Release 1.1.3

.github/workflows/checks.yaml

@@ -130,10 +130,10 @@ jobs:
         run: cargo run --bin ntp-ctl -- -c ./ntp.toml validate
       - name: ./ntp.server.toml
         run: cargo run --bin ntp-ctl -- -c ./ntp.server.toml validate
-      - name: ./test-keys/unsafe.nts.client.toml
-        run: cargo run --bin ntp-ctl -- -c ./test-keys/unsafe.nts.client.toml validate
-      - name: ./test-keys/unsafe.nts.server.toml
-        run: cargo run --bin ntp-ctl -- -c ./test-keys/unsafe.nts.server.toml validate
+      - name: ./ntp-proto/test-keys/unsafe.nts.client.toml
+        run: cargo run --bin ntp-ctl -- -c ./ntp-proto/test-keys/unsafe.nts.client.toml validate
+      - name: ./ntp-proto/test-keys/unsafe.nts.server.toml
+        run: cargo run --bin ntp-ctl -- -c ./ntp-proto/test-keys/unsafe.nts.server.toml validate
       - name: ./config/ntp.demobilize.toml
         run: cargo run --bin ntp-ctl -- -c ./config/ntp.demobilize.toml validate
       - name: ./pkg/common/ntp.toml.default

CHANGELOG.md

@@ -1,5 +1,15 @@
 # Changelog
 
+## [1.1.3] - 2024-06-28
+
+### Fixed
+- Unlimited number of NTS-KE connections could crash ntpd-rs server (CVE-2024-38528)
+
+## [1.1.2] - 2024-02-01
+
+### Fixed
+- Fixed tests in ntp-proto to also work outside the repository.
+
 ## [1.1.1] - 2024-01-24
 
 ### Added
@@ -183,6 +193,8 @@ process.
 - Fixed a bug in peer dispersion calculation which resulted in overly
   pessimistic dispersion estimates.
 
+[1.1.3]: https://github.com/pendulum-project/ntpd-rs/compare/v1.1.2...v1.1.3
+[1.1.2]: https://github.com/pendulum-project/ntpd-rs/compare/v1.1.1...v1.1.2
 [1.1.1]: https://github.com/pendulum-project/ntpd-rs/compare/v1.1.0...v1.1.1
 [1.1.0]: https://github.com/pendulum-project/ntpd-rs/compare/v1.0.0...v1.1.0
 [1.0.0]: https://github.com/pendulum-project/ntpd-rs/compare/v0.3.7...v1.0.0

Cargo.toml

@@ -1,4 +1,4 @@
 [workspace]
 members = [
     "ntp-proto",
     "ntp-os-clock",
@@ -14,7 +14,7 @@
 
 # Global settings for our crates
 [workspace.package]
-version = "1.1.1"
+version = "1.1.3"
 edition = "2021"
 license = "Apache-2.0 OR MIT"
 repository = "https://github.com/pendulum-project/ntpd-rs"
@@ -61,6 +61,6 @@
 
 # our own crates used as dependencies, same version as the workspace version
 # NOTE: keep this part at the bottom of the file, do not change this line
-ntp-os-clock = { version = "1.1.1", path = "./ntp-os-clock" }
-ntp-proto = { version = "1.1.1", path = "./ntp-proto", features = ["__internal-api"] }
-ntp-udp = { version = "1.1.1", path = "./ntp-udp" }
+ntp-os-clock = { version = "1.1.3", path = "./ntp-os-clock" }
+ntp-proto = { version = "1.1.3", path = "./ntp-proto", features = ["__internal-api"] }
+ntp-udp = { version = "1.1.3", path = "./ntp-udp" }

docs/man/ntp-ctl.8.md

@@ -1,5 +1,5 @@
 <!-- ---
-title: NTP-CTL(8) ntpd-rs 1.1.1 | ntpd-rs
+title: NTP-CTL(8) ntpd-rs 1.1.3 | ntpd-rs
 --- -->
 
 # NAME

docs/man/ntp-daemon.8.md

@@ -1,5 +1,5 @@
 <!-- ---
-title: NTP-DAEMON(8) ntpd-rs 1.1.1 | ntpd-rs
+title: NTP-DAEMON(8) ntpd-rs 1.1.3 | ntpd-rs
 --- -->
 
 # NAME

docs/man/ntp-metrics-exporter.8.md

@@ -1,5 +1,5 @@
 <!-- ---
-title: NTP-METRICS-EXPORTER(8) ntpd-rs 1.1.1 | ntpd-rs
+title: NTP-METRICS-EXPORTER(8) ntpd-rs 1.1.3 | ntpd-rs
 --- -->
 
 # NAME

docs/man/ntp.toml.5.md

@@ -1,5 +1,5 @@
 <!-- ---
-title: NTP.TOML(5) ntpd-rs 1.1.1 | ntpd-rs
+title: NTP.TOML(5) ntpd-rs 1.1.3 | ntpd-rs
 --- -->
 
 # NAME
@@ -234,6 +234,10 @@ untampered with.
 :   Timeout in milliseconds for how long a key exchange may take. If the timeout
     is exceeded the connection will be dropped.
 
