215, + 129, -60, -215, -215, -215, 132, -215, 10, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -215, -215, -215, + 1, -133, -215, -215, -215, -215, -215, 134, -215, 41, + -215, -215, -215, -215, -28, 42, -215, -215, -215, -215, + 45, 148, -215, -215, 86, -215, -11, -20, -215, -215, + -215, -215, -215, -215, -215, -215, 150, -215, 105, 105, + -215, -39, -215, -215, -215, 51, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -57, 178, -215, + -215, -215, 288, -215, -215, -215, -215, -215, -215, -215, + -215, -115, 25, 23, -215, -215, -215, -215, 61, -215, + -215, 21, -215, -215, -215, -215, -215, -215, -215, -215, + -215, -215, 477, -215, -215, 477, 105, 477, 201, -39, + 169, -215, 172, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -59, -215, 77, 36, 52, -100, -215, 39, + -215, -11, -215, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -215, -215, 477, + 477, -215, -215, -215, -215, -215, 43, -215, -215, -215, + -40, -215, -215, -215, 55, -215, 477, -215, -215, 49, + 56, -11, 54, -166, -215, 67, -11, -215, -215, -215, + 70, 63, -215, -215, -215, -215, -215, 124, 85, 64, + -215, 89, -215, -11, -215, -215 }; /* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM. @@ -1092,81 +1103,82 @@ static const yytype_int16 yypact[] = means the default is an error. */ static const yytype_uint16 yydefact[] = { - 0, 0, 0, 24, 58, 236, 0, 71, 0, 0, - 248, 239, 0, 229, 0, 0, 241, 0, 261, 0, - 0, 242, 240, 0, 243, 25, 0, 0, 0, 0, - 262, 237, 0, 23, 0, 244, 22, 0, 0, 0, - 0, 0, 245, 21, 0, 0, 0, 238, 0, 0, - 0, 0, 0, 56, 57, 297, 0, 2, 0, 7, + 0, 0, 0, 24, 58, 241, 0, 71, 0, 0, + 253, 244, 0, 234, 0, 0, 246, 0, 266, 0, + 0, 247, 245, 0, 248, 25, 0, 0, 0, 0, + 267, 242, 0, 23, 0, 249, 22, 0, 0, 0, + 0, 0, 250, 21, 0, 0, 0, 243, 0, 0, + 0, 0, 0, 56, 57, 303, 0, 2, 0, 7, 0, 8, 0, 9, 10, 13, 11, 12, 14, 15, - 16, 17, 18, 0, 0, 0, 0, 222, 0, 223, - 19, 0, 5, 62, 63, 64, 196, 197, 198, 199, - 202, 200, 201, 203, 204, 205, 206, 207, 191, 193, - 194, 195, 155, 156, 157, 127, 153, 0, 246, 230, - 190, 102, 103, 104, 105, 109, 106, 107, 108, 110, - 29, 30, 28, 0, 26, 0, 6, 65, 66, 258, - 231, 257, 290, 59, 61, 161, 162, 163, 164, 165, - 166, 167, 168, 128, 159, 0, 60, 70, 288, 232, - 67, 273, 274, 275, 276, 277, 278, 279, 270, 272, - 135, 29, 30, 135, 135, 26, 68, 189, 187, 188, - 183, 185, 0, 0, 233, 97, 101, 98, 212, 213, - 214, 215, 216, 217, 218, 219, 220, 221, 208, 210, - 0, 86, 87, 88, 0, 89, 90, 96, 91, 95, - 92, 93, 94, 80, 82, 0, 0, 252, 284, 0, - 69, 283, 285, 281, 235, 1, 0, 4, 31, 55, - 295, 294, 224, 225, 226, 227, 269, 268, 267, 0, - 0, 79, 75, 76, 77, 78, 0, 72, 0, 192, - 152, 154, 247, 99, 0, 179, 180, 181, 182, 0, - 0, 177, 178, 169, 171, 0, 0, 27, 228, 256, - 289, 158, 160, 287, 271, 131, 135, 135, 134, 129, - 0, 184, 186, 0, 100, 209, 211, 293, 291, 292, - 85, 81, 83, 84, 234, 0, 282, 280, 3, 20, - 263, 264, 265, 260, 266, 259, 301, 302, 0, 0, - 0, 74, 73, 119, 118, 0, 116, 117, 0, 111, - 114, 115, 175, 176, 174, 170, 172, 173, 137, 138, - 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, - 149, 150, 151, 136, 132, 133, 135, 251, 0, 0, - 253, 0, 37, 38, 39, 54, 47, 49, 48, 51, - 40, 41, 42, 43, 50, 52, 44, 32, 33, 36, - 34, 0, 35, 0, 0, 0, 0, 304, 0, 299, - 0, 112, 126, 122, 124, 120, 121, 123, 125, 113, - 130, 250, 249, 255, 254, 0, 45, 46, 53, 0, - 298, 296, 303, 0, 300, 286, 307, 0, 0, 0, - 0, 0, 309, 0, 0, 305, 308, 306, 0, 0, - 314, 315, 316, 317, 318, 0, 0, 0, 310, 0, - 312, 0, 311, 313 + 16, 17, 18, 0, 0, 0, 0, 227, 0, 228, + 19, 0, 5, 62, 63, 64, 201, 202, 203, 204, + 207, 205, 206, 208, 209, 210, 211, 212, 196, 198, + 199, 200, 160, 161, 162, 128, 158, 0, 251, 235, + 195, 103, 104, 105, 106, 110, 107, 108, 109, 111, + 29, 30, 28, 0, 26, 0, 6, 65, 66, 263, + 236, 262, 295, 59, 61, 166, 167, 168, 169, 170, + 171, 172, 173, 129, 164, 0, 60, 70, 293, 237, + 67, 278, 279, 280, 281, 282, 283, 284, 275, 277, + 136, 29, 30, 136, 136, 68, 194, 192, 193, 188, + 190, 0, 0, 238, 98, 102, 99, 217, 218, 219, + 220, 221, 222, 223, 224, 225, 226, 213, 215, 0, + 0, 87, 88, 89, 0, 90, 91, 97, 92, 96, + 93, 94, 95, 80, 82, 0, 0, 86, 257, 289, + 0, 69, 288, 290, 286, 240, 1, 0, 4, 31, + 55, 300, 299, 229, 230, 231, 232, 274, 273, 272, + 0, 0, 79, 75, 76, 77, 78, 0, 72, 0, + 197, 157, 159, 252, 100, 0, 184, 185, 186, 187, + 0, 0, 182, 183, 174, 176, 0, 0, 27, 233, + 261, 294, 163, 165, 292, 276, 0, 138, 136, 136, + 138, 0, 138, 189, 191, 0, 101, 214, 216, 301, + 298, 296, 297, 85, 81, 83, 84, 239, 0, 287, + 285, 3, 20, 268, 269, 270, 265, 271, 264, 307, + 308, 0, 0, 0, 74, 73, 120, 119, 0, 117, + 118, 0, 112, 115, 116, 180, 181, 179, 175, 177, + 178, 137, 132, 138, 138, 135, 136, 130, 256, 0, + 0, 258, 0, 37, 38, 39, 54, 47, 49, 48, + 51, 40, 41, 42, 43, 50, 52, 44, 32, 33, + 36, 34, 0, 35, 0, 0, 0, 0, 310, 0, + 305, 0, 113, 127, 123, 125, 121, 122, 124, 126, + 114, 140, 141, 142, 143, 144, 145, 146, 148, 149, + 147, 150, 151, 152, 153, 154, 155, 156, 139, 133, + 134, 138, 255, 254, 260, 259, 0, 45, 46, 53, + 0, 304, 302, 309, 0, 306, 131, 291, 313, 0, + 0, 0, 0, 0, 315, 0, 0, 311, 314, 312, + 0, 0, 320, 321, 322, 323, 324, 0, 0, 0, + 316, 0, 318, 0, 317, 319 }; /* YYPGOTO[NTERM-NUM]. */ static const yytype_int16 yypgoto[] = { - -189, -189, -189, -48, -189, -189, -15, -38, -189, -189, - -189, -189, -189, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -189, -189, -189, 37, -189, -189, -189, - -189, -42, -189, -189, -189, -189, -189, -189, -159, -189, - -189, 131, -189, -189, 96, -189, -189, -189, -6, -189, - -189, -189, -189, 74, -189, -189, 236, -71, -189, -189, - -189, -189, 62, -189, -189, -189, -189, -189, -189, -189, - -189, -189, -189, -189, -189, 122, -189, -189, -189, -189, - -189, -189, 95, -189, -189, 45, -189, -189, 225, 1, - -188, -189, -189, -189, -39, -189, -189, -103, -189, -189, - -189, -136, -189, -149, -189 + -215, -215, -215, -23, -215, -215, -15, -49, -215, -215, + -215, -215, -215, -215, -215, -215, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, 81, -215, -215, -215, + -215, -38, -215, -215, -215, -215, -215, -215, -154, -214, + -215, -215, 153, -215, -215, 142, -215, -215, -215, 32, + -215, -215, -215, -215, 121, -215, -215, 277, -35, -215, + -215, -215, -215, 107, -215, -215, -215, -215, -215, -215, + -215, -215, -215, -215, -215, -215, 163, -215, -215, -215, + -215, -215, -215, 137, -215, -215, 87, -215, -215, 267, + 53, -187, -215, -215, -215, -215, -2, -215, -215, -55, + -215, -215, -215, -109, -215, -121, -215 }; /* YYDEFGOTO[NTERM-NUM]. */ static const yytype_int16 yydefgoto[] = { - -1, 56, 57, 58, 59, 60, 132, 124, 125, 289, - 357, 358, 359, 360, 361, 362, 363, 61, 62, 63, - 64, 85, 237, 238, 65, 203, 204, 205, 206, 66, - 175, 119, 243, 309, 310, 311, 379, 67, 265, 333, - 105, 106, 107, 143, 144, 145, 68, 253, 254, 255, - 256, 69, 170, 171, 172, 70, 98, 99, 100, 101, - 71, 188, 189, 190, 72, 73, 74, 75, 76, 109, - 174, 382, 284, 340, 130, 131, 77, 78, 295, 229, - 79, 158, 159, 214, 210, 211, 212, 149, 133, 280, - 222, 80, 81, 298, 299, 300, 366, 367, 398, 368, - 401, 402, 415, 416, 417 + -1, 56, 57, 58, 59, 60, 132, 124, 125, 292, + 348, 349, 350, 351, 352, 353, 354, 61, 62, 63, + 64, 85, 238, 239, 65, 203, 204, 205, 206, 66, + 174, 119, 244, 312, 313, 314, 370, 67, 267, 322, + 388, 105, 106, 107, 143, 144, 145, 68, 254, 255, + 256, 257, 69, 169, 170, 171, 70, 98, 99, 100, + 101, 71, 187, 188, 189, 72, 73, 74, 75, 76, + 109, 173, 393, 287, 331, 130, 131, 77, 78, 298, + 230, 79, 158, 159, 215, 211, 212, 213, 149, 133, + 283, 223, 207, 80, 81, 301, 302, 303, 357, 358, + 410, 359, 413, 414, 427, 428, 429 }; /* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If @@ -1174,228 +1186,232 @@ static const yytype_int16 yydefgoto[] = number is the opposite. If YYTABLE_NINF, syntax error. */ static const yytype_int16 yytable[] = { - 123, 165, 276, 176, 268, 269, 208, 277, 386, 216, - 364, 82, 207, 372, 338, 167, 102, 83, 283, 1, - 400, 290, 84, 120, 164, 121, 220, 239, 2, 278, - 405, 108, 226, 3, 4, 5, 373, 296, 297, 239, - 86, 6, 7, 126, 87, 218, 364, 219, 8, 9, - 127, 88, 10, 227, 11, 221, 12, 13, 134, 128, - 14, 151, 152, 129, 147, 391, 148, 316, 168, 15, - 150, 173, 166, 16, 177, 122, 213, 228, 258, 17, - 153, 18, 291, 215, 292, 339, 223, 224, 296, 297, - 19, 20, 225, 217, 21, 22, 230, 241, 242, 23, - 24, 257, 89, 25, 26, 103, 262, 334, 335, 263, - 104, 272, 27, 244, 266, 374, 122, 267, 260, 154, - 270, 387, 375, 169, 273, 28, 29, 30, 282, 285, - 287, 260, 31, 274, 342, 288, 90, 91, 279, 301, - 376, 32, 302, 343, 209, 341, 33, 312, 34, 155, - 35, 36, 313, 92, 245, 246, 247, 248, 93, 314, - 37, 38, 39, 40, 41, 42, 43, 44, 369, 370, - 45, 337, 46, 371, 381, 384, 293, 380, 385, 344, - 345, 47, 394, 388, 395, 94, 48, 49, 50, 389, - 51, 52, 377, 393, 390, 378, 346, 53, 54, 399, - 294, 410, 411, 412, 413, 414, -6, 55, 95, 96, - 97, 403, 397, 407, 400, 156, 408, 2, 347, 409, - 157, 404, 3, 4, 5, 111, 348, 420, 349, 112, - 6, 7, 336, 423, 422, 421, 240, 8, 9, 261, - 281, 10, 350, 11, 271, 12, 13, 315, 110, 14, - 275, 249, 259, 264, 146, 286, 303, 317, 15, 365, - 351, 352, 16, 392, 304, 406, 419, 305, 17, 250, - 18, 0, 0, 0, 251, 252, 178, 0, 0, 19, - 20, 0, 0, 21, 22, 0, 160, 113, 23, 24, - 0, 0, 25, 26, 0, 0, 353, 0, 354, 0, - 383, 27, 179, 0, 0, 306, 355, 0, 0, 0, - 356, 0, 0, 0, 28, 29, 30, 0, 0, 0, - 180, 31, 0, 181, 0, 161, 0, 162, 0, 0, - 32, 0, 0, 114, 0, 33, 307, 34, 0, 35, - 36, 115, 231, 0, 116, 0, 0, 0, 0, 37, + 123, 208, 278, 306, 209, 397, 293, 175, 329, 270, + 272, 307, 1, 151, 152, 308, 160, 82, 227, 286, + 102, 2, 280, 221, 164, 363, 108, 3, 4, 5, + 120, 412, 121, 153, 217, 6, 7, 355, 266, 166, + 228, 417, 8, 9, 281, 219, 10, 220, 11, 364, + 12, 13, 355, 222, 309, 14, 325, 161, 327, 162, + 271, 299, 300, 240, 15, 229, 83, 84, 16, 319, + 294, 126, 295, 154, 17, 240, 18, 127, 232, 299, + 300, 330, 128, 129, 134, 310, 19, 20, 111, 245, + 21, 22, 112, 167, 147, 23, 24, 148, 150, 25, + 26, 86, 233, 259, 155, 234, 87, 402, 27, 389, + 390, 165, 103, 88, 323, 324, 172, 104, 261, 176, + 398, 28, 29, 30, 122, 122, 214, 216, 31, 218, + 365, 261, 246, 247, 248, 249, 276, 366, 32, 224, + 225, 163, 226, 33, 210, 34, 242, 35, 36, 168, + 311, 122, 113, 231, 243, 282, 367, 37, 38, 39, + 40, 41, 42, 43, 44, 296, 89, 45, 258, 46, + 263, 156, 391, 266, 405, 268, 157, 406, 47, 264, + 269, 274, 275, 48, 49, 50, 279, 51, 52, 297, + 235, 236, 285, 288, 53, 54, 290, 237, 304, 114, + 90, 91, 291, -6, 55, 305, 315, 115, 368, 316, + 116, 369, 317, 2, 321, 328, 332, 360, 92, 3, + 4, 5, 326, 93, 415, 362, 361, 6, 7, 420, + 392, 250, 117, 395, 8, 9, 396, 118, 10, 400, + 11, 399, 12, 13, 401, 404, 435, 14, 407, 251, + 94, 409, 411, 412, 252, 253, 15, 416, 241, 419, + 16, 422, 423, 424, 425, 426, 17, 433, 18, 135, + 136, 137, 138, 95, 96, 97, 421, 432, 19, 20, + 394, 434, 21, 22, 284, 262, 318, 23, 24, 110, + 273, 25, 26, 260, 277, 265, 146, 333, 289, 356, + 27, 139, 403, 140, 418, 141, 431, 334, 0, 0, + 320, 142, 0, 28, 29, 30, 0, 0, 0, 0, + 31, 0, 422, 423, 424, 425, 426, 0, 0, 0, + 32, 430, 0, 0, 0, 33, 0, 34, 0, 35, + 36, 0, 0, 0, 335, 336, 0, 0, 0, 37, 38, 39, 40, 41, 42, 43, 44, 0, 0, 45, - 0, 46, 0, 0, 0, 232, 117, 0, 233, 0, - 47, 118, 0, 0, 396, 48, 49, 50, 2, 51, - 52, 0, 0, 3, 4, 5, 53, 54, 0, 0, - 0, 6, 7, 0, 0, -6, 55, 182, 8, 9, - 308, 0, 10, 0, 11, 0, 12, 13, 163, 0, - 14, 410, 411, 412, 413, 414, 0, 0, 122, 15, - 418, 0, 0, 16, 0, 183, 184, 185, 186, 17, - 0, 18, 0, 187, 0, 0, 0, 0, 0, 0, - 19, 20, 0, 0, 21, 22, 0, 0, 0, 23, - 24, 234, 235, 25, 26, 0, 0, 0, 236, 0, - 0, 0, 27, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 28, 29, 30, 0, 0, - 0, 0, 31, 0, 0, 0, 0, 0, 0, 0, - 0, 32, 0, 0, 0, 0, 33, 318, 34, 0, - 35, 36, 0, 0, 0, 319, 0, 0, 0, 0, - 37, 38, 39, 40, 41, 42, 43, 44, 0, 0, - 45, 0, 46, 320, 321, 0, 0, 322, 0, 0, - 0, 47, 0, 323, 0, 0, 48, 49, 50, 0, - 51, 52, 191, 192, 0, 0, 0, 53, 54, 193, - 0, 194, 135, 136, 137, 138, 0, 55, 0, 0, - 324, 325, 0, 0, 326, 327, 0, 328, 329, 330, - 0, 331, 0, 0, 0, 0, 0, 0, 195, 0, - 0, 0, 0, 139, 0, 140, 0, 141, 0, 0, - 0, 0, 0, 142, 0, 0, 0, 0, 0, 0, + 0, 46, 337, 0, 0, 0, 0, 0, 0, 0, + 47, 0, 0, 0, 0, 48, 49, 50, 0, 51, + 52, 0, 0, 2, 338, 408, 53, 54, 0, 3, + 4, 5, 339, 0, 340, -6, 55, 6, 7, 0, + 0, 0, 0, 0, 8, 9, 0, 0, 10, 341, + 11, 0, 12, 13, 0, 0, 0, 14, 177, 0, + 0, 0, 0, 0, 0, 0, 15, 342, 343, 0, + 16, 0, 0, 0, 0, 0, 17, 0, 18, 0, + 0, 0, 0, 0, 0, 178, 0, 0, 19, 20, + 0, 0, 21, 22, 0, 0, 0, 23, 24, 0, + 0, 25, 26, 344, 179, 345, 0, 180, 0, 0, + 27, 0, 0, 346, 0, 0, 0, 347, 0, 0, + 0, 0, 0, 28, 29, 30, 0, 0, 0, 0, + 31, 0, 0, 0, 0, 190, 0, 191, 192, 0, + 32, 0, 0, 0, 193, 33, 194, 34, 0, 35, + 36, 0, 0, 0, 0, 0, 0, 0, 371, 37, + 38, 39, 40, 41, 42, 43, 44, 372, 0, 45, + 0, 46, 0, 0, 195, 373, 0, 0, 0, 0, + 47, 0, 0, 181, 0, 48, 49, 50, 0, 51, + 52, 0, 0, 0, 374, 375, 53, 54, 376, 0, + 0, 0, 0, 0, 377, 0, 55, 0, 0, 0, + 0, 182, 183, 184, 185, 196, 0, 197, 0, 186, + 0, 0, 0, 198, 0, 199, 0, 0, 200, 0, + 0, 378, 379, 0, 0, 380, 381, 382, 0, 383, + 384, 385, 0, 386, 0, 0, 0, 0, 0, 0, + 0, 201, 202, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 196, 0, - 197, 0, 0, 0, 0, 0, 198, 0, 199, 0, - 332, 200, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 201, 202 + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 387 }; static const yytype_int16 yycheck[] = { - 15, 39, 190, 45, 163, 164, 62, 40, 62, 57, - 148, 188, 50, 4, 63, 43, 11, 62, 206, 1, - 193, 5, 62, 67, 39, 69, 33, 98, 10, 62, - 203, 160, 35, 15, 16, 17, 27, 190, 191, 110, - 8, 23, 24, 160, 12, 60, 148, 62, 30, 31, - 160, 19, 34, 56, 36, 62, 38, 39, 62, 160, - 42, 7, 8, 160, 160, 203, 160, 255, 96, 51, - 62, 160, 62, 55, 160, 160, 62, 80, 126, 61, - 26, 63, 66, 0, 68, 134, 62, 160, 190, 191, - 72, 73, 160, 188, 76, 77, 202, 62, 33, 81, - 82, 160, 70, 85, 86, 100, 62, 266, 267, 160, - 105, 62, 94, 3, 28, 106, 160, 28, 133, 65, - 87, 175, 113, 151, 199, 107, 108, 109, 62, 62, - 62, 146, 114, 175, 9, 188, 104, 105, 171, 62, - 131, 123, 160, 18, 200, 37, 128, 160, 130, 95, - 132, 133, 160, 121, 44, 45, 46, 47, 126, 62, - 142, 143, 144, 145, 146, 147, 148, 149, 188, 199, - 152, 160, 154, 160, 28, 62, 160, 336, 62, 54, - 55, 163, 370, 160, 201, 153, 168, 169, 170, 199, - 172, 173, 183, 202, 188, 186, 71, 179, 180, 199, - 184, 194, 195, 196, 197, 198, 188, 189, 176, 177, - 178, 399, 192, 188, 193, 161, 404, 10, 93, 202, - 166, 199, 15, 16, 17, 21, 101, 188, 103, 25, - 23, 24, 270, 421, 188, 199, 105, 30, 31, 143, - 203, 34, 117, 36, 170, 38, 39, 253, 12, 42, - 188, 141, 130, 158, 29, 210, 30, 256, 51, 298, - 135, 136, 55, 366, 38, 401, 415, 41, 61, 159, - 63, -1, -1, -1, 164, 165, 6, -1, -1, 72, - 73, -1, -1, 76, 77, -1, 28, 83, 81, 82, - -1, -1, 85, 86, -1, -1, 171, -1, 173, -1, - 338, 94, 32, -1, -1, 79, 181, -1, -1, -1, - 185, -1, -1, -1, 107, 108, 109, -1, -1, -1, - 50, 114, -1, 53, -1, 67, -1, 69, -1, -1, - 123, -1, -1, 129, -1, 128, 110, 130, -1, 132, - 133, 137, 29, -1, 140, -1, -1, -1, -1, 142, - 143, 144, 145, 146, 147, 148, 149, -1, -1, 152, - -1, 154, -1, -1, -1, 52, 162, -1, 55, -1, - 163, 167, -1, -1, 389, 168, 169, 170, 10, 172, - 173, -1, -1, 15, 16, 17, 179, 180, -1, -1, - -1, 23, 24, -1, -1, 188, 189, 127, 30, 31, - 174, -1, 34, -1, 36, -1, 38, 39, 150, -1, - 42, 194, 195, 196, 197, 198, -1, -1, 160, 51, - 203, -1, -1, 55, -1, 155, 156, 157, 158, 61, - -1, 63, -1, 163, -1, -1, -1, -1, -1, -1, - 72, 73, -1, -1, 76, 77, -1, -1, -1, 81, - 82, 138, 139, 85, 86, -1, -1, -1, 145, -1, - -1, -1, 94, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, 107, 108, 109, -1, -1, - -1, -1, 114, -1, -1, -1, -1, -1, -1, -1, - -1, 123, -1, -1, -1, -1, 128, 48, 130, -1, - 132, 133, -1, -1, -1, 56, -1, -1, -1, -1, - 142, 143, 144, 145, 146, 147, 148, 149, -1, -1, - 152, -1, 154, 74, 75, -1, -1, 78, -1, -1, - -1, 163, -1, 84, -1, -1, 168, 169, 170, -1, - 172, 173, 13, 14, -1, -1, -1, 179, 180, 20, - -1, 22, 57, 58, 59, 60, -1, 189, -1, -1, - 111, 112, -1, -1, 115, 116, -1, 118, 119, 120, - -1, 122, -1, -1, -1, -1, -1, -1, 49, -1, - -1, -1, -1, 88, -1, 90, -1, 92, -1, -1, - -1, -1, -1, 98, -1, -1, -1, -1, -1, -1, + 15, 50, 189, 31, 64, 64, 5, 45, 65, 163, + 164, 39, 1, 7, 8, 43, 29, 192, 36, 206, + 11, 10, 42, 34, 39, 4, 164, 16, 17, 18, + 70, 197, 72, 27, 57, 24, 25, 152, 68, 45, + 58, 207, 31, 32, 64, 60, 35, 62, 37, 28, + 39, 40, 152, 64, 82, 44, 270, 70, 272, 72, + 90, 194, 195, 98, 53, 83, 64, 64, 57, 256, + 69, 164, 71, 67, 63, 110, 65, 164, 30, 194, + 195, 138, 164, 164, 64, 113, 75, 76, 22, 3, + 79, 80, 26, 99, 164, 84, 85, 164, 64, 88, + 89, 8, 54, 126, 98, 57, 13, 207, 97, 323, + 324, 64, 103, 20, 268, 269, 164, 108, 133, 164, + 179, 110, 111, 112, 164, 164, 64, 0, 117, 192, + 109, 146, 46, 47, 48, 49, 174, 116, 127, 64, + 164, 154, 164, 132, 204, 134, 64, 136, 137, 155, + 178, 164, 86, 206, 34, 175, 135, 146, 147, 148, + 149, 150, 151, 152, 153, 164, 73, 156, 164, 158, + 64, 165, 326, 68, 361, 29, 170, 391, 167, 164, + 29, 64, 203, 172, 173, 174, 164, 176, 177, 188, + 142, 143, 64, 64, 183, 184, 64, 149, 64, 133, + 107, 108, 192, 192, 193, 164, 164, 141, 187, 164, + 144, 190, 64, 10, 64, 164, 38, 192, 125, 16, + 17, 18, 271, 130, 411, 164, 203, 24, 25, 416, + 29, 145, 166, 64, 31, 32, 64, 171, 35, 203, + 37, 164, 39, 40, 192, 206, 433, 44, 205, 163, + 157, 196, 203, 197, 168, 169, 53, 203, 105, 192, + 57, 198, 199, 200, 201, 202, 63, 203, 65, 59, + 60, 61, 62, 180, 181, 182, 206, 192, 75, 76, + 329, 192, 79, 80, 203, 143, 254, 84, 85, 12, + 169, 88, 89, 130, 187, 158, 29, 9, 211, 301, + 97, 91, 357, 93, 413, 95, 427, 19, -1, -1, + 257, 101, -1, 110, 111, 112, -1, -1, -1, -1, + 117, -1, 198, 199, 200, 201, 202, -1, -1, -1, + 127, 207, -1, -1, -1, 132, -1, 134, -1, 136, + 137, -1, -1, -1, 56, 57, -1, -1, -1, 146, + 147, 148, 149, 150, 151, 152, 153, -1, -1, 156, + -1, 158, 74, -1, -1, -1, -1, -1, -1, -1, + 167, -1, -1, -1, -1, 172, 173, 174, -1, 176, + 177, -1, -1, 10, 96, 400, 183, 184, -1, 16, + 17, 18, 104, -1, 106, 192, 193, 24, 25, -1, + -1, -1, -1, -1, 31, 32, -1, -1, 35, 121, + 37, -1, 39, 40, -1, -1, -1, 44, 6, -1, + -1, -1, -1, -1, -1, -1, 53, 139, 140, -1, + 57, -1, -1, -1, -1, -1, 63, -1, 65, -1, + -1, -1, -1, -1, -1, 33, -1, -1, 75, 76, + -1, -1, 79, 80, -1, -1, -1, 84, 85, -1, + -1, 88, 89, 175, 52, 177, -1, 55, -1, -1, + 97, -1, -1, 185, -1, -1, -1, 189, -1, -1, + -1, -1, -1, 110, 111, 112, -1, -1, -1, -1, + 117, -1, -1, -1, -1, 12, -1, 14, 15, -1, + 127, -1, -1, -1, 21, 132, 23, 134, -1, 136, + 137, -1, -1, -1, -1, -1, -1, -1, 41, 146, + 147, 148, 149, 150, 151, 152, 153, 50, -1, 156, + -1, 158, -1, -1, 51, 58, -1, -1, -1, -1, + 167, -1, -1, 131, -1, 172, 173, 174, -1, 176, + 177, -1, -1, -1, 77, 78, 183, 184, 81, -1, + -1, -1, -1, -1, 87, -1, 193, -1, -1, -1, + -1, 159, 160, 161, 162, 92, -1, 94, -1, 167, + -1, -1, -1, 100, -1, 102, -1, -1, 105, -1, + -1, 114, 115, -1, -1, 118, 119, 120, -1, 122, + 123, 124, -1, 126, -1, -1, -1, -1, -1, -1, + -1, 128, 129, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, -1, -1, -1, -1, -1, 89, -1, - 91, -1, -1, -1, -1, -1, 97, -1, 99, -1, - 181, 102, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, - -1, -1, -1, 124, 125 + -1, -1, 185 }; /* YYSTOS[STATE-NUM] -- The (internal number of the) accessing symbol of state STATE-NUM. */ static const yytype_uint16 yystos[] = { - 0, 1, 10, 15, 16, 17, 23, 24, 30, 31, - 34, 36, 38, 39, 42, 51, 55, 61, 63, 72, - 73, 76, 77, 81, 82, 85, 86, 94, 107, 108, - 109, 114, 123, 128, 130, 132, 133, 142, 143, 144, - 145, 146, 147, 148, 149, 152, 154, 163, 168, 169, - 170, 172, 173, 179, 180, 189, 205, 206, 207, 208, - 209, 221, 222, 223, 224, 228, 233, 241, 250, 255, - 259, 264, 268, 269, 270, 271, 272, 280, 281, 284, - 295, 296, 188, 62, 62, 225, 8, 12, 19, 70, - 104, 105, 121, 126, 153, 176, 177, 178, 260, 261, - 262, 263, 11, 100, 105, 244, 245, 246, 160, 273, - 260, 21, 25, 83, 129, 137, 140, 162, 167, 235, - 67, 69, 160, 210, 211, 212, 160, 160, 160, 160, - 278, 279, 210, 292, 62, 57, 58, 59, 60, 88, - 90, 92, 98, 247, 248, 249, 292, 160, 160, 291, - 62, 7, 8, 26, 65, 95, 161, 166, 285, 286, - 28, 67, 69, 150, 210, 211, 62, 43, 96, 151, - 256, 257, 258, 160, 274, 234, 235, 160, 6, 32, - 50, 53, 127, 155, 156, 157, 158, 163, 265, 266, - 267, 13, 14, 20, 22, 49, 89, 91, 97, 99, - 102, 124, 125, 229, 230, 231, 232, 211, 62, 200, - 288, 289, 290, 62, 287, 0, 207, 188, 210, 210, - 33, 62, 294, 62, 160, 160, 35, 56, 80, 283, - 202, 29, 52, 55, 138, 139, 145, 226, 227, 261, - 245, 62, 33, 236, 3, 44, 45, 46, 47, 141, - 159, 164, 165, 251, 252, 253, 254, 160, 207, 279, - 210, 248, 62, 160, 286, 242, 28, 28, 242, 242, - 87, 257, 62, 199, 235, 266, 294, 40, 62, 171, - 293, 230, 62, 294, 276, 62, 289, 62, 188, 213, - 5, 66, 68, 160, 184, 282, 190, 191, 297, 298, - 299, 62, 160, 30, 38, 41, 79, 110, 174, 237, - 238, 239, 160, 160, 62, 252, 294, 293, 48, 56, - 74, 75, 78, 84, 111, 112, 115, 116, 118, 119, - 120, 122, 181, 243, 242, 242, 211, 160, 63, 134, - 277, 37, 9, 18, 54, 55, 71, 93, 101, 103, - 117, 135, 136, 171, 173, 181, 185, 214, 215, 216, - 217, 218, 219, 220, 148, 298, 300, 301, 303, 188, - 199, 160, 4, 27, 106, 113, 131, 183, 186, 240, - 242, 28, 275, 211, 62, 62, 62, 175, 160, 199, - 188, 203, 301, 202, 294, 201, 210, 192, 302, 199, - 193, 304, 305, 294, 199, 203, 305, 188, 294, 202, - 194, 195, 196, 197, 198, 306, 307, 308, 203, 307, - 188, 199, 188, 294 + 0, 1, 10, 16, 17, 18, 24, 25, 31, 32, + 35, 37, 39, 40, 44, 53, 57, 63, 65, 75, + 76, 79, 80, 84, 85, 88, 89, 97, 110, 111, + 112, 117, 127, 132, 134, 136, 137, 146, 147, 148, + 149, 150, 151, 152, 153, 156, 158, 167, 172, 173, + 174, 176, 177, 183, 184, 193, 209, 210, 211, 212, + 213, 225, 226, 227, 228, 232, 237, 245, 255, 260, + 264, 269, 273, 274, 275, 276, 277, 285, 286, 289, + 301, 302, 192, 64, 64, 229, 8, 13, 20, 73, + 107, 108, 125, 130, 157, 180, 181, 182, 265, 266, + 267, 268, 11, 103, 108, 249, 250, 251, 164, 278, + 265, 22, 26, 86, 133, 141, 144, 166, 171, 239, + 70, 72, 164, 214, 215, 216, 164, 164, 164, 164, + 283, 284, 214, 297, 64, 59, 60, 61, 62, 91, + 93, 95, 101, 252, 253, 254, 297, 164, 164, 296, + 64, 7, 8, 27, 67, 98, 165, 170, 290, 291, + 29, 70, 72, 154, 214, 64, 45, 99, 155, 261, + 262, 263, 164, 279, 238, 239, 164, 6, 33, 52, + 55, 131, 159, 160, 161, 162, 167, 270, 271, 272, + 12, 14, 15, 21, 23, 51, 92, 94, 100, 102, + 105, 128, 129, 233, 234, 235, 236, 300, 215, 64, + 204, 293, 294, 295, 64, 292, 0, 211, 192, 214, + 214, 34, 64, 299, 64, 164, 164, 36, 58, 83, + 288, 206, 30, 54, 57, 142, 143, 149, 230, 231, + 266, 250, 64, 34, 240, 3, 46, 47, 48, 49, + 145, 163, 168, 169, 256, 257, 258, 259, 164, 211, + 284, 214, 253, 64, 164, 291, 68, 246, 29, 29, + 246, 90, 246, 262, 64, 203, 239, 271, 299, 164, + 42, 64, 175, 298, 234, 64, 299, 281, 64, 294, + 64, 192, 217, 5, 69, 71, 164, 188, 287, 194, + 195, 303, 304, 305, 64, 164, 31, 39, 43, 82, + 113, 178, 241, 242, 243, 164, 164, 64, 257, 299, + 298, 64, 247, 246, 246, 247, 215, 247, 164, 65, + 138, 282, 38, 9, 19, 56, 57, 74, 96, 104, + 106, 121, 139, 140, 175, 177, 185, 189, 218, 219, + 220, 221, 222, 223, 224, 152, 304, 306, 307, 309, + 192, 203, 164, 4, 28, 109, 116, 135, 187, 190, + 244, 41, 50, 58, 77, 78, 81, 87, 114, 115, + 118, 119, 120, 122, 123, 124, 126, 185, 248, 247, + 247, 246, 29, 280, 215, 64, 64, 64, 179, 164, + 203, 192, 207, 307, 206, 299, 247, 205, 214, 196, + 308, 203, 197, 310, 311, 299, 203, 207, 311, 192, + 299, 206, 198, 199, 200, 201, 202, 312, 313, 314, + 207, 313, 192, 203, 192, 299 }; /* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */ static const yytype_uint16 yyr1[] = { - 0, 204, 205, 206, 206, 206, 207, 207, 207, 207, - 207, 207, 207, 207, 207, 207, 207, 207, 207, 207, - 208, 209, 209, 209, 209, 209, 210, 210, 211, 212, - 212, 213, 213, 214, 214, 214, 215, 216, 216, 216, - 216, 216, 216, 216, 216, 217, 217, 218, 218, 218, - 218, 218, 218, 219, 220, 221, 222, 222, 223, 223, - 223, 223, 224, 224, 224, 224, 224, 224, 224, 224, - 224, 225, 225, 226, 226, 227, 227, 227, 227, 227, - 228, 229, 229, 230, 230, 230, 231, 231, 231, 231, - 231, 231, 231, 231, 231, 232, 232, 233, 233, 233, - 234, 234, 235, 235, 235, 235, 235, 235, 235, 235, - 236, 236, 237, 237, 237, 237, 238, 238, 239, 239, - 240, 240, 240, 240, 240, 240, 240, 241, 241, 241, - 241, 241, 241, 241, 241, 242, 242, 243, 243, 243, - 243, 243, 243, 243, 243, 243, 243, 243, 243, 243, - 243, 243, 244, 244, 245, 246, 246, 246, 247, 247, - 248, 249, 249, 249, 249, 249, 249, 249, 249, 250, - 251, 251, 252, 252, 252, 252, 252, 253, 253, 254, - 254, 254, 254, 255, 256, 256, 257, 258, 258, 258, - 259, 259, 260, 260, 261, 261, 262, 262, 262, 262, - 262, 262, 263, 263, 263, 263, 263, 263, 264, 265, - 265, 266, 267, 267, 267, 267, 267, 267, 267, 267, - 267, 267, 268, 268, 268, 268, 268, 268, 268, 268, - 268, 268, 268, 268, 268, 268, 269, 269, 269, 270, - 270, 271, 271, 272, 272, 272, 273, 273, 273, 274, - 275, 275, 276, 276, 277, 277, 278, 278, 279, 280, - 280, 281, 281, 282, 282, 282, 282, 283, 283, 283, - 284, 285, 285, 286, 286, 286, 286, 286, 286, 286, - 287, 287, 288, 288, 289, 289, 290, 291, 291, 292, - 292, 293, 293, 293, 294, 294, 295, 296, 297, 297, - 298, 299, 299, 300, 300, 301, 302, 303, 304, 304, - 305, 306, 306, 307, 308, 308, 308, 308, 308 + 0, 208, 209, 210, 210, 210, 211, 211, 211, 211, + 211, 211, 211, 211, 211, 211, 211, 211, 211, 211, + 212, 213, 213, 213, 213, 213, 214, 214, 215, 216, + 216, 217, 217, 218, 218, 218, 219, 220, 220, 220, + 220, 220, 220, 220, 220, 221, 221, 222, 222, 222, + 222, 222, 222, 223, 224, 225, 226, 226, 227, 227, + 227, 227, 228, 228, 228, 228, 228, 228, 228, 228, + 228, 229, 229, 230, 230, 231, 231, 231, 231, 231, + 232, 233, 233, 234, 234, 234, 234, 235, 235, 235, + 235, 235, 235, 235, 235, 235, 236, 236, 237, 237, + 237, 238, 238, 239, 239, 239, 239, 239, 239, 239, + 239, 240, 240, 241, 241, 241, 241, 242, 242, 243, + 243, 244, 244, 244, 244, 244, 244, 244, 245, 245, + 245, 245, 245, 245, 245, 245, 246, 246, 247, 247, + 248, 248, 248, 248, 248, 248, 248, 248, 248, 248, + 248, 248, 248, 248, 248, 248, 248, 249, 249, 250, + 251, 251, 251, 252, 252, 253, 254, 254, 254, 254, + 254, 254, 254, 254, 255, 256, 256, 257, 257, 257, + 257, 257, 258, 258, 259, 259, 259, 259, 260, 261, + 261, 262, 263, 263, 263, 264, 264, 265, 265, 266, + 266, 267, 267, 267, 267, 267, 267, 268, 268, 268, + 268, 268, 268, 269, 270, 270, 271, 272, 272, 272, + 272, 272, 272, 272, 272, 272, 272, 273, 273, 273, + 273, 273, 273, 273, 273, 273, 273, 273, 273, 273, + 273, 274, 274, 274, 275, 275, 276, 276, 277, 277, + 277, 278, 278, 278, 279, 280, 280, 281, 281, 282, + 282, 283, 283, 284, 285, 285, 286, 286, 287, 287, + 287, 287, 288, 288, 288, 289, 290, 290, 291, 291, + 291, 291, 291, 291, 291, 292, 292, 293, 293, 294, + 294, 295, 296, 296, 297, 297, 298, 298, 298, 299, + 299, 300, 301, 302, 303, 303, 304, 305, 305, 306, + 306, 307, 308, 309, 310, 310, 311, 312, 312, 313, + 314, 314, 314, 314, 314 }; /* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN. */ @@ -1410,29 +1426,30 @@ static const yytype_uint8 yyr2[] = 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 2, 0, 2, 2, 2, 1, 1, 1, 1, 1, 2, 2, 1, 2, 2, 2, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 2, 2, 3, - 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 0, 2, 2, 2, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 2, 2, 3, - 5, 3, 4, 4, 3, 0, 2, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, + 3, 2, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 0, 2, 2, 2, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, + 4, 6, 4, 5, 5, 4, 0, 2, 0, 2, + 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 1, 1, 2, 1, 2, + 1, 1, 1, 2, 1, 2, 1, 1, 1, 1, + 1, 1, 1, 1, 3, 2, 1, 2, 2, 2, + 2, 2, 1, 1, 1, 1, 1, 1, 2, 2, + 1, 2, 1, 1, 1, 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 2, 1, 2, 1, 1, 1, 2, 1, - 2, 1, 1, 1, 1, 1, 1, 1, 1, 3, - 2, 1, 2, 2, 2, 2, 2, 1, 1, 1, 1, 1, 1, 2, 2, 1, 2, 1, 1, 1, - 2, 2, 2, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 1, 2, 2, - 1, 2, 1, 1, 1, 1, 1, 1, 1, 1, - 1, 1, 1, 1, 2, 2, 2, 2, 3, 1, - 2, 2, 2, 2, 3, 2, 1, 1, 1, 1, - 1, 1, 1, 1, 1, 1, 1, 2, 0, 4, - 1, 0, 0, 2, 2, 2, 2, 1, 1, 3, - 3, 1, 1, 1, 1, 1, 1, 1, 1, 1, - 2, 2, 1, 1, 1, 1, 1, 1, 1, 1, - 2, 1, 2, 1, 1, 1, 5, 2, 1, 2, - 1, 1, 1, 1, 1, 1, 5, 1, 3, 2, - 3, 1, 1, 2, 1, 5, 4, 3, 2, 1, - 6, 3, 2, 3, 1, 1, 1, 1, 1 + 1, 1, 1, 1, 1, 1, 1, 1, 1, 2, + 2, 2, 2, 3, 1, 2, 2, 2, 2, 3, + 2, 1, 1, 1, 1, 1, 1, 1, 1, 1, + 1, 1, 2, 0, 4, 1, 0, 0, 2, 2, + 2, 2, 1, 1, 3, 3, 1, 1, 1, 1, + 1, 1, 1, 1, 1, 2, 2, 1, 1, 1, + 1, 1, 1, 1, 1, 2, 1, 2, 1, 1, + 1, 5, 2, 1, 2, 1, 1, 1, 1, 1, + 1, 2, 5, 1, 3, 2, 3, 1, 1, 2, + 1, 5, 4, 3, 2, 1, 6, 3, 2, 3, + 1, 1, 1, 1, 1 }; @@ -2109,7 +2126,7 @@ yyreduce: switch (yyn) { case 5: -#line 378 "ntp_parser.y" /* yacc.c:1646 */ +#line 384 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { /* I will need to incorporate much more fine grained * error messages. The following should suffice for @@ -2122,85 +2139,85 @@ yyreduce: ip_ctx->errpos.nline, ip_ctx->errpos.ncol); } -#line 2126 "ntp_parser.c" /* yacc.c:1646 */ +#line 2143 "ntp_parser.c" /* yacc.c:1646 */ break; case 20: -#line 414 "ntp_parser.y" /* yacc.c:1646 */ +#line 420 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { peer_node *my_node; my_node = create_peer_node((yyvsp[-2].Integer), (yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo)); APPEND_G_FIFO(cfgt.peers, my_node); } -#line 2137 "ntp_parser.c" /* yacc.c:1646 */ +#line 2154 "ntp_parser.c" /* yacc.c:1646 */ break; case 27: -#line 433 "ntp_parser.y" /* yacc.c:1646 */ +#line 439 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Address_node) = create_address_node((yyvsp[0].String), (yyvsp[-1].Integer)); } -#line 2143 "ntp_parser.c" /* yacc.c:1646 */ +#line 2160 "ntp_parser.c" /* yacc.c:1646 */ break; case 28: -#line 438 "ntp_parser.y" /* yacc.c:1646 */ +#line 444 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Address_node) = create_address_node((yyvsp[0].String), AF_UNSPEC); } -#line 2149 "ntp_parser.c" /* yacc.c:1646 */ +#line 2166 "ntp_parser.c" /* yacc.c:1646 */ break; case 29: -#line 443 "ntp_parser.y" /* yacc.c:1646 */ +#line 449 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Integer) = AF_INET; } -#line 2155 "ntp_parser.c" /* yacc.c:1646 */ +#line 2172 "ntp_parser.c" /* yacc.c:1646 */ break; case 30: -#line 445 "ntp_parser.y" /* yacc.c:1646 */ +#line 451 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Integer) = AF_INET6; } -#line 2161 "ntp_parser.c" /* yacc.c:1646 */ +#line 2178 "ntp_parser.c" /* yacc.c:1646 */ break; case 31: -#line 450 "ntp_parser.y" /* yacc.c:1646 */ +#line 456 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; } -#line 2167 "ntp_parser.c" /* yacc.c:1646 */ +#line 2184 "ntp_parser.c" /* yacc.c:1646 */ break; case 32: -#line 452 "ntp_parser.y" /* yacc.c:1646 */ +#line 458 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2176 "ntp_parser.c" /* yacc.c:1646 */ +#line 2193 "ntp_parser.c" /* yacc.c:1646 */ break; case 36: -#line 466 "ntp_parser.y" /* yacc.c:1646 */ +#line 472 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); } -#line 2182 "ntp_parser.c" /* yacc.c:1646 */ +#line 2199 "ntp_parser.c" /* yacc.c:1646 */ break; case 45: -#line 482 "ntp_parser.y" /* yacc.c:1646 */ +#line 488 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 2188 "ntp_parser.c" /* yacc.c:1646 */ +#line 2205 "ntp_parser.c" /* yacc.c:1646 */ break; case 46: -#line 484 "ntp_parser.y" /* yacc.c:1646 */ +#line 490 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_uval((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 2194 "ntp_parser.c" /* yacc.c:1646 */ +#line 2211 "ntp_parser.c" /* yacc.c:1646 */ break; case 53: -#line 498 "ntp_parser.y" /* yacc.c:1646 */ +#line 504 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); } -#line 2200 "ntp_parser.c" /* yacc.c:1646 */ +#line 2217 "ntp_parser.c" /* yacc.c:1646 */ break; case 55: -#line 512 "ntp_parser.y" /* yacc.c:1646 */ +#line 518 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { unpeer_node *my_node; @@ -2208,125 +2225,126 @@ yyreduce: if (my_node) APPEND_G_FIFO(cfgt.unpeers, my_node); } -#line 2212 "ntp_parser.c" /* yacc.c:1646 */ +#line 2229 "ntp_parser.c" /* yacc.c:1646 */ break; case 58: -#line 533 "ntp_parser.y" /* yacc.c:1646 */ +#line 539 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.broadcastclient = 1; } -#line 2218 "ntp_parser.c" /* yacc.c:1646 */ +#line 2235 "ntp_parser.c" /* yacc.c:1646 */ break; case 59: -#line 535 "ntp_parser.y" /* yacc.c:1646 */ +#line 541 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.manycastserver, (yyvsp[0].Address_fifo)); } -#line 2224 "ntp_parser.c" /* yacc.c:1646 */ +#line 2241 "ntp_parser.c" /* yacc.c:1646 */ break; case 60: -#line 537 "ntp_parser.y" /* yacc.c:1646 */ +#line 543 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.multicastclient, (yyvsp[0].Address_fifo)); } -#line 2230 "ntp_parser.c" /* yacc.c:1646 */ +#line 2247 "ntp_parser.c" /* yacc.c:1646 */ break; case 61: -#line 539 "ntp_parser.y" /* yacc.c:1646 */ +#line 545 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.mdnstries = (yyvsp[0].Integer); } -#line 2236 "ntp_parser.c" /* yacc.c:1646 */ +#line 2253 "ntp_parser.c" /* yacc.c:1646 */ break; case 62: -#line 550 "ntp_parser.y" /* yacc.c:1646 */ +#line 556 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { attr_val *atrv; atrv = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); APPEND_G_FIFO(cfgt.vars, atrv); } -#line 2247 "ntp_parser.c" /* yacc.c:1646 */ +#line 2264 "ntp_parser.c" /* yacc.c:1646 */ break; case 63: -#line 557 "ntp_parser.y" /* yacc.c:1646 */ +#line 563 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.control_key = (yyvsp[0].Integer); } -#line 2253 "ntp_parser.c" /* yacc.c:1646 */ +#line 2270 "ntp_parser.c" /* yacc.c:1646 */ break; case 64: -#line 559 "ntp_parser.y" /* yacc.c:1646 */ +#line 565 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.cryptosw++; CONCAT_G_FIFOS(cfgt.auth.crypto_cmd_list, (yyvsp[0].Attr_val_fifo)); } -#line 2262 "ntp_parser.c" /* yacc.c:1646 */ +#line 2279 "ntp_parser.c" /* yacc.c:1646 */ break; case 65: -#line 564 "ntp_parser.y" /* yacc.c:1646 */ +#line 570 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.keys = (yyvsp[0].String); } -#line 2268 "ntp_parser.c" /* yacc.c:1646 */ +#line 2285 "ntp_parser.c" /* yacc.c:1646 */ break; case 66: -#line 566 "ntp_parser.y" /* yacc.c:1646 */ +#line 572 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.keysdir = (yyvsp[0].String); } -#line 2274 "ntp_parser.c" /* yacc.c:1646 */ +#line 2291 "ntp_parser.c" /* yacc.c:1646 */ break; case 67: -#line 568 "ntp_parser.y" /* yacc.c:1646 */ +#line 574 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.request_key = (yyvsp[0].Integer); } -#line 2280 "ntp_parser.c" /* yacc.c:1646 */ +#line 2297 "ntp_parser.c" /* yacc.c:1646 */ break; case 68: -#line 570 "ntp_parser.y" /* yacc.c:1646 */ +#line 576 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.revoke = (yyvsp[0].Integer); } -#line 2286 "ntp_parser.c" /* yacc.c:1646 */ +#line 2303 "ntp_parser.c" /* yacc.c:1646 */ break; case 69: -#line 572 "ntp_parser.y" /* yacc.c:1646 */ +#line 578 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { - cfgt.auth.trusted_key_list = (yyvsp[0].Attr_val_fifo); - - // if (!cfgt.auth.trusted_key_list) - // cfgt.auth.trusted_key_list = $2; - // else - // LINK_SLIST(cfgt.auth.trusted_key_list, $2, link); + /* [Bug 948] leaves it open if appending or + * replacing the trusted key list is the right + * way. In any case, either alternative should + * be coded correctly! + */ + DESTROY_G_FIFO(cfgt.auth.trusted_key_list, destroy_attr_val); /* remove for append */ + CONCAT_G_FIFOS(cfgt.auth.trusted_key_list, (yyvsp[0].Attr_val_fifo)); } -#line 2299 "ntp_parser.c" /* yacc.c:1646 */ +#line 2317 "ntp_parser.c" /* yacc.c:1646 */ break; case 70: -#line 581 "ntp_parser.y" /* yacc.c:1646 */ +#line 588 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { cfgt.auth.ntp_signd_socket = (yyvsp[0].String); } -#line 2305 "ntp_parser.c" /* yacc.c:1646 */ +#line 2323 "ntp_parser.c" /* yacc.c:1646 */ break; case 71: -#line 586 "ntp_parser.y" /* yacc.c:1646 */ +#line 593 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; } -#line 2311 "ntp_parser.c" /* yacc.c:1646 */ +#line 2329 "ntp_parser.c" /* yacc.c:1646 */ break; case 72: -#line 588 "ntp_parser.y" /* yacc.c:1646 */ +#line 595 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2320 "ntp_parser.c" /* yacc.c:1646 */ +#line 2338 "ntp_parser.c" /* yacc.c:1646 */ break; case 73: -#line 596 "ntp_parser.y" /* yacc.c:1646 */ +#line 603 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); } -#line 2326 "ntp_parser.c" /* yacc.c:1646 */ +#line 2344 "ntp_parser.c" /* yacc.c:1646 */ break; case 74: -#line 598 "ntp_parser.y" /* yacc.c:1646 */ +#line 605 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = NULL; cfgt.auth.revoke = (yyvsp[0].Integer); @@ -2335,59 +2353,65 @@ yyreduce: "please use 'revoke %d' instead.", cfgt.auth.revoke, cfgt.auth.revoke); } -#line 2339 "ntp_parser.c" /* yacc.c:1646 */ +#line 2357 "ntp_parser.c" /* yacc.c:1646 */ break; case 80: -#line 623 "ntp_parser.y" /* yacc.c:1646 */ +#line 630 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.orphan_cmds, (yyvsp[0].Attr_val_fifo)); } -#line 2345 "ntp_parser.c" /* yacc.c:1646 */ +#line 2363 "ntp_parser.c" /* yacc.c:1646 */ break; case 81: -#line 628 "ntp_parser.y" /* yacc.c:1646 */ +#line 635 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2354 "ntp_parser.c" /* yacc.c:1646 */ +#line 2372 "ntp_parser.c" /* yacc.c:1646 */ break; case 82: -#line 633 "ntp_parser.y" /* yacc.c:1646 */ +#line 640 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2363 "ntp_parser.c" /* yacc.c:1646 */ +#line 2381 "ntp_parser.c" /* yacc.c:1646 */ break; case 83: -#line 641 "ntp_parser.y" /* yacc.c:1646 */ +#line 648 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (double)(yyvsp[0].Integer)); } -#line 2369 "ntp_parser.c" /* yacc.c:1646 */ +#line 2387 "ntp_parser.c" /* yacc.c:1646 */ break; case 84: -#line 643 "ntp_parser.y" /* yacc.c:1646 */ +#line 650 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); } -#line 2375 "ntp_parser.c" /* yacc.c:1646 */ +#line 2393 "ntp_parser.c" /* yacc.c:1646 */ break; case 85: -#line 645 "ntp_parser.y" /* yacc.c:1646 */ +#line 652 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (double)(yyvsp[0].Integer)); } -#line 2381 "ntp_parser.c" /* yacc.c:1646 */ +#line 2399 "ntp_parser.c" /* yacc.c:1646 */ break; - case 97: -#line 672 "ntp_parser.y" /* yacc.c:1646 */ - { CONCAT_G_FIFOS(cfgt.stats_list, (yyvsp[0].Int_fifo)); } -#line 2387 "ntp_parser.c" /* yacc.c:1646 */ + case 86: +#line 654 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ + { (yyval.Attr_val) = create_attr_ival(T_Basedate, (yyvsp[0].Integer)); } +#line 2405 "ntp_parser.c" /* yacc.c:1646 */ break; case 98: -#line 674 "ntp_parser.y" /* yacc.c:1646 */ +#line 681 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ + { CONCAT_G_FIFOS(cfgt.stats_list, (yyvsp[0].Int_fifo)); } +#line 2411 "ntp_parser.c" /* yacc.c:1646 */ + break; + + case 99: +#line 683 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { cfgt.stats_dir = (yyvsp[0].String); @@ -2396,55 +2420,55 @@ yyreduce: yyerror("statsdir remote configuration ignored"); } } -#line 2400 "ntp_parser.c" /* yacc.c:1646 */ +#line 2424 "ntp_parser.c" /* yacc.c:1646 */ break; - case 99: -#line 683 "ntp_parser.y" /* yacc.c:1646 */ + case 100: +#line 692 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { filegen_node *fgn; fgn = create_filegen_node((yyvsp[-1].Integer), (yyvsp[0].Attr_val_fifo)); APPEND_G_FIFO(cfgt.filegen_opts, fgn); } -#line 2411 "ntp_parser.c" /* yacc.c:1646 */ +#line 2435 "ntp_parser.c" /* yacc.c:1646 */ break; - case 100: -#line 693 "ntp_parser.y" /* yacc.c:1646 */ + case 101: +#line 702 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Int_fifo) = (yyvsp[-1].Int_fifo); APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer))); } -#line 2420 "ntp_parser.c" /* yacc.c:1646 */ +#line 2444 "ntp_parser.c" /* yacc.c:1646 */ break; - case 101: -#line 698 "ntp_parser.y" /* yacc.c:1646 */ + case 102: +#line 707 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Int_fifo) = NULL; APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer))); } -#line 2429 "ntp_parser.c" /* yacc.c:1646 */ +#line 2453 "ntp_parser.c" /* yacc.c:1646 */ break; - case 110: -#line 717 "ntp_parser.y" /* yacc.c:1646 */ + case 111: +#line 726 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; } -#line 2435 "ntp_parser.c" /* yacc.c:1646 */ +#line 2459 "ntp_parser.c" /* yacc.c:1646 */ break; - case 111: -#line 719 "ntp_parser.y" /* yacc.c:1646 */ + case 112: +#line 728 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2444 "ntp_parser.c" /* yacc.c:1646 */ +#line 2468 "ntp_parser.c" /* yacc.c:1646 */ break; - case 112: -#line 727 "ntp_parser.y" /* yacc.c:1646 */ + case 113: +#line 736 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); @@ -2454,11 +2478,11 @@ yyreduce: yyerror("filegen file remote config ignored"); } } -#line 2458 "ntp_parser.c" /* yacc.c:1646 */ +#line 2482 "ntp_parser.c" /* yacc.c:1646 */ break; - case 113: -#line 737 "ntp_parser.y" /* yacc.c:1646 */ + case 114: +#line 746 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); @@ -2467,11 +2491,11 @@ yyreduce: yyerror("filegen type remote config ignored"); } } -#line 2471 "ntp_parser.c" /* yacc.c:1646 */ +#line 2495 "ntp_parser.c" /* yacc.c:1646 */ break; - case 114: -#line 746 "ntp_parser.y" /* yacc.c:1646 */ + case 115: +#line 755 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { const char *err; @@ -2486,69 +2510,69 @@ yyreduce: yyerror(err); } } -#line 2490 "ntp_parser.c" /* yacc.c:1646 */ +#line 2514 "ntp_parser.c" /* yacc.c:1646 */ break; - case 115: -#line 761 "ntp_parser.y" /* yacc.c:1646 */ + case 116: +#line 770 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); } -#line 2496 "ntp_parser.c" /* yacc.c:1646 */ +#line 2520 "ntp_parser.c" /* yacc.c:1646 */ break; - case 127: -#line 791 "ntp_parser.y" /* yacc.c:1646 */ + case 128: +#line 800 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.discard_opts, (yyvsp[0].Attr_val_fifo)); } -#line 2504 "ntp_parser.c" /* yacc.c:1646 */ +#line 2528 "ntp_parser.c" /* yacc.c:1646 */ break; - case 128: -#line 795 "ntp_parser.y" /* yacc.c:1646 */ + case 129: +#line 804 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.mru_opts, (yyvsp[0].Attr_val_fifo)); } -#line 2512 "ntp_parser.c" /* yacc.c:1646 */ +#line 2536 "ntp_parser.c" /* yacc.c:1646 */ break; - case 129: -#line 799 "ntp_parser.y" /* yacc.c:1646 */ + case 130: +#line 808 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { restrict_node *rn; - rn = create_restrict_node((yyvsp[-1].Address_node), NULL, (yyvsp[0].Int_fifo), + rn = create_restrict_node((yyvsp[-2].Address_node), NULL, (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline); APPEND_G_FIFO(cfgt.restrict_opts, rn); } -#line 2524 "ntp_parser.c" /* yacc.c:1646 */ +#line 2548 "ntp_parser.c" /* yacc.c:1646 */ break; - case 130: -#line 807 "ntp_parser.y" /* yacc.c:1646 */ + case 131: +#line 816 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { restrict_node *rn; - rn = create_restrict_node((yyvsp[-3].Address_node), (yyvsp[-1].Address_node), (yyvsp[0].Int_fifo), + rn = create_restrict_node((yyvsp[-4].Address_node), (yyvsp[-2].Address_node), (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline); APPEND_G_FIFO(cfgt.restrict_opts, rn); } -#line 2536 "ntp_parser.c" /* yacc.c:1646 */ +#line 2560 "ntp_parser.c" /* yacc.c:1646 */ break; - case 131: -#line 815 "ntp_parser.y" /* yacc.c:1646 */ + case 132: +#line 824 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { restrict_node *rn; - rn = create_restrict_node(NULL, NULL, (yyvsp[0].Int_fifo), + rn = create_restrict_node(NULL, NULL, (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline); APPEND_G_FIFO(cfgt.restrict_opts, rn); } -#line 2548 "ntp_parser.c" /* yacc.c:1646 */ +#line 2572 "ntp_parser.c" /* yacc.c:1646 */ break; - case 132: -#line 823 "ntp_parser.y" /* yacc.c:1646 */ + case 133: +#line 832 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { restrict_node *rn; @@ -2559,15 +2583,15 @@ yyreduce: create_address_node( estrdup("0.0.0.0"), AF_INET), - (yyvsp[0].Int_fifo), + (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline); APPEND_G_FIFO(cfgt.restrict_opts, rn); } -#line 2567 "ntp_parser.c" /* yacc.c:1646 */ +#line 2591 "ntp_parser.c" /* yacc.c:1646 */ break; - case 133: -#line 838 "ntp_parser.y" /* yacc.c:1646 */ + case 134: +#line 847 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { restrict_node *rn; @@ -2578,132 +2602,158 @@ yyreduce: create_address_node( estrdup("::"), AF_INET6), - (yyvsp[0].Int_fifo), + (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline); APPEND_G_FIFO(cfgt.restrict_opts, rn); } -#line 2586 "ntp_parser.c" /* yacc.c:1646 */ +#line 2610 "ntp_parser.c" /* yacc.c:1646 */ break; - case 134: -#line 853 "ntp_parser.y" /* yacc.c:1646 */ + case 135: +#line 862 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { restrict_node * rn; - APPEND_G_FIFO((yyvsp[0].Int_fifo), create_int_node((yyvsp[-1].Integer))); + APPEND_G_FIFO((yyvsp[0].Int_fifo), create_int_node((yyvsp[-2].Integer))); rn = create_restrict_node( - NULL, NULL, (yyvsp[0].Int_fifo), lex_current()->curpos.nline); + NULL, NULL, (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline); APPEND_G_FIFO(cfgt.restrict_opts, rn); } -#line 2599 "ntp_parser.c" /* yacc.c:1646 */ +#line 2623 "ntp_parser.c" /* yacc.c:1646 */ break; - case 135: -#line 865 "ntp_parser.y" /* yacc.c:1646 */ + case 136: +#line 874 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ + { (yyval.Integer) = -1; } +#line 2629 "ntp_parser.c" /* yacc.c:1646 */ + break; + + case 137: +#line 876 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ + { + if (((yyvsp[0].Integer) < -1) || ((yyvsp[0].Integer) > 100)) { + struct FILE_INFO * ip_ctx; + + ip_ctx = lex_current(); + msyslog(LOG_ERR, + "Unreasonable ippeerlimit value (%d) in %s line %d, column %d. Using 0.", + (yyvsp[0].Integer), + ip_ctx->fname, + ip_ctx->errpos.nline, + ip_ctx->errpos.ncol); + (yyvsp[0].Integer) = 0; + } + (yyval.Integer) = (yyvsp[0].Integer); + } +#line 2649 "ntp_parser.c" /* yacc.c:1646 */ + break; + + case 138: +#line 895 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Int_fifo) = NULL; } -#line 2605 "ntp_parser.c" /* yacc.c:1646 */ +#line 2655 "ntp_parser.c" /* yacc.c:1646 */ break; - case 136: -#line 867 "ntp_parser.y" /* yacc.c:1646 */ + case 139: +#line 897 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Int_fifo) = (yyvsp[-1].Int_fifo); APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer))); } -#line 2614 "ntp_parser.c" /* yacc.c:1646 */ +#line 2664 "ntp_parser.c" /* yacc.c:1646 */ break; - case 152: -#line 893 "ntp_parser.y" /* yacc.c:1646 */ + case 157: +#line 925 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2623 "ntp_parser.c" /* yacc.c:1646 */ +#line 2673 "ntp_parser.c" /* yacc.c:1646 */ break; - case 153: -#line 898 "ntp_parser.y" /* yacc.c:1646 */ + case 158: +#line 930 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2632 "ntp_parser.c" /* yacc.c:1646 */ +#line 2682 "ntp_parser.c" /* yacc.c:1646 */ break; - case 154: -#line 906 "ntp_parser.y" /* yacc.c:1646 */ + case 159: +#line 938 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 2638 "ntp_parser.c" /* yacc.c:1646 */ +#line 2688 "ntp_parser.c" /* yacc.c:1646 */ break; - case 158: -#line 917 "ntp_parser.y" /* yacc.c:1646 */ + case 163: +#line 949 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2647 "ntp_parser.c" /* yacc.c:1646 */ +#line 2697 "ntp_parser.c" /* yacc.c:1646 */ break; - case 159: -#line 922 "ntp_parser.y" /* yacc.c:1646 */ + case 164: +#line 954 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2656 "ntp_parser.c" /* yacc.c:1646 */ +#line 2706 "ntp_parser.c" /* yacc.c:1646 */ break; - case 160: -#line 930 "ntp_parser.y" /* yacc.c:1646 */ + case 165: +#line 962 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 2662 "ntp_parser.c" /* yacc.c:1646 */ +#line 2712 "ntp_parser.c" /* yacc.c:1646 */ break; - case 169: -#line 950 "ntp_parser.y" /* yacc.c:1646 */ + case 174: +#line 982 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { addr_opts_node *aon; aon = create_addr_opts_node((yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo)); APPEND_G_FIFO(cfgt.fudge, aon); } -#line 2673 "ntp_parser.c" /* yacc.c:1646 */ +#line 2723 "ntp_parser.c" /* yacc.c:1646 */ break; - case 170: -#line 960 "ntp_parser.y" /* yacc.c:1646 */ + case 175: +#line 992 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2682 "ntp_parser.c" /* yacc.c:1646 */ +#line 2732 "ntp_parser.c" /* yacc.c:1646 */ break; - case 171: -#line 965 "ntp_parser.y" /* yacc.c:1646 */ + case 176: +#line 997 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2691 "ntp_parser.c" /* yacc.c:1646 */ +#line 2741 "ntp_parser.c" /* yacc.c:1646 */ break; - case 172: -#line 973 "ntp_parser.y" /* yacc.c:1646 */ + case 177: +#line 1005 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); } -#line 2697 "ntp_parser.c" /* yacc.c:1646 */ +#line 2747 "ntp_parser.c" /* yacc.c:1646 */ break; - case 173: -#line 975 "ntp_parser.y" /* yacc.c:1646 */ + case 178: +#line 1007 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 2703 "ntp_parser.c" /* yacc.c:1646 */ +#line 2753 "ntp_parser.c" /* yacc.c:1646 */ break; - case 174: -#line 977 "ntp_parser.y" /* yacc.c:1646 */ + case 179: +#line 1009 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if ((yyvsp[0].Integer) >= 0 && (yyvsp[0].Integer) <= 16) { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); @@ -2712,89 +2762,89 @@ yyreduce: yyerror("fudge factor: stratum value not in [0..16], ignored"); } } -#line 2716 "ntp_parser.c" /* yacc.c:1646 */ +#line 2766 "ntp_parser.c" /* yacc.c:1646 */ break; - case 175: -#line 986 "ntp_parser.y" /* yacc.c:1646 */ + case 180: +#line 1018 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); } -#line 2722 "ntp_parser.c" /* yacc.c:1646 */ +#line 2772 "ntp_parser.c" /* yacc.c:1646 */ break; - case 176: -#line 988 "ntp_parser.y" /* yacc.c:1646 */ + case 181: +#line 1020 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); } -#line 2728 "ntp_parser.c" /* yacc.c:1646 */ +#line 2778 "ntp_parser.c" /* yacc.c:1646 */ break; - case 183: -#line 1009 "ntp_parser.y" /* yacc.c:1646 */ + case 188: +#line 1041 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.rlimit, (yyvsp[0].Attr_val_fifo)); } -#line 2734 "ntp_parser.c" /* yacc.c:1646 */ +#line 2784 "ntp_parser.c" /* yacc.c:1646 */ break; - case 184: -#line 1014 "ntp_parser.y" /* yacc.c:1646 */ + case 189: +#line 1046 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2743 "ntp_parser.c" /* yacc.c:1646 */ +#line 2793 "ntp_parser.c" /* yacc.c:1646 */ break; - case 185: -#line 1019 "ntp_parser.y" /* yacc.c:1646 */ + case 190: +#line 1051 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2752 "ntp_parser.c" /* yacc.c:1646 */ +#line 2802 "ntp_parser.c" /* yacc.c:1646 */ break; - case 186: -#line 1027 "ntp_parser.y" /* yacc.c:1646 */ + case 191: +#line 1059 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 2758 "ntp_parser.c" /* yacc.c:1646 */ +#line 2808 "ntp_parser.c" /* yacc.c:1646 */ break; - case 190: -#line 1043 "ntp_parser.y" /* yacc.c:1646 */ + case 195: +#line 1075 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.enable_opts, (yyvsp[0].Attr_val_fifo)); } -#line 2764 "ntp_parser.c" /* yacc.c:1646 */ +#line 2814 "ntp_parser.c" /* yacc.c:1646 */ break; - case 191: -#line 1045 "ntp_parser.y" /* yacc.c:1646 */ + case 196: +#line 1077 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.disable_opts, (yyvsp[0].Attr_val_fifo)); } -#line 2770 "ntp_parser.c" /* yacc.c:1646 */ +#line 2820 "ntp_parser.c" /* yacc.c:1646 */ break; - case 192: -#line 1050 "ntp_parser.y" /* yacc.c:1646 */ + case 197: +#line 1082 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2779 "ntp_parser.c" /* yacc.c:1646 */ +#line 2829 "ntp_parser.c" /* yacc.c:1646 */ break; - case 193: -#line 1055 "ntp_parser.y" /* yacc.c:1646 */ + case 198: +#line 1087 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2788 "ntp_parser.c" /* yacc.c:1646 */ +#line 2838 "ntp_parser.c" /* yacc.c:1646 */ break; - case 194: -#line 1063 "ntp_parser.y" /* yacc.c:1646 */ + case 199: +#line 1095 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); } -#line 2794 "ntp_parser.c" /* yacc.c:1646 */ +#line 2844 "ntp_parser.c" /* yacc.c:1646 */ break; - case 195: -#line 1065 "ntp_parser.y" /* yacc.c:1646 */ + case 200: +#line 1097 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); @@ -2808,74 +2858,74 @@ yyreduce: yyerror(err_str); } } -#line 2812 "ntp_parser.c" /* yacc.c:1646 */ +#line 2862 "ntp_parser.c" /* yacc.c:1646 */ break; - case 208: -#line 1104 "ntp_parser.y" /* yacc.c:1646 */ + case 213: +#line 1136 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.tinker, (yyvsp[0].Attr_val_fifo)); } -#line 2818 "ntp_parser.c" /* yacc.c:1646 */ +#line 2868 "ntp_parser.c" /* yacc.c:1646 */ break; - case 209: -#line 1109 "ntp_parser.y" /* yacc.c:1646 */ + case 214: +#line 1141 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2827 "ntp_parser.c" /* yacc.c:1646 */ +#line 2877 "ntp_parser.c" /* yacc.c:1646 */ break; - case 210: -#line 1114 "ntp_parser.y" /* yacc.c:1646 */ + case 215: +#line 1146 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 2836 "ntp_parser.c" /* yacc.c:1646 */ +#line 2886 "ntp_parser.c" /* yacc.c:1646 */ break; - case 211: -#line 1122 "ntp_parser.y" /* yacc.c:1646 */ + case 216: +#line 1154 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); } -#line 2842 "ntp_parser.c" /* yacc.c:1646 */ +#line 2892 "ntp_parser.c" /* yacc.c:1646 */ break; - case 224: -#line 1147 "ntp_parser.y" /* yacc.c:1646 */ + case 229: +#line 1179 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { attr_val *av; av = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); APPEND_G_FIFO(cfgt.vars, av); } -#line 2853 "ntp_parser.c" /* yacc.c:1646 */ +#line 2903 "ntp_parser.c" /* yacc.c:1646 */ break; - case 225: -#line 1154 "ntp_parser.y" /* yacc.c:1646 */ + case 230: +#line 1186 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { attr_val *av; av = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); APPEND_G_FIFO(cfgt.vars, av); } -#line 2864 "ntp_parser.c" /* yacc.c:1646 */ +#line 2914 "ntp_parser.c" /* yacc.c:1646 */ break; - case 226: -#line 1161 "ntp_parser.y" /* yacc.c:1646 */ + case 231: +#line 1193 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { attr_val *av; av = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); APPEND_G_FIFO(cfgt.vars, av); } -#line 2875 "ntp_parser.c" /* yacc.c:1646 */ +#line 2925 "ntp_parser.c" /* yacc.c:1646 */ break; - case 227: -#line 1168 "ntp_parser.y" /* yacc.c:1646 */ + case 232: +#line 1200 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { char error_text[64]; attr_val *av; @@ -2891,11 +2941,11 @@ yyreduce: yyerror(error_text); } } -#line 2895 "ntp_parser.c" /* yacc.c:1646 */ +#line 2945 "ntp_parser.c" /* yacc.c:1646 */ break; - case 228: -#line 1184 "ntp_parser.y" /* yacc.c:1646 */ + case 233: +#line 1216 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (!lex_from_file()) { YYFREE((yyvsp[-1].String)); /* avoid leak */ @@ -2914,68 +2964,68 @@ yyreduce: } YYFREE((yyvsp[-1].String)); /* avoid leak */ } -#line 2918 "ntp_parser.c" /* yacc.c:1646 */ +#line 2968 "ntp_parser.c" /* yacc.c:1646 */ break; - case 229: -#line 1203 "ntp_parser.y" /* yacc.c:1646 */ + case 234: +#line 1235 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { lex_flush_stack(); } -#line 2924 "ntp_parser.c" /* yacc.c:1646 */ +#line 2974 "ntp_parser.c" /* yacc.c:1646 */ break; - case 230: -#line 1205 "ntp_parser.y" /* yacc.c:1646 */ + case 235: +#line 1237 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { /* see drift_parm below for actions */ } -#line 2930 "ntp_parser.c" /* yacc.c:1646 */ +#line 2980 "ntp_parser.c" /* yacc.c:1646 */ break; - case 231: -#line 1207 "ntp_parser.y" /* yacc.c:1646 */ + case 236: +#line 1239 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.logconfig, (yyvsp[0].Attr_val_fifo)); } -#line 2936 "ntp_parser.c" /* yacc.c:1646 */ +#line 2986 "ntp_parser.c" /* yacc.c:1646 */ break; - case 232: -#line 1209 "ntp_parser.y" /* yacc.c:1646 */ + case 237: +#line 1241 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.phone, (yyvsp[0].String_fifo)); } -#line 2942 "ntp_parser.c" /* yacc.c:1646 */ +#line 2992 "ntp_parser.c" /* yacc.c:1646 */ break; - case 233: -#line 1211 "ntp_parser.y" /* yacc.c:1646 */ + case 238: +#line 1243 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { APPEND_G_FIFO(cfgt.setvar, (yyvsp[0].Set_var)); } -#line 2948 "ntp_parser.c" /* yacc.c:1646 */ +#line 2998 "ntp_parser.c" /* yacc.c:1646 */ break; - case 234: -#line 1213 "ntp_parser.y" /* yacc.c:1646 */ + case 239: +#line 1245 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { addr_opts_node *aon; aon = create_addr_opts_node((yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo)); APPEND_G_FIFO(cfgt.trap, aon); } -#line 2959 "ntp_parser.c" /* yacc.c:1646 */ +#line 3009 "ntp_parser.c" /* yacc.c:1646 */ break; - case 235: -#line 1220 "ntp_parser.y" /* yacc.c:1646 */ + case 240: +#line 1252 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.ttl, (yyvsp[0].Attr_val_fifo)); } -#line 2965 "ntp_parser.c" /* yacc.c:1646 */ +#line 3015 "ntp_parser.c" /* yacc.c:1646 */ break; - case 240: -#line 1235 "ntp_parser.y" /* yacc.c:1646 */ + case 245: +#line 1267 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { #ifndef LEAP_SMEAR yyerror("Built without LEAP_SMEAR support."); #endif } -#line 2975 "ntp_parser.c" /* yacc.c:1646 */ +#line 3025 "ntp_parser.c" /* yacc.c:1646 */ break; - case 246: -#line 1255 "ntp_parser.y" /* yacc.c:1646 */ + case 251: +#line 1287 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { attr_val *av; @@ -2986,11 +3036,11 @@ yyreduce: yyerror("driftfile remote configuration ignored"); } } -#line 2990 "ntp_parser.c" /* yacc.c:1646 */ +#line 3040 "ntp_parser.c" /* yacc.c:1646 */ break; - case 247: -#line 1266 "ntp_parser.y" /* yacc.c:1646 */ + case 252: +#line 1298 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { attr_val *av; @@ -2998,16 +3048,20 @@ yyreduce: APPEND_G_FIFO(cfgt.vars, av); av = create_attr_dval(T_WanderThreshold, (yyvsp[0].Double)); APPEND_G_FIFO(cfgt.vars, av); + msyslog(LOG_WARNING, + "'driftfile FILENAME WanderValue' is deprecated, " + "please use separate 'driftfile FILENAME' and " + "'nonvolatile WanderValue' lines instead."); } else { YYFREE((yyvsp[-1].String)); yyerror("driftfile remote configuration ignored"); } } -#line 3007 "ntp_parser.c" /* yacc.c:1646 */ +#line 3061 "ntp_parser.c" /* yacc.c:1646 */ break; - case 248: -#line 1279 "ntp_parser.y" /* yacc.c:1646 */ + case 253: +#line 1315 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if (lex_from_file()) { attr_val *av; @@ -3017,71 +3071,71 @@ yyreduce: yyerror("driftfile remote configuration ignored"); } } -#line 3021 "ntp_parser.c" /* yacc.c:1646 */ +#line 3075 "ntp_parser.c" /* yacc.c:1646 */ break; - case 249: -#line 1292 "ntp_parser.y" /* yacc.c:1646 */ + case 254: +#line 1328 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Set_var) = create_setvar_node((yyvsp[-3].String), (yyvsp[-1].String), (yyvsp[0].Integer)); } -#line 3027 "ntp_parser.c" /* yacc.c:1646 */ +#line 3081 "ntp_parser.c" /* yacc.c:1646 */ break; - case 251: -#line 1298 "ntp_parser.y" /* yacc.c:1646 */ + case 256: +#line 1334 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Integer) = 0; } -#line 3033 "ntp_parser.c" /* yacc.c:1646 */ +#line 3087 "ntp_parser.c" /* yacc.c:1646 */ break; - case 252: -#line 1303 "ntp_parser.y" /* yacc.c:1646 */ + case 257: +#line 1339 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; } -#line 3039 "ntp_parser.c" /* yacc.c:1646 */ +#line 3093 "ntp_parser.c" /* yacc.c:1646 */ break; - case 253: -#line 1305 "ntp_parser.y" /* yacc.c:1646 */ + case 258: +#line 1341 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 3048 "ntp_parser.c" /* yacc.c:1646 */ +#line 3102 "ntp_parser.c" /* yacc.c:1646 */ break; - case 254: -#line 1313 "ntp_parser.y" /* yacc.c:1646 */ + case 259: +#line 1349 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); } -#line 3054 "ntp_parser.c" /* yacc.c:1646 */ +#line 3108 "ntp_parser.c" /* yacc.c:1646 */ break; - case 255: -#line 1315 "ntp_parser.y" /* yacc.c:1646 */ + case 260: +#line 1351 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), estrdup((yyvsp[0].Address_node)->address)); destroy_address_node((yyvsp[0].Address_node)); } -#line 3063 "ntp_parser.c" /* yacc.c:1646 */ +#line 3117 "ntp_parser.c" /* yacc.c:1646 */ break; - case 256: -#line 1323 "ntp_parser.y" /* yacc.c:1646 */ + case 261: +#line 1359 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 3072 "ntp_parser.c" /* yacc.c:1646 */ +#line 3126 "ntp_parser.c" /* yacc.c:1646 */ break; - case 257: -#line 1328 "ntp_parser.y" /* yacc.c:1646 */ + case 262: +#line 1364 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 3081 "ntp_parser.c" /* yacc.c:1646 */ +#line 3135 "ntp_parser.c" /* yacc.c:1646 */ break; - case 258: -#line 1336 "ntp_parser.y" /* yacc.c:1646 */ + case 263: +#line 1372 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { char prefix; char * type; @@ -3103,141 +3157,141 @@ yyreduce: (yyval.Attr_val) = create_attr_sval(prefix, estrdup(type)); YYFREE((yyvsp[0].String)); } -#line 3107 "ntp_parser.c" /* yacc.c:1646 */ +#line 3161 "ntp_parser.c" /* yacc.c:1646 */ break; - case 259: -#line 1361 "ntp_parser.y" /* yacc.c:1646 */ + case 264: +#line 1397 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { nic_rule_node *nrn; nrn = create_nic_rule_node((yyvsp[0].Integer), NULL, (yyvsp[-1].Integer)); APPEND_G_FIFO(cfgt.nic_rules, nrn); } -#line 3118 "ntp_parser.c" /* yacc.c:1646 */ +#line 3172 "ntp_parser.c" /* yacc.c:1646 */ break; - case 260: -#line 1368 "ntp_parser.y" /* yacc.c:1646 */ + case 265: +#line 1404 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { nic_rule_node *nrn; nrn = create_nic_rule_node(0, (yyvsp[0].String), (yyvsp[-1].Integer)); APPEND_G_FIFO(cfgt.nic_rules, nrn); } -#line 3129 "ntp_parser.c" /* yacc.c:1646 */ +#line 3183 "ntp_parser.c" /* yacc.c:1646 */ break; - case 270: -#line 1396 "ntp_parser.y" /* yacc.c:1646 */ + case 275: +#line 1432 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { CONCAT_G_FIFOS(cfgt.reset_counters, (yyvsp[0].Int_fifo)); } -#line 3135 "ntp_parser.c" /* yacc.c:1646 */ +#line 3189 "ntp_parser.c" /* yacc.c:1646 */ break; - case 271: -#line 1401 "ntp_parser.y" /* yacc.c:1646 */ + case 276: +#line 1437 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Int_fifo) = (yyvsp[-1].Int_fifo); APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer))); } -#line 3144 "ntp_parser.c" /* yacc.c:1646 */ +#line 3198 "ntp_parser.c" /* yacc.c:1646 */ break; - case 272: -#line 1406 "ntp_parser.y" /* yacc.c:1646 */ + case 277: +#line 1442 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Int_fifo) = NULL; APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer))); } -#line 3153 "ntp_parser.c" /* yacc.c:1646 */ +#line 3207 "ntp_parser.c" /* yacc.c:1646 */ break; - case 280: -#line 1430 "ntp_parser.y" /* yacc.c:1646 */ + case 285: +#line 1466 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[0].Integer))); } -#line 3162 "ntp_parser.c" /* yacc.c:1646 */ +#line 3216 "ntp_parser.c" /* yacc.c:1646 */ break; - case 281: -#line 1435 "ntp_parser.y" /* yacc.c:1646 */ + case 286: +#line 1471 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[0].Integer))); } -#line 3171 "ntp_parser.c" /* yacc.c:1646 */ +#line 3225 "ntp_parser.c" /* yacc.c:1646 */ break; - case 282: -#line 1443 "ntp_parser.y" /* yacc.c:1646 */ + case 287: +#line 1479 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 3180 "ntp_parser.c" /* yacc.c:1646 */ +#line 3234 "ntp_parser.c" /* yacc.c:1646 */ break; - case 283: -#line 1448 "ntp_parser.y" /* yacc.c:1646 */ + case 288: +#line 1484 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val)); } -#line 3189 "ntp_parser.c" /* yacc.c:1646 */ +#line 3243 "ntp_parser.c" /* yacc.c:1646 */ break; - case 284: -#line 1456 "ntp_parser.y" /* yacc.c:1646 */ + case 289: +#line 1492 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_ival('i', (yyvsp[0].Integer)); } -#line 3195 "ntp_parser.c" /* yacc.c:1646 */ +#line 3249 "ntp_parser.c" /* yacc.c:1646 */ break; - case 286: -#line 1462 "ntp_parser.y" /* yacc.c:1646 */ + case 291: +#line 1498 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_rangeval('-', (yyvsp[-3].Integer), (yyvsp[-1].Integer)); } -#line 3201 "ntp_parser.c" /* yacc.c:1646 */ +#line 3255 "ntp_parser.c" /* yacc.c:1646 */ break; - case 287: -#line 1467 "ntp_parser.y" /* yacc.c:1646 */ + case 292: +#line 1503 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.String_fifo) = (yyvsp[-1].String_fifo); APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[0].String))); } -#line 3210 "ntp_parser.c" /* yacc.c:1646 */ +#line 3264 "ntp_parser.c" /* yacc.c:1646 */ break; - case 288: -#line 1472 "ntp_parser.y" /* yacc.c:1646 */ + case 293: +#line 1508 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.String_fifo) = NULL; APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[0].String))); } -#line 3219 "ntp_parser.c" /* yacc.c:1646 */ +#line 3273 "ntp_parser.c" /* yacc.c:1646 */ break; - case 289: -#line 1480 "ntp_parser.y" /* yacc.c:1646 */ + case 294: +#line 1516 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Address_fifo) = (yyvsp[-1].Address_fifo); APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[0].Address_node)); } -#line 3228 "ntp_parser.c" /* yacc.c:1646 */ +#line 3282 "ntp_parser.c" /* yacc.c:1646 */ break; - case 290: -#line 1485 "ntp_parser.y" /* yacc.c:1646 */ + case 295: +#line 1521 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Address_fifo) = NULL; APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[0].Address_node)); } -#line 3237 "ntp_parser.c" /* yacc.c:1646 */ +#line 3291 "ntp_parser.c" /* yacc.c:1646 */ break; - case 291: -#line 1493 "ntp_parser.y" /* yacc.c:1646 */ + case 296: +#line 1529 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { if ((yyvsp[0].Integer) != 0 && (yyvsp[0].Integer) != 1) { yyerror("Integer value is not boolean (0 or 1). Assuming 1"); @@ -3246,29 +3300,35 @@ yyreduce: (yyval.Integer) = (yyvsp[0].Integer); } } -#line 3250 "ntp_parser.c" /* yacc.c:1646 */ +#line 3304 "ntp_parser.c" /* yacc.c:1646 */ break; - case 292: -#line 1501 "ntp_parser.y" /* yacc.c:1646 */ + case 297: +#line 1537 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Integer) = 1; } -#line 3256 "ntp_parser.c" /* yacc.c:1646 */ +#line 3310 "ntp_parser.c" /* yacc.c:1646 */ break; - case 293: -#line 1502 "ntp_parser.y" /* yacc.c:1646 */ + case 298: +#line 1538 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Integer) = 0; } -#line 3262 "ntp_parser.c" /* yacc.c:1646 */ +#line 3316 "ntp_parser.c" /* yacc.c:1646 */ break; - case 294: -#line 1506 "ntp_parser.y" /* yacc.c:1646 */ + case 299: +#line 1542 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Double) = (double)(yyvsp[0].Integer); } -#line 3268 "ntp_parser.c" /* yacc.c:1646 */ +#line 3322 "ntp_parser.c" /* yacc.c:1646 */ break; - case 296: -#line 1517 "ntp_parser.y" /* yacc.c:1646 */ + case 301: +#line 1548 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ + { (yyval.Integer) = basedate_eval_string((yyvsp[0].String)); YYFREE((yyvsp[0].String)); } +#line 3328 "ntp_parser.c" /* yacc.c:1646 */ + break; + + case 302: +#line 1556 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { sim_node *sn; @@ -3278,125 +3338,125 @@ yyreduce: /* Revert from ; to \n for end-of-command */ old_config_style = 1; } -#line 3282 "ntp_parser.c" /* yacc.c:1646 */ +#line 3342 "ntp_parser.c" /* yacc.c:1646 */ break; - case 297: -#line 1534 "ntp_parser.y" /* yacc.c:1646 */ + case 303: +#line 1573 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { old_config_style = 0; } -#line 3288 "ntp_parser.c" /* yacc.c:1646 */ +#line 3348 "ntp_parser.c" /* yacc.c:1646 */ break; - case 298: -#line 1539 "ntp_parser.y" /* yacc.c:1646 */ + case 304: +#line 1578 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-2].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val)); } -#line 3297 "ntp_parser.c" /* yacc.c:1646 */ +#line 3357 "ntp_parser.c" /* yacc.c:1646 */ break; - case 299: -#line 1544 "ntp_parser.y" /* yacc.c:1646 */ + case 305: +#line 1583 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val)); } -#line 3306 "ntp_parser.c" /* yacc.c:1646 */ +#line 3366 "ntp_parser.c" /* yacc.c:1646 */ break; - case 300: -#line 1552 "ntp_parser.y" /* yacc.c:1646 */ + case 306: +#line 1591 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-2].Integer), (yyvsp[0].Double)); } -#line 3312 "ntp_parser.c" /* yacc.c:1646 */ +#line 3372 "ntp_parser.c" /* yacc.c:1646 */ break; - case 303: -#line 1562 "ntp_parser.y" /* yacc.c:1646 */ + case 309: +#line 1601 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Sim_server_fifo) = (yyvsp[-1].Sim_server_fifo); APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[0].Sim_server)); } -#line 3321 "ntp_parser.c" /* yacc.c:1646 */ +#line 3381 "ntp_parser.c" /* yacc.c:1646 */ break; - case 304: -#line 1567 "ntp_parser.y" /* yacc.c:1646 */ + case 310: +#line 1606 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Sim_server_fifo) = NULL; APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[0].Sim_server)); } -#line 3330 "ntp_parser.c" /* yacc.c:1646 */ +#line 3390 "ntp_parser.c" /* yacc.c:1646 */ break; - case 305: -#line 1575 "ntp_parser.y" /* yacc.c:1646 */ + case 311: +#line 1614 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Sim_server) = ONLY_SIM(create_sim_server((yyvsp[-4].Address_node), (yyvsp[-2].Double), (yyvsp[-1].Sim_script_fifo))); } -#line 3336 "ntp_parser.c" /* yacc.c:1646 */ +#line 3396 "ntp_parser.c" /* yacc.c:1646 */ break; - case 306: -#line 1580 "ntp_parser.y" /* yacc.c:1646 */ + case 312: +#line 1619 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Double) = (yyvsp[-1].Double); } -#line 3342 "ntp_parser.c" /* yacc.c:1646 */ +#line 3402 "ntp_parser.c" /* yacc.c:1646 */ break; - case 307: -#line 1585 "ntp_parser.y" /* yacc.c:1646 */ + case 313: +#line 1624 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Address_node) = (yyvsp[0].Address_node); } -#line 3348 "ntp_parser.c" /* yacc.c:1646 */ +#line 3408 "ntp_parser.c" /* yacc.c:1646 */ break; - case 308: -#line 1590 "ntp_parser.y" /* yacc.c:1646 */ + case 314: +#line 1629 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Sim_script_fifo) = (yyvsp[-1].Sim_script_fifo); APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[0].Sim_script)); } -#line 3357 "ntp_parser.c" /* yacc.c:1646 */ +#line 3417 "ntp_parser.c" /* yacc.c:1646 */ break; - case 309: -#line 1595 "ntp_parser.y" /* yacc.c:1646 */ + case 315: +#line 1634 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Sim_script_fifo) = NULL; APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[0].Sim_script)); } -#line 3366 "ntp_parser.c" /* yacc.c:1646 */ +#line 3426 "ntp_parser.c" /* yacc.c:1646 */ break; - case 310: -#line 1603 "ntp_parser.y" /* yacc.c:1646 */ + case 316: +#line 1642 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Sim_script) = ONLY_SIM(create_sim_script_info((yyvsp[-3].Double), (yyvsp[-1].Attr_val_fifo))); } -#line 3372 "ntp_parser.c" /* yacc.c:1646 */ +#line 3432 "ntp_parser.c" /* yacc.c:1646 */ break; - case 311: -#line 1608 "ntp_parser.y" /* yacc.c:1646 */ + case 317: +#line 1647 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = (yyvsp[-2].Attr_val_fifo); APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val)); } -#line 3381 "ntp_parser.c" /* yacc.c:1646 */ +#line 3441 "ntp_parser.c" /* yacc.c:1646 */ break; - case 312: -#line 1613 "ntp_parser.y" /* yacc.c:1646 */ + case 318: +#line 1652 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val_fifo) = NULL; APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val)); } -#line 3390 "ntp_parser.c" /* yacc.c:1646 */ +#line 3450 "ntp_parser.c" /* yacc.c:1646 */ break; - case 313: -#line 1621 "ntp_parser.y" /* yacc.c:1646 */ + case 319: +#line 1660 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */ { (yyval.Attr_val) = create_attr_dval((yyvsp[-2].Integer), (yyvsp[0].Double)); } -#line 3396 "ntp_parser.c" /* yacc.c:1646 */ +#line 3456 "ntp_parser.c" /* yacc.c:1646 */ break; -#line 3400 "ntp_parser.c" /* yacc.c:1646 */ +#line 3460 "ntp_parser.c" /* yacc.c:1646 */ default: break; } /* User semantic actions sometimes alter yychar, and that requires @@ -3624,7 +3684,7 @@ yyreturn: #endif return yyresult; } -#line 1632 "ntp_parser.y" /* yacc.c:1906 */ +#line 1671 "../../ntpd/ntp_parser.y" /* yacc.c:1906 */ void diff --git a/contrib/ntp/ntpd/ntp_parser.h b/contrib/ntp/ntpd/ntp_parser.h index 10c0cfd..308c2d4 100644 --- a/contrib/ntp/ntpd/ntp_parser.h +++ b/contrib/ntp/ntpd/ntp_parser.h @@ -30,8 +30,8 @@ This special exception was added by the Free Software Foundation in version 2.2 of Bison. */ -#ifndef YY_YY_Y_TAB_H_INCLUDED -# define YY_YY_Y_TAB_H_INCLUDED +#ifndef YY_YY_NTP_PARSER_H_INCLUDED +# define YY_YY_NTP_PARSER_H_INCLUDED /* Debug traces. */ #ifndef YYDEBUG # define YYDEBUG 1 @@ -54,193 +54,197 @@ extern int yydebug; T_Autokey = 264, T_Automax = 265, T_Average = 266, - T_Bclient = 267, - T_Bcpollbstep = 268, - T_Beacon = 269, - T_Broadcast = 270, - T_Broadcastclient = 271, - T_Broadcastdelay = 272, - T_Burst = 273, - T_Calibrate = 274, - T_Ceiling = 275, - T_Clockstats = 276, - T_Cohort = 277, - T_ControlKey = 278, - T_Crypto = 279, - T_Cryptostats = 280, - T_Ctl = 281, - T_Day = 282, - T_Default = 283, - T_Digest = 284, - T_Disable = 285, - T_Discard = 286, - T_Dispersion = 287, - T_Double = 288, - T_Driftfile = 289, - T_Drop = 290, - T_Dscp = 291, - T_Ellipsis = 292, - T_Enable = 293, - T_End = 294, - T_False = 295, - T_File = 296, - T_Filegen = 297, - T_Filenum = 298, - T_Flag1 = 299, - T_Flag2 = 300, - T_Flag3 = 301, - T_Flag4 = 302, - T_Flake = 303, - T_Floor = 304, - T_Freq = 305, - T_Fudge = 306, - T_Host = 307, - T_Huffpuff = 308, - T_Iburst = 309, - T_Ident = 310, - T_Ignore = 311, - T_Incalloc = 312, - T_Incmem = 313, - T_Initalloc = 314, - T_Initmem = 315, - T_Includefile = 316, - T_Integer = 317, - T_Interface = 318, - T_Intrange = 319, - T_Io = 320, - T_Ipv4 = 321, - T_Ipv4_flag = 322, - T_Ipv6 = 323, - T_Ipv6_flag = 324, - T_Kernel = 325, - T_Key = 326, - T_Keys = 327, - T_Keysdir = 328, - T_Kod = 329, - T_Mssntp = 330, - T_Leapfile = 331, - T_Leapsmearinterval = 332, - T_Limited = 333, - T_Link = 334, - T_Listen = 335, - T_Logconfig = 336, - T_Logfile = 337, - T_Loopstats = 338, - T_Lowpriotrap = 339, - T_Manycastclient = 340, - T_Manycastserver = 341, - T_Mask = 342, - T_Maxage = 343, - T_Maxclock = 344, - T_Maxdepth = 345, - T_Maxdist = 346, - T_Maxmem = 347, - T_Maxpoll = 348, - T_Mdnstries = 349, - T_Mem = 350, - T_Memlock = 351, - T_Minclock = 352, - T_Mindepth = 353, - T_Mindist = 354, - T_Minimum = 355, - T_Minpoll = 356, - T_Minsane = 357, - T_Mode = 358, - T_Mode7 = 359, - T_Monitor = 360, - T_Month = 361, - T_Mru = 362, - T_Multicastclient = 363, - T_Nic = 364, - T_Nolink = 365, - T_Nomodify = 366, - T_Nomrulist = 367, - T_None = 368, - T_Nonvolatile = 369, - T_Nopeer = 370, - T_Noquery = 371, - T_Noselect = 372, - T_Noserve = 373, - T_Notrap = 374, - T_Notrust = 375, - T_Ntp = 376, - T_Ntpport = 377, - T_NtpSignDsocket = 378, - T_Orphan = 379, - T_Orphanwait = 380, - T_PCEdigest = 381, - T_Panic = 382, - T_Peer = 383, - T_Peerstats = 384, - T_Phone = 385, - T_Pid = 386, - T_Pidfile = 387, - T_Pool = 388, - T_Port = 389, - T_Preempt = 390, - T_Prefer = 391, - T_Protostats = 392, - T_Pw = 393, - T_Randfile = 394, - T_Rawstats = 395, - T_Refid = 396, - T_Requestkey = 397, - T_Reset = 398, - T_Restrict = 399, - T_Revoke = 400, - T_Rlimit = 401, - T_Saveconfigdir = 402, - T_Server = 403, - T_Setvar = 404, - T_Source = 405, - T_Stacksize = 406, - T_Statistics = 407, - T_Stats = 408, - T_Statsdir = 409, - T_Step = 410, - T_Stepback = 411, - T_Stepfwd = 412, - T_Stepout = 413, - T_Stratum = 414, - T_String = 415, - T_Sys = 416, - T_Sysstats = 417, - T_Tick = 418, - T_Time1 = 419, - T_Time2 = 420, - T_Timer = 421, - T_Timingstats = 422, - T_Tinker = 423, - T_Tos = 424, - T_Trap = 425, - T_True = 426, - T_Trustedkey = 427, - T_Ttl = 428, - T_Type = 429, - T_U_int = 430, - T_UEcrypto = 431, - T_UEcryptonak = 432, - T_UEdigest = 433, - T_Unconfig = 434, - T_Unpeer = 435, - T_Version = 436, - T_WanderThreshold = 437, - T_Week = 438, - T_Wildcard = 439, - T_Xleave = 440, - T_Year = 441, - T_Flag = 442, - T_EOC = 443, - T_Simulate = 444, - T_Beep_Delay = 445, - T_Sim_Duration = 446, - T_Server_Offset = 447, - T_Duration = 448, - T_Freq_Offset = 449, - T_Wander = 450, - T_Jitter = 451, - T_Prop_Delay = 452, - T_Proc_Delay = 453 + T_Basedate = 267, + T_Bclient = 268, + T_Bcpollbstep = 269, + T_Beacon = 270, + T_Broadcast = 271, + T_Broadcastclient = 272, + T_Broadcastdelay = 273, + T_Burst = 274, + T_Calibrate = 275, + T_Ceiling = 276, + T_Clockstats = 277, + T_Cohort = 278, + T_ControlKey = 279, + T_Crypto = 280, + T_Cryptostats = 281, + T_Ctl = 282, + T_Day = 283, + T_Default = 284, + T_Digest = 285, + T_Disable = 286, + T_Discard = 287, + T_Dispersion = 288, + T_Double = 289, + T_Driftfile = 290, + T_Drop = 291, + T_Dscp = 292, + T_Ellipsis = 293, + T_Enable = 294, + T_End = 295, + T_Epeer = 296, + T_False = 297, + T_File = 298, + T_Filegen = 299, + T_Filenum = 300, + T_Flag1 = 301, + T_Flag2 = 302, + T_Flag3 = 303, + T_Flag4 = 304, + T_Flake = 305, + T_Floor = 306, + T_Freq = 307, + T_Fudge = 308, + T_Host = 309, + T_Huffpuff = 310, + T_Iburst = 311, + T_Ident = 312, + T_Ignore = 313, + T_Incalloc = 314, + T_Incmem = 315, + T_Initalloc = 316, + T_Initmem = 317, + T_Includefile = 318, + T_Integer = 319, + T_Interface = 320, + T_Intrange = 321, + T_Io = 322, + T_Ippeerlimit = 323, + T_Ipv4 = 324, + T_Ipv4_flag = 325, + T_Ipv6 = 326, + T_Ipv6_flag = 327, + T_Kernel = 328, + T_Key = 329, + T_Keys = 330, + T_Keysdir = 331, + T_Kod = 332, + T_Mssntp = 333, + T_Leapfile = 334, + T_Leapsmearinterval = 335, + T_Limited = 336, + T_Link = 337, + T_Listen = 338, + T_Logconfig = 339, + T_Logfile = 340, + T_Loopstats = 341, + T_Lowpriotrap = 342, + T_Manycastclient = 343, + T_Manycastserver = 344, + T_Mask = 345, + T_Maxage = 346, + T_Maxclock = 347, + T_Maxdepth = 348, + T_Maxdist = 349, + T_Maxmem = 350, + T_Maxpoll = 351, + T_Mdnstries = 352, + T_Mem = 353, + T_Memlock = 354, + T_Minclock = 355, + T_Mindepth = 356, + T_Mindist = 357, + T_Minimum = 358, + T_Minpoll = 359, + T_Minsane = 360, + T_Mode = 361, + T_Mode7 = 362, + T_Monitor = 363, + T_Month = 364, + T_Mru = 365, + T_Multicastclient = 366, + T_Nic = 367, + T_Nolink = 368, + T_Nomodify = 369, + T_Nomrulist = 370, + T_None = 371, + T_Nonvolatile = 372, + T_Noepeer = 373, + T_Nopeer = 374, + T_Noquery = 375, + T_Noselect = 376, + T_Noserve = 377, + T_Notrap = 378, + T_Notrust = 379, + T_Ntp = 380, + T_Ntpport = 381, + T_NtpSignDsocket = 382, + T_Orphan = 383, + T_Orphanwait = 384, + T_PCEdigest = 385, + T_Panic = 386, + T_Peer = 387, + T_Peerstats = 388, + T_Phone = 389, + T_Pid = 390, + T_Pidfile = 391, + T_Pool = 392, + T_Port = 393, + T_Preempt = 394, + T_Prefer = 395, + T_Protostats = 396, + T_Pw = 397, + T_Randfile = 398, + T_Rawstats = 399, + T_Refid = 400, + T_Requestkey = 401, + T_Reset = 402, + T_Restrict = 403, + T_Revoke = 404, + T_Rlimit = 405, + T_Saveconfigdir = 406, + T_Server = 407, + T_Setvar = 408, + T_Source = 409, + T_Stacksize = 410, + T_Statistics = 411, + T_Stats = 412, + T_Statsdir = 413, + T_Step = 414, + T_Stepback = 415, + T_Stepfwd = 416, + T_Stepout = 417, + T_Stratum = 418, + T_String = 419, + T_Sys = 420, + T_Sysstats = 421, + T_Tick = 422, + T_Time1 = 423, + T_Time2 = 424, + T_Timer = 425, + T_Timingstats = 426, + T_Tinker = 427, + T_Tos = 428, + T_Trap = 429, + T_True = 430, + T_Trustedkey = 431, + T_Ttl = 432, + T_Type = 433, + T_U_int = 434, + T_UEcrypto = 435, + T_UEcryptonak = 436, + T_UEdigest = 437, + T_Unconfig = 438, + T_Unpeer = 439, + T_Version = 440, + T_WanderThreshold = 441, + T_Week = 442, + T_Wildcard = 443, + T_Xleave = 444, + T_Year = 445, + T_Flag = 446, + T_EOC = 447, + T_Simulate = 448, + T_Beep_Delay = 449, + T_Sim_Duration = 450, + T_Server_Offset = 451, + T_Duration = 452, + T_Freq_Offset = 453, + T_Wander = 454, + T_Jitter = 455, + T_Prop_Delay = 456, + T_Proc_Delay = 457 }; #endif /* Tokens. */ @@ -253,200 +257,204 @@ extern int yydebug; #define T_Autokey 264 #define T_Automax 265 #define T_Average 266 -#define T_Bclient 267 -#define T_Bcpollbstep 268 -#define T_Beacon 269 -#define T_Broadcast 270 -#define T_Broadcastclient 271 -#define T_Broadcastdelay 272 -#define T_Burst 273 -#define T_Calibrate 274 -#define T_Ceiling 275 -#define T_Clockstats 276 -#define T_Cohort 277 -#define T_ControlKey 278 -#define T_Crypto 279 -#define T_Cryptostats 280 -#define T_Ctl 281 -#define T_Day 282 -#define T_Default 283 -#define T_Digest 284 -#define T_Disable 285 -#define T_Discard 286 -#define T_Dispersion 287 -#define T_Double 288 -#define T_Driftfile 289 -#define T_Drop 290 -#define T_Dscp 291 -#define T_Ellipsis 292 -#define T_Enable 293 -#define T_End 294 -#define T_False 295 -#define T_File 296 -#define T_Filegen 297 -#define T_Filenum 298 -#define T_Flag1 299 -#define T_Flag2 300 -#define T_Flag3 301 -#define T_Flag4 302 -#define T_Flake 303 -#define T_Floor 304 -#define T_Freq 305 -#define T_Fudge 306 -#define T_Host 307 -#define T_Huffpuff 308 -#define T_Iburst 309 -#define T_Ident 310 -#define T_Ignore 311 -#define T_Incalloc 312 -#define T_Incmem 313 -#define T_Initalloc 314 -#define T_Initmem 315 -#define T_Includefile 316 -#define T_Integer 317 -#define T_Interface 318 -#define T_Intrange 319 -#define T_Io 320 -#define T_Ipv4 321 -#define T_Ipv4_flag 322 -#define T_Ipv6 323 -#define T_Ipv6_flag 324 -#define T_Kernel 325 -#define T_Key 326 -#define T_Keys 327 -#define T_Keysdir 328 -#define T_Kod 329 -#define T_Mssntp 330 -#define T_Leapfile 331 -#define T_Leapsmearinterval 332 -#define T_Limited 333 -#define T_Link 334 -#define T_Listen 335 -#define T_Logconfig 336 -#define T_Logfile 337 -#define T_Loopstats 338 -#define T_Lowpriotrap 339 -#define T_Manycastclient 340 -#define T_Manycastserver 341 -#define T_Mask 342 -#define T_Maxage 343 -#define T_Maxclock 344 -#define T_Maxdepth 345 -#define T_Maxdist 346 -#define T_Maxmem 347 -#define T_Maxpoll 348 -#define T_Mdnstries 349 -#define T_Mem 350 -#define T_Memlock 351 -#define T_Minclock 352 -#define T_Mindepth 353 -#define T_Mindist 354 -#define T_Minimum 355 -#define T_Minpoll 356 -#define T_Minsane 357 -#define T_Mode 358 -#define T_Mode7 359 -#define T_Monitor 360 -#define T_Month 361 -#define T_Mru 362 -#define T_Multicastclient 363 -#define T_Nic 364 -#define T_Nolink 365 -#define T_Nomodify 366 -#define T_Nomrulist 367 -#define T_None 368 -#define T_Nonvolatile 369 -#define T_Nopeer 370 -#define T_Noquery 371 -#define T_Noselect 372 -#define T_Noserve 373 -#define T_Notrap 374 -#define T_Notrust 375 -#define T_Ntp 376 -#define T_Ntpport 377 -#define T_NtpSignDsocket 378 -#define T_Orphan 379 -#define T_Orphanwait 380 -#define T_PCEdigest 381 -#define T_Panic 382 -#define T_Peer 383 -#define T_Peerstats 384 -#define T_Phone 385 -#define T_Pid 386 -#define T_Pidfile 387 -#define T_Pool 388 -#define T_Port 389 -#define T_Preempt 390 -#define T_Prefer 391 -#define T_Protostats 392 -#define T_Pw 393 -#define T_Randfile 394 -#define T_Rawstats 395 -#define T_Refid 396 -#define T_Requestkey 397 -#define T_Reset 398 -#define T_Restrict 399 -#define T_Revoke 400 -#define T_Rlimit 401 -#define T_Saveconfigdir 402 -#define T_Server 403 -#define T_Setvar 404 -#define T_Source 405 -#define T_Stacksize 406 -#define T_Statistics 407 -#define T_Stats 408 -#define T_Statsdir 409 -#define T_Step 410 -#define T_Stepback 411 -#define T_Stepfwd 412 -#define T_Stepout 413 -#define T_Stratum 414 -#define T_String 415 -#define T_Sys 416 -#define T_Sysstats 417 -#define T_Tick 418 -#define T_Time1 419 -#define T_Time2 420 -#define T_Timer 421 -#define T_Timingstats 422 -#define T_Tinker 423 -#define T_Tos 424 -#define T_Trap 425 -#define T_True 426 -#define T_Trustedkey 427 -#define T_Ttl 428 -#define T_Type 429 -#define T_U_int 430 -#define T_UEcrypto 431 -#define T_UEcryptonak 432 -#define T_UEdigest 433 -#define T_Unconfig 434 -#define T_Unpeer 435 -#define T_Version 436 -#define T_WanderThreshold 437 -#define T_Week 438 -#define T_Wildcard 439 -#define T_Xleave 440 -#define T_Year 441 -#define T_Flag 442 -#define T_EOC 443 -#define T_Simulate 444 -#define T_Beep_Delay 445 -#define T_Sim_Duration 446 -#define T_Server_Offset 447 -#define T_Duration 448 -#define T_Freq_Offset 449 -#define T_Wander 450 -#define T_Jitter 451 -#define T_Prop_Delay 452 -#define T_Proc_Delay 453 +#define T_Basedate 267 +#define T_Bclient 268 +#define T_Bcpollbstep 269 +#define T_Beacon 270 +#define T_Broadcast 271 +#define T_Broadcastclient 272 +#define T_Broadcastdelay 273 +#define T_Burst 274 +#define T_Calibrate 275 +#define T_Ceiling 276 +#define T_Clockstats 277 +#define T_Cohort 278 +#define T_ControlKey 279 +#define T_Crypto 280 +#define T_Cryptostats 281 +#define T_Ctl 282 +#define T_Day 283 +#define T_Default 284 +#define T_Digest 285 +#define T_Disable 286 +#define T_Discard 287 +#define T_Dispersion 288 +#define T_Double 289 +#define T_Driftfile 290 +#define T_Drop 291 +#define T_Dscp 292 +#define T_Ellipsis 293 +#define T_Enable 294 +#define T_End 295 +#define T_Epeer 296 +#define T_False 297 +#define T_File 298 +#define T_Filegen 299 +#define T_Filenum 300 +#define T_Flag1 301 +#define T_Flag2 302 +#define T_Flag3 303 +#define T_Flag4 304 +#define T_Flake 305 +#define T_Floor 306 +#define T_Freq 307 +#define T_Fudge 308 +#define T_Host 309 +#define T_Huffpuff 310 +#define T_Iburst 311 +#define T_Ident 312 +#define T_Ignore 313 +#define T_Incalloc 314 +#define T_Incmem 315 +#define T_Initalloc 316 +#define T_Initmem 317 +#define T_Includefile 318 +#define T_Integer 319 +#define T_Interface 320 +#define T_Intrange 321 +#define T_Io 322 +#define T_Ippeerlimit 323 +#define T_Ipv4 324 +#define T_Ipv4_flag 325 +#define T_Ipv6 326 +#define T_Ipv6_flag 327 +#define T_Kernel 328 +#define T_Key 329 +#define T_Keys 330 +#define T_Keysdir 331 +#define T_Kod 332 +#define T_Mssntp 333 +#define T_Leapfile 334 +#define T_Leapsmearinterval 335 +#define T_Limited 336 +#define T_Link 337 +#define T_Listen 338 +#define T_Logconfig 339 +#define T_Logfile 340 +#define T_Loopstats 341 +#define T_Lowpriotrap 342 +#define T_Manycastclient 343 +#define T_Manycastserver 344 +#define T_Mask 345 +#define T_Maxage 346 +#define T_Maxclock 347 +#define T_Maxdepth 348 +#define T_Maxdist 349 +#define T_Maxmem 350 +#define T_Maxpoll 351 +#define T_Mdnstries 352 +#define T_Mem 353 +#define T_Memlock 354 +#define T_Minclock 355 +#define T_Mindepth 356 +#define T_Mindist 357 +#define T_Minimum 358 +#define T_Minpoll 359 +#define T_Minsane 360 +#define T_Mode 361 +#define T_Mode7 362 +#define T_Monitor 363 +#define T_Month 364 +#define T_Mru 365 +#define T_Multicastclient 366 +#define T_Nic 367 +#define T_Nolink 368 +#define T_Nomodify 369 +#define T_Nomrulist 370 +#define T_None 371 +#define T_Nonvolatile 372 +#define T_Noepeer 373 +#define T_Nopeer 374 +#define T_Noquery 375 +#define T_Noselect 376 +#define T_Noserve 377 +#define T_Notrap 378 +#define T_Notrust 379 +#define T_Ntp 380 +#define T_Ntpport 381 +#define T_NtpSignDsocket 382 +#define T_Orphan 383 +#define T_Orphanwait 384 +#define T_PCEdigest 385 +#define T_Panic 386 +#define T_Peer 387 +#define T_Peerstats 388 +#define T_Phone 389 +#define T_Pid 390 +#define T_Pidfile 391 +#define T_Pool 392 +#define T_Port 393 +#define T_Preempt 394 +#define T_Prefer 395 +#define T_Protostats 396 +#define T_Pw 397 +#define T_Randfile 398 +#define T_Rawstats 399 +#define T_Refid 400 +#define T_Requestkey 401 +#define T_Reset 402 +#define T_Restrict 403 +#define T_Revoke 404 +#define T_Rlimit 405 +#define T_Saveconfigdir 406 +#define T_Server 407 +#define T_Setvar 408 +#define T_Source 409 +#define T_Stacksize 410 +#define T_Statistics 411 +#define T_Stats 412 +#define T_Statsdir 413 +#define T_Step 414 +#define T_Stepback 415 +#define T_Stepfwd 416 +#define T_Stepout 417 +#define T_Stratum 418 +#define T_String 419 +#define T_Sys 420 +#define T_Sysstats 421 +#define T_Tick 422 +#define T_Time1 423 +#define T_Time2 424 +#define T_Timer 425 +#define T_Timingstats 426 +#define T_Tinker 427 +#define T_Tos 428 +#define T_Trap 429 +#define T_True 430 +#define T_Trustedkey 431 +#define T_Ttl 432 +#define T_Type 433 +#define T_U_int 434 +#define T_UEcrypto 435 +#define T_UEcryptonak 436 +#define T_UEdigest 437 +#define T_Unconfig 438 +#define T_Unpeer 439 +#define T_Version 440 +#define T_WanderThreshold 441 +#define T_Week 442 +#define T_Wildcard 443 +#define T_Xleave 444 +#define T_Year 445 +#define T_Flag 446 +#define T_EOC 447 +#define T_Simulate 448 +#define T_Beep_Delay 449 +#define T_Sim_Duration 450 +#define T_Server_Offset 451 +#define T_Duration 452 +#define T_Freq_Offset 453 +#define T_Wander 454 +#define T_Jitter 455 +#define T_Prop_Delay 456 +#define T_Proc_Delay 457 /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED union YYSTYPE { -#line 51 "ntp_parser.y" /* yacc.c:1909 */ +#line 51 "../../ntpd/ntp_parser.y" /* yacc.c:1909 */ char * String; double Double; @@ -465,7 +473,7 @@ union YYSTYPE script_info * Sim_script; script_info_fifo * Sim_script_fifo; -#line 469 "ntp_parser.h" /* yacc.c:1909 */ +#line 477 "ntp_parser.h" /* yacc.c:1909 */ }; typedef union YYSTYPE YYSTYPE; @@ -478,4 +486,4 @@ extern YYSTYPE yylval; int yyparse (void); -#endif /* !YY_YY_Y_TAB_H_INCLUDED */ +#endif /* !YY_YY_NTP_PARSER_H_INCLUDED */ diff --git a/contrib/ntp/ntpd/ntp_peer.c b/contrib/ntp/ntpd/ntp_peer.c index a296ea7..71c0936 100644 --- a/contrib/ntp/ntpd/ntp_peer.c +++ b/contrib/ntp/ntpd/ntp_peer.c @@ -117,7 +117,7 @@ static struct peer * findexistingpeer_name(const char *, u_short, struct peer *, int); static struct peer * findexistingpeer_addr(sockaddr_u *, struct peer *, int, - u_char); + u_char, int *); static void free_peer(struct peer *, int); static void getmorepeermem(void); static int score(struct peer *); @@ -203,17 +203,18 @@ findexistingpeer_addr( sockaddr_u * addr, struct peer * start_peer, int mode, - u_char cast_flags + u_char cast_flags, + int * ip_count ) { struct peer *peer; - DPRINTF(2, ("findexistingpeer_addr(%s, %s, %d, 0x%x)\n", + DPRINTF(2, ("findexistingpeer_addr(%s, %s, %d, 0x%x, %p)\n", sptoa(addr), (start_peer) ? sptoa(&start_peer->srcadr) : "NULL", - mode, (u_int)cast_flags)); + mode, (u_int)cast_flags, ip_count)); /* * start_peer is included so we can locate instances of the @@ -234,6 +235,11 @@ findexistingpeer_addr( DPRINTF(3, ("%s %s %d %d 0x%x 0x%x ", sptoa(addr), sptoa(&peer->srcadr), mode, peer->hmode, (u_int)cast_flags, (u_int)peer->cast_flags)); + if (ip_count) { + if (SOCK_EQ(addr, &peer->srcadr)) { + (*ip_count)++; + } + } if ((-1 == mode || peer->hmode == mode || ((MDF_BCLNT & peer->cast_flags) && (MDF_BCLNT & cast_flags))) && @@ -258,7 +264,8 @@ findexistingpeer( const char * hostname, struct peer * start_peer, int mode, - u_char cast_flags + u_char cast_flags, + int * ip_count ) { if (hostname != NULL) @@ -266,7 +273,7 @@ findexistingpeer( start_peer, mode); else return findexistingpeer_addr(addr, start_peer, mode, - cast_flags); + cast_flags, ip_count); } @@ -561,6 +568,7 @@ peer_config( sockaddr_u * srcadr, const char * hostname, endpt * dstadr, + int ippeerlimit, u_char hmode, u_char version, u_char minpoll, @@ -611,7 +619,7 @@ peer_config( flags |= FLAG_IBURST; if ((MDF_ACAST | MDF_POOL) & cast_flags) flags &= ~FLAG_PREEMPT; - return newpeer(srcadr, hostname, dstadr, hmode, version, + return newpeer(srcadr, hostname, dstadr, ippeerlimit, hmode, version, minpoll, maxpoll, flags, cast_flags, ttl, key, ident); } @@ -753,6 +761,7 @@ newpeer( sockaddr_u * srcadr, const char * hostname, endpt * dstadr, + int ippeerlimit, u_char hmode, u_char version, u_char minpoll, @@ -766,6 +775,8 @@ newpeer( { struct peer * peer; u_int hash; + int ip_count = 0; + DEBUG_REQUIRE(srcadr); @@ -799,11 +810,11 @@ newpeer( */ if (dstadr != NULL) { peer = findexistingpeer(srcadr, hostname, NULL, hmode, - cast_flags); + cast_flags, &ip_count); while (peer != NULL) { - if (peer->dstadr == dstadr || - ((MDF_BCLNT & cast_flags) && - (MDF_BCLNT & peer->cast_flags))) + if ( peer->dstadr == dstadr + || ( (MDF_BCLNT & cast_flags) + && (MDF_BCLNT & peer->cast_flags))) break; if (dstadr == ANY_INTERFACE_CHOOSE(srcadr) && @@ -811,12 +822,12 @@ newpeer( break; peer = findexistingpeer(srcadr, hostname, peer, - hmode, cast_flags); + hmode, cast_flags, &ip_count); } } else { /* no endpt address given */ peer = findexistingpeer(srcadr, hostname, NULL, hmode, - cast_flags); + cast_flags, &ip_count); } /* @@ -833,6 +844,30 @@ newpeer( return NULL; } +DPRINTF(1, ("newpeer(%s) found no existing and %d other associations\n", + (hostname) + ? hostname + : stoa(srcadr), + ip_count)); + + /* Check ippeerlimit wrt ip_count */ + if (ippeerlimit > -1) { + if (ip_count + 1 > ippeerlimit) { + DPRINTF(2, ("newpeer(%s) denied - ippeerlimit %d\n", + (hostname) + ? hostname + : stoa(srcadr), + ippeerlimit)); + return NULL; + } + } else { + DPRINTF(1, ("newpeer(%s) - ippeerlimit %d ignored\n", + (hostname) + ? hostname + : stoa(srcadr), + ippeerlimit)); + } + /* * Allocate a new peer structure. Some dirt here, since some of * the initialization requires knowlege of our system state. diff --git a/contrib/ntp/ntpd/ntp_proto.c b/contrib/ntp/ntpd/ntp_proto.c index c5d7cc6..fb8a837 100644 --- a/contrib/ntp/ntpd/ntp_proto.c +++ b/contrib/ntp/ntpd/ntp_proto.c @@ -1,7 +1,8 @@ /* * ntp_proto.c - NTP version 4 protocol machinery * - * ATTENTION: Get approval from Dave Mills on all changes to this file! + * ATTENTION: Get approval from Harlan on all changes to this file! + * (Harlan will be discussing these changes with Dave Mills.) * */ #ifdef HAVE_CONFIG_H @@ -37,29 +38,34 @@ #define AUTH(x, y) ((x) ? (y) == AUTH_OK \ : (y) == AUTH_OK || (y) == AUTH_NONE) -#define AUTH_NONE 0 /* authentication not required */ -#define AUTH_OK 1 /* authentication OK */ -#define AUTH_ERROR 2 /* authentication error */ -#define AUTH_CRYPTO 3 /* crypto_NAK */ +typedef enum +auth_state { + AUTH_UNKNOWN = -1, /* Unknown */ + AUTH_NONE, /* authentication not required */ + AUTH_OK, /* authentication OK */ + AUTH_ERROR, /* authentication error */ + AUTH_CRYPTO /* crypto_NAK */ +} auth_code; /* * Set up Kiss Code values */ -enum kiss_codes { +typedef enum +kiss_codes { NOKISS, /* No Kiss Code */ RATEKISS, /* Rate limit Kiss Code */ DENYKISS, /* Deny Kiss */ RSTRKISS, /* Restricted Kiss */ - XKISS, /* Experimental Kiss */ - UNKNOWNKISS /* Unknown Kiss Code */ -}; + XKISS /* Experimental Kiss */ +} kiss_code; -enum nak_error_codes { +typedef enum +nak_error_codes { NONAK, /* No NAK seen */ INVALIDNAK, /* NAK cannot be used */ VALIDNAK /* NAK is valid */ -}; +} nak_code; /* * traffic shaping parameters @@ -182,7 +188,7 @@ int unpeer_digest_early = 1; /* bad digest (TEST5) */ int dynamic_interleave = DYNAMIC_INTERLEAVE; /* Bug 2978 mitigation */ int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid); -enum nak_error_codes valid_NAK(struct peer *peer, struct recvbuf *rbufp, u_char hismode); +nak_code valid_NAK (struct peer *peer, struct recvbuf *rbufp, u_char hismode); static double root_distance (struct peer *); static void clock_combine (peer_select *, int, int); static void peer_xmit (struct peer *); @@ -260,19 +266,16 @@ kiss_code_check( return (RSTRKISS); } else if(memcmp(&refid,"X", 1) == 0) { return (XKISS); - } else { - return (UNKNOWNKISS); } - } else { - return (NOKISS); } + return (NOKISS); } /* * Check that NAK is valid */ -enum nak_error_codes +nak_code valid_NAK( struct peer *peer, struct recvbuf *rbufp, @@ -583,14 +586,15 @@ receive( u_char hisleap; /* packet leap indicator */ u_char hismode; /* packet mode */ u_char hisstratum; /* packet stratum */ + r4addr r4a; /* address restrictions */ u_short restrict_mask; /* restrict bits */ const char *hm_str; /* hismode string */ const char *am_str; /* association match string */ int kissCode = NOKISS; /* Kiss Code */ int has_mac; /* length of MAC field */ int authlen; /* offset of MAC field */ - int is_authentic = AUTH_NONE; /* cryptosum ok */ - int crypto_nak_test; /* result of crypto-NAK check */ + auth_code is_authentic = AUTH_UNKNOWN; /* Was AUTH_NONE */ + nak_code crypto_nak_test; /* result of crypto-NAK check */ int retcode = AM_NOMATCH; /* match code */ keyid_t skeyid = 0; /* key IDs */ u_int32 opcode = 0; /* extension field opcode */ @@ -612,6 +616,13 @@ receive( #endif /* HAVE_NTP_SIGND */ /* + * Note that there are many places we do not call record_raw_stats(). + * + * We only want to call it *after* we've sent a response, or perhaps + * when we've decided to drop a packet. + */ + + /* * Monitor the packet and get restrictions. Note that the packet * length for control and private mode packets must be checked * by the service routines. Some restrictions have to be handled @@ -626,25 +637,33 @@ receive( sys_badlength++; return; /* bogus port */ } - restrict_mask = restrictions(&rbufp->recv_srcadr); + restrictions(&rbufp->recv_srcadr, &r4a); + restrict_mask = r4a.rflags; + pkt = &rbufp->recv_pkt; - DPRINTF(2, ("receive: at %ld %s<-%s flags %x restrict %03x org %#010x.%08x xmt %#010x.%08x\n", - current_time, stoa(&rbufp->dstadr->sin), - stoa(&rbufp->recv_srcadr), rbufp->dstadr->flags, - restrict_mask, ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf), - ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf))); hisversion = PKT_VERSION(pkt->li_vn_mode); hisleap = PKT_LEAP(pkt->li_vn_mode); hismode = (int)PKT_MODE(pkt->li_vn_mode); hisstratum = PKT_TO_STRATUM(pkt->stratum); + DPRINTF(2, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s restrict %s org %#010x.%08x xmt %#010x.%08x\n", + current_time, stoa(&rbufp->dstadr->sin), + stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode, + build_iflags(rbufp->dstadr->flags), + build_rflags(restrict_mask), + ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf), + ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf))); + + /* See basic mode and broadcast checks, below */ INSIST(0 != hisstratum); if (restrict_mask & RES_IGNORE) { + DPRINTF(2, ("receive: drop: RES_IGNORE\n")); sys_restricted++; return; /* ignore everything */ } if (hismode == MODE_PRIVATE) { if (!ntp_mode7 || (restrict_mask & RES_NOQUERY)) { + DPRINTF(2, ("receive: drop: RES_NOQUERY\n")); sys_restricted++; return; /* no query private */ } @@ -654,6 +673,7 @@ receive( } if (hismode == MODE_CONTROL) { if (restrict_mask & RES_NOQUERY) { + DPRINTF(2, ("receive: drop: RES_NOQUERY\n")); sys_restricted++; return; /* no query control */ } @@ -661,6 +681,7 @@ receive( return; } if (restrict_mask & RES_DONTSERVE) { + DPRINTF(2, ("receive: drop: RES_DONTSERVE\n")); sys_restricted++; return; /* no time serve */ } @@ -671,12 +692,25 @@ receive( */ if (restrict_mask & RES_FLAKE) { if ((double)ntp_random() / 0x7fffffff < .1) { + DPRINTF(2, ("receive: drop: RES_FLAKE\n")); sys_restricted++; return; /* no flakeway */ } } /* + ** Format Layer Checks + ** + ** Validate the packet format. The packet size, packet header, + ** and any extension field lengths are checked. We identify + ** the beginning of the MAC, to identify the upper limit of + ** of the hash computation. + ** + ** In case of a format layer check violation, the packet is + ** discarded with no further processing. + */ + + /* * Version check must be after the query packets, since they * intentionally use an early version. */ @@ -686,6 +720,7 @@ receive( && hisversion >= NTP_OLDVERSION) { sys_oldversion++; /* previous version */ } else { + DPRINTF(2, ("receive: drop: RES_VERSION\n")); sys_badlength++; return; /* old version */ } @@ -700,6 +735,7 @@ receive( if (hisversion == NTP_OLDVERSION) { hismode = MODE_CLIENT; } else { + DPRINTF(2, ("receive: drop: MODE_UNSPEC\n")); sys_badlength++; return; /* invalid mode */ } @@ -716,6 +752,16 @@ receive( * is a runt and discarded forthwith. If greater than 6, an * extension field is present, so we subtract the length of the * field and go around again. + * + * Note the above description is lame. We should/could also check + * the two bytes that make up the EF type and subtype, and then + * check the two bytes that tell us the EF length. A legacy MAC + * has a 4 byte keyID, and for conforming symmetric keys its value + * must be <= 64k, meaning the top two bytes will always be zero. + * Since the EF Type of 0 is reserved/unused, there's no way a + * conforming legacy MAC could ever be misinterpreted as an EF. + * + * There is more, but this isn't the place to document it. */ authlen = LEN_PKT_NOMAC; @@ -728,9 +774,14 @@ receive( #endif /*AUTOKEY */ if (has_mac % 4 != 0 || has_mac < (int)MIN_MAC_LEN) { + DPRINTF(2, ("receive: drop: bad post-packet length\n")); sys_badlength++; return; /* bad length */ } + /* + * This next test is clearly wrong - it needlessly + * prohibits short EFs (which don't yet exist) + */ if (has_mac <= (int)MAX_MAC_LEN) { skeyid = ntohl(((u_int32 *)pkt)[authlen / 4]); break; @@ -741,6 +792,7 @@ receive( if ( len % 4 != 0 || len < 4 || (int)len + authlen > rbufp->recv_length) { + DPRINTF(2, ("receive: drop: bad EF length\n")); sys_badlength++; return; /* bad length */ } @@ -757,6 +809,7 @@ receive( if ( hostlen >= sizeof(hostname) || hostlen > len - offsetof(struct exten, pkt)) { + DPRINTF(2, ("receive: drop: bad autokey hostname length\n")); sys_badlength++; return; /* bad length */ } @@ -764,6 +817,7 @@ receive( hostname[hostlen] = '\0'; groupname = strchr(hostname, '@'); if (groupname == NULL) { + DPRINTF(2, ("receive: drop: empty autokey groupname\n")); sys_declined++; return; } @@ -779,14 +833,27 @@ receive( * If has_mac is < 0 we had a malformed packet. */ if (has_mac < 0) { + DPRINTF(2, ("receive: drop: post-packet under-read\n")); sys_badlength++; return; /* bad length */ } /* - * If authentication required, a MAC must be present. + ** Packet Data Verification Layer + ** + ** This layer verifies the packet data content. If + ** authentication is required, a MAC must be present. + ** If a MAC is present, it must validate. + ** Crypto-NAK? Look - a shiny thing! + ** + ** If authentication fails, we're done. + */ + + /* + * If authentication is explicitly required, a MAC must be present. */ if (restrict_mask & RES_DONTTRUST && has_mac == 0) { + DPRINTF(2, ("receive: drop: RES_DONTTRUST\n")); sys_restricted++; return; /* access denied */ } @@ -803,9 +870,12 @@ receive( if ( !(restrict_mask & RES_KOD) || MODE_BROADCAST == hismode || MODE_SERVER == hismode) { - if (MODE_SERVER == hismode) + if (MODE_SERVER == hismode) { DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n", stoa(&rbufp->recv_srcadr))); + } else { + DPRINTF(2, ("receive: drop: RES_KOD\n")); + } return; /* rate exceeded */ } if (hismode == MODE_CLIENT) @@ -837,6 +907,7 @@ receive( * multicaster, the broadcast address is null, so we use the * unicast address anyway. Don't ask. */ + peer = findpeer(rbufp, hismode, &retcode); dstadr_sin = &rbufp->dstadr->sin; NTOHL_FP(&pkt->org, &p_org); @@ -921,6 +992,14 @@ receive( #endif /* HAVE_NTP_SIGND */ } else { + /* + * has_mac is not 0 + * Not a VALID_NAK + * Not an MS-SNTP SIGND packet + * + * So there is a MAC here. + */ + restrict_mask &= ~RES_MSSNTP; #ifdef AUTOKEY /* @@ -956,6 +1035,7 @@ receive( * % can't happen */ if (has_mac < (int)MAX_MD5_LEN) { + DPRINTF(2, ("receive: drop: MD5 digest too short\n")); sys_badauth++; return; } @@ -972,6 +1052,7 @@ receive( if ( crypto_flags && rbufp->dstadr == ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) { + DPRINTF(2, ("receive: drop: BCAST from wildcard\n")); sys_restricted++; return; /* no wildcard */ } @@ -1033,6 +1114,80 @@ receive( ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf))); } + + /* + * Bug 3454: + * + * Now come at this from a different perspective: + * - If we expect a MAC and it's not there, we drop it. + * - If we expect one keyID and get another, we drop it. + * - If we have a MAC ahd it hasn't been validated yet, try. + * - if the provided MAC doesn't validate, we drop it. + * + * There might be more to this. + */ + if (0 != peer && 0 != peer->keyid) { + /* Should we msyslog() any of these? */ + + /* + * This should catch: + * - no keyID where one is expected, + * - different keyID than what we expect. + */ + if (peer->keyid != skeyid) { + DPRINTF(2, ("receive: drop: Wanted keyID %d, got %d from %s\n", + peer->keyid, skeyid, + stoa(&rbufp->recv_srcadr))); + sys_restricted++; + return; /* drop: access denied */ + } + + /* + * if has_mac != 0 ... + * - If it has not yet been validated, do so. + * (under what circumstances might that happen?) + * - if missing or bad MAC, log and drop. + */ + if (0 != has_mac) { + if (is_authentic == AUTH_UNKNOWN) { + /* How can this happen? */ + DPRINTF(2, ("receive: 3454 check: AUTH_UNKNOWN from %s\n", + stoa(&rbufp->recv_srcadr))); + if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen, + has_mac)) { + /* MAC invalid or not found */ + is_authentic = AUTH_ERROR; + } else { + is_authentic = AUTH_OK; + } + } + if (is_authentic != AUTH_OK) { + DPRINTF(2, ("receive: drop: missing or bad MAC from %s\n", + stoa(&rbufp->recv_srcadr))); + sys_restricted++; + return; /* drop: access denied */ + } + } + } + /**/ + + /* + ** On-Wire Protocol Layer + ** + ** Verify protocol operations consistent with the on-wire protocol. + ** The protocol discards bogus and duplicate packets as well as + ** minimizes disruptions doe to protocol restarts and dropped + ** packets. The operations are controlled by two timestamps: + ** the transmit timestamp saved in the client state variables, + ** and the origin timestamp in the server packet header. The + ** comparison of these two timestamps is called the loopback test. + ** The transmit timestamp functions as a nonce to verify that the + ** response corresponds to the original request. The transmit + ** timestamp also serves to discard replays of the most recent + ** packet. Upon failure of either test, the packet is discarded + ** with no further action. + */ + /* * The association matching rules are implemented by a set of * routines and an association table. A packet matching an @@ -1050,6 +1205,8 @@ receive( * an ordinary client, simply toss a server mode packet back * over the fence. If a manycast client, we have to work a * little harder. + * + * There are cases here where we do not call record_raw_stats(). */ case AM_FXMIT: @@ -1058,6 +1215,21 @@ receive( * send a crypto-NAK. */ if (!(rbufp->dstadr->flags & INT_MCASTOPEN)) { + /* HMS: would be nice to log FAST_XMIT|BADAUTH|RESTRICTED */ + record_raw_stats(&rbufp->recv_srcadr, + &rbufp->dstadr->sin, + &p_org, &p_rec, &p_xmt, &rbufp->recv_time, + PKT_LEAP(pkt->li_vn_mode), + PKT_VERSION(pkt->li_vn_mode), + PKT_MODE(pkt->li_vn_mode), + PKT_TO_STRATUM(pkt->stratum), + pkt->ppoll, + pkt->precision, + FPTOD(NTOHS_FP(pkt->rootdelay)), + FPTOD(NTOHS_FP(pkt->rootdisp)), + pkt->refid, + rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten); + if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) { fast_xmit(rbufp, MODE_SERVER, skeyid, @@ -1067,8 +1239,10 @@ receive( restrict_mask); sys_badauth++; } else { + DPRINTF(2, ("receive: AM_FXMIT drop: !mcast restricted\n")); sys_restricted++; } + return; /* hooray */ } @@ -1077,6 +1251,7 @@ receive( * configured as a manycast server. */ if (!sys_manycastserver) { + DPRINTF(2, ("receive: AM_FXMIT drop: Not manycastserver\n")); sys_restricted++; return; /* not enabled */ } @@ -1086,6 +1261,7 @@ receive( * Do not respond if not the same group. */ if (group_test(groupname, NULL)) { + DPRINTF(2, ("receive: AM_FXMIT drop: empty groupname\n")); sys_declined++; return; } @@ -1100,6 +1276,7 @@ receive( || sys_stratum >= hisstratum || (!sys_cohort && sys_stratum == hisstratum + 1) || rbufp->dstadr->addr_refid == pkt->refid) { + DPRINTF(2, ("receive: AM_FXMIT drop: LEAP_NOTINSYNC || stratum || loop\n")); sys_declined++; return; /* no help */ } @@ -1108,9 +1285,24 @@ receive( * Respond only if authentication succeeds. Don't do a * crypto-NAK, as that would not be useful. */ - if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) + if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) { + record_raw_stats(&rbufp->recv_srcadr, + &rbufp->dstadr->sin, + &p_org, &p_rec, &p_xmt, &rbufp->recv_time, + PKT_LEAP(pkt->li_vn_mode), + PKT_VERSION(pkt->li_vn_mode), + PKT_MODE(pkt->li_vn_mode), + PKT_TO_STRATUM(pkt->stratum), + pkt->ppoll, + pkt->precision, + FPTOD(NTOHS_FP(pkt->rootdelay)), + FPTOD(NTOHS_FP(pkt->rootdisp)), + pkt->refid, + rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten); + fast_xmit(rbufp, MODE_SERVER, skeyid, restrict_mask); + } return; /* hooray */ /* @@ -1131,6 +1323,8 @@ receive( * There is an implosion hazard at the manycast client, since * the manycast servers send the server packet immediately. If * the guy is already here, don't fire up a duplicate. + * + * There are cases here where we do not call record_raw_stats(). */ case AM_MANYCAST: @@ -1139,18 +1333,23 @@ receive( * Do not respond if not the same group. */ if (group_test(groupname, NULL)) { + DPRINTF(2, ("receive: AM_MANYCAST drop: empty groupname\n")); sys_declined++; return; } #endif /* AUTOKEY */ if ((peer2 = findmanycastpeer(rbufp)) == NULL) { + DPRINTF(2, ("receive: AM_MANYCAST drop: No manycast peer\n")); sys_restricted++; return; /* not enabled */ } if (!AUTH( (!(peer2->cast_flags & MDF_POOL) && sys_authenticate) || (restrict_mask & (RES_NOPEER | - RES_DONTTRUST)), is_authentic)) { + RES_DONTTRUST)), is_authentic) + /* MC: RES_NOEPEER? */ + ) { + DPRINTF(2, ("receive: AM_MANYCAST drop: bad auth || (NOPEER|DONTTRUST)\n")); sys_restricted++; return; /* access denied */ } @@ -1162,15 +1361,17 @@ receive( if ( hisleap == LEAP_NOTINSYNC || hisstratum < sys_floor || hisstratum >= sys_ceiling) { + DPRINTF(2, ("receive: AM_MANYCAST drop: unsync/stratum\n")); sys_declined++; return; /* no help */ } peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, - MODE_CLIENT, hisversion, peer2->minpoll, - peer2->maxpoll, FLAG_PREEMPT | - (FLAG_IBURST & peer2->flags), MDF_UCAST | - MDF_UCLNT, 0, skeyid, sys_ident); + r4a.ippeerlimit, MODE_CLIENT, hisversion, + peer2->minpoll, peer2->maxpoll, + FLAG_PREEMPT | (FLAG_IBURST & peer2->flags), + MDF_UCAST | MDF_UCLNT, 0, skeyid, sys_ident); if (NULL == peer) { + DPRINTF(2, ("receive: AM_MANYCAST drop: duplicate\n")); sys_declined++; return; /* ignore duplicate */ } @@ -1197,6 +1398,8 @@ receive( * the packet is authentic and we are enabled as broadcast * client, mobilize a broadcast client association. We don't * kiss any frogs here. + * + * There are cases here where we do not call record_raw_stats(). */ case AM_NEWBCL: @@ -1205,16 +1408,21 @@ receive( * Do not respond if not the same group. */ if (group_test(groupname, sys_ident)) { + DPRINTF(2, ("receive: AM_NEWBCL drop: groupname mismatch\n")); sys_declined++; return; } #endif /* AUTOKEY */ if (sys_bclient == 0) { + DPRINTF(2, ("receive: AM_NEWBCL drop: not a bclient\n")); sys_restricted++; return; /* not enabled */ } if (!AUTH(sys_authenticate | (restrict_mask & - (RES_NOPEER | RES_DONTTRUST)), is_authentic)) { + (RES_NOPEER | RES_DONTTRUST)), is_authentic) + /* NEWBCL: RES_NOEPEER? */ + ) { + DPRINTF(2, ("receive: AM_NEWBCL drop: AUTH failed\n")); sys_restricted++; return; /* access denied */ } @@ -1226,6 +1434,7 @@ receive( if ( hisleap == LEAP_NOTINSYNC || hisstratum < sys_floor || hisstratum >= sys_ceiling) { + DPRINTF(2, ("receive: AM_NEWBCL drop: Unsync or bad stratum\n")); sys_declined++; return; /* no help */ } @@ -1237,6 +1446,7 @@ receive( */ if ( crypto_flags && skeyid > NTP_MAXKEY && (opcode & 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) { + DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not CRYPTO_ASSOC\n")); sys_declined++; return; /* protocol error */ } @@ -1267,6 +1477,7 @@ receive( */ if (crypto_flags && skeyid > NTP_MAXKEY) { sys_restricted++; + DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not 2-way\n")); return; /* no autokey */ } #endif /* AUTOKEY */ @@ -1275,11 +1486,12 @@ receive( * Do not execute the volley. Start out in * broadcast client mode. */ - peer = newpeer(&rbufp->recv_srcadr, NULL, - match_ep, MODE_BCLIENT, hisversion, - pkt->ppoll, pkt->ppoll, FLAG_PREEMPT, - MDF_BCLNT, 0, skeyid, sys_ident); + peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep, + r4a.ippeerlimit, MODE_BCLIENT, hisversion, + pkt->ppoll, pkt->ppoll, + FLAG_PREEMPT, MDF_BCLNT, 0, skeyid, sys_ident); if (NULL == peer) { + DPRINTF(2, ("receive: AM_NEWBCL drop: duplicate\n")); sys_restricted++; return; /* ignore duplicate */ @@ -1299,10 +1511,12 @@ receive( * is fixed at this value. */ peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep, - MODE_CLIENT, hisversion, pkt->ppoll, pkt->ppoll, + r4a.ippeerlimit, MODE_CLIENT, hisversion, + pkt->ppoll, pkt->ppoll, FLAG_BC_VOL | FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT, 0, skeyid, sys_ident); if (NULL == peer) { + DPRINTF(2, ("receive: AM_NEWBCL drop: empty newpeer() failed\n")); sys_restricted++; return; /* ignore duplicate */ } @@ -1316,8 +1530,11 @@ receive( /* * This is the first packet received from a symmetric active - * peer. If the packet is authentic and the first he sent, - * mobilize a passive association. If not, kiss the frog. + * peer. If the packet is authentic, the first he sent, and + * RES_NOEPEER is not enabled, mobilize a passive association + * If not, kiss the frog. + * + * There are cases here where we do not call record_raw_stats(). */ case AM_NEWPASS: @@ -1326,38 +1543,42 @@ receive( * Do not respond if not the same group. */ if (group_test(groupname, sys_ident)) { + DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n")); sys_declined++; return; } #endif /* AUTOKEY */ if (!AUTH(sys_authenticate | (restrict_mask & - (RES_NOPEER | RES_DONTTRUST)), is_authentic)) { - - /* - * If authenticated but cannot mobilize an - * association, send a symmetric passive - * response without mobilizing an association. - * This is for drat broken Windows clients. See - * Microsoft KB 875424 for preferred workaround. - */ - if (AUTH(restrict_mask & RES_DONTTRUST, - is_authentic)) { - fast_xmit(rbufp, MODE_PASSIVE, skeyid, - restrict_mask); - return; /* hooray */ - } - if (is_authentic == AUTH_ERROR) { - fast_xmit(rbufp, MODE_ACTIVE, 0, - restrict_mask); - sys_restricted++; - return; + (RES_NOPEER | RES_DONTTRUST)), is_authentic) + ) { + if (0 == (restrict_mask & RES_NOEPEER)) { + /* + * If authenticated but cannot mobilize an + * association, send a symmetric passive + * response without mobilizing an association. + * This is for drat broken Windows clients. See + * Microsoft KB 875424 for preferred workaround. + */ + if (AUTH(restrict_mask & RES_DONTTRUST, + is_authentic)) { + fast_xmit(rbufp, MODE_PASSIVE, skeyid, + restrict_mask); + return; /* hooray */ + } + if (is_authentic == AUTH_ERROR) { + fast_xmit(rbufp, MODE_ACTIVE, 0, + restrict_mask); + sys_restricted++; + return; + } } /* [Bug 2941] * If we got here, the packet isn't part of an - * existing association, it isn't correctly - * authenticated, and it didn't meet either of - * the previous two special cases so we should - * just drop it on the floor. For example, + * existing association, either isn't correctly + * authenticated or it is but we are refusing + * ephemeral peer requests, and it didn't meet + * either of the previous two special cases so we + * should just drop it on the floor. For example, * crypto-NAKs (is_authentic == AUTH_CRYPTO) * will make it this far. This is just * debug-printed and not logged to avoid log @@ -1384,18 +1605,21 @@ receive( */ if ( hisleap != LEAP_NOTINSYNC && (hisstratum < sys_floor || hisstratum >= sys_ceiling)) { + DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n")); sys_declined++; return; /* no help */ } /* * The message is correctly authenticated and allowed. - * Mobilize a symmetric passive association. + * Mobilize a symmetric passive association, if we won't + * exceed the ippeerlimit. */ - if ((peer = newpeer(&rbufp->recv_srcadr, NULL, - rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll, - NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid, - sys_ident)) == NULL) { + if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr, + r4a.ippeerlimit, MODE_PASSIVE, hisversion, + pkt->ppoll, NTP_MAXDPOLL, 0, MDF_UCAST, 0, + skeyid, sys_ident)) == NULL) { + DPRINTF(2, ("receive: AM_NEWPASS drop: newpeer() failed\n")); sys_declined++; return; /* ignore duplicate */ } @@ -1404,6 +1628,8 @@ receive( /* * Process regular packet. Nothing special. + * + * There are cases here where we do not call record_raw_stats(). */ case AM_PROCPKT: @@ -1412,6 +1638,7 @@ receive( * Do not respond if not the same group. */ if (group_test(groupname, peer->ident)) { + DPRINTF(2, ("receive: AM_PROCPKT drop: Autokey group mismatch\n")); sys_declined++; return; } @@ -1437,7 +1664,7 @@ receive( /* This is noteworthy, not error-worthy */ if (pkt->ppoll != peer->ppoll) { - msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %ud to %ud", + msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %u to %u", stoa(&rbufp->recv_srcadr), peer->ppoll, pkt->ppoll); } @@ -1445,7 +1672,7 @@ receive( /* This is error-worthy */ if (pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll ) { - msyslog(LOG_INFO, "receive: broadcast poll of %ud from %s is out-of-range (%d to %d)!", + msyslog(LOG_INFO, "receive: broadcast poll of %u from %s is out-of-range (%d to %d)!", pkt->ppoll, stoa(&rbufp->recv_srcadr), peer->minpoll, peer->maxpoll); ++bail; @@ -1520,6 +1747,7 @@ receive( } if (bail) { + DPRINTF(2, ("receive: AM_PROCPKT drop: bail\n")); peer->timelastrec = current_time; sys_declined++; return; @@ -1535,6 +1763,7 @@ receive( * attempt to deny service, just ignore it. */ case AM_ERR: + DPRINTF(2, ("receive: AM_ERR drop.\n")); sys_declined++; return; @@ -1542,6 +1771,7 @@ receive( * For everything else there is the bit bucket. */ default: + DPRINTF(2, ("receive: default drop.\n")); sys_declined++; return; } @@ -1555,6 +1785,7 @@ receive( if ( is_authentic != AUTH_CRYPTO && ( ((peer->flags & FLAG_SKEY) && skeyid <= NTP_MAXKEY) || (!(peer->flags & FLAG_SKEY) && skeyid > NTP_MAXKEY))) { + DPRINTF(2, ("receive: drop: Autokey but wrong/bad auth\n")); sys_badauth++; return; } @@ -1575,9 +1806,12 @@ receive( * A KoD packet we pay attention to cannot have a 0 transmit * timestamp. */ + + kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid); + if (L_ISZERO(&p_xmt)) { peer->flash |= TEST3; /* unsynch */ - if (STRATUM_UNSPEC == hisstratum) { /* KoD packet */ + if (kissCode != NOKISS) { /* KoD packet */ peer->bogusorg++; /* for TEST2 or TEST3 */ msyslog(LOG_INFO, "receive: Unexpected zero transmit timestamp in KoD from %s", @@ -1591,6 +1825,7 @@ receive( * the most recent packet, authenticated or not. */ } else if (L_ISEQU(&peer->xmt, &p_xmt)) { + DPRINTF(2, ("receive: drop: Duplicate xmit\n")); peer->flash |= TEST1; /* duplicate */ peer->oldpkt++; return; @@ -1601,13 +1836,13 @@ receive( * see if this is an interleave broadcast packet until after * we've validated the MAC that SHOULD be provided. * - * hisstratum should never be 0. + * hisstratum cannot be 0 - see assertion above. * If hisstratum is 15, then we'll advertise as UNSPEC but * at least we'll be able to sync with the broadcast server. */ } else if (hismode == MODE_BROADCAST) { - if ( 0 == hisstratum - || STRATUM_UNSPEC <= hisstratum) { + /* 0 is unexpected too, and impossible */ + if (STRATUM_UNSPEC <= hisstratum) { /* Is this a ++sys_declined or ??? */ msyslog(LOG_INFO, "receive: Unexpected stratum (%d) in broadcast from %s", @@ -1628,7 +1863,7 @@ receive( * (nonzero) org, rec, and xmt timestamps set to the xmt timestamp * that we have previously sent out. Watch interleave mode. */ - } else if (STRATUM_UNSPEC == hisstratum) { + } else if (kissCode != NOKISS) { DEBUG_INSIST(!L_ISZERO(&p_xmt)); if ( L_ISZERO(&p_org) /* We checked p_xmt above */ || L_ISZERO(&p_rec)) { @@ -1675,7 +1910,8 @@ receive( * should 'aorg' be all-zero because this really was the original * transmit timestamp, we'll ignore this reply. There is a window * of one nanosecond once every 136 years' time where this is - * possible. We currently ignore this situation. + * possible. We currently ignore this situation, as a completely + * zero timestamp is (quietly?) disallowed. * * Otherwise, check for bogus packet in basic mode. * If it is bogus, switch to interleaved mode and resynchronize, @@ -1684,11 +1920,11 @@ receive( * * This could also mean somebody is forging packets claiming to * be from us, attempting to cause our server to KoD us. + * + * We have earlier asserted that hisstratum cannot be 0. + * If hisstratum is STRATUM_UNSPEC, it means he's not sync'd. */ } else if (peer->flip == 0) { - INSIST(0 != hisstratum); - INSIST(STRATUM_UNSPEC != hisstratum); - if (0) { } else if (L_ISZERO(&p_org)) { const char *action; @@ -1767,10 +2003,13 @@ receive( */ } else if ( !L_ISZERO(&peer->dst) && !L_ISEQU(&p_org, &peer->dst)) { + DPRINTF(2, ("receive: drop: Bogus packet in interleaved symmetric mode\n")); peer->bogusorg++; peer->flags |= FLAG_XBOGUS; peer->flash |= TEST2; /* bogus */ +#ifdef BUG3453 return; /* Bogus packet, we are done */ +#endif } /**/ @@ -1788,6 +2027,7 @@ receive( if (unpeer_crypto_nak_early) { unpeer(peer); } + DPRINTF(2, ("receive: drop: PREEMPT crypto_NAK\n")); return; } #ifdef AUTOKEY @@ -1795,6 +2035,7 @@ receive( peer_clear(peer, "AUTH"); } #endif /* AUTOKEY */ + DPRINTF(2, ("receive: drop: crypto_NAK\n")); return; /* @@ -1832,6 +2073,7 @@ receive( peer_clear(peer, "AUTH"); } #endif /* AUTOKEY */ + DPRINTF(2, ("receive: drop: Bad or missing AUTH\n")); return; } @@ -1901,11 +2143,9 @@ receive( /* * Check for any kiss codes. Note this is only used when a server - * responds to a packet request + * responds to a packet request. */ - kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid); - /* * Check to see if this is a RATE Kiss Code * Currently this kiss code will accept whatever poll @@ -2204,11 +2444,12 @@ process_packet( /* * Capture the header values in the client/peer association.. */ - record_raw_stats(&peer->srcadr, peer->dstadr ? - &peer->dstadr->sin : NULL, + record_raw_stats(&peer->srcadr, + peer->dstadr ? &peer->dstadr->sin : NULL, &p_org, &p_rec, &p_xmt, &peer->dst, pleap, pversion, pmode, pstratum, pkt->ppoll, pkt->precision, - p_del, p_disp, pkt->refid); + p_del, p_disp, pkt->refid, + len - MIN_V4_PKT_LEN, (u_char *)&pkt->exten); peer->leap = pleap; peer->stratum = min(pstratum, STRATUM_UNSPEC); peer->pmode = pmode; @@ -4301,6 +4542,7 @@ pool_xmit( int rc; struct interface * lcladr; sockaddr_u * rmtadr; + r4addr r4a; int restrict_mask; struct peer * p; l_fp xmt_tx; @@ -4337,11 +4579,12 @@ pool_xmit( /* copy_addrinfo_list ai_addr points to a sockaddr_u */ rmtadr = (sockaddr_u *)(void *)pool->ai->ai_addr; pool->ai = pool->ai->ai_next; - p = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT, 0); + p = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT, 0, NULL); } while (p != NULL && pool->ai != NULL); if (p != NULL) return; /* out of addresses, re-query DNS next poll */ - restrict_mask = restrictions(rmtadr); + restrictions(rmtadr, &r4a); + restrict_mask = r4a.rflags; if (RES_FLAGS & restrict_mask) restrict_source(rmtadr, 0, current_time + POOL_SOLICIT_WINDOW + 1); @@ -4932,4 +5175,6 @@ proto_clr_stats(void) sys_badauth = 0; sys_limitrejected = 0; sys_kodsent = 0; + sys_lamport = 0; + sys_tsrounding = 0; } diff --git a/contrib/ntp/ntpd/ntp_refclock.c b/contrib/ntp/ntpd/ntp_refclock.c index bc38901..a0dbd4c 100644 --- a/contrib/ntp/ntpd/ntp_refclock.c +++ b/contrib/ntp/ntpd/ntp_refclock.c @@ -1044,7 +1044,7 @@ refclock_control( clktype = (u_char)REFCLOCKTYPE(srcadr); unit = REFCLOCKUNIT(srcadr); - peer = findexistingpeer(srcadr, NULL, NULL, -1, 0); + peer = findexistingpeer(srcadr, NULL, NULL, -1, 0, NULL); if (NULL == peer) return; @@ -1155,7 +1155,7 @@ refclock_buginfo( clktype = (u_char) REFCLOCKTYPE(srcadr); unit = REFCLOCKUNIT(srcadr); - peer = findexistingpeer(srcadr, NULL, NULL, -1, 0); + peer = findexistingpeer(srcadr, NULL, NULL, -1, 0, NULL); if (NULL == peer || NULL == peer->procptr) return; @@ -1247,16 +1247,24 @@ refclock_params( /* * If flag3 is lit, select the kernel PPS if we can. + * + * Note: EOPNOTSUPP is the only 'legal' error code we deal with; + * it is part of the 'if we can' strategy. Any other error + * indicates something more sinister and makes this function fail. */ if (mode & CLK_FLAG3) { if (time_pps_kcbind(ap->handle, PPS_KC_HARDPPS, ap->pps_params.mode & ~PPS_TSFMT_TSPEC, - PPS_TSFMT_TSPEC) < 0) { - msyslog(LOG_ERR, - "refclock_params: time_pps_kcbind: %m"); - return (0); + PPS_TSFMT_TSPEC) < 0) + { + if (errno != EOPNOTSUPP) { + msyslog(LOG_ERR, + "refclock_params: time_pps_kcbind: %m"); + return (0); + } + } else { + hardpps_enable = 1; } - hardpps_enable = 1; } return (1); } diff --git a/contrib/ntp/ntpd/ntp_request.c b/contrib/ntp/ntpd/ntp_request.c index 5e0e6f8..e541f7c 100644 --- a/contrib/ntp/ntpd/ntp_request.c +++ b/contrib/ntp/ntpd/ntp_request.c @@ -87,7 +87,7 @@ static void list_restrict (sockaddr_u *, endpt *, struct req_pkt *); static void do_resaddflags (sockaddr_u *, endpt *, struct req_pkt *); static void do_ressubflags (sockaddr_u *, endpt *, struct req_pkt *); static void do_unrestrict (sockaddr_u *, endpt *, struct req_pkt *); -static void do_restrict (sockaddr_u *, endpt *, struct req_pkt *, int); +static void do_restrict (sockaddr_u *, endpt *, struct req_pkt *, restrict_op); static void mon_getlist (sockaddr_u *, endpt *, struct req_pkt *); static void reset_stats (sockaddr_u *, endpt *, struct req_pkt *); static void reset_peer (sockaddr_u *, endpt *, struct req_pkt *); @@ -582,6 +582,7 @@ process_private( * him. If the wrong key was used, or packet doesn't * have mac, return. */ + /* XXX: Use authistrustedip(), or equivalent. */ if (!INFO_IS_AUTH(inpkt->auth_seq) || !info_auth_keyid || ntohl(tailinpkt->keyid) != info_auth_keyid) { DPRINTF(5, ("failed auth %d info_auth_keyid %u pkt keyid %u maclen %lu\n", @@ -837,7 +838,7 @@ peer_info ( #endif datap += item_sz; - pp = findexistingpeer(&addr, NULL, NULL, -1, 0); + pp = findexistingpeer(&addr, NULL, NULL, -1, 0, NULL); if (NULL == pp) continue; if (IS_IPV6(srcadr)) { @@ -981,7 +982,7 @@ peer_stats ( datap += item_sz; - pp = findexistingpeer(&addr, NULL, NULL, -1, 0); + pp = findexistingpeer(&addr, NULL, NULL, -1, 0, NULL); if (NULL == pp) continue; @@ -1150,6 +1151,8 @@ sys_stats( ss->badauth = htonl((u_int32)sys_badauth); ss->limitrejected = htonl((u_int32)sys_limitrejected); ss->received = htonl((u_int32)sys_received); + ss->lamport = htonl((u_int32)sys_lamport); + ss->tsrounding = htonl((u_int32)sys_tsrounding); (void) more_pkt(); flush_pkt(); } @@ -1366,10 +1369,13 @@ do_conf( * * - minpoll/maxpoll, but they are treated properly * for all cases internally. Checking not necessary. + * + * Note that we ignore any previously-specified ippeerlimit. + * If we're told to create the peer, we create the peer. */ /* finally create the peer */ - if (peer_config(&peeraddr, NULL, NULL, + if (peer_config(&peeraddr, NULL, NULL, -1, temp_cp.hmode, temp_cp.version, temp_cp.minpoll, temp_cp.maxpoll, fl, temp_cp.ttl, temp_cp.keyid, NULL) == 0) @@ -1449,7 +1455,7 @@ do_unconf( p = NULL; do { p = findexistingpeer( - &peeraddr, NULL, p, -1, 0); + &peeraddr, NULL, p, -1, 0, NULL); } while (p && !(FLAG_CONFIG & p->flags)); if (!loops && !p) { @@ -1653,7 +1659,7 @@ list_restrict4( pir->v6_flag = 0; pir->mask = htonl(res->u.v4.mask); pir->count = htonl(res->count); - pir->flags = htons(res->flags); + pir->rflags = htons(res->rflags); pir->mflags = htons(res->mflags); pir = (struct info_restrict *)more_pkt(); } @@ -1684,7 +1690,7 @@ list_restrict6( pir->mask6 = res->u.v6.mask; pir->v6_flag = 1; pir->count = htonl(res->count); - pir->flags = htons(res->flags); + pir->rflags = htons(res->rflags); pir->mflags = htons(res->mflags); pir = (struct info_restrict *)more_pkt(); } @@ -1773,7 +1779,7 @@ do_restrict( sockaddr_u *srcadr, endpt *inter, struct req_pkt *inpkt, - int op + restrict_op op ) { char * datap; @@ -1784,6 +1790,18 @@ do_restrict( sockaddr_u matchmask; int bad; + switch(op) { + case RESTRICT_FLAGS: + case RESTRICT_UNFLAG: + case RESTRICT_REMOVE: + case RESTRICT_REMOVEIF: + break; + + default: + req_ack(srcadr, inter, inpkt, INFO_ERR_FMT); + return; + } + /* * Do a check of the flags to make sure that only * the NTPPORT flag is set, if any. If not, complain @@ -1797,7 +1815,7 @@ do_restrict( return; } - bad = FALSE; + bad = 0; while (items-- > 0 && !bad) { memcpy(&cr, datap, item_sz); cr.flags = ntohs(cr.flags); @@ -1837,6 +1855,7 @@ do_restrict( memcpy(&cr, datap, item_sz); cr.flags = ntohs(cr.flags); cr.mflags = ntohs(cr.mflags); + cr.ippeerlimit = ntohs(cr.ippeerlimit); if (client_v6_capable && cr.v6_flag) { AF(&matchaddr) = AF_INET6; AF(&matchmask) = AF_INET6; @@ -1849,7 +1868,7 @@ do_restrict( NSRCADR(&matchmask) = cr.mask; } hack_restrict(op, &matchaddr, &matchmask, cr.mflags, - cr.flags, 0); + cr.ippeerlimit, cr.flags, 0); datap += item_sz; } @@ -1975,7 +1994,7 @@ reset_peer( #ifdef ISC_PLATFORM_HAVESALEN peeraddr.sa.sa_len = SOCKLEN(&peeraddr); #endif - p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0); + p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL); if (NULL == p) bad++; datap += item_sz; @@ -2008,10 +2027,10 @@ reset_peer( #ifdef ISC_PLATFORM_HAVESALEN peeraddr.sa.sa_len = SOCKLEN(&peeraddr); #endif - p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0); + p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL); while (p != NULL) { peer_reset(p); - p = findexistingpeer(&peeraddr, NULL, p, -1, 0); + p = findexistingpeer(&peeraddr, NULL, p, -1, 0, NULL); } datap += item_sz; } @@ -2492,7 +2511,7 @@ get_clock_info( while (items-- > 0 && ic) { NSRCADR(&addr) = *clkaddr++; if (!ISREFCLOCKADR(&addr) || NULL == - findexistingpeer(&addr, NULL, NULL, -1, 0)) { + findexistingpeer(&addr, NULL, NULL, -1, 0, NULL)) { req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); return; } @@ -2556,7 +2575,7 @@ set_clock_fudge( #endif SET_PORT(&addr, NTP_PORT); if (!ISREFCLOCKADR(&addr) || NULL == - findexistingpeer(&addr, NULL, NULL, -1, 0)) { + findexistingpeer(&addr, NULL, NULL, -1, 0, NULL)) { req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); return; } @@ -2631,7 +2650,7 @@ get_clkbug_info( while (items-- > 0 && ic) { NSRCADR(&addr) = *clkaddr++; if (!ISREFCLOCKADR(&addr) || NULL == - findexistingpeer(&addr, NULL, NULL, -1, 0)) { + findexistingpeer(&addr, NULL, NULL, -1, 0, NULL)) { req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA); return; } diff --git a/contrib/ntp/ntpd/ntp_restrict.c b/contrib/ntp/ntpd/ntp_restrict.c index ad6c82a..f3c1293 100644 --- a/contrib/ntp/ntpd/ntp_restrict.c +++ b/contrib/ntp/ntpd/ntp_restrict.c @@ -86,6 +86,8 @@ static u_long res_limited_refcnt; /* * Our default entries. + * + * We can make this cleaner with c99 support: see init_restrict(). */ static restrict_u restrict_def4; static restrict_u restrict_def6; @@ -94,8 +96,9 @@ static restrict_u restrict_def6; * "restrict source ..." enabled knob and restriction bits. */ static int restrict_source_enabled; -static u_short restrict_source_flags; +static u_short restrict_source_rflags; static u_short restrict_source_mflags; +static short restrict_source_ippeerlimit; /* * private functions @@ -111,9 +114,82 @@ static restrict_u * match_restrict6_addr(const struct in6_addr *, static restrict_u * match_restrict_entry(const restrict_u *, int); static int res_sorts_before4(restrict_u *, restrict_u *); static int res_sorts_before6(restrict_u *, restrict_u *); +static char * roptoa(restrict_op op); + + +void dump_restricts(void); + +/* + * dump_restrict - spit out a restrict_u + */ +static void +dump_restrict( + restrict_u * res, + int is_ipv6 + ) +{ + char as[INET6_ADDRSTRLEN]; + char ms[INET6_ADDRSTRLEN]; + + if (is_ipv6) { + inet_ntop(AF_INET6, &res->u.v6.addr, as, sizeof as); + inet_ntop(AF_INET6, &res->u.v6.mask, ms, sizeof ms); + } else { + struct in_addr sia = { htonl(res->u.v4.addr) }; + struct in_addr sim = { htonl(res->u.v4.mask) }; + + inet_ntop(AF_INET, &sia, as, sizeof as); + inet_ntop(AF_INET, &sim, ms, sizeof ms); + } + mprintf("restrict node at %p: %s/%s count %d, rflags %05x, mflags %05x, ippeerlimit %d, expire %lu, next %p\n", + res, as, ms, res->count, res->rflags, res->mflags, + res->ippeerlimit, res->expire, res->link); + return; +} /* + * dump_restricts - spit out the 'restrict' lines + */ +void +dump_restricts(void) +{ + int defaultv4_done = 0; + int defaultv6_done = 0; + restrict_u * res; + restrict_u * next; + + mprintf("dump_restrict: restrict_def4: %p\n", &restrict_def4); + /* Spit out 'restrict {,-4,-6} default ...' lines, if needed */ + for (res = &restrict_def4; res != NULL; res = next) { + dump_restrict(res, 0); + next = res->link; + } + + mprintf("dump_restrict: restrict_def6: %p\n", &restrict_def6); + for (res = &restrict_def6; res != NULL; res = next) { + dump_restrict(res, 1); + next = res->link; + } + + /* Spit out the IPv4 list */ + mprintf("dump_restrict: restrictlist4: %p\n", &restrictlist4); + for (res = restrictlist4; res != NULL; res = next) { + dump_restrict(res, 0); + next = res->link; + } + + /* Spit out the IPv6 list */ + mprintf("dump_restrict: restrictlist6: %p\n", &restrictlist6); + for (res = restrictlist6; res != NULL; res = next) { + dump_restrict(res, 1); + next = res->link; + } + + return; +} + +/* * init_restrict - initialize the restriction data structures */ void @@ -147,6 +223,10 @@ init_restrict(void) * behavior as but reversed implementation compared to the docs. * */ + + restrict_def4.ippeerlimit = -1; /* Cleaner if we have C99 */ + restrict_def6.ippeerlimit = -1; /* Cleaner if we have C99 */ + LINK_SLIST(restrictlist4, &restrict_def4, link); LINK_SLIST(restrictlist6, &restrict_def6, link); restrictcount = 2; @@ -215,7 +295,7 @@ free_res( restrict_u * unlinked; restrictcount--; - if (RES_LIMITED & res->flags) + if (RES_LIMITED & res->rflags) dec_res_limited(); if (v6) @@ -265,14 +345,21 @@ match_restrict4_addr( restrict_u * next; for (res = restrictlist4; res != NULL; res = next) { + struct in_addr sia = { htonl(res->u.v4.addr) }; + next = res->link; - if (res->expire && - res->expire <= current_time) - free_res(res, v6); - if (res->u.v4.addr == (addr & res->u.v4.mask) - && (!(RESM_NTPONLY & res->mflags) - || NTP_PORT == port)) + DPRINTF(2, ("match_restrict4_addr: Checking %s, port %d ... ", + inet_ntoa(sia), port)); + if ( res->expire + && res->expire <= current_time) + free_res(res, v6); /* zeroes the contents */ + if ( res->u.v4.addr == (addr & res->u.v4.mask) + && ( !(RESM_NTPONLY & res->mflags) + || NTP_PORT == port)) { + DPRINTF(2, ("MATCH: ippeerlimit %d\n", res->ippeerlimit)); break; + } + DPRINTF(2, ("doesn't match: ippeerlimit %d\n", res->ippeerlimit)); } return res; } @@ -410,19 +497,25 @@ res_sorts_before6( /* - * restrictions - return restrictions for this host + * restrictions - return restrictions for this host in *r4a */ -u_short +void restrictions( - sockaddr_u *srcadr + sockaddr_u *srcadr, + r4addr *r4a ) { restrict_u *match; struct in6_addr *pin6; - u_short flags; + + REQUIRE(NULL != r4a); res_calls++; - flags = 0; + r4a->rflags = RES_IGNORE; + r4a->ippeerlimit = 0; + + DPRINTF(1, ("restrictions: looking up %s\n", stoa(srcadr))); + /* IPv4 source address */ if (IS_IPV4(srcadr)) { /* @@ -430,8 +523,11 @@ restrictions( * (this should be done early in the receive process, * not later!) */ - if (IN_CLASSD(SRCADR(srcadr))) - return (int)RES_IGNORE; + if (IN_CLASSD(SRCADR(srcadr))) { + DPRINTF(1, ("restrictions: srcadr %s is multicast\n", stoa(srcadr))); + r4a->ippeerlimit = 2; /* XXX: we should use a better value */ + return; + } match = match_restrict4_addr(SRCADR(srcadr), SRCPORT(srcadr)); @@ -448,7 +544,8 @@ restrictions( res_not_found++; else res_found++; - flags = match->flags; + r4a->rflags = match->rflags; + r4a->ippeerlimit = match->ippeerlimit; } /* IPv6 source address */ @@ -461,7 +558,7 @@ restrictions( * not later!) */ if (IN6_IS_ADDR_MULTICAST(pin6)) - return (int)RES_IGNORE; + return; match = match_restrict6_addr(pin6, SRCPORT(srcadr)); INSIST(match != NULL); @@ -470,9 +567,29 @@ restrictions( res_not_found++; else res_found++; - flags = match->flags; + r4a->rflags = match->rflags; + r4a->ippeerlimit = match->ippeerlimit; + } + return; +} + + +/* + * roptoa - convert a restrict_op to a string + */ +char * +roptoa(restrict_op op) { + static char sb[30]; + + switch(op) { + case RESTRICT_FLAGS: return "RESTRICT_FLAGS"; + case RESTRICT_UNFLAG: return "RESTRICT_UNFLAGS"; + case RESTRICT_REMOVE: return "RESTRICT_REMOVE"; + case RESTRICT_REMOVEIF: return "RESTRICT_REMOVEIF"; + default: + snprintf(sb, sizeof sb, "**RESTRICT_#%d**", op); + return sb; } - return (flags); } @@ -481,11 +598,12 @@ restrictions( */ void hack_restrict( - int op, + restrict_op op, sockaddr_u * resaddr, sockaddr_u * resmask, + short ippeerlimit, u_short mflags, - u_short flags, + u_short rflags, u_long expire ) { @@ -494,14 +612,15 @@ hack_restrict( restrict_u * res; restrict_u ** plisthead; - DPRINTF(1, ("restrict: op %d addr %s mask %s mflags %08x flags %08x\n", - op, stoa(resaddr), stoa(resmask), mflags, flags)); + DPRINTF(1, ("hack_restrict: op %s addr %s mask %s ippeerlimit %d mflags %08x rflags %08x\n", + roptoa(op), stoa(resaddr), stoa(resmask), ippeerlimit, mflags, rflags)); if (NULL == resaddr) { REQUIRE(NULL == resmask); REQUIRE(RESTRICT_FLAGS == op); - restrict_source_flags = flags; + restrict_source_rflags = rflags; restrict_source_mflags = mflags; + restrict_source_ippeerlimit = ippeerlimit; restrict_source_enabled = 1; return; } @@ -538,8 +657,9 @@ hack_restrict( } else /* not IPv4 nor IPv6 */ REQUIRE(0); - match.flags = flags; + match.rflags = rflags; match.mflags = mflags; + match.ippeerlimit = ippeerlimit; match.expire = expire; res = match_restrict_entry(&match, v6); @@ -547,7 +667,7 @@ hack_restrict( case RESTRICT_FLAGS: /* - * Here we add bits to the flags. If this is a + * Here we add bits to the rflags. If this is a * new restriction add it. */ if (NULL == res) { @@ -569,26 +689,29 @@ hack_restrict( : res_sorts_before4(res, L_S_S_CUR()), link, restrict_u); restrictcount++; - if (RES_LIMITED & flags) + if (RES_LIMITED & rflags) inc_res_limited(); } else { - if ((RES_LIMITED & flags) && - !(RES_LIMITED & res->flags)) + if ( (RES_LIMITED & rflags) + && !