diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml index 99f151e57..f7da206c3 100644 --- a/.github/workflows/checks.yaml +++ b/.github/workflows/checks.yaml @@ -130,10 +130,10 @@ jobs: run: cargo run --bin ntp-ctl -- -c ./ntp.toml validate - name: ./ntp.server.toml run: cargo run --bin ntp-ctl -- -c ./ntp.server.toml validate - - name: ./test-keys/unsafe.nts.client.toml - run: cargo run --bin ntp-ctl -- -c ./test-keys/unsafe.nts.client.toml validate - - name: ./test-keys/unsafe.nts.server.toml - run: cargo run --bin ntp-ctl -- -c ./test-keys/unsafe.nts.server.toml validate + - name: ./ntp-proto/test-keys/unsafe.nts.client.toml + run: cargo run --bin ntp-ctl -- -c ./ntp-proto/test-keys/unsafe.nts.client.toml validate + - name: ./ntp-proto/test-keys/unsafe.nts.server.toml + run: cargo run --bin ntp-ctl -- -c ./ntp-proto/test-keys/unsafe.nts.server.toml validate - name: ./config/ntp.demobilize.toml run: cargo run --bin ntp-ctl -- -c ./config/ntp.demobilize.toml validate - name: ./pkg/common/ntp.toml.default diff --git a/CHANGELOG.md b/CHANGELOG.md index b5b67144d..d075dbfbc 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,15 @@ # Changelog +## [1.1.3] - 2024-06-28 + +### Fixed +- Unlimited number of NTS-KE connections could crash ntpd-rs server (CVE-2024-38528) + +## [1.1.2] - 2024-02-01 + +### Fixed +- Fixed tests in ntp-proto to also work outside the repository. + ## [1.1.1] - 2024-01-24 ### Added @@ -183,6 +193,8 @@ process. - Fixed a bug in peer dispersion calculation which resulted in overly pessimistic dispersion estimates. +[1.1.3]: https://github.com/pendulum-project/ntpd-rs/compare/v1.1.2...v1.1.3 +[1.1.2]: https://github.com/pendulum-project/ntpd-rs/compare/v1.1.1...v1.1.2 [1.1.1]: https://github.com/pendulum-project/ntpd-rs/compare/v1.1.0...v1.1.1 [1.1.0]: https://github.com/pendulum-project/ntpd-rs/compare/v1.0.0...v1.1.0 [1.0.0]: https://github.com/pendulum-project/ntpd-rs/compare/v0.3.7...v1.0.0 diff --git a/Cargo.lock b/Cargo.lock index daf9c91c5..e276a2d69 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -340,7 +340,7 @@ dependencies = [ [[package]] name = "ntp-os-clock" -version = "1.1.1" +version = "1.1.3" dependencies = [ "libc", "ntp-proto", @@ -349,7 +349,7 @@ dependencies = [ [[package]] name = "ntp-proto" -version = "1.1.1" +version = "1.1.3" dependencies = [ "aead", "aes-siv", @@ -366,7 +366,7 @@ dependencies = [ [[package]] name = "ntp-udp" -version = "1.1.1" +version = "1.1.3" dependencies = [ "libc", "ntp-proto", @@ -377,7 +377,7 @@ dependencies = [ [[package]] name = "ntpd" -version = "1.1.1" +version = "1.1.3" dependencies = [ "async-trait", "libc", @@ -400,7 +400,7 @@ dependencies = [ [[package]] name = "nts-pool-ke" -version = "1.1.1" +version = "1.1.3" dependencies = [ "ntp-proto", "rustls", diff --git a/Cargo.toml b/Cargo.toml index 7c1dec3b8..fca8c9057 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -14,7 +14,7 @@ resolver = "2" # Global settings for our crates [workspace.package] -version = "1.1.1" +version = "1.1.3" edition = "2021" license = "Apache-2.0 OR MIT" repository = "https://github.com/pendulum-project/ntpd-rs" @@ -61,6 +61,6 @@ zeroize = "1.5" # our own crates used as dependencies, same version as the workspace version # NOTE: keep this part at the bottom of the file, do not change this line -ntp-os-clock = { version = "1.1.1", path = "./ntp-os-clock" } -ntp-proto = { version = "1.1.1", path = "./ntp-proto", features = ["__internal-api"] } -ntp-udp = { version = "1.1.1", path = "./ntp-udp" } +ntp-os-clock = { version = "1.1.3", path = "./ntp-os-clock" } +ntp-proto = { version = "1.1.3", path = "./ntp-proto", features = ["__internal-api"] } +ntp-udp = { version = "1.1.3", path = "./ntp-udp" } diff --git a/docs/man/ntp-ctl.8.md b/docs/man/ntp-ctl.8.md index 038ad9c84..72aae773d 100644 --- a/docs/man/ntp-ctl.8.md +++ b/docs/man/ntp-ctl.8.md @@ -1,5 +1,5 @@ # NAME diff --git a/docs/man/ntp-daemon.8.md b/docs/man/ntp-daemon.8.md index c4ce0518b..544866d95 100644 --- a/docs/man/ntp-daemon.8.md +++ b/docs/man/ntp-daemon.8.md @@ -1,5 +1,5 @@ # NAME diff --git a/docs/man/ntp-metrics-exporter.8.md b/docs/man/ntp-metrics-exporter.8.md index 2df115c24..00effa4b8 100644 --- a/docs/man/ntp-metrics-exporter.8.md +++ b/docs/man/ntp-metrics-exporter.8.md @@ -1,5 +1,5 @@ # NAME diff --git a/docs/man/ntp.toml.5.md b/docs/man/ntp.toml.5.md index f19ff1348..37d90218b 100644 --- a/docs/man/ntp.toml.5.md +++ b/docs/man/ntp.toml.5.md @@ -1,5 +1,5 @@ # NAME @@ -234,6 +234,10 @@ untampered with. : Timeout in milliseconds for how long a key exchange may take. If the timeout is exceeded the connection will be dropped. +`concurrent-connections` = *number* (**512**) +: Maximum number of concurrent connections the key exchange server will handle. + Any connections above the threshold will be held in an OS level queue. + `ntp-port` = *port* Port number the key exchange server should instruct clients to use. Should be used when the port number of the NTP server is not the default. diff --git a/docs/precompiled/man/ntp-ctl.8 b/docs/precompiled/man/ntp-ctl.8 index 4f39a5c9a..17010180d 100644 --- a/docs/precompiled/man/ntp-ctl.8 +++ b/docs/precompiled/man/ntp-ctl.8 @@ -1,74 +1,56 @@ -.\" Automatically generated by Pandoc 3.1.1 +.\" Automatically generated by Pandoc 3.1.13 .\" -.\" Define V font for inline verbatim, using C font in formats -.\" that render this, and otherwise B font. -.ie "\f[CB]x\f[]"x" \{\ -. ftr V B -. ftr VI BI -. ftr VB B -. ftr VBI BI -.\} -.el \{\ -. ftr V CR -. ftr VI CI -. ftr VB CB -. ftr VBI CBI -.\} -.TH "NTP-CTL" "8" "" "ntpd-rs 1.1.1" "ntpd-rs" -.hy +.TH "NTP\-CTL" "8" "" "ntpd\-rs 1.1.3" "ntpd\-rs" .SH NAME -.PP -\f[V]ntp-ctl\f[R] - management client for the ntpd-rs ntp-daemon process +\f[CR]ntp\-ctl\f[R] \- management client for the ntpd\-rs ntp\-daemon +process .SH SYNOPSIS -.PP -\f[V]ntp-ctl\f[R] validate [\f[V]-c\f[R] \f[I]path\f[R]] +\f[CR]ntp\-ctl\f[R] validate [\f[CR]\-c\f[R] \f[I]path\f[R]] .PD 0 .P .PD -\f[V]ntp-ctl\f[R] status [\f[V]-f\f[R] \f[I]format\f[R]] [\f[V]-c\f[R] -\f[I]path\f[R]] +\f[CR]ntp\-ctl\f[R] status [\f[CR]\-f\f[R] \f[I]format\f[R]] +[\f[CR]\-c\f[R] \f[I]path\f[R]] .PD 0 .P .PD -\f[V]ntp-ctl\f[R] \f[V]-h\f[R] +\f[CR]ntp\-ctl\f[R] \f[CR]\-h\f[R] .PD 0 .P .PD -\f[V]ntp-ctl\f[R] \f[V]-v\f[R] +\f[CR]ntp\-ctl\f[R] \f[CR]\-v\f[R] .SH DESCRIPTION -.PP -The \f[V]ntp-ctl\f[R] management client allows management of some -aspects of the ntpd-rs daemon. +The \f[CR]ntp\-ctl\f[R] management client allows management of some +aspects of the ntpd\-rs daemon. Currently the management client only allows displaying the current status of the daemon and validating a configuration file for usage with the daemon. .SH OPTIONS .TP -\f[V]-c\f[R] \f[I]path\f[R], \f[V]--config\f[R]=\f[I]path\f[R] +\f[CR]\-c\f[R] \f[I]path\f[R], \f[CR]\-\-config\f[R]=\f[I]path\f[R] Path to the configuration file from which the observation socket address will be retrieved. -If not specified this defaults to \f[V]/etc/ntpd-rs/ntp.toml\f[R]. +If not specified this defaults to \f[CR]/etc/ntpd\-rs/ntp.toml\f[R]. .TP -\f[V]-f\f[R] \f[I]format\f[R], \f[V]--format\f[R]=\f[I]format\f[R] +\f[CR]\-f\f[R] \f[I]format\f[R], \f[CR]\-\-format\f[R]=\f[I]format\f[R] The output format for the status command. If not specified this defaults to \f[I]plain\f[R]. Alternatively the format \f[I]prometheus\f[R] is available to display the output in an OpenMetrics/Prometheus compatible format. .TP -\f[V]-h\f[R], \f[V]--help\f[R] +\f[CR]\-h\f[R], \f[CR]\-\-help\f[R] Display usage instructions. .TP -\f[V]-v\f[R], \f[V]--version\f[R] +\f[CR]\-v\f[R], \f[CR]\-\-version\f[R] Display version information. .SH COMMANDS .TP -\f[V]validate\f[R] +\f[CR]validate\f[R] Checks if the configuration specified (or -\f[V]/etc/ntpd-rs/ntp.toml\f[R] by default) is valid. +\f[CR]/etc/ntpd\-rs/ntp.toml\f[R] by default) is valid. .TP -\f[V]status\f[R] -Returns status information about the current state of the ntp-daemon +\f[CR]status\f[R] +Returns status information about the current state of the ntp\-daemon that the client connects to. .SH SEE ALSO -.PP -ntp-daemon(8), ntp-metrics-exporter(8), ntp.toml(5) +ntp\-daemon(8), ntp\-metrics\-exporter(8), ntp.toml(5) diff --git a/docs/precompiled/man/ntp-daemon.8 b/docs/precompiled/man/ntp-daemon.8 index aa4a2043c..ba138532e 100644 --- a/docs/precompiled/man/ntp-daemon.8 +++ b/docs/precompiled/man/ntp-daemon.8 @@ -1,59 +1,41 @@ -.\" Automatically generated by Pandoc 3.1.1 +.\" Automatically generated by Pandoc 3.1.13 .\" -.\" Define V font for inline verbatim, using C font in formats -.\" that render this, and otherwise B font. -.ie "\f[CB]x\f[]"x" \{\ -. ftr V B -. ftr VI BI -. ftr VB B -. ftr VBI BI -.\} -.el \{\ -. ftr V CR -. ftr VI CI -. ftr VB CB -. ftr VBI CBI -.\} -.TH "NTP-DAEMON" "8" "" "ntpd-rs 1.1.1" "ntpd-rs" -.hy +.TH "NTP\-DAEMON" "8" "" "ntpd\-rs 1.1.3" "ntpd\-rs" .SH NAME -.PP -\f[V]ntp-daemon\f[R] - ntpd-rs Network Time Protocol service daemon +\f[CR]ntp\-daemon\f[R] \- ntpd\-rs Network Time Protocol service daemon .SH SYNOPSIS -.PP -\f[V]ntp-daemon\f[R] [\f[V]-c\f[R] \f[I]path\f[R]] [\f[V]-l\f[R] +\f[CR]ntp\-daemon\f[R] [\f[CR]\-c\f[R] \f[I]path\f[R]] [\f[CR]\-l\f[R] \f[I]loglevel\f[R]] .PD 0 .P .PD -\f[V]ntp-daemon\f[R] \f[V]-h\f[R] +\f[CR]ntp\-daemon\f[R] \f[CR]\-h\f[R] .PD 0 .P .PD -\f[V]ntp-daemon\f[R] \f[V]-v\f[R] +\f[CR]ntp\-daemon\f[R] \f[CR]\-v\f[R] .SH DESCRIPTION -.PP -\f[V]ntp-daemon\f[R] is the Network Time Protocol (NTP) service daemon -for ntpd-rs, an NTP implementation with a focus on security and +\f[CR]ntp\-daemon\f[R] is the Network Time Protocol (NTP) service daemon +for ntpd\-rs, an NTP implementation with a focus on security and stability. -The \f[V]ntp-deamon\f[R] can be configured as both an NTP client and an -NTP server. +The \f[CR]ntp\-deamon\f[R] can be configured as both an NTP client and +an NTP server. The daemon also works with the Network Time Security (NTS) protocol. Details of the configuration of the daemon and implementation details -can be found in ntp.toml(5), where several concepts of the ntp-daemon +can be found in ntp.toml(5), where several concepts of the ntp\-daemon are also explained. .SH OPTIONS .TP -\f[V]-c\f[R] \f[I]path\f[R], \f[V]--config\f[R]=\f[I]path\f[R] -The configuration file path for the ntp-daemon where settings for the -configuration of ntpd-rs are stored. +\f[CR]\-c\f[R] \f[I]path\f[R], \f[CR]\-\-config\f[R]=\f[I]path\f[R] +The configuration file path for the ntp\-daemon where settings for the +configuration of ntpd\-rs are stored. If not specified the default configuration file is -\f[V]/etc/ntpd-rs/ntp.toml\f[R]. +\f[CR]/etc/ntpd\-rs/ntp.toml\f[R]. .TP -\f[V]-h\f[R], \f[V]--help\f[R] +\f[CR]\-h\f[R], \f[CR]\-\-help\f[R] Display usage instructions. .TP -\f[V]-l\f[R] \f[I]loglevel\f[R], \f[V]--log-level\f[R]=\f[I]loglevel\f[R] +\f[CR]\-l\f[R] \f[I]loglevel\f[R], \f[CR]\-\-log\-level\f[R]=\f[I]loglevel\f[R] Change which log messages are logged to stdout. Available log levels are \f[I]trace\f[R], \f[I]debug\f[R], \f[I]info\f[R], \f[I]warn\f[R] and \f[I]error\f[R] (from lower to higher @@ -61,8 +43,7 @@ priority). Only messages with the given priority and higher will be displayed. The default log level is \f[I]info\f[R]. .TP -\f[V]-v\f[R], \f[V]--version\f[R] +\f[CR]\-v\f[R], \f[CR]\-\-version\f[R] Display version information. .SH SEE ALSO -.PP -ntp-ctl(8), ntp-metrics-exporter(8), ntp.toml(5) +ntp\-ctl(8), ntp\-metrics\-exporter(8), ntp.toml(5) diff --git a/docs/precompiled/man/ntp-metrics-exporter.8 b/docs/precompiled/man/ntp-metrics-exporter.8 index bed9aaa97..fa97ca3d6 100644 --- a/docs/precompiled/man/ntp-metrics-exporter.8 +++ b/docs/precompiled/man/ntp-metrics-exporter.8 @@ -1,52 +1,33 @@ -.\" Automatically generated by Pandoc 3.1.1 +.\" Automatically generated by Pandoc 3.1.13 .\" -.\" Define V font for inline verbatim, using C font in formats -.\" that render this, and otherwise B font. -.ie "\f[CB]x\f[]"x" \{\ -. ftr V B -. ftr VI BI -. ftr VB B -. ftr VBI BI -.\} -.el \{\ -. ftr V CR -. ftr VI CI -. ftr VB CB -. ftr VBI CBI -.\} -.TH "NTP-METRICS-EXPORTER" "8" "" "ntpd-rs 1.1.1" "ntpd-rs" -.hy +.TH "NTP\-METRICS\-EXPORTER" "8" "" "ntpd\-rs 1.1.3" "ntpd\-rs" .SH NAME -.PP -\f[V]ntp-metrics-exporter\f[R] - Prometheus/OpenMetrics exporter for the -ntpd-rs daemon +\f[CR]ntp\-metrics\-exporter\f[R] \- Prometheus/OpenMetrics exporter for +the ntpd\-rs daemon .SH SYNOPSIS -.PP -\f[V]ntp-metrics-exporter\f[R] [\f[V]-c\f[R] \f[I]path\f[R]] +\f[CR]ntp\-metrics\-exporter\f[R] [\f[CR]\-c\f[R] \f[I]path\f[R]] .PD 0 .P .PD -\f[V]ntp-metrics-exporter\f[R] \f[V]-h\f[R] +\f[CR]ntp\-metrics\-exporter\f[R] \f[CR]\-h\f[R] .PD 0 .P .PD -\f[V]ntp-metrics-exporter\f[R] \f[V]-v\f[R] +\f[CR]ntp\-metrics\-exporter\f[R] \f[CR]\-v\f[R] .SH DESCRIPTION -.PP -Exports the status metrics from the ntpd-rs daemon as +Exports the status metrics from the ntpd\-rs daemon as Prometheus/OpenMetrics via an HTTP socket. .SH OPTIONS .TP -\f[V]-c\f[R] \f[I]path\f[R], \f[V]--config\f[R]=\f[I]path\f[R] +\f[CR]\-c\f[R] \f[I]path\f[R], \f[CR]\-\-config\f[R]=\f[I]path\f[R] Path to the configuration file where the observation socket path for -connecting with the ntp-daemon is specified. -This defaults to \f[V]/etc/ntpd-rs/ntp.toml\f[R] if not specified. +connecting with the ntp\-daemon is specified. +This defaults to \f[CR]/etc/ntpd\-rs/ntp.toml\f[R] if not specified. .TP -\f[V]-h\f[R], \f[V]--help\f[R] +\f[CR]\-h\f[R], \f[CR]\-\-help\f[R] Display usage instructions. .TP -\f[V]-v\f[R], \f[V]--version\f[R] +\f[CR]\-v\f[R], \f[CR]\-\-version\f[R] Display version information. .SH SEE ALSO -.PP -ntp-daemon(8), ntp-ctl(8), ntp.toml(5) +ntp\-daemon(8), ntp\-ctl(8), ntp.toml(5) diff --git a/docs/precompiled/man/ntp.toml.5 b/docs/precompiled/man/ntp.toml.5 index 5c30badcf..d66309040 100644 --- a/docs/precompiled/man/ntp.toml.5 +++ b/docs/precompiled/man/ntp.toml.5 @@ -1,73 +1,54 @@ -.\" Automatically generated by Pandoc 3.1.1 +.\" Automatically generated by Pandoc 3.1.13 .\" -.\" Define V font for inline verbatim, using C font in formats -.\" that render this, and otherwise B font. -.ie "\f[CB]x\f[]"x" \{\ -. ftr V B -. ftr VI BI -. ftr VB B -. ftr VBI BI -.\} -.el \{\ -. ftr V CR -. ftr VI CI -. ftr VB CB -. ftr VBI CBI -.\} -.TH "NTP.TOML" "5" "" "ntpd-rs 1.1.1" "ntpd-rs" -.hy +.TH "NTP.TOML" "5" "" "ntpd\-rs 1.1.3" "ntpd\-rs" .SH NAME -.PP -\f[V]ntp.toml\f[R] - configuration file for the ntpd-rs ntp-daemon +\f[CR]ntp.toml\f[R] \- configuration file for the ntpd\-rs ntp\-daemon .SH DESCRIPTION -.PP -Configuration of ntpd-rs happens in the \f[V]ntp.toml\f[R] configuration -format. +Configuration of ntpd\-rs happens in the \f[CR]ntp.toml\f[R] +configuration format. The toml format is in lots of ways similar to a simple ini with several -extensions allowing a json-like syntax. +extensions allowing a json\-like syntax. .PP -The ntpd-rs configuration file consists of several sections, each of -which configuring a separate part of the ntp-daemon process. +The ntpd\-rs configuration file consists of several sections, each of +which configuring a separate part of the ntp\-daemon process. Each of the secions is described in the rest of this document. Many settings will have defaults, which will be indicated by each configuration setting shown. .PP -The ntp daemon only supports unicast client-server connections. +The ntp daemon only supports unicast client\-server connections. Most NTP traffic, especially across the public internet, almost exclusively uses this mode, so it is not considered a practical limitation for most scenarios. .SH SOURCE MODES -.PP Different types of sources (see the section below for details) are supported by the ntp daemon. To set the type of the source, you can configure the mode field with any of these options: .TP -\f[V]server\f[R] +\f[CR]server\f[R] A server source connects to a single specific NTP server. If a connection is lost, attempts will be made to reconnect to the source. .TP -\f[V]pool\f[R] +\f[CR]pool\f[R] A pool source retrieves multiple NTP servers by resolving a hostname via DNS. It then attempts to connect to multiple of these servers at the same time. If a connection is lost, a new server will be retrieved from the pool. .TP -\f[V]nts\f[R] +\f[CR]nts\f[R] Connect to a single Network Time Security (NTS) source. The NTS protocol uses a TLS handshake to exchange secrets with a server to allow verifying that NTP messages have not been tampered with. Note that the TLS protocol requires that both the client and server have a rough idea of the current time. .SH CONFIGURATION -.SS \f[V][source-defaults]\f[R] -.PP +.SS \f[CR][source\-defaults]\f[R] Some values are shared between all sources in the daemon. -You can configure these in the \f[V][source-defaults]\f[R] section. +You can configure these in the \f[CR][source\-defaults]\f[R] section. .TP -\f[V]poll-interval-limits\f[R] = { \f[V]min\f[R] = \f[I]min\f[R], \f[V]max\f[R] = \f[I]max\f[R] } (\f[B]{ min = 4, max = 10}\f[R]) +\f[CR]poll\-interval\-limits\f[R] = { \f[CR]min\f[R] = \f[I]min\f[R], \f[CR]max\f[R] = \f[I]max\f[R] } (\f[B]{ min = 4, max = 10}\f[R]) Specifies the limit on how often a source is queried for a new time. For most instances the defaults will be adequate. The min and max are given as the log2 of the number of seconds @@ -76,80 +57,78 @@ An interval of 4 equates to 32 seconds, 10 results in an interval of 1024 seconds. If specified, both min and max must be specified. .TP -\f[V]initial-poll-interval\f[R] = \f[I]interval\f[R] (\f[B]4\f[R]) +\f[CR]initial\-poll\-interval\f[R] = \f[I]interval\f[R] (\f[B]4\f[R]) Initial poll interval used on startup. The value is given as the log2 of the number of seconds (i.e.\ two to the power of the interval). The default value of 4 results in an interval of 32 seconds. -.SS \f[V][[source]]\f[R] -.PP -Each \f[V][[source]]\f[R] is a set of one or more time sources for the +.SS \f[CR][[source]]\f[R] +Each \f[CR][[source]]\f[R] is a set of one or more time sources for the daemon to retrieve time information from. Any number of sources can be configured by repeating a -\f[V][[source]]\f[R] section (note the double brackets) for as many +\f[CR][[source]]\f[R] section (note the double brackets) for as many times as required. Each source can be configured to connect to a specific remote location. Multiple modes for connecting to sources are supported. -If less than \f[V]minimum-agreeing-sources\f[R] time sources have been -configured, no time will be synchronized to the local clock. +If less than \f[CR]minimum\-agreeing\-sources\f[R] time sources have +been configured, no time will be synchronized to the local clock. Note that a pool counts as multiple time sources. .TP -\f[V]mode\f[R] = \f[I]mode\f[R] -Specify one of the source modes that ntpd-rs supports: \f[V]server\f[R], -\f[V]pool\f[R] or \f[V]nts\f[R]. +\f[CR]mode\f[R] = \f[I]mode\f[R] +Specify one of the source modes that ntpd\-rs supports: +\f[CR]server\f[R], \f[CR]pool\f[R] or \f[CR]nts\f[R]. For a description of the different source modes, see the \f[I]SOURCE MODES\f[R] section. .TP -\f[V]address\f[R] = \f[I]address\f[R] +\f[CR]address\f[R] = \f[I]address\f[R] Specify the remote address of the source. For server sources this will be the remote address of the NTP server. For pools, this will be the DNS address of the NTP pool and for nts this will be the address of the key exchange server. The server address may include a port number by appending a colon -(\f[V]:\f[R]) followed by a port number. -If not specified the daemon will connect to \f[V]server\f[R] and -\f[V]pool\f[R] servers via port \f[I]123\f[R], for \f[V]nts\f[R] sources -the default port is \f[I]4460\f[R]. +(\f[CR]:\f[R]) followed by a port number. +If not specified the daemon will connect to \f[CR]server\f[R] and +\f[CR]pool\f[R] servers via port \f[I]123\f[R], for \f[CR]nts\f[R] +sources the default port is \f[I]4460\f[R]. .TP -\f[V]certificate-authority\f[R] = \f[I]cert\f[R] -Can only be set on sources with the \f[V]nts\f[R] mode. +\f[CR]certificate\-authority\f[R] = \f[I]cert\f[R] +Can only be set on sources with the \f[CR]nts\f[R] mode. Path to a certificate for an additional certificate authority to use, aside from the certificate authorities specified by the system configuration. Note that this cannot be used to specify a self signed certificate. .TP -\f[V]count\f[R] = \f[I]number\f[R] (\f[B]4\f[R]) -Can only be set on sources with the \f[V]pool\f[R] mode. +\f[CR]count\f[R] = \f[I]number\f[R] (\f[B]4\f[R]) +Can only be set on sources with the \f[CR]pool\f[R] mode. Specifies the maximum number of servers that the daemon will attempt to connect to from a pool. The daemon will keep retrying to get more sources from the pool when connections are lost, up to the maximum specified by this configuration value. -.SS \f[V][[server]]\f[R] -.PP +.SS \f[CR][[server]]\f[R] The NTP daemon can be configured to distribute time via any number of -\f[V][[server]]\f[R] sections. +\f[CR][[server]]\f[R] sections. If no such sections have been defined, the daemon runs in a client only mode. Any number of servers can be configured by repeating the -\f[V][[server]]\f[R] section (note the double brackets) for as many +\f[CR][[server]]\f[R] section (note the double brackets) for as many times as required. Each server can serve a specific socket address or listen on all