+`concurrent-connections` = *number* (**512**)
+:   Maximum number of concurrent connections the key exchange server will handle.
+    Any connections above the threshold will be held in an OS level queue.
+
 `ntp-port` = *port*
     Port number the key exchange server should instruct clients to use. Should
     be used when the port number of the NTP server is not the default.

docs/precompiled/man/ntp-ctl.8

@@ -1,74 +1,56 @@
-.\" Automatically generated by Pandoc 3.1.1
+.\" Automatically generated by Pandoc 3.1.13
 .\"
-.\" Define V font for inline verbatim, using C font in formats
-.\" that render this, and otherwise B font.
-.ie "\f[CB]x\f[]"x" \{\
-. ftr V B
-. ftr VI BI
-. ftr VB B
-. ftr VBI BI
-.\}
-.el \{\
-. ftr V CR
-. ftr VI CI
-. ftr VB CB
-. ftr VBI CBI
-.\}
-.TH "NTP-CTL" "8" "" "ntpd-rs 1.1.1" "ntpd-rs"
-.hy
+.TH "NTP\-CTL" "8" "" "ntpd\-rs 1.1.3" "ntpd\-rs"
 .SH NAME
-.PP
-\f[V]ntp-ctl\f[R] - management client for the ntpd-rs ntp-daemon process
+\f[CR]ntp\-ctl\f[R] \- management client for the ntpd\-rs ntp\-daemon
+process
 .SH SYNOPSIS
-.PP
-\f[V]ntp-ctl\f[R] validate [\f[V]-c\f[R] \f[I]path\f[R]]
+\f[CR]ntp\-ctl\f[R] validate [\f[CR]\-c\f[R] \f[I]path\f[R]]
 .PD 0
 .P
 .PD
-\f[V]ntp-ctl\f[R] status [\f[V]-f\f[R] \f[I]format\f[R]] [\f[V]-c\f[R]
-\f[I]path\f[R]]
+\f[CR]ntp\-ctl\f[R] status [\f[CR]\-f\f[R] \f[I]format\f[R]]
+[\f[CR]\-c\f[R] \f[I]path\f[R]]
 .PD 0
 .P
 .PD
-\f[V]ntp-ctl\f[R] \f[V]-h\f[R]
+\f[CR]ntp\-ctl\f[R] \f[CR]\-h\f[R]
 .PD 0
 .P
 .PD
-\f[V]ntp-ctl\f[R] \f[V]-v\f[R]
+\f[CR]ntp\-ctl\f[R] \f[CR]\-v\f[R]
 .SH DESCRIPTION
-.PP
-The \f[V]ntp-ctl\f[R] management client allows management of some
-aspects of the ntpd-rs daemon.
+The \f[CR]ntp\-ctl\f[R] management client allows management of some
+aspects of the ntpd\-rs daemon.
 Currently the management client only allows displaying the current
 status of the daemon and validating a configuration file for usage with
 the daemon.
 .SH OPTIONS
 .TP
-\f[V]-c\f[R] \f[I]path\f[R], \f[V]--config\f[R]=\f[I]path\f[R]
+\f[CR]\-c\f[R] \f[I]path\f[R], \f[CR]\-\-config\f[R]=\f[I]path\f[R]
 Path to the configuration file from which the observation socket address
 will be retrieved.
-If not specified this defaults to \f[V]/etc/ntpd-rs/ntp.toml\f[R].
+If not specified this defaults to \f[CR]/etc/ntpd\-rs/ntp.toml\f[R].
 .TP
-\f[V]-f\f[R] \f[I]format\f[R], \f[V]--format\f[R]=\f[I]format\f[R]
+\f[CR]\-f\f[R] \f[I]format\f[R], \f[CR]\-\-format\f[R]=\f[I]format\f[R]
 The output format for the status command.
 If not specified this defaults to \f[I]plain\f[R].
 Alternatively the format \f[I]prometheus\f[R] is available to display
 the output in an OpenMetrics/Prometheus compatible format.
 .TP
-\f[V]-h\f[R], \f[V]--help\f[R]
+\f[CR]\-h\f[R], \f[CR]\-\-help\f[R]
 Display usage instructions.
 .TP
-\f[V]-v\f[R], \f[V]--version\f[R]
+\f[CR]\-v\f[R], \f[CR]\-\-version\f[R]
 Display version information.
 .SH COMMANDS
 .TP
-\f[V]validate\f[R]
+\f[CR]validate\f[R]
 Checks if the configuration specified (or
-\f[V]/etc/ntpd-rs/ntp.toml\f[R] by default) is valid.
+\f[CR]/etc/ntpd\-rs/ntp.toml\f[R] by default) is valid.
 .TP
-\f[V]status\f[R]
-Returns status information about the current state of the ntp-daemon
+\f[CR]status\f[R]
+Returns status information about the current state of the ntp\-daemon
 that the client connects to.
 .SH SEE ALSO
-.PP
-ntp-daemon(8), ntp-metrics-exporter(8), ntp.toml(5)
+ntp\-daemon(8), ntp\-metrics\-exporter(8), ntp.toml(5)

docs/precompiled/man/ntp-daemon.8

@@ -1,68 +1,49 @@
-.\" Automatically generated by Pandoc 3.1.1
+.\" Automatically generated by Pandoc 3.1.13
 .\"
-.\" Define V font for inline verbatim, using C font in formats
-.\" that render this, and otherwise B font.
-.ie "\f[CB]x\f[]"x" \{\
-. ftr V B
-. ftr VI BI
-. ftr VB B
-. ftr VBI BI
-.\}
-.el \{\
-. ftr V CR
-. ftr VI CI
-. ftr VB CB
-. ftr VBI CBI
-.\}
-.TH "NTP-DAEMON" "8" "" "ntpd-rs 1.1.1" "ntpd-rs"
-.hy
+.TH "NTP\-DAEMON" "8" "" "ntpd\-rs 1.1.3" "ntpd\-rs"
 .SH NAME
-.PP
-\f[V]ntp-daemon\f[R] - ntpd-rs Network Time Protocol service daemon
+\f[CR]ntp\-daemon\f[R] \- ntpd\-rs Network Time Protocol service daemon
 .SH SYNOPSIS
-.PP
-\f[V]ntp-daemon\f[R] [\f[V]-c\f[R] \f[I]path\f[R]] [\f[V]-l\f[R]
+\f[CR]ntp\-daemon\f[R] [\f[CR]\-c\f[R] \f[I]path\f[R]] [\f[CR]\-l\f[R]
 \f[I]loglevel\f[R]]
 .PD 0
 .P
 .PD
-\f[V]ntp-daemon\f[R] \f[V]-h\f[R]
+\f[CR]ntp\-daemon\f[R] \f[CR]\-h\f[R]
 .PD 0
 .P
 .PD
-\f[V]ntp-daemon\f[R] \f[V]-v\f[R]
+\f[CR]ntp\-daemon\f[R] \f[CR]\-v\f[R]
 .SH DESCRIPTION
-.PP
-\f[V]ntp-daemon\f[R] is the Network Time Protocol (NTP) service daemon
-for ntpd-rs, an NTP implementation with a focus on security and
+\f[CR]ntp\-daemon\f[R] is the Network Time Protocol (NTP) service daemon
+for ntpd\-rs, an NTP implementation with a focus on security and
 stability.
-The \f[V]ntp-deamon\f[R] can be configured as both an NTP client and an
-NTP server.
+The \f[CR]ntp\-deamon\f[R] can be configured as both an NTP client and
+an NTP server.
 The daemon also works with the Network Time Security (NTS) protocol.
 Details of the configuration of the daemon and implementation details
-can be found in ntp.toml(5), where several concepts of the ntp-daemon
+can be found in ntp.toml(5), where several concepts of the ntp\-daemon
 are also explained.
 .SH OPTIONS
 .TP
-\f[V]-c\f[R] \f[I]path\f[R], \f[V]--config\f[R]=\f[I]path\f[R]
-The configuration file path for the ntp-daemon where settings for the
-configuration of ntpd-rs are stored.
+\f[CR]\-c\f[R] \f[I]path\f[R], \f[CR]\-\-config\f[R]=\f[I]path\f[R]
+The configuration file path for the ntp\-daemon where settings for the
+configuration of ntpd\-rs are stored.
 If not specified the default configuration file is
-\f[V]/etc/ntpd-rs/ntp.toml\f[R].
+\f[CR]/etc/ntpd\-rs/ntp.toml\f[R].
 .TP
-\f[V]-h\f[R], \f[V]--help\f[R]
+\f[CR]\-h\f[R], \f[CR]\-\-help\f[R]
 Display usage instructions.
 .TP
-\f[V]-l\f[R] \f[I]loglevel\f[R], \f[V]--log-level\f[R]=\f[I]loglevel\f[R]
+\f[CR]\-l\f[R] \f[I]loglevel\f[R], \f[CR]\-\-log\-level\f[R]=\f[I]loglevel\f[R]
 Change which log messages are logged to stdout.
 Available log levels are \f[I]trace\f[R], \f[I]debug\f[R],
 \f[I]info\f[R], \f[I]warn\f[R] and \f[I]error\f[R] (from lower to higher
 priority).
 Only messages with the given priority and higher will be displayed.
 The default log level is \f[I]info\f[R].
 .TP
-\f[V]-v\f[R], \f[V]--version\f[R]
+\f[CR]\-v\f[R], \f[CR]\-\-version\f[R]
 Display version information.
 .SH SEE ALSO
-.PP
-ntp-ctl(8), ntp-metrics-exporter(8), ntp.toml(5)
+ntp\-ctl(8), ntp\-metrics\-exporter(8), ntp.toml(5)