(RES_LIMITED & res->rflags)) inc_res_limited(); - res->flags |= flags; + res->rflags |= rflags; } + + res->ippeerlimit = match.ippeerlimit; + break; case RESTRICT_UNFLAG: /* - * Remove some bits from the flags. If we didn't + * Remove some bits from the rflags. If we didn't * find this one, just return. */ if (res != NULL) { - if ((RES_LIMITED & res->flags) - && (RES_LIMITED & flags)) + if ( (RES_LIMITED & res->rflags) + && (RES_LIMITED & rflags)) dec_res_limited(); - res->flags &= ~flags; + res->rflags &= ~rflags; } break; @@ -639,7 +762,7 @@ restrict_source( SET_HOSTMASK(&onesmask, AF(addr)); if (farewell) { hack_restrict(RESTRICT_REMOVE, addr, &onesmask, - 0, 0, 0); + -2, 0, 0, 0); DPRINTF(1, ("restrict_source: %s removed", stoa(addr))); return; } @@ -672,8 +795,8 @@ restrict_source( return; hack_restrict(RESTRICT_FLAGS, addr, &onesmask, - restrict_source_mflags, restrict_source_flags, - expire); + restrict_source_ippeerlimit, restrict_source_mflags, + restrict_source_rflags, expire); DPRINTF(1, ("restrict_source: %s host restriction added\n", stoa(addr))); } diff --git a/contrib/ntp/ntpd/ntp_scanner.c b/contrib/ntp/ntpd/ntp_scanner.c index 6cfbeef..42b83c8 100644 --- a/contrib/ntp/ntpd/ntp_scanner.c +++ b/contrib/ntp/ntpd/ntp_scanner.c @@ -167,6 +167,7 @@ lex_getch( stream->backch = EOF; if (stream->fpi) conf_file_sum += ch; + stream->curpos.ncol++; } else if (stream->fpi) { /* fetch next 7-bit ASCII char (or EOF) from file */ while ((ch = fgetc(stream->fpi)) != EOF && ch > SCHAR_MAX) diff --git a/contrib/ntp/ntpd/ntp_util.c b/contrib/ntp/ntpd/ntp_util.c index 3a95819..d8798de 100644 --- a/contrib/ntp/ntpd/ntp_util.c +++ b/contrib/ntp/ntpd/ntp_util.c @@ -666,6 +666,8 @@ mprintf_clock_stats( * peer ip address * IP address * t1 t2 t3 t4 timestamps + * leap, version, mode, stratum, ppoll, precision, root delay, root dispersion, REFID + * length and hex dump of any EFs and any legacy MAC. */ void record_raw_stats( @@ -683,7 +685,9 @@ record_raw_stats( int precision, double root_delay, /* seconds */ double root_dispersion,/* seconds */ - u_int32 refid + u_int32 refid, + int len, + u_char *extra ) { l_fp now; @@ -697,13 +701,23 @@ record_raw_stats( day = now.l_ui / 86400 + MJD_1900; now.l_ui %= 86400; if (rawstats.fp != NULL) { - fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s\n", + fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s", day, ulfptoa(&now, 3), - stoa(srcadr), dstadr ? stoa(dstadr) : "-", + srcadr ? stoa(srcadr) : "-", + dstadr ? stoa(dstadr) : "-", ulfptoa(t1, 9), ulfptoa(t2, 9), ulfptoa(t3, 9), ulfptoa(t4, 9), leap, version, mode, stratum, ppoll, precision, root_delay, root_dispersion, refid_str(refid, stratum)); + if (len > 0) { + int i; + + fprintf(rawstats.fp, " %d: ", len); + for (i = 0; i < len; ++i) { + fprintf(rawstats.fp, "%02x", extra[i]); + } + } + fprintf(rawstats.fp, "\n"); fflush(rawstats.fp); } } diff --git a/contrib/ntp/ntpd/ntpd-opts.c b/contrib/ntp/ntpd/ntpd-opts.c index 82ce754..47b0808 100644 --- a/contrib/ntp/ntpd/ntpd-opts.c +++ b/contrib/ntp/ntpd/ntpd-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpd-opts.c) * - * It has been AutoGen-ed March 21, 2017 at 10:42:12 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:13:19 PM by AutoGen 5.18.5 * From the definitions ntpd-opts.def * and the template file options * @@ -75,7 +75,7 @@ extern FILE * option_usage_fp; * static const strings for ntpd options */ static char const ntpd_opt_strs[3132] = -/* 0 */ "ntpd 4.2.8p10\n" +/* 0 */ "ntpd 4.2.8p11\n" "Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -205,12 +205,12 @@ static char const ntpd_opt_strs[3132] = /* 2901 */ "output version information and exit\0" /* 2937 */ "version\0" /* 2945 */ "NTPD\0" -/* 2950 */ "ntpd - NTP daemon program - Ver. 4.2.8p10\n" +/* 2950 */ "ntpd - NTP daemon program - Ver. 4.2.8p11\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n" "\t\t[ <server1> ... <serverN> ]\n\0" /* 3082 */ "http://bugs.ntp.org, bugs@ntp.org\0" /* 3116 */ "\n\0" -/* 3118 */ "ntpd 4.2.8p10"; +/* 3118 */ "ntpd 4.2.8p11"; /** * ipv4 option description with @@ -1529,7 +1529,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via ntpdOptions.pzCopyright */ - puts(_("ntpd 4.2.8p10\n\ + puts(_("ntpd 4.2.8p11\n\ Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the NTP License, copies of which\n\ @@ -1670,7 +1670,7 @@ implied warranty.\n")); puts(_("output version information and exit")); /* referenced via ntpdOptions.pzUsageTitle */ - puts(_("ntpd - NTP daemon program - Ver. 4.2.8p10\n\ + puts(_("ntpd - NTP daemon program - Ver. 4.2.8p11\n\ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\ \t\t[ <server1> ... <serverN> ]\n")); @@ -1678,7 +1678,7 @@ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\ puts(_("\n")); /* referenced via ntpdOptions.pzFullVersion */ - puts(_("ntpd 4.2.8p10")); + puts(_("ntpd 4.2.8p11")); /* referenced via ntpdOptions.pzFullUsage */ puts(_("<<<NOT-FOUND>>>")); diff --git a/contrib/ntp/ntpd/ntpd-opts.h b/contrib/ntp/ntpd/ntpd-opts.h index a511857..3372d4d 100644 --- a/contrib/ntp/ntpd/ntpd-opts.h +++ b/contrib/ntp/ntpd/ntpd-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpd-opts.h) * - * It has been AutoGen-ed March 21, 2017 at 10:42:11 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:13:17 PM by AutoGen 5.18.5 * From the definitions ntpd-opts.def * and the template file options * @@ -106,9 +106,9 @@ typedef enum { /** count of all options for ntpd */ #define OPTION_CT 38 /** ntpd version */ -#define NTPD_VERSION "4.2.8p10" +#define NTPD_VERSION "4.2.8p11" /** Full ntpd version text */ -#define NTPD_FULL_VERSION "ntpd 4.2.8p10" +#define NTPD_FULL_VERSION "ntpd 4.2.8p11" /** * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/contrib/ntp/ntpd/ntpd.1ntpdman b/contrib/ntp/ntpd/ntpd.1ntpdman index a977bf0..ec02e0c 100644 --- a/contrib/ntp/ntpd/ntpd.1ntpdman +++ b/contrib/ntp/ntpd/ntpd.1ntpdman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpd 1ntpdman "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpd 1ntpdman "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wcairs/ag-fdaWls) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Ffa4WQ/ag-RfaWVQ) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:13 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:30 PM by AutoGen 5.18.5 .\" From the definitions ntpd-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/ntpd/ntpd.1ntpdmdoc b/contrib/ntp/ntpd/ntpd.1ntpdmdoc index 34ec086..339d2cf 100644 --- a/contrib/ntp/ntpd/ntpd.1ntpdmdoc +++ b/contrib/ntp/ntpd/ntpd.1ntpdmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPD 1ntpdmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:23 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:47 PM by AutoGen 5.18.5 .\" From the definitions ntpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/ntpd/ntpd.c b/contrib/ntp/ntpd/ntpd.c index a0880be..d4204ef 100644 --- a/contrib/ntp/ntpd/ntpd.c +++ b/contrib/ntp/ntpd/ntpd.c @@ -313,11 +313,16 @@ my_pthread_warmup(void) #if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \ defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) && \ defined(PTHREAD_STACK_MIN) - rc = pthread_attr_setstacksize(&thr_attr, PTHREAD_STACK_MIN); - if (0 != rc) - msyslog(LOG_ERR, - "my_pthread_warmup: pthread_attr_setstacksize() -> %s", - strerror(rc)); + { + size_t ssmin = 32*1024; /* 32kB should be minimum */ + if (ssmin < PTHREAD_STACK_MIN) + ssmin = PTHREAD_STACK_MIN; + rc = pthread_attr_setstacksize(&thr_attr, ssmin); + if (0 != rc) + msyslog(LOG_ERR, + "my_pthread_warmup: pthread_attr_setstacksize() -> %s", + strerror(rc)); + } #endif rc = pthread_create( &thread, &thr_attr, my_pthread_warmup_worker, NULL); diff --git a/contrib/ntp/ntpd/ntpd.html b/contrib/ntp/ntpd/ntpd.html index e6aadd4..3af0cc5 100644 --- a/contrib/ntp/ntpd/ntpd.html +++ b/contrib/ntp/ntpd/ntpd.html @@ -39,7 +39,7 @@ The program can operate in any of several modes, including client/server, symmetric and broadcast modes, and with both symmetric-key and public-key cryptography. - <p>This document applies to version 4.2.8p10 of <code>ntpd</code>. + <p>This document applies to version 4.2.8p11 of <code>ntpd</code>. <ul class="menu"> <li><a accesskey="1" href="#ntpd-Description">ntpd Description</a>: Description @@ -220,7 +220,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntpd - NTP daemon program - Ver. 4.2.8p10-beta +<pre class="example">ntpd - NTP daemon program - Ver. 4.2.8p10 Usage: ntpd [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \ [ <server1> ... <serverN> ] Flg Arg Option-Name Description diff --git a/contrib/ntp/ntpd/ntpd.man.in b/contrib/ntp/ntpd/ntpd.man.in index c4a9200..d3f94c6 100644 --- a/contrib/ntp/ntpd/ntpd.man.in +++ b/contrib/ntp/ntpd/ntpd.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpd @NTPD_MS@ "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpd @NTPD_MS@ "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wcairs/ag-fdaWls) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Ffa4WQ/ag-RfaWVQ) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:13 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:30 PM by AutoGen 5.18.5 .\" From the definitions ntpd-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/ntpd/ntpd.mdoc.in b/contrib/ntp/ntpd/ntpd.mdoc.in index 52fcef0..53b1f41 100644 --- a/contrib/ntp/ntpd/ntpd.mdoc.in +++ b/contrib/ntp/ntpd/ntpd.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPD @NTPD_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:23 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:47 PM by AutoGen 5.18.5 .\" From the definitions ntpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/ntpd/ntpsim.c b/contrib/ntp/ntpd/ntpsim.c index b7c3218..5ae05b7 100644 --- a/contrib/ntp/ntpd/ntpsim.c +++ b/contrib/ntp/ntpd/ntpsim.c @@ -79,6 +79,7 @@ void create_server_associations(void) NULL, loopback_interface, MODE_CLIENT, + -1, NTP_VERSION, NTP_MINDPOLL, NTP_MAXDPOLL, diff --git a/contrib/ntp/ntpd/refclock_gpsdjson.c b/contrib/ntp/ntpd/refclock_gpsdjson.c index 00cd3fc..c2d41ff 100644 --- a/contrib/ntp/ntpd/refclock_gpsdjson.c +++ b/contrib/ntp/ntpd/refclock_gpsdjson.c @@ -1891,7 +1891,7 @@ gpsd_init_socket( */ ov = 1; rc = setsockopt(up->fdt, IPPROTO_TCP, TCP_NODELAY, - (char*)&ov, sizeof(ov)); + (void *)&ov, sizeof(ov)); if (-1 == rc) { if (syslogok(pp, up)) msyslog(LOG_INFO, @@ -1999,7 +1999,7 @@ gpsd_test_socket( /* check for socket error */ ec = 0; lc = sizeof(ec); - rc = getsockopt(up->fdt, SOL_SOCKET, SO_ERROR, &ec, &lc); + rc = getsockopt(up->fdt, SOL_SOCKET, SO_ERROR, (void *)&ec, &lc); if (-1 == rc || 0 != ec) { const char *errtxt; if (0 == ec) diff --git a/contrib/ntp/ntpd/refclock_jjy.c b/contrib/ntp/ntpd/refclock_jjy.c index 22636a0..a73cdd8 100644 --- a/contrib/ntp/ntpd/refclock_jjy.c +++ b/contrib/ntp/ntpd/refclock_jjy.c @@ -110,6 +110,11 @@ /* [Fix] C-DEX JST2000 */ /* Thanks to Mr. Kuramatsu for the report and the patch. */ /* */ +/* 2017/04/30 */ +/* [Change] Avoid a wrong report of the coverity static analysis */ +/* tool. ( The code is harmless and has no bug. ) */ +/* teljjy_conn_send() */ +/* */ /**********************************************************************/ #ifdef HAVE_CONFIG_H @@ -393,6 +398,7 @@ struct refclock refclock_jjy = { #define JJY_CLOCKSTATS_MARK_ATTENTION 5 #define JJY_CLOCKSTATS_MARK_WARNING 6 #define JJY_CLOCKSTATS_MARK_ERROR 7 +#define JJY_CLOCKSTATS_MARK_BUG 8 /* Local constants definition for the clockstats messages */ @@ -3299,6 +3305,7 @@ teljjy_conn_send ( struct peer *peer, struct refclockproc *pp, struct jjyunit *u const char * pCmd ; int i, iLen, iNextClockState ; + char sLog [ 120 ] ; DEBUG_TELJJY_PRINTF( "teljjy_conn_send" ) ; @@ -3327,8 +3334,8 @@ teljjy_conn_send ( struct peer *peer, struct refclockproc *pp, struct jjyunit *u /* Loopback character comes */ #ifdef DEBUG if ( debug ) { - printf( "refclock_jjy.c : teljjy_conn_send : iLoopbackCount=%d\n", - up->iLoopbackCount ) ; + printf( "refclock_jjy.c : teljjy_conn_send : iClockCommandSeq=%d iLoopbackCount=%d\n", + up->iClockCommandSeq, up->iLoopbackCount ) ; } #endif @@ -3351,8 +3358,18 @@ teljjy_conn_send ( struct peer *peer, struct refclockproc *pp, struct jjyunit *u if ( teljjy_command_sequence[up->iClockCommandSeq].iExpectedReplyType == TELJJY_REPLY_LOOPBACK ) { /* Loopback character and timestamp */ - gettimeofday( &(up->sendTime[up->iLoopbackCount]), NULL ) ; - up->bLoopbackMode = TRUE ; + if ( up->iLoopbackCount < MAX_LOOPBACK ) { + gettimeofday( &(up->sendTime[up->iLoopbackCount]), NULL ) ; + up->bLoopbackMode = TRUE ; + } else { + /* This else-block is never come. */ + /* This code avoid wrong report of the coverity static analysis scan tool. */ + snprintf( sLog, sizeof(sLog)-1, "refclock_jjy.c ; teljjy_conn_send ; iClockCommandSeq=%d iLoopbackCount=%d MAX_LOOPBACK=%d", + up->iClockCommandSeq, up->iLoopbackCount, MAX_LOOPBACK ) ; + jjy_write_clockstats( peer, JJY_CLOCKSTATS_MARK_BUG, sLog ) ; + msyslog ( LOG_ERR, "%s", sLog ) ; + up->bLoopbackMode = FALSE ; + } } else { /* Regular command */ up->bLoopbackMode = FALSE ; @@ -4383,6 +4400,9 @@ jjy_write_clockstats ( struct peer *peer, int iMark, const char *pData ) case JJY_CLOCKSTATS_MARK_ERROR : pMark = "-X- " ; break ; + case JJY_CLOCKSTATS_MARK_BUG : + pMark = "!!! " ; + break ; default : pMark = "" ; break ; diff --git a/contrib/ntp/ntpd/refclock_palisade.c b/contrib/ntp/ntpd/refclock_palisade.c index 921c815..d69ce94 100644 --- a/contrib/ntp/ntpd/refclock_palisade.c +++ b/contrib/ntp/ntpd/refclock_palisade.c @@ -80,10 +80,6 @@ extern int async_write(int, const void *, unsigned int); #endif #include "refclock_palisade.h" -/* Table to get from month to day of the year */ -const int days_of_year [12] = { - 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334 -}; #ifdef DEBUG const char * Tracking_Status[15][15] = { @@ -107,7 +103,7 @@ struct refclock refclock_palisade = { NOFLAGS /* not used */ }; -int day_of_year (char *dt); +static int decode_date(struct refclockproc *pp, const char *cp); /* Extract the clock type from the mode setting */ #define CLK_TYPE(x) ((int)(((x)->ttl) & 0x7F)) @@ -226,7 +222,7 @@ init_thunderbolt ( sendetx (&tx, fd); /* activate packets 0x8F-AB and 0x8F-AC */ - sendsupercmd (&tx, 0x8F, 0xA5); + sendsupercmd (&tx, 0x8E, 0xA5); sendint (&tx, 0x5); sendetx (&tx, fd); @@ -400,33 +396,78 @@ palisade_shutdown ( } - /* - * unpack_date - get day and year from date + * unpack helpers */ -int -day_of_year ( - char * dt - ) -{ - int day, mon, year; - mon = dt[1]; - /* Check month is inside array bounds */ - if ((mon < 1) || (mon > 12)) - return -1; +static inline uint8_t +get_u8( + const char *cp) +{ + return ((const u_char*)cp)[0]; +} - day = dt[0] + days_of_year[mon - 1]; - year = getint((u_char *) (dt + 2)); +static inline uint16_t +get_u16( + const char *cp) +{ + return ((uint16_t)get_u8(cp) << 8) | get_u8(cp + 1); +} - if ( !(year % 4) && ((year % 100) || - (!(year % 100) && !(year%400))) - &&(mon > 2)) - day ++; /* leap year and March or later */ +/* + * unpack & fix date (the receiver provides a valid time for 1024 weeks + * after 1997-12-14 and therefore folds back in 2017, 2037,...) + * + * Returns -1 on error, day-of-month + (month * 32) othertwise. + */ +int +decode_date( + struct refclockproc *pp, + const char *cp) +{ + static int32_t s_baseday = 0; + + struct calendar jd; + int32_t rd; + + if (0 == s_baseday) { + if (!ntpcal_get_build_date(&jd)) { + jd.year = 2015; + jd.month = 1; + jd.monthday = 1; + } + s_baseday = ntpcal_date_to_rd(&jd); + } - return day; + /* get date fields and convert to RDN */ + jd.monthday = get_u8 ( cp ); + jd.month = get_u8 (cp + 1); + jd.year = get_u16(cp + 2); + rd = ntpcal_date_to_rd(&jd); + + /* for the paranoid: do reverse calculation and cross-check */ + ntpcal_rd_to_date(&jd, rd); + if ((jd.monthday != get_u8 ( cp )) || + (jd.month != get_u8 (cp + 1)) || + (jd.year != get_u16(cp + 2)) ) + return - 1; + + /* calculate cycle shift to base day and calculate re-folded + * date + * + * One could do a proper modulo calculation here, but a counting + * loop is probably faster for the next few rollovers... + */ + while (rd < s_baseday) + rd += 7*1024; + ntpcal_rd_to_date(&jd, rd); + + /* fill refclock structure & indicate success */ + pp->day = jd.yearday; + pp->year = jd.year; + return ((int)jd.month << 5) | jd.monthday; } - + /* * TSIP_decode - decode the TSIP data packets @@ -441,7 +482,8 @@ TSIP_decode ( double secs; double secfrac; unsigned short event = 0; - + int mmday; + struct palisade_unit *up; struct refclockproc *pp; @@ -535,16 +577,16 @@ TSIP_decode ( pp->minute = secint / 60; secint %= 60; pp->second = secint % 60; - - if ((pp->day = day_of_year(&mb(11))) < 0) break; - pp->year = getint((u_char *) &mb(13)); + mmday = decode_date(pp, &mb(11)); + if (mmday < 0) + break; #ifdef DEBUG if (debug > 1) printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d UTC %02d\n", up->unit, mb(0) & 0xff, event, pp->hour, pp->minute, - pp->second, pp->nsec, mb(12), mb(11), pp->year, GPS_UTC_Offset); + pp->second, pp->nsec, (mmday >> 5), (mmday & 31), pp->year, GPS_UTC_Offset); #endif /* Only use this packet when no * 8F-AD's are being received @@ -584,7 +626,11 @@ TSIP_decode ( break; } - up->month = mb(15); + mmday = decode_date(pp, &mb(14)); + if (mmday < 0) + break; + up->month = (mmday >> 5); /* Save for LEAP check */ + if ( (up->leap_status & PALISADE_LEAP_PENDING) && /* Avoid early announce: https://bugs.ntp.org/2773 */ (6 == up->month || 12 == up->month) ) { @@ -612,19 +658,15 @@ TSIP_decode ( pp->nsec = (long) (getdbl((u_char *) &mb(3)) * 1000000000); - if ((pp->day = day_of_year(&mb(14))) < 0) - break; - pp->year = getint((u_char *) &mb(16)); pp->hour = mb(11); pp->minute = mb(12); pp->second = mb(13); - up->month = mb(14); /* Save for LEAP check */ #ifdef DEBUG if (debug > 1) printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d UTC %02x %s\n", up->unit, mb(0) & 0xff, event, pp->hour, pp->minute, - pp->second, pp->nsec, mb(15), mb(14), pp->year, + pp->second, pp->nsec, (mmday >> 5), (mmday & 31), pp->year, mb(19), *Tracking_Status[st]); #endif return 1; @@ -750,17 +792,17 @@ TSIP_decode ( printf (" Time is from GPS\n\n"); #endif - if ((pp->day = day_of_year(&mb(13))) < 0) + mmday = decode_date(pp, &mb(13)); + if (mmday < 0) break; tow = getlong((u_char *) &mb(1)); #ifdef DEBUG if (debug > 1) { printf("pp->day: %d\n", pp->day); printf("TOW: %ld\n", tow); - printf("DAY: %d\n", mb(13)); + printf("DAY: %d\n", (mmday & 31)); } #endif - pp->year = getint((u_char *) &mb(15)); pp->hour = mb(12); pp->minute = mb(11); pp->second = mb(10); @@ -768,7 +810,9 @@ TSIP_decode ( #ifdef DEBUG if (debug > 1) - printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d ",up->unit, mb(0) & 0xff, event, pp->hour, pp->minute, pp->second, pp->nsec, mb(14), mb(13), pp->year); + printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d ", + up->unit, mb(0) & 0xff, event, pp->hour, pp->minute, pp->second, + pp->nsec, (mmday >> 5), (mmday & 31), pp->year); #endif return 1; break; diff --git a/contrib/ntp/ntpd/refclock_parse.c b/contrib/ntp/ntpd/refclock_parse.c index cf81e40..cfe2a89 100644 --- a/contrib/ntp/ntpd/refclock_parse.c +++ b/contrib/ntp/ntpd/refclock_parse.c @@ -3614,7 +3614,9 @@ parse_control( } else { - int count = tmpctl.parseformat.parse_count - 1; + int count = tmpctl.parseformat.parse_count; + if (count) + --count; start = tt = add_var(&out->kv_list, 80, RO|DEF); tt = ap(start, 80, tt, "refclock_format=\""); @@ -3780,9 +3782,14 @@ parse_process( } else { + unsigned int count = tmpctl.parsegettc.parse_count; + if (count) + --count; ERR(ERR_BADDATA) - msyslog(LOG_WARNING, "PARSE receiver #%d: FAILED TIMECODE: \"%s\" (check receiver configuration / wiring)", - CLK_UNIT(parse->peer), mkascii(buffer, sizeof buffer, tmpctl.parsegettc.parse_buffer, (unsigned)(tmpctl.parsegettc.parse_count - 1))); + msyslog(LOG_WARNING, "PARSE receiver #%d: FAILED TIMECODE: \"%s\" (check receiver configuration / wiring)", + CLK_UNIT(parse->peer), + mkascii(buffer, sizeof(buffer), + tmpctl.parsegettc.parse_buffer, count)); } /* copy status to show only changes in case of failures */ parse->timedata.parse_status = parsetime->parse_status; diff --git a/contrib/ntp/ntpdate/Makefile.in b/contrib/ntp/ntpdate/Makefile.in index df32051..a913e1a 100644 --- a/contrib/ntp/ntpdate/Makefile.in +++ b/contrib/ntp/ntpdate/Makefile.in @@ -106,6 +106,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -974,7 +975,6 @@ install-exec-hook: # check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/ntpdc/Makefile.in b/contrib/ntp/ntpdc/Makefile.in index f4c270e..1ae94fa 100644 --- a/contrib/ntp/ntpdc/Makefile.in +++ b/contrib/ntp/ntpdc/Makefile.in @@ -107,6 +107,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -1246,7 +1247,6 @@ check-libopts: ../sntp/libopts/libopts.la -cd ../sntp/libopts && $(MAKE) $(AM_MAKEFLAGS) libopts.la check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/ntpdc/invoke-ntpdc.texi b/contrib/ntp/ntpdc/invoke-ntpdc.texi index 953b850..94e4230 100644 --- a/contrib/ntp/ntpdc/invoke-ntpdc.texi +++ b/contrib/ntp/ntpdc/invoke-ntpdc.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpdc.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:44:50 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:15:06 PM by AutoGen 5.18.5 # From the definitions ntpdc-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -76,7 +76,7 @@ with a status code of 0. @exampleindent 0 @example -ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10-beta +ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11 Usage: ntpdc [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [ host ...] Flg Arg Option-Name Description -4 no ipv4 Force IPv4 DNS name resolution diff --git a/contrib/ntp/ntpdc/layout.std b/contrib/ntp/ntpdc/layout.std index 6117f52..f07f79f 100644 --- a/contrib/ntp/ntpdc/layout.std +++ b/contrib/ntp/ntpdc/layout.std @@ -168,7 +168,7 @@ offsetof(v6_flag) = 56 offsetof(unused4) = 60 offsetof(peer6) = 64 -sizeof(struct info_sys_stats) = 44 +sizeof(struct info_sys_stats) = 52 offsetof(timeup) = 0 offsetof(timereset) = 4 offsetof(denied) = 8 @@ -180,6 +180,8 @@ offsetof(processed) = 28 offsetof(badauth) = 32 offsetof(received) = 36 offsetof(limitrejected) = 40 +offsetof(lamport) = 44 +offsetof(tsrounding) = 48 sizeof(struct old_info_sys_stats) = 40 offsetof(timeup) = 0 @@ -260,21 +262,22 @@ sizeof(struct info_restrict) = 56 offsetof(addr) = 0 offsetof(mask) = 4 offsetof(count) = 8 -offsetof(flags) = 12 +offsetof(rflags) = 12 offsetof(mflags) = 14 offsetof(v6_flag) = 16 offsetof(unused1) = 20 offsetof(addr6) = 24 offsetof(mask6) = 40 -sizeof(struct conf_restrict) = 48 +sizeof(struct conf_restrict) = 52 offsetof(addr) = 0 offsetof(mask) = 4 -offsetof(flags) = 8 -offsetof(mflags) = 10 -offsetof(v6_flag) = 12 -offsetof(addr6) = 16 -offsetof(mask6) = 32 +offsetof(ippeerlimit) = 8 +offsetof(flags) = 10 +offsetof(mflags) = 12 +offsetof(v6_flag) = 16 +offsetof(addr6) = 20 +offsetof(mask6) = 36 sizeof(struct info_monitor_1) = 72 offsetof(avg_int) = 0 diff --git a/contrib/ntp/ntpdc/ntpdc-opts.c b/contrib/ntp/ntpdc/ntpdc-opts.c index 1b728b4..4b7c102 100644 --- a/contrib/ntp/ntpdc/ntpdc-opts.c +++ b/contrib/ntp/ntpdc/ntpdc-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpdc-opts.c) * - * It has been AutoGen-ed March 21, 2017 at 10:44:44 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:14:56 PM by AutoGen 5.18.5 * From the definitions ntpdc-opts.def * and the template file options * @@ -69,7 +69,7 @@ extern FILE * option_usage_fp; * static const strings for ntpdc options */ static char const ntpdc_opt_strs[1914] = -/* 0 */ "ntpdc 4.2.8p10\n" +/* 0 */ "ntpdc 4.2.8p11\n" "Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -128,14 +128,14 @@ static char const ntpdc_opt_strs[1914] = /* 1695 */ "no-load-opts\0" /* 1708 */ "no\0" /* 1711 */ "NTPDC\0" -/* 1717 */ "ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10\n" +/* 1717 */ "ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n\0" /* 1848 */ "$HOME\0" /* 1854 */ ".\0" /* 1856 */ ".ntprc\0" /* 1863 */ "http://bugs.ntp.org, bugs@ntp.org\0" /* 1897 */ "\n\0" -/* 1899 */ "ntpdc 4.2.8p10"; +/* 1899 */ "ntpdc 4.2.8p11"; /** * ipv4 option description with @@ -796,7 +796,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via ntpdcOptions.pzCopyright */ - puts(_("ntpdc 4.2.8p10\n\ + puts(_("ntpdc 4.2.8p11\n\ Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the NTP License, copies of which\n\ @@ -862,14 +862,14 @@ implied warranty.\n")); puts(_("load options from a config file")); /* referenced via ntpdcOptions.pzUsageTitle */ - puts(_("ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10\n\ + puts(_("ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11\n\ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n")); /* referenced via ntpdcOptions.pzExplain */ puts(_("\n")); /* referenced via ntpdcOptions.pzFullVersion */ - puts(_("ntpdc 4.2.8p10")); + puts(_("ntpdc 4.2.8p11")); /* referenced via ntpdcOptions.pzFullUsage */ puts(_("<<<NOT-FOUND>>>")); diff --git a/contrib/ntp/ntpdc/ntpdc-opts.h b/contrib/ntp/ntpdc/ntpdc-opts.h index fb23a96..f0c4978 100644 --- a/contrib/ntp/ntpdc/ntpdc-opts.h +++ b/contrib/ntp/ntpdc/ntpdc-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpdc-opts.h) * - * It has been AutoGen-ed March 21, 2017 at 10:44:43 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:14:56 PM by AutoGen 5.18.5 * From the definitions ntpdc-opts.def * and the template file options * @@ -83,9 +83,9 @@ typedef enum { /** count of all options for ntpdc */ #define OPTION_CT 15 /** ntpdc version */ -#define NTPDC_VERSION "4.2.8p10" +#define NTPDC_VERSION "4.2.8p11" /** Full ntpdc version text */ -#define NTPDC_FULL_VERSION "ntpdc 4.2.8p10" +#define NTPDC_FULL_VERSION "ntpdc 4.2.8p11" /** * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/contrib/ntp/ntpdc/ntpdc.1ntpdcman b/contrib/ntp/ntpdc/ntpdc.1ntpdcman index a0cfc1f..6e19ef6 100644 --- a/contrib/ntp/ntpdc/ntpdc.1ntpdcman +++ b/contrib/ntp/ntpdc/ntpdc.1ntpdcman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpdc 1ntpdcman "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpdc 1ntpdcman "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-T2aicv/ag-q4aGav) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-MnaqKS/ag-YnaiJS) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:50 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:03 PM by AutoGen 5.18.5 .\" From the definitions ntpdc-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc b/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc index 7388d63..9b38582 100644 --- a/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc +++ b/contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPDC 1ntpdcmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:57 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:09 PM by AutoGen 5.18.5 .\" From the definitions ntpdc-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/ntpdc/ntpdc.c b/contrib/ntp/ntpdc/ntpdc.c index 0375d36..3aeaddc 100644 --- a/contrib/ntp/ntpdc/ntpdc.c +++ b/contrib/ntp/ntpdc/ntpdc.c @@ -499,7 +499,7 @@ openhost( int optionValue = SO_SYNCHRONOUS_NONALERT; int err; - err = setsockopt(INVALID_SOCKET, SOL_SOCKET, SO_OPENTYPE, (char *)&optionValue, sizeof(optionValue)); + err = setsockopt(INVALID_SOCKET, SOL_SOCKET, SO_OPENTYPE, (void *)&optionValue, sizeof(optionValue)); if (err != NO_ERROR) { (void) fprintf(stderr, "cannot open nonoverlapped sockets\n"); exit(1); @@ -519,7 +519,7 @@ openhost( int rbufsize = INITDATASIZE + 2048; /* 2K for slop */ if (setsockopt(sockfd, SOL_SOCKET, SO_RCVBUF, - &rbufsize, sizeof(int)) == -1) + (void *)&rbufsize, sizeof(int)) == -1) error("setsockopt"); } # endif diff --git a/contrib/ntp/ntpdc/ntpdc.html b/contrib/ntp/ntpdc/ntpdc.html index 73260a6..e133ec7 100644 --- a/contrib/ntp/ntpdc/ntpdc.html +++ b/contrib/ntp/ntpdc/ntpdc.html @@ -36,7 +36,7 @@ display the time offset of the system clock relative to the server clock. Run as root, it can correct the system clock to this offset as well. It can be run as an interactive command or from a cron job. - <p>This document applies to version 4.2.8p10 of <code>ntpdc</code>. + <p>This document applies to version 4.2.8p11 of <code>ntpdc</code>. <p>The program implements the SNTP protocol as defined by RFC 5905, the NTPv4 IETF specification. @@ -152,7 +152,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10-beta +<pre class="example">ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11 Usage: ntpdc [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...] Flg Arg Option-Name Description -4 no ipv4 Force IPv4 DNS name resolution diff --git a/contrib/ntp/ntpdc/ntpdc.man.in b/contrib/ntp/ntpdc/ntpdc.man.in index 19d3da0..4b31f2e 100644 --- a/contrib/ntp/ntpdc/ntpdc.man.in +++ b/contrib/ntp/ntpdc/ntpdc.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpdc @NTPDC_MS@ "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpdc @NTPDC_MS@ "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-T2aicv/ag-q4aGav) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-MnaqKS/ag-YnaiJS) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:50 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:03 PM by AutoGen 5.18.5 .\" From the definitions ntpdc-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/ntpdc/ntpdc.mdoc.in b/contrib/ntp/ntpdc/ntpdc.mdoc.in index 19facb2..3720f93 100644 --- a/contrib/ntp/ntpdc/ntpdc.mdoc.in +++ b/contrib/ntp/ntpdc/ntpdc.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPDC @NTPDC_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:57 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:09 PM by AutoGen 5.18.5 .\" From the definitions ntpdc-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/ntpdc/ntpdc_ops.c b/contrib/ntp/ntpdc/ntpdc_ops.c index 1a400ec..586ed7f0 100644 --- a/contrib/ntp/ntpdc/ntpdc_ops.c +++ b/contrib/ntp/ntpdc/ntpdc_ops.c @@ -1683,7 +1683,7 @@ reslist( const char *mask; struct resflags *rf; u_int32 count; - u_short flags; + u_short rflags; u_short mflags; char flagstr[300]; static const char *comma = ", "; @@ -1730,7 +1730,7 @@ again: ((pcmd->argval->ival == 4) && (rl->v6_flag == 0))) skip = 0; count = ntohl(rl->count); - flags = ntohs(rl->flags); + rflags = ntohs(rl->rflags); mflags = ntohs(rl->mflags); flagstr[0] = '\0'; @@ -1753,7 +1753,7 @@ again: : &resflagsV3[0]; while (rf->bit != 0) { - if (flags & rf->bit) { + if (rflags & rf->bit) { if (!res) strlcat(flagstr, comma, sizeof(flagstr)); diff --git a/contrib/ntp/ntpq/Makefile.am b/contrib/ntp/ntpq/Makefile.am index 06018fc..074bdce 100644 --- a/contrib/ntp/ntpq/Makefile.am +++ b/contrib/ntp/ntpq/Makefile.am @@ -21,9 +21,13 @@ ntpq_LDADD = version.o $(LIBOPTS_LDADD) ntpq_LDADD += ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) ntpq_LDADD += $(PTHREAD_LIBS) $(EDITLINE_LIBS) ntpq_LDADD += $(LDADD_NTP) +ntpq_LDADD += $(NTP_HARD_LDFLAGS) noinst_HEADERS= ntpq.h noinst_LIBRARIES= libntpq.a -libntpq_a_CFLAGS= -DNO_MAIN_ALLOWED -DBUILD_AS_LIB +libntpq_a_CFLAGS= $(AM_CFLAGS) +libntpq_a_CFLAGS+= -DNO_MAIN_ALLOWED -DBUILD_AS_LIB +libntpq_a_CPPFLAGS= $(AM_CPPFLAGS) +libntpq_a_LDFLAGS= $(AM_LDFLAGS) CLEANFILES= DISTCLEANFILES= .version version.c config.log $(man_MANS) ETAGS_ARGS= Makefile.am diff --git a/contrib/ntp/ntpq/Makefile.in b/contrib/ntp/ntpq/Makefile.in index 2bddc00..b208853 100644 --- a/contrib/ntp/ntpq/Makefile.in +++ b/contrib/ntp/ntpq/Makefile.in @@ -108,6 +108,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -167,7 +168,7 @@ am__DEPENDENCIES_1 = ntpq_DEPENDENCIES = version.o $(am__DEPENDENCIES_1) ../libntp/libntp.a \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \ - $(am__DEPENDENCIES_1) + $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) AM_V_lt = $(am__v_lt_@AM_V@) am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) am__v_lt_0 = --silent @@ -547,10 +548,12 @@ AM_LDFLAGS = $(LDFLAGS_NTP) $(NTP_HARD_LDFLAGS) # LDADD might need RESLIB and ADJLIB ntpq_LDADD = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a \ $(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS) $(EDITLINE_LIBS) \ - $(LDADD_NTP) + $(LDADD_NTP) $(NTP_HARD_LDFLAGS) noinst_HEADERS = ntpq.h noinst_LIBRARIES = libntpq.a -libntpq_a_CFLAGS = -DNO_MAIN_ALLOWED -DBUILD_AS_LIB +libntpq_a_CFLAGS = $(AM_CFLAGS) -DNO_MAIN_ALLOWED -DBUILD_AS_LIB +libntpq_a_CPPFLAGS = $(AM_CPPFLAGS) +libntpq_a_LDFLAGS = $(AM_LDFLAGS) CLEANFILES = check-libopts check-libntp .deps-ver DISTCLEANFILES = .version version.c config.log $(man_MANS) ETAGS_ARGS = Makefile.am @@ -828,32 +831,32 @@ distclean-compile: @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< libntpq_a-libntpq.o: libntpq.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq.Tpo $(DEPDIR)/libntpq_a-libntpq.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq.c' object='libntpq_a-libntpq.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c libntpq_a-libntpq.obj: libntpq.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq.Tpo $(DEPDIR)/libntpq_a-libntpq.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq.c' object='libntpq_a-libntpq.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi` libntpq_a-libntpq_subs.o: libntpq_subs.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq_subs.Tpo $(DEPDIR)/libntpq_a-libntpq_subs.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq_subs.c' object='libntpq_a-libntpq_subs.o' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c libntpq_a-libntpq_subs.obj: libntpq_subs.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi` +@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq_subs.Tpo $(DEPDIR)/libntpq_a-libntpq_subs.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq_subs.c' object='libntpq_a-libntpq_subs.obj' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi` mostlyclean-libtool: -rm -f *.lo @@ -1272,7 +1275,6 @@ check-libopts: ../sntp/libopts/libopts.la -cd ../sntp/libopts && $(MAKE) $(AM_MAKEFLAGS) libopts.la check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/ntpq/invoke-ntpq.texi b/contrib/ntp/ntpq/invoke-ntpq.texi index 3cee868..69f2088 100644 --- a/contrib/ntp/ntpq/invoke-ntpq.texi +++ b/contrib/ntp/ntpq/invoke-ntpq.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpq.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:45:28 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:15:26 PM by AutoGen 5.18.5 # From the definitions ntpq-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -14,13 +14,9 @@ The @code{ntpq} -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -64,6 +60,16 @@ one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. +Note that in contexts where a host name is expected, a +@code{-4} +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +@code{-6} +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +@quotedblleft{}NTP Debugging Techniques@quotedblright{} +page. + Specifying a command line option other than @code{-i} @@ -76,7 +82,9 @@ Otherwise, @code{ntpq} will attempt to read interactive format commands from the standard input. + @subsubsection Internal Commands + Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to @@ -86,41 +94,36 @@ A number of interactive format commands are executed entirely within the @code{ntpq} -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. @table @asis -@item @code{?} @code{[@kbd{command_keyword}]} -@item @code{help} @code{[@kbd{command_keyword}]} +@item @code{?} @code{[@kbd{command}]} +@item @code{help} @code{[@kbd{command}]} A @quoteleft{}?@quoteright{} -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to @code{ntpq} A @quoteleft{}?@quoteright{} -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -@code{ntpq} -than this manual -page. -@item @code{addvars} @kbd{variable_name}@code{[@code{=value}]} @code{...} -@item @code{rmvars} @kbd{variable_name} @code{...} +@item @code{addvars} @kbd{name}@code{[=@kbd{value}]}@code{[,...]} +@item @code{rmvars} @kbd{name}@code{[,...]} @item @code{clearvars} @item @code{showvars} -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -@quoteleft{}variable_name=value@quoteright{}, +@kbd{name}@code{[=@kbd{value}]}, where the -@quoteleft{}=value@quoteright{} +.No = Ns Ar value is ignored, and can be omitted, in requests to the server to read variables. The @code{ntpq} -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the @code{readlist} and @code{writelist} @@ -135,35 +138,31 @@ The @code{rmvars} command can be used to remove individual variables from the list, while the -@code{clearlist} +@code{clearvars} command removes all variables from the list. The @code{showvars} command displays the current list of optional variables. -@item @code{authenticate} @code{[yes | no]} +@item @code{authenticate} @code{[@code{yes}|@code{no}]} Normally @code{ntpq} does not authenticate requests unless they are write requests. The command -@quoteleft{}authenticate yes@quoteright{} +@code{authenticate} @code{yes} causes @code{ntpq} to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -@code{peer} -display. +requests slightly differently. The command -@quoteleft{}authenticate@quoteright{} +@code{authenticate} causes @code{ntpq} to display whether or not -@code{ntpq} -is currently autheinticating requests. +it is currently authenticating requests. @item @code{cooked} Causes output from query commands to be "cooked", so that variables which are recognized by @@ -172,13 +171,13 @@ will have their values reformatted for human consumption. Variables which @code{ntpq} -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing @quoteleft{}?@quoteright{}. -@item @code{debug} @code{[@code{more} | @code{less} | @code{off}]} +@item @code{debug} @code{[@code{more}|@code{less}|@code{off}]} With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. -@item @code{delay} @kbd{milliseconds} +Otherwise, the debugging level is changed as indicated. +@item @code{delay} @code{[@kbd{milliseconds}]} Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -187,14 +186,21 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +@item @code{drefid} @code{[@code{hash}|@code{ipv4}]} +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. @item @code{exit} Exit @code{ntpq} -@item @code{host} @kbd{hostname} +@item @code{host} @code{[@kbd{name}]} Set the host to which future queries will be sent. -@kbd{hostname} +The +@kbd{name} may be either a host name or a numeric address. -@item @code{hostnames} @code{[@code{yes} | @code{no}]} +Without any arguments, displays the current host. +@item @code{hostnames} @code{[@code{yes}|@code{no}]} If @code{yes} is specified, host names are printed in @@ -209,7 +215,9 @@ unless modified using the command line @code{-n} switch. -@item @code{keyid} @kbd{keyid} +Without any arguments, displays whether host names or numeric addresses +are shown. +@item @code{keyid} @code{[@kbd{keyid}]} This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -217,18 +225,20 @@ to the @code{controlkey} key number the server has been configured to use for this purpose. -@item @code{keytype} @code{[@code{md5} | @code{OpenSSLDigestType}]} -Specify the type of key to use for authenticating requests. -@code{md5} -is alway supported. +Without any arguments, displays the current +@kbd{keyid}. +@item @code{keytype} @code{[@kbd{digest}]} +Specify the digest algorithm to use for authenticating requests, with default +@code{MD5}. If @code{ntpq} -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +@kbd{digest} +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -@code{keytype} -is displayed. -@item @code{ntpversion} @code{[@code{1} | @code{2} | @code{3} | @code{4}]} +@code{keytype} @kbd{digest} +algorithm used is displayed. +@item @code{ntpversion} @code{[@code{1}|@code{2}|@code{3}|@code{4}]} Sets the NTP version number which @code{ntpq} claims in @@ -246,9 +256,11 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -@code{poll} +@item @code{poll} @code{[@kbd{n}]} @code{[@code{verbose}]} +Poll an NTP server in client mode @kbd{n} -@code{verbose} +times. +Poll not implemented yet. @item @code{quit} Exit @code{ntpq} @@ -258,24 +270,28 @@ from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. -@item @code{timeout} @kbd{milliseconds} +@item @code{timeout} @code{[@kbd{milliseconds}]} Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since @code{ntpq} retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. @item @code{version} -Print the version of the +Display the version of the @code{ntpq} program. @end table @subsubsection Control Message Commands -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the @code{peers} command, which sends a series of messages, @@ -285,63 +301,121 @@ and @code{mreadvar} commands, which iterate over a range of associations. @table @asis +@item @code{apeers} +Display a list of peers in the form: +@example +[tally]remote refid assid st t when pool reach delay offset jitter +@end example +where the output is just like the +@code{peers} +command except that the +@code{refid} +is displayed in hex format and the association number is also displayed. @item @code{associations} Display a list of mobilized associations in the form: @example ind assid status conf reach auth condition last_event cnt @end example @table @asis -@item Sy String Ta Sy Description +@item Sy Variable Ta Sy Description @item @code{ind} @code{Ta} @code{index} @code{on} @code{this} @code{list} -@item @code{assid} @code{Ta} @code{association} @code{ID} +@item @code{assid} @code{Ta} @code{association} @code{id} @item @code{status} @code{Ta} @code{peer} @code{status} @code{word} -@item @code{conf} @code{Ta} @code{yes}: @code{persistent,} @code{no}: @code{ephemeral} -@item @code{reach} @code{Ta} @code{yes}: @code{reachable,} @code{no}: @code{unreachable} -@item @code{auth} @code{Ta} @code{ok}, @code{yes}, @code{bad} @code{and} @code{none} -@item @code{condition} @code{Ta} @code{selection} @code{status} @code{(see} @code{the} @code{select} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)} -@item @code{last_event} @code{Ta} @code{event} @code{report} @code{(see} @code{the} @code{event} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)} -@item @code{cnt} @code{Ta} @code{event} @code{count} @code{(see} @code{the} @code{count} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)} +@item @code{conf} @code{Ta} @code{yes}: @code{No} @code{persistent,} @code{no}: @code{No} @code{ephemeral} +@item @code{reach} @code{Ta} @code{yes}: @code{No} @code{reachable,} @code{no}: @code{No} @code{unreachable} +@item @code{auth} @code{Ta} @code{ok}, @code{yes}, @code{bad} @code{No} @code{and} @code{none} +@item @code{condition} @code{Ta} @code{selection} @code{status} @code{(see} @code{the} @code{select} @code{No} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)} +@item @code{last_event} @code{Ta} @code{event} @code{report} @code{(see} @code{the} @code{event} @code{No} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)} +@item @code{cnt} @code{Ta} @code{event} @code{count} @code{(see} @code{the} @code{count} @code{No} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)} @end table @item @code{authinfo} -Display the authentication statistics. -@item @code{clockvar} @kbd{assocID} @code{[@kbd{name}@code{[@code{=}@kbd{value}]}]} @code{[...]} -@item @code{cv} @kbd{assocID} @code{[@kbd{name}@code{[@code{=}@kbd{value}]}]} @code{[...]} -Display a list of clock variables for those associations supporting a reference clock. -@item @code{:config} @code{[...]} -Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +@item @code{clocklist} @code{[@kbd{associd}]} +@item @code{cl} @code{[@kbd{associd}]} +Display all clock variables in the variable list for those associations +supporting a reference clock. +@item @code{clockvar} @code{[@kbd{associd}]} @code{[@kbd{name}@code{[=@kbd{value}]}]}@code{[,...]} +@item @code{cv} @code{[@kbd{associd}]} @code{[@kbd{name}@code{[=@kbd{value}]}]}@code{[,...]} +Display a list of clock variables for those associations supporting a +reference clock. +@item @code{:config} @kbd{configuration command line} +Send the remainder of the command line, including whitespace, to the +server as a run-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. @item @code{config-from-file} @kbd{filename} -Send the each line of +Send each line of @kbd{filename} -to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. @item @code{ifstats} -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. @item @code{iostats} -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. @item @code{kerninfo} -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. @item @code{lassociations} -Perform the same function as the associations command, except display mobilized and unmobilized associations. -@item @code{lopeers} @code{[@code{-4} | @code{-6}]} -Obtain and print a list of all peers and clients showing -@kbd{dstadr} -(associated with any given IP version). -@item @code{lpeers} @code{[@code{-4} | @code{-6}]} -Print a peer spreadsheet for the appropriate IP version(s). -@kbd{dstadr} -(associated with any given IP version). +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. +@item @code{lopeers} @code{[@code{-4}|@code{-6}]} +Display a list of all peers and clients showing +@code{dstadr} +(associated with the given IP version). +@item @code{lpassociations} +Display the last obtained list of associations, including all clients. +@item @code{lpeers} @code{[@code{-4}|@code{-6}]} +Display a list of all peers and clients (associated with the given IP version). @item @code{monstats} -Display monitor facility statistics. -@item @code{mrulist} @code{[@code{limited} | @code{kod} | @code{mincount}=@kbd{count} | @code{laddr}=@kbd{localaddr} | @code{sort}=@kbd{sortorder} | @code{resany}=@kbd{hexmask} | @code{resall}=@kbd{hexmask}]} -Obtain and print traffic counts collected and maintained by the monitor facility. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +@item @code{mreadlist} @kbd{associdlo} @kbd{associdhi} +@item @code{mrl} @kbd{associdlo} @kbd{associdhi} +Perform the same function as the +@code{readlist} +command for a range of association ids. +@item @code{mreadvar} @kbd{associdlo} @kbd{associdhi} @code{[@kbd{name}]}@code{[,...]} +This range may be determined from the list displayed by any +command showing associations. +@item @code{mrv} @kbd{associdlo} @kbd{associdhi} @code{[@kbd{name}]}@code{[,...]} +Perform the same function as the +@code{readvar} +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +@item @code{mrulist} @code{[@code{limited} | @code{kod} | @code{mincount}=@kbd{count} | @code{laddr}=@kbd{localaddr} | @code{sort}=@code{[-]}@kbd{sortorder} | @code{resany}=@kbd{hexmask} | @code{resall}=@kbd{hexmask}]} +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -@code{sort}=@kbd{sortorder}, +@code{sort}=@code{[-]}@kbd{sortorder}, the options filter the list returned by -@code{ntpd.} +@code{ntpd(8)}. The @code{limited} and @code{kod} -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The @code{mincount}=@kbd{count} option filters entries representing less than @@ -362,18 +436,21 @@ The @kbd{sortorder} defaults to @code{lstint} -and may be any of +and may be @code{addr}, -@code{count}, @code{avgint}, +@code{count}, @code{lstint}, -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +@quoteleft{}-@quoteright{} +to reverse the sort order. The output columns are: @table @asis @item Column Description @item @code{lstint} -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by @code{ntpq} @item @code{avgint} Average interval in s between packets from this address. @@ -381,7 +458,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching @code{restrict} -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. @item @code{r} Rate control indicator, either a period, @@ -399,23 +477,15 @@ Packets received from this address. @item @code{rport} Source port of last packet from this address. @item @code{remote} @code{address} -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. @end table -@item @code{mreadvar} @code{assocID} @code{assocID} @code{[@kbd{variable_name}@code{[=@kbd{value}]} ...]} -@item @code{mrv} @code{assocID} @code{assocID} @code{[@kbd{variable_name}@code{[=@kbd{value}]} ...]} -Perform the same function as the -@code{readvar} -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -@code{associations} -command. @item @code{opeers} @code{[@code{-4} | @code{-6}]} Obtain and print the old-style list of all peers and clients showing -@kbd{dstadr} -(associated with any given IP version), +@code{dstadr} +(associated with the given IP version), rather than the -@kbd{refid}. +@code{refid}. @item @code{passociations} Perform the same function as the @code{associations} @@ -436,21 +506,25 @@ field of the .Lk decode.html#peer "peer status word" @item @code{remote} host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +@code{ntpq} @code{-w} -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. @item @code{refid} -association ID or +source IP address or .Lk decode.html#kiss "'kiss code" @item @code{st} -stratum +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks @item @code{t} @code{u}: unicast or manycast client, @code{b}: broadcast or multicast client, +@code{p}: +pool source, @code{l}: local (reference clock), @code{s}: @@ -462,9 +536,12 @@ broadcast server, @code{M}: multicast server @item @code{when} -sec/min/hr since last received packet +time in seconds, minutes, hours, or days since the last packet +was received, or +@quoteleft{}-@quoteright{} +if a packet has never been received @item @code{poll} -poll interval (log2 s) +poll interval (s) @item @code{reach} reach shift register (octal) @item @code{delay} @@ -472,110 +549,124 @@ roundtrip delay @item @code{offset} offset of server relative to this host @item @code{jitter} -jitter +offset RMS error estimate. @end table -@item @code{apeers} -Display a list of peers in the form: -@example -[tally]remote refid assid st t when pool reach delay offset jitter -@end example -where the output is just like the -@code{peers} -command except that the -@code{refid} -is displayed in hex format and the association number is also displayed. -@item @code{pstats} @kbd{assocID} -Show the statistics for the peer with the given -@kbd{assocID}. -@item @code{readlist} @kbd{assocID} -@item @code{rl} @kbd{assocID} -Read the system or peer variables included in the variable list. -@item @code{readvar} @kbd{assocID} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]} -@item @code{rv} @kbd{assocID} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]} -Display the specified variables. +@item @code{pstats} @kbd{associd} +Display the statistics for the peer with the given +@kbd{associd}: +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. +@item @code{readlist} @code{[@kbd{associd}]} +@item @code{rl} @code{[@kbd{associd}]} +Display all system or peer variables. +If the +@kbd{associd} +is omitted, it is assumed to be zero. +@item @code{readvar} @code{[@kbd{associd} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]}]} +@item @code{rv} @code{[@kbd{associd} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]}]} +Display the specified system or peer variables. If -@kbd{assocID} +@kbd{associd} is zero, the variables are from the @ref{System Variables} name space, otherwise they are from the @ref{Peer Variables} name space. The -@kbd{assocID} +@kbd{associd} is required, as the same name can occur in both spaces. If no @kbd{name} is included, all operative variables in the name space are displayed. - In this case only, if the -@kbd{assocID} -is omitted, it is assumed zero. +@kbd{associd} +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +@kbd{YYYY}@kbd{MM} @kbd{DD} @kbd{TTTT}, +where +@kbd{YYYY} +is the year, +@kbd{MM} +the month of year, +@kbd{DD} +the day of month and +@kbd{TTTT} +the time of day. @item @code{reslist} -Show the access control (restrict) list for +Display the access control (restrict) list for @code{ntpq} - +Authentication is required. @item @code{saveconfig} @kbd{filename} -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by @code{:config} or @code{config-from-file}, -to the ntpd host's file +to the NTP server host file @kbd{filename}. This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -@code{ntpd} +@code{ntpd(8)} configuration file. @kbd{filename} can use -@code{strftime()} -format specifies to substitute the current date and time, for example, -@code{q]saveconfig} @code{ntp-%Y%m%d-%H%M%S.confq]}. +@code{date(1)} +format specifiers to substitute the current date and time, for +example, +@example +@code{saveconfig} @file{ntp-%Y%m%d-%H%M%S.conf}. +@end example The filename used is stored in system variable @code{savedconfig}. Authentication is required. +@item @code{sysinfo} +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +@item @code{sysstats} +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. @item @code{timerstats} -Display interval timer counters. -@item @code{writelist} @kbd{assocID} -Write the system or peer variables included in the variable list. -@item @code{writevar} @kbd{assocID} @kbd{name}=@kbd{value} @code{[, ...]} -Write the specified variables. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. +@item @code{writelist} @kbd{associd} +Set all system or peer variables included in the variable list. +@item @code{writevar} @kbd{associd} @kbd{name}=@kbd{value} @code{[, ...]} +Set the specified variables in the variable list. If the -@kbd{assocID} +@kbd{associd} is zero, the variables are from the @ref{System Variables} name space, otherwise they are from the @ref{Peer Variables} name space. The -@kbd{assocID} +@kbd{associd} is required, as the same name can occur in both spaces. -@item @code{sysinfo} -Display operational summary. -@item @code{sysstats} -Print statistics counters maintained in the protocol module. +Authentication is required. @end table @subsubsection Status Words and Kiss Codes - The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per-association basis. -These words are displayed in the -@code{rv} +These words are displayed by the +@code{readlist} and -@code{as} +@code{associations} commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -593,9 +684,10 @@ in the reference identifier field in various billboards. @subsubsection System Variables The following system variables appear in the -@code{rv} +@code{readlist} billboard. Not all variables are displayed in some configurations. + @table @asis @item Variable Description @@ -617,25 +709,25 @@ precision (log2 s) total roundtrip delay to the primary reference clock @item @code{rootdisp} total dispersion to the primary reference clock +@item @code{refid} +reference id or +.Lk decode.html#kiss "kiss code" +@item @code{reftime} +reference time +@item @code{clock} +date and time of day @item @code{peer} -system peer association ID +system peer association id @item @code{tc} time constant and poll exponent (log2 s) (3-17) @item @code{mintc} minimum time constant (log2 s) (3-10) -@item @code{clock} -date and time of day -@item @code{refid} -reference ID or -.Lk decode.html#kiss "kiss code" -@item @code{reftime} -reference time @item @code{offset} -combined offset of server relative to this host +combined offset of server relative to this host +@item @code{frequency} +frequency drift (PPM) relative to hardware clock @item @code{sys_jitter} combined system jitter -@item @code{frequency} -frequency offset (PPM) relative to hardware clock @item @code{clk_wander} clock frequency wander (PPM) @item @code{clk_jitter} @@ -655,7 +747,6 @@ When the NTPv4 daemon is compiled with the OpenSSL software library, additional system variables are displayed, including some or all of the following, depending on the particular Autokey dance: - @table @asis @item Variable Description @@ -678,7 +769,7 @@ NTP seconds when the certificate expires @end table @subsubsection Peer Variables The following peer variables appear in the -@code{rv} +@code{readlist} billboard for each association. Not all variables are displayed in some configurations. @@ -686,7 +777,7 @@ Not all variables are displayed in some configurations. @item Variable Description @item @code{associd} -association ID +association id @item @code{status} .Lk decode.html#peer "peer status word" @item @code{srcadr} @@ -708,10 +799,12 @@ total roundtrip delay to the primary reference clock @item @code{rootdisp} total root dispersion to the primary reference clock @item @code{refid} -reference ID or +reference id or .Lk decode.html#kiss "kiss code" @item @code{reftime} reference time +@item @code{rec} +last packet received time @item @code{reach} reach register (octal) @item @code{unreach} @@ -729,6 +822,8 @@ headway (see .Lk rate.html "Rate Management and the Kiss-o'-Death Packet" ) @item @code{flash} .Lk decode.html#flash "flash status word" +@item @code{keyid} +symmetric key id @item @code{offset} filter offset @item @code{delay} @@ -737,8 +832,6 @@ filter delay filter dispersion @item @code{jitter} filter jitter -@item @code{ident} -Autokey group name for this association @item @code{bias} unicast/broadcast bias @item @code{xleave} @@ -749,7 +842,8 @@ The @code{bias} variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The @code{xleave} variable appears only for the interleaved symmetric and interleaved modes. @@ -770,23 +864,25 @@ peer flags (see Autokey specification) @item @code{signature} OpenSSL digest/signature scheme @item @code{initsequence} -initial key ID +initial key id @item @code{initkey} initial key index @item @code{timestamp} Autokey signature timestamp +@item @code{ident} +Autokey group name for this association @end table @subsubsection Clock Variables The following clock variables appear in the -@code{cv} +@code{clocklist} billboard for each association with a reference clock. Not all variables are displayed in some configurations. @table @asis @item Variable Description @item @code{associd} -association ID +association id @item @code{status} .Lk decode.html#clock "clock status word" @item @code{device} @@ -808,7 +904,7 @@ fudge time 2 @item @code{stratum} driver stratum @item @code{refid} -driver reference ID +driver reference id @item @code{flags} driver flags @end table @@ -848,12 +944,12 @@ with a status code of 0. @exampleindent 0 @example -ntpq - standard NTP query program - Ver. 4.2.8p10-beta +ntpq - standard NTP query program - Ver. 4.2.8p11 Usage: ntpq [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [ host ...] Flg Arg Option-Name Description - -4 no ipv4 Force IPv4 DNS name resolution + -4 no ipv4 Force IPv4 name resolution - prohibits the option 'ipv6' - -6 no ipv6 Force IPv6 DNS name resolution + -6 no ipv6 Force IPv6 name resolution - prohibits the option 'ipv4' -c Str command run a command and exit - may appear multiple times @@ -899,7 +995,7 @@ Please send bug reports to: <http://bugs.ntp.org, bugs@@ntp.org> @subsection ipv4 option (-4) @cindex ntpq-ipv4 -This is the ``force ipv4 dns name resolution'' option. +This is the ``force ipv4 name resolution'' option. @noindent This option has some usage constraints. It: @@ -909,13 +1005,13 @@ must not appear in combination with any of the following options: ipv6. @end itemize -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv4 namespace. @node ntpq ipv6 @subsection ipv6 option (-6) @cindex ntpq-ipv6 -This is the ``force ipv6 dns name resolution'' option. +This is the ``force ipv6 name resolution'' option. @noindent This option has some usage constraints. It: @@ -925,7 +1021,7 @@ must not appear in combination with any of the following options: ipv4. @end itemize -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv6 namespace. @node ntpq command @subsection command option (-c) @@ -967,7 +1063,7 @@ commands read from the standard input. This is the ``numeric host addresses'' option. Output all host addresses in dotted-quad numeric format rather than -converting to the canonical host names. +converting to the canonical host names. @node ntpq old-rv @subsection old-rv option @cindex ntpq-old-rv diff --git a/contrib/ntp/ntpq/ntpq-opts.c b/contrib/ntp/ntpq/ntpq-opts.c index b2f9431..602d40f 100644 --- a/contrib/ntp/ntpq/ntpq-opts.c +++ b/contrib/ntp/ntpq/ntpq-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpq-opts.c) * - * It has been AutoGen-ed March 21, 2017 at 10:45:05 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:15:12 PM by AutoGen 5.18.5 * From the definitions ntpq-opts.def * and the template file options * @@ -68,8 +68,8 @@ extern FILE * option_usage_fp; /** * static const strings for ntpq options */ -static char const ntpq_opt_strs[1985] = -/* 0 */ "ntpq 4.2.8p10\n" +static char const ntpq_opt_strs[1977] = +/* 0 */ "ntpq 4.2.8p11\n" "Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -86,60 +86,60 @@ static char const ntpq_opt_strs[1985] = "Time Foundation makes no representations about the suitability this\n" "software for any purpose. It is provided \"as is\" without express or\n" "implied warranty.\n\0" -/* 1009 */ "Force IPv4 DNS name resolution\0" -/* 1040 */ "IPV4\0" -/* 1045 */ "ipv4\0" -/* 1050 */ "Force IPv6 DNS name resolution\0" -/* 1081 */ "IPV6\0" -/* 1086 */ "ipv6\0" -/* 1091 */ "run a command and exit\0" -/* 1114 */ "COMMAND\0" -/* 1122 */ "command\0" -/* 1130 */ "Increase debug verbosity level\0" -/* 1161 */ "DEBUG_LEVEL\0" -/* 1173 */ "debug-level\0" -/* 1185 */ "Set the debug verbosity level\0" -/* 1215 */ "SET_DEBUG_LEVEL\0" -/* 1231 */ "set-debug-level\0" -/* 1247 */ "Force ntpq to operate in interactive mode\0" -/* 1289 */ "INTERACTIVE\0" -/* 1301 */ "interactive\0" -/* 1313 */ "numeric host addresses\0" -/* 1336 */ "NUMERIC\0" -/* 1344 */ "numeric\0" -/* 1352 */ "Always output status line with readvar\0" -/* 1391 */ "OLD_RV\0" -/* 1398 */ "old-rv\0" -/* 1405 */ "Print a list of the peers\0" -/* 1431 */ "PEERS\0" -/* 1437 */ "peers\0" -/* 1443 */ "Set default display type for S2+ refids\0" -/* 1483 */ "REFID\0" -/* 1489 */ "refid\0" -/* 1495 */ "Display the full 'remote' value\0" -/* 1527 */ "WIDE\0" -/* 1532 */ "wide\0" -/* 1537 */ "display extended usage information and exit\0" -/* 1581 */ "help\0" -/* 1586 */ "extended usage information passed thru pager\0" -/* 1631 */ "more-help\0" -/* 1641 */ "output version information and exit\0" -/* 1677 */ "version\0" -/* 1685 */ "save the option state to a config file\0" -/* 1724 */ "save-opts\0" -/* 1734 */ "load options from a config file\0" -/* 1766 */ "LOAD_OPTS\0" -/* 1776 */ "no-load-opts\0" -/* 1789 */ "no\0" -/* 1792 */ "NTPQ\0" -/* 1797 */ "ntpq - standard NTP query program - Ver. 4.2.8p10\n" +/* 1009 */ "Force IPv4 name resolution\0" +/* 1036 */ "IPV4\0" +/* 1041 */ "ipv4\0" +/* 1046 */ "Force IPv6 name resolution\0" +/* 1073 */ "IPV6\0" +/* 1078 */ "ipv6\0" +/* 1083 */ "run a command and exit\0" +/* 1106 */ "COMMAND\0" +/* 1114 */ "command\0" +/* 1122 */ "Increase debug verbosity level\0" +/* 1153 */ "DEBUG_LEVEL\0" +/* 1165 */ "debug-level\0" +/* 1177 */ "Set the debug verbosity level\0" +/* 1207 */ "SET_DEBUG_LEVEL\0" +/* 1223 */ "set-debug-level\0" +/* 1239 */ "Force ntpq to operate in interactive mode\0" +/* 1281 */ "INTERACTIVE\0" +/* 1293 */ "interactive\0" +/* 1305 */ "numeric host addresses\0" +/* 1328 */ "NUMERIC\0" +/* 1336 */ "numeric\0" +/* 1344 */ "Always output status line with readvar\0" +/* 1383 */ "OLD_RV\0" +/* 1390 */ "old-rv\0" +/* 1397 */ "Print a list of the peers\0" +/* 1423 */ "PEERS\0" +/* 1429 */ "peers\0" +/* 1435 */ "Set default display type for S2+ refids\0" +/* 1475 */ "REFID\0" +/* 1481 */ "refid\0" +/* 1487 */ "Display the full 'remote' value\0" +/* 1519 */ "WIDE\0" +/* 1524 */ "wide\0" +/* 1529 */ "display extended usage information and exit\0" +/* 1573 */ "help\0" +/* 1578 */ "extended usage information passed thru pager\0" +/* 1623 */ "more-help\0" +/* 1633 */ "output version information and exit\0" +/* 1669 */ "version\0" +/* 1677 */ "save the option state to a config file\0" +/* 1716 */ "save-opts\0" +/* 1726 */ "load options from a config file\0" +/* 1758 */ "LOAD_OPTS\0" +/* 1768 */ "no-load-opts\0" +/* 1781 */ "no\0" +/* 1784 */ "NTPQ\0" +/* 1789 */ "ntpq - standard NTP query program - Ver. 4.2.8p11\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n\0" -/* 1917 */ "$HOME\0" -/* 1923 */ ".\0" -/* 1925 */ ".ntprc\0" -/* 1932 */ "http://bugs.ntp.org, bugs@ntp.org\0" -/* 1966 */ "ntpq 4.2.8p10\0" -/* 1980 */ "hash"; +/* 1909 */ "$HOME\0" +/* 1915 */ ".\0" +/* 1917 */ ".ntprc\0" +/* 1924 */ "http://bugs.ntp.org, bugs@ntp.org\0" +/* 1958 */ "ntpq 4.2.8p11\0" +/* 1972 */ "hash"; /** * ipv4 option description with @@ -148,9 +148,9 @@ static char const ntpq_opt_strs[1985] = /** Descriptive text for the ipv4 option */ #define IPV4_DESC (ntpq_opt_strs+1009) /** Upper-cased name for the ipv4 option */ -#define IPV4_NAME (ntpq_opt_strs+1040) +#define IPV4_NAME (ntpq_opt_strs+1036) /** Name string for the ipv4 option */ -#define IPV4_name (ntpq_opt_strs+1045) +#define IPV4_name (ntpq_opt_strs+1041) /** Other options that appear in conjunction with the ipv4 option */ static int const aIpv4CantList[] = { INDEX_OPT_IPV6, NO_EQUIVALENT }; @@ -162,11 +162,11 @@ static int const aIpv4CantList[] = { * "Must also have options" and "Incompatible options": */ /** Descriptive text for the ipv6 option */ -#define IPV6_DESC (ntpq_opt_strs+1050) +#define IPV6_DESC (ntpq_opt_strs+1046) /** Upper-cased name for the ipv6 option */ -#define IPV6_NAME (ntpq_opt_strs+1081) +#define IPV6_NAME (ntpq_opt_strs+1073) /** Name string for the ipv6 option */ -#define IPV6_name (ntpq_opt_strs+1086) +#define IPV6_name (ntpq_opt_strs+1078) /** Other options that appear in conjunction with the ipv6 option */ static int const aIpv6CantList[] = { INDEX_OPT_IPV4, NO_EQUIVALENT }; @@ -177,11 +177,11 @@ static int const aIpv6CantList[] = { * command option description: */ /** Descriptive text for the command option */ -#define COMMAND_DESC (ntpq_opt_strs+1091) +#define COMMAND_DESC (ntpq_opt_strs+1083) /** Upper-cased name for the command option */ -#define COMMAND_NAME (ntpq_opt_strs+1114) +#define COMMAND_NAME (ntpq_opt_strs+1106) /** Name string for the command option */ -#define COMMAND_name (ntpq_opt_strs+1122) +#define COMMAND_name (ntpq_opt_strs+1114) /** Compiled in flag settings for the command option */ #define COMMAND_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) @@ -190,11 +190,11 @@ static int const aIpv6CantList[] = { * debug-level option description: */ /** Descriptive text for the debug-level option */ -#define DEBUG_LEVEL_DESC (ntpq_opt_strs+1130) +#define DEBUG_LEVEL_DESC (ntpq_opt_strs+1122) /** Upper-cased name for the debug-level option */ -#define DEBUG_LEVEL_NAME (ntpq_opt_strs+1161) +#define DEBUG_LEVEL_NAME (ntpq_opt_strs+1153) /** Name string for the debug-level option */ -#define DEBUG_LEVEL_name (ntpq_opt_strs+1173) +#define DEBUG_LEVEL_name (ntpq_opt_strs+1165) /** Compiled in flag settings for the debug-level option */ #define DEBUG_LEVEL_FLAGS (OPTST_DISABLED) @@ -202,11 +202,11 @@ static int const aIpv6CantList[] = { * set-debug-level option description: */ /** Descriptive text for the set-debug-level option */ -#define SET_DEBUG_LEVEL_DESC (ntpq_opt_strs+1185) +#define SET_DEBUG_LEVEL_DESC (ntpq_opt_strs+1177) /** Upper-cased name for the set-debug-level option */ -#define SET_DEBUG_LEVEL_NAME (ntpq_opt_strs+1215) +#define SET_DEBUG_LEVEL_NAME (ntpq_opt_strs+1207) /** Name string for the set-debug-level option */ -#define SET_DEBUG_LEVEL_name (ntpq_opt_strs+1231) +#define SET_DEBUG_LEVEL_name (ntpq_opt_strs+1223) /** Compiled in flag settings for the set-debug-level option */ #define SET_DEBUG_LEVEL_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) @@ -216,11 +216,11 @@ static int const aIpv6CantList[] = { * "Must also have options" and "Incompatible options": */ /** Descriptive text for the interactive option */ -#define INTERACTIVE_DESC (ntpq_opt_strs+1247) +#define INTERACTIVE_DESC (ntpq_opt_strs+1239) /** Upper-cased name for the interactive option */ -#define INTERACTIVE_NAME (ntpq_opt_strs+1289) +#define INTERACTIVE_NAME (ntpq_opt_strs+1281) /** Name string for the interactive option */ -#define INTERACTIVE_name (ntpq_opt_strs+1301) +#define INTERACTIVE_name (ntpq_opt_strs+1293) /** Other options that appear in conjunction with the interactive option */ static int const aInteractiveCantList[] = { INDEX_OPT_COMMAND, @@ -232,11 +232,11 @@ static int const aInteractiveCantList[] = { * numeric option description: */ /** Descriptive text for the numeric option */ -#define NUMERIC_DESC (ntpq_opt_strs+1313) +#define NUMERIC_DESC (ntpq_opt_strs+1305) /** Upper-cased name for the numeric option */ -#define NUMERIC_NAME (ntpq_opt_strs+1336) +#define NUMERIC_NAME (ntpq_opt_strs+1328) /** Name string for the numeric option */ -#define NUMERIC_name (ntpq_opt_strs+1344) +#define NUMERIC_name (ntpq_opt_strs+1336) /** Compiled in flag settings for the numeric option */ #define NUMERIC_FLAGS (OPTST_DISABLED) @@ -244,11 +244,11 @@ static int const aInteractiveCantList[] = { * old-rv option description: */ /** Descriptive text for the old-rv option */ -#define OLD_RV_DESC (ntpq_opt_strs+1352) +#define OLD_RV_DESC (ntpq_opt_strs+1344) /** Upper-cased name for the old-rv option */ -#define OLD_RV_NAME (ntpq_opt_strs+1391) +#define OLD_RV_NAME (ntpq_opt_strs+1383) /** Name string for the old-rv option */ -#define OLD_RV_name (ntpq_opt_strs+1398) +#define OLD_RV_name (ntpq_opt_strs+1390) /** Compiled in flag settings for the old-rv option */ #define OLD_RV_FLAGS (OPTST_DISABLED) @@ -257,11 +257,11 @@ static int const aInteractiveCantList[] = { * "Must also have options" and "Incompatible options": */ /** Descriptive text for the peers option */ -#define PEERS_DESC (ntpq_opt_strs+1405) +#define PEERS_DESC (ntpq_opt_strs+1397) /** Upper-cased name for the peers option */ -#define PEERS_NAME (ntpq_opt_strs+1431) +#define PEERS_NAME (ntpq_opt_strs+1423) /** Name string for the peers option */ -#define PEERS_name (ntpq_opt_strs+1437) +#define PEERS_name (ntpq_opt_strs+1429) /** Other options that appear in conjunction with the peers option */ static int const aPeersCantList[] = { INDEX_OPT_INTERACTIVE, NO_EQUIVALENT }; @@ -272,11 +272,11 @@ static int const aPeersCantList[] = { * refid option description: */ /** Descriptive text for the refid option */ -#define REFID_DESC (ntpq_opt_strs+1443) +#define REFID_DESC (ntpq_opt_strs+1435) /** Upper-cased name for the refid option */ -#define REFID_NAME (ntpq_opt_strs+1483) +#define REFID_NAME (ntpq_opt_strs+1475) /** Name string for the refid option */ -#define REFID_name (ntpq_opt_strs+1489) +#define REFID_name (ntpq_opt_strs+1481) /** The compiled in default value for the refid option argument */ #define REFID_DFT_ARG ((char const*)REFID_IPV4) /** Compiled in flag settings for the refid option */ @@ -287,22 +287,22 @@ static int const aPeersCantList[] = { * wide option description: */ /** Descriptive text for the wide option */ -#define WIDE_DESC (ntpq_opt_strs+1495) +#define WIDE_DESC (ntpq_opt_strs+1487) /** Upper-cased name for the wide option */ -#define WIDE_NAME (ntpq_opt_strs+1527) +#define WIDE_NAME (ntpq_opt_strs+1519) /** Name string for the wide option */ -#define WIDE_name (ntpq_opt_strs+1532) +#define WIDE_name (ntpq_opt_strs+1524) /** Compiled in flag settings for the wide option */ #define WIDE_FLAGS (OPTST_DISABLED) /* * Help/More_Help/Version option descriptions: */ -#define HELP_DESC (ntpq_opt_strs+1537) -#define HELP_name (ntpq_opt_strs+1581) +#define HELP_DESC (ntpq_opt_strs+1529) +#define HELP_name (ntpq_opt_strs+1573) #ifdef HAVE_WORKING_FORK -#define MORE_HELP_DESC (ntpq_opt_strs+1586) -#define MORE_HELP_name (ntpq_opt_strs+1631) +#define MORE_HELP_DESC (ntpq_opt_strs+1578) +#define MORE_HELP_name (ntpq_opt_strs+1623) #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT) #else #define MORE_HELP_DESC HELP_DESC @@ -315,14 +315,14 @@ static int const aPeersCantList[] = { # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT) #endif -#define VER_DESC (ntpq_opt_strs+1641) -#define VER_name (ntpq_opt_strs+1677) -#define SAVE_OPTS_DESC (ntpq_opt_strs+1685) -#define SAVE_OPTS_name (ntpq_opt_strs+1724) -#define LOAD_OPTS_DESC (ntpq_opt_strs+1734) -#define LOAD_OPTS_NAME (ntpq_opt_strs+1766) -#define NO_LOAD_OPTS_name (ntpq_opt_strs+1776) -#define LOAD_OPTS_pfx (ntpq_opt_strs+1789) +#define VER_DESC (ntpq_opt_strs+1633) +#define VER_name (ntpq_opt_strs+1669) +#define SAVE_OPTS_DESC (ntpq_opt_strs+1677) +#define SAVE_OPTS_name (ntpq_opt_strs+1716) +#define LOAD_OPTS_DESC (ntpq_opt_strs+1726) +#define LOAD_OPTS_NAME (ntpq_opt_strs+1758) +#define NO_LOAD_OPTS_name (ntpq_opt_strs+1768) +#define LOAD_OPTS_pfx (ntpq_opt_strs+1781) #define LOAD_OPTS_name (NO_LOAD_OPTS_name + 3) /** * Declare option callback procedures @@ -543,24 +543,24 @@ static tOptDesc optDesc[OPTION_CT] = { /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /** Reference to the upper cased version of ntpq. */ -#define zPROGNAME (ntpq_opt_strs+1792) +#define zPROGNAME (ntpq_opt_strs+1784) /** Reference to the title line for ntpq usage. */ -#define zUsageTitle (ntpq_opt_strs+1797) +#define zUsageTitle (ntpq_opt_strs+1789) /** ntpq configuration file name. */ -#define zRcName (ntpq_opt_strs+1925) +#define zRcName (ntpq_opt_strs+1917) /** Directories to search for ntpq config files. */ static char const * const apzHomeList[3] = { - ntpq_opt_strs+1917, - ntpq_opt_strs+1923, + ntpq_opt_strs+1909, + ntpq_opt_strs+1915, NULL }; /** The ntpq program bug email address. */ -#define zBugsAddr (ntpq_opt_strs+1932) +#define zBugsAddr (ntpq_opt_strs+1924) /** Clarification/explanation of what ntpq does. */ #define zExplain (NULL) /** Extra detail explaining what ntpq does. */ #define zDetail (NULL) /** The full version string for ntpq. */ -#define zFullVersion (ntpq_opt_strs+1966) +#define zFullVersion (ntpq_opt_strs+1958) /* extracted from optcode.tlib near line 364 */ #if defined(ENABLE_NLS) @@ -633,7 +633,7 @@ doOptRefid(tOptions* pOptions, tOptDesc* pOptDesc) /* extracted from optmain.tlib near line 945 */ static char const * const names[2] = { - ntpq_opt_strs+1980, ntpq_opt_strs+1045 }; + ntpq_opt_strs+1972, ntpq_opt_strs+1041 }; if (pOptions <= OPTPROC_EMIT_LIMIT) { (void) optionEnumerationVal(pOptions, pOptDesc, names, 2); @@ -841,7 +841,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via ntpqOptions.pzCopyright */ - puts(_("ntpq 4.2.8p10\n\ + puts(_("ntpq 4.2.8p11\n\ Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the NTP License, copies of which\n\ @@ -862,10 +862,10 @@ software for any purpose. It is provided \"as is\" without express or\n\ implied warranty.\n")); /* referenced via ntpqOptions.pOptDesc->pzText */ - puts(_("Force IPv4 DNS name resolution")); + puts(_("Force IPv4 name resolution")); /* referenced via ntpqOptions.pOptDesc->pzText */ - puts(_("Force IPv6 DNS name resolution")); + puts(_("Force IPv6 name resolution")); /* referenced via ntpqOptions.pOptDesc->pzText */ puts(_("run a command and exit")); @@ -910,11 +910,11 @@ implied warranty.\n")); puts(_("load options from a config file")); /* referenced via ntpqOptions.pzUsageTitle */ - puts(_("ntpq - standard NTP query program - Ver. 4.2.8p10\n\ + puts(_("ntpq - standard NTP query program - Ver. 4.2.8p11\n\ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n")); /* referenced via ntpqOptions.pzFullVersion */ - puts(_("ntpq 4.2.8p10")); + puts(_("ntpq 4.2.8p11")); /* referenced via ntpqOptions.pzFullUsage */ puts(_("<<<NOT-FOUND>>>")); diff --git a/contrib/ntp/ntpq/ntpq-opts.def b/contrib/ntp/ntpq/ntpq-opts.def index 9232268..f34653d 100644 --- a/contrib/ntp/ntpq/ntpq-opts.def +++ b/contrib/ntp/ntpq/ntpq-opts.def @@ -14,9 +14,9 @@ flag = { name = ipv4; flags-cant = ipv6; value = 4; - descrip = "Force IPv4 DNS name resolution"; + descrip = "Force IPv4 name resolution"; doc = <<- _EndOfDoc_ - Force DNS resolution of following host names on the command line + Force resolution of following host names on the command line to the IPv4 namespace. _EndOfDoc_; }; @@ -25,9 +25,9 @@ flag = { name = ipv6; flags-cant = ipv4; value = 6; - descrip = "Force IPv6 DNS name resolution"; + descrip = "Force IPv6 name resolution"; doc = <<- _EndOfDoc_ - Force DNS resolution of following host names on the command line + Force resolution of following host names on the command line to the IPv6 namespace. _EndOfDoc_; }; @@ -67,7 +67,7 @@ flag = { descrip = "numeric host addresses"; doc = <<- _EndOfDoc_ Output all host addresses in dotted-quad numeric format rather than - converting to the canonical host names. + converting to the canonical host names. _EndOfDoc_; }; @@ -126,16 +126,12 @@ doc-section = { ds-type = 'DESCRIPTION'; ds-format = 'mdoc'; ds-text = <<- _END_PROG_MDOC_DESCRIP - +.Pp The .Nm -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -146,7 +142,7 @@ The utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. - +.Pp If one or more request options is included on the command line when .Nm @@ -164,7 +160,7 @@ The .Nm utility will prompt for commands if the standard input is a terminal device. - +.Pp .Nm uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on @@ -178,7 +174,17 @@ utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. - +.Pp +Note that in contexts where a host name is expected, a +.Fl 4 +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +.Fl 6 +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +.Dq NTP Debugging Techniques +page. +.Pp Specifying a command line option other than .Fl i @@ -191,53 +197,48 @@ Otherwise, .Nm will attempt to read interactive format commands from the standard input. + .Ss "Internal Commands" +.Pp Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. - +.Pp A number of interactive format commands are executed entirely within the .Nm -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. -.Bl -tag -width "? [command_keyword]" -compact -offset indent -.It Ic ? Op Ar command_keyword -.It Ic help Op Ar command_keyword +.Bl -tag -width "help [command]" -compact -offset indent +.It Ic ? Op Ar command +.It Ic help Op Ar command A .Ql \&? -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to .Nm . A .Ql \&? -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -.Nm -than this manual -page. -.It Ic addvars Ar variable_name Ns Xo Op Ic =value -.Ic ... -.Xc -.It Ic rmvars Ar variable_name Ic ... +.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,... +.It Ic rmvars Ar name Ns Op ,... .It Ic clearvars .It Ic showvars -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -.Ql variable_name=value , +.Ar name Ns Op \&= Ns Ar value , where the -.Ql =value +.No \&= Ns Ar value is ignored, and can be omitted, in requests to the server to read variables. The .Nm -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the .Ic readlist and .Ic writelist @@ -252,35 +253,31 @@ The .Ic rmvars command can be used to remove individual variables from the list, while the -.Ic clearlist +.Ic clearvars command removes all variables from the list. The .Ic showvars command displays the current list of optional variables. -.It Ic authenticate Op yes | no +.It Ic authenticate Op Cm yes Ns | Ns Cm no Normally .Nm does not authenticate requests unless they are write requests. The command -.Ql authenticate yes +.Ic authenticate Cm yes causes .Nm to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -.Ic peer -display. +requests slightly differently. The command -.Ql authenticate +.Ic authenticate causes .Nm to display whether or not -.Nm -is currently autheinticating requests. +it is currently authenticating requests. .It Ic cooked Causes output from query commands to be "cooked", so that variables which are recognized by @@ -289,20 +286,13 @@ will have their values reformatted for human consumption. Variables which .Nm -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing .Ql \&? . -.It Xo -.Ic debug -.Oo -.Cm more | -.Cm less | -.Cm off -.Oc -.Xc +.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. -.It Ic delay Ar milliseconds +Otherwise, the debugging level is changed as indicated. +.It Ic delay Op Ar milliseconds Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -311,14 +301,21 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +.It Ic drefid Op Cm hash Ns | Ns Cm ipv4 +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. .It Ic exit Exit .Nm . -.It Ic host Ar hostname +.It Ic host Op Ar name Set the host to which future queries will be sent. -.Ar hostname +The +.Ar name may be either a host name or a numeric address. -.It Ic hostnames Op Cm yes | Cm no +Without any arguments, displays the current host. +.It Ic hostnames Op Cm yes Ns | Ns Cm no If .Cm yes is specified, host names are printed in @@ -333,7 +330,9 @@ unless modified using the command line .Fl n switch. -.It Ic keyid Ar keyid +Without any arguments, displays whether host names or numeric addresses +are shown. +.It Ic keyid Op Ar keyid This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -341,28 +340,20 @@ to the .Cm controlkey key number the server has been configured to use for this purpose. -.It Ic keytype Xo Oo -.Cm md5 | -.Cm OpenSSLDigestType -.Oc -.Xc -Specify the type of key to use for authenticating requests. -.Cm md5 -is alway supported. +Without any arguments, displays the current +.Ar keyid . +.It Ic keytype Op Ar digest +Specify the digest algorithm to use for authenticating requests, with default +.Cm MD5 . If .Nm -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +.Ar digest +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -.Ic keytype -is displayed. -.It Ic ntpversion Xo Oo -.Cm 1 | -.Cm 2 | -.Cm 3 | -.Cm 4 -.Oc -.Xc +.Ic keytype Ar digest +algorithm used is displayed. +.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4 Sets the NTP version number which .Nm claims in @@ -380,13 +371,11 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -.\" Not yet implemented. -.\" .It Ic poll -.\" .Op Ar n -.\" .Op Ic verbose -.\" Poll an NTP server in client mode -.\" .Ar n -.\" times. +.It Ic poll Oo Ar n Oc Op Cm verbose +Poll an NTP server in client mode +.Ar n +times. +Poll not implemented yet. .It Ic quit Exit .Nm . @@ -396,96 +385,151 @@ from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. -.It Ic timeout Ar milliseconds +.It Ic timeout Op Ar milliseconds Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since .Nm retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. .It Ic version -Print the version of the +Display the version of the .Nm program. .El .Ss "Control Message Commands" -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the -.Li peers +.Ic peers command, which sends a series of messages, and the -.Li mreadlist +.Ic mreadlist and -.Li mreadvar +.Ic mreadvar commands, which iterate over a range of associations. .Bl -tag -width "something" -compact -offset indent -.It Cm associations +.It Ic apeers +Display a list of peers in the form: +.Dl [tally]remote refid assid st t when pool reach delay offset jitter +where the output is just like the +.Ic peers +command except that the +.Cm refid +is displayed in hex format and the association number is also displayed. +.It Ic associations Display a list of mobilized associations in the form: .Dl ind assid status conf reach auth condition last_event cnt -.Bl -column -offset indent ".Sy Variable" ".Sy Description" -.It Sy String Ta Sy Description -.It Li ind Ta index on this list -.It Li assid Ta association ID -.It Li status Ta peer status word -.It Li conf Ta Li yes : persistent, Li no : ephemeral -.It Li reach Ta Li yes : reachable, Li no : unreachable -.It Li auth Ta Li ok , Li yes , Li bad and Li none -.It Li condition Ta selection status (see the Li select field of the peer status word) -.It Li last_event Ta event report (see the Li event field of the peer status word) -.It Li cnt Ta event count (see the Li count field of the peer status word) +.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word" +.It Sy Variable Ta Sy Description +.It Cm ind Ta index on this list +.It Cm assid Ta association id +.It Cm status Ta peer status word +.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral +.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable +.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none +.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&) +.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&) +.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&) .El -.It Cm authinfo -Display the authentication statistics. -.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -Display a list of clock variables for those associations supporting a reference clock. -.It Cm :config Op ... -Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -.It Cm config-from-file Ar filename -Send the each line of +.It Ic authinfo +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +.It Ic clocklist Op Ar associd +.It Ic cl Op Ar associd +Display all clock variables in the variable list for those associations +supporting a reference clock. +.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +Display a list of clock variables for those associations supporting a +reference clock. +.It Ic :config Ar "configuration command line" +Send the remainder of the command line, including whitespace, to the +server as a run-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. +.It Ic config-from-file Ar filename +Send each line of .Ar filename -to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. .It Ic ifstats -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. .It Ic iostats -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. .It Ic kerninfo -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. .It Ic lassociations -Perform the same function as the associations command, except display mobilized and unmobilized associations. -.It Ic lopeers Xo -.Oo Ic -4 | -.Ic -6 -.Oc -.Xc -Obtain and print a list of all peers and clients showing -.Ar dstadr -(associated with any given IP version). -.It Ic lpeers Xo -.Oo Ic -4 | -.Ic -6 -.Oc -.Xc -Print a peer spreadsheet for the appropriate IP version(s). -.Ar dstadr -(associated with any given IP version). +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. +.It Ic lopeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients showing +.Cm dstadr +(associated with the given IP version). +.It Ic lpassociations +Display the last obtained list of associations, including all clients. +.It Ic lpeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients (associated with the given IP version). .It Ic monstats -Display monitor facility statistics. -.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc -Obtain and print traffic counts collected and maintained by the monitor facility. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +.It Ic mreadlist Ar associdlo Ar associdhi +.It Ic mrl Ar associdlo Ar associdhi +Perform the same function as the +.Ic readlist +command for a range of association ids. +.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +This range may be determined from the list displayed by any +command showing associations. +.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +Perform the same function as the +.Ic readvar +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count | +.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&- Oc Ns Ar sortorder | +.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc +.Xc +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -.Cm sort Ns = Ns Ar sortorder , +.Cm sort Ns \&= Ns Oo \&- Oc Ns Ar sortorder , the options filter the list returned by -.Cm ntpd. +.Xr ntpd 8 . The .Cm limited and .Cm kod -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The .Cm mincount Ns = Ns Ar count option filters entries representing less than @@ -506,18 +550,21 @@ The .Ar sortorder defaults to .Cm lstint -and may be any of +and may be .Cm addr , -.Cm count , .Cm avgint , +.Cm count , .Cm lstint , -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +.Ql \&- +to reverse the sort order. The output columns are: .Bl -tag -width "something" -compact -offset indent .It Column Description .It Ic lstint -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by .Nm . .It Ic avgint Average interval in s between packets from this address. @@ -525,7 +572,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching .Ic restrict -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. .It Ic r Rate control indicator, either a period, @@ -543,27 +591,15 @@ Packets received from this address. .It Ic rport Source port of last packet from this address. .It Ic remote address -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. .El -.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -Perform the same function as the -.Ic readvar -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -.Ic associations -command. -.It Ic opeers Xo -.Oo Ic -4 | -.Ic -6 -.Oc -.Xc +.It Ic opeers Op Fl 4 | Fl 6 Obtain and print the old-style list of all peers and clients showing -.Ar dstadr -(associated with any given IP version), +.Cm dstadr +(associated with the given IP version), rather than the -.Ar refid . +.Cm refid . .It Ic passociations Perform the same function as the .Ic associations @@ -575,28 +611,32 @@ Display a list of peers in the form: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic [tally] +.It Cm [tally] single-character code indicating current value of the .Ic select field of the .Lk decode.html#peer "peer status word" -.It Ic remote +.It Cm remote host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +.Nm .Fl w -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. -.It Ic refid -association ID or +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. +.It Cm refid +source IP address or .Lk decode.html#kiss "'kiss code" -.It Ic st -stratum -.It Ic t +.It Cm st +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks +.It Cm t .Ic u : unicast or manycast client, .Ic b : broadcast or multicast client, +.Ic p : +pool source, .Ic l : local (reference clock), .Ic s : @@ -607,119 +647,136 @@ manycast server, broadcast server, .Ic M : multicast server -.It Ic when -sec/min/hr since last received packet -.It Ic poll -poll interval (log2 s) -.It Ic reach +.It Cm when +time in seconds, minutes, hours, or days since the last packet +was received, or +.Ql \&- +if a packet has never been received +.It Cm poll +poll interval (s) +.It Cm reach reach shift register (octal) -.It Ic delay +.It Cm delay roundtrip delay -.It Ic offset +.It Cm offset offset of server relative to this host -.It Ic jitter -jitter +.It Cm jitter +offset RMS error estimate. .El -.It Ic apeers -Display a list of peers in the form: -.Dl [tally]remote refid assid st t when pool reach delay offset jitter -where the output is just like the -.Ic peers -command except that the -.Ic refid -is displayed in hex format and the association number is also displayed. -.It Ic pstats Ar assocID -Show the statistics for the peer with the given -.Ar assocID . -.It Ic readlist Ar assocID -.It Ic rl Ar assocID -Read the system or peer variables included in the variable list. -.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -Display the specified variables. +.It Ic pstats Ar associd +Display the statistics for the peer with the given +.Ar associd : +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. +.It Ic readlist Op Ar associd +.It Ic rl Op Ar associd +Display all system or peer variables. +If the +.Ar associd +is omitted, it is assumed to be zero. +.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +Display the specified system or peer variables. If -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. If no .Ar name is included, all operative variables in the name space are displayed. - In this case only, if the -.Ar assocID -is omitted, it is assumed zero. +.Ar associd +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +.Ar YYYY Ns Ar MM Ar DD Ar TTTT , +where +.Ar YYYY +is the year, +.Ar MM +the month of year, +.Ar DD +the day of month and +.Ar TTTT +the time of day. .It Ic reslist -Show the access control (restrict) list for +Display the access control (restrict) list for .Nm . - +Authentication is required. .It Ic saveconfig Ar filename -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by .Ic :config or .Ic config-from-file , -to the ntpd host's file +to the NTP server host file .Ar filename . This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -.Ic ntpd +.Xr ntpd 8 configuration file. .Ar filename can use -.Xr strftime -format specifies to substitute the current date and time, for example, -.Ic q]saveconfig ntp-%Y%m%d-%H%M%S.confq] . +.Xr date 1 +format specifiers to substitute the current date and time, for +example, +.D1 Ic saveconfig Pa ntp-%Y%m%d-%H%M%S.conf . The filename used is stored in system variable -.Ic savedconfig . +.Cm savedconfig . Authentication is required. +.It Ic sysinfo +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +.It Ic sysstats +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. .It Ic timerstats -Display interval timer counters. -.It Ic writelist Ar assocID -Write the system or peer variables included in the variable list. -.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ... -Write the specified variables. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. +.It Ic writelist Ar associd +Set all system or peer variables included in the variable list. +.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ... +Set the specified variables in the variable list. If the -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. -.It Ic sysinfo -Display operational summary. -.It Ic sysstats -Print statistics counters maintained in the protocol module. +Authentication is required. .El .Ss Status Words and Kiss Codes - The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per-association basis. -These words are displayed in the -.Ic rv +These words are displayed by the +.Ic readlist and -.Ic as +.Ic associations commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -737,58 +794,59 @@ in the reference identifier field in various billboards. .Ss System Variables The following system variables appear in the -.Ic rv +.Ic readlist billboard. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic status +.It Cm status .Lk decode.html#sys "system status word" -.It Ic version +.It Cm version NTP software version and build time -.It Ic processor +.It Cm processor hardware platform and version -.It Ic system +.It Cm system operating system and version -.It Ic leap +.It Cm leap leap warning indicator (0-3) -.It Ic stratum +.It Cm stratum stratum (1-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total dispersion to the primary reference clock -.It Ic peer -system peer association ID -.It Ic tc -time constant and poll exponent (log2 s) (3-17) -.It Ic mintc -minimum time constant (log2 s) (3-10) -.It Ic clock -date and time of day -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic offset -combined offset of server relative to this host -.It Ic sys_jitter +.It Ic clock +date and time of day +.It Cm peer +system peer association id +.It Cm tc +time constant and poll exponent (log2 s) (3-17) +.It Cm mintc +minimum time constant (log2 s) (3-10) +.It Cm offset +combined offset of server relative to this host +.It Cm frequency +frequency drift (PPM) relative to hardware clock +.It Cm sys_jitter combined system jitter -.It Ic frequency -frequency offset (PPM) relative to hardware clock -.It Ic clk_wander +.It Cm clk_wander clock frequency wander (PPM) -.It Ic clk_jitter +.It Cm clk_jitter clock jitter -.It Ic tai +.It Cm tai TAI-UTC offset (s) -.It Ic leapsec +.It Cm leapsec NTP seconds when the next leap second is/was inserted -.It Ic expire +.It Cm expire NTP seconds when the NIST leapseconds file expires .El The jitter and wander statistics are exponentially-weighted RMS averages. @@ -799,103 +857,105 @@ When the NTPv4 daemon is compiled with the OpenSSL software library, additional system variables are displayed, including some or all of the following, depending on the particular Autokey dance: - .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic host +.It Cm host Autokey host name for this host -.It Ic ident +.It Cm ident Autokey group name for this host -.It Ic flags +.It Cm flags host flags (see Autokey specification) -.It Ic digest +.It Cm digest OpenSSL message digest algorithm -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic update +.It Cm update NTP seconds at last signature update -.It Ic cert +.It Cm cert certificate subject, issuer and certificate flags -.It Ic until +.It Cm until NTP seconds when the certificate expires .El .Ss Peer Variables The following peer variables appear in the -.Ic rv +.Ic readlist billboard for each association. Not all variables are displayed in some configurations. - +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#peer "peer status word" -.It Ic srcadr +.It Cm srcadr source (remote) IP address -.It Ic srcport +.It Cm srcport source (remote) port -.It Ic dstadr +.It Cm dstadr destination (local) IP address -.It Ic dstport +.It Cm dstport destination (local) port -.It Ic leap +.It Cm leap leap indicator (0-3) -.It Ic stratum +.It Cm stratum stratum (0-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total root dispersion to the primary reference clock -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic reach +.It Cm rec +last packet received time +.It Cm reach reach register (octal) -.It Ic unreach +.It Cm unreach unreach counter -.It Ic hmode +.It Cm hmode host mode (1-6) -.It Ic pmode +.It Cm pmode peer mode (1-5) -.It Ic hpoll +.It Cm hpoll host poll exponent (log2 s) (3-17) -.It Ic ppoll +.It Cm ppoll peer poll exponent (log2 s) (3-17) -.It Ic headway +.It Cm headway headway (see .Lk rate.html "Rate Management and the Kiss-o'-Death Packet" ) -.It Ic flash +.It Cm flash .Lk decode.html#flash "flash status word" -.It Ic offset +.It Cm keyid +symmetric key id +.It Cm offset filter offset -.It Ic delay +.It Cm delay filter delay -.It Ic dispersion +.It Cm dispersion filter dispersion -.It Ic jitter +.It Cm jitter filter jitter -.It Ic ident -Autokey group name for this association -.It Ic bias +.It Cm bias unicast/broadcast bias -.It Ic xleave +.It Cm xleave interleave delay (see .Lk xleave.html "NTP Interleaved Modes" ) .El The -.Ic bias +.Cm bias variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The -.Ic xleave +.Cm xleave variable appears only for the interleaved symmetric and interleaved modes. It represents the internal queuing, buffering and transmission delays for the preceding packet. @@ -905,55 +965,57 @@ additional peer variables are displayed, including the following: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic host +.It Cm host Autokey server name -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic initsequence -initial key ID -.It Ic initkey +.It Cm initsequence +initial key id +.It Cm initkey initial key index -.It Ic timestamp +.It Cm timestamp Autokey signature timestamp +.It Cm ident +Autokey group name for this association .El .Ss Clock Variables The following clock variables appear in the -.Ic cv +.Ic clocklist billboard for each association with a reference clock. Not all variables are displayed in some configurations. .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#clock "clock status word" -.It Ic device +.It Cm device device description -.It Ic timecode +.It Cm timecode ASCII time code string (specific to device) -.It Ic poll +.It Cm poll poll messages sent -.It Ic noreply +.It Cm noreply no reply -.It Ic badformat +.It Cm badformat bad format -.It Ic baddata +.It Cm baddata bad date or time -.It Ic fudgetime1 +.It Cm fudgetime1 fudge time 1 -.It Ic fudgetime2 +.It Cm fudgetime2 fudge time 2 -.It Ic stratum +.It Cm stratum driver stratum -.It Ic refid -driver reference ID -.It Ic flags +.It Cm refid +driver reference id +.It Cm flags driver flags .El _END_PROG_MDOC_DESCRIP; diff --git a/contrib/ntp/ntpq/ntpq-opts.h b/contrib/ntp/ntpq/ntpq-opts.h index 60c4c20..ce90e50 100644 --- a/contrib/ntp/ntpq/ntpq-opts.h +++ b/contrib/ntp/ntpq/ntpq-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpq-opts.h) * - * It has been AutoGen-ed March 21, 2017 at 10:45:04 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:15:12 PM by AutoGen 5.18.5 * From the definitions ntpq-opts.def * and the template file options * @@ -84,9 +84,9 @@ typedef enum { /** count of all options for ntpq */ #define OPTION_CT 16 /** ntpq version */ -#define NTPQ_VERSION "4.2.8p10" +#define NTPQ_VERSION "4.2.8p11" /** Full ntpq version text */ -#define NTPQ_FULL_VERSION "ntpq 4.2.8p10" +#define NTPQ_FULL_VERSION "ntpq 4.2.8p11" /** * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/contrib/ntp/ntpq/ntpq-subs.c b/contrib/ntp/ntpq/ntpq-subs.c index 08f9d42..acc175d1 100644 --- a/contrib/ntp/ntpq/ntpq-subs.c +++ b/contrib/ntp/ntpq/ntpq-subs.c @@ -307,12 +307,12 @@ typedef struct ifstats_row_tag { sockaddr_u bcast; int enabled; u_int flags; - int mcast_count; + u_int mcast_count; char name[32]; - int peer_count; - int received; - int sent; - int send_errors; + u_int peer_count; + u_int received; + u_int sent; + u_int send_errors; u_int ttl; u_int uptime; } ifstats_row; @@ -1452,6 +1452,8 @@ when( else return 0; + if (ts->l_ui < lasttime->l_ui) + return -1; return (ts->l_ui - lasttime->l_ui); } @@ -1490,7 +1492,14 @@ prettyinterval( } diff = (diff + 11) / 24; - snprintf(buf, cb, "%ldd", diff); + if (diff <= 999) { + snprintf(buf, cb, "%ldd", diff); + return buf; + } + + /* years are only approximated... */ + diff = (long)floor(diff / 365.25 + 0.5); + snprintf(buf, cb, "%ldy", diff); return buf; } @@ -1833,8 +1842,12 @@ doprintpeers( if (!have_srchost) strlcpy(clock_name, nntohost(&srcadr), sizeof(clock_name)); + /* wide and long source - space over on next line */ + /* allow for host + sp if > 1 and regular tally + source + sp */ if (wideremote && 15 < strlen(clock_name)) - fprintf(fp, "%c%s\n ", c, clock_name); + fprintf(fp, "%c%s\n%*s", c, clock_name, + ((numhosts > 1) ? (int)maxhostlen + 1 : 0) + + 1 + 15 + 1, ""); else fprintf(fp, "%c%-15.15s ", c, clock_name); if (!have_da_rid) { @@ -2225,14 +2238,13 @@ config ( col = -1; if (1 == sscanf(resp, "column %d syntax error", &col) && col >= 0 && (size_t)col <= strlen(cfgcmd) + 1) { - if (interactive) { - printf("______"); /* "ntpq> " */ - printf("________"); /* ":config " */ - } else + if (interactive) + fputs(" *", stdout); /* "ntpq> :config " */ + else printf("%s\n", cfgcmd); - for (i = 1; i < col; i++) - putchar('_'); - printf("^\n"); + for (i = 0; i < col; i++) + fputc('_', stdout); + fputs("^\n", stdout); } printf("%s\n", resp); free(resp); @@ -3277,7 +3289,7 @@ validate_ifnum( return; if (prow->ifnum + 1 <= ifnum) { if (*pfields < IFSTATS_FIELDS) - fprintf(fp, "Warning: incomplete row with %d (of %d) fields", + fprintf(fp, "Warning: incomplete row with %d (of %d) fields\n", *pfields, IFSTATS_FIELDS); *pfields = 0; prow->ifnum = ifnum; @@ -3314,7 +3326,7 @@ another_ifstats_field( "==============================================================================\n"); */ fprintf(fp, - "%3u %-24.24s %c %4x %3d %2d %6d %6d %6d %5d %8d\n" + "%3u %-24.24s %c %4x %3u %2u %6u %6u %6u %5u %8d\n" " %s\n", prow->ifnum, prow->name, (prow->enabled) @@ -3414,7 +3426,7 @@ ifstats( case 'm': if (1 == sscanf(tag, mc_fmt, &ui) && - 1 == sscanf(val, "%d", &row.mcast_count)) + 1 == sscanf(val, "%u", &row.mcast_count)) comprende = TRUE; break; @@ -3435,31 +3447,31 @@ ifstats( case 'p': if (1 == sscanf(tag, pc_fmt, &ui) && - 1 == sscanf(val, "%d", &row.peer_count)) + 1 == sscanf(val, "%u", &row.peer_count)) comprende = TRUE; break; case 'r': if (1 == sscanf(tag, rx_fmt, &ui) && - 1 == sscanf(val, "%d", &row.received)) + 1 == sscanf(val, "%u", &row.received)) comprende = TRUE; break; case 't': if (1 == sscanf(tag, tl_fmt, &ui) && - 1 == sscanf(val, "%d", &row.ttl)) + 1 == sscanf(val, "%u", &row.ttl)) comprende = TRUE; else if (1 == sscanf(tag, tx_fmt, &ui) && - 1 == sscanf(val, "%d", &row.sent)) + 1 == sscanf(val, "%u", &row.sent)) comprende = TRUE; else if (1 == sscanf(tag, txerr_fmt, &ui) && - 1 == sscanf(val, "%d", &row.send_errors)) + 1 == sscanf(val, "%u", &row.send_errors)) comprende = TRUE; break; case 'u': if (1 == sscanf(tag, up_fmt, &ui) && - 1 == sscanf(val, "%d", &row.uptime)) + 1 == sscanf(val, "%u", &row.uptime)) comprende = TRUE; break; } @@ -3472,7 +3484,7 @@ ifstats( } } if (fields != IFSTATS_FIELDS) - fprintf(fp, "Warning: incomplete row with %d (of %d) fields", + fprintf(fp, "Warning: incomplete row with %d (of %d) fields\n", fields, IFSTATS_FIELDS); fflush(fp); @@ -3847,6 +3859,10 @@ sysstats( VDC_INIT("ss_limited", "rate limited: ", NTP_STR), VDC_INIT("ss_kodsent", "KoD responses: ", NTP_STR), VDC_INIT("ss_processed", "processed for time: ", NTP_STR), +#if 0 + VDC_INIT("ss_lamport", "Lamport violations: ", NTP_STR), + VDC_INIT("ss_tsrounding", "bad timestamp rounding:", NTP_STR), +#endif VDC_INIT(NULL, NULL, 0) }; diff --git a/contrib/ntp/ntpq/ntpq.1ntpqman b/contrib/ntp/ntpq/ntpq.1ntpqman index 05c801b..2ef8a32 100644 --- a/contrib/ntp/ntpq/ntpq.1ntpqman +++ b/contrib/ntp/ntpq/ntpq.1ntpqman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpq 1ntpqman "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpq 1ntpqman "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-P4aWgw/ag-p5aWew) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-D4aGRT/ag-Q4ayQT) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:26 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:22 PM by AutoGen 5.18.5 .\" From the definitions ntpq-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -31,15 +31,14 @@ .ne 2 .SH DESCRIPTION +.sp \n(Ppu +.ne 2 + The \f\*[B-Font]ntpq\fP -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -50,6 +49,9 @@ The utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. +.sp \n(Ppu +.ne 2 + If one or more request options is included on the command line when \f\*[B-Font]ntpq\fP @@ -67,6 +69,9 @@ The \f\*[B-Font]ntpq\fP utility will prompt for commands if the standard input is a terminal device. +.sp \n(Ppu +.ne 2 + \f\*[B-Font]ntpq\fP uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on @@ -80,6 +85,21 @@ utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. +.sp \n(Ppu +.ne 2 + +Note that in contexts where a host name is expected, a +\f\*[B-Font]\-4\f[] +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +\f\*[B-Font]\-6\f[] +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +\*[Lq]NTP Debugging Techniques\*[Rq] +page. +.sp \n(Ppu +.ne 2 + Specifying a command line option other than \f\*[B-Font]\-i\f[] @@ -93,64 +113,65 @@ Otherwise, will attempt to read interactive format commands from the standard input. .SS "Internal Commands" +.sp \n(Ppu +.ne 2 + Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. +.sp \n(Ppu +.ne 2 + A number of interactive format commands are executed entirely within the \f\*[B-Font]ntpq\fP -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. -.TP 20 -.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command_keyword\f[]] +.TP 15 +.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command\f[]] .br .ns -.TP 20 -.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command_keyword\f[]] +.TP 15 +.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command\f[]] A \[oq]\&?\[cq] -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to \f\*[B-Font]ntpq\fP. A \[oq]\&?\[cq] -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -\f\*[B-Font]ntpq\fP -than this manual -page. .br .ns -.TP 20 -.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]variable_name\f[][\f\*[B-Font]=value\f[]] \f\*[B-Font]...\f[] +.TP 15 +.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][,...] .br .ns -.TP 20 -.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]variable_name\f[] \f\*[B-Font]...\f[] +.TP 15 +.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]name\f[][,...] .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]clearvars\f[] .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]showvars\f[] -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -\[oq]variable_name=value\[cq], +\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]], where the -\[oq]=value\[cq] +.NOP \&=\f\*[I-Font]value\f[] is ignored, and can be omitted, in requests to the server to read variables. The \f\*[B-Font]ntpq\fP -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the \f\*[B-Font]readlist\f[] and \f\*[B-Font]writelist\f[] @@ -165,7 +186,7 @@ The \f\*[B-Font]rmvars\f[] command can be used to remove individual variables from the list, while the -\f\*[B-Font]clearlist\f[] +\f\*[B-Font]clearvars\f[] command removes all variables from the list. The @@ -173,33 +194,29 @@ The command displays the current list of optional variables. .br .ns -.TP 20 -.NOP \f\*[B-Font]authenticate\f[] [yes | no] +.TP 15 +.NOP \f\*[B-Font]authenticate\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]] Normally \f\*[B-Font]ntpq\fP does not authenticate requests unless they are write requests. The command -\[oq]authenticate yes\[cq] +\f\*[B-Font]authenticate\f[] \f\*[B-Font]yes\f[] causes \f\*[B-Font]ntpq\fP to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -\f\*[B-Font]peer\f[] -display. +requests slightly differently. The command -\[oq]authenticate\[cq] +\f\*[B-Font]authenticate\f[] causes \f\*[B-Font]ntpq\fP to display whether or not -\f\*[B-Font]ntpq\fP -is currently autheinticating requests. +it is currently authenticating requests. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]cooked\f[] Causes output from query commands to be "cooked", so that variables which are recognized by @@ -208,19 +225,19 @@ will have their values reformatted for human consumption. Variables which \f\*[B-Font]ntpq\fP -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing \[oq]\&?\[cq]. .br .ns -.TP 20 -.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[] | \f\*[B-Font]less\f[] | \f\*[B-Font]off\f[]] +.TP 15 +.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[]|\f\*[B-Font]less\f[]|\f\*[B-Font]off\f[]] With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. +Otherwise, the debugging level is changed as indicated. .br .ns -.TP 20 -.NOP \f\*[B-Font]delay\f[] \f\*[I-Font]milliseconds\f[] +.TP 15 +.NOP \f\*[B-Font]delay\f[] [\f\*[I-Font]milliseconds\f[]] Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -229,23 +246,33 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +.br +.ns +.TP 15 +.NOP \f\*[B-Font]drefid\f[] [\f\*[B-Font]hash\f[]|\f\*[B-Font]ipv4\f[]] +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]exit\f[] Exit \f\*[B-Font]ntpq\fP. .br .ns -.TP 20 -.NOP \f\*[B-Font]host\f[] \f\*[I-Font]hostname\f[] +.TP 15 +.NOP \f\*[B-Font]host\f[] [\f\*[I-Font]name\f[]] Set the host to which future queries will be sent. -\f\*[I-Font]hostname\f[] +The +\f\*[I-Font]name\f[] may be either a host name or a numeric address. +Without any arguments, displays the current host. .br .ns -.TP 20 -.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[] | \f\*[B-Font]no\f[]] +.TP 15 +.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]] If \f\*[B-Font]yes\f[] is specified, host names are printed in @@ -260,10 +287,12 @@ unless modified using the command line \f\*[B-Font]\-n\f[] switch. +Without any arguments, displays whether host names or numeric addresses +are shown. .br .ns -.TP 20 -.NOP \f\*[B-Font]keyid\f[] \f\*[I-Font]keyid\f[] +.TP 15 +.NOP \f\*[B-Font]keyid\f[] [\f\*[I-Font]keyid\f[]] This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -271,24 +300,26 @@ to the \f\*[B-Font]controlkey\f[] key number the server has been configured to use for this purpose. +Without any arguments, displays the current +\f\*[I-Font]keyid\f[]. .br .ns -.TP 20 -.NOP \f\*[B-Font]keytype\f[] [\f\*[B-Font]md5\f[] | \f\*[B-Font]OpenSSLDigestType\f[]] -Specify the type of key to use for authenticating requests. -\f\*[B-Font]md5\f[] -is alway supported. +.TP 15 +.NOP \f\*[B-Font]keytype\f[] [\f\*[I-Font]digest\f[]] +Specify the digest algorithm to use for authenticating requests, with default +\f\*[B-Font]MD5\f[]. If \f\*[B-Font]ntpq\fP -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +\f\*[I-Font]digest\f[] +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -\f\*[B-Font]keytype\f[] -is displayed. +\f\*[B-Font]keytype\f[] \f\*[I-Font]digest\f[] +algorithm used is displayed. .br .ns -.TP 20 -.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[] | \f\*[B-Font]2\f[] | \f\*[B-Font]3\f[] | \f\*[B-Font]4\f[]] +.TP 15 +.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[]|\f\*[B-Font]2\f[]|\f\*[B-Font]3\f[]|\f\*[B-Font]4\f[]] Sets the NTP version number which \f\*[B-Font]ntpq\fP claims in @@ -301,7 +332,7 @@ With no argument, displays the current NTP version that will be used when communicating with servers. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]passwd\f[] This command prompts you to type in a password (which will not be echoed) which will be used to authenticate configuration @@ -309,22 +340,23 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -.\" Not yet implemented. -.\" .It Ic poll -.\" .Op Ar n -.\" .Op Ic verbose -.\" Poll an NTP server in client mode -.\" .Ar n -.\" times. .br .ns -.TP 20 +.TP 15 +.NOP \f\*[B-Font]poll\f[] [\f\*[I-Font]n\f[]] [\f\*[B-Font]verbose\f[]] +Poll an NTP server in client mode +\f\*[I-Font]n\f[] +times. +Poll not implemented yet. +.br +.ns +.TP 15 .NOP \f\*[B-Font]quit\f[] Exit \f\*[B-Font]ntpq\fP. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]raw\f[] Causes all output from query commands is printed as received from the remote server. @@ -333,130 +365,214 @@ the data is to transform nonascii data into a printable (but barely understandable) form. .br .ns -.TP 20 -.NOP \f\*[B-Font]timeout\f[] \f\*[I-Font]milliseconds\f[] +.TP 15 +.NOP \f\*[B-Font]timeout\f[] [\f\*[I-Font]milliseconds\f[]] Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since \f\*[B-Font]ntpq\fP retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]version\f[] -Print the version of the +Display the version of the \f\*[B-Font]ntpq\fP program. .PP .SS "Control Message Commands" -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the -\f[C]peers\f[] +\f\*[B-Font]peers\f[] command, which sends a series of messages, and the -\f[C]mreadlist\f[] +\f\*[B-Font]mreadlist\f[] and -\f[C]mreadvar\f[] +\f\*[B-Font]mreadvar\f[] commands, which iterate over a range of associations. .TP 10 +.NOP \f\*[B-Font]apeers\f[] +Display a list of peers in the form: +.Dl [tally]remote refid assid st t when pool reach delay offset jitter +where the output is just like the +\f\*[B-Font]peers\f[] +command except that the +\f\*[B-Font]refid\f[] +is displayed in hex format and the association number is also displayed. +.br +.ns +.TP 10 .NOP \f\*[B-Font]associations\f[] Display a list of mobilized associations in the form: .Dl ind assid status conf reach auth condition last_event cnt .RS .IP \fB\(bu\fP 2 -.IP \fB\(bu\fP 2 \f[C]ind\f[] \f[C]Ta\f[] \f[C]index\f[] \f[C]on\f[] \f[C]this\f[] \f[C]list\f[] -.IP \fB\(bu\fP 2 \f[C]assid\f[] \f[C]Ta\f[] \f[C]association\f[] \f[C]ID\f[] -.IP \fB\(bu\fP 2 \f[C]status\f[] \f[C]Ta\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word\f[] -.IP \fB\(bu\fP 2 \f[C]conf\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]persistent,\f[] \f[C]no\f[]: \f[C]ephemeral\f[] -.IP \fB\(bu\fP 2 \f[C]reach\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]reachable,\f[] \f[C]no\f[]: \f[C]unreachable\f[] -.IP \fB\(bu\fP 2 \f[C]auth\f[] \f[C]Ta\f[] \f[C]ok\f[], \f[C]yes\f[], \f[C]bad\f[] \f[C]and\f[] \f[C]none\f[] -.IP \fB\(bu\fP 2 \f[C]condition\f[] \f[C]Ta\f[] \f[C]selection\f[] \f[C]status\f[] \f[C](see\f[] \f[C]the\f[] \f[C]select\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[] -.IP \fB\(bu\fP 2 \f[C]last_event\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]report\f[] \f[C](see\f[] \f[C]the\f[] \f[C]event\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[] -.IP \fB\(bu\fP 2 \f[C]cnt\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]count\f[] \f[C](see\f[] \f[C]the\f[] \f[C]count\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]ind\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]index\f[] \f\*[B-Font]on\f[] \f\*[B-Font]this\f[] \f\*[B-Font]list\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]assid\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]association\f[] \f\*[B-Font]id\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]status\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]conf\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]persistent,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]ephemeral\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]reach\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]reachable,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]unreachable\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]auth\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]ok\f[], \f\*[B-Font]yes\f[], \f\*[B-Font]bad\f[] \f\*[B-Font]No\f[] \f\*[B-Font]and\f[] \f\*[B-Font]none\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]condition\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]selection\f[] \f\*[B-Font]status\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]select\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]last_event\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]report\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]event\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]cnt\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]count\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]count\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[] .RE .br .ns .TP 10 .NOP \f\*[B-Font]authinfo\f[] -Display the authentication statistics. +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]clocklist\f[] [\f\*[I-Font]associd\f[]] .br .ns .TP 10 -.NOP \f\*[B-Font]clockvar\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...] +.NOP \f\*[B-Font]cl\f[] [\f\*[I-Font]associd\f[]] +Display all clock variables in the variable list for those associations +supporting a reference clock. .br .ns .TP 10 -.NOP \f\*[B-Font]cv\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...] -Display a list of clock variables for those associations supporting a reference clock. +.NOP \f\*[B-Font]clockvar\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...] .br .ns .TP 10 -.NOP \f\*[B-Font]:config\f[] [...] -Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. +.NOP \f\*[B-Font]cv\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...] +Display a list of clock variables for those associations supporting a +reference clock. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]:config\f[] \f\*[I-Font]configuration command line\f[] +Send the remainder of the command line, including whitespace, to the +server as a run-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. .br .ns .TP 10 .NOP \f\*[B-Font]config-from-file\f[] \f\*[I-Font]filename\f[] -Send the each line of +Send each line of \f\*[I-Font]filename\f[] -to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. .br .ns .TP 10 .NOP \f\*[B-Font]ifstats\f[] -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. .br .ns .TP 10 .NOP \f\*[B-Font]iostats\f[] -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. .br .ns .TP 10 .NOP \f\*[B-Font]kerninfo\f[] -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. .br .ns .TP 10 .NOP \f\*[B-Font]lassociations\f[] -Perform the same function as the associations command, except display mobilized and unmobilized associations. +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. .br .ns .TP 10 -.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]] -Obtain and print a list of all peers and clients showing -\f\*[I-Font]dstadr\f[] -(associated with any given IP version). +.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]] +Display a list of all peers and clients showing +\f\*[B-Font]dstadr\f[] +(associated with the given IP version). .br .ns .TP 10 -.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]] -Print a peer spreadsheet for the appropriate IP version(s). -\f\*[I-Font]dstadr\f[] -(associated with any given IP version). +.NOP \f\*[B-Font]lpassociations\f[] +Display the last obtained list of associations, including all clients. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]] +Display a list of all peers and clients (associated with the given IP version). .br .ns .TP 10 .NOP \f\*[B-Font]monstats\f[] -Display monitor facility statistics. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mreadlist\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mrl\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] +Perform the same function as the +\f\*[B-Font]readlist\f[] +command for a range of association ids. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mreadvar\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...] +This range may be determined from the list displayed by any +command showing associations. .br .ns .TP 10 -.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]=\f\*[I-Font]hexmask\f[]] -Obtain and print traffic counts collected and maintained by the monitor facility. +.NOP \f\*[B-Font]mrv\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...] +Perform the same function as the +\f\*[B-Font]readvar\f[] +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]\&=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]\&=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]\&=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]\&=\f\*[I-Font]hexmask\f[]] +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -\f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[], +\f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[], the options filter the list returned by -\f\*[B-Font]ntpd.\f[] +\fCntpd\f[]\fR(8)\f[]. The \f\*[B-Font]limited\f[] and \f\*[B-Font]kod\f[] -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The \f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[] option filters entries representing less than @@ -477,12 +593,14 @@ The \f\*[I-Font]sortorder\f[] defaults to \f\*[B-Font]lstint\f[] -and may be any of +and may be \f\*[B-Font]addr\f[], -\f\*[B-Font]count\f[], \f\*[B-Font]avgint\f[], +\f\*[B-Font]count\f[], \f\*[B-Font]lstint\f[], -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +\[oq]\&-\[cq] +to reverse the sort order. The output columns are: .RS .TP 10 @@ -492,7 +610,8 @@ Description .ns .TP 10 .NOP \f\*[B-Font]lstint\f[] -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by \f\*[B-Font]ntpq\fP. .br .ns @@ -506,7 +625,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching \f\*[B-Font]restrict\f[] -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. .br .ns .TP 10 @@ -542,32 +662,18 @@ Source port of last packet from this address. .ns .TP 10 .NOP \f\*[B-Font]remote\f[] \f\*[B-Font]address\f[] -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. .RE .br .ns .TP 10 -.NOP \f\*[B-Font]mreadvar\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ... -.br -.ns -.TP 10 -.NOP \f\*[B-Font]mrv\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ... -Perform the same function as the -\f\*[B-Font]readvar\f[] -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -\f\*[B-Font]associations\f[] -command. -.br -.ns -.TP 10 .NOP \f\*[B-Font]opeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]] Obtain and print the old-style list of all peers and clients showing -\f\*[I-Font]dstadr\f[] -(associated with any given IP version), +\f\*[B-Font]dstadr\f[] +(associated with the given IP version), rather than the -\f\*[I-Font]refid\f[]. +\f\*[B-Font]refid\f[]. .br .ns .TP 10 @@ -599,22 +705,24 @@ field of the .TP 10 .NOP \f\*[B-Font]remote\f[] host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +\f\*[B-Font]ntpq\fP \f\*[B-Font]\-w\f[] -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. .br .ns .TP 10 .NOP \f\*[B-Font]refid\f[] -association ID or +source IP address or .Lk decode.html#kiss "'kiss code" .br .ns .TP 10 .NOP \f\*[B-Font]st\f[] -stratum +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks .br .ns .TP 10 @@ -623,6 +731,8 @@ stratum unicast or manycast client, \f\*[B-Font]b\f[]: broadcast or multicast client, +\f\*[B-Font]p\f[]: +pool source, \f\*[B-Font]l\f[]: local (reference clock), \f\*[B-Font]s\f[]: @@ -637,12 +747,15 @@ multicast server .ns .TP 10 .NOP \f\*[B-Font]when\f[] -sec/min/hr since last received packet +time in seconds, minutes, hours, or days since the last packet +was received, or +\[oq]\&-\[cq] +if a packet has never been received .br .ns .TP 10 .NOP \f\*[B-Font]poll\f[] -poll interval (log2 s) +poll interval (s) .br .ns .TP 10 @@ -662,143 +775,159 @@ offset of server relative to this host .ns .TP 10 .NOP \f\*[B-Font]jitter\f[] -jitter +offset RMS error estimate. .RE .br .ns .TP 10 -.NOP \f\*[B-Font]apeers\f[] -Display a list of peers in the form: -.Dl [tally]remote refid assid st t when pool reach delay offset jitter -where the output is just like the -\f\*[B-Font]peers\f[] -command except that the -\f\*[B-Font]refid\f[] -is displayed in hex format and the association number is also displayed. -.br -.ns -.TP 10 -.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]assocID\f[] -Show the statistics for the peer with the given -\f\*[I-Font]assocID\f[]. +.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]associd\f[] +Display the statistics for the peer with the given +\f\*[I-Font]associd\f[]: +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. .br .ns .TP 10 -.NOP \f\*[B-Font]readlist\f[] \f\*[I-Font]assocID\f[] +.NOP \f\*[B-Font]readlist\f[] [\f\*[I-Font]associd\f[]] .br .ns .TP 10 -.NOP \f\*[B-Font]rl\f[] \f\*[I-Font]assocID\f[] -Read the system or peer variables included in the variable list. +.NOP \f\*[B-Font]rl\f[] [\f\*[I-Font]associd\f[]] +Display all system or peer variables. +If the +\f\*[I-Font]associd\f[] +is omitted, it is assumed to be zero. .br .ns .TP 10 -.NOP \f\*[B-Font]readvar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...] +.NOP \f\*[B-Font]readvar\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]] .br .ns .TP 10 -.NOP \f\*[B-Font]rv\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...] -Display the specified variables. +.NOP \f\*[B-Font]rv\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]] +Display the specified system or peer variables. If -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is zero, the variables are from the \fISystem\f[] \fIVariables\f[] name space, otherwise they are from the \fIPeer\f[] \fIVariables\f[] name space. The -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is required, as the same name can occur in both spaces. If no \f\*[I-Font]name\f[] is included, all operative variables in the name space are displayed. In this case only, if the -\f\*[I-Font]assocID\f[] -is omitted, it is assumed zero. +\f\*[I-Font]associd\f[] +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +\f\*[I-Font]YYYY\f[]\f\*[I-Font]MM\f[] \f\*[I-Font]DD\f[] \f\*[I-Font]TTTT\f[], +where +\f\*[I-Font]YYYY\f[] +is the year, +\f\*[I-Font]MM\f[] +the month of year, +\f\*[I-Font]DD\f[] +the day of month and +\f\*[I-Font]TTTT\f[] +the time of day. .br .ns .TP 10 .NOP \f\*[B-Font]reslist\f[] -Show the access control (restrict) list for +Display the access control (restrict) list for \f\*[B-Font]ntpq\fP. +Authentication is required. .br .ns .TP 10 .NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[] -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by \f\*[B-Font]:config\f[] or \f\*[B-Font]config-from-file\f[], -to the ntpd host's file +to the NTP server host file \f\*[I-Font]filename\f[]. This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -\f\*[B-Font]ntpd\f[] +\fCntpd\f[]\fR(8)\f[] configuration file. \f\*[I-Font]filename\f[] can use -\fCstrftime\f[]\fR()\f[] -format specifies to substitute the current date and time, for example, -\f\*[B-Font]q]saveconfig\f[] \f\*[B-Font]ntp-%Y%m%d-%H%M%S.confq]\f[]. +\fCdate\f[]\fR(1)\f[] +format specifiers to substitute the current date and time, for +example, +.in +4 +\f\*[B-Font]saveconfig\f[] \fIntp-%Y%m%d-%H%M%S.conf\f[]. +.in -4 The filename used is stored in system variable \f\*[B-Font]savedconfig\f[]. Authentication is required. .br .ns .TP 10 +.NOP \f\*[B-Font]sysinfo\f[] +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]sysstats\f[] +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. +.br +.ns +.TP 10 .NOP \f\*[B-Font]timerstats\f[] -Display interval timer counters. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. .br .ns .TP 10 -.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]assocID\f[] -Write the system or peer variables included in the variable list. +.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]associd\f[] +Set all system or peer variables included in the variable list. .br .ns .TP 10 -.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...] -Write the specified variables. +.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]associd\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...] +Set the specified variables in the variable list. If the -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is zero, the variables are from the \fISystem\f[] \fIVariables\f[] name space, otherwise they are from the \fIPeer\f[] \fIVariables\f[] name space. The -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is required, as the same name can occur in both spaces. -.br -.ns -.TP 10 -.NOP \f\*[B-Font]sysinfo\f[] -Display operational summary. -.br -.ns -.TP 10 -.NOP \f\*[B-Font]sysstats\f[] -Print statistics counters maintained in the protocol module. +Authentication is required. .PP .SS Status Words and Kiss Codes The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per-association basis. -These words are displayed in the -\f\*[B-Font]rv\f[] +These words are displayed by the +\f\*[B-Font]readlist\f[] and -\f\*[B-Font]as\f[] +\f\*[B-Font]associations\f[] commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -817,9 +946,12 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards. .SS System Variables The following system variables appear in the -\f\*[B-Font]rv\f[] +\f\*[B-Font]readlist\f[] billboard. Not all variables are displayed in some configurations. +.sp \n(Ppu +.ne 2 + .TP 10 .NOP Variable Description @@ -871,49 +1003,49 @@ total dispersion to the primary reference clock .br .ns .TP 10 -.NOP \f\*[B-Font]peer\f[] -system peer association ID +.NOP \f\*[B-Font]refid\f[] +reference id or +.Lk decode.html#kiss "kiss code" .br .ns .TP 10 -.NOP \f\*[B-Font]tc\f[] -time constant and poll exponent (log2 s) (3-17) +.NOP \f\*[B-Font]reftime\f[] +reference time .br .ns .TP 10 -.NOP \f\*[B-Font]mintc\f[] -minimum time constant (log2 s) (3-10) +.NOP \f\*[B-Font]clock\f[] +date and time of day .br .ns .TP 10 -.NOP \f\*[B-Font]clock\f[] -date and time of day +.NOP \f\*[B-Font]peer\f[] +system peer association id .br .ns .TP 10 -.NOP \f\*[B-Font]refid\f[] -reference ID or -.Lk decode.html#kiss "kiss code" +.NOP \f\*[B-Font]tc\f[] +time constant and poll exponent (log2 s) (3-17) .br .ns .TP 10 -.NOP \f\*[B-Font]reftime\f[] -reference time +.NOP \f\*[B-Font]mintc\f[] +minimum time constant (log2 s) (3-10) .br .ns .TP 10 .NOP \f\*[B-Font]offset\f[] -combined offset of server relative to this host +combined offset of server relative to this host .br .ns .TP 10 -.NOP \f\*[B-Font]sys_jitter\f[] -combined system jitter +.NOP \f\*[B-Font]frequency\f[] +frequency drift (PPM) relative to hardware clock .br .ns .TP 10 -.NOP \f\*[B-Font]frequency\f[] -frequency offset (PPM) relative to hardware clock +.NOP \f\*[B-Font]sys_jitter\f[] +combined system jitter .br .ns .TP 10 @@ -996,9 +1128,12 @@ NTP seconds when the certificate expires .PP .SS Peer Variables The following peer variables appear in the -\f\*[B-Font]rv\f[] +\f\*[B-Font]readlist\f[] billboard for each association. Not all variables are displayed in some configurations. +.sp \n(Ppu +.ne 2 + .TP 10 .NOP Variable Description @@ -1006,7 +1141,7 @@ Description .ns .TP 10 .NOP \f\*[B-Font]associd\f[] -association ID +association id .br .ns .TP 10 @@ -1061,7 +1196,7 @@ total root dispersion to the primary reference clock .ns .TP 10 .NOP \f\*[B-Font]refid\f[] -reference ID or +reference id or .Lk decode.html#kiss "kiss code" .br .ns @@ -1071,6 +1206,11 @@ reference time .br .ns .TP 10 +.NOP \f\*[B-Font]rec\f[] +last packet received time +.br +.ns +.TP 10 .NOP \f\*[B-Font]reach\f[] reach register (octal) .br @@ -1112,6 +1252,11 @@ headway (see .br .ns .TP 10 +.NOP \f\*[B-Font]keyid\f[] +symmetric key id +.br +.ns +.TP 10 .NOP \f\*[B-Font]offset\f[] filter offset .br @@ -1132,11 +1277,6 @@ filter jitter .br .ns .TP 10 -.NOP \f\*[B-Font]ident\f[] -Autokey group name for this association -.br -.ns -.TP 10 .NOP \f\*[B-Font]bias\f[] unicast/broadcast bias .br @@ -1150,7 +1290,8 @@ The \f\*[B-Font]bias\f[] variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The \f\*[B-Font]xleave\f[] variable appears only for the interleaved symmetric and interleaved modes. @@ -1188,7 +1329,7 @@ OpenSSL digest/signature scheme .ns .TP 10 .NOP \f\*[B-Font]initsequence\f[] -initial key ID +initial key id .br .ns .TP 10 @@ -1199,10 +1340,15 @@ initial key index .TP 10 .NOP \f\*[B-Font]timestamp\f[] Autokey signature timestamp +.br +.ns +.TP 10 +.NOP \f\*[B-Font]ident\f[] +Autokey group name for this association .PP .SS Clock Variables The following clock variables appear in the -\f\*[B-Font]cv\f[] +\f\*[B-Font]clocklist\f[] billboard for each association with a reference clock. Not all variables are displayed in some configurations. .TP 10 @@ -1212,7 +1358,7 @@ Description .ns .TP 10 .NOP \f\*[B-Font]associd\f[] -association ID +association id .br .ns .TP 10 @@ -1267,7 +1413,7 @@ driver stratum .ns .TP 10 .NOP \f\*[B-Font]refid\f[] -driver reference ID +driver reference id .br .ns .TP 10 @@ -1277,19 +1423,19 @@ driver flags .SH "OPTIONS" .TP .NOP \f\*[B-Font]\-4\f[], \f\*[B-Font]\-\-ipv4\f[] -Force IPv4 DNS name resolution. +Force IPv4 name resolution. This option must not appear in combination with any of the following options: ipv6. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv4 namespace. .TP .NOP \f\*[B-Font]\-6\f[], \f\*[B-Font]\-\-ipv6\f[] -Force IPv6 DNS name resolution. +Force IPv6 name resolution. This option must not appear in combination with any of the following options: ipv4. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv6 namespace. .TP .NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]cmd\f[], \f\*[B-Font]\-\-command\f[]=\f\*[I-Font]cmd\f[] @@ -1324,7 +1470,7 @@ commands read from the standard input. numeric host addresses. .sp Output all host addresses in dotted-quad numeric format rather than -converting to the canonical host names. +converting to the canonical host names. .TP .NOP \f\*[B-Font]\-\-old\-rv\f[] Always output status line with readvar. diff --git a/contrib/ntp/ntpq/ntpq.1ntpqmdoc b/contrib/ntp/ntpq/ntpq.1ntpqmdoc index 6badce0..1d801e9 100644 --- a/contrib/ntp/ntpq/ntpq.1ntpqmdoc +++ b/contrib/ntp/ntpq/ntpq.1ntpqmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPQ 1ntpqmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:31 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:28 PM by AutoGen 5.18.5 .\" From the definitions ntpq-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -18,15 +18,12 @@ [ host ...] .Pp .Sh DESCRIPTION +.Pp The .Nm -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -37,6 +34,7 @@ The utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. +.Pp If one or more request options is included on the command line when .Nm @@ -54,6 +52,7 @@ The .Nm utility will prompt for commands if the standard input is a terminal device. +.Pp .Nm uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on @@ -67,6 +66,17 @@ utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. +.Pp +Note that in contexts where a host name is expected, a +.Fl 4 +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +.Fl 6 +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +.Dq NTP Debugging Techniques +page. +.Pp Specifying a command line option other than .Fl i @@ -80,51 +90,46 @@ Otherwise, will attempt to read interactive format commands from the standard input. .Ss "Internal Commands" +.Pp Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. +.Pp A number of interactive format commands are executed entirely within the .Nm -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. -.Bl -tag -width "? [command_keyword]" -compact -offset indent -.It Ic ? Op Ar command_keyword -.It Ic help Op Ar command_keyword +.Bl -tag -width "help [command]" -compact -offset indent +.It Ic ? Op Ar command +.It Ic help Op Ar command A .Ql \&? -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to .Nm . A .Ql \&? -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -.Nm -than this manual -page. -.It Ic addvars Ar variable_name Ns Xo Op Ic =value -.Ic ... -.Xc -.It Ic rmvars Ar variable_name Ic ... +.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,... +.It Ic rmvars Ar name Ns Op ,... .It Ic clearvars .It Ic showvars -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -.Ql variable_name=value , +.Ar name Ns Op \&= Ns Ar value , where the -.Ql =value +.No \&= Ns Ar value is ignored, and can be omitted, in requests to the server to read variables. The .Nm -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the .Ic readlist and .Ic writelist @@ -139,35 +144,31 @@ The .Ic rmvars command can be used to remove individual variables from the list, while the -.Ic clearlist +.Ic clearvars command removes all variables from the list. The .Ic showvars command displays the current list of optional variables. -.It Ic authenticate Op yes | no +.It Ic authenticate Op Cm yes Ns | Ns Cm no Normally .Nm does not authenticate requests unless they are write requests. The command -.Ql authenticate yes +.Ic authenticate Cm yes causes .Nm to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -.Ic peer -display. +requests slightly differently. The command -.Ql authenticate +.Ic authenticate causes .Nm to display whether or not -.Nm -is currently autheinticating requests. +it is currently authenticating requests. .It Ic cooked Causes output from query commands to be "cooked", so that variables which are recognized by @@ -176,20 +177,13 @@ will have their values reformatted for human consumption. Variables which .Nm -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing .Ql \&? . -.It Xo -.Ic debug -.Oo -.Cm more | -.Cm less | -.Cm off -.Oc -.Xc +.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. -.It Ic delay Ar milliseconds +Otherwise, the debugging level is changed as indicated. +.It Ic delay Op Ar milliseconds Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -198,14 +192,21 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +.It Ic drefid Op Cm hash Ns | Ns Cm ipv4 +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. .It Ic exit Exit .Nm . -.It Ic host Ar hostname +.It Ic host Op Ar name Set the host to which future queries will be sent. -.Ar hostname +The +.Ar name may be either a host name or a numeric address. -.It Ic hostnames Op Cm yes | Cm no +Without any arguments, displays the current host. +.It Ic hostnames Op Cm yes Ns | Ns Cm no If .Cm yes is specified, host names are printed in @@ -220,7 +221,9 @@ unless modified using the command line .Fl n switch. -.It Ic keyid Ar keyid +Without any arguments, displays whether host names or numeric addresses +are shown. +.It Ic keyid Op Ar keyid This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -228,28 +231,20 @@ to the .Cm controlkey key number the server has been configured to use for this purpose. -.It Ic keytype Xo Oo -.Cm md5 | -.Cm OpenSSLDigestType -.Oc -.Xc -Specify the type of key to use for authenticating requests. -.Cm md5 -is alway supported. +Without any arguments, displays the current +.Ar keyid . +.It Ic keytype Op Ar digest +Specify the digest algorithm to use for authenticating requests, with default +.Cm MD5 . If .Nm -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +.Ar digest +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -.Ic keytype -is displayed. -.It Ic ntpversion Xo Oo -.Cm 1 | -.Cm 2 | -.Cm 3 | -.Cm 4 -.Oc -.Xc +.Ic keytype Ar digest +algorithm used is displayed. +.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4 Sets the NTP version number which .Nm claims in @@ -267,13 +262,11 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -.\" Not yet implemented. -.\" .It Ic poll -.\" .Op Ar n -.\" .Op Ic verbose -.\" Poll an NTP server in client mode -.\" .Ar n -.