This is an automated email from git. It was generated because a ref change was pushed to the "chrony/chrony.git" repository.
The branch, master has been updated
      from  a24d2713cd5ddcdfec600808e1ab3efeff17bb0d (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit c3e34b81452c9b5340886b0f91a67cf3f6ff727c
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Feb 4 14:34:47 2020 +0100

    doc: update installation document

commit 7bf3ec4aebbd7bac616d1f0d88bf76c776d5b7ff
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Jun 19 12:44:20 2019 +0200

    doc: describe NTS directives and options

commit 50204a125b33baed90153b0697245e3eef3a5c6c
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Feb 26 14:14:49 2020 +0100

    test: add nts unit tests

commit 111d170542e5044d4cb70f972c2edc4b469fd961
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Jan 9 12:25:20 2020 +0100

    test: update compilation tests

commit d6dd6f0bc959d71d0d06a4813bb7cc42217ac530
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Sep 12 16:42:53 2019 +0200

    test: add 139-nts test

commit 44aac84feb8c491412d18b708e2ccfe55a15d3ee
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Mar 7 11:52:16 2019 +0100

    cmdmon: add NTS support

    Allow the nts and ntsport options to be specified
    for sources added from chronyc. This is an incompatible change in the
    request, but there was no release using the new REQ_ADD_SOURCE command
    yet.

commit c41508723fcb67d281ec1693ea97fc225219b752
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Feb 4 15:27:24 2020 +0100

    ntp: enable NTS support

    Add an option to enable NTS for an NTP source. Check for NTS-specific
    extension fields and pass the packets to the NTS-NTP code in order to
    enable the NTS client and server.

commit 6043632f80679029a158a8eecfe1b3eb8aa9116f
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Feb 4 15:15:03 2020 +0100

    nts: add NTS-NTP server and client

    Add support for the NTS NTP extension fields.

commit a420ed57a10f7abebae4ac76c01ccde4ad893cf9
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Feb 4 15:10:14 2020 +0100

    nts: add NTS-KE server and client

    Add a client and server implementing the Network Time Security (NTS)
    Key Establishment. Use the GnuTLS library for TLS.

commit 72f99033fead955dd9e647c72dd3b814c0f643ce
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Aug 21 17:51:23 2019 +0200

    test: add siv unit test

commit 2d798bc4cfe2a19e73be998f57cec4ceb4354c4b
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Aug 21 14:09:37 2019 +0200

    siv: add internal implementation based on Nettle

    This adds an internal implementation of the AES-SIV-CMAC-256 cipher
    based on GNU Nettle and the following patch (which was later reworked
    and included in Nettle):

    https://gitlab.com/gnutls/gnutls/uploads/1ab02c51e317264f9dba07ddfbc01d9a/0001-Added-support-for-AES_SIV_CMAC_256-and-AES_SIV_CMAC_.patch

    This implementation will be dropped when the cipher is widely supported
    by gnutls or Nettle.

commit 881d07fa0a24e34445ee902037757704bbee0f11
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Aug 21 14:02:49 2019 +0200

    siv: add support for Nettle

commit c5306bed39da59a7d6f1e752268e048a1cf7f230
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Aug 19 17:33:54 2019 +0200

    siv: introduce API for SIV

    Add a header file for Synthetic Initialization Vector (SIV) cipher
    mode, which will be used by NTS.

commit 934b8712a57e324581a15ddb4f6c84cd67a5673e
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 10 11:57:17 2020 +0100

    sys_linux: allow getuid() in seccomp filter

    This will be needed by gnutls when loading certificates.

commit 1d4690eb64e1cf1a4bd85f2b3d917aa9cdebddc3
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Nov 26 14:16:47 2019 +0100

    sys_linux: add syscall filter context for NTS-KE

    The NTS-KE helper process will use a more restrictive filter than the
    main process.

commit e6848b1e3f310b1f52bd3ee4e6fec44a5dadea02
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Nov 26 14:10:24 2019 +0100

    sys: specify context for syscall filter

    Specify a context to enable different processes using different (more
    restrictive) syscall filters.

commit 3e537416a959747d31c919c63499528d4cb2f27a
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Feb 4 18:03:30 2020 +0100

    sched: remove slew handler in finalization

    This allows repeated calls of SCH_Initialise() and SCH_Finalise().

commit 26a1ed8bc349953814ec2df1ee27dcd4106bec72
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Nov 20 12:39:32 2019 +0100

    sched: add function to remove all timers and descriptors

    This allows a helper process to be started in an *_Initialise() call
    and use the scheduler (unlike the privops helper, which has its own
    loop).