available network interfaces on a specific port. Servers always serve the system clock time. .TP -\f[V]listen\f[R] = \f[I]socketaddr\f[R] +\f[CR]listen\f[R] = \f[I]socketaddr\f[R] Address of a UDP socket on which the server should listen for incoming NTP requests. Specified as an interface IP address, a colon and a port number. The standard port number for NTP is UDP port 123. Both IPv4 and IPv6 are supported. For example to listen on localhost port 123 in IPv4 you can use -\f[V]127.0.0.1:123\f[R]. +\f[CR]127.0.0.1:123\f[R]. You can listen on all available network interfaces at once using -\f[V]0.0.0.0:123\f[R] for IPv4 or \f[V][::]:123\f[R] for IPv6. +\f[CR]0.0.0.0:123\f[R] for IPv4 or \f[CR][::]:123\f[R] for IPv6. .TP -\f[V]rate-limiting-cache-size\f[R] = \f[I]size\f[R] (\f[B]0\f[R]) +\f[CR]rate\-limiting\-cache\-size\f[R] = \f[I]size\f[R] (\f[B]0\f[R]) Number of elements in the rate limiting cache. At most \f[I]size\f[R] elements are kept in the cache. This means that if more than \f[I]size\f[R] different clients attempt to @@ -158,120 +137,118 @@ functionality, as rate limiting information gets lost when new clients connect to the server. If set to zero, the cache is unused, this is the default. .TP -\f[V]rate-limiting-cutoff-ms\f[R] = \f[I]cutoff\f[R] (\f[B]0\f[R]) +\f[CR]rate\-limiting\-cutoff\-ms\f[R] = \f[I]cutoff\f[R] (\f[B]0\f[R]) Minimum time between two requests from the same client, if a request was sent sooner than the cutoff time, the client will be asked to slow down their requests by the server responding with a packet with the NTP -\f[V]RATE\f[R] kiss code. +\f[CR]RATE\f[R] kiss code. No actual time measurement will be returned to the client in that case. If set to zero, no rate limiting is applied, this is the default. .TP -\f[V]allowlist\f[R] = { filter = [ \f[I]subnet\f[R], .. ], action = \f[V]\[dq]deny\[dq]\f[R] | \f[V]\[dq]ignore\[dq]\f[R] } (\f[B]unset\f[R]) +\f[CR]allowlist\f[R] = { filter = [ \f[I]subnet\f[R], .. ], action = \f[CR]\[dq]deny\[dq]\f[R] | \f[CR]\[dq]ignore\[dq]\f[R] } (\f[B]unset\f[R]) Only allow any number of filtered \f[I]subnets\f[R] to connect to the daemon. Any IP that matches one of the subnets specified is allowed to contact this server. The subnets must be specified in CIDR notation (an IP address followed by a slash and the number of masked bits, for example -\f[V]127.0.0.1/8\f[R] or \f[V]192.168.1.1/24\f[R]). +\f[CR]127.0.0.1/8\f[R] or \f[CR]192.168.1.1/24\f[R]). The action determines what measure is taken for IP addresses not in any of the specified subnets. -When \f[V]deny\f[R], an explicit packet with the NTP \f[V]DENY\f[R] kiss -code is returned to the sender indicating that they are not allowed to -do so. -When \f[V]ignore\f[R] is specified, messages are discarded with no +When \f[CR]deny\f[R], an explicit packet with the NTP \f[CR]DENY\f[R] +kiss code is returned to the sender indicating that they are not allowed +to do so. +When \f[CR]ignore\f[R] is specified, messages are discarded with no response sent. The default value is equivalent to allowing any IP address, and would be equivalent to setting the filter to -\f[V][\[dq]0.0.0.0/0\[dq], \[dq]::/0\[dq]]\f[R], with either action. +\f[CR][\[dq]0.0.0.0/0\[dq], \[dq]::/0\[dq]]\f[R], with either action. .TP -\f[V]denylist\f[R] = { filter = [ \f[I]subnet\f[R], .. ], action = \f[V]\[dq]deny\[dq]\f[R] | \f[V]\[dq]ignore\[dq]\f[R] } (\f[B]unset\f[R]) +\f[CR]denylist\f[R] = { filter = [ \f[I]subnet\f[R], .. ], action = \f[CR]\[dq]deny\[dq]\f[R] | \f[CR]\[dq]ignore\[dq]\f[R] } (\f[B]unset\f[R]) Do not allow any number of filtered \f[I]subnets\f[R] to connect to the daemon. Any IP that matches one of the subnets specified is not allowed to contact this server. The subnets must be specified in CIDR notation (an IP address followed by a slash and the number of masked bits, for example -\f[V]127.0.0.1/8\f[R] or \f[V]192.168.1.1/24\f[R]). +\f[CR]127.0.0.1/8\f[R] or \f[CR]192.168.1.1/24\f[R]). The action determines what measure is taken for IP addresses in any of the specified subnets. -When \f[V]deny\f[R], an explicit packet with the NTP \f[V]DENY\f[R] kiss -code is returned to the sender indicating that they are not allowed to -do so. -When \f[V]ignore\f[R] is specified, messages are discarded with no +When \f[CR]deny\f[R], an explicit packet with the NTP \f[CR]DENY\f[R] +kiss code is returned to the sender indicating that they are not allowed +to do so. +When \f[CR]ignore\f[R] is specified, messages are discarded with no response sent. The default value is equivalent to allowing any IP address, and would be -equivalent to setting the filter to \f[V][]\f[R], with either action. -.SS \f[V][observability]\f[R] -.PP +equivalent to setting the filter to \f[CR][]\f[R], with either action. +.SS \f[CR][observability]\f[R] Settings in this section configure how you can observe the behavior of the daemon. Currently the daemon can be observed either through the logs or by -retrieving several key metrics either through ntp-ctl(8) or through -ntp-metrics-exporter(8). +retrieving several key metrics either through ntp\-ctl(8) or through +ntp\-metrics\-exporter(8). .TP -\f[V]log-level\f[R] = \f[V]\[dq]trace\[dq]\f[R] | \f[V]\[dq]debug\[dq]\f[R] | \f[V]\[dq]info\[dq]\f[R] | \f[V]\[dq]warn\[dq]\f[R] | \f[V]\[dq]error\[dq]\f[R] (\f[B]unset\f[R]) +\f[CR]log\-level\f[R] = \f[CR]\[dq]trace\[dq]\f[R] | \f[CR]\[dq]debug\[dq]\f[R] | \f[CR]\[dq]info\[dq]\f[R] | \f[CR]\[dq]warn\[dq]\f[R] | \f[CR]\[dq]error\[dq]\f[R] (\f[B]unset\f[R]) Set the logging level for messages printed to stdout. -The lowest level \f[V]trace\f[R] gives very detailed information about +The lowest level \f[CR]trace\f[R] gives very detailed information about anything going on in the daemon, whereas the highest level -\f[V]error\f[R] only logs error conditions in the daemon. +\f[CR]error\f[R] only logs error conditions in the daemon. Levels higher than the given log level are logged as well. If not set (the default), then logging will be completely disabled. .TP -\f[V]observation-path\f[R] = \f[I]path\f[R] (\f[B]unset\f[R]) +\f[CR]observation\-path\f[R] = \f[I]path\f[R] (\f[B]unset\f[R]) Path where the daemon will create an observation unix domain socket. -This socket is used by \f[V]ntp-ctl\f[R] and -\f[V]ntp-metrics-exporter\f[R] to read the current status of the daemon. +This socket is used by \f[CR]ntp\-ctl\f[R] and +\f[CR]ntp\-metrics\-exporter\f[R] to read the current status of the +daemon. If not set (the default) no observation socket will be created and it is -not possible to use \f[V]ntp-ctl\f[R] or \f[V]ntp-metrics-exporter\f[R] -to observe the daemon. +not possible to use \f[CR]ntp\-ctl\f[R] or +\f[CR]ntp\-metrics\-exporter\f[R] to observe the daemon. .TP -\f[V]observation-permissions\f[R] = \f[I]mode\f[R] (\f[B]0o666\f[R]) +\f[CR]observation\-permissions\f[R] = \f[I]mode\f[R] (\f[B]0o666\f[R]) The file system permissions with which the observation socket should be created. Warning: You should always write this number with the octal prefix -\f[V]0o\f[R], otherwise your permissions might be interpreted wrongly. +\f[CR]0o\f[R], otherwise