\" times. +.It Ic poll Oo Ar n Oc Op Cm verbose +Poll an NTP server in client mode +.Ar n +times. +Poll not implemented yet. .It Ic quit Exit .Nm . @@ -283,95 +276,150 @@ from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. -.It Ic timeout Ar milliseconds +.It Ic timeout Op Ar milliseconds Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since .Nm retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. .It Ic version -Print the version of the +Display the version of the .Nm program. .El .Ss "Control Message Commands" -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode\-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the -.Li peers +.Ic peers command, which sends a series of messages, and the -.Li mreadlist +.Ic mreadlist and -.Li mreadvar +.Ic mreadvar commands, which iterate over a range of associations. .Bl -tag -width "something" -compact -offset indent -.It Cm associations +.It Ic apeers +Display a list of peers in the form: +.Dl [tally]remote refid assid st t when pool reach delay offset jitter +where the output is just like the +.Ic peers +command except that the +.Cm refid +is displayed in hex format and the association number is also displayed. +.It Ic associations Display a list of mobilized associations in the form: .Dl ind assid status conf reach auth condition last_event cnt -.Bl -column -offset indent ".Sy Variable" ".Sy Description" -.It Sy String Ta Sy Description -.It Li ind Ta index on this list -.It Li assid Ta association ID -.It Li status Ta peer status word -.It Li conf Ta Li yes : persistent, Li no : ephemeral -.It Li reach Ta Li yes : reachable, Li no : unreachable -.It Li auth Ta Li ok , Li yes , Li bad and Li none -.It Li condition Ta selection status (see the Li select field of the peer status word) -.It Li last_event Ta event report (see the Li event field of the peer status word) -.It Li cnt Ta event count (see the Li count field of the peer status word) +.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word" +.It Sy Variable Ta Sy Description +.It Cm ind Ta index on this list +.It Cm assid Ta association id +.It Cm status Ta peer status word +.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral +.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable +.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none +.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&) +.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&) +.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&) .El -.It Cm authinfo -Display the authentication statistics. -.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -Display a list of clock variables for those associations supporting a reference clock. -.It Cm :config Op ... -Send the remainder of the command line, including whitespace, to the server as a run\-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -.It Cm config\-from\-file Ar filename -Send the each line of +.It Ic authinfo +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +.It Ic clocklist Op Ar associd +.It Ic cl Op Ar associd +Display all clock variables in the variable list for those associations +supporting a reference clock. +.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +Display a list of clock variables for those associations supporting a +reference clock. +.It Ic :config Ar "configuration command line" +Send the remainder of the command line, including whitespace, to the +server as a run\-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. +.It Ic config\-from\-file Ar filename +Send each line of .Ar filename -to the server as run\-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run\-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. .It Ic ifstats -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. .It Ic iostats -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. .It Ic kerninfo -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. .It Ic lassociations -Perform the same function as the associations command, except display mobilized and unmobilized associations. -.It Ic lopeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc -Obtain and print a list of all peers and clients showing -.Ar dstadr -(associated with any given IP version). -.It Ic lpeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc -Print a peer spreadsheet for the appropriate IP version(s). -.Ar dstadr -(associated with any given IP version). +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. +.It Ic lopeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients showing +.Cm dstadr +(associated with the given IP version). +.It Ic lpassociations +Display the last obtained list of associations, including all clients. +.It Ic lpeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients (associated with the given IP version). .It Ic monstats -Display monitor facility statistics. -.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc -Obtain and print traffic counts collected and maintained by the monitor facility. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +.It Ic mreadlist Ar associdlo Ar associdhi +.It Ic mrl Ar associdlo Ar associdhi +Perform the same function as the +.Ic readlist +command for a range of association ids. +.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +This range may be determined from the list displayed by any +command showing associations. +.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +Perform the same function as the +.Ic readvar +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count | +.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder | +.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc +.Xc +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -.Cm sort Ns = Ns Ar sortorder , +.Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder , the options filter the list returned by -.Cm ntpd. +.Xr ntpd 8 . The .Cm limited and .Cm kod -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The .Cm mincount Ns = Ns Ar count option filters entries representing less than @@ -392,18 +440,21 @@ The .Ar sortorder defaults to .Cm lstint -and may be any of +and may be .Cm addr , -.Cm count , .Cm avgint , +.Cm count , .Cm lstint , -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +.Ql \&\- +to reverse the sort order. The output columns are: .Bl -tag -width "something" -compact -offset indent .It Column Description .It Ic lstint -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by .Nm . .It Ic avgint Average interval in s between packets from this address. @@ -411,7 +462,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching .Ic restrict -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. .It Ic r Rate control indicator, either a period, @@ -429,27 +481,15 @@ Packets received from this address. .It Ic rport Source port of last packet from this address. .It Ic remote address -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. .El -.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -Perform the same function as the -.Ic readvar -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -.Ic associations -command. -.It Ic opeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc +.It Ic opeers Op Fl 4 | Fl 6 Obtain and print the old\-style list of all peers and clients showing -.Ar dstadr -(associated with any given IP version), +.Cm dstadr +(associated with the given IP version), rather than the -.Ar refid . +.Cm refid . .It Ic passociations Perform the same function as the .Ic associations @@ -461,28 +501,32 @@ Display a list of peers in the form: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic [tally] +.It Cm [tally] single\-character code indicating current value of the .Ic select field of the .Lk decode.html#peer "peer status word" -.It Ic remote +.It Cm remote host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +.Nm .Fl w -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. -.It Ic refid -association ID or +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. +.It Cm refid +source IP address or .Lk decode.html#kiss "'kiss code" -.It Ic st -stratum -.It Ic t +.It Cm st +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks +.It Cm t .Ic u : unicast or manycast client, .Ic b : broadcast or multicast client, +.Ic p : +pool source, .Ic l : local (reference clock), .Ic s : @@ -493,115 +537,135 @@ manycast server, broadcast server, .Ic M : multicast server -.It Ic when -sec/min/hr since last received packet -.It Ic poll -poll interval (log2 s) -.It Ic reach +.It Cm when +time in seconds, minutes, hours, or days since the last packet +was received, or +.Ql \&\- +if a packet has never been received +.It Cm poll +poll interval (s) +.It Cm reach reach shift register (octal) -.It Ic delay +.It Cm delay roundtrip delay -.It Ic offset +.It Cm offset offset of server relative to this host -.It Ic jitter -jitter +.It Cm jitter +offset RMS error estimate. .El -.It Ic apeers -Display a list of peers in the form: -.Dl [tally]remote refid assid st t when pool reach delay offset jitter -where the output is just like the -.Ic peers -command except that the -.Ic refid -is displayed in hex format and the association number is also displayed. -.It Ic pstats Ar assocID -Show the statistics for the peer with the given -.Ar assocID . -.It Ic readlist Ar assocID -.It Ic rl Ar assocID -Read the system or peer variables included in the variable list. -.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -Display the specified variables. +.It Ic pstats Ar associd +Display the statistics for the peer with the given +.Ar associd : +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. +.It Ic readlist Op Ar associd +.It Ic rl Op Ar associd +Display all system or peer variables. +If the +.Ar associd +is omitted, it is assumed to be zero. +.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +Display the specified system or peer variables. If -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. If no .Ar name is included, all operative variables in the name space are displayed. In this case only, if the -.Ar assocID -is omitted, it is assumed zero. +.Ar associd +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts\-per\-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +.Ar YYYY Ns Ar MM Ar DD Ar TTTT , +where +.Ar YYYY +is the year, +.Ar MM +the month of year, +.Ar DD +the day of month and +.Ar TTTT +the time of day. .It Ic reslist -Show the access control (restrict) list for +Display the access control (restrict) list for .Nm . +Authentication is required. .It Ic saveconfig Ar filename -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by .Ic :config or .Ic config\-from\-file , -to the ntpd host's file +to the NTP server host file .Ar filename . This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -.Ic ntpd +.Xr ntpd 8 configuration file. .Ar filename can use -.Xr strftime -format specifies to substitute the current date and time, for example, -.Ic q]saveconfig ntp\-%Y%m%d\-%H%M%S.confq] . +.Xr date 1 +format specifiers to substitute the current date and time, for +example, +.D1 Ic saveconfig Pa ntp\-%Y%m%d\-%H%M%S.conf . The filename used is stored in system variable -.Ic savedconfig . +.Cm savedconfig . Authentication is required. +.It Ic sysinfo +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +.It Ic sysstats +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. .It Ic timerstats -Display interval timer counters. -.It Ic writelist Ar assocID -Write the system or peer variables included in the variable list. -.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ... -Write the specified variables. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. +.It Ic writelist Ar associd +Set all system or peer variables included in the variable list. +.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ... +Set the specified variables in the variable list. If the -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. -.It Ic sysinfo -Display operational summary. -.It Ic sysstats -Print statistics counters maintained in the protocol module. +Authentication is required. .El .Ss Status Words and Kiss Codes The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per\-association basis. -These words are displayed in the -.Ic rv +These words are displayed by the +.Ic readlist and -.Ic as +.Ic associations commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -618,58 +682,59 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards. .Ss System Variables The following system variables appear in the -.Ic rv +.Ic readlist billboard. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic status +.It Cm status .Lk decode.html#sys "system status word" -.It Ic version +.It Cm version NTP software version and build time -.It Ic processor +.It Cm processor hardware platform and version -.It Ic system +.It Cm system operating system and version -.It Ic leap +.It Cm leap leap warning indicator (0\-3) -.It Ic stratum +.It Cm stratum stratum (1\-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total dispersion to the primary reference clock -.It Ic peer -system peer association ID -.It Ic tc -time constant and poll exponent (log2 s) (3\-17) -.It Ic mintc -minimum time constant (log2 s) (3\-10) -.It Ic clock -date and time of day -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic offset -combined offset of server relative to this host -.It Ic sys_jitter +.It Ic clock +date and time of day +.It Cm peer +system peer association id +.It Cm tc +time constant and poll exponent (log2 s) (3\-17) +.It Cm mintc +minimum time constant (log2 s) (3\-10) +.It Cm offset +combined offset of server relative to this host +.It Cm frequency +frequency drift (PPM) relative to hardware clock +.It Cm sys_jitter combined system jitter -.It Ic frequency -frequency offset (PPM) relative to hardware clock -.It Ic clk_wander +.It Cm clk_wander clock frequency wander (PPM) -.It Ic clk_jitter +.It Cm clk_jitter clock jitter -.It Ic tai +.It Cm tai TAI\-UTC offset (s) -.It Ic leapsec +.It Cm leapsec NTP seconds when the next leap second is/was inserted -.It Ic expire +.It Cm expire NTP seconds when the NIST leapseconds file expires .El The jitter and wander statistics are exponentially\-weighted RMS averages. @@ -683,98 +748,102 @@ depending on the particular Autokey dance: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic host +.It Cm host Autokey host name for this host -.It Ic ident +.It Cm ident Autokey group name for this host -.It Ic flags +.It Cm flags host flags (see Autokey specification) -.It Ic digest +.It Cm digest OpenSSL message digest algorithm -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic update +.It Cm update NTP seconds at last signature update -.It Ic cert +.It Cm cert certificate subject, issuer and certificate flags -.It Ic until +.It Cm until NTP seconds when the certificate expires .El .Ss Peer Variables The following peer variables appear in the -.Ic rv +.Ic readlist billboard for each association. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#peer "peer status word" -.It Ic srcadr +.It Cm srcadr source (remote) IP address -.It Ic srcport +.It Cm srcport source (remote) port -.It Ic dstadr +.It Cm dstadr destination (local) IP address -.It Ic dstport +.It Cm dstport destination (local) port -.It Ic leap +.It Cm leap leap indicator (0\-3) -.It Ic stratum +.It Cm stratum stratum (0\-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total root dispersion to the primary reference clock -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic reach +.It Cm rec +last packet received time +.It Cm reach reach register (octal) -.It Ic unreach +.It Cm unreach unreach counter -.It Ic hmode +.It Cm hmode host mode (1\-6) -.It Ic pmode +.It Cm pmode peer mode (1\-5) -.It Ic hpoll +.It Cm hpoll host poll exponent (log2 s) (3\-17) -.It Ic ppoll +.It Cm ppoll peer poll exponent (log2 s) (3\-17) -.It Ic headway +.It Cm headway headway (see .Lk rate.html "Rate Management and the Kiss\-o'\-Death Packet" ) -.It Ic flash +.It Cm flash .Lk decode.html#flash "flash status word" -.It Ic offset +.It Cm keyid +symmetric key id +.It Cm offset filter offset -.It Ic delay +.It Cm delay filter delay -.It Ic dispersion +.It Cm dispersion filter dispersion -.It Ic jitter +.It Cm jitter filter jitter -.It Ic ident -Autokey group name for this association -.It Ic bias +.It Cm bias unicast/broadcast bias -.It Ic xleave +.It Cm xleave interleave delay (see .Lk xleave.html "NTP Interleaved Modes" ) .El The -.Ic bias +.Cm bias variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The -.Ic xleave +.Cm xleave variable appears only for the interleaved symmetric and interleaved modes. It represents the internal queuing, buffering and transmission delays for the preceding packet. @@ -784,71 +853,73 @@ additional peer variables are displayed, including the following: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic host +.It Cm host Autokey server name -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic initsequence -initial key ID -.It Ic initkey +.It Cm initsequence +initial key id +.It Cm initkey initial key index -.It Ic timestamp +.It Cm timestamp Autokey signature timestamp +.It Cm ident +Autokey group name for this association .El .Ss Clock Variables The following clock variables appear in the -.Ic cv +.Ic clocklist billboard for each association with a reference clock. Not all variables are displayed in some configurations. .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#clock "clock status word" -.It Ic device +.It Cm device device description -.It Ic timecode +.It Cm timecode ASCII time code string (specific to device) -.It Ic poll +.It Cm poll poll messages sent -.It Ic noreply +.It Cm noreply no reply -.It Ic badformat +.It Cm badformat bad format -.It Ic baddata +.It Cm baddata bad date or time -.It Ic fudgetime1 +.It Cm fudgetime1 fudge time 1 -.It Ic fudgetime2 +.It Cm fudgetime2 fudge time 2 -.It Ic stratum +.It Cm stratum driver stratum -.It Ic refid -driver reference ID -.It Ic flags +.It Cm refid +driver reference id +.It Cm flags driver flags .El .Sh "OPTIONS" .Bl -tag .It Fl 4 , Fl \-ipv4 -Force IPv4 DNS name resolution. +Force IPv4 name resolution. This option must not appear in combination with any of the following options: ipv6. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv4 namespace. .It Fl 6 , Fl \-ipv6 -Force IPv6 DNS name resolution. +Force IPv6 name resolution. This option must not appear in combination with any of the following options: ipv4. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv6 namespace. .It Fl c Ar cmd , Fl \-command Ns = Ns Ar cmd run a command and exit. @@ -878,7 +949,7 @@ commands read from the standard input. numeric host addresses. .sp Output all host addresses in dotted\-quad numeric format rather than -converting to the canonical host names. +converting to the canonical host names. .It Fl \-old\-rv Always output status line with readvar. .sp diff --git a/contrib/ntp/ntpq/ntpq.c b/contrib/ntp/ntpq/ntpq.c index 547f3cc..17c2f17 100644 --- a/contrib/ntp/ntpq/ntpq.c +++ b/contrib/ntp/ntpq/ntpq.c @@ -2,10 +2,11 @@ * ntpq - query an NTP server using mode 6 commands */ #include <config.h> -#include <stdio.h> #include <ctype.h> #include <signal.h> #include <setjmp.h> +#include <stddef.h> +#include <stdio.h> #include <sys/types.h> #include <sys/time.h> #ifdef HAVE_UNISTD_H @@ -34,7 +35,15 @@ #include "openssl/evp.h" #include "openssl/objects.h" #include "openssl/err.h" +#ifdef SYS_WINNT +# include "openssl/opensslv.h" +# if !defined(HAVE_EVP_MD_DO_ALL_SORTED) && OPENSSL_VERSION_NUMBER > 0x10000000L +# define HAVE_EVP_MD_DO_ALL_SORTED 1 +# endif +#endif #include "libssl_compat.h" + +#define CMAC "AES128CMAC" #endif #include <ssl_applink.c> @@ -189,7 +198,7 @@ static int getarg (const char *, int, arg_v *); static int findcmd (const char *, struct xcmd *, struct xcmd *, struct xcmd **); static int rtdatetolfp (char *, l_fp *); -static int decodearr (char *, int *, l_fp *); +static int decodearr (char *, int *, l_fp *, int); static void help (struct parse *, FILE *); static int helpsort (const void *, const void *); static void printusage (struct xcmd *, FILE *); @@ -227,12 +236,23 @@ static void on_ctrlc (void); static int my_easprintf (char**, const char *, ...) NTP_PRINTF(2, 3); void ntpq_custom_opt_handler (tOptions *, tOptDesc *); +/* read a character from memory and expand to integer */ +static inline int +pgetc( + const char *cp + ) +{ + return (int)*(const unsigned char*)cp; +} + + #ifdef OPENSSL # ifdef HAVE_EVP_MD_DO_ALL_SORTED static void list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg ); # endif #endif +static char *insert_cmac(char *list); static char *list_digest_names(void); /* @@ -450,6 +470,7 @@ main( } #endif + #ifndef BUILD_AS_LIB int ntpqmain( @@ -484,14 +505,16 @@ ntpqmain( char *msg; list = list_digest_names(); - for (icmd = 0; icmd < sizeof(builtins)/sizeof(builtins[0]); icmd++) { - if (strcmp("keytype", builtins[icmd].keyword) == 0) + + for (icmd = 0; icmd < sizeof(builtins)/sizeof(*builtins); icmd++) { + if (strcmp("keytype", builtins[icmd].keyword) == 0) { break; + } } /* CID: 1295478 */ /* This should only "trip" if "keytype" is removed from builtins */ - INSIST(icmd < sizeof(builtins)/sizeof(builtins[0])); + INSIST(icmd < sizeof(builtins)/sizeof(*builtins)); #ifdef OPENSSL builtins[icmd].desc[0] = "digest-name"; @@ -584,9 +607,15 @@ ntpqmain( getcmds(); } else { for (ihost = 0; ihost < numhosts; ihost++) { - if (openhost(chosts[ihost].name, chosts[ihost].fam)) - for (icmd = 0; icmd < numcmds; icmd++) + if (openhost(chosts[ihost].name, chosts[ihost].fam)) { + if (ihost) + fputc('\n', current_output); + for (icmd = 0; icmd < numcmds; icmd++) { + if (icmd) + fputc('\n', current_output); docmd(ccmds[icmd]); + } + } } } #ifdef SYS_WINNT @@ -719,7 +748,7 @@ openhost( int err; err = setsockopt(INVALID_SOCKET, SOL_SOCKET, SO_OPENTYPE, - (char *)&optionValue, sizeof(optionValue)); + (void *)&optionValue, sizeof(optionValue)); if (err) { mfprintf(stderr, "setsockopt(SO_SYNCHRONOUS_NONALERT)" @@ -743,7 +772,7 @@ openhost( # ifdef SO_RCVBUF { int rbufsize = DATASIZE + 2048; /* 2K for slop */ if (setsockopt(sockfd, SOL_SOCKET, SO_RCVBUF, - &rbufsize, sizeof(int)) == -1) + (void *)&rbufsize, sizeof(int)) == -1) error("setsockopt"); } # endif @@ -2014,7 +2043,7 @@ rtdatetolfp( * d[d]-Mth-y[y[y[y]]] hh:mm:ss */ cp = str; - if (!isdigit((int)*cp)) { + if (!isdigit(pgetc(cp))) { if (*cp == '-') { /* * Catch special case @@ -2026,7 +2055,7 @@ rtdatetolfp( } cal.monthday = (u_char) (*cp++ - '0'); /* ascii dependent */ - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.monthday = (u_char)((cal.monthday << 3) + (cal.monthday << 1)); cal.monthday = (u_char)(cal.monthday + *cp++ - '0'); } @@ -2048,18 +2077,18 @@ rtdatetolfp( if (*cp++ != '-') return 0; - if (!isdigit((int)*cp)) + if (!isdigit(pgetc(cp))) return 0; cal.year = (u_short)(*cp++ - '0'); - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.year = (u_short)((cal.year << 3) + (cal.year << 1)); cal.year = (u_short)(*cp++ - '0'); } - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.year = (u_short)((cal.year << 3) + (cal.year << 1)); cal.year = (u_short)(cal.year + *cp++ - '0'); } - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.year = (u_short)((cal.year << 3) + (cal.year << 1)); cal.year = (u_short)(cal.year + *cp++ - '0'); } @@ -2072,26 +2101,26 @@ rtdatetolfp( return 1; } - if (*cp++ != ' ' || !isdigit((int)*cp)) + if (*cp++ != ' ' || !isdigit(pgetc(cp))) return 0; cal.hour = (u_char)(*cp++ - '0'); - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.hour = (u_char)((cal.hour << 3) + (cal.hour << 1)); cal.hour = (u_char)(cal.hour + *cp++ - '0'); } - if (*cp++ != ':' || !isdigit((int)*cp)) + if (*cp++ != ':' || !isdigit(pgetc(cp))) return 0; cal.minute = (u_char)(*cp++ - '0'); - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.minute = (u_char)((cal.minute << 3) + (cal.minute << 1)); cal.minute = (u_char)(cal.minute + *cp++ - '0'); } - if (*cp++ != ':' || !isdigit((int)*cp)) + if (*cp++ != ':' || !isdigit(pgetc(cp))) return 0; cal.second = (u_char)(*cp++ - '0'); - if (isdigit((int)*cp)) { + if (isdigit(pgetc(cp))) { cal.second = (u_char)((cal.second << 3) + (cal.second << 1)); cal.second = (u_char)(cal.second + *cp++ - '0'); } @@ -2215,34 +2244,36 @@ decodeuint( */ static int decodearr( - char *str, - int *narr, - l_fp *lfparr + char *cp, + int *narr, + l_fp *lfpa, + int amax ) { - register char *cp, *bp; - register l_fp *lfp; + char *bp; char buf[60]; - lfp = lfparr; - cp = str; *narr = 0; - while (*narr < 8) { - while (isspace((int)*cp)) - cp++; - if (*cp == '\0') - break; - - bp = buf; - while (!isspace((int)*cp) && *cp != '\0') - *bp++ = *cp++; - *bp++ = '\0'; + while (*narr < amax && *cp) { + if (isspace(pgetc(cp))) { + do + ++cp; + while (*cp && isspace(pgetc(cp))); + } else { + bp = buf; + do { + if (bp != (buf + sizeof(buf) - 1)) + *bp++ = *cp; + ++cp; + } while (*cp && !isspace(pgetc(cp))); + *bp = '\0'; - if (!decodetime(buf, lfp)) - return 0; - (*narr)++; - lfp++; + if (!decodetime(buf, lfpa)) + return 0; + ++(*narr); + ++lfpa; + } } return 1; } @@ -3049,7 +3080,7 @@ nextvar( /* * Space past commas and white space */ - while (cp < cpend && (*cp == ',' || isspace((int)*cp))) + while (cp < cpend && (*cp == ',' || isspace(pgetc(cp)))) cp++; if (cp >= cpend) return 0; @@ -3061,7 +3092,7 @@ nextvar( srclen = strcspn(cp, ",=\r\n"); srclen = min(srclen, (size_t)(cpend - cp)); len = srclen; - while (len > 0 && isspace((unsigned char)cp[len - 1])) + while (len > 0 && isspace(pgetc(&cp[len - 1]))) len--; if (len >= sizeof(name)) return 0; @@ -3087,7 +3118,7 @@ nextvar( * So far, so good. Copy out the value */ cp++; /* past '=' */ - while (cp < cpend && (isspace((unsigned char)*cp) && *cp != '\r' && *cp != '\n')) + while (cp < cpend && (isspace(pgetc(cp)) && *cp != '\r' && *cp != '\n')) cp++; np = cp; if ('"' == *np) { @@ -3108,7 +3139,7 @@ nextvar( /* * Trim off any trailing whitespace */ - while (len > 0 && isspace((unsigned char)value[len - 1])) + while (len > 0 && isspace(pgetc(&value[len - 1]))) len--; value[len] = '\0'; @@ -3191,7 +3222,7 @@ rawprint( */ if (cp == (cpend - 1) || *(cp + 1) != '\n') makeascii(1, cp, fp); - } else if (isspace((unsigned char)*cp) || isprint((unsigned char)*cp)) + } else if (isspace(pgetc(cp)) || isprint(pgetc(cp))) putc(*cp, fp); else makeascii(1, cp, fp); @@ -3399,7 +3430,7 @@ cookedprint( break; case TS: - if (!decodets(value, &lfp)) + if (!value || !decodets(value, &lfp)) output_raw = '?'; else output(fp, name, prettydate(&lfp)); @@ -3407,7 +3438,7 @@ cookedprint( case HA: /* fallthru */ case NA: - if (!decodenetnum(value, &hval)) { + if (!value || !decodenetnum(value, &hval)) { output_raw = '?'; } else if (fmt == HA){ output(fp, name, nntohost(&hval)); @@ -3417,7 +3448,9 @@ cookedprint( break; case RF: - if (decodenetnum(value, &hval)) { + if (!value) { + output_raw = '?'; + } else if (decodenetnum(value, &hval)) { if (ISREFCLOCKADR(&hval)) output(fp, name, refnumtoa(&hval)); @@ -3431,7 +3464,7 @@ cookedprint( break; case LP: - if (!decodeuint(value, &uval) || uval > 3) { + if (!value || !decodeuint(value, &uval) || uval > 3) { output_raw = '?'; } else { b[0] = (0x2 & uval) @@ -3446,7 +3479,7 @@ cookedprint( break; case OC: - if (!decodeuint(value, &uval)) { + if (!value || !decodeuint(value, &uval)) { output_raw = '?'; } else { snprintf(b, sizeof(b), "%03lo", uval); @@ -3455,14 +3488,14 @@ cookedprint( break; case AR: - if (!decodearr(value, &narr, lfparr)) + if (!value || !decodearr(value, &narr, lfparr, 8)) output_raw = '?'; else outputarr(fp, name, narr, lfparr); break; case FX: - if (!decodeuint(value, &uval)) + if (!value || !decodeuint(value, &uval)) output_raw = '?'; else output(fp, name, tstflags(uval)); @@ -3584,81 +3617,205 @@ ntpq_custom_opt_handler( * Obtain list of digest names */ +#if defined(OPENSSL) && !defined(HAVE_EVP_MD_DO_ALL_SORTED) +# if defined(_MSC_VER) && OPENSSL_VERSION_NUMBER >= 0x10100000L +# define HAVE_EVP_MD_DO_ALL_SORTED +# endif +#endif + #ifdef OPENSSL # ifdef HAVE_EVP_MD_DO_ALL_SORTED +# define K_PER_LINE 8 +# define K_NL_PFX_STR "\n " +# define K_DELIM_STR ", " + struct hstate { char *list; const char **seen; int idx; }; -#define K_PER_LINE 8 -#define K_NL_PFX_STR "\n " -#define K_DELIM_STR ", " -static void list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg ) + + +static void +list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg) { - size_t len, n; - const char *name, *cp, **seen; + size_t len, n, digest_len; + const char *name, **seen; struct hstate *hstate = arg; - EVP_MD_CTX *ctx; - u_int digest_len; - u_char digest[EVP_MAX_MD_SIZE]; + char *cp; - if (!m) + /* m is MD obj, from is name or alias, to is base name for alias */ + if (!m || !from || to) { return; /* Ignore aliases */ + } + + /* Discard MACs that NTP won't accept. */ + /* Keep this consistent with keytype_from_text() in ssl_init.c. */ + if (EVP_MD_size(m) > (MAX_MAC_LEN - sizeof(keyid_t))) { + return; + } name = EVP_MD_name(m); /* Lowercase names aren't accepted by keytype_from_text in ssl_init.c */ - for( cp = name; *cp; cp++ ) { - if( islower((unsigned char)*cp) ) + for (cp = name; *cp; cp++) { + if (islower((unsigned char)*cp)) { return; + } } + len = (cp - name) + 1; /* There are duplicates. Discard if name has been seen. */ - for (seen = hstate->seen; *seen; seen++) - if (!strcmp(*seen, name)) + for (seen = hstate->seen; *seen; seen++) { + if (!strcmp(*seen, name)) { return; + } + } + n = (seen - hstate->seen) + 2; hstate->seen = erealloc(hstate->seen, n * sizeof(*seen)); hstate->seen[n-2] = name; hstate->seen[n-1] = NULL; - /* Discard MACs that NTP won't accept. - * Keep this consistent with keytype_from_text() in ssl_init.c. - */ - - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_get_digestbyname(name)); - EVP_DigestFinal(ctx, digest, &digest_len); - EVP_MD_CTX_free(ctx); - if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t))) - return; - - if (hstate->list != NULL) + if (hstate->list != NULL) { len += strlen(hstate->list); - len += (hstate->idx >= K_PER_LINE)? strlen(K_NL_PFX_STR): strlen(K_DELIM_STR); + } + + len += (hstate->idx >= K_PER_LINE) + ? strlen(K_NL_PFX_STR) + : strlen(K_DELIM_STR); if (hstate->list == NULL) { - hstate->list = (char *)emalloc(len); + hstate->list = (char *)emalloc(len); hstate->list[0] = '\0'; - } else + } else { hstate->list = (char *)erealloc(hstate->list, len); + } sprintf(hstate->list + strlen(hstate->list), "%s%s", - ((hstate->idx >= K_PER_LINE)? K_NL_PFX_STR : K_DELIM_STR), + ((hstate->idx >= K_PER_LINE) ? K_NL_PFX_STR : K_DELIM_STR), name); - if (hstate->idx >= K_PER_LINE) + + if (hstate->idx >= K_PER_LINE) { hstate->idx = 1; - else + } else { hstate->idx++; + } +} + + +/* Insert CMAC into SSL digests list */ +static char * +insert_cmac(char *list) +{ + int insert; + size_t len; + + + /* If list empty, we need to insert CMAC on new line */ + insert = (!list || !*list); + + if (insert) { + len = strlen(K_NL_PFX_STR) + strlen(CMAC); + list = (char *)erealloc(list, len + 1); + sprintf(list, "%s%s", K_NL_PFX_STR, CMAC); + } else { /* List not empty */ + /* Check if CMAC already in list - future proofing */ + const char *cmac_sn; + char *cmac_p; + + cmac_sn = OBJ_nid2sn(NID_cmac); + cmac_p = list; + insert = cmac_sn != NULL && *cmac_sn != '\0'; + + /* CMAC in list if found, followed by nul char or ',' */ + while (insert && NULL != (cmac_p = strstr(cmac_p, cmac_sn))) { + cmac_p += strlen(cmac_sn); + /* Still need to insert if not nul and not ',' */ + insert = *cmac_p && ',' != *cmac_p; + } + + /* Find proper insertion point */ + if (insert) { + char *last_nl; + char *point; + char *delim; + int found; + + /* Default to start if list empty */ + found = 0; + delim = list; + len = strlen(list); + + /* While new lines */ + while (delim < list + len && *delim && + !strncmp(K_NL_PFX_STR, delim, strlen(K_NL_PFX_STR))) { + point = delim + strlen(K_NL_PFX_STR); + + /* While digest names on line */ + while (point < list + len && *point) { + /* Another digest after on same or next line? */ + delim = strstr( point, K_DELIM_STR); + last_nl = strstr( point, K_NL_PFX_STR); + + /* No - end of list */ + if (!delim && !last_nl) { + delim = list + len; + } else + /* New line and no delim or before delim? */ + if (last_nl && (!delim || last_nl < delim)) { + delim = last_nl; + } + + /* Found insertion point where CMAC before entry? */ + if (strncmp(CMAC, point, delim - point) < 0) { + found = 1; + break; + } + + if (delim < list + len && *delim && + !strncmp(K_DELIM_STR, delim, strlen(K_DELIM_STR))) { + point += strlen(K_DELIM_STR); + } else { + break; + } + } /* While digest names on line */ + } /* While new lines */ + + /* If found in list */ + if (found) { + /* insert cmac and delim */ + /* Space for list could move - save offset */ + ptrdiff_t p_offset = point - list; + len += strlen(CMAC) + strlen(K_DELIM_STR); + list = (char *)erealloc(list, len + 1); + point = list + p_offset; + /* move to handle src/dest overlap */ + memmove(point + strlen(CMAC) + strlen(K_DELIM_STR), + point, strlen(point) + 1); + strncpy(point, CMAC, strlen(CMAC)); + strncpy(point + strlen(CMAC), K_DELIM_STR, strlen(K_DELIM_STR)); + } else { /* End of list */ + /* append delim and cmac */ + len += strlen(K_DELIM_STR) + strlen(CMAC); + list = (char *)erealloc(list, len + 1); + strcpy(list + strlen(list), K_DELIM_STR); + strcpy(list + strlen(list), CMAC); + } + } /* insert */ + } /* List not empty */ + + return list; } # endif #endif -static char *list_digest_names(void) + +static char * +list_digest_names(void) { char *list = NULL; @@ -3666,12 +3823,16 @@ static char *list_digest_names(void) # ifdef HAVE_EVP_MD_DO_ALL_SORTED struct hstate hstate = { NULL, NULL, K_PER_LINE+1 }; - hstate.seen = (const char **) emalloc_zero(1*sizeof( const char * )); // replaces -> calloc(1, sizeof( const char * )); + /* replace calloc(1, sizeof(const char *)) */ + hstate.seen = (const char **)emalloc_zero(sizeof(const char *)); INIT_SSL(); EVP_MD_do_all_sorted(list_md_fn, &hstate); list = hstate.list; free(hstate.seen); + + list = insert_cmac(list); /* Insert CMAC into SSL digests list */ + # else list = (char *)emalloc(sizeof("md5, others (upgrade to OpenSSL-1.0 for full list)")); strcpy(list, "md5, others (upgrade to OpenSSL-1.0 for full list)"); diff --git a/contrib/ntp/ntpq/ntpq.html b/contrib/ntp/ntpq/ntpq.html index d8f6dd6..55aafc8 100644 --- a/contrib/ntp/ntpq/ntpq.html +++ b/contrib/ntp/ntpq/ntpq.html @@ -44,7 +44,7 @@ monitor the operational status and determine the performance of <code>ntpd</code>, the NTP daemon. - <p>This document applies to version 4.2.8p10 of <code>ntpq</code>. + <p>This document applies to version 4.2.8p11 of <code>ntpq</code>. <ul class="menu"> <li><a accesskey="1" href="#ntpq-Description">ntpq Description</a> @@ -97,13 +97,9 @@ The description on this page is for the NTPv4 variables. <p>The <code>ntpq</code> -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -147,6 +143,16 @@ one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. + <p>Note that in contexts where a host name is expected, a +<code>-4</code> +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +<code>-6</code> +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +NTP Debugging Techniques +page. + <p>Specifying a command line option other than <code>-i</code> @@ -171,35 +177,30 @@ uniquely identify the command need be typed. number of interactive format commands are executed entirely within the <code>ntpq</code> -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. <dl> -<dt><code>?</code> <code>[</code><kbd>command_keyword</kbd><code>]</code><br><dt><code>help</code> <code>[</code><kbd>command_keyword</kbd><code>]</code><dd>A +<dt><code>?</code> <code>[</code><kbd>command</kbd><code>]</code><br><dt><code>help</code> <code>[</code><kbd>command</kbd><code>]</code><dd>A ? -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to <code>ntpq</code> A ? -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -<code>ntpq</code> -than this manual -page. -<br><dt><code>addvars</code> <kbd>variable_name</kbd><code>[=value]</code> <code>...</code><br><dt><code>rmvars</code> <kbd>variable_name</kbd> <code>...</code><br><dt><code>clearvars</code><br><dt><code>showvars</code><dd>The data carried by NTP mode 6 messages consists of a list of +<br><dt><code>addvars</code> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code><code>[,...]</code><br><dt><code>rmvars</code> <kbd>name</kbd><code>[,...]</code><br><dt><code>clearvars</code><br><dt><code>showvars</code><dd>The arguments to this command consist of a list of items of the form -variable_name=value, +<kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code>, where the -=value +.No = Ns Ar value is ignored, and can be omitted, in requests to the server to read variables. The <code>ntpq</code> -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the <code>readlist</code> and <code>writelist</code> @@ -214,34 +215,30 @@ The <code>rmvars</code> command can be used to remove individual variables from the list, while the -<code>clearlist</code> +<code>clearvars</code> command removes all variables from the list. The <code>showvars</code> command displays the current list of optional variables. -<br><dt><code>authenticate</code> <code>[yes | no]</code><dd>Normally +<br><dt><code>authenticate</code> <code>[yes|no]</code><dd>Normally <code>ntpq</code> does not authenticate requests unless they are write requests. The command -authenticate yes +<code>authenticate</code> <code>yes</code> causes <code>ntpq</code> to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -<code>peer</code> -display. +requests slightly differently. The command -authenticate +<code>authenticate</code> causes <code>ntpq</code> to display whether or not -<code>ntpq</code> -is currently autheinticating requests. +it is currently authenticating requests. <br><dt><code>cooked</code><dd>Causes output from query commands to be "cooked", so that variables which are recognized by <code>ntpq</code> @@ -249,12 +246,12 @@ will have their values reformatted for human consumption. Variables which <code>ntpq</code> -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing ?. -<br><dt><code>debug</code> <code>[more | less | off]</code><dd>With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. -<br><dt><code>delay</code> <kbd>milliseconds</kbd><dd>Specify a time interval to be added to timestamps included in +<br><dt><code>debug</code> <code>[more|less|off]</code><dd>With no argument, displays the current debug level. +Otherwise, the debugging level is changed as indicated. +<br><dt><code>delay</code> <code>[</code><kbd>milliseconds</kbd><code>]</code><dd>Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable (unreliable) server reconfiguration over long delay network paths @@ -262,12 +259,18 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +<br><dt><code>drefid</code> <code>[hash|ipv4]</code><dd>Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. <br><dt><code>exit</code><dd>Exit <code>ntpq</code> -<br><dt><code>host</code> <kbd>hostname</kbd><dd>Set the host to which future queries will be sent. -<kbd>hostname</kbd> +<br><dt><code>host</code> <code>[</code><kbd>name</kbd><code>]</code><dd>Set the host to which future queries will be sent. +The +<kbd>name</kbd> may be either a host name or a numeric address. -<br><dt><code>hostnames</code> <code>[yes | no]</code><dd>If +Without any arguments, displays the current host. +<br><dt><code>hostnames</code> <code>[yes|no]</code><dd>If <code>yes</code> is specified, host names are printed in information displays. @@ -281,24 +284,28 @@ unless modified using the command line <code>-n</code> switch. -<br><dt><code>keyid</code> <kbd>keyid</kbd><dd>This command allows the specification of a key number to be +Without any arguments, displays whether host names or numeric addresses +are shown. +<br><dt><code>keyid</code> <code>[</code><kbd>keyid</kbd><code>]</code><dd>This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond to the <code>controlkey</code> key number the server has been configured to use for this purpose. -<br><dt><code>keytype</code> <code>[md5 | OpenSSLDigestType]</code><dd>Specify the type of key to use for authenticating requests. -<code>md5</code> -is alway supported. +Without any arguments, displays the current +<kbd>keyid</kbd>. +<br><dt><code>keytype</code> <code>[</code><kbd>digest</kbd><code>]</code><dd>Specify the digest algorithm to use for authenticating requests, with default +<code>MD5</code>. If <code>ntpq</code> -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +<kbd>digest</kbd> +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -<code>keytype</code> -is displayed. -<br><dt><code>ntpversion</code> <code>[1 | 2 | 3 | 4]</code><dd>Sets the NTP version number which +<code>keytype</code> <kbd>digest</kbd> +algorithm used is displayed. +<br><dt><code>ntpversion</code> <code>[1|2|3|4]</code><dd>Sets the NTP version number which <code>ntpq</code> claims in packets. @@ -314,9 +321,10 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -<code>poll</code> +<br><dt><code>poll</code> <code>[</code><kbd>n</kbd><code>]</code> <code>[verbose]</code><dd>Poll an NTP server in client mode <kbd>n</kbd> -<code>verbose</code> +times. +Poll not implemented yet. <br><dt><code>quit</code><dd>Exit <code>ntpq</code> <br><dt><code>raw</code><dd>Causes all output from query commands is printed as received @@ -324,23 +332,27 @@ from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. -<br><dt><code>timeout</code> <kbd>milliseconds</kbd><dd>Specify a timeout period for responses to server queries. +<br><dt><code>timeout</code> <code>[</code><kbd>milliseconds</kbd><code>]</code><dd>Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since <code>ntpq</code> retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. -<br><dt><code>version</code><dd>Print the version of the +<br><dt><code>version</code><dd>Display the version of the <code>ntpq</code> program. </dl> <h5 class="subsubsection">Control Message Commands</h5> -<p>Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode-6 message to the server and expect a single response message. +<p>Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the <code>peers</code> command, which sends a series of messages, @@ -350,38 +362,87 @@ and <code>mreadvar</code> commands, which iterate over a range of associations. <dl> -<dt><code>associations</code><dd>Display a list of mobilized associations in the form: +<dt><code>apeers</code><dd>Display a list of peers in the form: + <pre class="example"> [tally]remote refid assid st t when pool reach delay offset jitter + </pre> + <p>where the output is just like the +<code>peers</code> +command except that the +<code>refid</code> +is displayed in hex format and the association number is also displayed. +<br><dt><code>associations</code><dd>Display a list of mobilized associations in the form: <pre class="example"> ind assid status conf reach auth condition last_event cnt </pre> <dl> -<dt>Sy String Ta Sy Description<br><dt><code>ind</code> <code>Ta</code> <code>index</code> <code>on</code> <code>this</code> <code>list</code><br><dt><code>assid</code> <code>Ta</code> <code>association</code> <code>ID</code><br><dt><code>status</code> <code>Ta</code> <code>peer</code> <code>status</code> <code>word</code><br><dt><code>conf</code> <code>Ta</code> <code>yes</code>: <code>persistent,</code> <code>no</code>: <code>ephemeral</code><br><dt><code>reach</code> <code>Ta</code> <code>yes</code>: <code>reachable,</code> <code>no</code>: <code>unreachable</code><br><dt><code>auth</code> <code>Ta</code> <code>ok</code>, <code>yes</code>, <code>bad</code> <code>and</code> <code>none</code><br><dt><code>condition</code> <code>Ta</code> <code>selection</code> <code>status</code> <code>(see</code> <code>the</code> <code>select</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>last_event</code> <code>Ta</code> <code>event</code> <code>report</code> <code>(see</code> <code>the</code> <code>event</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>cnt</code> <code>Ta</code> <code>event</code> <code>count</code> <code>(see</code> <code>the</code> <code>count</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><dd></dl> - <br><dt><code>authinfo</code><dd>Display the authentication statistics. -<br><dt><code>clockvar</code> <kbd>assocID</kbd> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code> <code>[...]</code><br><dt><code>cv</code> <kbd>assocID</kbd> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code> <code>[...]</code><dd>Display a list of clock variables for those associations supporting a reference clock. -<br><dt><code>:config</code> <code>[...]</code><dd>Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -<br><dt><code>config-from-file</code> <kbd>filename</kbd><dd>Send the each line of +<dt>Sy Variable Ta Sy Description<br><dt><code>ind</code> <code>Ta</code> <code>index</code> <code>on</code> <code>this</code> <code>list</code><br><dt><code>assid</code> <code>Ta</code> <code>association</code> <code>id</code><br><dt><code>status</code> <code>Ta</code> <code>peer</code> <code>status</code> <code>word</code><br><dt><code>conf</code> <code>Ta</code> <code>yes</code>: <code>No</code> <code>persistent,</code> <code>no</code>: <code>No</code> <code>ephemeral</code><br><dt><code>reach</code> <code>Ta</code> <code>yes</code>: <code>No</code> <code>reachable,</code> <code>no</code>: <code>No</code> <code>unreachable</code><br><dt><code>auth</code> <code>Ta</code> <code>ok</code>, <code>yes</code>, <code>bad</code> <code>No</code> <code>and</code> <code>none</code><br><dt><code>condition</code> <code>Ta</code> <code>selection</code> <code>status</code> <code>(see</code> <code>the</code> <code>select</code> <code>No</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>last_event</code> <code>Ta</code> <code>event</code> <code>report</code> <code>(see</code> <code>the</code> <code>event</code> <code>No</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>cnt</code> <code>Ta</code> <code>event</code> <code>count</code> <code>(see</code> <code>the</code> <code>count</code> <code>No</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><dd></dl> + <br><dt><code>authinfo</code><dd>Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +<br><dt><code>clocklist</code> <code>[</code><kbd>associd</kbd><code>]</code><br><dt><code>cl</code> <code>[</code><kbd>associd</kbd><code>]</code><dd>Display all clock variables in the variable list for those associations +supporting a reference clock. +<br><dt><code>clockvar</code> <code>[</code><kbd>associd</kbd><code>]</code> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code><code>[,...]</code><br><dt><code>cv</code> <code>[</code><kbd>associd</kbd><code>]</code> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code><code>[,...]</code><dd>Display a list of clock variables for those associations supporting a +reference clock. +<br><dt><code>:config</code> <kbd>configuration command line</kbd><dd>Send the remainder of the command line, including whitespace, to the +server as a run-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. +<br><dt><code>config-from-file</code> <kbd>filename</kbd><dd>Send each line of <kbd>filename</kbd> -to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. -<br><dt><code>ifstats</code><dd>Display statistics for each local network address. Authentication is required. -<br><dt><code>iostats</code><dd>Display network and reference clock I/O statistics. -<br><dt><code>kerninfo</code><dd>Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. -<br><dt><code>lassociations</code><dd>Perform the same function as the associations command, except display mobilized and unmobilized associations. -<br><dt><code>lopeers</code> <code>[-4 | -6]</code><dd>Obtain and print a list of all peers and clients showing -<kbd>dstadr</kbd> -(associated with any given IP version). -<br><dt><code>lpeers</code> <code>[-4 | -6]</code><dd>Print a peer spreadsheet for the appropriate IP version(s). -<kbd>dstadr</kbd> -(associated with any given IP version). -<br><dt><code>monstats</code><dd>Display monitor facility statistics. -<br><dt><code>mrulist</code> <code>[limited | kod | mincount=</code><kbd>count</kbd><code> | laddr=</code><kbd>localaddr</kbd><code> | sort=</code><kbd>sortorder</kbd><code> | resany=</code><kbd>hexmask</kbd><code> | resall=</code><kbd>hexmask</kbd><code>]</code><dd>Obtain and print traffic counts collected and maintained by the monitor facility. +to the server as run-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. +<br><dt><code>ifstats</code><dd>Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. +<br><dt><code>iostats</code><dd>Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. +<br><dt><code>kerninfo</code><dd>Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. +<br><dt><code>lassociations</code><dd>Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. +<br><dt><code>lopeers</code> <code>[-4|-6]</code><dd>Display a list of all peers and clients showing +<code>dstadr</code> +(associated with the given IP version). +<br><dt><code>lpassociations</code><dd>Display the last obtained list of associations, including all clients. +<br><dt><code>lpeers</code> <code>[-4|-6]</code><dd>Display a list of all peers and clients (associated with the given IP version). +<br><dt><code>monstats</code><dd>Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +<br><dt><code>mreadlist</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd><br><dt><code>mrl</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd><dd>Perform the same function as the +<code>readlist</code> +command for a range of association ids. +<br><dt><code>mreadvar</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd> <code>[</code><kbd>name</kbd><code>]</code><code>[,...]</code><dd>This range may be determined from the list displayed by any +command showing associations. +<br><dt><code>mrv</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd> <code>[</code><kbd>name</kbd><code>]</code><code>[,...]</code><dd>Perform the same function as the +<code>readvar</code> +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +<br><dt><code>mrulist</code> <code>[limited | kod | mincount=</code><kbd>count</kbd><code> | laddr=</code><kbd>localaddr</kbd><code> | sort=[-]</code><kbd>sortorder</kbd><code> | resany=</code><kbd>hexmask</kbd><code> | resall=</code><kbd>hexmask</kbd><code>]</code><dd>Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -<code>sort</code>=<kbd>sortorder</kbd>, +<code>sort</code>=<code>[-]</code><kbd>sortorder</kbd>, the options filter the list returned by -<code>ntpd.</code> +<code>ntpd(8)</code>. The <code>limited</code> and <code>kod</code> -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The <code>mincount</code>=<kbd>count</kbd> option filters entries representing less than @@ -402,22 +463,26 @@ The <kbd>sortorder</kbd> defaults to <code>lstint</code> -and may be any of +and may be <code>addr</code>, -<code>count</code>, <code>avgint</code>, +<code>count</code>, <code>lstint</code>, -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +- +to reverse the sort order. The output columns are: <dl> <dt>Column<dd>Description -<br><dt><code>lstint</code><dd>Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +<br><dt><code>lstint</code><dd>Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by <code>ntpq</code> <br><dt><code>avgint</code><dd>Average interval in s between packets from this address. <br><dt><code>rstr</code><dd>Restriction flags associated with this address. Most are copied unchanged from the matching <code>restrict</code> -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. <br><dt><code>r</code><dd>Rate control indicator, either a period, <code>L</code> @@ -429,20 +494,14 @@ rate limiting by discarding, or rate limiting with a KoD response, respectively. <br><dt><code>v</code><dd>Packet version number. <br><dt><code>count</code><dd>Packets received from this address. <br><dt><code>rport</code><dd>Source port of last packet from this address. -<br><dt><code>remote</code> <code>address</code><dd>DNS name, numeric address, or address followed by +<br><dt><code>remote</code> <code>address</code><dd>host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. </dl> - <br><dt><code>mreadvar</code> <code>assocID</code> <code>assocID</code> <code>[</code><kbd>variable_name</kbd><code>[=</code><kbd>value</kbd><code>] ...]</code><br><dt><code>mrv</code> <code>assocID</code> <code>assocID</code> <code>[</code><kbd>variable_name</kbd><code>[=</code><kbd>value</kbd><code>] ...]</code><dd>Perform the same function as the -<code>readvar</code> -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -<code>associations</code> -command. -<br><dt><code>opeers</code> <code>[-4 | -6]</code><dd>Obtain and print the old-style list of all peers and clients showing -<kbd>dstadr</kbd> -(associated with any given IP version), + <br><dt><code>opeers</code> <code>[-4 | -6]</code><dd>Obtain and print the old-style list of all peers and clients showing +<code>dstadr</code> +(associated with the given IP version), rather than the -<kbd>refid</kbd>. +<code>refid</code>. <br><dt><code>passociations</code><dd>Perform the same function as the <code>associations</code> command, @@ -457,18 +516,22 @@ except that it uses previously stored data rather than making a new query. field of the .Lk decode.html#peer "peer status word" <br><dt><code>remote</code><dd>host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +<code>ntpq</code> <code>-w</code> -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. -<br><dt><code>refid</code><dd>association ID or +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. +<br><dt><code>refid</code><dd>source IP address or .Lk decode.html#kiss "'kiss code" -<br><dt><code>st</code><dd>stratum +<br><dt><code>st</code><dd>stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks <br><dt><code>t</code><dd><code>u</code>: unicast or manycast client, <code>b</code>: broadcast or multicast client, +<code>p</code>: +pool source, <code>l</code>: local (reference clock), <code>s</code>: @@ -479,89 +542,108 @@ manycast server, broadcast server, <code>M</code>: multicast server -<br><dt><code>when</code><dd>sec/min/hr since last received packet -<br><dt><code>poll</code><dd>poll interval (log2 s) +<br><dt><code>when</code><dd>time in seconds, minutes, hours, or days since the last packet +was received, or +- +if a packet has never been received +<br><dt><code>poll</code><dd>poll interval (s) <br><dt><code>reach</code><dd>reach shift register (octal) <br><dt><code>delay</code><dd>roundtrip delay <br><dt><code>offset</code><dd>offset of server relative to this host -<br><dt><code>jitter</code><dd>jitter +<br><dt><code>jitter</code><dd>offset RMS error estimate. </dl> - <br><dt><code>apeers</code><dd>Display a list of peers in the form: - <pre class="example"> [tally]remote refid assid st t when pool reach delay offset jitter - </pre> - <p>where the output is just like the -<code>peers</code> -command except that the -<code>refid</code> -is displayed in hex format and the association number is also displayed. -<br><dt><code>pstats</code> <kbd>assocID</kbd><dd>Show the statistics for the peer with the given -<kbd>assocID</kbd>. -<br><dt><code>readlist</code> <kbd>assocID</kbd><br><dt><code>rl</code> <kbd>assocID</kbd><dd>Read the system or peer variables included in the variable list. -<br><dt><code>readvar</code> <kbd>assocID</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code> <code>[, ...]</code><br><dt><code>rv</code> <kbd>assocID</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code> <code>[, ...]</code><dd>Display the specified variables. + <br><dt><code>pstats</code> <kbd>associd</kbd><dd>Display the statistics for the peer with the given +<kbd>associd</kbd>: +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. +<br><dt><code>readlist</code> <code>[</code><kbd>associd</kbd><code>]</code><br><dt><code>rl</code> <code>[</code><kbd>associd</kbd><code>]</code><dd>Display all system or peer variables. +If the +<kbd>associd</kbd> +is omitted, it is assumed to be zero. +<br><dt><code>readvar</code> <code>[</code><kbd>associd</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>] [, ...]]</code><br><dt><code>rv</code> <code>[</code><kbd>associd</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>] [, ...]]</code><dd>Display the specified system or peer variables. If -<kbd>assocID</kbd> +<kbd>associd</kbd> is zero, the variables are from the <a href="#System-Variables">System Variables</a> name space, otherwise they are from the <a href="#Peer-Variables">Peer Variables</a> name space. The -<kbd>assocID</kbd> +<kbd>associd</kbd> is required, as the same name can occur in both spaces. If no <kbd>name</kbd> -is included, all operative variables in the name space are displayed. - - <p>In this case only, if the -<kbd>assocID</kbd> -is omitted, it is assumed zero. +is included, all operative variables in the name space are displayed. +In this case only, if the +<kbd>associd</kbd> +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. -<br><dt><code>reslist</code><dd>Show the access control (restrict) list for +<kbd>YYYY</kbd><kbd>MM</kbd> <kbd>DD</kbd> <kbd>TTTT</kbd>, +where +<kbd>YYYY</kbd> +is the year, +<kbd>MM</kbd> +the month of year, +<kbd>DD</kbd> +the day of month and +<kbd>TTTT</kbd> +the time of day. +<br><dt><code>reslist</code><dd>Display the access control (restrict) list for <code>ntpq</code> - - <br><dt><code>saveconfig</code> <kbd>filename</kbd><dd>Write the current configuration, -including any runtime modifications given with +Authentication is required. +<br><dt><code>saveconfig</code> <kbd>filename</kbd><dd>Save the current configuration, +including any runtime modifications made by <code>:config</code> or <code>config-from-file</code>, -to the ntpd host's file +to the NTP server host file <kbd>filename</kbd>. This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -<code>ntpd</code> +<code>ntpd(8)</code> configuration file. <kbd>filename</kbd> can use -<code>strftime()</code> -format specifies to substitute the current date and time, for example, -<code>q]saveconfig</code> <code>ntp-%Y%m%d-%H%M%S.confq]</code>. -The filename used is stored in system variable +<code>date(1)</code> +format specifiers to substitute the current date and time, for +example, + <pre class="example"> <code>saveconfig</code> <span class="file">ntp-%Y%m%d-%H%M%S.conf</span>. + </pre> + <p>The filename used is stored in system variable <code>savedconfig</code>. Authentication is required. -<br><dt><code>timerstats</code><dd>Display interval timer counters. -<br><dt><code>writelist</code> <kbd>assocID</kbd><dd>Write the system or peer variables included in the variable list. -<br><dt><code>writevar</code> <kbd>assocID</kbd> <kbd>name</kbd>=<kbd>value</kbd> <code>[, ...]</code><dd>Write the specified variables. +<br><dt><code>sysinfo</code><dd>Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +<br><dt><code>sysstats</code><dd>Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. +<br><dt><code>timerstats</code><dd>Display interval timer counters: +time since reset, timer overruns, calls to transmit. +<br><dt><code>writelist</code> <kbd>associd</kbd><dd>Set all system or peer variables included in the variable list. +<br><dt><code>writevar</code> <kbd>associd</kbd> <kbd>name</kbd>=<kbd>value</kbd> <code>[, ...]</code><dd>Set the specified variables in the variable list. If the -<kbd>assocID</kbd> +<kbd>associd</kbd> is zero, the variables are from the <a href="#System-Variables">System Variables</a> name space, otherwise they are from the <a href="#Peer-Variables">Peer Variables</a> name space. The -<kbd>assocID</kbd> +<kbd>associd</kbd> is required, as the same name can occur in both spaces. -<br><dt><code>sysinfo</code><dd>Display operational summary. -<br><dt><code>sysstats</code><dd>Print statistics counters maintained in the protocol module. +Authentication is required. </dl> <h5 class="subsubsection">Status Words and Kiss Codes</h5> @@ -570,10 +652,10 @@ is required, as the same name can occur in both spaces. in a set of status words maintained by the system. Status information is also available on a per-association basis. -These words are displayed in the -<code>rv</code> +These words are displayed by the +<code>readlist</code> and -<code>as</code> +<code>associations</code> commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -592,9 +674,10 @@ in the reference identifier field in various billboards. <h5 class="subsubsection">System Variables</h5> <p>The following system variables appear in the -<code>rv</code> +<code>readlist</code> billboard. Not all variables are displayed in some configurations. + <dl> <dt>Variable<dd>Description <br><dt><code>status</code><dd>.Lk decode.html#sys "system status word" @@ -606,16 +689,16 @@ Not all variables are displayed in some configurations. <br><dt><code>precision</code><dd>precision (log2 s) <br><dt><code>rootdelay</code><dd>total roundtrip delay to the primary reference clock <br><dt><code>rootdisp</code><dd>total dispersion to the primary reference clock -<br><dt><code>peer</code><dd>system peer association ID -<br><dt><code>tc</code><dd>time constant and poll exponent (log2 s) (3-17) -<br><dt><code>mintc</code><dd>minimum time constant (log2 s) (3-10) -<br><dt><code>clock</code><dd>date and time of day -<br><dt><code>refid</code><dd>reference ID or +<br><dt><code>refid</code><dd>reference id or .Lk decode.html#kiss "kiss code" <br><dt><code>reftime</code><dd>reference time -<br><dt><code>offset</code><dd>combined offset of server relative to this host +<br><dt><code>clock</code><dd>date and time of day +<br><dt><code>peer</code><dd>system peer association id +<br><dt><code>tc</code><dd>time constant and poll exponent (log2 s) (3-17) +<br><dt><code>mintc</code><dd>minimum time constant (log2 s) (3-10) +<br><dt><code>offset</code><dd>combined offset of server relative to this host +<br><dt><code>frequency</code><dd>frequency drift (PPM) relative to hardware clock <br><dt><code>sys_jitter</code><dd>combined system jitter -<br><dt><code>frequency</code><dd>frequency offset (PPM) relative to hardware clock <br><dt><code>clk_wander</code><dd>clock frequency wander (PPM) <br><dt><code>clk_jitter</code><dd>clock jitter <br><dt><code>tai</code><dd>TAI-UTC offset (s) @@ -630,7 +713,6 @@ the clock jitter statistic is computed by the clock discipline module. additional system variables are displayed, including some or all of the following, depending on the particular Autokey dance: - <dl> <dt>Variable<dd>Description <br><dt><code>host</code><dd>Autokey host name for this host @@ -646,13 +728,13 @@ depending on the particular Autokey dance: <h5 class="subsubsection">Peer Variables</h5> <p>The following peer variables appear in the -<code>rv</code> +<code>readlist</code> billboard for each association. Not all variables are displayed in some configurations. <dl> <dt>Variable<dd>Description -<br><dt><code>associd</code><dd>association ID +<br><dt><code>associd</code><dd>association id <br><dt><code>status</code><dd>.Lk decode.html#peer "peer status word" <br><dt><code>srcadr</code><dd>source (remote) IP address <br><dt><code>srcport</code><dd>source (remote) port @@ -663,9 +745,10 @@ Not all variables are displayed in some configurations. <br><dt><code>precision</code><dd>precision (log2 s) <br><dt><code>rootdelay</code><dd>total roundtrip delay to the primary reference clock <br><dt><code>rootdisp</code><dd>total root dispersion to the primary reference clock -<br><dt><code>refid</code><dd>reference ID or +<br><dt><code>refid</code><dd>reference id or .Lk decode.html#kiss "kiss code" <br><dt><code>reftime</code><dd>reference time +<br><dt><code>rec</code><dd>last packet received time <br><dt><code>reach</code><dd>reach register (octal) <br><dt><code>unreach</code><dd>unreach counter <br><dt><code>hmode</code><dd>host mode (1-6) @@ -675,11 +758,11 @@ Not all variables are displayed in some configurations. <br><dt><code>headway</code><dd>headway (see .Lk rate.html "Rate Management and the Kiss-o'-Death Packet" ) <br><dt><code>flash</code><dd>.Lk decode.html#flash "flash status word" +<br><dt><code>keyid</code><dd>symmetric key id <br><dt><code>offset</code><dd>filter offset <br><dt><code>delay</code><dd>filter delay <br><dt><code>dispersion</code><dd>filter dispersion <br><dt><code>jitter</code><dd>filter jitter -<br><dt><code>ident</code><dd>Autokey group name for this association <br><dt><code>bias</code><dd>unicast/broadcast bias <br><dt><code>xleave</code><dd>interleave delay (see .Lk xleave.html "NTP Interleaved Modes" ) @@ -688,7 +771,8 @@ Not all variables are displayed in some configurations. <code>bias</code> variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The <code>xleave</code> variable appears only for the interleaved symmetric and interleaved modes. @@ -703,20 +787,21 @@ additional peer variables are displayed, including the following: <br><dt><code>host</code><dd>Autokey server name <br><dt><code>flags</code><dd>peer flags (see Autokey specification) <br><dt><code>signature</code><dd>OpenSSL digest/signature scheme -<br><dt><code>initsequence</code><dd>initial key ID +<br><dt><code>initsequence</code><dd>initial key id <br><dt><code>initkey</code><dd>initial key index <br><dt><code>timestamp</code><dd>Autokey signature timestamp +<br><dt><code>ident</code><dd>Autokey group name for this association </dl> <h5 class="subsubsection">Clock Variables</h5> <p>The following clock variables appear in the -<code>cv</code> +<code>clocklist</code> billboard for each association with a reference clock. Not all variables are displayed in some configurations. <dl> <dt>Variable<dd>Description -<br><dt><code>associd</code><dd>association ID +<br><dt><code>associd</code><dd>association id <br><dt><code>status</code><dd>.Lk decode.html#clock "clock status word" <br><dt><code>device</code><dd>device description <br><dt><code>timecode</code><dd>ASCII time code string (specific to device) @@ -727,7 +812,7 @@ Not all variables are displayed in some configurations. <br><dt><code>fudgetime1</code><dd>fudge time 1 <br><dt><code>fudgetime2</code><dd>fudge time 2 <br><dt><code>stratum</code><dd>driver stratum -<br><dt><code>refid</code><dd>driver reference ID +<br><dt><code>refid</code><dd>driver reference id <br><dt><code>flags</code><dd>driver flags </dl> @@ -770,12 +855,12 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntpq - standard NTP query program - Ver. 4.2.8p10-beta +<pre class="example">ntpq - standard NTP query program - Ver. 4.2.8p10 Usage: ntpq [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...] Flg Arg Option-Name Description - -4 no ipv4 Force IPv4 DNS name resolution + -4 no ipv4 Force IPv4 name resolution - prohibits the option 'ipv6' - -6 no ipv6 Force IPv6 DNS name resolution + -6 no ipv6 Force IPv6 name resolution - prohibits the option 'ipv4' -c Str command run a command and exit - may appear multiple times @@ -826,7 +911,7 @@ Up: <a rel="up" accesskey="u" href="#ntpq-Invocation">ntpq Invocation</a> <h4 class="subsection">ipv4 option (-4)</h4> <p><a name="index-ntpq_002dipv4-4"></a> -This is the “force ipv4 dns name resolution” option. +This is the “force ipv4 name resolution” option. <p class="noindent">This option has some usage constraints. It: <ul> @@ -834,7 +919,7 @@ This is the “force ipv4 dns name resolution” option. ipv6. </ul> - <p>Force DNS resolution of following host names on the command line + <p>Force resolution of following host names on the command line to the IPv4 namespace. <div class="node"> <p><hr> @@ -847,7 +932,7 @@ Up: <a rel="up" accesskey="u" href="#ntpq-Invocation">ntpq Invocation</a> <h4 class="subsection">ipv6 option (-6)</h4> <p><a name="index-ntpq_002dipv6-5"></a> -This is the “force ipv6 dns name resolution” option. +This is the “force ipv6 name resolution” option. <p class="noindent">This option has some usage constraints. It: <ul> @@ -855,7 +940,7 @@ This is the “force ipv6 dns name resolution” option. ipv4. </ul> - <p>Force DNS resolution of following host names on the command line + <p>Force resolution of following host names on the command line to the IPv6 namespace. <div class="node"> <p><hr> @@ -1185,7 +1270,7 @@ This must correspond to a key ID configured in <code>ntp.conf</code> for this pu with default <code>MD5</code>. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. -The current selections are: <code>MD2</code>, <code>MD4</code>, <code>MD5</code>, <code>MDC2</code>, <code>RIPEMD160</code>, <code>SHA</code> and <code>SHA1</code>. +The current selections are: <code>AES128CMAC</code>, <code>MD2</code>, <code>MD4</code>, <code>MD5</code>, <code>MDC2</code>, <code>RIPEMD160</code>, <code>SHA</code> and <code>SHA1</code>. <br><dt><code><a name="ntpversion"></a> ntpversion 1 | 2 | 3 | 4</code><dd>Sets the NTP version number which <code>ntpq</code> claims in packets. Defaults to 2. diff --git a/contrib/ntp/ntpq/ntpq.man.in b/contrib/ntp/ntpq/ntpq.man.in index 60c62a7..d28d30c 100644 --- a/contrib/ntp/ntpq/ntpq.man.in +++ b/contrib/ntp/ntpq/ntpq.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpq @NTPQ_MS@ "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpq @NTPQ_MS@ "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-P4aWgw/ag-p5aWew) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-D4aGRT/ag-Q4ayQT) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:26 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:22 PM by AutoGen 5.18.5 .\" From the definitions ntpq-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -31,15 +31,14 @@ .ne 2 .SH DESCRIPTION +.sp \n(Ppu +.ne 2 + The \f\*[B-Font]ntpq\fP -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -50,6 +49,9 @@ The utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. +.sp \n(Ppu +.ne 2 + If one or more request options is included on the command line when \f\*[B-Font]ntpq\fP @@ -67,6 +69,9 @@ The \f\*[B-Font]ntpq\fP utility will prompt for commands if the standard input is a terminal device. +.sp \n(Ppu +.ne 2 + \f\*[B-Font]ntpq\fP uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on @@ -80,6 +85,21 @@ utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. +.sp \n(Ppu +.ne 2 + +Note that in contexts where a host name is expected, a +\f\*[B-Font]\-4\f[] +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +\f\*[B-Font]\-6\f[] +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +\*[Lq]NTP Debugging Techniques\*[Rq] +page. +.sp \n(Ppu +.ne 2 + Specifying a command line option other than \f\*[B-Font]\-i\f[] @@ -93,64 +113,65 @@ Otherwise, will attempt to read interactive format commands from the standard input. .SS "Internal Commands" +.sp \n(Ppu +.ne 2 + Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. +.sp \n(Ppu +.ne 2 + A number of interactive format commands are executed entirely within the \f\*[B-Font]ntpq\fP -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. -.TP 20 -.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command_keyword\f[]] +.TP 15 +.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command\f[]] .br .ns -.TP 20 -.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command_keyword\f[]] +.TP 15 +.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command\f[]] A \[oq]\&?\[cq] -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to \f\*[B-Font]ntpq\fP. A \[oq]\&?\[cq] -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -\f\*[B-Font]ntpq\fP -than this manual -page. .br .ns -.TP 20 -.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]variable_name\f[][\f\*[B-Font]=value\f[]] \f\*[B-Font]...\f[] +.TP 15 +.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][,...] .br .ns -.TP 20 -.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]variable_name\f[] \f\*[B-Font]...\f[] +.TP 15 +.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]name\f[][,...] .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]clearvars\f[] .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]showvars\f[] -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -\[oq]variable_name=value\[cq], +\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]], where the -\[oq]=value\[cq] +.NOP \&=\f\*[I-Font]value\f[] is ignored, and can be omitted, in requests to the server to read variables. The \f\*[B-Font]ntpq\fP -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the \f\*[B-Font]readlist\f[] and \f\*[B-Font]writelist\f[] @@ -165,7 +186,7 @@ The \f\*[B-Font]rmvars\f[] command can be used to remove individual variables from the list, while the -\f\*[B-Font]clearlist\f[] +\f\*[B-Font]clearvars\f[] command removes all variables from the list. The @@ -173,33 +194,29 @@ The command displays the current list of optional variables. .br .ns -.TP 20 -.NOP \f\*[B-Font]authenticate\f[] [yes | no] +.TP 15 +.NOP \f\*[B-Font]authenticate\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]] Normally \f\*[B-Font]ntpq\fP does not authenticate requests unless they are write requests. The command -\[oq]authenticate yes\[cq] +\f\*[B-Font]authenticate\f[] \f\*[B-Font]yes\f[] causes \f\*[B-Font]ntpq\fP to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -\f\*[B-Font]peer\f[] -display. +requests slightly differently. The command -\[oq]authenticate\[cq] +\f\*[B-Font]authenticate\f[] causes \f\*[B-Font]ntpq\fP to display whether or not -\f\*[B-Font]ntpq\fP -is currently autheinticating requests. +it is currently authenticating requests. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]cooked\f[] Causes output from query commands to be "cooked", so that variables which are recognized by @@ -208,19 +225,19 @@ will have their values reformatted for human consumption. Variables which \f\*[B-Font]ntpq\fP -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing \[oq]\&?\[cq]. .br .ns -.TP 20 -.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[] | \f\*[B-Font]less\f[] | \f\*[B-Font]off\f[]] +.TP 15 +.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[]|\f\*[B-Font]less\f[]|\f\*[B-Font]off\f[]] With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. +Otherwise, the debugging level is changed as indicated. .br .ns -.TP 20 -.NOP \f\*[B-Font]delay\f[] \f\*[I-Font]milliseconds\f[] +.TP 15 +.NOP \f\*[B-Font]delay\f[] [\f\*[I-Font]milliseconds\f[]] Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -229,23 +246,33 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +.br +.ns +.TP 15 +.NOP \f\*[B-Font]drefid\f[] [\f\*[B-Font]hash\f[]|\f\*[B-Font]ipv4\f[]] +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]exit\f[] Exit \f\*[B-Font]ntpq\fP. .br .ns -.TP 20 -.NOP \f\*[B-Font]host\f[] \f\*[I-Font]hostname\f[] +.TP 15 +.NOP \f\*[B-Font]host\f[] [\f\*[I-Font]name\f[]] Set the host to which future queries will be sent. -\f\*[I-Font]hostname\f[] +The +\f\*[I-Font]name\f[] may be either a host name or a numeric address. +Without any arguments, displays the current host. .br .ns -.TP 20 -.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[] | \f\*[B-Font]no\f[]] +.TP 15 +.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]] If \f\*[B-Font]yes\f[] is specified, host names are printed in @@ -260,10 +287,12 @@ unless modified using the command line \f\*[B-Font]\-n\f[] switch. +Without any arguments, displays whether host names or numeric addresses +are shown. .br .ns -.TP 20 -.NOP \f\*[B-Font]keyid\f[] \f\*[I-Font]keyid\f[] +.TP 15 +.NOP \f\*[B-Font]keyid\f[] [\f\*[I-Font]keyid\f[]] This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -271,24 +300,26 @@ to the \f\*[B-Font]controlkey\f[] key number the server has been configured to use for this purpose. +Without any arguments, displays the current +\f\*[I-Font]keyid\f[]. .br .ns -.TP 20 -.NOP \f\*[B-Font]keytype\f[] [\f\*[B-Font]md5\f[] | \f\*[B-Font]OpenSSLDigestType\f[]] -Specify the type of key to use for authenticating requests. -\f\*[B-Font]md5\f[] -is alway supported. +.TP 15 +.NOP \f\*[B-Font]keytype\f[] [\f\*[I-Font]digest\f[]] +Specify the digest algorithm to use for authenticating requests, with default +\f\*[B-Font]MD5\f[]. If \f\*[B-Font]ntpq\fP -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +\f\*[I-Font]digest\f[] +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -\f\*[B-Font]keytype\f[] -is displayed. +\f\*[B-Font]keytype\f[] \f\*[I-Font]digest\f[] +algorithm used is displayed. .br .ns -.TP 20 -.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[] | \f\*[B-Font]2\f[] | \f\*[B-Font]3\f[] | \f\*[B-Font]4\f[]] +.TP 15 +.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[]|\f\*[B-Font]2\f[]|\f\*[B-Font]3\f[]|\f\*[B-Font]4\f[]] Sets the NTP version number which \f\*[B-Font]ntpq\fP claims in @@ -301,7 +332,7 @@ With no argument, displays the current NTP version that will be used when communicating with servers. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]passwd\f[] This command prompts you to type in a password (which will not be echoed) which will be used to authenticate configuration @@ -309,22 +340,23 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -.\" Not yet implemented. -.\" .It Ic poll -.\" .Op Ar n -.\" .Op Ic verbose -.\" Poll an NTP server in client mode -.\" .Ar n -.\" times. .br .ns -.TP 20 +.TP 15 +.NOP \f\*[B-Font]poll\f[] [\f\*[I-Font]n\f[]] [\f\*[B-Font]verbose\f[]] +Poll an NTP server in client mode +\f\*[I-Font]n\f[] +times. +Poll not implemented yet. +.br +.ns +.TP 15 .NOP \f\*[B-Font]quit\f[] Exit \f\*[B-Font]ntpq\fP. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]raw\f[] Causes all output from query commands is printed as received from the remote server. @@ -333,130 +365,214 @@ the data is to transform nonascii data into a printable (but barely understandable) form. .br .ns -.TP 20 -.NOP \f\*[B-Font]timeout\f[] \f\*[I-Font]milliseconds\f[] +.TP 15 +.NOP \f\*[B-Font]timeout\f[] [\f\*[I-Font]milliseconds\f[]] Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since \f\*[B-Font]ntpq\fP retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. .br .ns -.TP 20 +.TP 15 .NOP \f\*[B-Font]version\f[] -Print the version of the +Display the version of the \f\*[B-Font]ntpq\fP program. .PP .SS "Control Message Commands" -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the -\f[C]peers\f[] +\f\*[B-Font]peers\f[] command, which sends a series of messages, and the -\f[C]mreadlist\f[] +\f\*[B-Font]mreadlist\f[] and -\f[C]mreadvar\f[] +\f\*[B-Font]mreadvar\f[] commands, which iterate over a range of associations. .TP 10 +.NOP \f\*[B-Font]apeers\f[] +Display a list of peers in the form: +.Dl [tally]remote refid assid st t when pool reach delay offset jitter +where the output is just like the +\f\*[B-Font]peers\f[] +command except that the +\f\*[B-Font]refid\f[] +is displayed in hex format and the association number is also displayed. +.br +.ns +.TP 10 .NOP \f\*[B-Font]associations\f[] Display a list of mobilized associations in the form: .Dl ind assid status conf reach auth condition last_event cnt .RS .IP \fB\(bu\fP 2 -.IP \fB\(bu\fP 2 \f[C]ind\f[] \f[C]Ta\f[] \f[C]index\f[] \f[C]on\f[] \f[C]this\f[] \f[C]list\f[] -.IP \fB\(bu\fP 2 \f[C]assid\f[] \f[C]Ta\f[] \f[C]association\f[] \f[C]ID\f[] -.IP \fB\(bu\fP 2 \f[C]status\f[] \f[C]Ta\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word\f[] -.IP \fB\(bu\fP 2 \f[C]conf\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]persistent,\f[] \f[C]no\f[]: \f[C]ephemeral\f[] -.IP \fB\(bu\fP 2 \f[C]reach\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]reachable,\f[] \f[C]no\f[]: \f[C]unreachable\f[] -.IP \fB\(bu\fP 2 \f[C]auth\f[] \f[C]Ta\f[] \f[C]ok\f[], \f[C]yes\f[], \f[C]bad\f[] \f[C]and\f[] \f[C]none\f[] -.IP \fB\(bu\fP 2 \f[C]condition\f[] \f[C]Ta\f[] \f[C]selection\f[] \f[C]status\f[] \f[C](see\f[] \f[C]the\f[] \f[C]select\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[] -.IP \fB\(bu\fP 2 \f[C]last_event\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]report\f[] \f[C](see\f[] \f[C]the\f[] \f[C]event\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[] -.IP \fB\(bu\fP 2 \f[C]cnt\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]count\f[] \f[C](see\f[] \f[C]the\f[] \f[C]count\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]ind\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]index\f[] \f\*[B-Font]on\f[] \f\*[B-Font]this\f[] \f\*[B-Font]list\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]assid\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]association\f[] \f\*[B-Font]id\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]status\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]conf\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]persistent,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]ephemeral\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]reach\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]reachable,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]unreachable\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]auth\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]ok\f[], \f\*[B-Font]yes\f[], \f\*[B-Font]bad\f[] \f\*[B-Font]No\f[] \f\*[B-Font]and\f[] \f\*[B-Font]none\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]condition\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]selection\f[] \f\*[B-Font]status\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]select\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]last_event\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]report\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]event\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[] +.IP \fB\(bu\fP 2 \f\*[B-Font]cnt\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]count\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]count\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[] .RE .br .ns .TP 10 .NOP \f\*[B-Font]authinfo\f[] -Display the authentication statistics. +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]clocklist\f[] [\f\*[I-Font]associd\f[]] .br .ns .TP 10 -.NOP \f\*[B-Font]clockvar\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...] +.NOP \f\*[B-Font]cl\f[] [\f\*[I-Font]associd\f[]] +Display all clock variables in the variable list for those associations +supporting a reference clock. .br .ns .TP 10 -.NOP \f\*[B-Font]cv\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...] -Display a list of clock variables for those associations supporting a reference clock. +.NOP \f\*[B-Font]clockvar\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...] .br .ns .TP 10 -.NOP \f\*[B-Font]:config\f[] [...] -Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. +.NOP \f\*[B-Font]cv\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...] +Display a list of clock variables for those associations supporting a +reference clock. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]:config\f[] \f\*[I-Font]configuration command line\f[] +Send the remainder of the command line, including whitespace, to the +server as a run-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. .br .ns .TP 10 .NOP \f\*[B-Font]config-from-file\f[] \f\*[I-Font]filename\f[] -Send the each line of +Send each line of \f\*[I-Font]filename\f[] -to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. .br .ns .TP 10 .NOP \f\*[B-Font]ifstats\f[] -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. .br .ns .TP 10 .NOP \f\*[B-Font]iostats\f[] -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. .br .ns .TP 10 .NOP \f\*[B-Font]kerninfo\f[] -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. .br .ns .TP 10 .NOP \f\*[B-Font]lassociations\f[] -Perform the same function as the associations command, except display mobilized and unmobilized associations. +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. .br .ns .TP 10 -.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]] -Obtain and print a list of all peers and clients showing -\f\*[I-Font]dstadr\f[] -(associated with any given IP version). +.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]] +Display a list of all peers and clients showing +\f\*[B-Font]dstadr\f[] +(associated with the given IP version). .br .ns .TP 10 -.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]] -Print a peer spreadsheet for the appropriate IP version(s). -\f\*[I-Font]dstadr\f[] -(associated with any given IP version). +.NOP \f\*[B-Font]lpassociations\f[] +Display the last obtained list of associations, including all clients. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]] +Display a list of all peers and clients (associated with the given IP version). .br .ns .TP 10 .NOP \f\*[B-Font]monstats\f[] -Display monitor facility statistics. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mreadlist\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mrl\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] +Perform the same function as the +\f\*[B-Font]readlist\f[] +command for a range of association ids. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mreadvar\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...] +This range may be determined from the list displayed by any +command showing associations. .br .ns .TP 10 -.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]=\f\*[I-Font]hexmask\f[]] -Obtain and print traffic counts collected and maintained by the monitor facility. +.NOP \f\*[B-Font]mrv\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...] +Perform the same function as the +\f\*[B-Font]readvar\f[] +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]\&=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]\&=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]\&=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]\&=\f\*[I-Font]hexmask\f[]] +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -\f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[], +\f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[], the options filter the list returned by -\f\*[B-Font]ntpd.\f[] +\fCntpd\f[]\fR(8)\f[]. The \f\*[B-Font]limited\f[] and \f\*[B-Font]kod\f[] -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The \f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[] option filters entries representing less than @@ -477,12 +593,14 @@ The \f\*[I-Font]sortorder\f[] defaults to \f\*[B-Font]lstint\f[] -and may be any of +and may be \f\*[B-Font]addr\f[], -\f\*[B-Font]count\f[], \f\*[B-Font]avgint\f[], +\f\*[B-Font]count\f[], \f\*[B-Font]lstint\f[], -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +\[oq]\&-\[cq] +to reverse the sort order. The output columns are: .RS .TP 10 @@ -492,7 +610,8 @@ Description .ns .TP 10 .NOP \f\*[B-Font]lstint\f[] -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by \f\*[B-Font]ntpq\fP. .br .ns @@ -506,7 +625,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching \f\*[B-Font]restrict\f[] -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. .br .ns .TP 10 @@ -542,32 +662,18 @@ Source port of last packet from this address. .ns .TP 10 .NOP \f\*[B-Font]remote\f[] \f\*[B-Font]address\f[] -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. .RE .br .ns .TP 10 -.NOP \f\*[B-Font]mreadvar\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ... -.br -.ns -.TP 10 -.NOP \f\*[B-Font]mrv\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ... -Perform the same function as the -\f\*[B-Font]readvar\f[] -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -\f\*[B-Font]associations\f[] -command. -.br -.ns -.TP 10 .NOP \f\*[B-Font]opeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]] Obtain and print the old-style list of all peers and clients showing -\f\*[I-Font]dstadr\f[] -(associated with any given IP version), +\f\*[B-Font]dstadr\f[] +(associated with the given IP version), rather than the -\f\*[I-Font]refid\f[]. +\f\*[B-Font]refid\f[]. .br .ns .TP 10 @@ -599,22 +705,24 @@ field of the .TP 10 .NOP \f\*[B-Font]remote\f[] host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +\f\*[B-Font]ntpq\fP \f\*[B-Font]\-w\f[] -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. .br .ns .TP 10 .NOP \f\*[B-Font]refid\f[] -association ID or +source IP address or .Lk decode.html#kiss "'kiss code" .br .ns .TP 10 .NOP \f\*[B-Font]st\f[] -stratum +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks .br .ns .TP 10 @@ -623,6 +731,8 @@ stratum unicast or manycast client, \f\*[B-Font]b\f[]: broadcast or multicast client, +\f\*[B-Font]p\f[]: +pool source, \f\*[B-Font]l\f[]: local (reference clock), \f\*[B-Font]s\f[]: @@ -637,12 +747,15 @@ multicast server .ns .TP 10 .NOP \f\*[B-Font]when\f[] -sec/min/hr since last received packet +time in seconds, minutes, hours, or days since the last packet +was received, or +\[oq]\&-\[cq] +if a packet has never been received .br .ns .TP 10 .NOP \f\*[B-Font]poll\f[] -poll interval (log2 s) +poll interval (s) .br .ns .TP 10 @@ -662,143 +775,159 @@ offset of server relative to this host .ns .TP 10 .NOP \f\*[B-Font]jitter\f[] -jitter +offset RMS error estimate. .RE .br .ns .TP 10 -.NOP \f\*[B-Font]apeers\f[] -Display a list of peers in the form: -.Dl [tally]remote refid assid st t when pool reach delay offset jitter -where the output is just like the -\f\*[B-Font]peers\f[] -command except that the -\f\*[B-Font]refid\f[] -is displayed in hex format and the association number is also displayed. -.br -.ns -.TP 10 -.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]assocID\f[] -Show the statistics for the peer with the given -\f\*[I-Font]assocID\f[]. +.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]associd\f[] +Display the statistics for the peer with the given +\f\*[I-Font]associd\f[]: +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. .br .ns .TP 10 -.NOP \f\*[B-Font]readlist\f[] \f\*[I-Font]assocID\f[] +.NOP \f\*[B-Font]readlist\f[] [\f\*[I-Font]associd\f[]] .br .ns .TP 10 -.NOP \f\*[B-Font]rl\f[] \f\*[I-Font]assocID\f[] -Read the system or peer variables included in the variable list. +.NOP \f\*[B-Font]rl\f[] [\f\*[I-Font]associd\f[]] +Display all system or peer variables. +If the +\f\*[I-Font]associd\f[] +is omitted, it is assumed to be zero. .br .ns .TP 10 -.NOP \f\*[B-Font]readvar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...] +.NOP \f\*[B-Font]readvar\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]] .br .ns .TP 10 -.NOP \f\*[B-Font]rv\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...] -Display the specified variables. +.NOP \f\*[B-Font]rv\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]] +Display the specified system or peer variables. If -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is zero, the variables are from the \fISystem\f[] \fIVariables\f[] name space, otherwise they are from the \fIPeer\f[] \fIVariables\f[] name space. The -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is required, as the same name can occur in both spaces. If no \f\*[I-Font]name\f[] is included, all operative variables in the name space are displayed. In this case only, if the -\f\*[I-Font]assocID\f[] -is omitted, it is assumed zero. +\f\*[I-Font]associd\f[] +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts-per-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +\f\*[I-Font]YYYY\f[]\f\*[I-Font]MM\f[] \f\*[I-Font]DD\f[] \f\*[I-Font]TTTT\f[], +where +\f\*[I-Font]YYYY\f[] +is the year, +\f\*[I-Font]MM\f[] +the month of year, +\f\*[I-Font]DD\f[] +the day of month and +\f\*[I-Font]TTTT\f[] +the time of day. .br .ns .TP 10 .NOP \f\*[B-Font]reslist\f[] -Show the access control (restrict) list for +Display the access control (restrict) list for \f\*[B-Font]ntpq\fP. +Authentication is required. .br .ns .TP 10 .NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[] -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by \f\*[B-Font]:config\f[] or \f\*[B-Font]config-from-file\f[], -to the ntpd host's file +to the NTP server host file \f\*[I-Font]filename\f[]. This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -\f\*[B-Font]ntpd\f[] +\fCntpd\f[]\fR(8)\f[] configuration file. \f\*[I-Font]filename\f[] can use -\fCstrftime\f[]\fR()\f[] -format specifies to substitute the current date and time, for example, -\f\*[B-Font]q]saveconfig\f[] \f\*[B-Font]ntp-%Y%m%d-%H%M%S.confq]\f[]. +\fCdate\f[]\fR(1)\f[] +format specifiers to substitute the current date and time, for +example, +.in +4 +\f\*[B-Font]saveconfig\f[] \fIntp-%Y%m%d-%H%M%S.conf\f[]. +.in -4 The filename used is stored in system variable \f\*[B-Font]savedconfig\f[]. Authentication is required. .br .ns .TP 10 +.NOP \f\*[B-Font]sysinfo\f[] +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +.br +.ns +.TP 10 +.NOP \f\*[B-Font]sysstats\f[] +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. +.br +.ns +.TP 10 .NOP \f\*[B-Font]timerstats\f[] -Display interval timer counters. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. .br .ns .TP 10 -.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]assocID\f[] -Write the system or peer variables included in the variable list. +.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]associd\f[] +Set all system or peer variables included in the variable list. .br .ns .TP 10 -.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...] -Write the specified variables. +.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]associd\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...] +Set the specified variables in the variable list. If the -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is zero, the variables are from the \fISystem\f[] \fIVariables\f[] name space, otherwise they are from the \fIPeer\f[] \fIVariables\f[] name space. The -\f\*[I-Font]assocID\f[] +\f\*[I-Font]associd\f[] is required, as the same name can occur in both spaces. -.br -.ns -.TP 10 -.NOP \f\*[B-Font]sysinfo\f[] -Display operational summary. -.br -.ns -.TP 10 -.NOP \f\*[B-Font]sysstats\f[] -Print statistics counters maintained in the protocol module. +Authentication is required. .PP .SS Status Words and Kiss Codes The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per-association basis. -These words are displayed in the -\f\*[B-Font]rv\f[] +These words are displayed by the +\f\*[B-Font]readlist\f[] and -\f\*[B-Font]as\f[] +\f\*[B-Font]associations\f[] commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -817,9 +946,12 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards. .SS System Variables The following system variables appear in the -\f\*[B-Font]rv\f[] +\f\*[B-Font]readlist\f[] billboard. Not all variables are displayed in some configurations. +.sp \n(Ppu +.ne 2 + .TP 10 .NOP Variable Description @@ -871,49 +1003,49 @@ total dispersion to the primary reference clock .br .ns .TP 10 -.NOP \f\*[B-Font]peer\f[] -system peer association ID +.NOP \f\*[B-Font]refid\f[] +reference id or +.Lk decode.html#kiss "kiss code" .br .ns .TP 10 -.NOP \f\*[B-Font]tc\f[] -time constant and poll exponent (log2 s) (3-17) +.NOP \f\*[B-Font]reftime\f[] +reference time .br .ns .TP 10 -.NOP \f\*[B-Font]mintc\f[] -minimum time constant (log2 s) (3-10) +.NOP \f\*[B-Font]clock\f[] +date and time of day .br .ns .TP 10 -.NOP \f\*[B-Font]clock\f[] -date and time of day +.NOP \f\*[B-Font]peer\f[] +system peer association id .br .ns .TP 10 -.NOP \f\*[B-Font]refid\f[] -reference ID or -.Lk decode.html#kiss "kiss code" +.NOP \f\*[B-Font]tc\f[] +time constant and poll exponent (log2 s) (3-17) .br .ns .TP 10 -.NOP \f\*[B-Font]reftime\f[] -reference time +.NOP \f\*[B-Font]mintc\f[] +minimum time constant (log2 s) (3-10) .br .ns .TP 10 .NOP \f\*[B-Font]offset\f[] -combined offset of server relative to this host +combined offset of server relative to this host .br .ns .TP 10 -.NOP \f\*[B-Font]sys_jitter\f[] -combined system jitter +.NOP \f\*[B-Font]frequency\f[] +frequency drift (PPM) relative to hardware clock .br .ns .TP 10 -.NOP \f\*[B-Font]frequency\f[] -frequency offset (PPM) relative to hardware clock +.NOP \f\*[B-Font]sys_jitter\f[] +combined system jitter .br .ns .TP 10 @@ -996,9 +1128,12 @@ NTP seconds when the certificate expires .PP .SS Peer Variables The following peer variables appear in the -\f\*[B-Font]rv\f[] +\f\*[B-Font]readlist\f[] billboard for each association. Not all variables are displayed in some configurations. +.sp \n(Ppu +.ne 2 + .TP 10 .NOP Variable Description @@ -1006,7 +1141,7 @@ Description .ns .TP 10 .NOP \f\*[B-Font]associd\f[] -association ID +association id .br .ns .TP 10 @@ -1061,7 +1196,7 @@ total root dispersion to the primary reference clock .ns .TP 10 .NOP \f\*[B-Font]refid\f[] -reference ID or +reference id or .Lk decode.html#kiss "kiss code" .br .ns @@ -1071,6 +1206,11 @@ reference time .br .ns .TP 10 +.NOP \f\*[B-Font]rec\f[] +last packet received time +.br +.ns +.TP 10 .NOP \f\*[B-Font]reach\f[] reach register (octal) .br @@ -1112,6 +1252,11 @@ headway (see .br .ns .TP 10 +.NOP \f\*[B-Font]keyid\f[] +symmetric key id +.br +.ns +.TP 10 .NOP \f\*[B-Font]offset\f[] filter offset .br @@ -1132,11 +1277,6 @@ filter jitter .br .ns .TP 10 -.NOP \f\*[B-Font]ident\f[] -Autokey group name for this association -.br -.ns -.TP 10 .NOP \f\*[B-Font]bias\f[] unicast/broadcast bias .br @@ -1150,7 +1290,8 @@ The \f\*[B-Font]bias\f[] variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The \f\*[B-Font]xleave\f[] variable appears only for the interleaved symmetric and interleaved modes. @@ -1188,7 +1329,7 @@ OpenSSL digest/signature scheme .ns .TP 10 .NOP \f\*[B-Font]initsequence\f[] -initial key ID +initial key id .br .ns .TP 10 @@ -1199,10 +1340,15 @@ initial key index .TP 10 .NOP \f\*[B-Font]timestamp\f[] Autokey signature timestamp +.br +.ns +.TP 10 +.NOP \f\*[B-Font]ident\f[] +Autokey group name for this association .PP .SS Clock Variables The following clock variables appear in the -\f\*[B-Font]cv\f[] +\f\*[B-Font]clocklist\f[] billboard for each association with a reference clock. Not all variables are displayed in some configurations. .TP 10 @@ -1212,7 +1358,7 @@ Description .ns .TP 10 .NOP \f\*[B-Font]associd\f[] -association ID +association id .br .ns .TP 10 @@ -1267,7 +1413,7 @@ driver stratum .ns .TP 10 .NOP \f\*[B-Font]refid\f[] -driver reference ID +driver reference id .br .ns .TP 10 @@ -1277,19 +1423,19 @@ driver flags .SH "OPTIONS" .TP .NOP \f\*[B-Font]\-4\f[], \f\*[B-Font]\-\-ipv4\f[] -Force IPv4 DNS name resolution. +Force IPv4 name resolution. This option must not appear in combination with any of the following options: ipv6. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv4 namespace. .TP .NOP \f\*[B-Font]\-6\f[], \f\*[B-Font]\-\-ipv6\f[] -Force IPv6 DNS name resolution. +Force IPv6 name resolution. This option must not appear in combination with any of the following options: ipv4. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv6 namespace. .TP .NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]cmd\f[], \f\*[B-Font]\-\-command\f[]=\f\*[I-Font]cmd\f[] @@ -1324,7 +1470,7 @@ commands read from the standard input. numeric host addresses. .sp Output all host addresses in dotted-quad numeric format rather than -converting to the canonical host names. +converting to the canonical host names. .TP .NOP \f\*[B-Font]\-\-old\-rv\f[] Always output status line with readvar. diff --git a/contrib/ntp/ntpq/ntpq.mdoc.in b/contrib/ntp/ntpq/ntpq.mdoc.in index 4ad00f8..e0804f1 100644 --- a/contrib/ntp/ntpq/ntpq.mdoc.in +++ b/contrib/ntp/ntpq/ntpq.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPQ @NTPQ_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:31 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:28 PM by AutoGen 5.18.5 .\" From the definitions ntpq-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -18,15 +18,12 @@ [ host ...] .Pp .Sh DESCRIPTION +.Pp The .Nm -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -37,6 +34,7 @@ The utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. +.Pp If one or more request options is included on the command line when .Nm @@ -54,6 +52,7 @@ The .Nm utility will prompt for commands if the standard input is a terminal device. +.Pp .Nm uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on @@ -67,6 +66,17 @@ utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. +.Pp +Note that in contexts where a host name is expected, a +.Fl 4 +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +.Fl 6 +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +.Dq NTP Debugging Techniques +page. +.Pp Specifying a command line option other than .Fl i @@ -80,51 +90,46 @@ Otherwise, will attempt to read interactive format commands from the standard input. .Ss "Internal Commands" +.Pp Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. +.Pp A number of interactive format commands are executed entirely within the .Nm -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. -.Bl -tag -width "? [command_keyword]" -compact -offset indent -.It Ic ? Op Ar command_keyword -.It Ic help Op Ar command_keyword +.Bl -tag -width "help [command]" -compact -offset indent +.It Ic ? Op Ar command +.It Ic help Op Ar command A .Ql \&? -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to .Nm . A .Ql \&? -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -.Nm -than this manual -page. -.It Ic addvars Ar variable_name Ns Xo Op Ic =value -.Ic ... -.Xc -.It Ic rmvars Ar variable_name Ic ... +.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,... +.It Ic rmvars Ar name Ns Op ,... .It Ic clearvars .It Ic showvars -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -.Ql variable_name=value , +.Ar name Ns Op \&= Ns Ar value , where the -.Ql =value +.No \&= Ns Ar value is ignored, and can be omitted, in requests to the server to read variables. The .Nm -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the .Ic readlist and .Ic writelist @@ -139,35 +144,31 @@ The .Ic rmvars command can be used to remove individual variables from the list, while the -.Ic clearlist +.Ic clearvars command removes all variables from the list. The .Ic showvars command displays the current list of optional variables. -.It Ic authenticate Op yes | no +.It Ic authenticate Op Cm yes Ns | Ns Cm no Normally .Nm does not authenticate requests unless they are write requests. The command -.Ql authenticate yes +.Ic authenticate Cm yes causes .Nm to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -.Ic peer -display. +requests slightly differently. The command -.Ql authenticate +.Ic authenticate causes .Nm to display whether or not -.Nm -is currently autheinticating requests. +it is currently authenticating requests. .It Ic cooked Causes output from query commands to be "cooked", so that variables which are recognized by @@ -176,20 +177,13 @@ will have their values reformatted for human consumption. Variables which .Nm -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing .Ql \&? . -.It Xo -.Ic debug -.Oo -.Cm more | -.Cm less | -.Cm off -.Oc -.Xc +.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. -.It Ic delay Ar milliseconds +Otherwise, the debugging level is changed as indicated. +.It Ic delay Op Ar milliseconds Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -198,14 +192,21 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +.It Ic drefid Op Cm hash Ns | Ns Cm ipv4 +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. .It Ic exit Exit .Nm . -.It Ic host Ar hostname +.It Ic host Op Ar name Set the host to which future queries will be sent. -.Ar hostname +The +.Ar name may be either a host name or a numeric address. -.It Ic hostnames Op Cm yes | Cm no +Without any arguments, displays the current host. +.It Ic hostnames Op Cm yes Ns | Ns Cm no If .Cm yes is specified, host names are printed in @@ -220,7 +221,9 @@ unless modified using the command line .Fl n switch. -.It Ic keyid Ar keyid +Without any arguments, displays whether host names or numeric addresses +are shown. +.It Ic keyid Op Ar keyid This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -228,28 +231,20 @@ to the .Cm controlkey key number the server has been configured to use for this purpose. -.It Ic keytype Xo Oo -.Cm md5 | -.Cm OpenSSLDigestType -.Oc -.Xc -Specify the type of key to use for authenticating requests. -.Cm md5 -is alway supported. +Without any arguments, displays the current +.Ar keyid . +.It Ic keytype Op Ar digest +Specify the digest algorithm to use for authenticating requests, with default +.Cm MD5 . If .Nm -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +.Ar digest +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -.Ic keytype -is displayed. -.It Ic ntpversion Xo Oo -.Cm 1 | -.Cm 2 | -.Cm 3 | -.Cm 4 -.Oc -.Xc +.Ic keytype Ar digest +algorithm used is displayed. +.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4 Sets the NTP version number which .Nm claims in @@ -267,13 +262,11 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -.\" Not yet implemented. -.\" .It Ic poll -.\" .Op Ar n -.\" .Op Ic verbose -.\" Poll an NTP server in client mode -.\" .Ar n -.\" times. +.It Ic poll Oo Ar n Oc Op Cm verbose +Poll an NTP server in client mode +.Ar n +times. +Poll not implemented yet. .It Ic quit Exit .Nm . @@ -283,95 +276,150 @@ from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. -.It Ic timeout Ar milliseconds +.It Ic timeout Op Ar milliseconds Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since .Nm retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. .It Ic version -Print the version of the +Display the version of the .Nm program. .El .Ss "Control Message Commands" -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode\-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the -.Li peers +.Ic peers command, which sends a series of messages, and the -.Li mreadlist +.Ic mreadlist and -.Li mreadvar +.Ic mreadvar commands, which iterate over a range of associations. .Bl -tag -width "something" -compact -offset indent -.It Cm associations +.It Ic apeers +Display a list of peers in the form: +.Dl [tally]remote refid assid st t when pool reach delay offset jitter +where the output is just like the +.Ic peers +command except that the +.Cm refid +is displayed in hex format and the association number is also displayed. +.It Ic associations Display a list of mobilized associations in the form: .Dl ind assid status conf reach auth condition last_event cnt -.Bl -column -offset indent ".Sy Variable" ".Sy Description" -.It Sy String Ta Sy Description -.It Li ind Ta index on this list -.It Li assid Ta association ID -.It Li status Ta peer status word -.It Li conf Ta Li yes : persistent, Li no : ephemeral -.It Li reach Ta Li yes : reachable, Li no : unreachable -.It Li auth Ta Li ok , Li yes , Li bad and Li none -.It Li condition Ta selection status (see the Li select field of the peer status word) -.It Li last_event Ta event report (see the Li event field of the peer status word) -.It Li cnt Ta event count (see the Li count field of the peer status word) +.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word" +.It Sy Variable Ta Sy Description +.It Cm ind Ta index on this list +.It Cm assid Ta association id +.It Cm status Ta peer status word +.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral +.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable +.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none +.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&) +.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&) +.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&) .El -.It Cm authinfo -Display the authentication statistics. -.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -Display a list of clock variables for those associations supporting a reference clock. -.It Cm :config Op ... -Send the remainder of the command line, including whitespace, to the server as a run\-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -.It Cm config\-from\-file Ar filename -Send the each line of +.It Ic authinfo +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +.It Ic clocklist Op Ar associd +.It Ic cl Op Ar associd +Display all clock variables in the variable list for those associations +supporting a reference clock. +.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +Display a list of clock variables for those associations supporting a +reference clock. +.It Ic :config Ar "configuration command line" +Send the remainder of the command line, including whitespace, to the +server as a run\-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. +.It Ic config\-from\-file Ar filename +Send each line of .Ar filename -to the server as run\-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run\-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. .It Ic ifstats -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. .It Ic iostats -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. .It Ic kerninfo -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. .It Ic lassociations -Perform the same function as the associations command, except display mobilized and unmobilized associations. -.It Ic lopeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc -Obtain and print a list of all peers and clients showing -.Ar dstadr -(associated with any given IP version). -.It Ic lpeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc -Print a peer spreadsheet for the appropriate IP version(s). -.Ar dstadr -(associated with any given IP version). +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. +.It Ic lopeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients showing +.Cm dstadr +(associated with the given IP version). +.It Ic lpassociations +Display the last obtained list of associations, including all clients. +.It Ic lpeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients (associated with the given IP version). .It Ic monstats -Display monitor facility statistics. -.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc -Obtain and print traffic counts collected and maintained by the monitor facility. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +.It Ic mreadlist Ar associdlo Ar associdhi +.It Ic mrl Ar associdlo Ar associdhi +Perform the same function as the +.Ic readlist +command for a range of association ids. +.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +This range may be determined from the list displayed by any +command showing associations. +.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +Perform the same function as the +.Ic readvar +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count | +.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder | +.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc +.Xc +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -.Cm sort Ns = Ns Ar sortorder , +.Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder , the options filter the list returned by -.Cm ntpd. +.Xr ntpd 8 . The .Cm limited and .Cm kod -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The .Cm mincount Ns = Ns Ar count option filters entries representing less than @@ -392,18 +440,21 @@ The .Ar sortorder defaults to .Cm lstint -and may be any of +and may be .Cm addr , -.Cm count , .Cm avgint , +.Cm count , .Cm lstint , -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +.Ql \&\- +to reverse the sort order. The output columns are: .Bl -tag -width "something" -compact -offset indent .It Column Description .It Ic lstint -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by .Nm . .It Ic avgint Average interval in s between packets from this address. @@ -411,7 +462,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching .Ic restrict -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. .It Ic r Rate control indicator, either a period, @@ -429,27 +481,15 @@ Packets received from this address. .It Ic rport Source port of last packet from this address. .It Ic remote address -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. .El -.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -Perform the same function as the -.Ic readvar -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -.Ic associations -command. -.It Ic opeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc +.It Ic opeers Op Fl 4 | Fl 6 Obtain and print the old\-style list of all peers and clients showing -.Ar dstadr -(associated with any given IP version), +.Cm dstadr +(associated with the given IP version), rather than the -.Ar refid . +.Cm refid . .It Ic passociations Perform the same function as the .Ic associations @@ -461,28 +501,32 @@ Display a list of peers in the form: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic [tally] +.It Cm [tally] single\-character code indicating current value of the .Ic select field of the .Lk decode.html#peer "peer status word" -.It Ic remote +.It Cm remote host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +.Nm .Fl w -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. -.It Ic refid -association ID or +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. +.It Cm refid +source IP address or .Lk decode.html#kiss "'kiss code" -.It Ic st -stratum -.It Ic t +.It Cm st +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks +.It Cm t .Ic u : unicast or manycast client, .Ic b : broadcast or multicast client, +.Ic p : +pool source, .Ic l : local (reference clock), .Ic s : @@ -493,115 +537,135 @@ manycast server, broadcast server, .Ic M : multicast server -.It Ic when -sec/min/hr since last received packet -.It Ic poll -poll interval (log2 s) -.It Ic reach +.It Cm when +time in seconds, minutes, hours, or days since the last packet +was received, or +.Ql \&\- +if a packet has never been received +.It Cm poll +poll interval (s) +.It Cm reach reach shift register (octal) -.It Ic delay +.It Cm delay roundtrip delay -.It Ic offset +.It Cm offset offset of server relative to this host -.It Ic jitter -jitter +.It Cm jitter +offset RMS error estimate. .El -.It Ic apeers -Display a list of peers in the form: -.Dl [tally]remote refid assid st t when pool reach delay offset jitter -where the output is just like the -.Ic peers -command except that the -.Ic refid -is displayed in hex format and the association number is also displayed. -.It Ic pstats Ar assocID -Show the statistics for the peer with the given -.Ar assocID . -.It Ic readlist Ar assocID -.It Ic rl Ar assocID -Read the system or peer variables included in the variable list. -.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -Display the specified variables. +.It Ic pstats Ar associd +Display the statistics for the peer with the given +.Ar associd : +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. +.It Ic readlist Op Ar associd +.It Ic rl Op Ar associd +Display all system or peer variables. +If the +.Ar associd +is omitted, it is assumed to be zero. +.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +Display the specified system or peer variables. If -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. If no .Ar name is included, all operative variables in the name space are displayed. In this case only, if the -.Ar assocID -is omitted, it is assumed zero. +.Ar associd +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts\-per\-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +.Ar YYYY Ns Ar MM Ar DD Ar TTTT , +where +.Ar YYYY +is the year, +.Ar MM +the month of year, +.Ar DD +the day of month and +.Ar TTTT +the time of day. .It Ic reslist -Show the access control (restrict) list for +Display the access control (restrict) list for .Nm . +Authentication is required. .It Ic saveconfig Ar filename -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by .Ic :config or .Ic config\-from\-file , -to the ntpd host's file +to the NTP server host file .Ar filename . This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -.Ic ntpd +.Xr ntpd 8 configuration file. .Ar filename can use -.Xr strftime -format specifies to substitute the current date and time, for example, -.Ic q]saveconfig ntp\-%Y%m%d\-%H%M%S.confq] . +.Xr date 1 +format specifiers to substitute the current date and time, for +example, +.D1 Ic saveconfig Pa ntp\-%Y%m%d\-%H%M%S.conf . The filename used is stored in system variable -.Ic savedconfig . +.Cm savedconfig . Authentication is required. +.It Ic sysinfo +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +.It Ic sysstats +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. .It Ic timerstats -Display interval timer counters. -.It Ic writelist Ar assocID -Write the system or peer variables included in the variable list. -.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ... -Write the specified variables. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. +.It Ic writelist Ar associd +Set all system or peer variables included in the variable list. +.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ... +Set the specified variables in the variable list. If the -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. -.It Ic sysinfo -Display operational summary. -.It Ic sysstats -Print statistics counters maintained in the protocol module. +Authentication is required. .El .Ss Status Words and Kiss Codes The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per\-association basis. -These words are displayed in the -.Ic rv +These words are displayed by the +.Ic readlist and -.Ic as +.Ic associations commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -618,58 +682,59 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards. .Ss System Variables The following system variables appear in the -.Ic rv +.Ic readlist billboard. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic status +.It Cm status .Lk decode.html#sys "system status word" -.It Ic version +.It Cm version NTP software version and build time -.It Ic processor +.It Cm processor hardware platform and version -.It Ic system +.It Cm system operating system and version -.It Ic leap +.It Cm leap leap warning indicator (0\-3) -.It Ic stratum +.It Cm stratum stratum (1\-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total dispersion to the primary reference clock -.It Ic peer -system peer association ID -.It Ic tc -time constant and poll exponent (log2 s) (3\-17) -.It Ic mintc -minimum time constant (log2 s) (3\-10) -.It Ic clock -date and time of day -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic offset -combined offset of server relative to this host -.It Ic sys_jitter +.It Ic clock +date and time of day +.It Cm peer +system peer association id +.It Cm tc +time constant and poll exponent (log2 s) (3\-17) +.It Cm mintc +minimum time constant (log2 s) (3\-10) +.It Cm offset +combined offset of server relative to this host +.It Cm frequency +frequency drift (PPM) relative to hardware clock +.It Cm sys_jitter combined system jitter -.It Ic frequency -frequency offset (PPM) relative to hardware clock -.It Ic clk_wander +.It Cm clk_wander clock frequency wander (PPM) -.It Ic clk_jitter +.It Cm clk_jitter clock jitter -.It Ic tai +.It Cm tai TAI\-UTC offset (s) -.It Ic leapsec +.It Cm leapsec NTP seconds when the next leap second is/was inserted -.It Ic expire +.It Cm expire NTP seconds when the NIST leapseconds file expires .El The jitter and wander statistics are exponentially\-weighted RMS averages. @@ -683,98 +748,102 @@ depending on the particular Autokey dance: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic host +.It Cm host Autokey host name for this host -.It Ic ident +.It Cm ident Autokey group name for this host -.It Ic flags +.It Cm flags host flags (see Autokey specification) -.It Ic digest +.It Cm digest OpenSSL message digest algorithm -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic update +.It Cm update NTP seconds at last signature update -.It Ic cert +.It Cm cert certificate subject, issuer and certificate flags -.It Ic until +.It Cm until NTP seconds when the certificate expires .El .Ss Peer Variables The following peer variables appear in the -.Ic rv +.Ic readlist billboard for each association. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#peer "peer status word" -.It Ic srcadr +.It Cm srcadr source (remote) IP address -.It Ic srcport +.It Cm srcport source (remote) port -.It Ic dstadr +.It Cm dstadr destination (local) IP address -.It Ic dstport +.It Cm dstport destination (local) port -.It Ic leap +.It Cm leap leap indicator (0\-3) -.It Ic stratum +.It Cm stratum stratum (0\-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total root dispersion to the primary reference clock -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic reach +.It Cm rec +last packet received time +.It Cm reach reach register (octal) -.It Ic unreach +.It Cm unreach unreach counter -.It Ic hmode +.It Cm hmode host mode (1\-6) -.It Ic pmode +.It Cm pmode peer mode (1\-5) -.It Ic hpoll +.It Cm hpoll host poll exponent (log2 s) (3\-17) -.It Ic ppoll +.It Cm ppoll peer poll exponent (log2 s) (3\-17) -.It Ic headway +.It Cm headway headway (see .Lk rate.html "Rate Management and the Kiss\-o'\-Death Packet" ) -.It Ic flash +.It Cm flash .Lk decode.html#flash "flash status word" -.It Ic offset +.It Cm keyid +symmetric key id +.It Cm offset filter offset -.It Ic delay +.It Cm delay filter delay -.It Ic dispersion +.It Cm dispersion filter dispersion -.It Ic jitter +.It Cm jitter filter jitter -.It Ic ident -Autokey group name for this association -.It Ic bias +.It Cm bias unicast/broadcast bias -.It Ic xleave +.It Cm xleave interleave delay (see .Lk xleave.html "NTP Interleaved Modes" ) .El The -.Ic bias +.Cm bias variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The -.Ic xleave +.Cm xleave variable appears only for the interleaved symmetric and interleaved modes. It represents the internal queuing, buffering and transmission delays for the preceding packet. @@ -784,71 +853,73 @@ additional peer variables are displayed, including the following: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic host +.It Cm host Autokey server name -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic initsequence -initial key ID -.It Ic initkey +.It Cm initsequence +initial key id +.It Cm initkey initial key index -.It Ic timestamp +.It Cm timestamp Autokey signature timestamp +.It Cm ident +Autokey group name for this association .El .Ss Clock Variables The following clock variables appear in the -.Ic cv +.Ic clocklist billboard for each association with a reference clock. Not all variables are displayed in some configurations. .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#clock "clock status word" -.It Ic device +.It Cm device device description -.It Ic timecode +.It Cm timecode ASCII time code string (specific to device) -.It Ic poll +.It Cm poll poll messages sent -.It Ic noreply +.It Cm noreply no reply -.It Ic badformat +.It Cm badformat bad format -.It Ic baddata +.It Cm baddata bad date or time -.It Ic fudgetime1 +.It Cm fudgetime1 fudge time 1 -.It Ic fudgetime2 +.It Cm fudgetime2 fudge time 2 -.It Ic stratum +.It Cm stratum driver stratum -.It Ic refid -driver reference ID -.It Ic flags +.It Cm refid +driver reference id +.It Cm flags driver flags .El .Sh "OPTIONS" .Bl -tag .It Fl 4 , Fl \-ipv4 -Force IPv4 DNS name resolution. +Force IPv4 name resolution. This option must not appear in combination with any of the following options: ipv6. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv4 namespace. .It Fl 6 , Fl \-ipv6 -Force IPv6 DNS name resolution. +Force IPv6 name resolution. This option must not appear in combination with any of the following options: ipv4. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv6 namespace. .It Fl c Ar cmd , Fl \-command Ns = Ns Ar cmd run a command and exit. @@ -878,7 +949,7 @@ commands read from the standard input. numeric host addresses. .sp Output all host addresses in dotted\-quad numeric format rather than -converting to the canonical host names. +converting to the canonical host names. .It Fl \-old\-rv Always output status line with readvar. .sp diff --git a/contrib/ntp/ntpq/ntpq.texi b/contrib/ntp/ntpq/ntpq.texi index ac79dcc..5526178 100644 --- a/contrib/ntp/ntpq/ntpq.texi +++ b/contrib/ntp/ntpq/ntpq.texi @@ -168,7 +168,7 @@ Specify the digest algorithm to use for authenticated requests, with default @code{MD5}. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. -The current selections are: @code{MD2}, @code{MD4}, @code{MD5}, @code{MDC2}, @code{RIPEMD160}, @code{SHA} and @code{SHA1}. +The current selections are: @code{AES128CMAC}, @code{MD2}, @code{MD4}, @code{MD5}, @code{MDC2}, @code{RIPEMD160}, @code{SHA} and @code{SHA1}. @item @anchor{ntpversion} @code{ntpversion 1 | 2 | 3 | 4} Sets the NTP version number which @code{ntpq} claims in packets. diff --git a/contrib/ntp/ntpsnmpd/Makefile.in b/contrib/ntp/ntpsnmpd/Makefile.in index 11df09f..7a05aa9 100644 --- a/contrib/ntp/ntpsnmpd/Makefile.in +++ b/contrib/ntp/ntpsnmpd/Makefile.in @@ -106,6 +106,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -1198,7 +1199,6 @@ install-exec-hook: # check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi b/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi index 10d06c2..90fd00d 100644 --- a/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi +++ b/contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpsnmpd.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:15:36 PM by AutoGen 5.18.5 # From the definitions ntpsnmpd-opts.def # and the template file agtexi-cmd.tpl @end ignore diff --git a/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c b/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c index 4311bac..44fad1a 100644 --- a/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c +++ b/contrib/ntp/ntpsnmpd/netsnmp_daemonize.c @@ -194,7 +194,7 @@ netsnmp_daemonize(int quit_immediately, int stderr_log) int i = 0; int saved_errno; - DEBUGMSGT(("daemonize","deamonizing...\n")); + DEBUGMSGT(("daemonize","daemonizing...\n")); #ifdef HAVE_WORKING_FORK /* * Fork to return control to the invoking process and to diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c index 215c6c8..8e957bc 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.c) * - * It has been AutoGen-ed March 21, 2017 at 10:45:37 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:15:31 PM by AutoGen 5.18.5 * From the definitions ntpsnmpd-opts.def * and the template file options * @@ -61,7 +61,7 @@ extern FILE * option_usage_fp; * static const strings for ntpsnmpd options */ static char const ntpsnmpd_opt_strs[1613] = -/* 0 */ "ntpsnmpd 4.2.8p10\n" +/* 0 */ "ntpsnmpd 4.2.8p11\n" "Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -101,14 +101,14 @@ static char const ntpsnmpd_opt_strs[1613] = /* 1415 */ "no-load-opts\0" /* 1428 */ "no\0" /* 1431 */ "NTPSNMPD\0" -/* 1440 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p10\n" +/* 1440 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p11\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0" /* 1544 */ "$HOME\0" /* 1550 */ ".\0" /* 1552 */ ".ntprc\0" /* 1559 */ "http://bugs.ntp.org, bugs@ntp.org\0" /* 1593 */ "\n\0" -/* 1595 */ "ntpsnmpd 4.2.8p10"; +/* 1595 */ "ntpsnmpd 4.2.8p11"; /** * nofork option description: @@ -554,7 +554,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via ntpsnmpdOptions.pzCopyright */ - puts(_("ntpsnmpd 4.2.8p10\n\ + puts(_("ntpsnmpd 4.2.8p11\n\ Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the NTP License, copies of which\n\ @@ -599,14 +599,14 @@ implied warranty.\n")); puts(_("load options from a config file")); /* referenced via ntpsnmpdOptions.pzUsageTitle */ - puts(_("ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p10\n\ + puts(_("ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p11\n\ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n")); /* referenced via ntpsnmpdOptions.pzExplain */ puts(_("\n")); /* referenced via ntpsnmpdOptions.pzFullVersion */ - puts(_("ntpsnmpd 4.2.8p10")); + puts(_("ntpsnmpd 4.2.8p11")); /* referenced via ntpsnmpdOptions.pzFullUsage */ puts(_("<<<NOT-FOUND>>>")); diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h index 1008250..5219659 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.h) * - * It has been AutoGen-ed March 21, 2017 at 10:45:36 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:15:31 PM by AutoGen 5.18.5 * From the definitions ntpsnmpd-opts.def * and the template file options * @@ -76,9 +76,9 @@ typedef enum { /** count of all options for ntpsnmpd */ #define OPTION_CT 8 /** ntpsnmpd version */ -#define NTPSNMPD_VERSION "4.2.8p10" +#define NTPSNMPD_VERSION "4.2.8p11" /** Full ntpsnmpd version text */ -#define NTPSNMPD_FULL_VERSION "ntpsnmpd 4.2.8p10" +#define NTPSNMPD_FULL_VERSION "ntpsnmpd 4.2.8p11" /** * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman index 7454f57..2d50156 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpsnmpd 1ntpsnmpdman "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpsnmpd 1ntpsnmpdman "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-yhaGex/ag-6haacx) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-_Ia4FU/ag-lJaWEU) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:33 PM by AutoGen 5.18.5 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc index ca3b710..b7aa23e 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPSNMPD 1ntpsnmpdmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:39 PM by AutoGen 5.18.5 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.html b/contrib/ntp/ntpsnmpd/ntpsnmpd.html index 71c46d4..c12d766 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd.html +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.html @@ -42,7 +42,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <p>The <code>ntpsnmpd</code> utility program is used to monitor NTP daemon <code>ntpd</code> operations and determine performance. It uses the standard NTP mode 6 control - <p>This document applies to version 4.2.8p10 of <code>ntpsnmpd</code>. + <p>This document applies to version 4.2.8p11 of <code>ntpsnmpd</code>. <ul class="menu"> <li><a accesskey="1" href="#ntpsnmpd-Description">ntpsnmpd Description</a>: Description diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in b/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in index cbd3228..4c4a392 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpsnmpd @NTPSNMPD_MS@ "21 Mar 2017" "4.2.8p10" "User Commands" +.TH ntpsnmpd @NTPSNMPD_MS@ "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-yhaGex/ag-6haacx) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-_Ia4FU/ag-lJaWEU) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:33 PM by AutoGen 5.18.5 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in b/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in index fec785a..e383e0c 100644 --- a/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in +++ b/contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPSNMPD @NTPSNMPD_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:39 PM by AutoGen 5.18.5 .\" From the definitions ntpsnmpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/packageinfo.sh b/contrib/ntp/packageinfo.sh index df276a4..0f45fbf 100644 --- a/contrib/ntp/packageinfo.sh +++ b/contrib/ntp/packageinfo.sh @@ -83,7 +83,7 @@ CLTAG=NTP_4_2_0 # - Numeric values increment # - empty 'increments' to 1 # - NEW 'increments' to empty -point=10 +point=11 ### betapoint is normally modified by script. # ntp-stable Beta number (betapoint) diff --git a/contrib/ntp/parseutil/Makefile.in b/contrib/ntp/parseutil/Makefile.in index 73e7a83..42a24fd 100644 --- a/contrib/ntp/parseutil/Makefile.in +++ b/contrib/ntp/parseutil/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/Makefile.in b/contrib/ntp/scripts/Makefile.in index 4ddf56c..f185b9d 100644 --- a/contrib/ntp/scripts/Makefile.in +++ b/contrib/ntp/scripts/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/build/Makefile.in b/contrib/ntp/scripts/build/Makefile.in index 0afcfa4..eb5d28c 100644 --- a/contrib/ntp/scripts/build/Makefile.in +++ b/contrib/ntp/scripts/build/Makefile.in @@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/build/UpdatePoint b/contrib/ntp/scripts/build/UpdatePoint index 61c0349..1b11539 100755 --- a/contrib/ntp/scripts/build/UpdatePoint +++ b/contrib/ntp/scripts/build/UpdatePoint @@ -127,6 +127,7 @@ case "$repo" in stable) case "$prerelease" in '') + # echo "Checking <$betapoint::$rcpoint::$point>" case "$betapoint::$rcpoint::$point" in *::*::NEW) # new minor release (no p) @@ -148,6 +149,14 @@ case "$repo" in # bp=1 # bbp=0 ;; + ::[Gg][Oo]::*) + # echo "Good - betapoint is empty. Look in $0 and figure out what's going on here." + crcp=z + ;; + *::[Gg][Oo]::*) + echo "betapoint is NOT empty. Look in $0 and figure out what's going on here." + test=1 + ;; *) echo "betapoint is <$betapoint>, rcpoint is <$rcpoint>" echo "betapoint must be 0 and rcpoint must be empty to start the" echo "beta cycle." @@ -265,7 +274,18 @@ case "$crcp::$rcpoint" in ;; z::*) newrcpoint= - newbetapoint=0 + case "$repo" in + dev) + newbetapoint=0 + ;; + stable) + newbetapoint= + ;; + *) + echo "crcp::rcpoint - bogus repo <$repo>" + exit 1 + ;; + esac ;; *) echo "Unexpected value for 'crcp::rcpoint' <$crcp::$rcpoint>!" exit 1 diff --git a/contrib/ntp/scripts/calc_tickadj/Makefile.in b/contrib/ntp/scripts/calc_tickadj/Makefile.in index 1b560bb..cd49b68 100644 --- a/contrib/ntp/scripts/calc_tickadj/Makefile.in +++ b/contrib/ntp/scripts/calc_tickadj/Makefile.in @@ -102,6 +102,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman index d4cef9e..33c6a43 100644 --- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman +++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH calc_tickadj 1calc_tickadjman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH calc_tickadj 1calc_tickadjman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bsaa0i/ag-osaiZi) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-mfaiQP/ag-zfaqPP) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:39:52 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:40 AM by AutoGen 5.18.5 .\" From the definitions calc_tickadj-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc index 7ddf507..0755240 100644 --- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc +++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt CALC_TICKADJ 1calc_tickadjmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (calc_tickadj-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:39:54 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:43 AM by AutoGen 5.18.5 .\" From the definitions calc_tickadj-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html index 82286ea..930d90c 100644 --- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html +++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.html @@ -31,7 +31,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <h2 class="unnumbered">calc_tickadj User's Manual</h2> <p>This document describes the use of the NTP Project's <code>calc_tickadj</code> program. -This document applies to version 4.2.8p10 of <code>calc_tickadj</code>. +This document applies to version 4.2.8p11 of <code>calc_tickadj</code>. <div class="shortcontents"> <h2>Short Contents</h2> diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in index d4cef9e..33c6a43 100644 --- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in +++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH calc_tickadj 1calc_tickadjman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH calc_tickadj 1calc_tickadjman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bsaa0i/ag-osaiZi) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-mfaiQP/ag-zfaqPP) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:39:52 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:40 AM by AutoGen 5.18.5 .\" From the definitions calc_tickadj-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in index 7ddf507..0755240 100644 --- a/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in +++ b/contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt CALC_TICKADJ 1calc_tickadjmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (calc_tickadj-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:39:54 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:43 AM by AutoGen 5.18.5 .\" From the definitions calc_tickadj-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi b/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi index 74898f8..9c4b7ed 100644 --- a/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi +++ b/contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-calc_tickadj.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:39:57 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:49:45 AM by AutoGen 5.18.5 # From the definitions calc_tickadj-opts.def # and the template file agtexi-cmd.tpl @end ignore diff --git a/contrib/ntp/scripts/invoke-plot_summary.texi b/contrib/ntp/scripts/invoke-plot_summary.texi index aea5cd4..e2c7d95 100644 --- a/contrib/ntp/scripts/invoke-plot_summary.texi +++ b/contrib/ntp/scripts/invoke-plot_summary.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-plot_summary.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:40:40 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 04:55:58 PM by AutoGen 5.18.5 # From the definitions plot_summary-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -41,7 +41,7 @@ with a status code of 0. @exampleindent 0 @example -plot_summary - plot statistics generated by summary script - Ver. 4.2.8p10 +plot_summary - plot statistics generated by summary script - Ver. 4.2.8p11 USAGE: plot_summary [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... --directory=str Where the summary files are diff --git a/contrib/ntp/scripts/invoke-summary.texi b/contrib/ntp/scripts/invoke-summary.texi index ab56bea..2a6d5a4 100644 --- a/contrib/ntp/scripts/invoke-summary.texi +++ b/contrib/ntp/scripts/invoke-summary.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-summary.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:40:46 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 04:56:04 PM by AutoGen 5.18.5 # From the definitions summary-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -42,7 +42,7 @@ with a status code of 0. @exampleindent 0 @example -summary - compute various stastics from NTP stat files - Ver. 4.2.8p10 +summary - compute various stastics from NTP stat files - Ver. 4.2.8p11 USAGE: summary [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... --directory=str Directory containing stat files diff --git a/contrib/ntp/scripts/lib/Makefile.in b/contrib/ntp/scripts/lib/Makefile.in index 08f59a6..3cafdf8 100644 --- a/contrib/ntp/scripts/lib/Makefile.in +++ b/contrib/ntp/scripts/lib/Makefile.in @@ -100,6 +100,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/ntp-wait/Makefile.in b/contrib/ntp/scripts/ntp-wait/Makefile.in index 1e60256..9df58c5 100644 --- a/contrib/ntp/scripts/ntp-wait/Makefile.in +++ b/contrib/ntp/scripts/ntp-wait/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi b/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi index f7e2751..786f3b7 100644 --- a/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi +++ b/contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp-wait.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:40:05 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:49:53 AM by AutoGen 5.18.5 # From the definitions ntp-wait-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -61,7 +61,7 @@ with a status code of 0. @exampleindent 0 @example -ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p10 +ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p11 USAGE: ntp-wait [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... -n, --tries=num Number of times to check ntpd diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait-opts b/contrib/ntp/scripts/ntp-wait/ntp-wait-opts index fbb996b..4e6c4a0 100644 --- a/contrib/ntp/scripts/ntp-wait/ntp-wait-opts +++ b/contrib/ntp/scripts/ntp-wait/ntp-wait-opts @@ -1,6 +1,6 @@ # EDIT THIS FILE WITH CAUTION (ntp-wait-opts) # -# It has been AutoGen-ed March 21, 2017 at 10:40:00 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:49:48 AM by AutoGen 5.18.5 # From the definitions ntp-wait-opts.def # and the template file perlopt @@ -40,7 +40,7 @@ sub processOptions { 'help|?', 'more-help')); $usage = <<'USAGE'; -ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p10 +ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p11 USAGE: ntp-wait [ -<flag> [<val>] | --<name>[{=| }<val>] ]... -n, --tries=num Number of times to check ntpd diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman index afe765e..43158be 100644 --- a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman +++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp-wait 1ntp-waitman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntp-wait 1ntp-waitman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-xOaq.j/ag-KOay9j) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-tuay0Q/ag-GuaGZQ) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:02 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:50 AM by AutoGen 5.18.5 .