nts: convert to monotonic time
Use the monotonic timestamp provided by the scheduler for NTS-KE rate limiting and refresh.
This commit is contained in:
Miroslav Lichvar
parent
bb0553e4c4
commit
fd59877692
2 changed files with 14 additions and 18 deletions
|
|
@ -54,8 +54,8 @@ struct NNC_Instance_Record {
|
||||||
SIV_Instance siv_s2c;
|
SIV_Instance siv_s2c;
|
||||||
NKC_Instance nke;
|
NKC_Instance nke;
|
||||||
|
|
||||||
struct timespec last_nke_attempt;
|
double last_nke_attempt;
|
||||||
struct timespec last_nke_success;
|
double last_nke_success;
|
||||||
NKE_Cookie cookies[NTS_MAX_COOKIES];
|
NKE_Cookie cookies[NTS_MAX_COOKIES];
|
||||||
int num_cookies;
|
int num_cookies;
|
||||||
int cookie_index;
|
int cookie_index;
|
||||||
|
|
@ -70,8 +70,8 @@ struct NNC_Instance_Record {
|
||||||
static void
|
static void
|
||||||
reset_instance(NNC_Instance inst)
|
reset_instance(NNC_Instance inst)
|
||||||
{
|
{
|
||||||
UTI_ZeroTimespec(&inst->last_nke_attempt);
|
inst->last_nke_attempt = -MIN_NKE_RETRY_INTERVAL;
|
||||||
UTI_ZeroTimespec(&inst->last_nke_success);
|
inst->last_nke_success = 0.0;
|
||||||
inst->num_cookies = 0;
|
inst->num_cookies = 0;
|
||||||
inst->cookie_index = 0;
|
inst->cookie_index = 0;
|
||||||
inst->nak_response = 0;
|
inst->nak_response = 0;
|
||||||
|
|
@ -122,8 +122,6 @@ NNC_DestroyInstance(NNC_Instance inst)
|
||||||
static int
|
static int
|
||||||
is_nke_needed(NNC_Instance inst)
|
is_nke_needed(NNC_Instance inst)
|
||||||
{
|
{
|
||||||
struct timespec now;
|
|
||||||
|
|
||||||
/* Force NKE if a NAK was received since last valid auth */
|
/* Force NKE if a NAK was received since last valid auth */
|
||||||
if (inst->nak_response && !inst->ok_response && inst->num_cookies > 0) {
|
if (inst->nak_response && !inst->ok_response && inst->num_cookies > 0) {
|
||||||
inst->num_cookies = 0;
|
inst->num_cookies = 0;
|
||||||
|
|
@ -131,11 +129,9 @@ is_nke_needed(NNC_Instance inst)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Force NKE if the keys encrypting the cookies are too old */
|
/* Force NKE if the keys encrypting the cookies are too old */
|
||||||
if (inst->num_cookies > 0) {
|
if (inst->num_cookies > 0 &&
|
||||||
SCH_GetLastEventTime(&now, NULL, NULL);
|
SCH_GetLastEventMonoTime() - inst->last_nke_success > CNF_GetNtsRefresh())
|
||||||
if (fabs(UTI_DiffTimespecsToDouble(&inst->last_nke_success, &now)) > CNF_GetNtsRefresh())
|
|
||||||
inst->num_cookies = 0;
|
inst->num_cookies = 0;
|
||||||
}
|
|
||||||
|
|
||||||
return inst->num_cookies == 0;
|
return inst->num_cookies == 0;
|
||||||
}
|
}
|
||||||
|
|
@ -177,15 +173,15 @@ get_nke_data(NNC_Instance inst)
|
||||||
NTP_Remote_Address ntp_address;
|
NTP_Remote_Address ntp_address;
|
||||||
SIV_Algorithm siv;
|
SIV_Algorithm siv;
|
||||||
NKE_Key c2s, s2c;
|
NKE_Key c2s, s2c;
|
||||||
struct timespec now;
|
double now;
|
||||||
int got_data;
|
int got_data;
|
||||||
|
|
||||||
assert(is_nke_needed(inst));
|
assert(is_nke_needed(inst));
|
||||||
|
|
||||||
|
now = SCH_GetLastEventMonoTime();
|
||||||
|
|
||||||
if (!inst->nke) {
|
if (!inst->nke) {
|
||||||
SCH_GetLastEventTime(&now, NULL, NULL);
|
if (now - inst->last_nke_attempt < MIN_NKE_RETRY_INTERVAL) {
|
||||||
if (fabs(UTI_DiffTimespecsToDouble(&inst->last_nke_attempt, &now)) <
|
|
||||||
MIN_NKE_RETRY_INTERVAL) {
|
|
||||||
DEBUG_LOG("Limiting NTS-KE request rate");
|
DEBUG_LOG("Limiting NTS-KE request rate");
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
@ -242,7 +238,7 @@ get_nke_data(NNC_Instance inst)
|
||||||
|
|
||||||
inst->nak_response = 0;
|
inst->nak_response = 0;
|
||||||
|
|
||||||
SCH_GetLastEventTime(&inst->last_nke_success, NULL, NULL);
|
inst->last_nke_success = now;
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
@ -422,7 +418,7 @@ NNC_CheckResponseAuth(NNC_Instance inst, NTP_Packet *packet,
|
||||||
|
|
||||||
/* At this point we know the client interoperates with the server. Allow a
|
/* At this point we know the client interoperates with the server. Allow a
|
||||||
new NTS-KE session to be started as soon as the cookies run out. */
|
new NTS-KE session to be started as soon as the cookies run out. */
|
||||||
UTI_ZeroTimespec(&inst->last_nke_attempt);
|
inst->last_nke_attempt = -MIN_NKE_RETRY_INTERVAL;
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -85,7 +85,7 @@ get_request(NNC_Instance inst)
|
||||||
TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
|
TEST_CHECK(!NNC_GenerateRequestAuth(inst, &packet, &info));
|
||||||
|
|
||||||
while (!NNC_PrepareForAuth(inst)) {
|
while (!NNC_PrepareForAuth(inst)) {
|
||||||
inst->last_nke_attempt.tv_sec = random();
|
inst->last_nke_attempt = random() % 100000 - 50000;
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST_CHECK(inst->num_cookies > 0);
|
TEST_CHECK(inst->num_cookies > 0);
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue