blob: 8d89046617a974e66f22b729d856fa6f1efaff9f [file] [log] [blame] [raw]
Index: UPDATING
===================================================================
--- UPDATING (版本 330566)
+++ UPDATING (版本 330908)
@@ -16,6 +16,11 @@
the tip of head, and then rebuild without this option. The bootstrap process
from older version of current across the gcc/clang cutover is a bit fragile.
+20180314 p8 FreeBSD-SA-18:03.speculative_execution
+
+ Add mitigations for two classes of speculative execution vulnerabilities
+ on amd64.
+
20180307 p7 FreeBSD-SA-18:01.ipsec
FreeBSD-SA-18:02.ntp
FreeBSD-EN-18:01.tzdata
Index: sys/amd64/vmm/intel/vmx.c
===================================================================
--- sys/amd64/vmm/intel/vmx.c (版本 330566)
+++ sys/amd64/vmm/intel/vmx.c (版本 330908)
@@ -693,7 +693,8 @@
MSR_VMX_TRUE_PINBASED_CTLS, PINBASED_POSTED_INTERRUPT, 0,
&tmp);
if (error == 0) {
- pirvec = lapic_ipi_alloc(&IDTVEC(justreturn));
+ pirvec = lapic_ipi_alloc(pti ? &IDTVEC(justreturn1_pti) :
+ &IDTVEC(justreturn));
if (pirvec < 0) {
if (bootverbose) {
printf("vmx_init: unable to allocate "
Index: sys/conf/Makefile.amd64
===================================================================
--- sys/conf/Makefile.amd64 (版本 330566)
+++ sys/conf/Makefile.amd64 (版本 330908)
@@ -39,6 +39,7 @@
ASM_CFLAGS.acpi_wakecode.S= ${CLANG_NO_IAS34}
ASM_CFLAGS.mpboot.S= ${CLANG_NO_IAS34}
+ASM_CFLAGS.support.S= ${CLANG_NO_IAS}
%BEFORE_DEPEND
Index: sys/dev/cpuctl/cpuctl.c
===================================================================
--- sys/dev/cpuctl/cpuctl.c (版本 330566)
+++ sys/dev/cpuctl/cpuctl.c (版本 330908)
@@ -71,6 +71,7 @@
struct thread *td);
static int cpuctl_do_cpuid_count(int cpu, cpuctl_cpuid_count_args_t *data,
struct thread *td);
+static int cpuctl_do_eval_cpu_features(int cpu, struct thread *td);
static int cpuctl_do_update(int cpu, cpuctl_update_args_t *data,
struct thread *td);
static int update_intel(int cpu, cpuctl_update_args_t *args,
@@ -157,7 +158,8 @@
}
/* Require write flag for "write" requests. */
if ((cmd == CPUCTL_MSRCBIT || cmd == CPUCTL_MSRSBIT ||
- cmd == CPUCTL_UPDATE || cmd == CPUCTL_WRMSR) &&
+ cmd == CPUCTL_UPDATE || cmd == CPUCTL_WRMSR ||
+ cmd == CPUCTL_EVAL_CPU_FEATURES) &&
(flags & FWRITE) == 0)
return (EPERM);
switch (cmd) {
@@ -185,6 +187,9 @@
ret = cpuctl_do_cpuid_count(cpu,
(cpuctl_cpuid_count_args_t *)data, td);
break;
+ case CPUCTL_EVAL_CPU_FEATURES:
+ ret = cpuctl_do_eval_cpu_features(cpu, td);
+ break;
default:
ret = EINVAL;
break;
@@ -502,6 +507,30 @@
return (ret);
}
+static int
+cpuctl_do_eval_cpu_features(int cpu, struct thread *td)
+{
+ int is_bound = 0;
+ int oldcpu;
+
+ KASSERT(cpu >= 0 && cpu <= mp_maxid,
+ ("[cpuctl,%d]: bad cpu number %d", __LINE__, cpu));
+
+#ifdef __i386__
+ if (cpu_id == 0)
+ return (ENODEV);
+#endif
+ oldcpu = td->td_oncpu;
+ is_bound = cpu_sched_is_bound(td);
+ set_cpu(cpu, td);
+ identify_cpu1();
+ identify_cpu2();
+ hw_ibrs_recalculate();
+ restore_cpu(oldcpu, is_bound, td);
+ printcpuinfo();
+ return (0);
+}
+
int
cpuctl_open(struct cdev *dev, int flags, int fmt __unused, struct thread *td)
{
Index: sys/dev/hyperv/vmbus/i386/vmbus_vector.S
===================================================================
--- sys/dev/hyperv/vmbus/i386/vmbus_vector.S (版本 330566)
+++ sys/dev/hyperv/vmbus/i386/vmbus_vector.S (版本 330908)
@@ -37,6 +37,7 @@
*/
.text
SUPERALIGN_TEXT
+IDTVEC(vmbus_isr_pti)
IDTVEC(vmbus_isr)
PUSH_FRAME
SET_KERNEL_SREGS
Index: sys/i386/i386/apic_vector.s
===================================================================
--- sys/i386/i386/apic_vector.s (版本 330566)
+++ sys/i386/i386/apic_vector.s (版本 330908)
@@ -70,6 +70,7 @@
#define ISR_VEC(index, vec_name) \
.text ; \
SUPERALIGN_TEXT ; \
+IDTVEC(vec_name ## _pti) ; \
IDTVEC(vec_name) ; \
PUSH_FRAME ; \
SET_KERNEL_SREGS ; \
@@ -123,6 +124,7 @@
*/
.text
SUPERALIGN_TEXT
+IDTVEC(timerint_pti)
IDTVEC(timerint)
PUSH_FRAME
SET_KERNEL_SREGS
@@ -139,6 +141,7 @@
*/
.text
SUPERALIGN_TEXT
+IDTVEC(cmcint_pti)
IDTVEC(cmcint)
PUSH_FRAME
SET_KERNEL_SREGS
@@ -153,6 +156,7 @@
*/
.text
SUPERALIGN_TEXT
+IDTVEC(errorint_pti)
IDTVEC(errorint)
PUSH_FRAME
SET_KERNEL_SREGS
Index: sys/i386/i386/machdep.c
===================================================================
--- sys/i386/i386/machdep.c (版本 330566)
+++ sys/i386/i386/machdep.c (版本 330908)
@@ -2577,7 +2577,7 @@
GSEL(GCODE_SEL, SEL_KPL));
#endif
#ifdef XENHVM
- setidt(IDT_EVTCHN, &IDTVEC(xen_intr_upcall), SDT_SYS386IGT, SEL_UPL,
+ setidt(IDT_EVTCHN, &IDTVEC(xen_intr_upcall), SDT_SYS386IGT, SEL_KPL,
GSEL(GCODE_SEL, SEL_KPL));
#endif
Index: sys/i386/i386/vm_machdep.c
===================================================================
--- sys/i386/i386/vm_machdep.c (版本 330566)
+++ sys/i386/i386/vm_machdep.c (版本 330908)
@@ -795,7 +795,7 @@
CPU_NAND(&other_cpus, &sf->cpumask);
if (!CPU_EMPTY(&other_cpus)) {
CPU_OR(&sf->cpumask, &other_cpus);
- smp_masked_invlpg(other_cpus, sf->kva);
+ smp_masked_invlpg(other_cpus, sf->kva, kernel_pmap);
}
}
sched_unpin();
Index: sys/x86/include/specialreg.h
===================================================================
--- sys/x86/include/specialreg.h (版本 330566)
+++ sys/x86/include/specialreg.h (版本 330908)
@@ -374,6 +374,17 @@
#define CPUID_STDEXT2_SGXLC 0x40000000
/*
+ * CPUID instruction 7 Structured Extended Features, leaf 0 edx info
+ */
+#define CPUID_STDEXT3_IBPB 0x04000000
+#define CPUID_STDEXT3_STIBP 0x08000000
+#define CPUID_STDEXT3_ARCH_CAP 0x20000000
+
+/* MSR IA32_ARCH_CAP(ABILITIES) bits */
+#define IA32_ARCH_CAP_RDCL_NO 0x00000001
+#define IA32_ARCH_CAP_IBRS_ALL 0x00000002
+
+/*
* CPUID manufacturers identifiers
*/
#define AMD_VENDOR_ID "AuthenticAMD"
@@ -401,6 +412,8 @@
#define MSR_EBL_CR_POWERON 0x02a
#define MSR_TEST_CTL 0x033
#define MSR_IA32_FEATURE_CONTROL 0x03a
+#define MSR_IA32_SPEC_CTRL 0x048
+#define MSR_IA32_PRED_CMD 0x049
#define MSR_BIOS_UPDT_TRIG 0x079
#define MSR_BBL_CR_D0 0x088
#define MSR_BBL_CR_D1 0x089
@@ -413,6 +426,7 @@
#define MSR_APERF 0x0e8
#define MSR_IA32_EXT_CONFIG 0x0ee /* Undocumented. Core Solo/Duo only */
#define MSR_MTRRcap 0x0fe
+#define MSR_IA32_ARCH_CAP 0x10a
#define MSR_BBL_CR_ADDR 0x116
#define MSR_BBL_CR_DECC 0x118
#define MSR_BBL_CR_CTL 0x119
@@ -556,6 +570,17 @@
#define IA32_MISC_EN_XDD 0x0000000400000000ULL
/*
+ * IA32_SPEC_CTRL and IA32_PRED_CMD MSRs are described in the Intel'
+ * document 336996-001 Speculative Execution Side Channel Mitigations.
+ */
+/* MSR IA32_SPEC_CTRL */
+#define IA32_SPEC_CTRL_IBRS 0x00000001
+#define IA32_SPEC_CTRL_STIBP 0x00000002
+
+/* MSR IA32_PRED_CMD */
+#define IA32_PRED_CMD_IBPB_BARRIER 0x0000000000000001ULL
+
+/*
* PAT modes.
*/
#define PAT_UNCACHEABLE 0x00
Index: sys/i386/i386/atpic_vector.s
===================================================================
--- sys/i386/i386/atpic_vector.s (版本 330566)
+++ sys/i386/i386/atpic_vector.s (版本 330908)
@@ -46,6 +46,7 @@
#define INTR(irq_num, vec_name) \
.text ; \
SUPERALIGN_TEXT ; \
+IDTVEC(vec_name ##_pti) ; \
IDTVEC(vec_name) ; \
PUSH_FRAME ; \
SET_KERNEL_SREGS ; \
Index: sys/i386/i386/pmap.c
===================================================================
--- sys/i386/i386/pmap.c (版本 330566)
+++ sys/i386/i386/pmap.c (版本 330908)
@@ -283,6 +283,8 @@
"Number of times pmap_pte_quick didn't change PMAP1");
static struct mtx PMAP2mutex;
+int pti;
+
static void free_pv_chunk(struct pv_chunk *pc);
static void free_pv_entry(pmap_t pmap, pv_entry_t pv);
static pv_entry_t get_pv_entry(pmap_t pmap, boolean_t try);
@@ -1043,7 +1045,7 @@
CPU_AND(&other_cpus, &pmap->pm_active);
mask = &other_cpus;
}
- smp_masked_invlpg(*mask, va);
+ smp_masked_invlpg(*mask, va, pmap);
sched_unpin();
}
@@ -1077,7 +1079,7 @@
CPU_AND(&other_cpus, &pmap->pm_active);
mask = &other_cpus;
}
- smp_masked_invlpg_range(*mask, sva, eva);
+ smp_masked_invlpg_range(*mask, sva, eva, pmap);
sched_unpin();
}
Index: sys/sys/cpuctl.h
===================================================================
--- sys/sys/cpuctl.h (版本 330566)
+++ sys/sys/cpuctl.h (版本 330908)
@@ -57,5 +57,6 @@
#define CPUCTL_MSRSBIT _IOWR('c', 5, cpuctl_msr_args_t)
#define CPUCTL_MSRCBIT _IOWR('c', 6, cpuctl_msr_args_t)
#define CPUCTL_CPUID_COUNT _IOWR('c', 7, cpuctl_cpuid_count_args_t)
+#define CPUCTL_EVAL_CPU_FEATURES _IO('c', 8)
#endif /* _CPUCTL_H_ */
Index: sys/x86/include/x86_smp.h
===================================================================
--- sys/x86/include/x86_smp.h (版本 330566)
+++ sys/x86/include/x86_smp.h (版本 330908)
@@ -37,6 +37,7 @@
extern int cpu_cores;
extern volatile uint32_t smp_tlb_generation;
extern struct pmap *smp_tlb_pmap;
+extern vm_offset_t smp_tlb_addr1, smp_tlb_addr2;
extern u_int xhits_gbl[];
extern u_int xhits_pg[];
extern u_int xhits_rng[];
@@ -95,9 +96,9 @@
u_int mp_bootaddress(u_int);
void set_interrupt_apic_ids(void);
void smp_cache_flush(void);
-void smp_masked_invlpg(cpuset_t mask, vm_offset_t addr);
+void smp_masked_invlpg(cpuset_t mask, vm_offset_t addr, struct pmap *pmap);
void smp_masked_invlpg_range(cpuset_t mask, vm_offset_t startva,
- vm_offset_t endva);
+ vm_offset_t endva, struct pmap *pmap);
void smp_masked_invltlb(cpuset_t mask, struct pmap *pmap);
void mem_range_AP_init(void);
void topo_probe(void);
Index: sys/amd64/amd64/apic_vector.S
===================================================================
--- sys/amd64/amd64/apic_vector.S (版本 330566)
+++ sys/amd64/amd64/apic_vector.S (版本 330908)
@@ -2,7 +2,13 @@
* Copyright (c) 1989, 1990 William F. Jolitz.
* Copyright (c) 1990 The Regents of the University of California.
* All rights reserved.
+ * Copyright (c) 2014-2018 The FreeBSD Foundation
+ * All rights reserved.
*
+ * Portions of this software were developed by
+ * Konstantin Belousov <kib@FreeBSD.org> under sponsorship from
+ * the FreeBSD Foundation.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -38,12 +44,12 @@
#include "opt_smp.h"
+#include "assym.s"
+
#include <machine/asmacros.h>
#include <machine/specialreg.h>
#include <x86/apicreg.h>
-#include "assym.s"
-
#ifdef SMP
#define LK lock ;
#else
@@ -73,30 +79,28 @@
* translates that into a vector, and passes the vector to the
* lapic_handle_intr() function.
*/
-#define ISR_VEC(index, vec_name) \
- .text ; \
- SUPERALIGN_TEXT ; \
-IDTVEC(vec_name) ; \
- PUSH_FRAME ; \
- FAKE_MCOUNT(TF_RIP(%rsp)) ; \
- cmpl $0,x2apic_mode ; \
- je 1f ; \
- movl $(MSR_APIC_ISR0 + index),%ecx ; \
- rdmsr ; \
- jmp 2f ; \
-1: ; \
- movq lapic_map, %rdx ; /* pointer to local APIC */ \
- movl LA_ISR + 16 * (index)(%rdx), %eax ; /* load ISR */ \
-2: ; \
- bsrl %eax, %eax ; /* index of highest set bit in ISR */ \
- jz 3f ; \
- addl $(32 * index),%eax ; \
- movq %rsp, %rsi ; \
- movl %eax, %edi ; /* pass the IRQ */ \
- call lapic_handle_intr ; \
-3: ; \
- MEXITCOUNT ; \
+ .macro ISR_VEC index, vec_name
+ INTR_HANDLER \vec_name
+ FAKE_MCOUNT(TF_RIP(%rsp))
+ cmpl $0,x2apic_mode
+ je 1f
+ movl $(MSR_APIC_ISR0 + \index),%ecx
+ rdmsr
+ jmp 2f
+1:
+ movq lapic_map, %rdx /* pointer to local APIC */
+ movl LA_ISR + 16 * (\index)(%rdx), %eax /* load ISR */
+2:
+ bsrl %eax, %eax /* index of highest set bit in ISR */
+ jz 3f
+ addl $(32 * \index),%eax
+ movq %rsp, %rsi
+ movl %eax, %edi /* pass the IRQ */
+ call lapic_handle_intr
+3:
+ MEXITCOUNT
jmp doreti
+ .endm
/*
* Handle "spurious INTerrupts".
@@ -108,26 +112,21 @@
.text
SUPERALIGN_TEXT
IDTVEC(spuriousint)
-
/* No EOI cycle used here */
-
jmp doreti_iret
- ISR_VEC(1, apic_isr1)
- ISR_VEC(2, apic_isr2)
- ISR_VEC(3, apic_isr3)
- ISR_VEC(4, apic_isr4)
- ISR_VEC(5, apic_isr5)
- ISR_VEC(6, apic_isr6)
- ISR_VEC(7, apic_isr7)
+ ISR_VEC 1, apic_isr1
+ ISR_VEC 2, apic_isr2
+ ISR_VEC 3, apic_isr3
+ ISR_VEC 4, apic_isr4
+ ISR_VEC 5, apic_isr5
+ ISR_VEC 6, apic_isr6
+ ISR_VEC 7, apic_isr7
/*
* Local APIC periodic timer handler.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(timerint)
- PUSH_FRAME
+ INTR_HANDLER timerint
FAKE_MCOUNT(TF_RIP(%rsp))
movq %rsp, %rdi
call lapic_handle_timer
@@ -137,10 +136,7 @@
/*
* Local APIC CMCI handler.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(cmcint)
- PUSH_FRAME
+ INTR_HANDLER cmcint
FAKE_MCOUNT(TF_RIP(%rsp))
call lapic_handle_cmc
MEXITCOUNT
@@ -149,10 +145,7 @@
/*
* Local APIC error interrupt handler.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(errorint)
- PUSH_FRAME
+ INTR_HANDLER errorint
FAKE_MCOUNT(TF_RIP(%rsp))
call lapic_handle_error
MEXITCOUNT
@@ -163,10 +156,7 @@
* Xen event channel upcall interrupt handler.
* Only used when the hypervisor supports direct vector callbacks.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(xen_intr_upcall)
- PUSH_FRAME
+ INTR_HANDLER xen_intr_upcall
FAKE_MCOUNT(TF_RIP(%rsp))
movq %rsp, %rdi
call xen_intr_handle_upcall
@@ -183,59 +173,59 @@
SUPERALIGN_TEXT
invltlb_ret:
call as_lapic_eoi
- POP_FRAME
- jmp doreti_iret
+ jmp ld_regs
SUPERALIGN_TEXT
-IDTVEC(invltlb)
- PUSH_FRAME
-
+ INTR_HANDLER invltlb
call invltlb_handler
jmp invltlb_ret
-IDTVEC(invltlb_pcid)
- PUSH_FRAME
-
+ INTR_HANDLER invltlb_pcid
call invltlb_pcid_handler
jmp invltlb_ret
-IDTVEC(invltlb_invpcid)
- PUSH_FRAME
-
+ INTR_HANDLER invltlb_invpcid_nopti
call invltlb_invpcid_handler
jmp invltlb_ret
+ INTR_HANDLER invltlb_invpcid_pti
+ call invltlb_invpcid_pti_handler
+ jmp invltlb_ret
+
/*
* Single page TLB shootdown
*/
- .text
+ INTR_HANDLER invlpg
+ call invlpg_handler
+ jmp invltlb_ret
- SUPERALIGN_TEXT
-IDTVEC(invlpg)
- PUSH_FRAME
+ INTR_HANDLER invlpg_invpcid
+ call invlpg_invpcid_handler
+ jmp invltlb_ret
- call invlpg_handler
+ INTR_HANDLER invlpg_pcid
+ call invlpg_pcid_handler
jmp invltlb_ret
/*
* Page range TLB shootdown.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(invlrng)
- PUSH_FRAME
-
+ INTR_HANDLER invlrng
call invlrng_handler
jmp invltlb_ret
+ INTR_HANDLER invlrng_invpcid
+ call invlrng_invpcid_handler
+ jmp invltlb_ret
+
+ INTR_HANDLER invlrng_pcid
+ call invlrng_pcid_handler
+ jmp invltlb_ret
+
/*
* Invalidate cache.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(invlcache)
- PUSH_FRAME
-
+ INTR_HANDLER invlcache
call invlcache_handler
jmp invltlb_ret
@@ -242,15 +232,9 @@
/*
* Handler for IPIs sent via the per-cpu IPI bitmap.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(ipi_intr_bitmap_handler)
- PUSH_FRAME
-
+ INTR_HANDLER ipi_intr_bitmap_handler
call as_lapic_eoi
-
FAKE_MCOUNT(TF_RIP(%rsp))
-
call ipi_bitmap_handler
MEXITCOUNT
jmp doreti
@@ -258,13 +242,8 @@
/*
* Executed by a CPU when it receives an IPI_STOP from another CPU.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(cpustop)
- PUSH_FRAME
-
+ INTR_HANDLER cpustop
call as_lapic_eoi
-
call cpustop_handler
jmp doreti
@@ -271,11 +250,7 @@
/*
* Executed by a CPU when it receives an IPI_SUSPEND from another CPU.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(cpususpend)
- PUSH_FRAME
-
+ INTR_HANDLER cpususpend
call cpususpend_handler
call as_lapic_eoi
jmp doreti
@@ -285,10 +260,7 @@
*
* - Calls the generic rendezvous action function.
*/
- .text
- SUPERALIGN_TEXT
-IDTVEC(rendezvous)
- PUSH_FRAME
+ INTR_HANDLER rendezvous
#ifdef COUNT_IPIS
movl PCPU(CPUID), %eax
movq ipi_rendezvous_counts(,%rax,8), %rax
@@ -328,4 +300,8 @@
popq %rax
jmp doreti_iret
+ INTR_HANDLER justreturn1
+ call as_lapic_eoi
+ jmp doreti
+
#endif /* SMP */
Index: sys/amd64/amd64/atpic_vector.S
===================================================================
--- sys/amd64/amd64/atpic_vector.S (版本 330566)
+++ sys/amd64/amd64/atpic_vector.S (版本 330908)
@@ -36,38 +36,35 @@
* master and slave interrupt controllers.
*/
+#include "assym.s"
#include <machine/asmacros.h>
-#include "assym.s"
-
/*
* Macros for interrupt entry, call to handler, and exit.
*/
-#define INTR(irq_num, vec_name) \
- .text ; \
- SUPERALIGN_TEXT ; \
-IDTVEC(vec_name) ; \
- PUSH_FRAME ; \
- FAKE_MCOUNT(TF_RIP(%rsp)) ; \
- movq %rsp, %rsi ; \
- movl $irq_num, %edi; /* pass the IRQ */ \
- call atpic_handle_intr ; \
- MEXITCOUNT ; \
+ .macro INTR irq_num, vec_name
+ INTR_HANDLER \vec_name
+ FAKE_MCOUNT(TF_RIP(%rsp))
+ movq %rsp, %rsi
+ movl $\irq_num, %edi /* pass the IRQ */
+ call atpic_handle_intr
+ MEXITCOUNT
jmp doreti
+ .endm
- INTR(0, atpic_intr0)
- INTR(1, atpic_intr1)
- INTR(2, atpic_intr2)
- INTR(3, atpic_intr3)
- INTR(4, atpic_intr4)
- INTR(5, atpic_intr5)
- INTR(6, atpic_intr6)
- INTR(7, atpic_intr7)
- INTR(8, atpic_intr8)
- INTR(9, atpic_intr9)
- INTR(10, atpic_intr10)
- INTR(11, atpic_intr11)
- INTR(12, atpic_intr12)
- INTR(13, atpic_intr13)
- INTR(14, atpic_intr14)
- INTR(15, atpic_intr15)
+ INTR 0, atpic_intr0
+ INTR 1, atpic_intr1
+ INTR 2, atpic_intr2
+ INTR 3, atpic_intr3
+ INTR 4, atpic_intr4
+ INTR 5, atpic_intr5
+ INTR 6, atpic_intr6
+ INTR 7, atpic_intr7
+ INTR 8, atpic_intr8
+ INTR 9, atpic_intr9
+ INTR 10, atpic_intr10
+ INTR 11, atpic_intr11
+ INTR 12, atpic_intr12
+ INTR 13, atpic_intr13
+ INTR 14, atpic_intr14
+ INTR 15, atpic_intr15
Index: sys/amd64/amd64/cpu_switch.S
===================================================================
--- sys/amd64/amd64/cpu_switch.S (版本 330566)
+++ sys/amd64/amd64/cpu_switch.S (版本 330908)
@@ -191,9 +191,11 @@
done_tss:
movq %r8,PCPU(RSP0)
movq %r8,PCPU(CURPCB)
- /* Update the TSS_RSP0 pointer for the next interrupt */
+ /* Update the COMMON_TSS_RSP0 pointer for the next interrupt */
+ cmpb $0,pti(%rip)
+ jne 1f
movq %r8,COMMON_TSS_RSP0(%rdx)
- movq %r12,PCPU(CURTHREAD) /* into next thread */
+1: movq %r12,PCPU(CURTHREAD) /* into next thread */
/* Test if debug registers should be restored. */
testl $PCB_DBREGS,PCB_FLAGS(%r8)
@@ -270,7 +272,12 @@
shrq $8,%rcx
movl %ecx,8(%rax)
movb $0x89,5(%rax) /* unset busy */
- movl $TSSSEL,%eax
+ cmpb $0,pti(%rip)
+ je 1f
+ movq PCPU(PRVSPACE),%rax
+ addq $PC_PTI_STACK+PC_PTI_STACK_SZ*8,%rax
+ movq %rax,COMMON_TSS_RSP0(%rdx)
+1: movl $TSSSEL,%eax
ltr %ax
jmp done_tss
Index: sys/amd64/amd64/db_trace.c
===================================================================
--- sys/amd64/amd64/db_trace.c (版本 330566)
+++ sys/amd64/amd64/db_trace.c (版本 330908)
@@ -200,6 +200,7 @@
if (name != NULL) {
if (strcmp(name, "calltrap") == 0 ||
strcmp(name, "fork_trampoline") == 0 ||
+ strcmp(name, "mchk_calltrap") == 0 ||
strcmp(name, "nmi_calltrap") == 0 ||
strcmp(name, "Xdblfault") == 0)
frame_type = TRAP;
Index: sys/amd64/amd64/exception.S
===================================================================
--- sys/amd64/amd64/exception.S (版本 330566)
+++ sys/amd64/amd64/exception.S (版本 330908)
@@ -1,12 +1,16 @@
/*-
* Copyright (c) 1989, 1990 William F. Jolitz.
* Copyright (c) 1990 The Regents of the University of California.
- * Copyright (c) 2007 The FreeBSD Foundation
+ * Copyright (c) 2007-2018 The FreeBSD Foundation
* All rights reserved.
*
* Portions of this software were developed by A. Joseph Koshy under
* sponsorship from the FreeBSD Foundation and Google, Inc.
*
+ * Portions of this software were developed by
+ * Konstantin Belousov <kib@FreeBSD.org> under sponsorship from
+ * the FreeBSD Foundation.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -38,13 +42,13 @@
#include "opt_compat.h"
#include "opt_hwpmc_hooks.h"
+#include "assym.s"
+
#include <machine/asmacros.h>
#include <machine/psl.h>
#include <machine/trap.h>
#include <machine/specialreg.h>
-#include "assym.s"
-
#ifdef KDTRACE_HOOKS
.bss
.globl dtrace_invop_jump_addr
@@ -100,69 +104,62 @@
MCOUNT_LABEL(user)
MCOUNT_LABEL(btrap)
-/* Traps that we leave interrupts disabled for.. */
-#define TRAP_NOEN(a) \
- subq $TF_RIP,%rsp; \
- movl $(a),TF_TRAPNO(%rsp) ; \
- movq $0,TF_ADDR(%rsp) ; \
- movq $0,TF_ERR(%rsp) ; \
+/* Traps that we leave interrupts disabled for. */
+ .macro TRAP_NOEN l, trapno
+ PTI_ENTRY \l,X\l
+ .globl X\l
+ .type X\l,@function
+X\l: subq $TF_RIP,%rsp
+ movl $\trapno,TF_TRAPNO(%rsp)
+ movq $0,TF_ADDR(%rsp)
+ movq $0,TF_ERR(%rsp)
jmp alltraps_noen
-IDTVEC(dbg)
- TRAP_NOEN(T_TRCTRAP)
-IDTVEC(bpt)
- TRAP_NOEN(T_BPTFLT)
+ .endm
+
+ TRAP_NOEN dbg, T_TRCTRAP
+ TRAP_NOEN bpt, T_BPTFLT
#ifdef KDTRACE_HOOKS
-IDTVEC(dtrace_ret)
- TRAP_NOEN(T_DTRACE_RET)
+ TRAP_NOEN dtrace_ret, T_DTRACE_RET
#endif
/* Regular traps; The cpu does not supply tf_err for these. */
-#define TRAP(a) \
- subq $TF_RIP,%rsp; \
- movl $(a),TF_TRAPNO(%rsp) ; \
- movq $0,TF_ADDR(%rsp) ; \
- movq $0,TF_ERR(%rsp) ; \
+ .macro TRAP l, trapno
+ PTI_ENTRY \l,X\l
+ .globl X\l
+ .type X\l,@function
+X\l:
+ subq $TF_RIP,%rsp
+ movl $\trapno,TF_TRAPNO(%rsp)
+ movq $0,TF_ADDR(%rsp)
+ movq $0,TF_ERR(%rsp)
jmp alltraps
-IDTVEC(div)
- TRAP(T_DIVIDE)
-IDTVEC(ofl)
- TRAP(T_OFLOW)
-IDTVEC(bnd)
- TRAP(T_BOUND)
-IDTVEC(ill)
- TRAP(T_PRIVINFLT)
-IDTVEC(dna)
- TRAP(T_DNA)
-IDTVEC(fpusegm)
- TRAP(T_FPOPFLT)
-IDTVEC(mchk)
- TRAP(T_MCHK)
-IDTVEC(rsvd)
- TRAP(T_RESERVED)
-IDTVEC(fpu)
- TRAP(T_ARITHTRAP)
-IDTVEC(xmm)
- TRAP(T_XMMFLT)
+ .endm
-/* This group of traps have tf_err already pushed by the cpu */
-#define TRAP_ERR(a) \
- subq $TF_ERR,%rsp; \
- movl $(a),TF_TRAPNO(%rsp) ; \
- movq $0,TF_ADDR(%rsp) ; \
+ TRAP div, T_DIVIDE
+ TRAP ofl, T_OFLOW
+ TRAP bnd, T_BOUND
+ TRAP ill, T_PRIVINFLT
+ TRAP dna, T_DNA
+ TRAP fpusegm, T_FPOPFLT
+ TRAP rsvd, T_RESERVED
+ TRAP fpu, T_ARITHTRAP
+ TRAP xmm, T_XMMFLT
+
+/* This group of traps have tf_err already pushed by the cpu. */
+ .macro TRAP_ERR l, trapno
+ PTI_ENTRY \l,X\l,has_err=1
+ .globl X\l
+ .type X\l,@function
+X\l:
+ subq $TF_ERR,%rsp
+ movl $\trapno,TF_TRAPNO(%rsp)
+ movq $0,TF_ADDR(%rsp)
jmp alltraps
-IDTVEC(tss)
- TRAP_ERR(T_TSSFLT)
-IDTVEC(missing)
- subq $TF_ERR,%rsp
- movl $T_SEGNPFLT,TF_TRAPNO(%rsp)
- jmp prot_addrf
-IDTVEC(stk)
- subq $TF_ERR,%rsp
- movl $T_STKFLT,TF_TRAPNO(%rsp)
- jmp prot_addrf
-IDTVEC(align)
- TRAP_ERR(T_ALIGNFLT)
+ .endm
+ TRAP_ERR tss, T_TSSFLT
+ TRAP_ERR align, T_ALIGNFLT
+
/*
* alltraps entry point. Use swapgs if this is the first time in the
* kernel from userland. Reenable interrupts if they were enabled
@@ -174,25 +171,24 @@
alltraps:
movq %rdi,TF_RDI(%rsp)
testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
- jz alltraps_testi /* already running with kernel GS.base */
+ jz 1f /* already running with kernel GS.base */
swapgs
movq PCPU(CURPCB),%rdi
andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
-alltraps_testi:
- testl $PSL_I,TF_RFLAGS(%rsp)
- jz alltraps_pushregs_no_rdi
+1: SAVE_SEGS
+ movq %rdx,TF_RDX(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
+ jz 2f
+ call handle_ibrs_entry
+2: testl $PSL_I,TF_RFLAGS(%rsp)
+ jz alltraps_pushregs_no_rax
sti
-alltraps_pushregs_no_rdi:
+alltraps_pushregs_no_rax:
movq %rsi,TF_RSI(%rsp)
- movq %rdx,TF_RDX(%rsp)
- movq %rcx,TF_RCX(%rsp)
movq %r8,TF_R8(%rsp)
movq %r9,TF_R9(%rsp)
- movq %rax,TF_RAX(%rsp)
movq %rbx,TF_RBX(%rsp)
movq %rbp,TF_RBP(%rsp)
movq %r10,TF_R10(%rsp)
@@ -248,15 +244,18 @@
alltraps_noen:
movq %rdi,TF_RDI(%rsp)
testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
- jz 1f /* already running with kernel GS.base */
+ jz 1f /* already running with kernel GS.base */
swapgs
movq PCPU(CURPCB),%rdi
andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
-1: movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
- jmp alltraps_pushregs_no_rdi
+1: SAVE_SEGS
+ movq %rdx,TF_RDX(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
+ jz alltraps_pushregs_no_rax
+ call handle_ibrs_entry
+ jmp alltraps_pushregs_no_rax
IDTVEC(dblfault)
subq $TF_ERR,%rsp
@@ -278,10 +277,7 @@
movq %r13,TF_R13(%rsp)
movq %r14,TF_R14(%rsp)
movq %r15,TF_R15(%rsp)
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
+ SAVE_SEGS
movl $TF_HASSEGS,TF_FLAGS(%rsp)
cld
testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
@@ -288,31 +284,54 @@
jz 1f /* already running with kernel GS.base */
swapgs
1:
- movq %rsp,%rdi
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 2f
+ movq %rax,%cr3
+2: movq %rsp,%rdi
call dblfault_handler
-2:
- hlt
- jmp 2b
+3: hlt
+ jmp 3b
+ ALIGN_TEXT
+IDTVEC(page_pti)
+ testb $SEL_RPL_MASK,PTI_CS-2*8(%rsp)
+ jz Xpage
+ swapgs
+ pushq %rax
+ pushq %rdx
+ movq %cr3,%rax
+ movq %rax,PCPU(SAVED_UCR3)
+ PTI_UUENTRY has_err=1
+ subq $TF_ERR,%rsp
+ movq %rdi,TF_RDI(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ jmp page_u
IDTVEC(page)
subq $TF_ERR,%rsp
- movl $T_PAGEFLT,TF_TRAPNO(%rsp)
- movq %rdi,TF_RDI(%rsp) /* free up a GP register */
+ movq %rdi,TF_RDI(%rsp) /* free up GP registers */
+ movq %rax,TF_RAX(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
- jz 1f /* already running with kernel GS.base */
+ jz page_cr2 /* already running with kernel GS.base */
swapgs
- movq PCPU(CURPCB),%rdi
+page_u: movq PCPU(CURPCB),%rdi
andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
-1: movq %cr2,%rdi /* preserve %cr2 before .. */
+ movq PCPU(SAVED_UCR3),%rax
+ movq %rax,PCB_SAVED_UCR3(%rdi)
+ call handle_ibrs_entry
+page_cr2:
+ movq %cr2,%rdi /* preserve %cr2 before .. */
movq %rdi,TF_ADDR(%rsp) /* enabling interrupts. */
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
+ SAVE_SEGS
+ movl $T_PAGEFLT,TF_TRAPNO(%rsp)
testl $PSL_I,TF_RFLAGS(%rsp)
- jz alltraps_pushregs_no_rdi
+ jz alltraps_pushregs_no_rax
sti
- jmp alltraps_pushregs_no_rdi
+ jmp alltraps_pushregs_no_rax
/*
* We have to special-case this one. If we get a trap in doreti() at
@@ -319,30 +338,71 @@
* the iretq stage, we'll reenter with the wrong gs state. We'll have
* to do a special the swapgs in this case even coming from the kernel.
* XXX linux has a trap handler for their equivalent of load_gs().
+ *
+ * On the stack, we have the hardware interrupt frame to return
+ * to usermode (faulted) and another frame with error code, for
+ * fault. For PTI, copy both frames to the main thread stack.
*/
-IDTVEC(prot)
+ .macro PROTF_ENTRY name,trapno
+\name\()_pti_doreti:
+ pushq %rax
+ pushq %rdx
+ swapgs
+ movq PCPU(KCR3),%rax
+ movq %rax,%cr3
+ movq PCPU(RSP0),%rax
+ subq $2*PTI_SIZE-3*8,%rax /* no err, %rax, %rdx in faulted frame */
+ MOVE_STACKS (PTI_SIZE / 4 - 3)
+ movq %rax,%rsp
+ popq %rdx
+ popq %rax
+ swapgs
+ jmp X\name
+IDTVEC(\name\()_pti)
+ cmpq $doreti_iret,PTI_RIP-2*8(%rsp)
+ je \name\()_pti_doreti
+ testb $SEL_RPL_MASK,PTI_CS-2*8(%rsp) /* %rax, %rdx not yet pushed */
+ jz X\name
+ PTI_UENTRY has_err=1
+ swapgs
+IDTVEC(\name)
subq $TF_ERR,%rsp
- movl $T_PROTFLT,TF_TRAPNO(%rsp)
+ movl $\trapno,TF_TRAPNO(%rsp)
+ jmp prot_addrf
+ .endm
+
+ PROTF_ENTRY missing, T_SEGNPFLT
+ PROTF_ENTRY stk, T_STKFLT
+ PROTF_ENTRY prot, T_PROTFLT
+
prot_addrf:
movq $0,TF_ADDR(%rsp)
movq %rdi,TF_RDI(%rsp) /* free up a GP register */
+ movq %rax,TF_RAX(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ movw %fs,TF_FS(%rsp)
+ movw %gs,TF_GS(%rsp)
leaq doreti_iret(%rip),%rdi
cmpq %rdi,TF_RIP(%rsp)
- je 1f /* kernel but with user gsbase!! */
+ je 5f /* kernel but with user gsbase!! */
testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
- jz 2f /* already running with kernel GS.base */
-1: swapgs
-2: movq PCPU(CURPCB),%rdi
+ jz 6f /* already running with kernel GS.base */
+ swapgs
+ movq PCPU(CURPCB),%rdi
+4: call handle_ibrs_entry
orl $PCB_FULL_IRET,PCB_FLAGS(%rdi) /* always full iret from GPF */
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
movw %es,TF_ES(%rsp)
movw %ds,TF_DS(%rsp)
testl $PSL_I,TF_RFLAGS(%rsp)
- jz alltraps_pushregs_no_rdi
+ jz alltraps_pushregs_no_rax
sti
- jmp alltraps_pushregs_no_rdi
+ jmp alltraps_pushregs_no_rax
+5: swapgs
+6: movq PCPU(CURPCB),%rdi
+ jmp 4b
+
/*
* Fast syscall entry point. We enter here with just our new %cs/%ss set,
* and the new privilige level. We are still running on the old user stack
@@ -352,8 +412,18 @@
* We do not support invoking this from a custom %cs or %ss (e.g. using
* entries from an LDT).
*/
+ SUPERALIGN_TEXT
+IDTVEC(fast_syscall_pti)
+ swapgs
+ movq %rax,PCPU(SCRATCH_RAX)
+ movq PCPU(KCR3),%rax
+ movq %rax,%cr3
+ jmp fast_syscall_common
+ SUPERALIGN_TEXT
IDTVEC(fast_syscall)
swapgs
+ movq %rax,PCPU(SCRATCH_RAX)
+fast_syscall_common:
movq %rsp,PCPU(SCRATCH_RSP)
movq PCPU(RSP0),%rsp
/* Now emulate a trapframe. Make the 8 byte alignment odd for call. */
@@ -363,10 +433,11 @@
movq %rcx,TF_RIP(%rsp) /* %rcx original value is in %r10 */
movq PCPU(SCRATCH_RSP),%r11 /* %r11 already saved */
movq %r11,TF_RSP(%rsp) /* user stack pointer */
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
+ movq PCPU(SCRATCH_RAX),%rax
+ movq %rax,TF_RAX(%rsp) /* syscall number */
+ movq %rdx,TF_RDX(%rsp) /* arg 3 */
+ SAVE_SEGS
+ call handle_ibrs_entry
movq PCPU(CURPCB),%r11
andl $~PCB_FULL_IRET,PCB_FLAGS(%r11)
sti
@@ -375,11 +446,9 @@
movq $2,TF_ERR(%rsp)
movq %rdi,TF_RDI(%rsp) /* arg 1 */
movq %rsi,TF_RSI(%rsp) /* arg 2 */
- movq %rdx,TF_RDX(%rsp) /* arg 3 */
movq %r10,TF_RCX(%rsp) /* arg 4 */
movq %r8,TF_R8(%rsp) /* arg 5 */
movq %r9,TF_R9(%rsp) /* arg 6 */
- movq %rax,TF_RAX(%rsp) /* syscall number */
movq %rbx,TF_RBX(%rsp) /* C preserved */
movq %rbp,TF_RBP(%rsp) /* C preserved */
movq %r12,TF_R12(%rsp) /* C preserved */
@@ -398,11 +467,12 @@
/* Disable interrupts before testing PCB_FULL_IRET. */
cli
testl $PCB_FULL_IRET,PCB_FLAGS(%rax)
- jnz 3f
+ jnz 4f
/* Check for and handle AST's on return to userland. */
movq PCPU(CURTHREAD),%rax
testl $TDF_ASTPENDING | TDF_NEEDRESCHED,TD_FLAGS(%rax)
- jne 2f
+ jne 3f
+ call handle_ibrs_exit
/* Restore preserved registers. */
MEXITCOUNT
movq TF_RDI(%rsp),%rdi /* bonus; preserve arg 1 */
@@ -412,16 +482,21 @@
movq TF_RFLAGS(%rsp),%r11 /* original %rflags */
movq TF_RIP(%rsp),%rcx /* original %rip */
movq TF_RSP(%rsp),%rsp /* user stack pointer */
- swapgs
+ cmpb $0,pti
+ je 2f
+ movq PCPU(UCR3),%r9
+ movq %r9,%cr3
+ xorl %r9d,%r9d
+2: swapgs
sysretq
-2: /* AST scheduled. */
+3: /* AST scheduled. */
sti
movq %rsp,%rdi
call ast
jmp 1b
-3: /* Requested full context restore, use doreti for that. */
+4: /* Requested full context restore, use doreti for that. */
MEXITCOUNT
jmp doreti
@@ -477,10 +552,7 @@
movq %r13,TF_R13(%rsp)
movq %r14,TF_R14(%rsp)
movq %r15,TF_R15(%rsp)
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
+ SAVE_SEGS
movl $TF_HASSEGS,TF_FLAGS(%rsp)
cld
xorl %ebx,%ebx
@@ -487,7 +559,8 @@
testb $SEL_RPL_MASK,TF_CS(%rsp)
jnz nmi_fromuserspace
/*
- * We've interrupted the kernel. Preserve GS.base in %r12.
+ * We've interrupted the kernel. Preserve GS.base in %r12,
+ * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d.
*/
movl $MSR_GSBASE,%ecx
rdmsr
@@ -499,10 +572,32 @@
movl %edx,%eax
shrq $32,%rdx
wrmsr
+ movq %cr3,%r13
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 1f
+ movq %rax,%cr3
+1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
+ je nmi_calltrap
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ rdmsr
+ movl %eax,%r14d
+ call handle_ibrs_entry
jmp nmi_calltrap
nmi_fromuserspace:
incl %ebx
swapgs
+ movq %cr3,%r13
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 1f
+ movq %rax,%cr3
+1: call handle_ibrs_entry
+ movq PCPU(CURPCB),%rdi
+ testq %rdi,%rdi
+ jz 3f
+ orl $PCB_FULL_IRET,PCB_FLAGS(%rdi)
+3:
/* Note: this label is also used by ddb and gdb: */
nmi_calltrap:
FAKE_MCOUNT(TF_RIP(%rsp))
@@ -525,14 +620,9 @@
movq PCPU(CURTHREAD),%rax
orq %rax,%rax /* curthread present? */
jz nocallchain
- testl $TDP_CALLCHAIN,TD_PFLAGS(%rax) /* flagged for capture? */
- jz nocallchain
/*
- * A user callchain is to be captured, so:
- * - Move execution to the regular kernel stack, to allow for
- * nested NMI interrupts.
- * - Take the processor out of "NMI" mode by faking an "iret".
- * - Enable interrupts, so that copyin() can work.
+ * Move execution to the regular kernel stack, because we
+ * committed to return through doreti.
*/
movq %rsp,%rsi /* source stack pointer */
movq $TF_SIZE,%rcx
@@ -539,12 +629,20 @@
movq PCPU(RSP0),%rdx
subq %rcx,%rdx
movq %rdx,%rdi /* destination stack pointer */
-
shrq $3,%rcx /* trap frame size in long words */
cld
rep
movsq /* copy trapframe */
+ movq %rdx,%rsp /* we are on the regular kstack */
+ testl $TDP_CALLCHAIN,TD_PFLAGS(%rax) /* flagged for capture? */
+ jz nocallchain
+ /*
+ * A user callchain is to be captured, so:
+ * - Take the processor out of "NMI" mode by faking an "iret",
+ * to allow for nested NMI interrupts.
+ * - Enable interrupts, so that copyin() can work.
+ */
movl %ss,%eax
pushq %rax /* tf_ss */
pushq %rdx /* tf_rsp (on kernel stack) */
@@ -574,33 +672,139 @@
cli
nocallchain:
#endif
- testl %ebx,%ebx
+ testl %ebx,%ebx /* %ebx == 0 => return to userland */
jnz doreti_exit
-nmi_kernelexit:
/*
+ * Restore speculation control MSR, if preserved.
+ */
+ testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
+ je 1f
+ movl %r14d,%eax
+ xorl %edx,%edx
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ wrmsr
+ /*
* Put back the preserved MSR_GSBASE value.
*/
+1: movl $MSR_GSBASE,%ecx
+ movq %r12,%rdx
+ movl %edx,%eax
+ shrq $32,%rdx
+ wrmsr
+ movq %r13,%cr3
+ RESTORE_REGS
+ addq $TF_RIP,%rsp
+ jmp doreti_iret
+
+/*
+ * MC# handling is similar to NMI.
+ *
+ * As with NMIs, machine check exceptions do not respect RFLAGS.IF and
+ * can occur at any time with a GS.base value that does not correspond
+ * to the privilege level in CS.
+ *
+ * Machine checks are not unblocked by iretq, but it is best to run
+ * the handler with interrupts disabled since the exception may have
+ * interrupted a critical section.
+ *
+ * The MC# handler runs on its own stack (tss_ist3). The canonical
+ * GS.base value for the processor is stored just above the bottom of
+ * its MC# stack. For exceptions taken from kernel mode, the current
+ * value in the processor's GS.base is saved at entry to C-preserved
+ * register %r12, the canonical value for GS.base is then loaded into
+ * the processor, and the saved value is restored at exit time. For
+ * exceptions taken from user mode, the cheaper 'SWAPGS' instructions
+ * are used for swapping GS.base.
+ */
+
+IDTVEC(mchk)
+ subq $TF_RIP,%rsp
+ movl $(T_MCHK),TF_TRAPNO(%rsp)
+ movq $0,TF_ADDR(%rsp)
+ movq $0,TF_ERR(%rsp)
+ movq %rdi,TF_RDI(%rsp)
+ movq %rsi,TF_RSI(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ movq %r8,TF_R8(%rsp)
+ movq %r9,TF_R9(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rbx,TF_RBX(%rsp)
+ movq %rbp,TF_RBP(%rsp)
+ movq %r10,TF_R10(%rsp)
+ movq %r11,TF_R11(%rsp)
+ movq %r12,TF_R12(%rsp)
+ movq %r13,TF_R13(%rsp)
+ movq %r14,TF_R14(%rsp)
+ movq %r15,TF_R15(%rsp)
+ SAVE_SEGS
+ movl $TF_HASSEGS,TF_FLAGS(%rsp)
+ cld
+ xorl %ebx,%ebx
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
+ jnz mchk_fromuserspace
+ /*
+ * We've interrupted the kernel. Preserve GS.base in %r12,
+ * %cr3 in %r13, and possibly lower half of MSR_IA32_SPEC_CTL in %r14d.
+ */
movl $MSR_GSBASE,%ecx
+ rdmsr
+ movq %rax,%r12
+ shlq $32,%rdx
+ orq %rdx,%r12
+ /* Retrieve and load the canonical value for GS.base. */
+ movq TF_SIZE(%rsp),%rdx
+ movl %edx,%eax
+ shrq $32,%rdx
+ wrmsr
+ movq %cr3,%r13
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 1f
+ movq %rax,%cr3
+1: testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
+ je mchk_calltrap
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ rdmsr
+ movl %eax,%r14d
+ call handle_ibrs_entry
+ jmp mchk_calltrap
+mchk_fromuserspace:
+ incl %ebx
+ swapgs
+ movq %cr3,%r13
+ movq PCPU(KCR3),%rax
+ cmpq $~0,%rax
+ je 1f
+ movq %rax,%cr3
+1: call handle_ibrs_entry
+/* Note: this label is also used by ddb and gdb: */
+mchk_calltrap:
+ FAKE_MCOUNT(TF_RIP(%rsp))
+ movq %rsp,%rdi
+ call mca_intr
+ MEXITCOUNT
+ testl %ebx,%ebx /* %ebx == 0 => return to userland */
+ jnz doreti_exit
+ /*
+ * Restore speculation control MSR, if preserved.
+ */
+ testl $CPUID_STDEXT3_IBPB,cpu_stdext_feature3(%rip)
+ je 1f
+ movl %r14d,%eax
+ xorl %edx,%edx
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ wrmsr
+ /*
+ * Put back the preserved MSR_GSBASE value.
+ */
+1: movl $MSR_GSBASE,%ecx
movq %r12,%rdx
movl %edx,%eax
shrq $32,%rdx
wrmsr
-nmi_restoreregs:
- movq TF_RDI(%rsp),%rdi
- movq TF_RSI(%rsp),%rsi
- movq TF_RDX(%rsp),%rdx
- movq TF_RCX(%rsp),%rcx
- movq TF_R8(%rsp),%r8
- movq TF_R9(%rsp),%r9
- movq TF_RAX(%rsp),%rax
- movq TF_RBX(%rsp),%rbx
- movq TF_RBP(%rsp),%rbp
- movq TF_R10(%rsp),%r10
- movq TF_R11(%rsp),%r11
- movq TF_R12(%rsp),%r12
- movq TF_R13(%rsp),%r13
- movq TF_R14(%rsp),%r14
- movq TF_R15(%rsp),%r15
+ movq %r13,%cr3
+ RESTORE_REGS
addq $TF_RIP,%rsp
jmp doreti_iret
@@ -767,27 +971,39 @@
ld_ds:
movw TF_DS(%rsp),%ds
ld_regs:
- movq TF_RDI(%rsp),%rdi
- movq TF_RSI(%rsp),%rsi
- movq TF_RDX(%rsp),%rdx
- movq TF_RCX(%rsp),%rcx
- movq TF_R8(%rsp),%r8
- movq TF_R9(%rsp),%r9
- movq TF_RAX(%rsp),%rax
- movq TF_RBX(%rsp),%rbx
- movq TF_RBP(%rsp),%rbp
- movq TF_R10(%rsp),%r10
- movq TF_R11(%rsp),%r11
- movq TF_R12(%rsp),%r12
- movq TF_R13(%rsp),%r13
- movq TF_R14(%rsp),%r14
- movq TF_R15(%rsp),%r15
+ RESTORE_REGS
testb $SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
- jz 1f /* keep running with kernel GS.base */
+ jz 2f /* keep running with kernel GS.base */
cli
+ call handle_ibrs_exit_rs
+ cmpb $0,pti
+ je 1f
+ pushq %rdx
+ movq PCPU(PRVSPACE),%rdx
+ addq $PC_PTI_STACK+PC_PTI_STACK_SZ*8-PTI_SIZE,%rdx
+ movq %rax,PTI_RAX(%rdx)
+ popq %rax
+ movq %rax,PTI_RDX(%rdx)
+ movq TF_RIP(%rsp),%rax
+ movq %rax,PTI_RIP(%rdx)
+ movq TF_CS(%rsp),%rax
+ movq %rax,PTI_CS(%rdx)
+ movq TF_RFLAGS(%rsp),%rax
+ movq %rax,PTI_RFLAGS(%rdx)
+ movq TF_RSP(%rsp),%rax
+ movq %rax,PTI_RSP(%rdx)
+ movq TF_SS(%rsp),%rax
+ movq %rax,PTI_SS(%rdx)
+ movq PCPU(UCR3),%rax
swapgs
-1:
- addq $TF_RIP,%rsp /* skip over tf_err, tf_trapno */
+ movq %rdx,%rsp
+ movq %rax,%cr3
+ popq %rdx
+ popq %rax
+ addq $8,%rsp
+ jmp doreti_iret
+1: swapgs
+2: addq $TF_RIP,%rsp
.globl doreti_iret
doreti_iret:
iretq
@@ -811,22 +1027,20 @@
.globl doreti_iret_fault
doreti_iret_fault:
subq $TF_RIP,%rsp /* space including tf_err, tf_trapno */
- testl $PSL_I,TF_RFLAGS(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ call handle_ibrs_entry
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
jz 1f
sti
1:
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
+ SAVE_SEGS
movl $TF_HASSEGS,TF_FLAGS(%rsp)
movq %rdi,TF_RDI(%rsp)
movq %rsi,TF_RSI(%rsp)
- movq %rdx,TF_RDX(%rsp)
- movq %rcx,TF_RCX(%rsp)
movq %r8,TF_R8(%rsp)
movq %r9,TF_R9(%rsp)
- movq %rax,TF_RAX(%rsp)
movq %rbx,TF_RBX(%rsp)
movq %rbp,TF_RBP(%rsp)
movq %r10,TF_R10(%rsp)
@@ -845,7 +1059,7 @@
.globl ds_load_fault
ds_load_fault:
movl $T_PROTFLT,TF_TRAPNO(%rsp)
- testl $PSL_I,TF_RFLAGS(%rsp)
+ testb $SEL_RPL_MASK,TF_CS(%rsp)
jz 1f
sti
1:
Index: sys/amd64/amd64/genassym.c
===================================================================
--- sys/amd64/amd64/genassym.c (版本 330566)
+++ sys/amd64/amd64/genassym.c (版本 330908)
@@ -145,6 +145,7 @@
ASSYM(PCB_TR, offsetof(struct pcb, pcb_tr));
ASSYM(PCB_FLAGS, offsetof(struct pcb, pcb_flags));
ASSYM(PCB_ONFAULT, offsetof(struct pcb, pcb_onfault));
+ASSYM(PCB_SAVED_UCR3, offsetof(struct pcb, pcb_saved_ucr3));
ASSYM(PCB_TSSP, offsetof(struct pcb, pcb_tssp));
ASSYM(PCB_SAVEFPU, offsetof(struct pcb, pcb_save));
ASSYM(PCB_EFER, offsetof(struct pcb, pcb_efer));
@@ -190,6 +191,16 @@
ASSYM(TF_SIZE, sizeof(struct trapframe));
ASSYM(TF_HASSEGS, TF_HASSEGS);
+ASSYM(PTI_RDX, offsetof(struct pti_frame, pti_rdx));
+ASSYM(PTI_RAX, offsetof(struct pti_frame, pti_rax));
+ASSYM(PTI_ERR, offsetof(struct pti_frame, pti_err));
+ASSYM(PTI_RIP, offsetof(struct pti_frame, pti_rip));
+ASSYM(PTI_CS, offsetof(struct pti_frame, pti_cs));
+ASSYM(PTI_RFLAGS, offsetof(struct pti_frame, pti_rflags));
+ASSYM(PTI_RSP, offsetof(struct pti_frame, pti_rsp));
+ASSYM(PTI_SS, offsetof(struct pti_frame, pti_ss));
+ASSYM(PTI_SIZE, sizeof(struct pti_frame));
+
ASSYM(SIGF_HANDLER, offsetof(struct sigframe, sf_ahu.sf_handler));
ASSYM(SIGF_UC, offsetof(struct sigframe, sf_uc));
ASSYM(UC_EFLAGS, offsetof(ucontext_t, uc_mcontext.mc_rflags));
@@ -206,6 +217,7 @@
ASSYM(PC_CURPCB, offsetof(struct pcpu, pc_curpcb));
ASSYM(PC_CPUID, offsetof(struct pcpu, pc_cpuid));
ASSYM(PC_SCRATCH_RSP, offsetof(struct pcpu, pc_scratch_rsp));
+ASSYM(PC_SCRATCH_RAX, offsetof(struct pcpu, pc_scratch_rax));
ASSYM(PC_CURPMAP, offsetof(struct pcpu, pc_curpmap));
ASSYM(PC_TSSP, offsetof(struct pcpu, pc_tssp));
ASSYM(PC_RSP0, offsetof(struct pcpu, pc_rsp0));
@@ -215,6 +227,12 @@
ASSYM(PC_COMMONTSSP, offsetof(struct pcpu, pc_commontssp));
ASSYM(PC_TSS, offsetof(struct pcpu, pc_tss));
ASSYM(PC_PM_SAVE_CNT, offsetof(struct pcpu, pc_pm_save_cnt));
+ASSYM(PC_KCR3, offsetof(struct pcpu, pc_kcr3));
+ASSYM(PC_UCR3, offsetof(struct pcpu, pc_ucr3));
+ASSYM(PC_SAVED_UCR3, offsetof(struct pcpu, pc_saved_ucr3));
+ASSYM(PC_PTI_STACK, offsetof(struct pcpu, pc_pti_stack));
+ASSYM(PC_PTI_STACK_SZ, PC_PTI_STACK_SZ);
+ASSYM(PC_IBPB_SET, offsetof(struct pcpu, pc_ibpb_set));
ASSYM(LA_EOI, LAPIC_EOI * LAPIC_MEM_MUL);
ASSYM(LA_ISR, LAPIC_ISR0 * LAPIC_MEM_MUL);
Index: sys/amd64/amd64/initcpu.c
===================================================================
--- sys/amd64/amd64/initcpu.c (版本 330566)
+++ sys/amd64/amd64/initcpu.c (版本 330908)
@@ -194,6 +194,7 @@
wrmsr(MSR_EFER, msr);
pg_nx = PG_NX;
}
+ hw_ibrs_recalculate();
switch (cpu_vendor_id) {
case CPU_VENDOR_AMD:
init_amd();
Index: sys/amd64/amd64/machdep.c
===================================================================
--- sys/amd64/amd64/machdep.c (版本 330566)
+++ sys/amd64/amd64/machdep.c (版本 330908)
@@ -114,6 +114,7 @@
#include <machine/clock.h>
#include <machine/cpu.h>
#include <machine/cputypes.h>
+#include <machine/frame.h>
#include <machine/intr_machdep.h>
#include <x86/mca.h>
#include <machine/md_var.h>
@@ -149,6 +150,14 @@
/* Sanity check for __curthread() */
CTASSERT(offsetof(struct pcpu, pc_curthread) == 0);
+/*
+ * The PTI trampoline stack needs enough space for a hardware trapframe and a
+ * couple of scratch registers, as well as the trapframe left behind after an
+ * iret fault.
+ */
+CTASSERT(PC_PTI_STACK_SZ * sizeof(register_t) >= 2 * sizeof(struct pti_frame) -
+ offsetof(struct pti_frame, pti_rip));
+
extern u_int64_t hammer_time(u_int64_t, u_int64_t);
#define CS_SECURE(cs) (ISPL(cs) == SEL_UPL)
@@ -180,12 +189,6 @@
.msi_init = msi_init,
};
-/*
- * The file "conf/ldscript.amd64" defines the symbol "kernphys". Its value is
- * the physical address at which the kernel is loaded.
- */
-extern char kernphys[];
-
struct msgbuf *msgbufp;
/*
@@ -670,7 +673,7 @@
struct gate_descriptor *idt = &idt0[0]; /* interrupt descriptor table */
static char dblfault_stack[PAGE_SIZE] __aligned(16);
-
+static char mce0_stack[PAGE_SIZE] __aligned(16);
static char nmi0_stack[PAGE_SIZE] __aligned(16);
CTASSERT(sizeof(struct nmi_pcpu) == 16);
@@ -824,13 +827,20 @@
IDTVEC(tss), IDTVEC(missing), IDTVEC(stk), IDTVEC(prot),
IDTVEC(page), IDTVEC(mchk), IDTVEC(rsvd), IDTVEC(fpu), IDTVEC(align),
IDTVEC(xmm), IDTVEC(dblfault),
+ IDTVEC(div_pti), IDTVEC(dbg_pti), IDTVEC(bpt_pti),
+ IDTVEC(ofl_pti), IDTVEC(bnd_pti), IDTVEC(ill_pti), IDTVEC(dna_pti),
+ IDTVEC(fpusegm_pti), IDTVEC(tss_pti), IDTVEC(missing_pti),
+ IDTVEC(stk_pti), IDTVEC(prot_pti), IDTVEC(page_pti),
+ IDTVEC(rsvd_pti), IDTVEC(fpu_pti), IDTVEC(align_pti),
+ IDTVEC(xmm_pti),
#ifdef KDTRACE_HOOKS
- IDTVEC(dtrace_ret),
+ IDTVEC(dtrace_ret), IDTVEC(dtrace_ret_pti),
#endif
#ifdef XENHVM
- IDTVEC(xen_intr_upcall),
+ IDTVEC(xen_intr_upcall), IDTVEC(xen_intr_upcall_pti),
#endif
- IDTVEC(fast_syscall), IDTVEC(fast_syscall32);
+ IDTVEC(fast_syscall), IDTVEC(fast_syscall32),
+ IDTVEC(fast_syscall_pti);
#ifdef DDB
/*
@@ -1523,6 +1533,23 @@
#endif
}
+/* Set up the fast syscall stuff */
+void
+amd64_conf_fast_syscall(void)
+{
+ uint64_t msr;
+
+ msr = rdmsr(MSR_EFER) | EFER_SCE;
+ wrmsr(MSR_EFER, msr);
+ wrmsr(MSR_LSTAR, pti ? (u_int64_t)IDTVEC(fast_syscall_pti) :
+ (u_int64_t)IDTVEC(fast_syscall));
+ wrmsr(MSR_CSTAR, (u_int64_t)IDTVEC(fast_syscall32));
+ msr = ((u_int64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) |
+ ((u_int64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48);
+ wrmsr(MSR_STAR, msr);
+ wrmsr(MSR_SF_MASK, PSL_NT | PSL_T | PSL_I | PSL_C | PSL_D);
+}
+
u_int64_t
hammer_time(u_int64_t modulep, u_int64_t physfree)
{
@@ -1531,7 +1558,7 @@
struct pcpu *pc;
struct nmi_pcpu *np;
struct xstate_hdr *xhdr;
- u_int64_t msr;
+ u_int64_t rsp0;
char *env;
size_t kstack0_sz;
int late_console;
@@ -1544,6 +1571,8 @@
kmdp = init_ops.parse_preload_data(modulep);
+ identify_cpu1();
+
/* Init basic tunables, hz etc */
init_param1();
@@ -1600,34 +1629,55 @@
mtx_init(&dt_lock, "descriptor tables", NULL, MTX_DEF);
/* exceptions */
+ pti = pti_get_default();
+ TUNABLE_INT_FETCH("vm.pmap.pti", &pti);
+
for (x = 0; x < NIDT; x++)
- setidt(x, &IDTVEC(rsvd), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_DE, &IDTVEC(div), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_DB, &IDTVEC(dbg), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(x, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_DE, pti ? &IDTVEC(div_pti) : &IDTVEC(div), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_DB, pti ? &IDTVEC(dbg_pti) : &IDTVEC(dbg), SDT_SYSIGT,
+ SEL_KPL, 0);
setidt(IDT_NMI, &IDTVEC(nmi), SDT_SYSIGT, SEL_KPL, 2);
- setidt(IDT_BP, &IDTVEC(bpt), SDT_SYSIGT, SEL_UPL, 0);
- setidt(IDT_OF, &IDTVEC(ofl), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_BR, &IDTVEC(bnd), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_UD, &IDTVEC(ill), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_NM, &IDTVEC(dna), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IDT_BP, pti ? &IDTVEC(bpt_pti) : &IDTVEC(bpt), SDT_SYSIGT,
+ SEL_UPL, 0);
+ setidt(IDT_OF, pti ? &IDTVEC(ofl_pti) : &IDTVEC(ofl), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_BR, pti ? &IDTVEC(bnd_pti) : &IDTVEC(bnd), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_UD, pti ? &IDTVEC(ill_pti) : &IDTVEC(ill), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_NM, pti ? &IDTVEC(dna_pti) : &IDTVEC(dna), SDT_SYSIGT,
+ SEL_KPL, 0);
setidt(IDT_DF, &IDTVEC(dblfault), SDT_SYSIGT, SEL_KPL, 1);
- setidt(IDT_FPUGP, &IDTVEC(fpusegm), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_TS, &IDTVEC(tss), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_NP, &IDTVEC(missing), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_SS, &IDTVEC(stk), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_GP, &IDTVEC(prot), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_PF, &IDTVEC(page), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_MF, &IDTVEC(fpu), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_AC, &IDTVEC(align), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_MC, &IDTVEC(mchk), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IDT_XF, &IDTVEC(xmm), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IDT_FPUGP, pti ? &IDTVEC(fpusegm_pti) : &IDTVEC(fpusegm),
+ SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IDT_TS, pti ? &IDTVEC(tss_pti) : &IDTVEC(tss), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_NP, pti ? &IDTVEC(missing_pti) : &IDTVEC(missing),
+ SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IDT_SS, pti ? &IDTVEC(stk_pti) : &IDTVEC(stk), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_GP, pti ? &IDTVEC(prot_pti) : &IDTVEC(prot), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_PF, pti ? &IDTVEC(page_pti) : &IDTVEC(page), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_MF, pti ? &IDTVEC(fpu_pti) : &IDTVEC(fpu), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_AC, pti ? &IDTVEC(align_pti) : &IDTVEC(align), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IDT_MC, &IDTVEC(mchk), SDT_SYSIGT, SEL_KPL, 3);
+ setidt(IDT_XF, pti ? &IDTVEC(xmm_pti) : &IDTVEC(xmm), SDT_SYSIGT,
+ SEL_KPL, 0);
#ifdef KDTRACE_HOOKS
- setidt(IDT_DTRACE_RET, &IDTVEC(dtrace_ret), SDT_SYSIGT, SEL_UPL, 0);
+ setidt(IDT_DTRACE_RET, pti ? &IDTVEC(dtrace_ret_pti) :
+ &IDTVEC(dtrace_ret), SDT_SYSIGT, SEL_UPL, 0);
#endif
#ifdef XENHVM
- setidt(IDT_EVTCHN, &IDTVEC(xen_intr_upcall), SDT_SYSIGT, SEL_UPL, 0);
+ setidt(IDT_EVTCHN, pti ? &IDTVEC(xen_intr_upcall_pti) :
+ &IDTVEC(xen_intr_upcall), SDT_SYSIGT, SEL_KPL, 0);
#endif
-
r_idt.rd_limit = sizeof(idt0) - 1;
r_idt.rd_base = (long) idt;
lidt(&r_idt);
@@ -1648,7 +1698,7 @@
!= NULL)
vty_set_preferred(VTY_VT);
- identify_cpu(); /* Final stage of CPU initialization */
+ finishidentcpu(); /* Final stage of CPU initialization */
initializecpu(); /* Initialize CPU registers */
initializecpucache();
@@ -1663,6 +1713,14 @@
np->np_pcpu = (register_t) pc;
common_tss[0].tss_ist2 = (long) np;
+ /*
+ * MC# stack, runs on ist3. The pcpu pointer is stored just
+ * above the start of the ist3 stack.
+ */
+ np = ((struct nmi_pcpu *) &mce0_stack[sizeof(mce0_stack)]) - 1;
+ np->np_pcpu = (register_t) pc;
+ common_tss[0].tss_ist3 = (long) np;
+
/* Set the IO permission bitmap (empty due to tss seg limit) */
common_tss[0].tss_iobase = sizeof(struct amd64tss) + IOPERM_BITMAP_SIZE;
@@ -1669,15 +1727,7 @@
gsel_tss = GSEL(GPROC0_SEL, SEL_KPL);
ltr(gsel_tss);
- /* Set up the fast syscall stuff */
- msr = rdmsr(MSR_EFER) | EFER_SCE;
- wrmsr(MSR_EFER, msr);
- wrmsr(MSR_LSTAR, (u_int64_t)IDTVEC(fast_syscall));
- wrmsr(MSR_CSTAR, (u_int64_t)IDTVEC(fast_syscall32));
- msr = ((u_int64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) |
- ((u_int64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48);
- wrmsr(MSR_STAR, msr);
- wrmsr(MSR_SF_MASK, PSL_NT|PSL_T|PSL_I|PSL_C|PSL_D);
+ amd64_conf_fast_syscall();
/*
* Temporary forge some valid pointer to PCB, for exception
@@ -1749,10 +1799,12 @@
xhdr->xstate_bv = xsave_mask;
}
/* make an initial tss so cpu can get interrupt stack on syscall! */
- common_tss[0].tss_rsp0 = (vm_offset_t)thread0.td_pcb;
+ rsp0 = (vm_offset_t)thread0.td_pcb;
/* Ensure the stack is aligned to 16 bytes */
- common_tss[0].tss_rsp0 &= ~0xFul;
- PCPU_SET(rsp0, common_tss[0].tss_rsp0);
+ rsp0 &= ~0xFul;
+ common_tss[0].tss_rsp0 = pti ? ((vm_offset_t)PCPU_PTR(pti_stack) +
+ PC_PTI_STACK_SZ * sizeof(uint64_t)) & ~0xful : rsp0;
+ PCPU_SET(rsp0, rsp0);
PCPU_SET(curpcb, thread0.td_pcb);
/* transfer to user mode */
@@ -1782,6 +1834,8 @@
#endif
thread0.td_critnest = 0;
+ TUNABLE_INT_FETCH("hw.ibrs_disable", &hw_ibrs_disable);
+
/* Location of kernel stack for locore */
return ((u_int64_t)thread0.td_pcb);
}
Index: sys/amd64/amd64/mp_machdep.c
===================================================================
--- sys/amd64/amd64/mp_machdep.c (版本 330566)
+++ sys/amd64/amd64/mp_machdep.c (版本 330908)
@@ -85,10 +85,9 @@
/* Temporary variables for init_secondary() */
char *doublefault_stack;
+char *mce_stack;
char *nmi_stack;
-extern inthand_t IDTVEC(fast_syscall), IDTVEC(fast_syscall32);
-
/*
* Local data and functions.
*/
@@ -132,33 +131,50 @@
/* Install an inter-CPU IPI for TLB invalidation */
if (pmap_pcid_enabled) {
if (invpcid_works) {
- setidt(IPI_INVLTLB, IDTVEC(invltlb_invpcid),
- SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLTLB, pti ?
+ IDTVEC(invltlb_invpcid_pti_pti) :
+ IDTVEC(invltlb_invpcid_nopti), SDT_SYSIGT,
+ SEL_KPL, 0);
+ setidt(IPI_INVLPG, pti ? IDTVEC(invlpg_invpcid_pti) :
+ IDTVEC(invlpg_invpcid), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLRNG, pti ? IDTVEC(invlrng_invpcid_pti) :
+ IDTVEC(invlrng_invpcid), SDT_SYSIGT, SEL_KPL, 0);
} else {
- setidt(IPI_INVLTLB, IDTVEC(invltlb_pcid), SDT_SYSIGT,
- SEL_KPL, 0);
+ setidt(IPI_INVLTLB, pti ? IDTVEC(invltlb_pcid_pti) :
+ IDTVEC(invltlb_pcid), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLPG, pti ? IDTVEC(invlpg_pcid_pti) :
+ IDTVEC(invlpg_pcid), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLRNG, pti ? IDTVEC(invlrng_pcid_pti) :
+ IDTVEC(invlrng_pcid), SDT_SYSIGT, SEL_KPL, 0);
}
} else {
- setidt(IPI_INVLTLB, IDTVEC(invltlb), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLTLB, pti ? IDTVEC(invltlb_pti) : IDTVEC(invltlb),
+ SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLPG, pti ? IDTVEC(invlpg_pti) : IDTVEC(invlpg),
+ SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLRNG, pti ? IDTVEC(invlrng_pti) : IDTVEC(invlrng),
+ SDT_SYSIGT, SEL_KPL, 0);
}
- setidt(IPI_INVLPG, IDTVEC(invlpg), SDT_SYSIGT, SEL_KPL, 0);
- setidt(IPI_INVLRNG, IDTVEC(invlrng), SDT_SYSIGT, SEL_KPL, 0);
/* Install an inter-CPU IPI for cache invalidation. */
- setidt(IPI_INVLCACHE, IDTVEC(invlcache), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_INVLCACHE, pti ? IDTVEC(invlcache_pti) : IDTVEC(invlcache),
+ SDT_SYSIGT, SEL_KPL, 0);
/* Install an inter-CPU IPI for all-CPU rendezvous */
- setidt(IPI_RENDEZVOUS, IDTVEC(rendezvous), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_RENDEZVOUS, pti ? IDTVEC(rendezvous_pti) :
+ IDTVEC(rendezvous), SDT_SYSIGT, SEL_KPL, 0);
/* Install generic inter-CPU IPI handler */
- setidt(IPI_BITMAP_VECTOR, IDTVEC(ipi_intr_bitmap_handler),
- SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_BITMAP_VECTOR, pti ? IDTVEC(ipi_intr_bitmap_handler_pti) :
+ IDTVEC(ipi_intr_bitmap_handler), SDT_SYSIGT, SEL_KPL, 0);
/* Install an inter-CPU IPI for CPU stop/restart */
- setidt(IPI_STOP, IDTVEC(cpustop), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_STOP, pti ? IDTVEC(cpustop_pti) : IDTVEC(cpustop),
+ SDT_SYSIGT, SEL_KPL, 0);
/* Install an inter-CPU IPI for CPU suspend/resume */
- setidt(IPI_SUSPEND, IDTVEC(cpususpend), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IPI_SUSPEND, pti ? IDTVEC(cpususpend_pti) : IDTVEC(cpususpend),
+ SDT_SYSIGT, SEL_KPL, 0);
/* Set boot_cpu_id if needed. */
if (boot_cpu_id == -1) {
@@ -188,7 +204,7 @@
{
struct pcpu *pc;
struct nmi_pcpu *np;
- u_int64_t msr, cr0;
+ u_int64_t cr0;
int cpu, gsel_tss, x;
struct region_descriptor ap_gdt;
@@ -197,7 +213,6 @@
/* Init tss */
common_tss[cpu] = common_tss[0];
- common_tss[cpu].tss_rsp0 = 0; /* not used until after switch */
common_tss[cpu].tss_iobase = sizeof(struct amd64tss) +
IOPERM_BITMAP_SIZE;
common_tss[cpu].tss_ist1 = (long)&doublefault_stack[PAGE_SIZE];
@@ -206,6 +221,10 @@
np = ((struct nmi_pcpu *) &nmi_stack[PAGE_SIZE]) - 1;
common_tss[cpu].tss_ist2 = (long) np;
+ /* The MC# stack runs on IST3. */
+ np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1;
+ common_tss[cpu].tss_ist3 = (long) np;
+
/* Prepare private GDT */
gdt_segs[GPROC0_SEL].ssd_base = (long) &common_tss[cpu];
for (x = 0; x < NGDT; x++) {
@@ -240,10 +259,17 @@
pc->pc_curpmap = kernel_pmap;
pc->pc_pcid_gen = 1;
pc->pc_pcid_next = PMAP_PCID_KERN + 1;
+ common_tss[cpu].tss_rsp0 = pti ? ((vm_offset_t)&pc->pc_pti_stack +
+ PC_PTI_STACK_SZ * sizeof(uint64_t)) & ~0xful : 0;
/* Save the per-cpu pointer for use by the NMI handler. */
+ np = ((struct nmi_pcpu *) &nmi_stack[PAGE_SIZE]) - 1;
np->np_pcpu = (register_t) pc;
+ /* Save the per-cpu pointer for use by the MC# handler. */
+ np = ((struct nmi_pcpu *) &mce_stack[PAGE_SIZE]) - 1;
+ np->np_pcpu = (register_t) pc;
+
wrmsr(MSR_FSBASE, 0); /* User value */
wrmsr(MSR_GSBASE, (u_int64_t)pc);
wrmsr(MSR_KGSBASE, (u_int64_t)pc); /* XXX User value while we're in the kernel */
@@ -263,15 +289,7 @@
cr0 &= ~(CR0_CD | CR0_NW | CR0_EM);
load_cr0(cr0);
- /* Set up the fast syscall stuff */
- msr = rdmsr(MSR_EFER) | EFER_SCE;
- wrmsr(MSR_EFER, msr);
- wrmsr(MSR_LSTAR, (u_int64_t)IDTVEC(fast_syscall));
- wrmsr(MSR_CSTAR, (u_int64_t)IDTVEC(fast_syscall32));
- msr = ((u_int64_t)GSEL(GCODE_SEL, SEL_KPL) << 32) |
- ((u_int64_t)GSEL(GUCODE32_SEL, SEL_UPL) << 48);
- wrmsr(MSR_STAR, msr);
- wrmsr(MSR_SF_MASK, PSL_NT|PSL_T|PSL_I|PSL_C|PSL_D);
+ amd64_conf_fast_syscall();
/* signal our startup to the BSP. */
mp_naps++;
@@ -346,6 +364,8 @@
kstack_pages * PAGE_SIZE, M_WAITOK | M_ZERO);
doublefault_stack = (char *)kmem_malloc(kernel_arena,
PAGE_SIZE, M_WAITOK | M_ZERO);
+ mce_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
+ M_WAITOK | M_ZERO);
nmi_stack = (char *)kmem_malloc(kernel_arena, PAGE_SIZE,
M_WAITOK | M_ZERO);
dpcpu = (void *)kmem_malloc(kernel_arena, DPCPU_SIZE,
@@ -428,9 +448,43 @@
}
void
+invltlb_invpcid_pti_handler(void)
+{
+ struct invpcid_descr d;
+ uint32_t generation;
+
+#ifdef COUNT_XINVLTLB_HITS
+ xhits_gbl[PCPU_GET(cpuid)]++;
+#endif /* COUNT_XINVLTLB_HITS */
+#ifdef COUNT_IPIS
+ (*ipi_invltlb_counts[PCPU_GET(cpuid)])++;
+#endif /* COUNT_IPIS */
+
+ generation = smp_tlb_generation;
+ d.pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid;
+ d.pad = 0;
+ d.addr = 0;
+ if (smp_tlb_pmap == kernel_pmap) {
+ /*
+ * This invalidation actually needs to clear kernel
+ * mappings from the TLB in the current pmap, but
+ * since we were asked for the flush in the kernel
+ * pmap, achieve it by performing global flush.
+ */
+ invpcid(&d, INVPCID_CTXGLOB);
+ } else {
+ invpcid(&d, INVPCID_CTX);
+ d.pcid |= PMAP_PCID_USER_PT;
+ invpcid(&d, INVPCID_CTX);
+ }
+ PCPU_SET(smp_tlb_done, generation);
+}
+
+void
invltlb_pcid_handler(void)
{
- uint32_t generation;
+ uint64_t kcr3, ucr3;
+ uint32_t generation, pcid;
#ifdef COUNT_XINVLTLB_HITS
xhits_gbl[PCPU_GET(cpuid)]++;
@@ -451,9 +505,132 @@
* CPU.
*/
if (PCPU_GET(curpmap) == smp_tlb_pmap) {
- load_cr3(smp_tlb_pmap->pm_cr3 |
- smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid);
+ pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid;
+ kcr3 = smp_tlb_pmap->pm_cr3 | pcid;
+ ucr3 = smp_tlb_pmap->pm_ucr3;
+ if (ucr3 != PMAP_NO_CR3) {
+ ucr3 |= PMAP_PCID_USER_PT | pcid;
+ pmap_pti_pcid_invalidate(ucr3, kcr3);
+ } else
+ load_cr3(kcr3);
}
}
PCPU_SET(smp_tlb_done, generation);
}
+
+void
+invlpg_invpcid_handler(void)
+{
+ struct invpcid_descr d;
+ uint32_t generation;
+
+#ifdef COUNT_XINVLTLB_HITS
+ xhits_pg[PCPU_GET(cpuid)]++;
+#endif /* COUNT_XINVLTLB_HITS */
+#ifdef COUNT_IPIS
+ (*ipi_invlpg_counts[PCPU_GET(cpuid)])++;
+#endif /* COUNT_IPIS */
+
+ generation = smp_tlb_generation; /* Overlap with serialization */
+ invlpg(smp_tlb_addr1);
+ if (smp_tlb_pmap->pm_ucr3 != PMAP_NO_CR3) {
+ d.pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid |
+ PMAP_PCID_USER_PT;
+ d.pad = 0;
+ d.addr = smp_tlb_addr1;
+ invpcid(&d, INVPCID_ADDR);
+ }
+ PCPU_SET(smp_tlb_done, generation);
+}
+
+void
+invlpg_pcid_handler(void)
+{
+ uint64_t kcr3, ucr3;
+ uint32_t generation;
+ uint32_t pcid;
+
+#ifdef COUNT_XINVLTLB_HITS
+ xhits_pg[PCPU_GET(cpuid)]++;
+#endif /* COUNT_XINVLTLB_HITS */
+#ifdef COUNT_IPIS
+ (*ipi_invlpg_counts[PCPU_GET(cpuid)])++;
+#endif /* COUNT_IPIS */
+
+ generation = smp_tlb_generation; /* Overlap with serialization */
+ invlpg(smp_tlb_addr1);
+ if (smp_tlb_pmap == PCPU_GET(curpmap) &&
+ (ucr3 = smp_tlb_pmap->pm_ucr3) != PMAP_NO_CR3) {
+ pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid;
+ kcr3 = smp_tlb_pmap->pm_cr3 | pcid | CR3_PCID_SAVE;
+ ucr3 |= pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE;
+ pmap_pti_pcid_invlpg(ucr3, kcr3, smp_tlb_addr1);
+ }
+ PCPU_SET(smp_tlb_done, generation);
+}
+
+void
+invlrng_invpcid_handler(void)
+{
+ struct invpcid_descr d;
+ vm_offset_t addr, addr2;
+ uint32_t generation;
+
+#ifdef COUNT_XINVLTLB_HITS
+ xhits_rng[PCPU_GET(cpuid)]++;
+#endif /* COUNT_XINVLTLB_HITS */
+#ifdef COUNT_IPIS
+ (*ipi_invlrng_counts[PCPU_GET(cpuid)])++;
+#endif /* COUNT_IPIS */
+
+ addr = smp_tlb_addr1;
+ addr2 = smp_tlb_addr2;
+ generation = smp_tlb_generation; /* Overlap with serialization */
+ do {
+ invlpg(addr);
+ addr += PAGE_SIZE;
+ } while (addr < addr2);
+ if (smp_tlb_pmap->pm_ucr3 != PMAP_NO_CR3) {
+ d.pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid |
+ PMAP_PCID_USER_PT;
+ d.pad = 0;
+ d.addr = smp_tlb_addr1;
+ do {
+ invpcid(&d, INVPCID_ADDR);
+ d.addr += PAGE_SIZE;
+ } while (d.addr < addr2);
+ }
+ PCPU_SET(smp_tlb_done, generation);
+}
+
+void
+invlrng_pcid_handler(void)
+{
+ vm_offset_t addr, addr2;
+ uint64_t kcr3, ucr3;
+ uint32_t generation;
+ uint32_t pcid;
+
+#ifdef COUNT_XINVLTLB_HITS
+ xhits_rng[PCPU_GET(cpuid)]++;
+#endif /* COUNT_XINVLTLB_HITS */
+#ifdef COUNT_IPIS
+ (*ipi_invlrng_counts[PCPU_GET(cpuid)])++;
+#endif /* COUNT_IPIS */
+
+ addr = smp_tlb_addr1;
+ addr2 = smp_tlb_addr2;
+ generation = smp_tlb_generation; /* Overlap with serialization */
+ do {
+ invlpg(addr);
+ addr += PAGE_SIZE;
+ } while (addr < addr2);
+ if (smp_tlb_pmap == PCPU_GET(curpmap) &&
+ (ucr3 = smp_tlb_pmap->pm_ucr3) != PMAP_NO_CR3) {
+ pcid = smp_tlb_pmap->pm_pcids[PCPU_GET(cpuid)].pm_pcid;
+ kcr3 = smp_tlb_pmap->pm_cr3 | pcid | CR3_PCID_SAVE;
+ ucr3 |= pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE;
+ pmap_pti_pcid_invlrng(ucr3, kcr3, smp_tlb_addr1, addr2);
+ }
+ PCPU_SET(smp_tlb_done, generation);
+}
Index: sys/amd64/amd64/pmap.c
===================================================================
--- sys/amd64/amd64/pmap.c (版本 330566)
+++ sys/amd64/amd64/pmap.c (版本 330908)
@@ -9,11 +9,17 @@
* All rights reserved.
* Copyright (c) 2005-2010 Alan L. Cox <alc@cs.rice.edu>
* All rights reserved.
+ * Copyright (c) 2014-2018 The FreeBSD Foundation
+ * All rights reserved.
*
* This code is derived from software contributed to Berkeley by
* the Systems Programming Group of the University of Utah Computer
* Science Department and William Jolitz of UUNET Technologies Inc.
*
+ * Portions of this software were developed by
+ * Konstantin Belousov <kib@FreeBSD.org> under sponsorship from
+ * the FreeBSD Foundation.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -147,6 +153,7 @@
#ifdef SMP
#include <machine/smp.h>
#endif
+#include <machine/tss.h>
static __inline boolean_t
pmap_type_guest(pmap_t pmap)
@@ -208,6 +215,8 @@
return (mask);
}
+static pt_entry_t pg_g;
+
static __inline pt_entry_t
pmap_global_bit(pmap_t pmap)
{
@@ -215,7 +224,7 @@
switch (pmap->pm_type) {
case PT_X86:
- mask = X86_PG_G;
+ mask = pg_g;
break;
case PT_RVI:
case PT_EPT:
@@ -405,6 +414,15 @@
SYSCTL_INT(_vm_pmap, OID_AUTO, invpcid_works, CTLFLAG_RD, &invpcid_works, 0,
"Is the invpcid instruction available ?");
+int pti = 0;
+SYSCTL_INT(_vm_pmap, OID_AUTO, pti, CTLFLAG_RDTUN | CTLFLAG_NOFETCH,
+ &pti, 0,
+ "Page Table Isolation enabled");
+static vm_object_t pti_obj;
+static pml4_entry_t *pti_pml4;
+static vm_pindex_t pti_pg_idx;
+static bool pti_finalized;
+
static int
pmap_pcid_save_cnt_proc(SYSCTL_HANDLER_ARGS)
{
@@ -622,6 +640,11 @@
static boolean_t pmap_protect_pde(pmap_t pmap, pd_entry_t *pde, vm_offset_t sva,
vm_prot_t prot);
static void pmap_pte_attr(pt_entry_t *pte, int cache_bits, int mask);
+static void pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva,
+ bool exec);
+static pdp_entry_t *pmap_pti_pdpe(vm_offset_t va);
+static pd_entry_t *pmap_pti_pde(vm_offset_t va);
+static void pmap_pti_wire_pte(void *pte);
static int pmap_remove_pde(pmap_t pmap, pd_entry_t *pdq, vm_offset_t sva,
struct spglist *free, struct rwlock **lockp);
static int pmap_remove_pte(pmap_t pmap, pt_entry_t *ptq, vm_offset_t sva,
@@ -901,7 +924,7 @@
/* XXX not fully used, underneath 2M pages */
pt_p = (pt_entry_t *)KPTphys;
for (i = 0; ptoa(i) < *firstaddr; i++)
- pt_p[i] = ptoa(i) | X86_PG_RW | X86_PG_V | X86_PG_G;
+ pt_p[i] = ptoa(i) | X86_PG_RW | X86_PG_V | pg_g;
/* Now map the page tables at their location within PTmap */
pd_p = (pd_entry_t *)KPDphys;
@@ -912,7 +935,7 @@
/* This replaces some of the KPTphys entries above */
for (i = 0; (i << PDRSHIFT) < *firstaddr; i++)
pd_p[i] = (i << PDRSHIFT) | X86_PG_RW | X86_PG_V | PG_PS |
- X86_PG_G;
+ pg_g;
/* And connect up the PD to the PDP (leaving room for L4 pages) */
pdp_p = (pdp_entry_t *)(KPDPphys + ptoa(KPML4I - KPML4BASE));
@@ -932,7 +955,7 @@
for (i = NPDEPG * ndm1g, j = 0; i < NPDEPG * ndmpdp; i++, j++) {
pd_p[j] = (vm_paddr_t)i << PDRSHIFT;
/* Preset PG_M and PG_A because demotion expects it. */
- pd_p[j] |= X86_PG_RW | X86_PG_V | PG_PS | X86_PG_G |
+ pd_p[j] |= X86_PG_RW | X86_PG_V | PG_PS | pg_g |
X86_PG_M | X86_PG_A;
}
pdp_p = (pdp_entry_t *)DMPDPphys;
@@ -939,7 +962,7 @@
for (i = 0; i < ndm1g; i++) {
pdp_p[i] = (vm_paddr_t)i << PDPSHIFT;
/* Preset PG_M and PG_A because demotion expects it. */
- pdp_p[i] |= X86_PG_RW | X86_PG_V | PG_PS | X86_PG_G |
+ pdp_p[i] |= X86_PG_RW | X86_PG_V | PG_PS | pg_g |
X86_PG_M | X86_PG_A;
}
for (j = 0; i < ndmpdp; i++, j++) {
@@ -982,6 +1005,9 @@
pt_entry_t *pte;
int i;
+ if (!pti)
+ pg_g = X86_PG_G;
+
/*
* Create an initial set of page tables to run the kernel in.