docs/precompiled/man/ntp-metrics-exporter.8

@@ -1,52 +1,33 @@
-.\" Automatically generated by Pandoc 3.1.1
+.\" Automatically generated by Pandoc 3.1.13
 .\"
-.\" Define V font for inline verbatim, using C font in formats
-.\" that render this, and otherwise B font.
-.ie "\f[CB]x\f[]"x" \{\
-. ftr V B
-. ftr VI BI
-. ftr VB B
-. ftr VBI BI
-.\}
-.el \{\
-. ftr V CR
-. ftr VI CI
-. ftr VB CB
-. ftr VBI CBI
-.\}
-.TH "NTP-METRICS-EXPORTER" "8" "" "ntpd-rs 1.1.1" "ntpd-rs"
-.hy
+.TH "NTP\-METRICS\-EXPORTER" "8" "" "ntpd\-rs 1.1.3" "ntpd\-rs"
 .SH NAME
-.PP
-\f[V]ntp-metrics-exporter\f[R] - Prometheus/OpenMetrics exporter for the
-ntpd-rs daemon
+\f[CR]ntp\-metrics\-exporter\f[R] \- Prometheus/OpenMetrics exporter for
+the ntpd\-rs daemon
 .SH SYNOPSIS
-.PP
-\f[V]ntp-metrics-exporter\f[R] [\f[V]-c\f[R] \f[I]path\f[R]]
+\f[CR]ntp\-metrics\-exporter\f[R] [\f[CR]\-c\f[R] \f[I]path\f[R]]
 .PD 0
 .P
 .PD
-\f[V]ntp-metrics-exporter\f[R] \f[V]-h\f[R]
+\f[CR]ntp\-metrics\-exporter\f[R] \f[CR]\-h\f[R]
 .PD 0
 .P
 .PD
-\f[V]ntp-metrics-exporter\f[R] \f[V]-v\f[R]
+\f[CR]ntp\-metrics\-exporter\f[R] \f[CR]\-v\f[R]
 .SH DESCRIPTION
-.PP
-Exports the status metrics from the ntpd-rs daemon as
+Exports the status metrics from the ntpd\-rs daemon as
 Prometheus/OpenMetrics via an HTTP socket.
 .SH OPTIONS
 .TP
-\f[V]-c\f[R] \f[I]path\f[R], \f[V]--config\f[R]=\f[I]path\f[R]
+\f[CR]\-c\f[R] \f[I]path\f[R], \f[CR]\-\-config\f[R]=\f[I]path\f[R]
 Path to the configuration file where the observation socket path for
-connecting with the ntp-daemon is specified.
-This defaults to \f[V]/etc/ntpd-rs/ntp.toml\f[R] if not specified.
+connecting with the ntp\-daemon is specified.
+This defaults to \f[CR]/etc/ntpd\-rs/ntp.toml\f[R] if not specified.
 .TP
-\f[V]-h\f[R], \f[V]--help\f[R]
+\f[CR]\-h\f[R], \f[CR]\-\-help\f[R]
 Display usage instructions.
 .TP
-\f[V]-v\f[R], \f[V]--version\f[R]
+\f[CR]\-v\f[R], \f[CR]\-\-version\f[R]
 Display version information.
 .SH SEE ALSO
-.PP
-ntp-daemon(8), ntp-ctl(8), ntp.toml(5)
+ntp\-daemon(8), ntp\-ctl(8), ntp.toml(5)