your permissions might be interpreted wrongly. The default should be ok for most applications however. .TP -\f[V]metrics-exporter-listen\f[R] = \f[I]socketaddr\f[R] (\f[B]127.0.0.1:9975\f[R]) -The listen address that is used for the ntp-metrics-exporter(8). -.SS \f[V][keyset]\f[R] -.PP +\f[CR]metrics\-exporter\-listen\f[R] = \f[I]socketaddr\f[R] (\f[B]127.0.0.1:9975\f[R]) +The listen address that is used for the ntp\-metrics\-exporter(8). +.SS \f[CR][keyset]\f[R] The keyset configures the internal key infrastructure for NTS packets. Note that this is separate from the TLS certificate and private key, for -those see the relevant configuration in the \f[V][[nts-ke-server]]\f[R] -section. +those see the relevant configuration in the +\f[CR][[nts\-ke\-server]]\f[R] section. .TP -\f[V]stale-key-count\f[R] = \f[I]count\f[R] (\f[B]7\f[R]) +\f[CR]stale\-key\-count\f[R] = \f[I]count\f[R] (\f[B]7\f[R]) Maximum number of old keys to retain in the cache. Whenever keys are rotated the old keys will become invalid, but clients may still have NTS cookies encrypted with any of the old keys. .TP -\f[V]key-rotation-interval\f[R] = \f[I]seconds\f[R] (\f[B]86400\f[R]) +\f[CR]key\-rotation\-interval\f[R] = \f[I]seconds\f[R] (\f[B]86400\f[R]) Time between key rotation events. Every time \f[I]seconds\f[R] elapses, a new internal key will be generated for creating NTS cookies. By default this is set to a day. .TP -\f[V]key-storage-path\f[R] = \f[I]path\f[R] (\f[B]unset\f[R]) +\f[CR]key\-storage\-path\f[R] = \f[I]path\f[R] (\f[B]unset\f[R]) If set, stores the internal NTS keys in the file indicated by \f[I]path\f[R]. This allows keys to survive a server reboot. If not set, clients using NTS may need to redo a key exchange operation to get new NTS cookies. -.SS \f[V][[nts-ke-server]]\f[R] -.PP +.SS \f[CR][[nts\-ke\-server]]\f[R] The daemon can be configured to operate as an NTS key exchange server by -repeating any number of \f[V][[nts-ke-server]]\f[R] sections. +repeating any number of \f[CR][[nts\-ke\-server]]\f[R] sections. If no such sections have been defined, the daemon will offer no NTS key exchange services. -All NTS-KE servers make use of the shared keyset. +All NTS\-KE servers make use of the shared keyset. It is the purpose of the key exchange server to distribute cookies to clients in a safe way. These cookies can then be used in NTP packets with the normal server to validate that the traffic was untampered with. .TP -\f[V]listen\f[R] = \f[I]socket\f[R] +\f[CR]listen\f[R] = \f[I]socket\f[R] Address of a TCP socket on which the server should listen for incoming NTS key exchange requests. Specified as an interface IP address, a colon and a port number. @@ -279,54 +256,58 @@ The standard port number for an NTS key exchange server is TCP port 4460. Both IPv4 and IPv6 are supported. For example to listen on localhost port 4460 in IPv4 you can use -\f[V]127.0.0.1:4460\f[R]. +\f[CR]127.0.0.1:4460\f[R]. You can listen on all available network interfaces at once using -\f[V]0.0.0.0:4460\f[R] for IPv4 or \f[V][::]:4460\f[R] for IPv6. +\f[CR]0.0.0.0:4460\f[R] for IPv4 or \f[CR][::]:4460\f[R] for IPv6. .TP -\f[V]certificate-chain-path\f[R] = \f[I]path\f[R] +\f[CR]certificate\-chain\-path\f[R] = \f[I]path\f[R] Path to a certificate chain for the public certificate that the server offers to clients. .TP -\f[V]private-key-path\f[R] = \f[I]path\f[R] +\f[CR]private\-key\-path\f[R] = \f[I]path\f[R] Path to the private key associated with the server certificate in the certificate chain. .TP -\f[V]key-exchange-timeout-ms\f[R] = \f[I]timeout\f[R] (\f[B]1000\f[R]) +\f[CR]key\-exchange\-timeout\-ms\f[R] = \f[I]timeout\f[R] (\f[B]1000\f[R]) Timeout in milliseconds for how long a key exchange may take. If the timeout is exceeded the connection will be dropped. +.TP +\f[CR]concurrent\-connections\f[R] = \f[I]number\f[R] (\f[B]512\f[R]) +Maximum number of concurrent connections the key exchange server will +handle. +Any connections above the threshold will be held in an OS level queue. .PP -\f[V]ntp-port\f[R] = \f[I]port\f[R] Port number the key exchange server -should instruct clients to use. +\f[CR]ntp\-port\f[R] = \f[I]port\f[R] Port number the key exchange +server should instruct clients to use. Should be used when the port number of the NTP server is not the default. .PP -\f[V]ntp-server\f[R] = \f[I]server-name\f[R] Server address (either as -ip or as domain name) where clients can find the NTP server. +\f[CR]ntp\-server\f[R] = \f[I]server\-name\f[R] Server address (either +as ip or as domain name) where clients can find the NTP server. Should be used when this name does not match the name of the NTS key exchange server. -.SS \f[V][synchronization]\f[R] -.PP +.SS \f[CR][synchronization]\f[R] This section of the configuration focusses on how the time information from the time sources is gathered and applied to the system clock. .TP -\f[V]minimum-agreeing-sources\f[R] = \f[I]count\f[R] (\f[B]3\f[R]) +\f[CR]minimum\-agreeing\-sources\f[R] = \f[I]count\f[R] (\f[B]3\f[R]) The minimum number of sources that should agree on the current time before the daemon does any steering operation on the clock. Note that if you have configured fewer than this amount of sources, this may result in the daemon never updating the clock. .TP -\f[V]single-step-panic-threshold\f[R] = \f[I]seconds\f[R] | { \f[V]forward\f[R] = \f[I]forward\f[R], \f[V]backward\f[R] = \f[I]backward\f[R] } (\f[B]1000\f[R]) +\f[CR]single\-step\-panic\-threshold\f[R] = \f[I]seconds\f[R] | { \f[CR]forward\f[R] = \f[I]forward\f[R], \f[CR]backward\f[R] = \f[I]backward\f[R] } (\f[B]1000\f[R]) The threshold in seconds at which the daemon will completely exit (i.e. -panic) when a single non-startup step occurs. +panic) when a single non\-startup step occurs. Generally during normal operation the clock on your system should run somewhat close to the time it is synchronized to. As such, it is highly unlikely that such a large step will take place, and the daemon will exit to prevent any accidental mistakes. -If set to the value \f[V]\[dq]inf\[dq]\f[R], any step will be allowed. +If set to the value \f[CR]\[dq]inf\[dq]\f[R], any step will be allowed. May either be configured as one number of seconds for both forward and backward steps, or separate values for forward and backward steps. .TP -\f[V]startup-step-panic-threshold\f[R] = \f[I]seconds\f[R] | { \f[V]forward\f[R] = \f[I]forward\f[R], \f[V]backward\f[R] = \f[I]backward\f[R] } (\f[B]{ forward = \[lq]inf\[rq], backward = \[lq]86400\[rq] }\f[R]) +\f[CR]startup\-step\-panic\-threshold\f[R] = \f[I]seconds\f[R] | { \f[CR]forward\f[R] = \f[I]forward\f[R], \f[CR]backward\f[R] = \f[I]backward\f[R] } (\f[B]{ forward = \[lq]inf\[rq], backward = \[lq]86400\[rq] }\f[R]) The threshold in seconds at which the daemon will completely exit (i.e. panic) when a step occurs at startup. The default allows any forward step, but prevents backward steps larger @@ -335,11 +316,11 @@ Generally computer clocks that are not synchronized will run behind the true time, instead of running ahead. If a computer is running ahead and steps back a large time this generally indicates a problem. -If set to the value \f[V]\[dq]inf\[dq]\f[R], any step will be allowed. +If set to the value \f[CR]\[dq]inf\[dq]\f[R], any step will be allowed. May either be configured as one number of seconds for both forward and backward steps, or separate values for forward and backward steps. .TP -\f[V]accumulated-step-panic-threshold\f[R] = \f[I]seconds\f[R] (\f[B]unset\f[R]) +\f[CR]accumulated\-step\-panic\-threshold\f[R] = \f[I]seconds\f[R] (\f[B]unset\f[R]) Every time the daemon steps the time instead of slowly adjusting the clock by using frequency changes, this counter is increased by the absolute value of the step (i.e.