*/
@@ -1014,6 +1040,7 @@
PMAP_LOCK_INIT(kernel_pmap);
kernel_pmap->pm_pml4 = (pdp_entry_t *)PHYS_TO_DMAP(KPML4phys);
kernel_pmap->pm_cr3 = KPML4phys;
+ kernel_pmap->pm_ucr3 = PMAP_NO_CR3;
CPU_FILL(&kernel_pmap->pm_active); /* don't allow deactivation */
TAILQ_INIT(&kernel_pmap->pm_pvchunk);
kernel_pmap->pm_flags = pmap_flags;
@@ -1528,6 +1555,9 @@
pmap_invalidate_page(pmap_t pmap, vm_offset_t va)
{
cpuset_t *mask;
+ struct invpcid_descr d;
+ uint64_t kcr3, ucr3;
+ uint32_t pcid;
u_int cpuid, i;
if (pmap_type_guest(pmap)) {
@@ -1544,9 +1574,32 @@
mask = &all_cpus;
} else {
cpuid = PCPU_GET(cpuid);
- if (pmap == PCPU_GET(curpmap))
+ if (pmap == PCPU_GET(curpmap)) {
invlpg(va);
- else if (pmap_pcid_enabled)
+ if (pmap_pcid_enabled && pmap->pm_ucr3 != PMAP_NO_CR3) {
+ /*
+ * Disable context switching. pm_pcid
+ * is recalculated on switch, which
+ * might make us use wrong pcid below.
+ */
+ critical_enter();
+ pcid = pmap->pm_pcids[cpuid].pm_pcid;
+
+ if (invpcid_works) {
+ d.pcid = pcid | PMAP_PCID_USER_PT;
+ d.pad = 0;
+ d.addr = va;
+ invpcid(&d, INVPCID_ADDR);
+ } else {
+ kcr3 = pmap->pm_cr3 | pcid |
+ CR3_PCID_SAVE;
+ ucr3 = pmap->pm_ucr3 | pcid |
+ PMAP_PCID_USER_PT | CR3_PCID_SAVE;
+ pmap_pti_pcid_invlpg(ucr3, kcr3, va);
+ }
+ critical_exit();
+ }
+ } else if (pmap_pcid_enabled)
pmap->pm_pcids[cpuid].pm_gen = 0;
if (pmap_pcid_enabled) {
CPU_FOREACH(i) {
@@ -1556,7 +1609,7 @@
}
mask = &pmap->pm_active;
}
- smp_masked_invlpg(*mask, va);
+ smp_masked_invlpg(*mask, va, pmap);
sched_unpin();
}
@@ -1567,7 +1620,10 @@
pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
{
cpuset_t *mask;
+ struct invpcid_descr d;
vm_offset_t addr;
+ uint64_t kcr3, ucr3;
+ uint32_t pcid;
u_int cpuid, i;
if (eva - sva >= PMAP_INVLPG_THRESHOLD) {
@@ -1593,6 +1649,26 @@
if (pmap == PCPU_GET(curpmap)) {
for (addr = sva; addr < eva; addr += PAGE_SIZE)
invlpg(addr);
+ if (pmap_pcid_enabled && pmap->pm_ucr3 != PMAP_NO_CR3) {
+ critical_enter();
+ pcid = pmap->pm_pcids[cpuid].pm_pcid;
+ if (invpcid_works) {
+ d.pcid = pcid | PMAP_PCID_USER_PT;
+ d.pad = 0;
+ d.addr = sva;
+ for (; d.addr < eva; d.addr +=
+ PAGE_SIZE)
+ invpcid(&d, INVPCID_ADDR);
+ } else {
+ kcr3 = pmap->pm_cr3 | pcid |
+ CR3_PCID_SAVE;
+ ucr3 = pmap->pm_ucr3 | pcid |
+ PMAP_PCID_USER_PT | CR3_PCID_SAVE;
+ pmap_pti_pcid_invlrng(ucr3, kcr3, sva,
+ eva);
+ }
+ critical_exit();
+ }
} else if (pmap_pcid_enabled) {
pmap->pm_pcids[cpuid].pm_gen = 0;
}
@@ -1604,7 +1680,7 @@
}
mask = &pmap->pm_active;
}
- smp_masked_invlpg_range(*mask, sva, eva);
+ smp_masked_invlpg_range(*mask, sva, eva, pmap);
sched_unpin();
}
@@ -1613,6 +1689,8 @@
{
cpuset_t *mask;
struct invpcid_descr d;
+ uint64_t kcr3, ucr3;
+ uint32_t pcid;
u_int cpuid, i;
if (pmap_type_guest(pmap)) {
@@ -1636,15 +1714,29 @@
cpuid = PCPU_GET(cpuid);
if (pmap == PCPU_GET(curpmap)) {
if (pmap_pcid_enabled) {
+ critical_enter();
+ pcid = pmap->pm_pcids[cpuid].pm_pcid;
if (invpcid_works) {
- d.pcid = pmap->pm_pcids[cpuid].pm_pcid;
+ d.pcid = pcid;
d.pad = 0;
d.addr = 0;
invpcid(&d, INVPCID_CTX);
+ if (pmap->pm_ucr3 != PMAP_NO_CR3) {
+ d.pcid |= PMAP_PCID_USER_PT;
+ invpcid(&d, INVPCID_CTX);
+ }
} else {
- load_cr3(pmap->pm_cr3 | pmap->pm_pcids
- [PCPU_GET(cpuid)].pm_pcid);
+ kcr3 = pmap->pm_cr3 | pcid;
+ ucr3 = pmap->pm_ucr3;
+ if (ucr3 != PMAP_NO_CR3) {
+ ucr3 |= pcid | PMAP_PCID_USER_PT;
+ pmap_pti_pcid_invalidate(ucr3,
+ kcr3);
+ } else {
+ load_cr3(kcr3);
+ }
}
+ critical_exit();
} else {
invltlb();
}
@@ -1749,6 +1841,9 @@
void
pmap_invalidate_page(pmap_t pmap, vm_offset_t va)
{
+ struct invpcid_descr d;
+ uint64_t kcr3, ucr3;
+ uint32_t pcid;
if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) {
pmap->pm_eptgen++;
@@ -1757,9 +1852,26 @@
KASSERT(pmap->pm_type == PT_X86,
("pmap_invalidate_range: unknown type %d", pmap->pm_type));
- if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap))
+ if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) {
invlpg(va);
- else if (pmap_pcid_enabled)
+ if (pmap == PCPU_GET(curpmap) && pmap_pcid_enabled &&
+ pmap->pm_ucr3 != PMAP_NO_CR3) {
+ critical_enter();
+ pcid = pmap->pm_pcids[0].pm_pcid;
+ if (invpcid_works) {
+ d.pcid = pcid | PMAP_PCID_USER_PT;
+ d.pad = 0;
+ d.addr = va;
+ invpcid(&d, INVPCID_ADDR);
+ } else {
+ kcr3 = pmap->pm_cr3 | pcid | CR3_PCID_SAVE;
+ ucr3 = pmap->pm_ucr3 | pcid |
+ PMAP_PCID_USER_PT | CR3_PCID_SAVE;
+ pmap_pti_pcid_invlpg(ucr3, kcr3, va);
+ }
+ critical_exit();
+ }
+ } else if (pmap_pcid_enabled)
pmap->pm_pcids[0].pm_gen = 0;
}
@@ -1766,7 +1878,9 @@
void
pmap_invalidate_range(pmap_t pmap, vm_offset_t sva, vm_offset_t eva)
{
+ struct invpcid_descr d;
vm_offset_t addr;
+ uint64_t kcr3, ucr3;
if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) {
pmap->pm_eptgen++;
@@ -1778,6 +1892,25 @@
if (pmap == kernel_pmap || pmap == PCPU_GET(curpmap)) {
for (addr = sva; addr < eva; addr += PAGE_SIZE)
invlpg(addr);
+ if (pmap == PCPU_GET(curpmap) && pmap_pcid_enabled &&
+ pmap->pm_ucr3 != PMAP_NO_CR3) {
+ critical_enter();
+ if (invpcid_works) {
+ d.pcid = pmap->pm_pcids[0].pm_pcid |
+ PMAP_PCID_USER_PT;
+ d.pad = 0;
+ d.addr = sva;
+ for (; d.addr < eva; d.addr += PAGE_SIZE)
+ invpcid(&d, INVPCID_ADDR);
+ } else {
+ kcr3 = pmap->pm_cr3 | pmap->pm_pcids[0].
+ pm_pcid | CR3_PCID_SAVE;
+ ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[0].
+ pm_pcid | PMAP_PCID_USER_PT | CR3_PCID_SAVE;
+ pmap_pti_pcid_invlrng(ucr3, kcr3, sva, eva);
+ }
+ critical_exit();
+ }
} else if (pmap_pcid_enabled) {
pmap->pm_pcids[0].pm_gen = 0;
}
@@ -1787,6 +1920,7 @@
pmap_invalidate_all(pmap_t pmap)
{
struct invpcid_descr d;
+ uint64_t kcr3, ucr3;
if (pmap->pm_type == PT_RVI || pmap->pm_type == PT_EPT) {
pmap->pm_eptgen++;
@@ -1804,15 +1938,26 @@
}
} else if (pmap == PCPU_GET(curpmap)) {
if (pmap_pcid_enabled) {
+ critical_enter();
if (invpcid_works) {
d.pcid = pmap->pm_pcids[0].pm_pcid;
d.pad = 0;
d.addr = 0;
invpcid(&d, INVPCID_CTX);
+ if (pmap->pm_ucr3 != PMAP_NO_CR3) {
+ d.pcid |= PMAP_PCID_USER_PT;
+ invpcid(&d, INVPCID_CTX);
+ }
} else {
- load_cr3(pmap->pm_cr3 | pmap->pm_pcids[0].
- pm_pcid);
+ kcr3 = pmap->pm_cr3 | pmap->pm_pcids[0].pm_pcid;
+ if (pmap->pm_ucr3 != PMAP_NO_CR3) {
+ ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[
+ 0].pm_pcid | PMAP_PCID_USER_PT;
+ pmap_pti_pcid_invalidate(ucr3, kcr3);
+ } else
+ load_cr3(kcr3);
}
+ critical_exit();
} else {
invltlb();
}
@@ -2094,7 +2239,7 @@
pt_entry_t *pte;
pte = vtopte(va);
- pte_store(pte, pa | X86_PG_RW | X86_PG_V | X86_PG_G);
+ pte_store(pte, pa | X86_PG_RW | X86_PG_V | pg_g);
}
static __inline void
@@ -2105,7 +2250,7 @@
pte = vtopte(va);
cache_bits = pmap_cache_bits(kernel_pmap, mode, 0);
- pte_store(pte, pa | X86_PG_RW | X86_PG_V | X86_PG_G | cache_bits);
+ pte_store(pte, pa | X86_PG_RW | X86_PG_V | pg_g | cache_bits);
}
/*
@@ -2165,7 +2310,7 @@
pa = VM_PAGE_TO_PHYS(m) | cache_bits;
if ((*pte & (PG_FRAME | X86_PG_PTE_CACHE)) != pa) {
oldpte |= *pte;
- pte_store(pte, pa | X86_PG_G | X86_PG_RW | X86_PG_V);
+ pte_store(pte, pa | pg_g | X86_PG_RW | X86_PG_V);
}
pte++;
}
@@ -2284,6 +2429,10 @@
pml4_entry_t *pml4;
pml4 = pmap_pml4e(pmap, va);
*pml4 = 0;
+ if (pmap->pm_pml4u != NULL && va <= VM_MAXUSER_ADDRESS) {
+ pml4 = &pmap->pm_pml4u[pmap_pml4e_index(va)];
+ *pml4 = 0;
+ }
} else if (m->pindex >= NUPDE) {
/* PD page */
pdp_entry_t *pdp;
@@ -2349,7 +2498,10 @@
PMAP_LOCK_INIT(pmap);
pmap->pm_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(KPML4phys);
+ pmap->pm_pml4u = NULL;
pmap->pm_cr3 = KPML4phys;
+ /* hack to keep pmap_pti_pcid_invalidate() alive */
+ pmap->pm_ucr3 = PMAP_NO_CR3;
pmap->pm_root.rt_root = 0;
CPU_ZERO(&pmap->pm_active);
TAILQ_INIT(&pmap->pm_pvchunk);
@@ -2358,6 +2510,8 @@
CPU_FOREACH(i) {
pmap->pm_pcids[i].pm_pcid = PMAP_PCID_NONE;
pmap->pm_pcids[i].pm_gen = 0;
+ if (!pti)
+ __pcpu[i].pc_kcr3 = PMAP_NO_CR3;
}
PCPU_SET(curpmap, kernel_pmap);
pmap_activate(curthread);
@@ -2387,6 +2541,17 @@
X86_PG_A | X86_PG_M;
}
+static void
+pmap_pinit_pml4_pti(vm_page_t pml4pg)
+{
+ pml4_entry_t *pm_pml4;
+ int i;
+
+ pm_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4pg));
+ for (i = 0; i < NPML4EPG; i++)
+ pm_pml4[i] = pti_pml4[i];
+}
+
/*
* Initialize a preallocated and zeroed pmap structure,
* such as one in a vmspace structure.
@@ -2394,7 +2559,7 @@
int
pmap_pinit_type(pmap_t pmap, enum pmap_type pm_type, int flags)
{
- vm_page_t pml4pg;
+ vm_page_t pml4pg, pml4pgu;
vm_paddr_t pml4phys;
int i;
@@ -2411,8 +2576,11 @@
pmap->pm_pcids[i].pm_pcid = PMAP_PCID_NONE;
pmap->pm_pcids[i].pm_gen = 0;
}
- pmap->pm_cr3 = ~0; /* initialize to an invalid value */
+ pmap->pm_cr3 = PMAP_NO_CR3; /* initialize to an invalid value */
+ pmap->pm_ucr3 = PMAP_NO_CR3;
+ pmap->pm_pml4u = NULL;
+ pmap->pm_type = pm_type;
if ((pml4pg->flags & PG_ZERO) == 0)
pagezero(pmap->pm_pml4);
@@ -2420,10 +2588,21 @@
* Do not install the host kernel mappings in the nested page
* tables. These mappings are meaningless in the guest physical
* address space.
+ * Install minimal kernel mappings in PTI case.
*/
- if ((pmap->pm_type = pm_type) == PT_X86) {
+ if (pm_type == PT_X86) {
pmap->pm_cr3 = pml4phys;
pmap_pinit_pml4(pml4pg);
+ if (pti) {
+ while ((pml4pgu = vm_page_alloc(NULL, 0,
+ VM_ALLOC_NORMAL | VM_ALLOC_NOOBJ | VM_ALLOC_WIRED))
+ == NULL)
+ VM_WAIT;
+ pmap->pm_pml4u = (pml4_entry_t *)PHYS_TO_DMAP(
+ VM_PAGE_TO_PHYS(pml4pgu));
+ pmap_pinit_pml4_pti(pml4pgu);
+ pmap->pm_ucr3 = VM_PAGE_TO_PHYS(pml4pgu);
+ }
}
pmap->pm_root.rt_root = 0;
@@ -2495,7 +2674,7 @@
*/
if (ptepindex >= (NUPDE + NUPDPE)) {
- pml4_entry_t *pml4;
+ pml4_entry_t *pml4, *pml4u;
vm_pindex_t pml4index;
/* Wire up a new PDPE page */
@@ -2502,7 +2681,21 @@
pml4index = ptepindex - (NUPDE + NUPDPE);
pml4 = &pmap->pm_pml4[pml4index];
*pml4 = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V | PG_A | PG_M;
+ if (pmap->pm_pml4u != NULL && pml4index < NUPML4E) {
+ /*
+ * PTI: Make all user-space mappings in the
+ * kernel-mode page table no-execute so that
+ * we detect any programming errors that leave
+ * the kernel-mode page table active on return
+ * to user space.
+ */
+ *pml4 |= pg_nx;
+ pml4u = &pmap->pm_pml4u[pml4index];
+ *pml4u = VM_PAGE_TO_PHYS(m) | PG_U | PG_RW | PG_V |
+ PG_A | PG_M;
+ }
+
} else if (ptepindex >= NUPDE) {
vm_pindex_t pml4index;
vm_pindex_t pdpindex;
@@ -2702,6 +2895,13 @@
m->wire_count--;
atomic_subtract_int(&vm_cnt.v_wire_count, 1);
vm_page_free_zero(m);
+
+ if (pmap->pm_pml4u != NULL) {
+ m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((vm_offset_t)pmap->pm_pml4u));
+ m->wire_count--;
+ atomic_subtract_int(&vm_cnt.v_wire_count, 1);
+ vm_page_free(m);
+ }
}
static int
@@ -6867,13 +7067,15 @@
CRITICAL_ASSERT(curthread);
gen = PCPU_GET(pcid_gen);
- if (pmap->pm_pcids[cpuid].pm_pcid == PMAP_PCID_KERN ||
- pmap->pm_pcids[cpuid].pm_gen == gen)
+ if (!pti && (pmap->pm_pcids[cpuid].pm_pcid == PMAP_PCID_KERN ||
+ pmap->pm_pcids[cpuid].pm_gen == gen))
return (CR3_PCID_SAVE);
pcid_next = PCPU_GET(pcid_next);
- KASSERT(pcid_next <= PMAP_PCID_OVERMAX, ("cpu %d pcid_next %#x",
- cpuid, pcid_next));
- if (pcid_next == PMAP_PCID_OVERMAX) {
+ KASSERT((!pti && pcid_next <= PMAP_PCID_OVERMAX) ||
+ (pti && pcid_next <= PMAP_PCID_OVERMAX_KERN),
+ ("cpu %d pcid_next %#x", cpuid, pcid_next));
+ if ((!pti && pcid_next == PMAP_PCID_OVERMAX) ||
+ (pti && pcid_next == PMAP_PCID_OVERMAX_KERN)) {
new_gen = gen + 1;
if (new_gen == 0)
new_gen = 1;
@@ -6892,7 +7094,8 @@
pmap_activate_sw(struct thread *td)
{
pmap_t oldpmap, pmap;
- uint64_t cached, cr3;
+ struct invpcid_descr d;
+ uint64_t cached, cr3, kcr3, ucr3;
register_t rflags;
u_int cpuid;
@@ -6948,11 +7151,41 @@
PCPU_INC(pm_save_cnt);
}
PCPU_SET(curpmap, pmap);
+ if (pti) {
+ kcr3 = pmap->pm_cr3 | pmap->pm_pcids[cpuid].pm_pcid;
+ ucr3 = pmap->pm_ucr3 | pmap->pm_pcids[cpuid].pm_pcid |
+ PMAP_PCID_USER_PT;
+
+ /*
+ * Manually invalidate translations cached
+ * from the user page table, which are not
+ * flushed by reload of cr3 with the kernel
+ * page table pointer above.
+ */
+ if (pmap->pm_ucr3 != PMAP_NO_CR3) {
+ if (invpcid_works) {
+ d.pcid = PMAP_PCID_USER_PT |
+ pmap->pm_pcids[cpuid].pm_pcid;
+ d.pad = 0;
+ d.addr = 0;
+ invpcid(&d, INVPCID_CTX);
+ } else {
+ pmap_pti_pcid_invalidate(ucr3, kcr3);
+ }
+ }
+
+ PCPU_SET(kcr3, kcr3 | CR3_PCID_SAVE);
+ PCPU_SET(ucr3, ucr3 | CR3_PCID_SAVE);
+ }
if (!invpcid_works)
intr_restore(rflags);
} else if (cr3 != pmap->pm_cr3) {
load_cr3(pmap->pm_cr3);
PCPU_SET(curpmap, pmap);
+ if (pti) {
+ PCPU_SET(kcr3, pmap->pm_cr3);
+ PCPU_SET(ucr3, pmap->pm_ucr3);
+ }
}
#ifdef SMP
CPU_CLR_ATOMIC(cpuid, &oldpmap->pm_active);
@@ -7271,6 +7504,291 @@
mtx_unlock_spin(&qframe_mtx);
}
+static vm_page_t
+pmap_pti_alloc_page(void)
+{
+ vm_page_t m;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+ m = vm_page_grab(pti_obj, pti_pg_idx++, VM_ALLOC_NOBUSY |
+ VM_ALLOC_WIRED | VM_ALLOC_ZERO);
+ return (m);
+}
+
+static bool
+pmap_pti_free_page(vm_page_t m)
+{
+
+ KASSERT(m->wire_count > 0, ("page %p not wired", m));
+ m->wire_count--;
+ if (m->wire_count != 0)
+ return (false);
+ atomic_subtract_int(&vm_cnt.v_wire_count, 1);
+ vm_page_free_zero(m);
+ return (true);
+}
+
+static void
+pmap_pti_init(void)
+{
+ vm_page_t pml4_pg;
+ pdp_entry_t *pdpe;
+ vm_offset_t va;
+ int i;
+
+ if (!pti)
+ return;
+ pti_obj = vm_pager_allocate(OBJT_PHYS, NULL, 0, VM_PROT_ALL, 0, NULL);
+ VM_OBJECT_WLOCK(pti_obj);
+ pml4_pg = pmap_pti_alloc_page();
+ pti_pml4 = (pml4_entry_t *)PHYS_TO_DMAP(VM_PAGE_TO_PHYS(pml4_pg));
+ for (va = VM_MIN_KERNEL_ADDRESS; va <= VM_MAX_KERNEL_ADDRESS &&
+ va >= VM_MIN_KERNEL_ADDRESS && va > NBPML4; va += NBPML4) {
+ pdpe = pmap_pti_pdpe(va);
+ pmap_pti_wire_pte(pdpe);
+ }
+ pmap_pti_add_kva_locked((vm_offset_t)&__pcpu[0],
+ (vm_offset_t)&__pcpu[0] + sizeof(__pcpu[0]) * MAXCPU, false);
+ pmap_pti_add_kva_locked((vm_offset_t)gdt, (vm_offset_t)gdt +
+ sizeof(struct user_segment_descriptor) * NGDT * MAXCPU, false);
+ pmap_pti_add_kva_locked((vm_offset_t)idt, (vm_offset_t)idt +
+ sizeof(struct gate_descriptor) * NIDT, false);
+ pmap_pti_add_kva_locked((vm_offset_t)common_tss,
+ (vm_offset_t)common_tss + sizeof(struct amd64tss) * MAXCPU, false);
+ CPU_FOREACH(i) {
+ /* Doublefault stack IST 1 */
+ va = common_tss[i].tss_ist1;
+ pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false);
+ /* NMI stack IST 2 */
+ va = common_tss[i].tss_ist2 + sizeof(struct nmi_pcpu);
+ pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false);
+ /* MC# stack IST 3 */
+ va = common_tss[i].tss_ist3 + sizeof(struct nmi_pcpu);
+ pmap_pti_add_kva_locked(va - PAGE_SIZE, va, false);
+ }
+ pmap_pti_add_kva_locked((vm_offset_t)kernphys + KERNBASE,
+ (vm_offset_t)etext, true);
+ pti_finalized = true;
+ VM_OBJECT_WUNLOCK(pti_obj);
+}
+SYSINIT(pmap_pti, SI_SUB_CPU + 1, SI_ORDER_ANY, pmap_pti_init, NULL);
+
+static pdp_entry_t *
+pmap_pti_pdpe(vm_offset_t va)
+{
+ pml4_entry_t *pml4e;
+ pdp_entry_t *pdpe;
+ vm_page_t m;
+ vm_pindex_t pml4_idx;
+ vm_paddr_t mphys;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+
+ pml4_idx = pmap_pml4e_index(va);
+ pml4e = &pti_pml4[pml4_idx];
+ m = NULL;
+ if (*pml4e == 0) {
+ if (pti_finalized)
+ panic("pml4 alloc after finalization\n");
+ m = pmap_pti_alloc_page();
+ if (*pml4e != 0) {
+ pmap_pti_free_page(m);
+ mphys = *pml4e & ~PAGE_MASK;
+ } else {
+ mphys = VM_PAGE_TO_PHYS(m);
+ *pml4e = mphys | X86_PG_RW | X86_PG_V;
+ }
+ } else {
+ mphys = *pml4e & ~PAGE_MASK;
+ }
+ pdpe = (pdp_entry_t *)PHYS_TO_DMAP(mphys) + pmap_pdpe_index(va);
+ return (pdpe);
+}
+
+static void
+pmap_pti_wire_pte(void *pte)
+{
+ vm_page_t m;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+ m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte));
+ m->wire_count++;
+}
+
+static void
+pmap_pti_unwire_pde(void *pde, bool only_ref)
+{
+ vm_page_t m;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+ m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pde));
+ MPASS(m->wire_count > 0);
+ MPASS(only_ref || m->wire_count > 1);
+ pmap_pti_free_page(m);
+}
+
+static void
+pmap_pti_unwire_pte(void *pte, vm_offset_t va)
+{
+ vm_page_t m;
+ pd_entry_t *pde;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+ m = PHYS_TO_VM_PAGE(DMAP_TO_PHYS((uintptr_t)pte));
+ MPASS(m->wire_count > 0);
+ if (pmap_pti_free_page(m)) {
+ pde = pmap_pti_pde(va);
+ MPASS((*pde & (X86_PG_PS | X86_PG_V)) == X86_PG_V);
+ *pde = 0;
+ pmap_pti_unwire_pde(pde, false);
+ }
+}
+
+static pd_entry_t *
+pmap_pti_pde(vm_offset_t va)
+{
+ pdp_entry_t *pdpe;
+ pd_entry_t *pde;
+ vm_page_t m;
+ vm_pindex_t pd_idx;
+ vm_paddr_t mphys;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+
+ pdpe = pmap_pti_pdpe(va);
+ if (*pdpe == 0) {
+ m = pmap_pti_alloc_page();
+ if (*pdpe != 0) {
+ pmap_pti_free_page(m);
+ MPASS((*pdpe & X86_PG_PS) == 0);
+ mphys = *pdpe & ~PAGE_MASK;
+ } else {
+ mphys = VM_PAGE_TO_PHYS(m);
+ *pdpe = mphys | X86_PG_RW | X86_PG_V;
+ }
+ } else {
+ MPASS((*pdpe & X86_PG_PS) == 0);
+ mphys = *pdpe & ~PAGE_MASK;
+ }
+
+ pde = (pd_entry_t *)PHYS_TO_DMAP(mphys);
+ pd_idx = pmap_pde_index(va);
+ pde += pd_idx;
+ return (pde);
+}
+
+static pt_entry_t *
+pmap_pti_pte(vm_offset_t va, bool *unwire_pde)
+{
+ pd_entry_t *pde;
+ pt_entry_t *pte;
+ vm_page_t m;
+ vm_paddr_t mphys;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+
+ pde = pmap_pti_pde(va);
+ if (unwire_pde != NULL) {
+ *unwire_pde = true;
+ pmap_pti_wire_pte(pde);
+ }
+ if (*pde == 0) {
+ m = pmap_pti_alloc_page();
+ if (*pde != 0) {
+ pmap_pti_free_page(m);
+ MPASS((*pde & X86_PG_PS) == 0);
+ mphys = *pde & ~(PAGE_MASK | pg_nx);
+ } else {
+ mphys = VM_PAGE_TO_PHYS(m);
+ *pde = mphys | X86_PG_RW | X86_PG_V;
+ if (unwire_pde != NULL)
+ *unwire_pde = false;
+ }
+ } else {
+ MPASS((*pde & X86_PG_PS) == 0);
+ mphys = *pde & ~(PAGE_MASK | pg_nx);
+ }
+
+ pte = (pt_entry_t *)PHYS_TO_DMAP(mphys);
+ pte += pmap_pte_index(va);
+
+ return (pte);
+}
+
+static void
+pmap_pti_add_kva_locked(vm_offset_t sva, vm_offset_t eva, bool exec)
+{
+ vm_paddr_t pa;
+ pd_entry_t *pde;
+ pt_entry_t *pte, ptev;
+ bool unwire_pde;
+
+ VM_OBJECT_ASSERT_WLOCKED(pti_obj);
+
+ sva = trunc_page(sva);
+ MPASS(sva > VM_MAXUSER_ADDRESS);
+ eva = round_page(eva);
+ MPASS(sva < eva);
+ for (; sva < eva; sva += PAGE_SIZE) {
+ pte = pmap_pti_pte(sva, &unwire_pde);
+ pa = pmap_kextract(sva);
+ ptev = pa | X86_PG_RW | X86_PG_V | X86_PG_A |
+ (exec ? 0 : pg_nx) | pmap_cache_bits(kernel_pmap,
+ VM_MEMATTR_DEFAULT, FALSE);
+ if (*pte == 0) {
+ pte_store(pte, ptev);
+ pmap_pti_wire_pte(pte);
+ } else {
+ KASSERT(!pti_finalized,
+ ("pti overlap after fin %#lx %#lx %#lx",
+ sva, *pte, ptev));
+ KASSERT(*pte == ptev,
+ ("pti non-identical pte after fin %#lx %#lx %#lx",
+ sva, *pte, ptev));
+ }
+ if (unwire_pde) {
+ pde = pmap_pti_pde(sva);
+ pmap_pti_unwire_pde(pde, true);
+ }
+ }
+}
+
+void
+pmap_pti_add_kva(vm_offset_t sva, vm_offset_t eva, bool exec)
+{
+
+ if (!pti)
+ return;
+ VM_OBJECT_WLOCK(pti_obj);
+ pmap_pti_add_kva_locked(sva, eva, exec);
+ VM_OBJECT_WUNLOCK(pti_obj);
+}
+
+void
+pmap_pti_remove_kva(vm_offset_t sva, vm_offset_t eva)
+{
+ pt_entry_t *pte;
+ vm_offset_t va;
+
+ if (!pti)
+ return;
+ sva = rounddown2(sva, PAGE_SIZE);
+ MPASS(sva > VM_MAXUSER_ADDRESS);
+ eva = roundup2(eva, PAGE_SIZE);
+ MPASS(sva < eva);
+ VM_OBJECT_WLOCK(pti_obj);
+ for (va = sva; va < eva; va += PAGE_SIZE) {
+ pte = pmap_pti_pte(va, NULL);
+ KASSERT((*pte & X86_PG_V) != 0,
+ ("invalid pte va %#lx pte %#lx pt %#lx", va,
+ (u_long)pte, *pte));
+ pte_clear(pte);
+ pmap_pti_unwire_pte(pte, va);
+ }
+ pmap_invalidate_range(kernel_pmap, sva, eva);
+ VM_OBJECT_WUNLOCK(pti_obj);
+}
+
#include "opt_ddb.h"
#ifdef DDB
#include <ddb/ddb.h>
Index: sys/amd64/amd64/support.S
===================================================================
--- sys/amd64/amd64/support.S (版本 330566)
+++ sys/amd64/amd64/support.S (版本 330908)
@@ -33,6 +33,7 @@
#include "opt_ddb.h"
#include <machine/asmacros.h>
+#include <machine/specialreg.h>
#include <machine/pmap.h>
#include "assym.s"
@@ -787,3 +788,115 @@
movl $EFAULT,%eax
POP_FRAME_POINTER
ret
+
+/*
+ * void pmap_pti_pcid_invalidate(uint64_t ucr3, uint64_t kcr3);
+ * Invalidates address space addressed by ucr3, then returns to kcr3.
+ * Done in assembler to ensure no other memory accesses happen while
+ * on ucr3.
+ */
+ ALIGN_TEXT
+ENTRY(pmap_pti_pcid_invalidate)
+ pushfq
+ cli
+ movq %rdi,%cr3 /* to user page table */
+ movq %rsi,%cr3 /* back to kernel */
+ popfq
+ retq
+
+/*
+ * void pmap_pti_pcid_invlpg(uint64_t ucr3, uint64_t kcr3, vm_offset_t va);
+ * Invalidates virtual address va in address space ucr3, then returns to kcr3.
+ */
+ ALIGN_TEXT
+ENTRY(pmap_pti_pcid_invlpg)
+ pushfq
+ cli
+ movq %rdi,%cr3 /* to user page table */
+ invlpg (%rdx)
+ movq %rsi,%cr3 /* back to kernel */
+ popfq
+ retq
+
+/*
+ * void pmap_pti_pcid_invlrng(uint64_t ucr3, uint64_t kcr3, vm_offset_t sva,
+ * vm_offset_t eva);
+ * Invalidates virtual addresses between sva and eva in address space ucr3,
+ * then returns to kcr3.
+ */
+ ALIGN_TEXT
+ENTRY(pmap_pti_pcid_invlrng)
+ pushfq
+ cli
+ movq %rdi,%cr3 /* to user page table */
+1: invlpg (%rdx)
+ addq $PAGE_SIZE,%rdx
+ cmpq %rdx,%rcx
+ ja 1b
+ movq %rsi,%cr3 /* back to kernel */
+ popfq
+ retq
+
+ .altmacro
+ .macro ibrs_seq_label l
+handle_ibrs_\l:
+ .endm
+ .macro ibrs_call_label l
+ call handle_ibrs_\l
+ .endm
+ .macro ibrs_seq count
+ ll=1
+ .rept \count
+ ibrs_call_label %(ll)
+ nop
+ ibrs_seq_label %(ll)
+ addq $8,%rsp
+ ll=ll+1
+ .endr
+ .endm
+
+/* all callers already saved %rax, %rdx, and %rcx */
+ENTRY(handle_ibrs_entry)
+ cmpb $0,hw_ibrs_active(%rip)
+ je 1f
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ movl $(IA32_SPEC_CTRL_IBRS|IA32_SPEC_CTRL_STIBP),%eax
+ movl $(IA32_SPEC_CTRL_IBRS|IA32_SPEC_CTRL_STIBP)>>32,%edx
+ wrmsr
+ movb $1,PCPU(IBPB_SET)
+ testl $CPUID_STDEXT_SMEP,cpu_stdext_feature(%rip)
+ jne 1f
+ ibrs_seq 32
+1: ret
+END(handle_ibrs_entry)
+
+ENTRY(handle_ibrs_exit)
+ cmpb $0,PCPU(IBPB_SET)
+ je 1f
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ xorl %eax,%eax
+ xorl %edx,%edx
+ wrmsr
+ movb $0,PCPU(IBPB_SET)
+1: ret
+END(handle_ibrs_exit)
+
+/* registers-neutral version, but needs stack */
+ENTRY(handle_ibrs_exit_rs)
+ cmpb $0,PCPU(IBPB_SET)
+ je 1f
+ pushq %rax
+ pushq %rdx
+ pushq %rcx
+ movl $MSR_IA32_SPEC_CTRL,%ecx
+ xorl %eax,%eax
+ xorl %edx,%edx
+ wrmsr
+ popq %rcx
+ popq %rdx
+ popq %rax
+ movb $0,PCPU(IBPB_SET)
+1: ret
+END(handle_ibrs_exit_rs)
+
+ .noaltmacro
Index: sys/amd64/amd64/sys_machdep.c
===================================================================
--- sys/amd64/amd64/sys_machdep.c (版本 330566)
+++ sys/amd64/amd64/sys_machdep.c (版本 330908)
@@ -357,7 +357,9 @@
pcb = td->td_pcb;
if (pcb->pcb_tssp == NULL) {
tssp = (struct amd64tss *)kmem_malloc(kernel_arena,
- ctob(IOPAGES+1), M_WAITOK);
+ ctob(IOPAGES + 1), M_WAITOK);
+ pmap_pti_add_kva((vm_offset_t)tssp, (vm_offset_t)tssp +
+ ctob(IOPAGES + 1), false);
iomap = (char *)&tssp[1];
memset(iomap, 0xff, IOPERM_BITMAP_SIZE);
critical_enter();
@@ -452,6 +454,8 @@
struct proc_ldt *pldt, *new_ldt;
struct mdproc *mdp;
struct soft_segment_descriptor sldt;
+ vm_offset_t sva;
+ vm_size_t sz;
mtx_assert(&dt_lock, MA_OWNED);
mdp = &p->p_md;
@@ -459,13 +463,13 @@
return (mdp->md_ldt);
mtx_unlock(&dt_lock);
new_ldt = malloc(sizeof(struct proc_ldt), M_SUBPROC, M_WAITOK);
- new_ldt->ldt_base = (caddr_t)kmem_malloc(kernel_arena,
- max_ldt_segment * sizeof(struct user_segment_descriptor),
- M_WAITOK | M_ZERO);
+ sz = max_ldt_segment * sizeof(struct user_segment_descriptor);
+ sva = kmem_malloc(kernel_arena, sz, M_WAITOK | M_ZERO);
+ new_ldt->ldt_base = (caddr_t)sva;
+ pmap_pti_add_kva(sva, sva + sz, false);
new_ldt->ldt_refcnt = 1;
- sldt.ssd_base = (uint64_t)new_ldt->ldt_base;
- sldt.ssd_limit = max_ldt_segment *
- sizeof(struct user_segment_descriptor) - 1;
+ sldt.ssd_base = sva;
+ sldt.ssd_limit = sz - 1;
sldt.ssd_type = SDT_SYSLDT;
sldt.ssd_dpl = SEL_KPL;
sldt.ssd_p = 1;
@@ -475,8 +479,8 @@
mtx_lock(&dt_lock);
pldt = mdp->md_ldt;
if (pldt != NULL && !force) {
- kmem_free(kernel_arena, (vm_offset_t)new_ldt->ldt_base,
- max_ldt_segment * sizeof(struct user_segment_descriptor));
+ pmap_pti_remove_kva(sva, sva + sz);
+ kmem_free(kernel_arena, sva, sz);
free(new_ldt, M_SUBPROC);
return (pldt);
}
@@ -518,10 +522,14 @@
static void
user_ldt_derefl(struct proc_ldt *pldt)
{
+ vm_offset_t sva;
+ vm_size_t sz;
if (--pldt->ldt_refcnt == 0) {
- kmem_free(kernel_arena, (vm_offset_t)pldt->ldt_base,
- max_ldt_segment * sizeof(struct user_segment_descriptor));
+ sva = (vm_offset_t)pldt->ldt_base;
+ sz = max_ldt_segment * sizeof(struct user_segment_descriptor);
+ pmap_pti_remove_kva(sva, sva + sz);
+ kmem_free(kernel_arena, sva, sz);
free(pldt, M_SUBPROC);
}
}
Index: sys/amd64/amd64/trap.c
===================================================================
--- sys/amd64/amd64/trap.c (版本 330566)
+++ sys/amd64/amd64/trap.c (版本 330908)
@@ -218,11 +218,6 @@
#endif
}
- if (type == T_MCHK) {
- mca_intr();
- goto out;
- }
-
if ((frame->tf_rflags & PSL_I) == 0) {
/*
* Buggy application or kernel code has disabled
@@ -452,9 +447,28 @@
* problem here and not have to check all the
* selectors and pointers when the user changes
* them.
+ *
+ * In case of PTI, the IRETQ faulted while the
+ * kernel used the pti stack, and exception
+ * frame records %rsp value pointing to that
+ * stack. If we return normally to
+ * doreti_iret_fault, the trapframe is
+ * reconstructed on pti stack, and calltrap()
+ * called on it as well. Due to the very
+ * limited pti stack size, kernel does not
+ * survive for too long. Switch to the normal
+ * thread stack for the trap handling.
+ *
+ * Magic '5' is the number of qwords occupied by
+ * the hardware trap frame.
*/
if (frame->tf_rip == (long)doreti_iret) {
frame->tf_rip = (long)doreti_iret_fault;
+ if (pti && frame->tf_rsp == (uintptr_t)PCPU_PTR(
+ pti_stack) + (PC_PTI_STACK_SZ - 5) *
+ sizeof(register_t))
+ frame->tf_rsp = PCPU_GET(rsp0) - 5 *
+ sizeof(register_t);
goto out;
}
if (frame->tf_rip == (long)ld_ds) {
@@ -694,6 +708,17 @@
}
/*
+ * If nx protection of the usermode portion of kernel page
+ * tables caused trap, panic.
+ */
+ if (pti && usermode && pg_nx != 0 && (frame->tf_err & (PGEX_P | PGEX_W |
+ PGEX_U | PGEX_I)) == (PGEX_P | PGEX_U | PGEX_I) &&
+ (curpcb->pcb_saved_ucr3 & ~CR3_PCID_MASK)==
+ (PCPU_GET(curpmap)->pm_cr3 & ~CR3_PCID_MASK))
+ panic("PTI: pid %d comm %s tf_err %#lx\n", p->p_pid,
+ p->p_comm, frame->tf_err);
+
+ /*
* PGEX_I is defined only if the execute disable bit capability is
* supported and enabled.
*/
Index: sys/amd64/amd64/vm_machdep.c
===================================================================
--- sys/amd64/amd64/vm_machdep.c (版本 330566)
+++ sys/amd64/amd64/vm_machdep.c (版本 330908)
@@ -339,6 +339,8 @@
* Clean TSS/iomap
*/
if (pcb->pcb_tssp != NULL) {
+ pmap_pti_remove_kva((vm_offset_t)pcb->pcb_tssp,
+ (vm_offset_t)pcb->pcb_tssp + ctob(IOPAGES + 1));
kmem_free(kernel_arena, (vm_offset_t)pcb->pcb_tssp,
ctob(IOPAGES + 1));
pcb->pcb_tssp = NULL;
Index: sys/amd64/ia32/ia32_exception.S
===================================================================
--- sys/amd64/ia32/ia32_exception.S (版本 330566)
+++ sys/amd64/ia32/ia32_exception.S (版本 330908)
@@ -40,24 +40,27 @@
* that it originated in supervisor mode and skip the swapgs.
*/
SUPERALIGN_TEXT
+IDTVEC(int0x80_syscall_pti)
+ PTI_UENTRY has_err=0
+ jmp int0x80_syscall_common
+ SUPERALIGN_TEXT
IDTVEC(int0x80_syscall)
swapgs
+int0x80_syscall_common:
pushq $2 /* sizeof "int 0x80" */
subq $TF_ERR,%rsp /* skip over tf_trapno */
movq %rdi,TF_RDI(%rsp)
movq PCPU(CURPCB),%rdi
andl $~PCB_FULL_IRET,PCB_FLAGS(%rdi)
- movw %fs,TF_FS(%rsp)
- movw %gs,TF_GS(%rsp)
- movw %es,TF_ES(%rsp)
- movw %ds,TF_DS(%rsp)
+ SAVE_SEGS
+ movq %rax,TF_RAX(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ call handle_ibrs_entry
sti
movq %rsi,TF_RSI(%rsp)
- movq %rdx,TF_RDX(%rsp)
- movq %rcx,TF_RCX(%rsp)
movq %r8,TF_R8(%rsp)
movq %r9,TF_R9(%rsp)
- movq %rax,TF_RAX(%rsp)
movq %rbx,TF_RBX(%rsp)
movq %rbp,TF_RBP(%rsp)
movq %r10,TF_R10(%rsp)
Index: sys/amd64/ia32/ia32_syscall.c
===================================================================
--- sys/amd64/ia32/ia32_syscall.c (版本 330566)
+++ sys/amd64/ia32/ia32_syscall.c (版本 330908)
@@ -93,7 +93,8 @@
#define IDTVEC(name) __CONCAT(X,name)
-extern inthand_t IDTVEC(int0x80_syscall), IDTVEC(rsvd);
+extern inthand_t IDTVEC(int0x80_syscall), IDTVEC(int0x80_syscall_pti),
+ IDTVEC(rsvd), IDTVEC(rsvd_pti);
void ia32_syscall(struct trapframe *frame); /* Called from asm code */
@@ -205,7 +206,8 @@
ia32_syscall_enable(void *dummy)
{
- setidt(IDT_SYSCALL, &IDTVEC(int0x80_syscall), SDT_SYSIGT, SEL_UPL, 0);
+ setidt(IDT_SYSCALL, pti ? &IDTVEC(int0x80_syscall_pti) :
+ &IDTVEC(int0x80_syscall), SDT_SYSIGT, SEL_UPL, 0);
}
static void
@@ -212,7 +214,8 @@
ia32_syscall_disable(void *dummy)
{
- setidt(IDT_SYSCALL, &IDTVEC(rsvd), SDT_SYSIGT, SEL_KPL, 0);
+ setidt(IDT_SYSCALL, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd),
+ SDT_SYSIGT, SEL_KPL, 0);
}
SYSINIT(ia32_syscall, SI_SUB_EXEC, SI_ORDER_ANY, ia32_syscall_enable, NULL);
Index: sys/amd64/include/asmacros.h
===================================================================
--- sys/amd64/include/asmacros.h (版本 330566)
+++ sys/amd64/include/asmacros.h (版本 330908)
@@ -1,7 +1,15 @@
+/* -*- mode: asm -*- */
/*-
* Copyright (c) 1993 The Regents of the University of California.
* All rights reserved.
*
+ * Copyright (c) 2018 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * Portions of this software were developed by
+ * Konstantin Belousov <kib@FreeBSD.org> under sponsorship from
+ * the FreeBSD Foundation.
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
@@ -144,70 +152,135 @@
#ifdef LOCORE
/*
+ * Access per-CPU data.
+ */
+#define PCPU(member) %gs:PC_ ## member
+#define PCPU_ADDR(member, reg) \
+ movq %gs:PC_PRVSPACE, reg ; \
+ addq $PC_ ## member, reg
+
+/*
* Convenience macro for declaring interrupt entry points.
*/
#define IDTVEC(name) ALIGN_TEXT; .globl __CONCAT(X,name); \
.type __CONCAT(X,name),@function; __CONCAT(X,name):
-/*
- * Macros to create and destroy a trap frame.
- */
-#define PUSH_FRAME \
- subq $TF_RIP,%rsp ; /* skip dummy tf_err and tf_trapno */ \
- testb $SEL_RPL_MASK,TF_CS(%rsp) ; /* come from kernel? */ \
- jz 1f ; /* Yes, dont swapgs again */ \
- swapgs ; \
-1: movq %rdi,TF_RDI(%rsp) ; \
- movq %rsi,TF_RSI(%rsp) ; \
- movq %rdx,TF_RDX(%rsp) ; \
- movq %rcx,TF_RCX(%rsp) ; \
- movq %r8,TF_R8(%rsp) ; \
- movq %r9,TF_R9(%rsp) ; \
- movq %rax,TF_RAX(%rsp) ; \
- movq %rbx,TF_RBX(%rsp) ; \
- movq %rbp,TF_RBP(%rsp) ; \
- movq %r10,TF_R10(%rsp) ; \
- movq %r11,TF_R11(%rsp) ; \
- movq %r12,TF_R12(%rsp) ; \
- movq %r13,TF_R13(%rsp) ; \
- movq %r14,TF_R14(%rsp) ; \
- movq %r15,TF_R15(%rsp) ; \
- movw %fs,TF_FS(%rsp) ; \
- movw %gs,TF_GS(%rsp) ; \
- movw %es,TF_ES(%rsp) ; \
- movw %ds,TF_DS(%rsp) ; \
- movl $TF_HASSEGS,TF_FLAGS(%rsp) ; \
+ .macro SAVE_SEGS
+ movw %fs,TF_FS(%rsp)
+ movw %gs,TF_GS(%rsp)
+ movw %es,TF_ES(%rsp)
+ movw %ds,TF_DS(%rsp)
+ .endm
+
+ .macro MOVE_STACKS qw
+ .L.offset=0
+ .rept \qw
+ movq .L.offset(%rsp),%rdx
+ movq %rdx,.L.offset(%rax)
+ .L.offset=.L.offset+8
+ .endr
+ .endm
+
+ .macro PTI_UUENTRY has_err
+ movq PCPU(KCR3),%rax
+ movq %rax,%cr3
+ movq PCPU(RSP0),%rax
+ subq $PTI_SIZE,%rax
+ MOVE_STACKS ((PTI_SIZE / 8) - 1 + \has_err)
+ movq %rax,%rsp
+ popq %rdx
+ popq %rax
+ .endm
+
+ .macro PTI_UENTRY has_err
+ swapgs
+ pushq %rax
+ pushq %rdx
+ PTI_UUENTRY \has_err
+ .endm
+
+ .macro PTI_ENTRY name, cont, has_err=0
+ ALIGN_TEXT
+ .globl X\name\()_pti
+ .type X\name\()_pti,@function
+X\name\()_pti:
+ /* %rax, %rdx and possibly err not yet pushed */
+ testb $SEL_RPL_MASK,PTI_CS-(2+1-\has_err)*8(%rsp)
+ jz \cont
+ PTI_UENTRY \has_err
+ swapgs
+ jmp \cont
+ .endm
+
+ .macro PTI_INTRENTRY vec_name
+ SUPERALIGN_TEXT
+ .globl X\vec_name\()_pti
+ .type X\vec_name\()_pti,@function
+X\vec_name\()_pti:
+ testb $SEL_RPL_MASK,PTI_CS-3*8(%rsp) /* err, %rax, %rdx not pushed */
+ jz \vec_name\()_u
+ PTI_UENTRY has_err=0
+ jmp \vec_name\()_u
+ .endm
+
+ .macro INTR_PUSH_FRAME vec_name
+ SUPERALIGN_TEXT
+ .globl X\vec_name
+ .type X\vec_name,@function
+X\vec_name:
+ testb $SEL_RPL_MASK,PTI_CS-3*8(%rsp) /* come from kernel? */
+ jz \vec_name\()_u /* Yes, dont swapgs again */
+ swapgs
+\vec_name\()_u:
+ subq $TF_RIP,%rsp /* skip dummy tf_err and tf_trapno */
+ movq %rdi,TF_RDI(%rsp)
+ movq %rsi,TF_RSI(%rsp)
+ movq %rdx,TF_RDX(%rsp)
+ movq %rcx,TF_RCX(%rsp)
+ movq %r8,TF_R8(%rsp)
+ movq %r9,TF_R9(%rsp)
+ movq %rax,TF_RAX(%rsp)
+ movq %rbx,TF_RBX(%rsp)
+ movq %rbp,TF_RBP(%rsp)
+ movq %r10,TF_R10(%rsp)
+ movq %r11,TF_R11(%rsp)
+ movq %r12,TF_R12(%rsp)
+ movq %r13,TF_R13(%rsp)
+ movq %r14,TF_R14(%rsp)
+ movq %r15,TF_R15(%rsp)
+ SAVE_SEGS
+ movl $TF_HASSEGS,TF_FLAGS(%rsp)
cld
+ testb $SEL_RPL_MASK,TF_CS(%rsp) /* come from kernel ? */
+ jz 1f /* yes, leave PCB_FULL_IRET alone */
+ movq PCPU(CURPCB),%r8
+ andl $~PCB_FULL_IRET,PCB_FLAGS(%r8)
+1:
+ .endm
-#define POP_FRAME \
- movq TF_RDI(%rsp),%rdi ; \
- movq TF_RSI(%rsp),%rsi ; \
- movq TF_RDX(%rsp),%rdx ; \
- movq TF_RCX(%rsp),%rcx ; \
- movq TF_R8(%rsp),%r8 ; \
- movq TF_R9(%rsp),%r9 ; \
- movq TF_RAX(%rsp),%rax ; \
- movq TF_RBX(%rsp),%rbx ; \
- movq TF_RBP(%rsp),%rbp ; \
- movq TF_R10(%rsp),%r10 ; \
- movq TF_R11(%rsp),%r11 ; \
- movq TF_R12(%rsp),%r12 ; \
- movq TF_R13(%rsp),%r13 ; \
- movq TF_R14(%rsp),%r14 ; \
- movq TF_R15(%rsp),%r15 ; \
- testb $SEL_RPL_MASK,TF_CS(%rsp) ; /* come from kernel? */ \
- jz 1f ; /* keep kernel GS.base */ \
- cli ; \
- swapgs ; \
-1: addq $TF_RIP,%rsp /* skip over tf_err, tf_trapno */
+ .macro INTR_HANDLER vec_name
+ .text
+ PTI_INTRENTRY \vec_name
+ INTR_PUSH_FRAME \vec_name
+ .endm
-/*
- * Access per-CPU data.
- */
-#define PCPU(member) %gs:PC_ ## member
-#define PCPU_ADDR(member, reg) \
- movq %gs:PC_PRVSPACE, reg ; \
- addq $PC_ ## member, reg
+ .macro RESTORE_REGS
+ movq TF_RDI(%rsp),%rdi
+ movq TF_RSI(%rsp),%rsi
+ movq TF_RDX(%rsp),%rdx
+ movq TF_RCX(%rsp),%rcx
+ movq TF_R8(%rsp),%r8
+ movq TF_R9(%rsp),%r9
+ movq TF_RAX(%rsp),%rax
+ movq TF_RBX(%rsp),%rbx
+ movq TF_RBP(%rsp),%rbp
+ movq TF_R10(%rsp),%r10
+ movq TF_R11(%rsp),%r11
+ movq TF_R12(%rsp),%r12
+ movq TF_R13(%rsp),%r13
+ movq TF_R14(%rsp),%r14
+ movq TF_R15(%rsp),%r15
+ .endm
#endif /* LOCORE */
Index: sys/amd64/include/frame.h
===================================================================
--- sys/amd64/include/frame.h (版本 330566)
+++ sys/amd64/include/frame.h (版本 330908)
@@ -1,6 +1,50 @@
/*-
- * This file is in the public domain.
+ * SPDX-License-Identifier: BSD-2-Clause-FreeBSD
+ *
+ * Copyright (c) 2018 The FreeBSD Foundation
+ * All rights reserved.
+ *
+ * This software was developed by Konstantin Belousov <kib@FreeBSD.org>
+ * under sponsorship from the FreeBSD Foundation.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * $FreeBSD$
*/
-/* $FreeBSD$ */
+#ifndef _AMD64_FRAME_H
+#define _AMD64_FRAME_H
+
#include <x86/frame.h>
+
+struct pti_frame {
+ register_t pti_rdx;
+ register_t pti_rax;
+ register_t pti_err;
+ register_t pti_rip;
+ register_t pti_cs;
+ register_t pti_rflags;
+ register_t pti_rsp;
+ register_t pti_ss;
+};
+
+#endif
Index: sys/amd64/include/intr_machdep.h
===================================================================
--- sys/amd64/include/intr_machdep.h (版本 330566)
+++ sys/amd64/include/intr_machdep.h (版本 330908)
@@ -136,7 +136,7 @@
/*
* The following data structure holds per-cpu data, and is placed just
- * above the top of the space used for the NMI stack.
+ * above the top of the space used for the NMI and MC# stacks.
*/
struct nmi_pcpu {
register_t np_pcpu;
Index: sys/amd64/include/md_var.h
===================================================================
--- sys/amd64/include/md_var.h (版本 330566)
+++ sys/amd64/include/md_var.h (版本 330908)
@@ -35,9 +35,17 @@
#include <x86/x86_var.h>
extern uint64_t *vm_page_dump;
+extern int hw_ibrs_disable;
+/*
+ * The file "conf/ldscript.amd64" defines the symbol "kernphys". Its
+ * value is the physical address at which the kernel is loaded.
+ */
+extern char kernphys[];
+
struct savefpu;
+void amd64_conf_fast_syscall(void);
void amd64_db_resume_dbreg(void);
void amd64_syscall(struct thread *td, int traced);
void doreti_iret(void) __asm(__STRING(doreti_iret));
Index: sys/amd64/include/pcb.h
===================================================================
--- sys/amd64/include/pcb.h (版本 330566)
+++ sys/amd64/include/pcb.h (版本 330908)
@@ -90,7 +90,7 @@
/* copyin/out fault recovery */
caddr_t pcb_onfault;
- uint64_t pcb_pad0;
+ uint64_t pcb_saved_ucr3;
/* local tss, with i/o bitmap; NULL for common */
struct amd64tss *pcb_tssp;
Index: sys/amd64/include/pcpu.h
===================================================================
--- sys/amd64/include/pcpu.h (版本 330566)
+++ sys/amd64/include/pcpu.h (版本 330908)
@@ -33,6 +33,7 @@
#error "sys/cdefs.h is a prerequisite for this file"
#endif
+#define PC_PTI_STACK_SZ 16
/*
* The SMP parts are setup in pmap.c and locore.s for the BSP, and
* mp_machdep.c sets up the data for the AP's to "see" when they awake.
@@ -46,8 +47,12 @@
struct pmap *pc_curpmap; \
struct amd64tss *pc_tssp; /* TSS segment active on CPU */ \
struct amd64tss *pc_commontssp;/* Common TSS for the CPU */ \
+ uint64_t pc_kcr3; \
+ uint64_t pc_ucr3; \
+ uint64_t pc_saved_ucr3; \
register_t pc_rsp0; \
register_t pc_scratch_rsp; /* User %rsp in syscall */ \
+ register_t pc_scratch_rax; \
u_int pc_apic_id; \
u_int pc_acpi_id; /* ACPI CPU id */ \
/* Pointer to the CPU %fs descriptor */ \
@@ -61,12 +66,14 @@
uint64_t pc_pm_save_cnt; \
u_int pc_cmci_mask; /* MCx banks for CMCI */ \
uint64_t pc_dbreg[16]; /* ddb debugging regs */ \
+ uint64_t pc_pti_stack[PC_PTI_STACK_SZ]; \
int pc_dbreg_cmd; /* ddb debugging reg cmd */ \
u_int pc_vcpu_id; /* Xen vCPU ID */ \
uint32_t pc_pcid_next; \
uint32_t pc_pcid_gen; \
uint32_t pc_smp_tlb_done; /* TLB op acknowledgement */ \
- char __pad[145] /* be divisor of PAGE_SIZE \
+ uint32_t pc_ibpb_set; \
+ char __pad[96] /* be divisor of PAGE_SIZE \
after cache alignment */
#define PC_DBREG_CMD_NONE 0
Index: sys/amd64/include/pmap.h
===================================================================
--- sys/amd64/include/pmap.h (版本 330566)
+++ sys/amd64/include/pmap.h (版本 330908)
@@ -223,7 +223,11 @@
#define PMAP_PCID_NONE 0xffffffff
#define PMAP_PCID_KERN 0
#define PMAP_PCID_OVERMAX 0x1000
+#define PMAP_PCID_OVERMAX_KERN 0x800
+#define PMAP_PCID_USER_PT 0x800
+#define PMAP_NO_CR3 (~0UL)
+
#ifndef LOCORE
#include <sys/queue.h>
@@ -313,7 +317,9 @@
struct pmap {
struct mtx pm_mtx;
pml4_entry_t *pm_pml4; /* KVA of level 4 page table */
+ pml4_entry_t *pm_pml4u; /* KVA of user l4 page table */
uint64_t pm_cr3;
+ uint64_t pm_ucr3;
TAILQ_HEAD(,pv_chunk) pm_pvchunk; /* list of mappings in pmap */
cpuset_t pm_active; /* active on cpus */
enum pmap_type pm_type; /* regular or nested tables */
@@ -419,6 +425,12 @@
void pmap_get_mapping(pmap_t pmap, vm_offset_t va, uint64_t *ptr, int *num);
boolean_t pmap_map_io_transient(vm_page_t *, vm_offset_t *, int, boolean_t);
void pmap_unmap_io_transient(vm_page_t *, vm_offset_t *, int, boolean_t);
+void pmap_pti_add_kva(vm_offset_t sva, vm_offset_t eva, bool exec);
+void pmap_pti_remove_kva(vm_offset_t sva, vm_offset_t eva);
+void pmap_pti_pcid_invalidate(uint64_t ucr3, uint64_t kcr3);
+void pmap_pti_pcid_invlpg(uint64_t ucr3, uint64_t kcr3, vm_offset_t va);
+void pmap_pti_pcid_invlrng(uint64_t ucr3, uint64_t kcr3, vm_offset_t sva,
+ vm_offset_t eva);
#endif /* _KERNEL */
/* Return various clipped indexes for a given VA */
Index: sys/amd64/include/smp.h
===================================================================
--- sys/amd64/include/smp.h (版本 330566)
+++ sys/amd64/include/smp.h (版本 330908)
@@ -28,12 +28,36 @@
/* IPI handlers */
inthand_t
+ IDTVEC(justreturn), /* interrupt CPU with minimum overhead */
+ IDTVEC(justreturn1_pti),
+ IDTVEC(invltlb_pti),
+ IDTVEC(invltlb_pcid_pti),
IDTVEC(invltlb_pcid), /* TLB shootdowns - global, pcid */
- IDTVEC(invltlb_invpcid),/* TLB shootdowns - global, invpcid */
- IDTVEC(justreturn); /* interrupt CPU with minimum overhead */
+ IDTVEC(invltlb_invpcid_pti_pti),
+ IDTVEC(invltlb_invpcid_nopti),
+ IDTVEC(invlpg_pti),
+ IDTVEC(invlpg_invpcid_pti),
+ IDTVEC(invlpg_invpcid),
+ IDTVEC(invlpg_pcid_pti),
+ IDTVEC(invlpg_pcid),
+ IDTVEC(invlrng_pti),
+ IDTVEC(invlrng_invpcid_pti),
+ IDTVEC(invlrng_invpcid),
+ IDTVEC(invlrng_pcid_pti),
+ IDTVEC(invlrng_pcid),
+ IDTVEC(invlcache_pti),
+ IDTVEC(ipi_intr_bitmap_handler_pti),
+ IDTVEC(cpustop_pti),
+ IDTVEC(cpususpend_pti),
+ IDTVEC(rendezvous_pti);
void invltlb_pcid_handler(void);
void invltlb_invpcid_handler(void);
+void invltlb_invpcid_pti_handler(void);
+void invlpg_invpcid_handler(void);
+void invlpg_pcid_handler(void);
+void invlrng_invpcid_handler(void);
+void invlrng_pcid_handler(void);
int native_start_all_aps(void);
#endif /* !LOCORE */
Index: sys/amd64/vmm/vmm.c
===================================================================
--- sys/amd64/vmm/vmm.c (版本 330566)
+++ sys/amd64/vmm/vmm.c (版本 330908)
@@ -55,6 +55,7 @@
#include <machine/cpu.h>
#include <machine/pcb.h>
#include <machine/smp.h>
+#include <machine/md_var.h>
#include <x86/psl.h>
#include <x86/apicreg.h>
@@ -325,7 +326,8 @@
vmm_host_state_init();
- vmm_ipinum = lapic_ipi_alloc(&IDTVEC(justreturn));
+ vmm_ipinum = lapic_ipi_alloc(pti ? &IDTVEC(justreturn1_pti) :
+ &IDTVEC(justreturn));
if (vmm_ipinum < 0)
vmm_ipinum = IPI_AST;
Index: sys/conf/newvers.sh
===================================================================
--- sys/conf/newvers.sh (版本 330566)
+++ sys/conf/newvers.sh (版本 330908)
@@ -44,7 +44,7 @@
TYPE="FreeBSD"
REVISION="11.1"
-BRANCH="RELEASE-p7"
+BRANCH="RELEASE-p8"
if [ -n "${BRANCH_OVERRIDE}" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
Index: sys/dev/hyperv/vmbus/amd64/vmbus_vector.S
===================================================================
--- sys/dev/hyperv/vmbus/amd64/vmbus_vector.S (版本 330566)
+++ sys/dev/hyperv/vmbus/amd64/vmbus_vector.S (版本 330908)
@@ -26,11 +26,11 @@
* $FreeBSD$
*/
+#include "assym.s"
+
#include <machine/asmacros.h>
#include <machine/specialreg.h>
-#include "assym.s"
-
/*
* This is the Hyper-V vmbus channel direct callback interrupt.
* Only used when it is running on Hyper-V.
@@ -37,8 +37,7 @@
*/
.text
SUPERALIGN_TEXT
-IDTVEC(vmbus_isr)
- PUSH_FRAME
+ INTR_HANDLER vmbus_isr
FAKE_MCOUNT(TF_RIP(%rsp))
movq %rsp, %rdi
call vmbus_handle_intr
Index: sys/dev/hyperv/vmbus/vmbus.c
===================================================================
--- sys/dev/hyperv/vmbus/vmbus.c (版本 330566)
+++ sys/dev/hyperv/vmbus/vmbus.c (版本 330908)
@@ -46,6 +46,7 @@
#include <machine/bus.h>
#include <machine/intr_machdep.h>
+#include <machine/md_var.h>
#include <machine/resource.h>
#include <x86/include/apicvar.h>
@@ -128,7 +129,7 @@
static struct vmbus_softc *vmbus_sc;
-extern inthand_t IDTVEC(vmbus_isr);
+extern inthand_t IDTVEC(vmbus_isr), IDTVEC(vmbus_isr_pti);
static const uint32_t vmbus_version[] = {
VMBUS_VERSION_WIN8_1,
@@ -928,7 +929,8 @@
* All Hyper-V ISR required resources are setup, now let's find a
* free IDT vector for Hyper-V ISR and set it up.
*/
- sc->vmbus_idtvec = lapic_ipi_alloc(IDTVEC(vmbus_isr));
+ sc->vmbus_idtvec = lapic_ipi_alloc(pti ? IDTVEC(vmbus_isr_pti) :
+ IDTVEC(vmbus_isr));
if (sc->vmbus_idtvec < 0) {
device_printf(sc->vmbus_dev, "cannot find free IDT vector\n");
return ENXIO;
Index: sys/i386/i386/exception.s
===================================================================
--- sys/i386/i386/exception.s (版本 330566)
+++ sys/i386/i386/exception.s (版本 330908)
@@ -133,6 +133,7 @@
TRAP(T_PAGEFLT)
IDTVEC(mchk)
pushl $0; TRAP(T_MCHK)
+IDTVEC(rsvd_pti)
IDTVEC(rsvd)
pushl $0; TRAP(T_RESERVED)
IDTVEC(fpu)
Index: sys/i386/i386/support.s
===================================================================
--- sys/i386/i386/support.s (版本 330566)
+++ sys/i386/i386/support.s (版本 330908)
@@ -830,3 +830,11 @@
movl $0,PCB_ONFAULT(%ecx)
movl $EFAULT,%eax
ret
+
+ENTRY(handle_ibrs_entry)
+ ret
+END(handle_ibrs_entry)
+
+ENTRY(handle_ibrs_exit)
+ ret
+END(handle_ibrs_exit)
Index: sys/x86/include/apicvar.h
===================================================================
--- sys/x86/include/apicvar.h (版本 330566)
+++ sys/x86/include/apicvar.h (版本 330908)
@@ -179,7 +179,11 @@
IDTVEC(apic_isr1), IDTVEC(apic_isr2), IDTVEC(apic_isr3),
IDTVEC(apic_isr4), IDTVEC(apic_isr5), IDTVEC(apic_isr6),
IDTVEC(apic_isr7), IDTVEC(cmcint), IDTVEC(errorint),
- IDTVEC(spuriousint), IDTVEC(timerint);
+ IDTVEC(spuriousint), IDTVEC(timerint),
+ IDTVEC(apic_isr1_pti), IDTVEC(apic_isr2_pti), IDTVEC(apic_isr3_pti),
+ IDTVEC(apic_isr4_pti), IDTVEC(apic_isr5_pti), IDTVEC(apic_isr6_pti),
+ IDTVEC(apic_isr7_pti), IDTVEC(cmcint_pti), IDTVEC(errorint_pti),
+ IDTVEC(spuriousint_pti), IDTVEC(timerint_pti);
extern vm_paddr_t lapic_paddr;
extern int apic_cpuids[];
Index: sys/x86/include/x86_var.h
===================================================================
--- sys/x86/include/x86_var.h (版本 330566)
+++ sys/x86/include/x86_var.h (版本 330908)
@@ -50,6 +50,8 @@
extern u_int cpu_clflush_line_size;
extern u_int cpu_stdext_feature;
extern u_int cpu_stdext_feature2;
+extern u_int cpu_stdext_feature3;
+extern uint64_t cpu_ia32_arch_caps;
extern u_int cpu_fxsr;
extern u_int cpu_high;
extern u_int cpu_id;
@@ -78,6 +80,7 @@
extern int _ugssel;
extern int use_xsave;
extern uint64_t xsave_mask;
+extern int pti;
struct pcb;
struct thread;
@@ -115,7 +118,9 @@
void cpu_setregs(void);
void dump_add_page(vm_paddr_t);
void dump_drop_page(vm_paddr_t);
-void identify_cpu(void);
+void finishidentcpu(void);
+void identify_cpu1(void);
+void identify_cpu2(void);
void initializecpu(void);
void initializecpucache(void);
bool fix_cpuid(void);
@@ -122,11 +127,15 @@
void fillw(int /*u_short*/ pat, void *base, size_t cnt);
int is_physical_memory(vm_paddr_t addr);
int isa_nmi(int cd);
+void handle_ibrs_entry(void);
+void handle_ibrs_exit(void);
+void hw_ibrs_recalculate(void);
void nmi_call_kdb(u_int cpu, u_int type, struct trapframe *frame);
void nmi_call_kdb_smp(u_int type, struct trapframe *frame);
void nmi_handle_intr(u_int type, struct trapframe *frame);
void pagecopy(void *from, void *to);
void printcpuinfo(void);
+int pti_get_default(void);
int user_dbreg_trap(void);
int minidumpsys(struct dumperinfo *);
struct pcb *get_pcb_td(struct thread *td);
Index: usr.sbin/ntp/config.h
===================================================================
--- usr.sbin/ntp/config.h (版本 330566)
+++ usr.sbin/ntp/config.h (版本 330908)
@@ -1396,9 +1396,6 @@
/* Should we NOT read /dev/kmem? */
#define NOKMEM 1
-/* Define to 1 if your C compiler doesn't accept -c and -o together. */
-/* #undef NO_MINUS_C_MINUS_O */
-
/* Should we avoid #warning on option name collisions? */
/* #undef NO_OPTION_NAME_WARNINGS */
@@ -1448,7 +1445,7 @@
#define PACKAGE_NAME "ntp"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "ntp 4.2.8p10"
+#define PACKAGE_STRING "ntp 4.2.8p11"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "ntp"
@@ -1457,10 +1454,10 @@
#define PACKAGE_URL "http://www.ntp.org./"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "4.2.8p10"
+#define PACKAGE_VERSION "4.2.8p11"
/* data dir */
-#define PERLLIBDIR "/usr/local/share/ntp/lib"
+#define PERLLIBDIR "/usr/share/ntp/lib"
/* define to a working POSIX compliant shell */
#define POSIX_SHELL "/bin/sh"
@@ -1638,7 +1635,7 @@
/* #undef USE_UDP_SIGPOLL */
/* Version number of package */
-#define VERSION "4.2.8p10"
+#define VERSION "4.2.8p11"
/* vsnprintf expands "%m" to strerror(errno) */
/* #undef VSNPRINTF_PERCENT_M */
@@ -1815,5 +1812,5 @@
/*
* FreeBSD specific: Explicitly specify date/time for reproducible build.
*/
-#define MKREPRO_DATE "Mar 22 2017"
-#define MKREPRO_TIME "05:40:15"
+#define MKREPRO_DATE "Feb 28 2018"
+#define MKREPRO_TIME "06:33:03"
Index: usr.sbin/ntp/doc/ntpd.8
===================================================================
--- usr.sbin/ntp/doc/ntpd.8 (版本 330566)
+++ usr.sbin/ntp/doc/ntpd.8 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPD 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:23 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:47 PM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: usr.sbin/ntp/ntp-keygen/Makefile
===================================================================
--- usr.sbin/ntp/ntp-keygen/Makefile (版本 330566)
+++ usr.sbin/ntp/ntp-keygen/Makefile (版本 330908)
@@ -20,7 +20,7 @@
-I${.CURDIR}/lib/libc/${MACHINE_ARCH} \
-I${.CURDIR:H}
-LIBADD+= ntp opts pthread
+LIBADD+= m ntp opts pthread
.if ${MK_OPENSSL} != "no"
LIBADD+= crypto
Index: contrib/file/aclocal.m4
===================================================================
--- contrib/file/aclocal.m4 (版本 330566)
+++ contrib/file/aclocal.m4 (版本 330908)
@@ -21,7 +21,7 @@
To do so, use the procedure documented by the package, typically 'autoreconf'.])])
# visibility.m4 serial 5 (gettext-0.18.2)
-dnl Copyright (C) 2005, 2008, 2010-2014 Free Software Foundation, Inc.
+dnl Copyright (C) 2005, 2008, 2010-2016 Free Software Foundation, Inc.
dnl This file is free software; the Free Software Foundation
dnl gives unlimited permission to copy and/or distribute it,
dnl with or without modifications, as long as this notice is preserved.
Index: contrib/file/configure.ac
===================================================================
--- contrib/file/configure.ac (版本 330566)
+++ contrib/file/configure.ac (版本 330908)
@@ -1,5 +1,5 @@
dnl Process this file with autoconf to produce a configure script.
-AC_INIT([file],[5.29],[christos@astron.com])
+AC_INIT([file],[5.32],[christos@astron.com])
AM_INIT_AUTOMAKE([subdir-objects foreign])
m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
Index: contrib/file/magic/Localstuff
===================================================================
--- contrib/file/magic/Localstuff (版本 330566)
+++ contrib/file/magic/Localstuff (版本 330908)
@@ -2,6 +2,6 @@
#------------------------------------------------------------------------------
# Localstuff: file(1) magic for locally observed files
#
-# $File: Localstuff,v 1.4 2003/03/23 04:17:27 christos Exp $
+# $File: Localstuff,v 1.5 2007/01/12 17:38:27 christos Exp $
# Add any locally observed files here. Remember:
# text if readable, executable if runnable binary, data if unreadable.
Index: contrib/file/magic/Magdir/android
===================================================================
--- contrib/file/magic/Magdir/android (版本 330566)
+++ contrib/file/magic/Magdir/android (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------
-# $File: android,v 1.9 2016/01/11 21:19:18 christos Exp $
+# $File: android,v 1.10 2017/03/17 21:35:28 christos Exp $
# Various android related magic entries
#------------------------------------------------------------
@@ -61,9 +61,9 @@
# http://forum.xda-developers.com/showthread.php?t=816449
# Partition Information Table for Samsung's smartphone with Android
# used by flash software Odin
-0 ulelong 0x12349876
+0 ulelong 0x12349876
# 1st pit entry marker
->0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
+>0x01C ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
# minimal 13 and maximal 18 PIT entries found
>>4 ulelong <128 Partition Information Table for Samsung smartphone
>>>4 ulelong x \b, %d entries
@@ -109,9 +109,9 @@
0 name PIT-entry
# garbage value implies end of pit entries
->0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
+>0x00 ulequad&0xFFFFFFFCFFFFFFFC =0x0000000000000000
# skip empty partition name
->>0x24 ubyte !0
+>>0x24 ubyte !0
# partition name
>>>0x24 string >\0 %-.32s
# flags
@@ -122,7 +122,7 @@
>>>0x08 ulelong x (0x%x)
# filename
>>>0x44 string >\0 "%-.64s"
-#>>>0x18 ulelong >0
+#>>>0x18 ulelong >0
# blocksize in 512 byte units ?
#>>>>0x18 ulelong x \b, %db
# partition size in blocks ?
Index: sys/x86/x86/cpu_machdep.c
===================================================================
--- sys/x86/x86/cpu_machdep.c (版本 330566)
+++ sys/x86/x86/cpu_machdep.c (版本 330908)
@@ -139,6 +139,12 @@
int *state;
/*
+ * A comment in Linux patch claims that 'CPUs run faster with
+ * speculation protection disabled. All CPU threads in a core
+ * must disable speculation protection for it to be
+ * disabled. Disable it while we are idle so the other
+ * hyperthread can run fast.'
+ *
* XXXKIB. Software coordination mode should be supported,
* but all Intel CPUs provide hardware coordination.
*/
@@ -147,9 +153,11 @@
KASSERT(*state == STATE_SLEEPING,
("cpu_mwait_cx: wrong monitorbuf state"));
*state = STATE_MWAIT;
+ handle_ibrs_entry();
cpu_monitor(state, 0, 0);
if (*state == STATE_MWAIT)
cpu_mwait(MWAIT_INTRBREAK, mwait_hint);
+ handle_ibrs_exit();
/*
* We should exit on any event that interrupts mwait, because
@@ -578,3 +586,47 @@
nmi_call_kdb(PCPU_GET(cpuid), type, frame);
#endif
}
+
+int hw_ibrs_active;
+int hw_ibrs_disable = 1;
+
+SYSCTL_INT(_hw, OID_AUTO, ibrs_active, CTLFLAG_RD, &hw_ibrs_active, 0,
+ "Indirect Branch Restricted Speculation active");
+
+void
+hw_ibrs_recalculate(void)
+{
+ uint64_t v;
+
+ if ((cpu_ia32_arch_caps & IA32_ARCH_CAP_IBRS_ALL) != 0) {
+ if (hw_ibrs_disable) {
+ v= rdmsr(MSR_IA32_SPEC_CTRL);
+ v &= ~(uint64_t)IA32_SPEC_CTRL_IBRS;
+ wrmsr(MSR_IA32_SPEC_CTRL, v);
+ } else {
+ v= rdmsr(MSR_IA32_SPEC_CTRL);
+ v |= IA32_SPEC_CTRL_IBRS;
+ wrmsr(MSR_IA32_SPEC_CTRL, v);
+ }
+ return;
+ }
+ hw_ibrs_active = (cpu_stdext_feature3 & CPUID_STDEXT3_IBPB) != 0 &&
+ !hw_ibrs_disable;
+}
+
+static int
+hw_ibrs_disable_handler(SYSCTL_HANDLER_ARGS)
+{
+ int error, val;
+
+ val = hw_ibrs_disable;
+ error = sysctl_handle_int(oidp, &val, 0, req);
+ if (error != 0 || req->newptr == NULL)
+ return (error);
+ hw_ibrs_disable = val != 0;
+ hw_ibrs_recalculate();
+ return (0);
+}
+SYSCTL_PROC(_hw, OID_AUTO, ibrs_disable, CTLTYPE_INT | CTLFLAG_RWTUN |
+ CTLFLAG_NOFETCH | CTLFLAG_MPSAFE, NULL, 0, hw_ibrs_disable_handler, "I",
+ "Disable Indirect Branch Restricted Speculation");
Index: sys/x86/x86/mp_x86.c
===================================================================
--- sys/x86/x86/mp_x86.c (版本 330566)
+++ sys/x86/x86/mp_x86.c (版本 330908)
@@ -1436,7 +1436,7 @@
*/
/* Variables needed for SMP tlb shootdown. */
-static vm_offset_t smp_tlb_addr1, smp_tlb_addr2;
+vm_offset_t smp_tlb_addr1, smp_tlb_addr2;
pmap_t smp_tlb_pmap;
volatile uint32_t smp_tlb_generation;
@@ -1509,11 +1509,11 @@
}
void
-smp_masked_invlpg(cpuset_t mask, vm_offset_t addr)
+smp_masked_invlpg(cpuset_t mask, vm_offset_t addr, pmap_t pmap)
{
if (smp_started) {
- smp_targeted_tlb_shootdown(mask, IPI_INVLPG, NULL, addr, 0);
+ smp_targeted_tlb_shootdown(mask, IPI_INVLPG, pmap, addr, 0);
#ifdef COUNT_XINVLTLB_HITS
ipi_page++;
#endif
@@ -1521,11 +1521,12 @@
}
void
-smp_masked_invlpg_range(cpuset_t mask, vm_offset_t addr1, vm_offset_t addr2)
+smp_masked_invlpg_range(cpuset_t mask, vm_offset_t addr1, vm_offset_t addr2,
+ pmap_t pmap)
{
if (smp_started) {
- smp_targeted_tlb_shootdown(mask, IPI_INVLRNG, NULL,
+ smp_targeted_tlb_shootdown(mask, IPI_INVLRNG, pmap,
addr1, addr2);
#ifdef COUNT_XINVLTLB_HITS
ipi_range++;
Index: usr.sbin/cpucontrol/cpucontrol.c
===================================================================
--- usr.sbin/cpucontrol/cpucontrol.c (版本 330566)
+++ usr.sbin/cpucontrol/cpucontrol.c (版本 330908)
@@ -60,6 +60,7 @@
#define FLAG_I 0x01
#define FLAG_M 0x02
#define FLAG_U 0x04
+#define FLAG_E 0x10
#define OP_INVAL 0x00
#define OP_READ 0x01
@@ -114,7 +115,7 @@
if (name == NULL)
name = "cpuctl";
fprintf(stderr, "Usage: %s [-vh] [-d datadir] [-m msr[=value] | "
- "-i level | -i level,level_type | -u] device\n", name);
+ "-i level | -i level,level_type | -e | -u] device\n", name);
exit(EX_USAGE);
}
@@ -338,6 +339,25 @@
}
static int
+do_eval_cpu_features(const char *dev)
+{
+ int fd, error;
+
+ assert(dev != NULL);
+
+ fd = open(dev, O_RDWR);
+ if (fd < 0) {
+ WARN(0, "error opening %s for writing", dev);
+ return (1);
+ }
+ error = ioctl(fd, CPUCTL_EVAL_CPU_FEATURES, NULL);
+ if (error < 0)
+ WARN(0, "ioctl(%s, CPUCTL_EVAL_CPU_FEATURES)", dev);
+ close(fd);
+ return (error);
+}
+
+static int
do_update(const char *dev)
{
int fd;
@@ -431,11 +451,14 @@
* Add all default data dirs to the list first.
*/
datadir_add(DEFAULT_DATADIR);
- while ((c = getopt(argc, argv, "d:hi:m:uv")) != -1) {
+ while ((c = getopt(argc, argv, "d:ehi:m:uv")) != -1) {
switch (c) {
case 'd':
datadir_add(optarg);
break;
+ case 'e':
+ flags |= FLAG_E;
+ break;
case 'i':
flags |= FLAG_I;
cmdarg = optarg;
@@ -464,22 +487,25 @@
/* NOTREACHED */
}
dev = argv[0];
- c = flags & (FLAG_I | FLAG_M | FLAG_U);
+ c = flags & (FLAG_E | FLAG_I | FLAG_M | FLAG_U);
switch (c) {
- case FLAG_I:
- if (strstr(cmdarg, ",") != NULL)
- error = do_cpuid_count(cmdarg, dev);
- else
- error = do_cpuid(cmdarg, dev);
- break;
- case FLAG_M:
- error = do_msr(cmdarg, dev);
- break;
- case FLAG_U:
- error = do_update(dev);
- break;
- default:
- usage(); /* Only one command can be selected. */
+ case FLAG_I:
+ if (strstr(cmdarg, ",") != NULL)
+ error = do_cpuid_count(cmdarg, dev);
+ else
+ error = do_cpuid(cmdarg, dev);
+ break;
+ case FLAG_M:
+ error = do_msr(cmdarg, dev);
+ break;
+ case FLAG_U:
+ error = do_update(dev);
+ break;
+ case FLAG_E:
+ error = do_eval_cpu_features(dev);
+ break;
+ default:
+ usage(); /* Only one command can be selected. */
}
SLIST_FREE(&datadirs, next, free);
return (error == 0 ? 0 : 1);
Index: usr.sbin/ntp/doc/ntp.keys.5
===================================================================
--- usr.sbin/ntp/doc/ntp.keys.5 (版本 330566)
+++ usr.sbin/ntp/doc/ntp.keys.5 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_KEYS 5 File Formats
.Os SunOS 5.10
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:22 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agmdoc-file.tpl
.Sh NAME
@@ -53,16 +53,24 @@
is a positive integer (between 1 and 65534),
.Ar type
is the message digest algorithm,
-and
.Ar key
is the key itself, and
.Ar opt_IP_list
is an optional comma\-separated list of IPs
+where the
+.Ar keyno
+should be trusted.
that are allowed to serve time.
+Each IP in
+.Ar opt_IP_list
+may contain an optional
+.Cm /subnetbits
+specification which identifies the number of bits for
+the desired subnet of trust.
If
.Ar opt_IP_list
is empty,
-any properly\-authenticated server message will be
+any properly\-authenticated message will be
accepted.
.Pp
The
Index: usr.sbin/ntp/doc/sntp.8
===================================================================
--- usr.sbin/ntp/doc/sntp.8 (版本 330566)
+++ usr.sbin/ntp/doc/sntp.8 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt SNTP 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:36:52 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:13:14 PM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -140,6 +140,11 @@
warning message will be displayed. The file will not be created.
.It Fl k Ar file\-name , Fl \-keyfile Ns = Ns Ar file\-name
Look in this file for the key specified with \fB\-a\fP.
+The default
+.Ar file\-name
+for this option is:
+.ti +4
+ /etc/ntp.keys
.sp
This option specifies the keyfile.
