From 51fe589aeb4f827ed507d6506fc2dc9769046a21 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Mon, 18 May 2020 14:21:53 +0200
Subject: [PATCH] cmdmon: add cookie length to authdata report
---
 candm.h | 2 ++
 client.c | 9 +++++----
 cmdmon.c | 1 +
 doc/chronyc.adoc | 24 ++++++++++++++----------
 nts_ntp_client.c | 1 +
 reports.h | 1 +
 6 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/candm.h b/candm.h
index 9d5448c..51de85d 100644
--- a/candm.h
+++ b/candm.h
@@ -735,7 +735,9 @@ typedef struct {
   uint16_t ke_attempts;
   uint32_t last_ke_ago;
   uint16_t cookies;
+  uint16_t cookie_length;
   uint16_t nak;
+  uint16_t pad;
   int32_t EOR;
 } RPY_AuthData;
diff --git a/client.c b/client.c
index b786b58..dd25f1f 100644
--- a/client.c
+++ b/client.c
@@ -2383,9 +2383,9 @@ process_cmd_authdata(char *line)
   n_sources = ntohl(reply.data.n_sources.n_sources);
-  print_header("Name/IP address Mode KeyID Type Len Last Atmp Cook NAK");
+  print_header("Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen");
-  /* "NNNNNNNNNNNNNNNNNNNNNNNNNNN MMMM KKKKK AAAA LLLL LLLL AAAA CCCC NNNN" */
+  /* "NNNNNNNNNNNNNNNNNNNNNNNNNNN MMMM KKKKK AAAA LLLL LLLL AAAA NNNN CCCC LLLL" */
   for (i = 0; i < n_sources; i++) {
     request.command = htons(REQ_SOURCE_DATA);
@@ -2423,15 +2423,16 @@ process_cmd_authdata(char *line)
         break;
     }
-    print_report("%-27s %4s %5U %4d %4d %I %4d %4d %4d\n",
+    print_report("%-27s %4s %5U %4d %4d %I %4d %4d %4d %4d\n",
                  name, mode_str,
                  (unsigned long)ntohl(reply.data.auth_data.key_id),
                  ntohs(reply.data.auth_data.key_type),
                  ntohs(reply.data.auth_data.key_length),
                  (unsigned long)ntohl(reply.data.auth_data.last_ke_ago),
                  ntohs(reply.data.auth_data.ke_attempts),
-                 ntohs(reply.data.auth_data.cookies), ntohs(reply.data.auth_data.nak),
+                 ntohs(reply.data.auth_data.nak),
+                 ntohs(reply.data.auth_data.cookies),
+                 ntohs(reply.data.auth_data.cookie_length),
                  REPORT_END);
   }
diff --git a/cmdmon.c b/cmdmon.c
index 6d9962e..204dc24 100644
--- a/cmdmon.c
+++ b/cmdmon.c
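Review bot: The new `pad` member in RPY_AuthData is added without a comment, so nothing in the header says it is deliberate alignment filler in front of `EOR` rather than a field that was never wired up; `uint16_t pad; /* alignment padding before EOR, expected to be sent as zero */` would record that. RPY_AuthData is the on-wire reply body, so those two bytes reach the client with whatever value the sender leaves in them, which is why the comment should state the zeroing expectation explicitly; where the reply buffer is cleared is not visible in this patch. The typedef begins before this hunk.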
@@ -1276,6 +1276,7 @@ handle_auth_data(CMD_Request *rx_message, CMD_Reply *tx_message)
   tx_message->data.auth_data.ke_attempts = htons(report.ke_attempts);
   tx_message->data.auth_data.last_ke_ago = htonl(report.last_ke_ago);
   tx_message->data.auth_data.cookies = htons(report.cookies);
+  tx_message->data.auth_data.cookie_length = htons(report.cookie_length);
   tx_message->data.auth_data.nak = htons(report.nak);
 }
diff --git a/doc/chronyc.adoc b/doc/chronyc.adoc
index 0156e9d..54e5eeb 100644
--- a/doc/chronyc.adoc
+++ b/doc/chronyc.adoc
@@ -461,11 +461,11 @@ those that do not have a known address yet.
 An example of the output is shown below.
 +
 ----
-Name/IP address Mode KeyID Type Len Last Atmp Cook NAK
-====================================================================
-foo.example.com NTS 1 15 256 135m 0 8 0
-bar.example.com SK 30 13 128 - 0 0 0
-baz.example.com - 0 0 0 - 0 0 0
+Name/IP address Mode KeyID Type KLen Last Atmp NAK Cook CLen
+=========================================================================
+foo.example.net NTS 1 15 256 135m 0 0 8 100
+bar.example.net SK 30 13 128 - 0 0 0 0
+baz.example.net - 0 0 0 - 0 0 0 0
 ----
 +
 The columns are as follows:
@@ -502,7 +502,7 @@ be reported:
 * 13: AES128
 * 14: AES256
 * 15: AEAD-AES-SIV-CMAC-256
-*Len*:::
+*KLen*:::
 This column shows the length of the key in bits.
 *Last*:::
 This column shows how long ago the last successful key establishment was
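Review bot: handle_auth_data fills every RPY_AuthData field except the new `pad` member, so its two bytes go to the client with whatever the reply buffer already held; unless the caller zeroes tx_message before dispatching (not visible in this hunk) that is uninitialised memory on the wire, and an explicit `tx_message->data.auth_data.pad = 0;` next to the other assignments removes the dependency either way. The `htons(report.cookie_length)` conversion also silently narrows an int to 16 bits; that is presumably safe because an NTS cookie has to fit inside an NTP packet, but a one-line comment stating the bound would make the narrowing intentional rather than accidental. The function starts before this hunk.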
@@ -512,14 +512,18 @@ hours, days, or years.
 This column shows the number of attempts to perform the key establishment since the last successful key establishment. A number larger than 1 indicates a problem with the network or server.
+*NAK*:::
+This column shows whether an NTS NAK was received since the last authenticated
+response. A NAK indicates that authentication failed on the server side due to
+*chronyd* using a cookie which is no longer valid and that it needs to perform
+the key establishment again in order to get new cookies.
 *Cook*:::
 This column shows the number of NTS cookies that *chronyd* currently has. If the key establishment was successful, a number smaller than 8 indicates a problem with the network or server.
-*NAK*:::
-This column shows whether an NTS NAK was received since the last authenticated
-response. A non-zero number indicates that *chronyd* has used a cookie which is
-no longer valid, or it might be under a denial-of-service attack.
+*CLen*:::
+This column shows the length in bytes of the NTS cookie which will be used in
+the next request.
 [[ntpdata]]*ntpdata* [_address_]::
 The *ntpdata* command displays the last valid measurement and other
diff --git a/nts_ntp_client.c b/nts_ntp_client.c
index aa01b4f..7ac6690 100644
--- a/nts_ntp_client.c
+++ b/nts_ntp_client.c
@@ -648,5 +648,6 @@ NNC_GetReport(NNC_Instance inst, RPT_AuthReport *report)
   else
     report->last_ke_ago = -1;
   report->cookies = inst->num_cookies;
+  report->cookie_length = inst->num_cookies > 0 ? inst->cookies[inst->cookie_index].length : 0;
   report->nak = inst->nak_response;
 }
diff --git a/reports.h b/reports.h
index 20881b4..7545ea2 100644
--- a/reports.h
+++ b/reports.h
@@ -168,6 +168,7 @@ typedef struct {
   int ke_attempts;
   uint32_t last_ke_ago;
   int cookies;
+  int cookie_length;
   int nak;
 } RPT_AuthReport;
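Review bot: The added line in NNC_GetReport reads `inst->cookies[inst->cookie_index].length` whenever num_cookies > 0, which assumes cookie_index always points at a populated entry while any cookies are held; that invariant is maintained by the cookie add/consume paths outside this hunk and is not checked here, so a short comment such as `/* cookie_index always refers to a valid cookie when num_cookies > 0 */` would tell the next reader where the guarantee comes from. The line also runs well past the width the surrounding code appears to keep; splitting it as `report->cookie_length = inst->num_cookies > 0 ?` with `inst->cookies[inst->cookie_index].length : 0;` on a continuation line aligned under the condition keeps the file's style. NNC_GetReport starts before this hunk.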