cmdmon: add cookie length to authdata report

2020-05-18 14:21:53 +02:00 · 2020-05-18 14:21:53 +02:00 · 51fe589aeb
commit 51fe589aeb
parent 28cf4acf13
6 changed files with 24 additions and 14 deletions
--- a/candm.h
+++ b/candm.h
@ -735,7 +735,9 @@ typedef struct {
  uint16_t ke_attempts;
  uint32_t last_ke_ago;
  uint16_t cookies;
+  uint16_t cookie_length;
  uint16_t nak;
+  uint16_t pad;
  int32_t EOR;
 } RPY_AuthData;

--- a/client.c
+++ b/client.c
@ -2383,9 +2383,9 @@ process_cmd_authdata(char *line)

  n_sources = ntohl(reply.data.n_sources.n_sources);

-  print_header("Name/IP address             Mode KeyID Type  Len Last Atmp Cook  NAK");
+  print_header("Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen");

-  /*           "NNNNNNNNNNNNNNNNNNNNNNNNNNN MMMM KKKKK AAAA LLLL LLLL AAAA CCCC NNNN" */
+  /*           "NNNNNNNNNNNNNNNNNNNNNNNNNNN MMMM KKKKK AAAA LLLL LLLL AAAA NNNN CCCC LLLL" */

  for (i = 0; i < n_sources; i++) {
    request.command = htons(REQ_SOURCE_DATA);
@ -2423,15 +2423,16 @@ process_cmd_authdata(char *line)
        break;
    }

-    print_report("%-27s %4s %5U %4d %4d %I %4d %4d %4d\n",
+    print_report("%-27s %4s %5U %4d %4d %I %4d %4d %4d %4d\n",
                 name, mode_str,
                 (unsigned long)ntohl(reply.data.auth_data.key_id),
                 ntohs(reply.data.auth_data.key_type),
                 ntohs(reply.data.auth_data.key_length),
                 (unsigned long)ntohl(reply.data.auth_data.last_ke_ago),
                 ntohs(reply.data.auth_data.ke_attempts),
-                 ntohs(reply.data.auth_data.cookies),
                 ntohs(reply.data.auth_data.nak),
+                 ntohs(reply.data.auth_data.cookies),
+                 ntohs(reply.data.auth_data.cookie_length),
                 REPORT_END);
  }

--- a/cmdmon.c
+++ b/cmdmon.c
@ -1276,6 +1276,7 @@ handle_auth_data(CMD_Request *rx_message, CMD_Reply *tx_message)
  tx_message->data.auth_data.ke_attempts = htons(report.ke_attempts);
  tx_message->data.auth_data.last_ke_ago = htonl(report.last_ke_ago);
  tx_message->data.auth_data.cookies = htons(report.cookies);
+  tx_message->data.auth_data.cookie_length = htons(report.cookie_length);
  tx_message->data.auth_data.nak = htons(report.nak);
 }

--- a/doc/chronyc.adoc
+++ b/doc/chronyc.adoc
@ -461,11 +461,11 @@ those that do not have a known address yet. An example of the output is
 shown below.
 +
 ----
-Name/IP address             Mode KeyID Type  Len Last Atmp Cook  NAK
-====================================================================
-foo.example.com              NTS     1   15  256 135m    0    8    0
-bar.example.com               SK    30   13  128    -    0    0    0
-baz.example.com                -     0    0    0    -    0    0    0
+Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
+=========================================================================
+foo.example.net              NTS     1   15  256 135m    0    0    8  100
+bar.example.net               SK    30   13  128    -    0    0    0    0
+baz.example.net                -     0    0    0    -    0    0    0    0
 ----
 +
 The columns are as follows:
@ -502,7 +502,7 @@ be reported:
 * 13: AES128
 * 14: AES256
 * 15: AEAD-AES-SIV-CMAC-256
-*Len*:::
+*KLen*:::
 This column shows the length of the key in bits.
 *Last*:::
 This column shows how long ago the last successful key establishment was
@ -512,14 +512,18 @@ hours, days, or years.
 This column shows the number of attempts to perform the key establishment since
 the last successful key establishment. A number larger than 1 indicates a
 problem with the network or server.
+*NAK*:::
+This column shows whether an NTS NAK was received since the last authenticated
+response. A NAK indicates that authentication failed on the server side due to
+*chronyd* using a cookie which is no longer valid and that it needs to perform
+the key establishment again in order to get new cookies.
 *Cook*:::
 This column shows the number of NTS cookies that *chronyd* currently has. If
 the key establishment was successful, a number smaller than 8 indicates a
 problem with the network or server.
-*NAK*:::
-This column shows whether an NTS NAK was received since the last authenticated
-response. A non-zero number indicates that *chronyd* has used a cookie which is
-no longer valid, or it might be under a denial-of-service attack.
+*CLen*:::
+This column shows the length in bytes of the NTS cookie which will be used in
+the next request.

 [[ntpdata]]*ntpdata* [_address_]::
 The *ntpdata* command displays the last valid measurement and other
--- a/nts_ntp_client.c
+++ b/nts_ntp_client.c
@ -648,5 +648,6 @@ NNC_GetReport(NNC_Instance inst, RPT_AuthReport *report)
  else
    report->last_ke_ago = -1;
  report->cookies = inst->num_cookies;
+  report->cookie_length = inst->num_cookies > 0 ? inst->cookies[inst->cookie_index].length : 0;
  report->nak = inst->nak_response;
 }
--- a/reports.h
+++ b/reports.h
@ -168,6 +168,7 @@ typedef struct {
  int ke_attempts;
  uint32_t last_ke_ago;
  int cookies;
+  int cookie_length;
  int nak;
 } RPT_AuthReport;