\fBsntp\fP will search for the key specified with \fB\-a\fP
Index: sys/x86/isa/atpic.c
===================================================================
--- sys/x86/isa/atpic.c (版本 330566)
+++ sys/x86/isa/atpic.c (版本 330908)
@@ -86,6 +86,16 @@
IDTVEC(atpic_intr9), IDTVEC(atpic_intr10), IDTVEC(atpic_intr11),
IDTVEC(atpic_intr12), IDTVEC(atpic_intr13), IDTVEC(atpic_intr14),
IDTVEC(atpic_intr15);
+/* XXXKIB i386 uses stubs until pti comes */
+inthand_t
+ IDTVEC(atpic_intr0_pti), IDTVEC(atpic_intr1_pti),
+ IDTVEC(atpic_intr2_pti), IDTVEC(atpic_intr3_pti),
+ IDTVEC(atpic_intr4_pti), IDTVEC(atpic_intr5_pti),
+ IDTVEC(atpic_intr6_pti), IDTVEC(atpic_intr7_pti),
+ IDTVEC(atpic_intr8_pti), IDTVEC(atpic_intr9_pti),
+ IDTVEC(atpic_intr10_pti), IDTVEC(atpic_intr11_pti),
+ IDTVEC(atpic_intr12_pti), IDTVEC(atpic_intr13_pti),
+ IDTVEC(atpic_intr14_pti), IDTVEC(atpic_intr15_pti);
#define IRQ(ap, ai) ((ap)->at_irqbase + (ai)->at_irq)
@@ -98,7 +108,7 @@
#define INTSRC(irq) \
{ { &atpics[(irq) / 8].at_pic }, IDTVEC(atpic_intr ## irq ), \
- (irq) % 8 }
+ IDTVEC(atpic_intr ## irq ## _pti), (irq) % 8 }
struct atpic {
struct pic at_pic;
@@ -110,7 +120,7 @@
struct atpic_intsrc {
struct intsrc at_intsrc;
- inthand_t *at_intr;
+ inthand_t *at_intr, *at_intr_pti;
int at_irq; /* Relative to PIC base. */
enum intr_trigger at_trigger;
u_long at_count;
@@ -435,7 +445,8 @@
ai->at_intsrc.is_count = &ai->at_count;
ai->at_intsrc.is_straycount = &ai->at_straycount;
setidt(((struct atpic *)ai->at_intsrc.is_pic)->at_intbase +
- ai->at_irq, ai->at_intr, SDT_ATPIC, SEL_KPL, GSEL_ATPIC);
+ ai->at_irq, pti ? ai->at_intr_pti : ai->at_intr, SDT_ATPIC,
+ SEL_KPL, GSEL_ATPIC);
}
#ifdef DEV_MCA
Index: sys/x86/x86/local_apic.c
===================================================================
--- sys/x86/x86/local_apic.c (版本 330566)
+++ sys/x86/x86/local_apic.c (版本 330908)
@@ -166,6 +166,16 @@
IDTVEC(apic_isr7), /* 224 - 255 */
};
+static inthand_t *ioint_pti_handlers[] = {
+ NULL, /* 0 - 31 */
+ IDTVEC(apic_isr1_pti), /* 32 - 63 */
+ IDTVEC(apic_isr2_pti), /* 64 - 95 */
+ IDTVEC(apic_isr3_pti), /* 96 - 127 */
+ IDTVEC(apic_isr4_pti), /* 128 - 159 */
+ IDTVEC(apic_isr5_pti), /* 160 - 191 */
+ IDTVEC(apic_isr6_pti), /* 192 - 223 */
+ IDTVEC(apic_isr7_pti), /* 224 - 255 */
+};
static u_int32_t lapic_timer_divisors[] = {
APIC_TDCR_1, APIC_TDCR_2, APIC_TDCR_4, APIC_TDCR_8, APIC_TDCR_16,
@@ -172,7 +182,7 @@
APIC_TDCR_32, APIC_TDCR_64, APIC_TDCR_128
};
-extern inthand_t IDTVEC(rsvd);
+extern inthand_t IDTVEC(rsvd_pti), IDTVEC(rsvd);
volatile char *lapic_map;
vm_paddr_t lapic_paddr;
@@ -489,15 +499,18 @@
PCPU_SET(apic_id, lapic_id());
/* Local APIC timer interrupt. */
- setidt(APIC_TIMER_INT, IDTVEC(timerint), SDT_APIC, SEL_KPL, GSEL_APIC);
+ setidt(APIC_TIMER_INT, pti ? IDTVEC(timerint_pti) : IDTVEC(timerint),
+ SDT_APIC, SEL_KPL, GSEL_APIC);
/* Local APIC error interrupt. */
- setidt(APIC_ERROR_INT, IDTVEC(errorint), SDT_APIC, SEL_KPL, GSEL_APIC);
+ setidt(APIC_ERROR_INT, pti ? IDTVEC(errorint_pti) : IDTVEC(errorint),
+ SDT_APIC, SEL_KPL, GSEL_APIC);
/* XXX: Thermal interrupt */
/* Local APIC CMCI. */
- setidt(APIC_CMC_INT, IDTVEC(cmcint), SDT_APICT, SEL_KPL, GSEL_APIC);
+ setidt(APIC_CMC_INT, pti ? IDTVEC(cmcint_pti) : IDTVEC(cmcint),
+ SDT_APICT, SEL_KPL, GSEL_APIC);
if ((resource_int_value("apic", 0, "clock", &i) != 0 || i != 0)) {
arat = 0;
@@ -1561,8 +1574,8 @@
KASSERT(vector != IDT_DTRACE_RET,
("Attempt to overwrite DTrace entry"));
#endif
- setidt(vector, ioint_handlers[vector / 32], SDT_APIC, SEL_KPL,
- GSEL_APIC);
+ setidt(vector, (pti ? ioint_pti_handlers : ioint_handlers)[vector / 32],
+ SDT_APIC, SEL_KPL, GSEL_APIC);
}
static void
@@ -1581,7 +1594,8 @@
* We can not currently clear the idt entry because other cpus
* may have a valid vector at this offset.
*/
- setidt(vector, &IDTVEC(rsvd), SDT_APICT, SEL_KPL, GSEL_APIC);
+ setidt(vector, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), SDT_APICT,
+ SEL_KPL, GSEL_APIC);
#endif
}
@@ -2084,7 +2098,8 @@
long func;
int idx, vector;
- KASSERT(ipifunc != &IDTVEC(rsvd), ("invalid ipifunc %p", ipifunc));
+ KASSERT(ipifunc != &IDTVEC(rsvd) && ipifunc != &IDTVEC(rsvd_pti),
+ ("invalid ipifunc %p", ipifunc));
vector = -1;
mtx_lock_spin(&icu_lock);
@@ -2091,7 +2106,8 @@
for (idx = IPI_DYN_FIRST; idx <= IPI_DYN_LAST; idx++) {
ip = &idt[idx];
func = (ip->gd_hioffset << 16) | ip->gd_looffset;
- if (func == (uintptr_t)&IDTVEC(rsvd)) {
+ if ((!pti && func == (uintptr_t)&IDTVEC(rsvd)) ||
+ (pti && func == (uintptr_t)&IDTVEC(rsvd_pti))) {
vector = idx;
setidt(vector, ipifunc, SDT_APIC, SEL_KPL, GSEL_APIC);
break;
@@ -2113,8 +2129,10 @@
mtx_lock_spin(&icu_lock);
ip = &idt[vector];
func = (ip->gd_hioffset << 16) | ip->gd_looffset;
- KASSERT(func != (uintptr_t)&IDTVEC(rsvd),
+ KASSERT(func != (uintptr_t)&IDTVEC(rsvd) &&
+ func != (uintptr_t)&IDTVEC(rsvd_pti),
("invalid idtfunc %#lx", func));
- setidt(vector, &IDTVEC(rsvd), SDT_APICT, SEL_KPL, GSEL_APIC);
+ setidt(vector, pti ? &IDTVEC(rsvd_pti) : &IDTVEC(rsvd), SDT_APICT,
+ SEL_KPL, GSEL_APIC);
mtx_unlock_spin(&icu_lock);
}
Index: usr.sbin/cpucontrol/cpucontrol.8
===================================================================
--- usr.sbin/cpucontrol/cpucontrol.8 (版本 330566)
+++ usr.sbin/cpucontrol/cpucontrol.8 (版本 330908)
@@ -24,7 +24,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd June 30, 2009
+.Dd January 5, 2018
.Dt CPUCONTROL 8
.Os
.Sh NAME
@@ -36,44 +36,48 @@
.Nm
.Op Fl vh
.Fl m Ar msr
-.Bk
.Ar device
.Ek
+.Bk
.Nm
.Op Fl vh
.Fl m Ar msr Ns = Ns Ar value
-.Bk
.Ar device
.Ek
+.Bk
.Nm
.Op Fl vh
.Fl m Ar msr Ns &= Ns Ar mask
-.Bk
.Ar device
.Ek
+.Bk
.Nm
.Op Fl vh
.Fl m Ar msr Ns |= Ns Ar mask
-.Bk
.Ar device
.Ek
+.Bk
.Nm
.Op Fl vh
.Fl i Ar level
-.Bk
.Ar device
.Ek
+.Bk
.Nm
.Op Fl vh
.Fl i Ar level,level_type
-.Bk
.Ar device
.Ek
+.Bk
.Nm
.Op Fl vh
.Op Fl d Ar datadir
.Fl u
+.Ar device
+.Ek
.Bk
+.Nm
+.Fl e
.Ar device
.Ek
.Sh DESCRIPTION
@@ -129,6 +133,20 @@
.Nm
utility will walk through the configured data directories
and apply all firmware updates available for this CPU.
+.It Fl e
+Re-evaluate the kernel flags indicating the present CPU features.
+This command is typically executed after a firmware update was applied
+which changes information reported by the
+.Dv CPUID
+instruction.
+.Pp
+.Bf -symbolic
+Only execute the
+.Fl e
+command after the microcode update was applied to all CPUs in the system.
+The kernel does not operate correctly if the features of processors are
+not identical.
+.Ef
.It Fl v
Increase the verbosity level.
.It Fl h
Index: usr.sbin/ntp/doc/ntp.conf.5
===================================================================
--- usr.sbin/ntp/doc/ntp.conf.5 (版本 330566)
+++ usr.sbin/ntp/doc/ntp.conf.5 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_CONF 5 File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:31:09 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -1534,6 +1534,7 @@
for packets that overflow the rate\-control window.
.It Xo Ic restrict address
.Op Cm mask Ar mask
+.Op Cm ippeerlimit Ar int
.Op Ar flag ...
.Xc
The
@@ -1559,6 +1560,15 @@
.Cm default ,
with no mask option, may
be used to indicate the default entry.
+The
+.Cm ippeerlimit
+directive limits the number of peer requests for each IP to
+.Ar int ,
+where a value of \-1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
.Cm flag
always
@@ -1609,6 +1619,18 @@
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
+.It Cm noepeer
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+.Pa ntp.keys
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+.Cm noepeer
+to become the default in ntp\-4.4.
.It Cm nomodify
Deny
.Xr ntpq 8
@@ -1626,10 +1648,10 @@
queries.
Time service is not affected.
.It Cm nopeer
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
.Cm pool
associations, so if you want to use servers from a
@@ -1637,8 +1659,9 @@
directive and also want to use
.Cm nopeer
by default, you'll want a
-.Cm "restrict source ..." line as well that does
-.It not
+.Cm "restrict source ..."
+line as well that does
+.Em not
include the
.Cm nopeer
directive.
@@ -2013,9 +2036,10 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+.El
.Ss Manycast Options
.Bl -tag -width indent
.It Xo Ic tos
@@ -2361,7 +2385,7 @@
page
(available as part of the HTML documentation
provided in
-.Pa /usr/share/doc/ntp ) .
+.Pa /usr/share/doc/ntp ).
.It Cm stratum Ar int
Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
@@ -2639,6 +2663,79 @@
.Xr ntpd 8
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
+.It Xo Ic interface
+.Oo
+.Cm listen | Cm ignore | Cm drop
+.Oc
+.Oo
+.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard
+.Ar name | Ar address
+.Oo Cm / Ar prefixlen
+.Oc
+.Oc
+.Xc
+The
+.Cm interface
+directive controls which network addresses
+.Xr ntpd 8
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+.Ar prefixlen
+determines how many bits must match for this rule to apply.
+.Cm ignore
+prevents opening matching addresses,
+.Cm drop
+causes
+.Xr ntpd 8
+to open the address and drop all received packets without examination.
+Multiple
+.Cm interface
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+.Cm interface
+directives are disabled if any
+.Fl I ,
+.Fl \-interface ,
+.Fl L ,
+or
+.Fl \-novirtualips
+command\-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+.Cm nic
+directive is an alias for
+.Cm interface .
+.It Ic leapfile Ar leapfile
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list
+or
+.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list .
+The
+.Cm leapfile
+is scanned when
+.Xr ntpd 8
+processes the
+.Cm leapfile directive or when
+.Cm ntpd detects that the
+.Ar leapfile
+has changed.
+.Cm ntpd
+checks once a day to see if the
+.Ar leapfile
+has changed.
+The
+.Xr update\-leap 1update_leapmdoc
+script can be run to see if the
+.Ar leapfile
+should be updated.
.It Ic leapsmearinterval Ar seconds
This EXPERIMENTAL option is only available if
.Xr ntpd 8
@@ -2743,6 +2840,181 @@
This is the same operation as the
.Fl l
command line option.
+.It Xo Ic mru
+.Oo
+.Cm maxdepth Ar count | Cm maxmem Ar kilobytes |
+.Cm mindepth Ar count | Cm maxage Ar seconds |
+.Cm initialloc Ar count | Cm initmem Ar kilobytes |
+.Cm incalloc Ar count | Cm incmem Ar kilobytes
+.Oc
+.Xc
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+.Bl -tag -width indent
+.It Ic maxdepth Ar count
+.It Ic maxmem Ar kilobytes
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+.Cm incalloc
+entries or
+.Cm incmem
+kilobytes larger.
+As with all of the
+.Cm mru
+options offered in units of entries or kilobytes, if both
+.Cm maxdepth
+and
+.Cm maxmem are used, the last one used controls.
+The default is 1024 kilobytes.
+.It Cm mindepth Ar count
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+.Cm mindepth
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+.It Cm maxage Ar seconds
+Once the MRU list has
+.Cm mindepth
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+.Cm maxage
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+.Cm maxdepth / moxmem .
+The default is 64 seconds.
+.It Cm initalloc Ar count
+.It Cm initmem Ar kilobytes
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+.It Cm incalloc Ar count
+.It Cm incmem Ar kilobytes
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+.El
+.It Ic nonvolatile Ar threshold
+Specify the
+.Ar threshold
+delta in seconds before an hourly change to the
+.Cm driftfile
+(frequency file) will be written, with a default value of 1e\-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+.Cm threshold
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+.It Ic phone Ar dial ...
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 \- 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 \- 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+.It Xo Ic reset
+.Oo
+.Ic allpeers
+.Oc
+.Oo
+.Ic auth
+.Oc
+.Oo
+.Ic ctl
+.Oc
+.Oo
+.Ic io
+.Oc
+.Oo
+.Ic mem
+.Oc
+.Oo
+.Ic sys
+.Oc
+.Oo
+.Ic timer
+.Oc
+.Xc
+Reset one or more groups of counters maintained by
+.Cm ntpd
+and exposed by
+.Cm ntpq
+and
+.Cm ntpdc .
+.It Xo Ic rlimit
+.Oo
+.Cm memlock Ar Nmegabytes |
+.Cm stacksize Ar N4kPages
+.Cm filenum Ar Nfiledescriptors
+.Oc
+.Xc
+.Bl -tag -width indent
+.It Cm memlock Ar Nmegabytes
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+.Fl i
+option).
+The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+.It Cm stacksize Ar N4kPages
+Specifies the maximum size of the process stack on systems with the
+.Fn mlockall
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+.It Cm filenum Ar Nfiledescriptors
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+.El
+.It Ic saveconfigdir Ar directory_path
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+.Cm saveconfig
+command.
+If
+.Cm saveconfigdir
+does not appear in the configuration file,
+.Cm saveconfig
+requests are rejected by
+.Cm ntpd .
+.It Ic saveconfig Ar filename
+Write the current configuration, including any runtime
+modifications given with
+.Cm :config
+or
+.Cm config\-from\-file
+to the
+.Cm ntpd
+host's
+.Ar filename
+in the
+.Cm saveconfigdir .
+This command will be rejected unless the
+.Cm saveconfigdir
+directive appears in
+.Cm ntpd 's
+configuration file.
+.Ar filename
+can use
+.Xr strftime 3
+format directives to substitute the current date and time,
+for example,
+.Cm saveconfig\ ntp\-%Y%m%d\-%H%M%S.conf .
+The filename used is stored in the system variable
+.Cm savedconfig .
+Authentication is required.
.It Ic setvar Ar variable Op Cm default
This command adds an additional system variable.
These
@@ -2781,6 +3053,10 @@
the names of all peer variables and the
.Va clock_var_list
holds the names of the reference clock variables.
+.It Cm sysinfo
+Display operational summary.
+.It Cm sysstats
+Show statistics counters maintained in the protocol module.
.It Xo Ic tinker
.Oo
.Cm allan Ar allan |
@@ -2870,33 +3146,18 @@
If set to zero, the stepout
pulses will not be suppressed.
.El
-.It Xo Ic rlimit
-.Oo
-.Cm memlock Ar Nmegabytes |
-.Cm stacksize Ar N4kPages
-.Cm filenum Ar Nfiledescriptors
-.Oc
-.Xc
-.Bl -tag -width indent
-.It Cm memlock Ar Nmegabytes
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-.Fl i
-option).
-The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-.It Cm stacksize Ar N4kPages
-Specifies the maximum size of the process stack on systems with the
-.Fn mlockall
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-.It Cm filenum Ar Nfiledescriptors
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-.El
+.It Cm writevar Ar assocID\ name = value [,...]
+Write (create or update) the specified variables.
+If the
+.Cm assocID
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+.Cm assocID
+is required, as the same name can occur in both name spaces.
.It Xo Ic trap Ar host_address
.Op Cm port Ar port_number
.Op Cm interface Ar interface_address
@@ -2911,6 +3172,13 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+.It Cm ttl Ar hop ...
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+.Cm manycast
+mode these values are used in\-turn in an expanding\-ring search.
+The default is eight multiples of 32 starting at 31.
.Pp
The trap receiver will generally log event messages and other
information from the server in a log file.
Index: usr.sbin/ntp/doc/ntpq.8
===================================================================
--- usr.sbin/ntp/doc/ntpq.8 (版本 330566)
+++ usr.sbin/ntp/doc/ntpq.8 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPQ 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:31 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:28 PM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -20,15 +20,12 @@
[ host ...]
.Pp
.Sh DESCRIPTION
+.Pp
The
.Nm
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -39,6 +36,7 @@
utility can also obtain and print a
list of peers in a common format by sending multiple queries to the
server.
+.Pp
If one or more request options is included on the command line
when
.Nm
@@ -56,6 +54,7 @@
.Nm
utility will prompt for
commands if the standard input is a terminal device.
+.Pp
.Nm
uses NTP mode 6 packets to communicate with the
NTP server, and hence can be used to query any compatible server on
@@ -69,6 +68,17 @@
one attempt to retransmit requests, and will time requests out if
the remote host is not heard from within a suitable timeout
time.
+.Pp
+Note that in contexts where a host name is expected, a
+.Fl 4
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+.Fl 6
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+.Dq NTP Debugging Techniques
+page.
+.Pp
Specifying a
command line option other than
.Fl i
@@ -82,51 +92,46 @@
will attempt to read
interactive format commands from the standard input.
.Ss "Internal Commands"
+.Pp
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
uniquely identify the command need be typed.
+.Pp
A
number of interactive format commands are executed entirely within
the
.Nm
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
-.Bl -tag -width "? [command_keyword]" -compact -offset indent
-.It Ic ? Op Ar command_keyword
-.It Ic help Op Ar command_keyword
+.Bl -tag -width "help [command]" -compact -offset indent
+.It Ic ? Op Ar command
+.It Ic help Op Ar command
A
.Ql \&?
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
.Nm .
A
.Ql \&?
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-.Nm
-than this manual
-page.
-.It Ic addvars Ar variable_name Ns Xo Op Ic =value
-.Ic ...
-.Xc
-.It Ic rmvars Ar variable_name Ic ...
+.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,...
+.It Ic rmvars Ar name Ns Op ,...
.It Ic clearvars
.It Ic showvars
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-.Ql variable_name=value ,
+.Ar name Ns Op \&= Ns Ar value ,
where the
-.Ql =value
+.No \&= Ns Ar value
is ignored, and can be omitted,
in requests to the server to read variables.
The
.Nm
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
.Ic readlist
and
.Ic writelist
@@ -141,35 +146,31 @@
.Ic rmvars
command can be used to remove individual variables from the list,
while the
-.Ic clearlist
+.Ic clearvars
command removes all variables from the
list.
The
.Ic showvars
command displays the current list of optional variables.
-.It Ic authenticate Op yes | no
+.It Ic authenticate Op Cm yes Ns | Ns Cm no
Normally
.Nm
does not authenticate requests unless
they are write requests.
The command
-.Ql authenticate yes
+.Ic authenticate Cm yes
causes
.Nm
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-.Ic peer
-display.
+requests slightly differently.
The command
-.Ql authenticate
+.Ic authenticate
causes
.Nm
to display whether or not
-.Nm
-is currently autheinticating requests.
+it is currently authenticating requests.
.It Ic cooked
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -178,20 +179,13 @@
values reformatted for human consumption.
Variables which
.Nm
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
.Ql \&? .
-.It Xo
-.Ic debug
-.Oo
-.Cm more |
-.Cm less |
-.Cm off
-.Oc
-.Xc
+.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
-.It Ic delay Ar milliseconds
+Otherwise, the debugging level is changed as indicated.
+.It Ic delay Op Ar milliseconds
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -200,14 +194,21 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
+.It Ic drefid Op Cm hash Ns | Ns Cm ipv4
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
.It Ic exit
Exit
.Nm .
-.It Ic host Ar hostname
+.It Ic host Op Ar name
Set the host to which future queries will be sent.
-.Ar hostname
+The
+.Ar name
may be either a host name or a numeric address.
-.It Ic hostnames Op Cm yes | Cm no
+Without any arguments, displays the current host.
+.It Ic hostnames Op Cm yes Ns | Ns Cm no
If
.Cm yes
is specified, host names are printed in
@@ -222,7 +223,9 @@
modified using the command line
.Fl n
switch.
-.It Ic keyid Ar keyid
+Without any arguments, displays whether host names or numeric addresses
+are shown.
+.It Ic keyid Op Ar keyid
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -230,28 +233,20 @@
.Cm controlkey
key number the server has been configured to use for this
purpose.
-.It Ic keytype Xo Oo
-.Cm md5 |
-.Cm OpenSSLDigestType
-.Oc
-.Xc
-Specify the type of key to use for authenticating requests.
-.Cm md5
-is alway supported.
+Without any arguments, displays the current
+.Ar keyid .
+.It Ic keytype Op Ar digest
+Specify the digest algorithm to use for authenticating requests, with default
+.Cm MD5 .
If
.Nm
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+.Ar digest
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-.Ic keytype
-is displayed.
-.It Ic ntpversion Xo Oo
-.Cm 1 |
-.Cm 2 |
-.Cm 3 |
-.Cm 4
-.Oc
-.Xc
+.Ic keytype Ar digest
+algorithm used is displayed.
+.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4
Sets the NTP version number which
.Nm
claims in
@@ -269,13 +264,11 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-.\" Not yet implemented.
-.\" .It Ic poll
-.\" .Op Ar n
-.\" .Op Ic verbose
-.\" Poll an NTP server in client mode
-.\" .Ar n
-.\" times.
+.It Ic poll Oo Ar n Oc Op Cm verbose
+Poll an NTP server in client mode
+.Ar n
+times.
+Poll not implemented yet.
.It Ic quit
Exit
.Nm .
@@ -285,95 +278,150 @@
The only formating/interpretation done on
the data is to transform nonascii data into a printable (but barely
understandable) form.
-.It Ic timeout Ar milliseconds
+.It Ic timeout Op Ar milliseconds
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
.Nm
retries each query once after a timeout, the total waiting time for
a timeout will be twice the timeout value set.
.It Ic version
-Print the version of the
+Display the version of the
.Nm
program.
.El
.Ss "Control Message Commands"
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode\-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
-.Li peers
+.Ic peers
command, which sends a series of messages,
and the
-.Li mreadlist
+.Ic mreadlist
and
-.Li mreadvar
+.Ic mreadvar
commands, which iterate over a range of associations.
.Bl -tag -width "something" -compact -offset indent
-.It Cm associations
+.It Ic apeers
+Display a list of peers in the form:
+.Dl [tally]remote refid assid st t when pool reach delay offset jitter
+where the output is just like the
+.Ic peers
+command except that the
+.Cm refid
+is displayed in hex format and the association number is also displayed.
+.It Ic associations
Display a list of mobilized associations in the form:
.Dl ind assid status conf reach auth condition last_event cnt
-.Bl -column -offset indent ".Sy Variable" ".Sy Description"
-.It Sy String Ta Sy Description
-.It Li ind Ta index on this list
-.It Li assid Ta association ID
-.It Li status Ta peer status word
-.It Li conf Ta Li yes : persistent, Li no : ephemeral
-.It Li reach Ta Li yes : reachable, Li no : unreachable
-.It Li auth Ta Li ok , Li yes , Li bad and Li none
-.It Li condition Ta selection status (see the Li select field of the peer status word)
-.It Li last_event Ta event report (see the Li event field of the peer status word)
-.It Li cnt Ta event count (see the Li count field of the peer status word)
+.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word"
+.It Sy Variable Ta Sy Description
+.It Cm ind Ta index on this list
+.It Cm assid Ta association id
+.It Cm status Ta peer status word
+.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral
+.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable
+.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none
+.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&)
+.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&)
+.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&)
.El
-.It Cm authinfo
-Display the authentication statistics.
-.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-Display a list of clock variables for those associations supporting a reference clock.
-.It Cm :config Op ...
-Send the remainder of the command line, including whitespace, to the server as a run\-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
-.It Cm config\-from\-file Ar filename
-Send the each line of
+.It Ic authinfo
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
+.It Ic clocklist Op Ar associd
+.It Ic cl Op Ar associd
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
+.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+Display a list of clock variables for those associations supporting a
+reference clock.
+.It Ic :config Ar "configuration command line"
+Send the remainder of the command line, including whitespace, to the
+server as a run\-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+.It Ic config\-from\-file Ar filename
+Send each line of
.Ar filename
-to the server as run\-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run\-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
.It Ic ifstats
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
.It Ic iostats
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
.It Ic kerninfo
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
.It Ic lassociations
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
-.It Ic lopeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
+.It Ic lopeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients showing
+.Cm dstadr
+(associated with the given IP version).
+.It Ic lpassociations
+Display the last obtained list of associations, including all clients.
+.It Ic lpeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients (associated with the given IP version).
+.It Ic monstats
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
+.It Ic mreadlist Ar associdlo Ar associdhi
+.It Ic mrl Ar associdlo Ar associdhi
+Perform the same function as the
+.Ic readlist
+command for a range of association ids.
+.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+This range may be determined from the list displayed by any
+command showing associations.
+.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+Perform the same function as the
+.Ic readvar
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count |
+.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder |
+.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc
.Xc
-Obtain and print a list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version).
-.It Ic lpeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
-.Xc
-Print a peer spreadsheet for the appropriate IP version(s).
-.Ar dstadr
-(associated with any given IP version).
-.It Ic monstats
-Display monitor facility statistics.
-.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc
-Obtain and print traffic counts collected and maintained by the monitor facility.
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-.Cm sort Ns = Ns Ar sortorder ,
+.Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder ,
the options filter the list returned by
-.Cm ntpd.
+.Xr ntpd 8 .
The
.Cm limited
and
.Cm kod
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
.Cm mincount Ns = Ns Ar count
option filters entries representing less than
@@ -394,18 +442,21 @@
.Ar sortorder
defaults to
.Cm lstint
-and may be any of
+and may be
.Cm addr ,
+.Cm avgint ,
.Cm count ,
-.Cm avgint ,
.Cm lstint ,
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+.Ql \&\-
+to reverse the sort order.
The output columns are:
.Bl -tag -width "something" -compact -offset indent
.It Column
Description
.It Ic lstint
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
.Nm .
.It Ic avgint
Average interval in s between packets from this address.
@@ -413,7 +464,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
.Ic restrict
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
.It Ic r
Rate control indicator, either
a period,
@@ -431,27 +483,15 @@
.It Ic rport
Source port of last packet from this address.
.It Ic remote address
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
.El
-.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-Perform the same function as the
-.Ic readvar
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-.Ic associations
-command.
-.It Ic opeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
-.Xc
+.It Ic opeers Op Fl 4 | Fl 6
Obtain and print the old\-style list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version),
+.Cm dstadr
+(associated with the given IP version),
rather than the
-.Ar refid .
+.Cm refid .
.It Ic passociations
Perform the same function as the
.Ic associations
@@ -463,28 +503,32 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic [tally]
+.It Cm [tally]
single\-character code indicating current value of the
.Ic select
field of the
.Lk decode.html#peer "peer status word"
-.It Ic remote
+.It Cm remote
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+.Nm
.Fl w
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
-.It Ic refid
-association ID or
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
+.It Cm refid
+source IP address or
.Lk decode.html#kiss "'kiss code"
-.It Ic st
-stratum
-.It Ic t
+.It Cm st
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
+.It Cm t
.Ic u :
unicast or manycast client,
.Ic b :
broadcast or multicast client,
+.Ic p :
+pool source,
.Ic l :
local (reference clock),
.Ic s :
@@ -495,38 +539,40 @@
broadcast server,
.Ic M :
multicast server
-.It Ic when
-sec/min/hr since last received packet
-.It Ic poll
-poll interval (log2 s)
-.It Ic reach
+.It Cm when
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+.Ql \&\-
+if a packet has never been received
+.It Cm poll
+poll interval (s)
+.It Cm reach
reach shift register (octal)
-.It Ic delay
+.It Cm delay
roundtrip delay
-.It Ic offset
+.It Cm offset
offset of server relative to this host
-.It Ic jitter
-jitter
+.It Cm jitter
+offset RMS error estimate.
.El
-.It Ic apeers
-Display a list of peers in the form:
-.Dl [tally]remote refid assid st t when pool reach delay offset jitter
-where the output is just like the
-.Ic peers
-command except that the
-.Ic refid
-is displayed in hex format and the association number is also displayed.
-.It Ic pstats Ar assocID
-Show the statistics for the peer with the given
-.Ar assocID .
-.It Ic readlist Ar assocID
-.It Ic rl Ar assocID
-Read the system or peer variables included in the variable list.
-.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-Display the specified variables.
+.It Ic pstats Ar associd
+Display the statistics for the peer with the given
+.Ar associd :
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
+.It Ic readlist Op Ar associd
+.It Ic rl Op Ar associd
+Display all system or peer variables.
+If the
+.Ar associd
+is omitted, it is assumed to be zero.
+.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+Display the specified system or peer variables.
If
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -533,55 +579,76 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
If no
.Ar name
is included, all operative variables in the name space are displayed.
In this case only, if the
-.Ar assocID
-is omitted, it is assumed zero.
+.Ar associd
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts\-per\-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+.Ar YYYY Ns Ar MM Ar DD Ar TTTT ,
+where
+.Ar YYYY
+is the year,
+.Ar MM
+the month of year,
+.Ar DD
+the day of month and
+.Ar TTTT
+the time of day.
.It Ic reslist
-Show the access control (restrict) list for
+Display the access control (restrict) list for
.Nm .
+Authentication is required.
.It Ic saveconfig Ar filename
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
.Ic :config
or
.Ic config\-from\-file ,
-to the ntpd host's file
+to the NTP server host file
.Ar filename .
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-.Ic ntpd
+.Xr ntpd 8
configuration file.
.Ar filename
can use
-.Xr strftime
-format specifies to substitute the current date and time, for example,
-.Ic q]saveconfig ntp\-%Y%m%d\-%H%M%S.confq] .
+.Xr date 1
+format specifiers to substitute the current date and time, for
+example,
+.D1 Ic saveconfig Pa ntp\-%Y%m%d\-%H%M%S.conf .
The filename used is stored in system variable
-.Ic savedconfig .
+.Cm savedconfig .
Authentication is required.
+.It Ic sysinfo
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+.It Ic sysstats
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
.It Ic timerstats
-Display interval timer counters.
-.It Ic writelist Ar assocID
-Write the system or peer variables included in the variable list.
-.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ...
-Write the specified variables.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
+.It Ic writelist Ar associd
+Set all system or peer variables included in the variable list.
+.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ...
+Set the specified variables in the variable list.
If the
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -588,12 +655,9 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
-.It Ic sysinfo
-Display operational summary.
-.It Ic sysstats
-Print statistics counters maintained in the protocol module.
+Authentication is required.
.El
.Ss Status Words and Kiss Codes
The current state of the operating program is shown
@@ -600,10 +664,10 @@
in a set of status words
maintained by the system.
Status information is also available on a per\-association basis.
-These words are displayed in the
-.Ic rv
+These words are displayed by the
+.Ic readlist
and
-.Ic as
+.Ic associations
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -620,58 +684,59 @@
in the reference identifier field in various billboards.
.Ss System Variables
The following system variables appear in the
-.Ic rv
+.Ic readlist
billboard.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic status
+.It Cm status
.Lk decode.html#sys "system status word"
-.It Ic version
+.It Cm version
NTP software version and build time
-.It Ic processor
+.It Cm processor
hardware platform and version
-.It Ic system
+.It Cm system
operating system and version
-.It Ic leap
+.It Cm leap
leap warning indicator (0\-3)
-.It Ic stratum
+.It Cm stratum
stratum (1\-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total dispersion to the primary reference clock
-.It Ic peer
-system peer association ID
-.It Ic tc
+.It Cm refid
+reference id or
+.Lk decode.html#kiss "kiss code"
+.It Cm reftime
+reference time
+.It Ic clock
+date and time of day
+.It Cm peer
+system peer association id
+.It Cm tc
time constant and poll exponent (log2 s) (3\-17)
-.It Ic mintc
+.It Cm mintc
minimum time constant (log2 s) (3\-10)
-.It Ic clock
-date and time of day
-.It Ic refid
-reference ID or
-.Lk decode.html#kiss "kiss code"
-.It Ic reftime
-reference time
-.It Ic offset
-combined offset of server relative to this host
-.It Ic sys_jitter
+.It Cm offset
+combined offset of server relative to this host
+.It Cm frequency
+frequency drift (PPM) relative to hardware clock
+.It Cm sys_jitter
combined system jitter
-.It Ic frequency
-frequency offset (PPM) relative to hardware clock
-.It Ic clk_wander
+.It Cm clk_wander
clock frequency wander (PPM)
-.It Ic clk_jitter
+.It Cm clk_jitter
clock jitter
-.It Ic tai
+.It Cm tai
TAI\-UTC offset (s)
-.It Ic leapsec
+.It Cm leapsec
NTP seconds when the next leap second is/was inserted
-.It Ic expire
+.It Cm expire
NTP seconds when the NIST leapseconds file expires
.El
The jitter and wander statistics are exponentially\-weighted RMS averages.
@@ -685,98 +750,102 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic host
+.It Cm host
Autokey host name for this host
-.It Ic ident
+.It Cm ident
Autokey group name for this host
-.It Ic flags
+.It Cm flags
host flags (see Autokey specification)
-.It Ic digest
+.It Cm digest
OpenSSL message digest algorithm
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic update
+.It Cm update
NTP seconds at last signature update
-.It Ic cert
+.It Cm cert
certificate subject, issuer and certificate flags
-.It Ic until
+.It Cm until
NTP seconds when the certificate expires
.El
.Ss Peer Variables
The following peer variables appear in the
-.Ic rv
+.Ic readlist
billboard for each association.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#peer "peer status word"
-.It Ic srcadr
+.It Cm srcadr
source (remote) IP address
-.It Ic srcport
+.It Cm srcport
source (remote) port
-.It Ic dstadr
+.It Cm dstadr
destination (local) IP address
-.It Ic dstport
+.It Cm dstport
destination (local) port
-.It Ic leap
+.It Cm leap
leap indicator (0\-3)
-.It Ic stratum
+.It Cm stratum
stratum (0\-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total root dispersion to the primary reference clock
-.It Ic refid
-reference ID or
+.It Cm refid
+reference id or
.Lk decode.html#kiss "kiss code"
-.It Ic reftime
+.It Cm reftime
reference time
-.It Ic reach
+.It Cm rec
+last packet received time
+.It Cm reach
reach register (octal)
-.It Ic unreach
+.It Cm unreach
unreach counter
-.It Ic hmode
+.It Cm hmode
host mode (1\-6)
-.It Ic pmode
+.It Cm pmode
peer mode (1\-5)
-.It Ic hpoll
+.It Cm hpoll
host poll exponent (log2 s) (3\-17)
-.It Ic ppoll
+.It Cm ppoll
peer poll exponent (log2 s) (3\-17)
-.It Ic headway
+.It Cm headway
headway (see
.Lk rate.html "Rate Management and the Kiss\-o'\-Death Packet" )
-.It Ic flash
+.It Cm flash
.Lk decode.html#flash "flash status word"
-.It Ic offset
+.It Cm keyid
+symmetric key id
+.It Cm offset
filter offset
-.It Ic delay
+.It Cm delay
filter delay
-.It Ic dispersion
+.It Cm dispersion
filter dispersion
-.It Ic jitter
+.It Cm jitter
filter jitter
-.It Ic ident
-Autokey group name for this association
-.It Ic bias
+.It Cm bias
unicast/broadcast bias
-.It Ic xleave
+.It Cm xleave
interleave delay (see
.Lk xleave.html "NTP Interleaved Modes" )
.El
The
-.Ic bias
+.Cm bias
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
-.Ic xleave
+.Cm xleave
variable appears only for the interleaved symmetric and interleaved modes.
It represents the internal queuing, buffering and transmission delays
for the preceding packet.
@@ -786,71 +855,73 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic host
+.It Cm host
Autokey server name
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic initsequence
-initial key ID
-.It Ic initkey
+.It Cm initsequence
+initial key id
+.It Cm initkey
initial key index
-.It Ic timestamp
+.It Cm timestamp
Autokey signature timestamp
+.It Cm ident
+Autokey group name for this association
.El
.Ss Clock Variables
The following clock variables appear in the
-.Ic cv
+.Ic clocklist
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#clock "clock status word"
-.It Ic device
+.It Cm device
device description
-.It Ic timecode
+.It Cm timecode
ASCII time code string (specific to device)
-.It Ic poll
+.It Cm poll
poll messages sent
-.It Ic noreply
+.It Cm noreply
no reply
-.It Ic badformat
+.It Cm badformat
bad format
-.It Ic baddata
+.It Cm baddata
bad date or time
-.It Ic fudgetime1
+.It Cm fudgetime1
fudge time 1
-.It Ic fudgetime2
+.It Cm fudgetime2
fudge time 2
-.It Ic stratum
+.It Cm stratum
driver stratum
-.It Ic refid
-driver reference ID
-.It Ic flags
+.It Cm refid
+driver reference id
+.It Cm flags
driver flags
.El
.Sh "OPTIONS"
.Bl -tag
.It Fl 4 , Fl \-ipv4
-Force IPv4 DNS name resolution.
+Force IPv4 name resolution.
This option must not appear in combination with any of the following options:
ipv6.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv4 namespace.
.It Fl 6 , Fl \-ipv6
-Force IPv6 DNS name resolution.
+Force IPv6 name resolution.
This option must not appear in combination with any of the following options:
ipv4.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv6 namespace.
.It Fl c Ar cmd , Fl \-command Ns = Ns Ar cmd
run a command and exit.
@@ -880,7 +951,7 @@
numeric host addresses.
.sp
Output all host addresses in dotted\-quad numeric format rather than
-converting to the canonical host names.
+converting to the canonical host names.
.It Fl \-old\-rv
Always output status line with readvar.
.sp
Index: usr.sbin/ntp/scripts/mkver
===================================================================
--- usr.sbin/ntp/scripts/mkver (版本 330566)
+++ usr.sbin/ntp/scripts/mkver (版本 330908)
@@ -6,7 +6,7 @@
ConfStr="$PROG"
-ConfStr="$ConfStr 4.2.8p10"
+ConfStr="$ConfStr 4.2.8p11"
case "$CSET" in
'') ;;
Index: contrib/file/config.sub
===================================================================
--- contrib/file/config.sub (版本 330566)
+++ contrib/file/config.sub (版本 330908)
@@ -1,8 +1,8 @@
#! /bin/sh
# Configuration validation subroutine script.
-# Copyright 1992-2015 Free Software Foundation, Inc.
+# Copyright 1992-2017 Free Software Foundation, Inc.
-timestamp='2015-03-08'
+timestamp='2017-01-01'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -33,7 +33,7 @@
# Otherwise, we print the canonical config type on stdout and succeed.
# You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
# This file is supposed to be the same for all GNU packages
# and recognize all the CPU types, system types and aliases
@@ -53,8 +53,7 @@
me=`echo "$0" | sed -e 's,.*/,,'`
usage="\
-Usage: $0 [OPTION] CPU-MFR-OPSYS
- $0 [OPTION] ALIAS
+Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS
Canonicalize a configuration name.
@@ -68,7 +67,7 @@
version="\
GNU config.sub ($timestamp)
-Copyright 1992-2015 Free Software Foundation, Inc.
+Copyright 1992-2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -118,7 +117,7 @@
nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \
linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \
knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \
- kopensolaris*-gnu* | \
+ kopensolaris*-gnu* | cloudabi*-eabi* | \
storm-chaos* | os2-emx* | rtmk-nova*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
@@ -255,6 +254,7 @@
| arc | arceb \
| arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \
| avr | avr32 \
+ | ba \
| be32 | be64 \
| bfin \
| c4x | c8051 | clipper \
@@ -301,11 +301,12 @@
| open8 | or1k | or1knd | or32 \
| pdp10 | pdp11 | pj | pjl \
| powerpc | powerpc64 | powerpc64le | powerpcle \
+ | pru \
| pyramid \
| riscv32 | riscv64 \
| rl78 | rx \
| score \
- | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
+ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \
| sh64 | sh64le \
| sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \
| sparcv8 | sparcv9 | sparcv9b | sparcv9v \
@@ -376,6 +377,7 @@
| alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \
| arm-* | armbe-* | armle-* | armeb-* | armv*-* \
| avr-* | avr32-* \
+ | ba-* \
| be32-* | be64-* \
| bfin-* | bs2000-* \
| c[123]* | c30-* | [cjt]90-* | c4x-* \
@@ -427,13 +429,15 @@
| orion-* \
| pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \
| powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \
+ | pru-* \
| pyramid-* \
+ | riscv32-* | riscv64-* \
| rl78-* | romp-* | rs6000-* | rx-* \
| sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \
| shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \
| sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \
| sparclite-* \
- | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \
+ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \
| tahoe-* \
| tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \
| tile*-* \
@@ -518,7 +522,7 @@
basic_machine=i386-pc
os=-aros
;;
- asmjs)
+ asmjs)
basic_machine=asmjs-unknown
;;
aux)
@@ -641,6 +645,14 @@
basic_machine=m68k-bull
os=-sysv3
;;
+ e500v[12])
+ basic_machine=powerpc-unknown
+ os=$os"spe"
+ ;;
+ e500v[12]-*)
+ basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
+ os=$os"spe"
+ ;;
ebmon29k)
basic_machine=a29k-amd
os=-ebmon
@@ -1020,7 +1032,7 @@
ppc-* | ppcbe-*)
basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- ppcle | powerpclittle | ppc-le | powerpc-little)
+ ppcle | powerpclittle)
basic_machine=powerpcle-unknown
;;
ppcle-* | powerpclittle-*)
@@ -1030,7 +1042,7 @@
;;
ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- ppc64le | powerpc64little | ppc64-le | powerpc64-little)
+ ppc64le | powerpc64little)
basic_machine=powerpc64le-unknown
;;
ppc64le-* | powerpc64little-*)
@@ -1376,18 +1388,18 @@
| -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \
| -sym* | -kopensolaris* | -plan9* \
| -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \
- | -aos* | -aros* | -cloudabi* \
+ | -aos* | -aros* | -cloudabi* | -sortix* \
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \
- | -bitrig* | -openbsd* | -solidbsd* \
+ | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \
| -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \
| -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
- | -chorusos* | -chorusrdb* | -cegcc* \
+ | -chorusos* | -chorusrdb* | -cegcc* | -glidix* \
| -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
+ | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \
| -linux-newlib* | -linux-musl* | -linux-uclibc* \
| -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \
| -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \
@@ -1396,7 +1408,8 @@
| -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \
| -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \
| -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \
- | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* | -tirtos*)
+ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \
+ | -onefs* | -tirtos* | -phoenix* | -fuchsia* | -redox*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
-qnx*)
@@ -1528,6 +1541,8 @@
;;
-nacl*)
;;
+ -ios)
+ ;;
-none)
;;
*)
@@ -1623,6 +1638,9 @@
sparc-* | *-sun)
os=-sunos4.1.1
;;
+ pru-*)
+ os=-elf
+ ;;
*-be)
os=-beos
;;
Index: contrib/file/doc/libmagic.man
===================================================================
--- contrib/file/doc/libmagic.man (版本 330566)
+++ contrib/file/doc/libmagic.man (版本 330908)
@@ -1,4 +1,4 @@
-.\" $File: libmagic.man,v 1.40 2016/03/31 17:51:12 christos Exp $
+.\" $File: libmagic.man,v 1.41 2017/05/23 21:54:07 christos Exp $
.\"
.\" Copyright (c) Christos Zoulas 2003.
.\" All Rights Reserved.
@@ -25,7 +25,7 @@
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
-.Dd September 11, 2015
+.Dd May 23, 2017
.Dt LIBMAGIC 3
.Os
.Sh NAME
@@ -35,6 +35,7 @@
.Nm magic_errno ,
.Nm magic_descriptor ,
.Nm magic_buffer ,
+.Nm magic_getflags ,
.Nm magic_setflags ,
.Nm magic_check ,
.Nm magic_compile ,
@@ -64,6 +65,8 @@
.Ft const char *
.Fn magic_buffer "magic_t cookie" "const void *buffer" "size_t length"
.Ft int
+.Fn magic_getflags "magic_t cookie"
+.Ft int
.Fn magic_setflags "magic_t cookie" "int flags"
.Ft int
.Fn magic_check "magic_t cookie" "const char *filename"
@@ -206,6 +209,12 @@
bytes size.
.Pp
The
+.Fn magic_getflags
+functions returns a value representing current
+.Ar flags
+set.
+.Pp
+The
.Fn magic_setflags
function sets the
.Ar flags
Index: contrib/file/magic/Magdir/amanda
===================================================================
--- contrib/file/magic/Magdir/amanda (版本 330566)
+++ contrib/file/magic/Magdir/amanda (版本 330908)
@@ -1,9 +1,9 @@
#------------------------------------------------------------------------------
-# $File: amanda,v 1.5 2009/09/19 16:28:07 christos Exp $
+# $File: amanda,v 1.6 2017/03/17 21:35:28 christos Exp $
# amanda: file(1) magic for amanda file format
#
-0 string AMANDA:\ AMANDA
+0 string AMANDA:\ AMANDA
>8 string TAPESTART\ DATE tape header file,
>>23 string X
>>>25 string >\ Unused %s
Index: sys/x86/x86/identcpu.c
===================================================================
--- sys/x86/x86/identcpu.c (版本 330566)
+++ sys/x86/x86/identcpu.c (版本 330908)
@@ -104,8 +104,10 @@
u_int cpu_fxsr; /* SSE enabled */
u_int cpu_mxcsr_mask; /* Valid bits in mxcsr */
u_int cpu_clflush_line_size = 32;
-u_int cpu_stdext_feature;
-u_int cpu_stdext_feature2;
+u_int cpu_stdext_feature; /* %ebx */
+u_int cpu_stdext_feature2; /* %ecx */
+u_int cpu_stdext_feature3; /* %edx */
+uint64_t cpu_ia32_arch_caps;
u_int cpu_max_ext_state_size;
u_int cpu_mon_mwait_flags; /* MONITOR/MWAIT flags (CPUID.05H.ECX) */
u_int cpu_mon_min_size; /* MONITOR minimum range size, bytes */
@@ -978,6 +980,16 @@
);
}
+ if (cpu_stdext_feature3 != 0) {
+ printf("\n Structured Extended Features3=0x%b",
+ cpu_stdext_feature3,
+ "\020"
+ "\033IBPB"
+ "\034STIBP"
+ "\036ARCH_CAP"
+ );
+ }
+
if ((cpu_feature2 & CPUID2_XSAVE) != 0) {
cpuid_count(0xd, 0x1, regs);
if (regs[0] != 0) {
@@ -991,6 +1003,15 @@
}
}
+ if (cpu_ia32_arch_caps != 0) {
+ printf("\n IA32_ARCH_CAPS=0x%b",
+ (u_int)cpu_ia32_arch_caps,
+ "\020"
+ "\001RDCL_NO"
+ "\002IBRS_ALL"
+ );
+ }
+
if (via_feature_rng != 0 || via_feature_xcrypt != 0)
print_via_padlock_info();
@@ -1370,23 +1391,11 @@
return (false);
}
-/*
- * Final stage of CPU identification.
- */
-#ifdef __i386__
void
-finishidentcpu(void)
-#else
-void
-identify_cpu(void)
-#endif
+identify_cpu1(void)
{
- u_int regs[4], cpu_stdext_disable;
-#ifdef __i386__
- u_char ccr3;
-#endif
+ u_int regs[4];
-#ifdef __amd64__
do_cpuid(0, regs);
cpu_high = regs[0];
((u_int *)&cpu_vendor)[0] = regs[1];
@@ -1399,6 +1408,44 @@
cpu_procinfo = regs[1];
cpu_feature = regs[3];
cpu_feature2 = regs[2];
+}
+
+void
+identify_cpu2(void)
+{
+ u_int regs[4], cpu_stdext_disable;
+
+ if (cpu_high >= 7) {
+ cpuid_count(7, 0, regs);
+ cpu_stdext_feature = regs[1];
+
+ /*
+ * Some hypervisors failed to filter out unsupported
+ * extended features. Allow to disable the
+ * extensions, activation of which requires setting a
+ * bit in CR4, and which VM monitors do not support.
+ */
+ cpu_stdext_disable = 0;
+ TUNABLE_INT_FETCH("hw.cpu_stdext_disable", &cpu_stdext_disable);
+ cpu_stdext_feature &= ~cpu_stdext_disable;
+
+ cpu_stdext_feature2 = regs[2];
+ cpu_stdext_feature3 = regs[3];
+
+ if ((cpu_stdext_feature3 & CPUID_STDEXT3_ARCH_CAP) != 0)
+ cpu_ia32_arch_caps = rdmsr(MSR_IA32_ARCH_CAP);
+ }
+}
+
+/*
+ * Final stage of CPU identification.
+ */
+void
+finishidentcpu(void)
+{
+ u_int regs[4];
+#ifdef __i386__
+ u_char ccr3;
#endif
identify_hypervisor();
@@ -1416,26 +1463,8 @@
cpu_mon_max_size = regs[1] & CPUID5_MON_MAX_SIZE;
}
- if (cpu_high >= 7) {
- cpuid_count(7, 0, regs);
- cpu_stdext_feature = regs[1];
+ identify_cpu2();
- /*
- * Some hypervisors fail to filter out unsupported
- * extended features. For now, disable the
- * extensions, activation of which requires setting a
- * bit in CR4, and which VM monitors do not support.
- */
- if (cpu_feature2 & CPUID2_HV) {
- cpu_stdext_disable = CPUID_STDEXT_FSGSBASE |
- CPUID_STDEXT_SMEP;
- } else
- cpu_stdext_disable = 0;
- TUNABLE_INT_FETCH("hw.cpu_stdext_disable", &cpu_stdext_disable);
- cpu_stdext_feature &= ~cpu_stdext_disable;
- cpu_stdext_feature2 = regs[2];
- }
-
#ifdef __i386__
if (cpu_high > 0 &&
(cpu_vendor_id == CPU_VENDOR_INTEL ||
@@ -1563,6 +1592,17 @@
#endif
}
+int
+pti_get_default(void)
+{
+
+ if (strcmp(cpu_vendor, AMD_VENDOR_ID) == 0)
+ return (0);
+ if ((cpu_ia32_arch_caps & IA32_ARCH_CAP_RDCL_NO) != 0)
+ return (0);
+ return (1);
+}
+
static u_int
find_cpu_vendor_id(void)
{
Index: sys/x86/xen/pv.c
===================================================================
--- sys/x86/xen/pv.c (版本 330566)
+++ sys/x86/xen/pv.c (版本 330908)
@@ -97,6 +97,7 @@
#ifdef SMP
/* Variables used by amd64 mp_machdep to start APs */
extern char *doublefault_stack;
+extern char *mce_stack;
extern char *nmi_stack;
#endif
@@ -217,6 +218,8 @@
(void *)kmem_malloc(kernel_arena, stacksize, M_WAITOK | M_ZERO);
doublefault_stack =
(char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO);
+ mce_stack =
+ (char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO);
nmi_stack =
(char *)kmem_malloc(kernel_arena, PAGE_SIZE, M_WAITOK | M_ZERO);
dpcpu =
Index: usr.sbin/ntp/doc/ntp-keygen.8
===================================================================
--- usr.sbin/ntp/doc/ntp-keygen.8 (版本 330566)
+++ usr.sbin/ntp/doc/ntp-keygen.8 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_KEYGEN 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:59 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -23,26 +23,29 @@
.Sh DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.Pp
-All files are in PEM\-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM\-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
.Pp
-When used to generate message digest keys, the program produces a file
-containing ten pseudo\-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo\-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex\-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -62,31 +65,42 @@
Some files used by this program are encrypted using a private password.
The
.Fl p
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
.Fl q
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-.Fn gethostname
-function, normally the DNS name of the host is used.
+.Xr hostname 1
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+.Nm
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
.Pp
The
-.Ar pw
+.Cm pw
option of the
-.Ar crypto
+.Ic crypto
+.Xr ntpd 8
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-.Ar ntpd
-without password but only on the same host.
+.Xr ntpd 8
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
.Pp
Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-.Ar ntp.keys ,
+.Pa ntp.keys ,
is usually installed in
.Pa /etc .
Other files and links are usually installed in
@@ -93,188 +107,89 @@
.Pa /usr/local/etc ,
which is normally in a shared filesystem in
NFS\-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-.Ar keysdir
-configuration command in such cases.
-Normally, this is in
-.Pa /etc .
+In these cases, NFS clients can specify the files in another
+directory such as
+.Pa /etc
+using the
+.Ic keysdir
+.Xr ntpd 8
+configuration file command.
.Pp
This program directs commentary and error messages to the standard
error stream
-.Ar stderr
+.Pa stderr
and remote files to the standard output stream
-.Ar stdout
+.Pa stdout
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-.Ar ntpkey
+.Pa ntpkey\&*
and include the file type, generating host and filestamp,
as described in the
-.Dq Cryptographic Data Files
+.Sx "Cryptographic Data Files"
section below.
.Ss Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-.Pa /usr/local/etc
-When run for the first time, or if all files with names beginning with
-.Ar ntpkey
-have been removed, use the
-.Nm
-command without arguments to generate a
-default RSA host key and matching RSA\-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.Pp
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-.Nm
-with the
-.Fl T
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.Pp
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-.Fl S
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-.Fl c
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken\-and\-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball\-and\-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re\-generated.
-.Pp
-Additional information on trusted groups and identity schemes is on the
-.Dq Autokey Public\-Key Authentication
-page.
-.Pp
-The
-.Xr ntpd 8
-configuration command
-.Ic crypto pw Ar password
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.Pp
-File names begin with the prefix
-.Cm ntpkey_
-and end with the postfix
-.Ar _hostname.filestamp ,
-where
-.Ar hostname
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-.Ar filestamp
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-.Ic rm ntpkey\&*
-command or all files generated
-at a specific time can be removed by a
-.Ic rm
-.Ar \&*filestamp
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.Pp
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS\-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.Pp
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write\-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.Pp
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 8
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.Nm
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.Ss Running the program
The safest way to run the
.Nm
program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
+The recommended procedure is change to the
+.Ar keys
+directory, usually
.Pa /usr/local/etc ,
then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA\-MD5 certificate file,
+.Pp
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+.Ar keys
+directory, usually
+.Pa /usr/local/etc .
+When run for the first time, or if all files with names beginning with
+.Pa ntpkey\&*
+have been removed, use the
+.Nm
+command without arguments to generate a default
+.Cm RSA
+host key and matching
+.Cm RSA\-MD5
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+.Cm RSA
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the message digest type is
+.Cm MD5 ,
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1
+and
+.Cm RIPE160
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+.Cm RSA
+sign keys;
+however, only
+.Cm SHA
+and
+.Cm SHA1
+certificates are compatible with
+.Cm DSA
+sign keys.
.Pp
Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
@@ -285,19 +200,19 @@
as the other files, are probably not compatible with anything other than Autokey.
.Pp
Running the program as other than root and using the Unix
-.Ic su
+.Xr su 1
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-.Cm .rnd
+.Pa .rnd
in the user home directory.
However, there should be only one
-.Cm .rnd ,
+.Pa .rnd ,
most conveniently
in the root directory, so it is convenient to define the
-.Cm $RANDFILE
+.Ev RANDFILE
environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+.Pa .rnd .
.Pp
Installing the keys as root might not work in NFS\-mounted
shared file systems, as NFS clients may not be able to write
@@ -307,7 +222,8 @@
.Pa /etc
using the
.Ic keysdir
-command.
+.Xr ntpd 8
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -340,8 +256,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+.Ar hostname
+and
+.Ar filestamp
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
.Pp
The recommended practice is to keep the file name extensions
@@ -350,98 +269,97 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+.Xr ntpd 8
+follows it to the file name to extract the
+.Ar filestamp .
If a link is not present,
.Xr ntpd 8
-extracts the filestamp from the file itself.
+extracts the
+.Ar filestamp
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
.Nm
-program uses the same timestamp extension for all files generated
+program uses the same
+.Ar filestamp
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-.Ss Running the program
-The safest way to run the
+.Pp
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
.Nm
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA\-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+with the
+.Fl T
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+.Fl S
+option and this can be either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the signature
+message digest type is
+.Cm MD5 ,
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+.Fl c
+option.
.Pp
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken\-and\-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball\-and\-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re\-generated.
.Pp
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+Additional information on trusted groups and identity schemes is on the
+.Dq Autokey Public\-Key Authentication
+page.
.Pp
-Installing the keys as root might not work in NFS\-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
+File names begin with the prefix
+.Pa ntpkey Ns _
+and end with the suffix
+.Pa _ Ns Ar hostname . Ar filestamp ,
+where
+.Ar hostname
+is the owner name, usually the string returned
+by the Unix
+.Xr hostname 1
+command, and
+.Ar filestamp
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+.Ic rm Pa ntpkey\&*
+command or all files generated
+at a specific time can be removed by a
+.Ic rm Pa \&* Ns Ar filestamp
command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.Pp
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
+.Ss Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -448,8 +366,14 @@
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+.Cm RSA
+encryption,
+.Cm MD5
+message digest
+and
+.Cm TC
+identification.
First, configure a NTP subnet including one or more low\-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -467,7 +391,7 @@
.Pp
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-.Cm ntpkey
+.Pa ntpkey
files.
Then run
.Nm
@@ -492,7 +416,9 @@
.Cm RSA
or
.Cm DSA .
-The most often need to do this is when a DSA\-signed certificate is used.
+The most frequent need to do this is when a
+.Cm DSA Ns \-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
.Nm
@@ -501,10 +427,10 @@
option and selected
.Ar scheme
as needed.
-f
+If
.Nm
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
.Pp
After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
@@ -511,7 +437,7 @@
Simply run
.Nm
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
.Xr ntpd 8
should be restarted.
@@ -522,13 +448,15 @@
at which time the protocol is restarted.
.Ss Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+.Cm TC
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-.Qq Identification Schemes
-page
-(maybe available at
-.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
+including
+.Cm PC , IFF , GQ
+and
+.Cm MV
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -553,12 +481,15 @@
.Fl P
.Fl p Ar password
to generate the host key file
-.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
+.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp
and trusted private certificate file
-.Pa ntpkey_RSA\-MD5_cert_ Ns Ar alice.filestamp .
+.Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp ,
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+.Ar bob
+install a soft link from the generic name
.Pa ntpkey_host_ Ns Ar bob
to the host key file and soft link
.Pa ntpkey_cert_ Ns Ar bob
@@ -567,11 +498,17 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
.Pp
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+.Cm IFF
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -578,15 +515,17 @@
.Fl I
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_IFFpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+.Cm IFF
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
.Pp
If a rogue client has the parameter file, it could masquerade
@@ -596,17 +535,23 @@
After generating the parameter file, on alice run
.Nm
.Fl e
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
.Pp
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+.Cm GQ
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -613,20 +558,30 @@
.Fl G
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_GQpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-.Pa ntpkey_gq_ Ns Ar alice
+.Pa ntpkey_gq_alice
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+.Ar bob
+install a soft link
from generic
.Pa ntpkey_gq_ Ns Ar bob
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+.Cm GQ
+scheme updates the
+.Cm GQ
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
.Pp
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+.Cm MV
+scheme, proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -638,9 +593,9 @@
.Ar n
is the number of revokable keys (typically 5) to produce
the parameter file
-.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVpar_trish. Ns Ar filestamp
and client key files
-.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp
where
.Ar d
is the key number (0 \&<
@@ -649,80 +604,217 @@
.Ar n ) .
Copy the parameter file to alice and install a soft link
from the generic
-.Pa ntpkey_mv_ Ns Ar alice
+.Pa ntpkey_mv_alice
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-.Pa ntpkey_mvkey_ Ns Ar bob
+.Pa ntpkey_mvkey_bob
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+.Cm MV
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
.Ss Command Line Options
.Bl -tag -width indent
-.It Fl c Ar scheme
-Select certificate message digest/signature encryption scheme.
+.It Fl b Fl \-imbits Ns = Ar modulus
+Set the number of bits in the identity modulus for generating identity keys to
+.Ar modulus
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl c Fl \-certificate Ns = Ar scheme
+Select certificate signature encryption/message digest scheme.
The
.Ar scheme
can be one of the following:
-. Cm RSA\-MD2 , RSA\-MD5 , RSA\-SHA , RSA\-SHA1 , RSA\-MDC2 , RSA\-RIPEMD160 , DSA\-SHA ,
+.Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA ,
or
.Cm DSA\-SHA1 .
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+.Cm RSA
+schemes must be used with an
+.Cm RSA
+sign key and
+.Cm DSA
+schemes must be used with a
+.Cm DSA
+sign key.
The default without this option is
.Cm RSA\-MD5 .
-.It Fl d
-Enable debugging.
+If compatibility with FIPS 140\-2 is required, either the
+.Cm DSA\-SHA
+or
+.Cm DSA\-SHA1
+scheme must be used.
+.It Fl C Fl \-cipher Ns = Ar cipher
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three\-key triple DES in CBC mode,
+.Cm des\-ede3\-cbc .
+The
+.Ic openssl Fl h
+command provided with OpenSSL displays available ciphers.
+.It Fl d Fl \-debug\-level
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye\-friendly billboards.
-.It Fl e
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-.It Fl G
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-.It Fl g
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-.It Fl H
-Generate new host keys, obsoleting any that may exist.
-.It Fl I
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-.It Fl i Ar name
-Set the suject name to
-.Ar name .
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-.It Fl M
-Generate MD5 keys, obsoleting any that may exist.
-.It Fl P
-Generate a private certificate.
+.It Fl D Fl \-set\-debug\-level Ns = Ar level
+Set the debugging verbosity to
+.Ar level .
+This option displays the cryptographic data produced in eye\-friendly billboards.
+.It Fl e Fl \-id\-key
+Write the
+.Cm IFF
+or
+.Cm GQ
+public parameters from the
+.Ar IFFkey or GQkey
+client keys file previously specified
+as unencrypted data to the standard output stream
+.Pa stdout .
+This is intended for automatic key distribution by email.
+.It Fl G Fl \-gq\-params
+Generate a new encrypted
+.Cm GQ
+parameters and key file for the Guillou\-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl V
+options.
+.It Fl H Fl \-host\-key
+Generate a new encrypted
+.Cm RSA
+public/private host key file.
+.It Fl I Fl \-iffkey
+Generate a new encrypted
+.Cm IFF
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+.Fl G
+and
+Fl V
+options.
+.It Fl i Fl \-ident Ns = Ar group
+Set the optional Autokey group name to
+.Ar group .
+This is used in the identity scheme parameter file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+.Fl i
+or
+.Fl s
+following an
+.Ql @
+character, is also used in certificate subject and issuer names in the form
+.Ar host @ group
+and should match the group specified via
+.Ic crypto Cm ident
+or
+.Ic server Cm ident
+in the ntpd configuration file.
+.It Fl l Fl \-lifetime Ns = Ar days
+Set the lifetime for certificate expiration to
+.Ar days .
+The default lifetime is one year (365 days).
+.It Fl m Fl \-modulus Ns = Ar bits
+Set the number of bits in the prime modulus for generating files to
+.Ar bits .
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl M Fl \-md5key
+Generate a new symmetric keys file containing 10
+.Cm MD5
+keys, and if OpenSSL is available, 10
+.Cm SHA
+keys.
+An
+.Cm MD5
+key is a string of 20 random printable ASCII characters, while a
+.Cm SHA
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+.It Fl p Fl \-password Ns = Ar passwd
+Set the password for reading and writing encrypted files to
+.Ar passwd .
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl P Fl \-pvt\-cert
+Generate a new private certificate used by the
+.Cm PC
+identity scheme.
By default, the program generates public certificates.
-.It Fl p Ar password
-Encrypt generated files containing private data with
-.Ar password
-and the DES\-CBC algorithm.
-.It Fl q
-Set the password for reading files to password.
-.It Fl S Oo Cm RSA | DSA Oc
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-.It Fl s Ar name
-Set the issuer name to
-.Ar name .
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.It Fl T
+Note: the PC identity scheme is not recommended for new installations.
+.It Fl q Fl \-export\-passwd Ns = Ar passwd
+Set the password for writing encrypted
+.Cm IFF , GQ and MV
+identity files redirected to
+.Pa stdout
+to
+.Ar passwd .
+In effect, these files are decrypted with the
+.Fl p
+password, then encrypted with the
+.Fl q
+password.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group
+Specify the Autokey host name, where
+.Ar host
+is the optional host name and
+.Ar group
+is the optional group name.
+The host name, and if provided, group name are used in
+.Ar host @ group
+form as certificate subject and issuer.
+Specifying
+.Fl s @ Ar group
+is allowed, and results in leaving the host name unchanged, as with
+.Fl i Ar group .
+The group name, or if no group is provided, the host name are also used in the
+file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+identity scheme client parameter files.
+If
+.Ar host
+is not specified, the default host name is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140\-2 is required, the sign key type must be
+.Cm DSA .
+.It Fl T Fl \-trusted\-cert
Generate a trusted certificate.
By default, the program generates a non\-trusted certificate.
-.It Fl V Ar nkeys
-Generate parameters and keys for the Mu\-Varadharajan (MV) identification scheme.
+.It Fl V Fl \-mv\-params Ar nkeys
+Generate
+.Ar nkeys
+encrypted server keys and parameters for the Mu\-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl G
+options.
+Note: support for this option should be considered a work in progress.
.El
.Ss Random Seed File
All cryptographically sound key generation schemes must have means
@@ -746,7 +838,7 @@
.Pp
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-.Cm .rnd ,
+.Pa .rnd ,
which must be available when starting the NTP daemon
or the
.Nm
@@ -753,7 +845,7 @@
program.
The NTP daemon will first look for the file
using the path specified by the
-.Ic randfile
+.Cm randfile
subcommand of the
.Ic crypto
configuration command.
@@ -769,44 +861,118 @@
.Ev RANDFILE
environment variable is not present,
the library will look for the
-.Cm .rnd
+.Pa .rnd
file in the user home directory.
+Since both the
+.Nm
+program and
+.Xr ntpd 8
+daemon must run as root, the logical place to put this file is in
+.Pa /.rnd
+or
+.Pa /root/.rnd .
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
.Ss Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp ,
+where
+.Ar key
+is the key or parameter type,
+.Ar name
+is the host or group name and
+.Ar filestamp
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+.Ar key
+names in generated file names include both upper and lower case
+characters, while
+.Ar key
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+.Pa date
+format.
+Lines beginning with
+.Ql #
+are considered comments and ignored by the
.Nm
program and
.Xr ntpd 8
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM\-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
.Pp
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES\-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
-.D1 Ar keyno type key
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM\-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+.Pp
+The format of the symmetric keys file, ordinarily named
+.Pa ntp.keys ,
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+.Bd -literal -unfilled -offset center
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+.Ed
+.D1 Figure 1. Typical Symmetric Key File
+.Pp
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+.D1 Ar keyno Ar type Ar key
where
.Ar keyno
-is a positive integer in the range 1\-65,535,
+is a positive integer in the range 1\-65534;
.Ar type
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+.Cm MD5
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140\-2 is required,
+the key type must be either
+.Cm SHA
+or
+.Cm SHA1 ;
.Ar key
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+.Ql !
+through
+.Ql ~
+\&) excluding space and the
.Ql #
+character, and terminated by whitespace or a
+.Ql #
character.
+An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which
+is truncated as necessary.
.Pp
Note that the keys used by the
.Xr ntpq 8
@@ -819,8 +985,8 @@
.Pp
The
.Nm
-program generates a MD5 symmetric keys file
-.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
+program generates a symmetric keys file
+.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp .
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -858,10 +1024,10 @@
certificate scheme.
.sp
scheme is one of
-RSA\-MD2, RSA\-MD5, RSA\-SHA, RSA\-SHA1, RSA\-MDC2, RSA\-RIPEMD160,
+RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160,
DSA\-SHA, or DSA\-SHA1.
.sp
-Select the certificate message digest/signature encryption scheme.
+Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA\-MD5.
@@ -870,7 +1036,7 @@
.sp
Select the cipher which is used to encrypt the files containing
private keys. The default is three\-key triple DES in CBC mode,
-equivalent to "@code{\-C des\-ede3\-cbc". The openssl tool lists ciphers
+equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers
available in "\fBopenssl \-h\fP" output.
.It Fl d , Fl \-debug\-level
Increase debug verbosity level.
@@ -884,8 +1050,9 @@
.It Fl e , Fl \-id\-key
Write IFF or GQ identity keys.
.sp
-Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
.It Fl G , Fl \-gq\-params
Generate GQ parameters and keys.
.sp
@@ -908,21 +1075,17 @@
that role, the default is the host name if this option is not
provided. The group name, if specified using \fB\-i/\-\-ident\fP or
using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character,
-is also a part of the self\-signed host certificate's subject and
+is also a part of the self\-signed host certificate subject and
issuer names in the form \fBhost@group\fP and should match the
-\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in
-\fBntpd\fP's configuration file.
+\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the
+\fBntpd\fP configuration file.
.It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime
set certificate lifetime.
This option takes an integer number as its argument.
.sp
Set the certificate expiration to lifetime days from now.
-.It Fl M , Fl \-md5key
-generate MD5 keys.
-.sp
-Generate MD5 keys, obsoleting any that may exist.
.It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus
-modulus.
+prime modulus.
This option takes an integer number as its argument.
The value of
.Ar modulus
@@ -935,6 +1098,10 @@
.in -4
.sp
The number of bits in the prime modulus. The default is 512.
+.It Fl M , Fl \-md5key
+generate symmetric keys.
+.sp
+Generate symmetric keys, obsoleting any that may exist.
.It Fl P , Fl \-pvt\-cert
generate PC private certificate.
.sp
@@ -956,12 +1123,6 @@
The same password must be specified to the remote ntpd via the
"crypto pw password" configuration command. See also the option
-\-id\-key (\-e) for unencrypted exports.
-.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
-generate sign key (RSA or DSA).
-.sp
-Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
.It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group
set host and optionally group name.
.sp
@@ -969,12 +1130,18 @@
following an '\fB@\fP' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
-in \fBhost@group\fP form for the host certificate's subject and issuer
+in \fBhost@group\fP form for the host certificate subject and issuer
fields. Specifying '\fB\-s @group\fP' is allowed, and results in
leaving the host name unchanged while appending \fB@group\fP to the
subject and issuer fields, as with \fB\-i group\fP. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
+.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
+generate sign key (RSA or DSA).
+.sp
+Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
.It Fl T , Fl \-trusted\-cert
trusted certificate (TC scheme).
.sp
@@ -1023,18 +1190,6 @@
If any of these are directories, then the file \fI.ntprc\fP
is searched for within those directories.
.Sh USAGE
-The
-.Fl p Ar password
-option specifies the write password and
-.Fl q Ar password
-option the read password for previously encrypted files.
-The
-.Nm
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
.Sh "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.Sh "FILES"
@@ -1058,10 +1213,7 @@
Copyright (C) 1992\-2017 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
+It can take quite a while to generate some cryptographic values.
.Pp
Please report bugs to http://bugs.ntp.org .
.Pp
Index: usr.sbin/ntp/doc/ntpdc.8
===================================================================
--- usr.sbin/ntp/doc/ntpdc.8 (版本 330566)
+++ usr.sbin/ntp/doc/ntpdc.8 (版本 330908)
@@ -1,4 +1,4 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPDC 8 User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc)
@@ -5,7 +5,7 @@
.\"
.\" $FreeBSD$
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:57 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:09 PM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: usr.sbin/ntp/ntptime/Makefile
===================================================================
--- usr.sbin/ntp/ntptime/Makefile (版本 330566)
+++ usr.sbin/ntp/ntptime/Makefile (版本 330908)
@@ -11,6 +11,6 @@
-I${SRCTOP}/contrib/ntp/lib/isc/pthreads/include \
-I${.CURDIR:H}
-LIBADD= ntp pthread
+LIBADD= m ntp pthread
.include <bsd.prog.mk>
Index: contrib/file/config.guess
===================================================================
--- contrib/file/config.guess (版本 330566)
+++ contrib/file/config.guess (版本 330908)
@@ -1,8 +1,8 @@
#! /bin/sh
# Attempt to guess a canonical system name.
-# Copyright 1992-2015 Free Software Foundation, Inc.
+# Copyright 1992-2017 Free Software Foundation, Inc.
-timestamp='2015-03-04'
+timestamp='2017-01-01'
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
@@ -27,7 +27,7 @@
# Originally written by Per Bothner; maintained since 2000 by Ben Elliston.
#
# You can get the latest version of this script from:
-# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
#
# Please send patches to <config-patches@gnu.org>.
@@ -50,7 +50,7 @@
GNU config.guess ($timestamp)
Originally written by Per Bothner.
-Copyright 1992-2015 Free Software Foundation, Inc.
+Copyright 1992-2017 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE."
@@ -186,9 +186,12 @@
*) machine=${UNAME_MACHINE_ARCH}-unknown ;;
esac
# The Operating System including object format, if it has switched
- # to ELF recently, or will in the future.
+ # to ELF recently (or will in the future) and ABI.
case "${UNAME_MACHINE_ARCH}" in
- arm*|earm*|i386|m68k|ns32k|sh3*|sparc|vax)
+ earm*)
+ os=netbsdelf
+ ;;
+ arm*|i386|m68k|ns32k|sh3*|sparc|vax)
eval $set_cc_for_build
if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
| grep -q __ELF__
@@ -221,7 +224,7 @@
release='-gnu'
;;
*)
- release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+ release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2`
;;
esac
# Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
@@ -237,6 +240,10 @@
UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'`
echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE}
exit ;;
+ *:LibertyBSD:*:*)
+ UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'`
+ echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE}
+ exit ;;
*:ekkoBSD:*:*)
echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE}
exit ;;
@@ -249,6 +256,9 @@
*:MirBSD:*:*)
echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE}
exit ;;
+ *:Sortix:*:*)
+ echo ${UNAME_MACHINE}-unknown-sortix
+ exit ;;
alpha:OSF1:*:*)
case $UNAME_RELEASE in
*4.0)
@@ -265,35 +275,35 @@
ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1`
case "$ALPHA_CPU_TYPE" in
"EV4 (21064)")
- UNAME_MACHINE="alpha" ;;
+ UNAME_MACHINE=alpha ;;
"EV4.5 (21064)")
- UNAME_MACHINE="alpha" ;;
+ UNAME_MACHINE=alpha ;;
"LCA4 (21066/21068)")
- UNAME_MACHINE="alpha" ;;
+ UNAME_MACHINE=alpha ;;
"EV5 (21164)")
- UNAME_MACHINE="alphaev5" ;;
+ UNAME_MACHINE=alphaev5 ;;
"EV5.6 (21164A)")
- UNAME_MACHINE="alphaev56" ;;
+ UNAME_MACHINE=alphaev56 ;;
"EV5.6 (21164PC)")
- UNAME_MACHINE="alphapca56" ;;
+ UNAME_MACHINE=alphapca56 ;;
"EV5.7 (21164PC)")
- UNAME_MACHINE="alphapca57" ;;
+ UNAME_MACHINE=alphapca57 ;;
"EV6 (21264)")
- UNAME_MACHINE="alphaev6" ;;
+ UNAME_MACHINE=alphaev6 ;;
"EV6.7 (21264A)")
- UNAME_MACHINE="alphaev67" ;;
+ UNAME_MACHINE=alphaev67 ;;
"EV6.8CB (21264C)")
- UNAME_MACHINE="alphaev68" ;;
+ UNAME_MACHINE=alphaev68 ;;
"EV6.8AL (21264B)")
- UNAME_MACHINE="alphaev68" ;;
+ UNAME_MACHINE=alphaev68 ;;
"EV6.8CX (21264D)")
- UNAME_MACHINE="alphaev68" ;;
+ UNAME_MACHINE=alphaev68 ;;
"EV6.9A (21264/EV69A)")
- UNAME_MACHINE="alphaev69" ;;
+ UNAME_MACHINE=alphaev69 ;;
"EV7 (21364)")
- UNAME_MACHINE="alphaev7" ;;
+ UNAME_MACHINE=alphaev7 ;;
"EV7.9 (21364A)")
- UNAME_MACHINE="alphaev79" ;;
+ UNAME_MACHINE=alphaev79 ;;
esac
# A Pn.n version is a patched version.
# A Vn.n version is a released version.
@@ -300,7 +310,7 @@
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
# Reset EXIT trap before exiting to avoid spurious non-zero exit code.
exitcode=$?
trap '' 0
@@ -373,16 +383,16 @@
exit ;;
i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*)
eval $set_cc_for_build
- SUN_ARCH="i386"
+ SUN_ARCH=i386
# If there is a compiler, see if it is configured for 64-bit objects.
# Note that the Sun cc does not turn __LP64__ into 1 like gcc does.
# This test works for both compilers.
- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \
- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
- SUN_ARCH="x86_64"
+ SUN_ARCH=x86_64
fi
fi
echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'`
@@ -407,7 +417,7 @@
exit ;;
sun*:*:4.2BSD:*)
UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null`
- test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3
+ test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3
case "`/bin/arch`" in
sun3)
echo m68k-sun-sunos${UNAME_RELEASE}
@@ -632,13 +642,13 @@
sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null`
sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null`
case "${sc_cpu_version}" in
- 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0
- 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1
+ 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0
+ 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1
532) # CPU_PA_RISC2_0
case "${sc_kernel_bits}" in
- 32) HP_ARCH="hppa2.0n" ;;
- 64) HP_ARCH="hppa2.0w" ;;
- '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20
+ 32) HP_ARCH=hppa2.0n ;;
+ 64) HP_ARCH=hppa2.0w ;;
+ '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20
esac ;;
esac
fi
@@ -677,11 +687,11 @@
exit (0);
}
EOF
- (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
+ (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy`
test -z "$HP_ARCH" && HP_ARCH=hppa
fi ;;
esac
- if [ ${HP_ARCH} = "hppa2.0w" ]
+ if [ ${HP_ARCH} = hppa2.0w ]
then
eval $set_cc_for_build
@@ -694,12 +704,12 @@
# $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess
# => hppa64-hp-hpux11.23
- if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) |
+ if echo __LP64__ | (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) |
grep -q __LP64__
then
- HP_ARCH="hppa2.0w"
+ HP_ARCH=hppa2.0w
else
- HP_ARCH="hppa64"
+ HP_ARCH=hppa64
fi
fi
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
@@ -804,14 +814,14 @@
echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit ;;
F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*)
- FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
+ FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`
+ FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
5000:UNIX_System_V:4.*:*)
- FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
- FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'`
+ FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'`
+ FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'`
echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit ;;
i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
@@ -893,7 +903,7 @@
exit ;;
*:GNU/*:*:*)
# other systems with GNU libc and userland
- echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
+ echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC}
exit ;;
i*86:Minix:*:*)
echo ${UNAME_MACHINE}-pc-minix
@@ -916,7 +926,7 @@
EV68*) UNAME_MACHINE=alphaev68 ;;
esac
objdump --private-headers /bin/sh | grep -q ld.so.1
- if test "$?" = 0 ; then LIBC="gnulibc1" ; fi
+ if test "$?" = 0 ; then LIBC=gnulibc1 ; fi
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
arc:Linux:*:* | arceb:Linux:*:*)
@@ -962,6 +972,9 @@
ia64:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
+ k1om:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
m32r*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
exit ;;
@@ -987,6 +1000,9 @@
eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'`
test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; }
;;
+ mips64el:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
openrisc*:Linux:*:*)
echo or1k-unknown-linux-${LIBC}
exit ;;
@@ -1019,6 +1035,9 @@
ppcle:Linux:*:*)
echo powerpcle-unknown-linux-${LIBC}
exit ;;
+ riscv32:Linux:*:* | riscv64:Linux:*:*)
+ echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ exit ;;
s390:Linux:*:* | s390x:Linux:*:*)
echo ${UNAME_MACHINE}-ibm-linux-${LIBC}
exit ;;
@@ -1038,7 +1057,7 @@
echo ${UNAME_MACHINE}-dec-linux-${LIBC}
exit ;;
x86_64:Linux:*:*)
- echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
+ echo ${UNAME_MACHINE}-pc-linux-${LIBC}
exit ;;
xtensa*:Linux:*:*)
echo ${UNAME_MACHINE}-unknown-linux-${LIBC}
@@ -1117,7 +1136,7 @@
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i586.
# Note: whatever this is, it MUST be the same as what config.sub
- # prints for the "djgpp" host, or else GDB configury will decide that
+ # prints for the "djgpp" host, or else GDB configure will decide that
# this is a cross-build.
echo i586-pc-msdosdjgpp
exit ;;
@@ -1266,6 +1285,9 @@
SX-8R:SUPER-UX:*:*)
echo sx8r-nec-superux${UNAME_RELEASE}
exit ;;
+ SX-ACE:SUPER-UX:*:*)
+ echo sxace-nec-superux${UNAME_RELEASE}
+ exit ;;
Power*:Rhapsody:*:*)
echo powerpc-apple-rhapsody${UNAME_RELEASE}
exit ;;
@@ -1279,9 +1301,9 @@
UNAME_PROCESSOR=powerpc
fi
if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then
- if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then
+ if [ "$CC_FOR_BUILD" != no_compiler_found ]; then
if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \
- (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \
+ (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \
grep IS_64BIT_ARCH >/dev/null
then
case $UNAME_PROCESSOR in
@@ -1303,7 +1325,7 @@
exit ;;
*:procnto*:*:* | *:QNX:[0123456789]*:*)
UNAME_PROCESSOR=`uname -p`
- if test "$UNAME_PROCESSOR" = "x86"; then
+ if test "$UNAME_PROCESSOR" = x86; then
UNAME_PROCESSOR=i386
UNAME_MACHINE=pc
fi
@@ -1334,7 +1356,7 @@
# "uname -m" is not consistent, so use $cputype instead. 386
# is converted to i386 for consistency with other x86
# operating systems.
- if test "$cputype" = "386"; then
+ if test "$cputype" = 386; then
UNAME_MACHINE=i386
else
UNAME_MACHINE="$cputype"
@@ -1376,7 +1398,7 @@
echo i386-pc-xenix
exit ;;
i*86:skyos:*:*)
- echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//'
+ echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'`
exit ;;
i*86:rdos:*:*)
echo ${UNAME_MACHINE}-pc-rdos
@@ -1387,23 +1409,25 @@
x86_64:VMkernel:*:*)
echo ${UNAME_MACHINE}-unknown-esx
exit ;;
+ amd64:Isilon\ OneFS:*:*)
+ echo x86_64-unknown-onefs
+ exit ;;
esac
cat >&2 <<EOF
$0: unable to guess system type
-This script, last modified $timestamp, has failed to recognize
-the operating system you are using. It is advised that you
-download the most up to date version of the config scripts from
+This script (version $timestamp), has failed to recognize the
+operating system you are using. If your script is old, overwrite
+config.guess and config.sub with the latest versions from:
- http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess
and
- http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD
+ http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub
-If the version you run ($0) is already up to date, please
-send the following data and any information you think might be
-pertinent to <config-patches@gnu.org> in order to provide the needed
-information to handle your system.
+If $0 has already been updated, send the following data and any
+information you think might be pertinent to config-patches@gnu.org to
+provide the necessary information to handle your system.
config.guess timestamp = $timestamp
Index: contrib/file/doc/file.man
===================================================================
--- contrib/file/doc/file.man (版本 330566)
+++ contrib/file/doc/file.man (版本 330908)
@@ -1,4 +1,4 @@
-.\" $File: file.man,v 1.124 2016/10/19 20:52:45 christos Exp $
+.\" $File: file.man,v 1.125 2017/01/03 11:24:46 christos Exp $
.Dd October 19, 2016
.Dt FILE __CSECTION__
.Os
@@ -238,8 +238,8 @@
to test the standard input, use
.Sq -
as a filename argument.
-Please note that
-.Ar namefile
+Please note that
+.Ar namefile
is unwrapped and the enclosed filenames are processed when this option is
encountered and before any further options processing is done.
This allows one to process multiple lists of files with different command line
@@ -411,10 +411,10 @@
.Fl h
options.
.Sh SEE ALSO
-.Xr magic __FSECTION__ ,
.Xr hexdump 1 ,
.Xr od 1 ,
.Xr strings 1 ,
+.Xr magic __FSECTION__ ,
.Xr fstyp 8
.Sh STANDARDS CONFORMANCE
This program is believed to exceed the System V Interface Definition
@@ -531,16 +531,15 @@
the first version.
Geoff Collyer found several inadequacies
and provided some magic file entries.
-Contributions by the
+Contributions of the
.Sq \*[Am]
operator by Rob McMahon,
.Aq cudcv@warwick.ac.uk ,
1989.
.Pp
-Guy Harris,
+Guy Harris,
.Aq guy@netapp.com ,
made many changes from 1993 to the present.
-1989.
.Pp
Primary development and maintenance from 1990 to the present by
Christos Zoulas
@@ -588,7 +587,6 @@
.Nm
returns 0 on success, and non-zero on error.
.Sh BUGS
-.Pp
Please report bugs and send patches to the bug tracker at
.Pa http://bugs.gw.com/
or the mailing list at
@@ -597,7 +595,6 @@
.Pa http://mx.gw.com/mailman/listinfo/file
first to subscribe).
.Sh TODO
-.Pp
Fix output so that tests for MIME and APPLE flags are not needed all
over the place, and actual output is only done in one place.
This needs a design.
@@ -646,16 +643,16 @@
.Dq name
and
.Dq use
-to check for consistency at compile time (duplicate
+to check for consistency at compile time (duplicate
.Dq name ,
.Dq use
pointing to undefined
.Dq name
).
-Make
+Make
.Dq name
/
-.Dq use
+.Dq use
more efficient by keeping a sorted list of names.
Special-case ^ to flip endianness in the parser so that it does not
have to be escaped, and document it.
Index: contrib/file/magic/Magdir/adventure
===================================================================
--- contrib/file/magic/Magdir/adventure (版本 330566)
+++ contrib/file/magic/Magdir/adventure (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: adventure,v 1.15 2015/09/07 10:03:21 christos Exp $
+# $File: adventure,v 1.17 2017/07/03 16:03:40 christos Exp $
# adventure: file(1) magic for Adventure game files
#
# from Allen Garvin <earendil@faeryland.tamu-commerce.edu>
@@ -36,11 +36,12 @@
>0 ubyte <9
>>16 belong&0xfe00f0f0 0x3030
>>>0 ubyte < 10
->>>>2 ubeshort < 10
+>>>>2 ubeshort x
>>>>>18 regex [0-9][0-9][0-9][0-9][0-9][0-9]
->>>>>>0 ubyte < 10 Infocom (Z-machine %d,
->>>>>>>2 ubeshort < 10 Release %d /
->>>>>>>>18 string >\0 Serial %.6s)
+>>>>>>0 ubyte < 10 Infocom (Z-machine %d
+>>>>>>>2 ubeshort x \b, Release %d
+>>>>>>>>18 string >\0 \b, Serial %.6s
+>>>>>>>>18 string x \b)
!:strength + 40
!:mime application/x-zmachine
@@ -78,7 +79,7 @@
!:mime application/x-tads
# Some saved game files start with "TADS2 save/g\n\r\032\0", a little-endian
# 2-byte length N, the N-char name of the game file *without* a NUL (darn!),
-# "TADS2 save\n\r\032\0" and the interpreter version.
+# "TADS2 save\n\r\032\0" and the interpreter version.