\" From the definitions ntp-wait-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc index 4a4e70e..bd33fc9 100644 --- a/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc +++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_WAIT 1ntp-waitmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:07 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:55 AM by AutoGen 5.18.5 .\" From the definitions ntp-wait-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.html b/contrib/ntp/scripts/ntp-wait/ntp-wait.html index 40da9a5..ef8e53e 100644 --- a/contrib/ntp/scripts/ntp-wait/ntp-wait.html +++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.html @@ -39,7 +39,7 @@ until the system's time has stabilized and synchronized, and only then start any applicaitons (like database servers) that require accurate and stable time. - <p>This document applies to version 4.2.8p10 of <code>ntp-wait</code>. + <p>This document applies to version 4.2.8p11 of <code>ntp-wait</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -114,7 +114,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p10 +<pre class="example">ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p11 USAGE: ntp-wait [ -<flag> [<val>] | --<name>[{=| }<val>] ]... -n, --tries=num Number of times to check ntpd diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in b/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in index 29abed7..c113287 100644 --- a/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in +++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp-wait @NTP_WAIT_MS@ "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntp-wait @NTP_WAIT_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-xOaq.j/ag-KOay9j) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-tuay0Q/ag-GuaGZQ) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:02 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:50 AM by AutoGen 5.18.5 .\" From the definitions ntp-wait-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in b/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in index db53d44..c792715 100644 --- a/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in +++ b/contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_WAIT @NTP_WAIT_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:07 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:49:55 AM by AutoGen 5.18.5 .\" From the definitions ntp-wait-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/ntpsweep/Makefile.in b/contrib/ntp/scripts/ntpsweep/Makefile.in index 6357f66..45c56c0 100644 --- a/contrib/ntp/scripts/ntpsweep/Makefile.in +++ b/contrib/ntp/scripts/ntpsweep/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi b/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi index d926bf6..17a7b6e 100644 --- a/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi +++ b/contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntpsweep.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:40:11 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:49:59 AM by AutoGen 5.18.5 # From the definitions ntpsweep-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -45,7 +45,7 @@ with a status code of 0. @exampleindent 0 @example -ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p10 +ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p11 USAGE: ntpsweep [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostfile] -l, --host-list=str Host to execute actions on diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep-opts b/contrib/ntp/scripts/ntpsweep/ntpsweep-opts index 46a566b..06dc7ce 100644 --- a/contrib/ntp/scripts/ntpsweep/ntpsweep-opts +++ b/contrib/ntp/scripts/ntpsweep/ntpsweep-opts @@ -1,6 +1,6 @@ # EDIT THIS FILE WITH CAUTION (ntpsweep-opts) # -# It has been AutoGen-ed March 21, 2017 at 10:40:09 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:49:57 AM by AutoGen 5.18.5 # From the definitions ntpsweep-opts.def # and the template file perlopt @@ -43,7 +43,7 @@ sub processOptions { 'help|?', 'more-help')); $usage = <<'USAGE'; -ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p10 +ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p11 USAGE: ntpsweep [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [hostfile] -l, --host-list=str Host to execute actions on diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman index 7aa27dd..34a48a8 100644 --- a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman +++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpsweep 1ntpsweepman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntpsweep 1ntpsweepman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cxaykl/ag-pxaGjl) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cfaGaS/ag-pfaO_R) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:13 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:01 AM by AutoGen 5.18.5 .\" From the definitions ntpsweep-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc index e0b1008..d3b142f 100644 --- a/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc +++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPSWEEP 1ntpsweepmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpsweep-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:16 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:04 AM by AutoGen 5.18.5 .\" From the definitions ntpsweep-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.html b/contrib/ntp/scripts/ntpsweep/ntpsweep.html index 33b6d15..b44457b 100644 --- a/contrib/ntp/scripts/ntpsweep/ntpsweep.html +++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.html @@ -30,7 +30,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <p>This document describes the use of the NTP Project's <code>ntpsweep</code> program. - <p>This document applies to version 4.2.8p10 of <code>ntpsweep</code>. + <p>This document applies to version 4.2.8p11 of <code>ntpsweep</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -90,7 +90,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p10 +<pre class="example">ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p11 USAGE: ntpsweep [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [hostfile] -l, --host-list=str Host to execute actions on diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in b/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in index 7aa27dd..34a48a8 100644 --- a/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in +++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntpsweep 1ntpsweepman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntpsweep 1ntpsweepman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cxaykl/ag-pxaGjl) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cfaGaS/ag-pfaO_R) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:13 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:01 AM by AutoGen 5.18.5 .\" From the definitions ntpsweep-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in b/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in index e0b1008..d3b142f 100644 --- a/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in +++ b/contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPSWEEP 1ntpsweepmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpsweep-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:16 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:04 AM by AutoGen 5.18.5 .\" From the definitions ntpsweep-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/ntptrace/Makefile.in b/contrib/ntp/scripts/ntptrace/Makefile.in index 05fd131..7ce2614 100644 --- a/contrib/ntp/scripts/ntptrace/Makefile.in +++ b/contrib/ntp/scripts/ntptrace/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi b/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi index 01f84be..f10f347 100644 --- a/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi +++ b/contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntptrace.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:40:23 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:50:11 AM by AutoGen 5.18.5 # From the definitions ntptrace-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -62,7 +62,7 @@ with a status code of 0. @exampleindent 0 @example -ntptrace - Trace peers of an NTP server - Ver. 4.2.8p10 +ntptrace - Trace peers of an NTP server - Ver. 4.2.8p11 USAGE: ntptrace [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [host] -n, --numeric Print IP addresses instead of hostnames diff --git a/contrib/ntp/scripts/ntptrace/ntptrace-opts b/contrib/ntp/scripts/ntptrace/ntptrace-opts index dd37d7b..17f513a 100644 --- a/contrib/ntp/scripts/ntptrace/ntptrace-opts +++ b/contrib/ntp/scripts/ntptrace/ntptrace-opts @@ -1,6 +1,6 @@ # EDIT THIS FILE WITH CAUTION (ntptrace-opts) # -# It has been AutoGen-ed March 21, 2017 at 10:40:18 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 10:50:06 AM by AutoGen 5.18.5 # From the definitions ntptrace-opts.def # and the template file perlopt @@ -40,7 +40,7 @@ sub processOptions { 'help|?', 'more-help')); $usage = <<'USAGE'; -ntptrace - Trace peers of an NTP server - Ver. 4.2.8p10 +ntptrace - Trace peers of an NTP server - Ver. 4.2.8p11 USAGE: ntptrace [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [host] -n, --numeric Print IP addresses instead of hostnames diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman index 0cab960..2c4e1b0 100644 --- a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman +++ b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntptrace 1ntptraceman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntptrace 1ntptraceman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-y.a4mm/ag-W.aamm) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wXa4cT/ag-JXaacT) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:19 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:08 AM by AutoGen 5.18.5 .\" From the definitions ntptrace-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc index 9f17766..f4c355c 100644 --- a/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc +++ b/contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPTRACE 1ntptracemdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntptrace-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:25 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:13 AM by AutoGen 5.18.5 .\" From the definitions ntptrace-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.html b/contrib/ntp/scripts/ntptrace/ntptrace.html index e755595..53a16e9 100644 --- a/contrib/ntp/scripts/ntptrace/ntptrace.html +++ b/contrib/ntp/scripts/ntptrace/ntptrace.html @@ -31,7 +31,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <h2 class="unnumbered">Simple Network Time Protocol User Manual</h2> <p>This document describes the use of the NTP Project's <code>ntptrace</code> program. -This document applies to version 4.2.8p10 of <code>ntptrace</code>. +This document applies to version 4.2.8p11 of <code>ntptrace</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -107,7 +107,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntptrace - Trace peers of an NTP server - Ver. 4.2.8p10 +<pre class="example">ntptrace - Trace peers of an NTP server - Ver. 4.2.8p11 USAGE: ntptrace [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [host] -n, --numeric Print IP addresses instead of hostnames diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.man.in b/contrib/ntp/scripts/ntptrace/ntptrace.man.in index 50519ea..756e60e 100644 --- a/contrib/ntp/scripts/ntptrace/ntptrace.man.in +++ b/contrib/ntp/scripts/ntptrace/ntptrace.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntptrace @NTPTRACE_MS@ "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntptrace @NTPTRACE_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-y.a4mm/ag-W.aamm) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wXa4cT/ag-JXaacT) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:19 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:08 AM by AutoGen 5.18.5 .\" From the definitions ntptrace-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in b/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in index 7736e8b..7a50caf 100644 --- a/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in +++ b/contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPTRACE @NTPTRACE_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntptrace-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:25 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:13 AM by AutoGen 5.18.5 .\" From the definitions ntptrace-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/plot_summary-opts b/contrib/ntp/scripts/plot_summary-opts index 26cafd4..462150b 100644 --- a/contrib/ntp/scripts/plot_summary-opts +++ b/contrib/ntp/scripts/plot_summary-opts @@ -1,6 +1,6 @@ # EDIT THIS FILE WITH CAUTION (plot_summary-opts) # -# It has been AutoGen-ed March 21, 2017 at 10:40:37 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 04:55:55 PM by AutoGen 5.18.5 # From the definitions plot_summary-opts.def # and the template file perlopt @@ -46,7 +46,7 @@ sub processOptions { 'help|?', 'more-help')); $usage = <<'USAGE'; -plot_summary - plot statistics generated by summary script - Ver. 4.2.8p10 +plot_summary - plot statistics generated by summary script - Ver. 4.2.8p11 USAGE: plot_summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]... --directory=str Where the summary files are diff --git a/contrib/ntp/scripts/plot_summary.1plot_summaryman b/contrib/ntp/scripts/plot_summary.1plot_summaryman index b13c3cf..f3a2a8e 100644 --- a/contrib/ntp/scripts/plot_summary.1plot_summaryman +++ b/contrib/ntp/scripts/plot_summary.1plot_summaryman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH plot_summary 1plot_summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH plot_summary 1plot_summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-BEaaJo/ag-OEaiIo) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-NpayvG/ag-0paGuG) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:42 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:00 PM by AutoGen 5.18.5 .\" From the definitions plot_summary-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/plot_summary.1plot_summarymdoc b/contrib/ntp/scripts/plot_summary.1plot_summarymdoc index d7647a7..f2ff40f 100644 --- a/contrib/ntp/scripts/plot_summary.1plot_summarymdoc +++ b/contrib/ntp/scripts/plot_summary.1plot_summarymdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt PLOT_SUMMARY 1plot_summarymdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (plot_summary-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:44 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:02 PM by AutoGen 5.18.5 .\" From the definitions plot_summary-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/plot_summary.html b/contrib/ntp/scripts/plot_summary.html index 72f2273..6a2fac5 100644 --- a/contrib/ntp/scripts/plot_summary.html +++ b/contrib/ntp/scripts/plot_summary.html @@ -31,7 +31,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <h2 class="unnumbered">Plot_summary User Manual</h2> <p>This document describes the use of the NTP Project's <code>plot_summary</code> program. -This document applies to version 4.2.8p10 of <code>plot_summary</code>. +This document applies to version 4.2.8p11 of <code>plot_summary</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -89,7 +89,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">plot_summary - plot statistics generated by summary script - Ver. 4.2.8p10 +<pre class="example">plot_summary - plot statistics generated by summary script - Ver. 4.2.8p11 USAGE: plot_summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]... --directory=str Where the summary files are diff --git a/contrib/ntp/scripts/plot_summary.man.in b/contrib/ntp/scripts/plot_summary.man.in index b13c3cf..f3a2a8e 100644 --- a/contrib/ntp/scripts/plot_summary.man.in +++ b/contrib/ntp/scripts/plot_summary.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH plot_summary 1plot_summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH plot_summary 1plot_summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-BEaaJo/ag-OEaiIo) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-NpayvG/ag-0paGuG) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:42 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:00 PM by AutoGen 5.18.5 .\" From the definitions plot_summary-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/plot_summary.mdoc.in b/contrib/ntp/scripts/plot_summary.mdoc.in index d7647a7..f2ff40f 100644 --- a/contrib/ntp/scripts/plot_summary.mdoc.in +++ b/contrib/ntp/scripts/plot_summary.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt PLOT_SUMMARY 1plot_summarymdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (plot_summary-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:44 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:02 PM by AutoGen 5.18.5 .\" From the definitions plot_summary-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/summary-opts b/contrib/ntp/scripts/summary-opts index 336d2e1..08effab 100644 --- a/contrib/ntp/scripts/summary-opts +++ b/contrib/ntp/scripts/summary-opts @@ -1,6 +1,6 @@ # EDIT THIS FILE WITH CAUTION (summary-opts) # -# It has been AutoGen-ed March 21, 2017 at 10:40:38 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 04:55:57 PM by AutoGen 5.18.5 # From the definitions summary-opts.def # and the template file perlopt @@ -44,7 +44,7 @@ sub processOptions { 'help|?', 'more-help')); $usage = <<'USAGE'; -summary - compute various stastics from NTP stat files - Ver. 4.2.8p10 +summary - compute various stastics from NTP stat files - Ver. 4.2.8p11 USAGE: summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]... --directory=str Directory containing stat files diff --git a/contrib/ntp/scripts/summary.1summaryman b/contrib/ntp/scripts/summary.1summaryman index c1cdeb5..d4011fb 100644 --- a/contrib/ntp/scripts/summary.1summaryman +++ b/contrib/ntp/scripts/summary.1summaryman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH summary 1summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH summary 1summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-41aOWo/ag-h2aWVo) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-AMaaJG/ag-NMaiIG) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:48 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:06 PM by AutoGen 5.18.5 .\" From the definitions summary-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/summary.1summarymdoc b/contrib/ntp/scripts/summary.1summarymdoc index b9a95d9..6c8eee7 100644 --- a/contrib/ntp/scripts/summary.1summarymdoc +++ b/contrib/ntp/scripts/summary.1summarymdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt SUMMARY 1summarymdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (summary-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:49 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:08 PM by AutoGen 5.18.5 .\" From the definitions summary-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/summary.html b/contrib/ntp/scripts/summary.html index ebf5acb..b6c226c 100644 --- a/contrib/ntp/scripts/summary.html +++ b/contrib/ntp/scripts/summary.html @@ -31,7 +31,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <h2 class="unnumbered">Summary User Manual</h2> <p>This document describes the use of the NTP Project's <code>summary</code> program. -This document applies to version 4.2.8p10 of <code>summary</code>. +This document applies to version 4.2.8p11 of <code>summary</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -88,7 +88,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">summary - compute various stastics from NTP stat files - Ver. 4.2.8p10 +<pre class="example">summary - compute various stastics from NTP stat files - Ver. 4.2.8p11 USAGE: summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]... --directory=str Directory containing stat files diff --git a/contrib/ntp/scripts/summary.man.in b/contrib/ntp/scripts/summary.man.in index c1cdeb5..d4011fb 100644 --- a/contrib/ntp/scripts/summary.man.in +++ b/contrib/ntp/scripts/summary.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH summary 1summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH summary 1summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-41aOWo/ag-h2aWVo) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-AMaaJG/ag-NMaiIG) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:48 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:06 PM by AutoGen 5.18.5 .\" From the definitions summary-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/summary.mdoc.in b/contrib/ntp/scripts/summary.mdoc.in index b9a95d9..6c8eee7 100644 --- a/contrib/ntp/scripts/summary.mdoc.in +++ b/contrib/ntp/scripts/summary.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt SUMMARY 1summarymdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (summary-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:49 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:56:08 PM by AutoGen 5.18.5 .\" From the definitions summary-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/update-leap/Makefile.in b/contrib/ntp/scripts/update-leap/Makefile.in index b2d4eef..3a42d80 100644 --- a/contrib/ntp/scripts/update-leap/Makefile.in +++ b/contrib/ntp/scripts/update-leap/Makefile.in @@ -101,6 +101,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ diff --git a/contrib/ntp/scripts/update-leap/invoke-update-leap.texi b/contrib/ntp/scripts/update-leap/invoke-update-leap.texi index 6e76564..002193a 100644 --- a/contrib/ntp/scripts/update-leap/invoke-update-leap.texi +++ b/contrib/ntp/scripts/update-leap/invoke-update-leap.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-update-leap.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:40:30 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 04:55:50 PM by AutoGen 5.18.5 # From the definitions update-leap-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -70,56 +70,81 @@ with a status code of 0. @exampleindent 0 @example - update-leap - Usage: $0 [options] [leapfile] - - Verifies and if necessary, updates leap-second definition file - - All arguments are optional: Default (or current value) shown: -s - Specify the URL of the master copy to download $LEAPSRC -d Specify - the filename on the local system $LEAPFILE -e Specify how long (in - days) before expiration the file is to be refreshed. Note that - larger values imply more frequent refreshes. "$PREFETCH" -f Specify - location of ntp.conf (used to make sure leapfile directive is - present and to default leapfile) $NTPCONF -F Force update even if - current file is OK and not close to expiring. -r Specify number of - times to retry on get failure $MAXTRIES -i Specify number of minutes - between retries $INTERVAL -l Use syslog for output (Implied if - CRONJOB is set) -L Don't use syslog for output -P Specify the syslog - facility for logging $LOGFAC -t Name of temporary file used in - validation $TMPFILE -q Only report errors to stdout -v Verbose - output - - The following options are not (yet) implemented in the perl version: - -4 Use only IPv4 -6 Use only IPv6 -c Command to restart NTP after - installing a new file <none> - ntpd checks file daily -p 4|6 Prefer - IPv4 or IPv6 (as specified) addresses, but use either -z Specify - path for utilities $PATHLIST -Z Only use system path - - $0 will validate the file currently on the local system - - Ordinarily, the file is found using the "leapfile" directive in - $NTPCONF. However, an alternate location can be specified on the - command line. - - If the file does not exist, is not valid, has expired, or is - expiring soon, a new copy will be downloaded. If the new copy - validates, it is installed and NTP is (optionally) restarted. - - If the current file is acceptable, no download or restart occurs. - - -c can also be used to invoke another script to perform - administrative functions, e.g. to copy the file to other local - systems. - - This can be run as a cron job. As the file is rarely updated, and - leap seconds are announced at least one month in advance (usually - longer), it need not be run more frequently than about once every - three weeks. - - For cron-friendly behavior, define CRONJOB=1 in the crontab. - - Version $VERSION + +Usage: update-leap [options] + +Verifies and if necessary, updates leap-second definition file + +All arguments are optional: Default (or current value) shown: + -C Absolute path to CA Cert (see SSL/TLS Considerations) + -D Path to a CAdir (see SSL/TLS Considerations) + -e Specify how long (in days) before expiration the file is to be + refreshed. Note that larger values imply more frequent refreshes. + 60 + -F Force update even if current file is OK and not close to expiring. + -f Absolute path ntp.conf file (default /etc/ntp.conf) + /etc/ntp.conf + -h show help + -i Specify number of minutes between retries + 10 + -L Absolute path to leapfile on the local system + (overrides value in ntp.conf) + -l Specify the syslog(3) facility for logging + LOG_USER + -q Only report errors (cannot be used with -v) + -r Specify number of attempts to retrieve file + 6 + -s Send output to syslog(3) - implied if STDOUT has no tty or redirected + -t Send output to terminal - implied if STDOUT attached to terminal + -u Specify the URL of the master copy to download + https://www.ietf.org/timezones/data/leap-seconds.list + -v Verbose - show debug messages (cannot be used with -q) + +The following options are not (yet) implemented in the perl version: + -4 Use only IPv4 + -6 Use only IPv6 + -c Command to restart NTP after installing a new file + <none> - ntpd checks file daily + -p 4|6 + Prefer IPv4 or IPv6 (as specified) addresses, but use either + +update-leap will validate the file currently on the local system. + +Ordinarily, the leapfile is found using the 'leapfile' directive in +/etc/ntp.conf. However, an alternate location can be specified on the +command line with the -L flag. + +If the leapfile does not exist, is not valid, has expired, or is +expiring soon, a new copy will be downloaded. If the new copy is +valid, it is installed. + +If the current file is acceptable, no download or restart occurs. + +This can be run as a cron job. As the file is rarely updated, and +leap seconds are announced at least one month in advance (usually +longer), it need not be run more frequently than about once every +three weeks. + +SSL/TLS Considerations +----------------------- +The perl modules can usually locate the CA certificate used to verify +the peer's identity. + +On BSDs, the default is typically the file /etc/ssl/certs.pem. On +Linux, the location is typically a path to a CAdir - a directory of +symlinks named according to a hash of the certificates' subject names. + +The -C or -D options are available to pass in a location if no CA cert +is found in the default location. + +External Dependencies +--------------------- +The following perl modules are required: +HTTP::Tiny - version >= 0.056 +IO::Socket::SSL - version >= 1.56 +NET::SSLeay - version >= 1.49 + +Version: 1.004 @end example @exampleindent 4 diff --git a/contrib/ntp/scripts/update-leap/update-leap-opts b/contrib/ntp/scripts/update-leap/update-leap-opts index 6e7d957..ef461c3 100644 --- a/contrib/ntp/scripts/update-leap/update-leap-opts +++ b/contrib/ntp/scripts/update-leap/update-leap-opts @@ -1,6 +1,6 @@ # EDIT THIS FILE WITH CAUTION (update-leap-opts) # -# It has been AutoGen-ed March 21, 2017 at 10:40:36 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 04:32:15 PM by AutoGen 5.18.5 # From the definitions update-leap-opts.def # and the template file perlopt @@ -46,7 +46,7 @@ sub processOptions { 'help|?', 'more-help')); $usage = <<'USAGE'; -update-leap - leap-seconds file manager/updater - Ver. 4.2.8p10 +update-leap - leap-seconds file manager/updater - Ver. 4.2.8p11 USAGE: update-leap [ -<flag> [<val>] | --<name>[{=| }<val>] ]... -s, --source-url=str The URL of the master copy of the leapseconds file diff --git a/contrib/ntp/scripts/update-leap/update-leap.1update-leapman b/contrib/ntp/scripts/update-leap/update-leap.1update-leapman index bd62871..380774a 100644 --- a/contrib/ntp/scripts/update-leap/update-leap.1update-leapman +++ b/contrib/ntp/scripts/update-leap/update-leap.1update-leapman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH update-leap 1update-leapman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH update-leap 1update-leapman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-6XaW6m/ag-hYa45m) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cKaOWT/ag-pKaWVT) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:27 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:15 AM by AutoGen 5.18.5 .\" From the definitions update-leap-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc b/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc index 2bb1d59..1af0cd3 100644 --- a/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc +++ b/contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt UPDATE_LEAP 1update-leapmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (update-leap-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:35 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:55:53 PM by AutoGen 5.18.5 .\" From the definitions update-leap-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/scripts/update-leap/update-leap.html b/contrib/ntp/scripts/update-leap/update-leap.html index 5e9aef1..0303530 100644 --- a/contrib/ntp/scripts/update-leap/update-leap.html +++ b/contrib/ntp/scripts/update-leap/update-leap.html @@ -30,7 +30,7 @@ Up: <a rel="up" accesskey="u" href="#dir">(dir)</a> <p>This document describes the use of the NTP Project's <code>update-leap</code> program. - <p>This document applies to version 4.2.8p10 of <code>update-leap</code>. + <p>This document applies to version 4.2.8p11 of <code>update-leap</code>. <div class="shortcontents"> <h2>Short Contents</h2> @@ -114,56 +114,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example"> update-leap - Usage: $0 [options] [leapfile] - - Verifies and if necessary, updates leap-second definition file - - All arguments are optional: Default (or current value) shown: -s - Specify the URL of the master copy to download $LEAPSRC -d Specify - the filename on the local system $LEAPFILE -e Specify how long (in - days) before expiration the file is to be refreshed. Note that - larger values imply more frequent refreshes. "$PREFETCH" -f Specify - location of ntp.conf (used to make sure leapfile directive is - present and to default leapfile) $NTPCONF -F Force update even if - current file is OK and not close to expiring. -r Specify number of - times to retry on get failure $MAXTRIES -i Specify number of minutes - between retries $INTERVAL -l Use syslog for output (Implied if - CRONJOB is set) -L Don't use syslog for output -P Specify the syslog - facility for logging $LOGFAC -t Name of temporary file used in - validation $TMPFILE -q Only report errors to stdout -v Verbose - output - - The following options are not (yet) implemented in the perl version: - -4 Use only IPv4 -6 Use only IPv6 -c Command to restart NTP after - installing a new file <none> - ntpd checks file daily -p 4|6 Prefer - IPv4 or IPv6 (as specified) addresses, but use either -z Specify - path for utilities $PATHLIST -Z Only use system path - - $0 will validate the file currently on the local system - - Ordinarily, the file is found using the "leapfile" directive in - $NTPCONF. However, an alternate location can be specified on the - command line. - - If the file does not exist, is not valid, has expired, or is - expiring soon, a new copy will be downloaded. If the new copy - validates, it is installed and NTP is (optionally) restarted. - - If the current file is acceptable, no download or restart occurs. - - -c can also be used to invoke another script to perform - administrative functions, e.g. to copy the file to other local - systems. - - This can be run as a cron job. As the file is rarely updated, and - leap seconds are announced at least one month in advance (usually - longer), it need not be run more frequently than about once every - three weeks. - - For cron-friendly behavior, define CRONJOB=1 in the crontab. - - Version $VERSION +<pre class="example"> </pre> <div class="node"> <p><hr> diff --git a/contrib/ntp/scripts/update-leap/update-leap.in b/contrib/ntp/scripts/update-leap/update-leap.in index bd7ed18..abf1134 100755 --- a/contrib/ntp/scripts/update-leap/update-leap.in +++ b/contrib/ntp/scripts/update-leap/update-leap.in @@ -1,427 +1,474 @@ #! @PATH_PERL@ -w -# Copyright (C) 2015 Network Time Foundation +# Copyright (C) 2015, 2017 Network Time Foundation # Author: Harlan Stenn - +# +# General cleanup and https support: Paul McMath +# # Original shell version: # Copyright (C) 2014 Timothe Litt litt at acm dot org - +# # This script may be freely copied, used and modified providing that # this notice and the copyright statement are included in all copies # and derivative works. No warranty is offered, and use is entirely at # your own risk. Bugfixes and improvements would be appreciated by the # author. +######## BEGIN ######### use strict; +# Core modules use Digest::SHA qw(sha1_hex); +use File::Basename; use File::Copy qw(move); -use File::Fetch; +use File::Temp qw(tempfile); use Getopt::Long qw(:config auto_help no_ignore_case bundling); -use Sys::Syslog; +use Sys::Syslog qw(:standard :macros); -my $VERSION="1.003"; +# External modules +use HTTP::Tiny 0.056; +use Net::SSLeay 1.49; +use IO::Socket::SSL 1.56; -# leap-seconds file manager/updater +my $VERSION = '1.004'; -# ########## Default configuration ########## -# +my $RUN_DIR = '/tmp'; +my $RUN_UID = 0; +my $TMP_FILE; +my $TMP_FH; +my $FILE_MODE = 0644; + +######## DEFAULT CONFIGURATION ########## +# LEAP FILE SRC URIS +# HTTPS - (default) +# https://www.ietf.org/timezones/data/leap-seconds +# HTTP - No TLS/SSL - (not recommended) +# http://www.ietf.org/timezones/data/leap-seconds.list -my $CRONJOB = $ENV{'CRONJOB'}; -$CRONJOB = "" unless defined($CRONJOB); -my $LOGGER; -my $QUIET = ""; -my $VERBOSE = ""; - -# Where to get the file -# Choices: -# https://www.ietf.org/timezones/data/leap-seconds.list -# ftp://time.nist.gov/pub/leap-seconds.list -my $LEAPSRC="https://www.ietf.org/timezones/data/leap-seconds.list"; +my $LEAPSRC = 'https://www.ietf.org/timezones/data/leap-seconds.list'; my $LEAPFILE; # How many times to try to download new file -my $MAXTRIES=6; -my $INTERVAL=10; +my $MAXTRIES = 6; +my $INTERVAL = 10; -# Where to find ntp config file -my $NTPCONF="/etc/ntp.conf"; +my $NTPCONF='/etc/ntp.conf'; # How long (in days) before expiration to get updated file -my $PREFETCH="60"; +my $PREFETCH = 60; +my $EXPIRES; +my $FORCE; + +# Output Flags +my $QUIET; +my $DEBUG; +my $SYSLOG; +my $TOTERM; +my $LOGFAC = 'LOG_USER'; + +######### PARSE/SET OPTIONS ######### +my %SSL_OPTS; +my %SSL_ATTRS = ( + verify_SSL => 1, + SSL_options => \%SSL_OPTS, +); -# How to restart NTP - older NTP: service ntpd? try-restart | condrestart -# Recent NTP checks for new file daily, so there's nothing to do -my $RESTART=""; +our(%opt); -my $EXPIRES; -my $FORCE = ""; +GetOptions(\%opt, + 'C=s', + 'D=s', + 'e:60', + 'F', + 'f=s', + 'h|help', + 'i:10', + 'L=s', + 'l=s', + 'q', + 'r:6', + 's', + 't', + 'u=s', + 'v', + ); -# Where to put temporary copy before it's validated -my $TMPFILE="/tmp/leap-seconds.$$.tmp"; +$LOGFAC = $opt{l} if defined $opt{l}; +$LEAPSRC = $opt{u} if defined $opt{u}; +$LEAPFILE = $opt{L} if defined $opt{L}; +$PREFETCH = $opt{e} if defined $opt{e}; +$NTPCONF = $opt{f} if defined $opt{f}; +$MAXTRIES = $opt{r} if defined $opt{r}; +$INTERVAL = $opt{i} if defined $opt{i}; + +$FORCE = 1 if defined $opt{F}; +$DEBUG = 1 if defined $opt{v}; +$QUIET = 1 if defined $opt{q}; +$SYSLOG = 1 if defined $opt{s}; +$TOTERM = 1 if defined $opt{t}; + +$SSL_OPTS{SSL_ca_file} = $opt{C} if (defined($opt{C})); +$SSL_OPTS{SSL_ca_path} = $opt{D} if (defined($opt{D})); + +############### +## START MAIN +############### +my $PROG = basename($0); + +# Logging - Default is to use syslog(3) if STDOUT isn't +# connected to a tty. +if ($SYSLOG || !-t STDOUT) { + $SYSLOG = 1; + openlog($PROG, 'pid', $LOGFAC); +} +else { + $TOTERM = 1; +} -# Syslog facility -my $LOGFAC="daemon"; +if (defined $opt{q} && defined $opt{v}) { + log_fatal(LOG_ERR, '-q and -v options mutually exclusive'); +} -# ########################################### +if (defined $opt{L} && defined $opt{f}) { + log_fatal(LOG_ERR, '-L and -f options mutually exclusive'); +} -=item update-leap +$SIG{INT} = \&signal_catcher; +$SIG{TERM} = \&signal_catcher; +$SIG{QUIT} = \&signal_catcher; -Usage: $0 [options] [leapfile] +# Take some security precautions +close STDIN; -Verifies and if necessary, updates leap-second definition file +# Show help +if (defined $opt{h}) { + show_help(); + exit 0; +} -All arguments are optional: Default (or current value) shown: - -s Specify the URL of the master copy to download - $LEAPSRC - -d Specify the filename on the local system - $LEAPFILE - -e Specify how long (in days) before expiration the file is to be - refreshed. Note that larger values imply more frequent refreshes. - "$PREFETCH" - -f Specify location of ntp.conf (used to make sure leapfile directive is - present and to default leapfile) - $NTPCONF - -F Force update even if current file is OK and not close to expiring. - -r Specify number of times to retry on get failure - $MAXTRIES - -i Specify number of minutes between retries - $INTERVAL - -l Use syslog for output (Implied if CRONJOB is set) - -L Don't use syslog for output - -P Specify the syslog facility for logging - $LOGFAC - -t Name of temporary file used in validation - $TMPFILE - -q Only report errors to stdout - -v Verbose output +if ($< != $RUN_UID) { + log_fatal(LOG_ERR, 'User ' . getpwuid($<) . " (UID $<) tried to run $PROG"); +} -The following options are not (yet) implemented in the perl version: - -4 Use only IPv4 - -6 Use only IPv6 - -c Command to restart NTP after installing a new file - <none> - ntpd checks file daily - -p 4|6 - Prefer IPv4 or IPv6 (as specified) addresses, but use either - -z Specify path for utilities - $PATHLIST - -Z Only use system path +chdir $RUN_DIR || log_fatal("Failed to change dir to $RUN_DIR"); -$0 will validate the file currently on the local system +# Parse ntp.conf for path to leapfile if not set by user +if (! $LEAPFILE) { -Ordinarily, the file is found using the "leapfile" directive in $NTPCONF. -However, an alternate location can be specified on the command line. + open my $LF, '<', $NTPCONF || log_fatal(LOG_ERR, "Can't open <$NTPCONF>: $!"); -If the file does not exist, is not valid, has expired, or is expiring soon, -a new copy will be downloaded. If the new copy validates, it is installed and -NTP is (optionally) restarted. + while (<$LF>) { + chomp; + $LEAPFILE = $1 if /^ *leapfile\s+"(\S+)"/; + } + close $LF; -If the current file is acceptable, no download or restart occurs. + if (! $LEAPFILE) { + log_fatal(LOG_ERR, "No leapfile directive in $NTPCONF; leapfile location not known"); + } +} --c can also be used to invoke another script to perform administrative -functions, e.g. to copy the file to other local systems. +-s $LEAPFILE || logger(LOG_DEBUG, "Leapfile $LEAPFILE is empty"); -This can be run as a cron job. As the file is rarely updated, and leap -seconds are announced at least one month in advance (usually longer), it -need not be run more frequently than about once every three weeks. +# Download new file if: +# 1. file doesn't exist +# 2. invoked w/ force flag (-F) +# 3. current file isn't valid +# 4. current file expired or expires soon -For cron-friendly behavior, define CRONJOB=1 in the crontab. +if ( !-e $LEAPFILE || $FORCE || ! verifySHA($LEAPFILE) || + ( $EXPIRES lt ( $PREFETCH * 86400 + time() ) )) { -Version $VERSION -=cut + for (my $try = 1; $try <= $MAXTRIES; $try++) { + logger(LOG_DEBUG, "Attempting download from $LEAPSRC, try $try.."); -# Default: Use syslog for logging if running under cron + ($TMP_FH, $TMP_FILE) = tempfile(UNLINK => 1, SUFFIX => '.list'); -my $SYSLOG = $CRONJOB; + if (retrieve_file($TMP_FH)) { -# Parse options + if ( verifySHA($TMP_FILE) ) { + move_file($TMP_FILE, $LEAPFILE); + chmod $FILE_MODE, $LEAPFILE; + logger(LOG_INFO, "Installed new $LEAPFILE from $LEAPSRC"); + } + else { + logger(LOG_ERR, "Downloaded file $TMP_FILE rejected -- saved for diagnosis"); + move_file($TMP_FILE, 'leap-seconds.list_corrupt'); + exit 1; + } + # Fall through + exit 0; + } -our(%opt); + # Failure + unlink $TMP_FILE; + logger(LOG_INFO, "Download failed. Waiting $INTERVAL minutes before retrying..."); + sleep $INTERVAL * 60 ; + } -GetOptions(\%opt, - 'c=s', - 'e:60', - 'F', - 'f=s', - 'i:10', - 'L', - 'l', - 'P=s', - 'q', - 'r:6', - 's=s', - 't=s', - 'v' - ); + # Failed and out of retries + log_fatal(LOG_ERR, "Download from $LEAPSRC failed after $MAXTRIES attempts"); +} -$LOGFAC=$opt{P} if (defined($opt{P})); -$LEAPSRC=$opt{s} if (defined($opt{s})); -$PREFETCH=$opt{e} if (defined($opt{e})); -$NTPCONF=$opt{f} if (defined($opt{f})); -$FORCE="Y" if (defined($opt{F})); -$RESTART=$opt{c} if (defined($opt{c})); -$MAXTRIES=$opt{r} if (defined($opt{r})); -$INTERVAL=$opt{i} if (defined($opt{i})); -$TMPFILE=$opt{t} if (defined($opt{t})); -$SYSLOG="Y" if (defined($opt{l})); -$SYSLOG="" if (defined($opt{L})); -$QUIET="Y" if (defined($opt{q})); -$VERBOSE="Y" if (defined($opt{v})); +logger(LOG_INFO, "Not time to replace $LEAPFILE"); -# export PATH="$PATHLIST$PATH" +exit 0; + +######## SUB ROUTINES ######### +sub move_file { + + (my $src, my $dst) = @_; + + if ( move($src, $dst) ) { + logger(LOG_DEBUG, "Moved $src to $dst"); + } + else { + log_fatal(LOG_ERR, "Moving $src to $dst failed: $!"); + } +} -# Handle logging +# Removes temp file if terminating signal recv'd +sub signal_catcher { + my $signame = shift; -openlog($0, 'pid', $LOGFAC); + close $TMP_FH; + unlink $TMP_FILE; + log_fatal(LOG_INFO, "Recv'd SIG${signame}. Terminating."); +} + +sub log_fatal { + my ($p, $msg) = @_; + logger($p, $msg); + exit 1; +} sub logger { - my ($priority, $message) = @_; - - # "priority" "message" - # - # Stdout unless syslog specified or logger isn't available - # - if ($SYSLOG eq "" or $LOGGER eq "") { - if ($QUIET ne "" and ( $priority eq "info" or $priority eq "notice" or $priority eq "debug" ) ) { - return 0 + my ($p, $msg) = @_; + + # Suppress LOG_DEBUG msgs unless $DEBUG set + return if (!$DEBUG && $p eq LOG_DEBUG); + + # Suppress all but LOG_ERR msgs if $QUIET set + return if ($QUIET && $p ne LOG_ERR); + + if ($TOTERM) { + if ($p eq LOG_ERR) { # errors should go to STDERR + print STDERR "$msg\n"; + } + else { + print STDOUT "$msg\n"; } - printf "%s: $message\n", uc $priority; - return 0; } - # Also log to stdout if cron job && notice or higher - if (($CRONJOB ne "" and ($priority ne "info" ) and ($priority ne "debug" )) || ($VERBOSE ne "")) { - # Log to stderr as well - print STDERR "$0: $priority: $message\n"; + if ($SYSLOG) { + syslog($p, $msg) } - syslog($priority, $message); } -# Verify interval -# INTERVAL=$(( $INTERVAL *1 )) +################################# +# Connect to server and retrieve file +# +# Since we make as many as $MAXTRIES attempts to connect to the remote +# server to download the file, the network socket should be closed after +# each attempt, rather than let it be reused (because it may be in some +# unknown state). +# +# HTTP::Tiny doesn't export a method to explicitly close a connected +# socket, therefore, we instantiate the lexically scoped $http object in +# a function; when the function returns, the object goes out of scope +# and is destroyed, closing the socket. +sub retrieve_file { + + my $fh = shift; + my $http; + + if ($LEAPSRC =~ /^https\S+/) { + $http = HTTP::Tiny->new(%SSL_ATTRS); + (my $ok, my $why) = $http->can_ssl; + log_fatal(LOG_ERR, "TLS/SSL config error: $why") if ! $ok; + } + else { + $http = HTTP::Tiny->new(); + } + my $reply = $http->get($LEAPSRC); + + if ($reply->{success}) { + logger(LOG_DEBUG, "Download of $LEAPSRC succeeded"); + print $fh $reply->{content} || + log_fatal(LOG_ERR, "Couldn't write new file contents to temp file: $!"); + close $fh; + return 1; + } + else { + close $fh; + return 0; + } +} + +######################## # Validate a leap-seconds file checksum # -# File format: (full description in files) -# # marks comments, except: -# #$ number : the NTP date of the last update -# #@ number : the NTP date that the file expires -# Date (seconds since 1900) leaps : leaps is the # of seconds to add for times >= Date +# File format: (full description in file) +# Pound sign (#) marks comments, EXCEPT: +# #$ number : the NTP date of the last update +# #@ number : the NTP date that the file expires +# #h hex hex hex hex hex : the SHA-1 checksum of the data & dates, +# excluding whitespace w/o leading zeroes +# +# Date (seconds since 1900) leaps : leaps is the # of seconds to add +# for times >= Date # Date lines have comments. -# #h hex hex hex hex hex is the SHA-1 checksum of the data & dates, excluding whitespace w/o leading zeroes # # Returns: -# 0 File is valid -# 1 Invalid Checksum -# 2 Expired +# 0 Invalid Checksum/Expired +# 1 File is valid sub verifySHA { - my ($file, $verbose) = @_; - my $raw = ""; - my $data = ""; + my $file = shift; + my $fh; + my $data; my $FSHA; + open $fh, '<', $file || log_fatal(LOG_ERR, "Can't open $file: $!"); + # Remove comments, except those that are markers for last update, # expires and hash - - unless (open(LF, $file)) { - warn "Can't open <$file>: $!\n"; - print "Will try and create that file.\n"; - return 1; - }; - while (<LF>) { + while (<$fh>) { if (/^#\$/) { - $raw .= $_; - s/^..//; - $data .= $_; + s/^..//; + $data .= $_; } elsif (/^#\@/) { - $raw .= $_; - s/^..//; - $data .= $_; - s/\s+//g; - $EXPIRES = $_ - 2208988800; + s/^..//; + $data .= $_; + s/\s+//g; + $EXPIRES = $_ - 2208988800; } elsif (/^#h\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)/) { - chomp; - $raw .= $_; - $FSHA = sprintf("%08s%08s%08s%08s%08s", $1, $2, $3, $4, $5); + chomp; + $FSHA = sprintf("%08s%08s%08s%08s%08s", $1, $2, $3, $4, $5); } elsif (/^#/) { - # ignore it + # ignore it } elsif (/^\d/) { - s/#.*$//; - $raw .= $_; - $data .= $_; - } else { - chomp; - print "Unexpected line: <$_>\n"; + s/#.*$//; + $data .= $_; + } + else { + chomp; + print "Unexpected line: <$_>\n"; } } - close LF; + close $fh; + + if ( $EXPIRES < time() ) { + logger(LOG_DEBUG, 'File expired on ' . gmtime($EXPIRES)); + return 0; + } + + if (! $FSHA) { + logger(LOG_NOTICE, "no checksum record found in file"); + return 0; + } # Remove all white space $data =~ s/\s//g; # Compute the SHA hash of the data, removing the marker and filename # Computed in binary mode, which shouldn't matter since whitespace has been removed - my $DSHA = sha1_hex($data); - # Extract the file's hash. Restore any leading zeroes in hash segments. - - if ( ( "$FSHA" ne "" ) && ( $FSHA eq $DSHA ) ) { - if ( $verbose ne "" ) { - logger("info", "Checksum of $file validated"); - } - } else { - logger("error", "Checksum of $file is invalid:"); - $FSHA="(no checksum record found in file)" - if ( $FSHA eq ""); - logger("error", "EXPECTED: $FSHA"); - logger("error", "COMPUTED: $DSHA"); - return 1; - } - - # Check the expiration date, converting NTP epoch to Unix epoch used by date - - if ( $EXPIRES < time() ) { - logger("notice", "File expired on " . gmtime($EXPIRES)); - return 2; + if ($FSHA eq $DSHA) { + logger(LOG_DEBUG, "Checksum of $file validated"); + return 1; + } + else { + logger(LOG_NOTICE, "Checksum of $file is invalid EXPECTED: $FSHA COMPUTED: $DSHA"); + return 0; } - return 0; } -# Verify ntp.conf - --r $NTPCONF || die "Missing ntp configuration: $NTPCONF\n"; +sub show_help { +print <<EOF -# Parse ntp.conf for leapfile directive +Usage: $PROG [options] -open(LF, $NTPCONF) || die "Can't open <$NTPCONF>: $!\n"; -while (<LF>) { - chomp; - if (/^ *leapfile\s+"(\S+)"/) { - $LEAPFILE = $1; - } -} -close LF; +Verifies and if necessary, updates leap-second definition file --s $LEAPFILE || warn "$NTPCONF specifies $LEAPFILE as a leapfile, which is empty.\n"; +All arguments are optional: Default (or current value) shown: + -C Absolute path to CA Cert (see SSL/TLS Considerations) + -D Path to a CAdir (see SSL/TLS Considerations) + -e Specify how long (in days) before expiration the file is to be + refreshed. Note that larger values imply more frequent refreshes. + $PREFETCH + -F Force update even if current file is OK and not close to expiring. + -f Absolute path ntp.conf file (default /etc/ntp.conf) + $NTPCONF + -h show help + -i Specify number of minutes between retries + $INTERVAL + -L Absolute path to leapfile on the local system + (overrides value in ntp.conf) + -l Specify the syslog(3) facility for logging + $LOGFAC + -q Only report errors (cannot be used with -v) + -r Specify number of attempts to retrieve file + $MAXTRIES + -s Send output to syslog(3) - implied if STDOUT has no tty or redirected + -t Send output to terminal - implied if STDOUT attached to terminal + -u Specify the URL of the master copy to download + $LEAPSRC + -v Verbose - show debug messages (cannot be used with -q) -# Allow placing the file someplace else - testing +The following options are not (yet) implemented in the perl version: + -4 Use only IPv4 + -6 Use only IPv6 + -c Command to restart NTP after installing a new file + <none> - ntpd checks file daily + -p 4|6 + Prefer IPv4 or IPv6 (as specified) addresses, but use either -if ( defined $ARGV[0] ) { - if ( $ARGV[0] ne $LEAPFILE ) { - logger("notice", "Requested install to $ARGV[0], but $NTPCONF specifies $LEAPFILE"); - } - $LEAPFILE = $ARGV[0]; -} +$PROG will validate the file currently on the local system. -# Verify the current file -# If it is missing, doesn't validate or expired -# Or is expiring soon -# Download a new one - -if ( $FORCE ne "" || verifySHA($LEAPFILE, $VERBOSE) || ( $EXPIRES lt ( $PREFETCH * 86400 + time() ) )) { - my $TRY = 0; - my $ff = File::Fetch->new(uri => $LEAPSRC) || die "Fetch failed.\n"; - while (1) { - ++$TRY; - logger("info", "Attempting download from $LEAPSRC, try $TRY..") - if ($VERBOSE ne ""); - my $where = $ff->fetch( to => '/tmp' ); - - if ($where) { - logger("info", "Download of $LEAPSRC succeeded"); - - if ( verifySHA($where, $VERBOSE )) { - # There is no point in retrying, as the file on the - # server is almost certainly corrupt. - - logger("warning", "Downloaded file $where rejected -- saved for diagnosis"); - exit 1; - } +Ordinarily, the leapfile is found using the 'leapfile' directive in +$NTPCONF. However, an alternate location can be specified on the +command line with the -L flag. - # While the shell script version will set correct permissions - # on temporary file, for the perl version that's harder, so - # for now at least one should run this script as the - # appropriate user. - - # REFFILE="$LEAPFILE" - # if [ ! -f $LEAPFILE ]; then - # logger "notice" "$LEAPFILE was missing, creating new copy - check permissions" - # touch $LEAPFILE - # # Can't copy permissions from old file, copy from NTPCONF instead - # REFFILE="$NTPCONF" - # fi - # chmod --reference $REFFILE $TMPFILE - # chown --reference $REFFILE $TMPFILE - # ( which selinuxenabled && selinuxenabled && which chcon ) >/dev/null 2>&1 - # if [ $? == 0 ] ; then - # chcon --reference $REFFILE $TMPFILE - # fi - - # Replace current file with validated new one - - if ( move $where, $LEAPFILE ) { - logger("notice", "Installed new $LEAPFILE from $LEAPSRC"); - } else { - logger("error", "Install $where => $LEAPFILE failed -- saved for diagnosis: $!"); - exit 1; - } +If the leapfile does not exist, is not valid, has expired, or is +expiring soon, a new copy will be downloaded. If the new copy is +valid, it is installed. - # Restart NTP (or whatever else is specified) - - if ( $RESTART ne "" ) { - if ( $VERBOSE ne "" ) { - logger("info", "Attempting restart action: $RESTART"); - } - -# XXX - #R="$( 2>&1 $RESTART )" - #if [ $? -eq 0 ]; then - # logger "notice" "Restart action succeeded" - # if [ -n "$VERBOSE" -a -n "$R" ]; then - # logger "info" "$R" - # fi - #else - # logger "error" "Restart action failed" - # if [ -n "$R" ]; then - # logger "error" "$R" - # fi - # exit 2 - #fi - } - exit 0; - } +If the current file is acceptable, no download or restart occurs. - # Failed to download. See about trying again +This can be run as a cron job. As the file is rarely updated, and +leap seconds are announced at least one month in advance (usually +longer), it need not be run more frequently than about once every +three weeks. - # rm -f $TMPFILE - if ( $TRY ge $MAXTRIES ) { - last; - } - if ( $VERBOSE ne "" ) { - logger("info", "Waiting $INTERVAL minutes before retrying..."); - } - sleep $INTERVAL * 60 ; - } +SSL/TLS Considerations +----------------------- +The perl modules can usually locate the CA certificate used to verify +the peer's identity. - # Failed and out of retries +On BSDs, the default is typically the file /etc/ssl/certs.pem. On +Linux, the location is typically a path to a CAdir - a directory of +symlinks named according to a hash of the certificates' subject names. - logger("warning", "Download from $LEAPSRC failed after $TRY attempts"); - exit 1; -} +The -C or -D options are available to pass in a location if no CA cert +is found in the default location. -print "FORCE is <$FORCE>\n"; -print "verifySHA is " . verifySHA($LEAPFILE, "") . "\n"; -print "EXPIRES <$EXPIRES> vs ". ( $PREFETCH * 86400 + time() ) . "\n"; +External Dependencies +--------------------- +The following perl modules are required: +HTTP::Tiny - version >= 0.056 +IO::Socket::SSL - version >= 1.56 +NET::SSLeay - version >= 1.49 -logger("info", "Not time to replace $LEAPFILE"); +Version: $VERSION -exit 0; +EOF +} -# EOF diff --git a/contrib/ntp/scripts/update-leap/update-leap.man.in b/contrib/ntp/scripts/update-leap/update-leap.man.in index bd62871..380774a 100644 --- a/contrib/ntp/scripts/update-leap/update-leap.man.in +++ b/contrib/ntp/scripts/update-leap/update-leap.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH update-leap 1update-leapman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH update-leap 1update-leapman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-6XaW6m/ag-hYa45m) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cKaOWT/ag-pKaWVT) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:27 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 10:50:15 AM by AutoGen 5.18.5 .\" From the definitions update-leap-opts.def .\" and the template file agman-cmd.tpl .SH NAME diff --git a/contrib/ntp/scripts/update-leap/update-leap.mdoc.in b/contrib/ntp/scripts/update-leap/update-leap.mdoc.in index 2bb1d59..1af0cd3 100644 --- a/contrib/ntp/scripts/update-leap/update-leap.mdoc.in +++ b/contrib/ntp/scripts/update-leap/update-leap.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt UPDATE_LEAP 1update-leapmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (update-leap-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:40:35 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 04:55:53 PM by AutoGen 5.18.5 .\" From the definitions update-leap-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/contrib/ntp/sntp/Makefile.in b/contrib/ntp/sntp/Makefile.in index b0ae025..2085ace 100644 --- a/contrib/ntp/sntp/Makefile.in +++ b/contrib/ntp/sntp/Makefile.in @@ -1632,7 +1632,6 @@ install-exec-hook: # check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/sntp/check-libntp.mf b/contrib/ntp/sntp/check-libntp.mf index b867a3a..d387968 100644 --- a/contrib/ntp/sntp/check-libntp.mf +++ b/contrib/ntp/sntp/check-libntp.mf @@ -8,7 +8,6 @@ BUILT_SOURCES += check-libntp CLEANFILES += check-libntp check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/sntp/configure b/contrib/ntp/sntp/configure index 8026831..d9e02fa 100755 --- a/contrib/ntp/sntp/configure +++ b/contrib/ntp/sntp/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for sntp 4.2.8p10. +# Generated by GNU Autoconf 2.69 for sntp 4.2.8p11. # # Report bugs to <http://bugs.ntp.org./>. # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='sntp' PACKAGE_TARNAME='sntp' -PACKAGE_VERSION='4.2.8p10' -PACKAGE_STRING='sntp 4.2.8p10' +PACKAGE_VERSION='4.2.8p11' +PACKAGE_STRING='sntp 4.2.8p11' PACKAGE_BUGREPORT='http://bugs.ntp.org./' PACKAGE_URL='http://www.ntp.org./' @@ -895,6 +895,7 @@ ac_user_opts=' enable_option_checking enable_silent_rules enable_dependency_tracking +with_hardenfile with_locfile with_gnu_ld with_lineeditlibs @@ -1483,7 +1484,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures sntp 4.2.8p10 to adapt to many kinds of systems. +\`configure' configures sntp 4.2.8p11 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1553,7 +1554,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of sntp 4.2.8p10:";; + short | recursive ) echo "Configuration of sntp 4.2.8p11:";; esac cat <<\_ACEOF @@ -1593,6 +1594,7 @@ Optional Features: Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --with-hardenfile=XXX os-specific or "/dev/null" --with-locfile=XXX os-specific or "legacy" --with-gnu-ld assume the C compiler uses GNU ld [default=no] --with-lineeditlibs edit,editline (readline may be specified if desired) @@ -1700,7 +1702,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -sntp configure 4.2.8p10 +sntp configure 4.2.8p11 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2409,7 +2411,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by sntp $as_me 4.2.8p10, which was +It was created by sntp $as_me 4.2.8p11, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3406,7 +3408,7 @@ fi # Define the identity of the package. PACKAGE='sntp' - VERSION='4.2.8p10' + VERSION='4.2.8p11' cat >>confdefs.h <<_ACEOF @@ -6089,11 +6091,11 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu $as_echo_n "checking for compile/link hardening flags... " >&6; } -# Check whether --with-locfile was given. -if test "${with_locfile+set}" = set; then : - withval=$with_locfile; +# Check whether --with-hardenfile was given. +if test "${with_hardenfile+set}" = set; then : + withval=$with_hardenfile; else - with_locfile=no + with_hardenfile=no fi @@ -6101,12 +6103,12 @@ fi ( \ SENTINEL_DIR="$PWD" && \ cd $srcdir/ && \ - case "$with_locfile" in \ + case "$with_hardenfile" in \ yes|no|'') \ scripts/genHardFlags -d "$SENTINEL_DIR" \ ;; \ *) \ - scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \ + scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \ ;; \ esac \ ) > genHardFlags.i 2> genHardFlags.err @@ -24723,8 +24725,13 @@ $as_echo_n "checking if libevent $ntp_libevent_min_version or later is installed if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent then ntp_use_local_libevent=no - { $as_echo "$as_me:${as_lineno-$LINENO}: Using the installed libevent" >&5 -$as_echo "$as_me: Using the installed libevent" >&6;} + ntp_libevent_version="`$PKG_CONFIG --modversion libevent`" + case "$ntp_libevent_version" in + *.*) ;; + *) ntp_libevent_version='(unknown)' ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_libevent_version" >&5 +$as_echo "yes, version $ntp_libevent_version" >&6; } CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads` CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent` # HMS: I hope the following is accurate. @@ -24752,8 +24759,6 @@ $as_echo "$as_me: Using the installed libevent" >&6;} LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads" esac LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } else ntp_use_local_libevent=yes # HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS @@ -25130,8 +25135,13 @@ $as_echo_n "checking pkg-config for $pkg... " >&6; } VER_SUFFIX=o ntp_openssl=yes ntp_openssl_from_pkg_config=yes - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } + ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`" + case "$ntp_openssl_version" in + *.*) ;; + *) ntp_openssl_version='(unknown)' ;; + esac + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_openssl_version" >&5 +$as_echo "yes, version $ntp_openssl_version" >&6; } break fi @@ -27068,7 +27078,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by sntp $as_me 4.2.8p10, which was +This file was extended by sntp $as_me 4.2.8p11, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -27135,7 +27145,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -sntp config.status 4.2.8p10 +sntp config.status 4.2.8p11 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/ntp/sntp/crypto.c b/contrib/ntp/sntp/crypto.c index e45b213..ce5d136 100644 --- a/contrib/ntp/sntp/crypto.c +++ b/contrib/ntp/sntp/crypto.c @@ -1,77 +1,196 @@ +/* + * HMS: we need to test: + * - OpenSSL versions, if we are building with them + * - our versions + * + * We may need to test with(out) OPENSSL separately. + */ + #include <config.h> #include "crypto.h" #include <ctype.h> #include "isc/string.h" #include "ntp_md5.h" +/* HMS: We may not have OpenSSL, but we have our own AES-128-CMAC */ +#define CMAC "AES128CMAC" +#ifdef OPENSSL +# include "openssl/cmac.h" +# define AES_128_KEY_SIZE 16 +#endif /* OPENSSL */ + +#ifndef EVP_MAX_MD_SIZE +# define EVP_MAX_MD_SIZE 32 +#endif + struct key *key_ptr; size_t key_cnt = 0; +typedef struct key Key_T; + +static u_int +compute_mac( + u_char digest[EVP_MAX_MD_SIZE], + char const * macname, + void const * pkt_data, + u_int pkt_size, + void const * key_data, + u_int key_size + ) +{ + u_int len = 0; + size_t slen = 0; + int key_type; + + INIT_SSL(); + key_type = keytype_from_text(macname, NULL); + +#ifdef OPENSSL + /* Check if CMAC key type specific code required */ + if (key_type == NID_cmac) { + CMAC_CTX * ctx = NULL; + u_char keybuf[AES_128_KEY_SIZE]; + + /* adjust key size (zero padded buffer) if necessary */ + if (AES_128_KEY_SIZE > key_size) { + memcpy(keybuf, key_data, key_size); + memset((keybuf + key_size), 0, + (AES_128_KEY_SIZE - key_size)); + key_data = keybuf; + } + + if (!(ctx = CMAC_CTX_new())) { + msyslog(LOG_ERR, "make_mac: CMAC %s CTX new failed.", CMAC); + } + else if (!CMAC_Init(ctx, key_data, AES_128_KEY_SIZE, + EVP_aes_128_cbc(), NULL)) { + msyslog(LOG_ERR, "make_mac: CMAC %s Init failed.", CMAC); + } + else if (!CMAC_Update(ctx, pkt_data, (size_t)pkt_size)) { + msyslog(LOG_ERR, "make_mac: CMAC %s Update failed.", CMAC); + } + else if (!CMAC_Final(ctx, digest, &slen)) { + msyslog(LOG_ERR, "make_mac: CMAC %s Final failed.", CMAC); + slen = 0; + } + len = (u_int)slen; + + CMAC_CTX_cleanup(ctx); + /* Test our AES-128-CMAC implementation */ + + } else /* MD5 MAC handling */ +#endif + { + EVP_MD_CTX * ctx; + + if (!(ctx = EVP_MD_CTX_new())) { + msyslog(LOG_ERR, "make_mac: MAC %s Digest CTX new failed.", + macname); + goto mac_fail; + } +#ifdef OPENSSL /* OpenSSL 1 supports return codes 0 fail, 1 okay */ +# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); +# endif + /* [Bug 3457] DON'T use plain EVP_DigestInit! It would + * kill the flags! */ + if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(key_type), NULL)) { + msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.", + macname); + goto mac_fail; + } + if (!EVP_DigestUpdate(ctx, key_data, key_size)) { + msyslog(LOG_ERR, "make_mac: MAC %s Digest Update key failed.", + macname); + goto mac_fail; + } + if (!EVP_DigestUpdate(ctx, pkt_data, pkt_size)) { + msyslog(LOG_ERR, "make_mac: MAC %s Digest Update data failed.", + macname); + goto mac_fail; + } + if (!EVP_DigestFinal(ctx, digest, &len)) { + msyslog(LOG_ERR, "make_mac: MAC %s Digest Final failed.", + macname); + len = 0; + } +#else /* !OPENSSL */ + EVP_DigestInit(ctx, EVP_get_digestbynid(key_type)); + EVP_DigestUpdate(ctx, key_data, key_size); + EVP_DigestUpdate(ctx, pkt_data, pkt_size); + EVP_DigestFinal(ctx, digest, &len); +#endif + mac_fail: + EVP_MD_CTX_free(ctx); + } + + return len; +} + int make_mac( - const void *pkt_data, - int pkt_size, - int mac_size, - const struct key *cmp_key, - void * digest + const void * pkt_data, + int pkt_size, + int mac_size, + Key_T const * cmp_key, + void * digest ) { - u_int len = mac_size; - int key_type; - EVP_MD_CTX * ctx; + u_int len; + u_char dbuf[EVP_MAX_MD_SIZE]; - if (cmp_key->key_len > 64) + if (cmp_key->key_len > 64 || mac_size <= 0) return 0; if (pkt_size % 4 != 0) return 0; - INIT_SSL(); - key_type = keytype_from_text(cmp_key->type, NULL); - - ctx = EVP_MD_CTX_new(); - EVP_DigestInit(ctx, EVP_get_digestbynid(key_type)); - EVP_DigestUpdate(ctx, (const u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len); - EVP_DigestUpdate(ctx, pkt_data, (u_int)pkt_size); - EVP_DigestFinal(ctx, digest, &len); - EVP_MD_CTX_free(ctx); - + len = compute_mac(dbuf, cmp_key->typen, + pkt_data, (u_int)pkt_size, + cmp_key->key_seq, (u_int)cmp_key->key_len); + + + if (len) { + if (len > (u_int)mac_size) + len = (u_int)mac_size; + memcpy(digest, dbuf, len); + } return (int)len; } -/* Generates a md5 digest of the key specified in keyid concatenated with the +/* Generates a md5 digest of the key specified in keyid concatenated with the * ntp packet (exluding the MAC) and compares this digest to the digest in - * the packet's MAC. If they're equal this function returns 1 (packet is + * the packet's MAC. If they're equal this function returns 1 (packet is * authentic) or else 0 (not authentic). */ int auth_md5( - const void *pkt_data, - int pkt_size, - int mac_size, - const struct key *cmp_key + void const * pkt_data, + int pkt_size, + int mac_size, + Key_T const * cmp_key ) { - int hash_len; - int authentic; - char digest[20]; - const u_char *pkt_ptr; - if (mac_size > (int)sizeof(digest)) - return 0; - pkt_ptr = pkt_data; - hash_len = make_mac(pkt_ptr, pkt_size, sizeof(digest), cmp_key, - digest); - if (!hash_len) { - authentic = FALSE; - } else { - /* isc_tsmemcmp will be better when its easy to link - * with. sntp is a 1-shot program, so snooping for - * timing attacks is Harder. - */ - authentic = !memcmp(digest, (const char*)pkt_data + pkt_size + 4, - hash_len); - } - return authentic; + u_int len = 0; + u_char const * pkt_ptr = pkt_data; + u_char dbuf[EVP_MAX_MD_SIZE]; + + if (mac_size <= 0 || (size_t)mac_size > sizeof(dbuf)) + return FALSE; + + len = compute_mac(dbuf, cmp_key->typen, + pkt_ptr, (u_int)pkt_size, + cmp_key->key_seq, (u_int)cmp_key->key_len); + + pkt_ptr += pkt_size + 4; + if (len > (u_int)mac_size) + len = (u_int)mac_size; + + /* isc_tsmemcmp will be better when its easy to link with. sntp + * is a 1-shot program, so snooping for timing attacks is + * Harder. + */ + return ((u_int)mac_size == len) && !memcmp(dbuf, pkt_ptr, len); } static int @@ -94,7 +213,7 @@ hex_val( } /* Load keys from the specified keyfile into the key structures. - * Returns -1 if the reading failed, otherwise it returns the + * Returns -1 if the reading failed, otherwise it returns the * number of keys it read */ int @@ -103,12 +222,15 @@ auth_init( struct key **keys ) { - FILE *keyf = fopen(keyfile, "r"); + FILE *keyf = fopen(keyfile, "r"); struct key *prev = NULL; - int scan_cnt, line_cnt = 0; + int scan_cnt, line_cnt = 1; char kbuf[200]; char keystring[129]; + /* HMS: Is it OK to do this later, after we know we have a key file? */ + INIT_SSL(); + if (keyf == NULL) { if (debug) printf("sntp auth_init: Couldn't open key file %s for reading!\n", keyfile); @@ -134,18 +256,19 @@ auth_init( if (octothorpe) *octothorpe = '\0'; act = emalloc(sizeof(*act)); - scan_cnt = sscanf(kbuf, "%d %9s %128s", &act->key_id, act->type, keystring); + /* keep width 15 = sizeof struct key.typen - 1 synced */ + scan_cnt = sscanf(kbuf, "%d %15s %128s", + &act->key_id, act->typen, keystring); if (scan_cnt == 3) { int len = strlen(keystring); + goodline = 1; /* assume best for now */ if (len <= 20) { act->key_len = len; memcpy(act->key_seq, keystring, len + 1); - goodline = 1; } else if ((len & 1) != 0) { goodline = 0; /* it's bad */ } else { int j; - goodline = 1; act->key_len = len >> 1; for (j = 0; j < len; j+=2) { int val; @@ -158,6 +281,13 @@ auth_init( act->key_seq[j>>1] = (char)val; } } + act->typei = keytype_from_text(act->typen, NULL); + if (0 == act->typei) { + printf("%s: line %d: key %d, %s not supported - ignoring\n", + keyfile, line_cnt, + act->key_id, act->typen); + goodline = 0; /* it's bad */ + } } if (goodline) { act->next = NULL; @@ -168,19 +298,21 @@ auth_init( prev = act; key_cnt++; } else { - msyslog(LOG_DEBUG, "auth_init: scanf %d items, skipping line %d.", - scan_cnt, line_cnt); + if (debug) { + printf("auth_init: scanf %d items, skipping line %d.", + scan_cnt, line_cnt); + } free(act); } line_cnt++; } fclose(keyf); - + key_ptr = *keys; return key_cnt; } -/* Looks for the key with keyid key_id and sets the d_key pointer to the +/* Looks for the key with keyid key_id and sets the d_key pointer to the * address of the key. If no matching key is found the pointer is not touched. */ void diff --git a/contrib/ntp/sntp/crypto.h b/contrib/ntp/sntp/crypto.h index 19cdbc4..961dca0 100644 --- a/contrib/ntp/sntp/crypto.h +++ b/contrib/ntp/sntp/crypto.h @@ -20,7 +20,8 @@ struct key { struct key * next; int key_id; int key_len; - char type[10]; + int typei; + char typen[20]; char key_seq[64]; }; diff --git a/contrib/ntp/sntp/harden/linux b/contrib/ntp/sntp/harden/linux index db23544..5f9c4e9 100644 --- a/contrib/ntp/sntp/harden/linux +++ b/contrib/ntp/sntp/harden/linux @@ -1,4 +1,4 @@ # generic linux hardening flags -NTP_HARD_CFLAGS="-pie -fPIE -fPIC -fstack-protector-all -O1" +NTP_HARD_CFLAGS="-fPIE -fPIC -fstack-protector-all -O1" NTP_HARD_CPPFLAGS="-D_FORTIFY_SOURCE=2" -NTP_HARD_LDFLAGS="-z relro -z now" +NTP_HARD_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" diff --git a/contrib/ntp/sntp/include/version.def b/contrib/ntp/sntp/include/version.def index 605c02f..22657d4 100644 --- a/contrib/ntp/sntp/include/version.def +++ b/contrib/ntp/sntp/include/version.def @@ -1 +1 @@ -version = '4.2.8p10'; +version = '4.2.8p11'; diff --git a/contrib/ntp/sntp/include/version.texi b/contrib/ntp/sntp/include/version.texi index 41e1324..ba520bf 100644 --- a/contrib/ntp/sntp/include/version.texi +++ b/contrib/ntp/sntp/include/version.texi @@ -1,3 +1,3 @@ -@set UPDATED 21 March 2017 -@set EDITION 4.2.8p10 -@set VERSION 4.2.8p10 +@set UPDATED 27 February 2018 +@set EDITION 4.2.8p11 +@set VERSION 4.2.8p11 diff --git a/contrib/ntp/sntp/invoke-sntp.texi b/contrib/ntp/sntp/invoke-sntp.texi index ec2ff9a..a79b62f 100644 --- a/contrib/ntp/sntp/invoke-sntp.texi +++ b/contrib/ntp/sntp/invoke-sntp.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-sntp.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:36:49 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:13:11 PM by AutoGen 5.18.5 # From the definitions sntp-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -101,58 +101,62 @@ with a status code of 0. @exampleindent 0 @example -sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10 -Usage: sntp [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \ +sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p245 +USAGE: sntp [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \ [ hostname-or-IP ...] Flg Arg Option-Name Description -4 no ipv4 Force IPv4 DNS name resolution - - prohibits the option 'ipv6' + - prohibits these options: + ipv6 -6 no ipv6 Force IPv6 DNS name resolution - - prohibits the option 'ipv4' - -a Num authentication Enable authentication with the key auth-keynumber + - prohibits these options: + ipv4 + -a Num authentication Enable authentication with the key @@var@{auth-keynumber@} + -B Num bctimeout The number of seconds to wait for broadcasts -b Str broadcast Listen to the address specified for broadcast time sync - may appear multiple times -c Str concurrent Concurrently query all IPs returned for host-name - may appear multiple times -d no debug-level Increase debug verbosity level - may appear multiple times - -D Num set-debug-level Set the debug verbosity level + -D Str set-debug-level Set the debug verbosity level - may appear multiple times -g Num gap The gap (in milliseconds) between time requests -K Fil kod KoD history filename - -k Fil keyfile Look in this file for the key specified with -a + -k Fil keyfile Look in this file for the key specified with @@option@{-a@} -l Fil logfile Log to specified logfile - -M Num steplimit Adjustments less than steplimit msec will be slewed - - it must be in the range: + -M Num steplimit Adjustments less than @@var@{steplimit@} msec will be slewed + - It must be in the range: greater than or equal to 0 - -o Num ntpversion Send int as our NTP protocol version - - it must be in the range: + -o Num ntpversion Send @@var@{int@} as our NTP version + - It must be in the range: 0 to 7 -r no usereservedport Use the NTP Reserved Port (port 123) - -S no step OK to 'step' the time with settimeofday(2) - -s no slew OK to 'slew' the time with adjtime(2) - -t Num timeout The number of seconds to wait for responses + -S no step OK to 'step' the time with @@command@{settimeofday(2)@} + -s no slew OK to 'slew' the time with @@command@{adjtime(2)@} + -u Num uctimeout The number of seconds to wait for unicast responses no wait Wait for pending replies (if not setting the time) - - disabled as '--no-wait' + - disabled as --no-wait - enabled by default - opt version output version information and exit - -? no help display extended usage information and exit - -! no more-help extended usage information passed thru pager - -> opt save-opts save the option state to a config file - -< Str load-opts load options from a config file - - disabled as '--no-load-opts' + opt version Output version information and exit + -? no help Display extended usage information and exit + -! no more-help Extended usage information passed thru pager + -> opt save-opts Save the option state to a config file + -< Str load-opts Load options from a config file + - disabled as --no-load-opts - may appear multiple times Options are specified by doubled hyphens and their name or by a single hyphen and the flag character. + The following option preset mechanisms are supported: - reading file $HOME/.ntprc - reading file ./.ntprc - examining environment variables named SNTP_* -Please send bug reports to: <http://bugs.ntp.org, bugs@@ntp.org> +please send bug reports to: http://bugs.ntp.org, bugs@@ntp.org @end example @exampleindent 4 diff --git a/contrib/ntp/sntp/m4/ntp_af_unspec.m4 b/contrib/ntp/sntp/m4/ntp_af_unspec.m4 new file mode 100644 index 0000000..cdb453d --- /dev/null +++ b/contrib/ntp/sntp/m4/ntp_af_unspec.m4 @@ -0,0 +1,23 @@ +dnl ###################################################################### +dnl AF_UNSPEC checks +AC_DEFUN([NTP_AF_UNSPEC], [ + +# We could do a cv check here, but is it worth it? + +AC_COMPILE_IFELSE( + [AC_LANG_PROGRAM( + [[ + #include <sys/socket.h> + #ifndef AF_UNSPEC + #include "Bletch: AF_UNSPEC is undefined!" + #endif + #if AF_UNSPEC != 0 + #include "Bletch: AF_UNSPEC != 0" + #endif + ]], + [AC_MSG_NOTICE([AF_UNSPEC is zero, as expected.])], + [AC_MSG_ERROR([AF_UNSPEC is not zero on this platform!])] + )] +)]) + +dnl ###################################################################### diff --git a/contrib/ntp/sntp/m4/ntp_harden.m4 b/contrib/ntp/sntp/m4/ntp_harden.m4 index e6d5f36..06aebc0 100644 --- a/contrib/ntp/sntp/m4/ntp_harden.m4 +++ b/contrib/ntp/sntp/m4/ntp_harden.m4 @@ -10,24 +10,24 @@ AC_DEFUN([NTP_HARDEN], [ AC_MSG_CHECKING([for compile/link hardening flags]) AC_ARG_WITH( - [locfile], + [hardenfile], [AS_HELP_STRING( - [--with-locfile=XXX], - [os-specific or "legacy"] + [--with-hardenfile=XXX], + [os-specific or "/dev/null"] )], [], - [with_locfile=no] + [with_hardenfile=no] ) ( \ SENTINEL_DIR="$PWD" && \ cd $srcdir/$1 && \ - case "$with_locfile" in \ + case "$with_hardenfile" in \ yes|no|'') \ scripts/genHardFlags -d "$SENTINEL_DIR" \ ;; \ *) \ - scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \ + scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \ ;; \ esac \ ) > genHardFlags.i 2> genHardFlags.err diff --git a/contrib/ntp/sntp/m4/ntp_libevent.m4 b/contrib/ntp/sntp/m4/ntp_libevent.m4 index 69325ef..14b614b4 100644 --- a/contrib/ntp/sntp/m4/ntp_libevent.m4 +++ b/contrib/ntp/sntp/m4/ntp_libevent.m4 @@ -78,7 +78,12 @@ case "$ntp_use_local_libevent" in if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent then ntp_use_local_libevent=no - AC_MSG_NOTICE([Using the installed libevent]) + ntp_libevent_version="`$PKG_CONFIG --modversion libevent`" + case "$ntp_libevent_version" in + *.*) ;; + *) ntp_libevent_version='(unknown)' ;; + esac + AC_MSG_RESULT([yes, version $ntp_libevent_version]) CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads` CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent` # HMS: I hope the following is accurate. @@ -106,7 +111,6 @@ case "$ntp_use_local_libevent" in LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads" esac LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core" - AC_MSG_RESULT([yes]) else ntp_use_local_libevent=yes # HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS diff --git a/contrib/ntp/sntp/m4/ntp_openssl.m4 b/contrib/ntp/sntp/m4/ntp_openssl.m4 index 33554f3..112b7a2 100644 --- a/contrib/ntp/sntp/m4/ntp_openssl.m4 +++ b/contrib/ntp/sntp/m4/ntp_openssl.m4 @@ -85,7 +85,12 @@ case "$with_crypto:${PKG_CONFIG:+notempty}:${with_openssl_libdir-notgiven}:${wit VER_SUFFIX=o ntp_openssl=yes ntp_openssl_from_pkg_config=yes - AC_MSG_RESULT([yes]) + ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`" + case "$ntp_openssl_version" in + *.*) ;; + *) ntp_openssl_version='(unknown)' ;; + esac + AC_MSG_RESULT([yes, version $ntp_openssl_version]) break fi diff --git a/contrib/ntp/sntp/m4/version.m4 b/contrib/ntp/sntp/m4/version.m4 index d40b412..4ebd02c 100644 --- a/contrib/ntp/sntp/m4/version.m4 +++ b/contrib/ntp/sntp/m4/version.m4 @@ -1 +1 @@ -m4_define([VERSION_NUMBER],[4.2.8p10]) +m4_define([VERSION_NUMBER],[4.2.8p11]) diff --git a/contrib/ntp/sntp/main.c b/contrib/ntp/sntp/main.c index 78ed7c2..098a696 100644 --- a/contrib/ntp/sntp/main.c +++ b/contrib/ntp/sntp/main.c @@ -207,9 +207,8 @@ sntp_main ( */ kod_init_kod_db(OPT_ARG(KOD), FALSE); - // HMS: Should we use arg-defalt for this too? - if (HAVE_OPT(KEYFILE)) - auth_init(OPT_ARG(KEYFILE), &keys); + /* HMS: Check and see what happens if KEYFILE doesn't exist */ + auth_init(OPT_ARG(KEYFILE), &keys); /* ** Considering employing a variable that prevents functions of doing @@ -379,7 +378,6 @@ handle_lookup( { struct addrinfo hints; /* Local copy is OK */ struct dns_ctx *ctx; - long l; char * name_copy; size_t name_sz; size_t octets; @@ -405,15 +403,19 @@ handle_lookup( ctx->name = name_copy; // point to it... ctx->flags = flags; ctx->timeout = response_tv; + ctx->key = NULL; /* The following should arguably be passed in... */ - if (ENABLED_OPT(AUTHENTICATION) && - atoint(OPT_ARG(AUTHENTICATION), &l)) { - ctx->key_id = l; + if (ENABLED_OPT(AUTHENTICATION)) { + ctx->key_id = OPT_VALUE_AUTHENTICATION; get_key(ctx->key_id, &ctx->key); + if (NULL == ctx->key) { + fprintf(stderr, "%s: Authentication with keyID %d requested, but no matching keyID found in <%s>!\n", + progname, ctx->key_id, OPT_ARG(KEYFILE)); + exit(1); + } } else { ctx->key_id = -1; - ctx->key = NULL; } ++n_pending_dns; @@ -1132,13 +1134,21 @@ generate_pkt ( x_pkt->ppoll = 8; /* FIXME! Modus broadcast + adr. check -> bdr. pkt */ set_li_vn_mode(x_pkt, LEAP_NOTINSYNC, ntpver, 3); + if (debug > 0) { + printf("generate_pkt: key_id %d, key pointer %p\n", key_id, pkt_key); + } if (pkt_key != NULL) { x_pkt->exten[0] = htonl(key_id); - mac_size = 20; /* max room for MAC */ - mac_size = make_mac(x_pkt, pkt_len, mac_size, + mac_size = make_mac(x_pkt, pkt_len, MAX_MDG_LEN, pkt_key, (char *)&x_pkt->exten[1]); if (mac_size > 0) - pkt_len += mac_size + 4; + pkt_len += mac_size + KEY_MAC_LEN; +#ifdef DEBUG + if (debug > 0) { + printf("generate_pkt: mac_size is %d\n", mac_size); + } +#endif + } return pkt_len; } diff --git a/contrib/ntp/sntp/networking.c b/contrib/ntp/sntp/networking.c index 21cf09a..ecac15c 100644 --- a/contrib/ntp/sntp/networking.c +++ b/contrib/ntp/sntp/networking.c @@ -135,6 +135,8 @@ process_pkt ( func_name, pkt_len); return PACKET_UNUSEABLE; } + + /* HMS: the following needs a bit of work */ /* Note: pkt_len must be a multiple of 4 at this point! */ packet_end = (void*)((char*)rpkt + pkt_len); exten_end = skip_efields(rpkt->exten, packet_end); @@ -144,18 +146,20 @@ process_pkt ( func_name); return PACKET_UNUSEABLE; } + /* get size of MAC in cells; can be zero */ exten_len = (u_int)(packet_end - exten_end); /* deduce action required from remaining length */ switch (exten_len) { - case 0: /* no MAC at all */ + case 0: /* no Legacy MAC */ break; case 1: /* crypto NAK */ + /* Only if the keyID is 0 and there were no EFs */ key_id = ntohl(*exten_end); - printf("Crypto NAK = 0x%08x\n", key_id); + printf("Crypto NAK = 0x%08x from %s\n", key_id, stoa(sender)); break; case 3: /* key ID + 3DES MAC -- unsupported! */ diff --git a/contrib/ntp/sntp/sntp-opts.c b/contrib/ntp/sntp/sntp-opts.c index 09c2600..404068a 100644 --- a/contrib/ntp/sntp/sntp-opts.c +++ b/contrib/ntp/sntp/sntp-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (sntp-opts.c) * - * It has been AutoGen-ed March 21, 2017 at 10:36:29 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 10:25:32 AM by AutoGen 5.18.5 * From the definitions sntp-opts.def * and the template file options * @@ -69,8 +69,8 @@ extern FILE * option_usage_fp; /** * static const strings for sntp options */ -static char const sntp_opt_strs[2552] = -/* 0 */ "sntp 4.2.8p10\n" +static char const sntp_opt_strs[2566] = +/* 0 */ "sntp 4.2.8p11\n" "Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -118,52 +118,53 @@ static char const sntp_opt_strs[2552] = /* 1537 */ "Look in this file for the key specified with -a\0" /* 1585 */ "KEYFILE\0" /* 1593 */ "keyfile\0" -/* 1601 */ "Log to specified logfile\0" -/* 1626 */ "LOGFILE\0" -/* 1634 */ "logfile\0" -/* 1642 */ "Adjustments less than steplimit msec will be slewed\0" -/* 1694 */ "STEPLIMIT\0" -/* 1704 */ "steplimit\0" -/* 1714 */ "Send int as our NTP protocol version\0" -/* 1751 */ "NTPVERSION\0" -/* 1762 */ "ntpversion\0" -/* 1773 */ "Use the NTP Reserved Port (port 123)\0" -/* 1810 */ "USERESERVEDPORT\0" -/* 1826 */ "usereservedport\0" -/* 1842 */ "OK to 'step' the time with settimeofday(2)\0" -/* 1885 */ "STEP\0" -/* 1890 */ "step\0" -/* 1895 */ "OK to 'slew' the time with adjtime(2)\0" -/* 1933 */ "SLEW\0" -/* 1938 */ "slew\0" -/* 1943 */ "The number of seconds to wait for responses\0" -/* 1987 */ "TIMEOUT\0" -/* 1995 */ "timeout\0" -/* 2003 */ "Wait for pending replies (if not setting the time)\0" -/* 2054 */ "WAIT\0" -/* 2059 */ "no-wait\0" -/* 2067 */ "no\0" -/* 2070 */ "display extended usage information and exit\0" -/* 2114 */ "help\0" -/* 2119 */ "extended usage information passed thru pager\0" -/* 2164 */ "more-help\0" -/* 2174 */ "output version information and exit\0" -/* 2210 */ "version\0" -/* 2218 */ "save the option state to a config file\0" -/* 2257 */ "save-opts\0" -/* 2267 */ "load options from a config file\0" -/* 2299 */ "LOAD_OPTS\0" -/* 2309 */ "no-load-opts\0" -/* 2322 */ "SNTP\0" -/* 2327 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10\n" +/* 1601 */ "/etc/ntp.keys\0" +/* 1615 */ "Log to specified logfile\0" +/* 1640 */ "LOGFILE\0" +/* 1648 */ "logfile\0" +/* 1656 */ "Adjustments less than steplimit msec will be slewed\0" +/* 1708 */ "STEPLIMIT\0" +/* 1718 */ "steplimit\0" +/* 1728 */ "Send int as our NTP protocol version\0" +/* 1765 */ "NTPVERSION\0" +/* 1776 */ "ntpversion\0" +/* 1787 */ "Use the NTP Reserved Port (port 123)\0" +/* 1824 */ "USERESERVEDPORT\0" +/* 1840 */ "usereservedport\0" +/* 1856 */ "OK to 'step' the time with settimeofday(2)\0" +/* 1899 */ "STEP\0" +/* 1904 */ "step\0" +/* 1909 */ "OK to 'slew' the time with adjtime(2)\0" +/* 1947 */ "SLEW\0" +/* 1952 */ "slew\0" +/* 1957 */ "The number of seconds to wait for responses\0" +/* 2001 */ "TIMEOUT\0" +/* 2009 */ "timeout\0" +/* 2017 */ "Wait for pending replies (if not setting the time)\0" +/* 2068 */ "WAIT\0" +/* 2073 */ "no-wait\0" +/* 2081 */ "no\0" +/* 2084 */ "display extended usage information and exit\0" +/* 2128 */ "help\0" +/* 2133 */ "extended usage information passed thru pager\0" +/* 2178 */ "more-help\0" +/* 2188 */ "output version information and exit\0" +/* 2224 */ "version\0" +/* 2232 */ "save the option state to a config file\0" +/* 2271 */ "save-opts\0" +/* 2281 */ "load options from a config file\0" +/* 2313 */ "LOAD_OPTS\0" +/* 2323 */ "no-load-opts\0" +/* 2336 */ "SNTP\0" +/* 2341 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p11\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n" "\t\t[ hostname-or-IP ...]\n\0" -/* 2487 */ "$HOME\0" -/* 2493 */ ".\0" -/* 2495 */ ".ntprc\0" -/* 2502 */ "http://bugs.ntp.org, bugs@ntp.org\0" -/* 2536 */ "\n\0" -/* 2538 */ "sntp 4.2.8p10"; +/* 2501 */ "$HOME\0" +/* 2507 */ ".\0" +/* 2509 */ ".ntprc\0" +/* 2516 */ "http://bugs.ntp.org, bugs@ntp.org\0" +/* 2550 */ "\n\0" +/* 2552 */ "sntp 4.2.8p11"; /** * ipv4 option description with @@ -300,6 +301,8 @@ static int const aIpv6CantList[] = { #define KEYFILE_NAME (sntp_opt_strs+1585) /** Name string for the keyfile option */ #define KEYFILE_name (sntp_opt_strs+1593) +/** The compiled in default value for the keyfile option argument */ +#define KEYFILE_DFT_ARG (sntp_opt_strs+1601) /** Compiled in flag settings for the keyfile option */ #define KEYFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) @@ -308,11 +311,11 @@ static int const aIpv6CantList[] = { * logfile option description: */ /** Descriptive text for the logfile option */ -#define LOGFILE_DESC (sntp_opt_strs+1601) +#define LOGFILE_DESC (sntp_opt_strs+1615) /** Upper-cased name for the logfile option */ -#define LOGFILE_NAME (sntp_opt_strs+1626) +#define LOGFILE_NAME (sntp_opt_strs+1640) /** Name string for the logfile option */ -#define LOGFILE_name (sntp_opt_strs+1634) +#define LOGFILE_name (sntp_opt_strs+1648) /** Compiled in flag settings for the logfile option */ #define LOGFILE_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_FILE)) @@ -321,11 +324,11 @@ static int const aIpv6CantList[] = { * steplimit option description: */ /** Descriptive text for the steplimit option */ -#define STEPLIMIT_DESC (sntp_opt_strs+1642) +#define STEPLIMIT_DESC (sntp_opt_strs+1656) /** Upper-cased name for the steplimit option */ -#define STEPLIMIT_NAME (sntp_opt_strs+1694) +#define STEPLIMIT_NAME (sntp_opt_strs+1708) /** Name string for the steplimit option */ -#define STEPLIMIT_name (sntp_opt_strs+1704) +#define STEPLIMIT_name (sntp_opt_strs+1718) /** Compiled in flag settings for the steplimit option */ #define STEPLIMIT_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) @@ -334,11 +337,11 @@ static int const aIpv6CantList[] = { * ntpversion option description: */ /** Descriptive text for the ntpversion option */ -#define NTPVERSION_DESC (sntp_opt_strs+1714) +#define NTPVERSION_DESC (sntp_opt_strs+1728) /** Upper-cased name for the ntpversion option */ -#define NTPVERSION_NAME (sntp_opt_strs+1751) +#define NTPVERSION_NAME (sntp_opt_strs+1765) /** Name string for the ntpversion option */ -#define NTPVERSION_name (sntp_opt_strs+1762) +#define NTPVERSION_name (sntp_opt_strs+1776) /** The compiled in default value for the ntpversion option argument */ #define NTPVERSION_DFT_ARG ((char const*)4) /** Compiled in flag settings for the ntpversion option */ @@ -349,11 +352,11 @@ static int const aIpv6CantList[] = { * usereservedport option description: */ /** Descriptive text for the usereservedport option */ -#define USERESERVEDPORT_DESC (sntp_opt_strs+1773) +#define USERESERVEDPORT_DESC (sntp_opt_strs+1787) /** Upper-cased name for the usereservedport option */ -#define USERESERVEDPORT_NAME (sntp_opt_strs+1810) +#define USERESERVEDPORT_NAME (sntp_opt_strs+1824) /** Name string for the usereservedport option */ -#define USERESERVEDPORT_name (sntp_opt_strs+1826) +#define USERESERVEDPORT_name (sntp_opt_strs+1840) /** Compiled in flag settings for the usereservedport option */ #define USERESERVEDPORT_FLAGS (OPTST_DISABLED) @@ -361,11 +364,11 @@ static int const aIpv6CantList[] = { * step option description: */ /** Descriptive text for the step option */ -#define STEP_DESC (sntp_opt_strs+1842) +#define STEP_DESC (sntp_opt_strs+1856) /** Upper-cased name for the step option */ -#define STEP_NAME (sntp_opt_strs+1885) +#define STEP_NAME (sntp_opt_strs+1899) /** Name string for the step option */ -#define STEP_name (sntp_opt_strs+1890) +#define STEP_name (sntp_opt_strs+1904) /** Compiled in flag settings for the step option */ #define STEP_FLAGS (OPTST_DISABLED) @@ -373,11 +376,11 @@ static int const aIpv6CantList[] = { * slew option description: */ /** Descriptive text for the slew option */ -#define SLEW_DESC (sntp_opt_strs+1895) +#define SLEW_DESC (sntp_opt_strs+1909) /** Upper-cased name for the slew option */ -#define SLEW_NAME (sntp_opt_strs+1933) +#define SLEW_NAME (sntp_opt_strs+1947) /** Name string for the slew option */ -#define SLEW_name (sntp_opt_strs+1938) +#define SLEW_name (sntp_opt_strs+1952) /** Compiled in flag settings for the slew option */ #define SLEW_FLAGS (OPTST_DISABLED) @@ -385,11 +388,11 @@ static int const aIpv6CantList[] = { * timeout option description: */ /** Descriptive text for the timeout option */ -#define TIMEOUT_DESC (sntp_opt_strs+1943) +#define TIMEOUT_DESC (sntp_opt_strs+1957) /** Upper-cased name for the timeout option */ -#define TIMEOUT_NAME (sntp_opt_strs+1987) +#define TIMEOUT_NAME (sntp_opt_strs+2001) /** Name string for the timeout option */ -#define TIMEOUT_name (sntp_opt_strs+1995) +#define TIMEOUT_name (sntp_opt_strs+2009) /** The compiled in default value for the timeout option argument */ #define TIMEOUT_DFT_ARG ((char const*)5) /** Compiled in flag settings for the timeout option */ @@ -400,13 +403,13 @@ static int const aIpv6CantList[] = { * wait option description: */ /** Descriptive text for the wait option */ -#define WAIT_DESC (sntp_opt_strs+2003) +#define WAIT_DESC (sntp_opt_strs+2017) /** Upper-cased name for the wait option */ -#define WAIT_NAME (sntp_opt_strs+2054) +#define WAIT_NAME (sntp_opt_strs+2068) /** disablement name for the wait option */ -#define NOT_WAIT_name (sntp_opt_strs+2059) +#define NOT_WAIT_name (sntp_opt_strs+2073) /** disablement prefix for the wait option */ -#define NOT_WAIT_PFX (sntp_opt_strs+2067) +#define NOT_WAIT_PFX (sntp_opt_strs+2081) /** Name string for the wait option */ #define WAIT_name (NOT_WAIT_name + 3) /** Compiled in flag settings for the wait option */ @@ -415,11 +418,11 @@ static int const aIpv6CantList[] = { /* * Help/More_Help/Version option descriptions: */ -#define HELP_DESC (sntp_opt_strs+2070) -#define HELP_name (sntp_opt_strs+2114) +#define HELP_DESC (sntp_opt_strs+2084) +#define HELP_name (sntp_opt_strs+2128) #ifdef HAVE_WORKING_FORK -#define MORE_HELP_DESC (sntp_opt_strs+2119) -#define MORE_HELP_name (sntp_opt_strs+2164) +#define MORE_HELP_DESC (sntp_opt_strs+2133) +#define MORE_HELP_name (sntp_opt_strs+2178) #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT) #else #define MORE_HELP_DESC HELP_DESC @@ -432,14 +435,14 @@ static int const aIpv6CantList[] = { # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT) #endif -#define VER_DESC (sntp_opt_strs+2174) -#define VER_name (sntp_opt_strs+2210) -#define SAVE_OPTS_DESC (sntp_opt_strs+2218) -#define SAVE_OPTS_name (sntp_opt_strs+2257) -#define LOAD_OPTS_DESC (sntp_opt_strs+2267) -#define LOAD_OPTS_NAME (sntp_opt_strs+2299) -#define NO_LOAD_OPTS_name (sntp_opt_strs+2309) -#define LOAD_OPTS_pfx (sntp_opt_strs+2067) +#define VER_DESC (sntp_opt_strs+2188) +#define VER_name (sntp_opt_strs+2224) +#define SAVE_OPTS_DESC (sntp_opt_strs+2232) +#define SAVE_OPTS_name (sntp_opt_strs+2271) +#define LOAD_OPTS_DESC (sntp_opt_strs+2281) +#define LOAD_OPTS_NAME (sntp_opt_strs+2313) +#define NO_LOAD_OPTS_name (sntp_opt_strs+2323) +#define LOAD_OPTS_pfx (sntp_opt_strs+2081) #define LOAD_OPTS_name (NO_LOAD_OPTS_name + 3) /** * Declare option callback procedures @@ -574,7 +577,7 @@ static tOptDesc optDesc[OPTION_CT] = { /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, /* opt state flags */ KEYFILE_FLAGS, 0, - /* last opt argumnt */ { NULL }, /* --keyfile */ + /* last opt argumnt */ { KEYFILE_DFT_ARG }, /* arg list/cookie */ NULL, /* must/cannot opts */ NULL, NULL, /* option proc */ doOptKeyfile, @@ -745,24 +748,24 @@ static tOptDesc optDesc[OPTION_CT] = { /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /** Reference to the upper cased version of sntp. */ -#define zPROGNAME (sntp_opt_strs+2322) +#define zPROGNAME (sntp_opt_strs+2336) /** Reference to the title line for sntp usage. */ -#define zUsageTitle (sntp_opt_strs+2327) +#define zUsageTitle (sntp_opt_strs+2341) /** sntp configuration file name. */ -#define zRcName (sntp_opt_strs+2495) +#define zRcName (sntp_opt_strs+2509) /** Directories to search for sntp config files. */ static char const * const apzHomeList[3] = { - sntp_opt_strs+2487, - sntp_opt_strs+2493, + sntp_opt_strs+2501, + sntp_opt_strs+2507, NULL }; /** The sntp program bug email address. */ -#define zBugsAddr (sntp_opt_strs+2502) +#define zBugsAddr (sntp_opt_strs+2516) /** Clarification/explanation of what sntp does. */ -#define zExplain (sntp_opt_strs+2536) +#define zExplain (sntp_opt_strs+2550) /** Extra detail explaining what sntp does. */ #define zDetail (NULL) /** The full version string for sntp. */ -#define zFullVersion (sntp_opt_strs+2538) +#define zFullVersion (sntp_opt_strs+2552) /* extracted from optcode.tlib near line 364 */ #if defined(ENABLE_NLS) @@ -1173,7 +1176,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via sntpOptions.pzCopyright */ - puts(_("sntp 4.2.8p10\n\ + puts(_("sntp 4.2.8p11\n\ Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the NTP License, copies of which\n\ @@ -1263,7 +1266,7 @@ implied warranty.\n")); puts(_("load options from a config file")); /* referenced via sntpOptions.pzUsageTitle */ - puts(_("sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10\n\ + puts(_("sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p11\n\ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\ \t\t[ hostname-or-IP ...]\n")); @@ -1271,7 +1274,7 @@ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\ puts(_("\n")); /* referenced via sntpOptions.pzFullVersion */ - puts(_("sntp 4.2.8p10")); + puts(_("sntp 4.2.8p11")); /* referenced via sntpOptions.pzFullUsage */ puts(_("<<<NOT-FOUND>>>")); diff --git a/contrib/ntp/sntp/sntp-opts.def b/contrib/ntp/sntp/sntp-opts.def index fcfeaaf..7664b1b 100644 --- a/contrib/ntp/sntp/sntp-opts.def +++ b/contrib/ntp/sntp/sntp-opts.def @@ -128,6 +128,7 @@ flag = { descrip = "Look in this file for the key specified with @option{-a}"; arg-type = file; arg-name = "file-name"; + arg-default = "/etc/ntp.keys"; doc = <<- _EndOfDoc_ This option specifies the keyfile. @code{sntp} will search for the key specified with @option{-a} diff --git a/contrib/ntp/sntp/sntp-opts.h b/contrib/ntp/sntp/sntp-opts.h index 4117ee7..25e2fe8 100644 --- a/contrib/ntp/sntp/sntp-opts.h +++ b/contrib/ntp/sntp/sntp-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (sntp-opts.h) * - * It has been AutoGen-ed March 21, 2017 at 10:36:28 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 10:25:31 AM by AutoGen 5.18.5 * From the definitions sntp-opts.def * and the template file options * @@ -91,9 +91,9 @@ typedef enum { /** count of all options for sntp */ #define OPTION_CT 23 /** sntp version */ -#define SNTP_VERSION "4.2.8p10" +#define SNTP_VERSION "4.2.8p11" /** Full sntp version text */ -#define SNTP_FULL_VERSION "sntp 4.2.8p10" +#define SNTP_FULL_VERSION "sntp 4.2.8p11" /** * Interface defines for all options. Replace "n" with the UPPER_CASED diff --git a/contrib/ntp/sntp/sntp.1sntpman b/contrib/ntp/sntp/sntp.1sntpman index 029f188..8378d45 100644 --- a/contrib/ntp/sntp/sntp.1sntpman +++ b/contrib/ntp/sntp/sntp.1sntpman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH sntp 1sntpman "21 Mar 2017" "4.2.8p10" "User Commands" +.TH sntp 1sntpman "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-aQaqbX/ag-nQaiaX) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-eaayfN/ag-qaaqeN) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:36:45 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:13:07 PM by AutoGen 5.18.5 .\" From the definitions sntp-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -162,6 +162,11 @@ warning message will be displayed. The file will not be created. .TP .NOP \f\*[B-Font]\-k\f[] \f\*[I-Font]file\-name\f[], \f\*[B-Font]\-\-keyfile\f[]=\f\*[I-Font]file\-name\f[] Look in this file for the key specified with \fB-a\fP. +The default +\f\*[I-Font]file\-name\f[] +for this option is: +.ti +4 + /etc/ntp.keys .sp This option specifies the keyfile. \fBsntp\fP will search for the key specified with \fB-a\fP diff --git a/contrib/ntp/sntp/sntp.1sntpmdoc b/contrib/ntp/sntp/sntp.1sntpmdoc index 97092d5..8c9f1a5 100644 --- a/contrib/ntp/sntp/sntp.1sntpmdoc +++ b/contrib/ntp/sntp/sntp.1sntpmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt SNTP 1sntpmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:36:52 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:13:14 PM by AutoGen 5.18.5 .\" From the definitions sntp-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -138,6 +138,11 @@ responses received from servers. If the file does not exist, a warning message will be displayed. The file will not be created. .It Fl k Ar file\-name , Fl \-keyfile Ns = Ns Ar file\-name Look in this file for the key specified with \fB\-a\fP. +The default +.Ar file\-name +for this option is: +.ti +4 + /etc/ntp.keys .sp This option specifies the keyfile. \fBsntp\fP will search for the key specified with \fB\-a\fP diff --git a/contrib/ntp/sntp/sntp.html b/contrib/ntp/sntp/sntp.html index a472333..9121504 100644 --- a/contrib/ntp/sntp/sntp.html +++ b/contrib/ntp/sntp/sntp.html @@ -36,7 +36,7 @@ display the time offset of the system clock relative to the server clock. Run as root, it can correct the system clock to this offset as well. It can be run as an interactive command or from a cron job. - <p>This document applies to version 4.2.8p10 of <code>sntp</code>. + <p>This document applies to version 4.2.8p11 of <code>sntp</code>. <p>The program implements the SNTP protocol as defined by RFC 5905, the NTPv4 IETF specification. @@ -176,58 +176,62 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10 -Usage: sntp [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \ +<pre class="example">sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p245 +USAGE: sntp [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \ [ hostname-or-IP ...] Flg Arg Option-Name Description -4 no ipv4 Force IPv4 DNS name resolution - - prohibits the option 'ipv6' + - prohibits these options: + ipv6 -6 no ipv6 Force IPv6 DNS name resolution - - prohibits the option 'ipv4' - -a Num authentication Enable authentication with the key auth-keynumber + - prohibits these options: + ipv4 + -a Num authentication Enable authentication with the key @var{auth-keynumber} + -B Num bctimeout The number of seconds to wait for broadcasts -b Str broadcast Listen to the address specified for broadcast time sync - may appear multiple times -c Str concurrent Concurrently query all IPs returned for host-name - may appear multiple times -d no debug-level Increase debug verbosity level - may appear multiple times - -D Num set-debug-level Set the debug verbosity level + -D Str set-debug-level Set the debug verbosity level - may appear multiple times -g Num gap The gap (in milliseconds) between time requests -K Fil kod KoD history filename - -k Fil keyfile Look in this file for the key specified with -a + -k Fil keyfile Look in this file for the key specified with @option{-a} -l Fil logfile Log to specified logfile - -M Num steplimit Adjustments less than steplimit msec will be slewed - - it must be in the range: + -M Num steplimit Adjustments less than @var{steplimit} msec will be slewed + - It must be in the range: greater than or equal to 0 - -o Num ntpversion Send int as our NTP protocol version - - it must be in the range: + -o Num ntpversion Send @var{int} as our NTP version + - It must be in the range: 0 to 7 -r no usereservedport Use the NTP Reserved Port (port 123) - -S no step OK to 'step' the time with settimeofday(2) - -s no slew OK to 'slew' the time with adjtime(2) - -t Num timeout The number of seconds to wait for responses + -S no step OK to 'step' the time with @command{settimeofday(2)} + -s no slew OK to 'slew' the time with @command{adjtime(2)} + -u Num uctimeout The number of seconds to wait for unicast responses no wait Wait for pending replies (if not setting the time) - - disabled as '--no-wait' + - disabled as --no-wait - enabled by default - opt version output version information and exit - -? no help display extended usage information and exit - -! no more-help extended usage information passed thru pager - -> opt save-opts save the option state to a config file - -< Str load-opts load options from a config file - - disabled as '--no-load-opts' + opt version Output version information and exit + -? no help Display extended usage information and exit + -! no more-help Extended usage information passed thru pager + -> opt save-opts Save the option state to a config file + -< Str load-opts Load options from a config file + - disabled as --no-load-opts - may appear multiple times Options are specified by doubled hyphens and their name or by a single hyphen and the flag character. + The following option preset mechanisms are supported: - reading file $HOME/.ntprc - reading file ./.ntprc - examining environment variables named SNTP_* -Please send bug reports to: <http://bugs.ntp.org, bugs@ntp.org> +please send bug reports to: http://bugs.ntp.org, bugs@ntp.org </pre> <div class="node"> <p><hr> diff --git a/contrib/ntp/sntp/sntp.man.in b/contrib/ntp/sntp/sntp.man.in index 518f690..9156d05 100644 --- a/contrib/ntp/sntp/sntp.man.in +++ b/contrib/ntp/sntp/sntp.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH sntp @SNTP_MS@ "21 Mar 2017" "4.2.8p10" "User Commands" +.TH sntp @SNTP_MS@ "27 Feb 2018" "4.2.8p11" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-aQaqbX/ag-nQaiaX) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-eaayfN/ag-qaaqeN) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:36:45 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:13:07 PM by AutoGen 5.18.5 .\" From the definitions sntp-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -162,6 +162,11 @@ warning message will be displayed. The file will not be created. .TP .NOP \f\*[B-Font]\-k\f[] \f\*[I-Font]file\-name\f[], \f\*[B-Font]\-\-keyfile\f[]=\f\*[I-Font]file\-name\f[] Look in this file for the key specified with \fB-a\fP. +The default +\f\*[I-Font]file\-name\f[] +for this option is: +.ti +4 + /etc/ntp.keys .sp This option specifies the keyfile. \fBsntp\fP will search for the key specified with \fB-a\fP diff --git a/contrib/ntp/sntp/sntp.mdoc.in b/contrib/ntp/sntp/sntp.mdoc.in index 81a3ff5..a5f9095 100644 --- a/contrib/ntp/sntp/sntp.mdoc.in +++ b/contrib/ntp/sntp/sntp.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt SNTP @SNTP_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:36:52 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:13:14 PM by AutoGen 5.18.5 .\" From the definitions sntp-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -138,6 +138,11 @@ responses received from servers. If the file does not exist, a warning message will be displayed. The file will not be created. .It Fl k Ar file\-name , Fl \-keyfile Ns = Ns Ar file\-name Look in this file for the key specified with \fB\-a\fP. +The default +.Ar file\-name +for this option is: +.ti +4 + /etc/ntp.keys .sp This option specifies the keyfile. \fBsntp\fP will search for the key specified with \fB\-a\fP diff --git a/contrib/ntp/sntp/tests/Makefile.am b/contrib/ntp/sntp/tests/Makefile.am index f7e4815..0a0d280 100644 --- a/contrib/ntp/sntp/tests/Makefile.am +++ b/contrib/ntp/sntp/tests/Makefile.am @@ -21,11 +21,12 @@ DISTCLEANFILES = \ testLogfile2.log \ $(NULL) -std_unity_list = \ - $(srcdir)/../unity/auto/generate_test_runner.rb \ +std_unity_list = \ + $(abs_top_srcdir)/unity/auto/generate_test_runner.rb \ + $(abs_srcdir)/testconf.yml \ $(NULL) -run_unity = cd $(srcdir) && ruby ../unity/auto/generate_test_runner.rb +run_unity = ruby $(std_unity_list) # Use EXTRA_PROGRAMS for test files that are under development but # not production-ready @@ -69,6 +70,7 @@ EXTRA_DIST = \ data/kod-test-blanks \ data/kod-test-correct \ data/kod-test-empty \ + testconf.yml \ $(NULL) CLEANFILES += \ @@ -187,31 +189,31 @@ test_log_SOURCES = \ $(srcdir)/run-kodFile.c: $(srcdir)/kodFile.c $(std_unity_list) - $(run_unity) kodFile.c run-kodFile.c + $(run_unity) $< $@ $(srcdir)/run-keyFile.c: $(srcdir)/keyFile.c $(std_unity_list) - $(run_unity) keyFile.c run-keyFile.c + $(run_unity) $< $@ $(srcdir)/run-kodDatabase.c: $(srcdir)/kodDatabase.c $(std_unity_list) - $(run_unity) kodDatabase.c run-kodDatabase.c + $(run_unity) $< $@ $(srcdir)/run-networking.c: $(srcdir)/networking.c $(std_unity_list) - $(run_unity) networking.c run-networking.c + $(run_unity) $< $@ $(srcdir)/run-packetProcessing.c: $(srcdir)/packetProcessing.c $(std_unity_list) - $(run_unity) packetProcessing.c run-packetProcessing.c + $(run_unity) $< $@ $(srcdir)/run-packetHandling.c: $(srcdir)/packetHandling.c $(std_unity_list) - $(run_unity) packetHandling.c run-packetHandling.c + $(run_unity) $< $@ $(srcdir)/run-utilities.c: $(srcdir)/utilities.c $(std_unity_list) - $(run_unity) utilities.c run-utilities.c + $(run_unity) $< $@ $(srcdir)/run-crypto.c: $(srcdir)/crypto.c $(std_unity_list) - $(run_unity) crypto.c run-crypto.c + $(run_unity) $< $@ $(srcdir)/run-t-log.c: $(srcdir)/t-log.c $(std_unity_list) - $(run_unity) t-log.c run-t-log.c + $(run_unity) $< $@ #$(srcdir)/../version.c: $(srcdir)/../version.c diff --git a/contrib/ntp/sntp/tests/Makefile.in b/contrib/ntp/sntp/tests/Makefile.in index d5a1fec..bd776d8 100644 --- a/contrib/ntp/sntp/tests/Makefile.in +++ b/contrib/ntp/sntp/tests/Makefile.in @@ -749,10 +749,11 @@ DISTCLEANFILES = \ $(NULL) std_unity_list = \ - $(srcdir)/../unity/auto/generate_test_runner.rb \ + $(abs_top_srcdir)/unity/auto/generate_test_runner.rb \ + $(abs_srcdir)/testconf.yml \ $(NULL) -run_unity = cd $(srcdir) && ruby ../unity/auto/generate_test_runner.rb +run_unity = ruby $(std_unity_list) noinst_HEADERS = \ sntptest.h \ $(NULL) @@ -772,6 +773,7 @@ EXTRA_DIST = \ data/kod-test-blanks \ data/kod-test-correct \ data/kod-test-empty \ + testconf.yml \ $(NULL) @@ -1499,31 +1501,31 @@ uninstall-am: $(srcdir)/run-kodFile.c: $(srcdir)/kodFile.c $(std_unity_list) - $(run_unity) kodFile.c run-kodFile.c + $(run_unity) $< $@ $(srcdir)/run-keyFile.c: $(srcdir)/keyFile.c $(std_unity_list) - $(run_unity) keyFile.c run-keyFile.c + $(run_unity) $< $@ $(srcdir)/run-kodDatabase.c: $(srcdir)/kodDatabase.c $(std_unity_list) - $(run_unity) kodDatabase.c run-kodDatabase.c + $(run_unity) $< $@ $(srcdir)/run-networking.c: $(srcdir)/networking.c $(std_unity_list) - $(run_unity) networking.c run-networking.c + $(run_unity) $< $@ $(srcdir)/run-packetProcessing.c: $(srcdir)/packetProcessing.c $(std_unity_list) - $(run_unity) packetProcessing.c run-packetProcessing.c + $(run_unity) $< $@ $(srcdir)/run-packetHandling.c: $(srcdir)/packetHandling.c $(std_unity_list) - $(run_unity) packetHandling.c run-packetHandling.c + $(run_unity) $< $@ $(srcdir)/run-utilities.c: $(srcdir)/utilities.c $(std_unity_list) - $(run_unity) utilities.c run-utilities.c + $(run_unity) $< $@ $(srcdir)/run-crypto.c: $(srcdir)/crypto.c $(std_unity_list) - $(run_unity) crypto.c run-crypto.c + $(run_unity) $< $@ $(srcdir)/run-t-log.c: $(srcdir)/t-log.c $(std_unity_list) - $(run_unity) t-log.c run-t-log.c + $(run_unity) $< $@ check-libsntp: ../libsntp.a @echo stamp > $@ diff --git a/contrib/ntp/sntp/tests/crypto.c b/contrib/ntp/sntp/tests/crypto.c index fb2dc62..64c784d 100644 --- a/contrib/ntp/sntp/tests/crypto.c +++ b/contrib/ntp/sntp/tests/crypto.c @@ -5,17 +5,25 @@ #include "sntptest.h" #include "crypto.h" +#define CMAC "AES128CMAC" + #define MD5_LENGTH 16 #define SHA1_LENGTH 20 +#define CMAC_LENGTH 16 void test_MakeMd5Mac(void); void test_MakeSHA1Mac(void); +void test_MakeCMac(void); void test_VerifyCorrectMD5(void); void test_VerifySHA1(void); +void test_VerifyCMAC(void); void test_VerifyFailure(void); void test_PacketSizeNotMultipleOfFourBytes(void); +void VerifyLocalCMAC(struct key *cmac); +void VerifyOpenSSLCMAC(struct key *cmac); + void test_MakeMd5Mac(void) @@ -31,8 +39,9 @@ test_MakeMd5Mac(void) md5.key_id = 10; md5.key_len = 6; memcpy(&md5.key_seq, "md5seq", md5.key_len); - memcpy(&md5.type, "MD5", 4); - + strlcpy(md5.typen, "MD5", sizeof(md5.typen)); + md5.typei = keytype_from_text(md5.typen, NULL); + TEST_ASSERT_EQUAL(MD5_LENGTH, make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual)); @@ -57,7 +66,8 @@ test_MakeSHA1Mac(void) sha1.key_id = 20; sha1.key_len = 7; memcpy(&sha1.key_seq, "sha1seq", sha1.key_len); - memcpy(&sha1.type, "SHA1", 5); + strlcpy(sha1.typen, "SHA1", sizeof(sha1.typen)); + sha1.typei = keytype_from_text(sha1.typen, NULL); TEST_ASSERT_EQUAL(SHA1_LENGTH, make_mac(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1, actual)); @@ -73,6 +83,38 @@ test_MakeSHA1Mac(void) void +test_MakeCMac(void) +{ +#ifdef OPENSSL + + const char* PKT_DATA = "abcdefgh0123"; + const int PKT_LEN = strlen(PKT_DATA); + const char* EXPECTED_DIGEST = + "\xdd\x35\xd5\xf5\x14\x23\xd9\xd6" + "\x38\x5d\x29\x80\xfe\x51\xb9\x6b"; + char actual[CMAC_LENGTH]; + + struct key cmac; + cmac.next = NULL; + cmac.key_id = 30; + cmac.key_len = CMAC_LENGTH; + memcpy(&cmac.key_seq, "aes-128-cmac-seq", cmac.key_len); + memcpy(&cmac.typen, CMAC, strlen(CMAC) + 1); + + TEST_ASSERT_EQUAL(CMAC_LENGTH, + make_mac(PKT_DATA, PKT_LEN, CMAC_LENGTH, &cmac, actual)); + + TEST_ASSERT_EQUAL_MEMORY(EXPECTED_DIGEST, actual, CMAC_LENGTH); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); + +#endif /* OPENSSL */ +} + + +void test_VerifyCorrectMD5(void) { const char* PKT_DATA = @@ -87,7 +129,8 @@ test_VerifyCorrectMD5(void) md5.key_id = 0; md5.key_len = 6; memcpy(&md5.key_seq, "md5key", md5.key_len); - memcpy(&md5.type, "MD5", 4); + strlcpy(md5.typen, "MD5", sizeof(md5.typen)); + md5.typei = keytype_from_text(md5.typen, NULL); TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5)); } @@ -110,7 +153,8 @@ test_VerifySHA1(void) sha1.key_id = 0; sha1.key_len = 7; memcpy(&sha1.key_seq, "sha1key", sha1.key_len); - memcpy(&sha1.type, "SHA1", 5); + strlcpy(sha1.typen, "SHA1", sizeof(sha1.typen)); + sha1.typei = keytype_from_text(sha1.typen, NULL); TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1)); @@ -121,6 +165,60 @@ test_VerifySHA1(void) #endif /* OPENSSL */ } + +void +test_VerifyCMAC(void) +{ + const char* PKT_DATA = + "sometestdata" /* Data */ + "\0\0\0\0" /* Key-ID (unused) */ + "\x4e\x0c\xf0\xe2\xc7\x8e\xbb\xbf" /* MAC */ + "\x79\xfc\x87\xc7\x8b\xb7\x4a\x0b"; + const int PKT_LEN = 12; + struct key cmac; + + cmac.next = NULL; + cmac.key_id = 0; + cmac.key_len = CMAC_LENGTH; + memcpy(&cmac.key_seq, "aes-128-cmac-key", cmac.key_len); + memcpy(&cmac.typen, CMAC, strlen(CMAC) + 1); + + VerifyOpenSSLCMAC(&cmac); + VerifyLocalCMAC(&cmac); +} + + +void +VerifyOpenSSLCMAC(struct key *cmac) +{ +#ifdef OPENSSL + + /* XXX: HMS: auth_md5 must be renamed/incorrect. */ + // TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, CMAC_LENGTH, cmac)); + TEST_IGNORE_MESSAGE("VerifyOpenSSLCMAC needs to be implemented, skipping..."); + +#else + + TEST_IGNORE_MESSAGE("OpenSSL not found, skipping..."); + +#endif /* OPENSSL */ + return; +} + + +void +VerifyLocalCMAC(struct key *cmac) +{ + + /* XXX: HMS: auth_md5 must be renamed/incorrect. */ + // TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, CMAC_LENGTH, cmac)); + + TEST_IGNORE_MESSAGE("Hook in the local AES-128-CMAC check!"); + + return; +} + + void test_VerifyFailure(void) { @@ -139,7 +237,8 @@ test_VerifyFailure(void) md5.key_id = 0; md5.key_len = 6; memcpy(&md5.key_seq, "md5key", md5.key_len); - memcpy(&md5.type, "MD5", 4); + strlcpy(md5.typen, "MD5", sizeof(md5.typen)); + md5.typei = keytype_from_text(md5.typen, NULL); TEST_ASSERT_FALSE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5)); } @@ -157,7 +256,8 @@ test_PacketSizeNotMultipleOfFourBytes(void) md5.key_id = 10; md5.key_len = 6; memcpy(&md5.key_seq, "md5seq", md5.key_len); - memcpy(&md5.type, "MD5", 4); + strlcpy(md5.typen, "MD5", sizeof(md5.typen)); + md5.typei = keytype_from_text(md5.typen, NULL); TEST_ASSERT_EQUAL(0, make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual)); } diff --git a/contrib/ntp/sntp/tests/keyFile.c b/contrib/ntp/sntp/tests/keyFile.c index 395ca0d..af5acc7 100644 --- a/contrib/ntp/sntp/tests/keyFile.c +++ b/contrib/ntp/sntp/tests/keyFile.c @@ -32,9 +32,9 @@ CompareKeys( expected.key_len, actual.key_len); return FALSE; } - if (strcmp(expected.type, actual.type) != 0) { + if (strcmp(expected.typen, actual.typen) != 0) { printf("Expected key_type: %s but was: %s\n", - expected.type, actual.type); + expected.typen, actual.typen); return FALSE; } @@ -59,7 +59,7 @@ CompareKeysAlternative( temp.key_id = key_id; temp.key_len = key_len; - strlcpy(temp.type, type, sizeof(temp.type)); + strlcpy(temp.typen, type, sizeof(temp.typen)); memcpy(temp.key_seq, key_seq, key_len); return CompareKeys(temp, actual); diff --git a/contrib/ntp/sntp/tests/packetHandling.c b/contrib/ntp/sntp/tests/packetHandling.c index 595efa3..6787eea 100644 --- a/contrib/ntp/sntp/tests/packetHandling.c +++ b/contrib/ntp/sntp/tests/packetHandling.c @@ -84,7 +84,8 @@ test_GenerateAuthenticatedPacket(void) testkey.key_id = 30; testkey.key_len = 9; memcpy(testkey.key_seq, "123456789", testkey.key_len); - memcpy(testkey.type, "MD5", 3); + strlcpy(testkey.typen, "MD5", sizeof(testkey.typen)); + testkey.typei = keytype_from_text(testkey.typen, NULL); GETTIMEOFDAY(&xmt, NULL); xmt.tv_sec += JAN_1970; @@ -106,7 +107,7 @@ test_GenerateAuthenticatedPacket(void) TEST_ASSERT_EQUAL(testkey.key_id, ntohl(testpkt.exten[0])); TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, /* Remove the key_id, only keep the mac. */ - make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN, &testkey, expected_mac)); + make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN-4, &testkey, expected_mac)); TEST_ASSERT_EQUAL_MEMORY(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4); } diff --git a/contrib/ntp/sntp/tests/packetProcessing.c b/contrib/ntp/sntp/tests/packetProcessing.c index 660b5b6..910c561 100644 --- a/contrib/ntp/sntp/tests/packetProcessing.c +++ b/contrib/ntp/sntp/tests/packetProcessing.c @@ -5,6 +5,9 @@ #include "ntp_stdlib.h" #include "unity.h" +#define CMAC "AES128CMAC" +#define CMAC_LENGTH 16 + const char * Version = "stub unit test Version string"; @@ -35,6 +38,7 @@ void test_AcceptNoSentPacketBroadcastMode(void); void test_CorrectUnauthenticatedPacket(void); void test_CorrectAuthenticatedPacketMD5(void); void test_CorrectAuthenticatedPacketSHA1(void); +void test_CorrectAuthenticatedPacketCMAC(void); /* [Bug 2998] There are some issues whith the definition of 'struct pkt' * when AUTOKEY is undefined -- the formal struct is too small to hold @@ -76,7 +80,7 @@ PrepareAuthenticationTest( key_ptr->next = NULL; key_ptr->key_id = key_id; key_ptr->key_len = key_len; - memcpy(key_ptr->type, "MD5", 3); + memcpy(key_ptr->typen, type, strlen(type) + 1); TEST_ASSERT_TRUE(key_len < sizeof(key_ptr->key_seq)); @@ -231,7 +235,7 @@ test_AuthenticatedPacketInvalid(void) testpkt.p.exten[0] = htonl(50); int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MD5_LEN, key_ptr, + MAX_MD5_LEN - KEY_MAC_LEN, key_ptr, &testpkt.p.exten[1]); pkt_len += 4 + mac_len; @@ -259,9 +263,9 @@ test_AuthenticatedPacketUnknownKey(void) testpkt.p.exten[0] = htonl(50); int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MD5_LEN, key_ptr, + MAX_MD5_LEN - KEY_MAC_LEN, key_ptr, &testpkt.p.exten[1]); - pkt_len += 4 + mac_len; + pkt_len += KEY_MAC_LEN + mac_len; TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL, process_pkt(&testpkt.p, &testsock, pkt_len, @@ -424,10 +428,10 @@ test_CorrectAuthenticatedPacketMD5(void) /* Prepare the packet. */ testpkt.p.exten[0] = htonl(10); int mac_len = make_mac(&testpkt.p, pkt_len, - MAX_MD5_LEN, key_ptr, + MAX_MD5_LEN - KEY_MAC_LEN, key_ptr, &testpkt.p.exten[1]); - pkt_len += 4 + mac_len; + pkt_len += KEY_MAC_LEN + mac_len; TEST_ASSERT_EQUAL(pkt_len, process_pkt(&testpkt.p, &testsock, pkt_len, @@ -446,6 +450,28 @@ test_CorrectAuthenticatedPacketSHA1(void) /* Prepare the packet. */ testpkt.p.exten[0] = htonl(20); int mac_len = make_mac(&testpkt.p, pkt_len, + MAX_MDG_LEN, key_ptr, + &testpkt.p.exten[1]); + + pkt_len += KEY_MAC_LEN + mac_len; + + TEST_ASSERT_EQUAL(pkt_len, + process_pkt(&testpkt.p, &testsock, pkt_len, + MODE_SERVER, &testspkt.p, "UnitTest")); +} + + +void +test_CorrectAuthenticatedPacketCMAC(void) +{ + PrepareAuthenticationTest(30, CMAC_LENGTH, CMAC, "abcdefghijklmnop"); + TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION)); + + int pkt_len = LEN_PKT_NOMAC; + + /* Prepare the packet. */ + testpkt.p.exten[0] = htonl(30); + int mac_len = make_mac(&testpkt.p, pkt_len, MAX_MAC_LEN, key_ptr, &testpkt.p.exten[1]); @@ -455,3 +481,4 @@ test_CorrectAuthenticatedPacketSHA1(void) process_pkt(&testpkt.p, &testsock, pkt_len, MODE_SERVER, &testspkt.p, "UnitTest")); } + diff --git a/contrib/ntp/sntp/tests/run-crypto.c b/contrib/ntp/sntp/tests/run-crypto.c index 8b2a735..0d4e94d 100644 --- a/contrib/ntp/sntp/tests/run-crypto.c +++ b/contrib/ntp/sntp/tests/run-crypto.c @@ -32,12 +32,21 @@ extern void setUp(void); extern void tearDown(void); extern void test_MakeMd5Mac(void); extern void test_MakeSHA1Mac(void); +extern void test_MakeCMac(void); extern void test_VerifyCorrectMD5(void); extern void test_VerifySHA1(void); +extern void test_VerifyCMAC(void); extern void test_VerifyFailure(void); extern void test_PacketSizeNotMultipleOfFourBytes(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -53,13 +62,16 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("crypto.c"); - RUN_TEST(test_MakeMd5Mac, 12); - RUN_TEST(test_MakeSHA1Mac, 13); - RUN_TEST(test_VerifyCorrectMD5, 14); - RUN_TEST(test_VerifySHA1, 15); - RUN_TEST(test_VerifyFailure, 16); - RUN_TEST(test_PacketSizeNotMultipleOfFourBytes, 17); + RUN_TEST(test_MakeMd5Mac, 15); + RUN_TEST(test_MakeSHA1Mac, 16); + RUN_TEST(test_MakeCMac, 17); + RUN_TEST(test_VerifyCorrectMD5, 18); + RUN_TEST(test_VerifySHA1, 19); + RUN_TEST(test_VerifyCMAC, 20); + RUN_TEST(test_VerifyFailure, 21); + RUN_TEST(test_PacketSizeNotMultipleOfFourBytes, 22); return (UnityEnd()); } diff --git a/contrib/ntp/sntp/tests/run-keyFile.c b/contrib/ntp/sntp/tests/run-keyFile.c index 8629109..6c1848e 100644 --- a/contrib/ntp/sntp/tests/run-keyFile.c +++ b/contrib/ntp/sntp/tests/run-keyFile.c @@ -38,6 +38,13 @@ extern void test_ReadKeyFileWithComments(void); extern void test_ReadKeyFileWithInvalidHex(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -53,6 +60,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("keyFile.c"); RUN_TEST(test_ReadEmptyKeyFile, 12); RUN_TEST(test_ReadASCIIKeys, 13); diff --git a/contrib/ntp/sntp/tests/run-kodDatabase.c b/contrib/ntp/sntp/tests/run-kodDatabase.c index f655a6a..0d86ee3 100644 --- a/contrib/ntp/sntp/tests/run-kodDatabase.c +++ b/contrib/ntp/sntp/tests/run-kodDatabase.c @@ -41,6 +41,13 @@ extern void test_AddDuplicate(void); extern void test_DeleteEntry(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -56,6 +63,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("kodDatabase.c"); RUN_TEST(test_SingleEntryHandling, 14); RUN_TEST(test_MultipleEntryHandling, 15); diff --git a/contrib/ntp/sntp/tests/run-kodFile.c b/contrib/ntp/sntp/tests/run-kodFile.c index 3943550..07a32d7 100644 --- a/contrib/ntp/sntp/tests/run-kodFile.c +++ b/contrib/ntp/sntp/tests/run-kodFile.c @@ -39,6 +39,13 @@ extern void test_WriteFileWithSingleEntry(void); extern void test_WriteFileWithMultipleEntries(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -54,6 +61,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("kodFile.c"); RUN_TEST(test_ReadEmptyFile, 19); RUN_TEST(test_ReadCorrectFile, 20); diff --git a/contrib/ntp/sntp/tests/run-networking.c b/contrib/ntp/sntp/tests/run-networking.c index 70caaa0..0083ec3 100644 --- a/contrib/ntp/sntp/tests/run-networking.c +++ b/contrib/ntp/sntp/tests/run-networking.c @@ -31,6 +31,13 @@ extern void setUp(void); extern void tearDown(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -46,6 +53,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("networking.c"); return (UnityEnd()); diff --git a/contrib/ntp/sntp/tests/run-packetHandling.c b/contrib/ntp/sntp/tests/run-packetHandling.c index bc20d7f..4cca13b 100644 --- a/contrib/ntp/sntp/tests/run-packetHandling.c +++ b/contrib/ntp/sntp/tests/run-packetHandling.c @@ -47,6 +47,13 @@ extern void test_HandleKodRate(void); extern void test_HandleCorrectPacket(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -62,6 +69,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("packetHandling.c"); RUN_TEST(test_GenerateUnauthenticatedPacket, 17); RUN_TEST(test_GenerateAuthenticatedPacket, 18); diff --git a/contrib/ntp/sntp/tests/run-packetProcessing.c b/contrib/ntp/sntp/tests/run-packetProcessing.c index 38f8552..50144ed 100644 --- a/contrib/ntp/sntp/tests/run-packetProcessing.c +++ b/contrib/ntp/sntp/tests/run-packetProcessing.c @@ -48,8 +48,16 @@ extern void test_AcceptNoSentPacketBroadcastMode(void); extern void test_CorrectUnauthenticatedPacket(void); extern void test_CorrectAuthenticatedPacketMD5(void); extern void test_CorrectAuthenticatedPacketSHA1(void); +extern void test_CorrectAuthenticatedPacketCMAC(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -65,25 +73,27 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("packetProcessing.c"); - RUN_TEST(test_TooShortLength, 20); - RUN_TEST(test_LengthNotMultipleOfFour, 21); - RUN_TEST(test_TooShortExtensionFieldLength, 22); - RUN_TEST(test_UnauthenticatedPacketReject, 23); - RUN_TEST(test_CryptoNAKPacketReject, 24); - RUN_TEST(test_AuthenticatedPacketInvalid, 25); - RUN_TEST(test_AuthenticatedPacketUnknownKey, 26); - RUN_TEST(test_ServerVersionTooOld, 27); - RUN_TEST(test_ServerVersionTooNew, 28); - RUN_TEST(test_NonWantedMode, 29); - RUN_TEST(test_KoDRate, 30); - RUN_TEST(test_KoDDeny, 31); - RUN_TEST(test_RejectUnsyncedServer, 32); - RUN_TEST(test_RejectWrongResponseServerMode, 33); - RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 34); - RUN_TEST(test_CorrectUnauthenticatedPacket, 35); - RUN_TEST(test_CorrectAuthenticatedPacketMD5, 36); - RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 37); + RUN_TEST(test_TooShortLength, 23); + RUN_TEST(test_LengthNotMultipleOfFour, 24); + RUN_TEST(test_TooShortExtensionFieldLength, 25); + RUN_TEST(test_UnauthenticatedPacketReject, 26); + RUN_TEST(test_CryptoNAKPacketReject, 27); + RUN_TEST(test_AuthenticatedPacketInvalid, 28); + RUN_TEST(test_AuthenticatedPacketUnknownKey, 29); + RUN_TEST(test_ServerVersionTooOld, 30); + RUN_TEST(test_ServerVersionTooNew, 31); + RUN_TEST(test_NonWantedMode, 32); + RUN_TEST(test_KoDRate, 33); + RUN_TEST(test_KoDDeny, 34); + RUN_TEST(test_RejectUnsyncedServer, 35); + RUN_TEST(test_RejectWrongResponseServerMode, 36); + RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 37); + RUN_TEST(test_CorrectUnauthenticatedPacket, 38); + RUN_TEST(test_CorrectAuthenticatedPacketMD5, 39); + RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 40); + RUN_TEST(test_CorrectAuthenticatedPacketCMAC, 41); return (UnityEnd()); } diff --git a/contrib/ntp/sntp/tests/run-t-log.c b/contrib/ntp/sntp/tests/run-t-log.c index 8d12345..3532c4e 100644 --- a/contrib/ntp/sntp/tests/run-t-log.c +++ b/contrib/ntp/sntp/tests/run-t-log.c @@ -33,6 +33,13 @@ extern void testOpenLogfileTest(void); extern void testWriteInCustomLogfile(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -48,6 +55,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("t-log.c"); RUN_TEST(testChangePrognameInMysyslog, 10); RUN_TEST(testOpenLogfileTest, 11); diff --git a/contrib/ntp/sntp/tests/run-utilities.c b/contrib/ntp/sntp/tests/run-utilities.c index 7c2237b..0f38845 100644 --- a/contrib/ntp/sntp/tests/run-utilities.c +++ b/contrib/ntp/sntp/tests/run-utilities.c @@ -41,6 +41,13 @@ extern void test_LfpOutputBinaryFormat(void); extern void test_LfpOutputDecimalFormat(void); +//=======Suite Setup===== +static void suite_setup(void) +{ +extern int change_logfile(const char*, int); +change_logfile("stderr", 0); +} + //=======Test Reset Option===== void resetTest(void); void resetTest(void) @@ -56,6 +63,7 @@ char const *progname; int main(int argc, char *argv[]) { progname = argv[0]; + suite_setup(); UnityBegin("utilities.c"); RUN_TEST(test_IPv4Address, 16); RUN_TEST(test_IPv6Address, 17); diff --git a/contrib/ntp/sntp/tests/testconf.yml b/contrib/ntp/sntp/tests/testconf.yml new file mode 100644 index 0000000..6140daa --- /dev/null +++ b/contrib/ntp/sntp/tests/testconf.yml @@ -0,0 +1,9 @@ +# configure the test runner generator to properly set up the tests +# - avoid cluttering the syslogs + +--- +:unity: + :suite_setup: + - extern int change_logfile(const char*, int); + - change_logfile("stderr", 0); + diff --git a/contrib/ntp/sntp/unity/auto/generate_test_runner.rb b/contrib/ntp/sntp/unity/auto/generate_test_runner.rb index 5b1d451..22d10db 100644 --- a/contrib/ntp/sntp/unity/auto/generate_test_runner.rb +++ b/contrib/ntp/sntp/unity/auto/generate_test_runner.rb @@ -246,7 +246,7 @@ class UnityTestRunnerGenerator def create_suite_setup_and_teardown(output) unless (@options[:suite_setup].nil?) output.puts("\n//=======Suite Setup=====") - output.puts("static int suite_setup(void)") + output.puts("static void suite_setup(void)") output.puts("{") output.puts(@options[:suite_setup]) output.puts("}") @@ -323,13 +323,13 @@ class UnityTestRunnerGenerator output.puts(" progname = argv[0];\n") - + modname = filename.split(/[\/\\]/).last output.puts(" suite_setup();") unless @options[:suite_setup].nil? - output.puts(" UnityBegin(\"#{filename}\");") + output.puts(" UnityBegin(\"#{modname}\");") if (@options[:use_param_tests]) tests.each do |test| diff --git a/contrib/ntp/sntp/utilities.c b/contrib/ntp/sntp/utilities.c index 591c4f7..43cd786 100644 --- a/contrib/ntp/sntp/utilities.c +++ b/contrib/ntp/sntp/utilities.c @@ -23,7 +23,7 @@ pkt_output ( if (a > 0 && a % 8 == 0) fprintf(output, "\n"); - fprintf(output, "%d: %x \t", a, pkt[a]); + fprintf(output, "%3d: %02x ", a, pkt[a]); } fprintf(output, "\n"); diff --git a/contrib/ntp/sntp/version.c b/contrib/ntp/sntp/version.c index fba447e..25d4b14 100644 --- a/contrib/ntp/sntp/version.c +++ b/contrib/ntp/sntp/version.c @@ -2,4 +2,4 @@ * version file for sntp */ #include <config.h> -const char * Version = "sntp 4.2.8p10-beta@1.3728-o Tue Mar 21 14:36:42 UTC 2017 (43)"; +const char * Version = "sntp 4.2.8p11@1.3728-o Tue Feb 27 22:59:12 UTC 2018 (50)"; diff --git a/contrib/ntp/util/Makefile.in b/contrib/ntp/util/Makefile.in index 0e11d0d..a7ab7ee 100644 --- a/contrib/ntp/util/Makefile.in +++ b/contrib/ntp/util/Makefile.in @@ -110,6 +110,7 @@ am__aclocal_m4_deps = $(top_srcdir)/sntp/libopts/m4/libopts.m4 \ $(top_srcdir)/sntp/m4/ltsugar.m4 \ $(top_srcdir)/sntp/m4/ltversion.m4 \ $(top_srcdir)/sntp/m4/lt~obsolete.m4 \ + $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \ $(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \ $(top_srcdir)/sntp/m4/ntp_compiler.m4 \ $(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \ @@ -1365,7 +1366,6 @@ install-exec-hook: # check-libntp: ../libntp/libntp.a - @echo stamp > $@ ../libntp/libntp.a: cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a diff --git a/contrib/ntp/util/invoke-ntp-keygen.texi b/contrib/ntp/util/invoke-ntp-keygen.texi index 33af826..2a8d401 100644 --- a/contrib/ntp/util/invoke-ntp-keygen.texi +++ b/contrib/ntp/util/invoke-ntp-keygen.texi @@ -6,7 +6,7 @@ # # EDIT THIS FILE WITH CAUTION (invoke-ntp-keygen.texi) # -# It has been AutoGen-ed March 21, 2017 at 10:45:57 AM by AutoGen 5.18.5 +# It has been AutoGen-ed February 27, 2018 at 05:15:57 PM by AutoGen 5.18.5 # From the definitions ntp-keygen-opts.def # and the template file agtexi-cmd.tpl @end ignore @@ -15,26 +15,29 @@ This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. -All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. -When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -54,222 +57,132 @@ other than Autokey. Some files used by this program are encrypted using a private password. The @code{-p} -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the @code{-q} -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -@code{gethostname()} -function, normally the DNS name of the host is used. +@code{hostname(1)} +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +@code{ntp-keygen} +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. The -@kbd{pw} +@code{pw} option of the -@kbd{crypto} +@code{crypto} +@code{ntpd(1ntpdmdoc)} configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -@kbd{ntpd} -without password but only on the same host. +@code{ntpd(1ntpdmdoc)} +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -@kbd{ntp.keys}, +@file{ntp.keys}, is usually installed in @file{/etc}. Other files and links are usually installed in @file{/usr/local/etc}, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -@kbd{keysdir} -configuration command in such cases. -Normally, this is in -@file{/etc}. +In these cases, NFS clients can specify the files in another +directory such as +@file{/etc} +using the +@code{keysdir} +@code{ntpd(1ntpdmdoc)} +configuration file command. This program directs commentary and error messages to the standard error stream -@kbd{stderr} +@file{stderr} and remote files to the standard output stream -@kbd{stdout} +@file{stdout} where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -@kbd{ntpkey} +@file{ntpkey*} and include the file type, generating host and filestamp, as described in the -@quotedblleft{}Cryptographic Data Files@quotedblright{} +@ref{Cryptographic Data Files} section below. -@subsubsection Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -@file{/usr/local/etc} -When run for the first time, or if all files with names beginning with -@kbd{ntpkey} -have been removed, use the -@code{ntp-keygen} -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. - -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -@code{ntp-keygen} -with the -@code{-T} -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -@code{-S} -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -@code{-c} -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. - -Additional information on trusted groups and identity schemes is on the -@quotedblleft{}Autokey Public-Key Authentication@quotedblright{} -page. - - - -The -@code{ntpd(1ntpdmdoc)} -configuration command -@code{crypto} @code{pw} @kbd{password} -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. - - -File names begin with the prefix -@code{ntpkey_} -and end with the postfix -@kbd{_hostname.filestamp}, -where -@kbd{hostname} -is the owner name, usually the string returned -by the Unix gethostname() routine, and -@kbd{filestamp} -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -@code{rm} @code{ntpkey*} -command or all files generated -at a specific time can be removed by a -@code{rm} -@kbd{*filestamp} -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. - -All files are installed by default in the keys directory -@file{/usr/local/etc}, -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. - -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. - -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -@code{ntpd(1ntpdmdoc)} -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -@code{ntp-keygen} -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -@subsubsection Running the program +@subsubsection Running the Program The safest way to run the @code{ntp-keygen} program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually +The recommended procedure is change to the +@kbd{keys} +directory, usually @file{/usr/local/etc}, then run the program. -When run for the first time, -or if all -@code{ntpkey} -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, + +To test and gain experience with Autokey concepts, log in as root and +change to the +@kbd{keys} +directory, usually +@file{/usr/local/etc}. +When run for the first time, or if all files with names beginning with +@file{ntpkey*} +have been removed, use the +@code{ntp-keygen} +command without arguments to generate a default +@code{RSA} +host key and matching +@code{RSA-MD5} +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +@code{RSA} +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +@code{RSA} +or +@code{DSA} +type. +By default, the message digest type is +@code{MD5}, +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +@code{AES128CMAC}, @code{MD2}, @code{MD5}, @code{MDC2}, @code{SHA}, @code{SHA1} +and +@code{RIPE160} +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +@code{RSA} +sign keys; +however, only +@code{SHA} +and +@code{SHA1} +certificates are compatible with +@code{DSA} +sign keys. Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. @@ -280,19 +193,19 @@ However, the identification parameter files, although encoded as the other files, are probably not compatible with anything other than Autokey. Running the program as other than root and using the Unix -@code{su} +@code{su(1)} command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -@code{.rnd} +@file{.rnd} in the user home directory. However, there should be only one -@code{.rnd}, +@file{.rnd}, most conveniently in the root directory, so it is convenient to define the -@code{$RANDFILE} +.Ev RANDFILE environment variable used by the OpenSSL library as the path to -@code{/.rnd}. +@file{.rnd}. Installing the keys as root might not work in NFS-mounted shared file systems, as NFS clients may not be able to write @@ -302,7 +215,8 @@ directory such as @file{/etc} using the @code{keysdir} -command. +@code{ntpd(1ntpdmdoc)} +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -317,7 +231,6 @@ as the subject and issuer fields, respectively, of the certificate. The owner name is also used for the host and sign key files, while the trusted name is used for the identity files. - All files are installed by default in the keys directory @file{/usr/local/etc}, which is normally in a shared filesystem @@ -336,8 +249,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +@kbd{hostname} +and +@kbd{filestamp} +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. The recommended practice is to keep the file name extensions @@ -346,107 +262,112 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +@code{ntpd(1ntpdmdoc)} +follows it to the file name to extract the +@kbd{filestamp}. If a link is not present, @code{ntpd(1ntpdmdoc)} -extracts the filestamp from the file itself. +extracts the +@kbd{filestamp} +from the file itself. This allows clients to verify that the file and generation times are always current. The @code{ntp-keygen} -program uses the same timestamp extension for all files generated +program uses the same +@kbd{filestamp} +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -@subsubsection Running the program -The safest way to run the + +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using @code{ntp-keygen} -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -@file{/usr/local/etc}, -then run the program. -When run for the first time, -or if all -@code{ntpkey} -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +with the +@code{-T} +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +@code{-S} +option and this can be either +@code{RSA} +or +@code{DSA} +type. +By default, the signature +message digest type is +@code{MD5}, +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +@code{-c} +option. -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. -Running the program as other than root and using the Unix -@code{su} -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -@code{.rnd} -in the user home directory. -However, there should be only one -@code{.rnd}, -most conveniently -in the root directory, so it is convenient to define the -@code{$RANDFILE} -environment variable used by the OpenSSL library as the path to -@code{/.rnd}. +Additional information on trusted groups and identity schemes is on the +@quotedblleft{}Autokey Public-Key Authentication@quotedblright{} +page. -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -@file{/etc} -using the -@code{keysdir} +File names begin with the prefix +@file{ntpkey}_ +and end with the suffix +@file{_}@kbd{hostname}. @kbd{filestamp}, +where +@kbd{hostname} +is the owner name, usually the string returned +by the Unix +@code{hostname(1)} +command, and +@kbd{filestamp} +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +@code{rm} @file{ntpkey*} +command or all files generated +at a specific time can be removed by a +@code{rm} @file{*}@kbd{filestamp} command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. - -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. -s Trusted Hosts and Groups +@subsubsection Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the @ref{Authentication Options} section of @code{ntp.conf(5)}. -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +@code{RSA} +encryption, +@code{MD5} +message digest +and +@code{TC} +identification. First, configure a NTP subnet including one or more low-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -464,7 +385,7 @@ section of On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -@code{ntpkey} +@file{ntpkey} files. Then run @code{ntp-keygen} @@ -489,7 +410,9 @@ is either @code{RSA} or @code{DSA}. -The most often need to do this is when a DSA-signed certificate is used. +The most frequent need to do this is when a +@code{DSA}-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run @code{ntp-keygen} @@ -498,17 +421,17 @@ with the option and selected @kbd{scheme} as needed. -f +If @code{ntp-keygen} is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. After setting up the environment it is advisable to update certificates from time to time, if only to extend the validity interval. Simply run @code{ntp-keygen} with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, @code{ntpd(1ntpdmdoc)} should be restarted. @@ -517,15 +440,18 @@ When is restarted, it loads any new files and restarts the protocol. Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. + @subsubsection Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +@code{TC} +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -"Identification Schemes" -page -(maybe available at -@code{http://www.eecis.udel.edu/%7emills/keygen.html}). +including +@code{PC}, @code{IFF}, @code{GQ} +and +@code{MV} +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -550,12 +476,15 @@ On trusted host alice run @code{-P} @code{-p} @kbd{password} to generate the host key file -@file{ntpkey_RSAkey_}@kbd{alice.filestamp} +@file{ntpkey}_ @code{RSA} @file{key_alice.} @kbd{filestamp} and trusted private certificate file -@file{ntpkey_RSA-MD5_cert_}@kbd{alice.filestamp}. +@file{ntpkey}_ @code{RSA-MD5} @code{_} @file{cert_alice.} @kbd{filestamp}, +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +@kbd{bob} +install a soft link from the generic name @file{ntpkey_host_}@kbd{bob} to the host key file and soft link @file{ntpkey_cert_}@kbd{bob} @@ -564,26 +493,34 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. -For the IFF scheme proceed as in the TC scheme to generate keys +For the +@code{IFF} +scheme proceed as in the +@code{TC} +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +@code{IFF} +parameter file. On trusted host alice run @code{ntp-keygen} @code{-T} @code{-I} @code{-p} @kbd{password} to produce her parameter file -@file{ntpkey_IFFpar_}@kbd{alice.filestamp}, +@file{ntpkey_IFFpar_alice.