commit 24538fe3e99b480f444e683f8685172326a77674
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Nov 11 19:02:30 2019 +0100

    nameserv: allow concurrent asynchronous requests

    Allow multiple resolving threads to be running at the same time in
    order to support multiple callers, but use a mutex to avoid sending
    multiple requests to the privops helper. This will be needed for the
    NTS-KE server negotiation.

commit e43d699973eb3207f1f7948d5d8cbb71106a7ec1
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Oct 31 12:52:18 2019 +0100

    util: add functions for printing and parsing hexadecimal data

commit 1e727c4497dd028e4ea4f32fc3298e4bd580c68a
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Nov 12 18:04:48 2019 +0100

    sources: don't reset active status

    Avoid resetting the active status when an NTP source changes its
    address in NCR_ChangeRemoteAddress(). This will allow an NTP source to
    update its address with NTS-KE hostname negotiation and continue in a
    special reference mode (e.g. -q/-Q option).

commit 83010590af1e3a4e317d14747e5f643879701e45
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Nov 7 15:52:34 2019 +0100

    ntp: move definition of invalid stratum to ntp.h

commit fa402a173af53ba59a87959f4927bac406785626
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Mar 13 17:32:40 2019 +0100

    ntp: pass server name to ntp_core instances

    The server name will be needed for certificate verification in NTS-KE.

commit ca83d2a804bb65abed667ff080a175447d9aadf4
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Mar 5 10:43:43 2020 +0100

    test: add ntp_ext unit test

commit 725beb360a4ea9e40655a182958f723f10445080
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 3 18:28:00 2020 +0100

    ntp: add functions for adding extension fields

commit 86d29221f39c0b47b21fbfae9c800b7e661c4f88
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Tue Feb 4 11:50:29 2020 +0100

    ntp: add function to change authentication-specific address

    When an NTS source will be replaced, the authentication-specific
    address of the NTS-KE server will need to be changed too.

commit e8062b7ff1e8b0578b914e7ad982e7f310452786
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Sat Mar 23 15:49:06 2019 +0100

    ntp: add function to update source NTP address

    This will allow a source to have its address changed due to NTS-KE
    server negotiation, which allows the NTS-KE server to have a different
    address than the NTP server.

commit 9468fd4aa680a1c44a58b0bd5b0977b2b0ec2608
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Feb 13 13:27:23 2020 +0100

    ntp: allow changing port of source

    Modify the replace_source() function to not require a different IP
    address when replacing a source with the same address but different
    port. This will enable the NTS-KE port negotiation.

commit 5ed9b888ff2e9d3718971c9ec1e474d4bcde194f
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 3 16:04:08 2020 +0100

    ntp: don't accept packets with unexpected authentication

    If authentication is not enabled in configuration, responses are not
    expected to be authenticated. Handle such responses as having failed
    authentication. A case where this could happen is a misconfigured
    symmetric association where only one peer has specified the other with
    a key. Before this change synchronization would work in one direction
    and used packets with an asymmetric length.

commit 7661a6e95b7292c3ab12246920c389d740684c91
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 3 14:03:57 2020 +0100

    ntp: don't allow long MACs in NTPv4 packets with extension fields

    MAC longer than 24 octets in NTPv4 packet is supported only for
    compatibility with some pre-RFC7822 chrony versions. They didn't use
    any extension fields.

commit aca1daf7c91be61a56f27090e07bb7640321d8b5
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Nov 7 14:57:52 2019 +0100

    ntp: add support for sending KoD responses

    Enable the server to respond with a KoD when authentication fails.
    This will be used by NTS to respond with a NAK when a client has
    expired cookies.

commit 46cac4e22f3a32f1f7efba34afd6801cdfd22b70
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Aug 15 11:23:44 2019 +0200

    ntp: prefix NTP_AuthMode enums

commit 56a102ed4d45ee5652193716ee6f7210e70da742
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Aug 15 11:20:36 2019 +0200

    ntp: move auth parsing to ntp_auth

    Move the remaining authentication-specific code to the new file.

commit ca28dbd2c3897ddc808d068becfe3261f8ad4d2b
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Aug 14 18:23:45 2019 +0200

    ntp: refactor authentication

    Move most of the authentication-specific code to a new file and
    introduce authenticator instances in order to support other
    authentication mechanisms (e.g. NTS).