0 string TADS2\ save/g TADS
>12 belong !0x0A0D1A00 saved game data, CORRUPTED
>12 belong 0x0A0D1A00
@@ -109,7 +110,7 @@
# edited by David Griffith <dave@661.org>
# Danny Milosavljevic <danny.milo@gmx.net>
# These are ADRIFT (adventure game standard) game files, extension .taf
-# Checked from source at (http://www.adrift.co/) and various taf files
+# Checked from source at (http://www.adrift.co/) and various taf files
# found at the Interactive Fiction Archive (http://ifarchive.org/)
0 belong 0x3C423FC9
>4 belong 0x6A87C2CF Adrift game file version
Index: contrib/file/magic/Magdir/animation
===================================================================
--- contrib/file/magic/Magdir/animation (版本 330566)
+++ contrib/file/magic/Magdir/animation (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: animation,v 1.58 2016/07/03 14:13:11 christos Exp $
+# $File: animation,v 1.63 2017/05/26 14:33:07 christos Exp $
# animation: file(1) magic for animation/movie formats
#
# animation formats
@@ -34,14 +34,23 @@
!:mime image/jp2
# http://www.ftyps.com/ with local additions
4 string ftyp ISO Media
+# http://aeroquartet.com/wordpress/2016/03/05/3-xavc-s/
+>8 string XAVC \b, MPEG v4 system, Sony XAVC Codec
+>>96 string x \b, Audio "%.4s"
+>>118 beshort x at %dHz
+>>140 string x \b, Video "%.4s"
+>>168 beshort x %d
+>>170 beshort x \bx%d
>8 string 3g2 \b, MPEG v4 system, 3GPP2
!:mime video/3gpp2
>>11 byte 4 \b v4 (H.263/AMR GSM 6.10)
>>11 byte 5 \b v5 (H.263/AMR GSM 6.10)
>>11 byte 6 \b v6 (ITU H.264/AMR GSM 6.10)
->>11 byte a \b C.S0050-0 V1.0
->>11 byte b \b C.S0050-0-A V1.0.0
->>11 byte c \b C.S0050-0-B V1.0
+# http://www.3gpp2.org/Public_html/Specs/C.S0050-B_v1.0_070521.pdf
+# Section 8.1.1, corresponds to a, b, c
+>>11 byte 0x61 \b C.S0050-0 V1.0
+>>11 byte 0x62 \b C.S0050-0-A V1.0.0
+>>11 byte 0x63 \b C.S0050-0-B V1.0
>8 string 3ge \b, MPEG v4 system, 3GPP
!:mime video/3gpp
>>11 byte 6 \b, Release 6 MBMS Extended Presentations
@@ -186,13 +195,13 @@
# MPEG sequences
# Scans for all common MPEG header start codes
-0 belong 0x00000001
+0 belong 0x00000001
>4 byte&0x1F 0x07 JVT NAL sequence, H.264 video
>>5 byte 66 \b, baseline
>>5 byte 77 \b, main
>>5 byte 88 \b, extended
>>7 byte x \b @ L %u
-0 belong&0xFFFFFF00 0x00000100
+0 belong&0xFFFFFF00 0x00000100
>3 byte 0xBA MPEG sequence
!:mime video/mpeg
>>4 byte &0x40 \b, v2, program multiplex
@@ -493,8 +502,8 @@
# GRR the original test are too common for many DOS files, so test 32 <= kbits <= 448
# GRR this test is still too general as it catches a BOM of UTF-16 files (0xFFFE)
# FIXME: Almost all little endian UTF-16 text with BOM are clobbered by these entries
-#0 beshort&0xFFFE 0xFFFE
-#>2 ubyte&0xF0 >0x0F
+#0 beshort&0xFFFE 0xFFFE
+#>2 ubyte&0xF0 >0x0F
#>>2 ubyte&0xF0 <0xE1 MPEG ADTS, layer I, v1
## rate
#>>>2 byte&0xF0 0x10 \b, 32 kbps
@@ -566,9 +575,9 @@
# MP2, M2A
0 beshort&0xFFFE 0xFFF4 MPEG ADTS, layer II, v2
!:mime audio/mpeg
-# rate
+# rate
>2 byte&0xF0 0x10 \b, 8 kbps
->2 byte&0xF0 0x20 \b, 16 kbps
+>2 byte&0xF0 0x20 \b, 16 kbps
>2 byte&0xF0 0x30 \b, 24 kbps
>2 byte&0xF0 0x40 \b, 32 kbps
>2 byte&0xF0 0x50 \b, 40 kbps
@@ -636,7 +645,7 @@
# MP3, M25A
0 beshort&0xFFFE 0xFFE2 MPEG ADTS, layer III, v2.5
!:mime audio/mpeg
-# rate
+# rate
>2 byte&0xF0 0x10 \b, 8 kbps
>2 byte&0xF0 0x20 \b, 16 kbps
>2 byte&0xF0 0x30 \b, 24 kbps
@@ -855,10 +864,12 @@
# X3D (Extensible 3D) [http://www.web3d.org/specifications/x3d-3.0.dtd]
# From Michel Briand <michelbriand@free.fr>
-0 string/t \<?xml\ version="
-!:strength +1
->20 search/1000/cw \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text
-!:mime model/x3d
+# mimetype from https://www.iana.org/assignments/media-types/model/x3d+xml
+# Example http://www.web3d.org/x3d/content/examples/Basic/course/CreateX3DFromStringRandomSpheres.x3d
+0 string/w \<?xml\ version=
+!:strength + 5
+>20 search/1000/w \<!DOCTYPE\ X3D X3D (Extensible 3D) model xml text
+!:mime model/x3d+xml
#---------------------------------------------------------------------------
# HVQM4: compressed movie format designed by Hudson for Nintendo GameCube
Index: contrib/file/magic/Magdir/att3b
===================================================================
--- contrib/file/magic/Magdir/att3b (版本 330566)
+++ contrib/file/magic/Magdir/att3b (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: att3b,v 1.9 2014/04/30 21:41:02 christos Exp $
+# $File: att3b,v 1.10 2017/03/17 21:35:28 christos Exp $
# att3b: file(1) magic for AT&T 3B machines
#
# The `versions' should be un-commented if they work for you.
@@ -36,6 +36,6 @@
#>18 beshort &00040000 and MAU hardware required
#>22 beshort >0 - version %d
#
-# core file for 3b2
+# core file for 3b2
0 string \000\004\036\212\200 3b2 core file
>364 string >\0 of '%s'
Index: contrib/file/magic/Magdir/blender
===================================================================
--- contrib/file/magic/Magdir/blender (版本 330566)
+++ contrib/file/magic/Magdir/blender (版本 330908)
@@ -1,11 +1,11 @@
#------------------------------------------------------------------------------
-# $File: blender,v 1.6 2014/08/30 08:34:17 christos Exp $
+# $File: blender,v 1.7 2017/03/17 21:35:28 christos Exp $
# blender: file(1) magic for Blender 3D related files
#
-# Native format rule v1.2. For questions use the developers list
+# Native format rule v1.2. For questions use the developers list
# http://lists.blender.org/mailman/listinfo/bf-committers
-# GLOB chunk was moved near start and provides subversion info since 2.42
+# GLOB chunk was moved near start and provides subversion info since 2.42
0 string =BLENDER Blender3D,
>7 string =_ saved as 32-bits
Index: contrib/file/magic/Magdir/clipper
===================================================================
--- contrib/file/magic/Magdir/clipper (版本 330566)
+++ contrib/file/magic/Magdir/clipper (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: clipper,v 1.7 2014/04/30 21:41:02 christos Exp $
+# $File: clipper,v 1.8 2017/03/17 21:35:28 christos Exp $
# clipper: file(1) magic for Intergraph (formerly Fairchild) Clipper.
#
# XXX - what byte order does the Clipper use?
@@ -7,7 +7,7 @@
#
# XXX - what's the "!" stuff:
#
-# >18 short !074000,000000 C1 R1
+# >18 short !074000,000000 C1 R1
# >18 short !074000,004000 C2 R1
# >18 short !074000,010000 C3 R1
# >18 short !074000,074000 TEST
@@ -15,7 +15,7 @@
# I shall assume it's ANDing the field with the first value and
# comparing it with the second, and rewrite it as:
#
-# >18 short&074000 000000 C1 R1
+# >18 short&074000 000000 C1 R1
# >18 short&074000 004000 C2 R1
# >18 short&074000 010000 C3 R1
# >18 short&074000 074000 TEST
@@ -37,7 +37,7 @@
>12 long >0 not stripped
>22 short >0 - version %d
0 short 0577 CLIPPER COFF executable
->18 short&074000 000000 C1 R1
+>18 short&074000 000000 C1 R1
>18 short&074000 004000 C2 R1
>18 short&074000 010000 C3 R1
>18 short&074000 074000 TEST
Index: contrib/file/magic/Magdir/archive
===================================================================
--- contrib/file/magic/Magdir/archive (版本 330566)
+++ contrib/file/magic/Magdir/archive (版本 330908)
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# $File: archive,v 1.103 2016/05/05 17:07:40 christos Exp $
+# $File: archive,v 1.108 2017/08/30 13:45:10 christos Exp $
# archive: file(1) magic for archive formats (see also "msdos" for self-
# extracting compressed archives)
#
@@ -249,9 +249,9 @@
# URL: http://fileformats.archiveteam.org/wiki/TTComp_archive
# Update: Joerg Jenderek
# GRR: line below is too general as it matches also Panorama database "TCDB 2003-10 demo.pan", others
-0 string \0\6
+0 string \0\6
# look for first keyword of Panorama database *.pan
->12 search/261 DESIGN
+>12 search/261 DESIGN
# skip keyword with low entropy
>12 default x TTComp archive, binary, 4K dictionary
# (version 5.25) labeled the above entry as "TTComp archive data"
@@ -447,9 +447,9 @@
0 string SZ\x0a\4 SZip archive data
# XPack DiskImage
# *.XDI updated by Joerg Jenderek Sep 2015
-# ftp://ftp.sac.sk/pub/sac/pack/0index.txt
+# ftp://ftp.sac.sk/pub/sac/pack/0index.txt
# GRR: this test is still too general as it catches also text files starting with jm
-0 string jm
+0 string jm
# only found examples with this additional characteristic 2 bytes
>2 string \x2\x4 Xpack DiskImage archive data
#!:ext xdi
@@ -462,7 +462,7 @@
# ftp://ftp.elf.stuba.sk/pub/pc/pack/xpa32.zip
# created by XPA32.EXE version 1.0.2 for Windows
>0 string xpa\0\1 \b32 archive data
-# created by XPACK.COM version 1.67m or 1.67r with short 0x1800
+# created by XPACK.COM version 1.67m or 1.67r with short 0x1800
>3 ubeshort !0x0001 \bck archive data
# XPack Single Data
# changed by Joerg Jenderek Sep 2015 back to like in version 5.12
@@ -552,7 +552,7 @@
>>0x36 string >\0 fstype %.8s
# LHARC/LHA archiver (Greg Roelofs, newt@uchicago.edu)
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
# Reference: http://web.archive.org/web/20021005080911/http://www.osirusoft.com/joejared/lzhformat.html
#
@@ -561,14 +561,14 @@
# check 1st character of method id like -lz4- -lh5- or -pm2-
>2 string -
# check 5th character of method id
->>6 string -
+>>6 string -
# check header level 0 1 2 3
->>>20 ubyte <4
+>>>20 ubyte <4
# check 2nd, 3th and 4th character of method id
>>>>3 regex \^(lh[0-9a-ex]|lz[s2-8]|pm[012]|pc1) \b
!:mime application/x-lzh-compressed
# creator type "LHA "
-!:apple ????LHA
+!:apple ????LHA
# display archive type name like "LHa/LZS archive data" or "LArc archive"
>>>>>2 string -lz \b
!:ext lzs
@@ -578,7 +578,7 @@
# missing -lz?- with wikipedia names
>>>>>>3 regex \^lz[2378] LArc archive
# display archive type name like "LHa (2.x) archive data"
->>>>>2 string -lh \b
+>>>>>2 string -lh \b
# already known -lh0- -lh1- -lh2- -lh3- -lh4- -lh5- -lh6- -lh7- -lhd- variants with old names
>>>>>>3 regex \^lh[01] LHarc 1.x/ARX archive data
# LHice archiver use ".ICE" as name extension instead usual one ".lzh"
@@ -614,10 +614,10 @@
# check and display information of lharc header
0 name lharc-header
# header size 0x4 , 0x1b-0x61
->0 ubyte x
+>0 ubyte x
# compressed data size != compressed file size
#>7 ulelong x \b, data size %d
-# attribute: 0x2~?? 0x10~symlink|target 0x20~normal
+# attribute: 0x2~?? 0x10~symlink|target 0x20~normal
#>19 ubyte x \b, 19_0x%x
# level identifier 0 1 2 3
#>20 ubyte x \b, level %d
@@ -624,18 +624,18 @@
# time stamp
#>15 ubelong x DATE 0x%8.8x
# OS ID for level 1
->20 ubyte 1
+>20 ubyte 1
# 0x20 types find for *.rom files
>>(21.b+24) ubyte <0x21 \b, 0x%x OS
# ascii type like M for MSDOS
>>(21.b+24) ubyte >0x20 \b, '%c' OS
# OS ID for level 2
->20 ubyte 2
+>20 ubyte 2
#>>23 ubyte x \b, OS ID 0x%x
>>23 ubyte <0x21 \b, 0x%x OS
>>23 ubyte >0x20 \b, '%c' OS
# filename only for level 0 and 1
->20 ubyte <2
+>20 ubyte <2
# length of filename
>>21 ubyte >0 \b, with
# filename
@@ -643,73 +643,73 @@
#
#2 string -lh0- LHarc 1.x/ARX archive data [lh0]
#!:mime application/x-lharc
-2 string -lh0-
+2 string -lh0-
>0 use lharc-file
#2 string -lh1- LHarc 1.x/ARX archive data [lh1]
#!:mime application/x-lharc
-2 string -lh1-
+2 string -lh1-
>0 use lharc-file
# NEW -lz2- ... -lz8-
-2 string -lz2-
+2 string -lz2-
>0 use lharc-file
-2 string -lz3-
+2 string -lz3-
>0 use lharc-file
-2 string -lz4-
+2 string -lz4-
>0 use lharc-file
-2 string -lz5-
+2 string -lz5-
>0 use lharc-file
-2 string -lz7-
+2 string -lz7-
>0 use lharc-file
-2 string -lz8-
+2 string -lz8-
>0 use lharc-file
# [never seen any but the last; -lh4- reported in comp.compression:]
#2 string -lzs- LHa/LZS archive data [lzs]
-2 string -lzs-
+2 string -lzs-
>0 use lharc-file
# According to wikipedia and others such a version does not exist
#2 string -lh\40- LHa 2.x? archive data [lh ]
#2 string -lhd- LHa 2.x? archive data [lhd]
-2 string -lhd-
+2 string -lhd-
>0 use lharc-file
#2 string -lh2- LHa 2.x? archive data [lh2]
-2 string -lh2-
+2 string -lh2-
>0 use lharc-file
#2 string -lh3- LHa 2.x? archive data [lh3]
-2 string -lh3-
+2 string -lh3-
>0 use lharc-file
#2 string -lh4- LHa (2.x) archive data [lh4]
-2 string -lh4-
+2 string -lh4-
>0 use lharc-file
#2 string -lh5- LHa (2.x) archive data [lh5]
-2 string -lh5-
+2 string -lh5-
>0 use lharc-file
#2 string -lh6- LHa (2.x) archive data [lh6]
-2 string -lh6-
+2 string -lh6-
>0 use lharc-file
#2 string -lh7- LHa (2.x)/LHark archive data [lh7]
-2 string -lh7-
+2 string -lh7-
# !:mime application/x-lha
# >20 byte x - header level %d
>0 use lharc-file
# NEW -lh8- ... -lhe- , -lhx-
-2 string -lh8-
+2 string -lh8-
>0 use lharc-file
-2 string -lh9-
+2 string -lh9-
>0 use lharc-file
-2 string -lha-
+2 string -lha-
>0 use lharc-file
-2 string -lhb-
+2 string -lhb-
>0 use lharc-file
-2 string -lhc-
+2 string -lhc-
>0 use lharc-file
-2 string -lhe-
+2 string -lhe-
>0 use lharc-file
-2 string -lhx-
+2 string -lhx-
>0 use lharc-file
# taken from idarc [JW]
2 string -lZ PUT archive data
# already done by LHarc magics
-# this should never happen if all sub types of LZS archive are identified
+# this should never happen if all sub types of LZS archive are identified
#2 string -lz LZS archive data
2 string -sw1- Swag archive data
@@ -908,7 +908,17 @@
>>>4 byte 0x0a \b, at least v1.0 to extract
>>>4 byte 0x0b \b, at least v1.1 to extract
>>>4 byte 0x14 \b, at least v2.0 to extract
+>>>4 byte 0x15 \b, at least v2.1 to extract
+>>>4 byte 0x19 \b, at least v2.5 to extract
+>>>4 byte 0x1b \b, at least v2.7 to extract
>>>4 byte 0x2d \b, at least v4.5 to extract
+>>>4 byte 0x2e \b, at least v4.6 to extract
+>>>4 byte 0x32 \b, at least v5.0 to extract
+>>>4 byte 0x33 \b, at least v5.1 to extract
+>>>4 byte 0x34 \b, at least v5.2 to extract
+>>>4 byte 0x3d \b, at least v6.1 to extract
+>>>4 byte 0x3e \b, at least v6.2 to extract
+>>>4 byte 0x3f \b, at least v6.3 to extract
>>>0x161 string WINZIP \b, WinZIP self-extracting
# StarView Metafile
@@ -940,17 +950,17 @@
0 string \0\ \ \ \ \ \ \ \ \ \ \ \0\0 LBR archive data
#
# PMA (CP/M derivative of LHA)
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/LHA_(file_format)
#
#2 string -pm0- PMarc archive data [pm0]
-2 string -pm0-
+2 string -pm0-
>0 use lharc-file
#2 string -pm1- PMarc archive data [pm1]
-2 string -pm1-
+2 string -pm1-
>0 use lharc-file
#2 string -pm2- PMarc archive data [pm2]
-2 string -pm2-
+2 string -pm2-
>0 use lharc-file
2 string -pms- PMarc SFX archive (CP/M, DOS)
#!:mime application/x-foobar-exec
@@ -1145,12 +1155,12 @@
>3 ubyte 0 \b, no compression
>3 ubyte 2 \b, fast compression (Z1)
>3 ubyte 3 \b, medium compression (Z2)
->3 ubyte >3
+>3 ubyte >3
>>3 ubyte <11 \b, compression (Z%d-1)
->2 ubyte&0x08 0x00
+>2 ubyte&0x08 0x00
# ~ 30 byte password field only for *.gho
>>12 ubequad !0 \b, password protected
->>44 ubyte !1
+>>44 ubyte !1
# 1~Image All, sector-by-sector only for *.gho
>>>10 ubyte 1 \b, sector copy
# 1~Image Boot track only for *.gho
@@ -1160,8 +1170,8 @@
# optional image description only *.gho
>>0xff string >\0 "%-.254s"
# look for DOS sector end sequence
->0xE08 search/7776 \x55\xAA
->>&-512 indirect x \b; contains
+>0xE08 search/7776 \x55\xAA
+>>&-512 indirect x \b; contains
# Google Chrome extensions
# https://developer.chrome.com/extensions/crx
@@ -1169,3 +1179,10 @@
0 string Cr24 Google Chrome extension
!:mime application/x-chrome-extension
>4 ulong x \b, version %u
+
+# SeqBox - Sequenced container
+# ext: sbx, seqbox
+# Marco Pontello marcopon@gmail.com
+# reference: https://github.com/MarcoPon/SeqBox
+0 string SBx SeqBox,
+>3 byte x version %d
Index: contrib/file/magic/Magdir/blackberry
===================================================================
--- contrib/file/magic/Magdir/blackberry (版本 330566)
+++ contrib/file/magic/Magdir/blackberry (版本 330908)
@@ -1,8 +1,8 @@
#------------------------------------------------------------------------------
-# $File: blackberry,v 1.1 2014/01/31 01:51:32 christos Exp $
+# $File: blackberry,v 1.2 2017/03/17 21:35:28 christos Exp $
# blackberry: file(1) magic for BlackBerry file formats
#
-5 belong 0
+5 belong 0
>8 belong 010010010 BlackBerry RIM ETP file
>>22 string x \b for %s
Index: contrib/file/magic/Magdir/cafebabe
===================================================================
--- contrib/file/magic/Magdir/cafebabe (版本 330566)
+++ contrib/file/magic/Magdir/cafebabe (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: cafebabe,v 1.21 2015/10/15 20:56:51 christos Exp $
+# $File: cafebabe,v 1.23 2017/05/25 20:07:23 christos Exp $
# Cafe Babes unite!
#
# Since Java bytecode and Mach-O universal binaries have the same magic number,
@@ -7,8 +7,8 @@
# the test must be performed in the same "magic" sequence to get both right.
# The long at offset 4 in a Mach-O universal binary tells the number of
# architectures; the short at offset 4 in a Java bytecode file is the JVM minor
-# version and the short at offset 6 is the JVM major version. Since there are only
-# only 18 labeled Mach-O architectures at current, and the first released
+# version and the short at offset 6 is the JVM major version. Since there are only
+# only 18 labeled Mach-O architectures at current, and the first released
# Java class format was version 43.0, we can safely choose any number
# between 18 and 39 to test the number of architectures against
# (and use as a hack). Let's not use 18, because the Mach-O people
@@ -47,7 +47,7 @@
0 name mach-o \b [
>0 use mach-o-cpu \b
->(8.L) indirect \b:
+>(8.L) indirect x \b:
>0 belong x \b]
0 belong 0xcafebabe
Index: contrib/file/magic/Magdir/apache
===================================================================
--- contrib/file/magic/Magdir/apache (不存在的)
+++ contrib/file/magic/Magdir/apache (版本 330908)
@@ -0,0 +1,28 @@
+
+#------------------------------------------------------------------------------
+# $File: apache,v 1.1 2017/04/11 14:52:15 christos Exp $
+# apache: file(1) magic for Apache Big Data formats
+
+# Avro files
+0 string Obj Apache Avro
+>3 byte x version %d
+
+# ORC files
+# Important information is in file footer, which we can't index to :(
+0 string ORC Apache ORC
+
+# Parquet files
+0 string PAR1 Apache Parquet
+
+# Hive RC files
+0 string RCF Apache Hive RC file
+>3 byte x version %d
+
+# Sequence files (and the careless first version of RC file)
+
+0 string SEQ
+>3 byte <6 Apache Hadoop Sequence file version %d
+>3 byte >6 Apache Hadoop Sequence file version %d
+>3 byte =6
+>>5 string org.apache.hadoop.hive.ql.io.RCFile$KeyBuffer Apache Hive RC file version 0
+>>3 default x Apache Hadoop Sequence file version 6
Index: contrib/file/magic/Magdir/audio
===================================================================
--- contrib/file/magic/Magdir/audio (版本 330566)
+++ contrib/file/magic/Magdir/audio (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: audio,v 1.75 2016/02/08 17:30:11 christos Exp $
+# $File: audio,v 1.80 2017/08/13 00:21:47 christos Exp $
# audio: file(1) magic for sound formats (see also "iff")
#
# Jan Nicolai Langfeldt (janl@ifi.uio.no), Dan Quinlan (quinlan@yggdrasil.com),
@@ -300,7 +300,7 @@
>>5 byte &0x40 \b, extended header
>>5 byte &0x20 \b, experimental
>>5 byte &0x10 \b, footer present
->(6.I+10) indirect x \b, contains:
+>(6.I+10) indirect x \b, contains:
# NSF (NES sound file) magic
0 string NESM\x1a NES Sound File
@@ -314,7 +314,7 @@
>122 byte&0x1 =0 NTSC
# NSFE (Extended NES sound file) magic
-# http://slickproductions.org/docs/NSF/nsfespec.txt
+# http://slickproductions.org/docs/NSF/nsfespec.txt
# From: David Pflug <david@pflug.email>
0 string NSFE Extended NES Sound File
>48 search/0x1000 auth
@@ -469,6 +469,8 @@
>>20 byte&0xe 0xc \b, 7 channels
>>20 byte&0xe 0xe \b, 8 channels
# some common sample rates
+>>17 belong&0xfffff0 0x2ee000 \b, 192 kHz
+>>17 belong&0xfffff0 0x158880 \b, 88.2 kHz
>>17 belong&0xfffff0 0x0ac440 \b, 44.1 kHz
>>17 belong&0xfffff0 0x0bb800 \b, 48 kHz
>>17 belong&0xfffff0 0x07d000 \b, 32 kHz
@@ -658,7 +660,7 @@
# From Fabio R. Schmidlin <frs@pop.com.br>
# VGM music file
-0 string Vgm\
+0 string Vgm\040
>9 ubyte >0 VGM Video Game Music dump v
>>9 ubyte/16 >0 \b%d
>>9 ubyte&0x0F x \b%d
@@ -723,7 +725,7 @@
# URL: http://www.garmin.com/
# Reference: http://turboccc.wikispaces.com/share/view/28622555
# NOTE: there exist 2 other Garmin VPM formats
-0 string AUDIMG
+0 string AUDIMG
# skip text files starting with string "AUDIMG"
>13 ubyte <13 Garmin Voice Processing Module
!:mime audio/x-vpm-wav-garmin
@@ -743,16 +745,68 @@
# second of release (0-59)
>>9 ubyte x \b:%.2d
# if you select a language like german on your garmin device
-# you can only select voice modules with correponding language byte ID like 1
+# you can only select voice modules with corresponding language byte ID like 1
>>18 ubyte x \b, language ID %d
# pointer to 1st audio WAV sample
->>16 uleshort >0
+>>16 uleshort >0
>>>(16.s) ulelong >0 \b, at offset 0x%x
# WAV length
>>>>(16.s+4) ulelong >0 %d Bytes
# look for magic
->>>>>(&-8.l) string RIFF
+>>>>>(&-8.l) string RIFF
# determine type by ./riff
->>>>>>&-4 indirect x \b
+>>>>>>&-4 indirect x \b
# 2 - ~ 131 WAV samples following same way
+# From Martin Mueller Skarbiniks Pedersen
+0 string GDM
+>0x3 byte 0xFE General Digital Music.
+>0x4 string >\0 title: "%s"
+>0x24 string >\0 musician: "%s"
+>>0x44 beshort 0x0D0A
+>>>0x46 byte 0x1A
+>>>>0x47 string GMFS Version
+>>>>0x4B byte x %d.
+>>>>0x4C byte x \b%02d
+>>>>0x4D beshort 0x000 (2GDM v
+>>>>0x4F byte x \b%d.
+>>>>>0x50 byte x \b%d)
+
+0 string MTM Multitracker
+>0x3 byte/16 x Version %d.
+>0x3 byte&0x0F x \b%02d
+>>0x4 string >\0 title: "%s"
+
+0 string HVL
+>3 byte <2 Hively Tracker Song
+>3 byte 0 1 module data
+>3 byte 1 2 module data
+
+0 string MO3
+>3 ubyte <6 MOdule with MP3
+>>3 byte 0 Version 0 (With MP3 and lossless)
+>>3 byte 1 Version 1 (With ogg and lossless)
+>>3 byte 3 Version 2.2
+>>3 byte 4 (With no LAME header)
+>>3 byte 5 Version 2.4
+
+0 string ADRVPACK AProSys module
+
+# ftp://ftp.modland.com/pub/documents/format_documentation/\
+# Art%20Of%20Noise%20(.aon).txt
+0 string AON
+>4 string "ArtOfNoise by Bastian Spiegel(twice/lego)"
+>0x2e string NAME Art of Noise Tracker Song
+>3 string <9
+>3 string 4 (4 voices)
+>3 string 8 (8 voices)
+>>0x36 string >\0 Title: "%s"
+
+0 string FAR
+>0x2c byte 0x0d
+>0x2d byte 0x0a
+>0x2e byte 0x1a
+>>0x3 byte 0xFE Farandole Tracker Song
+>>>0x31 byte/16 x Version %d.
+>>>0x31 byte&0x0F x \b%02d
+>>>>0x4 string >\0 \b, title: "%s"
Index: contrib/file/magic/Magdir/c-lang
===================================================================
--- contrib/file/magic/Magdir/c-lang (版本 330566)
+++ contrib/file/magic/Magdir/c-lang (版本 330908)
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# $File: c-lang,v 1.24 2016/07/01 23:31:13 christos Exp $
+# $File: c-lang,v 1.26 2017/08/14 07:40:38 christos Exp $
# c-lang: file(1) magic for C and related languages programs
#
# The strength is to beat standard HTML
@@ -11,49 +11,72 @@
!:mime text/x-bcpl
# C
-0 regex \^#include C source text
-!:strength +25
+# Check for class if include is found, otherwise class is beaten by include becouse of lowered strength
+0 regex \^#include C
+>0 regex \^class[[:space:]]+
+>>&0 regex \\{[\.\*]\\}(;)?$ \b++
+>&0 clear x source text
+!:strength + 13
!:mime text/x-c
-0 regex \^char[\ \t\n]+ C source text
+0 regex \^#[[:space:]]*pragma C source text
!:mime text/x-c
-0 regex \^double[\ \t\n]+ C source text
+0 regex \^#[[:space:]]*(if\|ifn)def
+>&0 regex \^#[[:space:]]*endif$ C source text
!:mime text/x-c
-0 regex \^extern[\ \t\n]+ C source text
+0 regex \^#[[:space:]]*(if\|ifn)def
+>&0 regex \^#[[:space:]]*define C source text
!:mime text/x-c
-0 regex \^float[\ \t\n]+ C source text
+0 regex \^[[:space:]]*char(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text
!:mime text/x-c
-0 regex \^struct[\ \t\n]+ C source text
+0 regex \^[[:space:]]*double(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text
!:mime text/x-c
-0 regex \^union[\ \t\n]+ C source text
+0 regex \^[[:space:]]*extern[[:space:]]+ C source text
!:mime text/x-c
-0 search/8192 main( C source text
+0 regex \^[[:space:]]*float(\ \\*|\\*)(.+)(=.*)?;[[:space:]]*$ C source text
!:mime text/x-c
+0 regex \^struct[[:space:]]+ C source text
+!:mime text/x-c
+0 regex \^union[[:space:]]+ C source text
+!:mime text/x-c
+0 search/8192 main(
+>&0 regex \\)[[:space:]]*\\{ C source text
+!:mime text/x-c
# C++
# The strength of these rules is increased so they beat the C rules above
-0 regex \^template[\ \t]+<.*>[\ \t\n]+ C++ source text
+0 regex \^namespace[[:space:]]+[_[:alpha:]]{1,30}[[:space:]]*\\{ C++ source text
!:strength + 30
!:mime text/x-c++
-0 regex \^virtual[\ \t\n]+ C++ source text
+# using namespace [namespace] or using std::[lib]
+0 regex \^using[[:space:]]+(namespace\ )?std(::)?[[:alpha:]]*[[:space:]]*; C++ source text
!:strength + 30
!:mime text/x-c++
-0 regex \^class[\ \t\n]+ C++ source text
-# But class is reduced to avoid beating php (Jens Schleusener)
+0 regex \^[[:space:]]*template[[:space:]]*<.*>[[:space:]]*$ C++ source text
+!:strength + 30
+!:mime text/x-c++
+0 regex \^[[:space:]]*virtual[[:space:]]+.*[};][[:space:]]*$ C++ source text
+!:strength + 30
+!:mime text/x-c++
+# But class alone is reduced to avoid beating php (Jens Schleusener)
+0 regex \^[[:space:]]*class[[:space:]]+[[:digit:][:alpha:]:_]+[[:space:]]*\\{(.*[\n]*)*\\}(;)?$ C++ source text
!:strength + 13
!:mime text/x-c++
-0 regex \^public: C++ source text
+0 regex \^[[:space:]]*public: C++ source text
!:strength + 30
!:mime text/x-c++
-0 regex \^private: C++ source text
+0 regex \^[[:space:]]*private: C++ source text
!:strength + 30
!:mime text/x-c++
+0 regex \^[[:space:]]*protected: C++ source text
+!:strength + 30
+!:mime text/x-c++
# Objective-C
-0 regex \^#import Objective-C source text
-!:strength +25
+0 regex \^#import Objective-C source text
+!:strength + 25
!:mime text/x-objective-c
-# From: Mikhail Teterin <mi@aldan.algebra.com>
+# From: Mikhail Teterin <mi@aldan.algebra.com>
0 string cscope cscope reference data
>7 string x version %.2s
# We skip the path here, because it is often long (so file will
Index: contrib/file/magic/Magdir/coff
===================================================================
--- contrib/file/magic/Magdir/coff (版本 330566)
+++ contrib/file/magic/Magdir/coff (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: coff,v 1.1 2015/09/30 20:32:35 christos Exp $
+# $File: coff,v 1.2 2017/03/17 21:35:28 christos Exp $
# coff: file(1) magic for Common Object Files not specific to known cpu types or manufactures
#
# COFF
@@ -15,7 +15,7 @@
# mips,motorola,msdos,osf1,sharc,varied.out,vax
0 name display-coff
# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags
->18 uleshort&0x8E80 0
+>18 uleshort&0x8E80 0
>>0 clear x
# f_magic - magic number
# DJGPP, 80386 COFF executable, MS Windows COFF Intel 80386 object file (./intel)
@@ -25,7 +25,7 @@
# Hitachi SH little-endian COFF (./hitachi-sh)
>>0 uleshort 0x0550 Hitachi SH little-endian
# executable (RISC System/6000 V3.1) or obj module (./ibm6000)
-#>>0 uleshort 0x01DF
+#>>0 uleshort 0x01DF
# TODO for other COFFs
#>>0 uleshort 0xABCD COFF_TEMPLATE
>>0 default x
@@ -45,12 +45,12 @@
>>18 leshort &0x0008 \b, stripped
>>18 leshort ^0x0008 \b, not stripped
# flags in other COFF versions
-#0x0010 F_FDPR_PROF
+#0x0010 F_FDPR_PROF
#0x0020 F_FDPR_OPTI
#0x0040 F_DSA
# F_AR32WR flag bit
#>>>18 leshort &0x0100 \b, 32 bit little endian
-#0x1000 F_DYNLOAD
+#0x1000 F_DYNLOAD
#0x2000 F_SHROBJ
#0x4000 F_LOADONLY
# f_nscns - number of sections
@@ -62,7 +62,7 @@
>>8 ulelong >0 \b, symbol offset=0x%x
# f_nsyms - number of symbols, only for not stripped
>>12 ulelong >0 \b, %d symbols
-# f_opthdr - optional header size
+# f_opthdr - optional header size
>>16 uleshort >0 \b, optional header size %d
# at offset 20 can be optional header, extra bytes FILHSZ-20 because
# do not rely on sizeof(FILHDR) to give the correct size for header.
Index: contrib/file/magic/Magdir/cups
===================================================================
--- contrib/file/magic/Magdir/cups (版本 330566)
+++ contrib/file/magic/Magdir/cups (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: cups,v 1.4 2016/10/17 18:51:02 christos Exp $
+# $File: cups,v 1.5 2017/03/17 21:35:28 christos Exp $
# Cups: file(1) magic for the cups raster file format
# From: Laurent Martelli <martellilaurent@gmail.com>
# http://www.cups.org/documentation.php/spec-raster.html
@@ -39,7 +39,7 @@
>404 lelong 20 ColorSpace=AdobeRGB
# Cups Raster image format, Big Endian
-0 string RaS
+0 string RaS
>3 string t Cups Raster version 1, Big Endian
>3 string 2 Cups Raster version 2, Big Endian
>3 string 3 Cups Raster version 3, Big Endian
@@ -48,7 +48,7 @@
# Cups Raster image format, Little Endian
-1 string SaR
+1 string SaR
>0 string t Cups Raster version 1, Little Endian
>0 string 2 Cups Raster version 2, Little Endian
>0 string 3 Cups Raster version 3, Little Endian
Index: contrib/file/magic/Magdir/dolby
===================================================================
--- contrib/file/magic/Magdir/dolby (版本 330566)
+++ contrib/file/magic/Magdir/dolby (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: dolby,v 1.7 2014/01/08 22:37:23 christos Exp $
+# $File: dolby,v 1.8 2017/03/17 21:35:28 christos Exp $
# ATSC A/53 aka AC-3 aka Dolby Digital <ashitaka@gmx.at>
# from http://www.atsc.org/standards/a_52a.pdf
# corrections, additions, etc. are always welcome!
@@ -23,7 +23,7 @@
>5 byte&0x07 = 0x04 \b, dialogue (D)
>5 byte&0x07 = 0x05 \b, commentary (C)
>5 byte&0x07 = 0x06 \b, emergency (E)
->5 beshort&0x07e0 0x0720 \b, voiceover (VO)
+>5 beshort&0x07e0 0x0720 \b, voiceover (VO)
>5 beshort&0x07e0 >0x0720 \b, karaoke
# acmod
>6 byte&0xe0 = 0x00 1+1 front,
Index: contrib/file/magic/Magdir/filesystems
===================================================================
--- contrib/file/magic/Magdir/filesystems (版本 330566)
+++ contrib/file/magic/Magdir/filesystems (版本 330908)
@@ -1,8 +1,8 @@
#------------------------------------------------------------------------------
-# $File: filesystems,v 1.114 2016/09/05 08:34:25 christos Exp $
+# $File: filesystems,v 1.122 2017/07/21 10:34:41 christos Exp $
# filesystems: file(1) magic for different filesystems
#
-0 name partid
+0 name partid
>0 ubyte 0x00 Unused
>0 ubyte 0x01 12-bit FAT
>0 ubyte 0x02 XENIX /
@@ -187,7 +187,7 @@
0 string \366\366\366\366 PC formatted floppy with no filesystem
# Sun disk labels
# From /usr/include/sun/dklabel.h:
-0774 beshort 0xdabe
+0774 beshort 0xdabe
# modified by Joerg Jenderek, because original test
# succeeds for Cabinet archive dao360.dl_ with negative blocks
>0770 long >0 Sun disk label
@@ -213,30 +213,30 @@
# (http://btmgr.sourceforge.net/docs/user-guide-3.html)
0 string SBMBAKUP_ Smart Boot Manager backup file
>9 string x \b, version %-5.5s
->>14 string =_
+>>14 string =_
>>>15 string x %-.1s
>>>>16 string =_ \b.
>>>>>17 string x \b%-.1s
>>>>>>18 string =_ \b.
>>>>>>>19 string x \b%-.1s
->>>22 ubyte 0
+>>>22 ubyte 0
>>>>21 ubyte x \b, from drive 0x%x
->>>22 ubyte >0
+>>>22 ubyte >0
>>>>21 string x \b, from drive %s
->>>535 search/17 \x55\xAA
->>>>&-512 indirect x \b; contains
+>>>535 search/17 \x55\xAA
+>>>>&-512 indirect x \b; contains
# updated by Joerg Jenderek at Nov 2012
# DOS Emulator image is 128 byte, null right padded header + harddisc image
-0 string DOSEMU\0
->0x27E leshort 0xAA55
+0 string DOSEMU\0
+>0x27E leshort 0xAA55
#offset is 128
->>19 ubyte 128
+>>19 ubyte 128
>>>(19.b-1) ubyte 0x0 DOS Emulator image
>>>>7 ulelong >0 \b, %u heads
>>>>11 ulelong >0 \b, %d sectors/track
>>>>15 ulelong >0 \b, %d cylinders
->>>>128 indirect x \b; contains
+>>>>128 indirect x \b; contains
# added by Joerg Jenderek at Nov 2012
# http://www.thenakedpc.com/articles/v04/08/0408-05.html
@@ -243,8 +243,8 @@
# Symantec (Peter Norton) Image.dat file consists of variable header, bootrecord, part of FAT and root directory data
0 string PNCIHISK\0 Norton Utilities disc image data
# real x86 boot sector with jump instruction
->509 search/1026 \x55\xAA\xeb
->>&-1 indirect x \b; contains
+>509 search/1026 \x55\xAA\xeb
+>>&-1 indirect x \b; contains
# http://file-extension.net/seeker/file_extension_dat
0 string PNCIUNDO Norton Disk Doctor UnDo file
#
@@ -251,12 +251,12 @@
# DOS/MBR boot sector updated by Joerg Jenderek at Sep 2007,May 2011,2013
# for any allowed sector sizes
-30 search/481 \x55\xAA
+30 search/481 \x55\xAA
# to display DOS/MBR boot sector (40) before old one (strength=50+21),Syslinux bootloader (71),SYSLINUX MBR (37+36),NetBSD mbr (110),AdvanceMAME mbr (111)
# DOS BPB information (70) and after DOS floppy (120) like in previous file version
!:strength +65
# for sector sizes < 512 Bytes
->11 uleshort <512
+>11 uleshort <512
>>(11.s-2) uleshort 0xAA55 DOS/MBR boot sector
# for sector sizes with 512 or more Bytes
>0x1FE leshort 0xAA55 DOS/MBR boot sector
@@ -270,18 +270,18 @@
>2 string OSBS OS/BS MBR
# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/
# and http://en.wikipedia.org/wiki/Master_Boot_Record
-# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by
+# test for nearly all MS-DOS Master Boot Record initial program loader (IPL) is now done by
# characteristic assembler instructions: xor ax,ax;mov ss,ax;mov sp,7c00
>0 search/2 \x33\xc0\x8e\xd0\xbc\x00\x7c MS-MBR
# Microsoft Windows 95A and early ( http://thestarman.pcministry.com/asm/mbr/STDMBR.htm )
# assembler instructions: mov si,sp;push ax;pop es;push ax;pop ds;sti;cld
->>8 ubequad 0x8bf45007501ffbfc
+>>8 ubequad 0x8bf45007501ffbfc
# http://thestarman.pcministry.com/asm/mbr/200MBR.htm
>>>0x16 ubyte 0xF3 \b,DOS 2
>>>>219 regex Author\ -\ Author:
# found "David Litton" , "A Pehrsson "
>>>>>&0 string x "%s"
->>>0x16 ubyte 0xF2
+>>>0x16 ubyte 0xF2
# NEC MS-DOS 3.30 Rev. 3 . See http://thestarman.pcministry.com/asm/mbr/DOS33MBR.htm
# assembler instructions: mov di,077c;cmp word ptrl[di],a55a;jnz
>>>>0x22 ubequad 0xbf7c07813d5aa575 \b,NEC 3.3
@@ -316,7 +316,7 @@
>>>>>>(0x79.b) string >\0 "%s"
# Microsoft Windows 95B to XP (http://thestarman.pcministry.com/asm/mbr/95BMEMBR.htm)
# assembler instructions: push ax;pop es;push ax;pop ds;cld;mov si,7c1b
->>8 ubequad 0x5007501ffcbe1b7c
+>>8 ubequad 0x5007501ffcbe1b7c
# assembler instructions: rep;movsb;retf;mov si,07be;mov cl,04
>>>24 ubequad 0xf3a4cbbebe07b104 9M
# "Invalid partition table" nn=0x10F for english version
@@ -361,7 +361,7 @@
>>>>(0x1b7.b+0x100) string >\0 "%s"
# Microsoft Windows Vista or 7
# assembler instructions: ..;mov ds,ax;mov si,7c00;mov di,..00
->>8 ubequad 0xc08ed8be007cbf00
+>>8 ubequad 0xc08ed8be007cbf00
# Microsoft Windows Vista (http://thestarman.pcministry.com/asm/mbr/VistaMBR.htm)
# assembler instructions: jnz 0729;cmp ebx,"TCPA"
>>>0xEC ubequad 0x753b6681fb544350 Vista
@@ -402,38 +402,38 @@
# http://en.wikipedia.org/wiki/MBR_disk_signature#ID
>>0x1b8 ulelong >0 \b, disk signature 0x%-.4x
# driveID/timestamp for Win 95B,98,98SE and ME. See http://thestarman.pcministry.com/asm/mbr/mystery.htm
->>0xDA uleshort 0
+>>0xDA uleshort 0
>>>0xDC ulelong >0 \b, created
# physical drive number (0x80-0xFF) when the Windows wrote that byte to the drive
>>>>0xDC ubyte x with driveID 0x%x
-# hours, minutes and seconds
+# hours, minutes and seconds
>>>>0xDf ubyte x at %x
>>>>0xDe ubyte x \b:%x
>>>>0xDd ubyte x \b:%x
# special case for Microsoft MS-DOS 3.21 spanish
-# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov
->0 ubequad 0xfab830008ed0bc00
-# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov
+# assembler instructions: cli;mov $0x30,%ax;mov %ax,%ss;mov
+>0 ubequad 0xfab830008ed0bc00
+# assembler instructions: $0x1f00,%sp;mov $0x80cb,%di;add %cl,(%bx,%si);in (%dx),%ax;mov
>>8 ubequad 0x1fbfcb800008ed8 MS-MBR,D0S version 3.21 spanish
# Microsoft MBR IPL end
# dr-dos with some upper-, lowercase variants
->0x9D string Invalid\ partition\ table$
->>181 string No\ Operating\ System$
+>0x9D string Invalid\ partition\ table$
+>>181 string No\ Operating\ System$
>>>201 string Operating\ System\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03
->0x9D string Invalid\ partition\ table$
->>181 string No\ operating\ system$
+>0x9D string Invalid\ partition\ table$
+>>181 string No\ operating\ system$
>>>201 string Operating\ system\ load\ error$ \b, DR-DOS MBR, Version 7.01 to 7.03
->342 string Invalid\ partition\ table$
->>366 string No\ operating\ system$
+>342 string Invalid\ partition\ table$
+>>366 string No\ operating\ system$
>>>386 string Operating\ system\ load\ error$ \b, DR-DOS MBR, version 7.01 to 7.03
->295 string NEWLDR\0
->>302 string Bad\ PT\ $
->>>310 string No\ OS\ $
->>>>317 string OS\ load\ err$
->>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r
->>>>>>358 string Press\ any\ key\ to\ continue.\n\r$
->>>>>>>387 string Copyright\ (c)\ 1984,1998
+>295 string NEWLDR\0
+>>302 string Bad\ PT\ $
+>>>310 string No\ OS\ $
+>>>>317 string OS\ load\ err$
+>>>>>329 string Moved\ or\ missing\ IBMBIO.LDR\n\r
+>>>>>>358 string Press\ any\ key\ to\ continue.\n\r$
+>>>>>>>387 string Copyright\ (c)\ 1984,1998
>>>>>>>>411 string Caldera\ Inc.\0 \b, DR-DOS MBR (IBMBIO.LDR)
#
# tests for different MS-DOS Master Boot Records (MBR) moved and merged
@@ -441,15 +441,15 @@
#>0x145 string Default:\ F \b, FREE-DOS MBR
#>0x14B string Default:\ F \b, FREE-DOS 1.0 MBR
>0x145 search/7 Default:\ F \b, FREE-DOS MBR
-#>>313 string F0\ .\ .\ .
-#>>>322 string disk\ 1
-#>>>>382 string FAT3
->64 string no\ active\ partition\ found
+#>>313 string F0\ .\ .\ .
+#>>>322 string disk\ 1
+#>>>>382 string FAT3
+>64 string no\ active\ partition\ found
>>96 string read\ error\ while\ reading\ drive \b, FREE-DOS Beta 0.9 MBR
# Ranish Partition Manager http://www.ranish.com/part/
->387 search/4 \0\ Error!\r
->>378 search/7 Virus!
->>>397 search/4 Booting\
+>387 search/4 \0\ Error!\r
+>>378 search/7 Virus!
+>>>397 search/4 Booting\040
>>>>408 search/4 HD1/\0 \b, Ranish MBR (
>>>>>416 string Writing\ changes... \b2.37
>>>>>>438 ubyte x \b,0x%x dots
@@ -466,23 +466,23 @@
#
# SYSLINUX MBR moved
# http://www.acronis.de/
->362 string MBR\ Error\ \0\r
->>376 string ress\ any\ key\ to\
+>362 string MBR\ Error\ \0\r
+>>376 string ress\ any\ key\ to\040
>>>392 string boot\ from\ floppy...\0 \b, Acronis MBR
# added by Joerg Jenderek
# http://www.visopsys.org/
# http://partitionlogic.org.uk/
->309 string No\ bootable\ partition\ found\r
+>309 string No\ bootable\ partition\ found\r
>>339 string I/O\ Error\ reading\ boot\ sector\r \b, Visopsys MBR
->349 string No\ bootable\ partition\ found\r
+>349 string No\ bootable\ partition\ found\r
>>379 string I/O\ Error\ reading\ boot\ sector\r \b, simple Visopsys MBR
# bootloader, bootmanager
->0x40 string SBML
+>0x40 string SBML
# label with 11 characters of FAT 12 bit filesystem
->>43 string SMART\ BTMGR
+>>43 string SMART\ BTMGR
>>>430 string SBMK\ Bad!\r \b, Smart Boot Manager
# OEM-ID not always "SBM"
-#>>>>3 strings SBM
+#>>>>3 strings SBM
>>>>6 string >\0 \b, version %s
>382 string XOSLLOADXCF \b, eXtended Operating System Loader
>6 string LILO \b, LInux i386 boot LOader
@@ -492,11 +492,11 @@
# variables according to grub-0.97/stage1/stage1.S or
# http://www.gnu.org/software/grub/manual/grub.html#Embedded-data
# usual values are marked with comments to get only informations of strange GRUB loaders
->342 search/60 \0Geom\0
+>342 search/60 \0Geom\0
#>0 ulelong x %x=0x009048EB , 0x2a9048EB 0
->>0x41 ubyte <2
+>>0x41 ubyte <2
>>>0x3E ubyte >2 \b; GRand Unified Bootloader
-# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90
+# 0x3 for 0.5.95,0.93,0.94,0.96 0x4 for 1.90
>>>>0x3E ubyte x \b, stage1 version 0x%x
#If it is 0xFF, use a drive passed by BIOS
>>>>0x40 ubyte <0xFF \b, boot drive 0x%x
@@ -521,7 +521,7 @@
>>>>391 string Geom\0Hard\ Disk\0Read\0\ Error\0
>>>>>385 string GRUB\ \0 \b, GRUB version 0.97
# unknown version
->>>343 string Geom\0Read\0\ Error\0
+>>>343 string Geom\0Read\0\ Error\0
>>>>321 string Loading\ stage1.5 \b, GRUB version x.y
>>>380 string Geom\0Hard\ Disk\0Read\0\ Error\0
>>>>374 string GRUB\ \0 \b, GRUB version n.m
@@ -528,37 +528,37 @@
# SYSLINUX bootloader moved
>395 string chksum\0\ ERROR!\0 \b, Gujin bootloader
# http://www.bcdwb.de/bcdw/index_e.htm
->3 string BCDL
+>3 string BCDL
>>498 string BCDL\ \ \ \ BIN \b, Bootable CD Loader (1.50Z)
# mbr partition table entries updated by Joerg Jenderek at Sep 2013
# skip Norton Utilities disc image data
->3 string !IHISK
+>3 string !IHISK
# skip Linux style boot sector starting with assember instructions mov 0x7c0,ax;
->>0 belong !0xb8c0078e
-# not Linux kernel
->>>514 string !HdrS
+>>0 belong !0xb8c0078e
+# not Linux kernel
+>>>514 string !HdrS
# not BeOS
->>>>422 string !Be\ Boot\ Loader
-# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr
->>>>>0 ubelong&0xFD000000 =0xE9000000
+>>>>422 string !Be\ Boot\ Loader
+# jump over BPB instruction implies DOS bootsector or AdvanceMAME mbr
+>>>>>0 ubelong&0xFD000000 =0xE9000000
# AdvanceMAME mbr
->>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e
+>>>>>>(1.b+2) ubequad 0xfa31c08ed88ec08e
>>>>>>>446 use partition-table
# mbr, Norton Utilities disc image data, or 2nd,etc. sector of x86 bootloader
->>>>>0 ubelong&0xFD000000 !0xE9000000
+>>>>>0 ubelong&0xFD000000 !0xE9000000
# skip FSInfosector
->>>>>>0 string !RRaA
+>>>>>>0 string !RRaA
# skip 3rd sector of MS x86 bootloader with assember instructions cli;MOVZX EAX,BYTE PTR [BP+10];MOV ECX,
# http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm
->>>>>>>0 ubequad !0xfa660fb64610668b
+>>>>>>>0 ubequad !0xfa660fb64610668b
# skip 13rd sector of MS x86 bootloader
->>>>>>>>0 ubequad !0x660fb64610668b4e
+>>>>>>>>0 ubequad !0x660fb64610668b4e
# skip sector starting with DOS new line
->>>>>>>>>0 string !\r\n
+>>>>>>>>>0 string !\r\n
# allowed active flag 0,80h-FFh
->>>>>>>>>>446 ubyte 0
+>>>>>>>>>>446 ubyte 0
>>>>>>>>>>>446 use partition-table
->>>>>>>>>>446 ubyte >0x7F
+>>>>>>>>>>446 ubyte >0x7F
>>>>>>>>>>>446 use partition-table
# TODO: test for extended bootrecord (ebr) moved and merged with mbr partition table entries
# mbr partition table entries end
@@ -565,328 +565,328 @@
# http://www.acronis.de/
#FAT label=ACRONIS\ SZ
#OEM-ID=BOOTWIZ0
->442 string Non-system\ disk,\
+>442 string Non-system\ disk,\040
>>459 string press\ any\ key...\x7\0 \b, Acronis Startup Recovery Loader
# updated by Joerg Jenderek at Nov 2012, Sep 2013
# DOS names like F11.SYS or BOOTWIZ.SYS are 8 right space padded bytes+3 bytes
# display 1 space
->>>447 ubyte x \b
+>>>447 ubyte x \b
>>>477 use DOS-filename
#
->185 string FDBOOT\ Version\
->>204 string \rNo\ Systemdisk.\
->>>220 string Booting\ from\ harddisk.\n\r
->>>245 string Cannot\ load\ from\ harddisk.\n\r
->>>>273 string Insert\ Systemdisk\
+>185 string FDBOOT\ Version\040
+>>204 string \rNo\ Systemdisk.\040
+>>>220 string Booting\ from\ harddisk.\n\r
+>>>245 string Cannot\ load\ from\ harddisk.\n\r
+>>>>273 string Insert\ Systemdisk\040
>>>>>291 string and\ press\ any\ key.\n\r \b, FDBOOT harddisk Bootloader
>>>>>>200 string >\0 \b, version %-3s
->242 string Bootsector\ from\ C.H.\ Hochst\204
+>242 string Bootsector\ from\ C.H.\ Hochst\204
# http://freecode.com/projects/dosfstools dosfstools-n.m/src/mkdosfs.c
# updated by Joerg Jenderek at Nov 2012. Use search directive with offset instead of string
# skip name "C.H. Hochstaetter" partly because it is sometimes written without umlaut
->242 search/127 Bootsector\ from\ C.H.\ Hochst
->>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk
+>242 search/127 Bootsector\ from\ C.H.\ Hochst
+>>278 search/127 No\ Systemdisk.\ Booting\ from\ harddisk
# followed by variants with point,CR-NL or NL-CR
->>>208 search/261 Cannot\ load\ from\ harddisk.
+>>>208 search/261 Cannot\ load\ from\ harddisk.
# followed by variants CR-NL or NL-CR
->>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key.
+>>>>236 search/235 Insert\ Systemdisk\ and\ press\ any\ key.
# followed by variants with point,CR-NL or NL-CR
>>>>>180 search/96 Disk\ formatted\ with\ WinImage\ \b, WinImage harddisk Bootloader
# followed by string like "6.50 (c) 1993-2004 Gilles Vollant"
>>>>>>&0 string x \b, version %-4.4s
->(1.b+2) ubyte 0xe
->>(1.b+3) ubyte 0x1f
->>>(1.b+4) ubyte 0xbe
+>(1.b+2) ubyte 0xe
+>>(1.b+3) ubyte 0x1f
+>>>(1.b+4) ubyte 0xbe
# message offset found at (1.b+5) is 0x77 for FAT32 or 0x5b for others
->>>>(1.b+5) ubyte&0xd3 0x53
->>>>>(1.b+6) ubyte 0x7c
+>>>>(1.b+5) ubyte&0xd3 0x53
+>>>>>(1.b+6) ubyte 0x7c
# assembler instructions: lodsb;and al,al;jz 0xb;push si;mov ah,
->>>>>>(1.b+7) ubyte 0xac
->>>>>>>(1.b+8) ubyte 0x22
->>>>>>>>(1.b+9) ubyte 0xc0
->>>>>>>>>(1.b+10) ubyte 0x74
->>>>>>>>>>(1.b+11) ubyte 0x0b
->>>>>>>>>>>(1.b+12) ubyte 0x56
+>>>>>>(1.b+7) ubyte 0xac
+>>>>>>>(1.b+8) ubyte 0x22
+>>>>>>>>(1.b+9) ubyte 0xc0
+>>>>>>>>>(1.b+10) ubyte 0x74
+>>>>>>>>>>(1.b+11) ubyte 0x0b
+>>>>>>>>>>>(1.b+12) ubyte 0x56
>>>>>>>>>>>>(1.b+13) ubyte 0xb4 \b, mkdosfs boot message display
# FAT1X version
->>>>>>>>>>>>>(1.b+5) ubyte 0x5b
+>>>>>>>>>>>>>(1.b+5) ubyte 0x5b
>>>>>>>>>>>>>>0x5b string >\0 "%-s"
# FAT32 version
->>>>>>>>>>>>>(1.b+5) ubyte 0x77
+>>>>>>>>>>>>>(1.b+5) ubyte 0x77
>>>>>>>>>>>>>>0x77 string >\0 "%-s"
>214 string Please\ try\ to\ install\ FreeDOS\ \b, DOS Emulator boot message display
-#>>244 string from\ dosemu-freedos-*-bin.tgz\r
-#>>>170 string Sorry,\ could\ not\ load\ an\
-#>>>>195 string operating\ system.\r\n
+#>>244 string from\ dosemu-freedos-*-bin.tgz\r
+#>>>170 string Sorry,\ could\ not\ load\ an\040
+#>>>>195 string operating\ system.\r\n
#
->103 string This\ is\ not\ a\ bootable\ disk.\
->>132 string Please\ insert\ a\ bootable\
->>>157 string floppy\ and\r\n
+>103 string This\ is\ not\ a\ bootable\ disk.\040
+>>132 string Please\ insert\ a\ bootable\040
+>>>157 string floppy\ and\r\n
>>>>169 string press\ any\ key\ to\ try\ again...\r \b, FREE-DOS message display
#
->66 string Solaris\ Boot\ Sector
->>99 string Incomplete\ MDBoot\ load.
+>66 string Solaris\ Boot\ Sector
+>>99 string Incomplete\ MDBoot\ load.
>>>89 string Version \b, Sun Solaris Bootloader
>>>>97 byte x version %c
#
->408 string OS/2\ !!\ SYS01475\r\0
->>429 string OS/2\ !!\ SYS02025\r\0
->>>450 string OS/2\ !!\ SYS02027\r\0
+>408 string OS/2\ !!\ SYS01475\r\0
+>>429 string OS/2\ !!\ SYS02025\r\0
+>>>450 string OS/2\ !!\ SYS02027\r\0
>>>469 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp bootloader
#
->409 string OS/2\ !!\ SYS01475\r\0
->>430 string OS/2\ !!\ SYS02025\r\0
->>>451 string OS/2\ !!\ SYS02027\r\0
+>409 string OS/2\ !!\ SYS01475\r\0
+>>430 string OS/2\ !!\ SYS02025\r\0
+>>>451 string OS/2\ !!\ SYS02027\r\0
>>>470 string OS2BOOT\ \ \ \ \b, IBM OS/2 Warp Bootloader
->112 string This\ disk\ is\ not\ bootable\r
->>142 string If\ you\ wish\ to\ make\ it\ bootable
->>>176 string run\ the\ DOS\ program\ SYS\
->>>200 string after\ the\r
->>>>216 string system\ has\ been\ loaded\r\n
->>>>>242 string Please\ insert\ a\ DOS\ diskette\
->>>>>271 string into\r\n\ the\ drive\ and\
+>112 string This\ disk\ is\ not\ bootable\r
+>>142 string If\ you\ wish\ to\ make\ it\ bootable
+>>>176 string run\ the\ DOS\ program\ SYS\040
+>>>200 string after\ the\r
+>>>>216 string system\ has\ been\ loaded\r\n
+>>>>>242 string Please\ insert\ a\ DOS\ diskette\040
+>>>>>271 string into\r\n\ the\ drive\ and\040
>>>>>>292 string strike\ any\ key...\0 \b, IBM OS/2 Warp message display
# XP
->430 string NTLDR\ is\ missing\xFF\r\n
->>449 string Disk\ error\xFF\r\n
+>430 string NTLDR\ is\ missing\xFF\r\n
+>>449 string Disk\ error\xFF\r\n
>>>462 string Press\ any\ key\ to\ restart\r \b, Microsoft Windows XP Bootloader
# DOS names like NTLDR,CMLDR,$LDR$ are 8 right space padded bytes+3 bytes
->>>>417 ubyte&0xDF >0
+>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
->>>>>>422 ubyte&0xDF >0
+>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
->>>>>425 ubyte&0xDF >0
+>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\ \b.%-.3s
#
->>>>371 ubyte >0x20
->>>>>368 ubyte&0xDF >0
+>>>>371 ubyte >0x20
+>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
->>>>>>>373 ubyte&0xDF >0
+>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
->>>>>>376 ubyte&0xDF >0
+>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
#
->430 string NTLDR\ nicht\ gefunden\xFF\r\n
->>453 string Datentr\204gerfehler\xFF\r\n
+>430 string NTLDR\ nicht\ gefunden\xFF\r\n
+>>453 string Datentr\204gerfehler\xFF\r\n
>>>473 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (german)
->>>>417 ubyte&0xDF >0
+>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
->>>>>>422 ubyte&0xDF >0
+>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
->>>>>425 ubyte&0xDF >0
+>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\ \b.%-.3s
# offset variant
->>>>379 string \0
->>>>>368 ubyte&0xDF >0
+>>>>379 string \0
+>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
->>>>>>>373 ubyte&0xDF >0
+>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
#
->430 string NTLDR\ fehlt\xFF\r\n
->>444 string Datentr\204gerfehler\xFF\r\n
+>430 string NTLDR\ fehlt\xFF\r\n
+>>444 string Datentr\204gerfehler\xFF\r\n
>>>464 string Neustart\ mit\ beliebiger\ Taste\r \b, Microsoft Windows XP Bootloader (2.german)
->>>>417 ubyte&0xDF >0
+>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
->>>>>>422 ubyte&0xDF >0
+>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
->>>>>425 ubyte&0xDF >0
+>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\ \b.%-.3s
# variant
->>>>371 ubyte >0x20
->>>>>368 ubyte&0xDF >0
+>>>>371 ubyte >0x20
+>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
->>>>>>>373 ubyte&0xDF >0
+>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
->>>>>>376 ubyte&0xDF >0
+>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
#
->430 string NTLDR\ fehlt\xFF\r\n
->>444 string Medienfehler\xFF\r\n
+>430 string NTLDR\ fehlt\xFF\r\n
+>>444 string Medienfehler\xFF\r\n
>>>459 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (3.german)
->>>>371 ubyte >0x20
->>>>>368 ubyte&0xDF >0
+>>>>371 ubyte >0x20
+>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
->>>>>>>373 ubyte&0xDF >0
+>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
->>>>>>376 ubyte&0xDF >0
+>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
# variant
->>>>417 ubyte&0xDF >0
+>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
->>>>>>422 ubyte&0xDF >0
+>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
->>>>>425 ubyte&0xDF >0
+>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\ \b.%-.3s
#
->430 string Datentr\204ger\ entfernen\xFF\r\n
->>454 string Medienfehler\xFF\r\n
+>430 string Datentr\204ger\ entfernen\xFF\r\n
+>>454 string Medienfehler\xFF\r\n
>>>469 string Neustart:\ Taste\ dr\201cken\r \b, Microsoft Windows XP Bootloader (4.german)
->>>>379 string \0
->>>>>368 ubyte&0xDF >0
+>>>>379 string \0
+>>>>>368 ubyte&0xDF >0
>>>>>>368 string x %-.5s
->>>>>>>373 ubyte&0xDF >0
+>>>>>>>373 ubyte&0xDF >0
>>>>>>>>373 string x \b%-.3s
->>>>>>376 ubyte&0xDF >0
+>>>>>>376 ubyte&0xDF >0
>>>>>>>376 string x \b.%-.3s
# variant
->>>>417 ubyte&0xDF >0
+>>>>417 ubyte&0xDF >0
>>>>>417 string x %-.5s
->>>>>>422 ubyte&0xDF >0
+>>>>>>422 ubyte&0xDF >0
>>>>>>>422 string x \b%-.3s
->>>>>425 ubyte&0xDF >0
+>>>>>425 ubyte&0xDF >0
>>>>>>425 string >\ \b.%-.3s
#
-#>3 string NTFS\ \ \ \
->389 string Fehler\ beim\ Lesen\
+#>3 string NTFS\ \ \ \040
+>389 string Fehler\ beim\ Lesen\040
>>407 string des\ Datentr\204gers
->>>426 string NTLDR\ fehlt
+>>>426 string NTLDR\ fehlt
>>>>440 string NTLDR\ ist\ komprimiert
>>>>>464 string Neustart\ mit\ Strg+Alt+Entf\r \b, Microsoft Windows XP Bootloader NTFS (german)
-#>3 string NTFS\ \ \ \
+#>3 string NTFS\ \ \ \040
>313 string A\ disk\ read\ error\ occurred.\r
->>345 string A\ kernel\ file\ is\ missing\
->>>370 string from\ the\ disk.\r
->>>>484 string NTLDR\ is\ compressed
->>>>>429 string Insert\ a\ system\ diskette\
+>>345 string A\ kernel\ file\ is\ missing\040
+>>>370 string from\ the\ disk.\r
+>>>>484 string NTLDR\ is\ compressed
+>>>>>429 string Insert\ a\ system\ diskette\040
>>>>>>454 string and\ restart\r\nthe\ system.\r \b, Microsoft Windows XP Bootloader NTFS
# DOS loader variants different languages,offsets
>472 ubyte&0xDF >0
->>389 string Invalid\ system\ disk\xFF\r\n
->>>411 string Disk\ I/O\ error
->>>>428 string Replace\ the\ disk,\ and\
+>>389 string Invalid\ system\ disk\xFF\r\n
+>>>411 string Disk\ I/O\ error
+>>>>428 string Replace\ the\ disk,\ and\040
>>>>>455 string press\ any\ key \b, Microsoft Windows 98 Bootloader
#IO.SYS
->>>>>>472 ubyte&0xDF >0
+>>>>>>472 ubyte&0xDF >0
>>>>>>>472 string x \b %-.2s
->>>>>>>>474 ubyte&0xDF >0
+>>>>>>>>474 ubyte&0xDF >0
>>>>>>>>>474 string x \b%-.5s
->>>>>>>>>>479 ubyte&0xDF >0
+>>>>>>>>>>479 ubyte&0xDF >0
>>>>>>>>>>>479 string x \b%-.1s
->>>>>>>480 ubyte&0xDF >0
+>>>>>>>480 ubyte&0xDF >0
>>>>>>>>480 string x \b.%-.3s
#MSDOS.SYS
>>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>>483 string x \b%-.5s
->>>>>>>>>488 ubyte&0xDF >0
+>>>>>>>>>488 ubyte&0xDF >0
>>>>>>>>>>488 string x \b%-.3s
->>>>>>>>491 ubyte&0xDF >0
+>>>>>>>>491 ubyte&0xDF >0
>>>>>>>>>491 string x \b.%-.3s
#
->>390 string Invalid\ system\ disk\xFF\r\n
->>>412 string Disk\ I/O\ error\xFF\r\n
->>>>429 string Replace\ the\ disk,\ and\
+>>390 string Invalid\ system\ disk\xFF\r\n
+>>>412 string Disk\ I/O\ error\xFF\r\n
+>>>>429 string Replace\ the\ disk,\ and\040
>>>>>451 string then\ press\ any\ key\r \b, Microsoft Windows 98 Bootloader
->>388 string Ungueltiges\ System\ \xFF\r\n
->>>410 string E/A-Fehler\ \ \ \ \xFF\r\n
->>>>427 string Datentraeger\ wechseln\ und\
+>>388 string Ungueltiges\ System\ \xFF\r\n
+>>>410 string E/A-Fehler\ \ \ \ \xFF\r\n
+>>>>427 string Datentraeger\ wechseln\ und\040
>>>>>453 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (german)
#WINBOOT.SYS only not spaces (0xDF)
->>>>>>497 ubyte&0xDF >0
+>>>>>>497 ubyte&0xDF >0
>>>>>>>497 string x %-.5s
->>>>>>>>502 ubyte&0xDF >0
+>>>>>>>>502 ubyte&0xDF >0
>>>>>>>>>502 string x \b%-.1s
->>>>>>>>>>503 ubyte&0xDF >0
+>>>>>>>>>>503 ubyte&0xDF >0
>>>>>>>>>>>503 string x \b%-.1s
->>>>>>>>>>>>504 ubyte&0xDF >0
+>>>>>>>>>>>>504 ubyte&0xDF >0
>>>>>>>>>>>>>504 string x \b%-.1s
->>>>>>505 ubyte&0xDF >0
+>>>>>>505 ubyte&0xDF >0
>>>>>>>505 string x \b.%-.3s
#IO.SYS
>>>>>>472 ubyte&0xDF >0 or
>>>>>>>472 string x \b %-.2s
->>>>>>>>474 ubyte&0xDF >0
+>>>>>>>>474 ubyte&0xDF >0
>>>>>>>>>474 string x \b%-.5s
->>>>>>>>>>479 ubyte&0xDF >0
+>>>>>>>>>>479 ubyte&0xDF >0
>>>>>>>>>>>479 string x \b%-.1s
->>>>>>>480 ubyte&0xDF >0
+>>>>>>>480 ubyte&0xDF >0
>>>>>>>>480 string x \b.%-.3s
#MSDOS.SYS
>>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>>483 string x \b%-.5s
->>>>>>>>>488 ubyte&0xDF >0
+>>>>>>>>>488 ubyte&0xDF >0
>>>>>>>>>>488 string x \b%-.3s
->>>>>>>>491 ubyte&0xDF >0
+>>>>>>>>491 ubyte&0xDF >0
>>>>>>>>>491 string x \b.%-.3s
#
->>390 string Ungueltiges\ System\ \xFF\r\n
->>>412 string E/A-Fehler\ \ \ \ \xFF\r\n
->>>>429 string Datentraeger\ wechseln\ und\
+>>390 string Ungueltiges\ System\ \xFF\r\n
+>>>412 string E/A-Fehler\ \ \ \ \xFF\r\n
+>>>>429 string Datentraeger\ wechseln\ und\040
>>>>>455 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (German)
#WINBOOT.SYS only not spaces (0xDF)
->>>>>>497 ubyte&0xDF >0
+>>>>>>497 ubyte&0xDF >0
>>>>>>>497 string x %-.7s
->>>>>>>>504 ubyte&0xDF >0
+>>>>>>>>504 ubyte&0xDF >0
>>>>>>>>>504 string x \b%-.1s
->>>>>>505 ubyte&0xDF >0
+>>>>>>505 ubyte&0xDF >0
>>>>>>>505 string x \b.%-.3s
#IO.SYS
>>>>>>472 ubyte&0xDF >0 or
>>>>>>>472 string x \b %-.2s
->>>>>>>>474 ubyte&0xDF >0
+>>>>>>>>474 ubyte&0xDF >0
>>>>>>>>>474 string x \b%-.6s
->>>>>>>480 ubyte&0xDF >0
+>>>>>>>480 ubyte&0xDF >0
>>>>>>>>480 string x \b.%-.3s
#MSDOS.SYS
>>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>>483 string x \b%-.5s
->>>>>>>>>488 ubyte&0xDF >0
+>>>>>>>>>488 ubyte&0xDF >0
>>>>>>>>>>488 string x \b%-.3s
->>>>>>>>491 ubyte&0xDF >0
+>>>>>>>>491 ubyte&0xDF >0
>>>>>>>>>491 string x \b.%-.3s
#
->>389 string Ungueltiges\ System\ \xFF\r\n
->>>411 string E/A-Fehler\ \ \ \ \xFF\r\n
->>>>428 string Datentraeger\ wechseln\ und\
+>>389 string Ungueltiges\ System\ \xFF\r\n
+>>>411 string E/A-Fehler\ \ \ \ \xFF\r\n
+>>>>428 string Datentraeger\ wechseln\ und\040
>>>>>454 string Taste\ druecken\r \b, Microsoft Windows 95/98/ME Bootloader (GERMAN)
# DOS names like IO.SYS,WINBOOT.SYS,MSDOS.SYS,WINBOOT.INI are 8 right space padded bytes+3 bytes
>>>>>>472 string x %-.2s
->>>>>>>474 ubyte&0xDF >0
+>>>>>>>474 ubyte&0xDF >0
>>>>>>>>474 string x \b%-.5s
->>>>>>>>479 ubyte&0xDF >0
+>>>>>>>>479 ubyte&0xDF >0
>>>>>>>>>479 string x \b%-.1s
->>>>>>480 ubyte&0xDF >0
+>>>>>>480 ubyte&0xDF >0
>>>>>>>480 string x \b.%-.3s
>>>>>>483 ubyte&0xDF >0 \b+
>>>>>>>483 string x \b%-.5s
->>>>>>>488 ubyte&0xDF >0
+>>>>>>>488 ubyte&0xDF >0
>>>>>>>>488 string x \b%-.2s
->>>>>>>>490 ubyte&0xDF >0
+>>>>>>>>490 ubyte&0xDF >0
>>>>>>>>>490 string x \b%-.1s
->>>>>>>491 ubyte&0xDF >0
+>>>>>>>491 ubyte&0xDF >0
>>>>>>>>491 string x \b.%-.3s
>479 ubyte&0xDF >0
->>416 string Kein\ System\ oder\
->>>433 string Laufwerksfehler
+>>416 string Kein\ System\ oder\040
+>>>433 string Laufwerksfehler
>>>>450 string Wechseln\ und\ Taste\ dr\201cken \b, Microsoft DOS Bootloader (german)
#IO.SYS
>>>>>479 string x \b %-.2s
->>>>>>481 ubyte&0xDF >0
+>>>>>>481 ubyte&0xDF >0
>>>>>>>481 string x \b%-.6s
->>>>>487 ubyte&0xDF >0
+>>>>>487 ubyte&0xDF >0
>>>>>>487 string x \b.%-.3s
#MSDOS.SYS
>>>>>>490 ubyte&0xDF >0 \b+
>>>>>>>490 string x \b%-.5s
->>>>>>>>495 ubyte&0xDF >0
+>>>>>>>>495 ubyte&0xDF >0
>>>>>>>>>495 string x \b%-.3s
->>>>>>>498 ubyte&0xDF >0
+>>>>>>>498 ubyte&0xDF >0
>>>>>>>>498 string x \b.%-.3s
#
->376 search/41 Non-System\ disk\ or\
->>395 search/41 disk\ error\r
->>>407 search/41 Replace\ and\
+>376 search/41 Non-System\ disk\ or\040
+>>395 search/41 disk\ error\r
+>>>407 search/41 Replace\ and\040
>>>>419 search/41 press\ \b,
>>>>419 search/41 strike\ \b, old
>>>>426 search/41 any\ key\ when\ ready\r MS or PC-DOS bootloader
#449 Disk\ Boot\ failure\r MS 3.21
#466 Boot\ Failure\r MS 3.30
->>>>>468 search/18 \0
+>>>>>468 search/18 \0
#IO.SYS,IBMBIO.COM
>>>>>>&0 string x \b %-.2s
->>>>>>>&-20 ubyte&0xDF >0
+>>>>>>>&-20 ubyte&0xDF >0
>>>>>>>>&-1 string x \b%-.4s
->>>>>>>>>&-16 ubyte&0xDF >0
+>>>>>>>>>&-16 ubyte&0xDF >0
>>>>>>>>>>&-1 string x \b%-.2s
>>>>>>&8 ubyte&0xDF >0 \b.
>>>>>>>&-1 string x \b%-.3s
@@ -893,125 +893,125 @@
#MSDOS.SYS,IBMDOS.COM
>>>>>>&11 ubyte&0xDF >0 \b+
>>>>>>>&-1 string x \b%-.5s
->>>>>>>>&-6 ubyte&0xDF >0
+>>>>>>>>&-6 ubyte&0xDF >0
>>>>>>>>>&-1 string x \b%-.1s
->>>>>>>>>>&-5 ubyte&0xDF >0
+>>>>>>>>>>&-5 ubyte&0xDF >0
>>>>>>>>>>>&-1 string x \b%-.2s
>>>>>>>&7 ubyte&0xDF >0 \b.
>>>>>>>>&-1 string x \b%-.3s
>441 string Cannot\ load\ from\ harddisk.\n\r
->>469 string Insert\ Systemdisk\
+>>469 string Insert\ Systemdisk\040
>>>487 string and\ press\ any\ key.\n\r \b, MS (2.11) DOS bootloader
-#>43 string \224R-LOADER\ \ SYS =label
+#>43 string \224R-LOADER\ \ SYS =label
>54 string SYS
>>324 string VASKK
>>>495 string NEWLDR\0 \b, DR-DOS Bootloader (LOADER.SYS)
#
->98 string Press\ a\ key\ to\ retry\0\r
->>120 string Cannot\ find\ file\ \0\r
->>>139 string Disk\ read\ error\0\r
+>98 string Press\ a\ key\ to\ retry\0\r
+>>120 string Cannot\ find\ file\ \0\r
+>>>139 string Disk\ read\ error\0\r
>>>>156 string Loading\ ...\0 \b, DR-DOS (3.41) Bootloader
#DRBIOS.SYS
->>>>>44 ubyte&0xDF >0
+>>>>>44 ubyte&0xDF >0
>>>>>>44 string x \b %-.6s
->>>>>>>50 ubyte&0xDF >0
+>>>>>>>50 ubyte&0xDF >0
>>>>>>>>50 string x \b%-.2s
->>>>>>52 ubyte&0xDF >0
+>>>>>>52 ubyte&0xDF >0
>>>>>>>52 string x \b.%-.3s
#
->70 string IBMBIO\ \ COM
->>472 string Cannot\ load\ DOS!\
+>70 string IBMBIO\ \ COM
+>>472 string Cannot\ load\ DOS!\040
>>>489 string Any\ key\ to\ retry \b, DR-DOS Bootloader
->>471 string Cannot\ load\ DOS\
+>>471 string Cannot\ load\ DOS\040
>>487 string press\ key\ to\ retry \b, Open-DOS Bootloader
#??
->444 string KERNEL\ \ SYS
+>444 string KERNEL\ \ SYS
>>314 string BOOT\ error! \b, FREE-DOS Bootloader
->499 string KERNEL\ \ SYS
+>499 string KERNEL\ \ SYS
>>305 string BOOT\ err!\0 \b, Free-DOS Bootloader
->449 string KERNEL\ \ SYS
+>449 string KERNEL\ \ SYS
>>319 string BOOT\ error! \b, FREE-DOS 0.5 Bootloader
#
->449 string Loading\ FreeDOS
+>449 string Loading\ FreeDOS
>>0x1AF ulelong >0 \b, FREE-DOS 0.95,1.0 Bootloader
->>>497 ubyte&0xDF >0
+>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
->>>>>503 ubyte&0xDF >0
+>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
->>>>>>>504 ubyte&0xDF >0
+>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
->>>>505 ubyte&0xDF >0
+>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
#
>331 string Error!.0 \b, FREE-DOS 1.0 bootloader
#
->125 string Loading\ FreeDOS...\r
+>125 string Loading\ FreeDOS...\r
>>311 string BOOT\ error!\r \b, FREE-DOS bootloader
->>>441 ubyte&0xDF >0
+>>>441 ubyte&0xDF >0
>>>>441 string x \b %-.6s
->>>>>447 ubyte&0xDF >0
+>>>>>447 ubyte&0xDF >0
>>>>>>447 string x \b%-.1s
->>>>>>>448 ubyte&0xDF >0
+>>>>>>>448 ubyte&0xDF >0
>>>>>>>>448 string x \b%-.1s
->>>>449 ubyte&0xDF >0
+>>>>449 ubyte&0xDF >0
>>>>>449 string x \b.%-.3s
->124 string FreeDOS\0
+>124 string FreeDOS\0
>>331 string \ err\0 \b, FREE-DOS BETa 0.9 Bootloader
# DOS names like KERNEL.SYS,KERNEL16.SYS,KERNEL32.SYS,METAKERN.SYS are 8 right space padded bytes+3 bytes
->>>497 ubyte&0xDF >0
+>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
->>>>>503 ubyte&0xDF >0
+>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
->>>>>>>504 ubyte&0xDF >0
+>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
->>>>505 ubyte&0xDF >0
+>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
>>333 string \ err\0 \b, FREE-DOS BEta 0.9 Bootloader
->>>497 ubyte&0xDF >0
+>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
->>>>>503 ubyte&0xDF >0
+>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
->>>>>>>504 ubyte&0xDF >0
+>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
->>>>505 ubyte&0xDF >0
+>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
>>334 string \ err\0 \b, FREE-DOS Beta 0.9 Bootloader
->>>497 ubyte&0xDF >0
+>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
->>>>>503 ubyte&0xDF >0
+>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
->>>>>>>504 ubyte&0xDF >0
+>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
->>>>505 ubyte&0xDF >0
+>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
->336 string Error!\
+>336 string Error!\040
>>343 string Hit\ a\ key\ to\ reboot. \b, FREE-DOS Beta 0.9sr1 Bootloader
->>>497 ubyte&0xDF >0
+>>>497 ubyte&0xDF >0
>>>>497 string x \b %-.6s
->>>>>503 ubyte&0xDF >0
+>>>>>503 ubyte&0xDF >0
>>>>>>503 string x \b%-.1s
->>>>>>>504 ubyte&0xDF >0
+>>>>>>>504 ubyte&0xDF >0
>>>>>>>>504 string x \b%-.1s
->>>>505 ubyte&0xDF >0
+>>>>505 ubyte&0xDF >0
>>>>>505 string x \b.%-.3s
# added by Joerg Jenderek
# http://www.visopsys.org/
# http://partitionlogic.org.uk/
# OEM-ID=Visopsys
->478 ulelong 0
->>(1.b+326) string I/O\ Error\ reading\
->>>(1.b+344) string Visopsys\ loader\r
+>478 ulelong 0
+>>(1.b+326) string I/O\ Error\ reading\040
+>>>(1.b+344) string Visopsys\ loader\r
>>>>(1.b+361) string Press\ any\ key\ to\ continue.\r \b, Visopsys loader
# http://alexfru.chat.ru/epm.html#bootprog
->494 ubyte >0x4D
->>495 string >E
->>>495 string <S
+>494 ubyte >0x4D
+>>495 string >E
+>>>495 string <S
#OEM-ID is not reliable
->>>>3 string BootProg
+>>>>3 string BootProg
# It just looks for a program file name at the root directory
# and loads corresponding file with following execution.
# DOS names like STARTUP.BIN,STARTUPC.COM,STARTUPE.EXE are 8 right space padded bytes+3 bytes
->>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader
+>>>>499 ubyte&0xDF >0 \b, COM/EXE Bootloader
>>>>>499 use DOS-filename
#If the boot sector fails to read any other sector,
#it prints a very short message ("RE") to the screen and hangs the computer.
@@ -1025,7 +1025,7 @@
# added by Joerg Jenderek at Feb 2013 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO
# and http://en.wikipedia.org/wiki/File_Allocation_Table#FS_Information_Sector
->0 string RRaA
+>0 string RRaA
>>0x1E4 string rrAa \b, FSInfosector
#>>0x1FC uleshort =0 SHOULD BE ZERO
>>>0x1E8 ulelong <0xffffffff \b, %u free clusters
@@ -1032,16 +1032,16 @@
>>>0x1EC ulelong <0xffffffff \b, last allocated cluster %u
# updated by Joerg Jenderek at Sep 2007
->3 ubyte 0
+>3 ubyte 0
#no active flag
->>446 ubyte 0
+>>446 ubyte 0
# partition 1 not empty
->>>450 ubyte >0
+>>>450 ubyte >0
# partitions 3,4 empty
->>>>482 ubyte 0
->>>>>498 ubyte 0
+>>>>482 ubyte 0
+>>>>>498 ubyte 0
# partition 2 ID=0,5,15
->>>>>>466 ubyte <0x10
+>>>>>>466 ubyte <0x10
>>>>>>>466 ubyte 0x05 \b, extended partition table
>>>>>>>466 ubyte 0x0F \b, extended partition table (LBA)
>>>>>>>466 ubyte 0x0 \b, extended partition table (last)
@@ -1054,35 +1054,35 @@
# Print the DOS filenames from directory entry form with 8 right space padded bytes + 3 bytes for extension
# like IO.SYS. MSDOS.SYS , KERNEL.SYS , DRBIO.SYS
0 name DOS-filename
-# space=0x20 (00100000b) means empty
->0 ubyte&0xDF >0
+# space=0x20 (00100000b) means empty
+>0 ubyte&0xDF >0
>>0 ubyte x \b%c
->>>1 ubyte&0xDF >0
+>>>1 ubyte&0xDF >0
>>>>1 ubyte x \b%c
->>>>>2 ubyte&0xDF >0
+>>>>>2 ubyte&0xDF >0
>>>>>>2 ubyte x \b%c
->>>>>>>3 ubyte&0xDF >0
+>>>>>>>3 ubyte&0xDF >0
>>>>>>>>3 ubyte x \b%c
->>>>>>>>>4 ubyte&0xDF >0
+>>>>>>>>>4 ubyte&0xDF >0
>>>>>>>>>>4 ubyte x \b%c
->>>>>>>>>>>5 ubyte&0xDF >0
+>>>>>>>>>>>5 ubyte&0xDF >0
>>>>>>>>>>>>5 ubyte x \b%c
->>>>>>>>>>>>>6 ubyte&0xDF >0
+>>>>>>>>>>>>>6 ubyte&0xDF >0
>>>>>>>>>>>>>>6 ubyte x \b%c
->>>>>>>>>>>>>>>7 ubyte&0xDF >0
+>>>>>>>>>>>>>>>7 ubyte&0xDF >0
>>>>>>>>>>>>>>>>7 ubyte x \b%c
# DOS filename extension
>>8 ubyte&0xDF >0 \b.
>>>8 ubyte x \b%c
->>>>9 ubyte&0xDF >0
+>>>>9 ubyte&0xDF >0
>>>>>9 ubyte x \b%c
->>>>>>10 ubyte&0xDF >0
+>>>>>>10 ubyte&0xDF >0
>>>>>>>10 ubyte x \b%c
# Print 2 following DOS filenames from directory entry form
# like IO.SYS+MSDOS.SYS or ibmbio.com+ibmdos.com
0 name 2xDOS-filename
# display 1 space
->0 ubyte x \b
+>0 ubyte x \b
>0 use DOS-filename
>11 ubyte x \b+
>11 use DOS-filename
@@ -1101,10 +1101,10 @@
# partition type ID > 0
>4 ubyte >0
# active flag 0
->>0 ubyte 0
+>>0 ubyte 0
>>>0 use partition-entry
-# active flag 0x80, 0x81, ...
->>0 ubyte >0x7F
+# active flag 0x80, 0x81, ...
