This is to make sure chronyd will see the remote address as 127.0.0.1
and allow access even when localhost resolves to an address of a
non-loopback interface.
To prevent an attacker using chronyd in an amplification attack, change
the protocol to include padding in request packets so that the largest
possible reply is not larger than the request. Request packets that
don't include this padding are ignored as invalid.
This is an incompatible change in the protocol. Clients from chrony
1.27, 1.28 and 1.29 will receive NULL reply with STT_BADPKTVERSION and
print "Protocol version mismatch". Clients from 1.26 and older will not
receive a reply as it would be larger than the request if it was padded
to be compatible with their protocol.
Before calling PKL_ReplyLength() check that the packet has full header.
This didn't change the outcome of the test if the packet was shorter as
the invalid result from PKL_ReplyLength() was either larger than length
of the packet or smaller than header length, failing the length check in
both cases.
Support for the SUBNETS_ACCESSED and CLIENT_ACCESSES commands was
enabled in chronyd, but in chronyc it was always disabled and the
CLIENT_ACCESSES_BY_INDEX command was used instead. As there is no plan
to enable it in the future, remove the support completely.
When the length of the REQ_SUBNETS_ACCESSED, REQ_CLIENT_ACCESSES
command requests and the RPY_SUBNETS_ACCESSED, RPY_CLIENT_ACCESSES,
RPY_CLIENT_ACCESSES_BY_INDEX, RPY_MANUAL_LIST command replies is
calculated, the number of items stored in the packet is not validated.
A crafted command request/reply can be used to crash the server/client.
Only clients allowed by cmdallow (by default only localhost) can crash
the server.
With chrony versions 1.25 and 1.26 this bug has a smaller security
impact as the server requires the clients to be authenticated in order
to process the subnet and client accesses commands. In 1.27 and 1.28,
however, the invalid calculated length is included also in the
authentication check which may cause another crash.
Combine only sources whose distance is shorter than distance of the
selected source multiplied by the value of combinelimit and their
estimated frequencies are close to the frequency of the selected source.
Add outlyer status for sources which are selectable, but not included in
the combining. The status is displayed as '-' in the chronyc sources
output.
- normalize command line before parsing
- compare whole words
- check for missing/extra arguments in config parsing
- use strdup for string allocation
- share code for reporting syntax errors
- avoid using function pointers
- cleanup the code a bit
Allow different hash functions to be used in the NTP and cmdmon
protocols. This breaks the cmdmon protocol compatibility. Extended key
file format is used to specify the hash functions for chronyd and new
authhash command is added to chronyc. MD5 is the default and the only
function included in the chrony source code, other functions will be
available from libraries.
Require that the ratio of the increase in delay from the minimum one in
the stats data register to the standard deviation of the offsets in the
register is less than maxdelaydevratio or the difference between
measured offset and predicted offset is larger than the increase in
delay. In the allowed delay increase is included also skew and maximum
clock frequency error.
maxdelaydevratio is 10.0 by default.
Instead of following skew changes, adjust polling interval so that the
number of measurements used in the regression algorithm remains close to
a target value. It can be configured with a new polltarget option
(6 by default).
Resolving is retried in increasing intervals (maximum is one hour)
until it succeeds or fails with a non-temporary error.
Unresolved sources are included in the activity report as offline
sources and the online command can be used to retry it immediately.
This could be improved by resolving in a separate thread/process
to avoid blocking.
Instead of retrying to resolve it in the function and blocking for a
long time, return a TryAgain status and let the caller retry it later if
necessary.
This is to avoid incompatibility between 64/32-bit client/server.
While at it, convert all time values in the protocol to timeval
to avoid Y2K38 problem.
GNU readline recently changed license to GPLv3+ which makes it
incompatible with chrony (GPLv2). This patch adds support for editline
library (BSD license).
Thomas wrote:
I found a bug in the chrony client (chronyc) that affects its ability to talk
to remote hosts over the control port (323/udp).
For example, running "chronyc -h 192.168.1.3 sources -v" would just sit there
and hang, and eventually timeout. I found out with tcpdump that chronyc
actually tries to connect to 255.168.1.3 instead of 192.168.1.3.
(Taken from
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=348412
)
Attached is a patchlet to make the "sources" command of chrony output properly
signed numbers. The chronyd code (see e.g. ntp.h) properly uses int32_t and
friends to get the right number of bits per datatype while client.c just uses
short, int, long. But long will be 64 bit or 32 bit depending on the cpu.
Kevin Lyda writes:
I enclose the following patch which removes all but three of the warnings. i
don't have any non-linux systems handy to test a fix to the round() function.
but having it return a double should be fine.
It doesn't actually fix anything, it just shuts up -Wall, so it's certainly an
optional type of patch.
Eric Lammerts writes:
This is known as Debian bug #195620, which is almost three years old!
The problem is that a uint32_t which comes out of ntohl() (but
actually represents a signed value) is directly promoted to long.
Therefore no sign extension takes place.
Patch below solves the problem. There are other places where this
needs to be fixed, but I'll leave that to a less lazy person.
The following is a patch to chronyc that causes it
to flush the buffers to stderr and stdout after
executing each command. This is needed if
you are controling chronyc from a program (i.e. chronyc's
input and output descriptors are pipes which are being
written/read by another program) and
you do not want to block waiting for chronyc response
which is trapped in a buffer!
This is a verbatim copy of the files at that stage of the repository that was
built from the CVS import. It allows future development to see a bit of recent
history, but without carrying around the baggage going back to 1997. If that
is really required, git grafts can be used.