commit 588785e160fbee7b04df5df8b7bd17f679fdcad8
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Aug 14 15:53:17 2019 +0200

    ntp: rework packet parsing

    Rework the code to detect the authentication mode and count extension
    fields in the first parsing of the packet and store this information
    in the new packet info structure.

commit cabcccd6c39c54ddfccc17a6ffa52f48bcf4ff17
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 18 13:12:49 2019 +0100

    ntp: add functions for parsing extension fields

commit 567e66a0bb929e2e48aeb4d1ba9a6f824e295379
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Aug 19 13:55:12 2019 +0200

    ntp: count packets with invalid format

    Include packets that cannot be parsed in the total RX count.

commit b8ee6d6e56395d795ee5366f1c3366b53d619efb
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Apr 15 12:48:41 2019 +0200

    ntp: don't send response longer than request

    When sending a response in the server or passive mode, make sure the
    response is not longer than the request to prevent amplification
    attacks when responses may contain extension fields (e.g. NTS).

commit 9ea1e4e40f9b8c21b554f6c39d73034812407546
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Aug 8 15:41:09 2019 +0200

    ntp: provide access to request in transmit_packet()

    This will allow new authentication code (e.g. NTS) to get data from
    the request when generating a response.

commit 2d492eacb551f841ca837d86c8d41fcb5760c563
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Aug 15 16:30:50 2019 +0200

    ntp: rename receive_packet() to process_response()

commit cb8660e79a0b2e110ce81dab21346bcfe17a921a
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Aug 14 14:10:28 2019 +0200

    ntp: add structure with packet info

    Add a structure for length and other information about received and
    transmitted NTP packets to minimize the number of parameters and avoid
    repeated parsing of the packet.

commit d29bef93e94d20b0d64a7335c207fc186743b499
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Fri Feb 15 16:18:39 2019 +0100

    ntp: refactor NTP_Packet structure for extension fields

commit 5a09adebfd5987ee81789604faf7964de71509a4
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 24 10:42:29 2020 +0100

    ntp: don't replace sources with unroutable addresses

    When changing an address of a source (both known and unknown), make
    sure the new address is connectable. This should avoid useless
    replacements, e.g. polling an IPv6 address on IPv4-only systems.

commit 8c0ee9c175bab488a40c81c0ee6ee105576f3c0d
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Wed Mar 4 09:10:54 2020 +0100

    doc: list unsupported options in peer directive

commit f20fabdbf447a83d1fd210f30e759fe0b9620755
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Feb 27 09:02:41 2020 +0100

    test: make 132-logchange more reliable

commit 57cea56e6eff9fd03ff13a8c2ead37e79253ee23
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Feb 27 08:30:40 2020 +0100

    test: extend 001-features test

commit db7d9639b4f6c75cbf559a1a065b2735e773452b
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Thu Feb 27 08:29:58 2020 +0100

    test: fix unit tests to build with -NTP and -CMDMON

commit beb40d63eddcd46c145eeb71230e5f547ac3dd32
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 24 15:21:53 2020 +0100

    test: extend 122-xleave test

commit 672b98dd3fb17aa7de57d709f1f7b97c0889ec31
Author: Miroslav Lichvar <mlich...@redhat.com>
Date:   Mon Feb 24 18:05:09 2020 +0100

    sources: don't save or load dumpfiles for unknown addresses

    Don't open a dumpfile for reading or writing if the NTP source doesn't
    have a real address.

    Fixes: d7e3ad17ff7a ("ntp: create sources for unresolved addresses")