}@kbd{filestamp}, which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -@file{ntpkey_iff_}@kbd{alice} +@file{ntpkey_iff_alice} to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +@code{IFF} +scheme is independent of keys and certificates, these files can be refreshed as needed. If a rogue client has the parameter file, it could masquerade @@ -593,37 +530,53 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run @code{ntp-keygen} @code{-e} -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -@file{ntpkey_iff_}@kbd{alice} +@file{ntpkey_iff_alice} to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. -For the GQ scheme proceed as in the TC scheme to generate keys +For the +@code{GQ} +scheme proceed as in the +@code{TC} +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +@code{IFF} +parameter file. On trusted host alice run @code{ntp-keygen} @code{-T} @code{-G} @code{-p} @kbd{password} to produce her parameter file -@file{ntpkey_GQpar_}@kbd{alice.filestamp}, +@file{ntpkey_GQpar_alice.}@kbd{filestamp}, which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -@file{ntpkey_gq_}@kbd{alice} +@file{ntpkey_gq_alice} to this file. -In addition, on each host bob install a soft link +In addition, on each host +@kbd{bob} +install a soft link from generic @file{ntpkey_gq_}@kbd{bob} to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +@code{GQ} +scheme updates the +@code{GQ} +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. -For the MV scheme, proceed as in the TC scheme to generate keys +For the +@code{MV} +scheme, proceed as in the +@code{TC} +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -635,9 +588,9 @@ where @kbd{n} is the number of revokable keys (typically 5) to produce the parameter file -@file{ntpkeys_MVpar_}@kbd{trish.filestamp} +@file{ntpkeys_MVpar_trish.}@kbd{filestamp} and client key files -@file{ntpkeys_MVkeyd_}@kbd{trish.filestamp} +@file{ntpkeys_MVkey}@kbd{d} @kbd{_} @file{trish.} @kbd{filestamp} where @kbd{d} is the key number (0 < @@ -646,81 +599,220 @@ is the key number (0 < @kbd{n}). Copy the parameter file to alice and install a soft link from the generic -@file{ntpkey_mv_}@kbd{alice} +@file{ntpkey_mv_alice} to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -@file{ntpkey_mvkey_}@kbd{bob} +@file{ntpkey_mvkey_bob} to the client key file. -As the MV scheme is independent of keys and certificates, +As the +@code{MV} +scheme is independent of keys and certificates, these files can be refreshed as needed. + @subsubsection Command Line Options @table @asis -@item @code{-c} @kbd{scheme} -Select certificate message digest/signature encryption scheme. +@item @code{-b} @code{--imbits}= @kbd{modulus} +Set the number of bits in the identity modulus for generating identity keys to +@kbd{modulus} +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +@item @code{-c} @code{--certificate}= @kbd{scheme} +Select certificate signature encryption/message digest scheme. The @kbd{scheme} can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +@code{RSA-MD2}, @code{RSA-MD5}, @code{RSA-MDC2}, @code{RSA-SHA}, @code{RSA-SHA1}, @code{RSA-RIPEMD160}, @code{DSA-SHA}, or @code{DSA-SHA1}. -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +@code{RSA} +schemes must be used with an +@code{RSA} +sign key and +@code{DSA} +schemes must be used with a +@code{DSA} +sign key. The default without this option is @code{RSA-MD5}. -@item @code{-d} -Enable debugging. +If compatibility with FIPS 140-2 is required, either the +@code{DSA-SHA} +or +@code{DSA-SHA1} +scheme must be used. +@item @code{-C} @code{--cipher}= @kbd{cipher} +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three-key triple DES in CBC mode, +@code{des-ede3-cbc}. +The +@code{openssl} @code{-h} +command provided with OpenSSL displays available ciphers. +@item @code{-d} @code{--debug-level} +Increase debugging verbosity level. This option displays the cryptographic data produced in eye-friendly billboards. -@item @code{-e} -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -@item @code{-G} -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -@item @code{-g} -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -@item @code{-H} -Generate new host keys, obsoleting any that may exist. -@item @code{-I} -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -@item @code{-i} @kbd{name} -Set the suject name to -@kbd{name}. -This is used as the subject field in certificates -and in the file name for host and sign keys. -@item @code{-M} -Generate MD5 keys, obsoleting any that may exist. -@item @code{-P} -Generate a private certificate. +@item @code{-D} @code{--set-debug-level}= @kbd{level} +Set the debugging verbosity to +@kbd{level}. +This option displays the cryptographic data produced in eye-friendly billboards. +@item @code{-e} @code{--id-key} +Write the +@code{IFF} +or +@code{GQ} +public parameters from the +@kbd{IFFkey} @kbd{or} @kbd{GQkey} +client keys file previously specified +as unencrypted data to the standard output stream +@file{stdout}. +This is intended for automatic key distribution by email. +@item @code{-G} @code{--gq-params} +Generate a new encrypted +@code{GQ} +parameters and key file for the Guillou-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +@code{-I} +and +@code{-V} +options. +@item @code{-H} @code{--host-key} +Generate a new encrypted +@code{RSA} +public/private host key file. +@item @code{-I} @code{--iffkey} +Generate a new encrypted +@code{IFF} +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +@code{-G} +and +Fl V +options. +@item @code{-i} @code{--ident}= @kbd{group} +Set the optional Autokey group name to +@kbd{group}. +This is used in the identity scheme parameter file names of +@code{IFF}, @code{GQ}, +and +@code{MV} +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +@code{-i} +or +@code{-s} +following an +@quoteleft{}@@@quoteright{} +character, is also used in certificate subject and issuer names in the form +@kbd{host} @kbd{@@} @kbd{group} +and should match the group specified via +@code{crypto} @code{ident} +or +@code{server} @code{ident} +in the ntpd configuration file. +@item @code{-l} @code{--lifetime}= @kbd{days} +Set the lifetime for certificate expiration to +@kbd{days}. +The default lifetime is one year (365 days). +@item @code{-m} @code{--modulus}= @kbd{bits} +Set the number of bits in the prime modulus for generating files to +@kbd{bits}. +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +@item @code{-M} @code{--md5key} +Generate a new symmetric keys file containing 10 +@code{MD5} +keys, and if OpenSSL is available, 10 +@code{SHA} +keys. +An +@code{MD5} +key is a string of 20 random printable ASCII characters, while a +@code{SHA} +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. +@item @code{-p} @code{--password}= @kbd{passwd} +Set the password for reading and writing encrypted files to +@kbd{passwd}. +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +@code{hostname} +command. +@item @code{-P} @code{--pvt-cert} +Generate a new private certificate used by the +@code{PC} +identity scheme. By default, the program generates public certificates. -@item @code{-p} @kbd{password} -Encrypt generated files containing private data with -@kbd{password} -and the DES-CBC algorithm. -@item @code{-q} -Set the password for reading files to password. -@item @code{-S} @code{[@code{RSA} | @code{DSA}]} -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -@item @code{-s} @kbd{name} -Set the issuer name to -@kbd{name}. -This is used for the issuer field in certificates -and in the file name for identity files. -@item @code{-T} +Note: the PC identity scheme is not recommended for new installations. +@item @code{-q} @code{--export-passwd}= @kbd{passwd} +Set the password for writing encrypted +@code{IFF}, @code{GQ} @code{and} @code{MV} +identity files redirected to +@file{stdout} +to +@kbd{passwd}. +In effect, these files are decrypted with the +@code{-p} +password, then encrypted with the +@code{-q} +password. +By default, the password is the string returned by the Unix +@code{hostname} +command. +@item @code{-s} @code{--subject-key}= @code{[host]} @code{[@@ @kbd{group}]} +Specify the Autokey host name, where +@kbd{host} +is the optional host name and +@kbd{group} +is the optional group name. +The host name, and if provided, group name are used in +@kbd{host} @kbd{@@} @kbd{group} +form as certificate subject and issuer. +Specifying +@code{-s} @code{-@@} @kbd{group} +is allowed, and results in leaving the host name unchanged, as with +@code{-i} @kbd{group}. +The group name, or if no group is provided, the host name are also used in the +file names of +@code{IFF}, @code{GQ}, +and +@code{MV} +identity scheme client parameter files. +If +@kbd{host} +is not specified, the default host name is the string returned by the Unix +@code{hostname} +command. +@item @code{-S} @code{--sign-key}= @code{[@code{RSA} | @code{DSA}]} +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140-2 is required, the sign key type must be +@code{DSA}. +@item @code{-T} @code{--trusted-cert} Generate a trusted certificate. By default, the program generates a non-trusted certificate. -@item @code{-V} @kbd{nkeys} -Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. +@item @code{-V} @code{--mv-params} @kbd{nkeys} +Generate +@kbd{nkeys} +encrypted server keys and parameters for the Mu-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +@code{-I} +and +@code{-G} +options. +Note: support for this option should be considered a work in progress. @end table + @subsubsection Random Seed File All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize @@ -743,7 +835,7 @@ but are outside the scope of this page. The entropy seed used by the OpenSSL library is contained in a file, usually called -@code{.rnd}, +@file{.rnd}, which must be available when starting the NTP daemon or the @code{ntp-keygen} @@ -766,46 +858,124 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -@code{.rnd} +@file{.rnd} file in the user home directory. +Since both the +@code{ntp-keygen} +program and +@code{ntpd(1ntpdmdoc)} +daemon must run as root, the logical place to put this file is in +@file{/.rnd} +or +@file{/root/.rnd}. If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. + @subsubsection Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +@file{ntpkey_}@kbd{key} @kbd{_} @kbd{name}. @kbd{filestamp}, +where +@kbd{key} +is the key or parameter type, +@kbd{name} +is the host or group name and +@kbd{filestamp} +is the filestamp (NTP seconds) when the file was created. +By convention, +@kbd{key} +names in generated file names include both upper and lower case +characters, while +@kbd{key} +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +@file{date} +format. +Lines beginning with +@quoteleft{}#@quoteright{} +are considered comments and ignored by the @code{ntp-keygen} program and @code{ntpd(1ntpdmdoc)} daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. - -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format + +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. + +The format of the symmetric keys file, ordinarily named +@file{ntp.keys}, +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +@verbatim +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 + +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +@end verbatim +@example +Figure 1. Typical Symmetric Key File +@end example + +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format @example @kbd{keyno} @kbd{type} @kbd{key} @end example where @kbd{keyno} -is a positive integer in the range 1-65,535, +is a positive integer in the range 1-65534; @kbd{type} -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +@code{MD5} +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140-2 is required, +the key type must be either +@code{SHA} +or +@code{SHA1}; @kbd{key} is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +@quoteleft{}@quoteright{}! +through +@quoteleft{}~@quoteright{} +) excluding space and the +@quoteleft{}#@quoteright{} +character, and terminated by whitespace or a @quoteleft{}#@quoteright{} character. +An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which +is truncated as necessary. Note that the keys used by the @code{ntpq(1ntpqmdoc)} @@ -818,8 +988,8 @@ in human readable ASCII format. The @code{ntp-keygen} -program generates a MD5 symmetric keys file -@file{ntpkey_MD5key_}@kbd{hostname.filestamp}. +program generates a symmetric keys file +@file{ntpkey_MD5key_}@kbd{hostname}. @kbd{filestamp}. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -853,13 +1023,13 @@ This software is released under the NTP license, <http://ntp.org/license>. * ntp-keygen iffkey:: iffkey option (-I) * ntp-keygen ident:: ident option (-i) * ntp-keygen lifetime:: lifetime option (-l) -* ntp-keygen md5key:: md5key option (-M) * ntp-keygen modulus:: modulus option (-m) +* ntp-keygen md5key:: md5key option (-M) * ntp-keygen pvt-cert:: pvt-cert option (-P) * ntp-keygen password:: password option (-p) * ntp-keygen export-passwd:: export-passwd option (-q) -* ntp-keygen sign-key:: sign-key option (-S) * ntp-keygen subject-name:: subject-name option (-s) +* ntp-keygen sign-key:: sign-key option (-S) * ntp-keygen trusted-cert:: trusted-cert option (-T) * ntp-keygen mv-params:: mv-params option (-V) * ntp-keygen mv-keys:: mv-keys option (-v) @@ -886,17 +1056,14 @@ with a status code of 0. @exampleindent 0 @example -ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10-beta -Usage: ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... +ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p245 +USAGE: ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... Flg Arg Option-Name Description - -b Num imbits identity modulus bits - - it must be in the range: - 256 to 2048 -c Str certificate certificate scheme -C Str cipher privatekey cipher -d no debug-level Increase debug verbosity level - may appear multiple times - -D Num set-debug-level Set the debug verbosity level + -D Str set-debug-level Set the debug verbosity level - may appear multiple times -e no id-key Write IFF or GQ identity keys -G no gq-params Generate GQ parameters and keys @@ -906,34 +1073,35 @@ Usage: ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... -l Num lifetime set certificate lifetime -M no md5key generate MD5 keys -m Num modulus modulus - - it must be in the range: + - It must be in the range: 256 to 2048 -P no pvt-cert generate PC private certificate - -p Str password local private password - -q Str export-passwd export IFF or GQ group keys with password + -p Str pvt-passwd output private password + -q Str get-pvt-passwd input private password -S Str sign-key generate sign key (RSA or DSA) -s Str subject-name set host and optionally group name -T no trusted-cert trusted certificate (TC scheme) -V Num mv-params generate <num> MV parameters -v Num mv-keys update <num> MV keys - opt version output version information and exit - -? no help display extended usage information and exit - -! no more-help extended usage information passed thru pager - -> opt save-opts save the option state to a config file - -< Str load-opts load options from a config file - - disabled as '--no-load-opts' + opt version Output version information and exit + -? no help Display extended usage information and exit + -! no more-help Extended usage information passed thru pager + -> opt save-opts Save the option state to a config file + -< Str load-opts Load options from a config file + - disabled as --no-load-opts - may appear multiple times Options are specified by doubled hyphens and their name or by a single hyphen and the flag character. + The following option preset mechanisms are supported: - reading file $HOME/.ntprc - reading file ./.ntprc - examining environment variables named NTP_KEYGEN_* -Please send bug reports to: <http://bugs.ntp.org, bugs@@ntp.org> +please send bug reports to: http://bugs.ntp.org, bugs@@ntp.org @end example @exampleindent 4 @@ -967,10 +1135,10 @@ must be compiled in by defining @code{AUTOKEY} during the compilation. @end itemize scheme is one of -RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, +RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160, DSA-SHA, or DSA-SHA1. -Select the certificate message digest/signature encryption scheme. +Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA-MD5. @@ -990,7 +1158,7 @@ must be compiled in by defining @code{AUTOKEY} during the compilation. Select the cipher which is used to encrypt the files containing private keys. The default is three-key triple DES in CBC mode, -equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers +equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers available in "@code{openssl -h}" output. @node ntp-keygen id-key @subsection id-key option (-e) @@ -1005,8 +1173,9 @@ This option has some usage constraints. It: must be compiled in by defining @code{AUTOKEY} during the compilation. @end itemize -Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. +Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. @node ntp-keygen gq-params @subsection gq-params option (-G) @cindex ntp-keygen-gq-params @@ -1069,11 +1238,11 @@ Set the optional Autokey group name to name. This is used in the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using @code{-i/--ident} or -using @code{-s/--subject-name} following an '@code{@}' character, -is also a part of the self-signed host certificate's subject and -issuer names in the form @code{host@group} and should match the -'@code{crypto ident}' or '@code{server ident}' configuration in -@code{ntpd}'s configuration file. +using @code{-s/--subject-name} following an '@code{@@}' character, +is also a part of the self-signed host certificate subject and +issuer names in the form @code{host@@group} and should match the +'@code{crypto ident}' or '@code{server ident}' configuration in the +@code{ntpd} configuration file. @node ntp-keygen lifetime @subsection lifetime option (-l) @cindex ntp-keygen-lifetime @@ -1089,17 +1258,11 @@ must be compiled in by defining @code{AUTOKEY} during the compilation. @end itemize Set the certificate expiration to lifetime days from now. -@node ntp-keygen md5key -@subsection md5key option (-M) -@cindex ntp-keygen-md5key - -This is the ``generate md5 keys'' option. -Generate MD5 keys, obsoleting any that may exist. @node ntp-keygen modulus @subsection modulus option (-m) @cindex ntp-keygen-modulus -This is the ``modulus'' option. +This is the ``prime modulus'' option. This option takes a number argument @file{modulus}. @noindent @@ -1110,6 +1273,12 @@ must be compiled in by defining @code{AUTOKEY} during the compilation. @end itemize The number of bits in the prime modulus. The default is 512. +@node ntp-keygen md5key +@subsection md5key option (-M) +@cindex ntp-keygen-md5key + +This is the ``generate symmetric keys'' option. +Generate symmetric keys, obsoleting any that may exist. @node ntp-keygen pvt-cert @subsection pvt-cert option (-P) @cindex ntp-keygen-pvt-cert @@ -1163,23 +1332,6 @@ encrypted with the DES-CBC algorithm and the specified password. The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option --id-key (-e) for unencrypted exports. -@node ntp-keygen sign-key -@subsection sign-key option (-S) -@cindex ntp-keygen-sign-key - -This is the ``generate sign key (rsa or dsa)'' option. -This option takes a string argument @file{sign}. - -@noindent -This option has some usage constraints. It: -@itemize @bullet -@item -must be compiled in by defining @code{AUTOKEY} during the compilation. -@end itemize - -Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. @node ntp-keygen subject-name @subsection subject-name option (-s) @cindex ntp-keygen-subject-name @@ -1195,15 +1347,32 @@ must be compiled in by defining @code{AUTOKEY} during the compilation. @end itemize Set the Autokey host name, and optionally, group name specified -following an '@code{@}' character. The host name is used in the file +following an '@code{@@}' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used -in @code{host@group} form for the host certificate's subject and issuer -fields. Specifying '@code{-s @group}' is allowed, and results in -leaving the host name unchanged while appending @code{@group} to the +in @code{host@@group} form for the host certificate subject and issuer +fields. Specifying '@code{-s @@group}' is allowed, and results in +leaving the host name unchanged while appending @code{@@group} to the subject and issuer fields, as with @code{-i group}. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. +@node ntp-keygen sign-key +@subsection sign-key option (-S) +@cindex ntp-keygen-sign-key + +This is the ``generate sign key (rsa or dsa)'' option. +This option takes a string argument @file{sign}. + +@noindent +This option has some usage constraints. It: +@itemize @bullet +@item +must be compiled in by defining @code{AUTOKEY} during the compilation. +@end itemize + +Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. @node ntp-keygen trusted-cert @subsection trusted-cert option (-T) @cindex ntp-keygen-trusted-cert diff --git a/contrib/ntp/util/ntp-keygen-opts.c b/contrib/ntp/util/ntp-keygen-opts.c index d3ab3ff..6c07f97 100644 --- a/contrib/ntp/util/ntp-keygen-opts.c +++ b/contrib/ntp/util/ntp-keygen-opts.c @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.c) * - * It has been AutoGen-ed March 21, 2017 at 10:45:48 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:15:44 PM by AutoGen 5.18.5 * From the definitions ntp-keygen-opts.def * and the template file options * @@ -71,8 +71,8 @@ extern FILE * option_usage_fp; /** * static const strings for ntp-keygen options */ -static char const ntp_keygen_opt_strs[2422] = -/* 0 */ "ntp-keygen (ntp) 4.2.8p10\n" +static char const ntp_keygen_opt_strs[2442] = +/* 0 */ "ntp-keygen (ntp) 4.2.8p11\n" "Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n" "This is free software. It is licensed for use, modification and\n" "redistribution under the terms of the NTP License, copies of which\n" @@ -122,56 +122,57 @@ static char const ntp_keygen_opt_strs[2422] = /* 1458 */ "set certificate lifetime\0" /* 1483 */ "LIFETIME\0" /* 1492 */ "lifetime\0" -/* 1501 */ "generate MD5 keys\0" -/* 1519 */ "MD5KEY\0" -/* 1526 */ "md5key\0" -/* 1533 */ "modulus\0" -/* 1541 */ "MODULUS\0" -/* 1549 */ "generate PC private certificate\0" -/* 1581 */ "PVT_CERT\0" -/* 1590 */ "pvt-cert\0" -/* 1599 */ "local private password\0" -/* 1622 */ "PASSWORD\0" -/* 1631 */ "password\0" -/* 1640 */ "export IFF or GQ group keys with password\0" -/* 1682 */ "EXPORT_PASSWD\0" -/* 1696 */ "export-passwd\0" -/* 1710 */ "generate sign key (RSA or DSA)\0" -/* 1741 */ "SIGN_KEY\0" -/* 1750 */ "sign-key\0" -/* 1759 */ "set host and optionally group name\0" -/* 1794 */ "SUBJECT_NAME\0" -/* 1807 */ "subject-name\0" -/* 1820 */ "trusted certificate (TC scheme)\0" -/* 1852 */ "TRUSTED_CERT\0" -/* 1865 */ "trusted-cert\0" -/* 1878 */ "generate <num> MV parameters\0" -/* 1907 */ "MV_PARAMS\0" -/* 1917 */ "mv-params\0" -/* 1927 */ "update <num> MV keys\0" -/* 1948 */ "MV_KEYS\0" -/* 1956 */ "mv-keys\0" -/* 1964 */ "display extended usage information and exit\0" -/* 2008 */ "help\0" -/* 2013 */ "extended usage information passed thru pager\0" -/* 2058 */ "more-help\0" -/* 2068 */ "output version information and exit\0" -/* 2104 */ "version\0" -/* 2112 */ "save the option state to a config file\0" -/* 2151 */ "save-opts\0" -/* 2161 */ "load options from a config file\0" -/* 2193 */ "LOAD_OPTS\0" -/* 2203 */ "no-load-opts\0" -/* 2216 */ "no\0" -/* 2219 */ "NTP_KEYGEN\0" -/* 2230 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10\n" +/* 1501 */ "prime modulus\0" +/* 1515 */ "MODULUS\0" +/* 1523 */ "modulus\0" +/* 1531 */ "generate symmetric keys\0" +/* 1555 */ "MD5KEY\0" +/* 1562 */ "md5key\0" +/* 1569 */ "generate PC private certificate\0" +/* 1601 */ "PVT_CERT\0" +/* 1610 */ "pvt-cert\0" +/* 1619 */ "local private password\0" +/* 1642 */ "PASSWORD\0" +/* 1651 */ "password\0" +/* 1660 */ "export IFF or GQ group keys with password\0" +/* 1702 */ "EXPORT_PASSWD\0" +/* 1716 */ "export-passwd\0" +/* 1730 */ "set host and optionally group name\0" +/* 1765 */ "SUBJECT_NAME\0" +/* 1778 */ "subject-name\0" +/* 1791 */ "generate sign key (RSA or DSA)\0" +/* 1822 */ "SIGN_KEY\0" +/* 1831 */ "sign-key\0" +/* 1840 */ "trusted certificate (TC scheme)\0" +/* 1872 */ "TRUSTED_CERT\0" +/* 1885 */ "trusted-cert\0" +/* 1898 */ "generate <num> MV parameters\0" +/* 1927 */ "MV_PARAMS\0" +/* 1937 */ "mv-params\0" +/* 1947 */ "update <num> MV keys\0" +/* 1968 */ "MV_KEYS\0" +/* 1976 */ "mv-keys\0" +/* 1984 */ "display extended usage information and exit\0" +/* 2028 */ "help\0" +/* 2033 */ "extended usage information passed thru pager\0" +/* 2078 */ "more-help\0" +/* 2088 */ "output version information and exit\0" +/* 2124 */ "version\0" +/* 2132 */ "save the option state to a config file\0" +/* 2171 */ "save-opts\0" +/* 2181 */ "load options from a config file\0" +/* 2213 */ "LOAD_OPTS\0" +/* 2223 */ "no-load-opts\0" +/* 2236 */ "no\0" +/* 2239 */ "NTP_KEYGEN\0" +/* 2250 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p11\n" "Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0" -/* 2345 */ "$HOME\0" -/* 2351 */ ".\0" -/* 2353 */ ".ntprc\0" -/* 2360 */ "http://bugs.ntp.org, bugs@ntp.org\0" -/* 2394 */ "\n\0" -/* 2396 */ "ntp-keygen (ntp) 4.2.8p10"; +/* 2365 */ "$HOME\0" +/* 2371 */ ".\0" +/* 2373 */ ".ntprc\0" +/* 2380 */ "http://bugs.ntp.org, bugs@ntp.org\0" +/* 2414 */ "\n\0" +/* 2416 */ "ntp-keygen (ntp) 4.2.8p11"; /** * imbits option description: @@ -384,27 +385,15 @@ static char const ntp_keygen_opt_strs[2422] = #endif /* AUTOKEY */ /** - * md5key option description: - */ -/** Descriptive text for the md5key option */ -#define MD5KEY_DESC (ntp_keygen_opt_strs+1501) -/** Upper-cased name for the md5key option */ -#define MD5KEY_NAME (ntp_keygen_opt_strs+1519) -/** Name string for the md5key option */ -#define MD5KEY_name (ntp_keygen_opt_strs+1526) -/** Compiled in flag settings for the md5key option */ -#define MD5KEY_FLAGS (OPTST_DISABLED) - -/** * modulus option description: */ #ifdef AUTOKEY /** Descriptive text for the modulus option */ -#define MODULUS_DESC (ntp_keygen_opt_strs+1533) +#define MODULUS_DESC (ntp_keygen_opt_strs+1501) /** Upper-cased name for the modulus option */ -#define MODULUS_NAME (ntp_keygen_opt_strs+1541) +#define MODULUS_NAME (ntp_keygen_opt_strs+1515) /** Name string for the modulus option */ -#define MODULUS_name (ntp_keygen_opt_strs+1533) +#define MODULUS_name (ntp_keygen_opt_strs+1523) /** Compiled in flag settings for the modulus option */ #define MODULUS_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) @@ -417,15 +406,27 @@ static char const ntp_keygen_opt_strs[2422] = #endif /* AUTOKEY */ /** + * md5key option description: + */ +/** Descriptive text for the md5key option */ +#define MD5KEY_DESC (ntp_keygen_opt_strs+1531) +/** Upper-cased name for the md5key option */ +#define MD5KEY_NAME (ntp_keygen_opt_strs+1555) +/** Name string for the md5key option */ +#define MD5KEY_name (ntp_keygen_opt_strs+1562) +/** Compiled in flag settings for the md5key option */ +#define MD5KEY_FLAGS (OPTST_DISABLED) + +/** * pvt-cert option description: */ #ifdef AUTOKEY /** Descriptive text for the pvt-cert option */ -#define PVT_CERT_DESC (ntp_keygen_opt_strs+1549) +#define PVT_CERT_DESC (ntp_keygen_opt_strs+1569) /** Upper-cased name for the pvt-cert option */ -#define PVT_CERT_NAME (ntp_keygen_opt_strs+1581) +#define PVT_CERT_NAME (ntp_keygen_opt_strs+1601) /** Name string for the pvt-cert option */ -#define PVT_CERT_name (ntp_keygen_opt_strs+1590) +#define PVT_CERT_name (ntp_keygen_opt_strs+1610) /** Compiled in flag settings for the pvt-cert option */ #define PVT_CERT_FLAGS (OPTST_DISABLED) @@ -441,11 +442,11 @@ static char const ntp_keygen_opt_strs[2422] = */ #ifdef AUTOKEY /** Descriptive text for the password option */ -#define PASSWORD_DESC (ntp_keygen_opt_strs+1599) +#define PASSWORD_DESC (ntp_keygen_opt_strs+1619) /** Upper-cased name for the password option */ -#define PASSWORD_NAME (ntp_keygen_opt_strs+1622) +#define PASSWORD_NAME (ntp_keygen_opt_strs+1642) /** Name string for the password option */ -#define PASSWORD_name (ntp_keygen_opt_strs+1631) +#define PASSWORD_name (ntp_keygen_opt_strs+1651) /** Compiled in flag settings for the password option */ #define PASSWORD_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) @@ -462,11 +463,11 @@ static char const ntp_keygen_opt_strs[2422] = */ #ifdef AUTOKEY /** Descriptive text for the export-passwd option */ -#define EXPORT_PASSWD_DESC (ntp_keygen_opt_strs+1640) +#define EXPORT_PASSWD_DESC (ntp_keygen_opt_strs+1660) /** Upper-cased name for the export-passwd option */ -#define EXPORT_PASSWD_NAME (ntp_keygen_opt_strs+1682) +#define EXPORT_PASSWD_NAME (ntp_keygen_opt_strs+1702) /** Name string for the export-passwd option */ -#define EXPORT_PASSWD_name (ntp_keygen_opt_strs+1696) +#define EXPORT_PASSWD_name (ntp_keygen_opt_strs+1716) /** Compiled in flag settings for the export-passwd option */ #define EXPORT_PASSWD_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) @@ -479,36 +480,15 @@ static char const ntp_keygen_opt_strs[2422] = #endif /* AUTOKEY */ /** - * sign-key option description: - */ -#ifdef AUTOKEY -/** Descriptive text for the sign-key option */ -#define SIGN_KEY_DESC (ntp_keygen_opt_strs+1710) -/** Upper-cased name for the sign-key option */ -#define SIGN_KEY_NAME (ntp_keygen_opt_strs+1741) -/** Name string for the sign-key option */ -#define SIGN_KEY_name (ntp_keygen_opt_strs+1750) -/** Compiled in flag settings for the sign-key option */ -#define SIGN_KEY_FLAGS (OPTST_DISABLED \ - | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) - -#else /* disable sign-key */ -#define SIGN_KEY_FLAGS (OPTST_OMITTED | OPTST_NO_INIT) -#define SIGN_KEY_NAME NULL -#define SIGN_KEY_DESC NULL -#define SIGN_KEY_name NULL -#endif /* AUTOKEY */ - -/** * subject-name option description: */ #ifdef AUTOKEY /** Descriptive text for the subject-name option */ -#define SUBJECT_NAME_DESC (ntp_keygen_opt_strs+1759) +#define SUBJECT_NAME_DESC (ntp_keygen_opt_strs+1730) /** Upper-cased name for the subject-name option */ -#define SUBJECT_NAME_NAME (ntp_keygen_opt_strs+1794) +#define SUBJECT_NAME_NAME (ntp_keygen_opt_strs+1765) /** Name string for the subject-name option */ -#define SUBJECT_NAME_name (ntp_keygen_opt_strs+1807) +#define SUBJECT_NAME_name (ntp_keygen_opt_strs+1778) /** Compiled in flag settings for the subject-name option */ #define SUBJECT_NAME_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) @@ -521,15 +501,36 @@ static char const ntp_keygen_opt_strs[2422] = #endif /* AUTOKEY */ /** + * sign-key option description: + */ +#ifdef AUTOKEY +/** Descriptive text for the sign-key option */ +#define SIGN_KEY_DESC (ntp_keygen_opt_strs+1791) +/** Upper-cased name for the sign-key option */ +#define SIGN_KEY_NAME (ntp_keygen_opt_strs+1822) +/** Name string for the sign-key option */ +#define SIGN_KEY_name (ntp_keygen_opt_strs+1831) +/** Compiled in flag settings for the sign-key option */ +#define SIGN_KEY_FLAGS (OPTST_DISABLED \ + | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING)) + +#else /* disable sign-key */ +#define SIGN_KEY_FLAGS (OPTST_OMITTED | OPTST_NO_INIT) +#define SIGN_KEY_NAME NULL +#define SIGN_KEY_DESC NULL +#define SIGN_KEY_name NULL +#endif /* AUTOKEY */ + +/** * trusted-cert option description: */ #ifdef AUTOKEY /** Descriptive text for the trusted-cert option */ -#define TRUSTED_CERT_DESC (ntp_keygen_opt_strs+1820) +#define TRUSTED_CERT_DESC (ntp_keygen_opt_strs+1840) /** Upper-cased name for the trusted-cert option */ -#define TRUSTED_CERT_NAME (ntp_keygen_opt_strs+1852) +#define TRUSTED_CERT_NAME (ntp_keygen_opt_strs+1872) /** Name string for the trusted-cert option */ -#define TRUSTED_CERT_name (ntp_keygen_opt_strs+1865) +#define TRUSTED_CERT_name (ntp_keygen_opt_strs+1885) /** Compiled in flag settings for the trusted-cert option */ #define TRUSTED_CERT_FLAGS (OPTST_DISABLED) @@ -545,11 +546,11 @@ static char const ntp_keygen_opt_strs[2422] = */ #ifdef AUTOKEY /** Descriptive text for the mv-params option */ -#define MV_PARAMS_DESC (ntp_keygen_opt_strs+1878) +#define MV_PARAMS_DESC (ntp_keygen_opt_strs+1898) /** Upper-cased name for the mv-params option */ -#define MV_PARAMS_NAME (ntp_keygen_opt_strs+1907) +#define MV_PARAMS_NAME (ntp_keygen_opt_strs+1927) /** Name string for the mv-params option */ -#define MV_PARAMS_name (ntp_keygen_opt_strs+1917) +#define MV_PARAMS_name (ntp_keygen_opt_strs+1937) /** Compiled in flag settings for the mv-params option */ #define MV_PARAMS_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) @@ -566,11 +567,11 @@ static char const ntp_keygen_opt_strs[2422] = */ #ifdef AUTOKEY /** Descriptive text for the mv-keys option */ -#define MV_KEYS_DESC (ntp_keygen_opt_strs+1927) +#define MV_KEYS_DESC (ntp_keygen_opt_strs+1947) /** Upper-cased name for the mv-keys option */ -#define MV_KEYS_NAME (ntp_keygen_opt_strs+1948) +#define MV_KEYS_NAME (ntp_keygen_opt_strs+1968) /** Name string for the mv-keys option */ -#define MV_KEYS_name (ntp_keygen_opt_strs+1956) +#define MV_KEYS_name (ntp_keygen_opt_strs+1976) /** Compiled in flag settings for the mv-keys option */ #define MV_KEYS_FLAGS (OPTST_DISABLED \ | OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC)) @@ -585,11 +586,11 @@ static char const ntp_keygen_opt_strs[2422] = /* * Help/More_Help/Version option descriptions: */ -#define HELP_DESC (ntp_keygen_opt_strs+1964) -#define HELP_name (ntp_keygen_opt_strs+2008) +#define HELP_DESC (ntp_keygen_opt_strs+1984) +#define HELP_name (ntp_keygen_opt_strs+2028) #ifdef HAVE_WORKING_FORK -#define MORE_HELP_DESC (ntp_keygen_opt_strs+2013) -#define MORE_HELP_name (ntp_keygen_opt_strs+2058) +#define MORE_HELP_DESC (ntp_keygen_opt_strs+2033) +#define MORE_HELP_name (ntp_keygen_opt_strs+2078) #define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT) #else #define MORE_HELP_DESC HELP_DESC @@ -602,14 +603,14 @@ static char const ntp_keygen_opt_strs[2422] = # define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \ OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT) #endif -#define VER_DESC (ntp_keygen_opt_strs+2068) -#define VER_name (ntp_keygen_opt_strs+2104) -#define SAVE_OPTS_DESC (ntp_keygen_opt_strs+2112) -#define SAVE_OPTS_name (ntp_keygen_opt_strs+2151) -#define LOAD_OPTS_DESC (ntp_keygen_opt_strs+2161) -#define LOAD_OPTS_NAME (ntp_keygen_opt_strs+2193) -#define NO_LOAD_OPTS_name (ntp_keygen_opt_strs+2203) -#define LOAD_OPTS_pfx (ntp_keygen_opt_strs+2216) +#define VER_DESC (ntp_keygen_opt_strs+2088) +#define VER_name (ntp_keygen_opt_strs+2124) +#define SAVE_OPTS_DESC (ntp_keygen_opt_strs+2132) +#define SAVE_OPTS_name (ntp_keygen_opt_strs+2171) +#define LOAD_OPTS_DESC (ntp_keygen_opt_strs+2181) +#define LOAD_OPTS_NAME (ntp_keygen_opt_strs+2213) +#define NO_LOAD_OPTS_name (ntp_keygen_opt_strs+2223) +#define LOAD_OPTS_pfx (ntp_keygen_opt_strs+2236) #define LOAD_OPTS_name (NO_LOAD_OPTS_name + 3) /** * Declare option callback procedures @@ -772,28 +773,28 @@ static tOptDesc optDesc[OPTION_CT] = { /* desc, NAME, name */ LIFETIME_DESC, LIFETIME_NAME, LIFETIME_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 11, VALUE_OPT_MD5KEY, - /* equiv idx, value */ 11, VALUE_OPT_MD5KEY, + { /* entry idx, value */ 11, VALUE_OPT_MODULUS, + /* equiv idx, value */ 11, VALUE_OPT_MODULUS, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, - /* opt state flags */ MD5KEY_FLAGS, 0, - /* last opt argumnt */ { NULL }, /* --md5key */ + /* opt state flags */ MODULUS_FLAGS, 0, + /* last opt argumnt */ { NULL }, /* --modulus */ /* arg list/cookie */ NULL, /* must/cannot opts */ NULL, NULL, - /* option proc */ NULL, - /* desc, NAME, name */ MD5KEY_DESC, MD5KEY_NAME, MD5KEY_name, + /* option proc */ doOptModulus, + /* desc, NAME, name */ MODULUS_DESC, MODULUS_NAME, MODULUS_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 12, VALUE_OPT_MODULUS, - /* equiv idx, value */ 12, VALUE_OPT_MODULUS, + { /* entry idx, value */ 12, VALUE_OPT_MD5KEY, + /* equiv idx, value */ 12, VALUE_OPT_MD5KEY, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, - /* opt state flags */ MODULUS_FLAGS, 0, - /* last opt argumnt */ { NULL }, /* --modulus */ + /* opt state flags */ MD5KEY_FLAGS, 0, + /* last opt argumnt */ { NULL }, /* --md5key */ /* arg list/cookie */ NULL, /* must/cannot opts */ NULL, NULL, - /* option proc */ doOptModulus, - /* desc, NAME, name */ MODULUS_DESC, MODULUS_NAME, MODULUS_name, + /* option proc */ NULL, + /* desc, NAME, name */ MD5KEY_DESC, MD5KEY_NAME, MD5KEY_name, /* disablement strs */ NULL, NULL }, { /* entry idx, value */ 13, VALUE_OPT_PVT_CERT, @@ -832,28 +833,28 @@ static tOptDesc optDesc[OPTION_CT] = { /* desc, NAME, name */ EXPORT_PASSWD_DESC, EXPORT_PASSWD_NAME, EXPORT_PASSWD_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 16, VALUE_OPT_SIGN_KEY, - /* equiv idx, value */ 16, VALUE_OPT_SIGN_KEY, + { /* entry idx, value */ 16, VALUE_OPT_SUBJECT_NAME, + /* equiv idx, value */ 16, VALUE_OPT_SUBJECT_NAME, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, - /* opt state flags */ SIGN_KEY_FLAGS, 0, - /* last opt argumnt */ { NULL }, /* --sign-key */ + /* opt state flags */ SUBJECT_NAME_FLAGS, 0, + /* last opt argumnt */ { NULL }, /* --subject-name */ /* arg list/cookie */ NULL, /* must/cannot opts */ NULL, NULL, /* option proc */ NULL, - /* desc, NAME, name */ SIGN_KEY_DESC, SIGN_KEY_NAME, SIGN_KEY_name, + /* desc, NAME, name */ SUBJECT_NAME_DESC, SUBJECT_NAME_NAME, SUBJECT_NAME_name, /* disablement strs */ NULL, NULL }, - { /* entry idx, value */ 17, VALUE_OPT_SUBJECT_NAME, - /* equiv idx, value */ 17, VALUE_OPT_SUBJECT_NAME, + { /* entry idx, value */ 17, VALUE_OPT_SIGN_KEY, + /* equiv idx, value */ 17, VALUE_OPT_SIGN_KEY, /* equivalenced to */ NO_EQUIVALENT, /* min, max, act ct */ 0, 1, 0, - /* opt state flags */ SUBJECT_NAME_FLAGS, 0, - /* last opt argumnt */ { NULL }, /* --subject-name */ + /* opt state flags */ SIGN_KEY_FLAGS, 0, + /* last opt argumnt */ { NULL }, /* --sign-key */ /* arg list/cookie */ NULL, /* must/cannot opts */ NULL, NULL, /* option proc */ NULL, - /* desc, NAME, name */ SUBJECT_NAME_DESC, SUBJECT_NAME_NAME, SUBJECT_NAME_name, + /* desc, NAME, name */ SIGN_KEY_DESC, SIGN_KEY_NAME, SIGN_KEY_name, /* disablement strs */ NULL, NULL }, { /* entry idx, value */ 18, VALUE_OPT_TRUSTED_CERT, @@ -960,24 +961,24 @@ static tOptDesc optDesc[OPTION_CT] = { /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ /** Reference to the upper cased version of ntp-keygen. */ -#define zPROGNAME (ntp_keygen_opt_strs+2219) +#define zPROGNAME (ntp_keygen_opt_strs+2239) /** Reference to the title line for ntp-keygen usage. */ -#define zUsageTitle (ntp_keygen_opt_strs+2230) +#define zUsageTitle (ntp_keygen_opt_strs+2250) /** ntp-keygen configuration file name. */ -#define zRcName (ntp_keygen_opt_strs+2353) +#define zRcName (ntp_keygen_opt_strs+2373) /** Directories to search for ntp-keygen config files. */ static char const * const apzHomeList[3] = { - ntp_keygen_opt_strs+2345, - ntp_keygen_opt_strs+2351, + ntp_keygen_opt_strs+2365, + ntp_keygen_opt_strs+2371, NULL }; /** The ntp-keygen program bug email address. */ -#define zBugsAddr (ntp_keygen_opt_strs+2360) +#define zBugsAddr (ntp_keygen_opt_strs+2380) /** Clarification/explanation of what ntp-keygen does. */ -#define zExplain (ntp_keygen_opt_strs+2394) +#define zExplain (ntp_keygen_opt_strs+2414) /** Extra detail explaining what ntp-keygen does. */ #define zDetail (NULL) /** The full version string for ntp-keygen. */ -#define zFullVersion (ntp_keygen_opt_strs+2396) +#define zFullVersion (ntp_keygen_opt_strs+2416) /* extracted from optcode.tlib near line 364 */ #if defined(ENABLE_NLS) @@ -1309,7 +1310,7 @@ static void bogus_function(void) { translate option names. */ /* referenced via ntp_keygenOptions.pzCopyright */ - puts(_("ntp-keygen (ntp) 4.2.8p10\n\ + puts(_("ntp-keygen (ntp) 4.2.8p11\n\ Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\ This is free software. It is licensed for use, modification and\n\ redistribution under the terms of the NTP License, copies of which\n\ @@ -1363,10 +1364,10 @@ implied warranty.\n")); puts(_("set certificate lifetime")); /* referenced via ntp_keygenOptions.pOptDesc->pzText */ - puts(_("generate MD5 keys")); + puts(_("prime modulus")); /* referenced via ntp_keygenOptions.pOptDesc->pzText */ - puts(_("modulus")); + puts(_("generate symmetric keys")); /* referenced via ntp_keygenOptions.pOptDesc->pzText */ puts(_("generate PC private certificate")); @@ -1378,10 +1379,10 @@ implied warranty.\n")); puts(_("export IFF or GQ group keys with password")); /* referenced via ntp_keygenOptions.pOptDesc->pzText */ - puts(_("generate sign key (RSA or DSA)")); + puts(_("set host and optionally group name")); /* referenced via ntp_keygenOptions.pOptDesc->pzText */ - puts(_("set host and optionally group name")); + puts(_("generate sign key (RSA or DSA)")); /* referenced via ntp_keygenOptions.pOptDesc->pzText */ puts(_("trusted certificate (TC scheme)")); @@ -1408,14 +1409,14 @@ implied warranty.\n")); puts(_("load options from a config file")); /* referenced via ntp_keygenOptions.pzUsageTitle */ - puts(_("ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10\n\ + puts(_("ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p11\n\ Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n")); /* referenced via ntp_keygenOptions.pzExplain */ puts(_("\n")); /* referenced via ntp_keygenOptions.pzFullVersion */ - puts(_("ntp-keygen (ntp) 4.2.8p10")); + puts(_("ntp-keygen (ntp) 4.2.8p11")); /* referenced via ntp_keygenOptions.pzFullUsage */ puts(_("<<<NOT-FOUND>>>")); diff --git a/contrib/ntp/util/ntp-keygen-opts.def b/contrib/ntp/util/ntp-keygen-opts.def index 3088cf5..f8c39c4 100644 --- a/contrib/ntp/util/ntp-keygen-opts.def +++ b/contrib/ntp/util/ntp-keygen-opts.def @@ -35,10 +35,10 @@ flag = { descrip = "certificate scheme"; doc = <<- _EndOfDoc_ scheme is one of - RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, + RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160, DSA-SHA, or DSA-SHA1. - Select the certificate message digest/signature encryption scheme. + Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA-MD5. @@ -55,7 +55,7 @@ flag = { doc = <<- _EndOfDoc_ Select the cipher which is used to encrypt the files containing private keys. The default is three-key triple DES in CBC mode, - equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers + equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers available in "@code{openssl -h}" output. _EndOfDoc_; }; @@ -68,8 +68,9 @@ flag = { ifdef = AUTOKEY; descrip = "Write IFF or GQ identity keys"; doc = <<- _EndOfDoc_ - Write the IFF or GQ client keys to the standard output. This is - intended for automatic key distribution by mail. + Write the public parameters from the IFF or GQ client keys to + the standard output. + This is intended for automatic key distribution by email. _EndOfDoc_; }; @@ -117,11 +118,11 @@ flag = { the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using @code{-i/--ident} or - using @code{-s/--subject-name} following an '@code{@}' character, - is also a part of the self-signed host certificate's subject and - issuer names in the form @code{host@group} and should match the - '@code{crypto ident}' or '@code{server ident}' configuration in - @code{ntpd}'s configuration file. + using @code{-s/--subject-name} following an '@code{@@}' character, + is also a part of the self-signed host certificate subject and + issuer names in the form @code{host@@group} and should match the + '@code{crypto ident}' or '@code{server ident}' configuration in the + @code{ntpd} configuration file. _EndOfDoc_; }; @@ -138,28 +139,28 @@ flag = { }; flag = { - value = M; - name = md5key; - descrip = "generate MD5 keys"; - doc = <<- _EndOfDoc_ - Generate MD5 keys, obsoleting any that may exist. - _EndOfDoc_; -}; - -flag = { value = m; name = modulus; arg-type = number; arg-name = modulus; arg-range = '256->2048'; ifdef = AUTOKEY; - descrip = "modulus"; + descrip = "prime modulus"; doc = <<- _EndOfDoc_ The number of bits in the prime modulus. The default is 512. _EndOfDoc_; }; flag = { + value = M; + name = md5key; + descrip = "generate symmetric keys"; + doc = <<- _EndOfDoc_ + Generate symmetric keys, obsoleting any that may exist. + _EndOfDoc_; +}; + +flag = { value = P; name = pvt-cert; ifdef = AUTOKEY; @@ -203,20 +204,6 @@ flag = { }; flag = { - value = S; - name = sign-key; - arg-type = string; - arg-name = sign; - ifdef = AUTOKEY; - descrip = "generate sign key (RSA or DSA)"; - doc = <<- _EndOfDoc_ - Generate a new sign key of the designated type, obsoleting any - that may exist. By default, the program uses the host key as the - sign key. - _EndOfDoc_; -}; - -flag = { value = s; name = subject-name; arg-type = string; @@ -225,12 +212,12 @@ flag = { descrip = "set host and optionally group name"; doc = <<- _EndOfDoc_ Set the Autokey host name, and optionally, group name specified - following an '@code{@}' character. The host name is used in the file + following an '@code{@@}' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used - in @code{host@group} form for the host certificate's subject and issuer - fields. Specifying '@code{-s @group}' is allowed, and results in - leaving the host name unchanged while appending @code{@group} to the + in @code{host@@group} form for the host certificate subject and issuer + fields. Specifying '@code{-s @@group}' is allowed, and results in + leaving the host name unchanged while appending @code{@@group} to the subject and issuer fields, as with @code{-i group}. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. @@ -238,6 +225,20 @@ flag = { }; flag = { + value = S; + name = sign-key; + arg-type = string; + arg-name = sign; + ifdef = AUTOKEY; + descrip = "generate sign key (RSA or DSA)"; + doc = <<- _EndOfDoc_ + Generate a new sign key of the designated type, obsoleting any + that may exist. By default, the program uses the host key as the + sign key. + _EndOfDoc_; +}; + +flag = { value = T; name = trusted-cert; ifdef = AUTOKEY; @@ -280,26 +281,29 @@ doc-section = { ds-text = <<- _END_PROG_MDOC_DESCRIP This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .Pp -All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. .Pp -When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -319,222 +323,132 @@ other than Autokey. Some files used by this program are encrypted using a private password. The .Fl p -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the .Fl q -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -.Fn gethostname -function, normally the DNS name of the host is used. +.Xr hostname 1 +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +.Nm +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. .Pp The -.Ar pw +.Cm pw option of the -.Ar crypto +.Ic crypto +.Xr ntpd 1ntpdmdoc configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -.Ar ntpd -without password but only on the same host. +.Xr ntpd 1ntpdmdoc +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. .Pp Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -.Ar ntp.keys , +.Pa ntp.keys , is usually installed in .Pa /etc . Other files and links are usually installed in .Pa /usr/local/etc , which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -.Ar keysdir -configuration command in such cases. -Normally, this is in -.Pa /etc . +In these cases, NFS clients can specify the files in another +directory such as +.Pa /etc +using the +.Ic keysdir +.Xr ntpd 1ntpdmdoc +configuration file command. .Pp This program directs commentary and error messages to the standard error stream -.Ar stderr +.Pa stderr and remote files to the standard output stream -.Ar stdout +.Pa stdout where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -.Ar ntpkey +.Pa ntpkey\&* and include the file type, generating host and filestamp, as described in the -.Dq Cryptographic Data Files +.Sx "Cryptographic Data Files" section below. -.Ss Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -.Pa /usr/local/etc -When run for the first time, or if all files with names beginning with -.Ar ntpkey -have been removed, use the -.Nm -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.Pp -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -.Nm -with the -.Fl T -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.Pp -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -.Fl S -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -.Fl c -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. -.Pp -Additional information on trusted groups and identity schemes is on the -.Dq Autokey Public-Key Authentication -page. - -.Pp -The -.Xr ntpd 1ntpdmdoc -configuration command -.Ic crypto pw Ar password -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. - -.Pp -File names begin with the prefix -.Cm ntpkey_ -and end with the postfix -.Ar _hostname.filestamp , -where -.Ar hostname -is the owner name, usually the string returned -by the Unix gethostname() routine, and -.Ar filestamp -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -.Ic rm ntpkey\&* -command or all files generated -at a specific time can be removed by a -.Ic rm -.Ar \&*filestamp -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.Pp -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.Pp -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.Pp -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd 1ntpdmdoc -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.Nm -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.Ss Running the program +.Ss Running the Program The safest way to run the .Nm program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually +The recommended procedure is change to the +.Ar keys +directory, usually .Pa /usr/local/etc , then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, +.Pp +To test and gain experience with Autokey concepts, log in as root and +change to the +.Ar keys +directory, usually +.Pa /usr/local/etc . +When run for the first time, or if all files with names beginning with +.Pa ntpkey\&* +have been removed, use the +.Nm +command without arguments to generate a default +.Cm RSA +host key and matching +.Cm RSA-MD5 +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +.Cm RSA +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +.Cm RSA +or +.Cm DSA +type. +By default, the message digest type is +.Cm MD5 , +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1 +and +.Cm RIPE160 +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +.Cm RSA +sign keys; +however, only +.Cm SHA +and +.Cm SHA1 +certificates are compatible with +.Cm DSA +sign keys. .Pp Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. @@ -545,19 +459,19 @@ However, the identification parameter files, although encoded as the other files, are probably not compatible with anything other than Autokey. .Pp Running the program as other than root and using the Unix -.Ic su +.Xr su 1 command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.Cm .rnd +.Pa .rnd in the user home directory. However, there should be only one -.Cm .rnd , +.Pa .rnd , most conveniently in the root directory, so it is convenient to define the -.Cm $RANDFILE +.Ev RANDFILE environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +.Pa .rnd . .Pp Installing the keys as root might not work in NFS-mounted shared file systems, as NFS clients may not be able to write @@ -567,7 +481,8 @@ directory such as .Pa /etc using the .Ic keysdir -command. +.Xr ntpd 1ntpdmdoc +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -581,7 +496,6 @@ It is convenient to designate the owner name and trusted name as the subject and issuer fields, respectively, of the certificate. The owner name is also used for the host and sign key files, while the trusted name is used for the identity files. - .Pp All files are installed by default in the keys directory .Pa /usr/local/etc , @@ -601,8 +515,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +.Ar hostname +and +.Ar filestamp +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. .Pp The recommended practice is to keep the file name extensions @@ -611,107 +528,112 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +.Xr ntpd 1ntpdmdoc +follows it to the file name to extract the +.Ar filestamp . If a link is not present, .Xr ntpd 1ntpdmdoc -extracts the filestamp from the file itself. +extracts the +.Ar filestamp +from the file itself. This allows clients to verify that the file and generation times are always current. The .Nm -program uses the same timestamp extension for all files generated +program uses the same +.Ar filestamp +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -.Ss Running the program -The safest way to run the +.Pp +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using .Nm -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +with the +.Fl T +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +.Fl S +option and this can be either +.Cm RSA +or +.Cm DSA +type. +By default, the signature +message digest type is +.Cm MD5 , +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +.Fl c +option. .Pp -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. .Pp -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +Additional information on trusted groups and identity schemes is on the +.Dq Autokey Public-Key Authentication +page. .Pp -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir +File names begin with the prefix +.Pa ntpkey Ns _ +and end with the suffix +.Pa _ Ns Ar hostname . Ar filestamp , +where +.Ar hostname +is the owner name, usually the string returned +by the Unix +.Xr hostname 1 +command, and +.Ar filestamp +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +.Ic rm Pa ntpkey\&* +command or all files generated +at a specific time can be removed by a +.Ic rm Pa \&* Ns Ar filestamp command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.Pp -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. -s Trusted Hosts and Groups +.Ss Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the .Sx Authentication Options section of .Xr ntp.conf 5 . -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +.Cm RSA +encryption, +.Cm MD5 +message digest +and +.Cm TC +identification. First, configure a NTP subnet including one or more low-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -729,7 +651,7 @@ section of .Pp On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -.Cm ntpkey +.Pa ntpkey files. Then run .Nm @@ -754,7 +676,9 @@ is either .Cm RSA or .Cm DSA . -The most often need to do this is when a DSA-signed certificate is used. +The most frequent need to do this is when a +.Cm DSA Ns -signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run .Nm @@ -763,17 +687,17 @@ with the option and selected .Ar scheme as needed. -f +If .Nm is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. .Pp After setting up the environment it is advisable to update certificates from time to time, if only to extend the validity interval. Simply run .Nm with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, .Xr ntpd 1ntpdmdoc should be restarted. @@ -782,15 +706,18 @@ When is restarted, it loads any new files and restarts the protocol. Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. + .Ss Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +.Cm TC +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -.Qq Identification Schemes -page -(maybe available at -.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . +including +.Cm PC , IFF , GQ +and +.Cm MV +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -815,12 +742,15 @@ On trusted host alice run .Fl P .Fl p Ar password to generate the host key file -.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp +.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp and trusted private certificate file -.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp . +.Pa ntpkey Ns _ Cm RSA-MD5 _ Pa cert_alice. Ar filestamp , +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +.Ar bob +install a soft link from the generic name .Pa ntpkey_host_ Ns Ar bob to the host key file and soft link .Pa ntpkey_cert_ Ns Ar bob @@ -829,26 +759,34 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. .Pp -For the IFF scheme proceed as in the TC scheme to generate keys +For the +.Cm IFF +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl I .Fl p Ar password to produce her parameter file -.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , +.Pa ntpkey_IFFpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +.Cm IFF +scheme is independent of keys and certificates, these files can be refreshed as needed. .Pp If a rogue client has the parameter file, it could masquerade @@ -858,37 +796,53 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run .Nm .Fl e -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. .Pp -For the GQ scheme proceed as in the TC scheme to generate keys +For the +.Cm GQ +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl G .Fl p Ar password to produce her parameter file -.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , +.Pa ntpkey_GQpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -.Pa ntpkey_gq_ Ns Ar alice +.Pa ntpkey_gq_alice to this file. -In addition, on each host bob install a soft link +In addition, on each host +.Ar bob +install a soft link from generic .Pa ntpkey_gq_ Ns Ar bob to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +.Cm GQ +scheme updates the +.Cm GQ +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. .Pp -For the MV scheme, proceed as in the TC scheme to generate keys +For the +.Cm MV +scheme, proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -900,9 +854,9 @@ where .Ar n is the number of revokable keys (typically 5) to produce the parameter file -.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp +.Pa ntpkeys_MVpar_trish. Ns Ar filestamp and client key files -.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp +.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp where .Ar d is the key number (0 \&< @@ -911,81 +865,220 @@ is the key number (0 \&< .Ar n ) . Copy the parameter file to alice and install a soft link from the generic -.Pa ntpkey_mv_ Ns Ar alice +.Pa ntpkey_mv_alice to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -.Pa ntpkey_mvkey_ Ns Ar bob +.Pa ntpkey_mvkey_bob to the client key file. -As the MV scheme is independent of keys and certificates, +As the +.Cm MV +scheme is independent of keys and certificates, these files can be refreshed as needed. + .Ss Command Line Options .Bl -tag -width indent -.It Fl c Ar scheme -Select certificate message digest/signature encryption scheme. +.It Fl b Fl -imbits Ns = Ar modulus +Set the number of bits in the identity modulus for generating identity keys to +.Ar modulus +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl c Fl -certificate Ns = Ar scheme +Select certificate signature encryption/message digest scheme. The .Ar scheme can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +.Cm RSA-MD2 , RSA-MD5 , RSA-MDC2 , RSA-SHA , RSA-SHA1 , RSA-RIPEMD160 , DSA-SHA , or .Cm DSA-SHA1 . -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +.Cm RSA +schemes must be used with an +.Cm RSA +sign key and +.Cm DSA +schemes must be used with a +.Cm DSA +sign key. The default without this option is .Cm RSA-MD5 . -.It Fl d -Enable debugging. +If compatibility with FIPS 140-2 is required, either the +.Cm DSA-SHA +or +.Cm DSA-SHA1 +scheme must be used. +.It Fl C Fl -cipher Ns = Ar cipher +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three-key triple DES in CBC mode, +.Cm des-ede3-cbc . +The +.Ic openssl Fl h +command provided with OpenSSL displays available ciphers. +.It Fl d Fl -debug-level +Increase debugging verbosity level. +This option displays the cryptographic data produced in eye-friendly billboards. +.It Fl D Fl -set-debug-level Ns = Ar level +Set the debugging verbosity to +.Ar level . This option displays the cryptographic data produced in eye-friendly billboards. -.It Fl e -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -.It Fl G -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -.It Fl g -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -.It Fl H -Generate new host keys, obsoleting any that may exist. -.It Fl I -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -.It Fl i Ar name -Set the suject name to -.Ar name . -This is used as the subject field in certificates -and in the file name for host and sign keys. -.It Fl M -Generate MD5 keys, obsoleting any that may exist. -.It Fl P -Generate a private certificate. +.It Fl e Fl -id-key +Write the +.Cm IFF +or +.Cm GQ +public parameters from the +.Ar IFFkey or GQkey +client keys file previously specified +as unencrypted data to the standard output stream +.Pa stdout . +This is intended for automatic key distribution by email. +.It Fl G Fl -gq-params +Generate a new encrypted +.Cm GQ +parameters and key file for the Guillou-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl V +options. +.It Fl H Fl -host-key +Generate a new encrypted +.Cm RSA +public/private host key file. +.It Fl I Fl -iffkey +Generate a new encrypted +.Cm IFF +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +.Fl G +and +Fl V +options. +.It Fl i Fl -ident Ns = Ar group +Set the optional Autokey group name to +.Ar group . +This is used in the identity scheme parameter file names of +.Cm IFF , GQ , +and +.Cm MV +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +.Fl i +or +.Fl s +following an +.Ql @@ +character, is also used in certificate subject and issuer names in the form +.Ar host @@ group +and should match the group specified via +.Ic crypto Cm ident +or +.Ic server Cm ident +in the ntpd configuration file. +.It Fl l Fl -lifetime Ns = Ar days +Set the lifetime for certificate expiration to +.Ar days . +The default lifetime is one year (365 days). +.It Fl m Fl -modulus Ns = Ar bits +Set the number of bits in the prime modulus for generating files to +.Ar bits . +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl M Fl -md5key +Generate a new symmetric keys file containing 10 +.Cm MD5 +keys, and if OpenSSL is available, 10 +.Cm SHA +keys. +An +.Cm MD5 +key is a string of 20 random printable ASCII characters, while a +.Cm SHA +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. +.It Fl p Fl -password Ns = Ar passwd +Set the password for reading and writing encrypted files to +.Ar passwd . +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl P Fl -pvt-cert +Generate a new private certificate used by the +.Cm PC +identity scheme. By default, the program generates public certificates. -.It Fl p Ar password -Encrypt generated files containing private data with -.Ar password -and the DES-CBC algorithm. -.It Fl q -Set the password for reading files to password. -.It Fl S Oo Cm RSA | DSA Oc -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -.It Fl s Ar name -Set the issuer name to -.Ar name . -This is used for the issuer field in certificates -and in the file name for identity files. -.It Fl T +Note: the PC identity scheme is not recommended for new installations. +.It Fl q Fl -export-passwd Ns = Ar passwd +Set the password for writing encrypted +.Cm IFF , GQ and MV +identity files redirected to +.Pa stdout +to +.Ar passwd . +In effect, these files are decrypted with the +.Fl p +password, then encrypted with the +.Fl q +password. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl s Fl -subject-key Ns = Ar Oo host Oc Op @@ Ar group +Specify the Autokey host name, where +.Ar host +is the optional host name and +.Ar group +is the optional group name. +The host name, and if provided, group name are used in +.Ar host @@ group +form as certificate subject and issuer. +Specifying +.Fl s @@ Ar group +is allowed, and results in leaving the host name unchanged, as with +.Fl i Ar group . +The group name, or if no group is provided, the host name are also used in the +file names of +.Cm IFF , GQ , +and +.Cm MV +identity scheme client parameter files. +If +.Ar host +is not specified, the default host name is the string returned by the Unix +.Ic hostname +command. +.It Fl S Fl -sign-key Ns = Op Cm RSA | DSA +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140-2 is required, the sign key type must be +.Cm DSA . +.It Fl T Fl -trusted-cert Generate a trusted certificate. By default, the program generates a non-trusted certificate. -.It Fl V Ar nkeys -Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. +.It Fl V Fl -mv-params Ar nkeys +Generate +.Ar nkeys +encrypted server keys and parameters for the Mu-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl G +options. +Note: support for this option should be considered a work in progress. .El + .Ss Random Seed File All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize @@ -1008,14 +1101,14 @@ but are outside the scope of this page. .Pp The entropy seed used by the OpenSSL library is contained in a file, usually called -.Cm .rnd , +.Pa .rnd , which must be available when starting the NTP daemon or the .Nm program. The NTP daemon will first look for the file using the path specified by the -.Ic randfile +.Cm randfile subcommand of the .Ic crypto configuration command. @@ -1031,44 +1124,120 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -.Cm .rnd +.Pa .rnd file in the user home directory. +Since both the +.Nm +program and +.Xr ntpd 1ntpdmdoc +daemon must run as root, the logical place to put this file is in +.Pa /.rnd +or +.Pa /root/.rnd . If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. + .Ss Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp , +where +.Ar key +is the key or parameter type, +.Ar name +is the host or group name and +.Ar filestamp +is the filestamp (NTP seconds) when the file was created. +By convention, +.Ar key +names in generated file names include both upper and lower case +characters, while +.Ar key +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +.Pa date +format. +Lines beginning with +.Ql # +are considered comments and ignored by the .Nm program and .Xr ntpd 1ntpdmdoc daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. .Pp -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format -.D1 Ar keyno type key +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. +.Pp +The format of the symmetric keys file, ordinarily named +.Pa ntp.keys , +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +.Bd -literal -unfilled -offset center +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 + +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +.Ed +.D1 Figure 1. Typical Symmetric Key File +.Pp +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format +.D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1-65,535, +is a positive integer in the range 1-65534; .Ar type -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +.Cm MD5 +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140-2 is required, +the key type must be either +.Cm SHA +or +.Cm SHA1 ; .Ar key is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +.Ql ! +through +.Ql ~ +\&) excluding space and the +.Ql # +character, and terminated by whitespace or a .Ql # character. +An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which +is truncated as necessary. .Pp Note that the keys used by the .Xr ntpq 1ntpqmdoc @@ -1081,8 +1250,8 @@ in human readable ASCII format. .Pp The .Nm -program generates a MD5 symmetric keys file -.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . +program generates a symmetric keys file +.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp . Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -1107,18 +1276,6 @@ doc-section = { ds-type = 'USAGE'; ds-format = 'mdoc'; ds-text = <<- _END_MDOC_USAGE -The -.Fl p Ar password -option specifies the write password and -.Fl q Ar password -option the read password for previously encrypted files. -The -.Nm -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. _END_MDOC_USAGE; }; @@ -1134,10 +1291,7 @@ doc-section = { ds-type = 'BUGS'; ds-format = 'mdoc'; ds-text = <<- _END_MDOC_BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. +It can take quite a while to generate some cryptographic values. .Pp Please report bugs to http://bugs.ntp.org . _END_MDOC_BUGS; diff --git a/contrib/ntp/util/ntp-keygen-opts.h b/contrib/ntp/util/ntp-keygen-opts.h index 15881c2..ab9e8ca 100644 --- a/contrib/ntp/util/ntp-keygen-opts.h +++ b/contrib/ntp/util/ntp-keygen-opts.h @@ -1,7 +1,7 @@ /* * EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.h) * - * It has been AutoGen-ed March 21, 2017 at 10:45:47 AM by AutoGen 5.18.5 + * It has been AutoGen-ed February 27, 2018 at 05:15:43 PM by AutoGen 5.18.5 * From the definitions ntp-keygen-opts.def * and the template file options * @@ -75,13 +75,13 @@ typedef enum { INDEX_OPT_IFFKEY = 8, INDEX_OPT_IDENT = 9, INDEX_OPT_LIFETIME = 10, - INDEX_OPT_MD5KEY = 11, - INDEX_OPT_MODULUS = 12, + INDEX_OPT_MODULUS = 11, + INDEX_OPT_MD5KEY = 12, INDEX_OPT_PVT_CERT = 13, INDEX_OPT_PASSWORD = 14, INDEX_OPT_EXPORT_PASSWD = 15, - INDEX_OPT_SIGN_KEY = 16, - INDEX_OPT_SUBJECT_NAME = 17, + INDEX_OPT_SUBJECT_NAME = 16, + INDEX_OPT_SIGN_KEY = 17, INDEX_OPT_TRUSTED_CERT = 18, INDEX_OPT_MV_PARAMS = 19, INDEX_OPT_MV_KEYS = 20, @@ -94,9 +94,9 @@ typedef enum { /** count of all options for ntp-keygen */ #define OPTION_CT 26 /** ntp-keygen version */ -#define NTP_KEYGEN_VERSION "4.2.8p10" +#define NTP_KEYGEN_VERSION "4.2.8p11" /** Full ntp-keygen version text */ -#define NTP_KEYGEN_FULL_VERSION "ntp-keygen (ntp) 4.2.8p10" +#define NTP_KEYGEN_FULL_VERSION "ntp-keygen (ntp) 4.2.8p11" /** * Interface defines for all options. Replace "n" with the UPPER_CASED @@ -193,14 +193,14 @@ typedef enum { # warning undefining LIFETIME due to option name conflict # undef LIFETIME # endif -# ifdef MD5KEY -# warning undefining MD5KEY due to option name conflict -# undef MD5KEY -# endif # ifdef MODULUS # warning undefining MODULUS due to option name conflict # undef MODULUS # endif +# ifdef MD5KEY +# warning undefining MD5KEY due to option name conflict +# undef MD5KEY +# endif # ifdef PVT_CERT # warning undefining PVT_CERT due to option name conflict # undef PVT_CERT @@ -213,14 +213,14 @@ typedef enum { # warning undefining EXPORT_PASSWD due to option name conflict # undef EXPORT_PASSWD # endif -# ifdef SIGN_KEY -# warning undefining SIGN_KEY due to option name conflict -# undef SIGN_KEY -# endif # ifdef SUBJECT_NAME # warning undefining SUBJECT_NAME due to option name conflict # undef SUBJECT_NAME # endif +# ifdef SIGN_KEY +# warning undefining SIGN_KEY due to option name conflict +# undef SIGN_KEY +# endif # ifdef TRUSTED_CERT # warning undefining TRUSTED_CERT due to option name conflict # undef TRUSTED_CERT @@ -245,13 +245,13 @@ typedef enum { # undef IFFKEY # undef IDENT # undef LIFETIME -# undef MD5KEY # undef MODULUS +# undef MD5KEY # undef PVT_CERT # undef PASSWORD # undef EXPORT_PASSWD -# undef SIGN_KEY # undef SUBJECT_NAME +# undef SIGN_KEY # undef TRUSTED_CERT # undef MV_PARAMS # undef MV_KEYS @@ -280,16 +280,16 @@ typedef enum { #ifdef AUTOKEY #define OPT_VALUE_LIFETIME (DESC(LIFETIME).optArg.argInt) #endif /* AUTOKEY */ -#define VALUE_OPT_MD5KEY 'M' #define VALUE_OPT_MODULUS 'm' #ifdef AUTOKEY #define OPT_VALUE_MODULUS (DESC(MODULUS).optArg.argInt) #endif /* AUTOKEY */ +#define VALUE_OPT_MD5KEY 'M' #define VALUE_OPT_PVT_CERT 'P' #define VALUE_OPT_PASSWORD 'p' #define VALUE_OPT_EXPORT_PASSWD 'q' -#define VALUE_OPT_SIGN_KEY 'S' #define VALUE_OPT_SUBJECT_NAME 's' +#define VALUE_OPT_SIGN_KEY 'S' #define VALUE_OPT_TRUSTED_CERT 'T' #define VALUE_OPT_MV_PARAMS 'V' #ifdef AUTOKEY diff --git a/contrib/ntp/util/ntp-keygen.1ntp-keygenman b/contrib/ntp/util/ntp-keygen.1ntp-keygenman index 1a309ee..5b942d8 100644 --- a/contrib/ntp/util/ntp-keygen.1ntp-keygenman +++ b/contrib/ntp/util/ntp-keygen.1ntp-keygenman @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp-keygen 1ntp-keygenman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntp-keygen 1ntp-keygenman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-uUaiiy/ag-lVaahy) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bBa46V/ag-nBaW5V) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:54 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:53 PM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -36,30 +36,33 @@ All arguments must be options. .SH DESCRIPTION This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .sp \n(Ppu .ne 2 -All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. .sp \n(Ppu .ne 2 -When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -83,27 +86,38 @@ other than Autokey. Some files used by this program are encrypted using a private password. The \f\*[B-Font]\-p\f[] -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the \f\*[B-Font]\-q\f[] -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -\fBgethostname\f[]\fR()\f[] -function, normally the DNS name of the host is used. +\fChostname\f[]\fR(1)\f[] +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +\f\*[B-Font]ntp-keygen\fP +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. .sp \n(Ppu .ne 2 The -\f\*[I-Font]pw\f[] +\f\*[B-Font]pw\f[] option of the -\f\*[I-Font]crypto\f[] +\f\*[B-Font]crypto\f[] +\fCntpd\f[]\fR(1ntpdmdoc)\f[] configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -\f\*[I-Font]ntpd\f[] -without password but only on the same host. +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. .sp \n(Ppu .ne 2 @@ -111,215 +125,102 @@ Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -\f\*[I-Font]ntp.keys\f[], +\fIntp.keys\f[], is usually installed in \fI/etc\f[]. Other files and links are usually installed in \fI/usr/local/etc\f[], which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -\f\*[I-Font]keysdir\f[] -configuration command in such cases. -Normally, this is in -\fI/etc\f[]. +In these cases, NFS clients can specify the files in another +directory such as +\fI/etc\f[] +using the +\f\*[B-Font]keysdir\f[] +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +configuration file command. .sp \n(Ppu .ne 2 This program directs commentary and error messages to the standard error stream -\f\*[I-Font]stderr\f[] +\fIstderr\f[] and remote files to the standard output stream -\f\*[I-Font]stdout\f[] +\fIstdout\f[] where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -\f\*[I-Font]ntpkey\f[] +\fIntpkey\&*\f[] and include the file type, generating host and filestamp, as described in the -\*[Lq]Cryptographic Data Files\*[Rq] +\fICryptographic Data Files\f[] section below. .SS Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -\fI/usr/local/etc\f[] -When run for the first time, or if all files with names beginning with -\f\*[I-Font]ntpkey\f[] -have been removed, use the -\f\*[B-Font]ntp-keygen\fP -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.sp \n(Ppu -.ne 2 - -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using +The safest way to run the \f\*[B-Font]ntp-keygen\fP -with the -\f\*[B-Font]\-T\f[] -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.sp \n(Ppu -.ne 2 - -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -\f\*[B-Font]\-S\f[] -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -\f\*[B-Font]\-c\f[] -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. -.sp \n(Ppu -.ne 2 - -Additional information on trusted groups and identity schemes is on the -\*[Lq]Autokey Public-Key Authentication\*[Rq] -page. -.sp \n(Ppu -.ne 2 - -The -\fCntpd\f[]\fR(1ntpdmdoc)\f[] -configuration command -\f\*[B-Font]crypto\f[] \f\*[B-Font]pw\f[] \f\*[I-Font]password\f[] -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.sp \n(Ppu -.ne 2 - -File names begin with the prefix -\f\*[B-Font]ntpkey_\f[] -and end with the postfix -\f\*[I-Font]_hostname.filestamp\f[], -where -\f\*[I-Font]hostname\f[] -is the owner name, usually the string returned -by the Unix gethostname() routine, and -\f\*[I-Font]filestamp\f[] -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -\f\*[B-Font]rm\f[] \f\*[B-Font]ntpkey\&*\f[] -command or all files generated -at a specific time can be removed by a -\f\*[B-Font]rm\f[] -\f\*[I-Font]\&*filestamp\f[] -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.sp \n(Ppu -.ne 2 - -All files are installed by default in the keys directory +program is logged in directly as root. +The recommended procedure is change to the +\f\*[I-Font]keys\f[] +directory, usually \fI/usr/local/etc\f[], -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.sp \n(Ppu -.ne 2 - -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. +then run the program. .sp \n(Ppu .ne 2 -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -\fCntpd\f[]\fR(1ntpdmdoc)\f[] -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -\f\*[B-Font]ntp-keygen\fP -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.SS Running the program -The safest way to run the +To test and gain experience with Autokey concepts, log in as root and +change to the +\f\*[I-Font]keys\f[] +directory, usually +\fI/usr/local/etc\f[]. +When run for the first time, or if all files with names beginning with +\fIntpkey\&*\f[] +have been removed, use the \f\*[B-Font]ntp-keygen\fP -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -\fI/usr/local/etc\f[], -then run the program. -When run for the first time, -or if all -\f\*[B-Font]ntpkey\f[] -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, +command without arguments to generate a default +\f\*[B-Font]RSA\f[] +host key and matching +\f\*[B-Font]RSA-MD5\f[] +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. .sp \n(Ppu .ne 2 -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +\f\*[B-Font]RSA\f[] +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +\f\*[B-Font]RSA\f[] +or +\f\*[B-Font]DSA\f[] +type. +By default, the message digest type is +\f\*[B-Font]MD5\f[], +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +\f\*[B-Font]AES128CMAC\f[], \f\*[B-Font]MD2\f[], \f\*[B-Font]MD5\f[], \f\*[B-Font]MDC2\f[], \f\*[B-Font]SHA\f[], \f\*[B-Font]SHA1\f[] +and +\f\*[B-Font]RIPE160\f[] +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +\f\*[B-Font]RSA\f[] +sign keys; +however, only +\f\*[B-Font]SHA\f[] +and +\f\*[B-Font]SHA1\f[] +certificates are compatible with +\f\*[B-Font]DSA\f[] +sign keys. .sp \n(Ppu .ne 2 @@ -334,19 +235,19 @@ as the other files, are probably not compatible with anything other than Autokey .ne 2 Running the program as other than root and using the Unix -\f\*[B-Font]su\f[] +\fCsu\f[]\fR(1)\f[] command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -\f\*[B-Font].rnd\f[] +\fI.rnd\f[] in the user home directory. However, there should be only one -\f\*[B-Font].rnd\f[], +\fI.rnd\f[], most conveniently in the root directory, so it is convenient to define the -\f\*[B-Font]$RANDFILE\f[] +RANDFILE environment variable used by the OpenSSL library as the path to -\f\*[B-Font]/.rnd\f[]. +\fI.rnd\f[]. .sp \n(Ppu .ne 2 @@ -358,7 +259,8 @@ directory such as \fI/etc\f[] using the \f\*[B-Font]keysdir\f[] -command. +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -397,8 +299,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +\f\*[I-Font]hostname\f[] +and +\f\*[I-Font]filestamp\f[] +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. .sp \n(Ppu .ne 2 @@ -409,116 +314,121 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +follows it to the file name to extract the +\f\*[I-Font]filestamp\f[]. If a link is not present, \fCntpd\f[]\fR(1ntpdmdoc)\f[] -extracts the filestamp from the file itself. +extracts the +\f\*[I-Font]filestamp\f[] +from the file itself. This allows clients to verify that the file and generation times are always current. The \f\*[B-Font]ntp-keygen\fP -program uses the same timestamp extension for all files generated +program uses the same +\f\*[I-Font]filestamp\f[] +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -.SS Running the program -The safest way to run the -\f\*[B-Font]ntp-keygen\fP -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -\fI/usr/local/etc\f[], -then run the program. -When run for the first time, -or if all -\f\*[B-Font]ntpkey\f[] -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. .sp \n(Ppu .ne 2 -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using +\f\*[B-Font]ntp-keygen\fP +with the +\f\*[B-Font]\-T\f[] +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. .sp \n(Ppu .ne 2 -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +\f\*[B-Font]\-S\f[] +option and this can be either +\f\*[B-Font]RSA\f[] +or +\f\*[B-Font]DSA\f[] +type. +By default, the signature +message digest type is +\f\*[B-Font]MD5\f[], +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +\f\*[B-Font]\-c\f[] +option. .sp \n(Ppu .ne 2 -Running the program as other than root and using the Unix -\f\*[B-Font]su\f[] -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -\f\*[B-Font].rnd\f[] -in the user home directory. -However, there should be only one -\f\*[B-Font].rnd\f[], -most conveniently -in the root directory, so it is convenient to define the -\f\*[B-Font]$RANDFILE\f[] -environment variable used by the OpenSSL library as the path to -\f\*[B-Font]/.rnd\f[]. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. .sp \n(Ppu .ne 2 -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -\fI/etc\f[] -using the -\f\*[B-Font]keysdir\f[] -command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. +Additional information on trusted groups and identity schemes is on the +\*[Lq]Autokey Public-Key Authentication\*[Rq] +page. .sp \n(Ppu .ne 2 -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups +File names begin with the prefix +\fIntpkey\f[]_ +and end with the suffix +\fI_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[], +where +\f\*[I-Font]hostname\f[] +is the owner name, usually the string returned +by the Unix +\fChostname\f[]\fR(1)\f[] +command, and +\f\*[I-Font]filestamp\f[] +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +\f\*[B-Font]rm\f[] \fIntpkey\&*\f[] +command or all files generated +at a specific time can be removed by a +\f\*[B-Font]rm\f[] \fI\&*\f[]\f\*[I-Font]filestamp\f[] +command. +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. +.SS Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the \fIAuthentication\f[] \fIOptions\f[] section of \fCntp.conf\f[]\fR(5)\f[]. -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +\f\*[B-Font]RSA\f[] +encryption, +\f\*[B-Font]MD5\f[] +message digest +and +\f\*[B-Font]TC\f[] +identification. First, configure a NTP subnet including one or more low-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -538,7 +448,7 @@ section of On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -\f\*[B-Font]ntpkey\f[] +\fIntpkey\f[] files. Then run \f\*[B-Font]ntp-keygen\fP @@ -565,7 +475,9 @@ is either \f\*[B-Font]RSA\f[] or \f\*[B-Font]DSA\f[]. -The most often need to do this is when a DSA-signed certificate is used. +The most frequent need to do this is when a +\f\*[B-Font]DSA\f[]\-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run \f\*[B-Font]ntp-keygen\fP @@ -574,10 +486,10 @@ with the option and selected \f\*[I-Font]scheme\f[] as needed. -f +If \f\*[B-Font]ntp-keygen\fP is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. .sp \n(Ppu .ne 2 @@ -586,7 +498,7 @@ from time to time, if only to extend the validity interval. Simply run \f\*[B-Font]ntp-keygen\fP with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, \fCntpd\f[]\fR(1ntpdmdoc)\f[] should be restarted. @@ -597,13 +509,15 @@ Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. .SS Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +\f\*[B-Font]TC\f[] +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -"Identification Schemes" -page -(maybe available at -\f[C]http://www.eecis.udel.edu/%7emills/keygen.html\f[]). +including +\f\*[B-Font]PC\f[], \f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[] +and +\f\*[B-Font]MV\f[] +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -632,12 +546,15 @@ On trusted host alice run \f\*[B-Font]\-P\f[] \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] to generate the host key file -\fIntpkey_RSAkey_\f[]\f\*[I-Font]alice.filestamp\f[] +\fIntpkey\f[]_ \f\*[B-Font]RSA\f[] \fIkey_alice.\f[] \f\*[I-Font]filestamp\f[] and trusted private certificate file -\fIntpkey_RSA-MD5_cert_\f[]\f\*[I-Font]alice.filestamp\f[]. +\fIntpkey\f[]_ \f\*[B-Font]RSA-MD5\f[] \f\*[B-Font]_\f[] \fIcert_alice.\f[] \f\*[I-Font]filestamp\f[], +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +\f\*[I-Font]bob\f[] +install a soft link from the generic name \fIntpkey_host_\f[]\f\*[I-Font]bob\f[] to the host key file and soft link \fIntpkey_cert_\f[]\f\*[I-Font]bob\f[] @@ -646,28 +563,36 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. .sp \n(Ppu .ne 2 -For the IFF scheme proceed as in the TC scheme to generate keys +For the +\f\*[B-Font]IFF\f[] +scheme proceed as in the +\f\*[B-Font]TC\f[] +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +\f\*[B-Font]IFF\f[] +parameter file. On trusted host alice run \f\*[B-Font]ntp-keygen\fP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-I\f[] \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] to produce her parameter file -\fIntpkey_IFFpar_\f[]\f\*[I-Font]alice.filestamp\f[], +\fIntpkey_IFFpar_alice.\f[]\f\*[I-Font]filestamp\f[], which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_iff_alice\f[] to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +\f\*[B-Font]IFF\f[] +scheme is independent of keys and certificates, these files can be refreshed as needed. .sp \n(Ppu .ne 2 @@ -679,41 +604,57 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run \f\*[B-Font]ntp-keygen\fP \f\*[B-Font]\-e\f[] -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_iff_alice\f[] to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. .sp \n(Ppu .ne 2 -For the GQ scheme proceed as in the TC scheme to generate keys +For the +\f\*[B-Font]GQ\f[] +scheme proceed as in the +\f\*[B-Font]TC\f[] +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +\f\*[B-Font]IFF\f[] +parameter file. On trusted host alice run \f\*[B-Font]ntp-keygen\fP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-G\f[] \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] to produce her parameter file -\fIntpkey_GQpar_\f[]\f\*[I-Font]alice.filestamp\f[], +\fIntpkey_GQpar_alice.\f[]\f\*[I-Font]filestamp\f[], which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -\fIntpkey_gq_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_gq_alice\f[] to this file. -In addition, on each host bob install a soft link +In addition, on each host +\f\*[I-Font]bob\f[] +install a soft link from generic \fIntpkey_gq_\f[]\f\*[I-Font]bob\f[] to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +\f\*[B-Font]GQ\f[] +scheme updates the +\f\*[B-Font]GQ\f[] +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. .sp \n(Ppu .ne 2 -For the MV scheme, proceed as in the TC scheme to generate keys +For the +\f\*[B-Font]MV\f[] +scheme, proceed as in the +\f\*[B-Font]TC\f[] +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -725,9 +666,9 @@ where \f\*[I-Font]n\f[] is the number of revokable keys (typically 5) to produce the parameter file -\fIntpkeys_MVpar_\f[]\f\*[I-Font]trish.filestamp\f[] +\fIntpkeys_MVpar_trish.\f[]\f\*[I-Font]filestamp\f[] and client key files -\fIntpkeys_MVkeyd_\f[]\f\*[I-Font]trish.filestamp\f[] +\fIntpkeys_MVkey\f[]\f\*[I-Font]d\f[] \f\*[I-Font]_\f[] \fItrish.\f[] \f\*[I-Font]filestamp\f[] where \f\*[I-Font]d\f[] is the key number (0 \&< @@ -736,95 +677,236 @@ is the key number (0 \&< \f\*[I-Font]n\f[]). Copy the parameter file to alice and install a soft link from the generic -\fIntpkey_mv_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_mv_alice\f[] to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -\fIntpkey_mvkey_\f[]\f\*[I-Font]bob\f[] +\fIntpkey_mvkey_bob\f[] to the client key file. -As the MV scheme is independent of keys and certificates, +As the +\f\*[B-Font]MV\f[] +scheme is independent of keys and certificates, these files can be refreshed as needed. .SS Command Line Options .TP 7 -.NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]scheme\f[] -Select certificate message digest/signature encryption scheme. +.NOP \f\*[B-Font]\-b\f[] \f\*[B-Font]\-\-imbits\f[]= \f\*[I-Font]modulus\f[] +Set the number of bits in the identity modulus for generating identity keys to +\f\*[I-Font]modulus\f[] +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.TP 7 +.NOP \f\*[B-Font]\-c\f[] \f\*[B-Font]\-\-certificate\f[]= \f\*[I-Font]scheme\f[] +Select certificate signature encryption/message digest scheme. The \f\*[I-Font]scheme\f[] can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +\f\*[B-Font]RSA-MD2\f[], \f\*[B-Font]RSA-MD5\f[], \f\*[B-Font]RSA-MDC2\f[], \f\*[B-Font]RSA-SHA\f[], \f\*[B-Font]RSA-SHA1\f[], \f\*[B-Font]RSA-RIPEMD160\f[], \f\*[B-Font]DSA-SHA\f[], or \f\*[B-Font]DSA-SHA1\f[]. -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +\f\*[B-Font]RSA\f[] +schemes must be used with an +\f\*[B-Font]RSA\f[] +sign key and +\f\*[B-Font]DSA\f[] +schemes must be used with a +\f\*[B-Font]DSA\f[] +sign key. The default without this option is \f\*[B-Font]RSA-MD5\f[]. +If compatibility with FIPS 140-2 is required, either the +\f\*[B-Font]DSA-SHA\f[] +or +\f\*[B-Font]DSA-SHA1\f[] +scheme must be used. .TP 7 -.NOP \f\*[B-Font]\-d\f[] -Enable debugging. +.NOP \f\*[B-Font]\-C\f[] \f\*[B-Font]\-\-cipher\f[]= \f\*[I-Font]cipher\f[] +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three-key triple DES in CBC mode, +\f\*[B-Font]des-ede3-cbc\f[]. +The +\f\*[B-Font]openssl\f[] \f\*[B-Font]\-h\f[] +command provided with OpenSSL displays available ciphers. +.TP 7 +.NOP \f\*[B-Font]\-d\f[] \f\*[B-Font]\-\-debug-level\f[] +Increase debugging verbosity level. This option displays the cryptographic data produced in eye-friendly billboards. .TP 7 -.NOP \f\*[B-Font]\-e\f[] -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. +.NOP \f\*[B-Font]\-D\f[] \f\*[B-Font]\-\-set-debug-level\f[]= \f\*[I-Font]level\f[] +Set the debugging verbosity to +\f\*[I-Font]level\f[]. +This option displays the cryptographic data produced in eye-friendly billboards. .TP 7 -.NOP \f\*[B-Font]\-G\f[] -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. +.NOP \f\*[B-Font]\-e\f[] \f\*[B-Font]\-\-id-key\f[] +Write the +\f\*[B-Font]IFF\f[] +or +\f\*[B-Font]GQ\f[] +public parameters from the +\f\*[I-Font]IFFkey\f[] \f\*[I-Font]or\f[] \f\*[I-Font]GQkey\f[] +client keys file previously specified +as unencrypted data to the standard output stream +\fIstdout\f[]. +This is intended for automatic key distribution by email. .TP 7 -.NOP \f\*[B-Font]\-g\f[] -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. +.NOP \f\*[B-Font]\-G\f[] \f\*[B-Font]\-\-gq-params\f[] +Generate a new encrypted +\f\*[B-Font]GQ\f[] +parameters and key file for the Guillou-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +\f\*[B-Font]\-I\f[] +and +\f\*[B-Font]\-V\f[] +options. .TP 7 -.NOP \f\*[B-Font]\-H\f[] -Generate new host keys, obsoleting any that may exist. +.NOP \f\*[B-Font]\-H\f[] \f\*[B-Font]\-\-host-key\f[] +Generate a new encrypted +\f\*[B-Font]RSA\f[] +public/private host key file. .TP 7 -.NOP \f\*[B-Font]\-I\f[] -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. +.NOP \f\*[B-Font]\-I\f[] \f\*[B-Font]\-\-iffkey\f[] +Generate a new encrypted +\f\*[B-Font]IFF\f[] +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +\f\*[B-Font]\-G\f[] +and +Fl V +options. .TP 7 -.NOP \f\*[B-Font]\-i\f[] \f\*[I-Font]name\f[] -Set the suject name to -\f\*[I-Font]name\f[]. -This is used as the subject field in certificates -and in the file name for host and sign keys. +.NOP \f\*[B-Font]\-i\f[] \f\*[B-Font]\-\-ident\f[]= \f\*[I-Font]group\f[] +Set the optional Autokey group name to +\f\*[I-Font]group\f[]. +This is used in the identity scheme parameter file names of +\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[], +and +\f\*[B-Font]MV\f[] +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +\f\*[B-Font]\-i\f[] +or +\f\*[B-Font]\-s\f[] +following an +\[oq]@@\[cq] +character, is also used in certificate subject and issuer names in the form +\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[] +and should match the group specified via +\f\*[B-Font]crypto\f[] \f\*[B-Font]ident\f[] +or +\f\*[B-Font]server\f[] \f\*[B-Font]ident\f[] +in the ntpd configuration file. .TP 7 -.NOP \f\*[B-Font]\-M\f[] -Generate MD5 keys, obsoleting any that may exist. +.NOP \f\*[B-Font]\-l\f[] \f\*[B-Font]\-\-lifetime\f[]= \f\*[I-Font]days\f[] +Set the lifetime for certificate expiration to +\f\*[I-Font]days\f[]. +The default lifetime is one year (365 days). .TP 7 -.NOP \f\*[B-Font]\-P\f[] -Generate a private certificate. -By default, the program generates public certificates. +.NOP \f\*[B-Font]\-m\f[] \f\*[B-Font]\-\-modulus\f[]= \f\*[I-Font]bits\f[] +Set the number of bits in the prime modulus for generating files to +\f\*[I-Font]bits\f[]. +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. .TP 7 -.NOP \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] -Encrypt generated files containing private data with -\f\*[I-Font]password\f[] -and the DES-CBC algorithm. +.NOP \f\*[B-Font]\-M\f[] \f\*[B-Font]\-\-md5key\f[] +Generate a new symmetric keys file containing 10 +\f\*[B-Font]MD5\f[] +keys, and if OpenSSL is available, 10 +\f\*[B-Font]SHA\f[] +keys. +An +\f\*[B-Font]MD5\f[] +key is a string of 20 random printable ASCII characters, while a +\f\*[B-Font]SHA\f[] +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. .TP 7 -.NOP \f\*[B-Font]\-q\f[] -Set the password for reading files to password. +.NOP \f\*[B-Font]\-p\f[] \f\*[B-Font]\-\-password\f[]= \f\*[I-Font]passwd\f[] +Set the password for reading and writing encrypted files to +\f\*[I-Font]passwd\f[]. +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +\f\*[B-Font]hostname\f[] +command. .TP 7 -.NOP \f\*[B-Font]\-S\f[] [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]] -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. +.NOP \f\*[B-Font]\-P\f[] \f\*[B-Font]\-\-pvt-cert\f[] +Generate a new private certificate used by the +\f\*[B-Font]PC\f[] +identity scheme. +By default, the program generates public certificates. +Note: the PC identity scheme is not recommended for new installations. .TP 7 -.NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]name\f[] -Set the issuer name to -\f\*[I-Font]name\f[]. -This is used for the issuer field in certificates -and in the file name for identity files. +.NOP \f\*[B-Font]\-q\f[] \f\*[B-Font]\-\-export-passwd\f[]= \f\*[I-Font]passwd\f[] +Set the password for writing encrypted +\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[] \f\*[B-Font]and\f[] \f\*[B-Font]MV\f[] +identity files redirected to +\fIstdout\f[] +to +\f\*[I-Font]passwd\f[]. +In effect, these files are decrypted with the +\f\*[B-Font]\-p\f[] +password, then encrypted with the +\f\*[B-Font]\-q\f[] +password. +By default, the password is the string returned by the Unix +\f\*[B-Font]hostname\f[] +command. .TP 7 -.NOP \f\*[B-Font]\-T\f[] +.NOP \f\*[B-Font]\-s\f[] \f\*[B-Font]\-\-subject-key\f[]= [host] [@@ \f\*[I-Font]group\f[]] +Specify the Autokey host name, where +\f\*[I-Font]host\f[] +is the optional host name and +\f\*[I-Font]group\f[] +is the optional group name. +The host name, and if provided, group name are used in +\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[] +form as certificate subject and issuer. +Specifying +\f\*[B-Font]\-s\f[] \f\*[B-Font]\-@@\f[] \f\*[I-Font]group\f[] +is allowed, and results in leaving the host name unchanged, as with +\f\*[B-Font]\-i\f[] \f\*[I-Font]group\f[]. +The group name, or if no group is provided, the host name are also used in the +file names of +\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[], +and +\f\*[B-Font]MV\f[] +identity scheme client parameter files. +If +\f\*[I-Font]host\f[] +is not specified, the default host name is the string returned by the Unix +\f\*[B-Font]hostname\f[] +command. +.TP 7 +.NOP \f\*[B-Font]\-S\f[] \f\*[B-Font]\-\-sign-key\f[]= [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]] +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140-2 is required, the sign key type must be +\f\*[B-Font]DSA\f[]. +.TP 7 +.NOP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-\-trusted-cert\f[] Generate a trusted certificate. By default, the program generates a non-trusted certificate. .TP 7 -.NOP \f\*[B-Font]\-V\f[] \f\*[I-Font]nkeys\f[] -Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. +.NOP \f\*[B-Font]\-V\f[] \f\*[B-Font]\-\-mv-params\f[] \f\*[I-Font]nkeys\f[] +Generate +\f\*[I-Font]nkeys\f[] +encrypted server keys and parameters for the Mu-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +\f\*[B-Font]\-I\f[] +and +\f\*[B-Font]\-G\f[] +options. +Note: support for this option should be considered a work in progress. .PP .SS Random Seed File All cryptographically sound key generation schemes must have means @@ -852,7 +934,7 @@ but are outside the scope of this page. The entropy seed used by the OpenSSL library is contained in a file, usually called -\f\*[B-Font].rnd\f[], +\fI.rnd\f[], which must be available when starting the NTP daemon or the \f\*[B-Font]ntp-keygen\fP @@ -875,48 +957,131 @@ If the RANDFILE environment variable is not present, the library will look for the -\f\*[B-Font].rnd\f[] +\fI.rnd\f[] file in the user home directory. +Since both the +\f\*[B-Font]ntp-keygen\fP +program and +\fCntpd\f[]\fR(1ntpdmdoc)\f[] +daemon must run as root, the logical place to put this file is in +\fI/.rnd\f[] +or +\fI/root/.rnd\f[]. If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. .SS Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +\fIntpkey_\f[]\f\*[I-Font]key\f[] \f\*[I-Font]_\f[] \f\*[I-Font]name\f[]. \f\*[I-Font]filestamp\f[], +where +\f\*[I-Font]key\f[] +is the key or parameter type, +\f\*[I-Font]name\f[] +is the host or group name and +\f\*[I-Font]filestamp\f[] +is the filestamp (NTP seconds) when the file was created. +By convention, +\f\*[I-Font]key\f[] +names in generated file names include both upper and lower case +characters, while +\f\*[I-Font]key\f[] +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +\fIdate\f[] +format. +Lines beginning with +\[oq]#\[cq] +are considered comments and ignored by the \f\*[B-Font]ntp-keygen\fP program and \fCntpd\f[]\fR(1ntpdmdoc)\f[] daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. .sp \n(Ppu .ne 2 -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. +.sp \n(Ppu +.ne 2 + +The format of the symmetric keys file, ordinarily named +\fIntp.keys\f[], +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +.br +.in +4 +.nf +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o}3i@@@@V@@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +.in -4 +.fi +.in +4 +Figure 1. Typical Symmetric Key File +.in -4 +.sp \n(Ppu +.ne 2 + +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format .in +4 \f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[] .in -4 where \f\*[I-Font]keyno\f[] -is a positive integer in the range 1-65,535, +is a positive integer in the range 1-65534; \f\*[I-Font]type\f[] -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +\f\*[B-Font]MD5\f[] +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140-2 is required, +the key type must be either +\f\*[B-Font]SHA\f[] +or +\f\*[B-Font]SHA1\f[]; \f\*[I-Font]key\f[] is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +\[oq]\[cq]! +through +\[oq]~\[cq] +\&) excluding space and the +\[oq]#\[cq] +character, and terminated by whitespace or a \[oq]#\[cq] character. +An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which +is truncated as necessary. .sp \n(Ppu .ne 2 @@ -933,8 +1098,8 @@ in human readable ASCII format. The \f\*[B-Font]ntp-keygen\fP -program generates a MD5 symmetric keys file -\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname.filestamp\f[]. +program generates a symmetric keys file +\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[]. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -973,10 +1138,10 @@ The number of bits in the identity modulus. The default is 256. certificate scheme. .sp scheme is one of -RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, +RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160, DSA-SHA, or DSA-SHA1. .sp -Select the certificate message digest/signature encryption scheme. +Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA-MD5. @@ -986,7 +1151,7 @@ privatekey cipher. .sp Select the cipher which is used to encrypt the files containing private keys. The default is three-key triple DES in CBC mode, -equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers +equivalent to "\fB-C des-ede3-cbc\fP". The openssl tool lists ciphers available in "\fBopenssl \-h\fP" output. .TP .NOP \f\*[B-Font]\-d\f[], \f\*[B-Font]\-\-debug\-level\f[] @@ -1003,8 +1168,9 @@ This option takes an integer number as its argument. .NOP \f\*[B-Font]\-e\f[], \f\*[B-Font]\-\-id\-key\f[] Write IFF or GQ identity keys. .sp -Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. +Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. .TP .NOP \f\*[B-Font]\-G\f[], \f\*[B-Font]\-\-gq\-params\f[] Generate GQ parameters and keys. @@ -1030,11 +1196,11 @@ Set the optional Autokey group name to name. This is used in the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using \fB-i/--ident\fP or -using \fB-s/--subject-name\fP following an '\fB@\fP' character, -is also a part of the self-signed host certificate's subject and -issuer names in the form \fBhost@group\fP and should match the -'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in -\fBntpd\fP's configuration file. +using \fB-s/--subject-name\fP following an '\fB@@\fP' character, +is also a part of the self-signed host certificate subject and +issuer names in the form \fBhost@@group\fP and should match the +'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the +\fBntpd\fP configuration file. .TP .NOP \f\*[B-Font]\-l\f[] \f\*[I-Font]lifetime\f[], \f\*[B-Font]\-\-lifetime\f[]=\f\*[I-Font]lifetime\f[] set certificate lifetime. @@ -1042,13 +1208,8 @@ This option takes an integer number as its argument. .sp Set the certificate expiration to lifetime days from now. .TP -.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[] -generate MD5 keys. -.sp -Generate MD5 keys, obsoleting any that may exist. -.TP .NOP \f\*[B-Font]\-m\f[] \f\*[I-Font]modulus\f[], \f\*[B-Font]\-\-modulus\f[]=\f\*[I-Font]modulus\f[] -modulus. +prime modulus. This option takes an integer number as its argument. The value of \f\*[I-Font]modulus\f[] @@ -1062,6 +1223,11 @@ in the range 256 through 2048 .sp The number of bits in the prime modulus. The default is 512. .TP +.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[] +generate symmetric keys. +.sp +Generate symmetric keys, obsoleting any that may exist. +.TP .NOP \f\*[B-Font]\-P\f[], \f\*[B-Font]\-\-pvt\-cert\f[] generate PC private certificate. .sp @@ -1086,27 +1252,27 @@ The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option --id-key (-e) for unencrypted exports. .TP -.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[] -generate sign key (RSA or DSA). -.sp -Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. -.TP .NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]host@group\f[], \f\*[B-Font]\-\-subject\-name\f[]=\f\*[I-Font]host@group\f[] set host and optionally group name. .sp Set the Autokey host name, and optionally, group name specified -following an '\fB@\fP' character. The host name is used in the file +following an '\fB@@\fP' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used -in \fBhost@group\fP form for the host certificate's subject and issuer -fields. Specifying '\fB-s @group\fP' is allowed, and results in -leaving the host name unchanged while appending \fB@group\fP to the +in \fBhost@@group\fP form for the host certificate subject and issuer +fields. Specifying '\fB-s @@group\fP' is allowed, and results in +leaving the host name unchanged while appending \fB@@group\fP to the subject and issuer fields, as with \fB-i group\fP. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. .TP +.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[] +generate sign key (RSA or DSA). +.sp +Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. +.TP .NOP \f\*[B-Font]\-T\f[], \f\*[B-Font]\-\-trusted\-cert\f[] trusted certificate (TC scheme). .sp @@ -1162,18 +1328,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .SH USAGE -The -\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] -option specifies the write password and -\f\*[B-Font]\-q\f[] \f\*[I-Font]password\f[] -option the read password for previously encrypted files. -The -\f\*[B-Font]ntp-keygen\fP -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .SH "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .SH "FILES" @@ -1200,10 +1354,7 @@ The University of Delaware and Network Time Foundation Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation all rights reserved. This program is released under the terms of the NTP license, <http://ntp.org/license>. .SH BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. +It can take quite a while to generate some cryptographic values. .sp \n(Ppu .ne 2 diff --git a/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc b/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc index e20d55d..ba21087 100644 --- a/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc +++ b/contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:59 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -21,26 +21,29 @@ All arguments must be options. .Sh DESCRIPTION This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .Pp -All files are in PEM\-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM\-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. .Pp -When used to generate message digest keys, the program produces a file -containing ten pseudo\-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo\-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex\-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -60,219 +63,131 @@ other than Autokey. Some files used by this program are encrypted using a private password. The .Fl p -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the .Fl q -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -.Fn gethostname -function, normally the DNS name of the host is used. +.Xr hostname 1 +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +.Nm +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. .Pp The -.Ar pw +.Cm pw option of the -.Ar crypto +.Ic crypto +.Xr ntpd 1ntpdmdoc configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -.Ar ntpd -without password but only on the same host. +.Xr ntpd 1ntpdmdoc +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. .Pp Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -.Ar ntp.keys , +.Pa ntp.keys , is usually installed in .Pa /etc . Other files and links are usually installed in .Pa /usr/local/etc , which is normally in a shared filesystem in NFS\-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -.Ar keysdir -configuration command in such cases. -Normally, this is in -.Pa /etc . +In these cases, NFS clients can specify the files in another +directory such as +.Pa /etc +using the +.Ic keysdir +.Xr ntpd 1ntpdmdoc +configuration file command. .Pp This program directs commentary and error messages to the standard error stream -.Ar stderr +.Pa stderr and remote files to the standard output stream -.Ar stdout +.Pa stdout where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -.Ar ntpkey +.Pa ntpkey\&* and include the file type, generating host and filestamp, as described in the -.Dq Cryptographic Data Files +.Sx "Cryptographic Data Files" section below. .Ss Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -.Pa /usr/local/etc -When run for the first time, or if all files with names beginning with -.Ar ntpkey -have been removed, use the -.Nm -command without arguments to generate a -default RSA host key and matching RSA\-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.Pp -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -.Nm -with the -.Fl T -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.Pp -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -.Fl S -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -.Fl c -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken\-and\-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball\-and\-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re\-generated. -.Pp -Additional information on trusted groups and identity schemes is on the -.Dq Autokey Public\-Key Authentication -page. -.Pp -The -.Xr ntpd 1ntpdmdoc -configuration command -.Ic crypto pw Ar password -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.Pp -File names begin with the prefix -.Cm ntpkey_ -and end with the postfix -.Ar _hostname.filestamp , -where -.Ar hostname -is the owner name, usually the string returned -by the Unix gethostname() routine, and -.Ar filestamp -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -.Ic rm ntpkey\&* -command or all files generated -at a specific time can be removed by a -.Ic rm -.Ar \&*filestamp -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.Pp -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS\-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.Pp -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write\-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.Pp -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd 1ntpdmdoc -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.Nm -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.Ss Running the program The safest way to run the .Nm program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually +The recommended procedure is change to the +.Ar keys +directory, usually .Pa /usr/local/etc , then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA\-MD5 certificate file, +.Pp +To test and gain experience with Autokey concepts, log in as root and +change to the +.Ar keys +directory, usually +.Pa /usr/local/etc . +When run for the first time, or if all files with names beginning with +.Pa ntpkey\&* +have been removed, use the +.Nm +command without arguments to generate a default +.Cm RSA +host key and matching +.Cm RSA\-MD5 +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +.Cm RSA +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +.Cm RSA +or +.Cm DSA +type. +By default, the message digest type is +.Cm MD5 , +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1 +and +.Cm RIPE160 +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +.Cm RSA +sign keys; +however, only +.Cm SHA +and +.Cm SHA1 +certificates are compatible with +.Cm DSA +sign keys. .Pp Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. @@ -283,19 +198,19 @@ However, the identification parameter files, although encoded as the other files, are probably not compatible with anything other than Autokey. .Pp Running the program as other than root and using the Unix -.Ic su +.Xr su 1 command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.Cm .rnd +.Pa .rnd in the user home directory. However, there should be only one -.Cm .rnd , +.Pa .rnd , most conveniently in the root directory, so it is convenient to define the -.Cm $RANDFILE +.Ev RANDFILE environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +.Pa .rnd . .Pp Installing the keys as root might not work in NFS\-mounted shared file systems, as NFS clients may not be able to write @@ -305,7 +220,8 @@ directory such as .Pa /etc using the .Ic keysdir -command. +.Xr ntpd 1ntpdmdoc +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -338,8 +254,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +.Ar hostname +and +.Ar filestamp +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. .Pp The recommended practice is to keep the file name extensions @@ -348,106 +267,111 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +.Xr ntpd 1ntpdmdoc +follows it to the file name to extract the +.Ar filestamp . If a link is not present, .Xr ntpd 1ntpdmdoc -extracts the filestamp from the file itself. +extracts the +.Ar filestamp +from the file itself. This allows clients to verify that the file and generation times are always current. The .Nm -program uses the same timestamp extension for all files generated +program uses the same +.Ar filestamp +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -.Ss Running the program -The safest way to run the +.Pp +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using .Nm -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA\-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +with the +.Fl T +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +.Fl S +option and this can be either +.Cm RSA +or +.Cm DSA +type. +By default, the signature +message digest type is +.Cm MD5 , +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +.Fl c +option. .Pp -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken\-and\-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball\-and\-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re\-generated. .Pp -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +Additional information on trusted groups and identity schemes is on the +.Dq Autokey Public\-Key Authentication +page. .Pp -Installing the keys as root might not work in NFS\-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir +File names begin with the prefix +.Pa ntpkey Ns _ +and end with the suffix +.Pa _ Ns Ar hostname . Ar filestamp , +where +.Ar hostname +is the owner name, usually the string returned +by the Unix +.Xr hostname 1 +command, and +.Ar filestamp +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +.Ic rm Pa ntpkey\&* +command or all files generated +at a specific time can be removed by a +.Ic rm Pa \&* Ns Ar filestamp command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.Pp -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. +.Ss Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the .Sx Authentication Options section of .Xr ntp.conf 5 . -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +.Cm RSA +encryption, +.Cm MD5 +message digest +and +.Cm TC +identification. First, configure a NTP subnet including one or more low\-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -465,7 +389,7 @@ section of .Pp On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -.Cm ntpkey +.Pa ntpkey files. Then run .Nm @@ -490,7 +414,9 @@ is either .Cm RSA or .Cm DSA . -The most often need to do this is when a DSA\-signed certificate is used. +The most frequent need to do this is when a +.Cm DSA Ns \-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run .Nm @@ -499,17 +425,17 @@ with the option and selected .Ar scheme as needed. -f +If .Nm is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. .Pp After setting up the environment it is advisable to update certificates from time to time, if only to extend the validity interval. Simply run .Nm with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, .Xr ntpd 1ntpdmdoc should be restarted. @@ -520,13 +446,15 @@ Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. .Ss Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +.Cm TC +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -.Qq Identification Schemes -page -(maybe available at -.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . +including +.Cm PC , IFF , GQ +and +.Cm MV +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -551,12 +479,15 @@ On trusted host alice run .Fl P .Fl p Ar password to generate the host key file -.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp +.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp and trusted private certificate file -.Pa ntpkey_RSA\-MD5_cert_ Ns Ar alice.filestamp . +.Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp , +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +.Ar bob +install a soft link from the generic name .Pa ntpkey_host_ Ns Ar bob to the host key file and soft link .Pa ntpkey_cert_ Ns Ar bob @@ -565,26 +496,34 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. .Pp -For the IFF scheme proceed as in the TC scheme to generate keys +For the +.Cm IFF +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl I .Fl p Ar password to produce her parameter file -.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , +.Pa ntpkey_IFFpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +.Cm IFF +scheme is independent of keys and certificates, these files can be refreshed as needed. .Pp If a rogue client has the parameter file, it could masquerade @@ -594,37 +533,53 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run .Nm .Fl e -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. .Pp -For the GQ scheme proceed as in the TC scheme to generate keys +For the +.Cm GQ +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl G .Fl p Ar password to produce her parameter file -.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , +.Pa ntpkey_GQpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -.Pa ntpkey_gq_ Ns Ar alice +.Pa ntpkey_gq_alice to this file. -In addition, on each host bob install a soft link +In addition, on each host +.Ar bob +install a soft link from generic .Pa ntpkey_gq_ Ns Ar bob to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +.Cm GQ +scheme updates the +.Cm GQ +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. .Pp -For the MV scheme, proceed as in the TC scheme to generate keys +For the +.Cm MV +scheme, proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -636,9 +591,9 @@ where .Ar n is the number of revokable keys (typically 5) to produce the parameter file -.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp +.Pa ntpkeys_MVpar_trish. Ns Ar filestamp and client key files -.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp +.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp where .Ar d is the key number (0 \&< @@ -647,80 +602,217 @@ is the key number (0 \&< .Ar n ) . Copy the parameter file to alice and install a soft link from the generic -.Pa ntpkey_mv_ Ns Ar alice +.Pa ntpkey_mv_alice to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -.Pa ntpkey_mvkey_ Ns Ar bob +.Pa ntpkey_mvkey_bob to the client key file. -As the MV scheme is independent of keys and certificates, +As the +.Cm MV +scheme is independent of keys and certificates, these files can be refreshed as needed. .Ss Command Line Options .Bl -tag -width indent -.It Fl c Ar scheme -Select certificate message digest/signature encryption scheme. +.It Fl b Fl \-imbits Ns = Ar modulus +Set the number of bits in the identity modulus for generating identity keys to +.Ar modulus +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl c Fl \-certificate Ns = Ar scheme +Select certificate signature encryption/message digest scheme. The .Ar scheme can be one of the following: -. Cm RSA\-MD2 , RSA\-MD5 , RSA\-SHA , RSA\-SHA1 , RSA\-MDC2 , RSA\-RIPEMD160 , DSA\-SHA , +.Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA , or .Cm DSA\-SHA1 . -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +.Cm RSA +schemes must be used with an +.Cm RSA +sign key and +.Cm DSA +schemes must be used with a +.Cm DSA +sign key. The default without this option is .Cm RSA\-MD5 . -.It Fl d -Enable debugging. +If compatibility with FIPS 140\-2 is required, either the +.Cm DSA\-SHA +or +.Cm DSA\-SHA1 +scheme must be used. +.It Fl C Fl \-cipher Ns = Ar cipher +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three\-key triple DES in CBC mode, +.Cm des\-ede3\-cbc . +The +.Ic openssl Fl h +command provided with OpenSSL displays available ciphers. +.It Fl d Fl \-debug\-level +Increase debugging verbosity level. This option displays the cryptographic data produced in eye\-friendly billboards. -.It Fl e -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -.It Fl G -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -.It Fl g -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -.It Fl H -Generate new host keys, obsoleting any that may exist. -.It Fl I -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -.It Fl i Ar name -Set the suject name to -.Ar name . -This is used as the subject field in certificates -and in the file name for host and sign keys. -.It Fl M -Generate MD5 keys, obsoleting any that may exist. -.It Fl P -Generate a private certificate. +.It Fl D Fl \-set\-debug\-level Ns = Ar level +Set the debugging verbosity to +.Ar level . +This option displays the cryptographic data produced in eye\-friendly billboards. +.It Fl e Fl \-id\-key +Write the +.Cm IFF +or +.Cm GQ +public parameters from the +.Ar IFFkey or GQkey +client keys file previously specified +as unencrypted data to the standard output stream +.Pa stdout . +This is intended for automatic key distribution by email. +.It Fl G Fl \-gq\-params +Generate a new encrypted +.Cm GQ +parameters and key file for the Guillou\-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl V +options. +.It Fl H Fl \-host\-key +Generate a new encrypted +.Cm RSA +public/private host key file. +.It Fl I Fl \-iffkey +Generate a new encrypted +.Cm IFF +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +.Fl G +and +Fl V +options. +.It Fl i Fl \-ident Ns = Ar group +Set the optional Autokey group name to +.Ar group . +This is used in the identity scheme parameter file names of +.Cm IFF , GQ , +and +.Cm MV +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +.Fl i +or +.Fl s +following an +.Ql @ +character, is also used in certificate subject and issuer names in the form +.Ar host @ group +and should match the group specified via +.Ic crypto Cm ident +or +.Ic server Cm ident +in the ntpd configuration file. +.It Fl l Fl \-lifetime Ns = Ar days +Set the lifetime for certificate expiration to +.Ar days . +The default lifetime is one year (365 days). +.It Fl m Fl \-modulus Ns = Ar bits +Set the number of bits in the prime modulus for generating files to +.Ar bits . +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl M Fl \-md5key +Generate a new symmetric keys file containing 10 +.Cm MD5 +keys, and if OpenSSL is available, 10 +.Cm SHA +keys. +An +.Cm MD5 +key is a string of 20 random printable ASCII characters, while a +.Cm SHA +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. +.It Fl p Fl \-password Ns = Ar passwd +Set the password for reading and writing encrypted files to +.Ar passwd . +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl P Fl \-pvt\-cert +Generate a new private certificate used by the +.Cm PC +identity scheme. By default, the program generates public certificates. -.It Fl p Ar password -Encrypt generated files containing private data with -.Ar password -and the DES\-CBC algorithm. -.It Fl q -Set the password for reading files to password. -.It Fl S Oo Cm RSA | DSA Oc -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -.It Fl s Ar name -Set the issuer name to -.Ar name . -This is used for the issuer field in certificates -and in the file name for identity files. -.It Fl T +Note: the PC identity scheme is not recommended for new installations. +.It Fl q Fl \-export\-passwd Ns = Ar passwd +Set the password for writing encrypted +.Cm IFF , GQ and MV +identity files redirected to +.Pa stdout +to +.Ar passwd . +In effect, these files are decrypted with the +.Fl p +password, then encrypted with the +.Fl q +password. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group +Specify the Autokey host name, where +.Ar host +is the optional host name and +.Ar group +is the optional group name. +The host name, and if provided, group name are used in +.Ar host @ group +form as certificate subject and issuer. +Specifying +.Fl s @ Ar group +is allowed, and results in leaving the host name unchanged, as with +.Fl i Ar group . +The group name, or if no group is provided, the host name are also used in the +file names of +.Cm IFF , GQ , +and +.Cm MV +identity scheme client parameter files. +If +.Ar host +is not specified, the default host name is the string returned by the Unix +.Ic hostname +command. +.It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140\-2 is required, the sign key type must be +.Cm DSA . +.It Fl T Fl \-trusted\-cert Generate a trusted certificate. By default, the program generates a non\-trusted certificate. -.It Fl V Ar nkeys -Generate parameters and keys for the Mu\-Varadharajan (MV) identification scheme. +.It Fl V Fl \-mv\-params Ar nkeys +Generate +.Ar nkeys +encrypted server keys and parameters for the Mu\-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl G +options. +Note: support for this option should be considered a work in progress. .El .Ss Random Seed File All cryptographically sound key generation schemes must have means @@ -744,14 +836,14 @@ but are outside the scope of this page. .Pp The entropy seed used by the OpenSSL library is contained in a file, usually called -.Cm .rnd , +.Pa .rnd , which must be available when starting the NTP daemon or the .Nm program. The NTP daemon will first look for the file using the path specified by the -.Ic randfile +.Cm randfile subcommand of the .Ic crypto configuration command. @@ -767,44 +859,118 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -.Cm .rnd +.Pa .rnd file in the user home directory. +Since both the +.Nm +program and +.Xr ntpd 1ntpdmdoc +daemon must run as root, the logical place to put this file is in +.Pa /.rnd +or +.Pa /root/.rnd . If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. .Ss Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp , +where +.Ar key +is the key or parameter type, +.Ar name +is the host or group name and +.Ar filestamp +is the filestamp (NTP seconds) when the file was created. +By convention, +.Ar key +names in generated file names include both upper and lower case +characters, while +.Ar key +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +.Pa date +format. +Lines beginning with +.Ql # +are considered comments and ignored by the .Nm program and .Xr ntpd 1ntpdmdoc daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM\-encoded -printable ASCII format preceded and followed by MIME content identifier lines. .Pp -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES\-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format -.D1 Ar keyno type key +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM\-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. +.Pp +The format of the symmetric keys file, ordinarily named +.Pa ntp.keys , +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +.Bd -literal -unfilled -offset center +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +.Ed +.D1 Figure 1. Typical Symmetric Key File +.Pp +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format +.D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1\-65,535, +is a positive integer in the range 1\-65534; .Ar type -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +.Cm MD5 +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140\-2 is required, +the key type must be either +.Cm SHA +or +.Cm SHA1 ; .Ar key is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +.Ql ! +through +.Ql ~ +\&) excluding space and the +.Ql # +character, and terminated by whitespace or a .Ql # character. +An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which +is truncated as necessary. .Pp Note that the keys used by the .Xr ntpq 1ntpqmdoc @@ -817,8 +983,8 @@ in human readable ASCII format. .Pp The .Nm -program generates a MD5 symmetric keys file -.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . +program generates a symmetric keys file +.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp . Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -856,10 +1022,10 @@ The number of bits in the identity modulus. The default is 256. certificate scheme. .sp scheme is one of -RSA\-MD2, RSA\-MD5, RSA\-SHA, RSA\-SHA1, RSA\-MDC2, RSA\-RIPEMD160, +RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160, DSA\-SHA, or DSA\-SHA1. .sp -Select the certificate message digest/signature encryption scheme. +Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA\-MD5. @@ -868,7 +1034,7 @@ privatekey cipher. .sp Select the cipher which is used to encrypt the files containing private keys. The default is three\-key triple DES in CBC mode, -equivalent to "@code{\-C des\-ede3\-cbc". The openssl tool lists ciphers +equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers available in "\fBopenssl \-h\fP" output. .It Fl d , Fl \-debug\-level Increase debug verbosity level. @@ -882,8 +1048,9 @@ This option takes an integer number as its argument. .It Fl e , Fl \-id\-key Write IFF or GQ identity keys. .sp -Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. +Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. .It Fl G , Fl \-gq\-params Generate GQ parameters and keys. .sp @@ -906,21 +1073,17 @@ the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using \fB\-i/\-\-ident\fP or using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character, -is also a part of the self\-signed host certificate's subject and +is also a part of the self\-signed host certificate subject and issuer names in the form \fBhost@group\fP and should match the -\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in -\fBntpd\fP's configuration file. +\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the +\fBntpd\fP configuration file. .It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime set certificate lifetime. This option takes an integer number as its argument. .sp Set the certificate expiration to lifetime days from now. -.It Fl M , Fl \-md5key -generate MD5 keys. -.sp -Generate MD5 keys, obsoleting any that may exist. .It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus -modulus. +prime modulus. This option takes an integer number as its argument. The value of .Ar modulus @@ -933,6 +1096,10 @@ in the range 256 through 2048 .in -4 .sp The number of bits in the prime modulus. The default is 512. +.It Fl M , Fl \-md5key +generate symmetric keys. +.sp +Generate symmetric keys, obsoleting any that may exist. .It Fl P , Fl \-pvt\-cert generate PC private certificate. .sp @@ -954,12 +1121,6 @@ encrypted with the DES\-CBC algorithm and the specified password. The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option -\-id\-key (\-e) for unencrypted exports. -.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign -generate sign key (RSA or DSA). -.sp -Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. .It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group set host and optionally group name. .sp @@ -967,12 +1128,18 @@ Set the Autokey host name, and optionally, group name specified following an '\fB@\fP' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used -in \fBhost@group\fP form for the host certificate's subject and issuer +in \fBhost@group\fP form for the host certificate subject and issuer fields. Specifying '\fB\-s @group\fP' is allowed, and results in leaving the host name unchanged while appending \fB@group\fP to the subject and issuer fields, as with \fB\-i group\fP. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. +.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign +generate sign key (RSA or DSA). +.sp +Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. .It Fl T , Fl \-trusted\-cert trusted certificate (TC scheme). .sp @@ -1021,18 +1188,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .Sh USAGE -The -.Fl p Ar password -option specifies the write password and -.Fl q Ar password -option the read password for previously encrypted files. -The -.Nm -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .Sh "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .Sh "FILES" @@ -1056,10 +1211,7 @@ The University of Delaware and Network Time Foundation Copyright (C) 1992\-2017 The University of Delaware and Network Time Foundation all rights reserved. This program is released under the terms of the NTP license, <http://ntp.org/license>. .Sh BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. +It can take quite a while to generate some cryptographic values. .Pp Please report bugs to http://bugs.ntp.org . .Pp diff --git a/contrib/ntp/util/ntp-keygen.html b/contrib/ntp/util/ntp-keygen.html index b4fc629..854d055 100644 --- a/contrib/ntp/util/ntp-keygen.html +++ b/contrib/ntp/util/ntp-keygen.html @@ -70,7 +70,7 @@ All other files are in PEM-encoded printable ASCII format so they can be embedded as MIME attachments in mail to other sites. - <p>This document applies to version 4.2.8p10 of <code>ntp-keygen</code>. + <p>This document applies to version 4.2.8p11 of <code>ntp-keygen</code>. <div class="node"> <p><hr> @@ -217,26 +217,29 @@ Autokey Public-Key Authentication page. <p>This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. - <p>All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites + <p>The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. - <p>When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. + <p>When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -256,223 +259,133 @@ other than Autokey. <p>Some files used by this program are encrypted using a private password. The <code>-p</code> -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the <code>-q</code> -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -<code>gethostname()</code> -function, normally the DNS name of the host is used. +<code>hostname(1)</code> +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +<code>ntp-keygen</code> +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. <p>The -<kbd>pw</kbd> +<code>pw</code> option of the -<kbd>crypto</kbd> +<code>crypto</code> +<code>ntpd(1ntpdmdoc)</code> configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -<kbd>ntpd</kbd> -without password but only on the same host. +<code>ntpd(1ntpdmdoc)</code> +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. <p>Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -<kbd>ntp.keys</kbd>, +<span class="file">ntp.keys</span>, is usually installed in <span class="file">/etc</span>. Other files and links are usually installed in <span class="file">/usr/local/etc</span>, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -<kbd>keysdir</kbd> -configuration command in such cases. -Normally, this is in -<span class="file">/etc</span>. +In these cases, NFS clients can specify the files in another +directory such as +<span class="file">/etc</span> +using the +<code>keysdir</code> +<code>ntpd(1ntpdmdoc)</code> +configuration file command. <p>This program directs commentary and error messages to the standard error stream -<kbd>stderr</kbd> +<span class="file">stderr</span> and remote files to the standard output stream -<kbd>stdout</kbd> +<span class="file">stdout</span> where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -<kbd>ntpkey</kbd> +<span class="file">ntpkey*</span> and include the file type, generating host and filestamp, as described in the -Cryptographic Data Files +<a href="#Cryptographic-Data-Files">Cryptographic Data Files</a> section below. <h5 class="subsubsection">Running the Program</h5> -<p>To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -<span class="file">/usr/local/etc</span> -When run for the first time, or if all files with names beginning with -<kbd>ntpkey</kbd> -have been removed, use the -<code>ntp-keygen</code> -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. - - <p>Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -<code>ntp-keygen</code> -with the -<code>-T</code> -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. - - <p>The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -<code>-S</code> -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -<code>-c</code> -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. - - <p>Additional information on trusted groups and identity schemes is on the -Autokey Public-Key Authentication -page. - - <p>The -<code>ntpd(1ntpdmdoc)</code> -configuration command -<code>crypto</code> <code>pw</code> <kbd>password</kbd> -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. - - <p>File names begin with the prefix -<code>ntpkey_</code> -and end with the postfix -<kbd>_hostname.filestamp</kbd>, -where -<kbd>hostname</kbd> -is the owner name, usually the string returned -by the Unix gethostname() routine, and -<kbd>filestamp</kbd> -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -<code>rm</code> <code>ntpkey*</code> -command or all files generated -at a specific time can be removed by a -<code>rm</code> -<kbd>*filestamp</kbd> -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. - - <p>All files are installed by default in the keys directory -<span class="file">/usr/local/etc</span>, -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. - - <p>Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. - - <p>The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -<code>ntpd(1ntpdmdoc)</code> -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -<code>ntp-keygen</code> -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. - -<h5 class="subsubsection">Running the program</h5> - <p>The safest way to run the <code>ntp-keygen</code> program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually +The recommended procedure is change to the +<kbd>keys</kbd> +directory, usually <span class="file">/usr/local/etc</span>, -then run the program. -When run for the first time, -or if all -<code>ntpkey</code> -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, +then run the program. + + <p>To test and gain experience with Autokey concepts, log in as root and +change to the +<kbd>keys</kbd> +directory, usually +<span class="file">/usr/local/etc</span>. +When run for the first time, or if all files with names beginning with +<span class="file">ntpkey*</span> +have been removed, use the +<code>ntp-keygen</code> +command without arguments to generate a default +<code>RSA</code> +host key and matching +<code>RSA-MD5</code> +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. - <p>The host key is used to encrypt the cookie when required and so must be RSA type. + <p>The host key is used to encrypt the cookie when required and so must be +<code>RSA</code> +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +<code>RSA</code> +or +<code>DSA</code> +type. +By default, the message digest type is +<code>MD5</code>, +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +<code>AES128CMAC</code>, <code>MD2</code>, <code>MD5</code>, <code>MDC2</code>, <code>SHA</code>, <code>SHA1</code> +and +<code>RIPE160</code> +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +<code>RSA</code> +sign keys; +however, only +<code>SHA</code> +and +<code>SHA1</code> +certificates are compatible with +<code>DSA</code> +sign keys. <p>Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. @@ -483,19 +396,19 @@ However, the identification parameter files, although encoded as the other files, are probably not compatible with anything other than Autokey. <p>Running the program as other than root and using the Unix -<code>su</code> +<code>su(1)</code> command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -<code>.rnd</code> +<span class="file">.rnd</span> in the user home directory. However, there should be only one -<code>.rnd</code>, +<span class="file">.rnd</span>, most conveniently in the root directory, so it is convenient to define the -<code>$RANDFILE</code> +.Ev RANDFILE environment variable used by the OpenSSL library as the path to -<code>/.rnd</code>. +<span class="file">.rnd</span>. <p>Installing the keys as root might not work in NFS-mounted shared file systems, as NFS clients may not be able to write @@ -505,7 +418,8 @@ directory such as <span class="file">/etc</span> using the <code>keysdir</code> -command. +<code>ntpd(1ntpdmdoc)</code> +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -538,8 +452,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +<kbd>hostname</kbd> +and +<kbd>filestamp</kbd> +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. <p>The recommended practice is to keep the file name extensions @@ -548,109 +465,113 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +<code>ntpd(1ntpdmdoc)</code> +follows it to the file name to extract the +<kbd>filestamp</kbd>. If a link is not present, <code>ntpd(1ntpdmdoc)</code> -extracts the filestamp from the file itself. +extracts the +<kbd>filestamp</kbd> +from the file itself. This allows clients to verify that the file and generation times are always current. The <code>ntp-keygen</code> -program uses the same timestamp extension for all files generated +program uses the same +<kbd>filestamp</kbd> +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -<h5 class="subsubsection">Running the program</h5> - -<p>The safest way to run the + <p>Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using <code>ntp-keygen</code> -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -<span class="file">/usr/local/etc</span>, -then run the program. -When run for the first time, -or if all -<code>ntpkey</code> -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +with the +<code>-T</code> +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. - <p>The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. + <p>The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +<code>-S</code> +option and this can be either +<code>RSA</code> +or +<code>DSA</code> +type. +By default, the signature +message digest type is +<code>MD5</code>, +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +<code>-c</code> +option. - <p>Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. + <p>The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. - <p>Running the program as other than root and using the Unix -<code>su</code> -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -<code>.rnd</code> -in the user home directory. -However, there should be only one -<code>.rnd</code>, -most conveniently -in the root directory, so it is convenient to define the -<code>$RANDFILE</code> -environment variable used by the OpenSSL library as the path to -<code>/.rnd</code>. + <p>Additional information on trusted groups and identity schemes is on the +Autokey Public-Key Authentication +page. - <p>Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -<span class="file">/etc</span> -using the -<code>keysdir</code> + <p>File names begin with the prefix +<span class="file">ntpkey</span>_ +and end with the suffix +<span class="file">_</span><kbd>hostname</kbd>. <kbd>filestamp</kbd>, +where +<kbd>hostname</kbd> +is the owner name, usually the string returned +by the Unix +<code>hostname(1)</code> +command, and +<kbd>filestamp</kbd> +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +<code>rm</code> <span class="file">ntpkey*</span> +command or all files generated +at a specific time can be removed by a +<code>rm</code> <span class="file">*</span><kbd>filestamp</kbd> command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. - <p>Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. +<h5 class="subsubsection">Trusted Hosts and Groups</h5> - <p>s Trusted Hosts and Groups -Each cryptographic configuration involves selection of a signature scheme +<p>Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the <a href="#Authentication-Options">Authentication Options</a> section of <code>ntp.conf(5)</code>. -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +<code>RSA</code> +encryption, +<code>MD5</code> +message digest +and +<code>TC</code> +identification. First, configure a NTP subnet including one or more low-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -668,7 +589,7 @@ section of <p>On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -<code>ntpkey</code> +<span class="file">ntpkey</span> files. Then run <code>ntp-keygen</code> @@ -693,7 +614,9 @@ is either <code>RSA</code> or <code>DSA</code>. -The most often need to do this is when a DSA-signed certificate is used. +The most frequent need to do this is when a +<code>DSA</code>-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run <code>ntp-keygen</code> @@ -702,17 +625,17 @@ with the option and selected <kbd>scheme</kbd> as needed. -f +If <code>ntp-keygen</code> is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. <p>After setting up the environment it is advisable to update certificates from time to time, if only to extend the validity interval. Simply run <code>ntp-keygen</code> with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, <code>ntpd(1ntpdmdoc)</code> should be restarted. @@ -725,13 +648,15 @@ at which time the protocol is restarted. <h5 class="subsubsection">Identity Schemes</h5> <p>As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +<code>TC</code> +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -"Identification Schemes" -page -(maybe available at -<code>http://www.eecis.udel.edu/%7emills/keygen.html</code>). +including +<code>PC</code>, <code>IFF</code>, <code>GQ</code> +and +<code>MV</code> +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -756,12 +681,15 @@ On trusted host alice run <code>-P</code> <code>-p</code> <kbd>password</kbd> to generate the host key file -<span class="file">ntpkey_RSAkey_</span><kbd>alice.filestamp</kbd> +<span class="file">ntpkey</span>_ <code>RSA</code> <span class="file">key_alice.