cmdmon: add cookie length to authdata report

candm.h

@@ -735,7 +735,9 @@ typedef struct {
   uint16_t ke_attempts;
   uint32_t last_ke_ago;
   uint16_t cookies;
+  uint16_t cookie_length;
   uint16_t nak;
+  uint16_t pad;
   int32_t EOR;
 } RPY_AuthData;
 

client.c

@@ -2383,9 +2383,9 @@ process_cmd_authdata(char *line)
 
   n_sources = ntohl(reply.data.n_sources.n_sources);
 
-  print_header("Name/IP address             Mode KeyID Type  Len Last Atmp Cook  NAK");
+  print_header("Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen");
 
-  /*           "NNNNNNNNNNNNNNNNNNNNNNNNNNN MMMM KKKKK AAAA LLLL LLLL AAAA CCCC NNNN" */
+  /*           "NNNNNNNNNNNNNNNNNNNNNNNNNNN MMMM KKKKK AAAA LLLL LLLL AAAA NNNN CCCC LLLL" */
 
   for (i = 0; i < n_sources; i++) {
     request.command = htons(REQ_SOURCE_DATA);
@@ -2423,15 +2423,16 @@ process_cmd_authdata(char *line)
         break;
     }
 
-    print_report("%-27s %4s %5U %4d %4d %I %4d %4d %4d\n",
+    print_report("%-27s %4s %5U %4d %4d %I %4d %4d %4d %4d\n",
                  name, mode_str,
                  (unsigned long)ntohl(reply.data.auth_data.key_id),
                  ntohs(reply.data.auth_data.key_type),
                  ntohs(reply.data.auth_data.key_length),
                  (unsigned long)ntohl(reply.data.auth_data.last_ke_ago),
                  ntohs(reply.data.auth_data.ke_attempts),
-                 ntohs(reply.data.auth_data.cookies),
                  ntohs(reply.data.auth_data.nak),
+                 ntohs(reply.data.auth_data.cookies),
+                 ntohs(reply.data.auth_data.cookie_length),
                  REPORT_END);
   }
 

cmdmon.c

@@ -1276,6 +1276,7 @@ handle_auth_data(CMD_Request *rx_message, CMD_Reply *tx_message)
   tx_message->data.auth_data.ke_attempts = htons(report.ke_attempts);
   tx_message->data.auth_data.last_ke_ago = htonl(report.last_ke_ago);
   tx_message->data.auth_data.cookies = htons(report.cookies);
+  tx_message->data.auth_data.cookie_length = htons(report.cookie_length);
   tx_message->data.auth_data.nak = htons(report.nak);
 }
 

doc/chronyc.adoc

@@ -461,11 +461,11 @@ those that do not have a known address yet. An example of the output is
 shown below.
 +
 ----
-Name/IP address             Mode KeyID Type  Len Last Atmp Cook  NAK
+Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
-====================================================================
+=========================================================================
-foo.example.com              NTS     1   15  256 135m    0    8    0
+foo.example.net              NTS     1   15  256 135m    0    0    8  100
-bar.example.com               SK    30   13  128    -    0    0    0
+bar.example.net               SK    30   13  128    -    0    0    0    0
-baz.example.com                -     0    0    0    -    0    0    0
+baz.example.net                -     0    0    0    -    0    0    0    0
 ----
 +
 The columns are as follows:
@@ -502,7 +502,7 @@ be reported:
 * 13: AES128
 * 14: AES256
 * 15: AEAD-AES-SIV-CMAC-256
-*Len*:::
+*KLen*:::
 This column shows the length of the key in bits.
 *Last*:::
 This column shows how long ago the last successful key establishment was
@@ -512,14 +512,18 @@ hours, days, or years.
 This column shows the number of attempts to perform the key establishment since
 the last successful key establishment. A number larger than 1 indicates a
 problem with the network or server.
+*NAK*:::
+This column shows whether an NTS NAK was received since the last authenticated
+response. A NAK indicates that authentication failed on the server side due to
+*chronyd* using a cookie which is no longer valid and that it needs to perform
+the key establishment again in order to get new cookies.
 *Cook*:::
 This column shows the number of NTS cookies that *chronyd* currently has. If
 the key establishment was successful, a number smaller than 8 indicates a
 problem with the network or server.
-*NAK*:::
+*CLen*:::
-This column shows whether an NTS NAK was received since the last authenticated
+This column shows the length in bytes of the NTS cookie which will be used in
-response. A non-zero number indicates that *chronyd* has used a cookie which is
+the next request.
-no longer valid, or it might be under a denial-of-service attack.
 
 [[ntpdata]]*ntpdata* [_address_]::
 The *ntpdata* command displays the last valid measurement and other

nts_ntp_client.c

@@ -648,5 +648,6 @@ NNC_GetReport(NNC_Instance inst, RPT_AuthReport *report)
   else
     report->last_ke_ago = -1;
   report->cookies = inst->num_cookies;
+  report->cookie_length = inst->num_cookies > 0 ? inst->cookies[inst->cookie_index].length : 0;
   report->nak = inst->nak_response;
 }

reports.h

@@ -168,6 +168,7 @@ typedef struct {
   int ke_attempts;
   uint32_t last_ke_ago;
   int cookies;
+  int cookie_length;
   int nak;
 } RPT_AuthReport;