Testing
Does anybody test our code on Apple? Solaris? Does anybody use any of the fancy interface logic? It's available both via the command line and the config file.

--
These are my opinions. I hate spam.

___
devel mailing list
devel@ntpsec.org
https://lists.ntpsec.org/mailman/listinfo/devel
Is anybody using/testing the interface options?
There is an option in the config file and more on the command line.
Re: Hack for monitoring NTP servers
James Browning said:
> If you were thinking of adding way too many servers you might want to replace
> the bubble sort around lines 1709-1728 of ntp_proto.c

That code is only sorting the servers that get used. Anything with noselect got tossed back at line 1619.

    if (peer_unfit(peer)) {
        continue;
Crappy testing
If you use the extra port stuff I pushed last night, port 123 stops working. Ugh, blush. I usually do better than that.
extra port nnnn, nts port nnnn
I just pushed code that optionally listens on a second port. The NTS-KE server will tell the client to use that port. Requests going out will be from the new port. The idea is to bypass ISP filtering on port 123.

Testing encouraged. I've been testing with
    nts port 8123
Be sure to let traffic on that port through your firewall.

I'm pretty sure I didn't break anything if you don't use this feature. It hasn't been tested with ethernets that get unplugged and plugged back in or wifi that comes and goes or laptops going to sleep...

We should tweak the code so that
    server foo.example.com:8123
does the obvious thing.
CI is broken
I just pushed some code. The CI stuff sent me a Failed pipeline message.

    ERROR: Job failed: failed to pull image "registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v16.11.0" with specified policies [always]: Error response from daemon: manifest for registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v16.11.0 not found: manifest unknown: manifest unknown (manager.go:250:0s)

https://gitlab.com/NTPsec/ntpsec/-/jobs/6619973110/raw

There are 9 copies that looked the same to me.
Hack for monitoring NTP servers
If somebody feels like hacking, something like this should be fun.

The idea is to set up an ntpd server watching the servers you want to monitor. (noselect on the server line does that.) The new code is a program that watches that server to see if the servers to be monitored are responding correctly and sends you email if they aren't.
Re: What next?
James Browning said:
>> I think we should split ntpd into several independent programs.
>> More in another message.
> I gave up on that notion; I lacked the patience to do it.

I think we can take small steps. Or at least some of them.

> Yeah, the IETF NTP WG shot down the notion of NTP alternative port.

It wasn't the NTP WG -- they had a draft RFC ready to go. The group that vetoed it was the group in charge of rationing port assignments.

[testing config file]
> I think somewhere in the middle might be a program that takes config files
> and dumps them into some format that is easy to eyeball and machine parse.

Internally, there is a parse tree. But it doesn't contain the comments. I'm not interested in that, but if you want to work on it, it might be a useful utility.

[testing FIPS]
> None of the CI runners support FIPS140-2 at the moment. I don't know how to
> make them either.

There is a HOWTO-OpenSSL that tells you how to build OpenSSL from source. Adding enable-fips to the configure step builds/tests/installs the FIPS library too. The recent FIPS discussion has a recipe for getting libssl to use it. I haven't tried that step yet.

>> I'd like a script that checks the certificates. When do they expire?
> That sounds like a simple wrapper around 'openssl x509' would work.

I think it will be something simple like that after we do it. I've poked around a few times but never ended up with anything clean. The openssl command has a blizzard of options.

This just got more important for me. I fatfingered renewing a certificate and a KE server stopped working. [I did the certbot step but forgot to copy the new cert/key over to /etc/ntp/.]
Re: What next?
(I found some more notes...)

We should test the config file stuff to see that all the options at least get past the parser. Better would be to actually run the code.

We should check FIPS mode. Do any of the CI options include FIPS? I got halfway there by building OpenSSL to include FIPS mode but I haven't made the config file to use it.

I'd like a script that checks the certificates. When do they expire?

I'd like a script that finds out who signed a certificate and pokes around in my local certificate collection and tells me a filename so I can add that to a server line in the config file. The idea is to make sure that we are using the right root-cert rather than one from a CA that was arm twisted by your local repressive govt or broken into by the KGB or NSA.

I'd like some code that goes through the NTS-KE dance and prints the answer. Extra credit if it can request various options.
Splitting ntpd
Here are the chunks I have in mind:
  NTP server
  NTS-KE server
  NTP/NTS client
  refclocks
  monitoring/ntpq

I have debugged the lockclock mode so we now have a stand-alone NTP server. It gets the error data from the kernel. (Or can/should. I haven't checked that code.) As just a server, ntpd is horribly bloated, but it's enough of a proof of concept that we can play with it.

The NTS-KE server needs to cooperate with the NTP server to get cookies. That's easy if they are co-packaged. If we split them up, the KE server can read the cookie file and we can scp that to other machines. It may be cleaner to split them when we get to paying attention to DoS-ing.

The key idea with the client side is to use threads. Each thread would use its own socket. Nobody would be listening on port 123. That will take a lot of work.

I haven't thought much about splitting out refclocks. I assume they should use Unix sockets to talk to the client. We need some way for monitoring/debugging code to watch. Maybe the data goes in shared memory too. Or maybe the refclock opens several sockets.

For monitoring/ntpq, I think we can use shared memory. They would be read-only by ntpq. I picture ntpq running in two modes. For starters, it looks directly into shared memory and only works when run on the target machine. Then we split it into two parts connected via the network.

I want a simple and reliable way to update this area. It's going to take at least 2 edits. One to define the counter and one to bump it. I picture a text file that gets translated into the structs for the code and also for the table that ntpq needs.

It isn't really part of splitting ntpd, but I think a clean sntp client will fit into this collection.
What next?
Is anybody thinking about what we should be doing? Here is my list:

Port to Windows
  Does anybody know anything about Windows? Is there a decent POSIX environment? How well does waf work on Windows? We can get the magic code from ntp-classic.

I think we should split ntpd into several independent programs. More in another message.

I think we need a good SNTP client. Something like the old ntpdate. I'm looking for a clean example. This would be a good opportunity to experiment with Go and/or Rust.

Getting off the ground. There is a chicken-egg problem with getting started when using NTS. TLS needs the time to check certificates. I think we can do something like skip the date part of certificate checking, then come back and see if the certificates pass the date-check after we have a candidate date.

Alternate port for use with NTS. There is a lot of blocking/filtering on port 123. NTS-KE includes specifying the port to use. We should be able to listen on another port too. I haven't looked carefully. This feels like medium complexity.
FreeBSD is phasing out support for 32 bit systems
Future of 32-bit platform support in FreeBSD

  FreeBSD is deprecating 32-bit platforms over the next couple of major releases. We anticipate FreeBSD 15.0 will not include the armv6, i386, and powerpc platforms, and FreeBSD 16.0 will not include armv7. Support for executing 32-bit binaries on 64-bit kernels will be retained through at least the lifetime of the stable/16 branch if not longer. (There is currently no plan to remove support for 32-bit binaries on 64-bit kernels.)

Whole thing:
https://lists.freebsd.org/archives/freebsd-announce/2024-February/000117.html
FYI: Dave Mills has passed away
On Thu, Jan 18, 2024 at 08:35:14PM -0500, vinton cerf via Internet-history wrote:
> His daughter, Leigh, just sent me the news that Dave passed away peacefully
> on January 17, 2024. He was such an iconic element of the early Internet.
> Network Time Protocol, the Fuzzball routers of the early NSFNET, INARG
> taskforce lead, COMSAT Labs and University of Delaware and so much more.
>
> R.I.P.
> vint
> --
> Internet-history mailing list
> internet-hist...@elists.isoc.org
> https://elists.isoc.org/mailman/listinfo/internet-history
Re: Addressing the Python 2, AsciiDoc classic, and AsciiDoc 3 tangle
I have no strong opinions on this area. I won't grumble if our doc stuff doesn't build on Python2 as long as we have a copy of the doc on the web. Or somebody who really wants their own can build it on a more modern system and copy the files over.
Re: NTPsec 1.2.3 released
Fred Wright said:
[context is my reply to the released message.]
> For some reason the antecedent to this message wasn't sent to the list,
> though I'd noticed the release by checking the repo.

My copy was sent to:
  Subject: NTPsec 1.2.3 released
  From: Matthew Selsky via announce
  Date: Sun, 31 Dec 2023 06:50:59 + (Sat 22:50 PST)
  To: , ,

I'm on all 3 lists but only got one copy to announce. It's in the announce archives, but not users or devel.
Re: NTPsec 1.2.3 released
Thanks. And thanks to all who contributed and tested.
Re: Regression in OpenBSD
>> Please say more about your Mac patches?
> The patches come in two categories:
> Fallback for missing clock_gettime() and clock_settime().

My copy of OpenBSD 7.4 has clock_gettime() and clock_settime(). So we can take the first step without changing that area.

The timex stuff will be a bit more complicated. They have something to set the drift. I forget what it is called. What ntp_adjtime() does is kick the drift by 500 PPM for as long as it takes to make the target adjustment. We can fake that. It won't be as good as doing it in the kernel. It will be fun to measure.
Re: Regression in OpenBSD
Let's put that stuff on the back burner until the release is out.

> Ntpsec doesn't fully support OpenBSD anyway, due to the lack of "timex"
> (though my Mac patches fix that), and the fact that OpenBSD provides
> LibreSSL rather than OpenSSL, but the 1.2.2a "Mac" version did build with
> --disable-nts.

Please say more about your Mac patches? Does ntpd work?
Re: Missing clockwork
James said:
> It sounds like a race condition in our wscript files or waf. How willing are
> you to sink time into this, I think it's a losing proposition.

I've got a --jobs=1 in my script. That was added to make sure the printout was easy to read when there were compiler errors.

I'm willing to invest some time on this but I don't have any ideas on what to do.

Note that it was building 3 copies of clockwork
  [ 1/137] Compiling libntp/clockwork.c
  [ 2/137] Compiling libaes_siv/aes_siv.c
  [ 3/137] Compiling libntp/clockwork.c
  [ 4/137] Compiling libntp/clockwork.c

I only expect 2
  ./test-classic/main/libntp/clockwork.c.2.o
  ./test-doc/main/libntp/clockwork.c.1.o
  ./test-doc/main/libntp/clockwork.c.2.o
  ./libntp/clockwork.c
Missing clockwork
Anybody recognize this? I've seen a missing file once before. I think it was clockwork.?? It works if I try it again.

  Waf: Entering directory `/home/murray/ntpsec/raw/test-all/main'
  --- PYTHONPATH is not set, loading the Python ntp library may be troublesome ---
  [ 1/137] Compiling libntp/clockwork.c
  [ 2/137] Compiling libaes_siv/aes_siv.c
  [ 3/137] Compiling libntp/clockwork.c
  [ 4/137] Compiling libntp/clockwork.c
  [ 5/137] Compiling libntp/ntp_endian.c
  [ 6/137] Compiling libntp/macencrypt.c
  [ 7/137] Compiling libntp/isc_net.c
  [ 8/137] Compiling libntp/isc_interfaceiter.c
  [ 9/137] Compiling libntp/initnetwork.c
  [ 10/137] Compiling libntp/getopt.c
  [ 11/137] Compiling libntp/timespecops.c
  Waf: Leaving directory `/home/murray/ntpsec/raw/test-all/main'
  Build failed
   -> missing file: '/home/murray/ntpsec/raw/test-all/main/libntp/clockwork.c.1.o'

  [murray@hgm raw]$ find . -name clockwork*
  ./test-all/main/libntp/clockwork.c.1.o
  ./test-minimal/main/libntp/clockwork.c.1.o
  ./test-minimal/main/libntp/clockwork.c.2.o
  ./test-classic/main/libntp/clockwork.c.1.o
  ./test-classic/main/libntp/clockwork.c.2.o
  ./test-doc/main/libntp/clockwork.c.1.o
  ./test-doc/main/libntp/clockwork.c.2.o
  ./libntp/clockwork.c
  ./hgm/main/libntp/clockwork.c.1.o
  ./hgm/main/libntp/clockwork.c.2.o
  ./test-default/main/libntp/clockwork.c.1.o
  ./test-default/main/libntp/clockwork.c.2.o
Re: Release
Fred Wright said:
> I also stumbled across something (which may not be new) where it appears
> that if libaes_siv is installed as a system library, it's preferred over the
> bundled version. That probably doesn't change the actual behavior, but may
> lead to opportunistic builds.

That seems worth fixing. I don't think we should hold up the release unless somebody fixes it in the next day or two.
Re: Release
Fred Wright said:
> The main issue I've found is that the "struct var" in ntp_control.c, is
> relying on anonymous unions, which are a relatively new language feature.

That is my attempt at getting a sane procedure for adding slots to the table. The old scheme required coordinated edits in several places and there was no checking that you got them right.

> Turning the "p_" and "p2_" prefixes into names of the union instances seems
> fairly reasonable (e.g., "p_time" becomes "p.time"), but would require
> changing the initializers. I'd be willing to look into that if I'm not
> wasting my time.

I think I just fixed that. I'll push in a while after more local testing.

> There are also a bunch of warnings with some compilers, which might be worth
> looking at. They're often fairly easy to fix, and sometimes indicate actual
> problems.

Which compilers? Or rather which OS/distros?

Can we set things up so that the gitlab CI stuff tells us about warnings? James suggested adding the compiler flag that turns warnings into errors. That won't work on the old old version of Bison that has a missing default or something like that.
Re: Certificate geekery
Thanks.

> If that's a thing you want to do on your system, you can. IMHO, it's not
> something that we particularly need to promote, nor would I find it
> desirable operationally. If my NTP server changes their CA provider, then I
> won't be able to talk to them any more until I take manual action to adjust
> the pin.

I was assuming there would be a script that would do the work, say run as a cron job. Probably send you email so you can do the actual edit.

> Yes, that's how the CA ecosystem works. That is absolutely a threat. Keep in
> mind that if a CA gets caught doing that, they will get the CA death
> penalty, ending their money printing business.

Some CAs are run by governments. That area gets messy.

There was a news item recently (month or 3??) about a Russian social media server located in a German cloud provider that got MITM-ed. The bad guys got a Let's Encrypt certificate. They could do that by just stealing the IP Address for a few minutes which only takes one insider at the hosting service.
  Researchers Uncover Wiretapping of XMPP-Based Instant Messaging Service
  https://thehackernews.com/2023/10/researchers-uncover-wiretapping-of-xmpp.html

I can't tell how paranoid to be. It would be nice if we didn't depend on all the root certificates.
Re: What does gitlab's "Successful pipeline" mean?
James said:
> Maybe we should add -Werror or such to CFLAGS.

Sounds like a good idea to me.
What does gitlab's "Successful pipeline" mean?
Does that mean no warnings? If not, how are we expected to learn about code that generates warnings on obscure systems?
Any Coverity wizards?
I expect the comment on the previous line to tell Coverity to not complain about this case. Is there a typo or such that I'm missing?

    /* coverity[checked_return] */
  CID 462307 (#1 of 1): Unchecked return value (CHECKED_RETURN)
  15. check_return: Calling CMAC_Update without checking return value (as is done elsewhere 5 out of 6 times).
    CMAC_Update(cmac_ctx, data, (unsigned int)datalen);
Re: Release
> I'll aim to release ~15-Dec-2023

Sounds good. Thanks.

> I'm thinking about AES becoming the new default for ntpq, etc.

I got a few a day or so ago. I missed that one. I'll get it tonight.
Re: How does the parser work?
James said:
> The host phase of Waf build generates tablegen which in turn generates
> keywords.h IIRC. I have no idea how the internals work.

I took a look at the code. It looks like there are 2 tables of keywords, one in ntp_keyword.h (built by keyword-gen) and another in ntp_parser.y. Because the tokens in each table look so similar, my brain jumped to the conclusion that they were parallel. Wrong. The values of the corresponding tokens are different. I don't know how the values from the keyword table get translated into parser values. The parser table also has a few extra entries like integer and string.

keyword.h is more than just a list of keywords. It's also a table/tree of steps along the way of recognizing a keyword:

    S_ST( 's',3, 675, 422 ), /* 674 tru */
    S_ST( 't',3, 676, 0 ), /* 675 trus */
    S_ST( 'e',3, 677, 0 ), /* 676 trust */
    S_ST( 'd',3, 678, 0 ), /* 677 truste*/
    S_ST( 'k',3, 679, 0 ), /* 678 trusted */
    S_ST( 'e',3, 423, 0 ), /* 679 trustedk */

Anyway, I think extra "keywords" in the parser table are just useless. The parser will never get there because the keyword table doesn't know about them.

When we run out of better things to do, we should make a config file that uses all the keywords so we can make sure they work and are all useful.
How does the parser work?
ntp_parser.y contains:
    %token T_Tinker
    %token T_Tlsciphers
    %token T_Tlsciphersuites

I'd expect those tokens to come from the keywords header file. But tlsciphers isn't in the keyword list. tlsciphersuites is in the list.
Asciidoc question
What does the $$ after the +age+ do?

  |+year+|One generation file element is generated per year. The filename suffix consists of a dot and a 4 digit year number.
  |+age+$$ |This type of file generation sets changes to a new element of the file set every 24 hours of server operation. The filename
Re: Release
Gary said:
> DO you have an account on: https://scan.coverity.com/
> If so, I think I can add you to the project.

Thanks. I think it worked.

How does their stuff work? How often do they check NTPsec? Or what should I be asking? How much mail should I expect? ...

There are 3 Coverity quirks. I'll go fix the filegen one. Should I push the fix? That will require more testing.
Re: Release
Gary said:
> Uh, not quite. Check the Coverity stuff.

How do I do that? I'd expect something to send me email but I don't remember anything about Coverity.
Certificate geekery
I'm working on devel-TODO-NTS. (mostly deleting things)

Currently, if a bad guy hacks or arm-twists a certificate authority, they can sign a certificate that the bad guy can use for a MITM attack. We can make that a lot harder if we look up the current root certificate that a server is currently using, find that certificate in a system's root cert collection, and add a ca xxx to the server line.

That doesn't take any changes to ntpd. It needs some script hacking. I think the openssl command can handle much of the details.

Is that called pinning? If not, is there a term for it? Wiki has a page for a related proposal:
https://en.wikipedia.org/wiki/Certificate_pinning

Is this interesting? Anybody interested in writing that script?

--
There is another tangle with verifying certificates. OCSP Is that interesting?
https://en.wikipedia.org/wiki/OCSP
Release
I think you should release what we have as soon as it is convenient. There are many more things I would like to include but we aren't making much progress so it's time to do it.
Re: [Git][NTPsec/ntpsec][master] Fix mode 6 client to round up to 4 bytes (was 8)
> Does the comment on line 880 also need to be updated?

Good catch. Thanks.
Documentation tangle
We have a mix of man pages and web pages. I think all the man pages have a web version generated from the same source. There are some/many web pages without the corresponding man page.

Debian includes the web pages in ntpsec-doc

Fedora doesn't have a separate doc package for ntpsec. Their ntpsec package includes the man pages but not the web pages.

I haven't checked what FreeBSD does.

What should we do if a man page wants to refer to a html only page?
Re: I/we need a lesson in git and/or gitlab and/or merge requests
Fred Wright said:
> In general, it's a good idea to read an actual book on git, rather than
> trying to understand it purely through manpages. The one I used (almost a
> decade ago) is this one:
> https://www.amazon.com/gp/product/1449316387/

Thanks. I like books. There is a 3rd edition out now.
SHA1 or SHA-1?
I'm looking into making our documentation consistent.

NIST and Wikipedia use SHA-1. Ages ago, ntpkeygen used SHA1. OpenSSL seems to prefer SHA1, but it has an alias for SHA-1.

To list the digests:
  openssl dgst -list
I/we need a lesson in git and/or gitlab and/or merge requests
Merge requests seem reasonable if all goes well. My work flow is roughly:
  download the patch (URL plus ".patch")
  scan it
  maybe apply and test
  approve and merge

But things go downhill if I don't like something. What I get from James is an update to the MR, a patch to the patch. That makes reading/checking the patch harder and clutters up the git log. What if I don't like the description of a patch?

Merge has an option to reduce all the patches to one. But often that isn't appropriate.

git works so well for most things. I think I/we are missing something in the workflow. Should we be throwing away merges and making new ones rather than patching them? How do I backup a bunch of commits that turned into a MR so I can make them better and try again?

I'm on a list or two where patches are distributed via email. git has several commands for that. Iterations usually have a v1 v2 ... as part of the Subject. Often individual parts will be approved. It's a lot of clutter in the email stream but the discussion gets archived in email rather than hidden over in a MR.

Is there a way in gitlab to approve only one of the patches rather than all of them? I think I could do that by downloading the patch which is several email messages, editing out the one I want... Again, if that was the right thing to be doing, I'd expect git to support it which it probably does if you use their email mode.
Re: Time for a release?
Is updating PIVOT.h on your checklist and/or should I update it now while I/we think of it?
Re: Time for a release?
> What sort of testing did you have in mind?

Nothing in particular. We haven't had a release in a while so I hope everybody will run git head and keep an eye out for glitches, make sure their favorite toys work as expected, double check log files, etc...

> Any specific doc cleanup?

Our doc always seems to need work. On my list was making sure it mentioned mssntpinfo. When I took a quick look at the man page, I got distracted with multicast/broadcast stuff.

> Here are the open issues that caught my eye:
> https://gitlab.com/NTPsec/ntpsec/-/issues/806

I think we should fix that. Or at least try. It sounds like a bug in ntp_control. I just tried rv xxx for some xxx that was a reasonable assid. It didn't print any garbage. Anybody got a handy test case?

Looking at the code... It fills a buffer with 8 " %.2f", then calls the routine that prints that as name=value. That won't work with spaces in there -- well, maybe it will, but it depends on what the parser in ntpq does. I'd expect it to call the routine that prints it as name="value". But I don't know what ntpq is doing... We should print that stuff in a nice table.

> https://gitlab.com/NTPsec/ntpsec/-/issues/802 (is this resolved with our
> latest FIPS changes, and do we have an environment to test it?)

I think it is fixed. I don't think we have any way to test it. Google says maybe we can get CentOS into FIPS mode, but maybe that only works for a particular version of CentOS...

> Are we able to use our ntpq to probe *cast fields on other
> ntp daemons that support it? If so, leave it in.

If you point ntpq -p at a Mills/classic box, it might be configured with a *cast slot or a peer slot. If so, our ntpq would print something in the t column that you can't get from our servers. Plan 1 is to move the stuff I don't like to a footnote. Plan 2 is to fix the codes in the t column to be sensible for our use. The old use is "s" for symmetric (aka peer) and "u" for unicast (aka normal server). I'd like to see "s" for server and "p" for a pool host. (That would make the footnote a bit bigger.) But "p" is already used for the pool slot. We could change that to P or people could notice the POOL in the refid slot.
Time for a release?
The last time this was suggested, I encouraged waiting until we fixed mssntp. Well, I think we have it fixed but we haven't found anybody to test it. So I think it's time to get ready for a release. Time for lots of testing. And documentation checking/cleanup.

Does anybody have any features that should or must go in or bugs we should fix? (I haven't looked through issues yet.)

What is the policy on ntpq documentation? We have tuned the code for use with our version of ntpd, but it still mostly(?) talks to the old Mills/classic version. I noticed lots of references to multicast and broadcast in the man page. We removed the code that supported that stuff ages ago. The *cast references are now clutter if you are interested in our code, but might be relevant if you are looking at an old old system. Should we leave the *cast documentation in or clean it out?

I have 3 hacks that were used to debug talking to Samba. Is a subdir under attic a reasonable place for them?
Re: What's magic about /tmp/? ntpd can't find UNIX socket
Found it. systemd sets up separate /tmp for some services.

Features/ServicesPrivateTmp
https://fedoraproject.org/wiki/Features/ServicesPrivateTmp
  Run some services started by systemd with a private /tmp directory. This would mitigate the chance of a service making a mistake with how it handles its /tmp data allowing a user on the system to get a privilege escalation, since users would not have access to the services /tmp directory.

Poking around finds these:
  /var/tmp/systemd-private-2c3b3b4c2ab247d6818605b23cd9d8a8-ntpd.service-oWq0lA/tmp
  /tmp/systemd-private-2c3b3b4c2ab247d6818605b23cd9d8a8-ntpd.service-2VABCf/tmp
Both are empty.
Re: What's magic about /tmp/? ntpd can't find UNIX socket
matthew.sel...@twosigma.com said:
> Are you running ntpd with --jaildir (or -i) or some chroot-like
> functionality?
Not that I know of.
Oct 18 23:17:42 hgm ntpd[16099]: INIT: Command line: /usr/local/sbin/ntpd -g -N -u ntp:ntp
But systemd might be doing something like that without telling me and/or it is telling me but I don't know where to look.
Re: What's magic about /tmp/? ntpd can't find UNIX socket
Gary said:
> Notice the "nodev"?
> From "man chmod":
> nodev
> Do not interpret character or block special devices on the
> filesystem.
It works fine from my test program. What's different about ntpd? Is a UNIX socket (fifo?) a special device? When I see "device", I think of the stuff in /dev/
Re: What's magic about /tmp/? ntpd can't find UNIX socket
devel@ntpsec.org said:
> Can you provide:
> ~ $ ls -ld /tmp
drwxrwxrwt 12 root root 580 Oct 19 11:00 /tmp
srwxrwxrwx 1 murray murray 0 Oct 18 20:51 /tmp/fake-samba-socket/socket
drwxrwxrwx 2 ntp ntp 60 Oct 18 20:51 /tmp/fake-samba-socket/
drwxrwxrwt 19 root root 500 Oct 19 13:19 /tmp/
Changing the owner to ntp didn't make any difference.
> And:
> ~ $ mount | fgrep /tmp
tmpfs on /tmp type tmpfs (rw,nosuid,relatime,size=2097152k)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,nr_inodes=1048576,inode64)
We may be shooting ourselves in the foot. There is a lot of stuff in ntp_sandbox. When we droproot, we retain privs for setting the clock. Is there a priv for accessing /tmp/? I just scanned the list in the capabilities(7) man page and didn't see anything but I could easily have missed something.
Re: What's magic about /tmp/? ntpd can't find UNIX socket
matthew.sel...@twosigma.com said:
> Are you using selinux or something that would prevent access to /tmp?
I have selinux=0 and audit=0 on the kernel command line. What sort of rule would keep ntpd from seeing /tmp/ and where would that sort of rule live? Is this something from systemd?
What's magic about /tmp/? ntpd can't find UNIX socket
I'm working on MS-SNTP. I have some hack programs that should help exercise all the code. [We should have done this ages ago.] I put James's patches into my server and tweaked the config. I put the samba socket in /tmp/. ntpd couldn't see it. My test programs work fine.
18 Oct 20:52:00 ntpd[5671]: SIGND: can not connect socket '/tmp/fake-samba-socket/socket': No such file or directory
What's magic about ntpd and /tmp/? I'm running on Fedora. It works when I move the socket to /home/murray/, but I was trying to keep my name out of it so somebody else could run my hacks without any edits.
Re: Too many merge requests
James said:
> MR 1333 should address the issue where every response in an mssntp-restricted
> subnet gets lost in ntp_signd.
Is there any reason to approve it now when we don't know if it works yet? Are all the changes inside an #ifdef? (and thus unlikely to break normal operations)
> MR 1331 addresses several issues with ntpdig and MAC handling.
I hate big python programs. It would be nice if somebody else took a look at that one.
> MR 1325 holds lost patches.
What does "lost patches" mean? If they are useful, it will be much easier to approve them if they are split up -- one problem will hold up the whole collection.
Re: mssntp option breaking time service: tester(s) wanted
Google found this:
[MS-SNTP]: Network Time Protocol (NTP) Authentication Extensions
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-sntp/8106cb73-ab3a-4542-8bc8-784dd32031cc
Which links to:
[MS-SNTP]: Network Time Protocol (NTP) Authentication Extensions
https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-SNTP/%5bMS-SNTP%5d.pdf
54 pages. It has lots of details, but I've only skimmed it.
Re: mssntp option breaking time service: tester(s) wanted
Does anybody have details on how MSSNTP signing works? If we can find that, we can write some POSIX code to test things. There is a link in ntpd/ntp_signd.c http://msdn.microsoft.com/en-us/library/cc212930.aspx But I didn't find anything interesting there. (Maybe my browser was filtering something.) We still need to test with real Windows at least once to make sure our test code does the right thing.
Re: I just pushed ntsstats and ntskestats
> After glancing at the tops and bottoms of some of the HTML docs, I think I
> have some issues to correct.
I think the last line of the man pages used to have the version number. I'm not seeing that now. Is that because I'm doing something special to get the date in the version string ( --build-desc=xxx to waf) or did that fall through the cracks somehow? (Or was it my imagination?)
Re: I just pushed ntsstats and ntskestats
> I am willing to break out some instant expert credentials on this until
> someone better shows up.
Thanks.
> I will take a look at it. Would you like a single or double-line 'box'
I have a slight preference for double, but it doesn't really matter. I've seen some examples with double on the left bar and single on the top/bottom. That was probably the web version.
--
I thought I sent in an Issue but can't find it... Please check the bottom few lines on the man pages. At least one of them didn't get updated to use our trailer stuff and still has the Mills version.
I just pushed ntsstats and ntskestats
There was a request for ntpviz to show NTS traffic. We now have the log files to make that possible. Any documentation wizards? Please look at the indentation around the info for the *stats options in both the man page for ntp.conf and the html pages for ntp_conf and monopt. The web pages have a box around the sample lines for the log file. That's missing from the man pages.
Testing -4 and -6
Does anybody have a recipe (or pointer to one) for how to get a system running without any IPv6? I want something such that isc_net_probeipv6_bool() will return false. Do we have to build our own kernel with some config variable turned off? Or will just not configuring any IPv6 interfaces be good enough? Same for IPv4. The code for isc_net_probeipv6_bool is slightly different from that for isc_net_probeipv4_bool. I didn't go down that rathole. It looks like somebody may be assuming that some or all of IPv4 always exists.
Tangle with -4 and -6
-4 and -6 work on the server line in ntp.conf but are not documented. -4/ipv4 and -6/ipv6 "work" on the command line, but they don't do what the documentation says. The man page says: Force DNS resolution of following host names on the command line to the IPv4 namespace. What they do is turn off setting up sockets for the other protocol. I'm not sure what the NTS server does if, say, the system doesn't support IPv6 when it tries to listen on an IPv6 address.
--
The network side sets up two flags: ipv4_works and ipv6_works. The command line -4 and -6 flags turn off the other _works flag. I wrote the DNS code for both server/pool and NTS. I don't remember how the -4/-6 options work (and a quick look didn't refresh my memory). I don't remember ever checking the above flags or thinking about doing it. Note that there are 2 DNS lookups on the NTS path, one for the NTS-KE server and another if the server returns a name/address rather than using the default of the same address as was used for the NTS-KE lookup. I'm pretty sure the command line processing doesn't do any DNS lookups. It roughly adds a server line, and does a DNS lookup with the constant-only (no net traffic) flag so that slot won't get delayed behind a real DNS lookup that is slow.
--
I think we should clean up this area. That includes:
Making sure DNS lookups don't use an address for a disabled protocol.
Add enable/disable -4/ipv4 -6/ipv6 to ntp.conf
Note that these will have a backwards meaning from the -4 on the command line. -4 on the command line <=> disable -6
Does this make sense? Am I missing anything? This will take a lot of testing. We should move the command line code in config_peers that checks for a numeric address to the main processing loop.
Windows time scrambling (from the TZ list)
"Windows feature that resets system clocks based on random data is wreaking havoc."
https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/
Re: Go GC
Gary said:
> Avoiding creating garbage is hard.
In general, yes. But the inner loop of the server side is not very complicated. The APIs that I'm looking at are read-into-my-buffer rather than return a new buffer that needs to be GCed. I think it's worth some effort to investigate this area. I'm prepared to give up if we find a fatal problem. Again, I'm assuming that we split ntpd into client and server parts so all we have to work on is the server half.
Go GC
Gary said:
> James Browning via devel wrote:
>> It would appear there is a way to turn off GC under runtime/,
> How? Link?
https://pkg.go.dev/runtime/debug#SetGCPercent
It's not clear to me how to take advantage of that. You still have to turn it on occasionally or your world will fill up with garbage.

I poked around a bit. I'm pretty sure that we can write a server that doesn't generate any garbage when processing a normal client request. The APIs for recvmsg/sendto don't allocate anything. If we split ntpd into client side and server side, I think we can write the server code such that the GC never runs. Or maybe never needs to run and we have to explicitly tell it not to bother trying. Logging stuff would probably generate garbage. The server side doesn't need to do that.

Gary said:
> Hal said:
>> There are lots of ways to inject timing bumps before we get to
>> garbage collecting. cache, scheduler, interrupts, CPU speed, ...
> Any that work?
What do you mean by "work"? I don't know how to avoid any of the above. Note that there are 2 levels of interrupt. The firmware steals a few cycles every now and then for things that it doesn't trust the OS to get right. The main example is checking the temperature and turning the CPU clock down if things are too hot. Then there are interrupts that get passed to the OS. You can fight that somewhat by manually assigning work to CPUs. But the scheduler still has to run occasionally and if your workload doesn't use the whole CPU, that CPU is likely to slow down when you are waiting for work.

I did a bit of hacking with attic/clocks.c. On this machine, the average time to read the clock is 13 ns. Within a burst of a million samples, there are usually a few in the 10-15 microsecond range. Occasionally, there is something in the 60-70 microseconds range. They are rare enough that it's easy to miss one in a million sample pairs of reading the clock. Slowest from each batch of 100...
11331 18540 11282 11341 11306 11311 11307 11316 11307 11322 16188 14920 11322 11293 13337 13025 32270 11352 21706 11313 32463 22764 11812 11308 11319 60664 11301 14530 20428 11319 14973 11308 11287 14181 13127 11320 11298 11312 12053 15081 17762 17329 11279 12430 11299 16946 14470 14745 13816 11323
Slowest was 60664

Histogram: CLOCK_REALTIME, 1 ns per bucket, 100 samples.
   ns    hits
   10    6646
   11  124028
   12  410522
   13  229036
   14  177996
   15   48724
   16     259
   17     535
   18    1430
   19     585
   20      70
   21      24
   22      14
   23      13
   24      10
59 samples were bigger than 24.

Histogram: CLOCK_REALTIME, 250 ns per bucket, 100 samples.
    ns  hits
     0    49
  2250     2
  3250     1
  3500     3
  3750     3
  4000     1
  8250     1
  8500     1
  8750    20
  9000     1
  9250     1
 10250     1
 11000     9
 11250     4
 13250     1
2 samples were bigger than 13250.
Slowest was 14424.
Re: Is python2 dead?
Gary said:
> Please, no. Go is a garbage collected language. Just what NTPsec does not
> need, random, unpredictable delays.
I was thinking of the Python code in ntpclients/ and pylib/ Is there anything in there that is time sensitive? There are lots of ways to inject timing bumps before we get to garbage collecting. cache, scheduler, interrupts, CPU speed, ... Do you have any data on Go GC times?
Re: Is python2 dead?
Thanks. Maybe it's time to switch to Go? How long would it take us to rewrite, from scratch, everything in ntpclients? I occasionally poke around in ntpq. I find it very hard to work with. I think the others are much simpler. Is the basic structure right? If we were starting from scratch, what would pylib look like?
Re: Is python2 dead?
Gary said:
> Let's try again in a year.
Sounds good to me.
Is python2 dead?
Really really dead? Or maybe just hiding in some dark corner? Should we drop support for python2 as part of the next release? Or announce in the next release that we will drop it as part of the following release?
Re: nts and ntske log files
> Expires February 2036 minus the current date
> is about 12 years and 5 months maybe ish...
The context is a duration of time rather than time of day, e.g. the result of sub_tspec(). How many seconds did it take to do X? The current date has nothing to do with it.
Re: nts and ntske log files
James Browning said:
> The NTP solution would be to convert the mess to l_fp which
> will work for a bit less than 13 years.
Thanks. l_fp is the right answer. How did you get 13 years? I get 136. Did you drop/typo the 6?
> My joke would be to have it as a long long of micro-seconds which would be
> good for hundreds of thousands of years.
l_fp has 32 bits of fraction. micro takes 20 bits. So using micro seconds would gain 12 bits. So that would be 557xxx years.
nts and ntske log files
I just pushed the first cut. No documentation yet. Like sysstats and usestats, ntsstats and ntskestats get logged every hour. If you look at the output from ntpq -c nts, the counters fall into two clumps, one for NTS and one for NTS-KE. All the counters get logged in the same order.

Should we add counters for IPv4 and IPv6? I think I'll merge the CPU usage. (getrusage provides separate user and system CPU slots)

There are 3 cases for the server side of NTS-KE:
OK: Worked
Failed: SSL got started but something didn't work (http?)
NoSSL: SSL didn't get started (telnet?)
I think I'll add wall/CPU counters for the no-SSL case.

Should we split things client/server rather than NTS/NTS-KE? With the current split, you can't get NTS packets per NTS-KE without looking in two separate files.

What's the right type/units for wall time and CPU time? The current code is double and seconds. That won't ever overflow, but some day in the far future a very busy KE server might drop low bits. We could solve that by using timespec. Should I switch to timespec now so we never have to think about this again? Can ntpq handle timespecs as elapsed times rather than time of day? ...

I'd like ntpq to display both the total and recent counters like sysstats does. The code that does hourly logging has to remember the totals when it prints things so it can subtract them off from the new totals next time. It's easy for me to return the old values but slightly inconvenient to do the subtract. How hard is it to do the subtract in ntpq?
Windows time confusion (long)
Windows feature that resets system clocks based on random data is wreaking havoc
https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/
Windows Secure Time Seeding resets clocks months or years off the correct time. That's 4 web pages of several screens each.

From the 3rd web page:
> Simen said he believes the STS design is based on a fundamental
> misinterpretation of the TLS specification. Microsoft's description of
> STS acknowledges that some SSL implementations don't put the current
> system time of the server in the ServerUnixTime field at all. Instead, these
> implementations--most notably the widely used OpenSSL code library
> starting in 2014--populate the field with random values. Microsoft's
> description goes on to say, "We have observed that most servers provide
> a fairly accurate value in this field and the rest provide random
> values."
> "The false assumption is that most SSL implementations return the server
> time," Simen said. "This was probably true in a Microsoft-only
> ecosystem back when they implemented it, but at that time [when STS was
> introduced], OpenSSL was already sending random data instead."

The background story continues over here:
[TLS] Let's remove gmt_unix_time from TLS
https://mailarchive.ietf.org/arch/msg/tls/_clS-TIIlZUcid_2S4WPej9iMWk/
(There are roughly 20 messages in that thread.)
Time was in there to provide some protection against broken random number sources. But it leaks enough information to help tracking which is a big no-no for things like TOR. That's from 2013.

OpenSSL has been using random since 1.0.1f [6 Jan 2014]
* Don't include gmt_unix_time in TLS server and client random values
Re: Release, project sleeping, and running down the clock.
James Browning said:
> If the project is sleeping, then you may as
> well cut the new release now.
I think we should do a normal release. That includes scanning the issues and merge requests. And lots of testing. I'm working on making a couple of new stats files for NTP packets using NTS and NTS-KE. That should enable fixing #795 (ntpviz) and provide data for thinking about #797 (TLS server priority bit). I think we should fix the mssntp hack or decide to rip it out.
> I would
> appreciate it if people commented on my merge
> requests 1331, 1333, and 1335.
1335:
sysstats are not resetting hourly when not logged to a file
ntp.poly.polychr() is broken on Python 2 (incorrectly reported as Python 3 on the ML)
./waf requires Python development headers when building no ntp.ntpc or Python w/ FFI ntp.ntpc
Minor text fixups in many Python files
9 tests/libntp/*y do not have pyshebang headers
6 test files, two wscript files, and ntp.agentx all lack SPDX licenses declarations
9 pylib files and 8 test files lack license attribution
wscript files in tests and pylib lack UTF-8 coding lines
That looks like 4 unrelated things in one MR. There is only one "approve" button. I'm interested in the first one, but not interested enough to try to dig it out from all the other stuff.
1333:
2403ed08 - 1 commit from branch NTPsec:master
18336fa1 - ms-sntp: works up to trying to connect to the socket.
5535c882 - ms-sntp: Add excessive logging.
Do we have a test setup yet? There was a lot of discussion a few weeks ago, but I don't remember seeing a recipe for one. Again, there is only one "approve" button and I'm not going to approve anything that says "excessive logging". If you need more info for debugging... There are several approaches.
1) Use the normal msyslog, but make sure it doesn't turn into a self-DoS. You can add some rate limiting.
2) You can use the DEBUG stuff. I've never been happy with that -- too much other printout to wade through.
3) You can add the msyslog stuff with an ifdef or if (0) that defaults to off. You edit the file and rebuild to turn on your extra printout. This seems to work well if you are likely to want the same printout in the future. You change a (0) to (1) rather than typing in the whole long line again.
1331:
ntpdig appends a new mac after each host dug
ntpdig can try to take the trusted attribute of a byte string.
the authenticator bits in ntp.packet do not truncate digests
I can't quite figure out what that means. Does it print something stupid? Crash? How would I test it? My head doesn't like python. I'd be happier if somebody else tested/approved this.
What does bison do with undefined tokens?
ntpd/ntp_parser.y has this line:
%token T_Timingstats
T_Timingstats is never defined. All the other similar tokens are defined in ntpd/keyword-gen.c
Re: NTPsec 1.2.2a released
Should that also go to users@ and devel@? What fraction of people on users or devel are also on announce?
Re: Old email on gitlab
Thanks Gary and Fred. I found it in ~/.gitconfig It would have taken me a long long long time to look there.
Old email on gitlab
git log on a fresh clone shows things like this:
Author: Hal Murray
Date: Tue Jul 4 15:16:47 2023 -0700
Squash warnings about not handled enumeration
I haven't used that email in ages. My profile has been updated. Mail from gitlab goes to the right place. Where is the other address stored and how do I fix it? All my updates are set up and tested locally, then pushed with git push which uses ssh. That directory was cloned ages ago. The old email address may be on my disk. A fresh clone has the old/wrong email in .git/logs/refs/remotes/origin/HEAD Is anybody familiar with this tangle?
Re: Warnings from unity
> That usually means there is no "default:" case in a switch.
OK, but where did the unity code come from and/or have we cloned it or are we tracking what they do? Or ...
Warnings from unity
Is anybody familiar with this area? Is this something I did? Or are others seeing the same problem? (I might have turned on some more-warnings flag, but I don't think so.)
../../tests/unity/unity.c:984:5: warning: enumeration value ‘UNITY_FLOAT_INVALID_TRAIT’ not handled in switch [-Wswitch-enum]
../../tests/unity/unity.c:1124:5: warning: enumeration value ‘UNITY_FLOAT_INVALID_TRAIT’ not handled in switch [-Wswitch-enum]
Speaking of warnings, some versions of OpenSSL and/or some compilers generate this:
/usr/local/ssl/include/openssl/ssl.h:1491:53: warning: cast discards "const" qualifier from pointer target type [-Wcast-qual]
I've looked into it a bit and don't understand what's going on. I think our code is OK. This is passing a string literal through a maze of macros. I've decided not to spend much time on this since it doesn't happen with newer OpenSSL and/or compilers.
Re: UnicodeDecodeError from tty.readline(), u-Blox 8
Gary said:
> Weird... Since ttyACM0 is USB, maybe a driver thing.
Yes, I'm using the USB port rather than the serial port. The question is: Which driver? Linux or U-Blox?
Re: UnicodeDecodeError from tty.readline(), u-Blox 8
Gary said:
> To open to read binary:
> tty = open("/dev/ttyACM0", "rb")
> The line will be binary. Getting just the NMEA out will be fun.
Thanks. That's what I needed. There is no problem getting just the NMEA. I'm using isASCII to detect the garbage cases. I get things like:
### Not ASCII 2023 Jun 3, 22:46:41 UTC ###
"$GLG\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd$GLGSV,3,3,11,87,43,333,,88,01,306,,90,13,029,*5A"
I get several bogus lines each day. I haven't seen anything other than 0xcd in the non-ASCII part.
UnicodeDecodeError from tty.readline(), u-Blox 8
Can somebody give me a lesson on this area? The code is:
    tty = open("/dev/ttyACM0")
    while True:
        line = tty.readline()
a) How do I read mostly ASCII without crashing when there is non-ASCII?
b) Why is a u-Blox LEA-M8T sending me non-ASCII crap? This is coming from the USB port. It's running in NMEA mode. I don't think I have sent it any commands.
Book: The Go Programming Language
By Alan L Donovan and Brian W Kernighan
350+ pages
In case you didn't notice, that's the K of K
I don't know anything about Go, yet, but I like books. This is a good one. I flipped around, reading a paragraph or a page or two. It feels good. Lots of examples. The text is easy to read and understand. It's probably too verbose if you know what you are looking for, for example what is the name of the thing that does xxx? I read all of chapter 9, Concurrency with Shared Variables. I think I know something about that area. It was always one step ahead of me. It covered many important cases that I wouldn't have thought to mention. I'm looking forward to reading more.
Re: ntpsec | mssntp in ntp.conf breaks time service to all clients (#785)
I took a scan at the code. It's pretty broken. It won't be a quick fix. Given how broken the code is, this seems to be the first time anybody has tried to use that feature. :) [If there were others, they didn't bother to tell anybody.]

Can we get a packet trace of a working example? I think we'll need a Windows box to generate the SNTP request. Either old/classic ntpd or a real DC should provide a good response.

I think we should write/collect a HOWTO setup and run a test environment. I assume that will have several sections:
Setup Samba as a DC
Build/setup ntpd to process MS-SNTP
Build/run some test code.
I'm willing to write some hack code to generate/check MS-SNTP requests. Does anybody know enough about Samba to write (or point us at) a minimal setup? All it needs to do is sign MS-SNTP requests.
Re: master broken on macos
> one is to append '||cat build/config.log' to lines 386 and 402 (ish) of
> .gitlab-ci.yml
Worked. Thanks.
err: ../../test.c:3:10: fatal error: 'openssl/opensslv.h' file not found
#include
master broken on macos
I merged James' latest version for printing out the OpenSSL version during configure. It barfs on macos.
https://gitlab.com/NTPsec/ntpsec/-/jobs/4105995926#L126
The log file says:
Checking for OpenSSL != 1.1.1a : yes
OpenSSL version :
The configuration failed
(complete log in /Users/gitlab/builds/NTPsec/ntpsec/build/config.log)
Cleaning up project directory and file based variables 00:00
ERROR: Job failed (system failure): exit status 2
How do I get to the "complete log"?
ntpq/mode6 cleanup
>> For a small project, I think we should make mode6/ntpq require the cookie on
>> everything but getting the cookie, and we should make sure that there is no
>> amplification when getting the cookie.
> That would break compatibility with ntpq from classic NTP.
There are 2 areas I'm interested in. First is to make sure there is no way to get amplification on reflection. I'm willing to break compatibility to get that. The second would be a big cleanup. I'd like to do something like split the current daemon into several parts, for example: server, client, refclocks, ntpq-server, NTS-KE server Splitting out ntpq-server would be a good start. Again, I'm willing, even expecting, to break compatibility.

Handwave, strawman... Using TCP rather than UDP avoids reflection problems. Most of ntpq would work fine if we put all the counter info in read-only SHM. We don't need a lock. The results may be slightly inconsistent. The mru list stuff won't work in simple read-only SHM, at least with the current approach of scanning the list in chronological order. It almost doesn't work as is. If the list is big enough to be interesting for busy servers, it takes a long time to scan it. Too long to be useful. Or maybe we should shift to SNMP. I hate that level of obfuscation, but if somebody likes it and is willing to run with it, I'll put things in SHM.

But suppose we scan it in physical order, and sort things out at the client? That also solves the problem of the current approach never finishing on a busy server because the data changes faster than it can be retrieved. The other tool in the mru area would be to log interesting stuff. But I haven't worked out a simple/clean version of "interesting".

Putting things in SHM introduces version control issues. I think they are not a problem as long as the stuff on the wire is text rather than offsets. Then all we have to keep in sync is the ntpq-server and ntp-server and ntp-client.
Re: Updated to-do list?
[Context is a multi-threaded Go echo server]

> I can manage to do that.

I'll send you the C code off list. Here is an outline of the big picture:

Linux and FreeBSD have a SO_REUSEPORT option. The idea is that you can open several sockets on the same port number. The kernel will hash on source IP address and source port. (so packets for a connection go to the same thread -- the thread can save state for a connection)

The main server thread sets up worker threads
Each worker thread opens a socket
The worker threads bump counters.
The main thread will read/collect and print the info.

The worker threads have an option to spin for N microseconds between recvfrom and sendto. The idea is to simulate crypto work.

The limiting factor on packet throughput is the kernel thread
That thread puts arriving packets on the right socket queue and wakes up a waiting thread if there is one
So larger packets reduce the load on the kernel thread for a given traffic load in bits/second (rather than packets/second).

Handwave... The CPU load for a NTP server is roughly constant in terms of bits/second. So you want to assign the kernel thread to one core (leaving the other hyperthread idle) and disable interrupt coalescing. Then fill up the rest of the CPUs on the chip with worker threads. It's roughly a microsecond per packet for the kernel thread, a microsecond each for recvfrom and sendto and (handwave) a microsecond for basic NTP server work.

Up a level...

There is a companion client side that runs several worker threads sending to the server. You can run it on multiple old/slow PCs to get enough traffic to saturate the target server. There is an option to send N extra packets, like ping -l. I call them "in flight". Things are setup assuming that no packets are lost. So you have to be sane on picking combinations of multiple clients and extra packets in flight.

Up another level...

I have some hackish scripts that
  fire up a server
  fire up several clients
  read/reset the server stats
  wait a bit
  read server stats
  print results
loop for various CPU load/delays or packet lengths

-- These are my opinions. I hate spam.
Re: Updated to-do list?
> Given that the things I have been turning in are not in the direction
> we are headed, what should I be working on? Other than trying to do a
> Golang port by myself, or revisiting the more than a-year-old list?

MR 1307 and/or 1309 is high on my list. I was hoping somebody else would be interested.

What's on your year old list?

For a small project, I think we should make mode6/ntpq require the cookie on everything but getting the cookie, and we should make sure that there is no amplification when getting the cookie.

How much do you know about Go? Can you write a multi-threaded echo server?

I have a collection of hacks for measuring performance of NTP servers. Down hill and with a tailwind, I can get 1,000,000 packets per second. I have C and Rust versions. It would be neat to try a Go version.

-- These are my opinions. I hate spam.
Anybody using seccomp? (MR 1316)
Or interested in it?

I gave up a long time ago. It was too fiddly.

James has split the list of syscalls out from a list built into the source (with a few ifdefs) to a text file. I think we will need a file for each libc/kernel cross each hardware. But I think that gets us the right syscalls. Or at least, a lot closer than the current setup which is everything that we have ever needed.

We can probably get the list by running ntpd under strace and feeding the output through a script. If nothing else, it will be an interesting experiment.

But I don't want to surprise anybody.

If nobody is using it, then it doesn't matter what the code does as long as it builds cleanly when not enabled. We can ship something and let people play. If we go this route, I think we should ship a set of files for each major distro. That may turn into a lot of work.

If somebody is using it, we need to find out what distro/hardware they are running on.

So, anybody interested?

-- These are my opinions. I hate spam.
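The "run ntpd under strace and feed the output through a script" step above, as an added Go example. It is not ntpsec code and not the syscall list file James split out; the layout of that file is not shown in this thread, so printing one syscall name per line is an assumption. The sample strace text is constructed for the example, not a real ntpd trace, and the names SyscallName, SyscallsFromStrace and SampleStrace are mine.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"regexp"
	"sort"
	"strings"
)

// syscallRe matches the head of one strace -f line: an optional "[pid N]"
// prefix, an optional -tt timestamp, then either "<... name resumed>" (the
// second half of a call interrupted by another thread) or "name(" (a call).
var syscallRe = regexp.MustCompile(
	`^(?:\[pid\s+\d+\]\s*)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?(?:<\.\.\.\s+(\w+)\s+resumed>|(\w+)\()`)

// SyscallName returns the syscall named on a strace line, or "" for signal
// markers ("--- SIGALRM ..."), exit markers ("+++ exited ...") and other noise.
func SyscallName(line string) string {
	m := syscallRe.FindStringSubmatch(line)
	if m == nil {
		return ""
	}
	if m[1] != "" {
		return m[1]
	}
	return m[2]
}

// SyscallsFromStrace reads strace output and returns the sorted, de-duplicated
// syscall names: the raw material for a seccomp allowlist. A call that was
// "<unfinished ...>" and later "resumed" is counted once.
func SyscallsFromStrace(r io.Reader) ([]string, error) {
	seen := map[string]bool{}
	sc := bufio.NewScanner(r)
	sc.Buffer(make([]byte, 1<<20), 1<<20) // strace lines with large buffers can be long
	for sc.Scan() {
		if name := SyscallName(sc.Text()); name != "" {
			seen[name] = true
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	names := make([]string, 0, len(seen))
	for name := range seen {
		names = append(names, name)
	}
	sort.Strings(names)
	return names, nil
}

// SampleStrace is constructed "strace -f -tt" style output, not a real ntpd trace.
const SampleStrace = `[pid 12345] 12:34:56.000100 socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC, IPPROTO_UDP) = 3
[pid 12345] 12:34:56.000200 bind(3, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
[pid 12345] 12:34:56.000300 clock_gettime(CLOCK_REALTIME, {tv_sec=1675313317, tv_nsec=123}) = 0
[pid 12346] 12:34:56.000400 recvmsg(3, <unfinished ...>
[pid 12345] 12:34:56.000500 adjtimex({modes=ADJ_OFFSET|ADJ_STATUS, offset=12, ...}) = 0
[pid 12346] 12:34:56.000600 <... recvmsg resumed>{msg_name={sa_family=AF_INET, ...}, msg_iovlen=1}, 0) = 48
[pid 12345] 12:34:56.000700 --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
12:34:56.000800 openat(AT_FDCWD, "/etc/ntp.conf", O_RDONLY|O_CLOEXEC) = 4
[pid 12346] 12:34:56.000900 +++ exited with 0 +++
`

func main() {
	names, err := SyscallsFromStrace(strings.NewReader(SampleStrace))
	if err != nil {
		panic(err)
	}
	// One name per line; the real allowlist file format is an assumption here.
	fmt.Println(strings.Join(names, "\n"))
}
```

Two caveats belong next to any list produced this way. strace only records the code paths that actually ran, so one run is a lower bound: refclock drivers, NTS-KE, ntpq traffic and the error paths (log rotation, a peer going away) each pull in syscalls a quiet run never makes, and the union over all of them is what an allowlist needs. And the names are per architecture and libc (openat versus open, clock_gettime versus the vDSO path that never reaches the kernel), which is the reason for the per libc/kernel/hardware files mentioned above.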
MR 1307 and/or 1309
Has anybody tried them?

-- These are my opinions. I hate spam.
Does anybody use (aka test) MDNS?
-- These are my opinions. I hate spam.
CI happy now
I was thinking that "latest" suggested newer. 3.1 is out, but none of the distros I test with are using it yet. I was expecting a bug in that area.

It turns out that ubuntu-latest has an older version of OpenSSL 3. It's using 3.0.2. The oldest 3.0 I have is 3.0.3. Many distros are using 3.0.8.

We still support 1.1.1, but that uses an API that is now deprecated. Cleaning that up was what broke things.

---

If I/we want to test this, I think I have to grab the source for all the versions we want to test, build/test them. Then setup a script that will
  for each version of OpenSSL
    install $version
    build/check ntpsec
    uninstall $version
Our build stuff is already setup to look in /usr/local/ and friends.

That only tests the NTP packet level crypto part of OpenSSL. To test the NTS-KE part, we would have to install and run each built version. Restarting the local ntpd could test the client side. We would need to restart other servers so their client side would test our server side. So plan B would be to setup an array of servers, each using a different version of OpenSSL.

-- These are my opinions. I hate spam.
Re: I've broken something
> I am reasonably sure about it. Jammy comes from [1] which come after looking
> at ./dockerfiles/ubuntu-latest to get ubuntu:latest

Thanks.

> Seriously though, docker works great for this, and you don't need to glass
> wipe a machine.

But I don't know anything about docker and I do know how to install Ubuntu.

Is there a getting started HOWTO for docker?

-- These are my opinions. I hate spam.
Re: I've broken something
James Browning said:
>> Where/how do I get ubuntu-latest?
> I would suggest `docker push registry.gitlab.com/na280/ntpsec`, but it seems
> that it rarely is acceptable, or go to the Ubuntu website and download Jammy.

Are you sure about Jammy? Where did that come from?

I found a download page for Ubuntu 22.04.2 LTS (Jammy Jellyfish)
But 22.04 is almost a year old which doesn't match my expectations for "latest". It is the latest for their LTS.

I have 22.10 (Kinetic Kudu). It works.
I have 20.04.6 LTS (Focal Fossa), but that's running on a Raspberry Pi rather than a PC. It works.

I guess I'll set up Jammy on a PC.

-- These are my opinions. I hate spam.
I've broken something
The pipeline fails on:
  Name: ubuntu-latest-basic
  Name: ubuntu-latest-refclocks
  Name: macos-basic
  Name: macos-refclocks

All 4 get the same clump of errors:

TEST(macencrypt, CMAC_Encrypt)../../tests/libntp/macencrypt.c:109::FAIL: Expected TRUE Was FALSE
TEST(macencrypt, CMAC_Encrypt)../../tests/libntp/macencrypt.c:109::FAIL: Expected TRUE Was FALSE
TEST(macencrypt, DecryptValidCMAC)../../tests/libntp/macencrypt.c:133::FAIL: Expected TRUE Was FALSE
TEST(macencrypt, DecryptInvalidCMAC) PASS
TEST(macencrypt, IPv4AddressToRefId) PASS
TEST(macencrypt, IPv6AddressToRefId) PASS
TEST(macencrypt, null_trunc) PASS
TEST(macencrypt, CMAC_TestVectors)../../tests/libntp/macencrypt.c:297::FAIL: Memory Mismatch. Byte 0 Expected 0x07 Was 0xE5

This code area isn't wonderful. It leaves a lot of stuff in global variables so it can decrypt stuff it just encrypted. The code works on all my test cases.

Anybody know what version of OpenSSL macos or ubuntu-latest are using? There was a new version released recently: 3.0 => 3.1, I think. None of the other distros I test with are using 3.1 yet.

Where/how do I get ubuntu-latest?

We should patch the configure stuff to print out the version of OpenSSL that it finds.

-- These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
Thanks.

matthew.sel...@twosigma.com said:
>> Should we document that? Where?
> The account creation seems self-explanatory. Or did you want to document
> something else?

I don't know. I was just tossing out a suggestion based on my stumbling. Yes, it's reasonably obvious, but only after you find the right URL.

> Yes, Coverity is pointing at the GitHub mirror.

I think it knows that it is a mirror.

> I approved your account.

Thanks. I didn't get any you-were-approved mail. Do I have to explicitly sign up for mail about reports?

> No. We run the Coverity CI job weekly via a schedule, ...
> I'll work on running Coverity post-merge.

I agree that running it every merge is overkill. A button that says run-now would be nice if we are working on fixing Coverity problems. Can you poke it by hand?

How does Coverity fit into the release procedure? Should we schedule releases after a Coverity run?

> Do you need the ability to run Coverity offline on
> your development host before you push?

Not really. I expect this will all get sorted out and slip into the background before long. "before long" just takes longer if the turn around time is a week rather than an hour. I'm not in a hurry as long as I know what to expect. I have plenty of other things to work on.

I got confused by misreading the report that started this thread so I was thinking that Coverity might generate a lot of reports that we would have to fix.

I'm close to having -Wswitch-enum ready.

-- These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
I took a look at the Coverity reports for ntpsec. There are 10 of them. 10 is a small number. We should be able to fix them all.

The Coverity report that started this thread was actually a bug. The code I had was
    bool once = false;
    if (once) return;
    once = true;
    ...
I was so focused on getting the compiler warnings (-Wswitch-enum) that I missed the missing static on once.

-- These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
>> OK, I propose to turn on -Wswitch-enum and fix all the warnings I
>> find. Then I/we fix whatever Coverity complains about. If that is
>> too painful, we can back out of -Wswitch-enum.
> Seems good to me.

OK, I'll start working on it when I get time.

> There are so many Coverity warnings about ntpd to worry about that no one
> will notice a few more or less.

Any chance we can fix/annotate them all?

Is there a web page that describes the /* coverity(mumble) */ stuff? Can I add a comment in there too, like:
    /* coverity(mumble) we handle all the cases */
Something like that might help somebody understand what's going on.

>>> I'm waiting for somebody to approve me.
> Where? How would I see it?
> The request was stuck in my spam folder. Looks like someone beat me to
> approving you.

Thanks. No mail yet. I guess I'll have to go poke around.

-- These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
Thanks.

> Do you have a coverity account?
> https://scan.coverity.com/
> Then go to "My Dashboard" and "Add project".

Should we document that? Where?

It looks like Coverity is running over on github. Is our copy-to-github stuff documented?

I'm waiting for somebody to approve me.

>> Date: Thu, 02 Feb 2023 05:48:37 + (Wed 21:48 PST)
> It was detected on Feb 5.

So the turn around is days rather than hours.

> So we tell Coverity to ignore the extra defaults.

OK, I propose to turn on -Wswitch-enum and fix all the warnings I find. Then I/we fix whatever Coverity complains about. If that is too painful, we can back out of -Wswitch-enum. It may take a few iterations to make Coverity happy and we won't have great turn-around, but it's not on the critical path.

-- These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
>> But then Coverity will barf (DEADCODE) at all the defaults.
> What purpose do they still have?

None. But we have -Wswitch-default so it will barf if we remove them.

They would be useful if an illegal value was passed in. At least in the case that started this thread, the values are coming out of compile time data and I'm reasonably sure I have the type checking set up right so I'm not really worried about bogus values.

I'd rather leave the default in with an error message and tell Coverity it's OK.

>> I think I'm willing to fix them. Is there any way to run Coverity
>> without waiting for it to get around to scanning our code?
> I think coverity grabs every commit, and does not wait long.

I don't get the Coverity mail. How do I fix that? The bottom of the mail you forwarded has a link for you to "manage Coverity Scan email notifications" so I assume there is some recipe to sign up. I poked around a bit but didn't find it. Do you remember how you signed up?

Can you check to see how long it was between when I pushed that commit and when the mail arrived? Here is the pipeline mail from that push.

Subject: ntpsec | Successful pipeline for master | bd596fa3
From: GitLab
Date: Thu, 02 Feb 2023 05:48:37 + (Wed 21:48 PST)

-- These are my opinions. I hate spam.
Re: New Defects reported by Coverity Scan for ntpsec
> Sadly some compilers will always complain if there is no default. So I
> always add a default.

We turn on -Wswitch-default
I'd like to turn on -Wswitch-enum
That generates a handful of warnings that I'm willing to fix.

But then Coverity will barf (DEADCODE) at all the defaults. I think I'm willing to fix them. Is there any way to run Coverity without waiting for it to get around to scanning our code?

-- These are my opinions. I hate spam.
Fw: New Defects reported by Coverity Scan for ntpsec
1439     default: {
1440         /* There should be a way for the compiler to check this. */
1441         bool once = false;
>>>     CID 435753:  Possible Control flow issues  (DEADCODE)
>>>     Execution cannot reach this statement: "return;".
1442         if (once) return;  /* Avoid log file DDoS */

That's some of my new code.

In this case, I'm switching on an enum and have handled all the cases so the default "can't happen". How do I get the compiler to tell me if I missed an option on a switch statement?

Of course, the data might get mashed, so the other question is: How do I get Coverity to not complain about this code?

-- These are my opinions. I hate spam.
Re: issue blocking input_handler
James Browning said:
>> How about fixing the bug at the source rather than patching around it?
> I tried and failed then I came up with that.

Did you get O_NONBLOCK turned on? Something like this:
    err = fcntl(sockfd, F_SETFL, O_NONBLOCK);

-- These are my opinions. I hate spam.
Re: issue blocking input_handler
James Browning said:
> I found a problem with input_handler(). If a reference clock passes a
> blocking file descriptor, input_handler can block forever.

Who did that? Which driver?

How about fixing the bug at the source rather than patching around it?

-- These are my opinions. I hate spam.