</span> <kbd>filestamp</kbd> and trusted private certificate file -<span class="file">ntpkey_RSA-MD5_cert_</span><kbd>alice.filestamp</kbd>. +<span class="file">ntpkey</span>_ <code>RSA-MD5</code> <code>_</code> <span class="file">cert_alice.</span> <kbd>filestamp</kbd>, +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +<kbd>bob</kbd> +install a soft link from the generic name <span class="file">ntpkey_host_</span><kbd>bob</kbd> to the host key file and soft link <span class="file">ntpkey_cert_</span><kbd>bob</kbd> @@ -770,26 +698,34 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. - <p>For the IFF scheme proceed as in the TC scheme to generate keys + <p>For the +<code>IFF</code> +scheme proceed as in the +<code>TC</code> +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +<code>IFF</code> +parameter file. On trusted host alice run <code>ntp-keygen</code> <code>-T</code> <code>-I</code> <code>-p</code> <kbd>password</kbd> to produce her parameter file -<span class="file">ntpkey_IFFpar_</span><kbd>alice.filestamp</kbd>, +<span class="file">ntpkey_IFFpar_alice.</span><kbd>filestamp</kbd>, which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -<span class="file">ntpkey_iff_</span><kbd>alice</kbd> +<span class="file">ntpkey_iff_alice</span> to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +<code>IFF</code> +scheme is independent of keys and certificates, these files can be refreshed as needed. <p>If a rogue client has the parameter file, it could masquerade @@ -799,37 +735,53 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run <code>ntp-keygen</code> <code>-e</code> -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -<span class="file">ntpkey_iff_</span><kbd>alice</kbd> +<span class="file">ntpkey_iff_alice</span> to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. - <p>For the GQ scheme proceed as in the TC scheme to generate keys + <p>For the +<code>GQ</code> +scheme proceed as in the +<code>TC</code> +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +<code>IFF</code> +parameter file. On trusted host alice run <code>ntp-keygen</code> <code>-T</code> <code>-G</code> <code>-p</code> <kbd>password</kbd> to produce her parameter file -<span class="file">ntpkey_GQpar_</span><kbd>alice.filestamp</kbd>, +<span class="file">ntpkey_GQpar_alice.</span><kbd>filestamp</kbd>, which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -<span class="file">ntpkey_gq_</span><kbd>alice</kbd> +<span class="file">ntpkey_gq_alice</span> to this file. -In addition, on each host bob install a soft link +In addition, on each host +<kbd>bob</kbd> +install a soft link from generic <span class="file">ntpkey_gq_</span><kbd>bob</kbd> to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +<code>GQ</code> +scheme updates the +<code>GQ</code> +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. - <p>For the MV scheme, proceed as in the TC scheme to generate keys + <p>For the +<code>MV</code> +scheme, proceed as in the +<code>TC</code> +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -841,9 +793,9 @@ where <kbd>n</kbd> is the number of revokable keys (typically 5) to produce the parameter file -<span class="file">ntpkeys_MVpar_</span><kbd>trish.filestamp</kbd> +<span class="file">ntpkeys_MVpar_trish.</span><kbd>filestamp</kbd> and client key files -<span class="file">ntpkeys_MVkeyd_</span><kbd>trish.filestamp</kbd> +<span class="file">ntpkeys_MVkey</span><kbd>d</kbd> <kbd>_</kbd> <span class="file">trish.</span> <kbd>filestamp</kbd> where <kbd>d</kbd> is the key number (0 < @@ -852,66 +804,199 @@ is the key number (0 < <kbd>n</kbd>). Copy the parameter file to alice and install a soft link from the generic -<span class="file">ntpkey_mv_</span><kbd>alice</kbd> +<span class="file">ntpkey_mv_alice</span> to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -<span class="file">ntpkey_mvkey_</span><kbd>bob</kbd> +<span class="file">ntpkey_mvkey_bob</span> to the client key file. -As the MV scheme is independent of keys and certificates, +As the +<code>MV</code> +scheme is independent of keys and certificates, these files can be refreshed as needed. <h5 class="subsubsection">Command Line Options</h5> <dl> -<dt><code>-c</code> <kbd>scheme</kbd><dd>Select certificate message digest/signature encryption scheme. +<dt><code>-b</code> <code>--imbits</code>= <kbd>modulus</kbd><dd>Set the number of bits in the identity modulus for generating identity keys to +<kbd>modulus</kbd> +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +<br><dt><code>-c</code> <code>--certificate</code>= <kbd>scheme</kbd><dd>Select certificate signature encryption/message digest scheme. The <kbd>scheme</kbd> can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +<code>RSA-MD2</code>, <code>RSA-MD5</code>, <code>RSA-MDC2</code>, <code>RSA-SHA</code>, <code>RSA-SHA1</code>, <code>RSA-RIPEMD160</code>, <code>DSA-SHA</code>, or <code>DSA-SHA1</code>. -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +<code>RSA</code> +schemes must be used with an +<code>RSA</code> +sign key and +<code>DSA</code> +schemes must be used with a +<code>DSA</code> +sign key. The default without this option is <code>RSA-MD5</code>. -<br><dt><code>-d</code><dd>Enable debugging. +If compatibility with FIPS 140-2 is required, either the +<code>DSA-SHA</code> +or +<code>DSA-SHA1</code> +scheme must be used. +<br><dt><code>-C</code> <code>--cipher</code>= <kbd>cipher</kbd><dd>Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three-key triple DES in CBC mode, +<code>des-ede3-cbc</code>. +The +<code>openssl</code> <code>-h</code> +command provided with OpenSSL displays available ciphers. +<br><dt><code>-d</code> <code>--debug-level</code><dd>Increase debugging verbosity level. This option displays the cryptographic data produced in eye-friendly billboards. -<br><dt><code>-e</code><dd>Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -<br><dt><code>-G</code><dd>Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -<br><dt><code>-g</code><dd>Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -<br><dt><code>-H</code><dd>Generate new host keys, obsoleting any that may exist. -<br><dt><code>-I</code><dd>Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -<br><dt><code>-i</code> <kbd>name</kbd><dd>Set the suject name to -<kbd>name</kbd>. -This is used as the subject field in certificates -and in the file name for host and sign keys. -<br><dt><code>-M</code><dd>Generate MD5 keys, obsoleting any that may exist. -<br><dt><code>-P</code><dd>Generate a private certificate. +<br><dt><code>-D</code> <code>--set-debug-level</code>= <kbd>level</kbd><dd>Set the debugging verbosity to +<kbd>level</kbd>. +This option displays the cryptographic data produced in eye-friendly billboards. +<br><dt><code>-e</code> <code>--id-key</code><dd>Write the +<code>IFF</code> +or +<code>GQ</code> +public parameters from the +<kbd>IFFkey</kbd> <kbd>or</kbd> <kbd>GQkey</kbd> +client keys file previously specified +as unencrypted data to the standard output stream +<span class="file">stdout</span>. +This is intended for automatic key distribution by email. +<br><dt><code>-G</code> <code>--gq-params</code><dd>Generate a new encrypted +<code>GQ</code> +parameters and key file for the Guillou-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +<code>-I</code> +and +<code>-V</code> +options. +<br><dt><code>-H</code> <code>--host-key</code><dd>Generate a new encrypted +<code>RSA</code> +public/private host key file. +<br><dt><code>-I</code> <code>--iffkey</code><dd>Generate a new encrypted +<code>IFF</code> +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +<code>-G</code> +and +Fl V +options. +<br><dt><code>-i</code> <code>--ident</code>= <kbd>group</kbd><dd>Set the optional Autokey group name to +<kbd>group</kbd>. +This is used in the identity scheme parameter file names of +<code>IFF</code>, <code>GQ</code>, +and +<code>MV</code> +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +<code>-i</code> +or +<code>-s</code> +following an +@ +character, is also used in certificate subject and issuer names in the form +<kbd>host</kbd> <kbd>@</kbd> <kbd>group</kbd> +and should match the group specified via +<code>crypto</code> <code>ident</code> +or +<code>server</code> <code>ident</code> +in the ntpd configuration file. +<br><dt><code>-l</code> <code>--lifetime</code>= <kbd>days</kbd><dd>Set the lifetime for certificate expiration to +<kbd>days</kbd>. +The default lifetime is one year (365 days). +<br><dt><code>-m</code> <code>--modulus</code>= <kbd>bits</kbd><dd>Set the number of bits in the prime modulus for generating files to +<kbd>bits</kbd>. +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +<br><dt><code>-M</code> <code>--md5key</code><dd>Generate a new symmetric keys file containing 10 +<code>MD5</code> +keys, and if OpenSSL is available, 10 +<code>SHA</code> +keys. +An +<code>MD5</code> +key is a string of 20 random printable ASCII characters, while a +<code>SHA</code> +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. +<br><dt><code>-p</code> <code>--password</code>= <kbd>passwd</kbd><dd>Set the password for reading and writing encrypted files to +<kbd>passwd</kbd>. +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +<code>hostname</code> +command. +<br><dt><code>-P</code> <code>--pvt-cert</code><dd>Generate a new private certificate used by the +<code>PC</code> +identity scheme. By default, the program generates public certificates. -<br><dt><code>-p</code> <kbd>password</kbd><dd>Encrypt generated files containing private data with -<kbd>password</kbd> -and the DES-CBC algorithm. -<br><dt><code>-q</code><dd>Set the password for reading files to password. -<br><dt><code>-S</code> <code>[RSA | DSA]</code><dd>Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -<br><dt><code>-s</code> <kbd>name</kbd><dd>Set the issuer name to -<kbd>name</kbd>. -This is used for the issuer field in certificates -and in the file name for identity files. -<br><dt><code>-T</code><dd>Generate a trusted certificate. +Note: the PC identity scheme is not recommended for new installations. +<br><dt><code>-q</code> <code>--export-passwd</code>= <kbd>passwd</kbd><dd>Set the password for writing encrypted +<code>IFF</code>, <code>GQ</code> <code>and</code> <code>MV</code> +identity files redirected to +<span class="file">stdout</span> +to +<kbd>passwd</kbd>. +In effect, these files are decrypted with the +<code>-p</code> +password, then encrypted with the +<code>-q</code> +password. +By default, the password is the string returned by the Unix +<code>hostname</code> +command. +<br><dt><code>-s</code> <code>--subject-key</code>= <code>[host]</code> <code>[@ </code><kbd>group</kbd><code>]</code><dd>Specify the Autokey host name, where +<kbd>host</kbd> +is the optional host name and +<kbd>group</kbd> +is the optional group name. +The host name, and if provided, group name are used in +<kbd>host</kbd> <kbd>@</kbd> <kbd>group</kbd> +form as certificate subject and issuer. +Specifying +<code>-s</code> <code>-@</code> <kbd>group</kbd> +is allowed, and results in leaving the host name unchanged, as with +<code>-i</code> <kbd>group</kbd>. +The group name, or if no group is provided, the host name are also used in the +file names of +<code>IFF</code>, <code>GQ</code>, +and +<code>MV</code> +identity scheme client parameter files. +If +<kbd>host</kbd> +is not specified, the default host name is the string returned by the Unix +<code>hostname</code> +command. +<br><dt><code>-S</code> <code>--sign-key</code>= <code>[RSA | DSA]</code><dd>Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140-2 is required, the sign key type must be +<code>DSA</code>. +<br><dt><code>-T</code> <code>--trusted-cert</code><dd>Generate a trusted certificate. By default, the program generates a non-trusted certificate. -<br><dt><code>-V</code> <kbd>nkeys</kbd><dd>Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. +<br><dt><code>-V</code> <code>--mv-params</code> <kbd>nkeys</kbd><dd>Generate +<kbd>nkeys</kbd> +encrypted server keys and parameters for the Mu-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +<code>-I</code> +and +<code>-G</code> +options. +Note: support for this option should be considered a work in progress. </dl> <h5 class="subsubsection">Random Seed File</h5> @@ -937,7 +1022,7 @@ but are outside the scope of this page. <p>The entropy seed used by the OpenSSL library is contained in a file, usually called -<code>.rnd</code>, +<span class="file">.rnd</span>, which must be available when starting the NTP daemon or the <code>ntp-keygen</code> @@ -960,47 +1045,122 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -<code>.rnd</code> +<span class="file">.rnd</span> file in the user home directory. +Since both the +<code>ntp-keygen</code> +program and +<code>ntpd(1ntpdmdoc)</code> +daemon must run as root, the logical place to put this file is in +<span class="file">/.rnd</span> +or +<span class="file">/root/.rnd</span>. If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. <h5 class="subsubsection">Cryptographic Data Files</h5> -<p>All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +<p>All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +<span class="file">ntpkey_</span><kbd>key</kbd> <kbd>_</kbd> <kbd>name</kbd>. <kbd>filestamp</kbd>, +where +<kbd>key</kbd> +is the key or parameter type, +<kbd>name</kbd> +is the host or group name and +<kbd>filestamp</kbd> +is the filestamp (NTP seconds) when the file was created. +By convention, +<kbd>key</kbd> +names in generated file names include both upper and lower case +characters, while +<kbd>key</kbd> +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +<span class="file">date</span> +format. +Lines beginning with +# +are considered comments and ignored by the <code>ntp-keygen</code> program and <code>ntpd(1ntpdmdoc)</code> -daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. - - <p>The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format +daemon. + + <p>The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. + + <p>The format of the symmetric keys file, ordinarily named +<span class="file">ntp.keys</span>, +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +<pre class="verbatim"> +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 + +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +</pre> +<pre class="example"> Figure 1. Typical Symmetric Key File +</pre> + <p>Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format <pre class="example"> <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd> </pre> <p>where <kbd>keyno</kbd> -is a positive integer in the range 1-65,535, +is a positive integer in the range 1-65534; <kbd>type</kbd> -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +<code>MD5</code> +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140-2 is required, +the key type must be either +<code>SHA</code> +or +<code>SHA1</code>; <kbd>key</kbd> is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +! +through +~ +) excluding space and the +# +character, and terminated by whitespace or a # -character. +character. +An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which +is truncated as necessary. <p>Note that the keys used by the <code>ntpq(1ntpqmdoc)</code> @@ -1013,8 +1173,8 @@ in human readable ASCII format. <p>The <code>ntp-keygen</code> -program generates a MD5 symmetric keys file -<span class="file">ntpkey_MD5key_</span><kbd>hostname.filestamp</kbd>. +program generates a symmetric keys file +<span class="file">ntpkey_MD5key_</span><kbd>hostname</kbd>. <kbd>filestamp</kbd>. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -1048,13 +1208,13 @@ This software is released under the NTP license, <http://ntp.org/license>. <li><a accesskey="8" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>: iffkey option (-I) <li><a accesskey="9" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>: ident option (-i) <li><a href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>: lifetime option (-l) -<li><a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>: md5key option (-M) <li><a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>: modulus option (-m) +<li><a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>: md5key option (-M) <li><a href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>: pvt-cert option (-P) <li><a href="#ntp_002dkeygen-password">ntp-keygen password</a>: password option (-p) <li><a href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>: export-passwd option (-q) -<li><a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>: sign-key option (-S) <li><a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>: subject-name option (-s) +<li><a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>: sign-key option (-S) <li><a href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>: trusted-cert option (-T) <li><a href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>: mv-params option (-V) <li><a href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>: mv-keys option (-v) @@ -1085,7 +1245,7 @@ the usage text by passing it through a pager program. used to select the program, defaulting to <span class="file">more</span>. Both will exit with a status code of 0. -<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10-beta +<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10 Usage: ntp-keygen [ -<flag> [<val>] | --<name>[{=| }<val>] ]... Flg Arg Option-Name Description -b Num imbits identity modulus bits @@ -1103,15 +1263,15 @@ Usage: ntp-keygen [ -<flag> [<val>] | --<name>[{=| }<val&g -I no iffkey generate IFF parameters -i Str ident set Autokey group name -l Num lifetime set certificate lifetime - -M no md5key generate MD5 keys - -m Num modulus modulus + -m Num modulus prime modulus - it must be in the range: 256 to 2048 + -M no md5key generate symmetric keys -P no pvt-cert generate PC private certificate -p Str password local private password -q Str export-passwd export IFF or GQ group keys with password - -S Str sign-key generate sign key (RSA or DSA) -s Str subject-name set host and optionally group name + -S Str sign-key generate sign key (RSA or DSA) -T no trusted-cert trusted certificate (TC scheme) -V Num mv-params generate <num> MV parameters -v Num mv-keys update <num> MV keys @@ -1174,10 +1334,10 @@ This option takes a string argument <span class="file">scheme</span>. </ul> <p>scheme is one of -RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, +RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160, DSA-SHA, or DSA-SHA1. - <p>Select the certificate message digest/signature encryption scheme. + <p>Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA-MD5. @@ -1202,9 +1362,9 @@ This option takes a string argument <span class="file">cipher</span>. <p>Select the cipher which is used to encrypt the files containing private keys. The default is three-key triple DES in CBC mode, -equivalent to "<code>-C des-ede3-cbc". The openssl tool lists ciphers -available in "openssl -h" output. -</code><div class="node"> +equivalent to "<code>-C des-ede3-cbc</code>". The openssl tool lists ciphers +available in "<code>openssl -h</code>" output. +<div class="node"> <p><hr> <a name="ntp_002dkeygen-id_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>, Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>, @@ -1222,8 +1382,9 @@ This is the “write iff or gq identity keys” option. <li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. </ul> - <p>Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. + <p>Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. <div class="node"> <p><hr> <a name="ntp_002dkeygen-gq_002dparams"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>, @@ -1306,14 +1467,14 @@ This option takes a string argument <span class="file">group</span>. the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using <code>-i/--ident</code> or -using <code>-s/--subject-name</code> following an '<code>}' character, -is also a part of the self-signed host certificate's subject and -issuer names in the form host - <p>'crypto ident' or 'server ident' configuration in -ntpd's configuration file. -</code><div class="node"> +using <code>-s/--subject-name</code> following an '<code>@</code>' character, +is also a part of the self-signed host certificate subject and +issuer names in the form <code>host@group</code> and should match the +'<code>crypto ident</code>' or '<code>server ident</code>' configuration in the +<code>ntpd</code> configuration file. +<div class="node"> <p><hr> -<a name="ntp_002dkeygen-lifetime"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, +<a name="ntp_002dkeygen-lifetime"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> @@ -1322,7 +1483,7 @@ Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen <h4 class="subsection">lifetime option (-l)</h4> <p><a name="index-ntp_002dkeygen_002dlifetime-12"></a> -This is the ``set certificate lifetime'' option. +This is the “set certificate lifetime” option. This option takes a number argument <span class="file">lifetime</span>. <p class="noindent">This option has some usage constraints. It: @@ -1333,29 +1494,16 @@ This option takes a number argument <span class="file">lifetime</span>. <p>Set the certificate expiration to lifetime days from now. <div class="node"> <p><hr> -<a name="ntp_002dkeygen-md5key"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, +<a name="ntp_002dkeygen-modulus"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> </div> -<h4 class="subsection">md5key option (-M)</h4> - -<p><a name="index-ntp_002dkeygen_002dmd5key-13"></a> -This is the ``generate md5 keys'' option. -Generate MD5 keys, obsoleting any that may exist. -<div class="node"> -<p><hr> -<a name="ntp_002dkeygen-modulus"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>, -Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, -Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> -<br> -</div> - <h4 class="subsection">modulus option (-m)</h4> -<p><a name="index-ntp_002dkeygen_002dmodulus-14"></a> -This is the ``modulus'' option. +<p><a name="index-ntp_002dkeygen_002dmodulus-13"></a> +This is the “prime modulus” option. This option takes a number argument <span class="file">modulus</span>. <p class="noindent">This option has some usage constraints. It: @@ -1366,16 +1514,29 @@ This option takes a number argument <span class="file">modulus</span>. <p>The number of bits in the prime modulus. The default is 512. <div class="node"> <p><hr> -<a name="ntp_002dkeygen-pvt_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>, +<a name="ntp_002dkeygen-md5key"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>, Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> </div> +<h4 class="subsection">md5key option (-M)</h4> + +<p><a name="index-ntp_002dkeygen_002dmd5key-14"></a> +This is the “generate symmetric keys” option. +Generate symmetric keys, obsoleting any that may exist. +<div class="node"> +<p><hr> +<a name="ntp_002dkeygen-pvt_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>, +Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> +<br> +</div> + <h4 class="subsection">pvt-cert option (-P)</h4> <p><a name="index-ntp_002dkeygen_002dpvt_002dcert-15"></a> -This is the ``generate pc private certificate'' option. +This is the “generate pc private certificate” option. <p class="noindent">This option has some usage constraints. It: <ul> @@ -1395,7 +1556,7 @@ Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen <h4 class="subsection">password option (-p)</h4> <p><a name="index-ntp_002dkeygen_002dpassword-16"></a> -This is the ``local private password'' option. +This is the “local private password” option. This option takes a string argument <span class="file">passwd</span>. <p class="noindent">This option has some usage constraints. It: @@ -1410,7 +1571,7 @@ configuration command. The default password is the local hostname. <div class="node"> <p><hr> -<a name="ntp_002dkeygen-export_002dpasswd"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, +<a name="ntp_002dkeygen-export_002dpasswd"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-password">ntp-keygen password</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> @@ -1419,7 +1580,7 @@ Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen <h4 class="subsection">export-passwd option (-q)</h4> <p><a name="index-ntp_002dkeygen_002dexport_002dpasswd-17"></a> -This is the ``export iff or gq group keys with password'' option. +This is the “export iff or gq group keys with password” option. This option takes a string argument <span class="file">passwd</span>. <p class="noindent">This option has some usage constraints. It: @@ -1431,62 +1592,62 @@ This option takes a string argument <span class="file">passwd</span>. encrypted with the DES-CBC algorithm and the specified password. The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option ---id-key (-e) for unencrypted exports. +–id-key (-e) for unencrypted exports. <div class="node"> <p><hr> -<a name="ntp_002dkeygen-sign_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, +<a name="ntp_002dkeygen-subject_002dname"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> </div> -<h4 class="subsection">sign-key option (-S)</h4> +<h4 class="subsection">subject-name option (-s)</h4> -<p><a name="index-ntp_002dkeygen_002dsign_002dkey-18"></a> -This is the ``generate sign key (rsa or dsa)'' option. -This option takes a string argument <span class="file">sign</span>. +<p><a name="index-ntp_002dkeygen_002dsubject_002dname-18"></a> +This is the “set host and optionally group name” option. +This option takes a string argument <span class="file">host@group</span>. <p class="noindent">This option has some usage constraints. It: <ul> <li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. </ul> - <p>Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. + <p>Set the Autokey host name, and optionally, group name specified +following an '<code>@</code>' character. The host name is used in the file +name of generated host and signing certificates, without the +group name. The host name, and if provided, group name are used +in <code>host@group</code> form for the host certificate subject and issuer +fields. Specifying '<code>-s @group</code>' is allowed, and results in +leaving the host name unchanged while appending <code>@group</code> to the +subject and issuer fields, as with <code>-i group</code>. The group name, or +if not provided, the host name are also used in the file names +of IFF, GQ, and MV client parameter files. <div class="node"> <p><hr> -<a name="ntp_002dkeygen-subject_002dname"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>, -Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, +<a name="ntp_002dkeygen-sign_002dkey"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> </div> -<h4 class="subsection">subject-name option (-s)</h4> +<h4 class="subsection">sign-key option (-S)</h4> -<p><a name="index-ntp_002dkeygen_002dsubject_002dname-19"></a> -This is the ``set host and optionally group name'' option. -This option takes a string argument <span class="file">host@group</span>. +<p><a name="index-ntp_002dkeygen_002dsign_002dkey-19"></a> +This is the “generate sign key (rsa or dsa)” option. +This option takes a string argument <span class="file">sign</span>. <p class="noindent">This option has some usage constraints. It: <ul> <li>must be compiled in by defining <code>AUTOKEY</code> during the compilation. </ul> - <p>Set the Autokey host name, and optionally, group name specified -following an '<code>}' character. The host name is used in the file -name of generated host and signing certificates, without the -group name. The host name, and if provided, group name are used -in host - <p>fields. Specifying '-s - <p>leaving the host name unchanged while appending - <p>subject and issuer fields, as with -i group. The group name, or -if not provided, the host name are also used in the file names -of IFF, GQ, and MV client parameter files. -</code><div class="node"> + <p>Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. +<div class="node"> <p><hr> <a name="ntp_002dkeygen-trusted_002dcert"></a>Next: <a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>, -Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>, +Previous: <a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>, Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a> <br> </div> @@ -1494,7 +1655,7 @@ Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen <h4 class="subsection">trusted-cert option (-T)</h4> <p><a name="index-ntp_002dkeygen_002dtrusted_002dcert-20"></a> -This is the ``trusted certificate (tc scheme)'' option. +This is the “trusted certificate (tc scheme)” option. <p class="noindent">This option has some usage constraints. It: <ul> @@ -1514,7 +1675,7 @@ Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen <h4 class="subsection">mv-params option (-V)</h4> <p><a name="index-ntp_002dkeygen_002dmv_002dparams-21"></a> -This is the ``generate <num> mv parameters'' option. +This is the “generate <num> mv parameters” option. This option takes a number argument <span class="file">num</span>. <p class="noindent">This option has some usage constraints. It: @@ -1535,7 +1696,7 @@ Up: <a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen <h4 class="subsection">mv-keys option (-v)</h4> <p><a name="index-ntp_002dkeygen_002dmv_002dkeys-22"></a> -This is the ``update <num> mv keys'' option. +This is the “update <num> mv keys” option. This option takes a number argument <span class="file">num</span>. <p class="noindent">This option has some usage constraints. It: diff --git a/contrib/ntp/util/ntp-keygen.man.in b/contrib/ntp/util/ntp-keygen.man.in index bf2bb4a..71dcaa5 100644 --- a/contrib/ntp/util/ntp-keygen.man.in +++ b/contrib/ntp/util/ntp-keygen.man.in @@ -10,11 +10,11 @@ .ds B-Font B .ds I-Font I .ds R-Font R -.TH ntp-keygen @NTP_KEYGEN_MS@ "21 Mar 2017" "ntp (4.2.8p10)" "User Commands" +.TH ntp-keygen @NTP_KEYGEN_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands" .\" -.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-uUaiiy/ag-lVaahy) +.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bBa46V/ag-nBaW5V) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:54 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:53 PM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agman-cmd.tpl .SH NAME @@ -36,30 +36,33 @@ All arguments must be options. .SH DESCRIPTION This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .sp \n(Ppu .ne 2 -All files are in PEM-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. .sp \n(Ppu .ne 2 -When used to generate message digest keys, the program produces a file -containing ten pseudo-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -83,27 +86,38 @@ other than Autokey. Some files used by this program are encrypted using a private password. The \f\*[B-Font]\-p\f[] -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the \f\*[B-Font]\-q\f[] -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -\fBgethostname\f[]\fR()\f[] -function, normally the DNS name of the host is used. +\fChostname\f[]\fR(1)\f[] +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +\f\*[B-Font]ntp-keygen\fP +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. .sp \n(Ppu .ne 2 The -\f\*[I-Font]pw\f[] +\f\*[B-Font]pw\f[] option of the -\f\*[I-Font]crypto\f[] +\f\*[B-Font]crypto\f[] +\fCntpd\f[]\fR(@NTPD_MS@)\f[] configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -\f\*[I-Font]ntpd\f[] -without password but only on the same host. +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. .sp \n(Ppu .ne 2 @@ -111,215 +125,102 @@ Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -\f\*[I-Font]ntp.keys\f[], +\fIntp.keys\f[], is usually installed in \fI/etc\f[]. Other files and links are usually installed in \fI/usr/local/etc\f[], which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -\f\*[I-Font]keysdir\f[] -configuration command in such cases. -Normally, this is in -\fI/etc\f[]. +In these cases, NFS clients can specify the files in another +directory such as +\fI/etc\f[] +using the +\f\*[B-Font]keysdir\f[] +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +configuration file command. .sp \n(Ppu .ne 2 This program directs commentary and error messages to the standard error stream -\f\*[I-Font]stderr\f[] +\fIstderr\f[] and remote files to the standard output stream -\f\*[I-Font]stdout\f[] +\fIstdout\f[] where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -\f\*[I-Font]ntpkey\f[] +\fIntpkey\&*\f[] and include the file type, generating host and filestamp, as described in the -\*[Lq]Cryptographic Data Files\*[Rq] +\fICryptographic Data Files\f[] section below. .SS Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -\fI/usr/local/etc\f[] -When run for the first time, or if all files with names beginning with -\f\*[I-Font]ntpkey\f[] -have been removed, use the -\f\*[B-Font]ntp-keygen\fP -command without arguments to generate a -default RSA host key and matching RSA-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.sp \n(Ppu -.ne 2 - -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using +The safest way to run the \f\*[B-Font]ntp-keygen\fP -with the -\f\*[B-Font]\-T\f[] -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.sp \n(Ppu -.ne 2 - -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -\f\*[B-Font]\-S\f[] -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -\f\*[B-Font]\-c\f[] -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken-and-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball-and-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re-generated. -.sp \n(Ppu -.ne 2 - -Additional information on trusted groups and identity schemes is on the -\*[Lq]Autokey Public-Key Authentication\*[Rq] -page. -.sp \n(Ppu -.ne 2 - -The -\fCntpd\f[]\fR(@NTPD_MS@)\f[] -configuration command -\f\*[B-Font]crypto\f[] \f\*[B-Font]pw\f[] \f\*[I-Font]password\f[] -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.sp \n(Ppu -.ne 2 - -File names begin with the prefix -\f\*[B-Font]ntpkey_\f[] -and end with the postfix -\f\*[I-Font]_hostname.filestamp\f[], -where -\f\*[I-Font]hostname\f[] -is the owner name, usually the string returned -by the Unix gethostname() routine, and -\f\*[I-Font]filestamp\f[] -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -\f\*[B-Font]rm\f[] \f\*[B-Font]ntpkey\&*\f[] -command or all files generated -at a specific time can be removed by a -\f\*[B-Font]rm\f[] -\f\*[I-Font]\&*filestamp\f[] -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.sp \n(Ppu -.ne 2 - -All files are installed by default in the keys directory +program is logged in directly as root. +The recommended procedure is change to the +\f\*[I-Font]keys\f[] +directory, usually \fI/usr/local/etc\f[], -which is normally in a shared filesystem -in NFS-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.sp \n(Ppu -.ne 2 - -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. +then run the program. .sp \n(Ppu .ne 2 -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -\fCntpd\f[]\fR(@NTPD_MS@)\f[] -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -\f\*[B-Font]ntp-keygen\fP -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.SS Running the program -The safest way to run the +To test and gain experience with Autokey concepts, log in as root and +change to the +\f\*[I-Font]keys\f[] +directory, usually +\fI/usr/local/etc\f[]. +When run for the first time, or if all files with names beginning with +\fIntpkey\&*\f[] +have been removed, use the \f\*[B-Font]ntp-keygen\fP -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -\fI/usr/local/etc\f[], -then run the program. -When run for the first time, -or if all -\f\*[B-Font]ntpkey\f[] -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, +command without arguments to generate a default +\f\*[B-Font]RSA\f[] +host key and matching +\f\*[B-Font]RSA-MD5\f[] +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. .sp \n(Ppu .ne 2 -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +\f\*[B-Font]RSA\f[] +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +\f\*[B-Font]RSA\f[] +or +\f\*[B-Font]DSA\f[] +type. +By default, the message digest type is +\f\*[B-Font]MD5\f[], +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +\f\*[B-Font]AES128CMAC\f[], \f\*[B-Font]MD2\f[], \f\*[B-Font]MD5\f[], \f\*[B-Font]MDC2\f[], \f\*[B-Font]SHA\f[], \f\*[B-Font]SHA1\f[] +and +\f\*[B-Font]RIPE160\f[] +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +\f\*[B-Font]RSA\f[] +sign keys; +however, only +\f\*[B-Font]SHA\f[] +and +\f\*[B-Font]SHA1\f[] +certificates are compatible with +\f\*[B-Font]DSA\f[] +sign keys. .sp \n(Ppu .ne 2 @@ -334,19 +235,19 @@ as the other files, are probably not compatible with anything other than Autokey .ne 2 Running the program as other than root and using the Unix -\f\*[B-Font]su\f[] +\fCsu\f[]\fR(1)\f[] command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -\f\*[B-Font].rnd\f[] +\fI.rnd\f[] in the user home directory. However, there should be only one -\f\*[B-Font].rnd\f[], +\fI.rnd\f[], most conveniently in the root directory, so it is convenient to define the -\f\*[B-Font]$RANDFILE\f[] +RANDFILE environment variable used by the OpenSSL library as the path to -\f\*[B-Font]/.rnd\f[]. +\fI.rnd\f[]. .sp \n(Ppu .ne 2 @@ -358,7 +259,8 @@ directory such as \fI/etc\f[] using the \f\*[B-Font]keysdir\f[] -command. +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -397,8 +299,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +\f\*[I-Font]hostname\f[] +and +\f\*[I-Font]filestamp\f[] +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. .sp \n(Ppu .ne 2 @@ -409,116 +314,121 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +follows it to the file name to extract the +\f\*[I-Font]filestamp\f[]. If a link is not present, \fCntpd\f[]\fR(@NTPD_MS@)\f[] -extracts the filestamp from the file itself. +extracts the +\f\*[I-Font]filestamp\f[] +from the file itself. This allows clients to verify that the file and generation times are always current. The \f\*[B-Font]ntp-keygen\fP -program uses the same timestamp extension for all files generated +program uses the same +\f\*[I-Font]filestamp\f[] +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -.SS Running the program -The safest way to run the -\f\*[B-Font]ntp-keygen\fP -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -\fI/usr/local/etc\f[], -then run the program. -When run for the first time, -or if all -\f\*[B-Font]ntpkey\f[] -files have been removed, -the program generates a RSA host key file and matching RSA-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. .sp \n(Ppu .ne 2 -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using +\f\*[B-Font]ntp-keygen\fP +with the +\f\*[B-Font]\-T\f[] +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. .sp \n(Ppu .ne 2 -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +\f\*[B-Font]\-S\f[] +option and this can be either +\f\*[B-Font]RSA\f[] +or +\f\*[B-Font]DSA\f[] +type. +By default, the signature +message digest type is +\f\*[B-Font]MD5\f[], +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +\f\*[B-Font]\-c\f[] +option. .sp \n(Ppu .ne 2 -Running the program as other than root and using the Unix -\f\*[B-Font]su\f[] -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -\f\*[B-Font].rnd\f[] -in the user home directory. -However, there should be only one -\f\*[B-Font].rnd\f[], -most conveniently -in the root directory, so it is convenient to define the -\f\*[B-Font]$RANDFILE\f[] -environment variable used by the OpenSSL library as the path to -\f\*[B-Font]/.rnd\f[]. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken-and-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball-and-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re-generated. .sp \n(Ppu .ne 2 -Installing the keys as root might not work in NFS-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -\fI/etc\f[] -using the -\f\*[B-Font]keysdir\f[] -command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. +Additional information on trusted groups and identity schemes is on the +\*[Lq]Autokey Public-Key Authentication\*[Rq] +page. .sp \n(Ppu .ne 2 -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups +File names begin with the prefix +\fIntpkey\f[]_ +and end with the suffix +\fI_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[], +where +\f\*[I-Font]hostname\f[] +is the owner name, usually the string returned +by the Unix +\fChostname\f[]\fR(1)\f[] +command, and +\f\*[I-Font]filestamp\f[] +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +\f\*[B-Font]rm\f[] \fIntpkey\&*\f[] +command or all files generated +at a specific time can be removed by a +\f\*[B-Font]rm\f[] \fI\&*\f[]\f\*[I-Font]filestamp\f[] +command. +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. +.SS Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the \fIAuthentication\f[] \fIOptions\f[] section of \fCntp.conf\f[]\fR(5)\f[]. -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +\f\*[B-Font]RSA\f[] +encryption, +\f\*[B-Font]MD5\f[] +message digest +and +\f\*[B-Font]TC\f[] +identification. First, configure a NTP subnet including one or more low-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -538,7 +448,7 @@ section of On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -\f\*[B-Font]ntpkey\f[] +\fIntpkey\f[] files. Then run \f\*[B-Font]ntp-keygen\fP @@ -565,7 +475,9 @@ is either \f\*[B-Font]RSA\f[] or \f\*[B-Font]DSA\f[]. -The most often need to do this is when a DSA-signed certificate is used. +The most frequent need to do this is when a +\f\*[B-Font]DSA\f[]\-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run \f\*[B-Font]ntp-keygen\fP @@ -574,10 +486,10 @@ with the option and selected \f\*[I-Font]scheme\f[] as needed. -f +If \f\*[B-Font]ntp-keygen\fP is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. .sp \n(Ppu .ne 2 @@ -586,7 +498,7 @@ from time to time, if only to extend the validity interval. Simply run \f\*[B-Font]ntp-keygen\fP with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, \fCntpd\f[]\fR(@NTPD_MS@)\f[] should be restarted. @@ -597,13 +509,15 @@ Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. .SS Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +\f\*[B-Font]TC\f[] +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -"Identification Schemes" -page -(maybe available at -\f[C]http://www.eecis.udel.edu/%7emills/keygen.html\f[]). +including +\f\*[B-Font]PC\f[], \f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[] +and +\f\*[B-Font]MV\f[] +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -632,12 +546,15 @@ On trusted host alice run \f\*[B-Font]\-P\f[] \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] to generate the host key file -\fIntpkey_RSAkey_\f[]\f\*[I-Font]alice.filestamp\f[] +\fIntpkey\f[]_ \f\*[B-Font]RSA\f[] \fIkey_alice.\f[] \f\*[I-Font]filestamp\f[] and trusted private certificate file -\fIntpkey_RSA-MD5_cert_\f[]\f\*[I-Font]alice.filestamp\f[]. +\fIntpkey\f[]_ \f\*[B-Font]RSA-MD5\f[] \f\*[B-Font]_\f[] \fIcert_alice.\f[] \f\*[I-Font]filestamp\f[], +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +\f\*[I-Font]bob\f[] +install a soft link from the generic name \fIntpkey_host_\f[]\f\*[I-Font]bob\f[] to the host key file and soft link \fIntpkey_cert_\f[]\f\*[I-Font]bob\f[] @@ -646,28 +563,36 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. .sp \n(Ppu .ne 2 -For the IFF scheme proceed as in the TC scheme to generate keys +For the +\f\*[B-Font]IFF\f[] +scheme proceed as in the +\f\*[B-Font]TC\f[] +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +\f\*[B-Font]IFF\f[] +parameter file. On trusted host alice run \f\*[B-Font]ntp-keygen\fP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-I\f[] \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] to produce her parameter file -\fIntpkey_IFFpar_\f[]\f\*[I-Font]alice.filestamp\f[], +\fIntpkey_IFFpar_alice.\f[]\f\*[I-Font]filestamp\f[], which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_iff_alice\f[] to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +\f\*[B-Font]IFF\f[] +scheme is independent of keys and certificates, these files can be refreshed as needed. .sp \n(Ppu .ne 2 @@ -679,41 +604,57 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run \f\*[B-Font]ntp-keygen\fP \f\*[B-Font]\-e\f[] -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_iff_alice\f[] to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. .sp \n(Ppu .ne 2 -For the GQ scheme proceed as in the TC scheme to generate keys +For the +\f\*[B-Font]GQ\f[] +scheme proceed as in the +\f\*[B-Font]TC\f[] +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +\f\*[B-Font]IFF\f[] +parameter file. On trusted host alice run \f\*[B-Font]ntp-keygen\fP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-G\f[] \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] to produce her parameter file -\fIntpkey_GQpar_\f[]\f\*[I-Font]alice.filestamp\f[], +\fIntpkey_GQpar_alice.\f[]\f\*[I-Font]filestamp\f[], which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -\fIntpkey_gq_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_gq_alice\f[] to this file. -In addition, on each host bob install a soft link +In addition, on each host +\f\*[I-Font]bob\f[] +install a soft link from generic \fIntpkey_gq_\f[]\f\*[I-Font]bob\f[] to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +\f\*[B-Font]GQ\f[] +scheme updates the +\f\*[B-Font]GQ\f[] +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. .sp \n(Ppu .ne 2 -For the MV scheme, proceed as in the TC scheme to generate keys +For the +\f\*[B-Font]MV\f[] +scheme, proceed as in the +\f\*[B-Font]TC\f[] +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -725,9 +666,9 @@ where \f\*[I-Font]n\f[] is the number of revokable keys (typically 5) to produce the parameter file -\fIntpkeys_MVpar_\f[]\f\*[I-Font]trish.filestamp\f[] +\fIntpkeys_MVpar_trish.\f[]\f\*[I-Font]filestamp\f[] and client key files -\fIntpkeys_MVkeyd_\f[]\f\*[I-Font]trish.filestamp\f[] +\fIntpkeys_MVkey\f[]\f\*[I-Font]d\f[] \f\*[I-Font]_\f[] \fItrish.\f[] \f\*[I-Font]filestamp\f[] where \f\*[I-Font]d\f[] is the key number (0 \&< @@ -736,95 +677,236 @@ is the key number (0 \&< \f\*[I-Font]n\f[]). Copy the parameter file to alice and install a soft link from the generic -\fIntpkey_mv_\f[]\f\*[I-Font]alice\f[] +\fIntpkey_mv_alice\f[] to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -\fIntpkey_mvkey_\f[]\f\*[I-Font]bob\f[] +\fIntpkey_mvkey_bob\f[] to the client key file. -As the MV scheme is independent of keys and certificates, +As the +\f\*[B-Font]MV\f[] +scheme is independent of keys and certificates, these files can be refreshed as needed. .SS Command Line Options .TP 7 -.NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]scheme\f[] -Select certificate message digest/signature encryption scheme. +.NOP \f\*[B-Font]\-b\f[] \f\*[B-Font]\-\-imbits\f[]= \f\*[I-Font]modulus\f[] +Set the number of bits in the identity modulus for generating identity keys to +\f\*[I-Font]modulus\f[] +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.TP 7 +.NOP \f\*[B-Font]\-c\f[] \f\*[B-Font]\-\-certificate\f[]= \f\*[I-Font]scheme\f[] +Select certificate signature encryption/message digest scheme. The \f\*[I-Font]scheme\f[] can be one of the following: -. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA , +\f\*[B-Font]RSA-MD2\f[], \f\*[B-Font]RSA-MD5\f[], \f\*[B-Font]RSA-MDC2\f[], \f\*[B-Font]RSA-SHA\f[], \f\*[B-Font]RSA-SHA1\f[], \f\*[B-Font]RSA-RIPEMD160\f[], \f\*[B-Font]DSA-SHA\f[], or \f\*[B-Font]DSA-SHA1\f[]. -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +\f\*[B-Font]RSA\f[] +schemes must be used with an +\f\*[B-Font]RSA\f[] +sign key and +\f\*[B-Font]DSA\f[] +schemes must be used with a +\f\*[B-Font]DSA\f[] +sign key. The default without this option is \f\*[B-Font]RSA-MD5\f[]. +If compatibility with FIPS 140-2 is required, either the +\f\*[B-Font]DSA-SHA\f[] +or +\f\*[B-Font]DSA-SHA1\f[] +scheme must be used. .TP 7 -.NOP \f\*[B-Font]\-d\f[] -Enable debugging. +.NOP \f\*[B-Font]\-C\f[] \f\*[B-Font]\-\-cipher\f[]= \f\*[I-Font]cipher\f[] +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three-key triple DES in CBC mode, +\f\*[B-Font]des-ede3-cbc\f[]. +The +\f\*[B-Font]openssl\f[] \f\*[B-Font]\-h\f[] +command provided with OpenSSL displays available ciphers. +.TP 7 +.NOP \f\*[B-Font]\-d\f[] \f\*[B-Font]\-\-debug-level\f[] +Increase debugging verbosity level. This option displays the cryptographic data produced in eye-friendly billboards. .TP 7 -.NOP \f\*[B-Font]\-e\f[] -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. +.NOP \f\*[B-Font]\-D\f[] \f\*[B-Font]\-\-set-debug-level\f[]= \f\*[I-Font]level\f[] +Set the debugging verbosity to +\f\*[I-Font]level\f[]. +This option displays the cryptographic data produced in eye-friendly billboards. .TP 7 -.NOP \f\*[B-Font]\-G\f[] -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. +.NOP \f\*[B-Font]\-e\f[] \f\*[B-Font]\-\-id-key\f[] +Write the +\f\*[B-Font]IFF\f[] +or +\f\*[B-Font]GQ\f[] +public parameters from the +\f\*[I-Font]IFFkey\f[] \f\*[I-Font]or\f[] \f\*[I-Font]GQkey\f[] +client keys file previously specified +as unencrypted data to the standard output stream +\fIstdout\f[]. +This is intended for automatic key distribution by email. .TP 7 -.NOP \f\*[B-Font]\-g\f[] -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. +.NOP \f\*[B-Font]\-G\f[] \f\*[B-Font]\-\-gq-params\f[] +Generate a new encrypted +\f\*[B-Font]GQ\f[] +parameters and key file for the Guillou-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +\f\*[B-Font]\-I\f[] +and +\f\*[B-Font]\-V\f[] +options. .TP 7 -.NOP \f\*[B-Font]\-H\f[] -Generate new host keys, obsoleting any that may exist. +.NOP \f\*[B-Font]\-H\f[] \f\*[B-Font]\-\-host-key\f[] +Generate a new encrypted +\f\*[B-Font]RSA\f[] +public/private host key file. .TP 7 -.NOP \f\*[B-Font]\-I\f[] -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. +.NOP \f\*[B-Font]\-I\f[] \f\*[B-Font]\-\-iffkey\f[] +Generate a new encrypted +\f\*[B-Font]IFF\f[] +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +\f\*[B-Font]\-G\f[] +and +Fl V +options. .TP 7 -.NOP \f\*[B-Font]\-i\f[] \f\*[I-Font]name\f[] -Set the suject name to -\f\*[I-Font]name\f[]. -This is used as the subject field in certificates -and in the file name for host and sign keys. +.NOP \f\*[B-Font]\-i\f[] \f\*[B-Font]\-\-ident\f[]= \f\*[I-Font]group\f[] +Set the optional Autokey group name to +\f\*[I-Font]group\f[]. +This is used in the identity scheme parameter file names of +\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[], +and +\f\*[B-Font]MV\f[] +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +\f\*[B-Font]\-i\f[] +or +\f\*[B-Font]\-s\f[] +following an +\[oq]@@\[cq] +character, is also used in certificate subject and issuer names in the form +\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[] +and should match the group specified via +\f\*[B-Font]crypto\f[] \f\*[B-Font]ident\f[] +or +\f\*[B-Font]server\f[] \f\*[B-Font]ident\f[] +in the ntpd configuration file. .TP 7 -.NOP \f\*[B-Font]\-M\f[] -Generate MD5 keys, obsoleting any that may exist. +.NOP \f\*[B-Font]\-l\f[] \f\*[B-Font]\-\-lifetime\f[]= \f\*[I-Font]days\f[] +Set the lifetime for certificate expiration to +\f\*[I-Font]days\f[]. +The default lifetime is one year (365 days). .TP 7 -.NOP \f\*[B-Font]\-P\f[] -Generate a private certificate. -By default, the program generates public certificates. +.NOP \f\*[B-Font]\-m\f[] \f\*[B-Font]\-\-modulus\f[]= \f\*[I-Font]bits\f[] +Set the number of bits in the prime modulus for generating files to +\f\*[I-Font]bits\f[]. +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. .TP 7 -.NOP \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] -Encrypt generated files containing private data with -\f\*[I-Font]password\f[] -and the DES-CBC algorithm. +.NOP \f\*[B-Font]\-M\f[] \f\*[B-Font]\-\-md5key\f[] +Generate a new symmetric keys file containing 10 +\f\*[B-Font]MD5\f[] +keys, and if OpenSSL is available, 10 +\f\*[B-Font]SHA\f[] +keys. +An +\f\*[B-Font]MD5\f[] +key is a string of 20 random printable ASCII characters, while a +\f\*[B-Font]SHA\f[] +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. .TP 7 -.NOP \f\*[B-Font]\-q\f[] -Set the password for reading files to password. +.NOP \f\*[B-Font]\-p\f[] \f\*[B-Font]\-\-password\f[]= \f\*[I-Font]passwd\f[] +Set the password for reading and writing encrypted files to +\f\*[I-Font]passwd\f[]. +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +\f\*[B-Font]hostname\f[] +command. .TP 7 -.NOP \f\*[B-Font]\-S\f[] [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]] -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. +.NOP \f\*[B-Font]\-P\f[] \f\*[B-Font]\-\-pvt-cert\f[] +Generate a new private certificate used by the +\f\*[B-Font]PC\f[] +identity scheme. +By default, the program generates public certificates. +Note: the PC identity scheme is not recommended for new installations. .TP 7 -.NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]name\f[] -Set the issuer name to -\f\*[I-Font]name\f[]. -This is used for the issuer field in certificates -and in the file name for identity files. +.NOP \f\*[B-Font]\-q\f[] \f\*[B-Font]\-\-export-passwd\f[]= \f\*[I-Font]passwd\f[] +Set the password for writing encrypted +\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[] \f\*[B-Font]and\f[] \f\*[B-Font]MV\f[] +identity files redirected to +\fIstdout\f[] +to +\f\*[I-Font]passwd\f[]. +In effect, these files are decrypted with the +\f\*[B-Font]\-p\f[] +password, then encrypted with the +\f\*[B-Font]\-q\f[] +password. +By default, the password is the string returned by the Unix +\f\*[B-Font]hostname\f[] +command. .TP 7 -.NOP \f\*[B-Font]\-T\f[] +.NOP \f\*[B-Font]\-s\f[] \f\*[B-Font]\-\-subject-key\f[]= [host] [@@ \f\*[I-Font]group\f[]] +Specify the Autokey host name, where +\f\*[I-Font]host\f[] +is the optional host name and +\f\*[I-Font]group\f[] +is the optional group name. +The host name, and if provided, group name are used in +\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[] +form as certificate subject and issuer. +Specifying +\f\*[B-Font]\-s\f[] \f\*[B-Font]\-@@\f[] \f\*[I-Font]group\f[] +is allowed, and results in leaving the host name unchanged, as with +\f\*[B-Font]\-i\f[] \f\*[I-Font]group\f[]. +The group name, or if no group is provided, the host name are also used in the +file names of +\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[], +and +\f\*[B-Font]MV\f[] +identity scheme client parameter files. +If +\f\*[I-Font]host\f[] +is not specified, the default host name is the string returned by the Unix +\f\*[B-Font]hostname\f[] +command. +.TP 7 +.NOP \f\*[B-Font]\-S\f[] \f\*[B-Font]\-\-sign-key\f[]= [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]] +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140-2 is required, the sign key type must be +\f\*[B-Font]DSA\f[]. +.TP 7 +.NOP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-\-trusted-cert\f[] Generate a trusted certificate. By default, the program generates a non-trusted certificate. .TP 7 -.NOP \f\*[B-Font]\-V\f[] \f\*[I-Font]nkeys\f[] -Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme. +.NOP \f\*[B-Font]\-V\f[] \f\*[B-Font]\-\-mv-params\f[] \f\*[I-Font]nkeys\f[] +Generate +\f\*[I-Font]nkeys\f[] +encrypted server keys and parameters for the Mu-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +\f\*[B-Font]\-I\f[] +and +\f\*[B-Font]\-G\f[] +options. +Note: support for this option should be considered a work in progress. .PP .SS Random Seed File All cryptographically sound key generation schemes must have means @@ -852,7 +934,7 @@ but are outside the scope of this page. The entropy seed used by the OpenSSL library is contained in a file, usually called -\f\*[B-Font].rnd\f[], +\fI.rnd\f[], which must be available when starting the NTP daemon or the \f\*[B-Font]ntp-keygen\fP @@ -875,48 +957,131 @@ If the RANDFILE environment variable is not present, the library will look for the -\f\*[B-Font].rnd\f[] +\fI.rnd\f[] file in the user home directory. +Since both the +\f\*[B-Font]ntp-keygen\fP +program and +\fCntpd\f[]\fR(@NTPD_MS@)\f[] +daemon must run as root, the logical place to put this file is in +\fI/.rnd\f[] +or +\fI/root/.rnd\f[]. If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. .SS Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +\fIntpkey_\f[]\f\*[I-Font]key\f[] \f\*[I-Font]_\f[] \f\*[I-Font]name\f[]. \f\*[I-Font]filestamp\f[], +where +\f\*[I-Font]key\f[] +is the key or parameter type, +\f\*[I-Font]name\f[] +is the host or group name and +\f\*[I-Font]filestamp\f[] +is the filestamp (NTP seconds) when the file was created. +By convention, +\f\*[I-Font]key\f[] +names in generated file names include both upper and lower case +characters, while +\f\*[I-Font]key\f[] +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +\fIdate\f[] +format. +Lines beginning with +\[oq]#\[cq] +are considered comments and ignored by the \f\*[B-Font]ntp-keygen\fP program and \fCntpd\f[]\fR(@NTPD_MS@)\f[] daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM-encoded -printable ASCII format preceded and followed by MIME content identifier lines. .sp \n(Ppu .ne 2 -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. +.sp \n(Ppu +.ne 2 + +The format of the symmetric keys file, ordinarily named +\fIntp.keys\f[], +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +.br +.in +4 +.nf +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o}3i@@@@V@@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +.in -4 +.fi +.in +4 +Figure 1. Typical Symmetric Key File +.in -4 +.sp \n(Ppu +.ne 2 + +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format .in +4 \f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[] .in -4 where \f\*[I-Font]keyno\f[] -is a positive integer in the range 1-65,535, +is a positive integer in the range 1-65534; \f\*[I-Font]type\f[] -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +\f\*[B-Font]MD5\f[] +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140-2 is required, +the key type must be either +\f\*[B-Font]SHA\f[] +or +\f\*[B-Font]SHA1\f[]; \f\*[I-Font]key\f[] is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +\[oq]\[cq]! +through +\[oq]~\[cq] +\&) excluding space and the +\[oq]#\[cq] +character, and terminated by whitespace or a \[oq]#\[cq] character. +An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which +is truncated as necessary. .sp \n(Ppu .ne 2 @@ -933,8 +1098,8 @@ in human readable ASCII format. The \f\*[B-Font]ntp-keygen\fP -program generates a MD5 symmetric keys file -\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname.filestamp\f[]. +program generates a symmetric keys file +\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[]. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -973,10 +1138,10 @@ The number of bits in the identity modulus. The default is 256. certificate scheme. .sp scheme is one of -RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160, +RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160, DSA-SHA, or DSA-SHA1. .sp -Select the certificate message digest/signature encryption scheme. +Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA-MD5. @@ -986,7 +1151,7 @@ privatekey cipher. .sp Select the cipher which is used to encrypt the files containing private keys. The default is three-key triple DES in CBC mode, -equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers +equivalent to "\fB-C des-ede3-cbc\fP". The openssl tool lists ciphers available in "\fBopenssl \-h\fP" output. .TP .NOP \f\*[B-Font]\-d\f[], \f\*[B-Font]\-\-debug\-level\f[] @@ -1003,8 +1168,9 @@ This option takes an integer number as its argument. .NOP \f\*[B-Font]\-e\f[], \f\*[B-Font]\-\-id\-key\f[] Write IFF or GQ identity keys. .sp -Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. +Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. .TP .NOP \f\*[B-Font]\-G\f[], \f\*[B-Font]\-\-gq\-params\f[] Generate GQ parameters and keys. @@ -1030,11 +1196,11 @@ Set the optional Autokey group name to name. This is used in the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using \fB-i/--ident\fP or -using \fB-s/--subject-name\fP following an '\fB@\fP' character, -is also a part of the self-signed host certificate's subject and -issuer names in the form \fBhost@group\fP and should match the -'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in -\fBntpd\fP's configuration file. +using \fB-s/--subject-name\fP following an '\fB@@\fP' character, +is also a part of the self-signed host certificate subject and +issuer names in the form \fBhost@@group\fP and should match the +'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the +\fBntpd\fP configuration file. .TP .NOP \f\*[B-Font]\-l\f[] \f\*[I-Font]lifetime\f[], \f\*[B-Font]\-\-lifetime\f[]=\f\*[I-Font]lifetime\f[] set certificate lifetime. @@ -1042,13 +1208,8 @@ This option takes an integer number as its argument. .sp Set the certificate expiration to lifetime days from now. .TP -.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[] -generate MD5 keys. -.sp -Generate MD5 keys, obsoleting any that may exist. -.TP .NOP \f\*[B-Font]\-m\f[] \f\*[I-Font]modulus\f[], \f\*[B-Font]\-\-modulus\f[]=\f\*[I-Font]modulus\f[] -modulus. +prime modulus. This option takes an integer number as its argument. The value of \f\*[I-Font]modulus\f[] @@ -1062,6 +1223,11 @@ in the range 256 through 2048 .sp The number of bits in the prime modulus. The default is 512. .TP +.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[] +generate symmetric keys. +.sp +Generate symmetric keys, obsoleting any that may exist. +.TP .NOP \f\*[B-Font]\-P\f[], \f\*[B-Font]\-\-pvt\-cert\f[] generate PC private certificate. .sp @@ -1086,27 +1252,27 @@ The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option --id-key (-e) for unencrypted exports. .TP -.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[] -generate sign key (RSA or DSA). -.sp -Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. -.TP .NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]host@group\f[], \f\*[B-Font]\-\-subject\-name\f[]=\f\*[I-Font]host@group\f[] set host and optionally group name. .sp Set the Autokey host name, and optionally, group name specified -following an '\fB@\fP' character. The host name is used in the file +following an '\fB@@\fP' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used -in \fBhost@group\fP form for the host certificate's subject and issuer -fields. Specifying '\fB-s @group\fP' is allowed, and results in -leaving the host name unchanged while appending \fB@group\fP to the +in \fBhost@@group\fP form for the host certificate subject and issuer +fields. Specifying '\fB-s @@group\fP' is allowed, and results in +leaving the host name unchanged while appending \fB@@group\fP to the subject and issuer fields, as with \fB-i group\fP. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. .TP +.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[] +generate sign key (RSA or DSA). +.sp +Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. +.TP .NOP \f\*[B-Font]\-T\f[], \f\*[B-Font]\-\-trusted\-cert\f[] trusted certificate (TC scheme). .sp @@ -1162,18 +1328,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .SH USAGE -The -\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[] -option specifies the write password and -\f\*[B-Font]\-q\f[] \f\*[I-Font]password\f[] -option the read password for previously encrypted files. -The -\f\*[B-Font]ntp-keygen\fP -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .SH "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .SH "FILES" @@ -1200,10 +1354,7 @@ The University of Delaware and Network Time Foundation Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation all rights reserved. This program is released under the terms of the NTP license, <http://ntp.org/license>. .SH BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. +It can take quite a while to generate some cryptographic values. .sp \n(Ppu .ne 2 diff --git a/contrib/ntp/util/ntp-keygen.mdoc.in b/contrib/ntp/util/ntp-keygen.mdoc.in index e00c61c..8ed42c0 100644 --- a/contrib/ntp/util/ntp-keygen.mdoc.in +++ b/contrib/ntp/util/ntp-keygen.mdoc.in @@ -1,9 +1,9 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_KEYGEN @NTP_KEYGEN_MS@ User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc) .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:59 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -21,26 +21,29 @@ All arguments must be options. .Sh DESCRIPTION This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .Pp -All files are in PEM\-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM\-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. .Pp -When used to generate message digest keys, the program produces a file -containing ten pseudo\-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo\-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex\-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -60,219 +63,131 @@ other than Autokey. Some files used by this program are encrypted using a private password. The .Fl p -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the .Fl q -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -.Fn gethostname -function, normally the DNS name of the host is used. +.Xr hostname 1 +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +.Nm +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. .Pp The -.Ar pw +.Cm pw option of the -.Ar crypto +.Ic crypto +.Xr ntpd @NTPD_MS@ configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -.Ar ntpd -without password but only on the same host. +.Xr ntpd @NTPD_MS@ +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. .Pp Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -.Ar ntp.keys , +.Pa ntp.keys , is usually installed in .Pa /etc . Other files and links are usually installed in .Pa /usr/local/etc , which is normally in a shared filesystem in NFS\-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -.Ar keysdir -configuration command in such cases. -Normally, this is in -.Pa /etc . +In these cases, NFS clients can specify the files in another +directory such as +.Pa /etc +using the +.Ic keysdir +.Xr ntpd @NTPD_MS@ +configuration file command. .Pp This program directs commentary and error messages to the standard error stream -.Ar stderr +.Pa stderr and remote files to the standard output stream -.Ar stdout +.Pa stdout where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -.Ar ntpkey +.Pa ntpkey\&* and include the file type, generating host and filestamp, as described in the -.Dq Cryptographic Data Files +.Sx "Cryptographic Data Files" section below. .Ss Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -.Pa /usr/local/etc -When run for the first time, or if all files with names beginning with -.Ar ntpkey -have been removed, use the -.Nm -command without arguments to generate a -default RSA host key and matching RSA\-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.Pp -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -.Nm -with the -.Fl T -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.Pp -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -.Fl S -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -.Fl c -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken\-and\-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball\-and\-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re\-generated. -.Pp -Additional information on trusted groups and identity schemes is on the -.Dq Autokey Public\-Key Authentication -page. -.Pp -The -.Xr ntpd @NTPD_MS@ -configuration command -.Ic crypto pw Ar password -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.Pp -File names begin with the prefix -.Cm ntpkey_ -and end with the postfix -.Ar _hostname.filestamp , -where -.Ar hostname -is the owner name, usually the string returned -by the Unix gethostname() routine, and -.Ar filestamp -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -.Ic rm ntpkey\&* -command or all files generated -at a specific time can be removed by a -.Ic rm -.Ar \&*filestamp -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.Pp -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS\-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.Pp -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write\-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.Pp -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd @NTPD_MS@ -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.Nm -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.Ss Running the program The safest way to run the .Nm program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually +The recommended procedure is change to the +.Ar keys +directory, usually .Pa /usr/local/etc , then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA\-MD5 certificate file, +.Pp +To test and gain experience with Autokey concepts, log in as root and +change to the +.Ar keys +directory, usually +.Pa /usr/local/etc . +When run for the first time, or if all files with names beginning with +.Pa ntpkey\&* +have been removed, use the +.Nm +command without arguments to generate a default +.Cm RSA +host key and matching +.Cm RSA\-MD5 +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +.Cm RSA +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +.Cm RSA +or +.Cm DSA +type. +By default, the message digest type is +.Cm MD5 , +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1 +and +.Cm RIPE160 +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +.Cm RSA +sign keys; +however, only +.Cm SHA +and +.Cm SHA1 +certificates are compatible with +.Cm DSA +sign keys. .Pp Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. @@ -283,19 +198,19 @@ However, the identification parameter files, although encoded as the other files, are probably not compatible with anything other than Autokey. .Pp Running the program as other than root and using the Unix -.Ic su +.Xr su 1 command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.Cm .rnd +.Pa .rnd in the user home directory. However, there should be only one -.Cm .rnd , +.Pa .rnd , most conveniently in the root directory, so it is convenient to define the -.Cm $RANDFILE +.Ev RANDFILE environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +.Pa .rnd . .Pp Installing the keys as root might not work in NFS\-mounted shared file systems, as NFS clients may not be able to write @@ -305,7 +220,8 @@ directory such as .Pa /etc using the .Ic keysdir -command. +.Xr ntpd @NTPD_MS@ +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -338,8 +254,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +.Ar hostname +and +.Ar filestamp +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. .Pp The recommended practice is to keep the file name extensions @@ -348,106 +267,111 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +.Xr ntpd @NTPD_MS@ +follows it to the file name to extract the +.Ar filestamp . If a link is not present, .Xr ntpd @NTPD_MS@ -extracts the filestamp from the file itself. +extracts the +.Ar filestamp +from the file itself. This allows clients to verify that the file and generation times are always current. The .Nm -program uses the same timestamp extension for all files generated +program uses the same +.Ar filestamp +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -.Ss Running the program -The safest way to run the +.Pp +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using .Nm -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA\-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +with the +.Fl T +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +.Fl S +option and this can be either +.Cm RSA +or +.Cm DSA +type. +By default, the signature +message digest type is +.Cm MD5 , +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +.Fl c +option. .Pp -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken\-and\-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball\-and\-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re\-generated. .Pp -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +Additional information on trusted groups and identity schemes is on the +.Dq Autokey Public\-Key Authentication +page. .Pp -Installing the keys as root might not work in NFS\-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir +File names begin with the prefix +.Pa ntpkey Ns _ +and end with the suffix +.Pa _ Ns Ar hostname . Ar filestamp , +where +.Ar hostname +is the owner name, usually the string returned +by the Unix +.Xr hostname 1 +command, and +.Ar filestamp +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +.Ic rm Pa ntpkey\&* +command or all files generated +at a specific time can be removed by a +.Ic rm Pa \&* Ns Ar filestamp command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.Pp -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. +.Ss Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the .Sx Authentication Options section of .Xr ntp.conf 5 . -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +.Cm RSA +encryption, +.Cm MD5 +message digest +and +.Cm TC +identification. First, configure a NTP subnet including one or more low\-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -465,7 +389,7 @@ section of .Pp On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -.Cm ntpkey +.Pa ntpkey files. Then run .Nm @@ -490,7 +414,9 @@ is either .Cm RSA or .Cm DSA . -The most often need to do this is when a DSA\-signed certificate is used. +The most frequent need to do this is when a +.Cm DSA Ns \-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run .Nm @@ -499,17 +425,17 @@ with the option and selected .Ar scheme as needed. -f +If .Nm is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. .Pp After setting up the environment it is advisable to update certificates from time to time, if only to extend the validity interval. Simply run .Nm with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, .Xr ntpd @NTPD_MS@ should be restarted. @@ -520,13 +446,15 @@ Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. .Ss Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +.Cm TC +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -.Qq Identification Schemes -page -(maybe available at -.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . +including +.Cm PC , IFF , GQ +and +.Cm MV +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -551,12 +479,15 @@ On trusted host alice run .Fl P .Fl p Ar password to generate the host key file -.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp +.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp and trusted private certificate file -.Pa ntpkey_RSA\-MD5_cert_ Ns Ar alice.filestamp . +.Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp , +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +.Ar bob +install a soft link from the generic name .Pa ntpkey_host_ Ns Ar bob to the host key file and soft link .Pa ntpkey_cert_ Ns Ar bob @@ -565,26 +496,34 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. .Pp -For the IFF scheme proceed as in the TC scheme to generate keys +For the +.Cm IFF +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl I .Fl p Ar password to produce her parameter file -.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , +.Pa ntpkey_IFFpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +.Cm IFF +scheme is independent of keys and certificates, these files can be refreshed as needed. .Pp If a rogue client has the parameter file, it could masquerade @@ -594,37 +533,53 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run .Nm .Fl e -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. .Pp -For the GQ scheme proceed as in the TC scheme to generate keys +For the +.Cm GQ +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl G .Fl p Ar password to produce her parameter file -.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , +.Pa ntpkey_GQpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -.Pa ntpkey_gq_ Ns Ar alice +.Pa ntpkey_gq_alice to this file. -In addition, on each host bob install a soft link +In addition, on each host +.Ar bob +install a soft link from generic .Pa ntpkey_gq_ Ns Ar bob to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +.Cm GQ +scheme updates the +.Cm GQ +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. .Pp -For the MV scheme, proceed as in the TC scheme to generate keys +For the +.Cm MV +scheme, proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -636,9 +591,9 @@ where .Ar n is the number of revokable keys (typically 5) to produce the parameter file -.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp +.Pa ntpkeys_MVpar_trish. Ns Ar filestamp and client key files -.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp +.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp where .Ar d is the key number (0 \&< @@ -647,80 +602,217 @@ is the key number (0 \&< .Ar n ) . Copy the parameter file to alice and install a soft link from the generic -.Pa ntpkey_mv_ Ns Ar alice +.Pa ntpkey_mv_alice to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -.Pa ntpkey_mvkey_ Ns Ar bob +.Pa ntpkey_mvkey_bob to the client key file. -As the MV scheme is independent of keys and certificates, +As the +.Cm MV +scheme is independent of keys and certificates, these files can be refreshed as needed. .Ss Command Line Options .Bl -tag -width indent -.It Fl c Ar scheme -Select certificate message digest/signature encryption scheme. +.It Fl b Fl \-imbits Ns = Ar modulus +Set the number of bits in the identity modulus for generating identity keys to +.Ar modulus +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl c Fl \-certificate Ns = Ar scheme +Select certificate signature encryption/message digest scheme. The .Ar scheme can be one of the following: -. Cm RSA\-MD2 , RSA\-MD5 , RSA\-SHA , RSA\-SHA1 , RSA\-MDC2 , RSA\-RIPEMD160 , DSA\-SHA , +.Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA , or .Cm DSA\-SHA1 . -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +.Cm RSA +schemes must be used with an +.Cm RSA +sign key and +.Cm DSA +schemes must be used with a +.Cm DSA +sign key. The default without this option is .Cm RSA\-MD5 . -.It Fl d -Enable debugging. +If compatibility with FIPS 140\-2 is required, either the +.Cm DSA\-SHA +or +.Cm DSA\-SHA1 +scheme must be used. +.It Fl C Fl \-cipher Ns = Ar cipher +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three\-key triple DES in CBC mode, +.Cm des\-ede3\-cbc . +The +.Ic openssl Fl h +command provided with OpenSSL displays available ciphers. +.It Fl d Fl \-debug\-level +Increase debugging verbosity level. This option displays the cryptographic data produced in eye\-friendly billboards. -.It Fl e -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -.It Fl G -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -.It Fl g -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -.It Fl H -Generate new host keys, obsoleting any that may exist. -.It Fl I -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -.It Fl i Ar name -Set the suject name to -.Ar name . -This is used as the subject field in certificates -and in the file name for host and sign keys. -.It Fl M -Generate MD5 keys, obsoleting any that may exist. -.It Fl P -Generate a private certificate. +.It Fl D Fl \-set\-debug\-level Ns = Ar level +Set the debugging verbosity to +.Ar level . +This option displays the cryptographic data produced in eye\-friendly billboards. +.It Fl e Fl \-id\-key +Write the +.Cm IFF +or +.Cm GQ +public parameters from the +.Ar IFFkey or GQkey +client keys file previously specified +as unencrypted data to the standard output stream +.Pa stdout . +This is intended for automatic key distribution by email. +.It Fl G Fl \-gq\-params +Generate a new encrypted +.Cm GQ +parameters and key file for the Guillou\-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl V +options. +.It Fl H Fl \-host\-key +Generate a new encrypted +.Cm RSA +public/private host key file. +.It Fl I Fl \-iffkey +Generate a new encrypted +.Cm IFF +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +.Fl G +and +Fl V +options. +.It Fl i Fl \-ident Ns = Ar group +Set the optional Autokey group name to +.Ar group . +This is used in the identity scheme parameter file names of +.Cm IFF , GQ , +and +.Cm MV +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +.Fl i +or +.Fl s +following an +.Ql @ +character, is also used in certificate subject and issuer names in the form +.Ar host @ group +and should match the group specified via +.Ic crypto Cm ident +or +.Ic server Cm ident +in the ntpd configuration file. +.It Fl l Fl \-lifetime Ns = Ar days +Set the lifetime for certificate expiration to +.Ar days . +The default lifetime is one year (365 days). +.It Fl m Fl \-modulus Ns = Ar bits +Set the number of bits in the prime modulus for generating files to +.Ar bits . +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl M Fl \-md5key +Generate a new symmetric keys file containing 10 +.Cm MD5 +keys, and if OpenSSL is available, 10 +.Cm SHA +keys. +An +.Cm MD5 +key is a string of 20 random printable ASCII characters, while a +.Cm SHA +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. +.It Fl p Fl \-password Ns = Ar passwd +Set the password for reading and writing encrypted files to +.Ar passwd . +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl P Fl \-pvt\-cert +Generate a new private certificate used by the +.Cm PC +identity scheme. By default, the program generates public certificates. -.It Fl p Ar password -Encrypt generated files containing private data with -.Ar password -and the DES\-CBC algorithm. -.It Fl q -Set the password for reading files to password. -.It Fl S Oo Cm RSA | DSA Oc -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -.It Fl s Ar name -Set the issuer name to -.Ar name . -This is used for the issuer field in certificates -and in the file name for identity files. -.It Fl T +Note: the PC identity scheme is not recommended for new installations. +.It Fl q Fl \-export\-passwd Ns = Ar passwd +Set the password for writing encrypted +.Cm IFF , GQ and MV +identity files redirected to +.Pa stdout +to +.Ar passwd . +In effect, these files are decrypted with the +.Fl p +password, then encrypted with the +.Fl q +password. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group +Specify the Autokey host name, where +.Ar host +is the optional host name and +.Ar group +is the optional group name. +The host name, and if provided, group name are used in +.Ar host @ group +form as certificate subject and issuer. +Specifying +.Fl s @ Ar group +is allowed, and results in leaving the host name unchanged, as with +.Fl i Ar group . +The group name, or if no group is provided, the host name are also used in the +file names of +.Cm IFF , GQ , +and +.Cm MV +identity scheme client parameter files. +If +.Ar host +is not specified, the default host name is the string returned by the Unix +.Ic hostname +command. +.It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140\-2 is required, the sign key type must be +.Cm DSA . +.It Fl T Fl \-trusted\-cert Generate a trusted certificate. By default, the program generates a non\-trusted certificate. -.It Fl V Ar nkeys -Generate parameters and keys for the Mu\-Varadharajan (MV) identification scheme. +.It Fl V Fl \-mv\-params Ar nkeys +Generate +.Ar nkeys +encrypted server keys and parameters for the Mu\-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl G +options. +Note: support for this option should be considered a work in progress. .El .Ss Random Seed File All cryptographically sound key generation schemes must have means @@ -744,14 +836,14 @@ but are outside the scope of this page. .Pp The entropy seed used by the OpenSSL library is contained in a file, usually called -.Cm .rnd , +.Pa .rnd , which must be available when starting the NTP daemon or the .Nm program. The NTP daemon will first look for the file using the path specified by the -.Ic randfile +.Cm randfile subcommand of the .Ic crypto configuration command. @@ -767,44 +859,118 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -.Cm .rnd +.Pa .rnd file in the user home directory. +Since both the +.Nm +program and +.Xr ntpd @NTPD_MS@ +daemon must run as root, the logical place to put this file is in +.Pa /.rnd +or +.Pa /root/.rnd . If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. .Ss Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp , +where +.Ar key +is the key or parameter type, +.Ar name +is the host or group name and +.Ar filestamp +is the filestamp (NTP seconds) when the file was created. +By convention, +.Ar key +names in generated file names include both upper and lower case +characters, while +.Ar key +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +.Pa date +format. +Lines beginning with +.Ql # +are considered comments and ignored by the .Nm program and .Xr ntpd @NTPD_MS@ daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM\-encoded -printable ASCII format preceded and followed by MIME content identifier lines. .Pp -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES\-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format -.D1 Ar keyno type key +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM\-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. +.Pp +The format of the symmetric keys file, ordinarily named +.Pa ntp.keys , +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +.Bd -literal -unfilled -offset center +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +.Ed +.D1 Figure 1. Typical Symmetric Key File +.Pp +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format +.D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1\-65,535, +is a positive integer in the range 1\-65534; .Ar type -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +.Cm MD5 +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140\-2 is required, +the key type must be either +.Cm SHA +or +.Cm SHA1 ; .Ar key is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +.Ql ! +through +.Ql ~ +\&) excluding space and the +.Ql # +character, and terminated by whitespace or a .Ql # character. +An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which +is truncated as necessary. .Pp Note that the keys used by the .Xr ntpq @NTPQ_MS@ @@ -817,8 +983,8 @@ in human readable ASCII format. .Pp The .Nm -program generates a MD5 symmetric keys file -.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . +program generates a symmetric keys file +.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp . Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -856,10 +1022,10 @@ The number of bits in the identity modulus. The default is 256. certificate scheme. .sp scheme is one of -RSA\-MD2, RSA\-MD5, RSA\-SHA, RSA\-SHA1, RSA\-MDC2, RSA\-RIPEMD160, +RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160, DSA\-SHA, or DSA\-SHA1. .sp -Select the certificate message digest/signature encryption scheme. +Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA\-MD5. @@ -868,7 +1034,7 @@ privatekey cipher. .sp Select the cipher which is used to encrypt the files containing private keys. The default is three\-key triple DES in CBC mode, -equivalent to "@code{\-C des\-ede3\-cbc". The openssl tool lists ciphers +equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers available in "\fBopenssl \-h\fP" output. .It Fl d , Fl \-debug\-level Increase debug verbosity level. @@ -882,8 +1048,9 @@ This option takes an integer number as its argument. .It Fl e , Fl \-id\-key Write IFF or GQ identity keys. .sp -Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. +Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. .It Fl G , Fl \-gq\-params Generate GQ parameters and keys. .sp @@ -906,21 +1073,17 @@ the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using \fB\-i/\-\-ident\fP or using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character, -is also a part of the self\-signed host certificate's subject and +is also a part of the self\-signed host certificate subject and issuer names in the form \fBhost@group\fP and should match the -\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in -\fBntpd\fP's configuration file. +\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the +\fBntpd\fP configuration file. .It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime set certificate lifetime. This option takes an integer number as its argument. .sp Set the certificate expiration to lifetime days from now. -.It Fl M , Fl \-md5key -generate MD5 keys. -.sp -Generate MD5 keys, obsoleting any that may exist. .It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus -modulus. +prime modulus. This option takes an integer number as its argument. The value of .Ar modulus @@ -933,6 +1096,10 @@ in the range 256 through 2048 .in -4 .sp The number of bits in the prime modulus. The default is 512. +.It Fl M , Fl \-md5key +generate symmetric keys. +.sp +Generate symmetric keys, obsoleting any that may exist. .It Fl P , Fl \-pvt\-cert generate PC private certificate. .sp @@ -954,12 +1121,6 @@ encrypted with the DES\-CBC algorithm and the specified password. The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option -\-id\-key (\-e) for unencrypted exports. -.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign -generate sign key (RSA or DSA). -.sp -Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. .It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group set host and optionally group name. .sp @@ -967,12 +1128,18 @@ Set the Autokey host name, and optionally, group name specified following an '\fB@\fP' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used -in \fBhost@group\fP form for the host certificate's subject and issuer +in \fBhost@group\fP form for the host certificate subject and issuer fields. Specifying '\fB\-s @group\fP' is allowed, and results in leaving the host name unchanged while appending \fB@group\fP to the subject and issuer fields, as with \fB\-i group\fP. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. +.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign +generate sign key (RSA or DSA). +.sp +Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. .It Fl T , Fl \-trusted\-cert trusted certificate (TC scheme). .sp @@ -1021,18 +1188,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .Sh USAGE -The -.Fl p Ar password -option specifies the write password and -.Fl q Ar password -option the read password for previously encrypted files. -The -.Nm -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .Sh "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .Sh "FILES" @@ -1056,10 +1211,7 @@ The University of Delaware and Network Time Foundation Copyright (C) 1992\-2017 The University of Delaware and Network Time Foundation all rights reserved. This program is released under the terms of the NTP license, <http://ntp.org/license>. .Sh BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. +It can take quite a while to generate some cryptographic values. .Pp Please report bugs to http://bugs.ntp.org . .Pp diff --git a/lib/libc/gen/getpeereid.c b/lib/libc/gen/getpeereid.c index cedaee6..f0423ae 100644 --- a/lib/libc/gen/getpeereid.c +++ b/lib/libc/gen/getpeereid.c @@ -48,8 +48,10 @@ getpeereid(int s, uid_t *euid, gid_t *egid) error = _getsockopt(s, 0, LOCAL_PEERCRED, &xuc, &xuclen); if (error != 0) return (error); - if (xuc.cr_version != XUCRED_VERSION) - return (EINVAL); + if (xuc.cr_version != XUCRED_VERSION) { + errno = EINVAL; + return (-1); + } *euid = xuc.cr_uid; *egid = xuc.cr_gid; return (0); diff --git a/lib/libc/gen/getusershell.c b/lib/libc/gen/getusershell.c index 6e78286..42ecfb1 100644 --- a/lib/libc/gen/getusershell.c +++ b/lib/libc/gen/getusershell.c @@ -115,8 +115,8 @@ _local_initshells(void *rv, void *cb_data, va_list ap) if ((fp = fopen(_PATH_SHELLS, "re")) == NULL) return NS_UNAVAIL; - cp = line; - while (fgets(cp, MAXPATHLEN + 1, fp) != NULL) { + while (fgets(line, MAXPATHLEN + 1, fp) != NULL) { + cp = line; while (*cp != '#' && *cp != '/' && *cp != '\0') cp++; if (*cp == '#' || *cp == '\0') @@ -124,7 +124,7 @@ _local_initshells(void *rv, void *cb_data, va_list ap) sp = cp; while (!isspace(*cp) && *cp != '#' && *cp != '\0') cp++; - *cp++ = '\0'; + *cp = '\0'; sl_add(sl, strdup(sp)); } (void)fclose(fp); diff --git a/lib/libc/stdio/xprintf_int.c b/lib/libc/stdio/xprintf_int.c index f006b54..bbccc3e 100644 --- a/lib/libc/stdio/xprintf_int.c +++ b/lib/libc/stdio/xprintf_int.c @@ -258,8 +258,8 @@ __printf_render_int(struct __printf_io *io, const struct printf_info *pi, const const union arg *argp; char buf[BUF]; char *p, *pe; - char ns, l; - int rdx, sign, zext, ngrp; + char ns; + int l, ngrp, rdx, sign, zext; const char *nalt, *digit; char thousands_sep; /* locale specific thousands separator */ const char *grouping; /* locale specific numeric grouping rules */ diff --git a/lib/libc/string/Makefile.inc b/lib/libc/string/Makefile.inc index f27cb17..3df53f0 100644 --- a/lib/libc/string/Makefile.inc +++ b/lib/libc/string/Makefile.inc @@ -50,6 +50,7 @@ MLINKS+=ffs.3 ffsl.3 \ ffs.3 flsll.3 MLINKS+=index.3 rindex.3 MLINKS+=memchr.3 memrchr.3 +MLINKS+=memset.3 memset_s.3 MLINKS+=strcasecmp.3 strncasecmp.3 \ strcasecmp.3 strcasecmp_l.3 \ strcasecmp.3 strncasecmp_l.3 diff --git a/lib/libc/string/memset.3 b/lib/libc/string/memset.3 index 28d1919..9ab5214 100644 --- a/lib/libc/string/memset.3 +++ b/lib/libc/string/memset.3 @@ -32,7 +32,7 @@ .\" @(#)memset.3 8.1 (Berkeley) 6/4/93 .\" $FreeBSD$ .\" -.Dd June 4, 1993 +.Dd February 15, 2018 .Dt MEMSET 3 .Os .Sh NAME @@ -43,7 +43,9 @@ .Sh SYNOPSIS .In string.h .Ft void * -.Fn memset "void *b" "int c" "size_t len" +.Fn memset "void *dest" "int c" "size_t len" +.Ft errno_t +.Fn memset_s "void *dest" "rsize_t destsz" "int c" "rsize_t len" .Sh DESCRIPTION The .Fn memset @@ -55,13 +57,66 @@ bytes of value (converted to an .Vt "unsigned char" ) to the string -.Fa b . +.Fa dest . +Undefined behaviour from +.Fn memset , +resulting from storage overflow, will occur if +.Fa len +is greater than the the length of buffer +.Fa dest . +The behaviour is also undefined if +.Fa dest +is an invalid pointer. +.Pp +The +.Fn memset_s +function behaves the same as +.Fn memset +except that an error is returned and the currently registered +runtime-constraint handler is called if +.Fa dest +is a null pointer, +.Fa destsz +or +.Fa len +is greater than +.Dv RSIZE_MAX , +or +.Sp +.Fa len +is greater than +.Fa destsz +(buffer overflow would occur). +The runtime-constraint handler is called first and may not return. +If it does return, an error is returned to the caller. +Like +.Xr explicit_bzero 3 , +.Fn memset_s +is not removed through Dead Store Elimination (DSE), making it useful for +clearing sensitve data. +In contrast +.Fn memset +function +may be optimized away if the object modified by the function is not accessed +again. +To clear memory that will not subsequently be accessed it is advised to use +.Fn memset_s +instead of +.Fn memset . +For instance, a buffer containing a password should be cleared with +.Fn memset_s +before +.Xr free 3 . .Sh RETURN VALUES The .Fn memset function returns its first argument. +The +.Fn memset_s +function returns zero on success, non-zero on error. .Sh SEE ALSO .Xr bzero 3 , +.Xr explicit_bzero 3 , .Xr swab 3 , .Xr wmemset 3 .Sh STANDARDS @@ -70,3 +125,7 @@ The function conforms to .St -isoC . +.Fn memset_s +conforms to: +.St -isoC-2011 +K.3.7.4.1. diff --git a/lib/libc/sys/mlock.2 b/lib/libc/sys/mlock.2 index 4f26420..dda796a 100644 --- a/lib/libc/sys/mlock.2 +++ b/lib/libc/sys/mlock.2 @@ -28,7 +28,7 @@ .\" @(#)mlock.2 8.2 (Berkeley) 12/11/93 .\" $FreeBSD$ .\" -.Dd May 17, 2014 +.Dd Jan 22, 2018 .Dt MLOCK 2 .Os .Sh NAME @@ -125,7 +125,7 @@ will fail if: .Va security.bsd.unprivileged_mlock is set to 0 and the caller is not the super-user. .It Bq Er EINVAL -The address given is not page aligned or the length is negative. +The address range given wraps around zero. .It Bq Er EAGAIN Locking the indicated range would exceed the system limit for locked memory. .It Bq Er ENOMEM @@ -143,7 +143,7 @@ will fail if: .Va security.bsd.unprivileged_mlock is set to 0 and the caller is not the super-user. .It Bq Er EINVAL -The address given is not page aligned or the length is negative. +The address range given wraps around zero. .It Bq Er ENOMEM Some or all of the address range specified by the addr and len arguments does not correspond to valid mapped pages in the address space diff --git a/sbin/fsck_ffs/inode.c b/sbin/fsck_ffs/inode.c index c72e1be..d13c5b2 100644 --- a/sbin/fsck_ffs/inode.c +++ b/sbin/fsck_ffs/inode.c @@ -451,8 +451,10 @@ cacheino(union dinode *dp, ino_t inumber) if (howmany(DIP(dp, di_size), sblock.fs_bsize) > NDADDR) blks = NDADDR + NIADDR; - else + else if (DIP(dp, di_size) > 0) blks = howmany(DIP(dp, di_size), sblock.fs_bsize); + else + blks = 1; inp = (struct inoinfo *) Malloc(sizeof(*inp) + (blks - 1) * sizeof(ufs2_daddr_t)); if (inp == NULL) diff --git a/sbin/geom/class/nop/geom_nop.c b/sbin/geom/class/nop/geom_nop.c index f05a522..35e2b94 100644 --- a/sbin/geom/class/nop/geom_nop.c +++ b/sbin/geom/class/nop/geom_nop.c @@ -49,10 +49,12 @@ struct g_command class_commands[] = { { 's', "size", "0", G_TYPE_NUMBER }, { 'S', "secsize", "0", G_TYPE_NUMBER }, { 'w', "wfailprob", "-1", G_TYPE_NUMBER }, + { 'z', "physpath", G_NOP_PHYSPATH_PASSTHROUGH, G_TYPE_STRING }, G_OPT_SENTINEL }, "[-v] [-e error] [-o offset] [-p stripesize] [-P stripeoffset] " - "[-r rfailprob] [-s size] [-S secsize] [-w wfailprob] dev ..." + "[-r rfailprob] [-s size] [-S secsize] [-w wfailprob] " + "[-z physpath] dev ..." }, { "configure", G_FLAG_VERBOSE, NULL, { diff --git a/sbin/geom/class/nop/gnop.8 b/sbin/geom/class/nop/gnop.8 index fc7732d..f9b3dc2 100644 --- a/sbin/geom/class/nop/gnop.8 +++ b/sbin/geom/class/nop/gnop.8 @@ -24,7 +24,7 @@ .\" .\" $FreeBSD$ .\" -.Dd October 10, 2015 +.Dd January 17, 2018 .Dt GNOP 8 .Os .Sh NAME @@ -42,6 +42,7 @@ .Op Fl s Ar size .Op Fl S Ar secsize .Op Fl w Ar wfailprob +.Op Fl z Ar physpath .Ar dev ... .Nm .Cm configure @@ -132,6 +133,8 @@ Sector size of the transparent provider. Specifies write failure probability in percent. .It Fl v Be more verbose. +.It Fl z Ar physpath +Physical path of the transparent provider. .El .Sh SYSCTL VARIABLES The following diff --git a/sbin/ipfw/ipfw.8 b/sbin/ipfw/ipfw.8 index d9a991b..28a721e 100644 --- a/sbin/ipfw/ipfw.8 +++ b/sbin/ipfw/ipfw.8 @@ -1070,49 +1070,49 @@ Set specified DiffServ codepoint for an IPv4/IPv6 packet. Processing continues at the next rule. Supported values are: .Pp -.Cm CS0 +.Cm cs0 .Pq Dv 000000 , -.Cm CS1 +.Cm cs1 .Pq Dv 001000 , -.Cm CS2 +.Cm cs2 .Pq Dv 010000 , -.Cm CS3 +.Cm cs3 .Pq Dv 011000 , -.Cm CS4 +.Cm cs4 .Pq Dv 100000 , -.Cm CS5 +.Cm cs5 .Pq Dv 101000 , -.Cm CS6 +.Cm cs6 .Pq Dv 110000 , -.Cm CS7 +.Cm cs7 .Pq Dv 111000 , -.Cm AF11 +.Cm af11 .Pq Dv 001010 , -.Cm AF12 +.Cm af12 .Pq Dv 001100 , -.Cm AF13 +.Cm af13 .Pq Dv 001110 , -.Cm AF21 +.Cm af21 .Pq Dv 010010 , -.Cm AF22 +.Cm af22 .Pq Dv 010100 , -.Cm AF23 +.Cm af23 .Pq Dv 010110 , -.Cm AF31 +.Cm af31 .Pq Dv 011010 , -.Cm AF32 +.Cm af32 .Pq Dv 011100 , -.Cm AF33 +.Cm af33 .Pq Dv 011110 , -.Cm AF41 +.Cm af41 .Pq Dv 100010 , -.Cm AF42 +.Cm af42 .Pq Dv 100100 , -.Cm AF43 +.Cm af43 .Pq Dv 100110 , -.Cm EF +.Cm ef .Pq Dv 101110 , -.Cm BE +.Cm be .Pq Dv 000000 . Additionally, DSCP value can be specified by number (0..64). It is also possible to use the diff --git a/sbin/savecore/savecore.c b/sbin/savecore/savecore.c index cfeb407..4c3f945 100644 --- a/sbin/savecore/savecore.c +++ b/sbin/savecore/savecore.c @@ -155,6 +155,13 @@ getbounds(void) char buf[6]; int ret; + /* + * If we are just checking, then we haven't done a chdir to the dump + * directory and we should not try to read a bounds file. + */ + if (checkfor) + return (0); + ret = 0; if ((fp = fopen("bounds", "r")) == NULL) { diff --git a/share/man/man4/Makefile b/share/man/man4/Makefile index 6cd0e5a..f9d73a6 100644 --- a/share/man/man4/Makefile +++ b/share/man/man4/Makefile @@ -46,6 +46,7 @@ MAN= aac.4 \ amdpm.4 \ ${_amdsbwd.4} \ ${_amdsmb.4} \ + ${_amdsmn.4} \ ${_amdtemp.4} \ ${_bxe.4} \ amr.4 \ @@ -244,6 +245,7 @@ MAN= aac.4 \ ixgbe.4 \ ixl.4 \ ixlv.4 \ + jedec_dimm.4 \ jedec_ts.4 \ jme.4 \ joy.4 \ @@ -792,6 +794,7 @@ _attimer.4= attimer.4 _aibs.4= aibs.4 _amdsbwd.4= amdsbwd.4 _amdsmb.4= amdsmb.4 +_amdsmn.4= amdsmn.4 _amdtemp.4= amdtemp.4 _asmc.4= asmc.4 _bxe.4= bxe.4 diff --git a/share/man/man4/amdsmn.4 b/share/man/man4/amdsmn.4 new file mode 100644 index 0000000..8e279cc --- /dev/null +++ b/share/man/man4/amdsmn.4 @@ -0,0 +1,64 @@ +.\"- +.\" Copyright (c) 2017 Conrad Meyer <cem@FreeBSD.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd September 5, 2017 +.Dt AMDSMN 4 +.Os +.Sh NAME +.Nm amdsmn +.Nd device driver for +.Tn AMD +processor System Management Network +.Sh SYNOPSIS +To compile this driver into the kernel, place the following line in your +kernel configuration file: +.Bd -ragged -offset indent +.Cd "device amdsmn" +.Ed +.Pp +Alternatively, to load the driver as a module at boot time, place the +following line in +.Xr loader.conf 5 : +.Bd -literal -offset indent +amdsmn_load="YES" +.Ed +.Sh DESCRIPTION +The +.Nm +driver provides support for resources on the System Management Network bus +in +.Tn AMD +Family 17h processors. +.Sh SEE ALSO +.Xr loader 8 +.Sh HISTORY +The +.Nm +driver first appeared in +.Fx 12.0 . +.Sh AUTHORS +.An Conrad Meyer Aq Mt cem@FreeBSD.org diff --git a/share/man/man4/amdtemp.4 b/share/man/man4/amdtemp.4 index 2b9bcc3..8d1764f 100644 --- a/share/man/man4/amdtemp.4 +++ b/share/man/man4/amdtemp.4 @@ -25,7 +25,7 @@ .\" .\" $FreeBSD$ .\" -.Dd March 27, 2015 +.Dd September 5, 2017 .Dt AMDTEMP 4 .Os .Sh NAME @@ -53,7 +53,7 @@ The driver provides support for the on-die digital thermal sensor present in .Tn AMD -Family 0Fh, 10h, 11h, 12h, 14h, 15h, and 16h processors. +Family 0Fh, 10h, 11h, 12h, 14h, 15h, 16h, and 17h processors. .Pp For Family 0Fh processors, the .Nm @@ -64,8 +64,8 @@ The driver also creates in the corresponding CPU device's sysctl tree, displaying the maximum temperature of the two sensors located in each CPU core. .Pp -For Family 10h, 11h, 12h, 14h, 15h, and 16h processors, the driver reports each -package's temperature through a sysctl node, named +For Family 10h, 11h, 12h, 14h, 15h, 16h, and 17h processors, the driver reports +each package's temperature through a sysctl node, named .Va dev.amdtemp.%d.core0.sensor0 . The driver also creates .Va dev.cpu.%d.temperature @@ -107,5 +107,5 @@ specified maximum case temperature and maximum thermal power dissipation according to .Rs .%T BIOS and Kernel Developer's Guide (BKDG) for AMD Processors -.%U http://developer.amd.com/documentation/guides/Pages/default.aspx +.%U http://developer.amd.com/resources/developer-guides-manuals/ .Re diff --git a/share/man/man4/jedec_dimm.4 b/share/man/man4/jedec_dimm.4 new file mode 100644 index 0000000..ca8977c --- /dev/null +++ b/share/man/man4/jedec_dimm.4 @@ -0,0 +1,240 @@ +.\" +.\" SPDX-License-Identifier: BSD-2-Clause-FreeBSD +.\" +.\" Copyright (c) 2016 Andriy Gapon <avg@FreeBSD.org> +.\" Copyright (c) 2018 Ravi Pokala <rpokala@freebsd.org> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.\" $FreeBSD$ +.\" +.Dd February 22, 2018 +.Dt JEDEC_DIMM 4 +.Os +.Sh NAME +.Nm jedec_dimm +.Nd report asset information and temperatures for JEDEC DDR3 / DDR4 DIMMs +.Sh SYNOPSIS +.Bd -ragged -offset indent +.Cd "device jedec_dimm" +.Cd "device smbus" +.Ed +.Pp +Alternatively, to load the driver as a module at boot time, place the following +line in +.Xr loader.conf 5 : +.Bd -literal -offset indent +jedec_dimm_load="YES" +.Ed +.Pp +Addressing information must be manually specified in +.Pa /boot/device.hints : +.Bd -literal -offset indent +.Cd hint.jedec_dimm.0.at="smbus0" +.Cd hint.jedec_dimm.0.addr="0xa0" +.Cd hint.jedec_dimm.0.slotid="Silkscreen" +.Ed +.Sh DESCRIPTION +The +.Nm +driver reports asset information (Part Number, Serial Number) encoded in the +.Dq Serial Presence Detect +(SPD) data on JEDEC DDR3 and DDR4 DIMMs. +It also calculates and reports the memory capacity of the DIMM, in megabytes. +If the DIMM includes a +.Dq Thermal Sensor On DIMM +(TSOD), the temperature is also reported. +.Pp +The +.Nm +driver accesses the SPD and TSOD over the +.Xr smbus 4 . +.Pp +The data is reported via a +.Xr sysctl 8 +interface; all values are read-only: +.Bl -tag -width "dev.jedec_dimm.X.capacity" +.It Va dev.jedec_dimm.X.%desc +a string description of the DIMM, including TSOD and slotid info if present. +.It Va dev.jedec_dimm.X.capacity +the DIMM's memory capacity, in megabytes +.It Va dev.jedec_dimm.X.part +the manufacturer's part number of the DIMM +.It Va dev.jedec_dimm.X.serial +the manufacturer's serial number of the DIMM +.It Va dev.jedec_dimm.X.slotid +a copy of the corresponding hint, if set +.It Va dev.jedec_dimm.X.temp +if a TSOD is present, the reported temperature +.It Va dev.jedec_dimm.X.type +the DIMM type (DDR3 or DDR4) +.El +.Pp +These values are configurable for +.Nm +via +.Xr device.hints 5 : +.Bl -tag -width "hint.jedec_dimm.X.slotid" +.It Va hint.jedec_dimm.X.at +the +.Xr smbus 4 +to which the DIMM is connected +.It Va hint.jedec_dimm.X.addr +the SMBus address of the SPD. +JEDEC specifies that the four most-significant bits of the address are the +.Dq Device Type Identifier +(DTI), and that the DTI of the SPD is 0xa. +Since the least-significant bit of an SMBus address is the read/write bit, and +is always written as 0, that means the four least-significant bits of the +address must be even. +.It Va hint.jedec_dimm.X.slotid +optional slot identifier. +If populated with the DIMM slot name silkscreened on the motherboard, this +provides a mapping between the DIMM slot name and the DIMM serial number. +That mapping is useful for detailed asset tracking, and makes it easier to +physically locate a specific DIMM when doing a replacement. +This is useful when assembling multiple identical systems, as might be done by +a system vendor. +The mapping between bus/address and DIMM slot must first be determined, either +through motherboard documentation or trial-and-error. +.El +.Pp +If the DIMMs are on an I2C bus behind an +.Xr iicbus 4 +controller, then the +.Xr iicsmb 4 +bridge driver can be used to attach the +.Xr smbus 4 . +.Sh EXAMPLES +Consider two DDR4 DIMMs with the following hints: +.Bd -literal -offset indent +hint.jedec_dimm.0.at="smbus0" +hint.jedec_dimm.0.addr="0xa0" +hint.jedec_dimm.0.slotid="A1" + +hint.jedec_dimm.6.at="smbus1" +hint.jedec_dimm.6.addr="0xa8" +.Ed +.Pp +Their +.Xr sysctl 8 +output (sorted): +.Bd -literal -offset indent +dev.jedec_dimm.0.%desc: DDR4 DIMM w/ Atmel TSOD (A1) +dev.jedec_dimm.0.%driver: jedec_dimm +dev.jedec_dimm.0.%location: addr=0xa0 +dev.jedec_dimm.0.%parent: smbus0 +dev.jedec_dimm.0.%pnpinfo: +dev.jedec_dimm.0.capacity: 16384 +dev.jedec_dimm.0.part: 36ASF2G72PZ-2G1A2 +dev.jedec_dimm.0.serial: 0ea815de +dev.jedec_dimm.0.slotid: A1 +dev.jedec_dimm.0.temp: 32.7C +dev.jedec_dimm.0.type: DDR4 + +dev.jedec_dimm.6.%desc: DDR4 DIMM w/ TSE2004av compliant TSOD +dev.jedec_dimm.6.%driver: jedec_dimm +dev.jedec_dimm.6.%location: addr=0xa8 +dev.jedec_dimm.6.%parent: smbus1 +dev.jedec_dimm.6.%pnpinfo: +dev.jedec_dimm.6.capacity: 8192 +dev.jedec_dimm.6.part: VRA9MR8B2H1603 +dev.jedec_dimm.6.serial: 0c4c46ad +dev.jedec_dimm.6.temp: 43.1C +dev.jedec_dimm.6.type: DDR4 +.Ed +.Sh COMPATIBILITY +Hints for +.Xr jedec_ts 4 +can be mechanically converted for use with +.Nm . +Two changes are required: +.Bl -enum +.It +In all +.Xr jedec_ts 4 +hints, replace +.Dq jedec_ts +with +.Dq jedec_dimm +.It +In +.Xr jedec_ts 4 +.Dq addr +hints, replace the TSOD DTI +.Dq 0x3 +with the SPD DTI +.Dq 0xa +.El +.Pp +The following +.Xr sed 1 +script will perform the necessary changes: +.Bd -literal -offset indent +sed -i ".old" -e 's/jedec_ts/jedec_dimm/' \\ + -e '/jedec_dimm/s/addr="0x3/addr="0xa/' /boot/device.hints +.Ed +.Sh SEE ALSO +.Xr iicbus 4 , +.Xr iicsmb 4 , +.Xr jedec_ts 4 , +.Xr smbus 4 , +.Xr sysctl 8 +.Sh STANDARDS +.Rs +(DDR3 SPD) +.%A JEDEC +.%T Standard 21-C, Annex K +.Re +.Pp +.Rs +(DDR3 TSOD) +.%A JEDEC +.%T Standard 21-C, TSE2002av +.Re +.Pp +.Rs +(DDR4 SPD) +.%A JEDEC +.%T Standard 21-C, Annex L +.Re +.Pp +.Rs +(DDR4 TSOD) +.%A JEDEC +.%T Standard 21-C, TSE2004av +.Re +.Sh HISTORY +The +.Nm +driver first appeared in +.Fx 12.0 . +.Sh AUTHORS +.An -nosplit +The +.Nm +driver and this manual page were written by +.An Ravi Pokala Aq Mt rpokala@freebsd.org . +They are both based in part on the +.Xr jedec_ts 4 +driver and manual page, written by +.An Andriy Gapon Aq Mt avg@FreeBSD.org . diff --git a/share/misc/pci_vendors b/share/misc/pci_vendors index 6b8211d..519e3ad 100644 --- a/share/misc/pci_vendors +++ b/share/misc/pci_vendors @@ -1,10 +1,9 @@ # $FreeBSD$ -# # List of PCI ID's # -# Version: 2017.12.06 -# Date: 2017-12-06 03:15:02 +# Version: 2018.02.15 +# Date: 2018-02-15 03:15:01 # # Maintained by Albert Pool, Martin Mares, and other volunteers from # the PCI ID Project at http://pci-ids.ucw.cz/. @@ -44,6 +43,7 @@ # nee nCipher 0100 Thales e-Security 0123 General Dynamics +0128 Dell (wrong ID) # 018a is not LevelOne but there is a board misprogrammed 018a LevelOne 0106 FPC-0106TX misprogrammed [RTL81xx] @@ -251,6 +251,7 @@ 1028 1fd4 PERC H745P MX 1d49 0602 ThinkSystem RAID 930-16i 4GB Flash PCIe 12Gb Adapter 1d49 0604 ThinkSystem RAID 930-8e 4GB Flash PCIe 12Gb Adapter + 1d49 0607 ThinkSystem RAID 930-16i 8GB Flash PCIe 12Gb Adapter 8086 352d Integrated RAID Module RMSP3AD160F 8086 9460 RAID Controller RSP3TD160F 8086 9480 RAID Controller RSP3MD088F @@ -586,6 +587,7 @@ 0096 SAS3004 PCI-Express Fusion-MPT SAS-3 0097 SAS3008 PCI-Express Fusion-MPT SAS-3 1000 3090 SAS9311-8i + 1000 30a0 SAS9300-8e 1000 30e0 SAS9300-8i 1000 3130 SAS 9300-16i 1028 1f45 HBA330 Adapter @@ -751,7 +753,8 @@ 131b Kaveri [Radeon R4 Graphics] 131c Kaveri [Radeon R7 Graphics] 131d Kaveri [Radeon R6 Graphics] - 15dd Radeon Vega 8 Mobile + 15dd Vega [Radeon Vega 8 Mobile] + 15ff Vega [Radeon Vega 28 Mobile] 1714 BeaverCreek HDMI Audio [Radeon HD 6500D and 6400G-6600G series] 103c 168b ProBook 4535s 3150 RV380/M24 [Mobility Radeon X600] @@ -783,7 +786,7 @@ 18bc 0101 GC-R9600PRO (Primary) 4151 RV350 [Radeon 9600 Series] 1043 c004 A9600SE - 174b 7c37 Radeon 9600 SE + 174b 7c37 Radeon 9600SE 128M DDR V/D/VO 4152 RV360 [Radeon 9600/X1050 Series] 1002 0002 Radeon 9600XT 1002 4772 All-in-Wonder 9600 XT @@ -813,7 +816,7 @@ 18bc 0100 GC-R9600PRO (Secondary) 4171 RV350 [Radeon 9600] (Secondary) 1043 c005 A9600SE (Secondary) - 174b 7c36 Radeon 9600 SE (secondary) + 174b 7c36 Radeon 9600SE 128M DDR V/D/VO (secondary) 4172 RV350 [Radeon 9600/X1050 Series] (Secondary) 1002 0003 Radeon 9600XT (Secondary) 1002 4773 All-in-Wonder 9600 XT (Secondary) @@ -920,6 +923,7 @@ 1043 836c M4A785TD Motherboard 1043 8410 M4A89GTD PRO/USB3 Motherboard 1043 841b M5A88-V EVO + 1043 8445 M5A78L LE 105b 0e13 N15235/A74MX mainboard / AMD SB700 1179 ff50 Satellite P305D-S8995E 1458 a022 GA-MA770-DS3rev2.0 Motherboard @@ -1606,6 +1610,7 @@ 1028 0684 FirePro W4170M 6607 Mars LE [Radeon HD 8530M / R5 M240] 6608 Oland GL [FirePro W2100] + 13cc 3d28 MXRT-2600 6610 Oland XT [Radeon HD 8670 / R7 250/350] 1019 0030 Radeon HD 8670 1028 2120 Radeon R7 250 @@ -1638,6 +1643,7 @@ 1002 0b0c FirePro W4300 103c 0b0c Bonaire [FirePro W4300] 103c 230c FirePro W5100 + 13cc 3d2a MXRT-5600 6650 Bonaire 6651 Bonaire 6658 Bonaire XTX [Radeon R7 260X/360] @@ -1876,7 +1882,10 @@ 8086 2111 Radeon HD 6625M 6743 Whistler [Radeon E6760] 6749 Turks GL [FirePro V4900] + 15c3 2b06 MED-X4900 674a Turks GL [FirePro V3900] + 13cc 3d22 MXRT-2500 + 15c3 0106 MED-X3900 6750 Onega [Radeon HD 6650A/7650A] 1462 2670 Radeon HD 6670A 17aa 3079 Radeon HD 7650A @@ -2189,11 +2198,13 @@ 1043 3001 Tahiti XTL [ROG Matrix R9 280X] 1043 3006 Tahiti XTL [Radeon R9 280X DirectCU II TOP] 1043 9999 ARES II + 106b 0127 FirePro D700 + 106b 0128 FirePro D700 1092 3000 Tahiti XT2 [Radeon HD 7970 GHz Edition] 1458 2261 Tahiti XT2 [Radeon HD 7970 GHz Edition OC] # GV-R928XOC-3GD 1458 3001 Tahiti XTL [Radeon R9 280X OC] - 1462 2774 MSI R7970 TF 3GD5/OC BE + 1462 2774 HD 7970 TwinFrozr III Boost Edition OC 1682 3001 Tahiti XTL [Radeon R9 280X] 1682 3211 Double D HD 7970 Black Edition # FX-797A-TNBC @@ -2214,6 +2225,8 @@ 1462 8036 Radeon HD 8990 OEM 148c 8990 Radeon HD 8990 OEM 679e Tahiti LE [Radeon HD 7870 XT] + 106b 0125 FirePro D500 + 106b 0126 FirePro D500 1787 2328 Radeon HD 7870 Black Edition 2 GB GDDR5 [2GBD5-2DHV3E] 679f Tahiti 67a0 Hawaii XT GL [FirePro W9100] @@ -2268,7 +2281,8 @@ 174b e324 Sapphire Nitro R9 390 67b9 Vesuvius [Radeon R9 295X2] 67be Hawaii LE - 67c0 Ellesmere [Radeon Pro WX 7100] + 67c0 Ellesmere [Radeon Pro WX 7100 Mobile] + 67c2 Ellesmere [Radeon Pro V7300X / V7350x2] 67c4 Ellesmere [Radeon Pro WX 7100] 1002 0336 Radeon Pro Duo 1002 1336 Radeon Pro Duo @@ -2276,6 +2290,7 @@ 67ca Ellesmere [Polaris10] 67cc Ellesmere [Polaris10] 67cf Ellesmere [Polaris10] + 67d0 Ellesmere [Radeon Pro V7300X / V7350x2] 67df Ellesmere [Radeon RX 470/480/570/580] 1002 0b37 Radeon RX 480 1043 04a8 Radeon RX 480 @@ -2295,13 +2310,23 @@ 1787 a470 Radeon RX 470 1787 a480 Radeon RX 480 1da2 e353 Sapphire Radeon RX 580 Pulse 8GB - 1da2 e366 Radeon RX 570 - 67e0 Baffin [Polaris11] + 1da2 e366 Nitro+ Radeon RX 580 4GB + 67e0 Baffin [Radeon Pro WX 4170] + 103c 8270 Radeon Pro WX 4170 + 103c 8272 Radeon Pro WX 4170 67e1 Baffin [Polaris11] 67e3 Baffin [Radeon Pro WX 4100] - 67e8 Baffin [Polaris11] + 67e8 Baffin [Radeon Pro WX 4130/4150] + 1028 075d Radeon Pro WX 4150 + 1028 07b0 Radeon Pro WX 4130/4150 + 1028 07b1 Radeon Pro WX 4130 + 1028 175d Radeon Pro WX 4150 + 1028 17b0 Radeon Pro WX 4130/4150 + 1028 17b1 Radeon Pro WX 4130 + 103c 8275 Radeon Pro WX 4150 + 103c 8277 Radeon Pro WX 4150 67e9 Baffin [Polaris11] - 67eb Baffin [Polaris11] + 67eb Baffin [Radeon Pro V5300X] 67ef Baffin [Radeon RX 460/560D / Pro 450/455/460/560] 106b 0160 Radeon Pro 460 106b 0166 Radeon Pro 455 @@ -2324,8 +2349,14 @@ 6808 Pitcairn XT GL [FirePro W7000] 1002 0310 FirePro S7000 1002 0420 Radeon Sky 500 + 13cc 3d25 MXRT-7500 6809 Pitcairn LE GL [FirePro W5000] + 13cc 3d23 MXRT-5500 + 13cc 3d24 MXRT-5550 + 15c3 0b06 MED-X5000 6810 Curacao XT / Trinidad XT [Radeon R7 370 / R9 270X/370X] + 106b 012a FirePro D300 + 106b 012b FirePro D300 148c 0908 Radeon R9 370 OEM 1682 7370 Radeon R7 370 6811 Curacao PRO [Radeon R7 370 / R9 270/370 OEM] @@ -2345,6 +2376,7 @@ 1002 0b05 Radeon HD 8870 OEM 174b 8b04 Radeon HD 8860 6819 Pitcairn PRO [Radeon HD 7850 / R7 265 / R9 270 1024SP] + 1043 042c Radeon HD 7850 1682 7269 Radeon R9 270 1024SP 1682 9278 Radeon R9 270 1024SP 174b a008 Radeon R9 270 1024SP @@ -2370,6 +2402,7 @@ 6826 Chelsea LP [Radeon HD 7700M Series] 6827 Heathrow PRO [Radeon HD 7850M/8850M] 6828 Cape Verde PRO [FirePro W600] + 15c3 2b1e MED-X6000 6829 Cape Verde 682a Venus PRO 682b Venus LE / Tropo PRO-L [Radeon HD 8830M / R7 M465X] @@ -2507,12 +2540,20 @@ 144d c0c7 Radeon HD 7550M 6842 Thames LE [Radeon HD 7000M Series] 6843 Thames [Radeon HD 7670M] + 6860 Vega 10 [Radeon Instinct MI25] + 106b 017c Radeon Pro Vega 64 6861 Vega 10 XT [Radeon PRO WX 9100] + 6862 Vega 10 XT [Radeon PRO SSG] 6863 Vega 10 XTX [Radeon Vega Frontier Edition] + 6864 Vega + 6867 Vega 10 XL [Radeon Pro Vega 56] + 6868 Vega + 686c Vega 10 [Radeon Instinct MI25 MxGPU] 687f Vega 10 XT [Radeon RX Vega 64] 6888 Cypress XT [FirePro V8800] 6889 Cypress PRO [FirePro V7800] 1002 0301 FirePro V7800P + 13cc 3d1f MXRT-7400 688a Cypress XT [FirePro V9800] 1002 030c FirePro V9800P 688c Cypress XT GL [FireStream 9370] @@ -2560,6 +2601,8 @@ 103c 159b Radeon HD 6850M 144d c0ad Radeon HD 6850M 68a9 Juniper XT [FirePro V5800] + 13cc 3d1e MXRT-5400 + 13cc 3d20 MXRT-5450 68b8 Juniper XT [Radeon HD 5770] 106b 00cf MacPro5,1 [Mac Pro 2.8GHz DDR3] 68b9 Juniper LE [Radeon HD 5670 640SP Edition] @@ -2721,6 +2764,7 @@ 1462 2246 Radeon HD 6550A 68c8 Redwood XT GL [FirePro V4800] 68c9 Redwood PRO GL [FirePro V3800] + 13cc 3d1d MXRT-2400 68d8 Redwood XT [Radeon HD 5670/5690/5730] 1028 68e0 Radeon HD 5670 174b 5690 Radeon HD 5690 @@ -3003,6 +3047,7 @@ 6921 Amethyst XT [Radeon R9 M295X] 6929 Tonga XT GL [FirePro S7150] 692b Tonga PRO GL [FirePro W7100] + 13cc 3d2b MXRT-7600 692f Tonga XTV GL [FirePro S7150V] 6938 Tonga XT / Amethyst XT [Radeon R9 380X / R9 M295X] 1043 04f5 Radeon R9 380X @@ -3017,11 +3062,12 @@ 148c 9380 Radeon R9 380 # Make naming scheme consistent 174b e308 Radeon R9 380 Nitro 4G D5 + 694c Vega [Radeon RX Vega M] 6980 Polaris12 6981 Polaris12 6985 Lexa XT [Radeon PRO WX 3100] 6986 Polaris12 - 6987 Polaris12 + 6987 Lexa [Radeon E9171 MCM] 6995 Lexa XT [Radeon PRO WX 2100] 699f Lexa PRO [Radeon RX 550] 148c 2380 Lexa XL [Radeon RX 550] @@ -3032,17 +3078,27 @@ 7101 R520/M58 [Mobility Radeon X1800 XT] 7102 R520/M58 [Mobility Radeon X1800] 7104 R520 GL [FireGL V7200] + 13cc 3d0a MXRT-5100 7109 R520 [Radeon X1800 XL] 1002 0322 All-in-Wonder X1800XL 1002 0d02 Radeon X1800 CrossFire Edition 710a R520 [Radeon X1800 GTO] 1002 0b12 Radeon X1800 GTO² 710b R520 [Radeon X1800 GTO] + 710e R520 GL [FireGL V7300] + 13cc 3d0c MXRT-5150 + 710f R520 GL [FireGL V7350] + 13cc 3d0e MXRT-7100 7120 R520 [Radeon X1800] (Secondary) 7124 R520 GL [FireGL V7200] (Secondary) + 13cc 3d0b MXRT-5100 (Secondary) 7129 R520 [Radeon X1800] (Secondary) 1002 0323 All-In-Wonder X1800 XL (Secondary) 1002 0d03 Radeon X1800 CrossFire Edition (Secondary) + 712e R520 GL [FireGL V7300] (Secondary) + 13cc 3d0d MXRT-5150 (Secondary) + 712f R520 GL [FireGL V7350] (Secondary) + 13cc 3d0f MXRT-7100 (Secondary) 7140 RV515 [Radeon X1300/X1550/X1600 Series] 7142 RV515 PRO [Radeon X1300/X1550 Series] 1002 0322 All-in-Wonder 2006 PCI-E Edition @@ -3082,12 +3138,16 @@ 7193 RV516 [Radeon X1550 Series] 7196 RV516/M62-S [Mobility Radeon X1350] 719b RV516 GL [FireMV 2250] + 13cc 3d12 MXRT-1150 + 13cc 3d14 MXRT-2150 719f RV516 [Radeon X1550 Series] 71a0 RV516 [Radeon X1300/X1550 Series] (Secondary) 71a1 RV516 [Radeon X1600/X1650 Series] (Secondary) 71a3 RV516 [Radeon X1300/X1550 Series] (Secondary) 71a7 RV516 [Radeon X1300/X1550 Series] (Secondary) 71bb RV516 GL [FireMV 2250] (Secondary) + 13cc 3d13 MXRT-1150 (Secondary) + 13cc 3d15 MXRT-2150 (Secondary) 71c0 RV530 [Radeon X1600 XT/X1650 GTO] 1002 e160 Radeon X1650 GTO 174b e160 Radeon X1650 GTO @@ -3106,6 +3166,7 @@ 1787 3000 PowerColor X1650 PRO AGP 71ce RV530 [Radeon X1300 XT/X1600 PRO] 71d2 RV530 GL [FireGL V3400] + 13cc 3d08 MXRT-2100 71d4 RV530/M66 GL [Mobility FireGL V5250] 71d5 RV530/M66-P [Mobility Radeon X1700] 71d6 RV530/M66-XT [Mobility Radeon X1700] @@ -3119,6 +3180,7 @@ 71e7 RV535 [Radeon X1650 PRO] (Secondary) 1787 3001 Radeon X1650 PRO AGP 71f2 RV530 GL [FireGL V3400] (Secondary) + 13cc 3d09 MXRT-2100 (Secondary) 7210 RV550/M71 [Mobility Radeon HD 2300] 7211 RV550/M71 [Mobility Radeon X2300 HD] 7240 R580+ [Radeon X1950 XTX] @@ -3195,6 +3257,7 @@ 9403 R600 [Radeon HD 2900 PRO] 9405 R600 [Radeon HD 2900 GT] 940a R600 GL [FireGL V8650] + 13cc 3d16 MXRT-7200 940b R600 GL [FireGL V8600] 940f R600 GL [FireGL V7600] 9440 RV770 [Radeon HD 4870] @@ -3232,6 +3295,7 @@ 174b 0028 Radeon HD 4650 AGP DDR2 9498 RV730 PRO [Radeon HD 4650] 949c RV730 GL [FirePro V7750] + 13cc 3d1b MXRT-7300 949e RV730 GL [FirePro V5700] 949f RV730 GL [FirePro V3750] 94a0 RV740/M97 [Mobility Radeon HD 4830] @@ -3318,6 +3382,7 @@ 958a RV630 [Radeon HD 2600 X2] 958b RV630/M76 [Mobility Radeon HD 2600 XT] 958c RV630 GL [FireGL V5600] + 13cc 3d18 MXRT-5200 958d RV630 GL [FireGL V3600] 9591 RV635/M86 [Mobility Radeon HD 3650] 1002 9591 Mobility Radeon HD 3650 @@ -3332,6 +3397,7 @@ 1043 3001 Radeon HD 4570 174b 3001 Radeon HD 3750 174b 4580 RV635 PRO [Radeon HD 4580] + 17af 3011 RV635 PRO [Radeon HD 4580] 9599 RV635 PRO [Radeon HD 3650 AGP] 95c0 RV620 PRO [Radeon HD 3470] 1002 95c0 Mobility Radeon HD 3470 @@ -3431,8 +3497,8 @@ 103c 194e ProBook 455 G1 Notebook 103c 1952 ProBook 455 G1 Notebook 9904 Trinity [Radeon HD 7560D] - 9905 Trinity [FirePro A300 Series Graphics] - 9906 Trinity [FirePro A300 Series Graphics] + 9905 Trinity GL [FirePro A300] + 9906 Trinity GL [FirePro A320] 9907 Trinity [Radeon HD 7620G] 9908 Trinity [Radeon HD 7600G] 9909 Trinity [Radeon HD 7500G] @@ -4043,6 +4109,11 @@ 1423 Family 15h (Models 30h-3fh) I/O Memory Management Unit 1424 Family 15h (Models 30h-3fh) Processor Root Port 1426 Family 15h (Models 30h-3fh) Processor Root Port + 142e Liverpool Processor Function 0 + 142f Liverpool Processor Function 1 + 1430 Liverpool Processor Function 2 + 1431 Liverpool Processor Function 3 + 1432 Liverpool Processor Function 4 1436 Liverpool Processor Root Complex 1437 Liverpool I/O Memory Management Unit 1438 Liverpool Processor Root Port @@ -4063,7 +4134,7 @@ 1463 Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 3 1464 Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 4 1465 Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 5 - 1466 Family 17h (Models 00h-0fh) Data Fabric Device 18h Function 6 + 1466 Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 6 1467 Family 17h (Models 00h-0fh) Data Fabric: Device 18h; Function 7 1510 Family 14h Processor Root Complex 174b 1001 PURE Fusion Mini @@ -4080,6 +4151,17 @@ 1535 Family 16h Processor Function 5 1536 Family 16h Processor Root Complex 1538 Family 16h Processor Function 0 + 1570 Family 15h (Models 60h-6fh) Processor Function 0 + 1571 Family 15h (Models 60h-6fh) Processor Function 1 + 1572 Family 15h (Models 60h-6fh) Processor Function 2 + 1573 Family 15h (Models 60h-6fh) Processor Function 3 + 1574 Family 15h (Models 60h-6fh) Processor Function 4 + 1575 Family 15h (Models 60h-6fh) Processor Function 5 + 1576 Family 15h (Models 60h-6fh) Processor Root Complex + 1577 Family 15h (Models 60h-6fh) I/O Memory Management Unit + 157a Family 15h (Models 60h-6fh) Audio Controller + 157b Family 15h (Models 60h-6fh) Host Bridge + 157c Family 15h (Models 60h-6fh) Processor Root Port 1600 Family 15h Processor Function 0 1601 Family 15h Processor Function 1 1602 Family 15h Processor Function 2 @@ -4149,8 +4231,11 @@ 43a1 Hudson PCI to PCI bridge (PCIE port 1) 43a2 Hudson PCI to PCI bridge (PCIE port 2) 43a3 Hudson PCI to PCI bridge (PCIE port 3) + 43b1 X399 Series Chipset PCIe Bridge 43b4 300 Series Chipset PCIe Port + 43b6 X399 Series Chipset SATA Controller 43b7 300 Series Chipset SATA Controller + 43ba X399 Series Chipset USB 3.1 xHCI Controller 43bb 300 Series Chipset USB 3.1 xHCI Controller 7006 AMD-751 [Irongate] System Controller 7007 AMD-751 [Irongate] AGP Bridge @@ -4607,7 +4692,7 @@ 103c 3381 iLO4 0534 G200eR2 0536 Integrated Matrox G200eW3 Graphics Controller - 0538 G200eH + 0538 MGA G200eH3 1590 00e4 iLO5 VGA 0540 M91XX 102b 2080 M9140 LP PCIe x16 @@ -5293,7 +5378,7 @@ c824 82C824 c825 82C825 [Firebridge 2] c832 82C832 - c861 82C861 + c861 82C861 OHCI USB Host c881 82C881 [FireLink] 1394 OHCI Link Controller c895 82C895 c935 EV1935 ECTIVA MachOne PCIAudio @@ -5441,10 +5526,11 @@ 1028 014e PCI7410,7510,7610 OHCI-Lynx Controller (Latitude D800) 802e PCI7x20 1394a-2000 OHCI Two-Port PHY/Link-Layer Controller 1028 018d Inspiron 700m/710m - 8031 PCIxx21/x515 Cardbus Controller + 8031 PCIxx21/PCIxx11/PCIx515 PC Card Controller 1025 0064 Extensa 3000 series laptop 1025 0080 Aspire 5024WLMi 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 103c 308b MX6125 8032 OHCI Compliant IEEE 1394 Host Controller @@ -5453,19 +5539,22 @@ 103c 0934 Compaq nw8240/nx8220 103c 099c NX6110/NC6120 103c 308b MX6125 - 8033 PCIxx21 Integrated FlashMedia Controller + 8033 PCIxx21/PCIxx11 Flash Media Controller 1025 0064 Extensa 3000 series laptop 1025 0080 Aspire 5024WLMi 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 103c 308b MX6125 - 8034 PCI6411/6421/6611/6621/7411/7421/7611/7621 Secure Digital Controller + 8034 PCIxx21/PCIxx11 SD Host Controller 1025 0080 Aspire 5024WLMi 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 103c 308b MX6125 - 8035 PCI6411/6421/6611/6621/7411/7421/7611/7621 Smart Card Controller + 8035 PCIxx21/PCIxx11 Smart Card Controller 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 8036 PCI6515 Cardbus Controller 8038 PCI6515 SmartCard Controller @@ -5479,7 +5568,7 @@ 103c 30a1 NC2400 103c 30a3 Compaq nw8440 104d 902d VAIO VGN-NR120E - 803b 5-in-1 Multimedia Card Reader (SD/MMC/MS/MS PRO/xD) + 803b PCIxx12 Flash Media Controller 103c 309f nx9420 103c 30a3 Compaq nw8440 104d 8212 VAIO VGN-N21E @@ -5652,6 +5741,22 @@ 90a3 Aeolia Memory (DDR3/SPM) 90a4 Aeolia USB 3.0 xHCI Host Controller 90bc SxS Pro+ memory card + 90c8 Belize ACPI + 90c9 Belize Ethernet Controller + 90ca Belize SATA AHCI Controller + 90cb Belize SD/MMC Host Controller + 90cc Belize PCI Express Glue and Miscellaneous Devices + 90cd Belize DMA Controller + 90ce Belize Memory (DDR3/SPM) + 90cf Belize USB 3.0 xHCI Host Controller + 90d7 Baikal ACPI + 90d8 Baikal Ethernet Controller + 90d9 Baikal SATA AHCI Controller + 90da Baikal SD/MMC Host Controller + 90db Baikal PCI Express Glue and Miscellaneous Devices + 90dc Baikal DMA Controller + 90dd Baikal Memory (DDR3/SPM) + 90de Baikal USB 3.0 xHCI Host Controller 104e Oak Technology, Inc 0017 OTI-64017 0107 OTI-107 [Spitfire] @@ -6232,6 +6337,10 @@ 8070 FastLinQ QL41000 Series 10/25/40/50GbE Controller 1077 0001 10GE 2P QL41162HxRJ-DE Adapter 1077 0002 10GE 2P QL41112HxCU-DE Adapter + 1077 0005 QLogic 4x10GE QL41164HMRJ CNA + 1077 0006 QLogic 4x10GE QL41164HMCU CNA + 1077 0007 QLogic 2x1GE+2x10GE QL41264HMCU CNA + 1077 0009 QLogic 2x1GE+2x10GE QL41162HMRJ CNA 1077 000b 25GE 2P QL41262HxCU-DE Adapter 1077 0011 FastLinQ QL41212H 25GbE Adapter 1077 0012 FastLinQ QL41112H 10GbE Adapter @@ -6242,19 +6351,34 @@ 8080 FastLinQ QL41000 Series 10/25/40/50GbE Controller (FCoE) 1077 0001 10GE 2P QL41162HxRJ-DE Adapter 1077 0002 10GE 2P QL41112HxCU-DE Adapter + 1077 0005 QLogic 4x10GE QL41164HMRJ CNA + 1077 0006 QLogic 4x10GE QL41164HMCU CNA + 1077 0007 QLogic 2x1GE+2x10GE QL41264HMCU CNA + 1077 0009 QLogic 2x1GE+2x10GE QL41162HMRJ CNA 1077 000b 25GE 2P QL41262HxCU-DE Adapter + 1077 000c QLogic 2x25GE QL41262HMCU CNA 1077 000d FastLinQ QL41262H 25GbE FCoE Adapter 1077 000e FastLinQ QL41162H 10GbE FCoE Adapter 8084 FastLinQ QL41000 Series 10/25/40/50GbE Controller (iSCSI) 1077 0001 10GE 2P QL41162HxRJ-DE Adapter 1077 0002 10GE 2P QL41112HxCU-DE Adapter + 1077 0005 QLogic 4x10GE QL41164HMRJ CNA + 1077 0006 QLogic 4x10GE QL41164HMCU CNA + 1077 0007 QLogic 2x25GE QL41262HMCU CNA + 1077 0009 QLogic 2x1GE+2x10GE QL41162HMRJ CNA 1077 000b 25GE 2P QL41262HxCU-DE Adapter + 1077 000c QLogic 2x25GE QL41262HMCU CNA 1077 000d FastLinQ QL41262H 25GbE iSCSI Adapter 1077 000e FastLinQ QL41162H 10GbE iSCSI Adapter 8090 FastLinQ QL41000 Series Gigabit Ethernet Controller (SR-IOV VF) 1077 0001 25GE 2P QL41262HxCU-DE Adapter 1077 0002 10GE 2P QL41112HxCU-DE Adapter + 1077 0005 QLogic 4x10GE QL41164HMRJ CNA + 1077 0006 QLogic 4x10GE QL41164HMCU CNA + 1077 0007 QLogic 2x1GE+2x10GE QL41264HMCU CNA + 1077 0009 QLogic 2x1GE+2x10GE QL41162HMRJ CNA 1077 000b 25GE 2P QL41262HxCU-DE Adapter + 1077 000c QLogic 2x25GE QL41262HMCU CNA 1077 000d FastLinQ QL41262H 25GbE FCoE Adapter (SR-IOV VF) 1077 000e FastLinQ QL41162H 10GbE iSCSI Adapter (SR-IOV VF) 1077 0011 FastLinQ QL41212H 25GbE Adapter (SR-IOV VF) @@ -9238,6 +9362,7 @@ 0424 G86 [GeForce 8400 GS] 0425 G86M [GeForce 8600M GS] 1025 0121 Aspire 5920G + 1043 1514 F3SV 0426 G86M [GeForce 8400M GT] 0427 G86M [GeForce 8400M GS] 103c 30cc Pavilion dv6700 @@ -9409,6 +9534,7 @@ 1682 2385 GeForce 9600 GSO 768mb 0611 G92 [GeForce 8800 GT] 107d 2ab0 Winfast PX8800 GT PCI-E + 1462 1170 NX8800GT series model V117 2xDVI+TV 19da 1040 ZT-88TES2P-FSP 0612 G92 [GeForce 9800 GTX / 9800 GTX+] 0613 G92 [GeForce 9800 GTX+] @@ -10193,8 +10319,10 @@ 102a GK110BGL [Tesla K40t] 102d GK210GL [Tesla K80] 102e GK110BGL [Tesla K40d] + 102f GK110BGL [Tesla Stella Solo] 103a GK110GL [Quadro K6000] 103c GK110GL [Quadro K5200] + 103f GK110BGL [Tesla Stella SXM] 1040 GF119 [GeForce GT 520] 1043 83a0 ENGT520 SILENT 1042 GF119 [GeForce 510] @@ -10648,6 +10776,7 @@ 11a3 GK104M [GeForce GTX 680MX] 106b 010d iMac 13,2 11a7 GK104M [GeForce GTX 675MX] + 11af GK104GLM [GRID IceCube] # GRID K2 Quadro USM 11b0 GK104GL [GRID K240Q\K260Q vGPU] 10de 101a GRID K240Q @@ -10827,6 +10956,7 @@ 13bd GM107GL [Tesla M10] 10de 110a GRID M40 10de 1160 Tesla M10 + 10de 11d2 GRID M10-8Q 13c0 GM204 [GeForce GTX 980] 1043 8504 GTX980-4GD5 13c1 GM204 @@ -10836,11 +10966,16 @@ 13d8 GM204M [GeForce GTX 970M] 13d9 GM204M [GeForce GTX 965M] 13da GM204M [GeForce GTX 980 Mobile] - 13e7 GM204 [GeForce GTX 980 Engineering Sample] + 13e7 GM204GL [GeForce GTX 980 Engineering Sample] 13f0 GM204GL [Quadro M5000] 13f1 GM204GL [Quadro M4000] 13f2 GM204GL [Tesla M60] + 10de 114d GRID M60-1Q + 10de 114e GRID M60-2Q + 10de 1150 GRID M60-8Q + 10de 11b0 GRID M60-4A 13f3 GM204GL [Tesla M6] + 10de 1184 GRID M6-8Q 13f8 GM204GLM [Quadro M5000M / M5000 SE] 13f9 GM204GLM [Quadro M4000M] 13fa GM204GLM [Quadro M3000M] @@ -10869,6 +11004,7 @@ 172f GP100 174d GM108M [GeForce MX130] 174e GM108M [GeForce MX110] + 1789 GM107GL [GRID M3-3020] 17c2 GM200 [GeForce GTX TITAN X] 17c8 GM200 [GeForce GTX 980 Ti] 17f0 GM200GL [Quadro M6000] @@ -10904,6 +11040,7 @@ 1bb7 GP104GLM [Quadro P4000 Mobile] 1462 11e9 Quadro P4000 Max-Q 1bb8 GP104GLM [Quadro P3000 Mobile] + 1bc7 GP104 [P104-101] 1be0 GP104M [GeForce GTX 1080 Mobile] 1028 07c0 GeForce GTX 1080 Max-Q 1458 355b GeForce GTX 1080 Max-Q @@ -10912,6 +11049,8 @@ 1c01 GP106 1c02 GP106 [GeForce GTX 1060 3GB] 1c03 GP106 [GeForce GTX 1060 6GB] + 1c04 GP106 [GeForce GTX 1060 5GB] + 1c06 GP106 [GeForce GTX 1060 6GB Rev. 2] 1c07 GP106 [P106-100] 1c09 GP106 [P106-090] 1c20 GP106M [GeForce GTX 1060 Mobile] @@ -10937,11 +11076,13 @@ 1cb1 GP107GL [Quadro P1000] 1cb2 GP107GL [Quadro P600] 1cb3 GP107GL [Quadro P400] + 1cb6 GP107GL [Quadro P620] 1d01 GP108 [GeForce GT 1030] 1d10 GP108M [GeForce MX150] - 1d81 GV100 - 1db1 GV100 [Tesla V100 SXM2] - 1db4 GV100 [Tesla V100 PCIe] + 1d33 GP108GL [Quadro P500] + 1d81 GV100 [TITAN V] + 1db1 GV100GL [Tesla V100 SXM2] + 1db4 GV100GL [Tesla V100 PCIe] 10df Emulex Corporation 0720 OneConnect NIC (Skyhawk) 103c 1934 FlexFabric 20Gb 2-port 650M Adapter @@ -10967,6 +11108,7 @@ e180 Proteus-X: LightPulse IOV Fibre Channel Host Adapter e200 LightPulse LPe16002 1014 03f1 PCIe2 16 Gb 2-port Fibre Channel Adapter (FC EL5B; CCIN 577F) + 10df e282 Flex System FC5054 4-port 16Gb FC Adapter e208 LightPulse 16Gb Fibre Channel Host Adapter (Lancer-VF) e220 OneConnect NIC (Lancer) 17aa 1054 ThinkServer LPm16002B-M6-L AnyFabric @@ -11141,13 +11283,14 @@ 8129 RTL-8129 10ec 8129 RT8129 Fast Ethernet Adapter 11ec 8129 RTL8111/8168 PCIe Gigabit Ethernet (misconfigured) - 8136 RTL8101/2/6E PCI Express Fast Ethernet controller + 8136 RTL810xE PCI Express Fast Ethernet controller 103c 1985 RTL8106E on Pavilion 17-e163sg Notebook PC 103c 2a8c Compaq 500B Microtower 103c 2ab1 Pavilion p6774 103c 30cc Pavilion dv6700 1179 ff64 RTL8102E PCI-E Fast Ethernet NIC 17c0 1053 RTL8101e Medion WIM 2210 Notebook PC [MD96850] + 8137 RTL8104E PCIe Fast Ethernet Controller 8138 RT8139 (B/C) Cardbus Fast Ethernet Adapter 10ec 8138 RT8139 (B/C) Fast Ethernet Adapter 8139 RTL-8100/8101L/8139 PCI Fast Ethernet Adapter @@ -11218,7 +11361,7 @@ 1043 16d5 U6V/U31J laptop 1043 81aa P5B 1043 82c6 M3A78 Series Motherboard - 1043 83a3 M4A785TD Motherboard + 1043 83a3 M4A785/P7P55 Motherboard 1043 8432 P8P67 and other motherboards 1043 8505 P8 series motherboard 105b 0d7c D270S/D250S Motherboard @@ -11226,6 +11369,7 @@ 144d c652 RTL8168 on a NP300E5C series laptop 1458 e000 Onboard Ethernet 1462 238c Onboard RTL8111b on MSI P965 Platinum Mainboard + 1462 345c RTL8111B on MS-7345 Motherboard 1462 368c K9AG Neo2 1462 4180 Wind PC MS-7418 1462 7522 X58 Pro-E @@ -13242,9 +13386,47 @@ 117c 802f ExpressPCI UL5D Low Profile 0033 SAS Adapter 0041 ExpressSAS R30F + 0042 ExpressSAS 6Gb/s SAS/SATA HBA + 117c 0042 ExpressSAS H680 + 117c 0043 ExpressSAS H608 + 117c 0044 ExpressSAS H60F + 117c 0045 ExpressSAS H6F0 + 117c 0046 ExpressSAS H644 + 117c 004f ExpressSAS M608 + 117c 0057 ExpressSAS M680 + 117c 0058 ExpressSAS M644 + 117c 0059 ExpressSAS W608 + 117c 005a ExpressSAS W680 + 117c 005b ExpressSAS W644 + 0049 ExpressSAS 6Gb SAS/SATA RAID Adapter + 117c 0049 ExpressSAS R680 + 117c 004a ExpressSAS R608 + 117c 004b ExpressSAS R60F + 117c 004c ExpressSAS R6F0 + 117c 004d ExpressSAS R644 + 117c 004e ExpressSAS R648 + 0064 Celerity FC 16Gb/s Gen 5 Fibre Channel HBA + 117c 0063 Celerity FC-161E + 117c 0064 Celerity FC-162E + 117c 0065 Celerity FC-164E + 0094 Celerity FC 16/32Gb/s Gen 6 Fibre Channel HBA + 117c 0094 Celerity FC-162P + 117c 00a0 Celerity FC-161P + 117c 00a1 Celerity FC-164P + 117c 00a2 Celerity FC-321E + 117c 00a3 Celerity FC-322E + 117c 00ac Celerity FC-324E 8013 ExpressPCI UL4D 8014 ExpressPCI UL4S 8027 ExpressPCI UL5D + 8070 ExpressSAS 12Gb/s SAS/SATA HBA + 117c 0070 ExpressSAS H1280 + 117c 0071 ExpressSAS H1208 + 117c 0080 ExpressSAS H1244 + 8072 ExpressSAS 12Gb/s SAS/SATA HBA + 117c 0072 ExpressSAS H12F0 + 117c 0073 ExpressSAS H120F + 117c 0082 ExpressSAS H1288 117d Becton & Dickinson 117e T/R Systems 117f Integrated Circuit Systems @@ -13299,6 +13481,7 @@ 1025 0121 Aspire 5920G 1028 01d7 XPS M1210 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30b5 Presario V3242AU 103c 30b7 Presario V6133CL 103c 30cc Pavilion dv6700 @@ -13316,6 +13499,7 @@ 1028 01a2 Inspiron 9200 1028 01d7 XPS M1210 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 03b5 Presario V3242AU 103c 30b7 Presario V6133CL 103c 30c1 Compaq 6910p @@ -13332,6 +13516,7 @@ 1025 0121 Aspire 5920G 1028 01d7 XPS M1210 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 1028 024d Latitude E4300 103c 30b5 Presario V3242AU 103c 30b7 Presario V6133CL @@ -13354,6 +13539,7 @@ 0852 xD-Picture Card Controller 1025 0121 Aspire 5920G 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30b5 Presario V3242AU 103c 30b7 Presario V6133CL 103c 30cc Pavilion dv6700 @@ -13605,6 +13791,7 @@ 4353 88E8039 PCI-E Fast Ethernet Controller 104d 902d VAIO VGN-NR120E 4354 88E8040 PCI-E Fast Ethernet Controller + 1028 022f Inspiron 1525 144d c06a R730 Laptop 144d c072 Notebook N150P 4355 88E8040T PCI-E Fast Ethernet Controller @@ -13700,8 +13887,9 @@ 6081 MV88SX6081 8-port SATA II PCI-X Controller 6101 88SE6101/6102 single-port PATA133 interface 1043 82e0 P5K PRO Motherboard - 6111 88SE6111 1-port PATA133(IDE) and 1-port SATA II Controllers - 6121 88SE6121 SATA II / PATA Controller + 6121 88SE6111/6121 SATA II / PATA Controller +# 6111: 1 SATA port; 6121: 2 SATA ports + 11ab 6121 88SE6111/6121 1/2 port SATA II + 1 port PATA Controller 6141 88SE614x SATA II PCI-E controller 6145 88SE6145 SATA II PCI-E controller 6180 88F6180 [Kirkwood] ARM SoC @@ -14027,6 +14215,7 @@ 8000 PM8000 [SPC - SAS Protocol Controller] 8009 PM8009 SPCve 8x6G 8032 ATTO Celerity FC8xEN + 117c 003a Celerity FC-81EN Fibre Channel Adapter 117c 003b Celerity FC-82EN Fibre Channel Adapter 117c 003c Celerity FC-84EN Fibre Channel Adapter 8053 PM8053 SXP 12G 24-port SAS/SATA expander @@ -14047,41 +14236,70 @@ 11fc Silicon Magic 11fd High Street