+>>0 ubyte >0x7F
>>>0 use partition-entry
# Print entry of partition table
0 name partition-entry
@@ -1136,7 +1136,7 @@
# sector
>1 ubyte&0x3F x \b,%u
-# FATX
+# FATX
0 string FATX FATX filesystem data
# romfs filesystems - Juan Cespedes <cespedes@debian.org>
@@ -1157,7 +1157,7 @@
# http://syslinux.zytor.com/iso.php
# tested with versions 1.47,1.48,1.49,1.50,1.62,1.76,2.00,2.10;3.00,3.11,3.31,;3.70,3.71,3.73,3.75,3.80,3.82,3.84,3.86,4.01,4.03 and 4.05
# assembler instructions: cli;jmp 0:7Cyy (yy=0x40,0x5e,0x6c,0x6e,0x77);nop;nop
-0 ulequad&0x909000007cc0eafa 0x909000007c40eafa
+0 ulequad&0x909000007cc0eafa 0x909000007c40eafa
>631 search/689 ISOLINUX\ isolinux Loader
>>&0 string x (version %-4.4s)
# http://syslinux.zytor.com/pxe.php
@@ -1174,43 +1174,43 @@
>11 string x (version %-4.4s)
# syslinux updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012
# assembler instructions: jmp yy (yy=0x3c,0x58);nop;"SYSLINUX"
-0 ulelong&0x80909bEB 0x009018EB
+0 ulelong&0x80909bEB 0x009018EB
# OEM-ID not always "SYSLINUX"
->434 search/47 Boot\ failed
-# followed by \r\n\0 or :\
+>434 search/47 Boot\ failed
+# followed by \r\n\0 or :\
>>482 search/132 \0LDLINUX\ SYS Syslinux bootloader (version 2.13 or older)
>>1 ubyte 0x58 Syslinux bootloader (version 3.0-3.9)
->459 search/30 Boot\ error\r\n\0
+>459 search/30 Boot\ error\r\n\0
>>1 ubyte 0x58 Syslinux bootloader (version 3.10 or newer)
# SYSLINUX MBR updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at Sep 2012
# assembler instructions: mov di,0600h;mov cx,0100h
-16 search/4 \xbf\x00\x06\xb9\x00\x01
+16 search/4 \xbf\x00\x06\xb9\x00\x01
# to display SYSLINUX MBR (36) before old DOS/MBR boot sector one with partition table (strength=50+21)
!:strength +36
->94 search/249 Missing\ operating\ system
+>94 search/249 Missing\ operating\ system
# followed by \r for versions older 3.35 , .\r for versions newer 3.52 and point for other
# skip Ranish MBR
->>408 search/4 HD1/\0
->>408 default x
+>>408 search/4 HD1/\0
+>>408 default x
>>>250 search/118 \0Operating\ system\ load SYSLINUX MBR
# followed by "ing " or space
->>>>292 search/98 error
+>>>>292 search/98 error
>>>>>&0 string \r (version 3.35 or older)
>>>>>&0 string .\r (version 3.52 or newer)
>>>>>&0 default x (version 3.36-3.51 )
>368 search/106 \0Disk\ error\ on\ boot\r\n SYSLINUX GPT-MBR
->>156 search/10 \0Boot\ partition\ not\ found\r\n
+>>156 search/10 \0Boot\ partition\ not\ found\r\n
>>>270 search/10 \0OS\ not\ bootable\r\n (version 3.86 or older)
->>174 search/10 \0Missing\ OS\r\n
+>>174 search/10 \0Missing\ OS\r\n
>>>189 search/10 \0Multiple\ active\ partitions\r\n (version 4.00 or newer)
# SYSLINUX END
# NetBSD mbr variants (master-boot-code version 1.22) added by Joerg Jenderek at Nov 2012
# assembler instructions: xor ax,ax;mov ax,ss;mov sp,0x7c00;mov ax,
-0 ubequad 0x31c08ed0bc007c8e
+0 ubequad 0x31c08ed0bc007c8e
# mbr_bootsel magic before partition table not reliable with small ipl fragments
-#>444 uleshort 0xb5e1
->0004 uleshort x
+#>444 uleshort 0xb5e1
+>0004 uleshort x
# ERRorTeXT
>>181 search/166 Error\ \0\r\n NetBSD mbr
# NT Drive Serial Number http://thestarman.pcministry.com/asm/mbr/Win2kmbr.htm#DS
@@ -1217,14 +1217,14 @@
>>>0x1B8 ubelong >0 \b,Serial 0x%-.8x
# BOOTSEL definitions contains assembler instructions: int 0x13;pop dx;push dx;push dx
>>>0xbb search/71 \xcd\x13\x5a\x52\x52 \b,bootselector
-# BOOT_EXTENDED definitions contains assembler instructions:
+# BOOT_EXTENDED definitions contains assembler instructions:
# xchg ecx,edx;addl ecx,edx;movw lba_info,si;movb 0x42,ah;pop dx;push dx;int 0x13
>>>0x96 search/1 \x66\x87\xca\x66\x01\xca\x66\x89\x16\x3a\x07\xbe\x32\x07\xb4\x42\x5a\x52\xcd\x13 \b,boot extended
# COM_PORT_VAL definitions contains assembler instructions: outb al,dx;add 5,dl;inb %dx;test 0x40,al
>>>0x130 search/55 \xee\x80\xc2\x05\xec\xa8\x40 \b,serial IO
# not TERSE_ERROR
->>>196 search/106 No\ active\ partition\0
->>>>&0 string Disk\ read\ error\0
+>>>196 search/106 No\ active\ partition\0
+>>>>&0 string Disk\ read\ error\0
>>>>>&0 string No\ operating\ system\0 \b,verbose
# not NO_CHS definitions contains assembler instructions: pop dx;push dx;movb $8,ah;int0x13
>>>0x7d search/7 \x5a\x52\xb4\x08\xcd\x13 \b,CHS
@@ -1231,10 +1231,10 @@
# not NO_LBA_CHECK definitions contains assembler instructions: movw 0x55aa,bx;movb 0x41,ah;pop dx;push dx;int 0x13
>>>0xa4 search/84 \xbb\xaa\x55\xb4\x41\x5a\x52\xcd\x13 \b,LBA-check
# assembler instructions: movw nametab,bx
->>>0x26 search/21 \xBB\x94\x07
+>>>0x26 search/21 \xBB\x94\x07
# not NO_BANNER definitions contains assembler instructions: mov banner,si;call message_crlf
->>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94
->>>>>181 search/166 Error\ \0
+>>>>&-9 ubequad&0xBE00f0E800febb94 0xBE0000E80000bb94
+>>>>>181 search/166 Error\ \0
# "a: disk" , "Fn: diskn" or "NetBSD MBR boot"
>>>>>>&3 string x \b,"%s"
>>>446 use partition-table
@@ -1241,21 +1241,21 @@
# Andrea Mazzoleni AdvanceCD mbr loader of http://advancemame.sourceforge.net/boot-readme.html
# added by Joerg Jenderek at Nov 2012 for versions 1.3 - 1.4
# assembler instructions: jmp short 0x58;nop;ASCII
-0 ubequad&0xeb58908000000000 0xeb58900000000000
+0 ubequad&0xeb58908000000000 0xeb58900000000000
# assembler instructions: cli;xor ax,ax;mov ds,ax;mov es,ax;mov ss,
->(1.b+2) ubequad 0xfa31c08ed88ec08e
+>(1.b+2) ubequad 0xfa31c08ed88ec08e
# Error messages at end of code
->>376 string No\ operating\ system\r\n\0
->>>398 string Disk\ error\r\n\0FDD\0HDD\0
+>>376 string No\ operating\ system\r\n\0
+>>>398 string Disk\ error\r\n\0FDD\0HDD\0
>>>>419 string \ EBIOS\r\n\0 AdvanceMAME mbr
-# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/
+# Neil Turton mbr loader variant of http://www.chiark.greenend.org.uk/~neilt/mbr/
# added by Joerg Jenderek at Mar 2011 for versions 1.0.0 - 1.1.11
# for 1st version assembler instructions: cld;xor ax,ax;mov DS,ax;MOV ES,AX;mov SI,
# or cld;xor ax,ax;mov SS,ax;XOR SP,SP;mov DS,
-0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC
+0 ulequad&0xcE1b40D48EC031FC 0x8E0000D08EC031FC
# pointer to the data starting with Neil Turton signature string
->(0x1BC.s) string NDTmbr
+>(0x1BC.s) string NDTmbr
>>&-14 string 1234F\0 Turton mbr (
# parameters also viewed by install-mbr --list
>>>(0x1BC.s+7) ubyte x \b%u<=
@@ -1269,23 +1269,23 @@
#0x0~1,0x1~2,...,0x3~4,0x4~F,0x7~D default boot
#>>>(0x1BC.s+11) ubyte x \b,cfg_def 0x%x
# for older versions
->>>(0x1BC.s+9) ubyte <2
+>>>(0x1BC.s+9) ubyte <2
#>>>>(0x1BC.s+12) ubyte 18 \b,%hhu/18 seconds
>>>>(0x1BC.s+12) ubyte !18 \b,%u/18 seconds
# floppy A: or B:
>>>>(0x1BC.s+13) ubyte <2 \b,floppy 0x%x
->>>>(0x1BC.s+13) ubyte >1
+>>>>(0x1BC.s+13) ubyte >1
# 1st hard disc
#>>>>>(0x1BC.s+13) ubyte 0x80 \b,drive 0x%x
# not 1st hard disc
>>>>>(0x1BC.s+13) ubyte !0x80 \b,drive 0x%x
# for version >= 2 maximal timeout can be 65534
->>>(0x1BC.s+9) ubyte >1
+>>>(0x1BC.s+9) ubyte >1
#>>>>(0x1BC.s+12) uleshort 18 \b,%u/18 seconds
>>>>(0x1BC.s+12) uleshort !18 \b,%u/18 seconds
# floppy A: or B:
>>>>(0x1BC.s+14) ubyte <2 \b,floppy 0x%x
->>>>(0x1BC.s+14) ubyte >1
+>>>>(0x1BC.s+14) ubyte >1
# 1st hard disc
#>>>>>(0x1BC.s+14) ubyte 0x80 \b,drive 0x%x
# not 1st hard disc
@@ -1297,14 +1297,14 @@
# grub-1.94/kern/i386/pc/startup.S
# http://www.gnu.org/software/grub/manual/grub.html#Embedded-data
# usual values are marked with comments to get only informations of strange GRUB loaders
-0x200 uleshort 0x70EA
+0x200 uleshort 0x70EA
# found only version 3.{1,2}
->0x206 ubeshort >0x0300
+>0x206 ubeshort >0x0300
# GRUB version (0.5.)95,0.93,0.94,0.96,0.97 > "00"
->>0x212 ubyte >0x29
->>>0x213 ubyte >0x29
+>>0x212 ubyte >0x29
+>>>0x213 ubyte >0x29
# not iso9660_stage1_5
-#>>>0 ulelong&0x00BE5652 0x00BE5652
+#>>>0 ulelong&0x00BE5652 0x00BE5652
>>>>0x213 ubyte >0x29 GRand Unified Bootloader
# config_file for stage1_5 is 0xffffffff + default "/boot/grub/stage2"
>>>>0x217 ubyte 0xFF stage1_5
@@ -1316,7 +1316,7 @@
#>>>>0x208 ulelong =0xffffff \b, %lu (default)
>>>>0x208 ulelong >0xffffff \b, installed partition %u
# GRUB 0.5.95 unofficial
->>>>0x20C ulelong&0x2E300000 0x2E300000
+>>>>0x20C ulelong&0x2E300000 0x2E300000
# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs
>>>>>0x20C ubyte x \b, identifier 0x%x
#>>>>>0x20D ubyte =0 \b, LBA flag 0x%x (default)
@@ -1324,17 +1324,17 @@
# GRUB version as string
>>>>>0x20E string >\0 \b, GRUB version %-s
# for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default
->>>>>>0x215 ulong 0xffffffff
+>>>>>>0x215 ulong 0xffffffff
>>>>>>>0x219 string >\0 \b, configuration file %-s
->>>>>>0x215 ulong !0xffffffff
+>>>>>>0x215 ulong !0xffffffff
>>>>>>>0x215 string >\0 \b, configuration file %-s
# newer GRUB versions
->>>>0x20C ulelong&0x2E300000 !0x2E300000
+>>>>0x20C ulelong&0x2E300000 !0x2E300000
##>>>>>0x20C ulelong =0 \b, saved entry %d (usual)
>>>>>0x20C ulelong >0 \b, saved entry %d
# for 1.94 contains kernel image size
# for 0.93,0.94,0.96,0.97
-# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2
+# 0=stage2 1=ffs 2=e2fs 3=fat 4=minix 5=reiserfs 6=vstafs 7=jfs 8=xfs 9=iso9660 a=ufs2
>>>>>0x210 ubyte x \b, identifier 0x%x
# The flag for LBA forcing is in most cases 0
#>>>>>0x211 ubyte =0 \b, LBA flag 0x%x (default)
@@ -1342,9 +1342,9 @@
# GRUB version as string
>>>>>0x212 string >\0 \b, GRUB version %-s
# for stage1_5 is 0xffffffff + config_file "/boot/grub/stage2" default
->>>>>0x217 ulong 0xffffffff
+>>>>>0x217 ulong 0xffffffff
>>>>>>0x21b string >\0 \b, configuration file %-s
->>>>>0x217 ulong !0xffffffff
+>>>>>0x217 ulong !0xffffffff
>>>>>>0x217 string >\0 \b, configuration file %-s
# DOS x86 sector updated and separated from "DOS/MBR boot sector" by Joerg Jenderek at May 2011
@@ -1360,13 +1360,13 @@
# mtools-3.9.8/msdos.h
# usual values are marked with comments to get only informations of strange FAT systems
# valid sectorsize must be a power of 2 from 32 to 32768
->11 uleshort&0x001f 0
->>11 uleshort <32769
->>>11 uleshort >31
->>>>21 ubyte&0xf0 0xF0
+>11 uleshort&0x001f 0
+>>11 uleshort <32769
+>>>11 uleshort >31
+>>>>21 ubyte&0xf0 0xF0
>>>>>0 ubyte 0xEB DOS/MBR boot sector
>>>>>>1 ubyte x \b, code offset 0x%x+2
->>>>>0 ubyte 0xE9
+>>>>>0 ubyte 0xE9
>>>>>>1 uleshort x \b, code offset 0x%x+3
>>>>>3 string >\0 \b, OEM-ID "%-.8s"
#http://mirror.href.com/thestarman/asm/debug/debug2.htm#IHC
@@ -1377,10 +1377,10 @@
>>>>>13 ubyte >1 \b, sectors/cluster %u
#>>>>>13 ubyte =1 \b, sectors/cluster %u (usual on Floppies)
# for lazy FAT32 implementation like Transcend digital photo frame PF830
->>>>>82 string/c fat32
+>>>>>82 string/c fat32
>>>>>>14 uleshort !32 \b, reserved sectors %u
#>>>>>>14 uleshort =32 \b, reserved sectors %u (usual Fat32)
->>>>>82 string/c !fat32
+>>>>>82 string/c !fat32
>>>>>>14 uleshort >1 \b, reserved sectors %u
#>>>>>>14 uleshort =1 \b, reserved sectors %u (usual FAT12,FAT16)
#>>>>>>14 uleshort 0 \b, reserved sectors %u (usual NTFS)
@@ -1390,7 +1390,7 @@
>>>>>16 ubyte >0
>>>>>17 uleshort >0 \b, root entries %u
#>>>>>17 uleshort =0 \b, root entries %hu=0 (usual Fat32)
->>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB)
+>>>>>19 uleshort >0 \b, sectors %u (volumes <=32 MB)
#>>>>>19 uleshort =0 \b, sectors %hu=0 (usual Fat32)
>>>>>21 ubyte >0xF0 \b, Media descriptor 0x%x
#>>>>>21 ubyte =0xF0 \b, Media descriptor 0x%x (usual floppy)
@@ -1402,20 +1402,20 @@
#>>>>>26 ubyte =2 \b, heads %u (usual floppy)
>>>>>26 ubyte =1 \b, heads %u
# valid only for sector sizes with more then 32 Bytes
->>>>>11 uleshort >32
+>>>>>11 uleshort >32
# http://en.wikipedia.org/wiki/Design_of_the_FAT_file_system#Extended_BIOS_Parameter_Block
# skip for values 2,2Ah,70h,73h,DFh
# and continue for extended boot signature values 0,28h,29h,80h
->>>>>>38 ubyte&0x56 =0
+>>>>>>38 ubyte&0x56 =0
>>>>>>>28 ulelong >0 \b, hidden sectors %u
#>>>>>>>28 ulelong =0 \b, hidden sectors %u (usual floppy)
->>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB)
+>>>>>>>32 ulelong >0 \b, sectors %u (volumes > 32 MB)
#>>>>>>>32 ulelong =0 \b, sectors %u (volumes > 32 MB)
-# FAT<32 bit specific
->>>>>>>82 string/c !fat32
+# FAT<32 bit specific
+>>>>>>>82 string/c !fat32
#>>>>>>>>36 ubyte 0x80 \b, physical drive 0x%x=0x80 (usual harddisk)
#>>>>>>>>36 ubyte 0 \b, physical drive 0x%x=0 (usual floppy)
->>>>>>>>36 ubyte !0x80
+>>>>>>>>36 ubyte !0x80
>>>>>>>>>36 ubyte !0 \b, physical drive 0x%x
# VGA-copy CRC or
# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too
@@ -1435,27 +1435,27 @@
# if it is small enough FAT is 12 bit, if it is too big enough FAT is 32 bit,
# otherwise FAT is 16 bit.
# http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/determining-fat-widths.html
->>>>>82 string/c !fat32
+>>>>>82 string/c !fat32
>>>>>>54 string FAT12 \b, FAT (12 bit)
>>>>>>54 string FAT16 \b, FAT (16 bit)
->>>>>>54 default x
+>>>>>>54 default x
# determinate FAT bit size by media descriptor
# small floppies implies FAT12
>>>>>>>21 ubyte <0xF0 \b, FAT (12 bit by descriptor)
# with media descriptor F0h floppy or maybe superfloppy with FAT16
->>>>>>>21 ubyte =0xF0
+>>>>>>>21 ubyte =0xF0
# superfloppy (many sectors) implies FAT16
>>>>>>>>32 ulelong >0xFFFF \b, FAT (16 bit by descriptor+sectors)
# no superfloppy with media descriptor F0h implies FAT12
>>>>>>>>32 default x \b, FAT (12 bit by descriptor+sectors)
# with media descriptor F8h floppy or hard disc with FAT12 or FAT16
->>>>>>>21 ubyte =0xF8
+>>>>>>>21 ubyte =0xF8
# 360 KiB with media descriptor F8h, 9 sectors per track ,single sided floppy implies FAT12
>>>>>>>>19 ubequad 0xd002f80300090001 \b, FAT (12 bit by descriptor+geometry)
# hard disc with FAT12 or FAT16
>>>>>>>>19 default x \b, FAT (1Y bit by descriptor)
# with media descriptor FAh floppy, RAM disc with FAT12 or FAT16 or Tandy hard disc
->>>>>>>21 ubyte =0xFA
+>>>>>>>21 ubyte =0xFA
# 320 KiB with media descriptor FAh, 8 sectors per track ,single sided floppy implies FAT12
>>>>>>>>19 ubequad 0x8002fa0200080001 \b, FAT (12 bit by descriptor+geometry)
# RAM disc with FAT12 or FAT16 or Tandy hard disc
@@ -1479,17 +1479,17 @@
# 0 or 0xFFFF instead of usual 6 means no backup sector
>>>>>>50 uleshort =0xFFFF \b, no Backup boot sector
>>>>>>50 uleshort =0 \b, no Backup boot sector
-#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual)
->>>>>>50 default x
+#>>>>>>50 uleshort =6 \b, Backup boot sector %u (usual)
+>>>>>>50 default x
>>>>>>>50 uleshort x \b, Backup boot sector %u
# corrected by Joerg Jenderek at Feb 2011 according to http://thestarman.pcministry.com/asm/mbr/MSWIN41.htm#FSINFO
>>>>>>52 ulelong >0 \b, reserved1 0x%x
>>>>>>56 ulelong >0 \b, reserved2 0x%x
>>>>>>60 ulelong >0 \b, reserved3 0x%x
-# same structure as FAT1X
+# same structure as FAT1X
#>>>>>>64 ubyte =0x80 \b, physical drive 0x%x=80 (usual harddisk)
#>>>>>>64 ubyte =0 \b, physical drive 0x%x=0 (usual floppy)
->>>>>>64 ubyte !0x80
+>>>>>>64 ubyte !0x80
>>>>>>>64 ubyte >0 \b, physical drive 0x%x
# in Windows NT bit 0 is a dirty flag to request chkdsk at boot time. bit 1 requests surface scan too
>>>>>>65 ubyte >0 \b, reserved 0x%x
@@ -1500,10 +1500,10 @@
>>>>>>>71 string >NO\ NAME \b, label: "%11.11s"
>>>>>>>71 string =NO\ NAME \b, unlabeled
# additional tests for floppy image added by Joerg Jenderek
-# no fixed disk
->>>>>21 ubyte !0xF8
+# no fixed disk
+>>>>>21 ubyte !0xF8
# floppy media with 12 bit FAT
->>>>>>54 string !FAT16
+>>>>>>54 string !FAT16
# test for FAT after bootsector
>>>>>>>(11.s) ulelong&0x00ffffF0 0x00ffffF0 \b, followed by FAT
# floppy image
@@ -1511,11 +1511,11 @@
# NTFS specific added by Joerg Jenderek at Mar 2011 according to http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm
# and http://homepage.ntlworld.com/jonathan.deboynepollard/FGA/bios-parameter-block.html
# 0 FATs
->>>>>16 ubyte =0
+>>>>>16 ubyte =0
# 0 root entries
->>>>>>17 uleshort =0
+>>>>>>17 uleshort =0
# 0 DOS sectors
->>>>>>>19 uleshort =0
+>>>>>>>19 uleshort =0
# 0 sectors/FAT
# dos < 4.0 BootSector value found is 0x80
#38 ubyte =0x80 \b, dos < 4.0 BootSector (0x%x)
@@ -1526,13 +1526,13 @@
>>>>>>>>>48 ulequad >0 \b, $MFT start cluster %lld
>>>>>>>>>56 ulequad >0 \b, $MFTMirror start cluster %lld
# Values 0 to 127 represent MFT record sizes of 0 to 127 clusters.
-# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes.
->>>>>>>>>64 lelong <256
+# Values 128 to 255 represent MFT record sizes of 2^(256-N) bytes.
+>>>>>>>>>64 lelong <256
>>>>>>>>>>64 lelong <128 \b, clusters/RecordSegment %d
>>>>>>>>>>64 ubyte >127 \b, bytes/RecordSegment 2^(-1*%i)
# Values 0 to 127 represent index block sizes of 0 to 127 clusters.
# Values 128 to 255 represent index block sizes of 2^(256-N) byte
->>>>>>>>>68 ulelong <256
+>>>>>>>>>68 ulelong <256
>>>>>>>>>>68 ulelong <128 \b, clusters/index block %d
#>>>>>>>>>>68 ulelong >127 \b, bytes/index block 2^(256-%d)
>>>>>>>>>>68 ubyte >127 \b, bytes/index block 2^(-1*%i)
@@ -1539,20 +1539,30 @@
>>>>>>>>>72 ulequad x \b, serial number 0%llx
>>>>>>>>>80 ulelong >0 \b, checksum 0x%x
#>>>>>>>>>80 ulelong =0 \b, checksum 0x%x=0 (usual)
->>>>>>>>>0x258 ulelong&0x00009090 =0x00009090
->>>>>>>>>>&-92 indirect x \b; contains
+>>>>>>>>>0x258 ulelong&0x00009090 =0x00009090
+>>>>>>>>>>&-92 indirect x \b; contains
# For 2nd NTFS sector added by Joerg Jenderek at Jan 2013
# http://thestarman.pcministry.com/asm/mbr/NTFSbrHexEd.htm
# unused assembler instructions JMP y2;NOP;NOP
-0x056 ulelong&0xFFFF0FFF 0x909002EB
+0x056 ulelong&0xFFFF0FFF 0x909002EB
# unicode loadername terminated by CTRL-D
->(0.s*2) ulelong&0xFFFFFF00 0x00040000
+>(0.s*2) ulelong&0xFFFFFF00 0x00040000
# loadernames are NTLDR,CMLDR,PELDR,$LDR$ or BOOTMGR
>>0x002 lestring16 x Microsoft Windows XP/VISTA bootloader %-5.5s
->>0x12 string $
+>>0x12 string $
>>>0x0c lestring16 x \b%-2.2s
### DOS,NTFS boot sectors end
+# ntfsclone-image is a special save format for NTFS volumes,
+# created and restored by the ntfsclone program
+0 string \0ntfsclone-image ntfsclone image,
+>0x10 byte x version %d.
+>0x11 byte x \b%d,
+>0x12 lelong x cluster size %d,
+>0x16 lequad x device size %lld,
+>0x1e lequad x %lld total clusters,
+>0x26 lequad x %lld clusters in use
+
9564 lelong 0x00011954 Unix Fast File system [v1] (little-endian),
>8404 string x last mounted on %s,
#>9504 ledate x last checked at %s,
@@ -1669,6 +1679,13 @@
>&-1248 belong 0 TIME optimization
>&-1248 belong 1 SPACE optimization
+0 ulequad 0xc8414d4dc5523031 HAMMER filesystem (little-endian),
+>0x90 lelong+1 x volume %d
+>0x94 lelong x (of %d),
+>0x50 string x name %s,
+>0x98 ulelong x version %u,
+>0xa0 ulelong x flags 0x%x
+
# ext2/ext3 filesystems - Andreas Dilger <adilger@dilger.ca>
# ext4 filesystem - Eric Sandeen <sandeen@sandeen.net>
# volume label and UUID Russell Coker
@@ -1818,7 +1835,7 @@
# FE 250K 8-inch, 1-sided, single-density
# FD 500K 8-inch, 2-sided, single-density
# FE 1.2 MB 8-inch, 2-sided, double-density
-# F8 ----- Fixed disk
+# F8 ----- Fixed disk
#
# FC xxxK Apricot 70x1x9 boot disk.
#
@@ -1846,7 +1863,7 @@
# all FAT12 (strength=70) floppies with sectorsize 512 added by Joerg Jenderek at Jun 2013
# http://en.wikipedia.org/wiki/File_Allocation_Table#Exceptions
# Too Weak.
-#512 ubelong&0xE0ffff00 0xE0ffff00
+#512 ubelong&0xE0ffff00 0xE0ffff00
# without valid Media descriptor in place of BPB, cases with are done at other places
#>21 ubyte <0xE5 floppy with old FAT filesystem
# but valid Media descriptor at begin of FAT
@@ -1858,61 +1875,61 @@
#>>512 ubyte =0xfb 640k
#>>512 ubyte =0xfc 180k
# look like an an old DOS directory entry
-#>>>0xA0E ubequad 0
-#>>>>0xA00 ubequad !0
+#>>>0xA0E ubequad 0
+#>>>>0xA00 ubequad !0
#!:mime application/x-ima
-#>>512 ubyte =0xfd
+#>>512 ubyte =0xfd
# look for 2nd FAT at different location to distinguish between 360k and 500k
#>>>0x600 ubelong&0xE0ffff00 0xE0ffff00 360k
#>>>0x500 ubelong&0xE0ffff00 0xE0ffff00 500k
-#>>>0xA0E ubequad 0
+#>>>0xA0E ubequad 0
#!:mime application/x-ima
-#>>512 ubyte =0xfe
+#>>512 ubyte =0xfe
#>>>0x400 ubelong&0xE0ffff00 0xE0ffff00 160k
-#>>>>0x60E ubequad 0
-#>>>>>0x600 ubequad !0
+#>>>>0x60E ubequad 0
+#>>>>>0x600 ubequad !0
#!:mime application/x-ima
#>>>0xC00 ubelong&0xE0ffff00 0xE0ffff00 1200k
#>>512 ubyte =0xff 320k
-#>>>0x60E ubequad 0
-#>>>>0x600 ubequad !0
+#>>>0x60E ubequad 0
+#>>>>0x600 ubequad !0
#!:mime application/x-ima
#>>512 ubyte x \b, Media descriptor 0x%x
# without x86 jump instruction
-#>>0 ulelong&0x804000E9 !0x000000E9
-# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV
+#>>0 ulelong&0x804000E9 !0x000000E9
+# assembler instructions: CLI;MOV SP,1E7;MOV AX;07c0;MOV
#>>>0 ubequad 0xfabce701b8c0078e \b, MS-DOS 1.12 bootloader
# IOSYS.COM+MSDOS.COM
#>>>>0xc4 use 2xDOS-filename
-#>>0 ulelong&0x804000E9 =0x000000E9
+#>>0 ulelong&0x804000E9 =0x000000E9
# only x86 short jump instruction found
#>>>0 ubyte =0xEB
#>>>>1 ubyte x \b, code offset 0x%x+2
# http://thestarman.pcministry.com/DOS/ibm100/Boot.htm
-# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0
-#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader
+# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;MOV DX,0
+#>>>>(1.b+2) ubequad 0xfa8cc88ed8ba0000 \b, PC-DOS 1.0 bootloader
# ibmbio.com+ibmdos.com
#>>>>>0x176 use DOS-filename
#>>>>>0x181 ubyte x \b+
#>>>>>0x182 use DOS-filename
# http://thestarman.pcministry.com/DOS/ibm110/Boot.htm
-# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV
-#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader
+# assembler instructions: CLI;MOV AX,CS;MOV DS,AX;XOR DX,DX;MOV
+#>>>>(1.b+2) ubequad 0xfa8cc88ed833d28e \b, PC-DOS 1.1 bootloader
# ibmbio.com+ibmdos.com
#>>>>>0x18b use DOS-filename
#>>>>>0x196 ubyte x \b+
#>>>>>0x197 use DOS-filename
# http://en.wikipedia.org/wiki/Zenith_Data_Systems
-# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6
+# assembler instructions: MOV BX,07c0;MOV SS,BX;MOV SP,01c6
#>>>>(1.b+2) ubequad 0xbbc0078ed3bcc601 \b, Zenith Data Systems MS-DOS 1.25 bootloader
# IO.SYS+MSDOS.SYS
#>>>>>0x20 use 2xDOS-filename
# http://en.wikipedia.org/wiki/Corona_Data_Systems
-# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX;
+# assembler instructions: MOV AX,CS;MOV DS,AX;CLI;MOV SS,AX;
#>>>>(1.b+2) ubequad 0x8cc88ed8fa8ed0bc \b, MS-DOS 1.25 bootloader
# IO.SYS+MSDOS.SYS
#>>>>>0x69 use 2xDOS-filename
-# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00;
+# assembler instructions: CLI;PUSH CS;POP SS;MOV SP,7c00;
#>>>>(1.b+2) ubequad 0xfa0e17bc007cb860 \b, MS-DOS 2.11 bootloader
# defect IO.SYS+MSDOS.SYS ?
#>>>>>0x162 use 2xDOS-filename
@@ -1942,14 +1959,25 @@
32769 string CD001
# mime line at that position does not work
# to display CD-ROM (70=81-11) after MBR (113=40+72+1), partition-table (71=50+21) and before Apple Driver Map (51)
-!:strength -11
+#!:strength -11
# to display CD-ROM (114=81+33) before MBR (113=40+72+1), partition-table (71=50+21) and Apple Driver Map (51)
-# does not work
-#!:strength +33
->0 use cdrom
+!:strength +34
+>0 use cdrom
# .cso files
-0 string CISO Compressed ISO CD image
+# Reference: http://pismotec.com/ciso/ciso.h
+# NOTE: There are two other formats with the same magic but
+# completely incompatible specifications:
+# - GameCube/Wii CISO: https://github.com/dolphin-emu/dolphin/blob/master/Source/Core/DiscIO/CISOBlob.h
+# - PSP CISO: https://github.com/jamie/ciso/blob/master/ciso.h
+0 string CISO
+# Other fields are used to determine what type of CISO this is:
+# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size)
+# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size)
+# - None of the above: Compact ISO.
+>4 lelong !0
+>>4 lelong !0x200000
+>>>0x10 lelong !0x800 Compressed ISO CD image
# cramfs filesystem - russell@coker.com.au
0 lelong 0x28cd3d45 Linux Compressed ROM File System data, little endian
@@ -2041,6 +2069,13 @@
>29 byte 16 \bBlackfin,
>29 byte 17 \bAVR32,
>29 byte 18 \bSTMicroelectronics ST200,
+>29 byte 19 \bSandbox architecture,
+>29 byte 20 \bANDES Technology NDS32,
+>29 byte 21 \bOpenRISC 1000,
+>29 byte 22 \bARM 64-bit,
+>29 byte 23 \bDesignWare ARC,
+>29 byte 24 \bx86_64,
+>29 byte 25 \bXtensa,
>30 byte 0 Invalid Image
>30 byte 1 Standalone Program
>30 byte 2 OS Kernel Image
@@ -2114,7 +2149,7 @@
>>8 ledate x created: %s
# AFS Dump Magic
-# From: Ty Sarna <tsarna@sarna.org>
+# From: Ty Sarna <tsarna@sarna.org>
0 string \x01\xb3\xa1\x13\x22 AFS Dump
>&0 belong x (v%d)
>>&0 byte 0x76
@@ -2229,7 +2264,7 @@
# From: "Nelson A. de Oliveira" <naoliv@gmail.com>
0 string *dvdisaster* dvdisaster error correction file
-# xfs metadump image
+# xfs metadump image
# mb_magic XFSM at 0; superblock magic XFSB at 1 << mb_blocklog
# but can we do the << ? For now it's always 512 (0x200) anyway.
0 string XFSM
@@ -2301,8 +2336,8 @@
0 string td\000 floppy image data (TeleDisk, compressed)
0 string TD\000 floppy image data (TeleDisk)
-0 string CQ\024 floppy image data (CopyQM,
->16 leshort x %d sectors,
+0 string CQ\024 floppy image data (CopyQM,
+>16 leshort x %d sectors,
>18 leshort x %d heads.)
0 string ACT\020Apricot\020disk\020image\032\004 floppy image data (ApriDisk)
@@ -2352,3 +2387,13 @@
>>>>>>>>0x1B ubyte 0x30 \b, media=1D
>>>>>>>>0x1B ubyte 0x40 \b, media=1DD
>>>>>>>>0x1A ubyte 0x10 \b, write-protected
+
+# HDD Raw Copy Tool disk image, file extension: .imgc
+# From Benjamin Vanheuverzwijn <bvanheu@gmail.com>
+0 pstring HDD\ Raw\ Copy\ Tool %s
+>0x100 pstring x %s
+>0x200 pstring x - HD model: %s
+#>0x300 pstring x unknown %s
+>0x400 pstring x serial: %s
+#>0x500 pstring x unknown: %s
+!:ext imgc
Index: contrib/file/magic/Magdir/games
===================================================================
--- contrib/file/magic/Magdir/games (版本 330566)
+++ contrib/file/magic/Magdir/games (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: games,v 1.14 2014/04/30 21:41:02 christos Exp $
+# $File: games,v 1.15 2017/03/17 21:35:28 christos Exp $
# games: file(1) for games
# Fabio Bonelli <fabiobonelli@libero.it>
@@ -39,7 +39,7 @@
#0 string -1\x0a Quake I demo
#>30 string x version %.4s
-#>61 string x level %s
+#>61 string x level %s
#0 string 5\x0a Quake I save
@@ -240,7 +240,7 @@
# Summary: NetImmerse game engine file
# Extension .nif
# Created by: Abel Cheung <abelcheung@gmail.com>
-0 string NetImmerse\ File\ Format,\ Versio
+0 string NetImmerse\ File\ Format,\ Versio
>&0 string n\ NetImmerse game engine file
>>&0 regex [0-9a-z.]+ \b, version %s
Index: contrib/file/magic/Magdir/gpt
===================================================================
--- contrib/file/magic/Magdir/gpt (版本 330566)
+++ contrib/file/magic/Magdir/gpt (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: gpt,v 1.3 2014/04/30 21:41:02 christos Exp $
+# $File: gpt,v 1.4 2017/03/17 21:35:28 christos Exp $
#
# GPT Partition table patterns.
# Author: Rogier Goossens (goossens.rogier@gmail.com)
@@ -36,7 +36,7 @@
>>>>>>>>>>>>>(454.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
->>>>>>>>>>>>>>0 ubyte x of 8192 bytes
+>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(454.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(454.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
@@ -66,7 +66,7 @@
>>>>>>>>>>>>>(470.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
->>>>>>>>>>>>>>0 ubyte x of 8192 bytes
+>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(470.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(470.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
@@ -96,7 +96,7 @@
>>>>>>>>>>>>>(486.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
->>>>>>>>>>>>>>0 ubyte x of 8192 bytes
+>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(486.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(486.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
@@ -126,7 +126,7 @@
>>>>>>>>>>>>>(502.l*8192) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>0 use gpt-mbr-type
>>>>>>>>>>>>>>&-8 use gpt-table
->>>>>>>>>>>>>>0 ubyte x of 8192 bytes
+>>>>>>>>>>>>>>0 ubyte x of 8192 bytes
>>>>>>>>>>>>>(502.l*8192) string !EFI\ PART
>>>>>>>>>>>>>>(502.l*4096) string EFI\ PART GPT partition table
>>>>>>>>>>>>>>>0 use gpt-mbr-type
@@ -166,7 +166,7 @@
##>(8.l*8192) string EFI\ PART
##>>(8.l*8192) use gpt-mbr-type
##>>&-8 use gpt-table
-##>>0 ubyte x of 8192 bytes
+##>>0 ubyte x of 8192 bytes
##>(8.l*8192) string !EFI\ PART
##>>(8.l*4096) string EFI\ PART GPT partition table
##>>>0 use gpt-mbr-type
@@ -212,7 +212,7 @@
>>486 ulelong !1 \b (nonstandard: not at LBA 1)
# GPT with protective MBR entry in partition 4
>498 ubyte 0xee
->>502 ulelong 1
+>>502 ulelong 1
>>>446 string !\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0 \b (with hybrid MBR)
>>502 ulelong !1 \b (nonstandard: not at LBA 1)
Index: contrib/file/magic/Magdir/ibm370
===================================================================
--- contrib/file/magic/Magdir/ibm370 (版本 330566)
+++ contrib/file/magic/Magdir/ibm370 (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: ibm370,v 1.9 2014/04/30 21:41:02 christos Exp $
+# $File: ibm370,v 1.10 2017/03/17 21:35:28 christos Exp $
# ibm370: file(1) magic for IBM 370 and compatibles.
#
# "ibm370" said that 0x15d == 0535 was "ibm 370 pure executable".
@@ -7,11 +7,11 @@
# What the heck *is* "USS/370"?
# AIX 4.1's "/etc/magic" has
#
-# 0 short 0535 370 sysV executable
+# 0 short 0535 370 sysV executable
# >12 long >0 not stripped
# >22 short >0 - version %d
# >30 long >0 - 5.2 format
-# 0 short 0530 370 sysV pure executable
+# 0 short 0530 370 sysV pure executable
# >12 long >0 not stripped
# >22 short >0 - version %d
# >30 long >0 - 5.2 format
@@ -18,11 +18,11 @@
#
# instead of the "USS/370" versions of the same magic numbers.
#
-0 beshort 0537 370 XA sysV executable
+0 beshort 0537 370 XA sysV executable
>12 belong >0 not stripped
>22 beshort >0 - version %d
>30 belong >0 - 5.2 format
-0 beshort 0532 370 XA sysV pure executable
+0 beshort 0532 370 XA sysV pure executable
>12 belong >0 not stripped
>22 beshort >0 - version %d
>30 belong >0 - 5.2 format
Index: contrib/file/magic/Magdir/console
===================================================================
--- contrib/file/magic/Magdir/console (版本 330566)
+++ contrib/file/magic/Magdir/console (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: console,v 1.26 2016/06/12 15:20:37 christos Exp $
+# $File: console,v 1.32 2017/08/13 00:21:47 christos Exp $
# Console game magic
# Toby Deshane <hac@shoelace.digivill.net>
@@ -9,10 +9,12 @@
# References:
# - http://wiki.nesdev.com/w/index.php/INES
# - http://wiki.nesdev.com/w/index.php/NES_2.0
-0 string NES\x1A iNES ROM image
+
+# Common header for iNES, NES 2.0, and Wii U iNES.
+0 name nes-rom-image-ines
>7 byte&0x0C =0x8 (NES 2.0)
>4 byte x \b: %ux16k PRG
->5 byte x \b, %ux16k CHR
+>5 byte x \b, %ux8k CHR
>6 byte&0x08 =0x8 [4-Scr]
>6 byte&0x09 =0x0 [H-mirror]
>6 byte&0x09 =0x1 [V-mirror]
@@ -19,7 +21,7 @@
>6 byte&0x02 =0x2 [SRAM]
>6 byte&0x04 =0x4 [Trainer]
>7 byte&0x03 =0x2 [PC10]
->7 byte&0x03 =0x1 [VS
+>7 byte&0x03 =0x1 [VS]
>>7 byte&0x0C =0x8
# NES 2.0: VS PPU
>>>13 byte&0x0F =0x0 \b, RP2C03B
@@ -43,17 +45,24 @@
>>12 byte&0x03 =0x1 [PAL]
>>12 byte&0x02 =0x2 [NTSC+PAL]
+# Standard iNES ROM header.
+0 string NES\x1A NES ROM image (iNES)
+>0 use nes-rom-image-ines
+
+# Wii U Virtual Console iNES ROM header.
+0 belong 0x4E455300 NES ROM image (Wii U Virtual Console)
+>0 use nes-rom-image-ines
+
#------------------------------------------------------------------------------
# unif: file(1) magic for UNIF-format Nintendo Entertainment System ROM images
# Reference: http://wiki.nesdev.com/w/index.php/UNIF
# From: David Korth <gerbilsoft@gerbilsoft.com>
-# TODO commit on 2016/03/21
#
# NOTE: The UNIF format uses chunks instead of a fixed header,
# so most of the data isn't easily parseable.
#
0 string UNIF
->4 lelong <16 UNIF v%d format NES ROM image
+>4 lelong <16 NES ROM image (UNIF v%d format)
#------------------------------------------------------------------------------
# fds: file(1) magic for Famciom Disk System disk images
@@ -63,25 +72,40 @@
# Disk info block. (block 1)
0 name nintendo-fds-disk-info-block
->1 string *NINTENDO-HVC* Famicom Disk System disk image:
>23 byte !1 FMC-
>23 byte 1 FSC-
>16 string x \b%.3s
->15 byte x \b, mfr 0x%02X
+>15 byte x \b, mfr %02X
>20 byte x (Rev.%02u)
# Headered version.
0 string FDS\x1A
->0x11 string *NINTENDO-HVC*
+>0x11 string *NINTENDO-HVC* Famicom Disk System disk image:
>>0x10 use nintendo-fds-disk-info-block
>4 byte 1 (%u side)
>4 byte !1 (%u sides)
# Unheadered version.
-1 string *NINTENDO-HVC*
+1 string *NINTENDO-HVC* Famicom Disk System disk image:
>0 use nintendo-fds-disk-info-block
#------------------------------------------------------------------------------
+# tnes: file(1) magic for TNES-format Nintendo Entertainment System ROM images
+# Used by Nintendo 3DS NES Virtual Console games.
+# From: David Korth <gerbilsoft@gerbilsoft.com>
+#
+0 string TNES NES ROM image (Nintendo 3DS Virtual Console)
+>4 byte 100 \b: FDS,
+>>0x2010 use nintendo-fds-disk-info-block
+>4 byte !100 \b: TNES mapper %u
+>>5 byte x \b, %ux8k PRG
+>>6 byte x \b, %ux8k CHR
+>>7 byte&0x08 =1 [WRAM]
+>>8 byte&0x09 =1 [H-mirror]
+>>8 byte&0x09 =2 [V-mirror]
+>>8 byte&0x02 =3 [VRAM]
+
+#------------------------------------------------------------------------------
# gameboy: file(1) magic for the Nintendo (Color) Gameboy raw ROM format
# Reference: http://gbdev.gg8.se/wiki/articles/The_Cartridge_Header
#
@@ -389,6 +413,15 @@
>0x1E byte x \b, Rev.%02u)
>0x12 byte 2 (DSi enhanced)
>0x12 byte 3 (DSi only)
+# Secure Area check.
+>0x20 lelong <0x4000 (homebrew)
+>0x20 lelong >0x3FFF
+>>0x4000 lequad 0x0000000000000000 (multiboot)
+>>0x4000 lequad !0x0000000000000000
+>>>0x4000 lequad 0xE7FFDEFFE7FFDEFF (decrypted)
+>>>0x4000 lequad !0xE7FFDEFFE7FFDEFF
+>>>>0x1000 lequad 0x0000000000000000 (encrypted)
+>>>>0x1000 lequad !0x0000000000000000 (mask ROM)
#------------------------------------------------------------------------------
# nds_passme: file(1) magic for Nintendo DS ROM images for GBA cartridge boot.
@@ -412,7 +445,7 @@
#------------------------------------------------------------------------------
# msx: file(1) magic for MSX game cartridge dumps
# Too simple - MPi
-#0 beshort 0x4142 MSX game cartridge dump
+#0 beshort 0x4142 MSX game cartridge dump
#------------------------------------------------------------------------------
# Sony Playstation executables (Adam Sjoegren <asjo@diku.dk>) :
@@ -467,7 +500,7 @@
# Double-check that the image type matches too, 0x8008 conflicts with
# 8 character OMF-86 object file headers.
-0 beshort 0x8008
+0 beshort 0x8008
>6 string BS93 Lynx homebrew cartridge
>>2 beshort x \b, RAM start $%04x
>6 string LYNX Lynx cartridge
@@ -482,7 +515,7 @@
# is the offset 12 or the offset 16 correct?
# GBS (Game Boy Sound) magic
# ftp://ftp.modland.com/pub/documents/format_documentation/\
-# Gameboy%20Sound%20System%20(.gbs).txt
+# Gameboy%20Sound%20System%20(.gbs).txt
0 string GBS Nintendo Gameboy Music/Audio Data
#12 string GameBoy\ Music\ Module Nintendo Gameboy Music Module
>16 string >\0 ("%s" by
@@ -491,6 +524,10 @@
>3 byte x version %d,
>4 byte x %d tracks
+# IPS Patch Files from: From: Thomas Klausner <tk@giga.or.at>
+# see http://zerosoft.zophar.net/ips.php
+0 string PATCH IPS patch file
+
# Playstations Patch Files from: From: Thomas Klausner <tk@giga.or.at>
0 string PPF30 Playstation Patch File version 3.0
>5 byte 0 \b, PPF 1.0 patch
@@ -518,7 +555,7 @@
# SNES9x .smv "movie" file format.
0 string SMV\x1A SNES9x input recording
>0x4 lelong x \b, version %d
-# version 4 is latest so far
+# version 4 is latest so far
>0x4 lelong <5
>>0x8 ledate x \b, recorded at %s
>>0xc lelong >0 \b, rerecorded %d times
@@ -617,6 +654,52 @@
>0x218 belong 0x5D1C9EA3 Nintendo Wii disc image (WBFS format):
>>0x200 use nintendo-gcn-disc-common
+# Type: Nintendo GameCube/Wii disc image (CISO format)
+# NOTE: This is NOT the same as Compact ISO or PSP CISO,
+# though it has the same magic number.
+0 string CISO
+# Other fields are used to determine what type of CISO this is:
+# - 0x04 == 0x00200000: GameCube/Wii CISO (block_size)
+# - 0x10 == 0x00000800: PSP CISO (ISO-9660 sector size)
+# - None of the above: Compact ISO.
+>4 lelong 0x200000
+>>8 byte 1
+>>>0x801C belong 0xC2339F3D Nintendo GameCube disc image (CISO format):
+>>>>0x8000 use nintendo-gcn-disc-common
+>>>0x8018 belong 0x5D1C9EA3 Nintendo Wii disc image (CISO format):
+>>>>0x8000 use nintendo-gcn-disc-common
+
+# Type: Nintendo GameCube/Wii disc image (GCZ format)
+# Due to zlib compression, we can't get the actual disc information.
+0 lelong 0xB10BC001
+>4 lelong 0 Nintendo GameCube disc image (GCZ format)
+>4 lelong 1 Nintendo Wii disc image (GCZ format)
+>4 lelong >1 Nintendo GameCube/Wii disc image (GCZ format)
+
+# Type: Nintendo GameCube/Wii disc image (WDF format)
+0 string WII\001DISC
+>8 belong 1
+# WDFv1
+>>0x54 belong 0xC2339F3D Nintendo GameCube disc image (WDFv1 format):
+>>>0x38 use nintendo-gcn-disc-common
+>>0x58 belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv1 format):
+>>>0x38 use nintendo-gcn-disc-common
+>8 belong 2
+# WDFv2
+>>(12.L+0x1C) belong 0xC2339F3D Nintendo GameCube disc image (WDFv2 format):
+>>>(12.L) use nintendo-gcn-disc-common
+>>(12.L+0x18) belong 0x5D1C9EA3 Nintendo Wii disc image (WDFv2 format):
+>>>(12.L) use nintendo-gcn-disc-common
+
+# Type: Nintendo GameCube/Wii disc image (WIA format)
+0 string WIA\001 Nintendo
+>0x48 belong 0 GameCube/Wii
+>0x48 belong 1 GameCube
+>0x48 belong 2 Wii
+>0x48 belong >2 GameCube/Wii
+>0x48 belong x disc image (WIA format):
+>>0x58 use nintendo-gcn-disc-common
+
#------------------------------------------------------------------------------
# Nintendo 3DS file formats.
#
@@ -722,7 +805,7 @@
# Type: Nintendo 3DS Homebrew Application.
# From: David Korth <gerbilsoft@gerbilsoft.com>
-# Refernece: https://3dbrew.org/wiki/3DSX_Format
+# Reference: https://3dbrew.org/wiki/3DSX_Format
0 string 3DSX Nintendo 3DS Homebrew Application (3DSX)
#------------------------------------------------------------------------------
@@ -750,3 +833,17 @@
#
0 string g\ GCE Vectrex ROM image
>0x11 string >\0 \b: "%.16s"
+
+#------------------------------------------------------------------------------
+# amiibo: file(1) magic for Nintendo amiibo NFC dumps.
+# From: David Korth <gerbilsoft@gerbilsoft.com>
+# Reference: https://www.3dbrew.org/wiki/Amiibo
+0x00 byte 0x04
+>0x0A beshort 0x0FE0
+>>0x0C belong 0xF110FFEE
+>>>0x208 beshort 0x0100
+>>>>0x020A byte 0x0F
+>>>>>0x020C bequad 0x000000045F000000
+>>>>>>0x5B byte 0x02
+>>>>>>>0x54 belong x Nintendo amiibo NFC dump - amiibo ID: %08X-
+>>>>>>>0x58 belong x \b%08X
Index: contrib/file/magic/Magdir/diff
===================================================================
--- contrib/file/magic/Magdir/diff (版本 330566)
+++ contrib/file/magic/Magdir/diff (版本 330908)
@@ -1,15 +1,15 @@
#------------------------------------------------------------------------------
-# $File: diff,v 1.14 2012/09/16 23:08:54 christos Exp $
+# $File: diff,v 1.16 2017/03/17 22:20:22 christos Exp $
# diff: file(1) magic for diff(1) output
#
-0 search/1 diff\ diff output text
+0 search/1 diff\040 diff output text
!:mime text/x-diff
-0 search/1 ***\ diff output text
+0 search/1 ***\040 diff output text
!:mime text/x-diff
-0 search/1 Only\ in\ diff output text
+0 search/1 Only\040in\040 diff output text
!:mime text/x-diff
-0 search/1 Common\ subdirectories:\ diff output text
+0 search/1 Common\040subdirectories:\040 diff output text
!:mime text/x-diff
0 search/1 Index: RCS/CVS diff output text
@@ -20,9 +20,9 @@
# unified diff
-0 search/4096 ---\
+0 search/4096 ---\040
>&0 search/1024 \n
->>&0 search/1 +++\
+>>&0 search/1 +++\040
>>>&0 search/1024 \n
>>>>&0 search/1 @@ unified diff output text
!:mime text/x-diff
Index: contrib/file/magic/Magdir/editors
===================================================================
--- contrib/file/magic/Magdir/editors (版本 330566)
+++ contrib/file/magic/Magdir/editors (版本 330908)
@@ -1,7 +1,7 @@
#------------------------------------------------------------------------------
-# $File: editors,v 1.10 2016/07/18 17:44:49 christos Exp $
-# T602 editor documents
+# $File: editors,v 1.11 2017/03/17 21:35:28 christos Exp $
+# T602 editor documents
# by David Necas <yeti@physics.muni.cz>
0 string @CT\ T602 document data,
>4 string 0 Kamenicky
@@ -9,7 +9,7 @@
>4 string 2 KOI8-CS
>4 string >2 unknown encoding
-# Vi IMproved Encrypted file
+# Vi IMproved Encrypted file
# by David Necas <yeti@physics.muni.cz>
0 string VimCrypt~ Vim encrypted file data
Index: contrib/file/magic/Magdir/fsav
===================================================================
--- contrib/file/magic/Magdir/fsav (版本 330566)
+++ contrib/file/magic/Magdir/fsav (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: fsav,v 1.13 2013/03/25 17:18:47 christos Exp $
+# $File: fsav,v 1.14 2017/03/17 21:35:28 christos Exp $
# fsav: file(1) magic for datafellows fsav virus definition files
# Anthon van der Neut (anthon@mnt.org)
@@ -29,11 +29,11 @@
#>>>>10 byte 11 \b12-
#>>>>9 ubyte >0 \b%02d)
# ftp://ftp.f-prot.com/pub/sign2.zip
-#0 ubyte 0x62
-#>1 ubyte 0xF5
-#>>2 ubyte 0x1
-#>>>3 ubyte 0x1
-#>>>>4 ubyte 0x0e
+#0 ubyte 0x62
+#>1 ubyte 0xF5
+#>>2 ubyte 0x1
+#>>>3 ubyte 0x1
+#>>>>4 ubyte 0x0e
#>>>>>13 ubyte >0 fsav virus signatures
#>>>>>>11 ubyte x size 0x%02x
#>>>>>>12 ubyte x \b%02x
@@ -44,16 +44,16 @@
# .cvd files start with a 512 bytes colon separated header
# ClamAV-VDB:buildDate:version:signaturesNumbers:functionalityLevelRequired:MD5:Signature:builder:buildTime
# + gzipped tarball files
-0 string ClamAV-VDB:
+0 string ClamAV-VDB:
>11 string >\0 Clam AntiVirus database %-.23s
->>34 string :
->>>35 string !: \b, version
+>>34 string :
+>>>35 string !: \b, version
>>>>35 string x \b%-.1s
->>>>>36 string !:
+>>>>>36 string !:
>>>>>>36 string x \b%-.1s
->>>>>>>37 string !:
+>>>>>>>37 string !:
>>>>>>>>37 string x \b%-.1s
->>>>>>>>>38 string !:
+>>>>>>>>>38 string !:
>>>>>>>>>>38 string x \b%-.1s
>512 string \037\213 \b, gzipped
>769 string ustar\0 \b, tarred
Index: contrib/file/magic/Magdir/gnu
===================================================================
--- contrib/file/magic/Magdir/gnu (版本 330566)
+++ contrib/file/magic/Magdir/gnu (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: gnu,v 1.17 2016/07/16 22:17:04 christos Exp $
+# $File: gnu,v 1.18 2017/03/17 21:35:28 christos Exp $
# gnu: file(1) magic for various GNU tools
#
# GNU nlsutils message catalog file format
@@ -71,7 +71,7 @@
# they will ordinarily reported as "compressed", but at least -z helps
39 string =<gmr:Workbook Gnumeric spreadsheet
-# From: James Youngman <jay@gnu.org>
+# From: James Youngman <jay@gnu.org>
# gnu find magic
0 string \0LOCATE GNU findutils locate database data
>7 string >\0 \b, format %s
Index: contrib/file/magic/Magdir/hitachi-sh
===================================================================
--- contrib/file/magic/Magdir/hitachi-sh (版本 330566)
+++ contrib/file/magic/Magdir/hitachi-sh (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: hitachi-sh,v 1.7 2015/09/30 20:32:35 christos Exp $
+# $File: hitachi-sh,v 1.8 2017/03/17 21:35:28 christos Exp $
# hitach-sh: file(1) magic for Hitachi Super-H
#
# Super-H COFF
@@ -9,20 +9,20 @@
# https://en.wikipedia.org/wiki/COFF
# https://de.wikipedia.org/wiki/Common_Object_File_Format
# http://www.delorie.com/djgpp/doc/coff/filhdr.html
-# below test line conflicts with 2nd NTFS filesystem sector
+# below test line conflicts with 2nd NTFS filesystem sector
# 2nd NTFS filesystem sector often starts with 0x05004e00 for unicode string 5 NTLDR
# and Portable Gaming Notation Compressed format (*.WID http://pgn.freeservers.com/)
-0 beshort 0x0500
+0 beshort 0x0500
# test for unused flag bits (0x8000,0x0800,0x0400,0x0200,x0080) in f_flags
->18 ubeshort&0x8E80 0
+>18 ubeshort&0x8E80 0
# use big endian variant of subroutine to display name+variables+flags
-# for common object formated files
+# for common object formated files
>>0 use \^display-coff
-0 leshort 0x0550
+0 leshort 0x0550
# test for unused flag bits in f_flags
->18 uleshort&0x8E80 0
-# use little endian variant of subroutine to
-# display name+variables+flags for common object formated files
+>18 uleshort&0x8E80 0
+# use little endian variant of subroutine to
+# display name+variables+flags for common object formated files
>>0 use display-coff
Index: contrib/file/magic/Magdir/images
===================================================================
--- contrib/file/magic/Magdir/images (版本 330566)
+++ contrib/file/magic/Magdir/images (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: images,v 1.117 2016/07/05 19:12:21 christos Exp $
+# $File: images,v 1.126 2017/06/11 22:25:44 christos Exp $
# images: file(1) magic for image formats (see also "iff", and "c-lang" for
# XPM bitmaps)
#
@@ -26,23 +26,28 @@
# test of Color Map Type 0~no 1~color map
# and Image Type 1 2 3 9 10 11 32 33
# and Color Map Entry Size 0 15 16 24 32
-0 ubequad&0x00FeC400000000C0 0
+0 ubequad&0x00FeC400000000C0 0
# skip more garbage by looking for positive image type
->2 ubyte >0
+>2 ubyte >0
# skip some compiled terminfo by looking for image type less equal 33
->>2 ubyte <34
+>>2 ubyte <34
# skip arches.3200 , Finder.Root , Slp.1 by looking for low pixel sizes 15 16 24 32
->>>16 ubyte <33
+>>>16 ubyte <33
# skip more by looking for pixel size 0Fh 10h 18h 20h
->>>>16 ubyte&0xC0 0x00
+>>>>16 ubyte&0xC0 0x00
+# Color Map
+>>>>>1 belong&0xfff7ffff 0x01010000
+>>>>>>0 use tga-image
+>>>>>1 belong&0xfff7ffff 0x00020000
+>>>>>>0 use tga-image
+>>>>>1 belong&0xfff7ffff 0x00030000
+>>>>>>0 use tga-image
+>>>>>1 default x
# skip 260-16.ico by looking for no color map
->>>>>1 ubyte 0
+>>>>>>1 ubyte 0
# implies no first map entry
->>>>>>3 uleshort 0
->>>>>>>0 use tga-image
-# Color Map
->>>>>1 ubyte >0
->>>>>>0 use tga-image
+>>>>>>>3 uleshort 0
+>>>>>>>>0 use tga-image
# display tga bitmap image information
0 name tga-image
>2 ubyte <34 Targa image data
@@ -78,7 +83,7 @@
>14 uleshort =0 65536
# Image Pixel Size 15 16 24 32
>16 ubyte x x %d
-# X origin of image. 0 normal
+# X origin of image. 0 normal
>8 uleshort >0 +%d
# Y origin of image. 0 normal; positive for top
>10 uleshort >0 +%d
@@ -90,27 +95,27 @@
>17 ubyte &0x10 - right
#>17 ubyte ^0x10 - left
# some info say other bits 6-7 should be zero
-# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm
+# but data storage interleave by http://www.fileformat.info/format/tga/corion.htm
# 00 - no interleave;01 - even/odd interleave; 10 - four way interleave; 11 - reserved
#>17 ubyte&0xC0 0x00 - no interleave
>17 ubyte&0xC0 0x40 - interleave
>17 ubyte&0xC0 0x80 - four way interleave
>17 ubyte&0xC0 0xC0 - reserved
-# positive length implies identification field
->0 ubyte >0
+# positive length implies identification field
+>0 ubyte >0
>>18 string x "%s"
# last 18 bytes of newer tga file footer signature
->18 search/4261301/s TRUEVISION-XFILE.\0
+>18 search/4261301/s TRUEVISION-XFILE.\0
# extension area offset if not 0
->>&-8 ulelong >0
+>>&-8 ulelong >0
# length of the extension area. normal 495 for version 2.0
->>>(&-4.l) uleshort 0x01EF
+>>>(&-4.l) uleshort 0x01EF
# AuthorName[41]
>>>>&0 string >\0 - author "%-.40s"
# Comment[324]=4 * 80 null terminated
>>>>&41 string >\0 - comment "%-.80s"
# date
->>>>&365 ubequad&0xffffFFFFffff0000 !0
+>>>>&365 ubequad&0xffffFFFFffff0000 !0
# Day
>>>>>&-6 uleshort x %d
# Month
@@ -118,7 +123,7 @@
# Year
>>>>>&-4 uleshort x \b-%d
# time
->>>>&371 ubequad&0xffffFFFFffff0000 !0
+>>>>&371 ubequad&0xffffFFFFffff0000 !0
# hour
>>>>>&-8 uleshort x %d
# minutes
@@ -128,7 +133,7 @@
# JobName[41]
>>>>&377 string >\0 - job "%-.40s"
# JobHour Jobminute Jobsecond
->>>>&418 ubequad&0xffffFFFFffff0000 !0
+>>>>&418 ubequad&0xffffFFFFffff0000 !0
>>>>>&-8 uleshort x %d
>>>>>&-6 uleshort x \b:%.2d
>>>>>&-4 uleshort x \b:%.2d
@@ -135,7 +140,7 @@
# SoftwareId[41]
>>>>&424 string >\0 - %-.40s
# SoftwareVersionNumber
->>>>&424 ubyte >0
+>>>>&424 ubyte >0
>>>>>&40 uleshort/100 x %d
>>>>>&40 uleshort%100 x \b.%d
# VersionLetter
@@ -143,16 +148,16 @@
# KeyColor
>>>>&468 ulelong >0 - keycolor 0x%8.8x
# Denominator of Pixel ratio. 0~no pixel aspect
->>>>&474 uleshort >0
+>>>>&474 uleshort >0
# Numerator
>>>>>&-4 uleshort >0 - aspect %d
>>>>>&-2 uleshort x \b/%d
# Denominator of Gamma ratio. 0~no Gamma value
->>>>&478 uleshort >0
+>>>>&478 uleshort >0
# Numerator
>>>>>&-4 uleshort >0 - gamma %d
>>>>>&-2 uleshort x \b/%d
-# ColorOffset
+# ColorOffset
#>>>>&480 ulelong x - col offset 0x%8.8x
# StampOffset
#>>>>&484 ulelong x - stamp offset 0x%8.8x
@@ -170,15 +175,15 @@
>>&0 regex =[0-9]{1,50} \b, size = %s x
>>>&0 regex =[0-9]{1,50} \b %s
-0 search/1 P1
->0 regex/4 P1\\s
+0 search/1 P1
+>0 regex/4 P1[\040\t\f\r\n]
>>0 use netpbm
>>>0 string x \b, bitmap
!:strength + 45
!:mime image/x-portable-bitmap
-0 search/1 P2
->0 regex/4 P2\\s
+0 search/1 P2
+>0 regex/4 P2[\040\t\f\r\n]
>>0 use netpbm
>>>0 string x \b, greymap
!:strength + 45
@@ -185,28 +190,28 @@
!:mime image/x-portable-greymap
0 search/1 P3
->0 regex/4 P3\\s
+>0 regex/4 P3[\040\t\f\r\n]
>>0 use netpbm
>>>0 string x \b, pixmap
!:strength + 45
!:mime image/x-portable-pixmap
-0 string P4
->0 regex/4 P4\\s
+0 string P4
+>0 regex/4 P4[\040\t\f\r\n]
>>0 use netpbm
>>>0 string x \b, rawbits, bitmap
!:strength + 45
!:mime image/x-portable-bitmap
-0 string P5
->0 regex/4 P5\\s
+0 string P5
+>0 regex/4 P5[\040\t\f\r\n]
>>0 use netpbm
>>>0 string x \b, rawbits, greymap
!:strength + 45
!:mime image/x-portable-greymap
-0 string P6
->0 regex/4 P6\\s
+0 string P6
+>0 regex/4 P6[\040\t\f\r\n]
>>0 use netpbm
>>>0 string x \b, rawbits, pixmap
!:strength + 45
@@ -303,7 +308,7 @@
>>>8 leshort 0x8765 \bJBIG
>>>8 leshort 0x8798 \bJPEG2000
>>>8 leshort 0x8799 \bNikon NEF Compressed
->>>8 default x
+>>>8 default x
>>>>8 leshort x \b(unknown 0x%x)
>>>12 use tiff_entry
>0 leshort 0x106 \b, PhotometricIntepretation=
@@ -414,22 +419,36 @@
# (Greg Roelofs, newt@uchicago.edu)
# (Albert Cahalan, acahalan@cs.uml.edu)
#
-# 137 P N G \r \n ^Z \n [4-byte length] H E A D [HEAD data] [HEAD crc] ...
+# 137 P N G \r \n ^Z \n [4-byte length] I H D R [HEAD data] [HEAD crc] ...
#
-0 string \x89PNG\x0d\x0a\x1a\x0a PNG image data
+
+# IHDR parser
+0 name png-ihdr
+>0 belong x \b, %d x
+>4 belong x %d,
+>8 byte x %d-bit
+>9 byte 0 grayscale,
+>9 byte 2 \b/color RGB,
+>9 byte 3 colormap,
+>9 byte 4 gray+alpha,
+>9 byte 6 \b/color RGBA,
+#>10 byte 0 deflate/32K,
+>12 byte 0 non-interlaced
+>12 byte 1 interlaced
+
+# Standard PNG image.
+0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data
!:mime image/png
->16 belong x \b, %d x
->20 belong x %d,
->24 byte x %d-bit
->25 byte 0 grayscale,
->25 byte 2 \b/color RGB,
->25 byte 3 colormap,
->25 byte 4 gray+alpha,
->25 byte 6 \b/color RGBA,
-#>26 byte 0 deflate/32K,
->28 byte 0 non-interlaced
->28 byte 1 interlaced
+!:strength +10
+>16 use png-ihdr
+# Apple CgBI PNG image.
+0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x04CgBI
+>24 string \x00\x00\x00\x0DIHDR PNG image data (CgBI)
+!:mime image/png
+!:strength +10
+>>32 use png-ihdr
+
# possible GIF replacements; none yet released!
# (Greg Roelofs, newt@uchicago.edu)
#
@@ -438,13 +457,13 @@
!:mime image/x-unknown
#
# GRR 950115: this is Jeremy Wohl's Free Graphics Format (better):
-#
+#
0 string FGF95a FGF image (GIF+deflate beta)
!:mime image/x-unknown
#
# GRR 950115: this is Thomas Boutell's Portable Bitmap Format proposal
# (best; not yet implemented):
-#
+#
0 string PBF PBF image (deflate compression)
!:mime image/x-unknown
@@ -528,19 +547,19 @@
# http://www.blackfiveservices.co.uk/awbmtools.shtml
# http://biosgfx.narod.ru/v3/
# http://biosgfx.narod.ru/abr-2/
-0 string AWBM
+0 string AWBM
>4 leshort <1981 Award BIOS bitmap
!:mime image/x-award-bmp
# image width is a multiple of 4
->>4 leshort&0x0003 0
+>>4 leshort&0x0003 0
>>>4 leshort x \b, %d
>>>6 leshort x x %d
>>4 leshort&0x0003 >0 \b,
->>>4 leshort&0x0003 =1
+>>>4 leshort&0x0003 =1
>>>>4 leshort x %d+3
->>>4 leshort&0x0003 =2
+>>>4 leshort&0x0003 =2
>>>>4 leshort x %d+2
->>>4 leshort&0x0003 =3
+>>>4 leshort&0x0003 =3
>>>>4 leshort x %d+1
>>>6 leshort x x %d
# at offset 8 starts imagedata followed by "RGB " marker
@@ -764,11 +783,11 @@
# http://web.archive.org/web/20100206055706/http://www.qzx.com/pc-gpe/pcx.txt
# GRR: original test was still too general as it catches xbase examples T5.DBT,T6.DBT with 0xa000000
# test for bytes 0x0a,version byte (0,2,3,4,5),compression byte flag(0,1), bit depth (>0) of PCX or T5.DBT,T6.DBT
-0 ubelong&0xffF8fe00 0x0a000000
-# for PCX bit depth > 0
->3 ubyte >0
+0 ubelong&0xffF8fe00 0x0a000000
+# for PCX bit depth > 0
+>3 ubyte >0
# test for valid versions
->>1 ubyte <6
+>>1 ubyte <6
>>>1 ubyte !1 PCX
!:mime image/x-pcx
#!:mime image/pcx
@@ -828,29 +847,29 @@
# Update: Joerg Jenderek
# See http://fileformats.archiveteam.org/wiki/GEM_Raster
# For variations, also see:
-# http://www.seasip.info/Gem/ff_img.html (Ventura)
+# http://www.seasip.info/Gem/ff_img.html (Ventura)
# http://www.atari-wiki.com/?title=IMG_file (XIMG, STTT)
# http://www.fileformat.info/format/gemraster/spec/index.htm (XIMG, STTT)
# http://sylvana.net/1stguide/1STGUIDE.ENG (TIMG)
0 beshort 0x0001
# header_size
->2 beshort 0x0008
+>2 beshort 0x0008
>>0 use gem_info
->2 beshort 0x0009
+>2 beshort 0x0009
>>0 use gem_info
# no example for NOSIG
->2 beshort 24
+>2 beshort 24
>>0 use gem_info
# no example for HYPERPAINT
->2 beshort 25
+>2 beshort 25
>>0 use gem_info
-16 string XIMG\0
+16 string XIMG\0
>0 use gem_info
# no example
-16 string STTT\0\x10
+16 string STTT\0\x10
>0 use gem_info
# no example or description
-16 string TIMG\0
+16 string TIMG\0
>0 use gem_info
0 name gem_info
@@ -859,15 +878,15 @@
# http://www.snowstone.org.uk/riscos/mimeman/mimemap.txt
!:mime image/x-gem
# header_size 24 25 27 59 779 words for colored bitmaps
->>2 beshort >9
+>>2 beshort >9
>>>16 string STTT\0\x10 STTT
>>>16 string TIMG\0 TIMG
# HYPERPAINT or NOSIG variant
->>>16 string \0\x80
+>>>16 string \0\x80
>>>>2 beshort =24 NOSIG
>>>>2 beshort !24 HYPERPAINT
# NOSIG or XIMG variant
->>>16 default x
+>>>16 default x
>>>>16 string !XIMG\0 NOSIG
>>16 string =XIMG\0 XIMG Image data
!:ext img/ximg
@@ -1177,7 +1196,7 @@
# updated by: Joerg Jenderek
# URL: http://techmods.net/nuvi/
0 string GARMIN\ BITMAP\ 01 Garmin Bitmap file
-# extension is also used for
+# extension is also used for
# Sony SRF raw image (image/x-sony-srf)
# SRF map
# Terragen Surface Map (http://www.planetside.co.uk/terragen)
@@ -1318,7 +1337,7 @@
!:mime image/x-icns
!:apple ????icns
!:ext icns
->4 ubelong >0
+>4 ubelong >0
# file size
>>4 ubelong x \b, %d bytes
# icon type
@@ -1451,3 +1470,12 @@
>0x10 string GVRT Sega GVR image:
>>0x10 use sega-gvr-image-header
>>0x08 belong x \b, global index = %u
+
+# Light Field Picture
+# Documentation: http://optics.miloush.net/lytro/TheFileFormat.aspx
+# Typical file extensions: .lfp .lfr .lfx
+
+0 belong 0x894C4650
+>4 belong 0x0D0A1A0A
+>12 belong 0x00000000 Lytro Light Field Picture
+>8 belong x \b, version %d
Index: contrib/file/magic/Magdir/kerberos
===================================================================
--- contrib/file/magic/Magdir/kerberos (版本 330566)
+++ contrib/file/magic/Magdir/kerberos (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: kerberos,v 1.1 2014/12/10 18:45:43 christos Exp $
+# $File: kerberos,v 1.2 2017/03/17 21:35:28 christos Exp $
# kerberos: MIT kerberos file binary formats
#
@@ -38,7 +38,7 @@
>>>>>&0 bedate x \b, date=%s
>>>>>>&0 byte x \b, kvno=%u
#>>>>>>>&0 pstring/H x
-#>>>>>>>>&0 belong x
+#>>>>>>>>&0 belong x
#>>>>>>>>>>&0 use keytab_entry
0 belong 0x05020000 Kerberos Keytab file
Index: contrib/file/magic/Magdir/compress
===================================================================
--- contrib/file/magic/Magdir/compress (版本 330566)
+++ contrib/file/magic/Magdir/compress (版本 330908)
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# $File: compress,v 1.66 2016/09/16 12:12:05 christos Exp $
+# $File: compress,v 1.68 2017/05/25 20:07:23 christos Exp $
# compress: file(1) magic for pure-compression formats (no archives)
#
# compress, gzip, pack, compact, huf, squeeze, crunch, freeze, yabba, etc.
@@ -223,7 +223,7 @@
# Zstandard/LZ4 skippable frames
# https://github.com/facebook/zstd/blob/dev/zstd_compression_format.md
0 lelong&0xFFFFFFF0 0x184D2A50
->(4.l+8) indirect
+>(4.l+8) indirect x
# Zstandard Dictionary ID subroutine
0 name zstd-dictionary-id
@@ -310,7 +310,7 @@
# Zlib https://www.ietf.org/rfc/rfc6713.txt
0 string/b x
->0 beshort%31 =0
+>0 beshort%31 =0
>>0 byte&0xf =8
>>>0 byte&0x80 =0 zlib compressed data
!:mime application/zlib
Index: contrib/file/magic/Magdir/der
===================================================================
--- contrib/file/magic/Magdir/der (版本 330566)
+++ contrib/file/magic/Magdir/der (版本 330908)
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# $File: der,v 1.1 2016/01/19 15:07:45 christos Exp $
+# $File: der,v 1.2 2017/03/17 21:35:28 christos Exp $
# der: file(1) magic for DER encoded files
#
@@ -32,37 +32,37 @@
# Key Pairs
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int65=x
>&0 der int3=010001 DER Encoded Key Pair, 512 bits
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int129=x
>&0 der int3=010001 DER Encoded Key Pair, 1024 bits
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int257=x
>&0 der int3=010001 DER Encoded Key Pair, 2048 bits
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int513=x
>&0 der int3=010001 DER Encoded Key Pair, 4096 bits
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int1025=x
>&0 der int3=010001 DER Encoded Key Pair, 8192 bits
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int2049=x
>&0 der int3=010001 DER Encoded Key Pair, 16k bits
0 der seq
->&0 der int1=00
+>&0 der int1=00
>&0 der int4097=x
>&0 der int3=010001 DER Encoded Key Pair, 32k bits
Index: contrib/file/magic/Magdir/intel
===================================================================
--- contrib/file/magic/Magdir/intel (版本 330566)
+++ contrib/file/magic/Magdir/intel (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: intel,v 1.14 2015/11/10 00:13:27 christos Exp $
+# $File: intel,v 1.15 2017/03/17 21:35:28 christos Exp $
# intel: file(1) magic for x86 Unix
#
# Various flavors of x86 UNIX executable/object (other than Xenix, which
@@ -36,8 +36,8 @@
# ./msdos (version 5.25) labeled the next entry as "MS Windows COFF Intel 80386 object file"
# ./intel (version 5.25) label labeled the next entry as "80386 COFF executable"
# SGI labeled the next entry as "iAPX 386 executable" --Dan Quinlan
-0 leshort =0514
-# use subroutine to display name+flags+variables for common object formated files
+0 leshort =0514
+# use subroutine to display name+flags+variables for common object formated files
>0 use display-coff
#>12 lelong >0 not stripped
# no hint found, that at offset 22 is version
Index: contrib/file/magic/Magdir/kml
===================================================================
--- contrib/file/magic/Magdir/kml (版本 330566)
+++ contrib/file/magic/Magdir/kml (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: kml,v 1.3 2010/11/25 15:00:12 christos Exp $
+# $File: kml,v 1.4 2017/03/17 21:35:28 christos Exp $
# Type: Google KML, formerly Keyhole Markup Language
# Future development of this format has been handed
# over to the Open Geospatial Consortium.
@@ -7,7 +7,7 @@
# http://www.opengeospatial.org/standards/kml/
# From: Asbjoern Sloth Toennesen <asbjorn@lila.io>
0 string/t \<?xml
->20 search/400 \ xmlns=
+>20 search/400 \ xmlns=
>>&0 regex ['"]http://earth.google.com/kml Google KML document
!:mime application/vnd.google-earth.kml+xml
>>>&1 string 2.0' \b, version 2.0
@@ -25,7 +25,7 @@
>>>&1 string/t 2.2 \b, version 2.2
#------------------------------------------------------------------------------
-# Type: Google KML Archive (ZIP based)
+# Type: Google KML Archive (ZIP based)
# http://code.google.com/apis/kml/documentation/kml_tut.html
# From: Asbjoern Sloth Toennesen <asbjorn@lila.io>
0 string PK\003\004
Index: contrib/file/magic/Magdir/macintosh
===================================================================
--- contrib/file/magic/Magdir/macintosh (版本 330566)
+++ contrib/file/magic/Magdir/macintosh (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: macintosh,v 1.26 2015/11/25 00:36:02 christos Exp $
+# $File: macintosh,v 1.27 2017/03/17 21:35:28 christos Exp $
# macintosh description
#
# BinHex is the Macintosh ASCII-encoded file format (see also "apple")
@@ -109,9 +109,9 @@
# the assumption that 65-72 will all be ASCII (0x20-0x7F), that 73 will
# have bits 1 (changed), 2 (busy), 3 (bozo), and 6 (invisible) unset,
# and that 74 will be 0. So something like
-#
+#
# 71 belong&0x80804EFF 0x00000000 Macintosh MacBinary data
-#
+#
# >73 byte&0x01 0x01 \b, inited
# >73 byte&0x02 0x02 \b, changed
# >73 byte&0x04 0x04 \b, busy
@@ -254,7 +254,7 @@
>0x9C string INDEX data file index
>0x9C string VIEW data view
-# spss magic for SPSS system and portable files,
+# spss magic for SPSS system and portable files,
# from Bruce Foster (bef@nwu.edu).
0 long 0xc1e2c3c9 SPSS Portable File
@@ -273,7 +273,7 @@
# entries depend on the data arithmetic added after v.35
# There's also some Pascal strings in here, ditto...
-# The boot block signature, according to IM:Files, is
+# The boot block signature, according to IM:Files, is
# "for HFS volumes, this field always contains the value 0x4C4B."
# But if this is true for MFS or HFS+ volumes, I don't know.
# Alternatively, the boot block is supposed to be zeroed if it's
@@ -291,10 +291,10 @@
# *.hfs updated by Joerg Jenderek
# http://en.wikipedia.org/wiki/Hierarchical_File_System
# "BD" gives many false positives
-0x400 beshort 0x4244
+0x400 beshort 0x4244
# ftp://ftp.mars.org/pub/hfs/hfsutils-3.2.6.tar.gz/hfsutils-3.2.6/libhfs/apple.h
# first block of volume bit map (always 3)
->0x40e ubeshort 0x0003
+>0x40e ubeshort 0x0003
# maximal length of volume name is 27
>>0x424 ubyte <28 Macintosh HFS data
!:mime application/x-apple-diskimage
@@ -351,15 +351,15 @@
#>0x230 string x first type: %s,
#>0x210 string x name: %s,
#>0x254 belong x number of blocks: %d,
-#>0x400 beshort 0x504D
+#>0x400 beshort 0x504D
#>>0x430 string x second type: %s,
#>>0x410 string x name: %s,
#>>0x454 belong x number of blocks: %d,
-#>>0x800 beshort 0x504D
+#>>0x800 beshort 0x504D
#>>>0x830 string x third type: %s,
#>>>0x810 string x name: %s,
#>>>0x854 belong x number of blocks: %d,
-#>>>0xa00 beshort 0x504D
+#>>>0xa00 beshort 0x504D
#>>>>0xa30 string x fourth type: %s,
#>>>>0xa10 string x name: %s,
#>>>>0xa54 belong x number of blocks: %d
Index: contrib/file/magic/Magdir/mathematica
===================================================================
--- contrib/file/magic/Magdir/mathematica (版本 330566)
+++ contrib/file/magic/Magdir/mathematica (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: mathematica,v 1.8 2015/04/09 20:01:40 christos Exp $
+# $File: mathematica,v 1.9 2017/03/17 21:35:28 christos Exp $
# mathematica: file(1) magic for mathematica files
# "H. Nanosecond" <aldomel@ix.netcom.com>
# Mathematica a multi-purpose math program
@@ -49,7 +49,7 @@
#0 string (*This\ is\ a\ Mathematica\ binary\ dump\ file.\ It\ can\ be\ loaded\ with\ Get.*) Mathematica binary file
0 string (*This\ is\ a\ Mathematica\ binary\ Mathematica binary file
-#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000
+#>71 string \000\010\010\010\010\000\000\000\000\000\000\010\100\010\000\000\000
# >71... is optional
>88 string >\0 from %s
@@ -59,7 +59,7 @@
0 string MMAPBF\000\001\000\000\000\203\000\001\000 Mathematica PBF (fonts I think)
# .ml files These are menu resources I think
-# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\
+# these start with "[0-9][0-9][0-9]\ A~[0-9][0-9][0-9]\
# how to put that into a magic rule?
4 string \ A~ MAthematica .ml file
Index: contrib/file/magic/Magdir/mime
===================================================================
--- contrib/file/magic/Magdir/mime (版本 330566)
+++ contrib/file/magic/Magdir/mime (版本 330908)
@@ -1,9 +1,9 @@
#------------------------------------------------------------------------------
-# $File: mime,v 1.6 2010/11/25 15:00:12 christos Exp $
+# $File: mime,v 1.8 2017/03/17 22:20:22 christos Exp $
# mime: file(1) magic for MIME encoded files
#
-0 string/t Content-Type:\
+0 string/t Content-Type:\040
>14 string >\0 %s
0 string/t Content-Type:
>13 string >\0 %s
Index: contrib/file/magic/Magdir/msdos
===================================================================
--- contrib/file/magic/Magdir/msdos (版本 330566)
+++ contrib/file/magic/Magdir/msdos (版本 330908)
@@ -1,12 +1,12 @@
#------------------------------------------------------------------------------
-# $File: msdos,v 1.111 2016/09/14 01:26:26 christos Exp $
+# $File: msdos,v 1.120 2017/08/13 00:21:47 christos Exp $
# msdos: file(1) magic for MS-DOS files
#
# .BAT files (Daniel Quinlan, quinlan@yggdrasil.com)
# updated by Joerg Jenderek at Oct 2008,Apr 2011
-0 string/t @
+0 string/t @
>1 string/cW \ echo\ off DOS batch file text
!:mime text/x-msdos-batch
>1 string/cW echo\ off DOS batch file text
@@ -230,7 +230,7 @@
>>(8.s*16) string go32stub for MS-DOS, DJGPP go32 DOS extender
>>(8.s*16) string emx
>>>&1 string x for DOS, Win or OS/2, emx %s
->>&(&0x42.l-3) byte x
+>>&(&0x42.l-3) byte x
>>>&0x26 string UPX \b, UPX compressed
# and yet another guess: small .text, and after large .data is unusal, could be 32lite
>>&0x2c search/0xa0 .text
@@ -240,8 +240,8 @@
>(8.s*16) string $WdX \b, WDos/X DOS extender
# By now an executable type should have been printed out. The executable
-# may be a self-uncompressing archive, so look for evidence of that and
-# print it out.
+# may be a self-uncompressing archive, so look for evidence of that and
+# print it out.
#
# Some signatures below from Greg Roelofs, newt@uchicago.edu.
#
@@ -283,8 +283,8 @@
# Skip to the end of the EXE. This will usually work fine in the PE case
# because the MZ image is hardcoded into the toolchain and almost certainly
# won't match any of these signatures.
->(4.s*512) long x
->>&(2.s-517) byte x
+>(4.s*512) long x
+>>&(2.s-517) byte x
>>>&0 string PK\3\4 \b, ZIP self-extracting archive
>>>&0 string Rar! \b, RAR self-extracting archive
>>>&0 string =!\x11 \b, AIN 2.x self-extracting archive
@@ -312,71 +312,77 @@
# only version=0x100 found
>3 uleshort x \b, version 0x%x
# length of string containing author,info and special characters
->6 ubyte >0
+>6 ubyte >0
#>>6 pstring x \b, name=%s
>>7 string >\0 \b, author=%-.14s
>>7 search/254 \xff \b, info=
#>>>&0 string x \b%-s
>>>&0 string x \b%-.15s
-# for FreeDOS *.KL files
+# for FreeDOS *.KL files
0 string/b KLF FreeDOS KEYBoard Layout file
# only version=0x100 or 0x101 found
>3 uleshort x \b, version 0x%x
# stringlength
->5 ubyte >0
+>5 ubyte >0
>>8 string x \b, name=%-.2s
-0 string \xffKEYB\ \ \ \0\0\0\0
+0 string \xffKEYB\ \ \ \0\0\0\0
>12 string \0\0\0\0`\004\360 MS-DOS KEYBoard Layout file
-# DOS device driver updated by Joerg Jenderek at May 2011
-# http://maben.homeip.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
-0 ulequad&0x07a0ffffffff 0xffffffff DOS executable (
->40 search/7 UPX! \bUPX compressed
+# DOS device driver updated by Joerg Jenderek at May 2011,Mar 2017
+# https://amaus.net/static/S100/IBM/software/DOS/DOS%20techref/CHAPTER.009
+0 ulequad&0x07a0ffffffff 0xffffffff
+>0 use msdos-driver
+0 name msdos-driver DOS executable (
+#!:mime application/octet-stream
+!:mime application/x-dosdriver
+# also found FreeDOS print driver SPOOL.DEV and disc compression driver STACLOAD.BIN
+!:ext sys/dev/bin
+>40 search/7 UPX! \bUPX compressed
# DOS device driver attributes
>4 uleshort&0x8000 0x0000 \bblock device driver
# character device
>4 uleshort&0x8000 0x8000 \b
->>4 uleshort&0x0008 0x0008 \bclock
+>>4 uleshort&0x0008 0x0008 \bclock
# fast video output by int 29h
->>4 uleshort&0x0010 0x0010 \bfast
+>>4 uleshort&0x0010 0x0010 \bfast
# standard input/output device
->>4 uleshort&0x0003 >0 \bstandard
+>>4 uleshort&0x0003 >0 \bstandard
>>>4 uleshort&0x0001 0x0001 \binput
>>>4 uleshort&0x0003 0x0003 \b/
->>>4 uleshort&0x0002 0x0002 \boutput
+>>>4 uleshort&0x0002 0x0002 \boutput
>>4 uleshort&0x8000 0x8000 \bcharacter device driver
->0 ubyte x
+>0 ubyte x
# upx compressed device driver has garbage instead of real in name field of header
->>40 search/7 UPX!
->>40 default x
+>>40 search/7 UPX!
+>>40 default x
# leading/trailing nulls, zeros or non ASCII characters in 8-byte name field at offset 10 are skipped
->>>12 ubyte >0x27 \b
->>>>10 ubyte >0x20
->>>>>10 ubyte !0x2E
+>>>12 ubyte >0x2E \b
+>>>>10 ubyte >0x20
+>>>>>10 ubyte !0x2E
>>>>>>10 ubyte !0x2A \b%c
->>>>11 ubyte >0x20
+>>>>11 ubyte >0x20
>>>>>11 ubyte !0x2E \b%c
->>>>12 ubyte >0x20
->>>>>12 ubyte !0x39
+>>>>12 ubyte >0x20
+>>>>>12 ubyte !0x39
>>>>>>12 ubyte !0x2E \b%c
->>>13 ubyte >0x20
+>>>13 ubyte >0x20
>>>>13 ubyte !0x2E \b%c
->>>>14 ubyte >0x20
+>>>>14 ubyte >0x20
>>>>>14 ubyte !0x2E \b%c
->>>>15 ubyte >0x20
+>>>>15 ubyte >0x20
>>>>>15 ubyte !0x2E \b%c
->>>>16 ubyte >0x20
->>>>>16 ubyte !0x2E
+>>>>16 ubyte >0x20
+>>>>>16 ubyte !0x2E
>>>>>>16 ubyte <0xCB \b%c
->>>>17 ubyte >0x20
->>>>>17 ubyte !0x2E
+>>>>17 ubyte >0x20
+>>>>>17 ubyte !0x2E
>>>>>>17 ubyte <0x90 \b%c
# some character device drivers like ASPICD.SYS, btcdrom.sys and Cr_atapi.sys contain only spaces or points in name field
->>>4 uleshort&0x8000 0x8000
->>>>12 ubyte <0x2F
+>>>12 ubyte <0x2F
# they have their real name at offset 22
->>>>>22 string >\0 \b%-.5s
->4 uleshort&0x8000 0x0000
+# also block device drivers like DUMBDRV.SYS
+>>>>22 string >\056 %-.6s
+>4 uleshort&0x8000 0x0000
# 32 bit sector addressing ( > 32 MB) for block devices
>>4 uleshort&0x0002 0x0002 \b,32-bit sector-
# support by driver functions 13h, 17h, 18h
@@ -384,33 +390,42 @@
# open, close, removable media support by driver functions 0Dh, 0Eh, 0Fh
>4 uleshort&0x0800 0x0800 \b,close media-
# output until busy support by int 10h for character device driver
->4 uleshort&0x8000 0x8000
+>4 uleshort&0x8000 0x8000
>>4 uleshort&0x2000 0x2000 \b,until busy-
# direct read/write support by driver functions 03h,0Ch
>4 uleshort&0x4000 0x4000 \b,control strings-
->4 uleshort&0x8000 0x8000
+>4 uleshort&0x8000 0x8000
>>4 uleshort&0x6840 >0 \bsupport
->4 uleshort&0x8000 0x0000
+>4 uleshort&0x8000 0x0000
>>4 uleshort&0x4842 >0 \bsupport
>0 ubyte x \b)
-# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
-# Too weak, matches files that only contain 0's
-#0 ulequad&0x000007a0ffffffed 0x0000000000000000 DOS-executable (
-#>4 uleshort&0x8000 0x8000 \bcharacter device driver
-#>>10 string x %-.8s
-#>4 uleshort&0x4000 0x4000 \b,control strings-support)
+# DOS driver cmd640x.sys has 0x12 instead of 0xffffffff for pointer field to next device header
+0 ulequad 0x0513c00000000012
+>0 use msdos-driver
+# DOS drivers DC2975.SYS, DUMBDRV.SYS, ECHO.SYS has also none 0xffffffff for pointer field
+0 ulequad 0x32f28000ffff0016
+>0 use msdos-driver
+0 ulequad 0x007f00000000ffff
+>0 use msdos-driver
+0 ulequad 0x001600000000ffff
+>0 use msdos-driver
+# DOS drivers LS120.SYS, MKELS120.SYS use reserved bits of attribute field
+0 ulequad 0x0bf708c2ffffffff
+>0 use msdos-driver
+0 ulequad 0x07bd08c2ffffffff
+>0 use msdos-driver
# updated by Joerg Jenderek
-# GRR: line below too general as it catches also
+# GRR: line below too general as it catches also
# rt.lib DYADISKS.PIC and many more
# start with assembler instruction MOV
-0 ubyte 0x8c
+0 ubyte 0x8c
# skip "AppleWorks word processor data" like ARTICLE.1 ./apple
->4 string !O====
+>4 string !O====
# skip some unknown basic binaries like RocketRnger.SHR
->>5 string !MAIN
+>>5 string !MAIN
# skip "GPG symmetrically encrypted data" ./gnu
-# skip "PGP symmetric key encrypted data" ./pgp
+# skip "PGP symmetric key encrypted data" ./pgp
# openpgpdefs.h: fourth byte < 14 indicate cipher algorithm type
>>>4 ubyte >13 DOS executable (COM, 0x8C-variant)
# the remaining files should be DOS *.COM executables
@@ -428,7 +443,7 @@
# updated by Joerg Jenderek at Oct 2008
0 ulelong 0xffff10eb DR-DOS executable (COM)
# byte 0xeb conflicts with "sequent" magic leshort 0xn2eb
-0 ubeshort&0xeb8d >0xeb00
+0 ubeshort&0xeb8d >0xeb00
# DR-DOS STACKER.COM SCREATE.SYS missed
0 name msdos-com
@@ -463,9 +478,9 @@
# updated by Joerg Jenderek at Oct 2008,2015
# following line is too general
-0 ubyte 0xb8
+0 ubyte 0xb8
# skip 2 linux kernels like memtest.bin with "\xb8\xc0\x07\x8e" in ./linux
->0 string !\xb8\xc0\x07\x8e
+>0 string !\xb8\xc0\x07\x8e
# modified by Joerg Jenderek
# syslinux COM32 or COM32R executable
>>1 lelong&0xFFFFFFFe 0x21CD4CFe COM executable (32-bit COMBOOT
@@ -496,8 +511,8 @@
#!:mime application/x-msdos-program
!:ext com
-0 string/b \x81\xfc
->4 string \x77\x02\xcd\x20\xb9
+0 string/b \x81\xfc
+>4 string \x77\x02\xcd\x20\xb9
>>36 string UPX! FREE-DOS executable (COM), UPX compressed
252 string Must\ have\ DOS\ version DR-DOS executable (COM)
# added by Joerg Jenderek at Oct 2008
@@ -514,10 +529,10 @@
#IFMEMDSK.cOM ASSIGN.cOM COMP.cOM
5 string \xcd\x21 COM executable for DOS
#DELTMP.COm HASFAT32.cOM
-7 string \xcd\x21
+7 string \xcd\x21
>0 byte !0xb8 COM executable for DOS
#COMP.cOM MORE.COm
-10 string \xcd\x21
+10 string \xcd\x21
>5 string !\xcd\x21 COM executable for DOS
#comecho.com
13 string \xcd\x21 COM executable for DOS
@@ -565,10 +580,23 @@
0 string/b PO^Q` Microsoft Word 6.0 Document
!:mime application/msword
#
-0 string/b \376\067\0\043 Microsoft Office Document
+4 long 0
+>0 belong 0xfe320000 Microsoft Word for Macintosh 1.0
!:mime application/msword
-0 string/b \333\245-\0\0\0 Microsoft Office Document
+!:ext mcw
+>0 belong 0xfe340000 Microsoft Word for Macintosh 3.0
!:mime application/msword
+!:ext mcw
+>0 belong 0xfe37001c Microsoft Word for Macintosh 4.0
+!:mime application/msword
+!:ext mcw
+>0 belong 0xfe370023 Microsoft Word for Macintosh 5.0
+!:mime application/msword
+!:ext mcw
+
+0 string/b \333\245-\0\0\0 Microsoft Word 2.0 Document
+!:mime application/msword
+!:ext doc
512 string/b \354\245\301 Microsoft Word Document
!:mime application/msword
@@ -599,11 +627,11 @@
# Reference: http://www.aboutvb.de/bas/formate/pdf/wk3.pdf
# Note: newer Lotus versions >2 use longer BOF record
# record type (BeginningOfFile=0000h) + length (001Ah)
-0 belong 0x00001a00
+0 belong 0x00001a00
# reserved should be 0h but 8c0dh for TUTMAC.WK3, 5h for SAMPADNS.WK3, 1h for a_readme.wk3, 1eh for K&G86.WK3
-#>18 uleshort&0x73E0 0
+#>18 uleshort&0x73E0 0
# Lotus Multi Byte Character Set (LMBCS=1-31)
->20 ubyte >0
+>20 ubyte >0
>>20 ubyte <32 Lotus 1-2-3
#!:mime application/x-123
!:mime application/vnd.lotus-1-2-3
@@ -640,10 +668,10 @@
!:ext fXX
# main revision number
>>>>4 uleshort x \b, revision 0x%x
->>>6 uleshort =0x0004 \b, cell range
+>>>6 uleshort =0x0004 \b, cell range
# active cellcoord range (start row, page,column ; end row, page, column)
# start values normally 0~1st sheet A1
->>>>8 ulelong !0
+>>>>8 ulelong !0
>>>>>10 ubyte >0 \b%d*
>>>>>8 uleshort x \b%d,
>>>>>11 ubyte x \b%d-
@@ -656,9 +684,9 @@
>>>>20 ubyte >1 \b, character set 0x%x
# flags
>>>>21 ubyte x \b, flags 0x%x
->>>6 uleshort !0x0004
+>>>6 uleshort !0x0004
# record type (FONTNAME=00AEh)
->>>>30 search/29 \0\xAE
+>>>>30 search/29 \0\xAE
# variable length m (2) + entries (1) + ?? (1) + LCMBS string (n)
>>>>>&4 string >\0 \b, 1st font "%s"
#
@@ -667,12 +695,12 @@
# Reference: http://www.schnarff.com/file-formats/lotus-1-2-3/WSFF2.TXT
# Note: Used by both old Lotus 1-2-3 and Lotus Symphony (DOS) til version 2.x
# record type (BeginningOfFile=0000h) + length (0002h)
-0 belong 0x00000200
+0 belong 0x00000200
# GRR: line above is too general as it catches also MS Windows CURsor
# to display MS Windows cursor (strength=70) before Lotus 1-2-3 (strength=70-1)
!:strength -1
# skip Windows cursors with image height <256 and keep Lotus with low opcode 0001-0083h
->7 ubyte 0
+>7 ubyte 0
# skip Windows cursors with image width 256 and keep Lotus with positiv opcode
>>6 ubyte >0 Lotus
# !:mime application/x-123
@@ -737,9 +765,9 @@
# check and then display Lotus worksheet cells range
0 name lotus-cells
# look for type (RANGE=0006h) + length (0008h) at record begin
->0 ubelong 0x06000800 \b, cell range
+>0 ubelong 0x06000800 \b, cell range
# cell range (start column, row, end column, row) start values normally 0,0~A1 cell
->>4 ulong !0
+>>4 ulong !0
>>>4 uleshort x \b%d,
>>>6 uleshort x \b%d-
# end of cell range
@@ -792,19 +820,19 @@
# Windows icons
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
-# Note: similiar to Windows CURsor. container for BMP (only DIB part) or PNG
+# Note: similar to Windows CURsor. container for BMP (only DIB part) or PNG
0 belong 0x00000100
>9 byte 0
->>0 byte x
+>>0 byte x
>>0 use cur-ico-dir
>9 ubyte 0xff
->>0 byte x
+>>0 byte x
>>0 use cur-ico-dir
# displays number of icons and information for icon or cursor
0 name cur-ico-dir
# skip some Lotus 1-2-3 worksheets, CYCLE.PIC and keep Windows cursors with
# 1st data offset = dir header size + n * dir entry size = 6 + n * 10h = ?6h
->18 ulelong &0x00000006
+>18 ulelong &0x00000006
# skip remaining worksheets, because valid only for DIB image (40) or PNG image (\x89PNG)
>>(18.l) ulelong x MS Windows
>>>0 ubelong 0x00000100 icon resource
@@ -817,7 +845,7 @@
# 1st icon
>>>>0x06 use ico-entry
# 2nd icon
->>>>4 uleshort >1
+>>>>4 uleshort >1
>>>>>0x16 use ico-entry
>>>0 ubelong 0x00000200 cursor resource
#!:mime image/x-cur
@@ -854,16 +882,16 @@
# offset of PNG or DIB image
#>12 ulelong x \b, offset 0x%x
# PNG header (\x89PNG)
->(12.l) ubelong =0x89504e47
->>&-4 indirect x \b with
+>(12.l) ubelong =0x89504e47
+>>&-4 indirect x \b with
# DIB image
->(12.l) ubelong !0x89504e47
+>(12.l) ubelong !0x89504e47
#>>&-4 use dib-image
# Windows non-animated cursors
# Update: Joerg Jenderek
# URL: https://en.wikipedia.org/wiki/CUR_(file_format)
-# Note: similiar to Windows ICOn. container for BMP ( only DIB part)
+# Note: similar to Windows ICOn. container for BMP ( only DIB part)
# GRR: line below is too general as it catches also Lotus 1-2-3 files
0 belong 0x00000200
>9 byte 0
@@ -872,13 +900,13 @@
>>0 use cur-ico-dir
# .chr files
-0 string/b PK\010\010BGI Borland font
+0 string/b PK\010\010BGI Borland font
>4 string >\0 %s
# then there is a copyright notice
# .bgi files
-0 string/b pk\010\010BGI Borland device
+0 string/b pk\010\010BGI Borland device
>4 string >\0 %s
# then there is a copyright notice
@@ -909,7 +937,7 @@
0 lelong 0x08086b70 TurboC BGI file
0 lelong 0x08084b50 TurboC Font file
-# Debian#712046: The magic below identifies "Delphi compiled form data".
+# Debian#712046: The magic below identifies "Delphi compiled form data".
# An additional source of information is available at:
# http://www.woodmann.com/fravia/dafix_t1.htm
0 string TPF0
@@ -918,7 +946,7 @@
# tests for DBase files moved, updated and merged to database
0 string PMCC Windows 3.x .GRP file
-1 string RDC-meg MegaDots
+1 string RDC-meg MegaDots
>8 byte >0x2F version %c
>9 byte >0x2F \b.%c file
0 lelong 0x4C
@@ -935,16 +963,16 @@
#>0x181 leshort x \b, offset %x
#>0x183 leshort x \b, offsetdata %x
#>0x185 leshort x \b, section length %x
->0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
->>&0x5e ubyte >0
+>0x187 search/0xB55 WINDOWS\ VMM\ 4.0\0
+>>&0x5e ubyte >0
>>>&-1 string <PIFMGR.DLL \b, icon=%s
#>>>&-1 string PIFMGR.DLL \b, icon=%s
>>>&-1 string >PIFMGR.DLL \b, icon=%s
->>&0xF0 ubyte >0
+>>&0xF0 ubyte >0
>>>&-1 string <Terminal \b, font=%.32s
#>>>&-1 string =Terminal \b, font=%.32s
>>>&-1 string >Terminal \b, font=%.32s
->>&0x110 ubyte >0
+>>&0x110 ubyte >0
>>>&-1 string <Lucida\ Console \b, TrueTypeFont=%.32s
#>>>&-1 string =Lucida\ Console \b, TrueTypeFont=%.32s
>>>&-1 string >Lucida\ Console \b, TrueTypeFont=%.32s
@@ -960,6 +988,7 @@
# DOS EPS Binary File Header
# From: Ed Sznyter <ews@Black.Market.NET>
0 belong 0xC5D0D3C6 DOS EPS Binary File
+!:mime image/x-eps
>4 long >0 Postscript starts at byte %d
>>8 long >0 length %d
>>>12 long >0 Metafile starts at byte %d
@@ -967,15 +996,15 @@
>>>20 long >0 TIFF starts at byte %d
>>>>24 long >0 length %d
-# TNEF magic From "Joomy" <joomy@se-ed.net>
+# TNEF magic From "Joomy" <joomy@se-ed.net>
# Microsoft Outlook's Transport Neutral Encapsulation Format (TNEF)
-0 leshort 0x223e9f78 TNEF
+0 lelong 0x223e9f78 TNEF
!:mime application/vnd.ms-tnef
# Norton Guide (.NG , .HLP) files added by Joerg Jenderek from source NG2HTML.C
# of http://www.davep.org/norton-guides/ng2h-105.tgz
# http://en.wikipedia.org/wiki/Norton_Guides
-0 string NG\0\001
+0 string NG\0\001
# only value 0x100 found at offset 2
>2 ulelong 0x00000100 Norton Guide
# Title[40]
@@ -985,7 +1014,7 @@
>>48 string >\0 \b, %-.66s
>>114 string >\0 %-.66s
-# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
+# 4DOS help (.HLP) files added by Joerg Jenderek from source TPHELP.PAS
# of http://www.4dos.info/
# pointer,HelpID[8]=4DHnnnmm
0 ulelong 0x48443408 4DOS help file
@@ -1033,7 +1062,7 @@
# Windows Enhanced Metafile (EMF)
-# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
+# See msdn.microsoft.com/archive/en-us/dnargdi/html/msdn_enhmeta.asp
# for further information.
0 ulelong 1
>40 string \ EMF Windows Enhanced Metafile (EMF) image data
@@ -1095,7 +1124,7 @@
0 string/b MSWIM\000\000\000 Windows imaging (WIM) image
0 string/b WLPWM\000\000\000 Windows imaging (WIM) image, wimlib pipable format
-# The second byte of these signatures is a file version; I don't know what,
+# The second byte of these signatures is a file version; I don't know what,
# if anything, produced files with version numbers 0-2.
# From: John Elliott <johne@seasip.demon.co.uk>
0 string \xfc\x03\x00 Mallard BASIC program data (v1.11)
@@ -1106,3 +1135,66 @@
0 string MIOPEN Mallard BASIC Jetsam data
0 string Jetsam0 Mallard BASIC Jetsam index data
+# DOS backup 2.0 to 3.2
+
+# backupid.@@@
+
+# plausibility check for date
+0x3 ushort >1979
+>0x5 ubyte-1 <31
+>>0x6 ubyte-1 <12
+# actually 121 nul bytes
+>>>0x7 string \0\0\0\0\0\0\0\0
+>>>>0x1 ubyte x DOS 2.0 backup id file, sequence %d
+!:ext @@@
+>>>>0x0 ubyte 0xff \b, last disk
+
+# backed up file
+
+# skip some AppleWorks word like Tomahawk.Awp, WIN98SE-DE.vhd
+# by looking for trailing nul of maximal file name string
+0x52 ubyte 0
+# test for flag byte: FFh~complete file, 00h~split file
+# FFh -127 = -1 -127 = -128
+# 00h -127 = 0 -127 = -127
+>0 byte-127 <-126
+# plausibility check for file name length
+>>0x53 ubyte-1 <78
+# looking for terminating nul of file name string
+>>>(0x53.b+4) ubyte 0
+# looking if last char of string is valid DOS file name
+>>>>(0x53.b+3) ubyte >0x1F
+# actually 44 nul bytes
+# but sometimes garbage according to Ralf Quint. So can not be used as test
+#>0x54 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
+# first char of full file name is DOS (5Ch) or UNIX (2Fh) path separator
+# only DOS variant found. UNIX variant according to V32SLASH.TXT in archive PD0315.EXE
+>>>>>5 ubyte&0x8C 0x0C
+# ./msdos (version 5.30) labeled the entry as
+# "DOS 2.0 backed up file %s, split file, sequence %d" or
+# "DOS 2.0 backed up file %s, complete file"
+>>>>>>0 ubyte x DOS 2.0-3.2 backed up
+#>>>>>>0 ubyte 0xff complete
+>>>>>>0 ubyte 0
+>>>>>>>1 uleshort x sequence %d of
+# full file name with path but without drive letter and colon stored from 0x05 til 0x52
+>>>>>>0x5 string x file %s
+# backup name is original filename
+#!:ext *
+# magic/Magdir/msdos, 1169: Warning: EXTENSION type ` *' has bad char '*'
+# file: line 1169: Bad magic entry ' *'
+# after header original file content
+>>>>>>128 indirect x \b;
+
+
+# DOS backup 3.3 to 5.x
+
+# CONTROL.nnn files
+0 string \x8bBACKUP\x20
+# actually 128 nul bytes
+>0xa string \0\0\0\0\0\0\0\0
+>>0x9 ubyte x DOS 3.3 backup control file, sequence %d
+>>0x8a ubyte 0xff \b, last disk
+
+# NB: The BACKUP.nnn files consist of the files backed up,
+# concatenated.
Index: contrib/file/ChangeLog
===================================================================
--- contrib/file/ChangeLog (版本 330566)
+++ contrib/file/ChangeLog (版本 330908)
@@ -1,6 +1,60 @@
+2017-09-02 11:53 Christos Zoulas <christos@zoulas.com>
+
+ * release 5.32
+
+2017-08-28 16:37 Christos Zoulas <christos@zoulas.com>
+
+ * Always reset state in {file,buffer}_apprentice (Krzysztof Wilczynski)
+
+2017-08-27 03:55 Christos Zoulas <christos@zoulas.com>
+
+ * Fix always true condition (Thomas Jarosch)
+
+2017-05-24 17:30 Christos Zoulas <christos@zoulas.com>
+
+ * pickier parsing of numeric values in magic files.
+
+2017-05-23 17:55 Christos Zoulas <christos@zoulas.com>
+
+ * PR/615 add magic_getflags()
+
+2017-05-23 13:55 Christos Zoulas <christos@zoulas.com>
+
+ * release 5.31
+
+2017-03-17 20:32 Christos Zoulas <christos@zoulas.com>
+
+ * remove trailing spaces from magic files
+ * refactor is_tar
+ * better bounds checks for cdf
+
+2017-02-10 12:24 Christos Zoulas <christos@zoulas.com>
+
+ * release 5.30
+
+2017-02-07 23:27 Christos Zoulas <christos@zoulas.com>
+
+ * If we exceeded the offset in a search return no match
+ (Christoph Biedl)
+ * Be more lenient on corrupt CDF files (Christoph Biedl)
+
+2017-02-04 16:46 Christos Zoulas <christos@zoulas.com>
+
+ * pacify ubsan sign extension (oss-fuzz/524)
+
+2017-02-01 12:42 Christos Zoulas <christos@zoulas.com>
+
+ * off by one in cdf parsing (PR/593)
+ * report debugging sections in elf (PR/591)
+
+2016-11-06 10:52 Christos Zoulas <christos@zoulas.com>
+
+ * Allow @@@ in extensions
+ * Add missing overflow check in der magic (Jonas Wagner)
+
2016-10-25 10:40 Christos Zoulas <christos@zoulas.com>
- * release 5.28
+ * release 5.29
2016-10-24 11:20 Christos Zoulas <christos@zoulas.com>
@@ -387,7 +441,7 @@
`
2013-11-06 14:40 Christos Zoulas <christos@zoulas.com>
- * fix erroneous non-zero exit code from non-existant file and message
+ * fix erroneous non-zero exit code from non-existent file and message
2013-10-29 14:25 Christos Zoulas <christos@zoulas.com>
Index: contrib/file/configure
===================================================================
--- contrib/file/configure (版本 330566)
+++ contrib/file/configure (版本 330908)
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for file 5.29.
+# Generated by GNU Autoconf 2.69 for file 5.32.
#
# Report bugs to <christos@astron.com>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='file'
PACKAGE_TARNAME='file'
-PACKAGE_VERSION='5.29'
-PACKAGE_STRING='file 5.29'
+PACKAGE_VERSION='5.32'
+PACKAGE_STRING='file 5.32'
PACKAGE_BUGREPORT='christos@astron.com'
PACKAGE_URL=''
@@ -1328,7 +1328,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures file 5.29 to adapt to many kinds of systems.
+\`configure' configures file 5.32 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1398,7 +1398,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of file 5.29:";;
+ short | recursive ) echo "Configuration of file 5.32:";;
esac
cat <<\_ACEOF
@@ -1509,7 +1509,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-file configure 5.29
+file configure 5.32
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2165,7 +2165,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by file $as_me 5.29, which was
+It was created by file $as_me 5.32, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3031,7 +3031,7 @@
# Define the identity of the package.
PACKAGE='file'
- VERSION='5.29'
+ VERSION='5.32'
cat >>confdefs.h <<_ACEOF
@@ -15075,7 +15075,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by file $as_me 5.29, which was
+This file was extended by file $as_me 5.32, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -15141,7 +15141,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-file config.status 5.29
+file config.status 5.32
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
Index: contrib/file/doc/magic.man
===================================================================
--- contrib/file/doc/magic.man (版本 330566)
+++ contrib/file/doc/magic.man (版本 330908)
@@ -1,5 +1,5 @@
-.\" $File: magic.man,v 1.88 2016/07/27 09:42:49 rrt Exp $
-.Dd July 20, 2016
+.\" $File: magic.man,v 1.91 2017/02/12 15:30:08 christos Exp $
+.Dd February 12, 2017
.Dt MAGIC __FSECTION__
.Os
.\" install as magic.4 on USG, magic.5 on V7, Berkeley and Linux systems.
@@ -7,7 +7,7 @@
.Nm magic
.Nd file command's magic pattern file
.Sh DESCRIPTION
-This manual page documents the format of the magic file as
+This manual page documents the format of magic files as
used by the
.Xr file __CSECTION__
command, version __VERSION__.
@@ -17,13 +17,19 @@
among other tests,
a test for whether the file contains certain
.Dq "magic patterns" .
-The file
-.Pa __MAGIC__
-specifies what patterns are to be tested for, what message or
+The database of these
+.Dq "magic patterns"
+is usually located in a binary file in
+.Pa __MAGIC__.mgc
+or a directory of source text magic pattern fragment files in
+.Pa __MAGIC__ .
+The database specifies what patterns are to be tested for, what message or
MIME type to print if a particular pattern is found,
and additional information to extract from the file.
.Pp
-Each line of the file specifies a test to be performed.
+The format of the source fragment files that are used to build this database
+is as follows:
+Each line of a fragment file specifies a test to be performed.
A test compares the data starting at a particular offset
in the file with a byte value, a string or a numeric value.
If the test succeeds, a message is printed.
@@ -98,13 +104,13 @@
.It B
A byte length (default).
.It H
+A 4 byte big endian length.
+.It h
A 2 byte big endian length.
-.It h
-A 2 byte big little length.
.It L
-A 4 byte big endian length.
+A 4 byte little endian length.
.It l
-A 4 byte big little length.
+A 2 byte little endian length.
.It J
The length includes itself in its count.
.El
@@ -651,7 +657,7 @@
\*[Gt]\*[Gt]\*[Gt]\*[Gt](\*[Am]0xe.l+(-4)) string PK\e3\e4 \eb, ZIP self-extracting archive
.Ed
.Pp
-If you have a list of known avalues at a particular continuation level,
+If you have a list of known values at a particular continuation level,
and you want to provide a switch-like default case:
.Bd -literal -offset indent
# clear that continuation level match
Index: contrib/file/magic/Magdir/amigaos
===================================================================
--- contrib/file/magic/Magdir/amigaos (版本 330566)
+++ contrib/file/magic/Magdir/amigaos (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: amigaos,v 1.15 2012/06/21 01:13:59 christos Exp $
+# $File: amigaos,v 1.16 2017/03/17 21:35:28 christos Exp $
# amigaos: file(1) magic for AmigaOS binary formats:
#
@@ -11,7 +11,7 @@
0 belong 0x000003e7 AmigaOS object/library data
#
0 beshort 0xe310 Amiga Workbench
->2 beshort 1
+>2 beshort 1
>>48 byte 1 disk icon
>>48 byte 2 drawer icon
>>48 byte 3 tool icon
@@ -49,7 +49,7 @@
0 string/c @database AmigaGuide file
# Amiga disk types
-#
+#
0 string RDSK Rigid Disk Block
>160 string x on %.24s
0 string DOS\0 Amiga DOS disk
Index: contrib/file/magic/Magdir/apple
===================================================================
--- contrib/file/magic/Magdir/apple (版本 330566)
+++ contrib/file/magic/Magdir/apple (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: apple,v 1.35 2016/08/17 09:45:13 christos Exp $
+# $File: apple,v 1.36 2017/03/17 21:35:28 christos Exp $
# apple: file(1) magic for Apple file formats
#
0 search/1/t FiLeStArTfIlEsTaRt binscii (apple ][) text
@@ -67,15 +67,15 @@
# AppleWorks word processor:
# URL: https://en.wikipedia.org/wiki/AppleWorks
# Reference: http://www.gno.org/pub/apple2/doc/apple/filetypes/ftn.1a.xxxx
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# NOTE:
# The "O" is really the magic number, but that's so common that it's
# necessary to check the tab stops that follow it to avoid false positives.
# and/or look for unused bits of booleans bytes like zoom, paginated, mail merge
# the newer AppleWorks is from claris with extension CWK
-4 string O
+4 string O
# test for unused bits of zoom- , paginated-boolean bytes
->84 ubequad ^0x00Fe00000000Fe00
+>84 ubequad ^0x00Fe00000000Fe00
# look for tabstop definitions "=" no tab, "|" no tab
# "<" left tab,"^" center tab,">" right tab, "." decimal tab,
# unofficial "!" other , "\x8a" other
@@ -92,9 +92,9 @@
!:ext awp
# minimum version needed to read this files. SFMinVers (0 , 30~3.0 )
>>>183 ubyte 30 3.0
->>>183 ubyte !30
+>>>183 ubyte !30
>>>>183 ubyte !0 0x%x
-# usual tabstop start sequence "=====<"
+# usual tabstop start sequence "=====<"
>>>5 string x \b, tabstop ruler "%6.6s"
# tabstop ruler
#>>>5 string >\0 \b, tabstops "%-79s"
@@ -105,7 +105,7 @@
# contains any mail-merge commands
>>>92 byte&0x01 >0 \b, with mail merge
# left margin in 1/10 inches ( normally 0 or 10 )
->>>91 ubyte >0
+>>>91 ubyte >0
>>>>91 ubyte x \b, %d/10 inch left margin
# AppleWorks database:
@@ -140,13 +140,13 @@
# GRR: this test is still too general as it catches also Gujin BOOT144.SYS (0xfa080000)
#0 belong&0xff00ff 0x80000 Applesoft BASIC program data
-0 belong&0x00ff00ff 0x00080000
+0 belong&0x00ff00ff 0x00080000
# assuming that line number must be positive
>2 leshort >0 Applesoft BASIC program data, first line number %d
#>2 leshort x \b, first line number %d
# ORCA/EZ assembler:
-#
+#
# This will not identify ORCA/M source files, since those have
# some sort of date code instead of the two zero bytes at 6 and 7
# XXX Conflicts with ELF
@@ -186,11 +186,11 @@
# From Johan Gade.
# These entries are disabled for now until we fix the following issues.
#
-# Note there might be some problems with the "VAX COFF executable"
-# entry. Note this entry should be placed before the mac filesystem section,
+# Note there might be some problems with the "VAX COFF executable"
+# entry. Note this entry should be placed before the mac filesystem section,
# particularly the "Apple Partition data" entry.
#
-# The intended meaning of these tests is, that the file is only of the
+# The intended meaning of these tests is, that the file is only of the
# specified type if both of the lines are correct - i.e. if the first
# line matches and the second doesn't then it is not of that type.
#
@@ -197,7 +197,7 @@
#0 long 0x7801730d
#>4 long 0x62626060 UDIF read-only zlib-compressed image (UDZO)
#
-# Note that this entry is recognized correctly by the "Apple Partition
+# Note that this entry is recognized correctly by the "Apple Partition
# data" entry - however since this entry is more specific - this
# information seems to be more useful.
#0 long 0x45520200
@@ -288,7 +288,7 @@
# Apple disk partition stuff
# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
# Reference: https://ftp.netbsd.org/pub/NetBSD/NetBSD-current/src/sys/sys/bootblock.h
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# "ER" is APPLE_DRVR_MAP_MAGIC signature
0 beshort 0x4552
# display Apple Driver Map (strength=50) after Syslinux bootloader (71)
@@ -315,7 +315,7 @@
# device id 0 1 (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
>>10 ubeshort x \b, devid %u
# driver data 0 (2425393296 garbage for super_grub2_disk_hybrid_2.02s3.iso)
->>12 ubelong >0
+>>12 ubelong >0
>>>12 ubelong x \b, driver data %u
# number of driver descriptors sbDrvrCount <= 61
# (37008 garbage for super_grub2_disk_hybrid_2.02s3.iso)
@@ -327,26 +327,26 @@
# >>500 use apple-driver-map
# number of partitions is always same in every partition (map block count)
#>>0x0204 ubelong x \b, %u partitions
->>0x0204 ubelong >0 \b, contains[@0x200]:
+>>0x0204 ubelong >0 \b, contains[@0x200]:
>>>0x0200 use apple-apm
->>0x0204 ubelong >1 \b, contains[@0x400]:
+>>0x0204 ubelong >1 \b, contains[@0x400]:
>>>0x0400 use apple-apm
->>0x0204 ubelong >2 \b, contains[@0x600]:
+>>0x0204 ubelong >2 \b, contains[@0x600]:
>>>0x0600 use apple-apm
->>0x0204 ubelong >3 \b, contains[@0x800]:
+>>0x0204 ubelong >3 \b, contains[@0x800]:
>>>0x0800 use apple-apm
->>0x0204 ubelong >4 \b, contains[@0xA00]:
+>>0x0204 ubelong >4 \b, contains[@0xA00]:
>>>0x0A00 use apple-apm
->>0x0204 ubelong >5 \b, contains[@0xC00]:
+>>0x0204 ubelong >5 \b, contains[@0xC00]:
>>>0x0C00 use apple-apm
->>0x0204 ubelong >6 \b, contains[@0xE00]:
+>>0x0204 ubelong >6 \b, contains[@0xE00]:
>>>0x0E00 use apple-apm
->>0x0204 ubelong >7 \b, contains[@0x1000]:
+>>0x0204 ubelong >7 \b, contains[@0x1000]:
>>>0x1000 use apple-apm
# display apple driver descriptor map (start-block, # blocks in sbBlkSize sizes, type)
0 name apple-driver-map
->0 ubequad !0
-# descBlock first block of driver
+>0 ubequad !0
+# descBlock first block of driver
>>0 ubelong x \b, driver start block %u
# descSize driver size in blocks
>>4 ubeshort x \b, size %u
@@ -355,11 +355,11 @@
# URL: https://en.wikipedia.org/wiki/Apple_Partition_Map
# Reference: http://opensource.apple.com/source/IOStorageFamily/IOStorageFamily-116/IOApplePartitionScheme.h
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# Yes, the 3rd and 4th bytes pmSigPad are reserved, but we use them to make the
# magic stronger.
# for apple partition map stored as a single file
-0 belong 0x504d0000
+0 belong 0x504d0000
# to display Apple Partition Map (strength=70) after Syslinux bootloader (71)
#!:strength +0
>0 use apple-apm
@@ -417,7 +417,7 @@
0 name appleworks
>0 belong&0x00ffffff 0x07e100 AppleWorks CWK Document
>0 belong&0x00ffffff 0x008803 ClarisWorks CWK Document
->0 default x
+>0 default x
>>0 belong x AppleWorks/ClarisWorks CWK Document
>0 byte x \b, version %d
>30 beshort x \b, %d
Index: contrib/file/magic/Magdir/bhl
===================================================================
--- contrib/file/magic/Magdir/bhl (不存在的)
+++ contrib/file/magic/Magdir/bhl (版本 330908)
@@ -0,0 +1,10 @@
+
+#------------------------------------------------------------------------------
+# $File: bhl,v 1.1 2017/06/11 22:20:02 christos Exp $
+# BlockHashLoc
+# ext: bhl
+# Marco Pontello marcopon@gmail.com
+# reference: https://github.com/MarcoPon/BlockHashLoc
+0 string BlockHashLoc\x1a BlockHashLoc recovery info,
+>13 byte x version %d
+!:ext bhl
Index: contrib/file/magic/Magdir/dyadic
===================================================================
--- contrib/file/magic/Magdir/dyadic (版本 330566)
+++ contrib/file/magic/Magdir/dyadic (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: dyadic,v 1.7 2015/05/27 18:02:48 christos Exp $
+# $File: dyadic,v 1.8 2017/03/17 21:35:28 christos Exp $
# Dyadic: file(1) magic for Dyalog APL.
#
# updated by Joerg Jenderek at Oct 2013
@@ -10,9 +10,9 @@
# .DIN Dyalog APL Input Table
# .DOT Dyalog APL Output Table
# .DFT Dyalog APL Format File
-0 ubeshort&0xFF60 0xaa00
+0 ubeshort&0xFF60 0xaa00
# skip biblio.dbt
->1 byte !4
+>1 byte !4
# real Dyalog APL have non zero version numbers like 7.3 or 13.4
>>2 ubeshort >0x0000 Dyalog APL
>>>1 byte 0x00 aplcore
Index: contrib/file/magic/Magdir/fonts
===================================================================
--- contrib/file/magic/Magdir/fonts (版本 330566)
+++ contrib/file/magic/Magdir/fonts (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: fonts,v 1.33 2016/09/14 01:26:26 christos Exp $
+# $File: fonts,v 1.37 2017/06/24 00:39:00 christos Exp $
# fonts: file(1) magic for font data
#
0 search/1 FONT ASCII vfont text
@@ -19,17 +19,17 @@
# URL: https://en.wikipedia.org/wiki/PostScript_fonts
# Reference: http://partners.adobe.com/public/developer/en/font/5178.PFM.pdf
# Modified by: Joerg Jenderek
-# Note: moved from ./msdos magic
-# dfVersion 256=0100h
-0 uleshort 0x0100
+# Note: moved from ./msdos magic
+# dfVersion 256=0100h
+0 uleshort 0x0100
# GRR: line above is too general as it catches also TrueType font,
# raw G3 data FAX, WhatsApp encrypted and Panorama database
# dfType 129=0081h
->66 uleshort 0x0081
+>66 uleshort 0x0081
# dfVertRes 300=012Ch not needed as additional test
-#>>70 uleshort 0x012c
+#>>70 uleshort 0x012c
# dfHorizRes 300=012Ch
-#>>>72 uleshort 0x012c
+#>>>72 uleshort 0x012c
# dfDriverInfo points to postscript information section
>>(101.l) string/c Postscript Printer Font Metrics
# above labeled "PFM data" by ./msdos (version 5.28) or "Adobe Printer Font Metrics" by TrID
@@ -40,13 +40,13 @@
# dfCopyright 60 byte null padded Copyright string. uncomment it to get old looking
#>>>6 string >\060 - %-.60s
# dfDriverInfo
->>>139 ulelong >0
+>>>139 ulelong >0
# often abbreviated and same as filename
>>>>(139.l) string x %s
# dfSize
>>>2 ulelong x \b, %d bytes
# dfFace 210=D2h 9Eh
->>>105 ulelong >0
+>>>105 ulelong >0
# Windows font name
>>>>(105.l) string x \b, %s
# dfItalic
@@ -72,7 +72,7 @@
#>104 belong 00000004 X11 SNF font data, MSB first
!:mime application/x-font-sfn
# GRR: line below too general as it catches also Xbase index file t3-CHAR.NDX
-0 lelong 00000004
+0 lelong 00000004
>104 lelong 00000004 X11 SNF font data, LSB first
!:mime application/x-font-sfn
@@ -82,27 +82,29 @@
# From: Joerg Jenderek
# URL: http://grub.gibibit.com/New_font_format
# Reference: util/grub-mkfont.c
-# include/grub/fontformat.h
+# include/grub/fontformat.h
# FONT_FORMAT_SECTION_NAMES_FILE
-0 string FILE
+0 string FILE
# FONT_FORMAT_PFF2_MAGIC
->8 string PFF2
+>8 string PFF2
# leng 4 only at the moment
->>4 ubelong 4
+>>4 ubelong 4
# FONT_FORMAT_SECTION_NAMES_FONT_NAME
>>>12 string NAME GRUB2 font
!:mime application/x-font-pf2
!:ext pf2
# length of font_name
->>>>16 ubelong >0
+>>>>16 ubelong >0
# font_name
>>>>>20 string >\0 "%-s"
# X11 fonts, from Daniel Quinlan (quinlan@yggdrasil.com)
# PCF must come before SGI additions ("MIPSEL MIPS-II COFF" collides)
-0 string \001fcp X11 Portable Compiled Font data
->12 byte 0x02 \b, LSB first
->12 byte 0x0a \b, MSB first
+0 string \001fcp X11 Portable Compiled Font data,
+>12 lelong ^0x08 bit: LSB,
+>12 lelong &0x08 bit: MSB,
+>12 lelong ^0x04 byte: LSB first
+>12 lelong &0x04 byte: MSB first
0 string D1.0\015 X11 Speedo font data
#------------------------------------------------------------------------------
@@ -134,28 +136,166 @@
>4 beshort >0 version %d
# True Type fonts
-0 string \000\001\000\000\000 TrueType font data
-!:mime application/x-font-ttf
+# Modified by: Joerg Jenderek
+# URL: https://en.wikipedia.org/wiki/TrueType
+# Reference: https://developer.apple.com/fonts/TrueType-Reference-Manual/
+#
+# sfnt version "typ1" used by some Apple, but no example found
+0 string typ1
+>0 use sfnt-font
+>0 use sfnt-names
+# sfnt version "true" used by some Apple
+0 string true
+>0 use sfnt-font
+>0 use sfnt-names
+# GRR: below test is too general
+# sfnt version often 0x00010000
+0 string \000\001\000\000
+>0 use sfnt-font
+>0 use sfnt-names
+# validate and display sfnt font data like number of tables
+0 name sfnt-font
+# file 5.30 version assumes 00FFh as maximal number of tables
+#>4 ubeshort <0x0100
+# maximal 27 tables found like in Skia.ttf
+# 46 different table names mentioned on Apple specification
+# skip 1st sequence of DOS 2 backup with path separator (\~92 or /~47) misinterpreted as table number
+>4 ubeshort <47
+# skip bad examples with garbage table names like in a5.show HYPERC MAC
+# tag names consist of up to four characters padded with spaces at end like
+# BASE DSIG OS/2 Zapf acnt glyf cvt vmtx xref ...
+>>12 regex/4l \^[A-Za-z][A-Za-z][A-Za-z/][A-Za-z2\ ]
+#>>>0 ubelong x \b, sfnt version 0x%x
+>>>0 ubelong !0x4f54544f TrueType
+!:mime application/font-sfnt
+#!:mime font/ttf
+!:apple ????tfil
+# .ttf for TrueType font
+# EUDC.tte created by privat character editor %WINDIR%\system32\eudcedit.exe
+!:ext ttf/tte
+# sfnt version 4F54544Fh~OTTO
+>>>0 ubelong =0x4f54544f OpenType
+!:mime application/font-sfnt
+#!:mime font/otf
+!:apple ????OTTO
+!:ext otf
+>>>0 ubelong x Font data
+# DSIG=44454947h table name implies a digitally signed font
+# search range = number of tables * 16 =< maximal number of tables * 16 = 27 * 16 = 432
+>>>12 search/432 DSIG \b, digitally signed
+>>>4 ubeshort x \b, %d tables
+# minimal 9 tables found like in NISC18030.ttf
+#>>>4 ubeshort <10 TMIN
+#>>>4 ubeshort >24 TBIG
+# table directory entries
+>>>12 string x \b, 1st "%4.4s"
+# search and display 1st name in sfnt font which is often copyright text
+# does not work inside font collections
+0 name sfnt-names
+# search for naming table
+>12 search/432/s name
+# biggest offset 0x0100bd28 like Windows10 Fonts\simsunb.ttf
+#>>>>&8 ubelong >0x0100bd27 BIGGEST OFFSET
+>>&8 ubelong >0x00100000
+# offset of name table
+>>>&-4 ubelong x \b, name offset 0x%x
+# GRR: pointer to name table only works if offset ~< FILE_BYTES_MAX = 100000h defined in src\file.h
+>>&8 ubelong <0x00100000
+>>>&-16 ubelong x
+# name table
+>>>>(&8.L) ubequad x
+# invalid format selector
+#>>>>>&-8 ubeshort !0 \b, invalid selector %x
+# minimal 3 name records found like in c:\Program Files (x86)\Tesseract-OCR\tessdata\pdf.ttf
+# maximal 1227 name records found like in Apple Chancery.ttf
+#>>>>>&-6 ubeshort <0x4 mincount
+#>>>>>&-6 ubeshort >130 maxcount
+>>>>>&-6 ubeshort x \b, %d names
+# offset to start of string storage from start of table
+#>>>>>&-4 ubeshort x \b, record offset %d
+# 1st name record
+# string offset from start of storage area
+#>>>>>&8 ubeshort x \b, string offset %d
+# string length
+#>>>>>&6 ubeshort x \b, string length %d
+# minimal name string 7 like in c:\Program Files (x86)\Kodi\addons\webinterface.default\lib\video-js\font\VideoJS.ttf
+# also found 0 like in SWZCONLN.TTF
+#>>>>>&6 ubeshort <8 MIN STRING
+# maximal name string 806 like in c:\Windows\Fonts\palabi.ttf
+#>>>>>&6 ubeshort >805 MAX STRING
+# platform identifier: 0~Apple Unicode, 1~Macintosh, 3~Microsoft
+#>>>>>&-2 ubeshort >3 BAD PLATFORM
+>>>>>&-2 ubeshort 0 \b, Unicode
+>>>>>&-2 ubeshort 1 \b, Macintosh
+>>>>>&-2 ubeshort 3 \b, Microsoft
+# languageID (0~english Macintosh, 0409h~english Microsoft, ...)
+>>>>>&2 ubeshort >0 \b, language 0x%x
+# name identifiers
+# often 0~copyright, 1~font, 2~font subfamily, 5~version, 13~license, 19~sample, ...
+>>>>>&4 ubeshort >0 \b, type %d string
+# platform specific encoding:
+# 0~undefined character set, 1~UGL set with Unicode, 3~Unicode 2.0 BMP only, 4~Unicode 2.0
+#>>>>>&0 ubeshort x \b, %d encoding
+>>>>>&0 ubeshort 0
+# handle only name string offset 0 because do not know how to add 2 relative offsets
+>>>>>>&6 ubeshort 0
+>>>>>>>&(&-14.S-18) ubyte !0
+# GRR: instead 806 only first MAXstring = 96 characters are displayed as defined in src\file.h
+# often copyright string that starts like \251 2006 The Monotype Corporation
+>>>>>>>>&-1 string x \b, %-11.96s
+# test for unicode string
+>>>>>>>&(&-14.S-18) ubyte 0
+>>>>>>>>&0 lestring16 x \b, %-11.96s
+# unicode encoding
+>>>>>&0 ubeshort >0
+>>>>>>&6 ubeshort 0
+>>>>>>>&(&-14.S-17) lestring16 x \b, %-11.96s
+
0 string \007\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font
0 string \012\001\001\000Copyright\ (c)\ 199 Adobe Multiple Master font
# TrueType/OpenType font collections (.ttc)
+# URL: https://en.wikipedia.org/wiki/OpenType
# http://www.microsoft.com/typography/otspec/otff.htm
-0 string ttcf TrueType font collection data
->4 belong 0x00010000 \b, 1.0
->>8 belong >0 \b, %d fonts
->4 belong 0x00020000 \b, 2.0
->>8 belong >0 \b, %d fonts
+# Modified by: Joerg Jenderek
+# Note: container for TrueType, OpenType font
+0 string ttcf
+# skip ASCII text
+>4 ubyte 0
+# sfnt version often 0x00010000 of 1st table is TrueType
+>>(12.L) ubelong !0x4f54544f TrueType
+#!:mime font/ttf
+!:apple ????tfil
+!:ext ttc
+# sfnt version 4F54544Fh~OTTO of 1st table is OpenType font
+>>(12.L) ubelong =0x4f54544f OpenType
+#!:mime font/otf
+!:apple ????OTTO
+# no example found for otc
+!:ext ttc/otc
+>>4 ubyte x font collection data
+!:mime application/font-sfnt
+#!:mime font/collection
+# TCC version
+>>4 belong 0x00010000 \b, 1.0
+>>4 belong 0x00020000 \b, 2.0
+>>8 ubelong >0 \b, %d fonts
+# array offset size = fonts * offsetsize = fonts * 4
+>>(8.L*4) ubequad x
# 0x44454947 = 'DSIG'
->>>16 belong 0x44534947 \b, digitally signed
+>>>&4 belong 0x44534947 \b, digitally signed
+# offset to 1st font
+>>12 ubelong x \b, at 0x%x
+# point to 1st font that starts with sfnt version
+>>(12.L) use sfnt-font
# Opentype font data from Avi Bercovich
0 string OTTO OpenType font data
!:mime application/vnd.ms-opentype
-# Gurkan Sengun <gurkan@linuks.mine.nu>, www.linuks.mine.nu
-0 string SplineFontDB: Spline Font Database
+# Gurkan Sengun <gurkan@linuks.mine.nu>, www.linuks.mine.nu
+0 string SplineFontDB: Spline Font Database
!:mime application/vnd.font-fontforge-sfd
>14 string x version %s
Index: contrib/file/magic/Magdir/geo
===================================================================
--- contrib/file/magic/Magdir/geo (版本 330566)
+++ contrib/file/magic/Magdir/geo (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: geo,v 1.3 2013/01/04 00:47:02 christos Exp $
+# $File: geo,v 1.4 2017/03/17 21:35:28 christos Exp $
# Geo- files from Kurt Schwehr <schwehr@ccom.unh.edu>
######################################################################
@@ -57,7 +57,7 @@
4 beshort 0x2002 GeoSwath RDF
0 string Start:- GeoSwatch auf text file
-# Seabeam 2100
+# Seabeam 2100
# mbsystem code mb41
0 string SB2100 SeaBeam 2100 multibeam sonar
0 string SB2100DR SeaBeam 2100 DR multibeam sonar
Index: contrib/file/magic/Magdir/gringotts
===================================================================
--- contrib/file/magic/Magdir/gringotts (版本 330566)
+++ contrib/file/magic/Magdir/gringotts (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: gringotts,v 1.5 2009/09/19 16:28:09 christos Exp $
+# $File: gringotts,v 1.6 2017/03/17 21:35:28 christos Exp $
# gringotts: file(1) magic for Gringotts
# http://devel.pluto.linux.it/projects/Gringotts/
# author: Germano Rizzo <mano@pluto.linux.it>
@@ -9,10 +9,10 @@
#file format 1
>3 string 1 v.1, MCRYPT S2K, SERPENT crypt, SHA-256 hash, ZLib lvl.9
#file format 2
->3 string 2 v.2, MCRYPT S2K,
+>3 string 2 v.2, MCRYPT S2K,
>>8 byte&0x70 0x00 RIJNDAEL-128 crypt,
>>8 byte&0x70 0x10 SERPENT crypt,
->>8 byte&0x70 0x20 TWOFISH crypt,
+>>8 byte&0x70 0x20 TWOFISH crypt,
>>8 byte&0x70 0x30 CAST-256 crypt,
>>8 byte&0x70 0x40 SAFER+ crypt,
>>8 byte&0x70 0x50 LOKI97 crypt,
@@ -27,10 +27,10 @@
>>8 byte&0x03 0x02 lvl.6
>>8 byte&0x03 0x03 lvl.9
#file format 3
->3 string 3 v.3, OpenPGP S2K,
+>3 string 3 v.3, OpenPGP S2K,
>>8 byte&0x70 0x00 RIJNDAEL-128 crypt,
>>8 byte&0x70 0x10 SERPENT crypt,
->>8 byte&0x70 0x20 TWOFISH crypt,
+>>8 byte&0x70 0x20 TWOFISH crypt,
>>8 byte&0x70 0x30 CAST-256 crypt,
>>8 byte&0x70 0x40 SAFER+ crypt,
>>8 byte&0x70 0x50 LOKI97 crypt,
Index: contrib/file/magic/Magdir/icc
===================================================================
--- contrib/file/magic/Magdir/icc (版本 330566)
+++ contrib/file/magic/Magdir/icc (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: icc,v 1.1 2013/01/08 01:43:18 christos Exp $
+# $File: icc,v 1.5 2017/08/13 00:21:47 christos Exp $
# icc: file(1) magic for International Color Consortium file formats
#
@@ -11,41 +11,204 @@
# http://www.color.org/specification/ICC1v43_2010-12.pdf
#
# for Specification ICC.1:2010 (Profile version 4.3.0.0).
+# URL: http://fileformats.archiveteam.org/wiki/ICC_profile
+# Reference: http://www.color.org/iccmax/ICC.2-2016-7.pdf
+# Update: Joerg Jenderek
#
# Bytes 36 to 39 contain a generic profile file signature of "acsp";
# bytes 40 to 43 "may be used to identify the primary platform/operating
# system framework for which the profile was created".
#
-# There are other fields that might be worth dumping as well.
+# check and display ICC/ICM color profile
+0 name color-profile
+>36 string acsp
+# skip ASCII like Cognacspirit.txt by month <= 12
+>>26 ubeshort <13
+# platform/operating system. Only 5 mentioned
+
#
-
# This appears to be what's used for Apple ColorSync profiles.
# Instead of adding that, Apple just changed the generic "acsp" entry
# to be for "ColorSync ICC Color Profile" rather than "Kodak Color
# Management System, ICC Profile".
# Yes, it's "APPL", not "AAPL"; see the spec.
-36 string acspAPPL ColorSync ICC Profile
-!:mime application/vnd.iccprofile
+>>>40 string APPL ColorSync
# Microsoft ICM color profile
-36 string acspMSFT Microsoft ICM Color Profile
-!:mime application/vnd.iccprofile
+>>>40 string MSFT Microsoft
# Yes, that's a blank after "SGI".
-36 string acspSGI\ SGI ICC Profile
-!:mime application/vnd.iccprofile
+>>>40 string SGI\ SGI
# XXX - is this what's used for the Sun KCMS or not? The standard file
# uses just "acsp" for that, but Apple's file uses it for "ColorSync",
# and there *is* an identified "primary platform" value of SUNW.
-36 string acspSUNW Sun KCMS ICC Profile
+>>>40 string SUNW Sun KCMS
+
+# 5th platform
+>>>40 string TGNT Taligent
+
+# remaining "l" "e" of "color profile" printed later to avoid error
+>>>40 string x color profi
+#>>>40 string x (%.4s)
!:mime application/vnd.iccprofile
+# for "ICM" extension only versions 2.x and for Kodak "CC" 2.0 is found
+>>>8 ubyte =2
+# do not use empty message text to a avoid error like
+# icc, 82: Warning: Current entry does not yet have a description for adding a EXTENSION type
+# file.exe: could not find any valid magic files!
+>>>>9 ubyte !0 \ble
+!:ext icc/icm
+# minor version
+>>>>9 ubyte =0 \bl
+# Kodak colour management system
+>>>>>4 string =KCMS \be
+!:ext icc/icm/cc
+>>>>>4 string !KCMS \be
+!:ext icc/icm
+>>>8 ubyte !2 \ble
+!:ext icc
+# Profile version major.4bit-minor.sub1.sub2 like 4.3.0.0 (04300000h)
+>>>8 ubyte x %u
+>>>9 ubyte/16 x \b.%u
+# reserved and shall be null but 205.205 in umx1220u.icm
+>>>10 ubyte >0 \b.%u
+>>>>11 ubyte >0 \b.%u
+# preferred colour management module like appl CCMS KCMS Lino UCCM "Win " "FF "
+# skip space like in brmsl08f.icm and null like in brmsl09f.icm, brmsl07f.icm
+>>>4 string >\ \b, type %.2s
+>>>>6 string >\ \b%.1s
+>>>>>7 string >\ \b%.1s
+# colour space "XYZ " "Lab " "RGB " CMYK GRAY ...
+>>>16 string x \b, %.3s
+>>>19 string >\ \b%.1s
+# Profile Connection Space (PCS) field usually "XYZ " or "Lab " but sometimes
+# null or CMYK like in ISOcoated_v2_to_PSOcoated_v3_DeviceLink.icc
+>>>20 string >\0 \b/%.3s
+>>>>23 string >\ \b%.1s
+# eleven device classes
+>>>12 string x \b-%.4s device
+# skip 00001964h in hpf69000.icc or 0h in XRDC50Q.ICM or " ROT" in brmsl05f.icm
+>>>52 string >\040
+# skip "none" model like in "Trinitron Compatible 9300K G2.2.icm"
+>>>>52 ubelong !0x6e6f6e65
+# device manufacturer field like "HP " "IBM " EPSO
+>>>>>48 string x \b, %.2s
+>>>>>50 string >\ \b%.1s
+>>>>>51 string >\ \b%.1s
+# model like "ADI " "A265" and skip 20000404h in IS330.icm for RICOH RUSSIAN-SC
+>>>>>52 string >\ \ \b/%.3s
+>>>>>>55 string >\ \b%.1s
+>>>>>52 string x model
+# creator (often same as manufacture) like HP SONY XROX or null like in A925A.icm
+>>>80 string >\0 by %.2s
+>>>>82 string >\ \b%.1s
+>>>>>83 string >\ \b%.1s
+# profile size
+>>>0 ubelong x \b, %u bytes
+# skip invalid date 0 like in linearSRGB.icc
+>>>24 ubequad !0
+# datetime dd-mm-yyyy hh:mm:ss
+>>>>28 ubeshort x \b, %u
+# month <= 12
+>>>>26 ubeshort x \b-%u
+# year
+>>>>24 ubeshort x \b-%u
+# do not display midnight time like in CNHP8308.ICC
+>>>>30 ubequad&0xFFffFFffFFff0000 !0
+# hour <= 24
+>>>>>30 ubeshort x %u
+# minutes <= 59
+>>>>>32 ubeshort x \b:%.2u
+# seconds <= 59
+>>>>>34 ubeshort x \b:%.2u
+# vendor specific flags like 2 in HPCLJ5.ICM
+>>>44 ubeshort >0 \b, 0x%x vendor flags
+# profile flags bits 0-2 of least 16 used by ICC
+#>>>44 ubelong >0 \b, 0x%x flags
+# icEmbeddedProfileTrue
+>>>44 ubelong &1 \b, embedded
+# icEmbeddedProfileFalse
+#>>>44 ubelong ^1 \b, not embedded
+# icUseWithEmbeddedDataOnly
+>>>44 ubelong &2 \b, dependently
+# icUseAnywhere
+#>>>44 ubelong ^2 \b, independently
+>>>44 ubelong &4 \b, MCS
+#>>>44 ubelong ^4 \b, no MCS
+# vendor specific device attributes 1~srgb.icc
+# E000D00h~CNB7QEDA.ICM C000A00h~CNB5FCAA.ICM 01040401h~CNB25PE3.ICM
+>>>56 ubelong >0 \b, 0x%x vendor attribute
+# ICC device attributes bits 0-7 used
+#>>>60 ubelong x \b, 0x%x attribute
+# http://www.color.org/icc34.h
+>>>60 ubelong &0x01 \b, transparent
+#>>>60 ubelong ^0x01 \b, reflective
+>>>60 ubelong &0x02 \b, matte
+#>>>60 ubelong ^0x02 \b, glossy
+>>>60 ubelong &0x04 \b, negative
+#>>>60 ubelong ^0x04 \b, positive
+>>>60 ubelong &0x08 \b, black&white
+#>>>60 ubelong ^0x08 \b, colour
+>>>60 ubelong &0x10 \b, non-paper
+#>>>60 ubelong ^0x10 \b, paper
+>>>60 ubelong &0x20 \b, non-textured
+#>>>60 ubelong ^0x20 \b, textured
+>>>60 ubelong &0x40 \b, non-isotropic
+#>>>60 ubelong ^0x40 \b, isotropic
+>>>60 ubelong &0x80 \b, self-luminous
+#>>>60 ubelong ^0x80 \b, non-self-luminous
+# rendering intent 0-3 but 7AEA5027h in EE051__1.ICM 6CB1BCh in EE061__1.ICM
+>>>64 ubelong >3 \b, 0x%x rendering intent
+#>>>64 ubelong =0 \b, perceptual
+>>>64 ubelong =1 \b, relative colorimetric
+>>>64 ubelong =2 \b, saturation
+>>>64 ubelong =3 \b, absolute colorimetric
+# PCS illuminant (3*s15Fixed16Numbers) often 0000f6d6 00010000 0000d32d
+>>>71 ubequad !0xd6000100000000d3 \b, PCS
+# usually X~0.9642*65536=63189.8112~63190=F6D5h ; but also found
+# often F6D6 in gt5000r.icm, F6B8 in kodakce.icm, F6CA in RSWOP.icm
+>>>>68 ubelong !0x0000f6d5 X=0x%x
+# usually Y=1.0~00010000h but Y=0 in brmsl07f.icm
+>>>>72 ubelong !0x00010000 Y=0x%x
+# usually Z~0.8249*65536=54060.6464~54061=D32Dh ; but also found
+# D2F7 in hp1200c.icm, often D32C in A925A.icm, D309 in RSWOP.icm , D2F8 in kodak_dc.icm
+>>>>76 ubelong !0x0000d32d Z=0x%x
+# Profile ID. MD5 fingerprinting method as defined in Internet RFC 1321.
+>>>84 ubequad >0 \b, 0x%llx MD5
+# reserved in older versions should be zero but also found CDCDCDCDCDCDCDCD
+#>>100 ubequad x \b 0x%llx reserved
+# tag table
+# 6 <= tags count <= 43
+#>>>128 ubelong >43 \b, %u tags
+>>>128 ubelong x
+# shall contain the profileDescriptionTag "desc" , copyrightTag "cprt"
+# search range = tags count * 12 -8=< maximal tag count * 12 -8= 43 * 12 -8= 508
+>>>>132 search/508 cprt
+# but no copyright tag in linearSRGB.icc
+# beneath /System/Library/Frameworks/WebKit.framework/
+# Versions/A/Frameworks/WebCore.framework/Versions/A/Resources
+>>>>132 default x \b, no copyright tag
+# 1st tag
+#>>>132 string x \b, 1st tag %.4s
+#>>>136 ubelong x 0x%x offset
+#>>>140 ubelong x 0x%x len
+# 2nd tag,...
+# look also for profileDescriptionTag "desc"
+>>>132 search/508 desc
+# look further for TextDescriptionType "desc" signature
+>>>>(&0.L) string =desc
+>>>>>&4 pstring/l x "%s"
+# look alternative for multiLocalizedUnicodeType "mluc" signature like in VideoPAL.icc
+>>>>(&0.L) string =mluc
+>>>>>&(&8.L) ubequad x
+>>>>>>&4 bestring16 x '%s'
# Any other profile.
# XXX - should we use "acsp\0\0\0\0" for "no primary platform" profiles,
# and use "acsp" for everything else and dump the "primary platform"
# string in those cases?
-36 string acsp ICC Profile
-!:mime application/vnd.iccprofile
+36 string acsp
+>0 use color-profile
Index: contrib/file/magic/Magdir/jpeg
===================================================================
--- contrib/file/magic/Magdir/jpeg (版本 330566)
+++ contrib/file/magic/Magdir/jpeg (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: jpeg,v 1.30 2016/07/04 15:18:23 christos Exp $
+# $File: jpeg,v 1.31 2017/03/17 21:35:28 christos Exp $
# JPEG images
# SunOS 5.5.1 had
#
@@ -53,7 +53,7 @@
>>5 beshort x \b%d
>>9 byte x \b, frames %d
->0 beshort 0xFFC1
+>0 beshort 0xFFC1
>>(2.S+2) use jpeg_segment
>>4 byte x \b, extended sequential, precision %d
>>7 beshort x \b, %dx
@@ -60,7 +60,7 @@
>>5 beshort x \b%d
>>9 byte x \b, frames %d
->0 beshort 0xFFC2
+>0 beshort 0xFFC2
>>(2.S+2) use jpeg_segment
>>4 byte x \b, progressive, precision %d
>>7 beshort x \b, %dx
@@ -71,11 +71,11 @@
>0 beshort 0xFFC4
>>(2.S+2) use jpeg_segment
->0 beshort 0xFFE1
+>0 beshort 0xFFE1
# Recursion handled by FFE0
#>>(2.S+2) use jpeg_segment
>>4 string Exif \b, Exif Standard: [
->>>10 indirect/r x
+>>>10 indirect/r x
>>>10 string x \b]
# Application specific markers
Index: contrib/file/magic/Magdir/lisp
===================================================================
--- contrib/file/magic/Magdir/lisp (版本 330566)
+++ contrib/file/magic/Magdir/lisp (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: lisp,v 1.24 2015/11/30 20:54:26 christos Exp $
+# $File: lisp,v 1.25 2017/03/17 21:35:28 christos Exp $
# lisp: file(1) magic for lisp programs
#
# various lisp types, from Daniel Quinlan (quinlan@yggdrasil.com)
@@ -7,7 +7,7 @@
# updated by Joerg Jenderek
# GRR: This lot is too weak
-#0 string ;;
+#0 string ;;
# windows INF files often begin with semicolon and use CRLF as line end
# lisp files are mainly created on unix system with LF as line end
#>2 search/4096 !\r Lisp/Scheme program text
@@ -28,9 +28,9 @@
# URL: https://en.wikipedia.org/wiki/Emacs_Lisp
# Reference: http://ftp.gnu.org/old-gnu/emacs/elisp-manual-18-1.03.tar.gz
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# Emacs 18 - this is always correct, but not very magical.
-0 string \012(
+0 string \012(
# look for emacs lisp keywords
# GRR: split regex because it is too long or get error like
# lisp, 36: Warning: cannot get string from `^(defun|defvar|defconst|defmacro|setq|fset|put|provide|require|'
@@ -50,13 +50,13 @@
# Emacs 19+ - ver. recognition added by Ian Springer
# Also applies to XEmacs 19+ .elc files; could tell them apart with regexs
# - Chris Chittleborough <cchittleborough@yahoo.com.au>
-# Update: Joerg Jenderek
-0 string ;ELC
+# Update: Joerg Jenderek
+0 string ;ELC
# version\0\0\0
>4 byte >18 Emacs/XEmacs v%d byte-compiled Lisp data
# why less than 32 ? does not make sense to me. GNU Emacs version is 24.5 at April 2015
#>4 byte <32 Emacs/XEmacs v%d byte-compiled Lisp data
-!:mime application/x-elc
+!:mime application/x-elc
!:apple EMAxTEXT
!:ext elc
@@ -67,7 +67,7 @@
0 long 0x70768BD2 CLISP memory image data
0 long 0xD28B7670 CLISP memory image data, other endian
-#.com and .bin for MIT scheme
+#.com and .bin for MIT scheme
0 string \372\372\372\372 MIT scheme (library?)
# From: David Allouche <david@allouche.net>
Index: contrib/file/magic/Magdir/maple
===================================================================
--- contrib/file/magic/Magdir/maple (版本 330566)
+++ contrib/file/magic/Magdir/maple (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: maple,v 1.7 2013/01/11 16:45:23 christos Exp $
+# $File: maple,v 1.8 2017/03/17 21:35:28 christos Exp $
# maple: file(1) magic for maple files
# "H. Nanosecond" <aldomel@ix.netcom.com>
# Maple V release 4, a multi-purpose math program
@@ -13,7 +13,7 @@
# no magic for these :-(
# they are compiled indexes for maple files
-# .hdb
+# .hdb
0 string \000\004\000\000 Maple help database
# .mhp
@@ -40,7 +40,7 @@
# from byte 4 it is either 'nul E' or 'soh R'
# I think 'nul E' means a file that was saved as a different name
# a sort of revision marking
-# 'soh R' means new
+# 'soh R' means new
>4 string \000\105 An old revision
>4 string \001\122 The latest save
Index: contrib/file/magic/Magdir/meteorological
===================================================================
--- contrib/file/magic/Magdir/meteorological (版本 330566)
+++ contrib/file/magic/Magdir/meteorological (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: meteorological,v 1.1 2014/08/04 06:26:16 christos Exp $
+# $File: meteorological,v 1.2 2017/03/17 21:35:28 christos Exp $
# rinex: file(1) magic for RINEX files
# http://igscb.jpl.nasa.gov/igscb/data/format/rinex210.txt
# ftp://cddis.gsfc.nasa.gov/pub/reports/formats/rinex300.pdf
@@ -34,7 +34,7 @@
>>&32 string x \b, date %15.15s
>>5 string x \b, version %6.6s
!:mime rinex/meteorological
->80 search/256 XXRINEXN RINEX Data, Navigation
+>80 search/256 XXRINEXN RINEX Data, Navigation
>>&32 string x \b, date %15.15s
>>5 string x \b, version %6.6s
!:mime rinex/navigation
Index: contrib/file/magic/Magdir/nasa
===================================================================
--- contrib/file/magic/Magdir/nasa (版本 330566)
+++ contrib/file/magic/Magdir/nasa (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# nasa: file(1) magic
+# nasa: file(1) magic
# From: Barry Carter <carter.barry@gmail.com>
0 string DAF/SPK NASA SPICE file (binary format)
Index: contrib/file/magic/Magdir/m4
===================================================================
--- contrib/file/magic/Magdir/m4 (版本 330566)
+++ contrib/file/magic/Magdir/m4 (版本 330908)
@@ -1,6 +1,9 @@
#------------------------------------------------------------------------------
-# $File: m4,v 1.1 2011/12/08 12:12:46 rrt Exp $
+# $File: m4,v 1.2 2017/08/14 07:40:38 christos Exp $
# make: file(1) magic for M4 scripts
#
0 regex \^dnl\ M4 macro processor script text
!:mime text/x-m4
+0 regex \^AC_DEFUN\\(\\[ M4 macro processor script text
+!:strength + 15
+!:mime text/x-m4
Index: contrib/file/magic/Magdir/marc21
===================================================================
--- contrib/file/magic/Magdir/marc21 (版本 330566)
+++ contrib/file/magic/Magdir/marc21 (版本 330908)
@@ -2,7 +2,7 @@
# marc21: file(1) magic for MARC 21 Format
#
# Kevin Ford (kefo@loc.gov)
-#
+#
# MARC21 formats are for the representation and communication
# of bibliographic and related information in machine-readable
# form. For more info, see http://www.loc.gov/marc/
@@ -9,20 +9,22 @@
# leader position 20-21 must be 45
-20 string 45
+# and 22-23 also 00 so far, but we check that later.
+20 string 45
+>0 search/2048 \x1e
# leader starts with 5 digits, followed by codes specific to MARC format
->0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic
+>>0 regex/1l (^[0-9]{5})[acdnp][^bhlnqsu-z] MARC21 Bibliographic
!:mime application/marc
->0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority
+>>0 regex/1l (^[0-9]{5})[acdnosx][z] MARC21 Authority
!:mime application/marc
->0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings
+>>0 regex/1l (^[0-9]{5})[cdn][uvxy] MARC21 Holdings
!:mime application/marc
-0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification
+>>0 regex/1l (^[0-9]{5})[acdn][w] MARC21 Classification
!:mime application/marc
->0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community
+>>0 regex/1l (^[0-9]{5})[cdn][q] MARC21 Community
!:mime application/marc
# leader position 22-23, should be "00" but is it?
->0 regex/1l (^.{21})([^0]{2}) (non-conforming)
+>>0 regex/1l (^.{21})([^0]{2}) (non-conforming)
!:mime application/marc
Index: contrib/file/magic/Magdir/microfocus
===================================================================
--- contrib/file/magic/Magdir/microfocus (版本 330566)
+++ contrib/file/magic/Magdir/microfocus (版本 330908)
@@ -1,7 +1,7 @@
#------------------------------------------------------------------------------
-# $File: microfocus,v 1.1 2016/02/09 01:22:49 christos Exp $
-# Micro Focus COBOL data files.
+# $File: microfocus,v 1.2 2017/03/17 21:35:28 christos Exp $
+# Micro Focus COBOL data files.
# http://documentation.microfocus.com/help/index.jsp?topic=\
# %2FGUID-0E0191D8-C39A-44D1-BA4C-D67107BAF784%2FHRFLRHFILE05.html
Index: contrib/file/magic/Magdir/mozilla
===================================================================
--- contrib/file/magic/Magdir/mozilla (版本 330566)
+++ contrib/file/magic/Magdir/mozilla (版本 330908)
@@ -1,7 +1,7 @@
#------------------------------------------------------------------------------
-# $File: mozilla,v 1.6 2015/01/25 16:20:46 christos Exp $
-# mozilla: file(1) magic for Mozilla XUL fastload files
+# $File: mozilla,v 1.7 2017/03/17 21:35:28 christos Exp $
+# mozilla: file(1) magic for Mozilla XUL fastload files
# (XUL.mfasl and XPC.mfasl)
# URL: http://www.mozilla.org/
# From: Josh Triplett <josh@freedesktop.org>
Index: contrib/file/magic/Magdir/mup
===================================================================
--- contrib/file/magic/Magdir/mup (版本 330566)
+++ contrib/file/magic/Magdir/mup (版本 330908)
@@ -1,6 +1,6 @@
# ------------------------------------------------------------------------
-# $File: mup,v 1.4 2009/09/19 16:28:11 christos Exp $
+# $File: mup,v 1.5 2017/03/17 21:35:28 christos Exp $
# mup: file(1) magic for Mup (Music Publisher) input file.
#
# From: Abel Cheung <abel (@) oaka.org>
@@ -12,13 +12,13 @@
#
0 search/1 //!Mup Mup music publication program input text
>6 string -Arkkra (Arkkra)
->>13 string -
->>>16 string .
+>>13 string -
+>>>16 string .
>>>>14 string x \b, need V%.4s
->>>15 string .
+>>>15 string .
>>>>14 string x \b, need V%.3s
->6 string -
->>9 string .
+>6 string -
+>>9 string .
>>>7 string x \b, need V%.4s
->>8 string .
+>>8 string .
>>>7 string x \b, need V%.3s
Index: contrib/file/magic/Magdir/nitpicker
===================================================================
--- contrib/file/magic/Magdir/nitpicker (版本 330566)
+++ contrib/file/magic/Magdir/nitpicker (版本 330908)
@@ -1,9 +1,9 @@
#------------------------------------------------------------------------------
-# $File: nitpicker,v 1.6 2014/04/30 21:41:02 christos Exp $
+# $File: nitpicker,v 1.7 2017/03/17 21:35:28 christos Exp $
# nitpicker: file(1) magic for Flowfiles.
# From: Christian Jachmann <C.Jachmann@gmx.net> http://www.nitpicker.de
-0 string NPFF NItpicker Flow File
+0 string NPFF NItpicker Flow File
>4 byte x V%d.
>5 byte x %d
>6 bedate x started: %s
Index: contrib/file/magic/Magdir/pc88
===================================================================
--- contrib/file/magic/Magdir/pc88 (版本 330566)
+++ contrib/file/magic/Magdir/pc88 (版本 330908)
@@ -9,7 +9,7 @@
>>0x280 string \0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
>>>0x1A ubyte&0xEF 0
>>>>0x1B ubyte&0x8F 0
->>>>>0x1B ubyte&70 <0x40
+>>>>>0x1B ubyte&70 <0x40
>>>>>>0x1C ulelong >0x21
>>>>>>>0 regex [[:print:]]* NEC PC-88 disk image, name=%s
>>>>>>>>0x1B ubyte 0 \b, media=2D
Index: contrib/file/magic/Magdir/perl
===================================================================
--- contrib/file/magic/Magdir/perl (版本 330566)
+++ contrib/file/magic/Magdir/perl (版本 330908)
@@ -1,5 +1,5 @@
#------------------------------------------------------------------------------
-# $File: perl,v 1.25 2016/06/07 23:28:37 rrt Exp $
+# $File: perl,v 1.26 2017/02/21 18:34:55 christos Exp $
# perl: file(1) magic for Larry Wall's perl language.
#
# The `eval' lines recognizes an outrageously clever hack.
@@ -33,14 +33,14 @@
# by Dmitry V. Levin and Alexey Tourbin
# check the first line
-0 search/1024 package
+0 search/8192 package
>0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *; Perl5 module source text
-!:strength + 10
+!:strength + 40
# not 'p', check other lines
-0 search/1024 !p
+0 search/8192 !p
>0 regex \^package[\ \t]+[0-9A-Za-z_:]+\ *;
>>0 regex \^1\ *;|\^(use|sub|my)\ .*[(;{=] Perl5 module source text
-!:strength + 10
+!:strength + 75
# Perl POD documents
# From: Tom Hukins <tom@eborcom.com>
Index: contrib/file/magic/Magdir/project
===================================================================
--- contrib/file/magic/Magdir/project (版本 330566)
+++ contrib/file/magic/Magdir/project (版本 330908)
@@ -1,8 +1,8 @@
#------------------------------------------------------------------------------
-# $File: project,v 1.4 2009/09/19 16:28:11 christos Exp $
+# $File: project,v 1.5 2017/03/17 21:35:28 christos Exp $
# project: file(1) magic for Project management
-#
+#
# Magic strings for ftnchek project files. Alexander Mai
0 string FTNCHEK_\ P project file for ftnchek
>10 string 1 version 2.7
Index: contrib/file/magic/Magdir/ruby
===================================================================
--- contrib/file/magic/Magdir/ruby (版本 330566)
+++ contrib/file/magic/Magdir/ruby (版本 330908)
@@ -1,21 +1,21 @@
#------------------------------------------------------------------------------
-# $File: ruby,v 1.6 2016/07/27 09:46:29 rrt Exp $
+# $File: ruby,v 1.7 2017/08/14 13:39:18 christos Exp $
# ruby: file(1) magic for Ruby scripting language
# URL: http://www.ruby-lang.org/
# From: Reuben Thomas <rrt@sc3d.org>
# Ruby scripts
-0 search/1/w #!\ /usr/bin/ruby Ruby script text executable
+0 search/1/w #!\ /usr/bin/ruby Ruby script text executable
!:strength + 15
!:mime text/x-ruby
0 search/1/w #!\ /usr/local/bin/ruby Ruby script text executable
!:strength + 15
!:mime text/x-ruby
-0 search/1 #!/usr/bin/env\ ruby Ruby script text executable
+0 search/1 #!/usr/bin/env\ ruby Ruby script text executable
!:strength + 15
!:mime text/x-ruby
-0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable
+0 search/1 #!\ /usr/bin/env\ ruby Ruby script text executable
!:strength + 15
!:mime text/x-ruby
@@ -22,11 +22,30 @@
# What looks like ruby, but does not have a shebang
# (modules and such)
# From: Lubomir Rintel <lkundrak@v3.sk>
-0 regex \^[\ \t]*require[\ \t]'[A-Za-z_/]+'
->0 regex include\ [A-Z]|def\ [a-z]|\ do$
->>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby script text
+0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/]+'
+>0 regex def\ [a-z]|\ do$
+>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text
+!:strength + 30
!:mime text/x-ruby
-0 regex \^[\ \t]*(class|module)[\ \t][A-Z]
+0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z]
>0 regex (modul|includ)e\ [A-Z]|def\ [a-z]
->>0 regex \^[\ \t]*end([\ \t]*[;#].*)?$ Ruby module source text
+>>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text
+!:strength + 30
!:mime text/x-ruby
+# Classes with no modules or defs, beats simple ASCII
+0 regex \^[[:space:]]*(class|module)[[:space:]][A-Z]
+>&0 regex \^[[:space:]]*end([[:space:]]+[;#if].*)?$ Ruby script text
+!:strength + 10
+!:mime text/x-ruby
+# Looks for function definition to balance python magic
+# def name (args)
+# end
+0 regex \^[[:space:]]*def\ [a-z]|def\ [[:alpha:]]+::[a-z]
+>&0 regex \^[[:space:]]*end([[:space:]]+[;#].*)?$ Ruby script text
+!:strength + 10
+!:mime text/x-ruby
+
+0 regex \^[[:space:]]*require[[:space:]]'[A-Za-z_/]+' Ruby script text
+!:mime text/x-ruby
+0 regex \^[[:space:]]*include\ ([A-Z]+[a-z]*(::))+ Ruby script text
+!:mime text/x-ruby
Index: contrib/file/magic/Magdir/sequent
===================================================================
--- contrib/file/magic/Magdir/sequent (版本 330566)
+++ contrib/file/magic/Magdir/sequent (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: sequent,v 1.12 2014/08/16 16:07:12 christos Exp $
+# $File: sequent,v 1.13 2017/03/17 21:35:28 christos Exp $
# sequent: file(1) magic for Sequent machines
#
# Sequent information updated by Don Dwiggins <atsun!dwiggins>.
@@ -33,9 +33,9 @@
# http://en.wikipedia.org/wiki/Sequent_Computer_Systems
# below test line conflicts with MS-DOS 2.11 floppies and Acronis loader
#0 leshort 0x42eb SYMMETRY i386 standalone executable
-0 leshort 0x42eb
+0 leshort 0x42eb
# skip unlike negative version
->124 lelong >-1
+>124 lelong >-1
# assuming version 28867614 is very low probable
>>124 lelong !28867614 SYMMETRY i386 standalone executable
>>>16 lelong >0 not stripped
Index: contrib/file/magic/Magdir/sql
===================================================================
--- contrib/file/magic/Magdir/sql (版本 330566)
+++ contrib/file/magic/Magdir/sql (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: sql,v 1.20 2016/07/05 19:49:59 christos Exp $
+# $File: sql,v 1.21 2017/03/17 21:35:28 christos Exp $
# sql: file(1) magic for SQL files
#
# From: "Marty Leisner" <mleisner@eng.mc.xerox.com>
@@ -73,7 +73,7 @@
>>3 byte x Version %d
#------------------------------------------------------------------------------
-# iRiver H Series database file
+# iRiver H Series database file
# From Ken Guest <ken@linux.ie>
# As observed from iRivNavi.iDB and unencoded firmware
#
@@ -133,9 +133,9 @@
0 string PSDB\0 Panasonic channel list DataBase
!:ext db/bin
#!:mime application/x-db-svl-panasonic
->126 string SQLite\ format\ 3
+>126 string SQLite\ format\ 3
#!:mime application/x-panasonic-sqlite3
->>&-15 indirect x \b; contains
+>>&-15 indirect x \b; contains
# H2 Database from http://www.h2database.com/
0 string --\ H2\ 0.5/B\ --\ \n H2 Database file
Index: contrib/file/magic/Magdir/modem
===================================================================
--- contrib/file/magic/Magdir/modem (版本 330566)
+++ contrib/file/magic/Magdir/modem (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: modem,v 1.7 2016/01/08 00:56:42 christos Exp $
+# $File: modem,v 1.8 2017/03/17 21:35:28 christos Exp $
# modem: file(1) magic for modem programs
#
# From: Florian La Roche <florian@knorke.saar.de>
@@ -13,24 +13,24 @@
# URL: https://de.wikipedia.org/wiki/Fax
# Reference: http://web.archive.org/web/20020628195336/http://www.netnam.vn/unescocourse/computervision/104.htm
# GRR: EOL of G3 is too general as it catches also TrueType fonts, Postscript PrinterFontMetric, others
-0 short 0x0100
+0 short 0x0100
# 16 0-bits near beginning like True Type fonts *.ttf, Postscript PrinterFontMetric *.pfm, FTYPE.HYPERCARD, XFER
->2 search/9 \0\0
+>2 search/9 \0\0
# maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3
->2 default x
+>2 default x
# skip IRCAM file (VAX big-endian) ./audio
->>0 belong !0x0001a364
+>>0 belong !0x0001a364
# skip GEM Image data ./images
->>>2 beshort !0x0008
+>>>2 beshort !0x0008
# look for first keyword of Panorama database *.pan
->>>>11 search/262 \x06DESIGN
+>>>>11 search/262 \x06DESIGN
# skip Panorama database
->>>>11 default x
+>>>>11 default x
# old Apple DreamWorld DreamGrafix *.3200 with keyword at end of g3 looking files
->>>>>27118 search/1864 DreamWorld
->>>>>27118 default x
+>>>>>27118 search/1864 DreamWorld
+>>>>>27118 default x
# skip MouseTrap/Mt.Defaults with file size 16 found on Golden Orchard Apple II CD Rom
->>>>>>8 ubequad !0x2e01010454010203
+>>>>>>8 ubequad !0x2e01010454010203
# skip PICTUREH.SML found on Golden Orchard Apple II CD Rom
>>>>>>>8 ubequad !0x5dee74ad1aa56394 raw G3 (Group 3) FAX, byte-padded
# version 5.25 labeled the entry above "raw G3 data, byte-padded"
@@ -39,9 +39,9 @@
!:ext g3
# unusual image starting with black pixel
#0 short 0x1300 raw G3 (Group 3) FAX
-0 short 0x1400
+0 short 0x1400
# 16 0-bits near beginning like PicturePuzzler found on Golden Orchard Apple CD Rom
->2 search/9 \0\0
+>2 search/9 \0\0
# maximal 7 0-bits for pixel sequences or 11 0-bits for EOL in G3
>2 default x raw G3 (Group 3) FAX
# version 5.25 labeled the above entry as "raw G3 data"
Index: contrib/file/magic/Magdir/msx
===================================================================
--- contrib/file/magic/Magdir/msx (版本 330566)
+++ contrib/file/magic/Magdir/msx (版本 330908)
@@ -7,7 +7,7 @@
############## MSX Music file formats ##############
# Gigamix MGSDRV music file
-0 string/b MGS MSX Gigamix MGSDRV3 music file,
+0 string/b MGS MSX Gigamix MGSDRV3 music file,
>6 ubeshort 0x0D0A
>>3 byte x \bv%c
>>4 byte x \b.%c
@@ -35,7 +35,7 @@
>>0xF byte&0x02 0 \b, soundchips: AY-3-8910, SCC(+)
>>0xF byte&0x02 0x02 \b, soundchips: SN76489
>>>0xF byte&0x04 0x04 stereo
->>0xF byte&0x01 0x01 \b,
+>>0xF byte&0x01 0x01 \b,
>>>0xF byte&0x18 0x00 \bYM2413
>>>0xF byte&0x18 0x08 \bYM2413, Y8950
>>>0xF byte&0x18 0x18 \bYM2413+Y8950 pseudostereo
@@ -245,18 +245,18 @@
0x4000 string/b AB
>0x4002 uleshort >0x400F
>>0x400A string \0\0\0\0\0\0 MSX ROM with nonstandard page order
->>0x4002 uleshort x \b, init=0x%04x
->>0x4004 uleshort >0 \b, stahdl=0x%04x
->>0x4006 uleshort >0 \b, devhdl=0x%04x
->>0x4008 uleshort >0 \b, bas=0x%04x
+>>>0x4002 uleshort x \b, init=0x%04x
+>>>0x4004 uleshort >0 \b, stahdl=0x%04x
+>>>0x4006 uleshort >0 \b, devhdl=0x%04x
+>>>0x4008 uleshort >0 \b, bas=0x%04x
0x8000 string/b AB
>0x8002 uleshort >0x400F
>>0x800A string \0\0\0\0\0\0 MSX ROM with nonstandard page order
->>0x8002 uleshort x \b, init=0x%04x
->>0x8004 uleshort >0 \b, stahdl=0x%04x
->>0x8006 uleshort >0 \b, devhdl=0x%04x
->>0x8008 uleshort >0 \b, bas=0x%04x
+>>>0x8002 uleshort x \b, init=0x%04x
+>>>0x8004 uleshort >0 \b, stahdl=0x%04x
+>>>0x8006 uleshort >0 \b, devhdl=0x%04x
+>>>0x8008 uleshort >0 \b, bas=0x%04x
0x3C000 string/b AB
@@ -296,7 +296,7 @@
4 uleshort 0x0900
>0xF byte 1
>>0x14 byte 0
->>>0x1E string \ \ \
+>>>0x1E string \040\040\040
>>>>0x23 byte 1
>>>>>0x25 byte 0
>>>>>>0x15 string >\x30
Index: contrib/file/magic/Magdir/netscape
===================================================================
--- contrib/file/magic/Magdir/netscape (版本 330566)
+++ contrib/file/magic/Magdir/netscape (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: netscape,v 1.7 2015/08/24 05:20:52 christos Exp $
+# $File: netscape,v 1.8 2017/03/17 21:35:28 christos Exp $
# netscape: file(1) magic for Netscape files
# "H. Nanosecond" <aldomel@ix.netcom.com>
# version 3 and 4 I think
@@ -15,8 +15,8 @@
# .snm Caches
0 string #\ Netscape\ folder\ cache Netscape folder cache
0 string \000\036\204\220\000 Netscape folder cache
-# .n2p
-# Net 2 Phone
+# .n2p
+# Net 2 Phone
#0 string 123\130\071\066\061\071\071\071\060\070\061\060\061\063\060
0 string SX961999 Net2phone
Index: contrib/file/magic/Magdir/pbf
===================================================================
--- contrib/file/magic/Magdir/pbf (版本 330566)
+++ contrib/file/magic/Magdir/pbf (版本 330908)
@@ -1,11 +1,11 @@
#------------------------------------------------------------------------------
-# $File: pbf,v 1.1 2013/12/21 14:27:24 christos Exp $
+# $File: pbf,v 1.2 2017/01/18 16:16:21 christos Exp $
# file(1) magic(5) data for OpenStreetMap
# OpenStreetMap Protocolbuffer Binary Format (.osm.pbf)
# http://wiki.openstreetmap.org/wiki/PBF_Format
# From: Markus Heidelberg <markus.heidelberg@web.de>
-0 belong 0x0000000D
->4 beshort 0x0A09
->>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format
+0 belong&0xfffffff0 0
+>4 beshort 0x0A09
+>>6 string OSMHeader OpenStreetMap Protocolbuffer Binary Format
Index: contrib/file/magic/Magdir/pdp
===================================================================
--- contrib/file/magic/Magdir/pdp (版本 330566)
+++ contrib/file/magic/Magdir/pdp (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: pdp,v 1.10 2014/04/30 21:41:02 christos Exp $
+# $File: pdp,v 1.11 2017/03/17 21:35:28 christos Exp $
# pdp: file(1) magic for PDP-11 executable/object and APL workspace
#
0 lelong 0101555 PDP-11 single precision APL workspace
@@ -14,8 +14,8 @@
# updated by Joerg Jenderek at Mar 2013
# GRR: line below too general as it catches also Windows precompiled setup information *.PNF
-0 leshort 0401
-# skip *.PNF with WinDirPathOffset 58h
+0 leshort 0401
+# skip *.PNF with WinDirPathOffset 58h
>68 ulelong !0x00000058 PDP-11 UNIX/RT ldp
# skip *.PNF with high byte of InfVersionDatumCount zero
#>>15 byte !0 PDP-11 UNIX/RT ldp
Index: contrib/file/magic/Magdir/printer
===================================================================
--- contrib/file/magic/Magdir/printer (版本 330566)
+++ contrib/file/magic/Magdir/printer (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: printer,v 1.26 2014/04/12 14:51:52 christos Exp $
+# $File: printer,v 1.28 2017/03/17 22:20:22 christos Exp $
# printer: file(1) magic for printer-formatted files
#
@@ -13,7 +13,7 @@
>>>15 string EPS \b, type %s
>>>15 string Query \b, type %s
>>>15 string ExitServer \b, type %s
->>>15 search/1000 %%LanguageLevel:\
+>>>15 search/1000 %%LanguageLevel:\040
>>>>&0 string >\0 \b, Level %s
# Some PCs have the annoying habit of adding a ^D as a document separator
0 string \004%! PostScript document text
@@ -24,7 +24,7 @@
>>>16 string EPS \b, type %s
>>>16 string Query \b, type %s
>>>16 string ExitServer \b, type %s
->>>16 search/1000 %%LanguageLevel:\
+>>>16 search/1000 %%LanguageLevel:\040
>>>>&0 string >\0 \b, Level %s
0 string \033%-12345X%!PS PostScript document
@@ -49,18 +49,18 @@
# HP Printer Job Language
0 string \033%-12345X@PJL HP Printer Job Language data
# HP Printer Job Language
-# The header found on Win95 HP plot files is the "Silliest Thing possible"
+# The header found on Win95 HP plot files is the "Silliest Thing possible"
# (TM)
# Every driver puts the language at some random position, with random case
# (LANGUAGE and Language)
# For example the LaserJet 5L driver puts the "PJL ENTER LANGUAGE" in line 10
# From: Uwe Bonnes <bon@elektron.ikp.physik.th-darmstadt.de>
-#
+#
0 string \033%-12345X@PJL HP Printer Job Language data
->&0 string >\0 %s
->>&0 string >\0 %s
->>>&0 string >\0 %s
->>>>&0 string >\0 %s
+>&0 string >\0 %s
+>>&0 string >\0 %s
+>>>&0 string >\0 %s
+>>>>&0 string >\0 %s
#>15 string \ ENTER\ LANGUAGE\ =
#>31 string PostScript PostScript
@@ -143,8 +143,8 @@
#------------------------------------------------------------------------------
# HP LaserJet 1000 series downloadable firmware file
-0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware
+0 string \xbe\xefABCDEFGH HP LaserJet 1000 series downloadable firmware
# From: Paolo <oopla@users.sf.net>
-# Epson ESC/Page, ESC/PageColor
+# Epson ESC/Page, ESC/PageColor
0 string \x1b\x01@EJL Epson ESC/Page language printer data
Index: contrib/file/magic/Magdir/riff
===================================================================
--- contrib/file/magic/Magdir/riff (版本 330566)
+++ contrib/file/magic/Magdir/riff (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: riff,v 1.31 2015/02/14 17:30:03 christos Exp $
+# $File: riff,v 1.32 2017/03/17 21:35:28 christos Exp $
# riff: file(1) magic for RIFF format
# See
#
@@ -75,7 +75,7 @@
>>18 leshort x \b, %d entries
# RIFF Device Independent Bitmap format
>8 string RDIB \b, device-independent bitmap
->>16 string BM
+>>16 string BM
>>>30 leshort 12 \b, OS/2 1.x format
>>>>34 leshort x \b, %d x
>>>>36 leshort x %d
@@ -226,9 +226,9 @@
>8 string sfbk SoundFont/Bank
# MPEG-1 wrapped in a RIFF, apparently
>8 string CDXA \b, wrapped MPEG-1 (CDXA)
->8 string 4XMV \b, 4X Movie file
+>8 string 4XMV \b, 4X Movie file
# AMV-type AVI file: http://wiki.multimedia.cx/index.php?title=AMV
->8 string AMV\040 \b, AMV
+>8 string AMV\040 \b, AMV
>8 string WEBP \b, Web/P image
!:mime image/webp
>>12 use riff-walk
@@ -246,7 +246,7 @@
>>18 beshort x \b, %d entries
# RIFF Device Independent Bitmap format
>8 string RDIB \b, device-independent bitmap
->>16 string BM
+>>16 string BM
>>>30 beshort 12 \b, OS/2 1.x format
>>>>34 beshort x \b, %d x
>>>>36 beshort x %d
@@ -284,7 +284,7 @@
#------------------------------------------------------------------------------
# Sony Wave64
# see http://www.vcs.de/fileadmin/user_upload/MBS/PDF/Whitepaper/Informations_about_Sony_Wave64.pdf
-# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian
+# 128 bit RIFF-GUID { 66666972-912E-11CF-A5D6-28DB04C10000 } in little-endian
0 string riff\x2E\x91\xCF\x11\xA5\xD6\x28\xDB\x04\xC1\x00\x00 Sony Wave64 RIFF data
# 128 bit + total file size (64 bits) so 24 bytes
# then WAVE-GUID { 65766177-ACF3-11D3-8CD1-00C04F8EDB8A }
Index: contrib/file/magic/Magdir/sendmail
===================================================================
--- contrib/file/magic/Magdir/sendmail (版本 330566)
+++ contrib/file/magic/Magdir/sendmail (版本 330908)
@@ -1,27 +1,27 @@
#------------------------------------------------------------------------------
-# $File: sendmail,v 1.8 2015/11/11 15:27:03 christos Exp $
+# $File: sendmail,v 1.10 2017/08/13 00:21:47 christos Exp $
# sendmail: file(1) magic for sendmail config files
#
# XXX - byte order?
#
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# GRR: this test is too general as it catches also
# READ.ME.FIRST.AWP Sendmail frozen configuration
# - version ====|====|====|====|====|====|====|====|====|====|====|====|===
# Email_23_f217153422.ts Sendmail frozen configuration
# - version \330jK\354
-0 byte 046
+0 byte 046
# http://www.sendmail.com/sm/open_source/docs/older_release_notes/
# freezed configuration file (dbm format?) created from sendmal.cf with -bz
# by older sendmail. til version 8.6 support for frozen configuration files is removed
-# valid version numbers look like "7.14.4" and should be simliar to output of commands
-# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf"
+# valid version numbers look like "7.14.4" and should be similar to output of commands
+# "sendmail -d0 -bt < /dev/null |grep -i Version" or "egrep '^DZ' /etc/sendmail.cf"
>16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration
# normally only /etc/sendmail.fc or /var/adm/sendmail/sendmail.fc
!:ext fc
>>16 string >\0 - version %s
-0 short 0x271c
+0 short 0x271c
# look for valid version number
>16 regex/s =^[0-78][0-9.]{4} Sendmail frozen configuration
!:ext fc
Index: contrib/file/magic/Magdir/sketch
===================================================================
--- contrib/file/magic/Magdir/sketch (版本 330566)
+++ contrib/file/magic/Magdir/sketch (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: sketch,v 1.4 2009/09/19 16:28:12 christos Exp $
-# Sketch Drawings: http://sketch.sourceforge.net/
+# $File: sketch,v 1.5 2017/03/17 21:35:28 christos Exp $
+# Sketch Drawings: http://sketch.sourceforge.net/
# From: Edwin Mons <e@ik.nu>
0 search/1 ##Sketch Sketch document text
Index: contrib/file/magic/Magdir/vms
===================================================================
--- contrib/file/magic/Magdir/vms (版本 330566)
+++ contrib/file/magic/Magdir/vms (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: vms,v 1.9 2014/08/17 13:47:59 christos Exp $
+# $File: vms,v 1.10 2017/03/17 21:35:28 christos Exp $
# vms: file(1) magic for VMS executables (experimental)
#
# VMS .exe formats, both VAX and AXP (Greg Roelofs, newt@uchicago.edu)
@@ -25,6 +25,6 @@
# 00040 00 00 00 00 ff ff ff ff ff ff ff ff 02 00 00 00 ................
#
# GRR this test is still too general as it catches example adressen.dbt
-0 belong 0x03000000
+0 belong 0x03000000
>8 ubelong 0xec020000 VMS Alpha executable
>>75264 string PK\003\004 \b, Info-ZIP SFX archive v5.12 w/decryption
Index: contrib/file/magic/Magdir/terminfo
===================================================================
--- contrib/file/magic/Magdir/terminfo (版本 330566)
+++ contrib/file/magic/Magdir/terminfo (版本 330908)
@@ -1,24 +1,51 @@
#------------------------------------------------------------------------------
-# $File: terminfo,v 1.7 2016/03/17 21:02:29 christos Exp $
+# $File: terminfo,v 1.9 2017/04/28 16:28:58 christos Exp $
# terminfo: file(1) magic for terminfo
#
-# XXX - byte order for screen images?