\ both forward and backward steps are @@ -349,134 +330,132 @@ When this threshold is reached, the daemon will exit immediately During normal operation steps are unlikely to occur, and as such, steps may indicate that someone or something is triggering illicit steps. By default however this panic mechanism is disabled. -Is disabled if left unset or if set to the value \f[V]0\f[R]. +Is disabled if left unset or if set to the value \f[CR]0\f[R]. .TP -\f[V]local-stratum\f[R] = \f[I]stratum\f[R] (\f[B]16\f[R]) +\f[CR]local\-stratum\f[R] = \f[I]stratum\f[R] (\f[B]16\f[R]) Sets the NTP clock stratum of the system clock when no NTP time sources have been configured, or when the time has not yet been synchronized from an NTP time source. Can be used in servers to indicate that there are external mechanisms synchronizing the clock. -.SS \f[V][synchronization.algorithm]\f[R] -.PP +.SS \f[CR][synchronization.algorithm]\f[R] Warning: the algorithm section contains mostly internal algorithm tweaks that generally do not need to be changed. However, they are offered here for specific use cases. These settings are considered implementation details however, and as -such may change in future ntpd-rs versions. +such may change in future ntpd\-rs versions. .TP -\f[V]precision-low-probability\f[R] = \f[I]probability\f[R] (\f[B]1/3\f[R]) +\f[CR]precision\-low\-probability\f[R] = \f[I]probability\f[R] (\f[B]1/3\f[R]) Probability bound below which we start moving towards decreasing our precision estimate. -Unit: probability, 0-1 +Unit: probability, 0\-1 .TP -\f[V]precision-high-probability\f[R] = \f[I]probability\f[R] (\f[B]2/3\f[R]) +\f[CR]precision\-high\-probability\f[R] = \f[I]probability\f[R] (\f[B]2/3\f[R]) Probability bound above which we start moving towards increasing our precision estimate. -Unit: probability, 0-1 +Unit: probability, 0\-1 .TP -\f[V]precision-hysteresis\f[R] = \f[I]hysteresis\f[R] (\f[B]16\f[R]) +\f[CR]precision\-hysteresis\f[R] = \f[I]hysteresis\f[R] (\f[B]16\f[R]) Amount of hysteresis in changing the precision estimate. Unit: count, 1+ .TP -\f[V]precision-minimum-weight\f[R] = \f[I]weight\f[R] (\f[B]0.1\f[R]) +\f[CR]precision\-minimum\-weight\f[R] = \f[I]weight\f[R] (\f[B]0.1\f[R]) Lower bound on the amount of effect our precision estimate has on the total noise estimate before we allow decreasing of the precision estimate. -Unit: weight, 0-1 +Unit: weight, 0\-1 .TP -\f[V]poll-interval-low-weight\f[R] = \f[I]weight\f[R] (\f[B]0.4\f[R]) +\f[CR]poll\-interval\-low\-weight\f[R] = \f[I]weight\f[R] (\f[B]0.4\f[R]) Amount which a measurement contributes to the state, below which we start increasing the poll interval. -Unit: weight, 0-1 +Unit: weight, 0\-1 .TP -\f[V]poll-interval-high-weight\f[R] = \f[I]weight\f[R] (\f[B]0.6\f[R]) +\f[CR]poll\-interval\-high\-weight\f[R] = \f[I]weight\f[R] (\f[B]0.6\f[R]) Amount which a measurement contributes to the state, above which we -start decreasing the poll-interval interval. -Unit: weight, 0-1 +start decreasing the poll\-interval interval. +Unit: weight, 0\-1 .TP -\f[V]poll-interval-hysteresis\f[R] = \f[I]hysteresis\f[R] (\f[B]16\f[R]) +\f[CR]poll\-interval\-hysteresis\f[R] = \f[I]hysteresis\f[R] (\f[B]16\f[R]) Amount of hysteresis in changing the poll interval. Unit: count, 1+ .TP -\f[V]poll-interval-step-threshold\f[R] = \f[I]threshold\f[R] (\f[B]1e-6\f[R]) +\f[CR]poll\-interval\-step\-threshold\f[R] = \f[I]threshold\f[R] (\f[B]1e\-6\f[R]) Probability threshold for when a measurement is considered a significant enough outlier that we decide something weird is going on and we need to do more measurements. -Unit: probability, 0-1 +Unit: probability, 0\-1 .TP -\f[V]delay-outlier-threshold\f[R] = \f[I]threshold\f[R] (\f[B]5.0\f[R]) +\f[CR]delay\-outlier\-threshold\f[R] = \f[I]threshold\f[R] (\f[B]5.0\f[R]) Threshold (in number of standard deviations) above which measurements with a significantly larger network delay are rejected. Unit: standard deviations, 0+ .TP -\f[V]initial-wander\f[R] = \f[I]wander\f[R] (\f[B]1e-8\f[R]) +\f[CR]initial\-wander\f[R] = \f[I]wander\f[R] (\f[B]1e\-8\f[R]) Initial estimate of the clock wander of the combination of our local clock and that of the source. Unit: s/s\[ha]2 .TP -\f[V]initial-frequency-uncertainty\f[R] = \f[I]uncertainty\f[R] (\f[B]100e-6\f[R]) +\f[CR]initial\-frequency\-uncertainty\f[R] = \f[I]uncertainty\f[R] (\f[B]100e\-6\f[R]) Initial uncertainty of the frequency difference between our clock and that of the source. Unit: s/s .TP -\f[V]maximum-source-uncertainty\f[R] = \f[I]uncertainty\f[R] (\f[B]0.25\f[R]) +\f[CR]maximum\-source\-uncertainty\f[R] = \f[I]uncertainty\f[R] (\f[B]0.25\f[R]) Maximum source uncertainty before we start disregarding it. Note that this is combined uncertainty due to noise and possible assymetry error (see also weights below). Unit: seconds .TP -\f[V]range-statistical-weight\f[R] = \f[I]weight\f[R] (\f[B]2.0\f[R]) +\f[CR]range\-statistical\-weight\f[R] = \f[I]weight\f[R] (\f[B]2.0\f[R]) Weight of statistical uncertainty when constructing overlap ranges. Unit: standard deviations, 0+ .TP -\f[V]range-delay-weight\f[R] = \f[I]weight\f[R] (\f[B]0.25\f[R]) +\f[CR]range\-delay\-weight\f[R] = \f[I]weight\f[R] (\f[B]0.25\f[R]) Weight of delay uncertainty when constructing overlap ranges. -Unit: weight, 0-1 +Unit: weight, 0\-1 .TP -\f[V]steer-offset-threshold\f[R] = \f[I]threshold\f[R] (\f[B]2.0\f[R]) +\f[CR]steer\-offset\-threshold\f[R] = \f[I]threshold\f[R] (\f[B]2.0\f[R]) How far from 0 (in multiples of the uncertainty) should the offset be before we correct. Unit: standard deviations, 0+ .TP -\f[V]steer-offset-leftover\f[R] = \f[I]stddev\f[R] (\f[B]1.0\f[R]) +\f[CR]steer\-offset\-leftover\f[R] = \f[I]stddev\f[R] (\f[B]1.0\f[R]) How many standard deviations do we leave after offset correction? Unit: standard deviations, 0+ .TP -\f[V]steer-frequency-threshold\f[R] = \f[I]threshold\f[R] (\f[B]0.0\f[R]) +\f[CR]steer\-frequency\-threshold\f[R] = \f[I]threshold\f[R] (\f[B]0.0\f[R]) How far from 0 (in multiples of the uncertainty) should the frequency estimate be before we correct. Unit: standard deviations, 0+ .TP -\f[V]steer-frequency-leftover\f[R] = \f[I]stddev\f[R] (\f[B]0.0\f[R]) +\f[CR]steer\-frequency\-leftover\f[R] = \f[I]stddev\f[R] (\f[B]0.0\f[R]) How many standard deviations do we leave after frequency correction? Unit: standard deviations, 0+ .TP -\f[V]step-threshold\f[R] = \f[I]threshold\f[R] (\f[B]0.010\f[R]) +\f[CR]step\-threshold\f[R] = \f[I]threshold\f[R] (\f[B]0.010\f[R]) From