Consultants 11fe Comtrol Corporation - 0001 RocketPort 32 port w/external I/F - 0002 RocketPort 8 port w/external I/F - 0003 RocketPort 16 port w/external I/F - 0004 RocketPort 4 port w/quad cable - 0005 RocketPort 8 port w/octa cable - 0006 RocketPort 8 port w/RJ11 connectors - 0007 RocketPort 4 port w/RJ11 connectors - 0008 RocketPort 8 port w/ DB78 SNI (Siemens) connector - 0009 RocketPort 16 port w/ DB78 SNI (Siemens) connector - 000a RocketPort Plus 4 port - 000b RocketPort Plus 8 port - 000c RocketModem 6 port + 0001 RocketPort PCI 32-port w/external I/F + 0002 RocketPort PCI 8-port w/external I/F + 0003 RocketPort PCI 16-port w/external I/F + 0004 RocketPort PCI 4-port w/Quad Cable + 0005 RocketPort PCI 8-port w/Octa Cable + 0006 RocketPort PCI 8-port w/RJ11 connectors + 0007 RocketPort PCI 4-port w/RJ45 connectors + 0008 RocketPort PCI 8-port w/DB78 SNI connector (Siemens) + 0009 RocketPort PCI 16-port w/DB78 SNI connector (Siemens) + 000a RocketPort PCI Plus 4-port w/Quad Cable + 000b RocketPort PCI Plus 8-port w/Octa Cable + 000c RocketModem II 6-port 000d RocketModem 4-port - 000e RocketPort Plus 2 port RS232 - 000f RocketPort Plus 2 port RS422 - 0040 RocketPort Infinity Octa, 8port, RJ45 - 0041 RocketPort Infinity 32port, External Interface - 0042 RocketPort Infinity 8port, External Interface - 0043 RocketPort Infinity 16port, External Interface - 0044 RocketPort Infinity Quad, 4port, DB - 0045 RocketPort Infinity Octa, 8port, DB - 0047 RocketPort Infinity 4port, RJ45 - 004f RocketPort Infinity 2port, SMPTE - 0052 RocketPort Infinity Octa, 8port, SMPTE - 0801 RocketPort UPCI 32 port w/external I/F - 0802 RocketPort UPCI 8 port w/external I/F - 0803 RocketPort UPCI 16 port w/external I/F - 0805 RocketPort UPCI 8 port w/octa cable - 080c RocketModem III 8 port - 080d RocketModem III 4 port - 0810 RocketPort UPCI Plus 4 port RS232 - 0811 RocketPort UPCI Plus 8 port RS232 - 0812 RocketPort UPCI Plus 8 port RS422 + 000e RocketPort PCI Plus 2-port RS-232 w/DB9 connectors + 000f RocketPort PCI Plus 2-port SMPTE w/DB9 connectors + 0040 RocketPort INFINITY 8-port w/Octa Cable RJ45 + 0041 RocketPort INFINITY 32-port w/external I/F + 0042 RocketPort INFINITY 8-port w/external I/F + 0043 RocketPort INFINITY 16-port w/external I/F + 0044 RocketPort INFINITY 4-port w/Quad Cable DB + 0045 RocketPort INFINITY 8-port w/Octa Cable DB + 0046 RocketPort INFINITY 4-port w/external I/F + 0047 RocketPort INFINITY 4J (4-port) w/RJ45 connectors + 0048 RocketPort INFINITY 4J (4-port) w/RJ45 connectors + 004a RocketPort INFINITY Plus 4-port + 004b RocketPort INFINITY Plus 8-port + 004c RocketModem INFINITY III 8-port + 004d RocketModem INFINITY III 4-port + 004e RocketPort INFINITY Plus 2-port + 004f RocketPort INFINITY 2-port SMPTE w/DB9 connectors + 0050 RocketPort INFINITY Plus 4-port RJ45 + 0051 RocketPort INFINITY Plus 8-port RJ11 + 0052 RocketPort INFINITY 8-port SMPTE w/DB9 Connectors + 0060 RocketPort EXPRESS 8-port w/Octa Cable + 0061 RocketPort EXPRESS 32-port w/external I/F + 0062 RocketPort EXPRESS 8-Port w/external I/F + 0063 RocketPort EXPRESS 16-port w/external I/F + 0064 RocketPort EXPRESS 4-port w/Quad Cable + 0065 RocketPort EXPRESS 8-port w/Octa Cable + 0066 RocketPort EXPRESS 4-port w/external I/F + 0067 RocketPort EXPRESS 4J (4-port) w/RJ45 connectors + 0068 RocketPort EXPRESS 8J (8-port) w/RJ11 connectors + 006f RocketPort EXPRESS SMPTE 2-port + 0072 RocketPort EXPRESS SMPTE 8-port w/external I/F + 0801 RocketPort uPCI 32-port w/external I/F + 0802 RocketPort uPCI 8-port w/external I/F + 0803 RocketPort uPCI 16-port w/external I/F + 0805 RocketPort uPCI 8-port w/Octa Cable + 080b RocketPort Plus uPCI 8-port w/Octa Cable + 080c RocketModem III 8-port + 080d RocketModem III 4-port + 080e RocketPort uPCI 2-port RS232 w/DB9 connectors + 080f RocketPort uPCI SMPTE 2-port + 0810 RocketPort Plus uPCI 4J (4-port) w/RJ45 connectors + 0811 RocketPort Plus uPCI 8J (8-port) w/RJ11 connectors + 0812 RocketPort Plus uPCI 422 8-port + 0813 RocketModem IV uPCI 8-port + 0814 RocketModem IV uPCI 4-port 0903 RocketPort Compact PCI 16 port w/external I/F - 8015 RocketPort 4-port UART 16954 +# 16954 UART + 8015 RocketPort 550 4-port + 8805 RocketPort uPCI 4-port w/Quad Cable + 880b RocketPort Plus uPCI 4-port w/Quad Cable + 8812 RocketPort Plus uPCI 4-port RS422 w/Quad Cable 11ff Scion Corporation 0003 AG-5 1200 CSS Corporation @@ -15644,6 +15862,7 @@ 0252 XR17V252 Dual UART PCI controller 0254 XR17V254 Quad UART PCI controller 0258 XR17V258 Octal UART PCI controller + 0352 XR17V3521 Dual PCIe UART 13a9 Siemens Medical Systems, Ultrasound Group 13aa Broadband Networks Inc 13ab Arcom Control Systems Ltd @@ -16243,6 +16462,7 @@ 4887 T440T-4087 Unified Wire Ethernet Controller [VF] 4888 T440-4088 Unified Wire Ethernet Controller [VF] 5001 T520-CR Unified Wire Ethernet Controller + 193d 1001 510F-B 5002 T522-CR Unified Wire Ethernet Controller 5003 T540-CR Unified Wire Ethernet Controller 5004 T520-BCH Unified Wire Ethernet Controller @@ -16304,6 +16524,7 @@ 50a9 T580-50A9 Unified Wire Ethernet Controller 50aa T580-50AA Unified Wire Ethernet Controller 50ab T520-50AB Unified Wire Ethernet Controller + 50ac T540-50AC Unified Wire Ethernet Controller 5401 T520-CR Unified Wire Ethernet Controller 5402 T522-CR Unified Wire Ethernet Controller 5403 T540-CR Unified Wire Ethernet Controller @@ -16366,6 +16587,7 @@ 54a9 T580-50A9 Unified Wire Ethernet Controller 54aa T580-50AA Unified Wire Ethernet Controller 54ab T520-50AB Unified Wire Ethernet Controller + 54ac T540-50AC Unified Wire Ethernet Controller 5501 T520-CR Unified Wire Storage Controller 5502 T522-CR Unified Wire Storage Controller 5503 T540-CR Unified Wire Storage Controller @@ -16426,6 +16648,9 @@ 55a7 T580-50A7 Unified Wire Storage Controller 55a8 T580-50A8 Unified Wire Storage Controller 55a9 T580-50A9 Unified Wire Storage Controller + 55aa T580-50AA Unified Wire Storage Controller + 55ab T520-50AB Unified Wire Storage Controller + 55ac T540-50AC Unified Wire Storage Controller 5601 T520-CR Unified Wire Storage Controller 5602 T522-CR Unified Wire Storage Controller 5603 T540-CR Unified Wire Storage Controller @@ -16488,6 +16713,7 @@ 56a9 T580-50A9 Unified Wire Storage Controller 56aa T580-50AA Unified Wire Storage Controller 56ab T520-50AB Unified Wire Storage Controller + 56ac T540-50AC Unified Wire Storage Controller 5701 T520-CR Unified Wire Ethernet Controller 5702 T522-CR Unified Wire Ethernet Controller 5703 T540-CR Unified Wire Ethernet Controller @@ -16589,6 +16815,7 @@ 58a9 T580-50A9 Unified Wire Ethernet Controller [VF] 58aa T580-50AA Unified Wire Ethernet Controller [VF] 58ab T520-50AB Unified Wire Ethernet Controller [VF] + 58ac T540-50AC Unified Wire Ethernet Controller [VF] 6001 T6225-CR Unified Wire Ethernet Controller 6002 T6225-SO-CR Unified Wire Ethernet Controller 6003 T6425-CR Unified Wire Ethernet Controller @@ -16609,6 +16836,7 @@ 6084 T64100-6084 Unified Wire Ethernet Controller 6085 T6240-6085 Unified Wire Ethernet Controller 6086 T6225-6086 Unified Wire Ethernet Controller + 6087 T6225-6087 Unified Wire Ethernet Controller 6401 T6225-CR Unified Wire Ethernet Controller 6402 T6225-SO-CR Unified Wire Ethernet Controller 6403 T6425-CR Unified Wire Ethernet Controller @@ -16629,6 +16857,7 @@ 6484 T64100-6084 Unified Wire Ethernet Controller 6485 T6240-6085 Unified Wire Ethernet Controller 6486 T6225-6086 Unified Wire Ethernet Controller + 6487 T6225-6087 Unified Wire Ethernet Controller 6501 T6225-CR Unified Wire Storage Controller 6502 T6225-SO-CR Unified Wire Storage Controller 6503 T6425-CR Unified Wire Storage Controller @@ -16649,6 +16878,7 @@ 6584 T64100-6084 Unified Wire Storage Controller 6585 T6240-6085 Unified Wire Storage Controller 6586 T6225-6086 Unified Wire Storage Controller + 6587 T6225-6087 Unified Wire Storage Controller 6601 T6225-CR Unified Wire Storage Controller 6602 T6225-SO-CR Unified Wire Storage Controller 6603 T6425-CR Unified Wire Storage Controller @@ -16669,6 +16899,7 @@ 6684 T64100-6084 Unified Wire Storage Controller 6685 T6240-6085 Unified Wire Storage Controller 6686 T6225-6086 Unified Wire Storage Controller + 6687 T6225-6087 Unified Wire Storage Controller 6801 T6225-CR Unified Wire Ethernet Controller [VF] 6802 T6225-SO-CR Unified Wire Ethernet Controller [VF] 6803 T6425-CR Unified Wire Ethernet Controller [VF] @@ -16689,6 +16920,7 @@ 6884 T64100-6084 Unified Wire Ethernet Controller [VF] 6885 T6240-6085 Unified Wire Ethernet Controller [VF] 6886 T6225-6086 Unified Wire Ethernet Controller [VF] + 6887 T6225-6087 Unified Wire Ethernet Controller [VF] a000 PE10K Unified Wire Ethernet Controller 1426 Storage Technology Corp. 1427 Better On-Line Solutions @@ -16954,6 +17186,7 @@ 14be L3 Communications 14bf SPIDER Communications Inc. 14c0 COMPAL Electronics Inc + 1201 X550 10Gb 2P RJ45 OCP Mezz # now owned by CSP, Inc. 14c1 MYRICOM Inc. 0008 Myri-10G Dual-Protocol NIC @@ -17062,7 +17295,12 @@ 107b 5048 E4500 Onboard 1259 2705 AT-2711FX 1601 NetXtreme BCM5752M Gigabit Ethernet PCI Express + 1604 BCM5745X NetXtreme-E Ethernet Partition + 1605 BCM5745X NetXtreme-E RDMA Partition + 1606 BCM5745X NetXtreme-E RDMA Virtual Function + 1609 BCM5745X NetXtreme-E Ethernet Virtual Function 1612 BCM70012 Video Decoder [Crystal HD] + 1614 BCM57454 NetXtreme-E 10Gb/25Gb/40Gb/50Gb/100Gb Ethernet 1615 BCM70015 Video Decoder [Crystal HD] 1639 NetXtreme II BCM5709 Gigabit Ethernet 1028 0235 PowerEdge R710 BCM5709 Gigabit Ethernet @@ -17200,6 +17438,7 @@ 103c 169d Ethernet 1Gb 4-port 331FLR Adapter 103c 22be Ethernet 1Gb 4-port 331i Adapter 103c 3383 Ethernet 1Gb 4-port 331T Adapter + 14e4 1904 4-port 1Gb Ethernet Adapter 1659 NetXtreme BCM5721 Gigabit Ethernet PCI Express 1014 02c6 eServer xSeries server mainboard 1028 01e6 PowerEdge 860 @@ -17271,6 +17510,7 @@ 1014 0577 ThinkPad X41 / Z60t 103c 0934 nx8220 103c 0940 Compaq nw8240 Mobile Workstation + 103c 0944 Compaq nc6220 Notebook PC 17aa 2081 ThinkPad R60e 167e NetXtreme BCM5751F Fast Ethernet PCI Express 167f NetLink BCM5787F Fast Ethernet PCI Express @@ -17303,6 +17543,8 @@ 103c 193a FlexFabric 10Gb 2-port 533FLR-T Adapter 103c 3382 Ethernet 10Gb 2-port 530FLR-SFP+ Adapter 103c 339d Ethernet 10Gb 2-port 530SFP+ Adapter + 193d 1003 530F-B + 193d 1006 530F-L 1690 NetXtreme BCM57760 Gigabit Ethernet PCIe 1691 NetLink BCM57788 Gigabit Ethernet PCIe 1028 04aa XPS 8300 @@ -17475,6 +17717,7 @@ 16ed BCM57414 NetXtreme-E RDMA Partition 16ee BCM57416 NetXtreme-E Ethernet Partition 16ef BCM57416 NetXtreme-E RDMA Partition + 16f1 BCM57452 NetXtreme-E 10Gb/25Gb/40Gb/50Gb Ethernet 16f3 NetXtreme BCM5727 Gigabit Ethernet PCIe 16f7 NetXtreme BCM5753 Gigabit Ethernet PCI Express 16fd NetXtreme BCM5753M Gigabit Ethernet PCI Express @@ -17751,6 +17994,13 @@ aa52 BCM43602 802.11ac Wireless LAN SoC b302 BCM56302 StrataXGS 24x1GE 2x10GE Switch Controller b334 BCM56334 StrataXGS 24x1GE 4x10GE Switch Controller + b370 BCM56370 Switch ASIC + b371 BCM56371 Switch ASIC + b372 BCM56372 Switch ASIC + b375 BCM56375 Switch ASIC + b376 BCM56376 Switch ASIC + b377 BCM56377 Switch ASIC + b379 Broadcom BCM56379 Switch ASIC b800 BCM56800 StrataXGS 10GE Switch Controller b842 BCM56842 Trident 10GE Switch Controller # Trident2 @@ -18255,6 +18505,8 @@ 1556 PLDA 1100 PCI Express Core Reference Design 110f PCI Express Core Reference Design Virtual Function + 1110 XpressRich Reference Design + 1113 XpressSwitch 1557 MEDIASTAR Co Ltd 1558 CLEVO/KAPOK Computer 1559 SI LOGIC Ltd @@ -18410,6 +18662,7 @@ 020b MT27710 Family [ConnectX-4 Lx Flash Recovery] 020d MT28800 Family [ConnectX-5 Flash Recovery] 020f MT28908A0 Family [ConnectX-6 Flash Recovery] + 0210 MT28908A0 Family [ConnectX-6 Secure Flash Recovery] 0211 MT416842 Family [BlueField SoC Flash Recovery] # reserved for RM#105916 024e MT53100 [Spectrum-2, Flash recovery mode] @@ -18417,9 +18670,11 @@ 024f MT53100 [Spectrum-2, Flash recovery mode] 0262 MT27710 [ConnectX-4 Lx Programmable] EN 0263 MT27710 [ConnectX-4 Lx Programmable Virtual Function] EN + 0264 Innova-2 Flex Burn image 0281 NPS-600 Flash Recovery 1002 MT25400 Family [ConnectX-2 Virtual Function] 1003 MT27500 Family [ConnectX-3] + 1014 04b5 PCIe3 40GbE RoCE Converged Host Bus Adapter for Power 103c 1777 InfiniBand FDR/EN 10/40Gb Dual Port 544FLR-QSFP Adapter (Rev Cx) 103c 17c9 Infiniband QDR/Ethernet 10Gb 2-port 544i Adapter 103c 18ce InfiniBand QDR/EN 10Gb Dual Port 544M Adapter @@ -18454,6 +18709,7 @@ 15b3 0078 ConnectX-3 Pro 10 GbE Dual Port KR Mezzanine Card 15b3 0079 ConnectX-3 Pro 40 GbE Dual Port QSFP+ Adapter 15b3 0080 ConnectX-3 Pro 10 GbE Dual Port SFP+ Adapter + 193d 1002 520F-B 1009 MT27530 Family 100a MT27531 Family 100b MT27540 Family @@ -18465,6 +18721,7 @@ 1011 MT27600 [Connect-IB] 1012 MT27600 Family [Connect-IB Virtual Function] 1013 MT27700 Family [ConnectX-4] + 1014 04f7 PCIe3 2-port 100 GbE (NIC and RoCE) QSFP28 Adapter for Power 15b3 0003 Mellanox Technologies ConnectX-4 Stand-up single-port 40GbE MCX413A-BCAT 15b3 0005 Mellanox Technologies ConnectX-4 Stand-up single-port 40GbE MCX415A-BCAT 15b3 0006 MCX416A-BCAT, ConnectX-4 EN, 40/56GbE 2P, PCIe3.0 x16 @@ -18474,11 +18731,13 @@ 15b3 0050 ConnectX-4 100 GbE Dual Port QSFP28 Adapter 1014 MT27700 Family [ConnectX-4 Virtual Function] 1015 MT27710 Family [ConnectX-4 Lx] + 15b3 0004 ConnectX-4 Lx Stand-up dual-port 10GbE MCX4121A-XCAT 15b3 0005 Mellanox Technologies ConnectX-4 Lx Stand-up single-port 40GbE MCX4131A-BCAT 15b3 0016 ConnectX-4 Lx 25 GbE Dual Port SFP28 Adapter 15b3 0020 MCX4411A-ACQN, ConnectX-4 Lx EN OCP, 1x25Gb 15b3 0021 MCX4421A-ACQN ConnectX-4 Lx EN OCP,2x25G 15b3 0025 ConnectX-4 Lx 25 GbE Dual Port SFP28 rNDC + 193d 100a 620F-B 1016 MT27710 Family [ConnectX-4 Lx Virtual Function] 1017 MT27800 Family [ConnectX-5] 1018 MT27800 Family [ConnectX-5 Virtual Function] @@ -18509,6 +18768,7 @@ 6372 MT25408 [ConnectX EN 10GigE 10GBaseT, PCIe 2.0 2.5GT/s] 6732 MT26418 [ConnectX VPI PCIe 2.0 5GT/s - IB DDR / 10GigE] 673c MT26428 [ConnectX VPI PCIe 2.0 5GT/s - IB QDR / 10GigE] + 1014 0415 PCIe2 2-port 4X InfiniBand QDR Adapter for Power 1014 0487 GX++ 1-port 4X IB QDR Adapter for Power 795 103c 1782 4X QDR InfiniBand Mezzanine HCA for c-Class BladeSystem 15b3 0021 HP InfiniBand 4X QDR CX-2 PCI-e G2 Dual Port HCA @@ -18531,6 +18791,7 @@ 7121 NPS-600 configuration and management interface 7122 NPS-600 network interface PF 7123 NPS-600 network interface VF + 8200 Innova-2 Flex Shell Logic a2d0 MT416842 BlueField SoC Crypto enabled a2d1 MT416842 BlueField SoC Crypto disabled a2d2 MT416842 BlueField integrated ConnectX-5 network controller @@ -18544,7 +18805,7 @@ # Spectrum, 100GbE Switch cb84 MT52100 cf08 MT53236 - cf6c MT53100 [Spectrum-2, 64 x 100GbE switch] + cf6c MT53100 [Spectrum-2] d2f0 Switch-IB 3 HDR (200Gbps) switch 15b4 CCI/TRIAD 15b5 Cimetrics Inc @@ -18567,6 +18828,7 @@ 0015 ZBox 15b7 Sandisk Corp 2001 Skyhawk Series NVME SSD + 5001 WD Black NVMe SSD 15b8 ADDI-DATA GmbH 1001 APCI1516 SP controller (16 digi outputs) 1003 APCI1032 SP controller (32 digi inputs w/ opto coupler) @@ -18708,6 +18970,14 @@ 5641 FarSync T4Ee PCI Express (4 port X.21/V.35/V.24) 6620 FarSync T2U-PMC PCI Express (2 port X.21/V.35/V.24) 161f Rioworks +1621 Lynx Studio Technology, Inc. + 0020 LynxTWO-A + 0021 LynxTWO-B + 0022 LynxTWO-C + 0023 Lynx L22 + 0024 Lynx AES16 + 0025 Lynx AES16-SRC + 0028 Lynx AES16e 1626 TDK Semiconductor Corp. 8410 RTL81xx Fast Ethernet 1629 Kongsberg Spacetec AS @@ -18715,6 +18985,11 @@ 1006 Format synchronizer, model 10500 1007 Format synchronizer, model 21000 2002 Fast Universal Data Output + 3100 IO31000 Frame Synchronizer and I/O + 3200 IO32000 Frame Synchronizer and I/O + 4002 High Rate Demodulator + 5001 High Rate FEC + 6001 High Rate Demodulator and FEC 1631 Packard Bell B.V. 1638 Standard Microsystems Corp [SMC] 1100 SMC2602W EZConnect / Addtron AWA-100 / Eumitcom PCI WL11000 @@ -19021,6 +19296,7 @@ 0777 4005 SR71-15 802.11an Mini PCI Adapter 1186 3a7a DWA-552 802.11n Xtreme N Desktop Adapter (rev A2) 1186 3a7d DWA-552 802.11n Xtreme N Desktop Adapter (rev A3) + 168c 0029 AR922X Wireless Network Adapter 168c 2096 Compex WLM200NX / Wistron DNMA-92 002a AR928X Wireless Network Adapter (PCI-Express) 0777 4f05 SR71-X 802.11abgn Wireless ExpressCard Adapter [AR9280] @@ -19205,17 +19481,26 @@ 7012 AP440-2: 32-Channel Isolated Digital Input Module 7013 AP440-3: 32-Channel Isolated Digital Input Module 7014 AP445: 32-Channel Isolated Digital Output Module + 7015 AP471 48-Channel TTL Level Digital Input/Output Module 7016 AP470 48-Channel TTL Level Digital Input/Output Module 7017 AP323 16-bit, 20 or 40 Channel Analog Input Module 7018 AP408: 32-Channel Digital I/O Module 7019 AP341 14-bit, 16-Channel Simultaneous Conversion Analog Input Module 701a AP220-16 12-Bit, 16-Channel Analog Output Module 701b AP231-16 16-Bit, 16-Channel Analog Output Module + 701c AP225 12-Bit, 16-Channel Analog Output Module with Waveform Memory + 701d AP235 16-Bit, 16-Channel Analog Output Module with Waveform Memory 7021 APA7-201 Reconfigurable Artix-7 FPGA module 48 TTL channels 7022 APA7-202 Reconfigurable Artix-7 FPGA module 24 RS485 channels 7023 APA7-203 Reconfigurable Artix-7 FPGA module 24 TTL & 12 RS485 channels 7024 APA7-204 Reconfigurable Artix-7 FPGA module 24 LVDS channels 7027 AP418 16-Channel High Voltage Digital Input/Output Module + 7029 AP342 14-bit, 12-Channel Isolated Simultaneous Conversion Analog Input Module + 702a AP226 12-Bit, 8-Channel Isolated Analog Output Module + 702b AP236 16-Bit, 8-Channel Isolated Analog Output Module + 7031 AP441-1: 32-Channel Isolated Digital Input Module + 7032 AP441-2: 32-Channel Isolated Digital Input Module + 7033 AP441-3: 32-Channel Isolated Digital Input Module 7042 AP482 Counter Timer Module with TTL Level Input/Output 7043 AP483 Counter Timer Module with TTL Level and RS422 Input/Output 7044 AP484 Counter Timer Module with RS422 Input/Output @@ -19288,6 +19573,7 @@ 0101 PCD-7004 Digital Bi-Directional Ports PCI Card 0102 PCD-7104 Digital Input & Output PCI Card 0303 PCD-7006C Digital Input & Output PCI Card +1761 Pickering Interfaces Ltd 1771 InnoVISION Multimedia Ltd. # nee SBS Technologies 1775 GE Intelligent Platforms @@ -20072,11 +20358,15 @@ 1924 8019 SFN8542-R2 8000 Series 10/40G Adapter 1924 801a SFN8722-R1 8000 Series OCP 10G Adapter 1924 801b SFN8522-R3 8000 Series 10G Adapter + 0b03 SFC9250 10/25/40/50/100G Ethernet Controller + 1924 801d x2522-R1 2000 Series 10/25G Adapter + 1924 801e x2542-R1 2000 Series 40/100G Adapter 1803 SFC9020 10G Ethernet Controller (Virtual Function) 1813 SFL9021 10GBASE-T Ethernet Controller (Virtual Function) 1903 SFC9120 10G Ethernet Controller (Virtual Function) 1923 SFC9140 10/40G Ethernet Controller (Virtual Function) 1a03 SFC9220 10/40G Ethernet Controller (Virtual Function) + 1b03 SFC9250 10/25/40/50/100G Ethernet Controller (Virtual Function) 6703 SFC4000 rev A iSCSI/Onload [Solarstorm] 10b8 0102 SMC10GPCIe-10BT (A2) [TigerCard] 10b8 0103 SMC10GPCIe-10BT (A3) [TigerCard] @@ -20097,6 +20387,7 @@ 000c Qualcomm MSM6275 UMTS chip 1932 DiBcom 193c MAXIM Integrated Products +193d Hangzhou H3C Technologies Co., Ltd. 193f AHA Products Group 0001 AHA36x-PCIX 0360 AHA360-PCIe @@ -20485,6 +20776,7 @@ 0009 RAIDCore Controller 000a RAIDCore Controller 1aae Global Velocity, Inc. +1ab4 FFEI Ltd 1ab6 CalDigit, Inc. 6201 RAID Card # Parallels VM virtual devices @@ -20659,6 +20951,9 @@ 91a4 88SE912x IDE Controller 9220 88SE9220 PCIe 2.0 x2 2-port SATA 6 Gb/s RAID Controller 9230 88SE9230 PCIe SATA 6Gb/s Controller + 1028 1fd6 BOSS-S1 Adapter + 1028 1fdf BOSS-S1 Modular + 1028 1fe2 BOSS-S1 Adapter 1d49 0300 ThinkSystem M.2 with Mirroring Enablement Kit 9235 88SE9235 PCIe 2.0 x2 4-port SATA 6 Gb/s Controller 9445 88SE9445 PCIe 2.0 x4 4-Port SAS/SATA 6 Gbps RAID Controller @@ -20739,6 +21034,8 @@ 1bbf Maxeler Technologies Ltd. 0003 MAX3 0004 MAX4 +1bcf NEC Corporation + 001c Vector Engine 1.0 1bd0 Astronics Corporation 1001 Mx5 PMC/XMC Databus Interface Card 1002 PM1553-5 (PC/104+ MIL-STD-1553 Interface Card) @@ -20799,6 +21096,8 @@ 1014 04f5 PCIe3 1.6TB NVMe Flash Adapter 1014 04f6 PCIe3 3.2TB NVMe Flash Adapter 0023 Ultrastar SN200 Series NVMe SSD +1c5c SK hynix + 1283 PC300 NVMe Solid State Drive 1c5f Beijing Memblaze Technology Co. Ltd. 0540 PBlaze4 NVMe SSD # http://www.nicevt.ru/ (in Russian) @@ -20922,7 +21221,13 @@ 1d65 Imagine Communications Corp. 04de Taurus/McKinley 1d6a Aquantia Corp. + 07b1 AQC107 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] + 08b1 AQC108 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] + 11b1 AQC111 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] + 12b1 AQC112 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] + 87b1 AQC107 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] d107 AQC107 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] + d108 AQC108 NBase-T/IEEE 802.3bz Ethernet Controller [AQtion] 1d6c Atomic Rules LLC 1001 A5PL-E1 1002 A5PL-E7 @@ -20945,6 +21250,36 @@ 1d7c Aerotech, Inc. 1d87 Fuzhou Rockchip Electronics Co., Ltd 1d8f Enyx +1d94 Chengdu Higon IC Design Co.Ltd + 1450 Root Complex + 1451 I/O Memory Management Unit + 1452 PCIe Dummy Host Bridge + 1453 PCIE GPP Bridge + 1454 Internal PCIe GPP Bridge 0 to Bus B + 1455 PCIe Dummy Function + 1456 PSPCCP Command DMA Processor + 1458 10 Gb Ethernet Controller Port 0/Port1 + 1459 10 Gb Ethernet Controller Port 2/Port3 + 145a PCIe Dummy Function + 145b PCIE Non-Transparent Bridge + 145c USB3 XHCI + 145d Switch upstream in PCIe + 145e Switch downstream in PCIe + 145f USB 3.0 Host controller + 1460 Data Fabric: Device 18h; Function 0 + 1461 Data Fabric: Device 18h; Function 1 + 1462 Data Fabric: Device 18h; Function 2 + 1463 Data Fabric: Device 18h; Function 3 + 1464 Data Fabric: Device 18h; Function 4 + 1465 Data Fabric: Device 18h; Function 5 + 1466 Data Fabric: Device 18h; Function 6 + 1467 Data Fabric: Device 18h; Function 7 + 1468 NTBCCP + 7901 FCH SATA Controller [AHCI mode] + 7904 FCH SATA Controller [AHCI mode] + 7906 FCH SD Flash Controller + 790b FCH SMBus Controller + 790e FCH LPC Bridge 1d95 Graphcore Ltd 1da1 Teko Telecom S.r.l. 1da2 Sapphire Technology Limited @@ -20956,6 +21291,19 @@ 1de5 Eideticom, Inc 1000 IO Memory Controller 2000 NoLoad Hardware Development Kit +1def Ampere Computing, LLC + e005 Skylark PCI Express Root Port 0 [X-Gene 3] + e006 Skylark PCI Express Root Port 1 [X-Gene 3] + e007 Skylark PCI Express Root Port 2 [X-Gene 3] + e008 Skylark PCI Express Root Port 3 [X-Gene 3] + e009 Skylark PCI Express Root Port 4 [X-Gene 3] + e00a Skylark PCI Express Root Port 5 [X-Gene 3] + e00b Skylark PCI Express Root Port 6 [X-Gene 3] + e00c Skylark PCI Express Root Port 7 [X-Gene 3] +1df7 opencpi.org + 0001 ml605 + 0002 alst4 + 0003 alst4x # nee Tumsan Oy 1fc0 Ascom (Finland) Oy 0300 E2200 Dual E1/Rawpipe Card @@ -21006,6 +21354,7 @@ 4027 TN9710P 10GBase-T/NBASE-T Ethernet Adapter 1154 0368 LGY-PCIE-MG 1432 8104 10 Gigabit Ethernet PCI Express Adapter + 1546 4027 IOI9710P 10Gbase-T/NBASE-T Ethernet Adapter 1fc9 3015 Ethernet Adapter 4527 TN9710Q 5GBase-T/NBASE-T Ethernet Adapter 1fcc StreamLabs @@ -21670,6 +22019,8 @@ 3000 HD-3000 5500 HD5500 HDTV 7284 HT OMEGA Inc. +7357 IOxOS Technologies SA + 7910 7910 [Althea] 7401 EndRun Technologies e100 PTP3100 PCIe PTP Slave Clock 7470 TP-LINK Technologies Co., Ltd. @@ -23069,6 +23420,7 @@ 17aa 402b 82599ES 10Gb 2-port Server Adapter X520-DA2 17aa 402f FPGA Card XC7VX690T-3FFG1157E 18d4 0c09 82599ES 10Gb 2-port SFP+ OCP Mezz Card MOP81-I-10GS2 + 193d 1004 560F-B 1bd4 001b 10G SFP+ DP ER102Fi4 Rack Adapter 1bd4 002f 10G SFP+ DP EP102Fi4A Adapter 1bd4 0032 10G SFP+ DP EP102Fi4 Adapter @@ -23387,6 +23739,8 @@ 17aa 1074 ThinkServer I350-T4 AnyFabric 17aa 4005 I350 Gigabit Network Connection 18d4 0c07 I350 1Gb 2-port RJ45 OCP Mezz Card MOP41-I-1GT2 + 193d 1005 360T-B + 193d 1007 360T-L 1bd4 001d 1G base-T QP EP014Ti1 Adapter 1bd4 0035 1G base-T QP EP014Ti1 Adapter 8086 0001 Ethernet Server Adapter I350-T4 @@ -23500,9 +23854,12 @@ 1563 Ethernet Controller 10G X550T 1028 1fa8 Ethernet 10G 4P X550/I350 rNDC 1028 1fa9 Ethernet 10G 4P X550 rNDC + 14c0 1201 X550 10Gb 2P RJ45 OCP Mezz 1590 00d1 Ethernet 10Gb 2-port 562T Adapter 1590 00d2 Ethernet 10Gb 2-port 562FLR-T Adapter 18d4 0c08 X550 10Gb 2-port RJ45 OCP Mezz Card MOP81-I-10GT2 + 193d 1008 560T-B + 193d 1009 560T-L 8086 0001 Ethernet Converged Network Adapter X550-T2 8086 001a Ethernet Converged Network Adapter X550-T2 8086 001b Ethernet Server Adapter X550-T2 for OCP @@ -23661,8 +24018,9 @@ 15c7 Ethernet Connection X553 1GbE 15c8 Ethernet Connection X553/X557-AT 10GBASE-T 15ce Ethernet Connection X553 10 GbE SFP+ - 15d0 Ethernet SDI Adapter FM10420-100GbE-QDA2 + 15d0 Ethernet SDI Adapter 8086 0001 Ethernet SDI Adapter FM10420-100GbE-QDA2 + 8086 0002 Ethernet SDI Adapter FM10840-MTP2 15d1 Ethernet Controller 10G X550T 8086 0002 Ethernet Converged Network Adapter X550-T1 8086 001b Ethernet Server Adapter X550-T1 for OCP @@ -23687,6 +24045,14 @@ 15e3 Ethernet Connection (5) I219-LM 15e4 Ethernet Connection X553 1GbE 15e5 Ethernet Connection X553 1GbE + 15e7 JHL7540 Thunderbolt 3 Bridge [Titan Ridge 2C 2018] + 15e8 JHL7540 Thunderbolt 3 NHI [Titan Ridge 2C 2018] + 15e9 JHL7540 Thunderbolt 3 USB Controller [Titan Ridge 2C 2018] + 15ea JHL7540 Thunderbolt 3 Bridge [Titan Ridge 4C 2018] + 15eb JHL7540 Thunderbolt 3 NHI [Titan Ridge 4C 2018] + 15ec JHL7540 Thunderbolt 3 USB Controller [Titan Ridge 4C 2018] + 15ef JHL7540 Thunderbolt 3 Bridge [Titan Ridge DD 2018] + 15f0 JHL7540 Thunderbolt 3 USB Controller [Titan Ridge DD 2018] 1600 Broadwell-U Host Bridge -OPI 1601 Broadwell-U PCI Express x16 Controller 1602 Broadwell-U Integrated Graphics @@ -24113,6 +24479,7 @@ 144d c652 NP300E5C series laptop 1849 1e2d Motherboard 1e31 7 Series/C210 Series Chipset Family USB xHCI Host Controller + 103c 179b Elitebook 8470p 103c 17ab ProBook 6570b 1043 108d VivoBook X202EV 1043 1477 N56VZ @@ -24422,6 +24789,7 @@ 1028 040a Latitude E6410 1028 040b Latitude E6510 103c 0934 Compaq nw8240 Mobile Workstation + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 103c 309f Compaq nx9420 Notebook 103c 30a3 Compaq nw8440 @@ -24502,6 +24870,7 @@ 1043 8277 P5K PRO Motherboard 1043 844d P8 series motherboard 1458 5000 Motherboard + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7418 Wind PC MS-7418 15d9 060d C7SIM-Q Motherboard 15d9 9680 X7DBN Motherboard @@ -24990,6 +25359,7 @@ 24f4 Wireless 8260 # Snow Field Peak AC 8086 0030 Dual Band Wireless-AC 8260 + 24fb Dual Band Wireless-AC 3168NGW [Stone Peak] 24fd Wireless 8265 / 8275 # Windstorm Peak 8086 0010 Dual Band Wireless-AC 8265 @@ -25003,6 +25373,7 @@ 250f 82820 820 (Camino) Chipset AGP Bridge 2520 82805AA MTH Memory Translator Hub 2521 82804AA MRH-S Memory Repeater Hub for SDRAM + 2526 Wireless-AC 9260 2530 82850 850 (Tehama) Chipset Host Bridge (MCH) 1028 00c7 Dimension 8100 147b 0507 TH7II-RAID @@ -25089,6 +25460,7 @@ 1014 0575 ThinkPad X41 / Z60t 1028 0182 Latitude C610 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 104d 81b7 Vaio VGN-S3XP a304 81b7 Vaio VGN-S3XP @@ -25273,6 +25645,7 @@ 2641 82801FBM (ICH6M) LPC Interface Bridge 1014 0568 ThinkPad X41 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 2642 82801FW/FRW (ICH6W/ICH6RW) LPC Interface Bridge 2651 82801FB/FW (ICH6/ICH6W) SATA Controller @@ -25293,6 +25666,7 @@ 1028 0177 Dimension 8400 1028 0179 Optiplex GX280 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 1043 80a6 P5GD1-VW Mainboard 1458 2558 GA-8I915ME-G Mainboard @@ -25306,6 +25680,7 @@ 1028 0177 Dimension 8400 1028 0179 Optiplex GX280 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 1043 80a6 P5GD1-VW Mainboard 1458 2659 GA-8I915ME-G Mainboard @@ -25319,6 +25694,7 @@ 1028 0177 Dimension 8400 1028 0179 Optiplex GX280 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 1043 80a6 P5GD1-VW Mainboard 1458 265a GA-8I915ME-G Mainboard @@ -25344,6 +25720,7 @@ 1028 0177 Dimension 8400 1028 0179 Optiplex GX280 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 1043 80a6 P5GD1-VW Mainboard 1458 5006 GA-8I915ME-G Mainboard @@ -25355,12 +25732,14 @@ e4bf 58b1 XB1 2660 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 1 103c 0934 Compaq nw8240 Mobile Workstation + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 e4bf 0ccd CCD-CALYPSO e4bf 0cd3 CD3-JIVE e4bf 58b1 XB1 2662 82801FB/FBM/FR/FW/FRW (ICH6 Family) PCI Express Port 2 103c 0934 Compaq nw8240 Mobile Workstation + 103c 0944 Compaq nc6220 Notebook PC e4bf 0ccd CCD-CALYPSO e4bf 0cd3 CD3-JIVE e4bf 58b1 XB1 @@ -25414,6 +25793,7 @@ 266f 82801FB/FBM/FR/FW/FRW (ICH6 Family) IDE Controller 1028 0177 Dimension 8400 103c 0934 Compaq nw8240/nx8220 + 103c 0944 Compaq nc6220 Notebook PC 103c 099c NX6110/NC6120 1043 80a6 P5GD1-VW Mainboard 1458 266f GA-8I915ME-G Mainboard @@ -25486,6 +25866,12 @@ 103c 31fe ProLiant DL140 G3 15d9 8680 X7DVL-E-O motherboard 15d9 9680 X7DBN Motherboard + 2700 Optane SSD 900P Series + 8086 3900 900P Series [Add-in Card] + 8086 3901 900P Series [2.5" SFF] + 2701 Optane DC P4800X Series SSD + 8086 3904 DC P4800X Series [Add-in Card] + 8086 3905 DC P4800X Series [2.5" SFF] 2770 82945G/GZ/P/PL Memory Controller Hub 1028 01ad OptiPlex GX620 103c 2a3b Pavilion A1512X @@ -25516,6 +25902,7 @@ 2792 Mobile 915GM/GMS/910GML Express Graphics Controller 1014 0582 ThinkPad X41 103c 099c NX6110/NC6120 + 103c 308a Compaq nc6220 Notebook PC 1043 1881 GMA 900 915GM Integrated Graphics e4bf 0ccd CCD-CALYPSO e4bf 0cd3 CD3-JIVE @@ -25860,6 +26247,7 @@ 2815 82801HM (ICH8M) LPC Interface Controller 1025 0121 Aspire 5920G 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30cc Pavilion dv6700 103c 30d9 Presario C700 @@ -25875,6 +26263,7 @@ 1028 020d Inspiron 530 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 2823 C610/X99 series chipset sSATA Controller [RAID mode] 2824 82801HB (ICH8) 4 port SATA Controller [AHCI mode] 1043 81ec P5B @@ -25896,6 +26285,7 @@ e4bf cc47 CCG-RUMBA 2829 82801HM/HEM (ICH8M/ICH8M-E) SATA Controller [AHCI mode] 1025 0121 Aspire 5920G + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -25912,6 +26302,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -25927,6 +26318,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -25942,6 +26334,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -25958,6 +26351,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -25972,6 +26366,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -25985,6 +26380,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -26000,6 +26396,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -26013,6 +26410,7 @@ 1025 0121 Aspire 5920G 1028 01da OptiPlex 745 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30d9 Presario C700 1043 81ec P5B 104d 9005 Vaio VGN-FZ260E @@ -26054,6 +26452,7 @@ 1028 01f3 Inspiron 1420 1028 01f9 Latitude D630 1028 01ff Precision M4300 + 1028 022f Inspiron 1525 1028 0256 Studio 1735 103c 2802 Compaq dc7700p 103c 30c0 Compaq 6710b @@ -26074,6 +26473,7 @@ 2850 82801HM/HEM (ICH8M/ICH8M-E) IDE Controller 1025 0121 Aspire 5920G 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -26090,6 +26490,7 @@ 1028 020d Inspiron 530 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard + 1462 7345 MS-7345 Motherboard 8086 5044 Desktop Board DP35DP 2917 ICH9M-E LPC Interface Controller e4bf cc4d CCM-BOOGIE @@ -26105,6 +26506,7 @@ 1028 0211 Optiplex 755 1028 023c PowerEdge R200 onboard SATA Controller 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801IR [ICH9R] 2921 82801IB (ICH9) 2 port SATA Controller [IDE mode] 1028 0235 PowerEdge R710 SATA IDE Controller 1028 0236 PowerEdge R610 SATA IDE Controller @@ -26112,6 +26514,7 @@ 1462 7360 G33/P35 Neo 2922 82801IR/IO/IH (ICH9R/DO/DH) 6 port SATA Controller [AHCI mode] 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801IR [ICH9R] 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP 2923 82801IB (ICH9) 4 port SATA Controller [AHCI mode] @@ -26124,6 +26527,7 @@ 1028 0210 PowerEdge T300 onboard SATA Controller 1028 0211 Optiplex 755 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801IR [ICH9R] 1462 7360 G33/P35 Neo 2928 82801IBM/IEM (ICH9M/ICH9M-E) 2 port SATA Controller [IDE mode] 2929 82801IBM/IEM (ICH9M/ICH9M-E) 4 port SATA Controller [AHCI mode] @@ -26138,6 +26542,7 @@ 103c 2a6f Asus IPIBL-LB Motherboard 103c 3628 dv6-1190en 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26158,6 +26563,7 @@ 1028 2011 Optiplex 755 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26175,6 +26581,7 @@ 1028 029c PowerEdge M710 USB UHCI Controller 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26190,6 +26597,7 @@ 1028 029c PowerEdge M710 USB UHCI Controller 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26205,6 +26613,7 @@ 1028 2011 Optiplex 755 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 2937 Optiplex 755 @@ -26221,6 +26630,7 @@ 1028 029c PowerEdge M710 USB UHCI Controller 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 2938 Optiplex 755 @@ -26232,6 +26642,7 @@ 1028 0237 PowerEdge T610 USB UHCI Controller 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26249,6 +26660,7 @@ 1028 029c PowerEdge M710 USB EHCI Controller 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26263,6 +26675,7 @@ 1028 029c PowerEdge M710 USB EHCI Controller 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 293c Optiplex 755 @@ -26274,6 +26687,7 @@ 103c 2a6f Asus IPIBL-LB Motherboard 103c 3628 dv6-1190en 1043 829f P5K PRO Motherboard: 82801IR [ICH9R] + 1462 735a MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 293e Optiplex 755 @@ -26284,6 +26698,7 @@ 1028 0211 Optiplex 755 103c 2a6f Asus IPIBL-LB Motherboard 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 8086 2940 Optiplex 755 2942 82801I (ICH9 Family) PCI Express Port 2 1028 020d Inspiron 530 @@ -26295,9 +26710,11 @@ 2948 82801I (ICH9 Family) PCI Express Port 5 1028 020d Inspiron 530 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 294a 82801I (ICH9 Family) PCI Express Port 6 1028 020d Inspiron 530 1043 8277 P5K PRO Motherboard: 82801IR [ICH9R] + 1462 7345 MS-7345 Motherboard: Intel 82801I/IR [ICH9/ICH9R] 294c 82566DC-2 Gigabit Network Connection 17aa 302e 82566DM-2 Gigabit Network Connection 2970 82946GZ/PL/GL Memory Controller Hub @@ -26353,6 +26770,7 @@ 103c 2a6f Asus IPIBL-LB Motherboard 1043 8276 P5K PRO Motherboard: Intel 82P35 Northbridge 1043 82b0 P5KPL-VM Motherboard + 1462 7345 MS-7345 Motherboard: Intel 82G33/P35 Northbridge 1462 7360 G33/P35 Neo 1af4 1100 QEMU Virtual Machine 8086 5044 Desktop Board DP35DP @@ -26396,6 +26814,7 @@ 2a00 Mobile PM965/GM965/GL960 Memory Controller Hub 1025 0121 Aspire 5920G 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30c1 Compaq 6910p 103c 30cc Pavilion dv6700 @@ -26410,6 +26829,7 @@ 2a02 Mobile GM965/GL960 Integrated Graphics Controller (primary) 1028 01f3 Inspiron 1420 1028 01f9 Latitude D630 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30d9 Presario C700 104d 902d VAIO VGN-NR120E @@ -26418,6 +26838,7 @@ e4bf cc47 CCG-RUMBA 2a03 Mobile GM965/GL960 Integrated Graphics Controller (secondary) 1028 01f3 Inspiron 1420 + 1028 022f Inspiron 1525 103c 30c0 Compaq 6710b 103c 30d9 Presario C700 104d 902d VAIO VGN-NR120E @@ -27133,6 +27554,10 @@ 17aa 4020 Intel Ethernet Connection X722 for 10G SFP+ 17aa 4021 Intel Ethernet Connection X722 for 10G SFP+ 17aa 4022 Ethernet Connection X722 for 10GbE SFP+ + 8086 0001 Ethernet Network Adapter X722-2 + 8086 0002 Ethernet Network Adapter X722-2 + 8086 0003 Ethernet Network Adapter X722-4 + 8086 0004 Ethernet Network Adapter X722-4 37d1 Ethernet Connection X722 for 1GbE 14cd 0010 88E1514 Ethernet OCP 2x1G RJ45 Phy Card [USI-1514-1GbaseT] 1590 0216 Ethernet 1Gb 2-port 368i Adapter @@ -27351,6 +27776,8 @@ 1028 02da OptiPlex 980 1028 040a Latitude E6410 1028 040b Latitude E6510 + 1043 3838 P7P55-M Motherboard + 1043 8383 P7P55-M Motherboard 144d c06a R730 Laptop 15d9 060d C7SIM-Q Motherboard 17c0 10d2 Medion Akoya E7214 Notebook PC [MD98410] @@ -27546,7 +27973,7 @@ 4117 Atom Processor E6xx PCI Host Bridge #4 4220 PRO/Wireless 2200BG [Calexico2] Network Connection 103c 0934 Compaq nw8240/nx8220 - 103c 12f6 nc6120/nx8220/nw8240 + 103c 12f6 nc6120/nc6220/nw8240/nx8220 8086 2701 WM3B2200BG Mini-PCI Card 8086 2712 IBM ThinkPad R50e 8086 2721 Dell B130 laptop integrated WLAN @@ -27694,9 +28121,11 @@ 590f Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers 5910 Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers 5912 HD Graphics 630 + 5914 Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers 5916 HD Graphics 620 17aa 2248 ThinkPad T570 17aa 224f ThinkPad X1 Carbon 5th Gen + 5917 UHD Graphics 620 591d HD Graphics P630 591f Intel Kaby Lake Host Bridge 5a84 Celeron N3350/Pentium N4200/Atom E3900 Series Integrated Graphics Controller @@ -28113,6 +28542,8 @@ 8c26 8 Series/C220 Series Chipset Family USB EHCI #1 103c 1909 ZBook 15 17aa 220e ThinkPad T440p + 17aa 2210 ThinkPad T540p + 2210 17aa ThinkPad T540p 8c2d 8 Series/C220 Series Chipset Family USB EHCI #2 103c 1909 ZBook 15 17aa 220e ThinkPad T440p @@ -29020,6 +29451,11 @@ 103c 0701 Smart Array P204i-b SR Gen10 103c 1100 Smart Array P816i-a SR Gen10 103c 1101 Smart Array P416ie-m SR G10 + 152d 8a22 QS-8204-8i + 152d 8a23 QS-8238-16i + 152d 8a24 QS-8236-16i + 152d 8a36 QS-8240-24i + 152d 8a37 QS-8242-24i 9005 0800 SmartRAID 3154-8i 9005 0801 SmartRAID 3152-8i 9005 0802 SmartRAID 3151-4i @@ -29222,8 +29658,8 @@ bdbd Blackmagic Design a124 Intensity Extreme a126 Intensity Shuttle a127 UltraStudio Express - a129 UltraStudio Mini Monitor - a12a UltraStudio Mini Recorder + a129 UltraStudio Mini Recorder + a12a UltraStudio Mini Monitor a12d UltraStudio 4K a12e DeckLink 4K Extreme a12f DeckLink Mini Monitor @@ -29238,6 +29674,11 @@ bdbd Blackmagic Design a13e UltraStudio 4K Extreme a13f DeckLink Quad 2 a140 DeckLink Duo 2 + a141 UltraStudio 4K Extreme 3 + a142 UltraStudio HD Mini + a143 DeckLink Mini Recorder 4K + a144 DeckLink Mini Monitor 4K + a14b DeckLink 8K Pro c001 TSI Telsys c0a9 Micron/Crucial Technology c0de Motorola @@ -29349,9 +29790,8 @@ deaf Middle Digital Inc. 9052 PC Weasel Watchdog Timer # formerly SoftHard Technology Ltd. deda XIMEA - 4001 Camera CB -# Thunderbolt based camera MT family - 4021 Camera MT + 4001 CB or MX camera + 4021 MT camera e000 Winbond e000 W89C940 e159 Tiger Jet Network Inc. @@ -29442,9 +29882,13 @@ eace Endace Measurement Systems, Ltd 8500 DAG 8.5I Infiniband x4 DDR 9200 DAG 9.2SX2 10G Ethernet 920e DAG 9.2X2 10G Ethernet + 9540 DAG 9.5G4 Gig Ethernet + 954f DAG 9.5G4F Gig Ethernet a120 DAG 10X2-P 10G Ethernet a12e DAG 10X2-S 10G Ethernet - a140 DAG 10X4-P 10G Ethernet + a140 DAG 10X4-P 10/40G Ethernet + a14e DAG 10X4-S 10/40G Ethernet + eace vDAG virtual device ec80 Belkin Corporation ec00 F5D6000 ecc0 Echo Digital Audio Corporation diff --git a/stand/forth/loader.conf b/stand/forth/loader.conf index 3511aa2..c888c8b 100644 --- a/stand/forth/loader.conf +++ b/stand/forth/loader.conf @@ -533,6 +533,7 @@ coretemp_load="NO" # Intel Core CPU temperature monitor vkbd_load="NO" # Virtual AT keyboard interface vpd_load="NO" # Vital Product Data kernel interface vpo_load="NO" # Parallel to SCSI interface driver +amdsmn_load="NO" # AMD Family 17h System Management Network amdtemp_load="NO" # AMD K8/K10/K11 temperature monitor tpm_load="NO" # Trusted Platform Module wbwd_load="NO" # Winbond watchdog diff --git a/sys/amd64/conf/NOTES b/sys/amd64/conf/NOTES index 8022c22..33d2542 100644 --- a/sys/amd64/conf/NOTES +++ b/sys/amd64/conf/NOTES @@ -599,6 +599,11 @@ device cpuctl options ENABLE_ALART # Control alarm on Intel intpm driver # +# AMD System Management Network (SMN) +# +device amdsmn + +# # Number of initial kernel page table pages used for early bootstrap. # This number should include enough pages to map the kernel and any # modules or other data loaded with the kernel by the loader. Each diff --git a/sys/amd64/vmm/amd/svm.c b/sys/amd64/vmm/amd/svm.c index 9beafbc..1f35e84 100644 --- a/sys/amd64/vmm/amd/svm.c +++ b/sys/amd64/vmm/amd/svm.c @@ -964,6 +964,7 @@ svm_save_intinfo(struct svm_softc *svm_sc, int vcpu) vm_exit_intinfo(svm_sc->vm, vcpu, intinfo); } +#ifdef INVARIANTS static __inline int vintr_intercept_enabled(struct svm_softc *sc, int vcpu) { @@ -971,6 +972,7 @@ vintr_intercept_enabled(struct svm_softc *sc, int vcpu) return (svm_get_intercept(sc, vcpu, VMCB_CTRL1_INTCPT, VMCB_INTCPT_VINTR)); } +#endif static __inline void enable_intr_window_exiting(struct svm_softc *sc, int vcpu) diff --git a/sys/arm/allwinner/if_awg.c b/sys/arm/allwinner/if_awg.c index cded892..6170adb 100644 --- a/sys/arm/allwinner/if_awg.c +++ b/sys/arm/allwinner/if_awg.c @@ -87,7 +87,7 @@ __FBSDID("$FreeBSD$"); #define TX_SKIP(n, o) (((n) + (o)) & (TX_DESC_COUNT - 1)) #define RX_NEXT(n) (((n) + 1) & (RX_DESC_COUNT - 1)) -#define TX_MAX_SEGS 10 +#define TX_MAX_SEGS 20 #define SOFT_RST_RETRY 1000 #define MII_BUSY_RETRY 1000 @@ -148,6 +148,7 @@ struct awg_softc { struct resource *res[2]; struct mtx mtx; if_t ifp; + device_t dev; device_t miibus; struct callout stat_ch; struct task link_task; @@ -375,14 +376,18 @@ awg_setup_txbuf(struct awg_softc *sc, int index, struct mbuf **mp) sc->tx.buf_map[index].map, m, segs, &nsegs, BUS_DMA_NOWAIT); if (error == EFBIG) { m = m_collapse(m, M_NOWAIT, TX_MAX_SEGS); - if (m == NULL) + if (m == NULL) { + device_printf(sc->dev, "awg_setup_txbuf: m_collapse failed\n"); return (0); + } *mp = m; error = bus_dmamap_load_mbuf_sg(sc->tx.buf_tag, sc->tx.buf_map[index].map, m, segs, &nsegs, BUS_DMA_NOWAIT); } - if (error != 0) + if (error != 0) { + device_printf(sc->dev, "awg_setup_txbuf: bus_dmamap_load_mbuf_sg failed\n"); return (0); + } bus_dmamap_sync(sc->tx.buf_tag, sc->tx.buf_map[index].map, BUS_DMASYNC_PREWRITE); @@ -1324,6 +1329,7 @@ awg_attach(device_t dev) int error; sc = device_get_softc(dev); + sc->dev = dev; node = ofw_bus_get_node(dev); if (bus_alloc_resources(dev, awg_spec, sc->res) != 0) { diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c index e01b89f..0a7239a 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/arc.c @@ -4237,6 +4237,7 @@ arc_available_memory(void) free_memory_reason_t r = FMR_UNKNOWN; #ifdef _KERNEL +#ifdef __FreeBSD__ /* * Cooperate with pagedaemon when it's time for it to scan * and reclaim some pages. @@ -4247,7 +4248,15 @@ arc_available_memory(void) r = FMR_LOTSFREE; } -#ifdef illumos +#else + if (needfree > 0) { + n = PAGESIZE * (-needfree); + if (n < lowest) { + lowest = n; + r = FMR_NEEDFREE; + } + } + /* * check that we're out of range of the pageout scanner. It starts to * schedule paging if freemem is less than lotsfree and needfree. @@ -4290,7 +4299,7 @@ arc_available_memory(void) r = FMR_PAGES_PP_MAXIMUM; } -#endif /* illumos */ +#endif /* __FreeBSD__ */ #if defined(__i386) || !defined(UMA_MD_SMALL_ALLOC) /* * If we're on an i386 platform, it's possible that we'll exhaust the @@ -4501,6 +4510,11 @@ arc_reclaim_thread(void *dummy __unused) int64_t to_free = (arc_c >> arc_shrink_shift) - free_memory; if (to_free > 0) { +#ifdef _KERNEL +#ifdef illumos + to_free = MAX(to_free, ptob(needfree)); +#endif +#endif arc_shrink(to_free); } } else if (free_memory < arc_c >> arc_no_grow_shift) { diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c index 8731af4..3ec78c3 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/dnode.c @@ -59,6 +59,12 @@ static dnode_phys_t dnode_phys_zero; int zfs_default_bs = SPA_MINBLOCKSHIFT; int zfs_default_ibs = DN_MAX_INDBLKSHIFT; +SYSCTL_DECL(_vfs_zfs); +SYSCTL_INT(_vfs_zfs, OID_AUTO, default_bs, CTLFLAG_RWTUN, + &zfs_default_bs, 0, "Default dnode block shift"); +SYSCTL_INT(_vfs_zfs, OID_AUTO, default_ibs, CTLFLAG_RWTUN, + &zfs_default_ibs, 0, "Default dnode indirect block shift"); + #ifdef illumos static kmem_cbrc_t dnode_move(void *, void *, size_t, void *); #endif diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_raidz.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_raidz.c index 9395f3c..e9b46da 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_raidz.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/vdev_raidz.c @@ -2398,7 +2398,7 @@ vdev_raidz_io_done(zio_t *zio) */ if (parity_errors + parity_untried < rm->rm_firstdatacol || - (zio->io_flags & ZIO_FLAG_RESILVER)) { + (zio->io_flags & (ZIO_FLAG_RESILVER | ZIO_FLAG_SCRUB))) { n = raidz_parity_verify(zio, rm); unexpected_errors += n; ASSERT(parity_errors + n <= @@ -2450,7 +2450,7 @@ vdev_raidz_io_done(zio_t *zio) * out to failed devices later. */ if (parity_errors < rm->rm_firstdatacol - n || - (zio->io_flags & ZIO_FLAG_RESILVER)) { + (zio->io_flags & (ZIO_FLAG_RESILVER | ZIO_FLAG_SCRUB))) { n = raidz_parity_verify(zio, rm); unexpected_errors += n; ASSERT(parity_errors + n <= @@ -2552,7 +2552,8 @@ done: zio_checksum_verified(zio); if (zio->io_error == 0 && spa_writeable(zio->io_spa) && - (unexpected_errors || (zio->io_flags & ZIO_FLAG_RESILVER))) { + (unexpected_errors || + (zio->io_flags & (ZIO_FLAG_RESILVER | ZIO_FLAG_SCRUB)))) { /* * Use the good data we have in hand to repair damaged children. */ diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c index 4f92cfb..b8def48 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ctldir.c @@ -886,13 +886,6 @@ zfsctl_snapdir_lookup(ap) break; /* - * The vnode must be referenced at least by this thread and - * the mount point or the thread doing the mounting. - * There can be more references from concurrent lookups. - */ - KASSERT(vrefcnt(*vpp) > 1, ("found unreferenced mountpoint")); - - /* * Check if a snapshot is already mounted on top of the vnode. */ err = zfsctl_mounted_here(vpp, lkflags); diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c index c54cc1c..6452543 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_ioctl.c @@ -203,7 +203,6 @@ #include "lua.h" #include "lauxlib.h" -CTASSERT(sizeof(zfs_cmd_t) < IOCPARM_MAX); static struct cdev *zfsdev; extern void zfs_init(void); diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c index f8c7c47..29e89b9 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c @@ -4515,21 +4515,6 @@ zfs_setsecattr(vnode_t *vp, vsecattr_t *vsecp, int flag, cred_t *cr, } static int -ioflags(int ioflags) -{ - int flags = 0; - - if (ioflags & IO_APPEND) - flags |= FAPPEND; - if (ioflags & IO_NDELAY) - flags |= FNONBLOCK; - if (ioflags & IO_SYNC) - flags |= (FSYNC | FDSYNC | FRSYNC); - - return (flags); -} - -static int zfs_getpages(struct vnode *vp, vm_page_t *m, int count, int *rbehind, int *rahead) { @@ -4716,7 +4701,6 @@ zfs_putpages(struct vnode *vp, vm_page_t *ma, size_t len, int flags, } if (zp->z_blksz < PAGE_SIZE) { - i = 0; for (i = 0; len > 0; off += tocopy, len -= tocopy, i++) { tocopy = len > PAGE_SIZE ? PAGE_SIZE : len; va = zfs_map_page(ma[i], &sf); @@ -4852,6 +4836,21 @@ zfs_freebsd_ioctl(ap) } static int +ioflags(int ioflags) +{ + int flags = 0; + + if (ioflags & IO_APPEND) + flags |= FAPPEND; + if (ioflags & IO_NDELAY) + flags |= FNONBLOCK; + if (ioflags & IO_SYNC) + flags |= (FSYNC | FDSYNC | FRSYNC); + + return (flags); +} + +static int zfs_freebsd_read(ap) struct vop_read_args /* { struct vnode *a_vp; diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c index fac10c3..58c3807 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c @@ -1250,6 +1250,16 @@ zfs_rezget(znode_t *zp) int count = 0; uint64_t gen; + /* + * Remove cached pages before reloading the znode, so that they are not + * lingering after we run into any error. Ideally, we should vgone() + * the vnode in case of error, but currently we cannot do that + * because of the LOR between the vnode lock and z_teardown_lock. + * So, instead, we have to "doom" the znode in the illumos style. + */ + vp = ZTOV(zp); + vn_pages_remove(vp, 0, 0); + ZFS_OBJ_HOLD_ENTER(zfsvfs, obj_num); mutex_enter(&zp->z_acl_lock); @@ -1329,18 +1339,12 @@ zfs_rezget(znode_t *zp) * (e.g. via a look-up). The old vnode and znode will be * recycled when the last vnode reference is dropped. */ - vp = ZTOV(zp); if (vp->v_type != IFTOVT((mode_t)zp->z_mode)) { zfs_znode_dmu_fini(zp); ZFS_OBJ_HOLD_EXIT(zfsvfs, obj_num); - return (EIO); + return (SET_ERROR(EIO)); } - zp->z_blksz = doi.doi_data_block_size; - vn_pages_remove(vp, 0, 0); - if (zp->z_size != size) - vnode_pager_setsize(vp, zp->z_size); - /* * If the file has zero links, then it has been unlinked on the send * side and it must be in the received unlinked set. @@ -1351,8 +1355,15 @@ zfs_rezget(znode_t *zp) * when the unlinked set gets processed. */ zp->z_unlinked = (zp->z_links == 0); - if (zp->z_unlinked) + if (zp->z_unlinked) { zfs_znode_dmu_fini(zp); + ZFS_OBJ_HOLD_EXIT(zfsvfs, obj_num); + return (0); + } + + zp->z_blksz = doi.doi_data_block_size; + if (zp->z_size != size) + vnode_pager_setsize(vp, zp->z_size); ZFS_OBJ_HOLD_EXIT(zfsvfs, obj_num); diff --git a/sys/compat/linux/linux_mmap.c b/sys/compat/linux/linux_mmap.c index 11da2ebf..94dec5a 100644 --- a/sys/compat/linux/linux_mmap.c +++ b/sys/compat/linux/linux_mmap.c @@ -129,7 +129,7 @@ linux_mmap_common(struct thread *td, uintptr_t addr, size_t len, int prot, error = fget(td, fd, cap_rights_init(&rights, CAP_MMAP), &fp); if (error != 0) return (error); - if (fp->f_type != DTYPE_VNODE) { + if (fp->f_type != DTYPE_VNODE && fp->f_type != DTYPE_DEV) { fdrop(fp, td); return (EINVAL); } diff --git a/sys/compat/linuxkpi/common/include/asm/atomic.h b/sys/compat/linuxkpi/common/include/asm/atomic.h index 7f25319..4b2610c 100644 --- a/sys/compat/linuxkpi/common/include/asm/atomic.h +++ b/sys/compat/linuxkpi/common/include/asm/atomic.h @@ -159,46 +159,80 @@ atomic_cmpxchg(atomic_t *v, int old, int new) return (ret); } -#define cmpxchg(ptr, old, new) ({ \ - __typeof(*(ptr)) __ret; \ - \ - CTASSERT(sizeof(__ret) == 1 || sizeof(__ret) == 2 || \ - sizeof(__ret) == 4 || sizeof(__ret) == 8); \ - \ - __ret = (old); \ - switch (sizeof(__ret)) { \ - case 1: \ - while (!atomic_fcmpset_8((volatile int8_t *)(ptr), \ - (int8_t *)&__ret, (new)) && __ret == (old)) \ - ; \ - break; \ - case 2: \ - while (!atomic_fcmpset_16((volatile int16_t *)(ptr), \ - (int16_t *)&__ret, (new)) && __ret == (old)) \ - ; \ - break; \ - case 4: \ - while (!atomic_fcmpset_32((volatile int32_t *)(ptr), \ - (int32_t *)&__ret, (new)) && __ret == (old)) \ - ; \ - break; \ - case 8: \ - while (!atomic_fcmpset_64((volatile int64_t *)(ptr), \ - (int64_t *)&__ret, (new)) && __ret == (old)) \ - ; \ - break; \ - } \ - __ret; \ +#define cmpxchg(ptr, old, new) ({ \ + union { \ + __typeof(*(ptr)) val; \ + u8 u8[0]; \ + u16 u16[0]; \ + u32 u32[0]; \ + u64 u64[0]; \ + } __ret = { .val = (old) }, __new = { .val = (new) }; \ + \ + CTASSERT(sizeof(__ret.val) == 1 || sizeof(__ret.val) == 2 || \ + sizeof(__ret.val) == 4 || sizeof(__ret.val) == 8); \ + \ + switch (sizeof(__ret.val)) { \ + case 1: \ + while (!atomic_fcmpset_8((volatile u8 *)(ptr), \ + __ret.u8, __new.u8[0]) && __ret.val == (old)) \ + ; \ + break; \ + case 2: \ + while (!atomic_fcmpset_16((volatile u16 *)(ptr), \ + __ret.u16, __new.u16[0]) && __ret.val == (old)) \ + ; \ + break; \ + case 4: \ + while (!atomic_fcmpset_32((volatile u32 *)(ptr), \ + __ret.u32, __new.u32[0]) && __ret.val == (old)) \ + ; \ + break; \ + case 8: \ + while (!atomic_fcmpset_64((volatile u64 *)(ptr), \ + __ret.u64, __new.u64[0]) && __ret.val == (old)) \ + ; \ + break; \ + } \ + __ret.val; \ }) #define cmpxchg_relaxed(...) cmpxchg(__VA_ARGS__) -#define xchg(ptr, v) ({ \ - __typeof(*(ptr)) __ret; \ - \ - __ret = *(ptr); \ - *(ptr) = v; \ - __ret; \ +#define xchg(ptr, new) ({ \ + union { \ + __typeof(*(ptr)) val; \ + u8 u8[0]; \ + u16 u16[0]; \ + u32 u32[0]; \ + u64 u64[0]; \ + } __ret, __new = { .val = (new) }; \ + \ + CTASSERT(sizeof(__ret.val) == 1 || sizeof(__ret.val) == 2 || \ + sizeof(__ret.val) == 4 || sizeof(__ret.val) == 8); \ + \ + switch (sizeof(__ret.val)) { \ + case 1: \ + __ret.val = READ_ONCE(*ptr); \ + while (!atomic_fcmpset_8((volatile u8 *)(ptr), \ + __ret.u8, __new.u8[0])) \ + ; \ + break; \ + case 2: \ + __ret.val = READ_ONCE(*ptr); \ + while (!atomic_fcmpset_16((volatile u16 *)(ptr), \ + __ret.u16, __new.u16[0])) \ + ; \ + break; \ + case 4: \ + __ret.u32[0] = atomic_swap_32((volatile u32 *)(ptr), \ + __new.u32[0]); \ + break; \ + case 8: \ + __ret.u64[0] = atomic_swap_64((volatile u64 *)(ptr), \ + __new.u64[0]); \ + break; \ + } \ + __ret.val; \ }) #define LINUX_ATOMIC_OP(op, c_op) \ diff --git a/sys/compat/linuxkpi/common/include/linux/compiler.h b/sys/compat/linuxkpi/common/include/linux/compiler.h index ae60553..2b9ae10 100644 --- a/sys/compat/linuxkpi/common/include/linux/compiler.h +++ b/sys/compat/linuxkpi/common/include/linux/compiler.h @@ -56,6 +56,8 @@ #define __devexit #define __exit #define __rcu +#define __percpu +#define __weak __weak_symbol #define __malloc #define ___stringify(...) #__VA_ARGS__ #define __stringify(...) ___stringify(__VA_ARGS__) diff --git a/sys/compat/linuxkpi/common/include/linux/dcache.h b/sys/compat/linuxkpi/common/include/linux/dcache.h new file mode 100644 index 0000000..1bafa3d --- /dev/null +++ b/sys/compat/linuxkpi/common/include/linux/dcache.h @@ -0,0 +1,46 @@ +/*- + * Copyright (c) 2017 Limelight Networks, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice unmodified, this list of conditions, and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef __LINUX_DCACHE_H +#define __LINUX_DCACHE_H + +struct vnode; +struct pfs_node; + +struct dentry { + struct vnode *d_inode; + struct pfs_node *d_pfs_node; /* FreeBSD specific field */ +}; + +static inline struct vnode * +d_inode(const struct dentry *dentry) +{ + return (dentry->d_inode); +} + +#endif /* __LINUX_DCACHE_H */ diff --git a/sys/compat/linuxkpi/common/include/linux/device.h b/sys/compat/linuxkpi/common/include/linux/device.h index edc6cd8..7062478 100644 --- a/sys/compat/linuxkpi/common/include/linux/device.h +++ b/sys/compat/linuxkpi/common/include/linux/device.h @@ -46,9 +46,6 @@ #include <sys/bus.h> -enum irqreturn { IRQ_NONE = 0, IRQ_HANDLED, IRQ_WAKE_THREAD, }; -typedef enum irqreturn irqreturn_t; - struct device; struct fwnode_handle; diff --git a/sys/compat/linuxkpi/common/include/linux/fs.h b/sys/compat/linuxkpi/common/include/linux/fs.h index 04fc78d..e05debf 100644 --- a/sys/compat/linuxkpi/common/include/linux/fs.h +++ b/sys/compat/linuxkpi/common/include/linux/fs.h @@ -42,6 +42,7 @@ #include <linux/wait.h> #include <linux/semaphore.h> #include <linux/spinlock.h> +#include <linux/dcache.h> struct module; struct kiocb; @@ -65,11 +66,6 @@ struct pfs_node; typedef struct files_struct *fl_owner_t; -struct dentry { - struct inode *d_inode; - struct pfs_node *d_pfs_node; -}; - struct file_operations; struct linux_file_wait_queue { @@ -288,6 +284,20 @@ noop_llseek(struct linux_file *file, loff_t offset, int whence) return (file->_file->f_offset); } +static inline struct vnode * +file_inode(const struct linux_file *file) +{ + + return (file->f_vnode); +} + +static inline int +call_mmap(struct linux_file *file, struct vm_area_struct *vma) +{ + + return (file->f_op->mmap(file, vma)); +} + /* Shared memory support */ unsigned long linux_invalidate_mapping_pages(vm_object_t, pgoff_t, pgoff_t); struct page *linux_shmem_read_mapping_page_gfp(vm_object_t, int, gfp_t); diff --git a/sys/compat/linuxkpi/common/include/linux/gfp.h b/sys/compat/linuxkpi/common/include/linux/gfp.h index 3d9ddba..2eea6d2 100644 --- a/sys/compat/linuxkpi/common/include/linux/gfp.h +++ b/sys/compat/linuxkpi/common/include/linux/gfp.h @@ -54,6 +54,8 @@ #define __GFP_NO_KSWAPD 0 #define __GFP_WAIT M_WAITOK #define __GFP_DMA32 (1U << 24) /* LinuxKPI only */ +#define __GFP_BITS_SHIFT 25 +#define __GFP_BITS_MASK ((1 << __GFP_BITS_SHIFT) - 1) #define GFP_NOWAIT M_NOWAIT #define GFP_ATOMIC (M_NOWAIT | M_USE_RESERVE) @@ -67,6 +69,9 @@ #define GFP_TEMPORARY M_NOWAIT #define GFP_NATIVE_MASK (M_NOWAIT | M_WAITOK | M_USE_RESERVE | M_ZERO) +CTASSERT((__GFP_DMA32 & GFP_NATIVE_MASK) == 0); +CTASSERT((__GFP_BITS_MASK & GFP_NATIVE_MASK) == GFP_NATIVE_MASK); + /* * Resolve a page into a virtual address: * diff --git a/sys/compat/linuxkpi/common/include/linux/interrupt.h b/sys/compat/linuxkpi/common/include/linux/interrupt.h index 6f7b96d..9e78b8a 100644 --- a/sys/compat/linuxkpi/common/include/linux/interrupt.h +++ b/sys/compat/linuxkpi/common/include/linux/interrupt.h @@ -33,14 +33,13 @@ #include <linux/device.h> #include <linux/pci.h> +#include <linux/irqreturn.h> #include <sys/bus.h> #include <sys/rman.h> typedef irqreturn_t (*irq_handler_t)(int, void *); -#define IRQ_RETVAL(x) ((x) != IRQ_NONE) - #define IRQF_SHARED RF_SHAREABLE struct irq_ent { @@ -112,6 +111,39 @@ request_irq(unsigned int irq, irq_handler_t handler, unsigned long flags, } static inline int +enable_irq(unsigned int irq) +{ + struct irq_ent *irqe; + struct device *dev; + + dev = linux_pci_find_irq_dev(irq); + if (dev == NULL) + return -EINVAL; + irqe = linux_irq_ent(dev, irq); + if (irqe == NULL || irqe->tag != NULL) + return -EINVAL; + return -bus_setup_intr(dev->bsddev, irqe->res, INTR_TYPE_NET | INTR_MPSAFE, + NULL, linux_irq_handler, irqe, &irqe->tag); +} + +static inline void +disable_irq(unsigned int irq) +{ + struct irq_ent *irqe; + struct device *dev; + + dev = linux_pci_find_irq_dev(irq); + if (dev == NULL) + return; + irqe = linux_irq_ent(dev, irq); + if (irqe == NULL) + return; + if (irqe->tag != NULL) + bus_teardown_intr(dev->bsddev, irqe->res, irqe->tag); + irqe->tag = NULL; +} + +static inline int bind_irq_to_cpu(unsigned int irq, int cpu_id) { struct irq_ent *irqe; @@ -142,7 +174,8 @@ free_irq(unsigned int irq, void *device) irqe = linux_irq_ent(dev, irq); if (irqe == NULL) return; - bus_teardown_intr(dev->bsddev, irqe->res, irqe->tag); + if (irqe->tag != NULL) + bus_teardown_intr(dev->bsddev, irqe->res, irqe->tag); bus_release_resource(dev->bsddev, SYS_RES_IRQ, rid, irqe->res); list_del(&irqe->links); kfree(irqe); @@ -168,5 +201,7 @@ extern void tasklet_schedule(struct tasklet_struct *); extern void tasklet_kill(struct tasklet_struct *); extern void tasklet_init(struct tasklet_struct *, tasklet_func_t *, unsigned long data); +extern void tasklet_enable(struct tasklet_struct *); +extern void tasklet_disable(struct tasklet_struct *); #endif /* _LINUX_INTERRUPT_H_ */ diff --git a/sys/compat/linuxkpi/common/include/linux/irqreturn.h b/sys/compat/linuxkpi/common/include/linux/irqreturn.h new file mode 100644 index 0000000..780fcca --- /dev/null +++ b/sys/compat/linuxkpi/common/include/linux/irqreturn.h @@ -0,0 +1,40 @@ +/*- + * Copyright (c) 2017 Limelight Networks, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice unmodified, this list of conditions, and the following + * disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _LINUX_IRQRETURN_H +#define _LINUX_IRQRETURN_H + +typedef enum irqreturn { + IRQ_NONE = 0, + IRQ_HANDLED = 1, + IRQ_WAKE_THREAD = 2 +} irqreturn_t; + +#define IRQ_RETVAL(x) ((x) ? IRQ_HANDLED : IRQ_NONE) + +#endif /* _LINUX_IRQRETURN_H */ diff --git a/sys/compat/linuxkpi/common/include/linux/kernel.h b/sys/compat/linuxkpi/common/include/linux/kernel.h index c264132..5053330 100644 --- a/sys/compat/linuxkpi/common/include/linux/kernel.h +++ b/sys/compat/linuxkpi/common/include/linux/kernel.h @@ -89,6 +89,7 @@ #define BUILD_BUG_ON(x) CTASSERT(!(x)) #define BUILD_BUG_ON_MSG(x, msg) BUILD_BUG_ON(x) #define BUILD_BUG_ON_NOT_POWER_OF_2(x) BUILD_BUG_ON(!powerof2(x)) +#define BUILD_BUG_ON_INVALID(expr) while (0) { (void)(expr); } #define BUG() panic("BUG at %s:%d", __FILE__, __LINE__) #define BUG_ON(cond) do { \ diff --git a/sys/compat/linuxkpi/common/include/linux/kref.h b/sys/compat/linuxkpi/common/include/linux/kref.h index 80fd271..7411694 100644 --- a/sys/compat/linuxkpi/common/include/linux/kref.h +++ b/sys/compat/linuxkpi/common/include/linux/kref.h @@ -52,6 +52,13 @@ kref_init(struct kref *kref) refcount_init(&kref->refcount.counter, 1); } +static inline unsigned int +kref_read(const struct kref *kref) +{ + + return (atomic_read(&kref->refcount)); +} + static inline void kref_get(struct kref *kref) { diff --git a/sys/compat/linuxkpi/common/include/linux/ktime.h b/sys/compat/linuxkpi/common/include/linux/ktime.h index f5f11e4..1c6df95 100644 --- a/sys/compat/linuxkpi/common/include/linux/ktime.h +++ b/sys/compat/linuxkpi/common/include/linux/ktime.h @@ -1,5 +1,6 @@ /*- - * Copyright (c) 2014-2015 Mellanox Technologies, Ltd. + * Copyright (c) 2018 Limelight Networks, Inc. + * Copyright (c) 2014-2018 Mellanox Technologies, Ltd. * Copyright (c) 2015 François Tigeot * All rights reserved. * @@ -34,104 +35,96 @@ #include <linux/time.h> #include <linux/jiffies.h> -#define ktime_get_ts(x) getnanouptime(x) +#define ktime_get_ts(x) getnanouptime(x) /* time values in nanoseconds */ -union ktime { - int64_t tv64; -}; +typedef s64 ktime_t; -typedef union ktime ktime_t; - -#define KTIME_MAX ((s64)~((u64)1 << 63)) -#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC) +#define KTIME_MAX ((s64)~((u64)1 << 63)) +#define KTIME_SEC_MAX (KTIME_MAX / NSEC_PER_SEC) static inline int64_t ktime_to_ns(ktime_t kt) { - return kt.tv64; + return (kt); } static inline ktime_t ns_to_ktime(uint64_t nsec) { - ktime_t kt; - - kt.tv64 = nsec; - return (kt); + return (nsec); } static inline int64_t ktime_divns(const ktime_t kt, int64_t div) { - return kt.tv64 / div; + return (kt / div); } static inline int64_t ktime_to_us(ktime_t kt) { - return ktime_divns(kt, NSEC_PER_USEC); + return (ktime_divns(kt, NSEC_PER_USEC)); } static inline int64_t ktime_to_ms(ktime_t kt) { - return ktime_divns(kt, NSEC_PER_MSEC); + return (ktime_divns(kt, NSEC_PER_MSEC)); } static inline struct timeval ktime_to_timeval(ktime_t kt) { - return ns_to_timeval(kt.tv64); + return (ns_to_timeval(kt)); } static inline ktime_t ktime_add_ns(ktime_t kt, int64_t ns) { - kt.tv64 += ns; - return kt; + return (kt + ns); } static inline ktime_t ktime_sub_ns(ktime_t kt, int64_t ns) { - kt.tv64 -= ns; - return kt; + return (kt - ns); } static inline ktime_t ktime_set(const long secs, const unsigned long nsecs) { - ktime_t retval = { (s64)secs * NSEC_PER_SEC + (s64)nsecs }; + ktime_t retval = {(s64) secs * NSEC_PER_SEC + (s64) nsecs}; + return (retval); } static inline ktime_t ktime_sub(ktime_t lhs, ktime_t rhs) { - lhs.tv64 -= rhs.tv64; - return (lhs); + return (lhs - rhs); } static inline int64_t ktime_us_delta(ktime_t later, ktime_t earlier) { - ktime_t diff = ktime_sub(later, earlier); - return ktime_to_us(diff); + ktime_t diff = ktime_sub(later, earlier); + + return (ktime_to_us(diff)); } static inline int64_t ktime_ms_delta(ktime_t later, ktime_t earlier) { - ktime_t diff = ktime_sub(later, earlier); - return ktime_to_ms(diff); + ktime_t diff = ktime_sub(later, earlier); + + return (ktime_to_ms(diff)); } static inline ktime_t ktime_add(ktime_t lhs, ktime_t rhs) { - lhs.tv64 += rhs.tv64; - return (lhs); + return (lhs + rhs); } static inline ktime_t @@ -146,22 +139,19 @@ timeval_to_ktime(struct timeval tv) return (ktime_set(tv.tv_sec, tv.tv_usec * NSEC_PER_USEC)); } -#define ktime_to_timespec(kt) ns_to_timespec((kt).tv64) -#define ktime_to_timeval(kt) ns_to_timeval((kt).tv64) -#define ktime_to_ns(kt) ((kt).tv64) +#define ktime_to_timespec(kt) ns_to_timespec(kt) +#define ktime_to_timeval(kt) ns_to_timeval(kt) +#define ktime_to_ns(kt) (kt) static inline int64_t ktime_get_ns(void) { struct timespec ts; - ktime_t kt; ktime_get_ts(&ts); - kt = timespec_to_ktime(ts); - return (ktime_to_ns(kt)); -} -#define ktime_get_raw_ns() ktime_get_ns() + return (ktime_to_ns(timespec_to_ktime(ts))); +} static inline ktime_t ktime_get(void) @@ -190,4 +180,22 @@ ktime_get_real(void) return (timespec_to_ktime(ts)); } +static inline ktime_t +ktime_get_real_seconds(void) +{ + struct timespec ts; + + nanotime(&ts); + return (ts.tv_sec); +} + +static inline u64 +ktime_get_raw_ns(void) +{ + struct timespec ts; + + nanouptime(&ts); + return (ktime_to_ns(timespec_to_ktime(ts))); +} + #endif /* _LINUX_KTIME_H */ diff --git a/sys/compat/linuxkpi/common/include/linux/list.h b/sys/compat/linuxkpi/common/include/linux/list.h index c235c26..826a8cf 100644 --- a/sys/compat/linuxkpi/common/include/linux/list.h +++ b/sys/compat/linuxkpi/common/include/linux/list.h @@ -117,6 +117,13 @@ __list_del(struct list_head *prev, struct list_head *next) } static inline void +__list_del_entry(struct list_head *entry) +{ + + __list_del(entry->prev, entry->next); +} + +static inline void list_del(struct list_head *entry) { @@ -172,6 +179,9 @@ list_del_init(struct list_head *entry) #define list_next_entry(ptr, member) \ list_entry(((ptr)->member.next), typeof(*(ptr)), member) +#define list_safe_reset_next(ptr, n, member) \ + (n) = list_next_entry(ptr, member) + #define list_prev_entry(ptr, member) \ list_entry(((ptr)->member.prev), typeof(*(ptr)), member) diff --git a/sys/compat/linuxkpi/common/include/linux/lockdep.h b/sys/compat/linuxkpi/common/include/linux/lockdep.h index 4bf902d..6b9f71d 100644 --- a/sys/compat/linuxkpi/common/include/linux/lockdep.h +++ b/sys/compat/linuxkpi/common/include/linux/lockdep.h @@ -48,5 +48,10 @@ struct lock_class_key { #define lockdep_is_held(m) (sx_xholder(&(m)->sx) == curthread) #define might_lock(m) do { } while (0) +#define might_lock_read(m) do { } while (0) + +#define lock_acquire(...) do { } while (0) +#define lock_release(...) do { } while (0) +#define lock_acquire_shared_recursive(...) do { } while (0) #endif /* _LINUX_LOCKDEP_H_ */ diff --git a/sys/compat/linuxkpi/common/include/linux/mm.h b/sys/compat/linuxkpi/common/include/linux/mm.h index a649c8c..ad90382 100644 --- a/sys/compat/linuxkpi/common/include/linux/mm.h +++ b/sys/compat/linuxkpi/common/include/linux/mm.h @@ -118,8 +118,13 @@ struct vm_area_struct { struct vm_fault { unsigned int flags; pgoff_t pgoff; - void *virtual_address; /* user-space address */ + union { + /* user-space address */ + void *virtual_address; + unsigned long address; + }; struct page *page; + struct vm_area_struct *vma; }; struct vm_operations_struct { @@ -243,7 +248,8 @@ static inline void put_page(struct vm_page *page) { vm_page_lock(page); - vm_page_unwire(page, PQ_ACTIVE); + if (vm_page_unwire(page, PQ_ACTIVE) && page->object == NULL) + vm_page_free(page); vm_page_unlock(page); } diff --git a/sys/compat/linuxkpi/common/include/linux/mm_types.h b/sys/compat/linuxkpi/common/include/linux/mm_types.h index 44aad34..81eb278 100644 --- a/sys/compat/linuxkpi/common/include/linux/mm_types.h +++ b/sys/compat/linuxkpi/common/include/linux/mm_types.h @@ -62,6 +62,12 @@ mmput(struct mm_struct *mm) mmdrop(mm); } +static inline void +mmgrab(struct mm_struct *mm) +{ + atomic_inc(&mm->mm_count); +} + extern struct mm_struct *linux_get_task_mm(struct task_struct *); #define get_task_mm(task) linux_get_task_mm(task) diff --git a/sys/compat/linuxkpi/common/include/linux/mutex.h b/sys/compat/linuxkpi/common/include/linux/mutex.h index 36911b1..bbf6023 100644 --- a/sys/compat/linuxkpi/common/include/linux/mutex.h +++ b/sys/compat/linuxkpi/common/include/linux/mutex.h @@ -63,7 +63,7 @@ typedef struct mutex { #define mutex_lock_interruptible(_m) ({ \ MUTEX_SKIP() ? 0 : \ - (sx_xlock_sig(&(_m)->sx) ? -EINTR : 0); \ + linux_mutex_lock_interruptible(_m); \ }) #define mutex_unlock(_m) do { \ @@ -77,6 +77,21 @@ typedef struct mutex { !!sx_try_xlock(&(_m)->sx); \ }) +enum mutex_trylock_recursive_enum { + MUTEX_TRYLOCK_FAILED = 0, + MUTEX_TRYLOCK_SUCCESS = 1, + MUTEX_TRYLOCK_RECURSIVE = 2, +}; + +static inline __must_check enum mutex_trylock_recursive_enum +mutex_trylock_recursive(struct mutex *lock) +{ + if (unlikely(sx_xholder(&lock->sx) == curthread)) + return (MUTEX_TRYLOCK_RECURSIVE); + + return (mutex_trylock(lock)); +} + #define mutex_init(_m) \ linux_mutex_init(_m, mutex_name(#_m), SX_NOWITNESS) @@ -128,4 +143,6 @@ linux_mutex_destroy(mutex_t *m) sx_destroy(&m->sx); } +extern int linux_mutex_lock_interruptible(mutex_t *m); + #endif /* _LINUX_MUTEX_H_ */ diff --git a/sys/compat/linuxkpi/common/include/linux/pid.h b/sys/compat/linuxkpi/common/include/linux/pid.h index 2c7e0ea..73d8f1f 100644 --- a/sys/compat/linuxkpi/common/include/linux/pid.h +++ b/sys/compat/linuxkpi/common/include/linux/pid.h @@ -58,6 +58,11 @@ enum pid_type { __ts; \ }) +#define get_task_pid(task, type) ({ \ + CTASSERT((type) == PIDTYPE_PID); \ + (task)->task_thread->td_tid; \ +}) + struct task_struct; extern struct task_struct *linux_pid_task(pid_t); extern struct task_struct *linux_get_pid_task(pid_t); diff --git a/sys/compat/linuxkpi/common/include/linux/printk.h b/sys/compat/linuxkpi/common/include/linux/printk.h index 1480fc6..6e8e3da 100644 --- a/sys/compat/linuxkpi/common/include/linux/printk.h +++ b/sys/compat/linuxkpi/common/include/linux/printk.h @@ -106,10 +106,16 @@ print_hex_dump_bytes(const char *prefix_str, const int prefix_type, print_hex_dump(NULL, prefix_str, prefix_type, 16, 1, buf, len, 0); } -#define printk_ratelimited(...) do { \ +#define printk_ratelimit() ({ \ static linux_ratelimit_t __ratelimited; \ - if (linux_ratelimited(&__ratelimited)) \ + linux_ratelimited(&__ratelimited); \ +}) + +#define printk_ratelimited(...) ({ \ + bool __retval = printk_ratelimit(); \ + if (__retval) \ printk(__VA_ARGS__); \ -} while (0) + __retval; \ +}) #endif /* _LINUX_PRINTK_H_ */ diff --git a/sys/compat/linuxkpi/common/include/linux/radix-tree.h b/sys/compat/linuxkpi/common/include/linux/radix-tree.h index 0edf04e..cd7c56cb 100644 --- a/sys/compat/linuxkpi/common/include/linux/radix-tree.h +++ b/sys/compat/linuxkpi/common/include/linux/radix-tree.h @@ -2,7 +2,7 @@ * Copyright (c) 2010 Isilon Systems, Inc. * Copyright (c) 2010 iX Systems, Inc. * Copyright (c) 2010 Panasas, Inc. - * Copyright (c) 2013, 2014 Mellanox Technologies, Ltd. + * Copyright (c) 2013-2018 Mellanox Technologies, Ltd. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -34,10 +34,14 @@ #include <linux/types.h> #define RADIX_TREE_MAP_SHIFT 6 -#define RADIX_TREE_MAP_SIZE (1 << RADIX_TREE_MAP_SHIFT) -#define RADIX_TREE_MAP_MASK (RADIX_TREE_MAP_SIZE - 1) -#define RADIX_TREE_MAX_HEIGHT \ - DIV_ROUND_UP((sizeof(long) * NBBY), RADIX_TREE_MAP_SHIFT) +#define RADIX_TREE_MAP_SIZE (1UL << RADIX_TREE_MAP_SHIFT) +#define RADIX_TREE_MAP_MASK (RADIX_TREE_MAP_SIZE - 1UL) +#define RADIX_TREE_MAX_HEIGHT \ + howmany(sizeof(long) * NBBY, RADIX_TREE_MAP_SHIFT) + +#define RADIX_TREE_ENTRY_MASK 3UL +#define RADIX_TREE_EXCEPTIONAL_ENTRY 2UL +#define RADIX_TREE_EXCEPTIONAL_SHIFT 2 struct radix_tree_node { void *slots[RADIX_TREE_MAP_SIZE]; @@ -50,6 +54,10 @@ struct radix_tree_root { int height; }; +struct radix_tree_iter { + unsigned long index; +}; + #define RADIX_TREE_INIT(mask) \ { .rnode = NULL, .gfp_mask = mask, .height = 0 }; #define INIT_RADIX_TREE(root, mask) \ @@ -57,8 +65,19 @@ struct radix_tree_root { #define RADIX_TREE(name, mask) \ struct radix_tree_root name = RADIX_TREE_INIT(mask) +#define radix_tree_for_each_slot(slot, root, iter, start) \ + for ((iter)->index = (start); \ + radix_tree_iter_find(root, iter, &(slot)); (iter)->index++) + +static inline int +radix_tree_exception(void *arg) +{ + return ((uintptr_t)arg & RADIX_TREE_ENTRY_MASK); +} + void *radix_tree_lookup(struct radix_tree_root *, unsigned long); void *radix_tree_delete(struct radix_tree_root *, unsigned long); int radix_tree_insert(struct radix_tree_root *, unsigned long, void *); +bool radix_tree_iter_find(struct radix_tree_root *, struct radix_tree_iter *, void ***); #endif /* _LINUX_RADIX_TREE_H_ */ diff --git a/sys/compat/linuxkpi/common/include/linux/rcupdate.h b/sys/compat/linuxkpi/common/include/linux/rcupdate.h index b2dd2ae..e4afa5a 100644 --- a/sys/compat/linuxkpi/common/include/linux/rcupdate.h +++ b/sys/compat/linuxkpi/common/include/linux/rcupdate.h @@ -74,14 +74,17 @@ } while (0) #define rcu_access_pointer(p) \ - ((__typeof(*p) *)(READ_ONCE(p))) + ((__typeof(*p) *)READ_ONCE(p)) #define rcu_dereference_protected(p, c) \ - ((__typeof(*p) *)(p)) + ((__typeof(*p) *)READ_ONCE(p)) #define rcu_dereference(p) \ rcu_dereference_protected(p, 0) +#define rcu_dereference_raw(p) \ + ((__typeof(*p) *)READ_ONCE(p)) + #define rcu_pointer_handoff(p) (p) #define rcu_assign_pointer(p, v) do { \ diff --git a/sys/compat/linuxkpi/common/include/linux/rwsem.h b/sys/compat/linuxkpi/common/include/linux/rwsem.h index 3042dcf..34e51c1 100644 --- a/sys/compat/linuxkpi/common/include/linux/rwsem.h +++ b/sys/compat/linuxkpi/common/include/linux/rwsem.h @@ -47,7 +47,7 @@ struct rw_semaphore { #define up_read(_rw) sx_sunlock(&(_rw)->sx) #define down_read_trylock(_rw) !!sx_try_slock(&(_rw)->sx) #define down_write_trylock(_rw) !!sx_try_xlock(&(_rw)->sx) -#define down_write_killable(_rw) !!sx_xlock_sig(&(_rw)->sx) +#define down_write_killable(_rw) linux_down_write_killable(_rw) #define downgrade_write(_rw) sx_downgrade(&(_rw)->sx) #define down_read_nested(_rw, _sc) down_read(_rw) #define init_rwsem(_rw) linux_init_rwsem(_rw, rwsem_name("lnxrwsem")) @@ -79,4 +79,6 @@ linux_init_rwsem(struct rw_semaphore *rw, const char *name) sx_init_flags(&rw->sx, name, SX_NOWITNESS); } +extern int linux_down_write_killable(struct rw_semaphore *); + #endif /* _LINUX_RWSEM_H_ */ diff --git a/sys/compat/linuxkpi/common/include/linux/sched.h b/sys/compat/linuxkpi/common/include/linux/sched.h index 817e16c..b24de2c 100644 --- a/sys/compat/linuxkpi/common/include/linux/sched.h +++ b/sys/compat/linuxkpi/common/include/linux/sched.h @@ -2,7 +2,7 @@ * Copyright (c) 2010 Isilon Systems, Inc. * Copyright (c) 2010 iX Systems, Inc. * Copyright (c) 2010 Panasas, Inc. - * Copyright (c) 2013-2017 Mellanox Technologies, Ltd. + * Copyright (c) 2013-2018 Mellanox Technologies, Ltd. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -77,6 +77,7 @@ struct task_struct { struct completion exited; TAILQ_ENTRY(task_struct) rcu_entry; int rcu_recurse; + int bsd_interrupt_value; }; #define current ({ \ @@ -127,12 +128,26 @@ void linux_send_sig(int signo, struct task_struct *task); #define signal_pending_state(state, task) \ linux_signal_pending_state(state, task) #define send_sig(signo, task, priv) do { \ - CTASSERT(priv == 0); \ + CTASSERT((priv) == 0); \ linux_send_sig(signo, task); \ } while (0) int linux_schedule_timeout(int timeout); +static inline void +linux_schedule_save_interrupt_value(struct task_struct *task, int value) +{ + task->bsd_interrupt_value = value; +} + +static inline int +linux_schedule_get_interrupt_value(struct task_struct *task) +{ + int value = task->bsd_interrupt_value; + task->bsd_interrupt_value = 0; + return (value); +} + #define schedule() \ (void)linux_schedule_timeout(MAX_SCHEDULE_TIMEOUT) #define schedule_timeout(timeout) \ diff --git a/sys/compat/linuxkpi/common/include/linux/slab.h b/sys/compat/linuxkpi/common/include/linux/slab.h index a0fdd42..f22a19f 100644 --- a/sys/compat/linuxkpi/common/include/linux/slab.h +++ b/sys/compat/linuxkpi/common/include/linux/slab.h @@ -65,6 +65,10 @@ MALLOC_DECLARE(M_KMALLOC); #define kmem_cache_free(...) linux_kmem_cache_free(__VA_ARGS__) #define kmem_cache_destroy(...) linux_kmem_cache_destroy(__VA_ARGS__) +#define KMEM_CACHE(__struct, flags) \ + linux_kmem_cache_create(#__struct, sizeof(struct __struct), \ + __alignof(struct __struct), (flags), NULL) + typedef void linux_kmem_ctor_t (void *); struct linux_kmem_cache { diff --git a/sys/compat/linuxkpi/common/include/linux/spinlock.h b/sys/compat/linuxkpi/common/include/linux/spinlock.h index dbd7a5a..d88d200 100644 --- a/sys/compat/linuxkpi/common/include/linux/spinlock.h +++ b/sys/compat/linuxkpi/common/include/linux/spinlock.h @@ -98,6 +98,9 @@ typedef struct { __ret; \ }) +#define spin_trylock_irq(_l) \ + spin_trylock(_l) + #define spin_lock_nested(_l, _n) do { \ if (SPIN_SKIP()) \ break; \ diff --git a/sys/compat/linuxkpi/common/include/linux/string.h b/sys/compat/linuxkpi/common/include/linux/string.h index a47eb42..918ff81 100644 --- a/sys/compat/linuxkpi/common/include/linux/string.h +++ b/sys/compat/linuxkpi/common/include/linux/string.h @@ -71,6 +71,22 @@ memdup_user(const void *ptr, size_t len) } static inline void * +memdup_user_nul(const void *ptr, size_t len) +{ + char *retval; + int error; + + retval = malloc(len + 1, M_KMALLOC, M_WAITOK); + error = linux_copyin(ptr, retval, len); + if (error != 0) { + free(retval, M_KMALLOC); + return (ERR_PTR(error)); + } + retval[len] = '\0'; + return (retval); +} + +static inline void * kmemdup(const void *src, size_t len, gfp_t gfp) { void *dst; diff --git a/sys/compat/linuxkpi/common/include/linux/uaccess.h b/sys/compat/linuxkpi/common/include/linux/uaccess.h index c046e1c..a69e9cc 100644 --- a/sys/compat/linuxkpi/common/include/linux/uaccess.h +++ b/sys/compat/linuxkpi/common/include/linux/uaccess.h @@ -58,7 +58,7 @@ linux_copyout(&(__x), (_p), sizeof(*(_p))); \ }) #define get_user(_x, _p) linux_copyin((_p), &(_x), sizeof(*(_p))) -#define put_user(_x, _p) linux_copyout(&(_x), (_p), sizeof(*(_p))) +#define put_user(_x, _p) __put_user(_x, _p) #define clear_user(...) linux_clear_user(__VA_ARGS__) #define access_ok(...) linux_access_ok(__VA_ARGS__) diff --git a/sys/compat/linuxkpi/common/src/linux_compat.c b/sys/compat/linuxkpi/common/src/linux_compat.c index 08ddbbe..b39d718 100644 --- a/sys/compat/linuxkpi/common/src/linux_compat.c +++ b/sys/compat/linuxkpi/common/src/linux_compat.c @@ -2,7 +2,7 @@ * Copyright (c) 2010 Isilon Systems, Inc. * Copyright (c) 2010 iX Systems, Inc. * Copyright (c) 2010 Panasas, Inc. - * Copyright (c) 2013-2017 Mellanox Technologies, Ltd. + * Copyright (c) 2013-2018 Mellanox Technologies, Ltd. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -538,6 +538,7 @@ linux_cdev_pager_populate(vm_object_t vm_obj, vm_pindex_t pidx, int fault_type, vmf.flags = (fault_type & VM_PROT_WRITE) ? FAULT_FLAG_WRITE : 0; vmf.pgoff = 0; vmf.page = NULL; + vmf.vma = vmap; vmap->vm_pfn_count = 0; vmap->vm_pfn_pcount = &vmap->vm_pfn_count; @@ -827,10 +828,27 @@ linux_access_ok(int rw, const void *uaddr, size_t len) (eaddr > saddr && eaddr <= VM_MAXUSER_ADDRESS)); } +/* + * This function should return either EINTR or ERESTART depending on + * the signal type sent to this thread: + */ +static int +linux_get_error(struct task_struct *task, int error) +{ + /* check for signal type interrupt code */ + if (error == EINTR || error == ERESTARTSYS || error == ERESTART) { + error = -linux_schedule_get_interrupt_value(task); + if (error == 0) + error = EINTR; + } + return (error); +} + static int linux_file_ioctl_sub(struct file *fp, struct linux_file *filp, u_long cmd, caddr_t data, struct thread *td) { + struct task_struct *task = current; unsigned size; int error; @@ -843,8 +861,8 @@ linux_file_ioctl_sub(struct file *fp, struct linux_file *filp, * Background: Linux code expects a user-space address * while FreeBSD supplies a kernel-space address. */ - current->bsd_ioctl_data = data; - current->bsd_ioctl_len = size; + task->bsd_ioctl_data = data; + task->bsd_ioctl_len = size; data = (void *)LINUX_IOCTL_MIN_PTR; } else { /* fetch user-space pointer */ @@ -868,16 +886,17 @@ linux_file_ioctl_sub(struct file *fp, struct linux_file *filp, else error = ENOTTY; if (size > 0) { - current->bsd_ioctl_data = NULL; - current->bsd_ioctl_len = 0; + task->bsd_ioctl_data = NULL; + task->bsd_ioctl_len = 0; } if (error == EWOULDBLOCK) { /* update kqfilter status, if any */ linux_file_kqfilter_poll(filp, LINUX_KQ_FLAG_HAS_READ | LINUX_KQ_FLAG_HAS_WRITE); - } else if (error == ERESTARTSYS) - error = ERESTART; + } else { + error = linux_get_error(task, error); + } return (error); } @@ -1110,6 +1129,7 @@ linux_file_mmap_single(struct file *fp, vm_ooffset_t *offset, vm_size_t size, struct vm_object **object, int nprot, struct thread *td) { + struct task_struct *task; struct vm_area_struct *vmap; struct mm_struct *mm; struct linux_file *filp; @@ -1131,7 +1151,8 @@ linux_file_mmap_single(struct file *fp, vm_ooffset_t *offset, * The atomic reference below makes sure the mm_struct is * available as long as the vmap is in the linux_vma_head. */ - mm = current->mm; + task = current; + mm = task->mm; if (atomic_inc_not_zero(&mm->mm_users) == 0) return (EINVAL); @@ -1146,11 +1167,10 @@ linux_file_mmap_single(struct file *fp, vm_ooffset_t *offset, vmap->vm_mm = mm; if (unlikely(down_write_killable(&vmap->vm_mm->mmap_sem))) { - error = EINTR; + error = linux_get_error(task, EINTR); } else { error = -OPW(fp, td, filp->f_op->mmap(filp, vmap)); - if (error == ERESTARTSYS) - error = ERESTART; + error = linux_get_error(task, error); up_write(&vmap->vm_mm->mmap_sem); } @@ -1289,9 +1309,7 @@ linux_file_read(struct file *file, struct uio *uio, struct ucred *active_cred, uio->uio_iov->iov_len -= bytes; uio->uio_resid -= bytes; } else { - error = -bytes; - if (error == ERESTARTSYS) - error = ERESTART; + error = linux_get_error(current, -bytes); } } else error = ENXIO; @@ -1328,9 +1346,7 @@ linux_file_write(struct file *file, struct uio *uio, struct ucred *active_cred, uio->uio_iov->iov_len -= bytes; uio->uio_resid -= bytes; } else { - error = -bytes; - if (error == ERESTARTSYS) - error = ERESTART; + error = linux_get_error(current, -bytes); } } else error = ENXIO; @@ -1779,6 +1795,7 @@ linux_complete_common(struct completion *c, int all) int linux_wait_for_common(struct completion *c, int flags) { + struct task_struct *task; int error; if (SCHEDULER_STOPPED()) @@ -1786,6 +1803,8 @@ linux_wait_for_common(struct completion *c, int flags) DROP_GIANT(); + task = current; + if (flags != 0) flags = SLEEPQ_INTERRUPTIBLE | SLEEPQ_SLEEP; else @@ -1797,7 +1816,9 @@ linux_wait_for_common(struct completion *c, int flags) break; sleepq_add(c, NULL, "completion", flags, 0); if (flags & SLEEPQ_INTERRUPTIBLE) { - if (sleepq_wait_sig(c, 0) != 0) { + error = -sleepq_wait_sig(c, 0); + if (error != 0) { + linux_schedule_save_interrupt_value(task, error); error = -ERESTARTSYS; goto intr; } @@ -1819,22 +1840,22 @@ intr: int linux_wait_for_timeout_common(struct completion *c, int timeout, int flags) { + struct task_struct *task; int end = jiffies + timeout; int error; - int ret; if (SCHEDULER_STOPPED()) return (0); DROP_GIANT(); + task = current; + if (flags != 0) flags = SLEEPQ_INTERRUPTIBLE | SLEEPQ_SLEEP; else flags = SLEEPQ_SLEEP; - error = 0; - ret = 0; for (;;) { sleepq_lock(c); if (c->done) @@ -1842,26 +1863,30 @@ linux_wait_for_timeout_common(struct completion *c, int timeout, int flags) sleepq_add(c, NULL, "completion", flags, 0); sleepq_set_timeout(c, linux_timer_jiffies_until(end)); if (flags & SLEEPQ_INTERRUPTIBLE) - ret = sleepq_timedwait_sig(c, 0); + error = -sleepq_timedwait_sig(c, 0); else - ret = sleepq_timedwait(c, 0); - if (ret != 0) { - /* check for timeout or signal */ - if (ret == EWOULDBLOCK) - error = 0; - else + error = -sleepq_timedwait(c, 0); + if (error != 0) { + /* check for timeout */ + if (error == -EWOULDBLOCK) { + error = 0; /* timeout */ + } else { + /* signal happened */ + linux_schedule_save_interrupt_value(task, error); error = -ERESTARTSYS; - goto intr; + } + goto done; } } c->done--; sleepq_release(c); -intr: + /* return how many jiffies are left */ + error = linux_timer_jiffies_until(end); +done: PICKUP_GIANT(); - /* return how many jiffies are left */ - return (ret != 0 ? error : linux_timer_jiffies_until(end)); + return (error); } int diff --git a/sys/compat/linuxkpi/common/src/linux_hrtimer.c b/sys/compat/linuxkpi/common/src/linux_hrtimer.c index c650256..a0041b8 100644 --- a/sys/compat/linuxkpi/common/src/linux_hrtimer.c +++ b/sys/compat/linuxkpi/common/src/linux_hrtimer.c @@ -98,7 +98,7 @@ linux_hrtimer_start_range_ns(struct hrtimer *hrtimer, ktime_t time, int64_t nsec { mtx_lock(&hrtimer->mtx); - callout_reset_sbt(&hrtimer->callout, nstosbt(time.tv64), nstosbt(nsec), + callout_reset_sbt(&hrtimer->callout, nstosbt(time), nstosbt(nsec), hrtimer_call_handler, hrtimer, 0); mtx_unlock(&hrtimer->mtx); } diff --git a/sys/compat/linuxkpi/common/src/linux_lock.c b/sys/compat/linuxkpi/common/src/linux_lock.c index ff91514..f037cd3 100644 --- a/sys/compat/linuxkpi/common/src/linux_lock.c +++ b/sys/compat/linuxkpi/common/src/linux_lock.c @@ -28,6 +28,7 @@ #include <sys/queue.h> +#include <linux/sched.h> #include <linux/ww_mutex.h> struct ww_mutex_thread { @@ -72,10 +73,13 @@ linux_ww_unlock(void) int linux_ww_mutex_lock_sub(struct ww_mutex *lock, int catch_signal) { + struct task_struct *task; struct ww_mutex_thread entry; struct ww_mutex_thread *other; int retval = 0; + task = current; + linux_ww_lock(); if (unlikely(sx_try_xlock(&lock->base.sx) == 0)) { entry.thread = curthread; @@ -105,7 +109,9 @@ linux_ww_mutex_lock_sub(struct ww_mutex *lock, int catch_signal) } } if (catch_signal) { - if (cv_wait_sig(&lock->condvar, &ww_mutex_global) != 0) { + retval = -cv_wait_sig(&lock->condvar, &ww_mutex_global); + if (retval != 0) { + linux_schedule_save_interrupt_value(task, retval); retval = -EINTR; goto done; } @@ -134,3 +140,29 @@ linux_ww_mutex_unlock_sub(struct ww_mutex *lock) cv_signal(&lock->condvar); linux_ww_unlock(); } + +int +linux_mutex_lock_interruptible(mutex_t *m) +{ + int error; + + error = -sx_xlock_sig(&m->sx); + if (error != 0) { + linux_schedule_save_interrupt_value(current, error); + error = -EINTR; + } + return (error); +} + +int +linux_down_write_killable(struct rw_semaphore *rw) +{ + int error; + + error = -sx_xlock_sig(&rw->sx); + if (error != 0) { + linux_schedule_save_interrupt_value(current, error); + error = -EINTR; + } + return (error); +} diff --git a/sys/compat/linuxkpi/common/src/linux_radix.c b/sys/compat/linuxkpi/common/src/linux_radix.c index 6a8bd11..053f08b 100644 --- a/sys/compat/linuxkpi/common/src/linux_radix.c +++ b/sys/compat/linuxkpi/common/src/linux_radix.c @@ -2,7 +2,7 @@ * Copyright (c) 2010 Isilon Systems, Inc. * Copyright (c) 2010 iX Systems, Inc. * Copyright (c) 2010 Panasas, Inc. - * Copyright (c) 2013, 2014 Mellanox Technologies, Ltd. + * Copyright (c) 2013-2018 Mellanox Technologies, Ltd. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -43,10 +43,10 @@ __FBSDID("$FreeBSD$"); static MALLOC_DEFINE(M_RADIX, "radix", "Linux radix compat"); -static inline int +static inline unsigned long radix_max(struct radix_tree_root *root) { - return (1 << (root->height * RADIX_TREE_MAP_SHIFT)) - 1; + return ((1UL << (root->height * RADIX_TREE_MAP_SHIFT)) - 1UL); } static inline int @@ -76,6 +76,45 @@ out: return (item); } +bool +radix_tree_iter_find(struct radix_tree_root *root, struct radix_tree_iter *iter, + void ***pppslot) +{ + struct radix_tree_node *node; + unsigned long index = iter->index; + int height; + +restart: + node = root->rnode; + if (node == NULL) + return (false); + height = root->height - 1; + if (height == -1 || index > radix_max(root)) + return (false); + do { + unsigned long mask = RADIX_TREE_MAP_MASK << (RADIX_TREE_MAP_SHIFT * height); + unsigned long step = 1UL << (RADIX_TREE_MAP_SHIFT * height); + int pos = radix_pos(index, height); + struct radix_tree_node *next; + + /* track last slot */ + *pppslot = node->slots + pos; + + next = node->slots[pos]; + if (next == NULL) { + index += step; + index &= -step; + if ((index & mask) == 0) + goto restart; + } else { + node = next; + height--; + } + } while (height != -1); + iter->index = index; + return (true); +} + void * radix_tree_delete(struct radix_tree_root *root, unsigned long index) { diff --git a/sys/compat/linuxkpi/common/src/linux_schedule.c b/sys/compat/linuxkpi/common/src/linux_schedule.c index dc3dd91..0958b3a 100644 --- a/sys/compat/linuxkpi/common/src/linux_schedule.c +++ b/sys/compat/linuxkpi/common/src/linux_schedule.c @@ -41,7 +41,8 @@ __FBSDID("$FreeBSD$"); #include <linux/wait.h> static int -linux_add_to_sleepqueue(void *wchan, const char *wmesg, int timeout, int state) +linux_add_to_sleepqueue(void *wchan, struct task_struct *task, + const char *wmesg, int timeout, int state) { int flags, ret; @@ -66,8 +67,10 @@ linux_add_to_sleepqueue(void *wchan, const char *wmesg, int timeout, int state) ret = -sleepq_timedwait(wchan, 0); } /* filter return value */ - if (ret != 0 && ret != -EWOULDBLOCK) + if (ret != 0 && ret != -EWOULDBLOCK) { + linux_schedule_save_interrupt_value(task, ret); ret = -ERESTARTSYS; + } return (ret); } @@ -235,10 +238,10 @@ linux_wait_event_common(wait_queue_head_t *wqh, wait_queue_t *wq, int timeout, PHOLD(task->task_thread->td_proc); sleepq_lock(task); if (atomic_read(&task->state) != TASK_WAKING) { - ret = linux_add_to_sleepqueue(task, "wevent", timeout, state); + ret = linux_add_to_sleepqueue(task, task, "wevent", timeout, state); } else { sleepq_release(task); - ret = linux_signal_pending_state(state, task) ? -ERESTARTSYS : 0; + ret = 0; } PRELE(task->task_thread->td_proc); @@ -253,6 +256,7 @@ int linux_schedule_timeout(int timeout) { struct task_struct *task; + int ret; int state; int remainder; @@ -270,10 +274,12 @@ linux_schedule_timeout(int timeout) sleepq_lock(task); state = atomic_read(&task->state); - if (state != TASK_WAKING) - (void)linux_add_to_sleepqueue(task, "sched", timeout, state); - else + if (state != TASK_WAKING) { + ret = linux_add_to_sleepqueue(task, task, "sched", timeout, state); + } else { sleepq_release(task); + ret = 0; + } set_task_state(task, TASK_RUNNING); PICKUP_GIANT(); @@ -283,7 +289,11 @@ linux_schedule_timeout(int timeout) /* range check return value */ remainder -= ticks; - if (remainder < 0) + + /* range check return value */ + if (ret == -ERESTARTSYS && remainder < 1) + remainder = 1; + else if (remainder < 0) remainder = 0; else if (remainder > timeout) remainder = timeout; @@ -337,7 +347,7 @@ linux_wait_on_bit_timeout(unsigned long *word, int bit, unsigned int state, break; } set_task_state(task, state); - ret = linux_add_to_sleepqueue(wchan, "wbit", timeout, state); + ret = linux_add_to_sleepqueue(wchan, task, "wbit", timeout, state); if (ret != 0) break; } @@ -374,7 +384,7 @@ linux_wait_on_atomic_t(atomic_t *a, unsigned int state) break; } set_task_state(task, state); - ret = linux_add_to_sleepqueue(wchan, "watomic", 0, state); + ret = linux_add_to_sleepqueue(wchan, task, "watomic", 0, state); if (ret != 0) break; } diff --git a/sys/compat/linuxkpi/common/src/linux_tasklet.c b/sys/compat/linuxkpi/common/src/linux_tasklet.c index 5fe9455..549af86 100644 --- a/sys/compat/linuxkpi/common/src/linux_tasklet.c +++ b/sys/compat/linuxkpi/common/src/linux_tasklet.c @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #define TASKLET_ST_BUSY 1 #define TASKLET_ST_EXEC 2 #define TASKLET_ST_LOOP 3 +#define TASKLET_ST_PAUSED 4 #define TASKLET_ST_CMPSET(ts, old, new) \ atomic_cmpset_ptr((volatile uintptr_t *)&(ts)->entry.tqe_prev, old, new) @@ -196,3 +197,21 @@ tasklet_kill(struct tasklet_struct *ts) while (TASKLET_ST_GET(ts) != TASKLET_ST_IDLE) pause("W", 1); } + +void +tasklet_enable(struct tasklet_struct *ts) +{ + (void) TASKLET_ST_CMPSET(ts, TASKLET_ST_PAUSED, TASKLET_ST_IDLE); +} + +void +tasklet_disable(struct tasklet_struct *ts) +{ + while (1) { + if (TASKLET_ST_GET(ts) == TASKLET_ST_PAUSED) + break; + if (TASKLET_ST_CMPSET(ts, TASKLET_ST_IDLE, TASKLET_ST_PAUSED)) + break; + pause("W", 1); + } +} diff --git a/sys/conf/NOTES b/sys/conf/NOTES index 7d5081b..28e7e2b 100644 --- a/sys/conf/NOTES +++ b/sys/conf/NOTES @@ -2541,8 +2541,10 @@ device smb # SMBus peripheral devices # +# jedec_dimm Asset and temperature reporting for DDR3 and DDR4 DIMMs # jedec_ts Temperature Sensor compliant with JEDEC Standard 21-C # +device jedec_dimm device jedec_ts # I2C Bus diff --git a/sys/conf/files b/sys/conf/files index aeebb47..59351b2 100644 --- a/sys/conf/files +++ b/sys/conf/files @@ -2164,6 +2164,7 @@ dev/ixgbe/ixgbe_dcb_82598.c optional ix inet | ixv inet \ compile-with "${NORMAL_C} -I$S/dev/ixgbe" dev/ixgbe/ixgbe_dcb_82599.c optional ix inet | ixv inet \ compile-with "${NORMAL_C} -I$S/dev/ixgbe" +dev/jedec_dimm/jedec_dimm.c optional jedec_dimm smbus dev/jedec_ts/jedec_ts.c optional jedec_ts smbus dev/jme/if_jme.c optional jme pci dev/joy/joy.c optional joy diff --git a/sys/conf/files.amd64 b/sys/conf/files.amd64 index 4bbe63c..3e19915 100644 --- a/sys/conf/files.amd64 +++ b/sys/conf/files.amd64 @@ -192,6 +192,7 @@ dev/agp/agp_amd64.c optional agp dev/agp/agp_i810.c optional agp dev/agp/agp_via.c optional agp dev/amdsbwd/amdsbwd.c optional amdsbwd +dev/amdsmn/amdsmn.c optional amdsmn | amdtemp dev/amdtemp/amdtemp.c optional amdtemp dev/arcmsr/arcmsr.c optional arcmsr pci dev/asmc/asmc.c optional asmc isa diff --git a/sys/conf/files.i386 b/sys/conf/files.i386 index e96f783..8aee3cf 100644 --- a/sys/conf/files.i386 +++ b/sys/conf/files.i386 @@ -175,6 +175,7 @@ dev/agp/agp_sis.c optional agp dev/agp/agp_via.c optional agp dev/aic/aic_isa.c optional aic isa dev/amdsbwd/amdsbwd.c optional amdsbwd +dev/amdsmn/amdsmn.c optional amdsmn | amdtemp dev/amdtemp/amdtemp.c optional amdtemp dev/arcmsr/arcmsr.c optional arcmsr pci dev/asmc/asmc.c optional asmc isa diff --git a/sys/dev/amdsmn/amdsmn.c b/sys/dev/amdsmn/amdsmn.c new file mode 100644 index 0000000..bc2ed7c --- /dev/null +++ b/sys/dev/amdsmn/amdsmn.c @@ -0,0 +1,193 @@ +/*- + * Copyright (c) 2017 Conrad Meyer <cem@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Driver for the AMD Family 17h CPU System Management Network. + */ + +#include <sys/cdefs.h> +__FBSDID("$FreeBSD$"); + +#include <sys/param.h> +#include <sys/bus.h> +#include <sys/conf.h> +#include <sys/lock.h> +#include <sys/kernel.h> +#include <sys/module.h> +#include <sys/mutex.h> +#include <sys/sysctl.h> +#include <sys/systm.h> + +#include <machine/cpufunc.h> +#include <machine/md_var.h> +#include <machine/specialreg.h> + +#include <dev/pci/pcivar.h> +#include <x86/pci_cfgreg.h> + +#include <dev/amdsmn/amdsmn.h> + +#define SMN_ADDR_REG 0x60 +#define SMN_DATA_REG 0x64 + +struct amdsmn_softc { + struct mtx smn_lock; +}; + +static struct pciid { + uint32_t device_id; +} amdsmn_ids[] = { + { 0x14501022 }, +}; + +/* + * Device methods. + */ +static void amdsmn_identify(driver_t *driver, device_t parent); +static int amdsmn_probe(device_t dev); +static int amdsmn_attach(device_t dev); +static int amdsmn_detach(device_t dev); + +static device_method_t amdsmn_methods[] = { + /* Device interface */ + DEVMETHOD(device_identify, amdsmn_identify), + DEVMETHOD(device_probe, amdsmn_probe), + DEVMETHOD(device_attach, amdsmn_attach), + DEVMETHOD(device_detach, amdsmn_detach), + DEVMETHOD_END +}; + +static driver_t amdsmn_driver = { + "amdsmn", + amdsmn_methods, + sizeof(struct amdsmn_softc), +}; + +static devclass_t amdsmn_devclass; +DRIVER_MODULE(amdsmn, hostb, amdsmn_driver, amdsmn_devclass, NULL, NULL); +MODULE_VERSION(amdsmn, 1); + +static bool +amdsmn_match(device_t parent) +{ + uint32_t devid; + size_t i; + + devid = pci_get_devid(parent); + for (i = 0; i < nitems(amdsmn_ids); i++) + if (amdsmn_ids[i].device_id == devid) + return (true); + return (false); +} + +static void +amdsmn_identify(driver_t *driver, device_t parent) +{ + device_t child; + + /* Make sure we're not being doubly invoked. */ + if (device_find_child(parent, "amdsmn", -1) != NULL) + return; + if (!amdsmn_match(parent)) + return; + + child = device_add_child(parent, "amdsmn", -1); + if (child == NULL) + device_printf(parent, "add amdsmn child failed\n"); +} + +static int +amdsmn_probe(device_t dev) +{ + uint32_t family; + + if (resource_disabled("amdsmn", 0)) + return (ENXIO); + if (!amdsmn_match(device_get_parent(dev))) + return (ENXIO); + + family = CPUID_TO_FAMILY(cpu_id); + + switch (family) { + case 0x17: + break; + default: + return (ENXIO); + } + device_set_desc(dev, "AMD Family 17h System Management Network"); + + return (BUS_PROBE_GENERIC); +} + +static int +amdsmn_attach(device_t dev) +{ + struct amdsmn_softc *sc = device_get_softc(dev); + + mtx_init(&sc->smn_lock, "SMN mtx", "SMN", MTX_DEF); + return (0); +} + +int +amdsmn_detach(device_t dev) +{ + struct amdsmn_softc *sc = device_get_softc(dev); + + mtx_destroy(&sc->smn_lock); + return (0); +} + +int +amdsmn_read(device_t dev, uint32_t addr, uint32_t *value) +{ + struct amdsmn_softc *sc = device_get_softc(dev); + device_t parent; + + parent = device_get_parent(dev); + + mtx_lock(&sc->smn_lock); + pci_write_config(parent, SMN_ADDR_REG, addr, 4); + *value = pci_read_config(parent, SMN_DATA_REG, 4); + mtx_unlock(&sc->smn_lock); + + return (0); +} + +int +amdsmn_write(device_t dev, uint32_t addr, uint32_t value) +{ + struct amdsmn_softc *sc = device_get_softc(dev); + device_t parent; + + parent = device_get_parent(dev); + + mtx_lock(&sc->smn_lock); + pci_write_config(parent, SMN_ADDR_REG, addr, 4); + pci_write_config(parent, SMN_DATA_REG, value, 4); + mtx_unlock(&sc->smn_lock); + + return (0); +} diff --git a/sys/dev/amdsmn/amdsmn.h b/sys/dev/amdsmn/amdsmn.h new file mode 100644 index 0000000..c3225ff --- /dev/null +++ b/sys/dev/amdsmn/amdsmn.h @@ -0,0 +1,32 @@ +/*- + * Copyright (c) 2017 Conrad Meyer <cem@FreeBSD.org> + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED + * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN + * ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#pragma once + +int amdsmn_read(device_t dev, uint32_t addr, uint32_t *value); +int amdsmn_write(device_t dev, uint32_t addr, uint32_t value); diff --git a/sys/dev/amdtemp/amdtemp.c b/sys/dev/amdtemp/amdtemp.c index 1e658e6..2080c92 100644 --- a/sys/dev/amdtemp/amdtemp.c +++ b/sys/dev/amdtemp/amdtemp.c @@ -49,6 +49,8 @@ __FBSDID("$FreeBSD$"); #include <dev/pci/pcivar.h> #include <x86/pci_cfgreg.h> +#include <dev/amdsmn/amdsmn.h> + typedef enum { CORE0_SENSOR0, CORE0_SENSOR1, @@ -59,7 +61,6 @@ typedef enum { } amdsensor_t; struct amdtemp_softc { - device_t sc_dev; int sc_ncores; int sc_ntemps; int sc_flags; @@ -70,6 +71,7 @@ struct amdtemp_softc { int32_t (*sc_gettemp)(device_t, amdsensor_t); struct sysctl_oid *sc_sysctl_cpu[MAXCPU]; struct intr_config_hook sc_ich; + device_t sc_smn; }; #define VENDORID_AMD 0x1022 @@ -82,6 +84,7 @@ struct amdtemp_softc { #define DEVICEID_AMD_MISC16 0x1533 #define DEVICEID_AMD_MISC16_M30H 0x1583 #define DEVICEID_AMD_MISC17 0x141d +#define DEVICEID_AMD_HOSTB17H 0x1450 static struct amdtemp_product { uint16_t amdtemp_vendorid; @@ -96,6 +99,7 @@ static struct amdtemp_product { { VENDORID_AMD, DEVICEID_AMD_MISC16 }, { VENDORID_AMD, DEVICEID_AMD_MISC16_M30H }, { VENDORID_AMD, DEVICEID_AMD_MISC17 }, + { VENDORID_AMD, DEVICEID_AMD_HOSTB17H }, { 0, 0 } }; @@ -105,6 +109,11 @@ static struct amdtemp_product { #define AMDTEMP_REPTMP_CTRL 0xa4 /* + * Reported Temperature, Family 17h + */ +#define AMDTEMP_17H_CUR_TMP 0x59800 + +/* * Thermaltrip Status Register (Family 0Fh only) */ #define AMDTEMP_THERMTP_STAT 0xe4 @@ -133,6 +142,7 @@ static int amdtemp_detach(device_t dev); static int amdtemp_match(device_t dev); static int32_t amdtemp_gettemp0f(device_t dev, amdsensor_t sensor); static int32_t amdtemp_gettemp(device_t dev, amdsensor_t sensor); +static int32_t amdtemp_gettemp17h(device_t dev, amdsensor_t sensor); static int amdtemp_sysctl(SYSCTL_HANDLER_ARGS); static device_method_t amdtemp_methods[] = { @@ -153,6 +163,8 @@ static driver_t amdtemp_driver = { static devclass_t amdtemp_devclass; DRIVER_MODULE(amdtemp, hostb, amdtemp_driver, amdtemp_devclass, NULL, NULL); +MODULE_VERSION(amdtemp, 1); +MODULE_DEPEND(amdtemp, amdsmn, 1, 1, 1); static int amdtemp_match(device_t dev) @@ -195,6 +207,8 @@ amdtemp_probe(device_t dev) if (resource_disabled("amdtemp", 0)) return (ENXIO); + if (!amdtemp_match(device_get_parent(dev))) + return (ENXIO); family = CPUID_TO_FAMILY(cpu_id); model = CPUID_TO_MODEL(cpu_id); @@ -211,6 +225,7 @@ amdtemp_probe(device_t dev) case 0x14: case 0x15: case 0x16: + case 0x17: break; default: return (ENXIO); @@ -240,7 +255,7 @@ amdtemp_attach(device_t dev) cpuid = cpu_id; family = CPUID_TO_FAMILY(cpuid); model = CPUID_TO_MODEL(cpuid); - if (family != 0x0f || model >= 0x40) { + if ((family != 0x0f || model >= 0x40) && family != 0x17) { cpuid = pci_read_config(dev, AMDTEMP_CPUID, 4); family = CPUID_TO_FAMILY(cpuid); model = CPUID_TO_MODEL(cpuid); @@ -342,6 +357,17 @@ amdtemp_attach(device_t dev) sc->sc_gettemp = amdtemp_gettemp; break; + case 0x17: + sc->sc_ntemps = 1; + sc->sc_gettemp = amdtemp_gettemp17h; + sc->sc_smn = device_find_child( + device_get_parent(dev), "amdsmn", -1); + if (sc->sc_smn == NULL) { + if (bootverbose) + device_printf(dev, "No SMN device found\n"); + return (ENXIO); + } + break; } /* Find number of cores per package. */ @@ -557,3 +583,19 @@ amdtemp_gettemp(device_t dev, amdsensor_t sensor) return (temp); } + +static int32_t +amdtemp_gettemp17h(device_t dev, amdsensor_t sensor) +{ + struct amdtemp_softc *sc = device_get_softc(dev); + uint32_t temp; + int error; + + error = amdsmn_read(sc->sc_smn, AMDTEMP_17H_CUR_TMP, &temp); + KASSERT(error == 0, ("amdsmn_read")); + + temp = ((temp >> 21) & 0x7ff) * 5 / 4; + temp += AMDTEMP_ZERO_C_TO_K + sc->sc_offset * 10; + + return (temp); +} diff --git a/sys/dev/jedec_dimm/jedec_dimm.c b/sys/dev/jedec_dimm/jedec_dimm.c new file mode 100644 index 0000000..c496742 --- /dev/null +++ b/sys/dev/jedec_dimm/jedec_dimm.c @@ -0,0 +1,1010 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Authors: Ravi Pokala (rpokala@freebsd.org), Andriy Gapon (avg@FreeBSD.org) + * + * Copyright (c) 2016 Andriy Gapon <avg@FreeBSD.org> + * Copyright (c) 2018 Panasas + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +/* + * This driver is a super-set of jedec_ts(4), and most of the code for reading + * and reporting the temperature is either based on that driver, or copied + * from it verbatim. + */ + +#include <sys/param.h> +#include <sys/kernel.h> +#include <sys/bus.h> +#include <sys/endian.h> +#include <sys/malloc.h> +#include <sys/module.h> +#include <sys/sysctl.h> +#include <sys/systm.h> + +#include <dev/jedec_dimm/jedec_dimm.h> +#include <dev/smbus/smbconf.h> +#include <dev/smbus/smbus.h> + +#include "smbus_if.h" + +struct jedec_dimm_softc { + device_t dev; + device_t smbus; + uint8_t spd_addr; /* SMBus address of the SPD EEPROM. */ + uint8_t tsod_addr; /* Address of the Thermal Sensor On DIMM */ + uint32_t capacity_mb; + char type_str[5]; + char part_str[21]; /* 18 (DDR3) or 20 (DDR4) chars, plus terminator */ + char serial_str[9]; /* 4 bytes = 8 nybble characters, plus terminator */ + char *slotid_str; /* Optional DIMM slot identifier (silkscreen) */ +}; + +/* General Thermal Sensor on DIMM (TSOD) identification notes. + * + * The JEDEC TSE2004av specification defines the device ID that all compliant + * devices should use, but very few do in practice. Maybe that's because the + * earlier TSE2002av specification was rather vague about that. + * Rare examples are IDT TSE2004GB2B0 and Atmel AT30TSE004A, not sure if + * they are TSE2004av compliant by design or by accident. + * Also, the specification mandates that PCI SIG manufacturer IDs are to be + * used, but in practice the JEDEC manufacturer IDs are often used. + */ +const struct jedec_dimm_tsod_dev { + uint16_t vendor_id; + uint8_t device_id; + const char *description; +} known_tsod_devices[] = { + /* Analog Devices ADT7408. + * http://www.analog.com/media/en/technical-documentation/data-sheets/ADT7408.pdf + */ + { 0x11d4, 0x08, "Analog Devices TSOD" }, + + /* Atmel AT30TSE002B, AT30TSE004A. + * http://www.atmel.com/images/doc8711.pdf + * http://www.atmel.com/images/atmel-8868-dts-at30tse004a-datasheet.pdf + * Note how one chip uses the JEDEC Manufacturer ID while the other + * uses the PCI SIG one. + */ + { 0x001f, 0x82, "Atmel TSOD" }, + { 0x1114, 0x22, "Atmel TSOD" }, + + /* Integrated Device Technology (IDT) TS3000B3A, TSE2002B3C, + * TSE2004GB2B0 chips and their variants. + * http://www.idt.com/sites/default/files/documents/IDT_TSE2002B3C_DST_20100512_120303152056.pdf + * http://www.idt.com/sites/default/files/documents/IDT_TS3000B3A_DST_20101129_120303152013.pdf + * https://www.idt.com/document/dst/tse2004gb2b0-datasheet + */ + { 0x00b3, 0x29, "IDT TSOD" }, + { 0x00b3, 0x22, "IDT TSOD" }, + + /* Maxim Integrated MAX6604. + * Different document revisions specify different Device IDs. + * Document 19-3837; Rev 0; 10/05 has 0x3e00 while + * 19-3837; Rev 3; 10/11 has 0x5400. + * http://datasheets.maximintegrated.com/en/ds/MAX6604.pdf + */ + { 0x004d, 0x3e, "Maxim Integrated TSOD" }, + { 0x004d, 0x54, "Maxim Integrated TSOD" }, + + /* Microchip Technology MCP9805, MCP9843, MCP98242, MCP98243 + * and their variants. + * http://ww1.microchip.com/downloads/en/DeviceDoc/21977b.pdf + * Microchip Technology EMC1501. + * http://ww1.microchip.com/downloads/en/DeviceDoc/00001605A.pdf + */ + { 0x0054, 0x00, "Microchip TSOD" }, + { 0x0054, 0x20, "Microchip TSOD" }, + { 0x0054, 0x21, "Microchip TSOD" }, + { 0x1055, 0x08, "Microchip TSOD" }, + + /* NXP Semiconductors SE97 and SE98. + * http://www.nxp.com/docs/en/data-sheet/SE97B.pdf + */ + { 0x1131, 0xa1, "NXP TSOD" }, + { 0x1131, 0xa2, "NXP TSOD" }, + + /* ON Semiconductor CAT34TS02 revisions B and C, CAT6095 and compatible. + * https://www.onsemi.com/pub/Collateral/CAT34TS02-D.PDF + * http://www.onsemi.com/pub/Collateral/CAT6095-D.PDF + */ + { 0x1b09, 0x08, "ON Semiconductor TSOD" }, + { 0x1b09, 0x0a, "ON Semiconductor TSOD" }, + + /* ST[Microelectronics] STTS424E02, STTS2002 and others. + * http://www.st.com/resource/en/datasheet/cd00157558.pdf + * http://www.st.com/resource/en/datasheet/stts2002.pdf + */ + { 0x104a, 0x00, "ST Microelectronics TSOD" }, + { 0x104a, 0x03, "ST Microelectronics TSOD" }, +}; + +static int jedec_dimm_attach(device_t dev); + +static int jedec_dimm_capacity(struct jedec_dimm_softc *sc, enum dram_type type, + uint32_t *capacity_mb); + +static int jedec_dimm_detach(device_t dev); + +static int jedec_dimm_dump(struct jedec_dimm_softc *sc, enum dram_type type); + +static int jedec_dimm_field_to_str(struct jedec_dimm_softc *sc, char *dst, + size_t dstsz, uint16_t offset, uint16_t len, bool ascii); + +static int jedec_dimm_probe(device_t dev); + +static int jedec_dimm_readw_be(struct jedec_dimm_softc *sc, uint8_t reg, + uint16_t *val); + +static int jedec_dimm_temp_sysctl(SYSCTL_HANDLER_ARGS); + +static const char *jedec_dimm_tsod_match(uint16_t vid, uint16_t did); + + +/** + * device_attach() method. Read the DRAM type, use that to determine the offsets + * and lengths of the asset string fields. Calculate the capacity. If a TSOD is + * present, figure out exactly what it is, and update the device description. + * If all of that was successful, create the sysctls for the DIMM. If an + * optional slotid has been hinted, create a sysctl for that too. + * + * @author rpokala + * + * @param[in,out] dev + * Device being attached. + */ +static int +jedec_dimm_attach(device_t dev) +{ + uint8_t byte; + uint16_t devid; + uint16_t partnum_len; + uint16_t partnum_offset; + uint16_t serial_len; + uint16_t serial_offset; + uint16_t tsod_present_offset; + uint16_t vendorid; + bool tsod_present; + int rc; + int new_desc_len; + enum dram_type type; + struct jedec_dimm_softc *sc; + struct sysctl_ctx_list *ctx; + struct sysctl_oid *oid; + struct sysctl_oid_list *children; + const char *tsod_match; + const char *slotid_str; + char *new_desc; + + sc = device_get_softc(dev); + ctx = device_get_sysctl_ctx(dev); + oid = device_get_sysctl_tree(dev); + children = SYSCTL_CHILDREN(oid); + + bzero(sc, sizeof(*sc)); + sc->dev = dev; + sc->smbus = device_get_parent(dev); + sc->spd_addr = smbus_get_addr(dev); + + /* The TSOD address has a different DTI from the SPD address, but shares + * the LSA bits. + */ + sc->tsod_addr = JEDEC_DTI_TSOD | (sc->spd_addr & 0x0f); + + /* Read the DRAM type, and set the various offsets and lengths. */ + rc = smbus_readb(sc->smbus, sc->spd_addr, SPD_OFFSET_DRAM_TYPE, &byte); + if (rc != 0) { + device_printf(dev, "failed to read dram_type: %d\n", rc); + goto out; + } + type = (enum dram_type) byte; + switch (type) { + case DRAM_TYPE_DDR3_SDRAM: + (void) snprintf(sc->type_str, sizeof(sc->type_str), "DDR3"); + partnum_len = SPD_LEN_DDR3_PARTNUM; + partnum_offset = SPD_OFFSET_DDR3_PARTNUM; + serial_len = SPD_LEN_DDR3_SERIAL; + serial_offset = SPD_OFFSET_DDR3_SERIAL; + tsod_present_offset = SPD_OFFSET_DDR3_TSOD_PRESENT; + break; + case DRAM_TYPE_DDR4_SDRAM: + (void) snprintf(sc->type_str, sizeof(sc->type_str), "DDR4"); + partnum_len = SPD_LEN_DDR4_PARTNUM; + partnum_offset = SPD_OFFSET_DDR4_PARTNUM; + serial_len = SPD_LEN_DDR4_SERIAL; + serial_offset = SPD_OFFSET_DDR4_SERIAL; + tsod_present_offset = SPD_OFFSET_DDR4_TSOD_PRESENT; + break; + default: + device_printf(dev, "unsupported dram_type 0x%02x\n", type); + rc = EINVAL; + goto out; + } + + if (bootverbose) { + /* bootverbose debuggery is best-effort, so ignore the rc. */ + (void) jedec_dimm_dump(sc, type); + } + + /* Read all the required info from the SPD. If any of it fails, error + * out without creating the sysctls. + */ + rc = jedec_dimm_capacity(sc, type, &sc->capacity_mb); + if (rc != 0) { + goto out; + } + + rc = jedec_dimm_field_to_str(sc, sc->part_str, sizeof(sc->part_str), + partnum_offset, partnum_len, true); + if (rc != 0) { + goto out; + } + + rc = jedec_dimm_field_to_str(sc, sc->serial_str, sizeof(sc->serial_str), + serial_offset, serial_len, false); + if (rc != 0) { + goto out; + } + + /* The MSBit of the TSOD-presence byte reports whether or not the TSOD + * is in fact present. If it is, read manufacturer and device info from + * it to confirm that it's a valid TSOD device. It's an error if any of + * those bytes are unreadable; it's not an error if the device is simply + * not known to us (tsod_match == NULL). + * While DDR3 and DDR4 don't explicitly require a TSOD, essentially all + * DDR3 and DDR4 DIMMs include one. + */ + rc = smbus_readb(sc->smbus, sc->spd_addr, tsod_present_offset, &byte); + if (rc != 0) { + device_printf(dev, "failed to read TSOD-present byte: %d\n", + rc); + goto out; + } + if (byte & 0x80) { + tsod_present = true; + rc = jedec_dimm_readw_be(sc, TSOD_REG_MANUFACTURER, &vendorid); + if (rc != 0) { + device_printf(dev, + "failed to read TSOD Manufacturer ID\n"); + goto out; + } + rc = jedec_dimm_readw_be(sc, TSOD_REG_DEV_REV, &devid); + if (rc != 0) { + device_printf(dev, "failed to read TSOD Device ID\n"); + goto out; + } + + tsod_match = jedec_dimm_tsod_match(vendorid, devid); + if (bootverbose) { + if (tsod_match == NULL) { + device_printf(dev, + "Unknown TSOD Manufacturer and Device IDs," + " 0x%x and 0x%x\n", vendorid, devid); + } else { + device_printf(dev, + "TSOD: %s\n", tsod_match); + } + } + } else { + tsod_match = NULL; + tsod_present = false; + } + + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "type", + CTLFLAG_RD | CTLFLAG_MPSAFE, sc->type_str, 0, + "DIMM type"); + + SYSCTL_ADD_UINT(ctx, children, OID_AUTO, "capacity", + CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, sc->capacity_mb, + "DIMM capacity (MB)"); + + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "part", + CTLFLAG_RD | CTLFLAG_MPSAFE, sc->part_str, 0, + "DIMM Part Number"); + + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "serial", + CTLFLAG_RD | CTLFLAG_MPSAFE, sc->serial_str, 0, + "DIMM Serial Number"); + + /* Create the temperature sysctl IFF the TSOD is present and valid */ + if (tsod_present && (tsod_match != NULL)) { + SYSCTL_ADD_PROC(ctx, children, OID_AUTO, "temp", + CTLTYPE_INT | CTLFLAG_RD | CTLFLAG_MPSAFE, dev, 0, + jedec_dimm_temp_sysctl, "IK", "DIMM temperature (deg C)"); + } + + /* If a "slotid" was hinted, add the sysctl for it. */ + if (resource_string_value(device_get_name(dev), device_get_unit(dev), + "slotid", &slotid_str) == 0) { + if (slotid_str != NULL) { + sc->slotid_str = malloc(strlen(slotid_str) + 1, + M_DEVBUF, (M_WAITOK | M_ZERO)); + strlcpy(sc->slotid_str, slotid_str, + sizeof(sc->slotid_str)); + SYSCTL_ADD_STRING(ctx, children, OID_AUTO, "slotid", + CTLFLAG_RD | CTLFLAG_MPSAFE, sc->slotid_str, 0, + "DIMM Slot Identifier"); + } + } + + /* If a TSOD type string or a slotid are present, add them to the + * device description. + */ + if ((tsod_match != NULL) || (sc->slotid_str != NULL)) { + new_desc_len = strlen(device_get_desc(dev)); + if (tsod_match != NULL) { + new_desc_len += strlen(tsod_match); + new_desc_len += 4; /* " w/ " */ + } + if (sc->slotid_str != NULL) { + new_desc_len += strlen(sc->slotid_str); + new_desc_len += 3; /* space + parens */ + } + new_desc_len++; /* terminator */ + new_desc = malloc(new_desc_len, M_TEMP, (M_WAITOK | M_ZERO)); + (void) snprintf(new_desc, new_desc_len, "%s%s%s%s%s%s", + device_get_desc(dev), + (tsod_match ? " w/ " : ""), + (tsod_match ? tsod_match : ""), + (sc->slotid_str ? " (" : ""), + (sc->slotid_str ? sc->slotid_str : ""), + (sc->slotid_str ? ")" : "")); + device_set_desc_copy(dev, new_desc); + free(new_desc, M_TEMP); + } + +out: + return (rc); +} + +/** + * Calculate the capacity of a DIMM. Both DDR3 and DDR4 encode "geometry" + * information in various SPD bytes. The standards documents codify everything + * in look-up tables, but it's trivial to reverse-engineer the the formulas for + * most of them. Unless otherwise noted, the same formulas apply for both DDR3 + * and DDR4. The SPD offsets of where the data comes from are different between + * the two types, because having them be the same would be too easy. + * + * @author rpokala + * + * @param[in] sc + * Instance-specific context data + * + * @param[in] dram_type + * The locations of the data used to calculate the capacity depends on the + * type of the DIMM. + * + * @param[out] capacity_mb + * The calculated capacity, in MB + */ +static int +jedec_dimm_capacity(struct jedec_dimm_softc *sc, enum dram_type type, + uint32_t *capacity_mb) +{ + uint8_t bus_width_byte; + uint8_t bus_width_offset; + uint8_t dimm_ranks_byte; + uint8_t dimm_ranks_offset; + uint8_t sdram_capacity_byte; + uint8_t sdram_capacity_offset; + uint8_t sdram_pkg_type_byte; + uint8_t sdram_pkg_type_offset; + uint8_t sdram_width_byte; + uint8_t sdram_width_offset; + uint32_t bus_width; + uint32_t dimm_ranks; + uint32_t sdram_capacity; + uint32_t sdram_pkg_type; + uint32_t sdram_width; + int rc; + + switch (type) { + case DRAM_TYPE_DDR3_SDRAM: + bus_width_offset = SPD_OFFSET_DDR3_BUS_WIDTH; + dimm_ranks_offset = SPD_OFFSET_DDR3_DIMM_RANKS; + sdram_capacity_offset = SPD_OFFSET_DDR3_SDRAM_CAPACITY; + sdram_width_offset = SPD_OFFSET_DDR3_SDRAM_WIDTH; + break; + case DRAM_TYPE_DDR4_SDRAM: + bus_width_offset = SPD_OFFSET_DDR4_BUS_WIDTH; + dimm_ranks_offset = SPD_OFFSET_DDR4_DIMM_RANKS; + sdram_capacity_offset = SPD_OFFSET_DDR4_SDRAM_CAPACITY; + sdram_pkg_type_offset = SPD_OFFSET_DDR4_SDRAM_PKG_TYPE; + sdram_width_offset = SPD_OFFSET_DDR4_SDRAM_WIDTH; + break; + default: + device_printf(sc->dev, "unsupported dram_type 0x%02x\n", type); + rc = EINVAL; + goto out; + } + + rc = smbus_readb(sc->smbus, sc->spd_addr, bus_width_offset, + &bus_width_byte); + if (rc != 0) { + device_printf(sc->dev, "failed to read bus_width: %d\n", rc); + goto out; + } + + rc = smbus_readb(sc->smbus, sc->spd_addr, dimm_ranks_offset, + &dimm_ranks_byte); + if (rc != 0) { + device_printf(sc->dev, "failed to read dimm_ranks: %d\n", rc); + goto out; + } + + rc = smbus_readb(sc->smbus, sc->spd_addr, sdram_capacity_offset, + &sdram_capacity_byte); + if (rc != 0) { + device_printf(sc->dev, "failed to read sdram_capacity: %d\n", + rc); + goto out; + } + + rc = smbus_readb(sc->smbus, sc->spd_addr, sdram_width_offset, + &sdram_width_byte); + if (rc != 0) { + device_printf(sc->dev, "failed to read sdram_width: %d\n", rc); + goto out; + } + + /* The "SDRAM Package Type" is only needed for DDR4 DIMMs. */ + if (type == DRAM_TYPE_DDR4_SDRAM) { + rc = smbus_readb(sc->smbus, sc->spd_addr, sdram_pkg_type_offset, + &sdram_pkg_type_byte); + if (rc != 0) { + device_printf(sc->dev, + "failed to read sdram_pkg_type: %d\n", rc); + goto out; + } + } + + /* "Primary bus width, in bits" is in bits [2:0]. */ + bus_width_byte &= 0x07; + if (bus_width_byte <= 3) { + bus_width = 1 << bus_width_byte; + bus_width *= 8; + } else { + device_printf(sc->dev, "invalid bus width info\n"); + rc = EINVAL; + goto out; + } + + /* "Number of ranks per DIMM" is in bits [5:3]. Values 4-7 are only + * valid for DDR4. + */ + dimm_ranks_byte >>= 3; + dimm_ranks_byte &= 0x07; + if (dimm_ranks_byte <= 7) { + dimm_ranks = dimm_ranks_byte + 1; + } else { + device_printf(sc->dev, "invalid DIMM Rank info\n"); + rc = EINVAL; + goto out; + } + if ((dimm_ranks_byte >= 4) && (type != DRAM_TYPE_DDR4_SDRAM)) { + device_printf(sc->dev, "invalid DIMM Rank info\n"); + rc = EINVAL; + goto out; + } + + /* "Total SDRAM capacity per die, in Mb" is in bits [3:0]. There are two + * different formulas, for values 0-7 and for values 8-9. Also, values + * 7-9 are only valid for DDR4. + */ + sdram_capacity_byte &= 0x0f; + if (sdram_capacity_byte <= 7) { + sdram_capacity = 1 << sdram_capacity_byte; + sdram_capacity *= 256; + } else if (sdram_capacity_byte <= 9) { + sdram_capacity = 12 << (sdram_capacity_byte - 8); + sdram_capacity *= 1024; + } else { + device_printf(sc->dev, "invalid SDRAM capacity info\n"); + rc = EINVAL; + goto out; + } + if ((sdram_capacity_byte >= 7) && (type != DRAM_TYPE_DDR4_SDRAM)) { + device_printf(sc->dev, "invalid SDRAM capacity info\n"); + rc = EINVAL; + goto out; + } + + /* "SDRAM device width" is in bits [2:0]. */ + sdram_width_byte &= 0x7; + if (sdram_width_byte <= 3) { + sdram_width = 1 << sdram_width_byte; + sdram_width *= 4; + } else { + device_printf(sc->dev, "invalid SDRAM width info\n"); + rc = EINVAL; + goto out; + } + + /* DDR4 has something called "3DS", which is indicated by [1:0] = 2; + * when that is the case, the die count is encoded in [6:4], and + * dimm_ranks is multiplied by it. + */ + if ((type == DRAM_TYPE_DDR4_SDRAM) && + ((sdram_pkg_type_byte & 0x3) == 2)) { + sdram_pkg_type_byte >>= 4; + sdram_pkg_type_byte &= 0x07; + sdram_pkg_type = sdram_pkg_type_byte + 1; + dimm_ranks *= sdram_pkg_type; + } + + /* Finally, assemble the actual capacity. The formula is the same for + * both DDR3 and DDR4. + */ + *capacity_mb = sdram_capacity / 8 * bus_width / sdram_width * + dimm_ranks; + +out: + return (rc); +} + +/** + * device_detach() method. If we allocated sc->slotid_str, free it. Even if we + * didn't allocate, free it anyway; free(NULL) is safe. + * + * @author rpokala + * + * @param[in,out] dev + * Device being detached. + */ +static int +jedec_dimm_detach(device_t dev) +{ + struct jedec_dimm_softc *sc; + + sc = device_get_softc(dev); + free(sc->slotid_str, M_DEVBUF); + + return (0); +} + +/** + * Read and dump the entire SPD contents. + * + * @author rpokala + * + * @param[in] sc + * Instance-specific context data + * + * @param[in] dram_type + * The length of data which needs to be read and dumped differs based on + * the type of the DIMM. + */ +static int +jedec_dimm_dump(struct jedec_dimm_softc *sc, enum dram_type type) +{ + int i; + int rc; + bool page_changed; + uint8_t bytes[512]; + + page_changed = false; + + for (i = 0; i < 256; i++) { + rc = smbus_readb(sc->smbus, sc->spd_addr, i, &bytes[i]); + if (rc != 0) { + device_printf(sc->dev, + "unable to read page0:0x%02x: %d\n", i, rc); + goto out; + } + } + + /* The DDR4 SPD is 512 bytes, but SMBus only allows for 8-bit offsets. + * JEDEC gets around this by defining the "PAGE" DTI and LSAs. + */ + if (type == DRAM_TYPE_DDR4_SDRAM) { + page_changed = true; + rc = smbus_writeb(sc->smbus, + (JEDEC_DTI_PAGE | JEDEC_LSA_PAGE_SET1), 0, 0); + if (rc != 0) { + device_printf(sc->dev, "unable to change page: %d\n", + rc); + goto out; + } + /* Add 256 to the store location, because we're in the second + * page. + */ + for (i = 0; i < 256; i++) { + rc = smbus_readb(sc->smbus, sc->spd_addr, i, + &bytes[256 + i]); + if (rc != 0) { + device_printf(sc->dev, + "unable to read page1:0x%02x: %d\n", i, rc); + goto out; + } + } + } + + /* Display the data in a nice hexdump format, with byte offsets. */ + hexdump(bytes, (page_changed ? 512 : 256), NULL, 0); + +out: + if (page_changed) { + int rc2; + /* Switch back to page0 before returning. */ + rc2 = smbus_writeb(sc->smbus, + (JEDEC_DTI_PAGE | JEDEC_LSA_PAGE_SET0), 0, 0); + if (rc2 != 0) { + device_printf(sc->dev, "unable to restore page: %d\n", + rc2); + } + } + return (rc); +} + +/** + * Read a specified range of bytes from the SPD, convert them to a string, and + * store them in the provided buffer. Some SPD fields are space-padded ASCII, + * and some are just a string of bits that we want to convert to a hex string. + * + * @author rpokala + * + * @param[in] sc + * Instance-specific context data + * + * @param[out] dst + * The output buffer to populate + * + * @param[in] dstsz + * The size of the output buffer + * + * @param[in] offset + * The starting offset of the field within the SPD + * + * @param[in] len + * The length in bytes of the field within the SPD + * + * @param[in] ascii + * Is the field a sequence of ASCII characters? If not, it is binary data + * which should be converted to characters. + */ +static int +jedec_dimm_field_to_str(struct jedec_dimm_softc *sc, char *dst, size_t dstsz, + uint16_t offset, uint16_t len, bool ascii) +{ + uint8_t byte; + int i; + int rc; + bool page_changed; + + /* Change to the proper page. Offsets [0, 255] are in page0; offsets + * [256, 512] are in page1. + * + * *The page must be reset to page0 before returning.* + * + * For the page-change operation, only the DTI and LSA matter; the + * offset and write-value are ignored, so use just 0. + * + * Mercifully, JEDEC defined the fields such that none of them cross + * pages, so we don't need to worry about that complication. + */ + if (offset < JEDEC_SPD_PAGE_SIZE) { + page_changed = false; + } else if (offset < (2 * JEDEC_SPD_PAGE_SIZE)) { + page_changed = true; + rc = smbus_writeb(sc->smbus, + (JEDEC_DTI_PAGE | JEDEC_LSA_PAGE_SET1), 0, 0); + if (rc != 0) { + device_printf(sc->dev, + "unable to change page for offset 0x%04x: %d\n", + offset, rc); + } + /* Adjust the offset to account for the page change. */ + offset -= JEDEC_SPD_PAGE_SIZE; + } else { + page_changed = false; + rc = EINVAL; + device_printf(sc->dev, "invalid offset 0x%04x\n", offset); + goto out; + } + + /* Sanity-check (adjusted) offset and length; everything must be within + * the same page. + */ + if (offset >= JEDEC_SPD_PAGE_SIZE) { + rc = EINVAL; + device_printf(sc->dev, "invalid offset 0x%04x\n", offset); + goto out; + } + if ((offset + len) >= JEDEC_SPD_PAGE_SIZE) { + rc = EINVAL; + device_printf(sc->dev, + "(offset + len) would cross page (0x%04x + 0x%04x)\n", + offset, len); + goto out; + } + + /* Sanity-check the destination string length. If we're dealing with + * ASCII chars, then the destination must be at least the same length; + * otherwise, it must be *twice* the length, because each byte must + * be converted into two nybble characters. + * + * And, of course, there needs to be an extra byte for the terminator. + */ + if (ascii) { + if (dstsz < (len + 1)) { + rc = EINVAL; + device_printf(sc->dev, + "destination too short (%u < %u)\n", + (uint16_t) dstsz, (len + 1)); + goto out; + } + } else { + if (dstsz < ((2 * len) + 1)) { + rc = EINVAL; + device_printf(sc->dev, + "destination too short (%u < %u)\n", + (uint16_t) dstsz, ((2 * len) + 1)); + goto out; + } + } + + /* Read a byte at a time. */ + for (i = 0; i < len; i++) { + rc = smbus_readb(sc->smbus, sc->spd_addr, (offset + i), &byte); + if (rc != 0) { + device_printf(sc->dev, + "failed to read byte at 0x%02x: %d\n", + (offset + i), rc); + goto out; + } + if (ascii) { + /* chars can be copied directly. */ + dst[i] = byte; + } else { + /* Raw bytes need to be converted to a two-byte hex + * string, plus the terminator. + */ + (void) snprintf(&dst[(2 * i)], 3, "%02x", byte); + } + } + + /* If we're dealing with ASCII, convert trailing spaces to NULs. */ + if (ascii) { + for (i = dstsz; i > 0; i--) { + if (dst[i] == ' ') { + dst[i] = 0; + } else if (dst[i] == 0) { + continue; + } else { + break; + } + } + } + +out: + if (page_changed) { + int rc2; + /* Switch back to page0 before returning. */ + rc2 = smbus_writeb(sc->smbus, + (JEDEC_DTI_PAGE | JEDEC_LSA_PAGE_SET0), 0, 0); + if (rc2 != 0) { + device_printf(sc->dev, + "unable to restore page for offset 0x%04x: %d\n", + offset, rc2); + } + } + + return (rc); +} + +/** + * device_probe() method. Validate the address that was given as a hint, and + * display an error if it's bogus. Make sure that we're dealing with one of the + * SPD versions that we can handle. + * + * @author rpokala + * + * @param[in] dev + * Device being probed. + */ +static int +jedec_dimm_probe(device_t dev) +{ + uint8_t addr; + uint8_t byte; + int rc; + enum dram_type type; + device_t smbus; + + smbus = device_get_parent(dev); + addr = smbus_get_addr(dev); + + /* Don't bother if this isn't an SPD address, or if the LSBit is set. */ + if (((addr & 0xf0) != JEDEC_DTI_SPD) || + ((addr & 0x01) != 0)) { + device_printf(dev, + "invalid \"addr\" hint; address must start with \"0x%x\"," + " and the least-significant bit must be 0\n", + JEDEC_DTI_SPD); + rc = ENXIO; + goto out; + } + + /* Try to read the DRAM_TYPE from the SPD. */ + rc = smbus_readb(smbus, addr, SPD_OFFSET_DRAM_TYPE, &byte); + if (rc != 0) { + device_printf(dev, "failed to read dram_type\n"); + goto out; + } + + /* This driver currently only supports DDR3 and DDR4 SPDs. */ + type = (enum dram_type) byte; + switch (type) { + case DRAM_TYPE_DDR3_SDRAM: + rc = BUS_PROBE_DEFAULT; + device_set_desc(dev, "DDR3 DIMM"); + break; + case DRAM_TYPE_DDR4_SDRAM: + rc = BUS_PROBE_DEFAULT; + device_set_desc(dev, "DDR4 DIMM"); + break; + default: + rc = ENXIO; + break; + } + +out: + return (rc); +} + +/** + * SMBus specifies little-endian byte order, but it looks like the TSODs use + * big-endian. Read and convert. + * + * @author avg + * + * @param[in] sc + * Instance-specific context data + * + * @param[in] reg + * The register number to read. + * + * @param[out] val + * Pointer to populate with the value read. + */ +static int +jedec_dimm_readw_be(struct jedec_dimm_softc *sc, uint8_t reg, uint16_t *val) +{ + int rc; + + rc = smbus_readw(sc->smbus, sc->tsod_addr, reg, val); + if (rc != 0) { + goto out; + } + *val = be16toh(*val); + +out: + return (rc); +} + +/** + * Read the temperature data from the TSOD and convert it to the deciKelvin + * value that the sysctl expects. + * + * @author avg + */ +static int +jedec_dimm_temp_sysctl(SYSCTL_HANDLER_ARGS) +{ + uint16_t val; + int rc; + int temp; + device_t dev = arg1; + struct jedec_dimm_softc *sc; + + sc = device_get_softc(dev); + + rc = jedec_dimm_readw_be(sc, TSOD_REG_TEMPERATURE, &val); + if (rc != 0) { + goto out; + } + + /* The three MSBits are flags, and the next bit is a sign bit. */ + temp = val & 0xfff; + if ((val & 0x1000) != 0) + temp = -temp; + /* Each step is 0.0625 degrees, so convert to 1000ths of a degree C. */ + temp *= 625; + /* ... and then convert to 1000ths of a Kelvin */ + temp += 2731500; + /* As a practical matter, few (if any) TSODs are more accurate than + * about a tenth of a degree, so round accordingly. This correlates with + * the "IK" formatting used for this sysctl. + */ + temp = (temp + 500) / 1000; + + rc = sysctl_handle_int(oidp, &temp, 0, req); + +out: + return (rc); +} + +/** + * Check the TSOD's Vendor ID and Device ID against the list of known TSOD + * devices. Return the description, or NULL if this doesn't look like a valid + * TSOD. + * + * @author avg + * + * @param[in] vid + * The Vendor ID of the TSOD device + * + * @param[in] did + * The Device ID of the TSOD device + * + * @return + * The description string, or NULL for a failure to match. + */ +static const char * +jedec_dimm_tsod_match(uint16_t vid, uint16_t did) +{ + const struct jedec_dimm_tsod_dev *d; + int i; + + for (i = 0; i < nitems(known_tsod_devices); i++) { + d = &known_tsod_devices[i]; + if ((vid == d->vendor_id) && ((did >> 8) == d->device_id)) { + return (d->description); + } + } + + /* If no matches for a specific device, then check for a generic + * TSE2004av-compliant device. + */ + if ((did >> 8) == 0x22) { + return ("TSE2004av compliant TSOD"); + } + + return (NULL); +} + +static device_method_t jedec_dimm_methods[] = { + /* Methods from the device interface */ + DEVMETHOD(device_probe, jedec_dimm_probe), + DEVMETHOD(device_attach, jedec_dimm_attach), + DEVMETHOD(device_detach, jedec_dimm_detach), + DEVMETHOD_END +}; + +static driver_t jedec_dimm_driver = { + .name = "jedec_dimm", + .methods = jedec_dimm_methods, + .size = sizeof(struct jedec_dimm_softc), +}; + +static devclass_t jedec_dimm_devclass; + +DRIVER_MODULE(jedec_dimm, smbus, jedec_dimm_driver, jedec_dimm_devclass, 0, 0); +MODULE_DEPEND(jedec_dimm, smbus, SMBUS_MINVER, SMBUS_PREFVER, SMBUS_MAXVER); +MODULE_VERSION(jedec_dimm, 1); + +/* vi: set ts=8 sw=4 sts=8 noet: */ diff --git a/sys/dev/jedec_dimm/jedec_dimm.h b/sys/dev/jedec_dimm/jedec_dimm.h new file mode 100644 index 0000000..f6c5485 --- /dev/null +++ b/sys/dev/jedec_dimm/jedec_dimm.h @@ -0,0 +1,147 @@ +/*- + * SPDX-License-Identifier: BSD-2-Clause-FreeBSD + * + * Authors: Ravi Pokala (rpokala@freebsd.org) + * + * Copyright (c) 2018 Panasas + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD$ + */ + +#ifndef _DEV__JEDEC_DIMM__JEDEC_DIMM_H_ +#define _DEV__JEDEC_DIMM__JEDEC_DIMM_H_ + +/* JEDEC DIMMs include one or more SMBus devices. + * + * At a minimum, they have an EEPROM containing either 256 bytes (DDR3) or 512 + * bytes (DDR4) of "Serial Presence Detect" (SPD) information. The SPD contains + * data used by the memory controller to configure itself, and it also includes + * asset information. The layout of SPD data is defined in: + * + * JEDEC Standard 21-C, Annex K (DDR3) + * JEDEC Standard 21-C, Annex L (DDR4) + * + * DIMMs may also include a "Thermal Sensor on DIMM" (TSOD), which reports + * temperature data. While not strictly required, the TSOD is so often included + * that JEDEC defined standards for single chips which include both SPD and TSOD + * functions. They respond on multiple SMBus addresses, depending on the + * function. + * + * JEDEC Standard 21-C, TSE2002av (DDR3) + * JEDEC Standard 21-C, TSE2004av (DDR4) + */ + +/* TSE2004av defines several Device Type Identifiers (DTIs), which are the high + * nybble of the SMBus address. Addresses with DTIs of PROTECT (or PAGE, which + * has the same value) are essentially "broadcast" addresses; all SPD devices + * respond to them, changing their mode based on the Logical Serial Address + * (LSA) encoded in bits [3:1]. For normal SPD access, bits [3:1] encode the + * DIMM slot number. + */ +#define JEDEC_SPD_PAGE_SIZE 256 +#define JEDEC_DTI_SPD 0xa0 +#define JEDEC_DTI_TSOD 0x30 +#define JEDEC_DTI_PROTECT 0x60 +#define JEDEC_LSA_PROTECT_SET0 0x02 +#define JEDEC_LSA_PROTECT_SET1 0x08 +#define JEDEC_LSA_PROTECT_SET2 0x0a +#define JEDEC_LSA_PROTECT_SET3 0x00 +#define JEDEC_LSA_PROTECT_CLR 0x06 +#define JEDEC_LSA_PROTECT_GET0 0x03 +#define JEDEC_LSA_PROTECT_GET1 0x09 +#define JEDEC_LSA_PROTECT_GET2 0x0b +#define JEDEC_LSA_PROTECT_GET3 0x01 +#define JEDEC_DTI_PAGE 0x60 +#define JEDEC_LSA_PAGE_SET0 0x0c +#define JEDEC_LSA_PAGE_SET1 0x0e +#define JEDEC_LSA_PAGE_GET 0x0d + +/* The offsets and lengths of various SPD bytes are defined in Annex K (DDR3) + * and Annex L (DDR4). Conveniently, the DRAM type is at the same offset for + * both versions. + * + * This list only includes information needed to get the asset information and + * calculate the DIMM capacity. + */ +#define SPD_OFFSET_DRAM_TYPE 2 +#define SPD_OFFSET_DDR3_SDRAM_CAPACITY 4 +#define SPD_OFFSET_DDR3_DIMM_RANKS 7 +#define SPD_OFFSET_DDR3_SDRAM_WIDTH 7 +#define SPD_OFFSET_DDR3_BUS_WIDTH 8 +#define SPD_OFFSET_DDR3_TSOD_PRESENT 32 +#define SPD_OFFSET_DDR3_SERIAL 122 +#define SPD_LEN_DDR3_SERIAL 4 +#define SPD_OFFSET_DDR3_PARTNUM 128 +#define SPD_LEN_DDR3_PARTNUM 18 +#define SPD_OFFSET_DDR4_SDRAM_CAPACITY 4 +#define SPD_OFFSET_DDR4_SDRAM_PKG_TYPE 6 +#define SPD_OFFSET_DDR4_DIMM_RANKS 12 +#define SPD_OFFSET_DDR4_SDRAM_WIDTH 12 +#define SPD_OFFSET_DDR4_BUS_WIDTH 13 +#define SPD_OFFSET_DDR4_TSOD_PRESENT 14 +#define SPD_OFFSET_DDR4_SERIAL 325 +#define SPD_LEN_DDR4_SERIAL 4 +#define SPD_OFFSET_DDR4_PARTNUM 329 +#define SPD_LEN_DDR4_PARTNUM 20 + +/* The "DRAM Type" field of the SPD enumerates various memory technologies which + * have been used over the years. The list is append-only, so we need only refer + * to the latest SPD specification. In this case, Annex L for DDR4. + */ +enum dram_type { + DRAM_TYPE_RESERVED = 0x00, + DRAM_TYPE_FAST_PAGE_MODE = 0x01, + DRAM_TYPE_EDO = 0x02, + DRAM_TYPE_PIPLEINED_NYBBLE = 0x03, + DRAM_TYPE_SDRAM = 0x04, + DRAM_TYPE_ROM = 0x05, + DRAM_TYPE_DDR_SGRAM = 0x06, + DRAM_TYPE_DDR_SDRAM = 0x07, + DRAM_TYPE_DDR2_SDRAM = 0x08, + DRAM_TYPE_DDR2_SDRAM_FBDIMM = 0x09, + DRAM_TYPE_DDR2_SDRAM_FBDIMM_PROBE = 0x0a, + DRAM_TYPE_DDR3_SDRAM = 0x0b, + DRAM_TYPE_DDR4_SDRAM = 0x0c, + DRAM_TYPE_RESERVED_0D = 0x0d, + DRAM_TYPE_DDR4E_SDRAM = 0x0e, + DRAM_TYPE_LPDDR3_SDRAM = 0x0f, + DRAM_TYPE_LPDDR4_SDRAM = 0x10, +}; + +/* The TSOD is accessed using a simple word interface, which is identical + * between TSE2002av (DDR3) and TSE2004av (DDR4). + */ +#define TSOD_REG_CAPABILITES 0 +#define TSOD_REG_CONFIG 1 +#define TSOD_REG_LIM_HIGH 2 +#define TSOD_REG_LIM_LOW 3 +#define TSOD_REG_LIM_CRIT 4 +#define TSOD_REG_TEMPERATURE 5 +#define TSOD_REG_MANUFACTURER 6 +#define TSOD_REG_DEV_REV 7 + +#endif /* _DEV__JEDEC_DIMM__JEDEC_DIMM_H_ */ + +/* vi: set ts=8 sw=4 sts=8 noet: */ diff --git a/sys/dev/mxge/if_mxge.c b/sys/dev/mxge/if_mxge.c index c14fda9..f7d09e6 100644 --- a/sys/dev/mxge/if_mxge.c +++ b/sys/dev/mxge/if_mxge.c @@ -4161,11 +4161,6 @@ mxge_ioctl(struct ifnet *ifp, u_long command, caddr_t data) err = 0; switch (command) { - case SIOCSIFADDR: - case SIOCGIFADDR: - err = ether_ioctl(ifp, command, data); - break; - case SIOCSIFMTU: err = mxge_change_mtu(sc, ifr->ifr_mtu); break; @@ -4289,7 +4284,8 @@ mxge_ioctl(struct ifnet *ifp, u_long command, caddr_t data) break; default: - err = ENOTTY; + err = ether_ioctl(ifp, command, data); + break; } return err; } diff --git a/sys/dev/nctgpio/nctgpio.c b/sys/dev/nctgpio/nctgpio.c index 30c364f..e0edbd9 100644 --- a/sys/dev/nctgpio/nctgpio.c +++ b/sys/dev/nctgpio/nctgpio.c @@ -140,6 +140,10 @@ struct nuvoton_vendor_device_id { .chip_id = 0xc452, .descr = "Nuvoton NCT5104D (PC-Engines APU)", }, + { + .chip_id = 0xc453, + .descr = "Nuvoton NCT5104D (PC-Engines APU3)", + }, }; static void diff --git a/sys/dev/usb/quirk/usb_quirk.c b/sys/dev/usb/quirk/usb_quirk.c index a451ee0..42b7cc7 100644 --- a/sys/dev/usb/quirk/usb_quirk.c +++ b/sys/dev/usb/quirk/usb_quirk.c @@ -136,6 +136,8 @@ static struct usb_quirk_entry usb_quirks[USB_DEV_QUIRKS_MAX] = { USB_QUIRK(CORSAIR, K60, 0x0000, 0xffff, UQ_KBD_BOOTPROTO), /* Quirk for Corsair Vengeance K70 keyboard */ USB_QUIRK(CORSAIR, K70, 0x0000, 0xffff, UQ_KBD_BOOTPROTO), + /* Quirk for Corsair K70 RGB keyboard */ + USB_QUIRK(CORSAIR, K70_RGB, 0x0000, 0xffff, UQ_KBD_BOOTPROTO), /* Quirk for Corsair STRAFE Gaming keyboard */ USB_QUIRK(CORSAIR, STRAFE, 0x0000, 0xffff, UQ_KBD_BOOTPROTO), /* umodem(4) device quirks */ diff --git a/sys/dev/usb/usbdevs b/sys/dev/usb/usbdevs index f191a24..5717a99 100644 --- a/sys/dev/usb/usbdevs +++ b/sys/dev/usb/usbdevs @@ -1520,6 +1520,7 @@ product COREGA FETHER_USB_TXC 0x9601 FEther USB-TXC /* Corsair products */ product CORSAIR K60 0x0a60 Corsair Vengeance K60 keyboard product CORSAIR K70 0x1b09 Corsair Vengeance K70 keyboard +product CORSAIR K70_RGB 0x1b13 Corsair K70 RGB Keyboard product CORSAIR STRAFE 0x1b15 Cossair STRAFE Gaming keyboard /* Creative products */ diff --git a/sys/dev/usb/usbdi.h b/sys/dev/usb/usbdi.h index 202ad89..1a59fbb 100644 --- a/sys/dev/usb/usbdi.h +++ b/sys/dev/usb/usbdi.h @@ -334,7 +334,7 @@ struct usb_device_id { unsigned long driver_info; } __aligned(32); -#define USB_STD_PNP_INFO "M16:mask;U16:vendor;U16:product;L16:product;G16:product;" \ +#define USB_STD_PNP_INFO "M16:mask;U16:vendor;U16:product;L16:release;G16:release;" \ "U8:devclass;U8:devsubclass;U8:devprotocol;" \ "U8:intclass;U8:intsubclass;U8:intprotocol;" #define USB_STD_PNP_HOST_INFO USB_STD_PNP_INFO "T:mode=host;" diff --git a/sys/geom/mirror/g_mirror.c b/sys/geom/mirror/g_mirror.c index 216adb5..8903dfe 100644 --- a/sys/geom/mirror/g_mirror.c +++ b/sys/geom/mirror/g_mirror.c @@ -1334,9 +1334,7 @@ g_mirror_sync_request(struct g_mirror_softc *sc, struct bio *bp) */ switch (bp->bio_cmd) { case BIO_READ: { - struct g_mirror_disk *d; struct g_consumer *cp; - int readable; KFAIL_POINT_ERROR(DEBUG_FP, g_mirror_sync_request_read, bp->bio_error); @@ -1347,31 +1345,17 @@ g_mirror_sync_request(struct g_mirror_softc *sc, struct bio *bp) bp->bio_error); /* - * If there's at least one other disk from which we can - * read the block, retry the request. - */ - readable = 0; - LIST_FOREACH(d, &sc->sc_disks, d_next) - if (d->d_state == G_MIRROR_DISK_STATE_ACTIVE && - !(d->d_flags & G_MIRROR_DISK_FLAG_BROKEN)) - readable++; - - /* * The read error will trigger a syncid bump, so there's * no need to do that here. * - * If we can retry the read from another disk, do so. - * Otherwise, all we can do is kick out the new disk. + * The read error handling for regular requests will + * retry the read from all active mirrors before passing + * the error back up, so there's no need to retry here. */ - if (readable == 0) { - g_mirror_sync_request_free(disk, bp); - g_mirror_event_send(disk, - G_MIRROR_DISK_STATE_DISCONNECTED, - G_MIRROR_EVENT_DONTWAIT); - } else { - g_mirror_sync_reinit(disk, bp, bp->bio_offset); - goto retry_read; - } + g_mirror_sync_request_free(disk, bp); + g_mirror_event_send(disk, + G_MIRROR_DISK_STATE_DISCONNECTED, + G_MIRROR_EVENT_DONTWAIT); return; } G_MIRROR_LOGREQ(3, bp, @@ -1427,7 +1411,6 @@ g_mirror_sync_request(struct g_mirror_softc *sc, struct bio *bp) g_mirror_sync_reinit(disk, bp, sync->ds_offset); sync->ds_offset += bp->bio_length; -retry_read: G_MIRROR_LOGREQ(3, bp, "Sending synchronization request."); sync->ds_consumer->index++; diff --git a/sys/geom/nop/g_nop.c b/sys/geom/nop/g_nop.c index f36472d..743811a 100644 --- a/sys/geom/nop/g_nop.c +++ b/sys/geom/nop/g_nop.c @@ -124,6 +124,11 @@ g_nop_start(struct bio *bp) break; case BIO_GETATTR: sc->sc_getattrs++; + if (sc->sc_physpath && + g_handleattr_str(bp, "GEOM::physpath", sc->sc_physpath)) { + mtx_unlock(&sc->sc_lock); + return; + } break; case BIO_FLUSH: sc->sc_flushes++; @@ -180,7 +185,7 @@ g_nop_access(struct g_provider *pp, int dr, int dw, int de) static int g_nop_create(struct gctl_req *req, struct g_class *mp, struct g_provider *pp, int ioerror, u_int rfailprob, u_int wfailprob, off_t offset, off_t size, - u_int secsize, u_int stripesize, u_int stripeoffset) + u_int secsize, u_int stripesize, u_int stripeoffset, const char *physpath) { struct g_nop_softc *sc; struct g_geom *gp; @@ -251,6 +256,10 @@ g_nop_create(struct gctl_req *req, struct g_class *mp, struct g_provider *pp, sc->sc_explicitsize = explicitsize; sc->sc_stripesize = stripesize; sc->sc_stripeoffset = stripeoffset; + if (physpath && strcmp(physpath, G_NOP_PHYSPATH_PASSTHROUGH)) { + sc->sc_physpath = strndup(physpath, MAXPATHLEN, M_GEOM); + } else + sc->sc_physpath = NULL; sc->sc_error = ioerror; sc->sc_rfailprob = rfailprob; sc->sc_wfailprob = wfailprob; @@ -297,6 +306,7 @@ fail: g_destroy_consumer(cp); g_destroy_provider(newpp); mtx_destroy(&sc->sc_lock); + free(sc->sc_physpath, M_GEOM); g_free(gp->softc); g_destroy_geom(gp); return (error); @@ -312,6 +322,7 @@ g_nop_destroy(struct g_geom *gp, boolean_t force) sc = gp->softc; if (sc == NULL) return (ENXIO); + free(sc->sc_physpath, M_GEOM); pp = LIST_FIRST(&gp->provider); if (pp != NULL && (pp->acr != 0 || pp->acw != 0 || pp->ace != 0)) { if (force) { @@ -346,7 +357,7 @@ g_nop_ctl_create(struct gctl_req *req, struct g_class *mp) struct g_provider *pp; intmax_t *error, *rfailprob, *wfailprob, *offset, *secsize, *size, *stripesize, *stripeoffset; - const char *name; + const char *name, *physpath; char param[16]; int i, *nargs; @@ -429,6 +440,7 @@ g_nop_ctl_create(struct gctl_req *req, struct g_class *mp) gctl_error(req, "Invalid '%s' argument", "stripeoffset"); return; } + physpath = gctl_get_asciiparam(req, "physpath"); for (i = 0; i < *nargs; i++) { snprintf(param, sizeof(param), "arg%d", i); @@ -450,7 +462,8 @@ g_nop_ctl_create(struct gctl_req *req, struct g_class *mp) *rfailprob == -1 ? 0 : (u_int)*rfailprob, *wfailprob == -1 ? 