+# URL: http://invisible-island.net/ncurses/man/term.5.html
+# URL: http://invisible-island.net/ncurses/man/scr_dump.5.html
#
-# URL: https://en.wikipedia.org/wiki/Terminfo
-# Reference: ncurses-5.9/ncurses/tinfo/write_entry.c
-# Update: Joerg Jenderek
-#
-# GRR: line below too general as it catches also
+# Workaround for Targa image type by Joerg Jenderek
+# GRR: line below too general as it catches also
# Targa image type 1 with 26 long identification field
# and HELP.DSK
-0 string \032\001
+0 string \032\001
# 5th character of terminal name list, but not Targa image pixel size (15 16 24 32)
->16 ubyte >32
+>16 ubyte >32
# namelist, if more than 1 separated by "|" like "st|stterm| simpleterm 0.4.1"
>>12 regex \^[a-zA-Z0-9][a-zA-Z0-9.][^|]* Compiled terminfo entry "%-s"
!:mime application/x-terminfo
# no extension
-#!:ext
-0 short 0433 Curses screen image
-0 short 0434 Curses screen image
+#!:ext
+#
+# While the compiled terminfo uses little-endian format irregardless of
+# platform, SystemV screen dumps do not. They came later, and that detail was
+# overlooked.
+#
+# AIX and HPUX use the SVr4 big-endian format
+# Solaris uses the SVr3 formats (sparc and x86 differ endian-ness)
+0 beshort 0433 SVr2 curses screen image, big-endian
+0 beshort 0434 SVr3 curses screen image, big-endian
+0 beshort 0435 SVr4 curses screen image, big-endian
+#
+0 leshort 0433 SVr2 curses screen image, little-endian
+0 leshort 0434 SVr3 curses screen image, little-endian
+0 leshort 0435 SVr4 curses screen image, little-endian
+#
+# Rather than SVr4, Solaris "xcurses" writes this header:
+0 regex \^MAX=[0-9]+,[0-9]+$
+>1 regex \^BEG=[0-9]+,[0-9]+$
+>2 regex \^SCROLL=[0-9]+,[0-9]+$
+>3 regex \^VMIN=[0-9]+$
+>4 regex \^VTIME=[0-9]+$
+>5 regex \^FLAGS=0x[[:xdigit:]]+$
+>6 regex \^FG=[0-9],[0-9]+$
+>7 regex \^BG=[0-9]+,[0-9]+, Solaris xcurses screen image
+#
+# ncurses5 (and before) did not use a magic number, making screen dumps "data".
+# ncurses6 (2015) uses this format, ignoring byte-order
+0 string \210\210\210\210ncurses ncurses6 screen image
+#
+# PDCurses added this in 2005
+0 string PDC\001 PDCurses screen image
Index: contrib/file/magic/Magdir/webassembly
===================================================================
--- contrib/file/magic/Magdir/webassembly (不存在的)
+++ contrib/file/magic/Magdir/webassembly (版本 330908)
@@ -0,0 +1,15 @@
+#------------------------------------------------------------------------------
+# $File: webassembly,v 1.2 2017/05/02 14:05:29 christos Exp $
+# webassembly: file(1) magic for WebAssembly modules
+#
+# WebAssembly is a virtual architecture developed by a W3C Community
+# Group at http://webassembly.org/. The file extension is .wasm, and
+# the MIME type is application/wasm.
+#
+# http://webassembly.org/docs/binary-encoding/ is the main
+# document describing the binary format.
+# From: Pip Cet <pipcet@gmail.com> and Joel Martin
+
+0 string \0asm WebAssembly (wasm) binary module
+>4 lelong =1 version %#x (MVP)
+>4 lelong >1 version %#x
Index: contrib/file/magic/Magdir/cad
===================================================================
--- contrib/file/magic/Magdir/cad (版本 330566)
+++ contrib/file/magic/Magdir/cad (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: cad,v 1.13 2014/03/23 18:05:38 christos Exp $
+# $File: cad,v 1.15 2017/06/24 15:24:56 christos Exp $
# autocad: file(1) magic for cad files
#
@@ -9,7 +9,7 @@
# DGN is the default file extension of Microstation/Intergraph CAD files.
# CIT is the proprietary raster format (similar to TIFF) used to attach
# raster underlays to Microstation DGN (vector) drawings.
-#
+#
# http://www.wotsit.org/search.asp
# http://filext.com/detaillist.php?extdetail=DGN
# http://filext.com/detaillist.php?extdetail=CIT
@@ -42,7 +42,7 @@
>4 string \030\000\000 CITFile
>4 string \030\000\003 CITFile
-# AutoCAD
+# AutoCAD
# Merge of the different contributions and updates from http://en.wikipedia.org/wiki/Dwg
# and http://www.iana.org/assignments/media-types/image/vnd.dwg
0 string MC0.0 DWG AutoDesk AutoCAD Release 1.0
@@ -99,12 +99,12 @@
0 string AC1027 DWG AutoDesk AutoCAD 2013/2014
!:mime image/vnd.dwg
-# KOMPAS 2D drawing from ASCON
+# KOMPAS 2D drawing from ASCON
# This is KOMPAS 2D drawing or fragment of drawing but is not detailed nor
# gathered nor specification
# ASCON http://ascon.net/main/ in English,
# http://ascon.ru/ main site in Russian
-# Extension is CDW for drawing and FRW for fragment of drawing
+# Extension is CDW for drawing and FRW for fragment of drawing
# Sergey Zaykov (mail_of_sergey@mail.ru, sergey_zaikov@rambler.ru,
# ICQ 358572321, http://vkontakte.ru/id16076543)
# From:
@@ -111,30 +111,30 @@
# http://sd.ascon.ru/otrs/customer.pl?Action=CustomerFAQ&CategoryID=4&ItemID=292
# (in russian) and my experiments
0 string KF
->2 belong 0x4E00000C Kompas drawing 12.0 SP1
->2 belong 0x4D00000C Kompas drawing 12.0
->2 belong 0x3200000B Kompas drawing 11.0 SP1
->2 belong 0x3100000B Kompas drawing 11.0
->2 belong 0x2310000A Kompas drawing 10.0 SP1
->2 belong 0x2110000A Kompas drawing 10.0
->2 belong 0x08000009 Kompas drawing 9.0 SP1
->2 belong 0x05000009 Kompas drawing 9.0
->2 belong 0x33010008 Kompas drawing 8+
->2 belong 0x1A000008 Kompas drawing 8.0
->2 belong 0x2C010107 Kompas drawing 7+
->2 belong 0x05000007 Kompas drawing 7.0
->2 belong 0x32000006 Kompas drawing 6+
->2 belong 0x09000006 Kompas drawing 6.0
->2 belong 0x5C009005 Kompas drawing 5.11R03
->2 belong 0x54009005 Kompas drawing 5.11R02
->2 belong 0x51009005 Kompas drawing 5.11R01
->2 belong 0x22009005 Kompas drawing 5.10R03
->2 belong 0x22009005 Kompas drawing 5.10R02 mar
->2 belong 0x21009005 Kompas drawing 5.10R02 febr
->2 belong 0x19009005 Kompas drawing 5.10R01
->2 belong 0xF4008005 Kompas drawing 5.9R01.003
->2 belong 0x1C008005 Kompas drawing 5.9R01.002
->2 belong 0x11008005 Kompas drawing 5.8R01.003
+>2 belong 0x4E00000C Kompas drawing 12.0 SP1
+>2 belong 0x4D00000C Kompas drawing 12.0
+>2 belong 0x3200000B Kompas drawing 11.0 SP1
+>2 belong 0x3100000B Kompas drawing 11.0
+>2 belong 0x2310000A Kompas drawing 10.0 SP1
+>2 belong 0x2110000A Kompas drawing 10.0
+>2 belong 0x08000009 Kompas drawing 9.0 SP1
+>2 belong 0x05000009 Kompas drawing 9.0
+>2 belong 0x33010008 Kompas drawing 8+
+>2 belong 0x1A000008 Kompas drawing 8.0
+>2 belong 0x2C010107 Kompas drawing 7+
+>2 belong 0x05000007 Kompas drawing 7.0
+>2 belong 0x32000006 Kompas drawing 6+
+>2 belong 0x09000006 Kompas drawing 6.0
+>2 belong 0x5C009005 Kompas drawing 5.11R03
+>2 belong 0x54009005 Kompas drawing 5.11R02
+>2 belong 0x51009005 Kompas drawing 5.11R01
+>2 belong 0x22009005 Kompas drawing 5.10R03
+>2 belong 0x22009005 Kompas drawing 5.10R02 mar
+>2 belong 0x21009005 Kompas drawing 5.10R02 febr
+>2 belong 0x19009005 Kompas drawing 5.10R01
+>2 belong 0xF4008005 Kompas drawing 5.9R01.003
+>2 belong 0x1C008005 Kompas drawing 5.9R01.002
+>2 belong 0x11008005 Kompas drawing 5.8R01.003
# CAD: file(1) magic for computer aided design files
# Phillip Griffith <phillip dot griffith at gmail dot com>
@@ -147,8 +147,13 @@
>0x02 byte 0xfe
>>0x04 beshort 0x1800 CIT raster CAD
-# 3DS (3d Studio files) Conflicts with diff output 0x3d '='
-#16 beshort 0x3d3d image/x-3ds
+# 3DS (3d Studio files)
+0 leshort 0x4d4d
+>6 leshort 0x2
+>>8 lelong 0xa
+>>>16 leshort 0x3d3d 3D Studio model
+!:mime image/x-3ds
+!:extension 3ds
# MegaCAD 2D/3D drawing (.prt)
# http://megacad.de/
Index: contrib/file/magic/Magdir/commands
===================================================================
--- contrib/file/magic/Magdir/commands (版本 330566)
+++ contrib/file/magic/Magdir/commands (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: commands,v 1.56 2016/07/14 19:01:12 christos Exp $
+# $File: commands,v 1.59 2017/08/14 07:40:38 christos Exp $
# commands: file(1) magic for various shells and interpreters
#
#0 string/w : shell archive or script for antique kernel text
@@ -56,7 +56,7 @@
!:mime text/x-awk
0 string/wt #!\ /usr/bin/awk awk script text executable
!:mime text/x-awk
-0 regex/4096 =^\\s{0,100}BEGIN\\s{0,100}[{] awk or perl script text
+0 regex/4096 =^[\040\t\f\r\n]{0,100}BEGIN[\040\t\f\r\n]{0,100}[{] awk or perl script text
# AT&T Bell Labs' Plan 9 shell
0 string/wt #!\ /bin/rc Plan 9 rc shell script text executable
@@ -84,7 +84,7 @@
# PHP scripts
# Ulf Harnhammar <ulfh@update.uu.se>
0 search/1/c =<?php PHP script text
-!:strength + 10
+!:strength + 30
!:mime text/x-php
0 search/1 =<?\n PHP script text
!:mime text/x-php
Index: contrib/file/magic/Magdir/database
===================================================================
--- contrib/file/magic/Magdir/database (版本 330566)
+++ contrib/file/magic/Magdir/database (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: database,v 1.49 2016/06/11 17:01:51 christos Exp $
+# $File: database,v 1.52 2017/08/13 00:21:47 christos Exp $
# database: file(1) magic for various databases
#
# extracted from header/code files by Graeme Wilford (eep2gw@ee.surrey.ac.uk)
@@ -84,7 +84,7 @@
# From Max Bowsher.
12 long 0x00040988 Berkeley DB
>16 long >0 (Log, version %d, native byte-order)
-12 belong 0x00040988 Berkeley DB
+12 belong 0x00040988 Berkeley DB
>16 belong >0 (Log, version %d, big-endian)
12 lelong 0x00040988 Berkeley DB
>16 lelong >0 (Log, version %d, little-endian)
@@ -103,7 +103,7 @@
>>>12 long !0 32bit aligned
>>>>12 bedouble 8.642135e+130 big-endian
>>>>>20 long 0 64bit long
->>>>>20 long !0 32bit long
+>>>>>20 long !0 32bit long
>>>>12 ledouble 8.642135e+130 little-endian
>>>>>24 long 0 64bit long
>>>>>24 long !0 32bit long (i386)
@@ -128,22 +128,22 @@
# XXX: Weak magic.
# Alex Ott <ott@jet.msk.su>
## Paradox file formats
-#2 leshort 0x0800 Paradox
-#>0x39 byte 3 v. 3.0
-#>0x39 byte 4 v. 3.5
-#>0x39 byte 9 v. 4.x
-#>0x39 byte 10 v. 5.x
-#>0x39 byte 11 v. 5.x
-#>0x39 byte 12 v. 7.x
-#>>0x04 byte 0 indexed .DB data file
-#>>0x04 byte 1 primary index .PX file
-#>>0x04 byte 2 non-indexed .DB data file
-#>>0x04 byte 3 non-incrementing secondary index .Xnn file
-#>>0x04 byte 4 secondary index .Ynn file
-#>>0x04 byte 5 incrementing secondary index .Xnn file
-#>>0x04 byte 6 non-incrementing secondary index .XGn file
-#>>0x04 byte 7 secondary index .YGn file
-#>>>0x04 byte 8 incrementing secondary index .XGn file
+#2 leshort 0x0800 Paradox
+#>0x39 byte 3 v. 3.0
+#>0x39 byte 4 v. 3.5
+#>0x39 byte 9 v. 4.x
+#>0x39 byte 10 v. 5.x
+#>0x39 byte 11 v. 5.x
+#>0x39 byte 12 v. 7.x
+#>>0x04 byte 0 indexed .DB data file
+#>>0x04 byte 1 primary index .PX file
+#>>0x04 byte 2 non-indexed .DB data file
+#>>0x04 byte 3 non-incrementing secondary index .Xnn file
+#>>0x04 byte 4 secondary index .Ynn file
+#>>0x04 byte 5 incrementing secondary index .Xnn file
+#>>0x04 byte 6 non-incrementing secondary index .XGn file
+#>>0x04 byte 7 secondary index .YGn file
+#>>>0x04 byte 8 incrementing secondary index .XGn file
## XBase database files
# updated by Joerg Jenderek at Feb 2013
@@ -151,33 +151,33 @@
# http://www.clicketyclick.dk/databases/xbase/format/dbf.html
# http://home.f1.htw-berlin.de/scheibl/db/intern/dBase.htm
# inspect VVYYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
-0 ubelong&0x0000FFFF <0x00000C20
+0 ubelong&0x0000FFFF <0x00000C20
# skip Infocom game Z-machine
->2 ubyte >0
+>2 ubyte >0
# skip Androids *.xml
->>3 ubyte >0
->>>3 ubyte <32
+>>3 ubyte >0
+>>>3 ubyte <32
# 1 < version VV
->>>>0 ubyte >1
+>>>>0 ubyte >1
# skip HELP.CA3 by test for reserved byte ( NULL )
->>>>>27 ubyte 0
+>>>>>27 ubyte 0
# reserved bytes not always 0 ; also found 0x3901 (T4.DBF) ,0x7101 (T5.DBF,T6.DBF)
#>>>>>30 ubeshort x 30NULL?%x
-# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
->>>>>>24 ubelong&0xffFFFFff >0x01302000
+# possible production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
+>>>>>>24 ubelong&0xffFFFFff >0x01302000
# .DBF or .MDX
->>>>>>24 ubelong&0xffFFFFff <0x01302001
+>>>>>>24 ubelong&0xffFFFFff <0x01302001
# for Xbase Database file (*.DBF) reserved (NULL) for multi-user
->>>>>>>24 ubelong&0xffFFFFff =0
+>>>>>>>24 ubelong&0xffFFFFff =0
# test for 2 reserved NULL bytes,transaction and encryption byte flag
->>>>>>>>12 ubelong&0xFFFFfEfE 0
+>>>>>>>>12 ubelong&0xFFFFfEfE 0
# test for MDX flag
->>>>>>>>>28 ubyte x
->>>>>>>>>28 ubyte&0xf8 0
+>>>>>>>>>28 ubyte x
+>>>>>>>>>28 ubyte&0xf8 0
# header size >= 32
->>>>>>>>>>8 uleshort >31
+>>>>>>>>>>8 uleshort >31
# skip PIC15736.PCX by test for language driver name or field name
->>>>>>>>>>>32 ubyte >0
+>>>>>>>>>>>32 ubyte >0
#!:mime application/x-dbf; charset=unknown-8bit ??
#!:mime application/x-dbase
>>>>>>>>>>>>0 use xbase-type
@@ -202,22 +202,22 @@
>>>>>>>>>>>>28 ubyte&0x02 2 \b, with memo .FPT
>>>>>>>>>>>>28 ubyte&0x04 4 \b, DataBaseContainer
# 1st record offset + 1 = header size
->>>>>>>>>>>>8 uleshort >0
->>>>>>>>>>>>(8.s+1) ubyte >0
+>>>>>>>>>>>>8 uleshort >0
+>>>>>>>>>>>>(8.s+1) ubyte >0
>>>>>>>>>>>>>8 uleshort >0 \b, at offset %d
->>>>>>>>>>>>>(8.s+1) ubyte >0
+>>>>>>>>>>>>>(8.s+1) ubyte >0
>>>>>>>>>>>>>>&-1 string >\0 1st record "%s"
-# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserverd (NULL)
->>>>>>>24 ubelong&0x0133f7ff >0
+# for multiple index files (*.MDX) Production flag,tag numbers(<=0x30),tag length(<=0x20), reserved (NULL)
+>>>>>>>24 ubelong&0x0133f7ff >0
# test for reserved NULL byte
->>>>>>>>47 ubyte 0
+>>>>>>>>47 ubyte 0
# test for valid TAG key format (0x10 or 0)
->>>>>>>>>559 ubyte&0xeF 0
+>>>>>>>>>559 ubyte&0xeF 0
# test MM <= 12
->>>>>>>>>>45 ubeshort <0x0C20
->>>>>>>>>>>45 ubyte >0
->>>>>>>>>>>>46 ubyte <32
->>>>>>>>>>>>>46 ubyte >0
+>>>>>>>>>>45 ubeshort <0x0C20
+>>>>>>>>>>>45 ubyte >0
+>>>>>>>>>>>>46 ubyte <32
+>>>>>>>>>>>>>46 ubyte >0
#!:mime application/x-mdx
>>>>>>>>>>>>>>0 use xbase-type
>>>>>>>>>>>>>>0 ubyte x \b MDX
@@ -236,11 +236,11 @@
# 2nd tag name
#>>>>>>>>>>>>(26.b+548) string x \b, 2nd tag "%.11s"
#
-# Print the xBase names of different version variants
+# Print the xBase names of different version variants
0 name xbase-type
->0 ubyte <2
+>0 ubyte <2
# 1 < version
->0 ubyte >1
+>0 ubyte >1
>>0 ubyte 0x02 FoxBase
# FoxBase+/dBaseIII+, no memo
>>0 ubyte 0x03 FoxBase+/dBase III
@@ -293,7 +293,7 @@
# dBASE IV with SQL table, with memo .DBT
>>0 ubyte 0xCB dBase IV with SQL table, with memo .DBT
!:mime application/x-dbf
-# HiPer-Six format;Clipper SIX, with SMT memo file
+# HiPer-Six format;Clipper SIX, with SMT memo file
>>0 ubyte 0xE5 Clipper SIX with memo
!:mime application/x-dbf
# http://msdn.microsoft.com/en-US/library/st4a0s68(v=vs.80).aspx
@@ -318,12 +318,12 @@
# test and print the date of xBase .DBF .MDX
0 name xbase-date
# inspect YYMMDD , where 1<= MM <= 12 and 1<= DD <= 31
->0 ubelong x
->1 ubyte <13
->>1 ubyte >0
->>>2 ubyte >0
->>>>2 ubyte <32
->>>>>0 ubyte x
+>0 ubelong x
+>1 ubyte <13
+>>1 ubyte >0
+>>>2 ubyte >0
+>>>>2 ubyte <32
+>>>>>0 ubyte x
# YY is interpreted as 20YY or 19YY
>>>>>>0 ubyte <100 \b %.2d
# YY is interpreted 1900+YY; TODO: display yy or 20yy instead 1YY
@@ -333,56 +333,56 @@
# dBase memo files .DBT or .FPT
# http://msdn.microsoft.com/en-us/library/8599s21w(v=vs.80).aspx
-16 ubyte <4
->16 ubyte !2
->>16 ubyte !1
+16 ubyte <4
+>16 ubyte !2
+>>16 ubyte !1
# next free block index is positive
->>>0 ulelong >0
+>>>0 ulelong >0
# skip many JPG. ZIP, BZ2 by test for reserved bytes NULL , 0|2 , 0|1 , low byte of block size
->>>>17 ubelong&0xFFfdFE00 0x00000000
+>>>>17 ubelong&0xFFfdFE00 0x00000000
# skip many RAR by test for low byte 0 ,high byte 0|2|even of block size, 0|a|e|d7 , 0|64h
->>>>>20 ubelong&0xFF01209B 0x00000000
+>>>>>20 ubelong&0xFF01209B 0x00000000
# dBASE III
->>>>>>16 ubyte 3
+>>>>>>16 ubyte 3
# dBASE III DBT
>>>>>>>0 use dbase3-memo-print
# dBASE III DBT without version, dBASE IV DBT , FoxPro FPT , or many ZIP , DBF garbage
->>>>>>16 ubyte 0
+>>>>>>16 ubyte 0
# unusual dBASE III DBT like angest.dbt, dBASE IV DBT with block size 0 , FoxPro FPT , or garbage PCX DBF
->>>>>>>20 uleshort 0
+>>>>>>>20 uleshort 0
# FoxPro FPT , unusual dBASE III DBT like biblio.dbt or garbage
->>>>>>>>8 ulong =0
->>>>>>>>>6 ubeshort >0
+>>>>>>>>8 ulong =0
+>>>>>>>>>6 ubeshort >0
# skip emacs.PIF
->>>>>>>>>>4 ushort 0
+>>>>>>>>>>4 ushort 0
>>>>>>>>>>>0 use foxpro-memo-print
# dBASE III DBT , garbage
->>>>>>>>>6 ubeshort 0
+>>>>>>>>>6 ubeshort 0
# skip MM*DD*.bin by test for for reserved NULL byte
->>>>>>>>>>510 ubeshort 0
+>>>>>>>>>>510 ubeshort 0
# skip TK-DOS11.img image by looking for memo text
->>>>>>>>>>>512 ubelong <0xfeffff03
+>>>>>>>>>>>512 ubelong <0xfeffff03
# skip EFI executables by looking for memo text
->>>>>>>>>>>>512 ubelong >0x1F202020
->>>>>>>>>>>>>513 ubyte >0
+>>>>>>>>>>>>512 ubelong >0x1F202020
+>>>>>>>>>>>>>513 ubyte >0
# unusual dBASE III DBT like adressen.dbt
>>>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE III DBT like angest.dbt, or garbage PCX DBF
->>>>>>>>8 ubelong !0
+>>>>>>>>8 ubelong !0
# skip PCX and some DBF by test for for reserved NULL bytes
->>>>>>>>>510 ubeshort 0
+>>>>>>>>>510 ubeshort 0
# skip some DBF by test of invalid version
->>>>>>>>>>0 ubyte >5
->>>>>>>>>>>0 ubyte <48
+>>>>>>>>>>0 ubyte >5
+>>>>>>>>>>>0 ubyte <48
>>>>>>>>>>>>0 use dbase3-memo-print
# dBASE IV DBT with positive block size
->>>>>>>20 uleshort >0
-# dBASE IV DBT with valid block length like 512, 1024
+>>>>>>>20 uleshort >0
+# dBASE IV DBT with valid block length like 512, 1024
# multiple of 2 in between 16 and 16 K ,implies upper and lower bits are zero
->>>>>>>>20 uleshort&0x800f 0
+>>>>>>>>20 uleshort&0x800f 0
>>>>>>>>>0 use dbase4-memo-print
-# Print the information of dBase III DBT memo file
+# Print the information of dBase III DBT memo file
0 name dbase3-memo-print
>0 ubyte x dBase III DBT
# instead 3 as version number 0 for unusual examples like biblio.dbt
@@ -395,20 +395,20 @@
>20 uleshort !0 \b, block length %u
# dBase III memo field terminated by \032\032
>512 string >\0 \b, 1st item "%s"
-# Print the information of dBase IV DBT memo file
+# Print the information of dBase IV DBT memo file
0 name dbase4-memo-print
>0 lelong x dBase IV DBT
!:mime application/x-dbt
!:ext dbt
# 8 character shorted main name of coresponding dBASE IV DBF file
->8 ubelong >0x20000000
+>8 ubelong >0x20000000
# skip unusual like for angest.dbt
->>20 uleshort >0
+>>20 uleshort >0
>>>8 string >\0 \b of %-.8s.DBF
# value 0 implies 512 as size
#>4 ulelong =0 \b, blocks size %u
# size of blocks not reliable like 0x2020204C in angest.dbt
->4 ulelong !0
+>4 ulelong !0
>>4 ulelong&0x0000003f 0 \b, blocks size %u
# dBase IV DBT with positive block length (found 512 , 1024)
>20 uleshort >0 \b, block length %u
@@ -415,25 +415,25 @@
# next available block
#>0 lelong =0 \b, next free block index %u
>0 lelong !0 \b, next free block index %u
->20 uleshort >0
->>(20.s) ubelong x
+>20 uleshort >0
+>>(20.s) ubelong x
>>>&-4 use dbase4-memofield-print
# unusual dBase IV DBT without block length (implies 512 as length)
->20 uleshort =0
->>512 ubelong x
+>20 uleshort =0
+>>512 ubelong x
>>>&-4 use dbase4-memofield-print
-# Print the information of dBase IV memo field
+# Print the information of dBase IV memo field
0 name dbase4-memofield-print
# free dBase IV memo field
->0 ubelong !0xFFFF0800
+>0 ubelong !0xFFFF0800
>>0 lelong x \b, next free block %u
>>4 lelong x \b, next used block %u
# used dBase IV memo field
->0 ubelong =0xFFFF0800
+>0 ubelong =0xFFFF0800
# length of memo field
>>4 lelong x \b, field length %d
>>>8 string >\0 \b, 1st used item "%s"
-# Print the information of FoxPro FPT memo file
+# Print the information of FoxPro FPT memo file
0 name foxpro-memo-print
>0 belong x FoxPro FPT
# Size of blocks for FoxPro ( 64,256 )
@@ -441,14 +441,14 @@
# next available block
#>0 belong =0 \b, next free block index %u
>0 belong !0 \b, next free block index %u
-# field type ( 0~picture, 1~memo, 2~object )
+# field type ( 0~picture, 1~memo, 2~object )
>512 ubelong <3 \b, field type %u
# length of memo field
->512 ubelong 1
+>512 ubelong 1
>>516 belong >0 \b, field length %d
>>>520 string >\0 \b, 1st item "%s"
-# TODO:
+# TODO:
# DBASE index file *.NDX
# DBASE Compound Index file *.CDX
# dBASE IV Printer Driver *.PRF
@@ -465,9 +465,9 @@
# Reference: https://github.com/libyal/libesedb/archive/master.zip
# libesedb-master/documentation/
# Extensible Storage Engine (ESE) Database File (EDB) format.asciidoc
-# Note: also known as "JET Blue". Used by numerous Windows components such as
+# Note: also known as "JET Blue". Used by numerous Windows components such as
# Windows Search, Mail, Exchange and Active Directory.
-4 ubelong 0xefcdab89
+4 ubelong 0xefcdab89
# unknown1
>132 ubelong 0 Extensible storage engine
!:mime application/x-ms-ese
@@ -497,8 +497,8 @@
# From: Joerg Jenderek
# URL: http://forensicswiki.org/wiki/Windows_Application_Compatibility
# Note: files contain application compatibility fixes, application compatibility modes and application help messages.
-8 string sdbf
->7 ubyte 0
+8 string sdbf
+>7 ubyte 0
# TAG_TYPE_LIST+TAG_INDEXES
>>12 uleshort 0x7802 Windows application compatibility Shim DataBase
# version? 2 3
@@ -600,10 +600,10 @@
# Reference: http://www.provue.com/Panorama/
# From: Joerg Jenderek
# NOTE: test only versions 4 and 6.0 with Windows
-# length of Panorama database name
-5 ubyte >0
+# length of Panorama database name
+5 ubyte >0
# look after database name for "some" null bits
->(5.B+7) ubelong&0xF3ffF000 0
+>(5.B+7) ubelong&0xF3ffF000 0
# look for first keyword
>>&1 search/2 DESIGN Panorama database
#!:mime application/x-panorama-database
@@ -622,3 +622,13 @@
# MUIbase Database Tool by Stefan A. Haubenthal <polluks@web.de>
0 string MBSTV\040 MUIbase DB
>6 string x version %s
+
+#
+# CDB database
+0 string NBCDB\012 NetBSD Constant Database
+>7 byte x \b, version %d
+>8 string x \b, for '%s'
+>24 lelong x \b, datasize %d
+>28 lelong x \b, entries %d
+>32 lelong x \b, index %d
+>36 lelong x \b, seed %#x
Index: contrib/file/magic/Magdir/dump
===================================================================
--- contrib/file/magic/Magdir/dump (版本 330566)
+++ contrib/file/magic/Magdir/dump (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: dump,v 1.13 2014/04/30 21:41:02 christos Exp $
+# $File: dump,v 1.16 2017/07/22 19:21:02 christos Exp $
# dump: file(1) magic for dump file format--for new and old dump filesystems
#
# We specify both byte orders in order to recognize byte-swapped dumps.
@@ -62,23 +62,25 @@
>824 string >\0 Host %s,
>888 belong >0 Flags %x
-24 belong 60012 new-fs dump file (big endian),
+24 belong 60012 new-fs dump file (big endian),
>0 use new-dump-be
-24 belong 60011 old-fs dump file (big endian),
+24 belong 60011 old-fs dump file (big endian),
>0 use old-dump-be
-24 lelong 60012 new-fs dump file (little endian),
+24 lelong 60012 new-fs dump file (little endian),
+# to correctly recognize '*.mo' GNU message catalog (little endian)
+!:strength - 15
>0 use \^new-dump-be
-24 lelong 60011 old-fs dump file (little endian),
+24 lelong 60011 old-fs dump file (little endian),
>0 use \^old-dump-be
-24 belong 0x19540119 new-fs dump file (ufs2, big endian),
+24 belong 0x19540119 new-fs dump file (ufs2, big endian),
>0 use ufs2-dump-be
-24 lelong 0x19540119 new-fs dump file (ufs2, little endian),
+24 lelong 0x19540119 new-fs dump file (ufs2, little endian),
>0 use \^ufs2-dump-be
18 leshort 60011 old-fs dump file (16-bit, assuming PDP-11 endianness),
Index: contrib/file/magic/Magdir/flash
===================================================================
--- contrib/file/magic/Magdir/flash (版本 330566)
+++ contrib/file/magic/Magdir/flash (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: flash,v 1.11 2014/05/02 00:26:49 christos Exp $
+# $File: flash,v 1.14 2017/05/25 20:09:55 christos Exp $
# flash: file(1) magic for Macromedia Flash file format
#
# See
@@ -10,24 +10,46 @@
# en/devnet/swf/pdf/swf-file-format-spec.pdf page 27
#
-0 name swf-details
->0 string F Macromedia Flash data
+0 name swf-details
+
+>0 string F
+>>8 byte&0xfd 0x08 Macromedia Flash data
!:mime application/x-shockwave-flash
->0 string C Macromedia Flash data (compressed)
+>>>3 byte x \b, version %d
+>>8 byte&0xfe 0x10 Macromedia Flash data
!:mime application/x-shockwave-flash
->0 string Z Macromedia Flash data (lzma compressed)
+>>>3 byte x \b, version %d
+>>8 byte 0x18 Macromedia Flash data
!:mime application/x-shockwave-flash
->3 byte x \b, version %d
+>>>3 byte x \b, version %d
+>>8 beshort&0xff87 0x2000 Macromedia Flash data
+!:mime application/x-shockwave-flash
+>>>3 byte x \b, version %d
+>>8 beshort&0xffe0 0x3000 Macromedia Flash data
+!:mime application/x-shockwave-flash
+>>>3 byte x \b, version %d
+>>8 byte&0x7 0
+>>>8 ubyte >0x2f
+>>>>9 ubyte <0x20 Macromedia Flash data
+!:mime application/x-shockwave-flash
+>>>>>3 byte x \b, version %d
-1 string WS
->4 lelong !0
->>3 byte 255 Suspicious
->>>0 use swf-details
+>0 string C
+>>8 byte 0x78 Macromedia Flash data (compressed)
+!:mime application/x-shockwave-flash
+>>>3 byte x \b, version %d
->>3 ubyte <32
->>>3 ubyte !0
->>>>0 use swf-details
+>0 string Z
+>>8 byte 0x5d Macromedia Flash data (lzma compressed)
+!:mime application/x-shockwave-flash
+>>>3 byte x \b, version %d
+
+1 string WS
+>4 ulelong >14
+>>3 ubyte !0
+>>>0 use swf-details
+
# From: Cal Peake <cp@absolutedigital.net>
0 string FLV\x01 Macromedia Flash Video
!:mime video/x-flv
@@ -34,7 +56,7 @@
#
# Yosu Gomez
-0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document
-0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document
+0 string AGD2\xbe\xb8\xbb\xcd\x00 Macromedia Freehand 7 Document
+0 string AGD3\xbe\xb8\xbb\xcc\x00 Macromedia Freehand 8 Document
# From Dave Wilson
-0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document
+0 string AGD4\xbe\xb8\xbb\xcb\x00 Macromedia Freehand 9 Document
Index: contrib/file/magic/Magdir/gconv
===================================================================
--- contrib/file/magic/Magdir/gconv (不存在的)
+++ contrib/file/magic/Magdir/gconv (版本 330908)
@@ -0,0 +1,10 @@
+
+#------------------------------------------------------------------------------
+# $File: gconv
+# gconv: file(1) magic for iconv/gconv module configuration cache
+#
+# Magic number defined in glibc/iconv/iconvconfig.h as GCONVCACHE_MAGIC
+#
+# From: Marek Cermak <macermak@redhat.com>
+#
+0 lelong 0x20010324 gconv module configuration cache data
Index: contrib/file/magic/Magdir/gpu
===================================================================
--- contrib/file/magic/Magdir/gpu (不存在的)
+++ contrib/file/magic/Magdir/gpu (版本 330908)
@@ -0,0 +1,28 @@
+
+#------------------------------------------------------------------------------
+# $File: gpu,v 1.2 2017/03/23 22:11:53 christos Exp $
+# gpu: file(1) magic for GPU input files
+
+# Standard Portable Intermediate Representation (SPIR)
+# Documentation: https://www.khronos.org/spir
+# Typical file extension: .spv
+
+0 belong 0x07230203 Khronos SPIR-V binary, big-endian
+>4 belong x \b, version 0x%08x
+>8 belong x \b, generator 0x%08x
+
+0 lelong 0x07230203 Khronos SPIR-V binary, little-endian
+>4 lelong x \b, version 0x%08x
+>8 lelong x \b, generator 0x%08x
+
+# Vulkan Trace file
+# Documentation:
+# https://github.com/LunarG/VulkanTools/blob/master/vktrace/vktrace_common/\
+# vktrace_trace_packet_identifiers.h
+# Typical file extension: .vktrace
+
+8 lequad 0xABADD068ADEAFD0C Vulkan trace file, little-endian
+>0 leshort x \b, version %d
+
+8 bequad 0xABADD068ADEAFD0C Vulkan trace file, big-endian
+>0 beshort x \b, version %d
Index: contrib/file/magic/Magdir/os2
===================================================================
--- contrib/file/magic/Magdir/os2 (版本 330566)
+++ contrib/file/magic/Magdir/os2 (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: os2,v 1.9 2016/05/11 15:51:57 christos Exp $
+# $File: os2,v 1.10 2017/03/17 21:35:28 christos Exp $
# os2: file(1) magic for OS/2 files
#
@@ -25,7 +25,7 @@
#>5 string >\ (Local file) <%s>
# >>>>> OS/2 INF/HLP <<<<< (source: Daniel Dissett ddissett@netcom.com)
-# Carl Hauser (chauser.parc@xerox.com) and
+# Carl Hauser (chauser.parc@xerox.com) and
# Marcus Groeber (marcusg@ph-cip.uni-koeln.de)
# list the following header format in inf02a.doc:
#
@@ -35,11 +35,11 @@
# // bit 0: set if INF style file
# // bit 4: set if HLP style file
# // patching this byte allows reading HLP files
-# // using the VIEW command, while help files
+# // using the VIEW command, while help files
# // seem to work with INF settings here as well.
# int16 hdrsize; // total size of header
# int16 unknown2; // unknown purpose
-#
+#
0 string HSP\x01\x9b\x00 OS/2 INF
>107 string >0 (%s)
0 string HSP\x10\x9b\x00 OS/2 HLP
Index: contrib/file/magic/Magdir/pc98
===================================================================
--- contrib/file/magic/Magdir/pc98 (版本 330566)
+++ contrib/file/magic/Magdir/pc98 (版本 330908)
@@ -8,7 +8,7 @@
# http://www.jisyo.com/viewer/faq/maki_tech.htm
0 string/b MAKI01 Maki-chan v1.
>6 ubyte|0x20 x \b%c image
->8 ubelong >0x40404040 \b, system ID:
+>8 ubelong >0x40404040 \b, system ID:
>>8 byte x %c
>>9 byte x \b%c
>>10 byte x \b%c
Index: contrib/file/magic/Magdir/pgf
===================================================================
--- contrib/file/magic/Magdir/pgf (版本 330566)
+++ contrib/file/magic/Magdir/pgf (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: pgf,v 1.1 2013/04/22 15:19:49 christos Exp $
+# $File: pgf,v 1.2 2017/03/17 21:35:28 christos Exp $
# pgf: file(1) magic for Progressive Graphics File (PGF)
#
# <http://www.libpgf.org/uploads/media/PGF_Details_01.pdf>
@@ -42,7 +42,7 @@
>>20 byte 19 RGB color 12,
>>20 byte 20 RGB color 16,
>>20 byte 255 unknown format,
->>20 default x format
+>>20 default x format
>>>20 byte x \b %d,
>>21 byte x %d bpc
# PGFPostHeader
Index: contrib/file/magic/Magdir/psdbms
===================================================================
--- contrib/file/magic/Magdir/psdbms (版本 330566)
+++ contrib/file/magic/Magdir/psdbms (版本 330908)
@@ -1,12 +1,12 @@
#------------------------------------------------------------------------------
-# $File: psdbms,v 1.7 2016/01/08 00:41:02 christos Exp $
+# $File: psdbms,v 1.8 2017/03/17 21:35:28 christos Exp $
# psdbms: file(1) magic for psdatabase
#
# Update: Joerg Jenderek
# GRR: line below too general as it catches also some Panorama database *.pan ,
# AppleWorks word processor
-0 belong&0xff00ffff 0x56000000
+0 belong&0xff00ffff 0x56000000
# assume version starts with digit
>1 regex/s =^[0-9] ps database
>>1 string >\0 version %s
Index: contrib/file/magic/Magdir/sccs
===================================================================
--- contrib/file/magic/Magdir/sccs (版本 330566)
+++ contrib/file/magic/Magdir/sccs (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: sccs,v 1.6 2009/09/19 16:28:12 christos Exp $
+# $File: sccs,v 1.7 2017/03/17 21:35:28 christos Exp $
# sccs: file(1) magic for SCCS archives
#
# SCCS archive structure:
@@ -17,6 +17,6 @@
# Maybe we should just switch everybody from SCCS to RCS!
# Further, you can't just say '\001h0', because the five-digit number
# is a checksum that could (presumably) have any leading digit,
-# and we don't have regular expression matching yet.
+# and we don't have regular expression matching yet.
# Hence the following official kludge:
8 string \001s\ SCCS archive data
Index: contrib/file/magic/Magdir/sgml
===================================================================
--- contrib/file/magic/Magdir/sgml (版本 330566)
+++ contrib/file/magic/Magdir/sgml (版本 330908)
@@ -1,8 +1,10 @@
-#------------------------------------------------------------------------------ # $File: sgml,v 1.34 2016/09/11 13:56:42 christos Exp $
+
+#------------------------------------------------------------------------------
+# $File: sgml,v 1.37 2017/07/23 08:23:33 christos Exp $
# Type: SVG Vectorial Graphics
# From: Noel Torres <tecnico@ejerciciosresueltos.com>
-0 string \<?xml\ version="
->15 string >\0
+0 string \<?xml\ version=
+>14 regex ['"\ \t]*[0-9.]+['"\ \t]*
>>19 search/4096 \<svg SVG Scalable Vector Graphics image
!:mime image/svg+xml
>>19 search/4096 \<gnc-v2 GnuCash file
@@ -11,8 +13,8 @@
!:mime image/svg
# Sitemap file
-0 string/t \<?xml\ version="
->15 string >\0
+0 string/t \<?xml\ version=
+>14 regex ['"\ \t]*[0-9.]+['"\ \t]*
>>19 search/4096 \<urlset XML Sitemap document text
!:mime application/xml-sitemap
@@ -19,8 +21,8 @@
# OpenStreetMap XML (.osm)
# http://wiki.openstreetmap.org/wiki/OSM_XML
# From: Markus Heidelberg <markus.heidelberg@web.de>
-0 string \<?xml\ version="
->15 string >\0
+0 string \<?xml\ version=
+>14 regex ['"\ \t]*[0-9.]+['"\ \t]*
>>19 search/4096 \<osm OpenStreetMap XML data
# xhtml
@@ -46,6 +48,12 @@
!:mime text/html
!:strength + 5
+# SVG document
+# https://www.w3.org/TR/SVG/single-page.html
+0 search/4096/cWbt \<!doctype\ svg SVG XML document
+!:mime image/svg+xml
+!:strength + 5
+
0 search/4096/cwt \<head\> HTML document text
!:mime text/html
!:strength + 5
Index: contrib/file/magic/Magdir/ssl
===================================================================
--- contrib/file/magic/Magdir/ssl (版本 330566)
+++ contrib/file/magic/Magdir/ssl (版本 330908)
@@ -1,8 +1,20 @@
+
+#------------------------------------------------------------------------------
+# $File: ssl,v 1.4 2017/01/22 21:14:25 christos Exp $
+# ssl: file(1) magic for SSL file formats
+
# Type: OpenSSL certificates/key files
# From: Nicolas Collignon <tsointsoin@gmail.com>
-0 string -----BEGIN\ CERTIFICATE----- PEM certificate
-0 string -----BEGIN\ CERTIFICATE\ REQ PEM certificate request
-0 string -----BEGIN\ RSA\ PRIVATE PEM RSA private key
-0 string -----BEGIN\ DSA\ PRIVATE PEM DSA private key
-0 string -----BEGIN\ EC\ PRIVATE PEM EC private key
+0 string -----BEGIN\040CERTIFICATE----- PEM certificate
+0 string -----BEGIN\040CERTIFICATE\040REQ PEM certificate request
+0 string -----BEGIN\040RSA\040PRIVATE PEM RSA private key
+0 string -----BEGIN\040DSA\040PRIVATE PEM DSA private key
+0 string -----BEGIN\040EC\040PRIVATE PEM EC private key
+0 string -----BEGIN\040ECDSA\040PRIVATE PEM ECDSA private key
+
+# From Luc Gommans
+# OpenSSL enc file (recognized by a magic string preceding the password's salt)
+0 string Salted__ openssl enc'd data with salted password
+# Using the -a or -base64 option, OpenSSL will base64-encode the data.
+0 string U2FsdGVkX19 openssl enc'd data with salted password, base64 encoded
Index: contrib/file/magic/Magdir/vmware
===================================================================
--- contrib/file/magic/Magdir/vmware (版本 330566)
+++ contrib/file/magic/Magdir/vmware (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: vmware,v 1.7 2009/09/19 16:28:13 christos Exp $
+# $File: vmware,v 1.8 2017/03/17 21:35:28 christos Exp $
# VMware specific files (deducted from version 1.1 and log file entries)
# Anthon van der Neut (anthon@mnt.org)
-0 belong 0x4d52564e VMware nvram
+0 belong 0x4d52564e VMware nvram
Index: contrib/file/magic/Magdir/windows
===================================================================
--- contrib/file/magic/Magdir/windows (版本 330566)
+++ contrib/file/magic/Magdir/windows (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: windows,v 1.14 2015/12/15 01:06:17 christos Exp $
+# $File: windows,v 1.16 2017/03/17 22:20:22 christos Exp $
# windows: file(1) magic for Microsoft Windows
#
# This file is mainly reserved for files where programs
@@ -29,7 +29,7 @@
# Created by: Andreas Schuster (http://computer.forensikblog.de/)
# Reference (1): http://computer.forensikblog.de/en/2008/02/64bit_magic.html
# Modified by (1): Abel Cheung (Avoid match with first 4 bytes only)
-0 string PAGE
+0 string PAGE
>4 string DUMP MS Windows 32bit crash dump
>>0x05c byte 0 \b, no PAE
>>0x05c byte 1 \b, PAE
@@ -66,13 +66,13 @@
# Summary: Old format help files
# URL: https://en.wikipedia.org/wiki/WinHelp
# Reference: http://www.oocities.org/mwinterhoff/helpfile.htm
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# Created by: Dirk Jagdmann <doj@cubic.org>
#
# check and then display version and date inside MS Windows HeLP file fragment
0 name help-ver-date
# look for Magic of SYSTEMHEADER
->0 leshort 0x036C
+>0 leshort 0x036C
# version Major 1 for right file fragment
>>4 leshort 1 Windows
# print non empty string above to avoid error message
@@ -93,7 +93,7 @@
>>>6 ldate x \b, %s
#
# Magic for HeLP files
-0 lelong 0x00035f3f
+0 lelong 0x00035f3f
# ./windows (version 5.25) labeled the entry as "MS Windows 3.x help file"
# file header magic 0x293B at DirectoryStart+9
>(4.l+9) uleshort 0x293B MS
@@ -101,7 +101,7 @@
>>0xD4 string =\x62\x6D\x66\x01\x00 Windows help annotation
!:mime application/x-winhelp
!:ext ann
->>0xD4 string !\x62\x6D\x66\x01\x00
+>>0xD4 string !\x62\x6D\x66\x01\x00
# "GID Help index" by TrID
>>>(4.l+0x65) string =|Pete Windows help Global Index
!:mime application/x-winhelp
@@ -108,30 +108,30 @@
!:ext gid
# HeLP Bookmark or
# "Windows HELP File" by TrID
->>>(4.l+0x65) string !|Pete
+>>>(4.l+0x65) string !|Pete
# maybe there exist a cleaner way to detect HeLP fragments
# brute search for Magic 0x036C with matching Major maximal 7 iterations
# discapp.hlp
->>>>16 search/0x49AF/s \x6c\x03
+>>>>16 search/0x49AF/s \x6c\x03
>>>>>&0 use help-ver-date
->>>>>&4 leshort !1
+>>>>>&4 leshort !1
# putty.hlp
->>>>>>&0 search/0x69AF/s \x6c\x03
+>>>>>>&0 search/0x69AF/s \x6c\x03
>>>>>>>&0 use help-ver-date
->>>>>>>&4 leshort !1
->>>>>>>>&0 search/0x49AF/s \x6c\x03
+>>>>>>>&4 leshort !1
+>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>&0 use help-ver-date
->>>>>>>>>&4 leshort !1
->>>>>>>>>>&0 search/0x49AF/s \x6c\x03
+>>>>>>>>>&4 leshort !1
+>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>&0 use help-ver-date
->>>>>>>>>>>&4 leshort !1
->>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
+>>>>>>>>>>>&4 leshort !1
+>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>>>&0 use help-ver-date
->>>>>>>>>>>>>&4 leshort !1
->>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
+>>>>>>>>>>>>>&4 leshort !1
+>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
>>>>>>>>>>>>>>>&0 use help-ver-date
->>>>>>>>>>>>>>>&4 leshort !1
->>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
+>>>>>>>>>>>>>>>&4 leshort !1
+>>>>>>>>>>>>>>>>&0 search/0x49AF/s \x6c\x03
# GCC.HLP is detected after 7 iterations
>>>>>>>>>>>>>>>>>&0 use help-ver-date
# this only happens if bigger hlp file is detected after used search iterations
@@ -139,7 +139,7 @@
!:mime application/winhelp
!:ext hlp
# repeat search again or following default line does not work
->>>>16 search/0x49AF/s \x6c\x03
+>>>>16 search/0x49AF/s \x6c\x03
# remaining files should be HeLP Bookmark WinHlp32.BMK (XP 32-bit) or WinHlp32 (Windows 8.1 64-bit)
>>>>16 default x Windows help Bookmark
!:mime application/x-winhelp
@@ -180,21 +180,21 @@
#>>(4.l+47) ubequad x \b, PageStart 0x%16.16llx
# start with colon or semicolon for comment line like Back2Life.cnt
-0 regex \^(:|;)
+0 regex \^(:|;)
# look for first keyword Base
->0 search/45 :Base
+>0 search/45 :Base
>>&0 use cnt-name
# only solution to search again from beginning , because relative offsets changes when use is called
->0 search/45 :Base
->0 default x
+>0 search/45 :Base
+>0 default x
# look for other keyword Title like in putty.cnt
->>0 search/45 :Title
+>>0 search/45 :Title
>>>&0 use cnt-name
#
# display mime type and name of Windows help Content source
0 name cnt-name
# skip space at beginning
->0 string \
+>0 string \040
# name without extension and greater character or name with hlp extension
>>1 regex/c \^([^\xd>]*|.*\.hlp) MS Windows help file Content, based "%s"
!:mime text/plain
@@ -210,10 +210,10 @@
# Summary: Hyper terminal
# Extension: .ht
# Created by: unknown
-0 string HyperTerminal\
+0 string HyperTerminal\040
>15 string 1.0\ --\ HyperTerminal\ data\ file MS Windows HyperTerminal profile
-# http://ithreats.files.wordpress.com/2009/05/\
+# http://ithreats.files.wordpress.com/2009/05/\040
# lnk_the_windows_shortcut_file_format.pdf
# Summary: Windows shortcut
# Extension: .lnk
@@ -293,7 +293,7 @@
# Extension: .reg
# Submitted by: Abel Cheung <abelcheung@gmail.com>
0 string REGEDIT4\r\n\r\n Windows Registry text (Win95 or above)
-0 string Windows\ Registry\ Editor\
+0 string Windows\ Registry\ Editor\040
>&0 string Version\ 5.00\r\n\r\n Windows Registry text (Win2K or above)
# Windows *.INF *.INI files updated by Joerg Jenderek at Apr 2013
@@ -301,10 +301,10 @@
# PR/383: remove unicode BOM because it is not portable across regex impls
0 regex/s \\`(\\r\\n|;|[[])
# left bracket in section line
->&0 search/8192 [
+>&0 search/8192 [
# http://en.wikipedia.org/wiki/Autorun.inf
# http://msdn.microsoft.com/en-us/library/windows/desktop/cc144200.aspx
->>&0 regex/c \^(autorun)]\r\n
+>>&0 regex/c \^(autorun)]\r\n
>>>&0 ubyte =0x5b INItialization configuration
!:mime application/x-wine-extension-ini
# From: Pal Tamas <folti@balabit.hu>
@@ -343,31 +343,31 @@
# http://en.wikipedia.org/wiki/NTLDR Windows Boot Loader information
>>&0 regex/c \^(boot\x20loader)] Windows boot.ini
!:mime application/x-wine-extension-ini
->>>&0 ubyte x
+>>>&0 ubyte x
# http://en.wikipedia.org/wiki/CONFIG.SYS
>>&0 regex/c \^(menu)]\r\n MS-DOS CONFIG.SYS
# http://support.microsoft.com/kb/118579/
>>&0 regex/c \^(Paths)]\r\n MS-DOS MSDOS.SYS
# VERS string unicoded case-independent
->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053
+>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053
# ION] string unicoded case-independent
->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation
+>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation
!:mime application/x-setupscript
# STRI string unicoded case-independent
->>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049
+>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0053005400520049
# NGS] string unicoded case-independent
->>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation
+>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x004e00470053005D Windows setup INFormation
!:mime application/x-setupscript
# unknown keyword after opening bracket
->>&0 default x
->>>&0 search/8192 [
+>>&0 default x
+>>>&0 search/8192 [
# version Strings FileIdentification
->>>>&0 string/c version Windows setup INFormation
+>>>>&0 string/c version Windows setup INFormation
!:mime application/x-setupscript
# VERS string unicoded case-independent
->>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053
+>>>>&0 ubequad&0xFFdfFFdfFFdfFFdf 0x0056004500520053
# ION] string unicoded case-independent
->>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation
+>>>>>&0 ubequad&0xFFdfFFdfFFdfFFff 0x0049004f004e005d Windows setup INFormation
!:mime application/x-setupscript
# http://en.wikipedia.org/wiki/Initialization_file Windows Initialization File or other
#>>>>&0 default x Generic INItialization configuration
@@ -376,21 +376,21 @@
# Windows Precompiled INF files *.PNF added by Joerg Jenderek at Mar 2013 of _PNF_HEADER inf.h
# http://read.pudn.com/downloads3/sourcecode/windows/248345/win2k/private/windows/setup/setupapi/inf.h__.htm
# GRR: line below too general as it catches also PDP-11 UNIX/RT ldp
-0 leshort&0xFeFe 0x0000
+0 leshort&0xFeFe 0x0000
!:strength -5
# test for unused null bits in PNF_FLAGs
->4 ulelong&0xFCffFe00 0x00000000
+>4 ulelong&0xFCffFe00 0x00000000
# only found 58h for Offset of WinDirPath immediately after _PNF_HEADER structure
->>68 ulelong >0x57
+>>68 ulelong >0x57
# test for zero high byte of InfValueBlockSize, followed by WinDirPath like
# C:\WINDOWS (ASCII 0x433a5c.. , unicode 0x43003a005c..) or X:\MININT
>>>(68.l-1) ubelong&0xffE0C519 =0x00400018 Windows Precompiled iNF
!:mime application/x-pnf
# currently only found Major Version=1 and Minor Version=1
-#>>>>0 uleshort =0x0101
+#>>>>0 uleshort =0x0101
#>>>>>1 ubyte x \b, version %u
#>>>>>0 ubyte x \b.%u
->>>>0 uleshort !0x0101
+>>>>0 uleshort !0x0101
>>>>>1 ubyte x \b, version %u
>>>>>0 ubyte x \b.%u
# 1 ,2 (windows 98 SE)
@@ -416,10 +416,10 @@
#>>>>16 ulelong x \b, InfVersionDataSize 0x%x
# only found positive values lower 0x00ffFFff for InfVersionDataOffset
>>>>20 ulelong x \b, at 0x%x
->>>>4 ulelong&0x00000001 =0x00000001
-# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
+>>>>4 ulelong&0x00000001 =0x00000001
+# case independent: CatalogFile Class DriverVer layoutfile LayoutFile SetupClass signature Signature
>>>>>(20.l) lestring16 x "%s"
->>>>4 ulelong&0x00000001 !0x00000001
+>>>>4 ulelong&0x00000001 !0x00000001
>>>>>(20.l) string x "%s"
# FILETIME is number of 100-nanosecond intervals since 1 January 1601
#>>>>24 ulequad x \b, InfVersionLastWriteTime %16.16llx
@@ -435,23 +435,23 @@
#>>>>64 ulelong x \b, InfValueBlockSize 0x%x
# WinDirPathOffset
#>>>>68 ulelong x \b, at 0x%x
->>>>68 ulelong >0x57
->>>>>4 ulelong&0x00000001 =0x00000001
->>>>>>(68.l) ubequad =0x43003a005c005700
+>>>>68 ulelong >0x57
+>>>>>4 ulelong&0x00000001 =0x00000001
+>>>>>>(68.l) ubequad =0x43003a005c005700
# normally unicoded C:\Windows
#>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
->>>>>>(68.l) ubequad !0x43003a005c005700
+>>>>>>(68.l) ubequad !0x43003a005c005700
>>>>>>>(68.l) lestring16 x \b, WinDirPath "%s"
->>>>>4 ulelong&0x00000001 !0x00000001
+>>>>>4 ulelong&0x00000001 !0x00000001
# normally ASCII C:\WINDOWS
#>>>>>>(68.l) string =C:\\WINDOWS \b, WinDirPath "%s"
>>>>>>(68.l) string !C:\\WINDOWS \b, WinDirPath "%s"
-# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
+# found OsLoaderPathOffset values often 0 , once 70h corelist.PNF, once 68h ASCII machine.PNF
#>>>>72 ulelong >0 \b, at 0x%x
>>>>72 ulelong >0 \b,
->>>>>4 ulelong&0x00000001 =0x00000001
+>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(72.l) lestring16 x OsLoaderPath "%s"
->>>>>4 ulelong&0x00000001 !0x00000001
+>>>>>4 ulelong&0x00000001 !0x00000001
# seldom C:\ instead empty
>>>>>>(72.l) string x OsLoaderPath "%s"
# 1fdh
@@ -462,16 +462,16 @@
# InfSourcePathOffset often 0
#>>>>80 ulelong >0 \b, at 0x%x
>>>>80 ulelong >0 \b,
->>>>>4 ulelong&0x00000001 =0x00000001
+>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(80.l) lestring16 x SourcePath "%s"
->>>>>4 ulelong&0x00000001 !0x00000001
+>>>>>4 ulelong&0x00000001 !0x00000001
>>>>>>(80.l) string >\0 SourcePath "%s"
# OriginalInfNameOffset often 0
#>>>>84 ulelong >0 \b, at 0x%x
>>>>84 ulelong >0 \b,
->>>>>4 ulelong&0x00000001 =0x00000001
+>>>>>4 ulelong&0x00000001 =0x00000001
>>>>>>(84.l) lestring16 x InfName "%s"
->>>>>4 ulelong&0x00000001 !0x00000001
+>>>>>4 ulelong&0x00000001 !0x00000001
>>>>>>(84.l) string >\0 InfName "%s"
# Summary: backup file created with utility like NTBACKUP.EXE shipped with Windows NT/2K/XP/2003
@@ -480,13 +480,13 @@
# URL: http://en.wikipedia.org/wiki/NTBackup
# Reference: http://laytongraphics.com/mtf/MTF_100a.PDF
# Descriptor BloCK name of Microsoft Tape Format
-0 string TAPE
+0 string TAPE
# Format Logical Address is zero
->20 ulequad 0
+>20 ulequad 0
# Reserved for MBC is zero
->>28 uleshort 0
+>>28 uleshort 0
# Control Block ID is zero
->>>36 ulelong 0
+>>>36 ulelong 0
# BIT4-BIT15, BIT18-BIT31 of block attributes are unused
>>>>4 ulelong&0xFFfcFFe0 0 Windows NTbackup archive
#!:mime application/x-ntbackup
@@ -508,7 +508,7 @@
>>>>>4 ulelong&0x00000004 !0 \b, compressed
# MTF_EOS_AT_EOM End Of Medium was hit during end of set processing
>>>>>4 ulelong&0x00000008 !0 \b, End Of Medium hit
->>>>>4 ulelong&0x00020000 0
+>>>>>4 ulelong&0x00020000 0
# MTF_SET_MAP_EXISTS A Media Based Catalog Set Map may exist on tape
>>>>>>4 ulelong&0x00010000 !0 \b, with catalog
# MTF_FDD_ALLOWED However File/Directory Detail can only exist if a Set Map is also present
@@ -531,24 +531,24 @@
# Media Based Catalog Type (1,2)
#>>>>>66 uleshort x \b, catalog type %4.4x
# size of Media Name (66,68,6Eh)
->>>>>68 uleshort >0
+>>>>>68 uleshort >0
# offset of Media Name (5Eh)
->>>>>>70 uleshort >0
+>>>>>>70 uleshort >0
# 0~, 1~ANSI, 2~UNICODE
->>>>>>>48 ubyte 1
+>>>>>>>48 ubyte 1
# size terminated ansi coded string normally followed by "MTF Media Label"
>>>>>>>>(70.s) string >\0 \b, name: %s
->>>>>>>48 ubyte 2
+>>>>>>>48 ubyte 2
# Not null, but size terminated unicoded string
>>>>>>>>(70.s) lestring16 x \b, name: %s
# size of Media Label (104h)
->>>>>72 uleshort >0
+>>>>>72 uleshort >0
# offset of Media Label (C4h,C6h,CCh)
->>>>>74 uleshort >0
->>>>>>48 ubyte 1
+>>>>>74 uleshort >0
+>>>>>>48 ubyte 1
#Tag|Version|Vendor|Vendor ID|Creation Time Stamp|Cartridge Label|Side|Media ID|Media Domain ID|Vendor Specific fields
>>>>>>>(74.s) string >\0 \b, label: %s
->>>>>>48 ubyte 2
+>>>>>>48 ubyte 2
>>>>>>>(74.s) lestring16 x \b, label: %s
# size of password name (0,1Ch)
#>>>>>76 uleshort >0 \b, password size %4.4x
@@ -555,13 +555,13 @@
# Software Vendor ID (CBEh)
>>>>>86 uleshort x \b, software (0x%x)
# size of Software Name (6Eh)
->>>>>80 uleshort >0
+>>>>>80 uleshort >0
# offset of Software Name (1C8h,1CAh,1D0h)
->>>>>>82 uleshort >0
+>>>>>>82 uleshort >0
# 1~ANSI, 2~UNICODE
->>>>>>>48 ubyte 1
+>>>>>>>48 ubyte 1
>>>>>>>>(82.s) string >\0 \b: %s
->>>>>>>48 ubyte 2
+>>>>>>>48 ubyte 2
# size terminated unicoded coded string normally followed by "SPAD"
>>>>>>>>(82.s) lestring16 x \b: %s
# Format Logical Block Size (512,1024)
Index: contrib/file/magic/Magdir/yara
===================================================================
--- contrib/file/magic/Magdir/yara (不存在的)
+++ contrib/file/magic/Magdir/yara (版本 330908)
@@ -0,0 +1,17 @@
+
+
+#------------------------------------------------------------------------------
+# $File: yara,v 1.2 2017/05/25 20:07:23 christos Exp $
+# yara: file(1) magic for http://virustotal.github.io/yara/
+#
+
+0 string YARA
+>4 lelong >2047
+>8 byte <20 YARA 3.x compiled rule set
+# version
+>>8 clear x
+>>8 byte 6 created with version 3.3.0
+>>8 byte 8 created with version 3.4.0
+>>8 byte 11 created with version 3.5.0
+>>8 default x
+>>>8 byte x development version 0x%02x
Index: contrib/file/magic/Magdir/xwindows
===================================================================
--- contrib/file/magic/Magdir/xwindows (版本 330566)
+++ contrib/file/magic/Magdir/xwindows (版本 330908)
@@ -1,9 +1,9 @@
#------------------------------------------------------------------------------
-# $File: xwindows,v 1.9 2014/04/30 21:41:02 christos Exp $
+# $File: xwindows,v 1.10 2017/03/17 21:35:28 christos Exp $
# xwindows: file(1) magic for various X/Window system file formats.
-# Compiled X Keymap
+# Compiled X Keymap
# XKM (compiled X keymap) files (including version and byte ordering)
1 string mkx Compiled XKB Keymap: lsb,
>0 byte >0 version %d
Index: contrib/file/magic/Magdir/ibm6000
===================================================================
--- contrib/file/magic/Magdir/ibm6000 (版本 330566)
+++ contrib/file/magic/Magdir/ibm6000 (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: ibm6000,v 1.12 2013/09/16 15:12:42 christos Exp $
+# $File: ibm6000,v 1.13 2017/03/17 21:35:28 christos Exp $
# ibm6000: file(1) magic for RS/6000 and the RT PC.
#
0 beshort 0x01df executable (RISC System/6000 V3.1) or obj module
@@ -21,7 +21,7 @@
0 beshort 0x01f7 64-bit XCOFF executable or object module
>20 belong 0 not stripped
# GRR: this test is still too general as it catches also many FATs of DOS filesystems
-4 belong &0x0feeddb0
+4 belong &0x0feeddb0
# real core dump could not be 32-bit and 64-bit together
>7 byte&0x03 !3 AIX core file
>>1 byte &0x01 fulldump
Index: contrib/file/magic/Magdir/isz
===================================================================
--- contrib/file/magic/Magdir/isz (版本 330566)
+++ contrib/file/magic/Magdir/isz (版本 330908)
@@ -1,7 +1,7 @@
#------------------------------------------------------------------------------
-# $File: isz,v 1.3 2014/04/30 21:41:02 christos Exp $
-# ISO Zipped file format
+# $File: isz,v 1.4 2017/03/17 21:35:28 christos Exp $
+# ISO Zipped file format
# http://www.ezbsystems.com/isz/iszspec.txt
0 string IsZ! ISO Zipped file
>4 byte x \b, header size %u
Index: contrib/file/magic/Magdir/linux
===================================================================
--- contrib/file/magic/Magdir/linux (版本 330566)
+++ contrib/file/magic/Magdir/linux (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: linux,v 1.63 2015/08/24 05:16:11 christos Exp $
+# $File: linux,v 1.64 2017/03/17 21:35:28 christos Exp $
# linux: file(1) magic for Linux files
#
# Values for Linux/i386 binaries, from Daniel Quinlan <quinlan@yggdrasil.com>
@@ -199,7 +199,7 @@
############################################################################
# Linux 8086 executable
0 lelong&0xFF0000FF 0xC30000E9 Linux-Dev86 executable, headerless
->5 string .
+>5 string .
>>4 string >\0 \b, libc version %s
0 lelong&0xFF00FFFF 0x4000301 Linux-8086 executable
@@ -213,7 +213,7 @@
>2 byte&0x40 !0 \b, A_PURE
>2 byte&0x80 !0 \b, A_TOVLY
>28 long !0 \b, not stripped
->37 string .
+>37 string .