what offset should we step the clock instead of trying to adjust gradually? Unit: seconds, 0+ .TP -\f[V]slew-maximum-frequency-offset\f[R] = \f[I]offset\f[R] (\f[B]200e-6\f[R]) +\f[CR]slew\-maximum\-frequency\-offset\f[R] = \f[I]offset\f[R] (\f[B]200e\-6\f[R]) What is the maximum frequency offset during a slew. Unit: s/s .TP -\f[V]slew-minimum-duration\f[R] = \f[I]duration\f[R] (\f[B]495e-6\f[R]) +\f[CR]slew\-minimum\-duration\f[R] = \f[I]duration\f[R] (\f[B]495e\-6\f[R]) What is the minimum duration of a slew. Unit: seconds .TP -\f[V]maximum-frequency-steer\f[R] = \f[I]frequency\f[R] (\f[B]8.0\f[R]) +\f[CR]maximum\-frequency\-steer\f[R] = \f[I]frequency\f[R] (\f[B]8.0\f[R]) Absolute maximum frequency correction. Unit: s/s .TP -\f[V]ignore-server-dispersion\f[R] = \f[I]bool\f[R] (\f[B]false\f[R]) +\f[CR]ignore\-server\-dispersion\f[R] = \f[I]bool\f[R] (\f[B]false\f[R]) Ignore a servers advertised dispersion when synchronizing. Can improve synchronization quality with servers reporting overly conservative root dispersion. .TP -\f[V]meddling-threshold\f[R] = \f[I]threshold\f[R] (\f[B]5.0\f[R]) +\f[CR]meddling\-threshold\f[R] = \f[I]threshold\f[R] (\f[B]5.0\f[R]) Threshold for detecting external clock meddling. Unit: seconds .SH SEE ALSO -.PP -ntp-daemon(8), ntp-ctl(8), ntp-metrics-exporter(8) +ntp\-daemon(8), ntp\-ctl(8), ntp\-metrics\-exporter(8) diff --git a/ntp-proto/src/nts_record.rs b/ntp-proto/src/nts_record.rs index c7a406a33..58d29e850 100644 --- a/ntp-proto/src/nts_record.rs +++ b/ntp-proto/src/nts_record.rs @@ -2894,7 +2894,7 @@ mod test { let keyset = KeySetProvider::new(8).get(); let pool_cert: Vec = rustls_pemfile::certs( - &mut std::io::BufReader::new(include_bytes!("../../test-keys/end.pem") as &[u8]), + &mut std::io::BufReader::new(include_bytes!("../test-keys/end.pem") as &[u8]), ) .unwrap() .into_iter() diff --git a/ntp-proto/test-keys b/ntp-proto/test-keys deleted file mode 120000 index fcfe6b663..000000000 --- a/ntp-proto/test-keys +++ /dev/null @@ -1 +0,0 @@ -../test-keys \ No newline at end of file diff --git a/test-keys/ec_key.pem b/ntp-proto/test-keys/ec_key.pem similarity index 100% rename from test-keys/ec_key.pem rename to ntp-proto/test-keys/ec_key.pem diff --git a/test-keys/end.fullchain.pem b/ntp-proto/test-keys/end.fullchain.pem similarity index 100% rename from test-keys/end.fullchain.pem rename to ntp-proto/test-keys/end.fullchain.pem diff --git a/test-keys/end.key b/ntp-proto/test-keys/end.key similarity index 100% rename from test-keys/end.key rename to ntp-proto/test-keys/end.key diff --git a/test-keys/end.pem b/ntp-proto/test-keys/end.pem similarity index 100% rename from test-keys/end.pem rename to ntp-proto/test-keys/end.pem diff --git a/test-keys/gen-cert.sh b/ntp-proto/test-keys/gen-cert.sh similarity index 100% rename from test-keys/gen-cert.sh rename to ntp-proto/test-keys/gen-cert.sh diff --git a/test-keys/pkcs8_key.pem b/ntp-proto/test-keys/pkcs8_key.pem similarity index 100% rename from test-keys/pkcs8_key.pem rename to ntp-proto/test-keys/pkcs8_key.pem diff --git a/test-keys/rsa_key.pem b/ntp-proto/test-keys/rsa_key.pem similarity index 100% rename from test-keys/rsa_key.pem rename to ntp-proto/test-keys/rsa_key.pem diff --git a/test-keys/testca.key b/ntp-proto/test-keys/testca.key similarity index 100% rename from test-keys/testca.key rename to ntp-proto/test-keys/testca.key diff --git a/test-keys/testca.pem b/ntp-proto/test-keys/testca.pem similarity index 100% rename from test-keys/testca.pem rename to ntp-proto/test-keys/testca.pem diff --git a/test-keys/unsafe.nts.client.toml b/ntp-proto/test-keys/unsafe.nts.client.toml similarity index 88% rename from test-keys/unsafe.nts.client.toml rename to ntp-proto/test-keys/unsafe.nts.client.toml index 12cb70873..7e91fb59f 100644 --- a/test-keys/unsafe.nts.client.toml +++ b/ntp-proto/test-keys/unsafe.nts.client.toml @@ -7,7 +7,7 @@ observation-path = "/var/run/ntpd-rs/observe" [[source]] mode = "nts" address = "localhost:4460" -certificate-authority = "test-keys/testca.pem" +certificate-authority = "ntp-proto/test-keys/testca.pem" # System parameters used in filtering and steering the clock: [synchronization] diff --git a/test-keys/unsafe.nts.server.toml b/ntp-proto/test-keys/unsafe.nts.server.toml similarity index 85% rename from test-keys/unsafe.nts.server.toml rename to ntp-proto/test-keys/unsafe.nts.server.toml index 772370760..0bf6acbe8 100644 --- a/test-keys/unsafe.nts.server.toml +++ b/ntp-proto/test-keys/unsafe.nts.server.toml @@ -22,6 +22,6 @@ startup-step-panic-threshold = { forward = 0, backward = 86400 } # uses an unsecure certificate chain! [[nts-ke-server]] listen = "0.0.0.0:4460" -certificate-chain-path = "test-keys/end.fullchain.pem" -private-key-path = "test-keys/end.key" +certificate-chain-path = "ntp-proto/test-keys/end.fullchain.pem" +private-key-path = "ntp-proto/test-keys/end.key" key-exchange-timeout-ms = 1000 diff --git a/ntpd/src/daemon/config/server.rs b/ntpd/src/daemon/config/server.rs index 319cc695e..a1172f151 100644 --- a/ntpd/src/daemon/config/server.rs +++ b/ntpd/src/daemon/config/server.rs @@ -135,6 +135,8 @@ pub struct NtsKeConfig { pub authorized_pool_server_certificates: Vec, #[serde(default = "default_nts_ke_timeout")] pub key_exchange_timeout_ms: u64, + #[serde(default = "default_concurrent_connections")] + pub concurrent_connections: usize, pub listen: SocketAddr, pub ntp_port: Option, pub ntp_server: Option, @@ -144,6 +146,10 @@ fn default_nts_ke_timeout() -> u64 { 1000 } +fn default_concurrent_connections() -> usize { + 512 +} + #[cfg(test)] mod tests { use super::*; diff --git a/ntpd/src/daemon/keyexchange.rs b/ntpd/src/daemon/keyexchange.rs index f31576367..b1c00ea54 100644 --- a/ntpd/src/daemon/keyexchange.rs +++ b/ntpd/src/daemon/keyexchange.rs @@ -8,6 +8,7 @@ use std::{ task::{Context, Poll}, }; +use libc::{ECONNABORTED, EMFILE, ENFILE, ENOBUFS, ENOMEM}; use ntp_proto::{ KeyExchangeClient, KeyExchangeError, KeyExchangeResult, KeyExchangeServer, KeySet, }; @@ -17,6 +18,7 @@ use tokio::{ net::TcpListener, task::JoinHandle, }; +use tracing::{debug, error}; use super::config::NtsKeConfig; use super::exitcode; @@ -166,41 +168,86 @@ async fn key_exchange_server( pool_certs: Vec, private_key: PrivateKey, ) -> std::io::Result<()> { - let listener = TcpListener::bind(&ke_config.listen).await?; - let config = build_server_config(certificate_chain, private_key)?; let pool_certs = Arc::<[_]>::from(pool_certs); + let timeout = std::time::Duration::from_millis(ke_config.key_exchange_timeout_ms); loop { - let (stream, peer_addr) = listener.accept().await?; - let config = config.clone(); - let keyset = keyset.borrow().clone(); - let pool_certs = pool_certs.clone(); - let ntp_port = ke_config.ntp_port; - let ntp_server = ke_config.ntp_server.clone(); - let timeout_ms = ke_config.key_exchange_timeout_ms; - - let fut = async move { - BoundKeyExchangeServer::run( - stream, - config, - keyset, - ntp_port, - ntp_server.clone(), - pool_certs, - ) - .await - .map_err(|ke_error| std::io::Error::new(std::io::ErrorKind::Other, ke_error)) + let listener = match TcpListener::bind(&ke_config.listen).await { + Ok(listener) => listener, + Err(e) => { + error!