0 : (u_int)*wfailprob, (off_t)*offset, (off_t)*size, (u_int)*secsize, - (u_int)*stripesize, (u_int)*stripeoffset) != 0) { + (u_int)*stripesize, (u_int)*stripeoffset, + physpath) != 0) { return; } } diff --git a/sys/geom/nop/g_nop.h b/sys/geom/nop/g_nop.h index beba43e..34a0526 100644 --- a/sys/geom/nop/g_nop.h +++ b/sys/geom/nop/g_nop.h @@ -32,6 +32,11 @@ #define G_NOP_CLASS_NAME "NOP" #define G_NOP_VERSION 4 #define G_NOP_SUFFIX ".nop" +/* + * Special flag to instruct gnop to passthrough the underlying provider's + * physical path + */ +#define G_NOP_PHYSPATH_PASSTHROUGH "\255" #ifdef _KERNEL #define G_NOP_DEBUG(lvl, ...) do { \ @@ -73,6 +78,7 @@ struct g_nop_softc { uintmax_t sc_cmd2s; uintmax_t sc_readbytes; uintmax_t sc_wrotebytes; + char* sc_physpath; struct mtx sc_lock; }; #endif /* _KERNEL */ diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index 3a26b4e..2a375f2 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -1004,7 +1004,7 @@ exec_map_first_page(imgp) if ((ma[i] = vm_page_next(ma[i - 1])) != NULL) { if (ma[i]->valid) break; - if (vm_page_tryxbusy(ma[i])) + if (!vm_page_tryxbusy(ma[i])) break; } else { ma[i] = vm_page_alloc(object, i, diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c index 48f6e64..b7cdafd 100644 --- a/sys/kern/sysv_msg.c +++ b/sys/kern/sysv_msg.c @@ -1493,7 +1493,8 @@ SYSCTL_INT(_kern_ipc, OID_AUTO, msgseg, CTLFLAG_RDTUN, &msginfo.msgseg, 0, "Number of message segments"); SYSCTL_PROC(_kern_ipc, OID_AUTO, msqids, CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_MPSAFE, - NULL, 0, sysctl_msqids, "", "Message queue IDs"); + NULL, 0, sysctl_msqids, "", + "Array of struct msqid_kernel for each potential message queue"); static int msg_prison_check(void *obj, void *data) diff --git a/sys/kern/sysv_sem.c b/sys/kern/sysv_sem.c index deae3b0..9f2203d 100644 --- a/sys/kern/sysv_sem.c +++ b/sys/kern/sysv_sem.c @@ -221,7 +221,8 @@ SYSCTL_INT(_kern_ipc, OID_AUTO, semaem, CTLFLAG_RWTUN, &seminfo.semaem, 0, "Adjust on exit max value"); SYSCTL_PROC(_kern_ipc, OID_AUTO, sema, CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_MPSAFE, - NULL, 0, sysctl_sema, "", "Semaphore id pool"); + NULL, 0, sysctl_sema, "", + "Array of struct semid_kernel for each potential semaphore"); static struct syscall_helper_data sem_syscalls[] = { SYSCALL_INIT_HELPER(__semctl), diff --git a/sys/kern/sysv_shm.c b/sys/kern/sysv_shm.c index c17d791..6c77ff2 100644 --- a/sys/kern/sysv_shm.c +++ b/sys/kern/sysv_shm.c @@ -190,7 +190,7 @@ SYSCTL_INT(_kern_ipc, OID_AUTO, shm_allow_removed, CTLFLAG_RWTUN, "Enable/Disable attachment to attached segments marked for removal"); SYSCTL_PROC(_kern_ipc, OID_AUTO, shmsegs, CTLTYPE_OPAQUE | CTLFLAG_RD | CTLFLAG_MPSAFE, NULL, 0, sysctl_shmsegs, "", - "Current number of shared memory segments allocated"); + "Array of struct shmid_kernel for each potential shared memory segment"); static struct sx sysvshmsx; #define SYSVSHM_LOCK() sx_xlock(&sysvshmsx) diff --git a/sys/modules/Makefile b/sys/modules/Makefile index 5569895..812f688 100644 --- a/sys/modules/Makefile +++ b/sys/modules/Makefile @@ -36,6 +36,7 @@ SUBDIR= \ alq \ ${_amd_ecc_inject} \ ${_amdsbwd} \ + ${_amdsmn} \ ${_amdtemp} \ amr \ ${_an} \ @@ -631,6 +632,7 @@ _aesni= aesni .endif _amd_ecc_inject=amd_ecc_inject _amdsbwd= amdsbwd +_amdsmn= amdsmn _amdtemp= amdtemp _arcmsr= arcmsr _asmc= asmc diff --git a/sys/modules/amdsmn/Makefile b/sys/modules/amdsmn/Makefile new file mode 100644 index 0000000..1f03027 --- /dev/null +++ b/sys/modules/amdsmn/Makefile @@ -0,0 +1,8 @@ +# $FreeBSD$ + +.PATH: ${SRCTOP}/sys/dev/amdsmn + +KMOD= amdsmn +SRCS= amdsmn.c bus_if.h device_if.h pci_if.h + +.include <bsd.kmod.mk> diff --git a/sys/modules/i2c/Makefile b/sys/modules/i2c/Makefile index 5e73eb3..fa41c4f 100644 --- a/sys/modules/i2c/Makefile +++ b/sys/modules/i2c/Makefile @@ -14,6 +14,7 @@ SUBDIR = \ iicsmb \ isl \ isl12xx \ + jedec_dimm \ jedec_ts \ nxprtc \ s35390a \ diff --git a/sys/modules/i2c/jedec_dimm/Makefile b/sys/modules/i2c/jedec_dimm/Makefile new file mode 100644 index 0000000..35e66c3 --- /dev/null +++ b/sys/modules/i2c/jedec_dimm/Makefile @@ -0,0 +1,7 @@ +# $FreeBSD$ + +.PATH: ${.CURDIR}/../../../dev/jedec_dimm +KMOD = jedec_dimm +SRCS = jedec_dimm.c jedec_dimm.h bus_if.h device_if.h smbus_if.h + +.include <bsd.kmod.mk> diff --git a/sys/netinet6/icmp6.c b/sys/netinet6/icmp6.c index 790c431..53a228c 100644 --- a/sys/netinet6/icmp6.c +++ b/sys/netinet6/icmp6.c @@ -2302,6 +2302,14 @@ icmp6_redirect_input(struct mbuf *m, int off) goto bad; } + /* + * Embed scope zone id into next hop address, since + * fib6_lookup_nh_basic() returns address without embedded + * scope zone id. + */ + if (in6_setscope(&nh6.nh_addr, m->m_pkthdr.rcvif, NULL)) + goto freeit; + if (IN6_ARE_ADDR_EQUAL(&src6, &nh6.nh_addr) == 0) { nd6log((LOG_ERR, "ICMP6 redirect rejected; " diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c index d473995..a6e2841 100644 --- a/sys/netinet6/in6.c +++ b/sys/netinet6/in6.c @@ -1449,7 +1449,7 @@ in6ifa_ifpforlinklocal(struct ifnet *ifp, int ignoreflags) /* - * find the internet address corresponding to a given address. + * find the interface address corresponding to a given IPv6 address. * ifaddr is returned referenced. */ struct in6_ifaddr * diff --git a/sys/netinet6/nd6_rtr.c b/sys/netinet6/nd6_rtr.c index c5ce353..e8044f7 100644 --- a/sys/netinet6/nd6_rtr.c +++ b/sys/netinet6/nd6_rtr.c @@ -406,8 +406,11 @@ nd6_ra_input(struct mbuf *m, int off, int icmp6len) int change = (ndi->linkmtu != mtu); ndi->linkmtu = mtu; - if (change) /* in6_maxmtu may change */ + if (change) { + /* in6_maxmtu may change */ in6_setmaxmtu(); + rt_updatemtu(ifp); + } } else { nd6log((LOG_INFO, "nd6_ra_input: bogus mtu " "mtu=%lu sent from %s; " diff --git a/sys/netinet6/scope6.c b/sys/netinet6/scope6.c index a00842e..e5da367 100644 --- a/sys/netinet6/scope6.c +++ b/sys/netinet6/scope6.c @@ -409,7 +409,7 @@ in6_setscope(struct in6_addr *in6, struct ifnet *ifp, u_int32_t *ret_id) if (scope == IPV6_ADDR_SCOPE_INTFACELOCAL || scope == IPV6_ADDR_SCOPE_LINKLOCAL) { /* - * Currently we use interface indeces as the + * Currently we use interface indices as the * zone IDs for interface-local and link-local * scopes. */ diff --git a/sys/netipsec/ipsec.c b/sys/netipsec/ipsec.c index fd53da9..92dbaa9 100644 --- a/sys/netipsec/ipsec.c +++ b/sys/netipsec/ipsec.c @@ -108,7 +108,6 @@ VNET_PCPUSTAT_SYSINIT(ipsec4stat); VNET_PCPUSTAT_SYSUNINIT(ipsec4stat); #endif /* VIMAGE */ -VNET_DEFINE(int, ip4_ah_offsetmask) = 0; /* maybe IP_DF? */ /* DF bit on encap. 0: clear 1: set 2: copy */ VNET_DEFINE(int, ip4_ipsec_dfbit) = 0; VNET_DEFINE(int, ip4_esp_trans_deflev) = IPSEC_LEVEL_USE; @@ -117,7 +116,6 @@ VNET_DEFINE(int, ip4_ah_trans_deflev) = IPSEC_LEVEL_USE; VNET_DEFINE(int, ip4_ah_net_deflev) = IPSEC_LEVEL_USE; /* ECN ignore(-1)/forbidden(0)/allowed(1) */ VNET_DEFINE(int, ip4_ipsec_ecn) = 0; -VNET_DEFINE(int, ip4_esp_randpad) = -1; static VNET_DEFINE(int, ip4_filtertunnel) = 0; #define V_ip4_filtertunnel VNET(ip4_filtertunnel) @@ -192,9 +190,6 @@ SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DEF_AH_NETLEV, ah_net_deflev, SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_CLEARTOS, ah_cleartos, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ah_cleartos), 0, "If set, clear type-of-service field when doing AH computation."); -SYSCTL_INT(_net_inet_ipsec, IPSECCTL_AH_OFFSETMASK, ah_offsetmask, - CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ah_offsetmask), 0, - "If not set, clear offset field mask when doing AH computation."); SYSCTL_INT(_net_inet_ipsec, IPSECCTL_DFBIT, dfbit, CTLFLAG_VNET | CTLFLAG_RW, &VNET_NAME(ip4_ipsec_dfbit), 0, "Do not fragment bit on encap."); diff --git a/sys/netipsec/ipsec.h b/sys/netipsec/ipsec.h index 1e73c01..46ce853 100644 --- a/sys/netipsec/ipsec.h +++ b/sys/netipsec/ipsec.h @@ -278,10 +278,8 @@ VNET_DECLARE(int, ip4_esp_trans_deflev); VNET_DECLARE(int, ip4_esp_net_deflev); VNET_DECLARE(int, ip4_ah_trans_deflev); VNET_DECLARE(int, ip4_ah_net_deflev); -VNET_DECLARE(int, ip4_ah_offsetmask); VNET_DECLARE(int, ip4_ipsec_dfbit); VNET_DECLARE(int, ip4_ipsec_ecn); -VNET_DECLARE(int, ip4_esp_randpad); VNET_DECLARE(int, crypto_support); VNET_DECLARE(int, async_crypto); VNET_DECLARE(int, natt_cksum_policy); @@ -292,10 +290,8 @@ VNET_DECLARE(int, natt_cksum_policy); #define V_ip4_esp_net_deflev VNET(ip4_esp_net_deflev) #define V_ip4_ah_trans_deflev VNET(ip4_ah_trans_deflev) #define V_ip4_ah_net_deflev VNET(ip4_ah_net_deflev) -#define V_ip4_ah_offsetmask VNET(ip4_ah_offsetmask) #define V_ip4_ipsec_dfbit VNET(ip4_ipsec_dfbit) #define V_ip4_ipsec_ecn VNET(ip4_ipsec_ecn) -#define V_ip4_esp_randpad VNET(ip4_esp_randpad) #define V_crypto_support VNET(crypto_support) #define V_async_crypto VNET(async_crypto) #define V_natt_cksum_policy VNET(natt_cksum_policy) diff --git a/sys/netipsec/xform_ah.c b/sys/netipsec/xform_ah.c index 530542d..44d4b1b 100644 --- a/sys/netipsec/xform_ah.c +++ b/sys/netipsec/xform_ah.c @@ -582,6 +582,16 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) error = EACCES; goto bad; } + if (skip + authsize + rplen > m->m_pkthdr.len) { + DPRINTF(("%s: bad mbuf length %u (expecting %lu)" + " for packet in SA %s/%08lx\n", __func__, + m->m_pkthdr.len, (u_long) (skip + authsize + rplen), + ipsec_address(&sav->sah->saidx.dst, buf, sizeof(buf)), + (u_long) ntohl(sav->spi))); + AHSTAT_INC(ahs_badauthl); + error = EACCES; + goto bad; + } AHSTAT_ADD(ahs_ibytes, m->m_pkthdr.len - skip - hl); /* Get crypto descriptors. */ @@ -626,6 +636,9 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* Zeroize the authenticator on the packet. */ m_copyback(m, skip + rplen, authsize, ipseczeroes); + /* Save ah_nxt, since ah pointer can become invalid after "massage" */ + hl = ah->ah_nxt; + /* "Massage" the packet headers for crypto processing. */ error = ah_massage_headers(&m, sav->sah->saidx.dst.sa.sa_family, skip, ahx->type, 0); @@ -650,7 +663,7 @@ ah_input(struct mbuf *m, struct secasvar *sav, int skip, int protoff) /* These are passed as-is to the callback. */ xd->sav = sav; - xd->nxt = ah->ah_nxt; + xd->nxt = hl; xd->protoff = protoff; xd->skip = skip; xd->cryptoid = cryptoid; diff --git a/sys/opencrypto/cryptodev.c b/sys/opencrypto/cryptodev.c index bda77c7..0784570 100644 --- a/sys/opencrypto/cryptodev.c +++ b/sys/opencrypto/cryptodev.c @@ -443,6 +443,7 @@ cryptof_ioctl( default: CRYPTDEB("invalid cipher"); + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); } @@ -490,6 +491,7 @@ cryptof_ioctl( break; default: CRYPTDEB("invalid mac"); + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); } @@ -503,6 +505,8 @@ cryptof_ioctl( sop->keylen < txform->minkey) { CRYPTDEB("invalid cipher parameters"); error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, + __LINE__); goto bail; } @@ -511,6 +515,8 @@ cryptof_ioctl( if ((error = copyin(sop->key, crie.cri_key, crie.cri_klen / 8))) { CRYPTDEB("invalid key"); + SDT_PROBE1(opencrypto, dev, ioctl, error, + __LINE__); goto bail; } if (thash) @@ -523,6 +529,8 @@ cryptof_ioctl( if (sop->mackeylen != thash->keysize) { CRYPTDEB("invalid mac key length"); error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, + __LINE__); goto bail; } @@ -532,6 +540,8 @@ cryptof_ioctl( if ((error = copyin(sop->mackey, cria.cri_key, cria.cri_klen / 8))) { CRYPTDEB("invalid mac key"); + SDT_PROBE1(opencrypto, dev, ioctl, + error, __LINE__); goto bail; } } @@ -547,6 +557,8 @@ cryptof_ioctl( error = checkforsoftware(&crid); if (error) { CRYPTDEB("checkforsoftware"); + SDT_PROBE1(opencrypto, dev, ioctl, error, + __LINE__); goto bail; } } else @@ -554,6 +566,7 @@ cryptof_ioctl( error = crypto_newsession(&sid, (txform ? &crie : &cria), crid); if (error) { CRYPTDEB("crypto_newsession"); + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; } @@ -564,6 +577,7 @@ cryptof_ioctl( if (cse == NULL) { crypto_freesession(sid); error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); CRYPTDEB("csecreate"); goto bail; } @@ -596,8 +610,10 @@ bail: case CIOCFSESSION: ses = *(u_int32_t *)data; cse = csefind(fcr, ses); - if (cse == NULL) + if (cse == NULL) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); + } csedelete(fcr, cse); error = csefree(cse); break; @@ -627,8 +643,10 @@ bail: case CIOCKEY32: case CIOCKEY232: #endif - if (!crypto_userasymcrypto) + if (!crypto_userasymcrypto) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EPERM); /* XXX compat? */ + } #ifdef COMPAT_FREEBSD32 if (cmd == CIOCKEY32 || cmd == CIOCKEY232) { kop = &kopc; @@ -662,8 +680,12 @@ bail: * fallback to doing them in software. */ *(int *)data = 0; - } else + } else { error = crypto_getfeat((int *)data); + if (error) + SDT_PROBE1(opencrypto, dev, ioctl, error, + __LINE__); + } break; case CIOCFINDDEV: error = cryptodev_find((struct crypt_find_op *)data); @@ -671,12 +693,15 @@ bail: case CIOCCRYPTAEAD: caead = (struct crypt_aead *)data; cse = csefind(fcr, caead->ses); - if (cse == NULL) + if (cse == NULL) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); + } error = cryptodev_aead(cse, caead, active_cred, td); break; default: error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); break; } return (error); @@ -887,18 +912,22 @@ cryptodev_aead( struct cryptodesc *crde = NULL, *crda = NULL; int error; - if (caead->len > 256*1024-4 || caead->aadlen > 256*1024-4) + if (caead->len > 256*1024-4 || caead->aadlen > 256*1024-4) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (E2BIG); + } if (cse->txform == NULL || cse->thash == NULL || caead->tag == NULL || - (caead->len % cse->txform->blocksize) != 0) + (caead->len % cse->txform->blocksize) != 0) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); + } uio = &cse->uio; uio->uio_iov = &cse->iovec; uio->uio_iovcnt = 1; uio->uio_offset = 0; - uio->uio_resid = caead->len + caead->aadlen + cse->thash->hashsize; + uio->uio_resid = caead->aadlen + caead->len + cse->thash->hashsize; uio->uio_segflg = UIO_SYSSPACE; uio->uio_rw = UIO_WRITE; uio->uio_td = td; @@ -910,23 +939,28 @@ cryptodev_aead( crp = crypto_getreq(2); if (crp == NULL) { error = ENOMEM; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; } crda = crp->crp_desc; crde = crda->crd_next; - if ((error = copyin(caead->src, cse->uio.uio_iov[0].iov_base, - caead->len))) + if ((error = copyin(caead->aad, cse->uio.uio_iov[0].iov_base, + caead->aadlen))) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } - if ((error = copyin(caead->aad, (char *)cse->uio.uio_iov[0].iov_base + - caead->len, caead->aadlen))) + if ((error = copyin(caead->src, (char *)cse->uio.uio_iov[0].iov_base + + caead->aadlen, caead->len))) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } - crda->crd_skip = caead->len; + crda->crd_skip = 0; crda->crd_len = caead->aadlen; - crda->crd_inject = caead->len + caead->aadlen; + crda->crd_inject = caead->aadlen + caead->len; crda->crd_alg = cse->mac; crda->crd_key = cse->mackey; @@ -936,15 +970,15 @@ cryptodev_aead( crde->crd_flags |= CRD_F_ENCRYPT; else crde->crd_flags &= ~CRD_F_ENCRYPT; - /* crde->crd_skip set below */ + crde->crd_skip = caead->aadlen; crde->crd_len = caead->len; - crde->crd_inject = 0; + crde->crd_inject = caead->aadlen; crde->crd_alg = cse->cipher; crde->crd_key = cse->key; crde->crd_klen = cse->keylen * 8; - crp->crp_ilen = caead->len + caead->aadlen; + crp->crp_ilen = caead->aadlen + caead->len; crp->crp_flags = CRYPTO_F_IOV | CRYPTO_F_CBIMM | (caead->flags & COP_F_BATCH); crp->crp_buf = (caddr_t)&cse->uio.uio_iov; @@ -955,23 +989,27 @@ cryptodev_aead( if (caead->iv) { if (caead->ivlen > sizeof cse->tmp_iv) { error = EINVAL; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; } - if ((error = copyin(caead->iv, cse->tmp_iv, caead->ivlen))) + if ((error = copyin(caead->iv, cse->tmp_iv, caead->ivlen))) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } bcopy(cse->tmp_iv, crde->crd_iv, caead->ivlen); crde->crd_flags |= CRD_F_IV_EXPLICIT | CRD_F_IV_PRESENT; - crde->crd_skip = 0; } else { crde->crd_flags |= CRD_F_IV_PRESENT; - crde->crd_skip = cse->txform->blocksize; + crde->crd_skip += cse->txform->blocksize; crde->crd_len -= cse->txform->blocksize; } if ((error = copyin(caead->tag, (caddr_t)cse->uio.uio_iov[0].iov_base + - caead->len + caead->aadlen, cse->thash->hashsize))) + caead->len + caead->aadlen, cse->thash->hashsize))) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } again: /* * Let the dispatch run unlocked, then, interlock against the @@ -986,8 +1024,10 @@ again: error = msleep(crp, &cse->lock, PWAIT, "crydev", 0); mtx_unlock(&cse->lock); - if (error != 0) + if (error != 0) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } if (crp->crp_etype == EAGAIN) { crp->crp_etype = 0; @@ -997,21 +1037,28 @@ again: if (crp->crp_etype != 0) { error = crp->crp_etype; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; } if (cse->error) { error = cse->error; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; } - if (caead->dst && (error = copyout(cse->uio.uio_iov[0].iov_base, - caead->dst, caead->len))) + if (caead->dst && (error = copyout( + (caddr_t)cse->uio.uio_iov[0].iov_base + caead->aadlen, caead->dst, + caead->len))) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } if ((error = copyout((caddr_t)cse->uio.uio_iov[0].iov_base + - caead->len + caead->aadlen, caead->tag, cse->thash->hashsize))) + caead->aadlen + caead->len, caead->tag, cse->thash->hashsize))) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto bail; + } bail: crypto_freereq(crp); @@ -1050,6 +1097,7 @@ cryptodev_key(struct crypt_kop *kop) int in, out, size, i; if (kop->crk_iparams + kop->crk_oparams > CRK_MAXPARAM) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EFBIG); } @@ -1059,30 +1107,38 @@ cryptodev_key(struct crypt_kop *kop) case CRK_MOD_EXP: if (in == 3 && out == 1) break; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); case CRK_MOD_EXP_CRT: if (in == 6 && out == 1) break; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); case CRK_DSA_SIGN: if (in == 5 && out == 2) break; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); case CRK_DSA_VERIFY: if (in == 7 && out == 0) break; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); case CRK_DH_COMPUTE_KEY: if (in == 3 && out == 1) break; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); default: + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (EINVAL); } krp = (struct cryptkop *)malloc(sizeof *krp, M_XDATA, M_WAITOK|M_ZERO); - if (!krp) + if (!krp) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); return (ENOMEM); + } krp->krp_op = kop->crk_op; krp->krp_status = kop->crk_status; krp->krp_iparams = kop->crk_iparams; @@ -1092,9 +1148,11 @@ cryptodev_key(struct crypt_kop *kop) krp->krp_callback = (int (*) (struct cryptkop *)) cryptodevkey_cb; for (i = 0; i < CRK_MAXPARAM; i++) { - if (kop->crk_param[i].crp_nbits > 65536) + if (kop->crk_param[i].crp_nbits > 65536) { /* Limit is the same as in OpenBSD */ + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto fail; + } krp->krp_param[i].crp_nbits = kop->crk_param[i].crp_nbits; } for (i = 0; i < krp->krp_iparams + krp->krp_oparams; i++) { @@ -1105,22 +1163,28 @@ cryptodev_key(struct crypt_kop *kop) if (i >= krp->krp_iparams) continue; error = copyin(kop->crk_param[i].crp_p, krp->krp_param[i].crp_p, size); - if (error) + if (error) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto fail; + } } error = crypto_kdispatch(krp); - if (error) + if (error) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto fail; + } error = tsleep(krp, PSOCK, "crydev", 0); if (error) { /* XXX can this happen? if so, how do we recover? */ + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto fail; } kop->crk_crid = krp->krp_crid; /* device that did the work */ if (krp->krp_status != 0) { error = krp->krp_status; + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto fail; } @@ -1129,8 +1193,10 @@ cryptodev_key(struct crypt_kop *kop) if (size == 0) continue; error = copyout(krp->krp_param[i].crp_p, kop->crk_param[i].crp_p, size); - if (error) + if (error) { + SDT_PROBE1(opencrypto, dev, ioctl, error, __LINE__); goto fail; + } } fail: diff --git a/sys/sys/param.h b/sys/sys/param.h index dba258e..249b325 100644 --- a/sys/sys/param.h +++ b/sys/sys/param.h @@ -58,7 +58,7 @@ * in the range 5 to 9. */ #undef __FreeBSD_version -#define __FreeBSD_version 1101510 /* Master, propagated to newvers */ +#define __FreeBSD_version 1101511 /* Master, propagated to newvers */ /* * __FreeBSD_kernel__ indicates that this system uses the kernel of FreeBSD, diff --git a/sys/sys/vmmeter.h b/sys/sys/vmmeter.h index 1ff09de..a5c9dc6 100644 --- a/sys/sys/vmmeter.h +++ b/sys/sys/vmmeter.h @@ -202,13 +202,12 @@ u_int vm_meter_cnt(size_t); #endif -/* systemwide totals computed every five seconds */ struct vmtotal { int16_t t_rq; /* length of the run queue */ - int16_t t_dw; /* jobs in ``disk wait'' (neg priority) */ - int16_t t_pw; /* jobs in page wait */ - int16_t t_sl; /* jobs sleeping in core */ - int16_t t_sw; /* swapped out runnable/short block jobs */ + int16_t t_dw; /* threads in ``disk wait'' (neg priority) */ + int16_t t_pw; /* threads in page wait */ + int16_t t_sl; /* threads sleeping in core */ + int16_t t_sw; /* swapped out runnable/short block threads */ int32_t t_vm; /* total virtual memory */ int32_t t_avm; /* active virtual memory */ int32_t t_rm; /* total real memory in use */ diff --git a/sys/vm/swap_pager.c b/sys/vm/swap_pager.c index 22f1c0f..d827256 100644 --- a/sys/vm/swap_pager.c +++ b/sys/vm/swap_pager.c @@ -1083,16 +1083,16 @@ swap_pager_unswapped(vm_page_t m) /* * swap_pager_getpages() - bring pages in from swap * - * Attempt to page in the pages in array "m" of length "count". The caller - * may optionally specify that additional pages preceding and succeeding - * the specified range be paged in. The number of such pages is returned - * in the "rbehind" and "rahead" parameters, and they will be in the - * inactive queue upon return. + * Attempt to page in the pages in array "ma" of length "count". The + * caller may optionally specify that additional pages preceding and + * succeeding the specified range be paged in. The number of such pages + * is returned in the "rbehind" and "rahead" parameters, and they will + * be in the inactive queue upon return. * - * The pages in "m" must be busied and will remain busied upon return. + * The pages in "ma" must be busied and will remain busied upon return. */ static int -swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, +swap_pager_getpages(vm_object_t object, vm_page_t *ma, int count, int *rbehind, int *rahead) { struct buf *bp; @@ -1107,7 +1107,7 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, bp = getpbuf(&nsw_rcount); VM_OBJECT_WLOCK(object); - if (!swap_pager_haspage(object, m[0]->pindex, &maxbehind, &maxahead)) { + if (!swap_pager_haspage(object, ma[0]->pindex, &maxbehind, &maxahead)) { relpbuf(bp, &nsw_rcount); return (VM_PAGER_FAIL); } @@ -1119,15 +1119,15 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, KASSERT(reqcount - 1 <= maxahead, ("page count %d extends beyond swap block", reqcount)); *rahead = imin(*rahead, maxahead - (reqcount - 1)); - pindex = m[reqcount - 1]->pindex; - msucc = TAILQ_NEXT(m[reqcount - 1], listq); + pindex = ma[reqcount - 1]->pindex; + msucc = TAILQ_NEXT(ma[reqcount - 1], listq); if (msucc != NULL && msucc->pindex - pindex - 1 < *rahead) *rahead = msucc->pindex - pindex - 1; } if (rbehind != NULL) { *rbehind = imin(*rbehind, maxbehind); - pindex = m[0]->pindex; - mpred = TAILQ_PREV(m[0], pglist, listq); + pindex = ma[0]->pindex; + mpred = TAILQ_PREV(ma[0], pglist, listq); if (mpred != NULL && pindex - mpred->pindex - 1 < *rbehind) *rbehind = pindex - mpred->pindex - 1; } @@ -1138,7 +1138,7 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, shift = rbehind != NULL ? *rbehind : 0; if (shift != 0) { for (i = 1; i <= shift; i++) { - p = vm_page_alloc(object, m[0]->pindex - i, + p = vm_page_alloc(object, ma[0]->pindex - i, VM_ALLOC_NORMAL); if (p == NULL) { /* Shift allocated pages to the left. */ @@ -1153,11 +1153,11 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, *rbehind = shift; } for (i = 0; i < reqcount; i++) - bp->b_pages[i + shift] = m[i]; + bp->b_pages[i + shift] = ma[i]; if (rahead != NULL) { for (i = 0; i < *rahead; i++) { p = vm_page_alloc(object, - m[reqcount - 1]->pindex + i + 1, VM_ALLOC_NORMAL); + ma[reqcount - 1]->pindex + i + 1, VM_ALLOC_NORMAL); if (p == NULL) break; bp->b_pages[shift + reqcount + i] = p; @@ -1202,7 +1202,7 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, * Instead, we look at the one page we are interested in which we * still hold a lock on even through the I/O completion. * - * The other pages in our m[] array are also released on completion, + * The other pages in our ma[] array are also released on completion, * so we cannot assume they are valid anymore either. * * NOTE: b_blkno is destroyed by the call to swapdev_strategy @@ -1216,8 +1216,8 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, * is set in the metadata for each page in the request. */ VM_OBJECT_WLOCK(object); - while ((m[0]->oflags & VPO_SWAPINPROG) != 0) { - m[0]->oflags |= VPO_SWAPSLEEP; + while ((ma[0]->oflags & VPO_SWAPINPROG) != 0) { + ma[0]->oflags |= VPO_SWAPSLEEP; PCPU_INC(cnt.v_intrans); if (VM_OBJECT_SLEEP(object, &object->paging_in_progress, PSWP, "swread", hz * 20)) { @@ -1231,7 +1231,7 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, * If we had an unrecoverable read error pages will not be valid. */ for (i = 0; i < reqcount; i++) - if (m[i]->valid != VM_PAGE_BITS_ALL) + if (ma[i]->valid != VM_PAGE_BITS_ALL) return (VM_PAGER_ERROR); return (VM_PAGER_OK); @@ -1251,12 +1251,12 @@ swap_pager_getpages(vm_object_t object, vm_page_t *m, int count, int *rbehind, * swap_pager_getpages(). */ static int -swap_pager_getpages_async(vm_object_t object, vm_page_t *m, int count, +swap_pager_getpages_async(vm_object_t object, vm_page_t *ma, int count, int *rbehind, int *rahead, pgo_getpages_iodone_t iodone, void *arg) { int r, error; - r = swap_pager_getpages(object, m, count, rbehind, rahead); + r = swap_pager_getpages(object, ma, count, rbehind, rahead); VM_OBJECT_WUNLOCK(object); switch (r) { case VM_PAGER_OK: @@ -1271,7 +1271,7 @@ swap_pager_getpages_async(vm_object_t object, vm_page_t *m, int count, default: panic("unhandled swap_pager_getpages() error %d", r); } - (iodone)(arg, m, count, error); + (iodone)(arg, ma, count, error); VM_OBJECT_WLOCK(object); return (r); @@ -1300,16 +1300,16 @@ swap_pager_getpages_async(vm_object_t object, vm_page_t *m, int count, * We need to unbusy the rest on I/O completion. */ static void -swap_pager_putpages(vm_object_t object, vm_page_t *m, int count, +swap_pager_putpages(vm_object_t object, vm_page_t *ma, int count, int flags, int *rtvals) { int i, n; boolean_t sync; - if (count && m[0]->object != object) { + if (count && ma[0]->object != object) { panic("swap_pager_putpages: object mismatch %p/%p", object, - m[0]->object + ma[0]->object ); } @@ -1387,7 +1387,7 @@ swap_pager_putpages(vm_object_t object, vm_page_t *m, int count, VM_OBJECT_WLOCK(object); for (j = 0; j < n; ++j) { - vm_page_t mreq = m[i+j]; + vm_page_t mreq = ma[i+j]; swp_pager_meta_build( mreq->object, diff --git a/sys/vm/vm_fault.c b/sys/vm/vm_fault.c index 92c761b..e829bd7 100644 --- a/sys/vm/vm_fault.c +++ b/sys/vm/vm_fault.c @@ -1133,6 +1133,10 @@ readrest: */ pmap_copy_page(fs.m, fs.first_m); fs.first_m->valid = VM_PAGE_BITS_ALL; + if ((fault_flags & VM_FAULT_WIRE) == 0) { + prot &= ~VM_PROT_WRITE; + fault_type &= ~VM_PROT_WRITE; + } if (wired && (fault_flags & VM_FAULT_WIRE) == 0) { vm_page_lock(fs.first_m); @@ -1217,6 +1221,12 @@ readrest: * write-enabled after all. */ prot &= retry_prot; + fault_type &= retry_prot; + if (prot == 0) { + release_page(&fs); + unlock_and_deallocate(&fs); + goto RetryFault; + } } } diff --git a/sys/vm/vm_reserv.c b/sys/vm/vm_reserv.c index ce3289e..65b65e2 100644 --- a/sys/vm/vm_reserv.c +++ b/sys/vm/vm_reserv.c @@ -231,7 +231,7 @@ static long vm_reserv_reclaimed; SYSCTL_LONG(_vm_reserv, OID_AUTO, reclaimed, CTLFLAG_RD, &vm_reserv_reclaimed, 0, "Cumulative number of reclaimed reservations"); -static void vm_reserv_break(vm_reserv_t rv, vm_page_t m); +static void vm_reserv_break(vm_reserv_t rv); static void vm_reserv_depopulate(vm_reserv_t rv, int index); static vm_reserv_t vm_reserv_from_page(vm_page_t m); static boolean_t vm_reserv_has_pindex(vm_reserv_t rv, @@ -726,16 +726,15 @@ found: } /* - * Breaks the given reservation. Except for the specified free page, all free - * pages in the reservation are returned to the physical memory allocator. - * The reservation's population count and map are reset to their initial - * state. + * Breaks the given reservation. All free pages in the reservation + * are returned to the physical memory allocator. The reservation's + * population count and map are reset to their initial state. * * The given reservation must not be in the partially populated reservation * queue. The free page queue lock must be held. */ static void -vm_reserv_break(vm_reserv_t rv, vm_page_t m) +vm_reserv_break(vm_reserv_t rv) { int begin_zeroes, hi, i, lo; @@ -746,18 +745,7 @@ vm_reserv_break(vm_reserv_t rv, vm_page_t m) ("vm_reserv_break: reserv %p's inpartpopq is TRUE", rv)); LIST_REMOVE(rv, objq); rv->object = NULL; - if (m != NULL) { - /* - * Since the reservation is being broken, there is no harm in - * abusing the population map to stop "m" from being returned - * to the physical memory allocator. - */ - i = m - rv->pages; - KASSERT(popmap_is_clear(rv->popmap, i), - ("vm_reserv_break: reserv %p's popmap is corrupted", rv)); - popmap_set(rv->popmap, i); - rv->popcnt++; - } + rv->pages->psind = 0; i = hi = 0; do { /* Find the next 0 bit. Any previous 0 bits are < "hi". */ @@ -818,7 +806,7 @@ vm_reserv_break_all(vm_object_t object) TAILQ_REMOVE(&vm_rvq_partpop, rv, partpopq); rv->inpartpopq = FALSE; } - vm_reserv_break(rv, NULL); + vm_reserv_break(rv); } mtx_unlock(&vm_page_queue_free_mtx); } @@ -927,7 +915,7 @@ vm_reserv_reclaim(vm_reserv_t rv) ("vm_reserv_reclaim: reserv %p's inpartpopq is FALSE", rv)); TAILQ_REMOVE(&vm_rvq_partpop, rv, partpopq); rv->inpartpopq = FALSE; - vm_reserv_break(rv, NULL); + vm_reserv_break(rv); vm_reserv_reclaimed++; } diff --git a/sys/x86/iommu/intel_gas.c b/sys/x86/iommu/intel_gas.c index d4aca10..8cebe37 100644 --- a/sys/x86/iommu/intel_gas.c +++ b/sys/x86/iommu/intel_gas.c @@ -79,7 +79,7 @@ intel_gas_init(void) dmar_map_entry_zone = uma_zcreate("DMAR_MAP_ENTRY", sizeof(struct dmar_map_entry), NULL, NULL, - NULL, NULL, UMA_ALIGN_PTR, 0); + NULL, NULL, UMA_ALIGN_PTR, UMA_ZONE_NODUMP); } SYSINIT(intel_gas, SI_SUB_DRIVERS, SI_ORDER_FIRST, intel_gas_init, NULL); diff --git a/sys/x86/x86/local_apic.c b/sys/x86/x86/local_apic.c index 9cbdca9..0db3d9b 100644 --- a/sys/x86/x86/local_apic.c +++ b/sys/x86/x86/local_apic.c @@ -520,6 +520,9 @@ native_lapic_init(vm_paddr_t addr) do_cpuid(0x06, regs); if ((regs[0] & CPUTPM1_ARAT) != 0) arat = 1; + } else if (cpu_vendor_id == CPU_VENDOR_AMD && + CPUID_TO_FAMILY(cpu_id) >= 0x12) { + arat = 1; } bzero(&lapic_et, sizeof(lapic_et)); lapic_et.et_name = "LAPIC"; diff --git a/sys/x86/x86/mp_x86.c b/sys/x86/x86/mp_x86.c index cd10782..41e37d7 100644 --- a/sys/x86/x86/mp_x86.c +++ b/sys/x86/x86/mp_x86.c @@ -74,15 +74,6 @@ __FBSDID("$FreeBSD$"); #include <machine/specialreg.h> #include <machine/cpu.h> -#define WARMBOOT_TARGET 0 -#define WARMBOOT_OFF (KERNBASE + 0x0467) -#define WARMBOOT_SEG (KERNBASE + 0x0469) - -#define CMOS_REG (0x70) -#define CMOS_DATA (0x71) -#define BIOS_RESET (0x0f) -#define BIOS_WARM (0x0a) - /* lock region used by kernel profiling */ int mcount_lock; diff --git a/tests/sys/geom/class/nop/nop_test.sh b/tests/sys/geom/class/nop/nop_test.sh index edf5ac7..bd02d67 100644 --- a/tests/sys/geom/class/nop/nop_test.sh +++ b/tests/sys/geom/class/nop/nop_test.sh @@ -27,14 +27,14 @@ MD_DEVS="md.devs" PLAINFILES=plainfiles -atf_test_case diskinfo cleanup -diskinfo_head() +atf_test_case preserve_props cleanup +preserve_props_head() { - atf_set "descr" "gnop should preserve diskinfo's basic properties" + atf_set "descr" "gnop should preserve basic GEOM properties" atf_set "require.user" "root" atf_set "timeout" 15 } -diskinfo_body() +preserve_props_body() { load_gnop us=$(alloc_md) @@ -49,11 +49,54 @@ diskinfo_body() atf_check_equal "$md_mediasize" "$nop_mediasize" atf_check_equal "$md_stripesize" "$nop_stripesize" } -diskinfo_cleanup() +preserve_props_cleanup() { common_cleanup } +atf_test_case preserve_disk_props cleanup +preserve_disk_props_head() +{ + atf_set "descr" "gnop should preserve properties for disks" + atf_set "require.user" "root" + atf_set "require.config" "disks" + atf_set "timeout" 15 +} +preserve_disk_props_body() +{ + load_gnop + disks=`atf_config_get disks` + disk=${disks%% *} + if [ -z "$disk" ]; then + atf_skip "Must define disks (see tests(7))" + fi + atf_check gnop create ${disk} + + disk_ident=$(diskinfo -s ${disk}) + disk_physpath=$(diskinfo -p ${disk}) + disk_descr=$(diskinfo -v ${disk} | awk '/Disk descr/ {print $1}') + disk_trim=$(diskinfo -v ${disk} | awk '/TRIM.UNMAP/ {print $1}') + disk_rotrate=$(diskinfo -v ${disk} | awk '/Rotation rate/ {print $1}') + disk_zonemode=$(diskinfo -v ${disk} | awk '/Zone Mode/ {print $1}') + nop_ident=$(diskinfo -s ${disk}.nop) + nop_physpath=$(diskinfo -p ${disk}.nop) + nop_descr=$(diskinfo -v ${disk}.nop | awk '/Disk descr/ {print $1}') + nop_trim=$(diskinfo -v ${disk}.nop | awk '/TRIM.UNMAP/ {print $1}') + nop_rotrate=$(diskinfo -v ${disk}.nop | awk '/Rotation/ {print $1}') + nop_zonemode=$(diskinfo -v ${disk}.nop | awk '/Zone Mode/ {print $1}') + atf_check_equal "$disk_ident" "$nop_ident" + atf_check_equal "$disk_physpath" "$nop_physpath" + atf_check_equal "$disk_descr" "$nop_descr" + atf_check_equal "$disk_trim" "$nop_trim" + atf_check_equal "$disk_rotrate" "$nop_rotrate" + atf_check_equal "$disk_zonemode" "$nop_zonemode" +} +preserve_disk_props_cleanup() +{ + disk_cleanup + common_cleanup +} + atf_test_case io cleanup io_head() { @@ -80,6 +123,54 @@ io_cleanup() common_cleanup } +atf_test_case physpath cleanup +physpath_head() +{ + atf_set "descr" "Test gnop's -z option" + atf_set "require.user" "root" + atf_set "timeout" 15 +} +physpath_body() +{ + load_gnop + us=$(alloc_md) + physpath="some/physical/path" + atf_check gnop create -z $physpath /dev/${us} + gnop_physpath=$(diskinfo -p ${us}.nop) + atf_check_equal "$physpath" "$gnop_physpath" +} +physpath_cleanup() +{ + common_cleanup +} + +atf_test_case physpath_blank cleanup +physpath_blank_head() +{ + atf_set "descr" "gnop can set physical path to the empty string" + atf_set "require.user" "root" + atf_set "require.config" "disks" + atf_set "timeout" 15 +} +physpath_blank_body() +{ + load_gnop + disks=`atf_config_get disks` + disk=${disks%% *} + if [ -z "$disk" ]; then + atf_skip "Must define disks (see tests(7))" + fi + + atf_check gnop create -z "" ${disk} + gnop_physpath=$(diskinfo -p ${disk}.nop) + atf_check_equal "" "$gnop_physpath" +} +physpath_blank_cleanup() +{ + disk_cleanup + common_cleanup +} + atf_test_case size cleanup size_head() { @@ -136,7 +227,10 @@ stripesize_cleanup() atf_init_test_cases() { atf_add_test_case io - atf_add_test_case diskinfo + atf_add_test_case physpath + atf_add_test_case physpath_blank + atf_add_test_case preserve_props + atf_add_test_case preserve_disk_props atf_add_test_case stripesize atf_add_test_case size } @@ -169,6 +263,15 @@ common_cleanup() true } +disk_cleanup() +{ + disks=`atf_config_get disks` + disk=${disks%% *} + if [ -n "$disk" ]; then + gnop destroy -f ${disk}.nop 2>/dev/null + fi +} + load_gnop() { if ! kldstat -q -m g_nop; then diff --git a/usr.bin/vmstat/vmstat.8 b/usr.bin/vmstat/vmstat.8 index 36ebcbb..f263928 100644 --- a/usr.bin/vmstat/vmstat.8 +++ b/usr.bin/vmstat/vmstat.8 @@ -28,7 +28,7 @@ .\" @(#)vmstat.8 8.1 (Berkeley) 6/6/93 .\" $FreeBSD$ .\" -.Dd November 19, 2015 +.Dd January 18, 2018 .Dt VMSTAT 8 .Os .Sh NAME @@ -248,31 +248,39 @@ By default, displays the following information: .Bl -tag -width indent .It procs -Information about the numbers of processes in various states. +Information about the number of threads in various states: .Pp .Bl -tag -width indent -compact .It r -in run queue +running or in run queue .It b blocked for resources (i/o, paging, etc.) .It w -runnable or short sleeper (< 20 secs) but swapped +swapped out .El .It memory Information about the usage of virtual and real memory. -Virtual pages (reported in units of 1024 bytes) are considered active if -they belong to processes which are running or have run in the last 20 -seconds. +.Pp +Mapped virtual memory is a sum of all of the virtual pages belonging +to mapped virtual memory objects. +Note that the entire memory object's size is considered mapped even if +only a subset of the object's pages are currently mapped. +This statistic is not related to the active page queue which is used to track +real memory. .Pp .Bl -tag -width indent -compact .It avm -active virtual pages +mapped virtual memory +.Po previously called active in +.Nm +output +.Pc .It fre size of the free list .El .It page Information about page faults and paging activity. -These are averaged each five seconds, and given in units per second. +These are given in units per second. .Pp .Bl -tag -width indent -compact .It flt @@ -286,11 +294,11 @@ pages paged in .It po pages paged out .It fr -pages freed per second +pages freed .\" .It de .\" anticipated short term memory shortfall .It sr -pages scanned by clock algorithm, per-second +pages scanned by page daemon .El .It disks Disk operations per second (this field is system dependent). @@ -319,15 +327,15 @@ matching pattern is specified (see above), will only display the given devices or the devices matching the pattern, and will not randomly select other devices in the system. .It faults -Trap/interrupt rate averages per second over last 5 seconds. +Trap/interrupt rates per second. .Pp .Bl -tag -width indent -compact .It in -device interrupts per interval (including clock interrupts) +device interrupts (including clock interrupts) .It sy -system calls per interval +system calls .It cs -cpu context switch rate (switches/interval) +cpu context switches .El .It cpu Breakdown of percentage usage of CPU time. @@ -336,7 +344,7 @@ Breakdown of percentage usage of CPU time. .It us user time for normal and low priority processes .It sy -system time +system and interrupt time .It id cpu idle .El @@ -352,10 +360,7 @@ default memory file The command: .Dl vmstat -w 5 will print what the system is doing every five -seconds; this is a good choice of printing interval since this is how often -some of the statistics are sampled in the system. -Others vary every second and running the output for a while will make it -apparent which are recomputed every second. +seconds. .Pp The command: .Dl vmstat -p da -p cd -w 1 diff --git a/usr.sbin/bsdinstall/partedit/gpart_ops.c b/usr.sbin/bsdinstall/partedit/gpart_ops.c index a502e72..59d0de5 100644 --- a/usr.sbin/bsdinstall/partedit/gpart_ops.c +++ b/usr.sbin/bsdinstall/partedit/gpart_ops.c @@ -1034,14 +1034,17 @@ addpartform: /* Warn if no mountpoint set */ if (strcmp(items[0].text, "freebsd-ufs") == 0 && items[2].text[0] != '/') { - dialog_vars.defaultno = TRUE; - choice = dialog_yesno("Warning", - "This partition does not have a valid mountpoint " - "(for the partition from which you intend to boot the " - "operating system, the mountpoint should be /). Are you " - "sure you want to continue?" - , 0, 0); - dialog_vars.defaultno = FALSE; + choice = 0; + if (interactive) { + dialog_vars.defaultno = TRUE; + choice = dialog_yesno("Warning", + "This partition does not have a valid mountpoint " + "(for the partition from which you intend to boot the " + "operating system, the mountpoint should be /). Are you " + "sure you want to continue?" + , 0, 0); + dialog_vars.defaultno = FALSE; + } if (choice == 1) /* cancel */ goto addpartform; } diff --git a/usr.sbin/mountd/mountd.c b/usr.sbin/mountd/mountd.c index 51f7c7f..1e35cc5 100644 --- a/usr.sbin/mountd/mountd.c +++ b/usr.sbin/mountd/mountd.c @@ -1051,8 +1051,6 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *transp) */ if (realpath(rpcpath, dirpath) == NULL || stat(dirpath, &stb) < 0 || - (!S_ISDIR(stb.st_mode) && - (dir_only || !S_ISREG(stb.st_mode))) || statfs(dirpath, &fsb) < 0) { chdir("/"); /* Just in case realpath doesn't */ syslog(LOG_NOTICE, @@ -1062,10 +1060,23 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *transp) warnx("stat failed on %s", dirpath); bad = ENOENT; /* We will send error reply later */ } + if (!bad && + !S_ISDIR(stb.st_mode) && + (dir_only || !S_ISREG(stb.st_mode))) { + syslog(LOG_NOTICE, + "mount request from %s for non-directory path %s", + numerichost, dirpath); + if (debug) + warnx("mounting non-directory %s", dirpath); + bad = ENOTDIR; /* We will send error reply later */ + } /* Check in the exports list */ sigprocmask(SIG_BLOCK, &sighup_mask, NULL); - ep = ex_search(&fsb.f_fsid); + if (bad) + ep = NULL; + else + ep = ex_search(&fsb.f_fsid); hostset = defset = 0; if (ep && (chk_host(ep->ex_defdir, saddr, &defset, &hostset, &numsecflavors, &secflavorsp) || @@ -1116,7 +1127,8 @@ mntsrv(struct svc_req *rqstp, SVCXPRT *transp) "mount request succeeded from %s for %s", numerichost, dirpath); } else { - bad = EACCES; + if (!bad) + bad = EACCES; syslog(LOG_NOTICE, "mount request denied from %s for %s", numerichost, dirpath); diff --git a/usr.sbin/ntp/config.h b/usr.sbin/ntp/config.h index 3cc4dbd..9bc0564 100644 --- a/usr.sbin/ntp/config.h +++ b/usr.sbin/ntp/config.h @@ -1396,9 +1396,6 @@ /* Should we NOT read /dev/kmem? */ #define NOKMEM 1 -/* Define to 1 if your C compiler doesn't accept -c and -o together. */ -/* #undef NO_MINUS_C_MINUS_O */ - /* Should we avoid #warning on option name collisions? */ /* #undef NO_OPTION_NAME_WARNINGS */ @@ -1448,7 +1445,7 @@ #define PACKAGE_NAME "ntp" /* Define to the full name and version of this package. */ -#define PACKAGE_STRING "ntp 4.2.8p10" +#define PACKAGE_STRING "ntp 4.2.8p11" /* Define to the one symbol short name of this package. */ #define PACKAGE_TARNAME "ntp" @@ -1457,10 +1454,10 @@ #define PACKAGE_URL "http://www.ntp.org./" /* Define to the version of this package. */ -#define PACKAGE_VERSION "4.2.8p10" +#define PACKAGE_VERSION "4.2.8p11" /* data dir */ -#define PERLLIBDIR "/usr/local/share/ntp/lib" +#define PERLLIBDIR "/usr/share/ntp/lib" /* define to a working POSIX compliant shell */ #define POSIX_SHELL "/bin/sh" @@ -1638,7 +1635,7 @@ typedef unsigned int uintptr_t; /* #undef USE_UDP_SIGPOLL */ /* Version number of package */ -#define VERSION "4.2.8p10" +#define VERSION "4.2.8p11" /* vsnprintf expands "%m" to strerror(errno) */ /* #undef VSNPRINTF_PERCENT_M */ @@ -1815,5 +1812,5 @@ typedef union mpinfou { /* * FreeBSD specific: Explicitly specify date/time for reproducible build. */ -#define MKREPRO_DATE "Mar 22 2017" -#define MKREPRO_TIME "05:40:15" +#define MKREPRO_DATE "Feb 28 2018" +#define MKREPRO_TIME "06:33:03" diff --git a/usr.sbin/ntp/doc/ntp-keygen.8 b/usr.sbin/ntp/doc/ntp-keygen.8 index a5c62f7..e4b7eaf 100644 --- a/usr.sbin/ntp/doc/ntp-keygen.8 +++ b/usr.sbin/ntp/doc/ntp-keygen.8 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_KEYGEN 8 User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:59 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5 .\" From the definitions ntp-keygen-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -23,26 +23,29 @@ All arguments must be options. .Sh DESCRIPTION This program generates cryptographic data files used by the NTPv4 authentication and identification schemes. -It generates MD5 key files used in symmetric key cryptography. -In addition, if the OpenSSL software library has been installed, -it generates keys, certificate and identity files used in public key -cryptography. +It can generate message digest keys used in symmetric key cryptography and, +if the OpenSSL software library has been installed, it can generate host keys, +signing keys, certificates, and identity keys and parameters used in Autokey +public key cryptography. These files are used for cookie encryption, -digital signature and challenge/response identification algorithms +digital signature, and challenge/response identification algorithms compatible with the Internet standard security infrastructure. .Pp -All files are in PEM\-encoded printable ASCII format, -so they can be embedded as MIME attachments in mail to other sites +The message digest symmetric keys file is generated in a format +compatible with NTPv3. +All other files are in PEM\-encoded printable ASCII format, +so they can be embedded as MIME attachments in email to other sites and certificate authorities. By default, files are not encrypted. .Pp -When used to generate message digest keys, the program produces a file -containing ten pseudo\-random printable ASCII strings suitable for the -MD5 message digest algorithm included in the distribution. +When used to generate message digest symmetric keys, the program +produces a file containing ten pseudo\-random printable ASCII strings +suitable for the MD5 message digest algorithm included in the +distribution. If the OpenSSL library is installed, it produces an additional ten -hex\-encoded random bit strings suitable for the SHA1 and other message -digest algorithms. -The message digest keys file must be distributed and stored +hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and +other message digest algorithms. +The message digest symmetric keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the @@ -62,219 +65,131 @@ other than Autokey. Some files used by this program are encrypted using a private password. The .Fl p -option specifies the password for local encrypted files and the +option specifies the read password for local encrypted files and the .Fl q -option the password for encrypted files sent to remote sites. +option the write password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix -.Fn gethostname -function, normally the DNS name of the host is used. +.Xr hostname 1 +command, normally the DNS name of the host, is used as the the default read +password, for convenience. +The +.Nm +program prompts for the password if it reads an encrypted file +and the password is missing or incorrect. +If an encrypted file is read successfully and +no write password is specified, the read password is used +as the write password by default. .Pp The -.Ar pw +.Cm pw option of the -.Ar crypto +.Ic crypto +.Xr ntpd 8 configuration command specifies the read password for previously encrypted local files. -This must match the local password used by this program. +This must match the local read password used by this program. If not specified, the host name is used. -Thus, if files are generated by this program without password, +Thus, if files are generated by this program without an explicit password, they can be read back by -.Ar ntpd -without password but only on the same host. +.Xr ntpd 8 +without specifying an explicit password but only on the same host. +If the write password used for encryption is specified as the host name, +these files can be read by that host with no explicit password. .Pp Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called -.Ar ntp.keys , +.Pa ntp.keys , is usually installed in .Pa /etc . Other files and links are usually installed in .Pa /usr/local/etc , which is normally in a shared filesystem in NFS\-mounted networks and cannot be changed by shared clients. -The location of the keys directory can be changed by the -.Ar keysdir -configuration command in such cases. -Normally, this is in -.Pa /etc . +In these cases, NFS clients can specify the files in another +directory such as +.Pa /etc +using the +.Ic keysdir +.Xr ntpd 8 +configuration file command. .Pp This program directs commentary and error messages to the standard error stream -.Ar stderr +.Pa stderr and remote files to the standard output stream -.Ar stdout +.Pa stdout where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string -.Ar ntpkey +.Pa ntpkey\&* and include the file type, generating host and filestamp, as described in the -.Dq Cryptographic Data Files +.Sx "Cryptographic Data Files" section below. .Ss Running the Program -To test and gain experience with Autokey concepts, log in as root and -change to the keys directory, usually -.Pa /usr/local/etc -When run for the first time, or if all files with names beginning with -.Ar ntpkey -have been removed, use the -.Nm -command without arguments to generate a -default RSA host key and matching RSA\-MD5 certificate with expiration -date one year hence. -If run again without options, the program uses the -existing keys and parameters and generates only a new certificate with -new expiration date one year hence. -.Pp -Run the command on as many hosts as necessary. -Designate one of them as the trusted host (TH) using -.Nm -with the -.Fl T -option and configure it to synchronize from reliable Internet servers. -Then configure the other hosts to synchronize to the TH directly or -indirectly. -A certificate trail is created when Autokey asks the immediately -ascendant host towards the TH to sign its certificate, which is then -provided to the immediately descendant host on request. -All group hosts should have acyclic certificate trails ending on the TH. -.Pp -The host key is used to encrypt the cookie when required and so must be -RSA type. -By default, the host key is also the sign key used to encrypt -signatures. -A different sign key can be assigned using the -.Fl S -option and this can be either RSA or DSA type. -By default, the signature -message digest type is MD5, but any combination of sign key type and -message digest type supported by the OpenSSL library can be specified -using the -.Fl c -option. -The rules say cryptographic media should be generated with proventic -filestamps, which means the host should already be synchronized before -this program is run. -This of course creates a chicken\-and\-egg problem -when the host is started for the first time. -Accordingly, the host time -should be set by some other means, such as eyeball\-and\-wristwatch, at -least so that the certificate lifetime is within the current year. -After that and when the host is synchronized to a proventic source, the -certificate should be re\-generated. -.Pp -Additional information on trusted groups and identity schemes is on the -.Dq Autokey Public\-Key Authentication -page. -.Pp -The -.Xr ntpd 8 -configuration command -.Ic crypto pw Ar password -specifies the read password for previously encrypted files. -The daemon expires on the spot if the password is missing -or incorrect. -For convenience, if a file has been previously encrypted, -the default read password is the name of the host running -the program. -If the previous write password is specified as the host name, -these files can be read by that host with no explicit password. -.Pp -File names begin with the prefix -.Cm ntpkey_ -and end with the postfix -.Ar _hostname.filestamp , -where -.Ar hostname -is the owner name, usually the string returned -by the Unix gethostname() routine, and -.Ar filestamp -is the NTP seconds when the file was generated, in decimal digits. -This both guarantees uniqueness and simplifies maintenance -procedures, since all files can be quickly removed -by a -.Ic rm ntpkey\&* -command or all files generated -at a specific time can be removed by a -.Ic rm -.Ar \&*filestamp -command. -To further reduce the risk of misconfiguration, -the first two lines of a file contain the file name -and generation date and time as comments. -.Pp -All files are installed by default in the keys directory -.Pa /usr/local/etc , -which is normally in a shared filesystem -in NFS\-mounted networks. -The actual location of the keys directory -and each file can be overridden by configuration commands, -but this is not recommended. -Normally, the files for each host are generated by that host -and used only by that host, although exceptions exist -as noted later on this page. -.Pp -Normally, files containing private values, -including the host key, sign key and identification parameters, -are permitted root read/write\-only; -while others containing public values are permitted world readable. -Alternatively, files containing private values can be encrypted -and these files permitted world readable, -which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and -dependent clients can all be installed in the same shared directory. -.Pp -The recommended practice is to keep the file name extensions -when installing a file and to install a soft link -from the generic names specified elsewhere on this page -to the generated files. -This allows new file generations to be activated simply -by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. -If a link is not present, -.Xr ntpd 8 -extracts the filestamp from the file itself. -This allows clients to verify that the file and generation times -are always current. -The -.Nm -program uses the same timestamp extension for all files generated -at one time, so each generation is distinct and can be readily -recognized in monitoring data. -.Ss Running the program The safest way to run the .Nm program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually +The recommended procedure is change to the +.Ar keys +directory, usually .Pa /usr/local/etc , then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA\-MD5 certificate file, +.Pp +To test and gain experience with Autokey concepts, log in as root and +change to the +.Ar keys +directory, usually +.Pa /usr/local/etc . +When run for the first time, or if all files with names beginning with +.Pa ntpkey\&* +have been removed, use the +.Nm +command without arguments to generate a default +.Cm RSA +host key and matching +.Cm RSA\-MD5 +certificate file with expiration date one year hence, which is all that is necessary in many cases. The program also generates soft links from the generic names to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +If run again without options, the program uses the +existing keys and parameters and generates a new certificate file with +new expiration date one year hence, and soft link. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. +The host key is used to encrypt the cookie when required and so must be +.Cm RSA +type. By default, the host key is also the sign key used to encrypt signatures. When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination +either +.Cm RSA +or +.Cm DSA +type. +By default, the message digest type is +.Cm MD5 , +but any combination of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. +can be specified, including those using the +.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1 +and +.Cm RIPE160 +message digest algorithms. However, the scheme specified in the certificate must be compatible with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +Certificates using any digest algorithm are compatible with +.Cm RSA +sign keys; +however, only +.Cm SHA +and +.Cm SHA1 +certificates are compatible with +.Cm DSA +sign keys. .Pp Private/public key files and certificates are compatible with other OpenSSL applications and very likely other libraries as well. @@ -285,19 +200,19 @@ However, the identification parameter files, although encoded as the other files, are probably not compatible with anything other than Autokey. .Pp Running the program as other than root and using the Unix -.Ic su +.Xr su 1 command to assume root may not work properly, since by default the OpenSSL library looks for the random seed file -.Cm .rnd +.Pa .rnd in the user home directory. However, there should be only one -.Cm .rnd , +.Pa .rnd , most conveniently in the root directory, so it is convenient to define the -.Cm $RANDFILE +.Ev RANDFILE environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +.Pa .rnd . .Pp Installing the keys as root might not work in NFS\-mounted shared file systems, as NFS clients may not be able to write @@ -307,7 +222,8 @@ directory such as .Pa /etc using the .Ic keysdir -command. +.Xr ntpd 8 +configuration file command. There is no need for one client to read the keys and certificates of other clients or servers, as these data are obtained automatically by the Autokey protocol. @@ -340,8 +256,11 @@ while others containing public values are permitted world readable. Alternatively, files containing private values can be encrypted and these files permitted world readable, which simplifies maintenance in shared file systems. -Since uniqueness is insured by the hostname and -file name extensions, the files for a NFS server and +Since uniqueness is insured by the +.Ar hostname +and +.Ar filestamp +file name extensions, the files for an NTP server and dependent clients can all be installed in the same shared directory. .Pp The recommended practice is to keep the file name extensions @@ -350,106 +269,111 @@ from the generic names specified elsewhere on this page to the generated files. This allows new file generations to be activated simply by changing the link. -If a link is present, ntpd follows it to the file name -to extract the filestamp. +If a link is present, +.Xr ntpd 8 +follows it to the file name to extract the +.Ar filestamp . If a link is not present, .Xr ntpd 8 -extracts the filestamp from the file itself. +extracts the +.Ar filestamp +from the file itself. This allows clients to verify that the file and generation times are always current. The .Nm -program uses the same timestamp extension for all files generated +program uses the same +.Ar filestamp +extension for all files generated at one time, so each generation is distinct and can be readily recognized in monitoring data. -.Ss Running the program -The safest way to run the +.Pp +Run the command on as many hosts as necessary. +Designate one of them as the trusted host (TH) using .Nm -program is logged in directly as root. -The recommended procedure is change to the keys directory, -usually -.Pa /usr/local/etc , -then run the program. -When run for the first time, -or if all -.Cm ntpkey -files have been removed, -the program generates a RSA host key file and matching RSA\-MD5 certificate file, -which is all that is necessary in many cases. -The program also generates soft links from the generic names -to the respective files. -If run again, the program uses the same host key file, -but generates a new certificate file and link. +with the +.Fl T +option and configure it to synchronize from reliable Internet servers. +Then configure the other hosts to synchronize to the TH directly or +indirectly. +A certificate trail is created when Autokey asks the immediately +ascendant host towards the TH to sign its certificate, which is then +provided to the immediately descendant host on request. +All group hosts should have acyclic certificate trails ending on the TH. .Pp -The host key is used to encrypt the cookie when required and so must be RSA type. -By default, the host key is also the sign key used to encrypt signatures. -When necessary, a different sign key can be specified and this can be -either RSA or DSA type. -By default, the message digest type is MD5, but any combination -of sign key type and message digest type supported by the OpenSSL library -can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2 -and RIPE160 message digest algorithms. -However, the scheme specified in the certificate must be compatible -with the sign key. -Certificates using any digest algorithm are compatible with RSA sign keys; -however, only SHA and SHA1 certificates are compatible with DSA sign keys. +The host key is used to encrypt the cookie when required and so must be +RSA type. +By default, the host key is also the sign key used to encrypt +signatures. +A different sign key can be assigned using the +.Fl S +option and this can be either +.Cm RSA +or +.Cm DSA +type. +By default, the signature +message digest type is +.Cm MD5 , +but any combination of sign key type and +message digest type supported by the OpenSSL library can be specified +using the +.Fl c +option. .Pp -Private/public key files and certificates are compatible with -other OpenSSL applications and very likely other libraries as well. -Certificates or certificate requests derived from them should be compatible -with extant industry practice, although some users might find -the interpretation of X509v3 extension fields somewhat liberal. -However, the identification parameter files, although encoded -as the other files, are probably not compatible with anything other than Autokey. +The rules say cryptographic media should be generated with proventic +filestamps, which means the host should already be synchronized before +this program is run. +This of course creates a chicken\-and\-egg problem +when the host is started for the first time. +Accordingly, the host time +should be set by some other means, such as eyeball\-and\-wristwatch, at +least so that the certificate lifetime is within the current year. +After that and when the host is synchronized to a proventic source, the +certificate should be re\-generated. .Pp -Running the program as other than root and using the Unix -.Ic su -command -to assume root may not work properly, since by default the OpenSSL library -looks for the random seed file -.Cm .rnd -in the user home directory. -However, there should be only one -.Cm .rnd , -most conveniently -in the root directory, so it is convenient to define the -.Cm $RANDFILE -environment variable used by the OpenSSL library as the path to -.Cm /.rnd . +Additional information on trusted groups and identity schemes is on the +.Dq Autokey Public\-Key Authentication +page. .Pp -Installing the keys as root might not work in NFS\-mounted -shared file systems, as NFS clients may not be able to write -to the shared keys directory, even as root. -In this case, NFS clients can specify the files in another -directory such as -.Pa /etc -using the -.Ic keysdir +File names begin with the prefix +.Pa ntpkey Ns _ +and end with the suffix +.Pa _ Ns Ar hostname . Ar filestamp , +where +.Ar hostname +is the owner name, usually the string returned +by the Unix +.Xr hostname 1 +command, and +.Ar filestamp +is the NTP seconds when the file was generated, in decimal digits. +This both guarantees uniqueness and simplifies maintenance +procedures, since all files can be quickly removed +by a +.Ic rm Pa ntpkey\&* +command or all files generated +at a specific time can be removed by a +.Ic rm Pa \&* Ns Ar filestamp command. -There is no need for one client to read the keys and certificates -of other clients or servers, as these data are obtained automatically -by the Autokey protocol. -.Pp -Ordinarily, cryptographic files are generated by the host that uses them, -but it is possible for a trusted agent (TA) to generate these files -for other hosts; however, in such cases files should always be encrypted. -The subject name and trusted name default to the hostname -of the host generating the files, but can be changed by command line options. -It is convenient to designate the owner name and trusted name -as the subject and issuer fields, respectively, of the certificate. -The owner name is also used for the host and sign key files, -while the trusted name is used for the identity files. -seconds. -seconds. -s Trusted Hosts and Groups +To further reduce the risk of misconfiguration, +the first two lines of a file contain the file name +and generation date and time as comments. +.Ss Trusted Hosts and Groups Each cryptographic configuration involves selection of a signature scheme and identification scheme, called a cryptotype, as explained in the .Sx Authentication Options section of .Xr ntp.conf 5 . -The default cryptotype uses RSA encryption, MD5 message digest -and TC identification. +The default cryptotype uses +.Cm RSA +encryption, +.Cm MD5 +message digest +and +.Cm TC +identification. First, configure a NTP subnet including one or more low\-stratum trusted hosts from which all other hosts derive synchronization directly or indirectly. @@ -467,7 +391,7 @@ section of .Pp On each trusted host as root, change to the keys directory. To insure a fresh fileset, remove all -.Cm ntpkey +.Pa ntpkey files. Then run .Nm @@ -492,7 +416,9 @@ is either .Cm RSA or .Cm DSA . -The most often need to do this is when a DSA\-signed certificate is used. +The most frequent need to do this is when a +.Cm DSA Ns \-signed +certificate is used. If it is necessary to use a different certificate scheme than the default, run .Nm @@ -501,17 +427,17 @@ with the option and selected .Ar scheme as needed. -f +If .Nm is run again without these options, it generates a new certificate -using the same scheme and sign key. +using the same scheme and sign key, and soft link. .Pp After setting up the environment it is advisable to update certificates from time to time, if only to extend the validity interval. Simply run .Nm with the same flags as before to generate new certificates -using existing keys. +using existing keys, and soft links. However, if the host or sign key is changed, .Xr ntpd 8 should be restarted. @@ -522,13 +448,15 @@ Other dependent hosts will continue as usual until signatures are refreshed, at which time the protocol is restarted. .Ss Identity Schemes As mentioned on the Autonomous Authentication page, -the default TC identity scheme is vulnerable to a middleman attack. +the default +.Cm TC +identity scheme is vulnerable to a middleman attack. However, there are more secure identity schemes available, -including PC, IFF, GQ and MV described on the -.Qq Identification Schemes -page -(maybe available at -.Li http://www.eecis.udel.edu/%7emills/keygen.html ) . +including +.Cm PC , IFF , GQ +and +.Cm MV +schemes described below. These schemes are based on a TA, one or more trusted hosts and some number of nontrusted hosts. Trusted hosts prove identity using values provided by the TA, @@ -553,12 +481,15 @@ On trusted host alice run .Fl P .Fl p Ar password to generate the host key file -.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp +.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp and trusted private certificate file -.Pa ntpkey_RSA\-MD5_cert_ Ns Ar alice.filestamp . +.Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp , +and soft links. Copy both files to all group hosts; they replace the files which would be generated in other schemes. -On each host bob install a soft link from the generic name +On each host +.Ar bob +install a soft link from the generic name .Pa ntpkey_host_ Ns Ar bob to the host key file and soft link .Pa ntpkey_cert_ Ns Ar bob @@ -567,26 +498,34 @@ Note the generic links are on bob, but point to files generated by trusted host alice. In this scheme it is not possible to refresh either the keys or certificates without copying them -to all other hosts in the group. +to all other hosts in the group, and recreating the soft links. .Pp -For the IFF scheme proceed as in the TC scheme to generate keys +For the +.Cm IFF +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host in the group, -generate the IFF parameter file. +generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl I .Fl p Ar password to produce her parameter file -.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp , +.Pa ntpkey_IFFpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts that operate as both servers and clients and install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. If there are no hosts restricted to operate only as clients, there is nothing further to do. -As the IFF scheme is independent +As the +.Cm IFF +scheme is independent of keys and certificates, these files can be refreshed as needed. .Pp If a rogue client has the parameter file, it could masquerade @@ -596,37 +535,53 @@ from the parameter file and distributed to all restricted clients. After generating the parameter file, on alice run .Nm .Fl e -and pipe the output to a file or mail program. -Copy or mail this file to all restricted clients. +and pipe the output to a file or email program. +Copy or email this file to all restricted clients. On these clients install a soft link from the generic -.Pa ntpkey_iff_ Ns Ar alice +.Pa ntpkey_iff_alice to this file. To further protect the integrity of the keys, each file can be encrypted with a secret password. .Pp -For the GQ scheme proceed as in the TC scheme to generate keys +For the +.Cm GQ +scheme proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts, then for every trusted host -in the group, generate the IFF parameter file. +in the group, generate the +.Cm IFF +parameter file. On trusted host alice run .Nm .Fl T .Fl G .Fl p Ar password to produce her parameter file -.Pa ntpkey_GQpar_ Ns Ar alice.filestamp , +.Pa ntpkey_GQpar_alice. Ns Ar filestamp , which includes both server and client keys. Copy this file to all group hosts and install a soft link from the generic -.Pa ntpkey_gq_ Ns Ar alice +.Pa ntpkey_gq_alice to this file. -In addition, on each host bob install a soft link +In addition, on each host +.Ar bob +install a soft link from generic .Pa ntpkey_gq_ Ns Ar bob to this file. -As the GQ scheme updates the GQ parameters file and certificate +As the +.Cm GQ +scheme updates the +.Cm GQ +parameters file and certificate at the same time, keys and certificates can be regenerated as needed. .Pp -For the MV scheme, proceed as in the TC scheme to generate keys +For the +.Cm MV +scheme, proceed as in the +.Cm TC +scheme to generate keys and certificates for all group hosts. For illustration assume trish is the TA, alice one of several trusted hosts and bob one of her clients. @@ -638,9 +593,9 @@ where .Ar n is the number of revokable keys (typically 5) to produce the parameter file -.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp +.Pa ntpkeys_MVpar_trish. Ns Ar filestamp and client key files -.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp +.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp where .Ar d is the key number (0 \&< @@ -649,80 +604,217 @@ is the key number (0 \&< .Ar n ) . Copy the parameter file to alice and install a soft link from the generic -.Pa ntpkey_mv_ Ns Ar alice +.Pa ntpkey_mv_alice to this file. Copy one of the client key files to alice for later distribution to her clients. -It doesn't matter which client key file goes to alice, +It does not matter which client key file goes to alice, since they all work the same way. -Alice copies the client key file to all of her cliens. +Alice copies the client key file to all of her clients. On client bob install a soft link from generic -.Pa ntpkey_mvkey_ Ns Ar bob +.Pa ntpkey_mvkey_bob to the client key file. -As the MV scheme is independent of keys and certificates, +As the +.Cm MV +scheme is independent of keys and certificates, these files can be refreshed as needed. .Ss Command Line Options .Bl -tag -width indent -.It Fl c Ar scheme -Select certificate message digest/signature encryption scheme. +.It Fl b Fl \-imbits Ns = Ar modulus +Set the number of bits in the identity modulus for generating identity keys to +.Ar modulus +bits. +The number of bits in the identity modulus defaults to 256, but can be set to +values from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl c Fl \-certificate Ns = Ar scheme +Select certificate signature encryption/message digest scheme. The .Ar scheme can be one of the following: -. Cm RSA\-MD2 , RSA\-MD5 , RSA\-SHA , RSA\-SHA1 , RSA\-MDC2 , RSA\-RIPEMD160 , DSA\-SHA , +.Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA , or .Cm DSA\-SHA1 . -Note that RSA schemes must be used with a RSA sign key and DSA -schemes must be used with a DSA sign key. +Note that +.Cm RSA +schemes must be used with an +.Cm RSA +sign key and +.Cm DSA +schemes must be used with a +.Cm DSA +sign key. The default without this option is .Cm RSA\-MD5 . -.It Fl d -Enable debugging. +If compatibility with FIPS 140\-2 is required, either the +.Cm DSA\-SHA +or +.Cm DSA\-SHA1 +scheme must be used. +.It Fl C Fl \-cipher Ns = Ar cipher +Select the OpenSSL cipher to encrypt the files containing private keys. +The default without this option is three\-key triple DES in CBC mode, +.Cm des\-ede3\-cbc . +The +.Ic openssl Fl h +command provided with OpenSSL displays available ciphers. +.It Fl d Fl \-debug\-level +Increase debugging verbosity level. This option displays the cryptographic data produced in eye\-friendly billboards. -.It Fl e -Write the IFF client keys to the standard output. -This is intended for automatic key distribution by mail. -.It Fl G -Generate parameters and keys for the GQ identification scheme, -obsoleting any that may exist. -.It Fl g -Generate keys for the GQ identification scheme -using the existing GQ parameters. -If the GQ parameters do not yet exist, create them first. -.It Fl H -Generate new host keys, obsoleting any that may exist. -.It Fl I -Generate parameters for the IFF identification scheme, -obsoleting any that may exist. -.It Fl i Ar name -Set the suject name to -.Ar name . -This is used as the subject field in certificates -and in the file name for host and sign keys. -.It Fl M -Generate MD5 keys, obsoleting any that may exist. -.It Fl P -Generate a private certificate. +.It Fl D Fl \-set\-debug\-level Ns = Ar level +Set the debugging verbosity to +.Ar level . +This option displays the cryptographic data produced in eye\-friendly billboards. +.It Fl e Fl \-id\-key +Write the +.Cm IFF +or +.Cm GQ +public parameters from the +.Ar IFFkey or GQkey +client keys file previously specified +as unencrypted data to the standard output stream +.Pa stdout . +This is intended for automatic key distribution by email. +.It Fl G Fl \-gq\-params +Generate a new encrypted +.Cm GQ +parameters and key file for the Guillou\-Quisquater (GQ) identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl V +options. +.It Fl H Fl \-host\-key +Generate a new encrypted +.Cm RSA +public/private host key file. +.It Fl I Fl \-iffkey +Generate a new encrypted +.Cm IFF +key file for the Schnorr (IFF) identity scheme. +This option is mutually exclusive with the +.Fl G +and +Fl V +options. +.It Fl i Fl \-ident Ns = Ar group +Set the optional Autokey group name to +.Ar group . +This is used in the identity scheme parameter file names of +.Cm IFF , GQ , +and +.Cm MV +client parameters files. +In that role, the default is the host name if no group is provided. +The group name, if specified using +.Fl i +or +.Fl s +following an +.Ql @ +character, is also used in certificate subject and issuer names in the form +.Ar host @ group +and should match the group specified via +.Ic crypto Cm ident +or +.Ic server Cm ident +in the ntpd configuration file. +.It Fl l Fl \-lifetime Ns = Ar days +Set the lifetime for certificate expiration to +.Ar days . +The default lifetime is one year (365 days). +.It Fl m Fl \-modulus Ns = Ar bits +Set the number of bits in the prime modulus for generating files to +.Ar bits . +The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets). +Use the larger moduli with caution, as this can consume considerable computing +resources and increases the size of authenticated packets. +.It Fl M Fl \-md5key +Generate a new symmetric keys file containing 10 +.Cm MD5 +keys, and if OpenSSL is available, 10 +.Cm SHA +keys. +An +.Cm MD5 +key is a string of 20 random printable ASCII characters, while a +.Cm SHA +key is a string of 40 random hex digits. +The file can be edited using a text editor to change the key type or key content. +This option is mutually exclusive with all other options. +.It Fl p Fl \-password Ns = Ar passwd +Set the password for reading and writing encrypted files to +.Ar passwd . +These include the host, sign and identify key files. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl P Fl \-pvt\-cert +Generate a new private certificate used by the +.Cm PC +identity scheme. By default, the program generates public certificates. -.It Fl p Ar password -Encrypt generated files containing private data with -.Ar password -and the DES\-CBC algorithm. -.It Fl q -Set the password for reading files to password. -.It Fl S Oo Cm RSA | DSA Oc -Generate a new sign key of the designated type, -obsoleting any that may exist. -By default, the program uses the host key as the sign key. -.It Fl s Ar name -Set the issuer name to -.Ar name . -This is used for the issuer field in certificates -and in the file name for identity files. -.It Fl T +Note: the PC identity scheme is not recommended for new installations. +.It Fl q Fl \-export\-passwd Ns = Ar passwd +Set the password for writing encrypted +.Cm IFF , GQ and MV +identity files redirected to +.Pa stdout +to +.Ar passwd . +In effect, these files are decrypted with the +.Fl p +password, then encrypted with the +.Fl q +password. +By default, the password is the string returned by the Unix +.Ic hostname +command. +.It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group +Specify the Autokey host name, where +.Ar host +is the optional host name and +.Ar group +is the optional group name. +The host name, and if provided, group name are used in +.Ar host @ group +form as certificate subject and issuer. +Specifying +.Fl s @ Ar group +is allowed, and results in leaving the host name unchanged, as with +.Fl i Ar group . +The group name, or if no group is provided, the host name are also used in the +file names of +.Cm IFF , GQ , +and +.Cm MV +identity scheme client parameter files. +If +.Ar host +is not specified, the default host name is the string returned by the Unix +.Ic hostname +command. +.It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA +Generate a new encrypted public/private sign key file of the specified type. +By default, the sign key is the host key and has the same type. +If compatibility with FIPS 140\-2 is required, the sign key type must be +.Cm DSA . +.It Fl T Fl \-trusted\-cert Generate a trusted certificate. By default, the program generates a non\-trusted certificate. -.It Fl V Ar nkeys -Generate parameters and keys for the Mu\-Varadharajan (MV) identification scheme. +.It Fl V Fl \-mv\-params Ar nkeys +Generate +.Ar nkeys +encrypted server keys and parameters for the Mu\-Varadharajan (MV) +identity scheme. +This option is mutually exclusive with the +.Fl I +and +.Fl G +options. +Note: support for this option should be considered a work in progress. .El .Ss Random Seed File All cryptographically sound key generation schemes must have means @@ -746,14 +838,14 @@ but are outside the scope of this page. .Pp The entropy seed used by the OpenSSL library is contained in a file, usually called -.Cm .rnd , +.Pa .rnd , which must be available when starting the NTP daemon or the .Nm program. The NTP daemon will first look for the file using the path specified by the -.Ic randfile +.Cm randfile subcommand of the .Ic crypto configuration command. @@ -769,44 +861,118 @@ If the .Ev RANDFILE environment variable is not present, the library will look for the -.Cm .rnd +.Pa .rnd file in the user home directory. +Since both the +.Nm +program and +.Xr ntpd 8 +daemon must run as root, the logical place to put this file is in +.Pa /.rnd +or +.Pa /root/.rnd . If the file is not available or cannot be written, the daemon exits with a message to the system log and the program exits with a suitable error message. .Ss Cryptographic Data Files -All other file formats begin with two lines. -The first contains the file name, including the generated host name -and filestamp. -The second contains the datestamp in conventional Unix date format. -Lines beginning with # are considered comments and ignored by the +All file formats begin with two nonencrypted lines. +The first line contains the file name, including the generated host name +and filestamp, in the format +.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp , +where +.Ar key +is the key or parameter type, +.Ar name +is the host or group name and +.Ar filestamp +is the filestamp (NTP seconds) when the file was created. +By convention, +.Ar key +names in generated file names include both upper and lower case +characters, while +.Ar key +names in generated link names include only lower case characters. +The filestamp is not used in generated link names. +The second line contains the datestamp in conventional Unix +.Pa date +format. +Lines beginning with +.Ql # +are considered comments and ignored by the .Nm program and .Xr ntpd 8 daemon. -Cryptographic values are encoded first using ASN.1 rules, -then encrypted if necessary, and finally written PEM\-encoded -printable ASCII format preceded and followed by MIME content identifier lines. .Pp -The format of the symmetric keys file is somewhat different -than the other files in the interest of backward compatibility. -Since DES\-CBC is deprecated in NTPv4, the only key format of interest -is MD5 alphanumeric strings. -Following hte heard the keys are -entered one per line in the format -.D1 Ar keyno type key +The remainder of the file contains cryptographic data, encoded first using ASN.1 +rules, then encrypted if necessary, and finally written in PEM\-encoded +printable ASCII text, preceded and followed by MIME content identifier lines. +.Pp +The format of the symmetric keys file, ordinarily named +.Pa ntp.keys , +is somewhat different than the other files in the interest of backward compatibility. +Ordinarily, the file is generated by this program, but it can be constructed +and edited using an ordinary text editor. +.Bd -literal -unfilled -offset center +# ntpkey_MD5key_bk.ntp.org.3595864945 +# Thu Dec 12 19:22:25 2013 +1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key +2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key +3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key +4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key +5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key +6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key +7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key +8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key +9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key +10 MD5 2late4Me # MD5 key +11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key +12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key +13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key +14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key +15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key +16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key +17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key +18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key +19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key +20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key +.Ed +.D1 Figure 1. Typical Symmetric Key File +.Pp +Figure 1 shows a typical symmetric keys file used by the reference +implementation. +Following the header the keys are entered one per line in the format +.D1 Ar keyno Ar type Ar key where .Ar keyno -is a positive integer in the range 1\-65,535, +is a positive integer in the range 1\-65534; .Ar type -is the string MD5 defining the key format and +is the key type for the message digest algorithm, which in the absence of the +OpenSSL library must be +.Cm MD5 +to designate the MD5 message digest algorithm; +if the OpenSSL library is installed, the key type can be any +message digest algorithm supported by that library; +however, if compatibility with FIPS 140\-2 is required, +the key type must be either +.Cm SHA +or +.Cm SHA1 ; .Ar key is the key itself, -which is a printable ASCII string 16 characters or less in length. -Each character is chosen from the 93 printable characters -in the range 0x21 through 0x7f excluding space and the +which is a printable ASCII string 20 characters or less in length: +each character is chosen from the 93 printable characters +in the range 0x21 through 0x7e ( +.Ql ! +through +.Ql ~ +\&) excluding space and the +.Ql # +character, and terminated by whitespace or a .Ql # character. +An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which +is truncated as necessary. .Pp Note that the keys used by the .Xr ntpq 8 @@ -819,8 +985,8 @@ in human readable ASCII format. .Pp The .Nm -program generates a MD5 symmetric keys file -.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp . +program generates a symmetric keys file +.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp . Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. @@ -858,10 +1024,10 @@ The number of bits in the identity modulus. The default is 256. certificate scheme. .sp scheme is one of -RSA\-MD2, RSA\-MD5, RSA\-SHA, RSA\-SHA1, RSA\-MDC2, RSA\-RIPEMD160, +RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160, DSA\-SHA, or DSA\-SHA1. .sp -Select the certificate message digest/signature encryption scheme. +Select the certificate signature encryption/message digest scheme. Note that RSA schemes must be used with a RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is RSA\-MD5. @@ -870,7 +1036,7 @@ privatekey cipher. .sp Select the cipher which is used to encrypt the files containing private keys. The default is three\-key triple DES in CBC mode, -equivalent to "@code{\-C des\-ede3\-cbc". The openssl tool lists ciphers +equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers available in "\fBopenssl \-h\fP" output. .It Fl d , Fl \-debug\-level Increase debug verbosity level. @@ -884,8 +1050,9 @@ This option takes an integer number as its argument. .It Fl e , Fl \-id\-key Write IFF or GQ identity keys. .sp -Write the IFF or GQ client keys to the standard output. This is -intended for automatic key distribution by mail. +Write the public parameters from the IFF or GQ client keys to +the standard output. +This is intended for automatic key distribution by email. .It Fl G , Fl \-gq\-params Generate GQ parameters and keys. .sp @@ -908,21 +1075,17 @@ the file name of IFF, GQ, and MV client parameters files. In that role, the default is the host name if this option is not provided. The group name, if specified using \fB\-i/\-\-ident\fP or using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character, -is also a part of the self\-signed host certificate's subject and +is also a part of the self\-signed host certificate subject and issuer names in the form \fBhost@group\fP and should match the -\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in -\fBntpd\fP's configuration file. +\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the +\fBntpd\fP configuration file. .It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime set certificate lifetime. This option takes an integer number as its argument. .sp Set the certificate expiration to lifetime days from now. -.It Fl M , Fl \-md5key -generate MD5 keys. -.sp -Generate MD5 keys, obsoleting any that may exist. .It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus -modulus. +prime modulus. This option takes an integer number as its argument. The value of .Ar modulus @@ -935,6 +1098,10 @@ in the range 256 through 2048 .in -4 .sp The number of bits in the prime modulus. The default is 512. +.It Fl M , Fl \-md5key +generate symmetric keys. +.sp +Generate symmetric keys, obsoleting any that may exist. .It Fl P , Fl \-pvt\-cert generate PC private certificate. .sp @@ -956,12 +1123,6 @@ encrypted with the DES\-CBC algorithm and the specified password. The same password must be specified to the remote ntpd via the "crypto pw password" configuration command. See also the option -\-id\-key (\-e) for unencrypted exports. -.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign -generate sign key (RSA or DSA). -.sp -Generate a new sign key of the designated type, obsoleting any -that may exist. By default, the program uses the host key as the -sign key. .It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group set host and optionally group name. .sp @@ -969,12 +1130,18 @@ Set the Autokey host name, and optionally, group name specified following an '\fB@\fP' character. The host name is used in the file name of generated host and signing certificates, without the group name. The host name, and if provided, group name are used -in \fBhost@group\fP form for the host certificate's subject and issuer +in \fBhost@group\fP form for the host certificate subject and issuer fields. Specifying '\fB\-s @group\fP' is allowed, and results in leaving the host name unchanged while appending \fB@group\fP to the subject and issuer fields, as with \fB\-i group\fP. The group name, or if not provided, the host name are also used in the file names of IFF, GQ, and MV client parameter files. +.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign +generate sign key (RSA or DSA). +.sp +Generate a new sign key of the designated type, obsoleting any +that may exist. By default, the program uses the host key as the +sign key. .It Fl T , Fl \-trusted\-cert trusted certificate (TC scheme). .sp @@ -1023,18 +1190,6 @@ The \fIhomerc\fP files are "\fI$HOME\fP", and "\fI.\fP". If any of these are directories, then the file \fI.ntprc\fP is searched for within those directories. .Sh USAGE -The -.Fl p Ar password -option specifies the write password and -.Fl q Ar password -option the read password for previously encrypted files. -The -.Nm -program prompts for the password if it reads an encrypted file -and the password is missing or incorrect. -If an encrypted file is read successfully and -no write password is specified, the read password is used -as the write password by default. .Sh "ENVIRONMENT" See \fBOPTION PRESETS\fP for configuration environment variables. .Sh "FILES" @@ -1058,10 +1213,7 @@ The University of Delaware and Network Time Foundation Copyright (C) 1992\-2017 The University of Delaware and Network Time Foundation all rights reserved. This program is released under the terms of the NTP license, <http://ntp.org/license>. .Sh BUGS -It can take quite a while to generate some cryptographic values, -from one to several minutes with modern architectures -such as UltraSPARC and up to tens of minutes to an hour -with older architectures such as SPARC IPC. +It can take quite a while to generate some cryptographic values. .Pp Please report bugs to http://bugs.ntp.org . .Pp diff --git a/usr.sbin/ntp/doc/ntp.conf.5 b/usr.sbin/ntp/doc/ntp.conf.5 index be288c6..14632ce 100644 --- a/usr.sbin/ntp/doc/ntp.conf.5 +++ b/usr.sbin/ntp/doc/ntp.conf.5 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_CONF 5 File Formats .Os .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:31:09 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5 .\" From the definitions ntp.conf.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -1534,6 +1534,7 @@ subcommand specifies the probability of discard for packets that overflow the rate\-control window. .It Xo Ic restrict address .Op Cm mask Ar mask +.Op Cm ippeerlimit Ar int .Op Ar flag ... .Xc The @@ -1559,6 +1560,15 @@ Note that text string .Cm default , with no mask option, may be used to indicate the default entry. +The +.Cm ippeerlimit +directive limits the number of peer requests for each IP to +.Ar int , +where a value of \-1 means "unlimited", the current default. +A value of 0 means "none". +There would usually be at most 1 peering request per IP, +but if the remote peering requests are behind a proxy +there could well be more than 1 per IP. In the current implementation, .Cm flag always @@ -1609,6 +1619,18 @@ basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps. +.It Cm noepeer +Deny ephemeral peer requests, +even if they come from an authenticated source. +Note that the ability to use a symmetric key for authentication may be restricted to +one or more IPs or subnets via the third field of the +.Pa ntp.keys +file. +This restriction is not enabled by default, +to maintain backward compatability. +Expect +.Cm noepeer +to become the default in ntp\-4.4. .It Cm nomodify Deny .Xr ntpq 8 @@ -1626,10 +1648,10 @@ and queries. Time service is not affected. .It Cm nopeer -Deny packets which would result in mobilizing a new association. -This -includes broadcast and symmetric active packets when a configured -association does not exist. +Deny unauthenticated packets which would result in mobilizing a new association. +This includes +broadcast and symmetric active packets +when a configured association does not exist. It also includes .Cm pool associations, so if you want to use servers from a @@ -1637,8 +1659,9 @@ associations, so if you want to use servers from a directive and also want to use .Cm nopeer by default, you'll want a -.Cm "restrict source ..." line as well that does -.It not +.Cm "restrict source ..." +line as well that does +.Em not include the .Cm nopeer directive. @@ -2013,9 +2036,10 @@ there is clear benefit to having the clients notice this change as soon as possible. Attacks such as replay attacks can happen, however, and even though there are a number of protections built in to -broadcast mode, attempts to perform a replay attack are possible. +broadcast mode, attempts to perform a replay attack are possible. This value defaults to 0, but can be changed to any number of poll intervals between 0 and 4. +.El .Ss Manycast Options .Bl -tag -width indent .It Xo Ic tos @@ -2361,7 +2385,7 @@ specific drivers in the page (available as part of the HTML documentation provided in -.Pa /usr/share/doc/ntp ) . +.Pa /usr/share/doc/ntp ). .It Cm stratum Ar int Specifies the stratum number assigned to the driver, an integer between 0 and 15. @@ -2639,6 +2663,79 @@ This option is useful for sites that run .Xr ntpd 8 on multiple hosts, with (mostly) common options (e.g., a restriction list). +.It Xo Ic interface +.Oo +.Cm listen | Cm ignore | Cm drop +.Oc +.Oo +.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard +.Ar name | Ar address +.Oo Cm / Ar prefixlen +.Oc +.Oc +.Xc +The +.Cm interface +directive controls which network addresses +.Xr ntpd 8 +opens, and whether input is dropped without processing. +The first parameter determines the action for addresses +which match the second parameter. +The second parameter specifies a class of addresses, +or a specific interface name, +or an address. +In the address case, +.Ar prefixlen +determines how many bits must match for this rule to apply. +.Cm ignore +prevents opening matching addresses, +.Cm drop +causes +.Xr ntpd 8 +to open the address and drop all received packets without examination. +Multiple +.Cm interface +directives can be used. +The last rule which matches a particular address determines the action for it. +.Cm interface +directives are disabled if any +.Fl I , +.Fl \-interface , +.Fl L , +or +.Fl \-novirtualips +command\-line options are specified in the configuration file, +all available network addresses are opened. +The +.Cm nic +directive is an alias for +.Cm interface . +.It Ic leapfile Ar leapfile +This command loads the IERS leapseconds file and initializes the +leapsecond values for the next leapsecond event, leapfile expiration +time, and TAI offset. +The file can be obtained directly from the IERS at +.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list +or +.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list . +The +.Cm leapfile +is scanned when +.Xr ntpd 8 +processes the +.Cm leapfile directive or when +.Cm ntpd detects that the +.Ar leapfile +has changed. +.Cm ntpd +checks once a day to see if the +.Ar leapfile +has changed. +The +.Xr update\-leap 1update_leapmdoc +script can be run to see if the +.Ar leapfile +should be updated. .It Ic leapsmearinterval Ar seconds This EXPERIMENTAL option is only available if .Xr ntpd 8 @@ -2743,6 +2840,181 @@ facility. This is the same operation as the .Fl l command line option. +.It Xo Ic mru +.Oo +.Cm maxdepth Ar count | Cm maxmem Ar kilobytes | +.Cm mindepth Ar count | Cm maxage Ar seconds | +.Cm initialloc Ar count | Cm initmem Ar kilobytes | +.Cm incalloc Ar count | Cm incmem Ar kilobytes +.Oc +.Xc +Controls size limite of the monitoring facility's Most Recently Used +(MRU) list +of client addresses, which is also used by the +rate control facility. +.Bl -tag -width indent +.It Ic maxdepth Ar count +.It Ic maxmem Ar kilobytes +Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes. +The acutal limit will be up to +.Cm incalloc +entries or +.Cm incmem +kilobytes larger. +As with all of the +.Cm mru +options offered in units of entries or kilobytes, if both +.Cm maxdepth +and +.Cm maxmem are used, the last one used controls. +The default is 1024 kilobytes. +.It Cm mindepth Ar count +Lower limit on the MRU list size. +When the MRU list has fewer than +.Cm mindepth +entries, existing entries are never removed to make room for newer ones, +regardless of their age. +The default is 600 entries. +.It Cm maxage Ar seconds +Once the MRU list has +.Cm mindepth +entries and an additional client is to ba added to the list, +if the oldest entry was updated more than +.Cm maxage +seconds ago, that entry is removed and its storage is reused. +If the oldest entry was updated more recently the MRU list is grown, +subject to +.Cm maxdepth / moxmem . +The default is 64 seconds. +.It Cm initalloc Ar count +.It Cm initmem Ar kilobytes +Initial memory allocation at the time the monitoringfacility is first enabled, +in terms of the number of entries or kilobytes. +The default is 4 kilobytes. +.It Cm incalloc Ar count +.It Cm incmem Ar kilobytes +Size of additional memory allocations when growing the MRU list, in entries or kilobytes. +The default is 4 kilobytes. +.El +.It Ic nonvolatile Ar threshold +Specify the +.Ar threshold +delta in seconds before an hourly change to the +.Cm driftfile +(frequency file) will be written, with a default value of 1e\-7 (0.1 PPM). +The frequency file is inspected each hour. +If the difference between the current frequency and the last value written +exceeds the threshold, the file is written and the +.Cm threshold +becomes the new threshold value. +If the threshold is not exceeeded, it is reduced by half. +This is intended to reduce the number of file writes +for embedded systems with nonvolatile memory. +.It Ic phone Ar dial ... +This command is used in conjunction with +the ACTS modem driver (type 18) +or the JJY driver (type 40, mode 100 \- 180). +For the ACTS modem driver (type 18), the arguments consist of +a maximum of 10 telephone numbers used to dial USNO, NIST, or European +time service. +For the JJY driver (type 40 mode 100 \- 180), the argument is +one telephone number used to dial the telephone JJY service. +The Hayes command ATDT is normally prepended to the number. +The number can contain other modem control codes as well. +.It Xo Ic reset +.Oo +.Ic allpeers +.Oc +.Oo +.Ic auth +.Oc +.Oo +.Ic ctl +.Oc +.Oo +.Ic io +.Oc +.Oo +.Ic mem +.Oc +.Oo +.Ic sys +.Oc +.Oo +.Ic timer +.Oc +.Xc +Reset one or more groups of counters maintained by +.Cm ntpd +and exposed by +.Cm ntpq +and +.Cm ntpdc . +.It Xo Ic rlimit +.Oo +.Cm memlock Ar Nmegabytes | +.Cm stacksize Ar N4kPages +.Cm filenum Ar Nfiledescriptors +.Oc +.Xc +.Bl -tag -width indent +.It Cm memlock Ar Nmegabytes +Specify the number of megabytes of memory that should be +allocated and locked. +Probably only available under Linux, this option may be useful +when dropping root (the +.Fl i +option). +The default is 32 megabytes on non\-Linux machines, and \-1 under Linux. +-1 means "do not lock the process into memory". +0 means "lock whatever memory the process wants into memory". +.It Cm stacksize Ar N4kPages +Specifies the maximum size of the process stack on systems with the +.Fn mlockall +function. +Defaults to 50 4k pages (200 4k pages in OpenBSD). +.It Cm filenum Ar Nfiledescriptors +Specifies the maximum number of file descriptors ntpd may have open at once. +Defaults to the system default. +.El +.It Ic saveconfigdir Ar directory_path +Specify the directory in which to write configuration snapshots +requested with +.Cm ntpq 's +.Cm saveconfig +command. +If +.Cm saveconfigdir +does not appear in the configuration file, +.Cm saveconfig +requests are rejected by +.Cm ntpd . +.It Ic saveconfig Ar filename +Write the current configuration, including any runtime +modifications given with +.Cm :config +or +.Cm config\-from\-file +to the +.Cm ntpd +host's +.Ar filename +in the +.Cm saveconfigdir . +This command will be rejected unless the +.Cm saveconfigdir +directive appears in +.Cm ntpd 's +configuration file. +.Ar filename +can use +.Xr strftime 3 +format directives to substitute the current date and time, +for example, +.Cm saveconfig\ ntp\-%Y%m%d\-%H%M%S.conf . +The filename used is stored in the system variable +.Cm savedconfig . +Authentication is required. .It Ic setvar Ar variable Op Cm default This command adds an additional system variable. These @@ -2781,6 +3053,10 @@ holds the names of all peer variables and the .Va clock_var_list holds the names of the reference clock variables. +.It Cm sysinfo +Display operational summary. +.It Cm sysstats +Show statistics counters maintained in the protocol module. .It Xo Ic tinker .Oo .Cm allan Ar allan | @@ -2870,33 +3146,18 @@ be set to any positive number in seconds. If set to zero, the stepout pulses will not be suppressed. .El -.It Xo Ic rlimit -.Oo -.Cm memlock Ar Nmegabytes | -.Cm stacksize Ar N4kPages -.Cm filenum Ar Nfiledescriptors -.Oc -.Xc -.Bl -tag -width indent -.It Cm memlock Ar Nmegabytes -Specify the number of megabytes of memory that should be -allocated and locked. -Probably only available under Linux, this option may be useful -when dropping root (the -.Fl i -option). -The default is 32 megabytes on non\-Linux machines, and \-1 under Linux. --1 means "do not lock the process into memory". -0 means "lock whatever memory the process wants into memory". -.It Cm stacksize Ar N4kPages -Specifies the maximum size of the process stack on systems with the -.Fn mlockall -function. -Defaults to 50 4k pages (200 4k pages in OpenBSD). -.It Cm filenum Ar Nfiledescriptors -Specifies the maximum number of file descriptors ntpd may have open at once. -Defaults to the system default. -.El +.It Cm writevar Ar assocID\ name = value [,...] +Write (create or update) the specified variables. +If the +.Cm assocID +is zero, the variablea re from the +system variables +name space, otherwise they are from the +peer variables +name space. +The +.Cm assocID +is required, as the same name can occur in both name spaces. .It Xo Ic trap Ar host_address .Op Cm port Ar port_number .Op Cm interface Ar interface_address @@ -2911,6 +3172,13 @@ message is sent with a source address of the local interface the message is sent through. Note that on a multihomed host the interface used may vary from time to time with routing changes. +.It Cm ttl Ar hop ... +This command specifies a list of TTL values in increasing order. +Up to 8 values can be specified. +In +.Cm manycast +mode these values are used in\-turn in an expanding\-ring search. +The default is eight multiples of 32 starting at 31. .Pp The trap receiver will generally log event messages and other information from the server in a log file. diff --git a/usr.sbin/ntp/doc/ntp.keys.5 b/usr.sbin/ntp/doc/ntp.keys.5 index 68431c8..aeb7338 100644 --- a/usr.sbin/ntp/doc/ntp.keys.5 +++ b/usr.sbin/ntp/doc/ntp.keys.5 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTP_KEYS 5 File Formats .Os SunOS 5.10 .\" EDIT THIS FILE WITH CAUTION (ntp.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:22 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5 .\" From the definitions ntp.keys.def .\" and the template file agmdoc-file.tpl .Sh NAME @@ -53,16 +53,24 @@ where is a positive integer (between 1 and 65534), .Ar type is the message digest algorithm, -and .Ar key is the key itself, and .Ar opt_IP_list is an optional comma\-separated list of IPs +where the +.Ar keyno +should be trusted. that are allowed to serve time. +Each IP in +.Ar opt_IP_list +may contain an optional +.Cm /subnetbits +specification which identifies the number of bits for +the desired subnet of trust. If .Ar opt_IP_list is empty, -any properly\-authenticated server message will be +any properly\-authenticated message will be accepted. .Pp The diff --git a/usr.sbin/ntp/doc/ntpd.8 b/usr.sbin/ntp/doc/ntpd.8 index 179f5ea..7fb6529 100644 --- a/usr.sbin/ntp/doc/ntpd.8 +++ b/usr.sbin/ntp/doc/ntpd.8 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPD 8 User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:23 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:14:47 PM by AutoGen 5.18.5 .\" From the definitions ntpd-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/usr.sbin/ntp/doc/ntpdc.8 b/usr.sbin/ntp/doc/ntpdc.8 index ab3859e..c1b9c3e 100644 --- a/usr.sbin/ntp/doc/ntpdc.8 +++ b/usr.sbin/ntp/doc/ntpdc.8 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPDC 8 User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:44:57 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:09 PM by AutoGen 5.18.5 .\" From the definitions ntpdc-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME diff --git a/usr.sbin/ntp/doc/ntpq.8 b/usr.sbin/ntp/doc/ntpq.8 index 03f50bd..f1b77d3 100644 --- a/usr.sbin/ntp/doc/ntpq.8 +++ b/usr.sbin/ntp/doc/ntpq.8 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt NTPQ 8 User Commands .Os .\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:45:31 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:15:28 PM by AutoGen 5.18.5 .\" From the definitions ntpq-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -20,15 +20,12 @@ [ host ...] .Pp .Sh DESCRIPTION +.Pp The .Nm -utility program is used to query NTP servers which -implement the standard NTP mode 6 control message formats defined -in Appendix B of the NTPv3 specification RFC1305, requesting +utility program is used to query NTP servers to monitor NTP operations +and performance, requesting information about current state and/or changes in that state. -The same formats are used in NTPv4, although some of the -variables have changed and new ones added. The description on this -page is for the NTPv4 variables. The program may be run either in interactive mode or controlled using command line arguments. Requests to read and write arbitrary @@ -39,6 +36,7 @@ The utility can also obtain and print a list of peers in a common format by sending multiple queries to the server. +.Pp If one or more request options is included on the command line when .Nm @@ -56,6 +54,7 @@ The .Nm utility will prompt for commands if the standard input is a terminal device. +.Pp .Nm uses NTP mode 6 packets to communicate with the NTP server, and hence can be used to query any compatible server on @@ -69,6 +68,17 @@ utility makes one attempt to retransmit requests, and will time requests out if the remote host is not heard from within a suitable timeout time. +.Pp +Note that in contexts where a host name is expected, a +.Fl 4 +qualifier preceding the host name forces resolution to the IPv4 +namespace, while a +.Fl 6 +qualifier forces resolution to the IPv6 namespace. +For examples and usage, see the +.Dq NTP Debugging Techniques +page. +.Pp Specifying a command line option other than .Fl i @@ -82,51 +92,46 @@ Otherwise, will attempt to read interactive format commands from the standard input. .Ss "Internal Commands" +.Pp Interactive format commands consist of a keyword followed by zero to four arguments. Only enough characters of the full keyword to uniquely identify the command need be typed. +.Pp A number of interactive format commands are executed entirely within the .Nm -utility itself and do not result in NTP mode 6 +utility itself and do not result in NTP requests being sent to a server. These are described following. -.Bl -tag -width "? [command_keyword]" -compact -offset indent -.It Ic ? Op Ar command_keyword -.It Ic help Op Ar command_keyword +.Bl -tag -width "help [command]" -compact -offset indent +.It Ic ? Op Ar command +.It Ic help Op Ar command A .Ql \&? -by itself will print a list of all the command -keywords known to this incarnation of +by itself will print a list of all the commands +known to .Nm . A .Ql \&? -followed by a command keyword will print function and usage +followed by a command name will print function and usage information about the command. -This command is probably a better -source of information about -.Nm -than this manual -page. -.It Ic addvars Ar variable_name Ns Xo Op Ic =value -.Ic ... -.Xc -.It Ic rmvars Ar variable_name Ic ... +.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,... +.It Ic rmvars Ar name Ns Op ,... .It Ic clearvars .It Ic showvars -The data carried by NTP mode 6 messages consists of a list of +The arguments to this command consist of a list of items of the form -.Ql variable_name=value , +.Ar name Ns Op \&= Ns Ar value , where the -.Ql =value +.No \&= Ns Ar value is ignored, and can be omitted, in requests to the server to read variables. The .Nm -utility maintains an internal list in which data to be included in control -messages can be assembled, and sent using the +utility maintains an internal list in which data to be included in +messages can be assembled, and displayed or set using the .Ic readlist and .Ic writelist @@ -141,35 +146,31 @@ The .Ic rmvars command can be used to remove individual variables from the list, while the -.Ic clearlist +.Ic clearvars command removes all variables from the list. The .Ic showvars command displays the current list of optional variables. -.It Ic authenticate Op yes | no +.It Ic authenticate Op Cm yes Ns | Ns Cm no Normally .Nm does not authenticate requests unless they are write requests. The command -.Ql authenticate yes +.Ic authenticate Cm yes causes .Nm to send authentication with all requests it makes. Authenticated requests causes some servers to handle -requests slightly differently, and can occasionally melt the CPU in -fuzzballs if you turn authentication on before doing a -.Ic peer -display. +requests slightly differently. The command -.Ql authenticate +.Ic authenticate causes .Nm to display whether or not -.Nm -is currently autheinticating requests. +it is currently authenticating requests. .It Ic cooked Causes output from query commands to be "cooked", so that variables which are recognized by @@ -178,20 +179,13 @@ will have their values reformatted for human consumption. Variables which .Nm -thinks should have a decodable value but didn't are +could not decode completely are marked with a trailing .Ql \&? . -.It Xo -.Ic debug -.Oo -.Cm more | -.Cm less | -.Cm off -.Oc -.Xc +.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off With no argument, displays the current debug level. -Otherwise, the debug level is changed to the indicated level. -.It Ic delay Ar milliseconds +Otherwise, the debugging level is changed as indicated. +.It Ic delay Op Ar milliseconds Specify a time interval to be added to timestamps included in requests which require authentication. This is used to enable @@ -200,14 +194,21 @@ or between machines whose clocks are unsynchronized. Actually the server does not now require timestamps in authenticated requests, so this command may be obsolete. +Without any arguments, displays the current delay. +.It Ic drefid Op Cm hash Ns | Ns Cm ipv4 +Display refids as IPv4 or hash. +Without any arguments, displays whether refids are shown as IPv4 +addresses or hashes. .It Ic exit Exit .Nm . -.It Ic host Ar hostname +.It Ic host Op Ar name Set the host to which future queries will be sent. -.Ar hostname +The +.Ar name may be either a host name or a numeric address. -.It Ic hostnames Op Cm yes | Cm no +Without any arguments, displays the current host. +.It Ic hostnames Op Cm yes Ns | Ns Cm no If .Cm yes is specified, host names are printed in @@ -222,7 +223,9 @@ unless modified using the command line .Fl n switch. -.It Ic keyid Ar keyid +Without any arguments, displays whether host names or numeric addresses +are shown. +.It Ic keyid Op Ar keyid This command allows the specification of a key number to be used to authenticate configuration requests. This must correspond @@ -230,28 +233,20 @@ to the .Cm controlkey key number the server has been configured to use for this purpose. -.It Ic keytype Xo Oo -.Cm md5 | -.Cm OpenSSLDigestType -.Oc -.Xc -Specify the type of key to use for authenticating requests. -.Cm md5 -is alway supported. +Without any arguments, displays the current +.Ar keyid . +.It Ic keytype Op Ar digest +Specify the digest algorithm to use for authenticating requests, with default +.Cm MD5 . If .Nm -was built with OpenSSL support, -any digest type supported by OpenSSL can also be provided. +was built with OpenSSL support, and OpenSSL is installed, +.Ar digest +can be any message digest algorithm supported by OpenSSL. If no argument is given, the current -.Ic keytype -is displayed. -.It Ic ntpversion Xo Oo -.Cm 1 | -.Cm 2 | -.Cm 3 | -.Cm 4 -.Oc -.Xc +.Ic keytype Ar digest +algorithm used is displayed. +.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4 Sets the NTP version number which .Nm claims in @@ -269,13 +264,11 @@ requests. The password must correspond to the key configured for use by the NTP server for this purpose if such requests are to be successful. -.\" Not yet implemented. -.\" .It Ic poll -.\" .Op Ar n -.\" .Op Ic verbose -.\" Poll an NTP server in client mode -.\" .Ar n -.\" times. +.It Ic poll Oo Ar n Oc Op Cm verbose +Poll an NTP server in client mode +.Ar n +times. +Poll not implemented yet. .It Ic quit Exit .Nm . @@ -285,95 +278,150 @@ from the remote server. The only formating/interpretation done on the data is to transform nonascii data into a printable (but barely understandable) form. -.It Ic timeout Ar milliseconds +.It Ic timeout Op Ar milliseconds Specify a timeout period for responses to server queries. The default is about 5000 milliseconds. +Without any arguments, displays the current timeout period. Note that since .Nm retries each query once after a timeout, the total waiting time for a timeout will be twice the timeout value set. .It Ic version -Print the version of the +Display the version of the .Nm program. .El .Ss "Control Message Commands" -Association IDs are used to identify system, peer and clock variables. -System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace. -Most control commands send a single mode\-6 message to the server and expect a single response message. +Association ids are used to identify system, peer and clock variables. +System variables are assigned an association id of zero and system name +space, while each association is assigned a nonzero association id and +peer namespace. +Most control commands send a single message to the server and expect a +single response message. The exceptions are the -.Li peers +.Ic peers command, which sends a series of messages, and the -.Li mreadlist +.Ic mreadlist and -.Li mreadvar +.Ic mreadvar commands, which iterate over a range of associations. .Bl -tag -width "something" -compact -offset indent -.It Cm associations +.It Ic apeers +Display a list of peers in the form: +.Dl [tally]remote refid assid st t when pool reach delay offset jitter +where the output is just like the +.Ic peers +command except that the +.Cm refid +is displayed in hex format and the association number is also displayed. +.It Ic associations Display a list of mobilized associations in the form: .Dl ind assid status conf reach auth condition last_event cnt -.Bl -column -offset indent ".Sy Variable" ".Sy Description" -.It Sy String Ta Sy Description -.It Li ind Ta index on this list -.It Li assid Ta association ID -.It Li status Ta peer status word -.It Li conf Ta Li yes : persistent, Li no : ephemeral -.It Li reach Ta Li yes : reachable, Li no : unreachable -.It Li auth Ta Li ok , Li yes , Li bad and Li none -.It Li condition Ta selection status (see the Li select field of the peer status word) -.It Li last_event Ta event report (see the Li event field of the peer status word) -.It Li cnt Ta event count (see the Li count field of the peer status word) +.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word" +.It Sy Variable Ta Sy Description +.It Cm ind Ta index on this list +.It Cm assid Ta association id +.It Cm status Ta peer status word +.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral +.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable +.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none +.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&) +.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&) +.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&) .El -.It Cm authinfo -Display the authentication statistics. -.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ... -Display a list of clock variables for those associations supporting a reference clock. -.It Cm :config Op ... -Send the remainder of the command line, including whitespace, to the server as a run\-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required. -.It Cm config\-from\-file Ar filename -Send the each line of +.It Ic authinfo +Display the authentication statistics counters: +time since reset, stored keys, free keys, key lookups, keys not found, +uncached keys, expired keys, encryptions, decryptions. +.It Ic clocklist Op Ar associd +.It Ic cl Op Ar associd +Display all clock variables in the variable list for those associations +supporting a reference clock. +.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,... +Display a list of clock variables for those associations supporting a +reference clock. +.It Ic :config Ar "configuration command line" +Send the remainder of the command line, including whitespace, to the +server as a run\-time configuration command in the same format as a line +in the configuration file. +This command is experimental until further notice and clarification. +Authentication is of course required. +.It Ic config\-from\-file Ar filename +Send each line of .Ar filename -to the server as run\-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required. +to the server as run\-time configuration commands in the same format as +lines in the configuration file. +This command is experimental until further notice and clarification. +Authentication is required. .It Ic ifstats -Display statistics for each local network address. Authentication is required. +Display status and statistics counters for each local network interface address: +interface number, interface name and address or broadcast, drop, flag, +ttl, mc, received, sent, send failed, peers, uptime. +Authentication is required. .It Ic iostats -Display network and reference clock I/O statistics. +Display network and reference clock I/O statistics: +time since reset, receive buffers, free receive buffers, used receive buffers, +low water refills, dropped packets, ignored packets, received packets, +packets sent, packet send failures, input wakeups, useful input wakeups. .It Ic kerninfo -Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable. +Display kernel loop and PPS statistics: +associd, status, pll offset, pll frequency, maximum error, +estimated error, kernel status, pll time constant, precision, +frequency tolerance, pps frequency, pps stability, pps jitter, +calibration interval, calibration cycles, jitter exceeded, +stability exceeded, calibration errors. +As with other ntpq output, times are in milliseconds; very small values +may be shown as exponentials. +The precision value displayed is in milliseconds as well, unlike the +precision system variable. .It Ic lassociations -Perform the same function as the associations command, except display mobilized and unmobilized associations. -.It Ic lopeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc -Obtain and print a list of all peers and clients showing -.Ar dstadr -(associated with any given IP version). -.It Ic lpeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc -Print a peer spreadsheet for the appropriate IP version(s). -.Ar dstadr -(associated with any given IP version). +Perform the same function as the associations command, except display +mobilized and unmobilized associations, including all clients. +.It Ic lopeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients showing +.Cm dstadr +(associated with the given IP version). +.It Ic lpassociations +Display the last obtained list of associations, including all clients. +.It Ic lpeers Op Fl 4 Ns | Ns Fl 6 +Display a list of all peers and clients (associated with the given IP version). .It Ic monstats -Display monitor facility statistics. -.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc -Obtain and print traffic counts collected and maintained by the monitor facility. +Display monitor facility status, statistics, and limits: +enabled, addresses, peak addresses, maximum addresses, +reclaim above count, reclaim older than, kilobytes, maximum kilobytes. +.It Ic mreadlist Ar associdlo Ar associdhi +.It Ic mrl Ar associdlo Ar associdhi +Perform the same function as the +.Ic readlist +command for a range of association ids. +.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +This range may be determined from the list displayed by any +command showing associations. +.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,... +Perform the same function as the +.Ic readvar +command for a range of association ids. +This range may be determined from the list displayed by any +command showing associations. +.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count | +.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder | +.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc +.Xc +Display traffic counts of the most recently seen source addresses +collected and maintained by the monitor facility. With the exception of -.Cm sort Ns = Ns Ar sortorder , +.Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder , the options filter the list returned by -.Cm ntpd. +.Xr ntpd 8 . The .Cm limited and .Cm kod -options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response. +options return only entries representing client addresses from which the +last packet received triggered either discarding or a KoD response. The .Cm mincount Ns = Ns Ar count option filters entries representing less than @@ -394,18 +442,21 @@ The .Ar sortorder defaults to .Cm lstint -and may be any of +and may be .Cm addr , -.Cm count , .Cm avgint , +.Cm count , .Cm lstint , -or any of those preceded by a minus sign (hyphen) to reverse the sort order. +or any of those preceded by +.Ql \&\- +to reverse the sort order. The output columns are: .Bl -tag -width "something" -compact -offset indent .It Column Description .It Ic lstint -Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by +Interval in seconds between the receipt of the most recent packet from +this address and the completion of the retrieval of the MRU list by .Nm . .It Ic avgint Average interval in s between packets from this address. @@ -413,7 +464,8 @@ Average interval in s between packets from this address. Restriction flags associated with this address. Most are copied unchanged from the matching .Ic restrict -command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response. +command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless +the last packet from this address triggered a rate control response. .It Ic r Rate control indicator, either a period, @@ -431,27 +483,15 @@ Packets received from this address. .It Ic rport Source port of last packet from this address. .It Ic remote address -DNS name, numeric address, or address followed by +host or DNS name, numeric address, or address followed by claimed DNS name which could not be verified in parentheses. .El -.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ... -Perform the same function as the -.Ic readvar -command, except for a range of association IDs. -This range is determined from the association list cached by the most recent -.Ic associations -command. -.It Ic opeers Xo -.Oo Ic \-4 | -.Ic \-6 -.Oc -.Xc +.It Ic opeers Op Fl 4 | Fl 6 Obtain and print the old\-style list of all peers and clients showing -.Ar dstadr -(associated with any given IP version), +.Cm dstadr +(associated with the given IP version), rather than the -.Ar refid . +.Cm refid . .It Ic passociations Perform the same function as the .Ic associations @@ -463,28 +503,32 @@ Display a list of peers in the form: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic [tally] +.It Cm [tally] single\-character code indicating current value of the .Ic select field of the .Lk decode.html#peer "peer status word" -.It Ic remote +.It Cm remote host name (or IP number) of peer. -The value displayed will be truncated to 15 characters unless the +The value displayed will be truncated to 15 characters unless the +.Nm .Fl w -flag is given, in which case the full value will be displayed -on the first line, -and the remaining data is displayed on the next line. -.It Ic refid -association ID or +option is given, in which case the full value will be displayed +on the first line, and if too long, +the remaining data will be displayed on the next line. +.It Cm refid +source IP address or .Lk decode.html#kiss "'kiss code" -.It Ic st -stratum -.It Ic t +.It Cm st +stratum: 0 for local reference clocks, 1 for servers with local +reference clocks, ..., 16 for unsynchronized server clocks +.It Cm t .Ic u : unicast or manycast client, .Ic b : broadcast or multicast client, +.Ic p : +pool source, .Ic l : local (reference clock), .Ic s : @@ -495,115 +539,135 @@ manycast server, broadcast server, .Ic M : multicast server -.It Ic when -sec/min/hr since last received packet -.It Ic poll -poll interval (log2 s) -.It Ic reach +.It Cm when +time in seconds, minutes, hours, or days since the last packet +was received, or +.Ql \&\- +if a packet has never been received +.It Cm poll +poll interval (s) +.It Cm reach reach shift register (octal) -.It Ic delay +.It Cm delay roundtrip delay -.It Ic offset +.It Cm offset offset of server relative to this host -.It Ic jitter -jitter +.It Cm jitter +offset RMS error estimate. .El -.It Ic apeers -Display a list of peers in the form: -.Dl [tally]remote refid assid st t when pool reach delay offset jitter -where the output is just like the -.Ic peers -command except that the -.Ic refid -is displayed in hex format and the association number is also displayed. -.It Ic pstats Ar assocID -Show the statistics for the peer with the given -.Ar assocID . -.It Ic readlist Ar assocID -.It Ic rl Ar assocID -Read the system or peer variables included in the variable list. -.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc -Display the specified variables. +.It Ic pstats Ar associd +Display the statistics for the peer with the given +.Ar associd : +associd, status, remote host, local address, time last received, +time until next send, reachability change, packets sent, +packets received, bad authentication, bogus origin, duplicate, +bad dispersion, bad reference time, candidate order. +.It Ic readlist Op Ar associd +.It Ic rl Op Ar associd +Display all system or peer variables. +If the +.Ar associd +is omitted, it is assumed to be zero. +.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ... +Display the specified system or peer variables. If -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. If no .Ar name is included, all operative variables in the name space are displayed. In this case only, if the -.Ar assocID -is omitted, it is assumed zero. +.Ar associd +is omitted, it is assumed to be zero. Multiple names are specified with comma separators and without whitespace. Note that time values are represented in milliseconds and frequency values in parts\-per\-million (PPM). Some NTP timestamps are represented in the format -YYYYMMDDTTTT , -where YYYY is the year, -MM the month of year, -DD the day of month and -TTTT the time of day. +.Ar YYYY Ns Ar MM Ar DD Ar TTTT , +where +.Ar YYYY +is the year, +.Ar MM +the month of year, +.Ar DD +the day of month and +.Ar TTTT +the time of day. .It Ic reslist -Show the access control (restrict) list for +Display the access control (restrict) list for .Nm . +Authentication is required. .It Ic saveconfig Ar filename -Write the current configuration, -including any runtime modifications given with +Save the current configuration, +including any runtime modifications made by .Ic :config or .Ic config\-from\-file , -to the ntpd host's file +to the NTP server host file .Ar filename . This command will be rejected by the server unless .Lk miscopt.html#saveconfigdir "saveconfigdir" appears in the -.Ic ntpd +.Xr ntpd 8 configuration file. .Ar filename can use -.Xr strftime -format specifies to substitute the current date and time, for example, -.Ic q]saveconfig ntp\-%Y%m%d\-%H%M%S.confq] . +.Xr date 1 +format specifiers to substitute the current date and time, for +example, +.D1 Ic saveconfig Pa ntp\-%Y%m%d\-%H%M%S.conf . The filename used is stored in system variable -.Ic savedconfig . +.Cm savedconfig . Authentication is required. +.It Ic sysinfo +Display system operational summary: +associd, status, system peer, system peer mode, leap indicator, +stratum, log2 precision, root delay, root dispersion, +reference id, reference time, system jitter, clock jitter, +clock wander, broadcast delay, symm. auth. delay. +.It Ic sysstats +Display system uptime and packet counts maintained in the +protocol module: +uptime, sysstats reset, packets received, current version, +older version, bad length or format, authentication failed, +declined, restricted, rate limited, KoD responses, +processed for time. .It Ic timerstats -Display interval timer counters. -.It Ic writelist Ar assocID -Write the system or peer variables included in the variable list. -.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ... -Write the specified variables. +Display interval timer counters: +time since reset, timer overruns, calls to transmit. +.It Ic writelist Ar associd +Set all system or peer variables included in the variable list. +.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ... +Set the specified variables in the variable list. If the -.Ar assocID +.Ar associd is zero, the variables are from the .Sx System Variables name space, otherwise they are from the .Sx Peer Variables name space. The -.Ar assocID +.Ar associd is required, as the same name can occur in both spaces. -.It Ic sysinfo -Display operational summary. -.It Ic sysstats -Print statistics counters maintained in the protocol module. +Authentication is required. .El .Ss Status Words and Kiss Codes The current state of the operating program is shown in a set of status words maintained by the system. Status information is also available on a per\-association basis. -These words are displayed in the -.Ic rv +These words are displayed by the +.Ic readlist and -.Ic as +.Ic associations commands both in hexadecimal and in decoded short tip strings. The codes, tips and short explanations are documented on the .Lk decode.html "Event Messages and Status Words" @@ -620,58 +684,59 @@ They are now displayed, when appropriate, in the reference identifier field in various billboards. .Ss System Variables The following system variables appear in the -.Ic rv +.Ic readlist billboard. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic status +.It Cm status .Lk decode.html#sys "system status word" -.It Ic version +.It Cm version NTP software version and build time -.It Ic processor +.It Cm processor hardware platform and version -.It Ic system +.It Cm system operating system and version -.It Ic leap +.It Cm leap leap warning indicator (0\-3) -.It Ic stratum +.It Cm stratum stratum (1\-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total dispersion to the primary reference clock -.It Ic peer -system peer association ID -.It Ic tc -time constant and poll exponent (log2 s) (3\-17) -.It Ic mintc -minimum time constant (log2 s) (3\-10) -.It Ic clock -date and time of day -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic offset -combined offset of server relative to this host -.It Ic sys_jitter +.It Ic clock +date and time of day +.It Cm peer +system peer association id +.It Cm tc +time constant and poll exponent (log2 s) (3\-17) +.It Cm mintc +minimum time constant (log2 s) (3\-10) +.It Cm offset +combined offset of server relative to this host +.It Cm frequency +frequency drift (PPM) relative to hardware clock +.It Cm sys_jitter combined system jitter -.It Ic frequency -frequency offset (PPM) relative to hardware clock -.It Ic clk_wander +.It Cm clk_wander clock frequency wander (PPM) -.It Ic clk_jitter +.It Cm clk_jitter clock jitter -.It Ic tai +.It Cm tai TAI\-UTC offset (s) -.It Ic leapsec +.It Cm leapsec NTP seconds when the next leap second is/was inserted -.It Ic expire +.It Cm expire NTP seconds when the NIST leapseconds file expires .El The jitter and wander statistics are exponentially\-weighted RMS averages. @@ -685,98 +750,102 @@ depending on the particular Autokey dance: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic host +.It Cm host Autokey host name for this host -.It Ic ident +.It Cm ident Autokey group name for this host -.It Ic flags +.It Cm flags host flags (see Autokey specification) -.It Ic digest +.It Cm digest OpenSSL message digest algorithm -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic update +.It Cm update NTP seconds at last signature update -.It Ic cert +.It Cm cert certificate subject, issuer and certificate flags -.It Ic until +.It Cm until NTP seconds when the certificate expires .El .Ss Peer Variables The following peer variables appear in the -.Ic rv +.Ic readlist billboard for each association. Not all variables are displayed in some configurations. +.Pp .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#peer "peer status word" -.It Ic srcadr +.It Cm srcadr source (remote) IP address -.It Ic srcport +.It Cm srcport source (remote) port -.It Ic dstadr +.It Cm dstadr destination (local) IP address -.It Ic dstport +.It Cm dstport destination (local) port -.It Ic leap +.It Cm leap leap indicator (0\-3) -.It Ic stratum +.It Cm stratum stratum (0\-15) -.It Ic precision +.It Cm precision precision (log2 s) -.It Ic rootdelay +.It Cm rootdelay total roundtrip delay to the primary reference clock -.It Ic rootdisp +.It Cm rootdisp total root dispersion to the primary reference clock -.It Ic refid -reference ID or +.It Cm refid +reference id or .Lk decode.html#kiss "kiss code" -.It Ic reftime +.It Cm reftime reference time -.It Ic reach +.It Cm rec +last packet received time +.It Cm reach reach register (octal) -.It Ic unreach +.It Cm unreach unreach counter -.It Ic hmode +.It Cm hmode host mode (1\-6) -.It Ic pmode +.It Cm pmode peer mode (1\-5) -.It Ic hpoll +.It Cm hpoll host poll exponent (log2 s) (3\-17) -.It Ic ppoll +.It Cm ppoll peer poll exponent (log2 s) (3\-17) -.It Ic headway +.It Cm headway headway (see .Lk rate.html "Rate Management and the Kiss\-o'\-Death Packet" ) -.It Ic flash +.It Cm flash .Lk decode.html#flash "flash status word" -.It Ic offset +.It Cm keyid +symmetric key id +.It Cm offset filter offset -.It Ic delay +.It Cm delay filter delay -.It Ic dispersion +.It Cm dispersion filter dispersion -.It Ic jitter +.It Cm jitter filter jitter -.It Ic ident -Autokey group name for this association -.It Ic bias +.It Cm bias unicast/broadcast bias -.It Ic xleave +.It Cm xleave interleave delay (see .Lk xleave.html "NTP Interleaved Modes" ) .El The -.Ic bias +.Cm bias variable is calculated when the first broadcast packet is received after the calibration volley. -It represents the offset of the broadcast subgraph relative to the unicast subgraph. +It represents the offset of the broadcast subgraph relative to the +unicast subgraph. The -.Ic xleave +.Cm xleave variable appears only for the interleaved symmetric and interleaved modes. It represents the internal queuing, buffering and transmission delays for the preceding packet. @@ -786,71 +855,73 @@ additional peer variables are displayed, including the following: .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic host +.It Cm host Autokey server name -.It Ic flags +.It Cm flags peer flags (see Autokey specification) -.It Ic signature +.It Cm signature OpenSSL digest/signature scheme -.It Ic initsequence -initial key ID -.It Ic initkey +.It Cm initsequence +initial key id +.It Cm initkey initial key index -.It Ic timestamp +.It Cm timestamp Autokey signature timestamp +.It Cm ident +Autokey group name for this association .El .Ss Clock Variables The following clock variables appear in the -.Ic cv +.Ic clocklist billboard for each association with a reference clock. Not all variables are displayed in some configurations. .Bl -tag -width "something" -compact -offset indent .It Variable Description -.It Ic associd -association ID -.It Ic status +.It Cm associd +association id +.It Cm status .Lk decode.html#clock "clock status word" -.It Ic device +.It Cm device device description -.It Ic timecode +.It Cm timecode ASCII time code string (specific to device) -.It Ic poll +.It Cm poll poll messages sent -.It Ic noreply +.It Cm noreply no reply -.It Ic badformat +.It Cm badformat bad format -.It Ic baddata +.It Cm baddata bad date or time -.It Ic fudgetime1 +.It Cm fudgetime1 fudge time 1 -.It Ic fudgetime2 +.It Cm fudgetime2 fudge time 2 -.It Ic stratum +.It Cm stratum driver stratum -.It Ic refid -driver reference ID -.It Ic flags +.It Cm refid +driver reference id +.It Cm flags driver flags .El .Sh "OPTIONS" .Bl -tag .It Fl 4 , Fl \-ipv4 -Force IPv4 DNS name resolution. +Force IPv4 name resolution. This option must not appear in combination with any of the following options: ipv6. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv4 namespace. .It Fl 6 , Fl \-ipv6 -Force IPv6 DNS name resolution. +Force IPv6 name resolution. This option must not appear in combination with any of the following options: ipv4. .sp -Force DNS resolution of following host names on the command line +Force resolution of following host names on the command line to the IPv6 namespace. .It Fl c Ar cmd , Fl \-command Ns = Ns Ar cmd run a command and exit. @@ -880,7 +951,7 @@ commands read from the standard input. numeric host addresses. .sp Output all host addresses in dotted\-quad numeric format rather than -converting to the canonical host names. +converting to the canonical host names. .It Fl \-old\-rv Always output status line with readvar. .sp diff --git a/usr.sbin/ntp/doc/sntp.8 b/usr.sbin/ntp/doc/sntp.8 index 238fab7..813bcdd 100644 --- a/usr.sbin/ntp/doc/sntp.8 +++ b/usr.sbin/ntp/doc/sntp.8 @@ -1,11 +1,11 @@ -.Dd March 21 2017 +.Dd February 27 2018 .Dt SNTP 8 User Commands .Os .\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc) .\" .\" $FreeBSD$ .\" -.\" It has been AutoGen-ed March 21, 2017 at 10:36:52 AM by AutoGen 5.18.5 +.\" It has been AutoGen-ed February 27, 2018 at 05:13:14 PM by AutoGen 5.18.5 .\" From the definitions sntp-opts.def .\" and the template file agmdoc-cmd.tpl .Sh NAME @@ -140,6 +140,11 @@ responses received from servers. If the file does not exist, a warning message will be displayed. The file will not be created. .It Fl k Ar file\-name , Fl \-keyfile Ns = Ns Ar file\-name Look in this file for the key specified with \fB\-a\fP. +The default +.Ar file\-name +for this option is: +.ti +4 + /etc/ntp.keys .sp This option specifies the keyfile. \fBsntp\fP will search for the key specified with \fB\-a\fP diff --git a/usr.sbin/ntp/ntp-keygen/Makefile b/usr.sbin/ntp/ntp-keygen/Makefile index e285fe4..923ff42b 100644 --- a/usr.sbin/ntp/ntp-keygen/Makefile +++ b/usr.sbin/ntp/ntp-keygen/Makefile @@ -20,7 +20,7 @@ CFLAGS+= -I${SRCTOP}/contrib/ntp/include \ -I${.CURDIR}/lib/libc/${MACHINE_ARCH} \ -I${.CURDIR:H} -LIBADD+= ntp opts pthread +LIBADD+= m ntp opts pthread .if ${MK_OPENSSL} != "no" LIBADD+= crypto diff --git a/usr.sbin/ntp/ntptime/Makefile b/usr.sbin/ntp/ntptime/Makefile index 9f5ae36..1111434 100644 --- a/usr.sbin/ntp/ntptime/Makefile +++ b/usr.sbin/ntp/ntptime/Makefile @@ -11,6 +11,6 @@ CFLAGS+= -I${SRCTOP}/contrib/ntp/include \ -I${SRCTOP}/contrib/ntp/lib/isc/pthreads/include \ -I${.CURDIR:H} -LIBADD= ntp pthread +LIBADD= m ntp pthread .include <bsd.prog.mk> diff --git a/usr.sbin/ntp/scripts/mkver b/usr.sbin/ntp/scripts/mkver index 7c6a8d2..40e22f6 100755 --- a/usr.sbin/ntp/scripts/mkver +++ b/usr.sbin/ntp/scripts/mkver @@ -6,7 +6,7 @@ PROG=${1-UNKNOWN} ConfStr="$PROG" -ConfStr="$ConfStr 4.2.8p10" +ConfStr="$ConfStr 4.2.8p11" case "$CSET" in '') ;; |