-----------------------------------------------------------------------

Summary of changes:
 candm.h                         |   2 +
 client.c                        |   2 +
 cmdmon.c                        |   2 +
 cmdparse.c                      |   7 +
 conf.c                          | 118 ++++++
 conf.h                          |  11 +
 configure                       |  39 +-
 doc/chrony.conf.adoc            |  77 +++-
 doc/installation.adoc           |  24 +-
 keys.c                          |  21 +-
 main.c                          |  11 +-
 nameserv_async.c                |   9 +-
 ntp.h                           |  59 ++-
 ntp_auth.c                      | 486 +++++++++++++++++++++++++
 ntp_auth.h                      |  89 +++++
 ntp_core.c                      | 406 ++++++++-------------
 ntp_core.h                      |   6 +-
 ntp_ext.c                       | 192 ++++++++++
 cmac.h => ntp_ext.h             |  26 +-
 ntp_io.c                        |   3 +-
 ntp_io_linux.c                  |   2 +-
 ntp_signd.c                     |   9 +-
 ntp_signd.h                     |   3 +-
 ntp_sources.c                   |  60 ++-
 ntp_sources.h                   |   4 +
 nts_ke.h                        |  69 ++++
 nts_ke_client.c                 | 389 ++++++++++++++++++++
 nts_ke_client.h                 |  58 +++
 nts_ke_server.c                 | 785 ++++++++++++++++++++++++++++++++++++++++
 smooth.h => nts_ke_server.h     |  30 +-
 nts_ke_session.c                | 779 +++++++++++++++++++++++++++++++++++++++
 nts_ke_session.h                |  83 +++++
 sys_netbsd.h => nts_ntp.h       |  20 +-
 nts_ntp_auth.c                  | 174 +++++++++
 ntp_signd.h => nts_ntp_auth.h   |  29 +-
 nts_ntp_client.c                | 445 +++++++++++++++++++++++
 ntp_signd.h => nts_ntp_client.h |  28 +-
 nts_ntp_server.c                | 253 +++++++++++++
 smooth.h => nts_ntp_server.h    |  30 +-
 sched.c                         |  16 +
 sched.h                         |   3 +
 siv.h                           |  70 ++++
 siv_nettle.c                    | 142 ++++++++
 siv_nettle_int.c                | 452 +++++++++++++++++++++++
 socket.c                        |   2 +-
 sources.c                       |   8 +-
 srcparams.h                     |   3 +
 stubs.c                         |  92 ++++-
 sys.c                           |   4 +-
 sys.h                           |   7 +-
 sys_linux.c                     |  78 ++--
 sys_linux.h                     |   4 +-
 test/compilation/001-features   |   3 +
 test/compilation/003-sanitizers |   3 +-
 test/simulation/122-xleave      |  18 +
 test/simulation/132-logchange   |   2 +-
 test/simulation/139-nts         |  69 ++++
 test/unit/clientlog.c           |  13 +-
 test/unit/keys.c                |  13 +-
 test/unit/ntp_core.c            |  98 ++---
 test/unit/ntp_ext.c             | 167 +++++++++
 test/unit/nts_ke.crt            |   8 +
 test/unit/nts_ke.key            |  25 ++
 test/unit/nts_ke_client.c       | 139 +++++++
 test/unit/nts_ke_server.c       | 223 ++++++++++++
 test/unit/nts_ke_session.c      | 189 ++++++++++
 test/unit/nts_ntp_auth.c        | 108 ++++++
 test/unit/nts_ntp_client.c      | 253 +++++++++++++
 test/unit/nts_ntp_server.c      | 174 +++++++++
 test/unit/siv.c                 | 280 ++++++++++++++
 test/unit/util.c                |  15 +
 util.c                          |  39 ++
 util.h                          |   7 +
 73 files changed, 7047 insertions(+), 520 deletions(-)
 create mode 100644 ntp_auth.c
 create mode 100644 ntp_auth.h
 create mode 100644 ntp_ext.c
 copy cmac.h => ntp_ext.h (54%)
 create mode 100644 nts_ke.h
 create mode 100644 nts_ke_client.c
 create mode 100644 nts_ke_client.h
 create mode 100644 nts_ke_server.c
 copy smooth.h => nts_ke_server.h (64%)
 create mode 100644 nts_ke_session.c
 create mode 100644 nts_ke_session.h
 copy sys_netbsd.h => nts_ntp.h (66%)
 create mode 100644 nts_ntp_auth.c
 copy ntp_signd.h => nts_ntp_auth.h (57%)
 create mode 100644 nts_ntp_client.c
 copy ntp_signd.h => nts_ntp_client.h (56%)
 create mode 100644 nts_ntp_server.c
 copy smooth.h => nts_ntp_server.h (64%)
 create mode 100644 siv.h
 create mode 100644 siv_nettle.c
 create mode 100644 siv_nettle_int.c
 create mode 100755 test/simulation/139-nts
 create mode 100644 test/unit/ntp_ext.c
 create mode 100644 test/unit/nts_ke.crt
 create mode 100644 test/unit/nts_ke.key
 create mode 100644 test/unit/nts_ke_client.c
 create mode 100644 test/unit/nts_ke_server.c
 create mode 100644 test/unit/nts_ke_session.c
 create mode 100644 test/unit/nts_ntp_auth.c
 create mode 100644 test/unit/nts_ntp_client.c
 create mode 100644 test/unit/nts_ntp_server.c
 create mode 100644 test/unit/siv.c


hooks/post-receive
--
chrony/chrony.git