("Could not open network port for KE server: {}", e); + tokio::time::sleep(timeout).await; + continue; + } }; - tokio::spawn(async move { - let timeout = std::time::Duration::from_millis(timeout_ms); - match tokio::time::timeout(timeout, fut).await { - Err(_) => tracing::debug!(?peer_addr, "NTS KE timed out"), - Ok(Err(err)) => tracing::debug!(?err, ?peer_addr, "NTS KE failed"), - Ok(Ok(())) => tracing::debug!(?peer_addr, "NTS KE completed"), - } - }); + // Ensure we do not make too many connections. We can reinitialize here because any error path recreating the socket + // waits at least ke_config.key_exchange_timeout_ms milliseconds, ensuring all pre-existing connections are or will very + // soon be gone. + let connectionpermits = Arc::new(tokio::sync::Semaphore::new( + ke_config.concurrent_connections, + )); + + loop { + let permit = match connectionpermits.clone().acquire_owned().await { + Ok(permit) => permit, + Err(e) => { + error!("Could not get ticket for new connection: {}", e); + tokio::time::sleep(timeout).await; + break; + } + }; + let (stream, peer_addr) = match listener.accept().await { + Ok(a) => a, + Err(e) if matches!(e.raw_os_error(), Some(ECONNABORTED)) => { + debug!("Potential client-triggered accept error in NTS-KE: {}", e); + continue; + } + Err(e) + if matches!( + e.raw_os_error(), + Some(ENFILE) | Some(EMFILE) | Some(ENOMEM) | Some(ENOBUFS) + ) => + { + error!("Out of resources in NTS-KE, consider raising limits or lowering max parallel connections: {}", e); + tokio::time::sleep(timeout).await; + continue; + } + Err(e) => { + error!("Could not accept NTS-KE connection: {}", e); + tokio::time::sleep(timeout).await; + break; + } + }; + let config = config.clone(); + let keyset = keyset.borrow().clone(); + let pool_certs = pool_certs.clone(); + let ntp_port = ke_config.ntp_port; + let ntp_server = ke_config.ntp_server.clone(); + + let fut = async move { + BoundKeyExchangeServer::run( + stream, + config, + keyset, + ntp_port, + ntp_server.clone(), + pool_certs, + ) + .await + .map_err(|ke_error| std::io::Error::new(std::io::ErrorKind::Other, ke_error)) + }; + + tokio::spawn(async move { + match tokio::time::timeout(timeout, fut).await { + Err(_) => tracing::debug!(?peer_addr, "NTS KE timed out"), + Ok(Err(err)) => tracing::debug!(?err, ?peer_addr, "NTS KE failed"), + Ok(Ok(())) => tracing::debug!(?peer_addr, "NTS KE completed"), + } + drop(permit); + }); + } } } @@ -622,6 +669,7 @@ mod tests { #[cfg(feature = "unstable_nts-pool")] authorized_pool_server_certificates: pool_certs.iter().map(PathBuf::from).collect(), key_exchange_timeout_ms: 1000, + concurrent_connections: 512, listen: "0.0.0.0:5431".parse().unwrap(), ntp_port: None, ntp_server: None, @@ -645,6 +693,74 @@ mod tests { assert_eq!(result.port, 123); } + #[tokio::test] + async fn key_exchange_connection_limiter() { + let provider = KeySetProvider::new(1); + let keyset = provider.get(); + #[cfg(feature = "unstable_nts-pool")] + let pool_certs = ["testdata/certificates/nos-nl.pem"]; + + let (_sender, keyset) = tokio::sync::watch::channel(keyset); + let nts_ke_config = NtsKeConfig { + certificate_chain_path: PathBuf::from("test-keys/end.fullchain.pem"), + private_key_path: PathBuf::from("test-keys/end.key"), + #[cfg(feature = "unstable_nts-pool")] + authorized_pool_server_certificates: pool_certs.iter().map(PathBuf::from).collect(), + key_exchange_timeout_ms: 10000, + concurrent_connections: 1, + listen: "0.0.0.0:5435".parse().unwrap(), + ntp_port: None, + ntp_server: None, + }; + + let _join_handle = spawn(nts_ke_config, keyset); + + // give the server some time to make the port available + tokio::time::sleep(std::time::Duration::from_millis(20)).await; + + let mut blocker = tokio::net::TcpStream::connect("localhost:5435") + .await + .unwrap(); + + // Ensure connection, just send a random client hello + blocker.write_all(b"\x16\x03\x01\x00\xf5\x01\x00\x00\xf1\x03\x03\xfc\x86\xea\x41\x80\x21\xec\x3e\x14\x5f\xf9\x4c\xa0\xcd\x8a\x1a\x66\x65\x41\xe5\x95\xd6\x8e\xb4\x65\x3b\x62\x49\x8d\xe1\xe0\xd8\x20\xe9\xa8\x94\xdb\xbf\x99\xfd\xc9\x3d\xd7\xcf\x7a\xc6\x7c\x03\xee\xb3\xcf\x17\x0b\x57\x69\xb6\x51\x48\xb1\xc6\x3e\xcb\x2d\x54\x2c\x00\x14\x13\x02\x13\x01\x13\x03\xc0\x2c\xc0\x2b\xcc\xa9\xc0\x30\xc0\x2f\xcc\xa8\x00\xff\x01\x00\x00\x94\x00\x33\x00\x26\x00\x24\x00\x1d\x00\x20\x4e\xcb\x36\xd3\xff\xc7\x64\x3e\xd8\x25\xf2\x1a\x20\x42\xc7\xa0\x29\x89\x8d\x00\x82\x0c\x9f\xff\xdf\xa6\xa0\xdc\xcf\xa7\xb8\x2b\x00\x0d\x00\x14\x00\x12\x05\x03\x04\x03\x08\x07\x08\x06\x08\x05\x08\x04\x06\x01\x05\x01\x04\x01\x00\x2b\x00\x05\x04\x03\x04\x03\x03\x00\x23\x00\x00\x00\x05\x00\x05\x01\x00\x00\x00\x00\x00\x17\x00\x00\x00\x10\x00\x0a\x00\x08\x07\x6e\x74\x73\x6b\x65\x2f\x31\x00\x00\x00\x0e\x00\x0c\x00\x00\x09\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x00\x2d\x00\x02\x01\x01\x00\x0a\x00\x08\x00\x06\x00\x1d\x00\x17\x00\x18\x00\x0b\x00\x02\x01\x00").await.unwrap(); + blocker.flush().await.unwrap(); + + // give the server time to accept the connection + tokio::time::sleep(std::time::Duration::from_millis(20)).await; + + let ca = include_bytes!("../../test-keys/testca.pem"); + + assert!(tokio::time::timeout( + std::time::Duration::from_millis(100), + key_exchange_client( + "localhost".to_string(), + 5435, + &certificates_from_bufread(BufReader::new(Cursor::new(ca))).unwrap(), + ) + ) + .await + .is_err()); + + blocker.shutdown().await.unwrap(); + drop(blocker); + + let result = tokio::time::timeout( + std::time::Duration::from_millis(100), + key_exchange_client( + "localhost".to_string(), + 5435, + &certificates_from_bufread(BufReader::new(Cursor::new(ca))).unwrap(), + ), + ) + .await + .unwrap() + .unwrap(); + + assert_eq!(result.remote, "localhost"); + assert_eq!(result.port, 123); + } + #[tokio::test] async fn key_exchange_roundtrip_with_port_server() { let provider = KeySetProvider::new(1); @@ -659,6 +775,7 @@ mod tests { #[cfg(feature = "unstable_nts-pool")] authorized_pool_server_certificates: pool_certs.iter().map(PathBuf::from).collect(), key_exchange_timeout_ms: 1000, + concurrent_connections: 512, listen: "0.0.0.0:5432".parse().unwrap(), ntp_port: Some(568), ntp_server: Some("jantje".into()), @@ -693,10 +810,11 @@ mod tests { let (_sender, keyset) = tokio::sync::watch::channel(keyset); let nts_ke_config = NtsKeConfig { - certificate_chain_path: PathBuf::from("../test-keys/end.fullchain.pem"), - private_key_path: PathBuf::from("../test-keys/end.key"), + certificate_chain_path: PathBuf::from("test-keys/end.fullchain.pem"), + private_key_path: PathBuf::from("test-keys/end.key"), authorized_pool_server_certificates: certs.iter().map(PathBuf::from).collect(), key_exchange_timeout_ms: 1000, + concurrent_connections: 512, listen: "0.0.0.0:5433".parse().unwrap(), ntp_port: None, ntp_server: None, diff --git a/ntpd/test-keys b/ntpd/test-keys index fcfe6b663..46898880c 120000 --- a/ntpd/test-keys +++ b/ntpd/test-keys @@ -1 +1 @@ -../test-keys \ No newline at end of file +../ntp-proto/test-keys \ No newline at end of file