>>36 string >\0 \b, libc version %s
# 0 lelong&0xFF00FFFF 0x10000301 ld86 I80386 executable
@@ -241,7 +241,7 @@
>24 lelong x %d symbols
>28 lelong x %d ocons
-# Linux Logical Volume Manager (LVM)
+# Linux Logical Volume Manager (LVM)
# Emmanuel VARAGNAT <emmanuel.varagnat@guzu.net>
#
# System ID, UUID and volume group name are 128 bytes long
@@ -301,7 +301,7 @@
>>&0x20 lequad x \b, size: %lld
0x618 string LVM2\ 001 LVM2 PV (Linux Logical Volume Manager)
->&(&-12.l-0x21) byte x
+>&(&-12.l-0x21) byte x
# display UUID in LVM format + display all 32 bytes (instead of max string length: 31)
>>&0x0 string >\x2f \b, UUID: %.6s
>>&0x6 string >\x2f \b-%.4s
@@ -340,7 +340,7 @@
# Summary: Xen saved domain file
# Created by: Radek Vokal <rvokal@redhat.com>
0 string LinuxGuestRecord Xen saved domain
->20 search/256 (name
+>20 search/256 (name
>>&1 string x (name %s)
# Type: Xen, the virtual machine monitor
@@ -397,7 +397,7 @@
>>0x1046 ubeshort x \b%04x
# Linux device tree:
-# File format description can be found in the Linux kernel sources at
+# File format description can be found in the Linux kernel sources at
# Documentation/devicetree/booting-without-of.txt
# From Christoph Biedl
0 belong 0xd00dfeed
Index: contrib/file/magic/Magdir/make
===================================================================
--- contrib/file/magic/Magdir/make (版本 330566)
+++ contrib/file/magic/Magdir/make (版本 330908)
@@ -1,7 +1,8 @@
#------------------------------------------------------------------------------
-# $File: make,v 1.2 2015/08/25 07:34:06 christos Exp $
+# $File: make,v 1.3 2016/12/10 14:21:29 christos Exp $
# make: file(1) magic for makefiles
#
+# URL: https://en.wikipedia.org/wiki/Make_(software)
0 regex/100l \^CFLAGS makefile script text
!:mime text/x-makefile
0 regex/100l \^VPATH makefile script text
@@ -10,12 +11,19 @@
!:mime text/x-makefile
0 regex/100l \^all: makefile script text
!:mime text/x-makefile
-0 regex/100l \^\.PRECIOUS makefile script text
+0 regex/100l \^\\.PRECIOUS makefile script text
!:mime text/x-makefile
-0 regex/100l \^\.BEGIN BSD makefile script text
+# Update: Joerg Jenderek
+# Reference: https://www.freebsd.org/cgi/man.cgi?make(1)
+# exclude grub-core\lib\libgcrypt\mpi\Makefile.am with "#BEGIN_ASM_LIST"
+# by additional escaping point character
+0 regex/100l \^\\.BEGIN BSD makefile script text with "%s"
!:mime text/x-makefile
-0 regex/100l \^\.include BSD makefile script text
+!:ext /mk
+# exclude MS Windows help file CoNtenT with ":include FOOBAR.CNT"
+# and NSIS script with "!include" by additional escaping point character
+0 regex/100l \^\\.include BSD makefile script text with "%s"
!:mime text/x-makefile
-
+!:ext /mk
0 regex/100l \^SUBDIRS automake makefile script text
!:mime text/x-makefile
Index: contrib/file/magic/Magdir/metastore
===================================================================
--- contrib/file/magic/Magdir/metastore (版本 330566)
+++ contrib/file/magic/Magdir/metastore (版本 330908)
@@ -1,8 +1,8 @@
#------------------------------------------------------------------------------
-# $File: metastore,v 1.1 2011/04/06 12:37:44 christos Exp $
+# $File: metastore,v 1.2 2017/03/17 21:35:28 christos Exp $
# metastore: file(1) magic for metastore files
# From: Thomas Wissen
# see http://david.hardeman.nu/software.php#metastore
-0 string MeTaSt00r3 Metastore data file,
+0 string MeTaSt00r3 Metastore data file,
>10 bequad x version %0llx
Index: contrib/file/magic/Magdir/misctools
===================================================================
--- contrib/file/magic/Magdir/misctools (版本 330566)
+++ contrib/file/magic/Magdir/misctools (版本 330908)
@@ -1,6 +1,6 @@
#-----------------------------------------------------------------------------
-# $File: misctools,v 1.16 2016/02/14 15:46:52 christos Exp $
+# $File: misctools,v 1.17 2017/03/17 21:35:28 christos Exp $
# misctools: file(1) magic for miscellaneous UNIX tools.
#
0 search/1 %%!! X-Post-It-Note text
@@ -14,7 +14,7 @@
#!:mime text/x-vcard
!:mime text/vcard
# VERSION must come right after BEGIN for 3.0 or 4.0 except in 2.1 , where it can be anywhere
->12 search/14000/c VERSION:
+>12 search/14000/c VERSION:
# VERSION 2.1 , 3.0 or 4.0
>>&0 string x \b, version %-.3s
@@ -48,7 +48,7 @@
>12 ulelong !0x20 \b, 0x%8.8x RVA
# CheckSum 0
>16 ulelong !0 \b, CheckSum 0x%8.8x
-# Reserved or TimeDateStamp
+# Reserved or TimeDateStamp
>20 ledate x \b, %s
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms680519%28v=vs.85%29.aspx
# Flags MINIDUMP_TYPE enumeration type 0 0x121 0x800
Index: contrib/file/magic/Magdir/msvc
===================================================================
--- contrib/file/magic/Magdir/msvc (版本 330566)
+++ contrib/file/magic/Magdir/msvc (版本 330908)
@@ -1,10 +1,10 @@
#------------------------------------------------------------------------------
-# $File: msvc,v 1.6 2016/01/26 00:03:19 christos Exp $
+# $File: msvc,v 1.9 2017/08/02 08:15:20 christos Exp $
# msvc: file(1) magic for msvc
# "H. Nanosecond" <aldomel@ix.netcom.com>
# Microsoft visual C
-#
+#
# I have version 1.0
# .aps
@@ -30,10 +30,10 @@
# Summary: Symbol Table / Debug info used by Microsoft compilers
# URL: https://en.wikipedia.org/wiki/Program_database
# Reference: https://code.google.com/p/pdbparser/wiki/MSF_Format
-# Update: Joerg Jenderek
+# Update: Joerg Jenderek
# Note: test only for Windows XP+SP3 x86 , 8.1 x64 arm and 10.1 x86
# info does only applies partly for older files like msvbvm50.pdb about year 2001
-0 string Microsoft\ C/C++\
+0 string Microsoft\ C/C++\040
# "Microsoft Program DataBase" by TrID
>24 search/14 \r\n\x1A MSVC program database
!:mime application/x-ms-pdb
@@ -42,18 +42,21 @@
>>16 regex \([0-9.]+\) ver %s
#>>>0x38 search/128123456 /LinkInfo \b with linkinfo
# "MSF 7.00" variant
->>0x1e leshort 0
+>>0x1e leshort 0
# PageSize 400h 1000h
>>>0x20 lelong x \b, %d
# Page Count
>>>0x28 lelong x \b*%d bytes
# "program database 2.00" variant
->>0x1e leshort !0
+>>0x1e leshort !0
# PageSize 400h
>>>0x2c lelong x \b, %d
# Page Count for msoo-dll.pdb 4379h
>>>0x32 leshort x \b*%d bytes
+# Reference: https://github.com/Microsoft/vstest/pull/856/commits/fdc7a9f074ca5a8dfeec83b1be9162bf0cf4000d
+0 string/c bsjb\001\000\001\000\000\000\000\000\f\000\000\000pdb\ v1.0 Microsoft Rosyln C# debugging symbols version 1.0
+
#.sbr
0 string \000\002\000\007\000 MSVC .sbr
>5 string >\0 %s
Index: contrib/file/magic/Magdir/netbsd
===================================================================
--- contrib/file/magic/Magdir/netbsd (版本 330566)
+++ contrib/file/magic/Magdir/netbsd (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: netbsd,v 1.23 2015/11/29 01:55:14 christos Exp $
+# $File: netbsd,v 1.24 2017/03/17 21:35:28 christos Exp $
# netbsd: file(1) magic for NetBSD objects
#
# All new-style magic numbers are in network byte order.
@@ -10,7 +10,7 @@
#
0 belong&0377777777 041400413 a.out NetBSD/i386 demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 lelong <4096 shared library
>>20 lelong =4096 dynamically linked executable
>>20 lelong >4096 dynamically linked executable
@@ -32,7 +32,7 @@
>32 lelong !0 (signal %d)
0 belong&0377777777 041600413 a.out NetBSD/m68k demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 belong <8192 shared library
>>20 belong =8192 dynamically linked executable
>>20 belong >8192 dynamically linked executable
@@ -54,7 +54,7 @@
>32 belong !0 (signal %d)
0 belong&0377777777 042000413 a.out NetBSD/m68k4k demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 belong <4096 shared library
>>20 belong =4096 dynamically linked executable
>>20 belong >4096 dynamically linked executable
@@ -76,7 +76,7 @@
>32 belong !0 (signal %d)
0 belong&0377777777 042200413 a.out NetBSD/ns32532 demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 lelong <4096 shared library
>>20 lelong =4096 dynamically linked executable
>>20 lelong >4096 dynamically linked executable
@@ -101,7 +101,7 @@
>12 string >\0 from '%s'
0 belong&0377777777 042400413 a.out NetBSD/SPARC demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 belong <8192 shared library
>>20 belong =8192 dynamically linked executable
>>20 belong >8192 dynamically linked executable
@@ -123,7 +123,7 @@
>32 belong !0 (signal %d)
0 belong&0377777777 042600413 a.out NetBSD/pmax demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 lelong <4096 shared library
>>20 lelong =4096 dynamically linked executable
>>20 lelong >4096 dynamically linked executable
@@ -145,7 +145,7 @@
>32 lelong !0 (signal %d)
0 belong&0377777777 043000413 a.out NetBSD/vax 1k demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 lelong <4096 shared library
>>20 lelong =4096 dynamically linked executable
>>20 lelong >4096 dynamically linked executable
@@ -167,7 +167,7 @@
>32 lelong !0 (signal %d)
0 belong&0377777777 045400413 a.out NetBSD/vax 4k demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 lelong <4096 shared library
>>20 lelong =4096 dynamically linked executable
>>20 lelong >4096 dynamically linked executable
@@ -189,7 +189,7 @@
>32 lelong !0 (signal %d)
# NetBSD/alpha does not support (and has never supported) a.out objects,
-# so no rules are provided for them. NetBSD/alpha ELF objects are
+# so no rules are provided for them. NetBSD/alpha ELF objects are
# dealt with in "elf".
0 lelong 0x00070185 ECOFF NetBSD/alpha binary
>10 leshort 0x0001 not stripped
@@ -199,7 +199,7 @@
>32 lelong !0 (signal %d)
0 belong&0377777777 043400413 a.out NetBSD/mips demand paged
->0 byte &0x80
+>0 byte &0x80
>>20 belong <8192 shared library
>>20 belong =8192 dynamically linked executable
>>20 belong >8192 dynamically linked executable
Index: contrib/file/magic/Magdir/xenix
===================================================================
--- contrib/file/magic/Magdir/xenix (版本 330566)
+++ contrib/file/magic/Magdir/xenix (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: xenix,v 1.10 2016/04/19 18:14:19 christos Exp $
+# $File: xenix,v 1.11 2017/03/17 21:35:28 christos Exp $
# xenix: file(1) magic for Microsoft Xenix
#
# "Middle model" stuff, and "Xenix 8086 relocatable or 80286 small
@@ -16,14 +16,14 @@
# Reference: http://www.azillionmonkeys.com/qed/Omfg.pdf
# Update: Joerg Jenderek
# recordtype~TranslatorHEADerRecord
-0 byte 0x80
+0 byte 0x80
# GRR: line above is too general as it catches also Extensible storage engine DataBase
# skip examples like GENA.SND Switch.Snd by looking for record length maximal 1024-3
->1 uleshort <1022
+>1 uleshort <1022
# skip examples like GAME.PICTURE Strange.Pic by looking for positiv record length
->>1 uleshort >0
+>>1 uleshort >0
# skip examples like Xtable.Data FRACTAL.GEN SHR.VIEW by looking for positiv string length
->>>3 ubyte >0
+>>>3 ubyte >0
# skip examples like OMBRE.6 with "UUUUUU" by looking for filename like "hello.c"
>>>>4 regex [a-zA-Z_/]{1,8}[.] 8086 relocatable (Microsoft)
#!:mime application/octet-stream
@@ -54,8 +54,8 @@
>0x1c byte &0x9 286
>0x1c byte &0xa 386
>0x1f byte <0x040 small model
->0x1f byte =0x048 large model
->0x1f byte =0x049 huge model
+>0x1f byte =0x048 large model
+>0x1f byte =0x049 huge model
>0x1e leshort &0x1 executable
>0x1e leshort ^0x1 object file
>0x1e leshort &0x40 Large Text
Index: contrib/file/magic/Makefile.am
===================================================================
--- contrib/file/magic/Makefile.am (版本 330566)
+++ contrib/file/magic/Makefile.am (版本 330908)
@@ -1,5 +1,5 @@
#
-# $File: Makefile.am,v 1.120 2016/10/17 19:52:29 christos Exp $
+# $File: Makefile.am,v 1.126 2017/08/10 11:01:38 christos Exp $
#
MAGIC_FRAGMENT_BASE = Magdir
MAGIC_DIR = $(top_srcdir)/magic
@@ -21,6 +21,7 @@
$(MAGIC_FRAGMENT_DIR)/android \
$(MAGIC_FRAGMENT_DIR)/animation \
$(MAGIC_FRAGMENT_DIR)/aout \
+$(MAGIC_FRAGMENT_DIR)/apache \
$(MAGIC_FRAGMENT_DIR)/apl \
$(MAGIC_FRAGMENT_DIR)/apple \
$(MAGIC_FRAGMENT_DIR)/application \
@@ -34,6 +35,7 @@
$(MAGIC_FRAGMENT_DIR)/basis \
$(MAGIC_FRAGMENT_DIR)/ber \
$(MAGIC_FRAGMENT_DIR)/bflt \
+$(MAGIC_FRAGMENT_DIR)/bhl \
$(MAGIC_FRAGMENT_DIR)/bioinformatics \
$(MAGIC_FRAGMENT_DIR)/blackberry \
$(MAGIC_FRAGMENT_DIR)/blcr \
@@ -97,6 +99,7 @@
$(MAGIC_FRAGMENT_DIR)/fusecompress \
$(MAGIC_FRAGMENT_DIR)/games \
$(MAGIC_FRAGMENT_DIR)/gcc \
+$(MAGIC_FRAGMENT_DIR)/gconv \
$(MAGIC_FRAGMENT_DIR)/geo \
$(MAGIC_FRAGMENT_DIR)/geos \
$(MAGIC_FRAGMENT_DIR)/gimp \
@@ -104,6 +107,7 @@
$(MAGIC_FRAGMENT_DIR)/gnu \
$(MAGIC_FRAGMENT_DIR)/gnumeric \
$(MAGIC_FRAGMENT_DIR)/gpt \
+$(MAGIC_FRAGMENT_DIR)/gpu \
$(MAGIC_FRAGMENT_DIR)/grace \
$(MAGIC_FRAGMENT_DIR)/graphviz \
$(MAGIC_FRAGMENT_DIR)/gringotts \
@@ -275,6 +279,7 @@
$(MAGIC_FRAGMENT_DIR)/vxl \
$(MAGIC_FRAGMENT_DIR)/warc \
$(MAGIC_FRAGMENT_DIR)/weak \
+$(MAGIC_FRAGMENT_DIR)/webassembly \
$(MAGIC_FRAGMENT_DIR)/windows \
$(MAGIC_FRAGMENT_DIR)/wireless \
$(MAGIC_FRAGMENT_DIR)/wordprocessors \
@@ -285,6 +290,7 @@
$(MAGIC_FRAGMENT_DIR)/xilinx \
$(MAGIC_FRAGMENT_DIR)/xo65 \
$(MAGIC_FRAGMENT_DIR)/xwindows \
+$(MAGIC_FRAGMENT_DIR)/yara \
$(MAGIC_FRAGMENT_DIR)/zfs \
$(MAGIC_FRAGMENT_DIR)/zilog \
$(MAGIC_FRAGMENT_DIR)/zyxel
Index: contrib/file/src/cdf.c
===================================================================
--- contrib/file/src/cdf.c (版本 330566)
+++ contrib/file/src/cdf.c (版本 330908)
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf.c,v 1.85 2016/10/24 18:02:17 christos Exp $")
+FILE_RCSID("@(#)$File: cdf.c,v 1.106 2017/04/30 17:05:02 christos Exp $")
#endif
#include <assert.h>
@@ -80,7 +80,35 @@
CDF_TOLE8(CAST(uint64_t, x))))
#define CDF_GETUINT32(x, y) cdf_getuint32(x, y)
+#define CDF_MALLOC(n) cdf_malloc(__FILE__, __LINE__, (n))
+#define CDF_REALLOC(p, n) cdf_realloc(__FILE__, __LINE__, (p), (n))
+#define CDF_CALLOC(n, u) cdf_calloc(__FILE__, __LINE__, (n), (u))
+
+static void *
+cdf_malloc(const char *file __attribute__((__unused__)),
+ size_t line __attribute__((__unused__)), size_t n)
+{
+ DPRINTF(("%s,%zu: %s %zu\n", file, line, __func__, n));
+ return malloc(n);
+}
+
+static void *
+cdf_realloc(const char *file __attribute__((__unused__)),
+ size_t line __attribute__((__unused__)), void *p, size_t n)
+{
+ DPRINTF(("%s,%zu: %s %zu\n", file, line, __func__, n));
+ return realloc(p, n);
+}
+
+static void *
+cdf_calloc(const char *file __attribute__((__unused__)),
+ size_t line __attribute__((__unused__)), size_t n, size_t u)
+{
+ DPRINTF(("%s,%zu: %s %zu %zu\n", file, line, __func__, n, u));
+ return calloc(n, u);
+}
+
/*
* swap a short
*/
@@ -340,7 +368,7 @@
cdf_unpack_header(h, buf);
cdf_swap_header(h);
if (h->h_magic != CDF_MAGIC) {
- DPRINTF(("Bad magic 0x%" INT64_T_FORMAT "x != 0x%"
+ DPRINTF(("Bad magic %#" INT64_T_FORMAT "x != %#"
INT64_T_FORMAT "x\n",
(unsigned long long)h->h_magic,
(unsigned long long)CDF_MAGIC));
@@ -347,11 +375,11 @@
goto out;
}
if (h->h_sec_size_p2 > 20) {
- DPRINTF(("Bad sector size 0x%u\n", h->h_sec_size_p2));
+ DPRINTF(("Bad sector size %hu\n", h->h_sec_size_p2));
goto out;
}
if (h->h_short_sec_size_p2 > 20) {
- DPRINTF(("Bad short sector size 0x%u\n",
+ DPRINTF(("Bad short sector size %hu\n",
h->h_short_sec_size_p2));
goto out;
}
@@ -408,7 +436,7 @@
if (h->h_master_sat[i] == CDF_SECID_FREE)
break;
-#define CDF_SEC_LIMIT (UINT32_MAX / (4 * ss))
+#define CDF_SEC_LIMIT (UINT32_MAX / (8 * ss))
if ((nsatpersec > 0 &&
h->h_num_sectors_in_master_sat > CDF_SEC_LIMIT / nsatpersec) ||
i > CDF_SEC_LIMIT) {
@@ -421,7 +449,7 @@
sat->sat_len = h->h_num_sectors_in_master_sat * nsatpersec + i;
DPRINTF(("sat_len = %" SIZE_T_FORMAT "u ss = %" SIZE_T_FORMAT "u\n",
sat->sat_len, ss));
- if ((sat->sat_tab = CAST(cdf_secid_t *, calloc(sat->sat_len, ss)))
+ if ((sat->sat_tab = CAST(cdf_secid_t *, CDF_CALLOC(sat->sat_len, ss)))
== NULL)
return -1;
@@ -435,7 +463,7 @@
}
}
- if ((msa = CAST(cdf_secid_t *, calloc(1, ss))) == NULL)
+ if ((msa = CAST(cdf_secid_t *, CDF_CALLOC(1, ss))) == NULL)
goto out1;
mid = h->h_secid_first_sector_in_master_sat;
@@ -527,13 +555,16 @@
ssize_t nr;
scn->sst_tab = NULL;
scn->sst_len = cdf_count_chain(sat, sid, ss);
- scn->sst_dirlen = len;
+ scn->sst_dirlen = MAX(h->h_min_size_standard_stream, len);
scn->sst_ss = ss;
+ if (sid == CDF_SECID_END_OF_CHAIN || len == 0)
+ return cdf_zero_stream(scn);
+
if (scn->sst_len == (size_t)-1)
goto out;
- scn->sst_tab = calloc(scn->sst_len, ss);
+ scn->sst_tab = CDF_CALLOC(scn->sst_len, ss);
if (scn->sst_tab == NULL)
return cdf_zero_stream(scn);
@@ -579,7 +610,7 @@
if (scn->sst_len == (size_t)-1)
goto out;
- scn->sst_tab = calloc(scn->sst_len, ss);
+ scn->sst_tab = CDF_CALLOC(scn->sst_len, ss);
if (scn->sst_tab == NULL)
return cdf_zero_stream(scn);
@@ -637,11 +668,11 @@
dir->dir_len = ns * nd;
dir->dir_tab = CAST(cdf_directory_t *,
- calloc(dir->dir_len, sizeof(dir->dir_tab[0])));
+ CDF_CALLOC(dir->dir_len, sizeof(dir->dir_tab[0])));
if (dir->dir_tab == NULL)
return -1;
- if ((buf = CAST(char *, malloc(ss))) == NULL) {
+ if ((buf = CAST(char *, CDF_MALLOC(ss))) == NULL) {
free(dir->dir_tab);
return -1;
}
@@ -687,7 +718,7 @@
if (ssat->sat_len == (size_t)-1)
goto out;
- ssat->sat_tab = CAST(cdf_secid_t *, calloc(ssat->sat_len, ss));
+ ssat->sat_tab = CAST(cdf_secid_t *, CDF_CALLOC(ssat->sat_len, ss));
if (ssat->sat_tab == NULL)
goto out1;
@@ -808,7 +839,7 @@
== 0)
break;
if (i > 0)
- return i;
+ return CAST(int, i);
DPRINTF(("Cannot find type %d `%s'\n", type, name));
errno = ESRCH;
@@ -815,6 +846,100 @@
return 0;
}
+#define CDF_SHLEN_LIMIT (UINT32_MAX / 8)
+#define CDF_PROP_LIMIT (UINT32_MAX / (8 * sizeof(cdf_property_info_t)))
+
+static const void *
+cdf_offset(const void *p, size_t l)
+{
+ return CAST(const void *, CAST(const uint8_t *, p) + l);
+}
+
+static const uint8_t *
+cdf_get_property_info_pos(const cdf_stream_t *sst, const cdf_header_t *h,
+ const uint8_t *p, const uint8_t *e, size_t i)
+{
+ size_t tail = (i << 1) + 1;
+ size_t ofs;
+ const uint8_t *q;
+
+ if (p >= e) {
+ DPRINTF(("Past end %p < %p\n", e, p));
+ return NULL;
+ }
+ if (cdf_check_stream_offset(sst, h, p, (tail + 1) * sizeof(uint32_t),
+ __LINE__) == -1)
+ return NULL;
+ ofs = CDF_GETUINT32(p, tail);
+ q = CAST(const uint8_t *, cdf_offset(CAST(const void *, p),
+ ofs - 2 * sizeof(uint32_t)));
+
+ if (q < p) {
+ DPRINTF(("Wrapped around %p < %p\n", q, p));
+ return NULL;
+ }
+
+ if (q >= e) {
+ DPRINTF(("Ran off the end %p >= %p\n", q, e));
+ return NULL;
+ }
+ return q;
+}
+
+static cdf_property_info_t *
+cdf_grow_info(cdf_property_info_t **info, size_t *maxcount, size_t incr)
+{
+ cdf_property_info_t *inp;
+ size_t newcount = *maxcount + incr;
+
+ if (newcount > CDF_PROP_LIMIT) {
+ DPRINTF(("exceeded property limit %zu > %zu\n",
+ newcount, CDF_PROP_LIMIT));
+ goto out;
+ }
+ inp = CAST(cdf_property_info_t *,
+ CDF_REALLOC(*info, newcount * sizeof(*inp)));
+ if (inp == NULL)
+ goto out;
+
+ *info = inp;
+ *maxcount = newcount;
+ return inp;
+out:
+ free(*info);
+ *maxcount = 0;
+ *info = NULL;
+ return NULL;
+}
+
+static int
+cdf_copy_info(cdf_property_info_t *inp, const void *p, const void *e,
+ size_t len)
+{
+ if (inp->pi_type & CDF_VECTOR)
+ return 0;
+
+ if ((size_t)(CAST(const char *, e) - CAST(const char *, p)) < len)
+ return 0;
+
+ (void)memcpy(&inp->pi_val, p, len);
+
+ switch (len) {
+ case 2:
+ inp->pi_u16 = CDF_TOLE2(inp->pi_u16);
+ break;
+ case 4:
+ inp->pi_u32 = CDF_TOLE4(inp->pi_u32);
+ break;
+ case 8:
+ inp->pi_u64 = CDF_TOLE8(inp->pi_u64);
+ break;
+ default:
+ abort();
+ }
+ return 1;
+}
+
int
cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
uint32_t offs, cdf_property_info_t **info, size_t *count, size_t *maxcount)
@@ -822,13 +947,7 @@
const cdf_section_header_t *shp;
cdf_section_header_t sh;
const uint8_t *p, *q, *e;
- int16_t s16;
- int32_t s32;
- uint32_t u32;
- int64_t s64;
- uint64_t u64;
- cdf_timestamp_t tp;
- size_t i, o, o4, nelements, j;
+ size_t i, o4, nelements, j, slen, left;
cdf_property_info_t *inp;
if (offs > UINT32_MAX / 4) {
@@ -835,79 +954,62 @@
errno = EFTYPE;
goto out;
}
- shp = CAST(const cdf_section_header_t *, (const void *)
- ((const char *)sst->sst_tab + offs));
+ shp = CAST(const cdf_section_header_t *,
+ cdf_offset(sst->sst_tab, offs));
if (cdf_check_stream_offset(sst, h, shp, sizeof(*shp), __LINE__) == -1)
goto out;
sh.sh_len = CDF_TOLE4(shp->sh_len);
-#define CDF_SHLEN_LIMIT (UINT32_MAX / 8)
if (sh.sh_len > CDF_SHLEN_LIMIT) {
errno = EFTYPE;
goto out;
}
+
+ if (cdf_check_stream_offset(sst, h, shp, sh.sh_len, __LINE__) == -1)
+ goto out;
+
sh.sh_properties = CDF_TOLE4(shp->sh_properties);
-#define CDF_PROP_LIMIT (UINT32_MAX / (4 * sizeof(*inp)))
+ DPRINTF(("section len: %u properties %u\n", sh.sh_len,
+ sh.sh_properties));
if (sh.sh_properties > CDF_PROP_LIMIT)
goto out;
- DPRINTF(("section len: %u properties %u\n", sh.sh_len,
- sh.sh_properties));
- if (*maxcount) {
- if (*maxcount > CDF_PROP_LIMIT)
- goto out;
- *maxcount += sh.sh_properties;
- inp = CAST(cdf_property_info_t *,
- realloc(*info, *maxcount * sizeof(*inp)));
- } else {
- *maxcount = sh.sh_properties;
- inp = CAST(cdf_property_info_t *,
- malloc(*maxcount * sizeof(*inp)));
- }
+ inp = cdf_grow_info(info, maxcount, sh.sh_properties);
if (inp == NULL)
- goto out1;
- *info = inp;
+ goto out;
inp += *count;
*count += sh.sh_properties;
- p = CAST(const uint8_t *, (const void *)
- ((const char *)(const void *)sst->sst_tab +
- offs + sizeof(sh)));
- e = CAST(const uint8_t *, (const void *)
- (((const char *)(const void *)shp) + sh.sh_len));
- if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ p = CAST(const uint8_t *, cdf_offset(sst->sst_tab, offs + sizeof(sh)));
+ e = CAST(const uint8_t *, cdf_offset(shp, sh.sh_len));
+ if (p >= e || cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
goto out;
+
for (i = 0; i < sh.sh_properties; i++) {
- size_t tail = (i << 1) + 1;
- size_t ofs;
- if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
- __LINE__) == -1)
+ if ((q = cdf_get_property_info_pos(sst, h, p, e, i)) == NULL)
goto out;
- ofs = CDF_GETUINT32(p, tail);
- q = (const uint8_t *)(const void *)
- ((const char *)(const void *)p + ofs
- - 2 * sizeof(uint32_t));
- if (q < p) {
- DPRINTF(("Wrapped around %p < %p\n", q, p));
+ inp[i].pi_id = CDF_GETUINT32(p, i << 1);
+ left = CAST(size_t, e - q);
+ if (left < sizeof(uint32_t)) {
+ DPRINTF(("short info (no type)_\n"));
goto out;
}
- if (q > e) {
- DPRINTF(("Ran of the end %p > %p\n", q, e));
- goto out;
- }
- inp[i].pi_id = CDF_GETUINT32(p, i << 1);
inp[i].pi_type = CDF_GETUINT32(q, 0);
- DPRINTF(("%" SIZE_T_FORMAT "u) id=%x type=%x offs=0x%tx,0x%x\n",
+ DPRINTF(("%" SIZE_T_FORMAT "u) id=%#x type=%#x offs=%#tx,%#x\n",
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
if (inp[i].pi_type & CDF_VECTOR) {
+ if (left < sizeof(uint32_t) * 2) {
+ DPRINTF(("missing CDF_VECTOR length\n"));
+ goto out;
+ }
nelements = CDF_GETUINT32(q, 1);
if (nelements == 0) {
DPRINTF(("CDF_VECTOR with nelements == 0\n"));
goto out;
}
- o = 2;
+ slen = 2;
} else {
nelements = 1;
- o = 1;
+ slen = 1;
}
- o4 = o * sizeof(uint32_t);
+ o4 = slen * sizeof(uint32_t);
if (inp[i].pi_type & (CDF_ARRAY|CDF_BYREF|CDF_RESERVED))
goto unknown;
switch (inp[i].pi_type & CDF_TYPEMASK) {
@@ -915,64 +1017,31 @@
case CDF_EMPTY:
break;
case CDF_SIGNED16:
- if (inp[i].pi_type & CDF_VECTOR)
+ if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int16_t)))
goto unknown;
- (void)memcpy(&s16, &q[o4], sizeof(s16));
- inp[i].pi_s16 = CDF_TOLE2(s16);
break;
case CDF_SIGNED32:
- if (inp[i].pi_type & CDF_VECTOR)
- goto unknown;
- (void)memcpy(&s32, &q[o4], sizeof(s32));
- inp[i].pi_s32 = CDF_TOLE4((uint32_t)s32);
- break;
case CDF_BOOL:
case CDF_UNSIGNED32:
- if (inp[i].pi_type & CDF_VECTOR)
+ case CDF_FLOAT:
+ if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int32_t)))
goto unknown;
- (void)memcpy(&u32, &q[o4], sizeof(u32));
- inp[i].pi_u32 = CDF_TOLE4(u32);
break;
case CDF_SIGNED64:
- if (inp[i].pi_type & CDF_VECTOR)
- goto unknown;
- (void)memcpy(&s64, &q[o4], sizeof(s64));
- inp[i].pi_s64 = CDF_TOLE8((uint64_t)s64);
- break;
case CDF_UNSIGNED64:
- if (inp[i].pi_type & CDF_VECTOR)
- goto unknown;
- (void)memcpy(&u64, &q[o4], sizeof(u64));
- inp[i].pi_u64 = CDF_TOLE8((uint64_t)u64);
- break;
- case CDF_FLOAT:
- if (inp[i].pi_type & CDF_VECTOR)
- goto unknown;
- (void)memcpy(&u32, &q[o4], sizeof(u32));
- u32 = CDF_TOLE4(u32);
- memcpy(&inp[i].pi_f, &u32, sizeof(inp[i].pi_f));
- break;
case CDF_DOUBLE:
- if (inp[i].pi_type & CDF_VECTOR)
+ case CDF_FILETIME:
+ if (!cdf_copy_info(&inp[i], &q[o4], e, sizeof(int64_t)))
goto unknown;
- (void)memcpy(&u64, &q[o4], sizeof(u64));
- u64 = CDF_TOLE8((uint64_t)u64);
- memcpy(&inp[i].pi_d, &u64, sizeof(inp[i].pi_d));
break;
case CDF_LENGTH32_STRING:
case CDF_LENGTH32_WSTRING:
if (nelements > 1) {
size_t nelem = inp - *info;
- if (*maxcount > CDF_PROP_LIMIT
- || nelements > CDF_PROP_LIMIT)
+ inp = cdf_grow_info(info, maxcount, nelements);
+ if (inp == NULL)
goto out;
- *maxcount += nelements;
- inp = CAST(cdf_property_info_t *,
- realloc(*info, *maxcount * sizeof(*inp)));
- if (inp == NULL)
- goto out1;
- *info = inp;
- inp = *info + nelem;
+ inp += nelem;
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
@@ -979,29 +1048,33 @@
for (j = 0; j < nelements && i < sh.sh_properties;
j++, i++)
{
- uint32_t l = CDF_GETUINT32(q, o);
+ uint32_t l;
+
+ if (o4 + sizeof(uint32_t) > left)
+ goto out;
+
+ l = CDF_GETUINT32(q, slen);
+ o4 += sizeof(uint32_t);
+ if (o4 + l > left)
+ goto out;
+
inp[i].pi_str.s_len = l;
- inp[i].pi_str.s_buf = (const char *)
- (const void *)(&q[o4 + sizeof(l)]);
- DPRINTF(("l = %d, r = %" SIZE_T_FORMAT
- "u, s = %s\n", l,
- CDF_ROUND(l, sizeof(l)),
+ inp[i].pi_str.s_buf = CAST(const char *,
+ CAST(const void *, &q[o4]));
+
+ DPRINTF(("o=%zu l=%d(%" SIZE_T_FORMAT
+ "u), t=%zu s=%s\n", o4, l,
+ CDF_ROUND(l, sizeof(l)), left,
inp[i].pi_str.s_buf));
+
if (l & 1)
l++;
- o += l >> 1;
- if (q + o >= e)
- goto out;
- o4 = o * sizeof(uint32_t);
+
+ slen += l >> 1;
+ o4 = slen * sizeof(uint32_t);
}
i--;
break;
- case CDF_FILETIME:
- if (inp[i].pi_type & CDF_VECTOR)
- goto unknown;
- (void)memcpy(&tp, &q[o4], sizeof(tp));
- inp[i].pi_tp = CDF_TOLE8((uint64_t)tp);
- break;
case CDF_CLIPBOARD:
if (inp[i].pi_type & CDF_VECTOR)
goto unknown;
@@ -1008,7 +1081,8 @@
break;
default:
unknown:
- DPRINTF(("Don't know how to deal with %x\n",
+ memset(&inp[i].pi_val, 0, sizeof(inp[i].pi_val));
+ DPRINTF(("Don't know how to deal with %#x\n",
inp[i].pi_type));
break;
}
@@ -1015,9 +1089,11 @@
}
return 0;
out:
+ free(*info);
+ *info = NULL;
+ *count = 0;
+ *maxcount = 0;
errno = EFTYPE;
-out1:
- free(*info);
return -1;
}
@@ -1065,7 +1141,7 @@
{
size_t ss = cdf_check_stream(sst, h);
const char *b = CAST(const char *, sst->sst_tab);
- const char *eb = b + ss * sst->sst_len;
+ const char *nb, *eb = b + ss * sst->sst_len;
size_t nr, i, j, k;
cdf_catalog_entry_t *ce;
uint16_t reclen;
@@ -1084,7 +1160,7 @@
return -1;
nr--;
*cat = CAST(cdf_catalog_t *,
- malloc(sizeof(cdf_catalog_t) + nr * sizeof(*ce)));
+ CDF_MALLOC(sizeof(cdf_catalog_t) + nr * sizeof(*ce)));
if (*cat == NULL)
return -1;
ce = (*cat)->cat_e;
@@ -1110,7 +1186,9 @@
cep->ce_namlen = rlen;
np = CAST(const uint16_t *, CAST(const void *, (b + 16)));
- if (RCAST(const char *, np + cep->ce_namlen) > eb) {
+ nb = CAST(const char *, CAST(const void *,
+ (np + cep->ce_namlen)));
+ if (nb > eb) {
cep->ce_namlen = 0;
break;
}
@@ -1169,7 +1247,7 @@
for (i = 0; i < __arraycount(vn); i++)
if (vn[i].v == p)
return snprintf(buf, bufsiz, "%s", vn[i].n);
- return snprintf(buf, bufsiz, "0x%x", p);
+ return snprintf(buf, bufsiz, "%#x", p);
}
int
@@ -1228,7 +1306,7 @@
h->h_ ## b, 1 << h->h_ ## b)
DUMP("%d", revision);
DUMP("%d", version);
- DUMP("0x%x", byte_order);
+ DUMP("%#x", byte_order);
DUMP2("%d", sec_size_p2);
DUMP2("%d", short_sec_size_p2);
DUMP("%d", num_sectors_in_sat);
@@ -1322,7 +1400,7 @@
d->d_color ? "black" : "red");
(void)fprintf(stderr, "Left child: %d\n", d->d_left_child);
(void)fprintf(stderr, "Right child: %d\n", d->d_right_child);
- (void)fprintf(stderr, "Flags: 0x%x\n", d->d_flags);
+ (void)fprintf(stderr, "Flags: %#x\n", d->d_flags);
cdf_timestamp_to_timespec(&ts, d->d_created);
(void)fprintf(stderr, "Created %s", cdf_ctime(&ts.tv_sec, buf));
cdf_timestamp_to_timespec(&ts, d->d_modified);
@@ -1415,7 +1493,7 @@
(void)fprintf(stderr, "CLIPBOARD %u\n", info[i].pi_u32);
break;
default:
- DPRINTF(("Don't know how to deal with %x\n",
+ DPRINTF(("Don't know how to deal with %#x\n",
info[i].pi_type));
break;
}
@@ -1434,7 +1512,7 @@
(void)&h;
if (cdf_unpack_summary_info(sst, h, &ssi, &info, &count) == -1)
return;
- (void)fprintf(stderr, "Endian: %x\n", ssi.si_byte_order);
+ (void)fprintf(stderr, "Endian: %#x\n", ssi.si_byte_order);
(void)fprintf(stderr, "Os Version %d.%d\n", ssi.si_os_version & 0xff,
ssi.si_os_version >> 8);
(void)fprintf(stderr, "Os %d\n", ssi.si_os);
Index: contrib/file/src/der.c
===================================================================
--- contrib/file/src/der.c (版本 330566)
+++ contrib/file/src/der.c (版本 330908)
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: der.c,v 1.10 2016/10/24 18:02:17 christos Exp $")
+FILE_RCSID("@(#)$File: der.c,v 1.12 2017/02/10 18:14:01 christos Exp $")
#endif
#endif
@@ -159,31 +159,49 @@
return tag;
}
+/*
+ * Read the length of a DER tag from the input.
+ *
+ * `c` is the input, `p` is an output parameter that specifies how much of the
+ * input we consumed, and `l` is the maximum input length.
+ *
+ * Returns the length, or DER_BAD if the end of the input is reached or the
+ * length exceeds the remaining input.
+ */
static uint32_t
getlength(const uint8_t *c, size_t *p, size_t l)
{
uint8_t digits, i;
size_t len;
+ int is_onebyte_result;
if (*p >= l)
return DER_BAD;
- digits = c[(*p)++];
+ /*
+ * Digits can either be 0b0 followed by the result, or 0b1
+ * followed by the number of digits of the result. In either case,
+ * we verify that we can read so many bytes from the input.
+ */
+ is_onebyte_result = (c[*p] & 0x80) == 0;
+ digits = c[(*p)++] & 0x7f;
+ if (*p + digits >= l)
+ return DER_BAD;
- if ((digits & 0x80) == 0)
+ if (is_onebyte_result)
return digits;
- digits &= 0x7f;
+ /*
+ * Decode len. We've already verified that we're allowed to read
+ * `digits` bytes.
+ */
len = 0;
-
- if (*p + digits >= l)
- return DER_BAD;
-
for (i = 0; i < digits; i++)
len = (len << 8) | c[(*p)++];
+
if (*p + len >= l)
return DER_BAD;
- return len;
+ return CAST(uint32_t, len);
}
static const char *
@@ -242,12 +260,12 @@
#endif
if (m->cont_level != 0) {
if (offs + tlen > nbytes)
- return DER_BAD;
- ms->c.li[m->cont_level - 1].off = offs + tlen;
+ return -1;
+ ms->c.li[m->cont_level - 1].off = CAST(int, offs + tlen);
DPRINTF(("cont_level[%u] = %u\n", m->cont_level - 1,
ms->c.li[m->cont_level - 1].off));
}
- return offs;
+ return CAST(int32_t, offs);
}
int
Index: contrib/file/src/is_tar.c
===================================================================
--- contrib/file/src/is_tar.c (版本 330566)
+++ contrib/file/src/is_tar.c (版本 330908)
@@ -40,7 +40,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: is_tar.c,v 1.38 2015/04/09 20:01:41 christos Exp $")
+FILE_RCSID("@(#)$File: is_tar.c,v 1.39 2017/03/17 20:45:01 christos Exp $")
#endif
#include "magic.h"
@@ -51,7 +51,7 @@
#define isodigit(c) ( ((c) >= '0') && ((c) <= '7') )
private int is_tar(const unsigned char *, size_t);
-private int from_oct(int, const char *); /* Decode octal number */
+private int from_oct(const char *, size_t); /* Decode octal number */
static const char tartype[][32] = {
"tar archive",
@@ -93,31 +93,35 @@
is_tar(const unsigned char *buf, size_t nbytes)
{
const union record *header = (const union record *)(const void *)buf;
- int i;
- int sum, recsum;
- const unsigned char *p;
+ size_t i;
+ int sum, recsum;
+ const unsigned char *p, *ep;
- if (nbytes < sizeof(union record))
+ if (nbytes < sizeof(*header))
return 0;
- recsum = from_oct(8, header->header.chksum);
+ recsum = from_oct(header->header.chksum, sizeof(header->header.chksum));
sum = 0;
p = header->charptr;
- for (i = sizeof(union record); --i >= 0;)
+ ep = header->charptr + sizeof(*header);
+ while (p < ep)
sum += *p++;
/* Adjust checksum to count the "chksum" field as blanks. */
- for (i = sizeof(header->header.chksum); --i >= 0;)
+ for (i = 0; i < sizeof(header->header.chksum); i++)
sum -= header->header.chksum[i];
- sum += ' ' * sizeof header->header.chksum;
+ sum += ' ' * sizeof(header->header.chksum);
if (sum != recsum)
return 0; /* Not a tar archive */
- if (strcmp(header->header.magic, GNUTMAGIC) == 0)
+ if (strncmp(header->header.magic, GNUTMAGIC,
+ sizeof(header->header.magic)) == 0)
return 3; /* GNU Unix Standard tar archive */
- if (strcmp(header->header.magic, TMAGIC) == 0)
+
+ if (strncmp(header->header.magic, TMAGIC,
+ sizeof(header->header.magic)) == 0)
return 2; /* Unix Standard tar archive */
return 1; /* Old fashioned tar archive */
@@ -130,19 +134,22 @@
* Result is -1 if the field is invalid (all blank, or non-octal).
*/
private int
-from_oct(int digs, const char *where)
+from_oct(const char *where, size_t digs)
{
int value;
+ if (digs == 0)
+ return -1;
+
while (isspace((unsigned char)*where)) { /* Skip spaces */
where++;
- if (--digs <= 0)
+ if (digs-- == 0)
return -1; /* All blank field */
}
value = 0;
while (digs > 0 && isodigit(*where)) { /* Scan til non-octal */
value = (value << 3) | (*where++ - '0');
- --digs;
+ digs--;
}
if (digs > 0 && *where && !isspace((unsigned char)*where))
Index: contrib/file/src/readcdf.c
===================================================================
--- contrib/file/src/readcdf.c (版本 330566)
+++ contrib/file/src/readcdf.c (版本 330908)
@@ -26,7 +26,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: readcdf.c,v 1.63 2016/10/18 22:25:42 christos Exp $")
+FILE_RCSID("@(#)$File: readcdf.c,v 1.65 2017/04/08 20:58:03 christos Exp $")
#endif
#include <assert.h>
@@ -152,7 +152,7 @@
struct timespec ts;
char buf[64];
const char *str = NULL;
- const char *s;
+ const char *s, *e;
int len;
if (!NOTMIME(ms) && root_storage)
@@ -199,7 +199,9 @@
if (info[i].pi_type == CDF_LENGTH32_WSTRING)
k++;
s = info[i].pi_str.s_buf;
- for (j = 0; j < sizeof(vbuf) && len--; s += k) {
+ e = info[i].pi_str.s_buf + len;
+ for (j = 0; s < e && j < sizeof(vbuf)
+ && len--; s += k) {
if (*s == '\0')
break;
if (isprint((unsigned char)*s))
@@ -603,7 +605,7 @@
if ((i = cdf_read_user_stream(&info, &h, &sat, &ssat, &sst, &dir,
"FileHeader", &scn)) != -1) {
#define HWP5_SIGNATURE "HWP Document File"
- if (scn.sst_dirlen >= sizeof(HWP5_SIGNATURE) - 1
+ if (scn.sst_len * scn.sst_ss >= sizeof(HWP5_SIGNATURE) - 1
&& memcmp(scn.sst_tab, HWP5_SIGNATURE,
sizeof(HWP5_SIGNATURE) - 1) == 0) {
if (NOTMIME(ms)) {
Index: contrib/file/src/vasprintf.c
===================================================================
--- contrib/file/src/vasprintf.c (版本 330566)
+++ contrib/file/src/vasprintf.c (版本 330908)
@@ -88,7 +88,7 @@
The function needs to allocate memory to store the full text before to
-actually writting it. i.e if you want to fnprintf() 1000 characters, the
+actually writing it. i.e if you want to fnprintf() 1000 characters, the
functions will allocate 1000 bytes.
This behaviour can be modified: you have to customise the code to flush the
internal buffer (writing to screen or file) when it reach a given size. Then
@@ -108,7 +108,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: vasprintf.c,v 1.13 2014/12/04 15:56:46 christos Exp $")
+FILE_RCSID("@(#)$File: vasprintf.c,v 1.14 2017/08/13 00:21:47 christos Exp $")
#endif /* lint */
#include <assert.h>
Index: contrib/file/src/apprentice.c
===================================================================
--- contrib/file/src/apprentice.c (版本 330566)
+++ contrib/file/src/apprentice.c (版本 330908)
@@ -32,7 +32,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: apprentice.c,v 1.255 2016/10/24 18:02:17 christos Exp $")
+FILE_RCSID("@(#)$File: apprentice.c,v 1.262 2017/08/28 13:39:18 christos Exp $")
#endif /* lint */
#include "magic.h"
@@ -549,8 +549,10 @@
break;
case MAP_TYPE_MALLOC:
for (i = 0; i < MAGIC_SETS; i++) {
- if ((char *)map->magic[i] >= (char *)map->p &&
- (char *)map->magic[i] <= (char *)map->p + map->len)
+ void *b = map->magic[i];
+ void *p = map->p;
+ if (CAST(char *, b) >= CAST(char *, p) &&
+ CAST(char *, b) <= CAST(char *, p) + map->len)
continue;
free(map->magic[i]);
}
@@ -610,8 +612,7 @@
if (nbufs == 0)
return -1;
- if (ms->mlist[0] != NULL)
- file_reset(ms);
+ (void)file_reset(ms, 0);
init_file_tables();
@@ -654,8 +655,7 @@
int file_err, errs = -1;
size_t i;
- if (ms->mlist[0] != NULL)
- file_reset(ms);
+ (void)file_reset(ms, 0);
if ((fn = magic_getpath(fn, action)) == NULL)
return -1;
@@ -777,6 +777,59 @@
return rv == 0 ? 1 : rv; /* Return at least 1 */
}
+
+private size_t
+typesize(int type)
+{
+ switch (type) {
+ case FILE_BYTE:
+ return 1;
+
+ case FILE_SHORT:
+ case FILE_LESHORT:
+ case FILE_BESHORT:
+ return 2;
+
+ case FILE_LONG:
+ case FILE_LELONG:
+ case FILE_BELONG:
+ case FILE_MELONG:
+ return 4;
+
+ case FILE_DATE:
+ case FILE_LEDATE:
+ case FILE_BEDATE:
+ case FILE_MEDATE:
+ case FILE_LDATE:
+ case FILE_LELDATE:
+ case FILE_BELDATE:
+ case FILE_MELDATE:
+ case FILE_FLOAT:
+ case FILE_BEFLOAT:
+ case FILE_LEFLOAT:
+ return 4;
+
+ case FILE_QUAD:
+ case FILE_BEQUAD:
+ case FILE_LEQUAD:
+ case FILE_QDATE:
+ case FILE_LEQDATE:
+ case FILE_BEQDATE:
+ case FILE_QLDATE:
+ case FILE_LEQLDATE:
+ case FILE_BEQLDATE:
+ case FILE_QWDATE:
+ case FILE_LEQWDATE:
+ case FILE_BEQWDATE:
+ case FILE_DOUBLE:
+ case FILE_BEDOUBLE:
+ case FILE_LEDOUBLE:
+ return 8;
+ default:
+ return (size_t)~0;
+ }
+}
+
/*
* Get weight of this magic entry, for sorting purposes.
*/
@@ -784,7 +837,7 @@
apprentice_magic_strength(const struct magic *m)
{
#define MULT 10
- size_t v, val = 2 * MULT; /* baseline strength */
+ size_t ts, v, val = 2 * MULT; /* baseline strength */
switch (m->type) {
case FILE_DEFAULT: /* make sure this sorts last */
@@ -793,41 +846,13 @@
return 0;
case FILE_BYTE:
- val += 1 * MULT;
- break;
-
case FILE_SHORT:
case FILE_LESHORT:
case FILE_BESHORT:
- val += 2 * MULT;
- break;
-
case FILE_LONG:
case FILE_LELONG:
case FILE_BELONG:
case FILE_MELONG:
- val += 4 * MULT;
- break;
-
- case FILE_PSTRING:
- case FILE_STRING:
- val += m->vallen * MULT;
- break;
-
- case FILE_BESTRING16:
- case FILE_LESTRING16:
- val += m->vallen * MULT / 2;
- break;
-
- case FILE_SEARCH:
- val += m->vallen * MAX(MULT / m->vallen, 1);
- break;
-
- case FILE_REGEX:
- v = nonmagic(m->value.s);
- val += v * MAX(MULT / v, 1);
- break;
-
case FILE_DATE:
case FILE_LEDATE:
case FILE_BEDATE:
@@ -839,9 +864,6 @@
case FILE_FLOAT:
case FILE_BEFLOAT:
case FILE_LEFLOAT:
- val += 4 * MULT;
- break;
-
case FILE_QUAD:
case FILE_BEQUAD:
case FILE_LEQUAD:
@@ -857,9 +879,31 @@
case FILE_DOUBLE:
case FILE_BEDOUBLE:
case FILE_LEDOUBLE:
- val += 8 * MULT;
+ ts = typesize(m->type);
+ if (ts == (size_t)~0)
+ abort();
+ val += ts * MULT;
break;
+ case FILE_PSTRING:
+ case FILE_STRING:
+ val += m->vallen * MULT;
+ break;
+
+ case FILE_BESTRING16:
+ case FILE_LESTRING16:
+ val += m->vallen * MULT / 2;
+ break;
+
+ case FILE_SEARCH:
+ val += m->vallen * MAX(MULT / m->vallen, 1);
+ break;
+
+ case FILE_REGEX:
+ v = nonmagic(m->value.s);
+ val += v * MAX(MULT / v, 1);
+ break;
+
case FILE_INDIRECT:
case FILE_NAME:
case FILE_USE:
@@ -1314,6 +1358,8 @@
goto out;
}
while ((d = readdir(dir)) != NULL) {
+ if (d->d_name[0] == '.')
+ continue;
if (asprintf(&mfn, "%s/%s", fn, d->d_name) < 0) {
file_oomem(ms,
strlen(fn) + strlen(d->d_name) + 2);
@@ -2291,7 +2337,7 @@
return parse_extra(ms, me, line,
CAST(off_t, offsetof(struct magic, ext)),
- sizeof(m->ext), "EXTENSION", ",!+-/", 0);
+ sizeof(m->ext), "EXTENSION", ",!+-/@", 0);
}
/*
@@ -2352,6 +2398,8 @@
ptr++;
if (*ptr == '.')
ptr++;
+ if (*ptr == '#')
+ ptr++;
#define CHECKLEN() do { \
for (len = cnt = 0; isdigit((unsigned char)*ptr); ptr++, cnt++) \
len = len * 10 + (*ptr - '0'); \
@@ -2617,9 +2665,46 @@
default:
if (m->reln != 'x') {
char *ep;
+ uint64_t ull;
errno = 0;
- m->value.q = file_signextend(ms, m,
- (uint64_t)strtoull(*p, &ep, 0));
+ ull = (uint64_t)strtoull(*p, &ep, 0);
+ m->value.q = file_signextend(ms, m, ull);
+ if (*p == ep) {
+ file_magwarn(ms, "Unparseable number `%s'", *p);
+ } else {
+ size_t ts = typesize(m->type);
+ uint64_t x;
+ const char *q;
+
+ if (ts == (size_t)~0) {
+ file_magwarn(ms, "Expected numeric type got `%s'",
+ type_tbl[m->type].name);
+ }
+ for (q = *p; isspace((unsigned char)*q); q++)
+ continue;
+ if (*q == '-')
+ ull = -(int64_t)ull;
+ switch (ts) {
+ case 1:
+ x = ull & ~0xffULL;
+ break;
+ case 2:
+ x = ull & ~0xffffULL;
+ break;
+ case 4:
+ x = ull & ~0xffffffffULL;
+ break;
+ case 8:
+ x = 0;
+ break;
+ default:
+ abort();
+ }
+ if (x) {
+ file_magwarn(ms, "Overflow for numeric type `%s' value %#" PRIx64,
+ type_tbl[m->type].name, ull);
+ }
+ }
if (errno == 0) {
*p = ep;
eatsize(p);
@@ -3271,6 +3356,7 @@
{
size_t len = 0;
const unsigned char *s = (const unsigned char *)ss;
+ unsigned int s3, s2, s1, s0;
switch (m->str_flags & PSTRING_LEN) {
case PSTRING_1_LE:
@@ -3277,16 +3363,28 @@
len = *s;
break;
case PSTRING_2_LE:
- len = (s[1] << 8) | s[0];
+ s0 = s[0];
+ s1 = s[1];
+ len = (s1 << 8) | s0;
break;
case PSTRING_2_BE:
- len = (s[0] << 8) | s[1];
+ s0 = s[0];
+ s1 = s[1];
+ len = (s0 << 8) | s1;
break;
case PSTRING_4_LE:
- len = (s[3] << 24) | (s[2] << 16) | (s[1] << 8) | s[0];
+ s0 = s[0];
+ s1 = s[1];
+ s2 = s[2];
+ s3 = s[3];
+ len = (s3 << 24) | (s2 << 16) | (s1 << 8) | s0;
break;
case PSTRING_4_BE:
- len = (s[0] << 24) | (s[1] << 16) | (s[2] << 8) | s[3];
+ s0 = s[0];
+ s1 = s[1];
+ s2 = s[2];
+ s3 = s[3];
+ len = (s0 << 24) | (s1 << 16) | (s2 << 8) | s3;
break;
default:
abort(); /* Impossible */
Index: contrib/file/src/compress.c
===================================================================
--- contrib/file/src/compress.c (版本 330566)
+++ contrib/file/src/compress.c (版本 330908)
@@ -35,7 +35,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: compress.c,v 1.100 2016/10/24 18:02:17 christos Exp $")
+FILE_RCSID("@(#)$File: compress.c,v 1.105 2017/05/25 00:13:03 christos Exp $")
#endif
#include "magic.h"
@@ -62,7 +62,7 @@
#if defined(HAVE_SYS_TIME_H)
#include <sys/time.h>
#endif
-#if defined(HAVE_ZLIB_H)
+#if defined(HAVE_ZLIB_H) && defined(ZLIBSUPPORT)
#define BUILTIN_DECOMPRESS
#include <zlib.h>
#endif
@@ -83,6 +83,7 @@
/*
* The following python code is not really used because ZLIBSUPPORT is only
* defined if we have a built-in zlib, and the built-in zlib handles that.
+ * That is not true for android where we have zlib.h and not -lz.
*/
static const char zlibcode[] =
"import sys, zlib; sys.stdout.write(zlib.decompress(sys.stdin.read()))";
@@ -93,7 +94,7 @@
zlibcmp(const unsigned char *buf)
{
unsigned short x = 1;
- unsigned char *s = (unsigned char *)&x;
+ unsigned char *s = CAST(unsigned char *, CAST(void *, &x));
if ((buf[0] & 0xf) != 8 || (buf[0] & 0x80) != 0)
return 0;
@@ -497,7 +498,7 @@
z.next_in = CCAST(Bytef *, old);
z.avail_in = CAST(uint32_t, *n);
z.next_out = *newch;
- z.avail_out = bytes_max;
+ z.avail_out = CAST(unsigned int, bytes_max);
z.zalloc = Z_NULL;
z.zfree = Z_NULL;
z.opaque = Z_NULL;
@@ -632,7 +633,7 @@
while (isspace((unsigned char)*p))
p++;
n = strlen(p);
- memmove(ubuf, p, n + 1);
+ memmove(ubuf, p, CAST(size_t, n + 1));
}
DPRINTF("Filter error after[[[%s]]]\n", (char *)ubuf);
if (islower(*ubuf))
@@ -688,7 +689,7 @@
}
for (i = 0; i < __arraycount(fdp); i++)
- copydesc(i, fdp[i]);
+ copydesc(CAST(int, i), fdp[i]);
(void)execvp(compr[method].argv[0],
(char *const *)(intptr_t)compr[method].argv);
@@ -748,9 +749,9 @@
rv = makeerror(newch, n, "Wait failed, %s", strerror(errno));
DPRINTF("Child wait return %#x\n", status);
} else if (!WIFEXITED(status)) {
- DPRINTF("Child not exited (0x%x)\n", status);
+ DPRINTF("Child not exited (%#x)\n", status);
} else if (WEXITSTATUS(status) != 0) {
- DPRINTF("Child exited (0x%d)\n", WEXITSTATUS(status));
+ DPRINTF("Child exited (%#x)\n", WEXITSTATUS(status));
}
closefd(fdp[STDIN_FILENO], 0);
Index: contrib/file/src/funcs.c
===================================================================
--- contrib/file/src/funcs.c (版本 330566)
+++ contrib/file/src/funcs.c (版本 330908)
@@ -27,7 +27,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: funcs.c,v 1.90 2016/10/19 20:51:17 christos Exp $")
+FILE_RCSID("@(#)$File: funcs.c,v 1.93 2017/08/28 13:39:18 christos Exp $")
#endif /* lint */
#include "magic.h"
@@ -76,7 +76,7 @@
ms->o.buf = buf;
return 0;
out:
- file_error(ms, errno, "vasprintf failed");
+ fprintf(stderr, "vasprintf failed (%s)", strerror(errno));
return -1;
}
@@ -328,9 +328,9 @@
#endif
protected int
-file_reset(struct magic_set *ms)
+file_reset(struct magic_set *ms, int checkloaded)
{
- if (ms->mlist[0] == NULL) {
+ if (checkloaded && ms->mlist[0] == NULL) {
file_error(ms, 0, "no magic files loaded");
return -1;
}
@@ -509,6 +509,8 @@
regmatch_t* pmatch, int eflags)
{
assert(rx->rc == 0);
+ /* XXX: force initialization because glibc does not always do this */
+ memset(pmatch, 0, nmatch * sizeof(*pmatch));
return regexec(&rx->rx, str, nmatch, pmatch, eflags);
}
Index: contrib/file/src/print.c
===================================================================
--- contrib/file/src/print.c (版本 330566)
+++ contrib/file/src/print.c (版本 330908)
@@ -32,7 +32,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: print.c,v 1.81 2016/01/19 15:09:03 christos Exp $")
+FILE_RCSID("@(#)$File: print.c,v 1.82 2017/02/10 18:14:01 christos Exp $")
#endif /* lint */
#include <string.h>
@@ -238,7 +238,7 @@
if (flags & FILE_T_WINDOWS) {
struct timespec ts;
- cdf_timestamp_to_timespec(&ts, v);
+ cdf_timestamp_to_timespec(&ts, CAST(cdf_timestamp_t, v));
t = ts.tv_sec;
} else {
// XXX: perhaps detect and print something if overflow
Index: contrib/file/src/softmagic.c
===================================================================
--- contrib/file/src/softmagic.c (版本 330566)
+++ contrib/file/src/softmagic.c (版本 330908)
@@ -32,7 +32,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: softmagic.c,v 1.238 2016/10/24 18:02:17 christos Exp $")
+FILE_RCSID("@(#)$File: softmagic.c,v 1.249 2017/06/19 18:30:25 christos Exp $")
#endif /* lint */
#include "magic.h"
@@ -192,6 +192,7 @@
while (magindex < nmagic - 1 &&
magic[magindex + 1].cont_level != 0)
magindex++;
+ cont_level = 0;
continue; /* Skip to next top-level test*/
}
@@ -370,6 +371,7 @@
case -1:
case 0:
flush = 1;
+ cont_level--;
break;
default:
break;
@@ -1017,9 +1019,8 @@
mconvert(struct magic_set *ms, struct magic *m, int flip)
{
union VALUETYPE *p = &ms->ms_value;
- uint8_t type;
- switch (type = cvt_flip(m->type, flip)) {
+ switch (cvt_flip(m->type, flip)) {
case FILE_BYTE:
if (cvt_8(p, m) == -1)
goto out;
@@ -1184,7 +1185,7 @@
case FILE_DER:
case FILE_SEARCH:
if (offset > nbytes)
- offset = nbytes;
+ offset = CAST(uint32_t, nbytes);
ms->search.s = RCAST(const char *, s) + offset;
ms->search.s_len = nbytes - offset;
ms->search.offset = offset;
@@ -1198,7 +1199,7 @@
const char *end;
size_t lines, linecnt, bytecnt;
- if (s == NULL) {
+ if (s == NULL || nbytes < offset) {
ms->search.s_len = 0;
ms->search.s = NULL;
return 0;
@@ -1260,7 +1261,8 @@
if (*dst == '\0') {
if (type == FILE_BESTRING16 ?
*(src - 1) != '\0' :
- *(src + 1) != '\0')
+ ((src + 1 < esrc) &&
+ *(src + 1) != '\0'))
*dst = ' ';
}
}
@@ -1365,7 +1367,7 @@
return -1;
if ((ms->flags & MAGIC_DEBUG) != 0) {
- fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, o=%"
+ fprintf(stderr, "mget(type=%d, flag=%#x, offset=%u, o=%"
SIZE_T_FORMAT "u, " "nbytes=%" SIZE_T_FORMAT
"u, il=%hu, nc=%hu)\n",
m->type, m->flag, offset, o, nbytes,
@@ -1632,6 +1634,7 @@
*/
const unsigned char *a = (const unsigned char *)s1;
const unsigned char *b = (const unsigned char *)s2;
+ const unsigned char *eb = b + len;
uint64_t v;
/*
@@ -1646,6 +1649,10 @@
}
else { /* combine the others */
while (len-- > 0) {
+ if (b >= eb) {
+ v = 1;
+ break;
+ }
if ((flags & STRING_IGNORE_LOWERCASE) &&
islower(*a)) {
if ((v = tolower(*b++) - *a++) != '\0')
@@ -1661,7 +1668,7 @@
a++;
if (isspace(*b++)) {
if (!isspace(*a))
- while (isspace(*b))
+ while (b < eb && isspace(*b))
b++;
}
else {
@@ -1672,7 +1679,7 @@
else if ((flags & STRING_COMPACT_OPTIONAL_WHITESPACE) &&
isspace(*a)) {
a++;
- while (isspace(*b))
+ while (b < eb && isspace(*b))
b++;
}
else {
@@ -1843,13 +1850,13 @@
for (idx = 0; m->str_range == 0 || idx < m->str_range; idx++) {
if (slen + idx > ms->search.s_len)
- break;
+ return 0;
v = file_strncmp(m->value.s, ms->search.s + idx, slen,
m->str_flags);
if (v == 0) { /* found match */
ms->search.offset += idx;
- ms->search.rm_len = m->str_range - idx;
+ ms->search.rm_len = ms->search.s_len - idx;
break;
}
}
@@ -1887,7 +1894,7 @@
copy[--slen] = '\0';
search = copy;
} else {
- search = ms->search.s;
+ search = CCAST(char *, "");
copy = NULL;
}
rc = file_regexec(&rx, (const char *)search,
Index: contrib/file/tests/hddrawcopytool.result
===================================================================
--- contrib/file/tests/hddrawcopytool.result (不存在的)
+++ contrib/file/tests/hddrawcopytool.result (版本 330908)
@@ -0,0 +1 @@
+HDD Raw Copy Tool 1.10 - HD model: ST500DM0 02-1BD142 serial: 51D20233A7C0
\ No newline at end of file
Index: contrib/file/python/magic.py
===================================================================
--- contrib/file/python/magic.py (版本 330566)
+++ contrib/file/python/magic.py (版本 330908)
@@ -117,30 +117,43 @@
"""
_close(self._magic_t)
+ @staticmethod
+ def __tostr(s):
+ if s is None:
+ return None
+ if isinstance(s, str):
+ return s
+ try: # keep Python 2 compatibility
+ return str(s, 'utf-8')
+ except TypeError:
+ return str(s)
+
+ @staticmethod
+ def __tobytes(b):
+ if b is None:
+ return None
+ if isinstance(b, bytes):
+ return b
+ try: # keep Python 2 compatibility
+ return bytes(b, 'utf-8')
+ except TypeError:
+ return bytes(b)
+
def file(self, filename):
"""
Returns a textual description of the contents of the argument passed
as a filename or None if an error occurred and the MAGIC_ERROR flag
- is set. A call to errno() will return the numeric error code.
+ is set. A call to errno() will return the numeric error code.
"""
- if isinstance(filename, bytes):
- bi = filename
- else:
- try: # keep Python 2 compatibility
- bi = bytes(filename, 'utf-8')
- except TypeError:
- bi = bytes(filename)
- r = _file(self._magic_t, bi)
- if isinstance(r, str):
- return r
- else:
- return str(r, 'utf-8')
+ return Magic.__tostr(_file(self._magic_t, Magic.__tobytes(filename)))
def descriptor(self, fd):
"""
- Like the file method, but the argument is a file descriptor.
+ Returns a textual description of the contents of the argument passed
+ as a file descriptor or None if an error occurred and the MAGIC_ERROR
+ flag is set. A call to errno() will return the numeric error code.
"""
- return _descriptor(self._magic_t, fd)
+ return Magic.__tostr(_descriptor(self._magic_t, fd))
def buffer(self, buf):
"""
@@ -148,11 +161,7 @@
as a buffer or None if an error occurred and the MAGIC_ERROR flag
is set. A call to errno() will return the numeric error code.
"""
- r = _buffer(self._magic_t, buf, len(buf))
- if isinstance(r, str):
- return r
- else:
- return str(r, 'utf-8')
+ return Magic.__tostr(_buffer(self._magic_t, buf, len(buf)))
def error(self):
"""
@@ -159,11 +168,7 @@
Returns a textual explanation of the last error or None
if there was no error.
"""
- e = _error(self._magic_t)
- if isinstance(e, str):
- return e
- else:
- return str(e, 'utf-8')
+ return Magic.__tostr(_error(self._magic_t))
def setflags(self, flags):
"""
@@ -184,17 +189,18 @@
Returns 0 on success and -1 on failure.
"""
- return _load(self._magic_t, filename)
+ return _load(self._magic_t, Magic.__tobytes(filename))
def compile(self, dbs):
"""
Compile entries in the colon separated list of database files
passed as argument or the default database file if no argument.
- Returns 0 on success and -1 on failure.
The compiled files created are named from the basename(1) of each file
argument with ".mgc" appended to it.
+
+ Returns 0 on success and -1 on failure.
"""
- return _compile(self._magic_t, dbs)
+ return _compile(self._magic_t, Magic.__tobytes(dbs))
def check(self, dbs):
"""
@@ -201,9 +207,10 @@
Check the validity of entries in the colon separated list of
database files passed as argument or the default database file
if no argument.
+
Returns 0 on success and -1 on failure.
"""
- return _check(self._magic_t, dbs)
+ return _check(self._magic_t, Magic.__tobytes(dbs))
def list(self, dbs):
"""
@@ -210,9 +217,10 @@
Check the validity of entries in the colon separated list of
database files passed as argument or the default database file
if no argument.
+
Returns 0 on success and -1 on failure.
"""
- return _list(self._magic_t, dbs)
+ return _list(self._magic_t, Magic.__tobytes(dbs))
def errno(self):
"""
Index: contrib/file/src/cdf_time.c
===================================================================
--- contrib/file/src/cdf_time.c (版本 330566)
+++ contrib/file/src/cdf_time.c (版本 330908)
@@ -27,7 +27,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: cdf_time.c,v 1.15 2014/05/14 23:15:42 christos Exp $")
+FILE_RCSID("@(#)$File: cdf_time.c,v 1.16 2017/03/29 15:57:48 christos Exp $")
#endif
#include <time.h>
@@ -171,7 +171,7 @@
char *ptr = ctime_r(sec, buf);
if (ptr != NULL)
return buf;
- (void)snprintf(buf, 26, "*Bad* 0x%16.16" INT64_T_FORMAT "x\n",
+ (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n",
(long long)*sec);
return buf;
}
Index: contrib/file/src/fsmagic.c
===================================================================
--- contrib/file/src/fsmagic.c (版本 330566)
+++ contrib/file/src/fsmagic.c (版本 330908)
@@ -32,7 +32,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: fsmagic.c,v 1.76 2015/04/09 20:01:41 christos Exp $")
+FILE_RCSID("@(#)$File: fsmagic.c,v 1.77 2017/05/24 19:17:50 christos Exp $")
#endif /* lint */
#include "magic.h"
@@ -104,6 +104,7 @@
{
int ret, did = 0;
int mime = ms->flags & MAGIC_MIME;
+ int silent = ms->flags & (MAGIC_APPLE|MAGIC_EXTENSION);
#ifdef S_IFLNK
char buf[BUFSIZ+4];
ssize_t nch;
@@ -110,8 +111,6 @@
struct stat tstatbuf;
#endif
- if (ms->flags & (MAGIC_APPLE|MAGIC_EXTENSION))
- return 0;
if (fn == NULL)
return 0;
@@ -168,7 +167,7 @@
}
ret = 1;
- if (!mime) {
+ if (!mime && !silent) {
#ifdef S_ISUID
if (sb->st_mode & S_ISUID)
if (file_printf(ms, "%ssetuid", COMMA) == -1)
@@ -191,6 +190,7 @@
if (mime) {
if (handle_mime(ms, mime, "directory") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms, "%sdirectory", COMMA) == -1)
return -1;
break;
@@ -208,6 +208,7 @@
if (mime) {
if (handle_mime(ms, mime, "chardevice") == -1)
return -1;
+ } else if (silent) {
} else {
#ifdef HAVE_STRUCT_STAT_ST_RDEV
# ifdef dv_unit
@@ -242,6 +243,7 @@
if (mime) {
if (handle_mime(ms, mime, "blockdevice") == -1)
return -1;
+ } else if (silent) {
} else {
#ifdef HAVE_STRUCT_STAT_ST_RDEV
# ifdef dv_unit
@@ -270,6 +272,7 @@
if (mime) {
if (handle_mime(ms, mime, "fifo") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms, "%sfifo (named pipe)", COMMA) == -1)
return -1;
break;
@@ -279,6 +282,7 @@
if (mime) {
if (handle_mime(ms, mime, "door") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms, "%sdoor", COMMA) == -1)
return -1;
break;
@@ -294,6 +298,7 @@
if (mime) {
if (handle_mime(ms, mime, "symlink") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms,
"%sunreadable symlink `%s' (%s)", COMMA, fn,
strerror(errno)) == -1)
@@ -323,6 +328,7 @@
if (handle_mime(ms, mime,
"x-path-too-long") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms,
"%spath too long: `%s'", COMMA,
fn) == -1)
@@ -352,6 +358,7 @@
if (mime) {
if (handle_mime(ms, mime, "symlink") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms, "%ssymbolic link to %s",
COMMA, buf) == -1)
return -1;
@@ -364,6 +371,7 @@
if (mime) {
if (handle_mime(ms, mime, "socket") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms, "%ssocket", COMMA) == -1)
return -1;
break;
@@ -386,6 +394,7 @@
if (mime) {
if (handle_mime(ms, mime, "x-empty") == -1)
return -1;
+ } else if (silent) {
} else if (file_printf(ms, "%sempty", COMMA) == -1)
return -1;
break;
@@ -399,7 +408,7 @@
/*NOTREACHED*/
}
- if (!mime && did && ret == 0) {
+ if (!silent && !mime && did && ret == 0) {
if (file_printf(ms, " ") == -1)
return -1;
}
Index: contrib/file/src/magic.h.in
===================================================================
--- contrib/file/src/magic.h.in (版本 330566)
+++ contrib/file/src/magic.h.in (版本 330908)
@@ -73,6 +73,35 @@
0 \
)
+#define MAGIC_SNPRINTB "\177\020\
+b\0debug\0\
+b\1symlink\0\
+b\2compress\0\
+b\3devices\0\
+b\4mime_type\0\
+b\5continue\0\
+b\6check\0\
+b\7preserve_atime\0\
+b\10raw\0\
+b\11error\0\
+b\12mime_encoding\0\
+b\13apple\0\
+b\14no_check_compress\0\
+b\15no_check_tar\0\
+b\16no_check_soft\0\
+b\17no_check_sapptype\0\
+b\20no_check_elf\0\
+b\21no_check_text\0\
+b\22no_check_cdf\0\
+b\23no_check_reserved0\0\
+b\24no_check_tokens\0\
+b\25no_check_encoding\0\
+b\26no_check_reserved1\0\
+b\27no_check_reserved2\0\
+b\30extension\0\
+b\31transp_compression\0\
+"
+
/* Defined for backwards compatibility (renamed) */
#define MAGIC_NO_CHECK_ASCII MAGIC_NO_CHECK_TEXT
@@ -97,6 +126,7 @@
const char *magic_buffer(magic_t, const void *, size_t);
const char *magic_error(magic_t);
+int magic_getflags(magic_t);
int magic_setflags(magic_t, int);
int magic_version(void);
Index: contrib/file/src/readelf.h
===================================================================
--- contrib/file/src/readelf.h (版本 330566)
+++ contrib/file/src/readelf.h (版本 330908)
@@ -141,7 +141,7 @@
#define SHT_SYMTAB 2
#define SHT_NOTE 7
#define SHT_DYNSYM 11
-#define SHT_SUNW_cap 0x6ffffff5 /* SunOS 5.x hw/sw capabilites */
+#define SHT_SUNW_cap 0x6ffffff5 /* SunOS 5.x hw/sw capabilities */
/* elf type */
#define ELFDATANONE 0 /* e_ident[EI_DATA] */
@@ -230,7 +230,34 @@
} Elf64_Shdr;
#define NT_NETBSD_CORE_PROCINFO 1
+#define NT_NETBSD_CORE_AUXV 2
+struct NetBSD_elfcore_procinfo {
+ /* Version 1 fields start here. */
+ uint32_t cpi_version; /* our version */
+ uint32_t cpi_cpisize; /* sizeof(this struct) */
+ uint32_t cpi_signo; /* killing signal */
+ uint32_t cpi_sigcode; /* signal code */
+ uint32_t cpi_sigpend[4]; /* pending signals */
+ uint32_t cpi_sigmask[4]; /* blocked signals */
+ uint32_t cpi_sigignore[4]; /* ignored signals */
+ uint32_t cpi_sigcatch[4]; /* caught signals */
+ int32_t cpi_pid; /* process ID */
+ int32_t cpi_ppid; /* parent process ID */
+ int32_t cpi_pgrp; /* process group ID */
+ int32_t cpi_sid; /* session ID */
+ uint32_t cpi_ruid; /* real user ID */
+ uint32_t cpi_euid; /* effective user ID */
+ uint32_t cpi_svuid; /* saved user ID */
+ uint32_t cpi_rgid; /* real group ID */
+ uint32_t cpi_egid; /* effective group ID */
+ uint32_t cpi_svgid; /* saved group ID */
+ uint32_t cpi_nlwps; /* number of LWPs */
+ int8_t cpi_name[32]; /* copy of p->p_comm */
+ /* Add version 2 fields below here. */
+ int32_t cpi_siglwp; /* LWP target of killing signal */
+};
+
/* Note header in a PT_NOTE section */
typedef struct elf_note {
Elf32_Word n_namesz; /* Name size */
@@ -328,6 +355,11 @@
*/
#define NT_NETBSD_CMODEL 6
+/*
+ * FreeBSD specific notes
+ */
+#define NT_FREEBSD_PROCSTAT_AUXV 16
+
#if !defined(ELFSIZE) && defined(ARCH_ELFSIZE)
#define ELFSIZE ARCH_ELFSIZE
#endif
Index: contrib/file/tests/Makefile.in
===================================================================
--- contrib/file/tests/Makefile.in (版本 330566)
+++ contrib/file/tests/Makefile.in (版本 330908)
@@ -290,12 +290,14 @@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
test_LDADD = $(top_builddir)/src/libmagic.la
-test_CPPFLAGS = -I$(top_srcdir)/src
+test_CPPFLAGS = -I$(top_builddir)/src
EXTRA_DIST = \
escapevel.result \
escapevel.testfile \
gedcom.result \
gedcom.testfile \
+hddrawcopytool.result \
+hddrawcopytool.testfile \
issue311docx.result \
issue311docx.testfile
Index: contrib/file/magic/Magdir/os9
===================================================================
--- contrib/file/magic/Magdir/os9 (版本 330566)
+++ contrib/file/magic/Magdir/os9 (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: os9,v 1.7 2011/05/13 22:15:54 christos Exp $
+# $File: os9,v 1.8 2017/03/17 21:35:28 christos Exp $
#
# Copyright (c) 1996 Ignatios Souvatzis. All rights reserved.
#
@@ -15,7 +15,7 @@
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
Index: contrib/file/magic/Magdir/pdf
===================================================================
--- contrib/file/magic/Magdir/pdf (版本 330566)
+++ contrib/file/magic/Magdir/pdf (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: pdf,v 1.8 2015/01/11 18:19:18 christos Exp $
+# $File: pdf,v 1.9 2017/05/24 17:35:20 christos Exp $
# pdf: file(1) magic for Portable Document Format
#
@@ -20,3 +20,8 @@
!:mime application/vnd.fdf
>5 byte x \b, version %c
>7 byte x \b.%c
+
+0 search/256 %PDF- PDF document
+!:mime application/pdf
+>&0 byte x \b, version %c
+>&2 byte x \b.%c
Index: contrib/file/magic/Magdir/pgp
===================================================================
--- contrib/file/magic/Magdir/pgp (版本 330566)
+++ contrib/file/magic/Magdir/pgp (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: pgp,v 1.12 2016/10/07 20:22:12 christos Exp $
+# $File: pgp,v 1.14 2017/03/17 21:35:28 christos Exp $
# pgp: file(1) magic for Pretty Good Privacy
# see http://lists.gnupg.org/pipermail/gnupg-devel/1999-September/016052.html
#
@@ -19,15 +19,15 @@
#>15 string SIGNED\040MESSAGE- signed message
#>15 string PGP\040SIGNATURE- signature
-2 string ---BEGIN\ PGP\ PUBLIC\ KEY\ BLOCK- PGP public key block
+2 string ---BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK- PGP public key block
!:mime application/pgp-keys
>10 search/100 \n\n
>>&0 use pgp
-0 string -----BEGIN\040PGP\40MESSAGE- PGP message
+0 string -----BEGIN\040PGP\040MESSAGE- PGP message
!:mime application/pgp
>10 search/100 \n\n
>>&0 use pgp
-0 string -----BEGIN\040PGP\40SIGNATURE- PGP signature
+0 string -----BEGIN\040PGP\040SIGNATURE- PGP signature
!:mime application/pgp-signature
>10 search/100 \n\n
>>&0 use pgp
@@ -77,7 +77,7 @@
>0 byte 0x30
>>1 byte&0xc0 0x00 Unused [0%x]
>>1 byte&0xc0 0x40 User Attribute
->>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data
+>>1 byte&0xc0 0x80 Sym. Encrypted and Integrity Protected Data
>>1 byte&0xc0 0xc0 Modification Detection Code
# magic signatures to detect PGP crypto material (from stef)
@@ -206,7 +206,7 @@
>0 byte 19 ECDSA
>0 byte 20 ElGamal (Encrypt or Sign)
>0 byte 21 Diffie-Hellman
->0 default x
+>0 default x
>>0 ubyte <22 unknown (pub %d)
# this should never happen
>>0 ubyte >21 invalid (%d)
@@ -482,16 +482,16 @@
>1 use pgpkey
0 byte 0x97 PGP Secret Sub-key -
>1 use pgpkey
-0 byte 0x9d
+0 byte 0x9d
# Update: Joerg Jenderek
# secret subkey packet (tag 7) with same structure as secret key packet (tag 5)
# skip Fetus.Sys16 CALIBUS.MAIN OrbFix.Sys16.Ex by looking for positive len
->1 ubeshort >0
+>1 ubeshort >0
#>1 ubeshort x \b, body length 0x%x
# next packet type often 88h,89h~(tag 2)~Signature Packet
#>>(1.S+3) ubyte x \b, next packet type 0x%x
# skip Dragon.SHR DEMO.INIT by looking for positive version
->>3 ubyte >0
+>>3 ubyte >0
# skip BUISSON.13 GUITAR1 by looking for low version number
>>>3 ubyte <5 PGP Secret Sub-key
# sub-key are normally part of secret key. So it does not occur as standalone file
@@ -500,7 +500,7 @@
>>>>3 ubyte x (v%d)
>>>>3 ubyte x -
# old versions 2 or 3 but no real example found
->>>>3 ubyte <4
+>>>>3 ubyte <4
# 2 byte for key bits in version 5.28 look
>>>>>11 ubeshort x %db
>>>>>4 beldate x created on %s -
@@ -508,15 +508,15 @@
#>>>>>8 ubeshort x 0x%x
# display key algorithm 1~RSA Encrypt|Sign - 21~Diffie-Hellman
>>>>>10 use key_algo
->>>>>(11.S/8) ubequad x
+>>>>>(11.S/8) ubequad x
# look after first key
>>>>>>&5 use keyend
# new version
->>>>3 ubyte >3
+>>>>3 ubyte >3
>>>>>9 ubeshort x %db
>>>>>4 beldate x created on %s -
# display key algorithm
>>>>>8 use key_algo
->>>>>(9.S/8) ubequad x
+>>>>>(9.S/8) ubequad x
# look after first key for something like s2k
>>>>>>&3 use keyend
Index: contrib/file/magic/Magdir/python
===================================================================
--- contrib/file/magic/Magdir/python (版本 330566)
+++ contrib/file/magic/Magdir/python (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: python,v 1.29 2016/07/27 09:42:16 rrt Exp $
+# $File: python,v 1.34 2017/08/14 07:40:38 christos Exp $
# python: file(1) magic for python
#
# Outlook puts """ too for urgent messages
@@ -24,8 +24,12 @@
0 belong 0x6c0c0d0a python 3.2 byte-compiled
0 belong 0x9e0c0d0a python 3.3 byte-compiled
0 belong 0xee0c0d0a python 3.4 byte-compiled
-0 belong 0x160d0d0a python 3.5 byte-compiled
+0 belong 0x160d0d0a python 3.5.1- byte-compiled
+0 belong 0x170d0d0a python 3.5.2+ byte-compiled
+0 belong 0x330d0d0a python 3.6 byte-compiled
+0 belong 0x3e0d0d0a python 3.7 byte-compiled
+
0 search/1/w #!\ /usr/bin/python Python script text executable
!:strength + 15
!:mime text/x-python
@@ -41,14 +45,27 @@
# from module.submodule import func1, func2
-0 regex \^from\\s+(\\w|\\.)+\\s+import.*$ Python script text executable
+0 regex \^from[\040\t\f\r\n]+([A-Za-z0-9_]|\\.)+[\040\t\f\r\n]+import.*$ Python script text executable
+!:strength + 15
!:mime text/x-python
# def __init__ (self, ...):
0 search/4096 def\ __init__
>&0 search/64 self Python script text executable
+!:strength + 15
!:mime text/x-python
+# if __name__ == "__main__":
+0 search/4096 if\ __name__
+>&0 search/64 '__main__' Python script text executable
+>&0 search/64 "__main__" Python script text executable
+!:strength + 15
+!:mime text/x-python
+
+# import module [as abrev]
+0 regex \^import\ [_[:alpha:]]+\ as\ [[:alpha:]][[:space:]]*$ Python script text executable
+!:mime text/x-python
+
# comments
#0 search/4096 '''
#>&0 regex .*'''$ Python script text executable
@@ -62,12 +79,19 @@
# except: or finally:
# block
0 search/4096 try:
->&0 regex \^\\s*except.*: Python script text executable
+>&0 regex \^[[:space:]]*except.*:$ Python script text executable
+!:strength + 15
!:mime text/x-python
>&0 search/4096 finally: Python script text executable
!:mime text/x-python
-# def name(args, args):
-0 regex \^(\ |\\t){0,50}def\ {1,50}[a-zA-Z]{1,100}
->&0 regex \ {0,50}\\(([a-zA-Z]|,|\ ){1,255}\\):$ Python script text executable
+# class name[(base classes,)]: [pass]
+0 regex \^class\ [_[:alpha:]]+(\\(.*\\))?(\ )*:([\ \t]+pass)?$ Python script text executable
+!:strength + 15
!:mime text/x-python
+
+# def name(*args, **kwargs):
+0 regex \^[[:space:]]{0,50}def\ {1,50}[_a-zA-Z]{1,100}
+>&0 regex \\(([[:alpha:]*_,\ ]){0,255}\\):$ Python script text executable
+!:strength + 15
+!:mime text/x-python
Index: contrib/file/magic/Magdir/scientific
===================================================================
--- contrib/file/magic/Magdir/scientific (版本 330566)
+++ contrib/file/magic/Magdir/scientific (版本 330908)
@@ -1,7 +1,7 @@
#------------------------------------------------------------------------------
-# $File: scientific,v 1.10 2015/08/24 05:18:55 christos Exp $
-# scientific: file(1) magic for scientific formats
+# $File: scientific,v 1.12 2017/03/17 22:20:22 christos Exp $
+# scientific: file(1) magic for scientific formats
#
# From: Joe Krahn <krahn@niehs.nih.gov>
@@ -90,7 +90,7 @@
# format DD-MMM-YY, e.g., 01-JAN-70, and the IDcode consists of numbers and
# uppercase letters. However, examples have been seen without the date string,
# e.g., the example on the chemime site.
-0 string HEADER\ \ \ \
+0 string HEADER\ \ \ \040
>&0 regex/1l \^.{40}
>>&0 regex/1l [0-9]{2}-[A-Z]{3}-[0-9]{2}\ {3}
>>>&0 regex/1ls [A-Z0-9]{4}.{14}$
Index: contrib/file/magic/Magdir/sharc
===================================================================
--- contrib/file/magic/Magdir/sharc (版本 330566)
+++ contrib/file/magic/Magdir/sharc (版本 330908)
@@ -1,9 +1,9 @@
#------------------------------------------------------------------------
-# $File: sharc,v 1.7 2014/04/30 21:41:02 christos Exp $
+# $File: sharc,v 1.8 2017/03/17 21:35:28 christos Exp $
# file(1) magic for sharc files
#
-# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by
+# SHARC DSP, MIDI SysEx and RiscOS filetype definitions added by
# FutureGroove Music (dsp@futuregroove.de)
#------------------------------------------------------------------------
Index: contrib/file/magic/Magdir/sysex
===================================================================
--- contrib/file/magic/Magdir/sysex (版本 330566)
+++ contrib/file/magic/Magdir/sysex (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------
-# $File: sysex,v 1.8 2014/06/03 19:17:27 christos Exp $
+# $File: sysex,v 1.9 2017/03/17 21:35:28 christos Exp $
# sysex: file(1) magic for MIDI sysex files
#
# GRR: original 1 byte test at offset was too general as it catches also many FATs of DOS filesystems
@@ -256,7 +256,7 @@
>1 belong&0xffffff00 0x00011d00 Nemesys
>1 belong&0xffffff00 0x00011e00 DBX
>1 belong&0xffffff00 0x00011f00 Syndyne
->1 belong&0xffffff00 0x00012000 Bitheadz
+>1 belong&0xffffff00 0x00012000 Bitheadz
>1 belong&0xffffff00 0x00012100 Cakewalk
>1 belong&0xffffff00 0x00012200 Staccato
>1 belong&0xffffff00 0x00012300 National Semicon.
Index: contrib/file/magic/Magdir/vorbis
===================================================================
--- contrib/file/magic/Magdir/vorbis (版本 330566)
+++ contrib/file/magic/Magdir/vorbis (版本 330908)
@@ -1,6 +1,6 @@
#------------------------------------------------------------------------------
-# $File: vorbis,v 1.22 2015/03/28 15:14:55 christos Exp $
+# $File: vorbis,v 1.23 2017/03/17 21:35:28 christos Exp $
# vorbis: file(1) magic for Ogg/Vorbis files
#
# From Felix von Leitner <leitner@fefe.de>
@@ -95,7 +95,7 @@
# in a different place, so we must use an indirect offset.
>>>(84.b+85) string \x03vorbis
>>>>(84.b+96) string/c Xiphophorus\ libVorbis\ I \b, created by: Xiphophorus libVorbis I
->>>>>(84.b+120) string >00000000
+>>>>>(84.b+120) string >00000000
# Map to beta version numbers:
>>>>>>(84.b+120) string <20000508 (<beta1, prepublic)
>>>>>>(84.b+120) string 20000508 (1.0 beta 1 or beta 2)
@@ -117,7 +117,7 @@
>>>>>>(84.b+120) string >20011231 (pre-1.0 CVS)
# For the 1.0 release, Xiphophorus is replaced by Xiph.Org
>>>>(84.b+96) string/c Xiph.Org\ libVorbis\ I \b, created by: Xiph.Org libVorbis I
->>>>>(84.b+117) string >00000000
+>>>>>(84.b+117) string >00000000
>>>>>>(84.b+117) string <20020717 (pre-1.0 CVS)
>>>>>>(84.b+117) string 20020717 (1.0)
>>>>>>(84.b+117) string 20030909 (1.0.1)
@@ -128,13 +128,13 @@
!:mime audio/ogg
>>>36 ubyte >0x0F UNKNOWN VERSION %u,
>>>36 ubyte &0x0F version 0.%d
->>>>46 ubyte >1
+>>>>46 ubyte >1
>>>>>46 ubyte !255 unknown channel mapping family %u,
>>>>>37 ubyte x %u channels
>>>>46 ubyte 0
>>>>>37 ubyte 1 mono
>>>>>37 ubyte 2 stereo
->>>>46 ubyte 1
+>>>>46 ubyte 1
>>>>>37 ubyte 1 mono
>>>>>37 ubyte 2 stereo
>>>>>37 ubyte 3 linear surround
Index: contrib/file/magic/Magdir/xilinx
===================================================================
--- contrib/file/magic/Magdir/xilinx (版本 330566)
+++ contrib/file/magic/Magdir/xilinx (版本 330908)
@@ -1,12 +1,12 @@
#------------------------------------------------------------------------------
-# $File: xilinx,v 1.7 2014/04/30 21:41:02 christos Exp $
+# $File: xilinx,v 1.8 2017/03/17 21:35:28 christos Exp $
# This is Aaron's attempt at a MAGIC file for Xilinx .bit files.
# Xilinx-Magic@RevRagnarok.com
# Got the info from FPGA-FAQ 0026
#
-# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth,
-# fixes at least reading of bitfiles from Spartan 2, 3, 6.
+# Rewritten to use pstring/H instead of hardcoded lengths by O. Freyermuth,
+# fixes at least reading of bitfiles from Spartan 2, 3, 6.
# http://www.fpga-faq.com/FAQ_Pages/0026_Tell_me_about_bit_files.htm
#
# First there is the sync header and its length
@@ -20,7 +20,7 @@
>>>>&0 pstring/H x - from %s
# And then 'b'
>>>>>&1 string b
-# Then the model / part number:
+# Then the model / part number:
>>>>>>&0 pstring/H x - for %s
# Then 'c'
>>>>>>>&1 string c
@@ -36,5 +36,5 @@
>>>>>>>>>>>>&0 belong x - data length 0x%x
# Raw bitstream files
-0 long 0xffffffff
+0 long 0xffffffff
>&0 belong 0xaa995566 Xilinx RAW bitstream (.BIN)
Index: contrib/tzdata/README
===================================================================
--- contrib/tzdata/README (版本 330566)
+++ contrib/tzdata/README (版本 330908)
@@ -11,7 +11,7 @@
and daylight-saving rules.
See <https://www.iana.org/time-zones/repository/tz-link.html> or the
-file tz-link.htm for how to acquire the code and data. Once acquired,
+file tz-link.html for how to acquire the code and data. Once acquired,
read the comments in the file 'Makefile' and make any changes needed
to make things right for your system, especially if you are using some
platform other than GNU/Linux. Then run the following commands,
@@ -18,7 +18,7 @@
substituting your desired installation directory for "$HOME/tzdir":
make TOPDIR=$HOME/tzdir install
- $HOME/tzdir/etc/zdump -v America/Los_Angeles
+ $HOME/tzdir/usr/bin/zdump -v America/Los_Angeles
Historical local time information has been included here to:
Index: contrib/tzdata/backzone
===================================================================
--- contrib/tzdata/backzone (版本 330566)
+++ contrib/tzdata/backzone (版本 330908)
@@ -145,11 +145,6 @@
Zone Africa/Harare 2:04:12 - LMT 1903 Mar
2:00 - CAT
-# South Sudan
-Zone Africa/Juba 2:06:24 - LMT 1931
- 2:00 Sudan CA%sT 2000 Jan 15 12:00
- 3:00 - EAT
-
# Uganda
Zone Africa/Kampala 2:09:40 - LMT 1928 Jul
3:00 - EAT 1930
@@ -242,11 +237,6 @@
0:00 - GMT 1934 Feb 26
1:00 - WAT
-# São Tomé and Príncipe
-Zone Africa/Sao_Tome 0:26:56 - LMT 1884
- -0:36:32 - LMT 1912 # Lisbon Mean Time
- 0:00 - GMT
-
# Mali (northern)
Zone Africa/Timbuktu -0:12:04 - LMT 1912
0:00 - GMT
Index: contrib/tzdata/northamerica
===================================================================
--- contrib/tzdata/northamerica (版本 330566)
+++ contrib/tzdata/northamerica (版本 330908)
@@ -348,6 +348,18 @@
# Nebraska, eastern North Dakota, Oklahoma, eastern South Dakota,
# western Tennessee, most of Texas, Wisconsin
+# From Paul Eggert (2018-01-07):
+# In 1869 the Chicago Astronomical Society contracted with the city to keep
+# time. Though delayed by the Great Fire, by 1880 a wire ran from the
+# Dearborn Observatory (on the University of Chicago campus) to City Hall,
+# which then sent signals to police and fire stations. However, railroads got
+# their time signals from the Allegheny Observatory, the Madison Observatory,
+# the Ann Arbor Observatory, etc., so their clocks did not agree with each
+# other or with the city's official time. The confusion took some years to
+# clear up. See:
+# Moser M. How Chicago gave America its time zones. Chicago. 2018-01-04.
+# http://www.chicagomag.com/city-life/January-2018/How-Chicago-Gave-America-Its-Time-Zones/
+
# From Larry M. Smith (2006-04-26) re Wisconsin:
# https://docs.legis.wisconsin.gov/statutes/statutes/175.pdf
# is currently enforced at the 01:00 time of change. Because the local
@@ -1896,7 +1908,7 @@
# manager of the Creston & District Museum. The article was written in May 2009.
# http://www.ilovecreston.com/?p=articles&t=spec&ar=260
# According to the article, Creston has not changed its clocks since June 1918.
-# i.e. Creston has been stuck on UTC-7 for 93 years.
+# i.e. Creston has been stuck on UT-7 for 93 years.
# Dawson Creek, on the other hand, changed its clocks as recently as April 1972.
# Unfortunately the exact date for the time change in June 1918 remains
Index: contrib/tzdata/zishrink.awk
===================================================================
--- contrib/tzdata/zishrink.awk (版本 330566)
+++ contrib/tzdata/zishrink.awk (版本 330908)
@@ -37,7 +37,7 @@
# Remove comments, normalize spaces, and append a space to each line.
sub(/#.*/, "", line)
line = line " "
- gsub(/[[:space:]]+/, " ", line)
+ gsub(/[\f\r\t\v ]+/, " ", line)
# Abbreviate keywords. Do not abbreviate "Link" to just "L",
# as pre-2017c zic erroneously diagnoses "Li" as ambiguous.
@@ -94,7 +94,7 @@
sub(/ 0+$/, "", line)
# Remove unnecessary trailing days-of-month "1".
- if (match(line, /[[:alpha:]] 1$/))
+ if (match(line, /[A-Za-z] 1$/))
line = substr(line, 1, RSTART)
# Remove unnecessary trailing " Ja" (for January).
@@ -144,10 +144,11 @@
}
BEGIN {
+ print "# version", version
print "# This zic input file is in the public domain."
}
-/^[[:space:]]*[^#[:space:]]/ {
+/^[\f\r\t\v ]*[^#\f\r\t\v ]/ {
process_input_line($0)
}
Index: contrib/ntp/Makefile.am
===================================================================
--- contrib/ntp/Makefile.am (版本 330566)
+++ contrib/ntp/Makefile.am (版本 330908)
@@ -5,10 +5,10 @@
# moved sntp first to get libtool and libevent built.
SUBDIRS = \
- sntp \
scripts \
include \
libntp \
+ sntp \
libparse \
ntpd \
ntpdate \
Index: contrib/ntp/adjtimed/Makefile.in
===================================================================
--- contrib/ntp/adjtimed/Makefile.in (版本 330566)
+++ contrib/ntp/adjtimed/Makefile.in (版本 330908)
@@ -108,6 +108,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -952,7 +953,6 @@
#
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/html/access.html
===================================================================
--- contrib/ntp/html/access.html (版本 330566)
+++ contrib/ntp/html/access.html (版本 330908)
@@ -19,7 +19,7 @@
<p><img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a></p>
<p>The skunk watches for intruders and sprays.</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->11-Sep-2010 05:53<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->26-Jul-2017 20:10<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
@@ -32,7 +32,7 @@
<p>The ACL is specified as a list of <tt>restrict</tt> commands in the following format:</p>
<p><tt>restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></p>
<p>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the <tt><i>address</i></tt> is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 and IPv6 default entries. <tt>restrict source</tt> configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptable, and removed when the association is demobilized.</p>
-<p>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.</p>
+<p>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server.</p>
<p>An example may clarify how it works. Our campus has two class-B networks, 128.4 for the ECE and CIS departments and 128.175 for the rest of campus. Let's assume (not true!) that subnet 128.4.1 homes critical services like class rosters and spread sheets. A suitable ACL might look like this:</p>
<pre>
restrict default nopeer # deny new associations
Index: contrib/file/tests/test.c
===================================================================
--- contrib/file/tests/test.c (版本 330566)
+++ contrib/file/tests/test.c (版本 330908)
@@ -80,7 +80,8 @@
return 10;
}
if (magic_load(ms, NULL) == -1) {
- (void)fprintf(stderr, "ERROR loading with NULL file: %s\n", magic_error(ms));
+ (void)fprintf(stderr, "ERROR loading with NULL file: %s\n",
+ magic_error(ms));
return 11;
}
Index: contrib/tzdata/africa
===================================================================
--- contrib/tzdata/africa (版本 330566)
+++ contrib/tzdata/africa (版本 330908)
@@ -158,7 +158,6 @@
Link Africa/Abidjan Africa/Lome # Togo
Link Africa/Abidjan Africa/Nouakchott # Mauritania
Link Africa/Abidjan Africa/Ouagadougou # Burkina Faso
-Link Africa/Abidjan Africa/Sao_Tome # São Tomé and Príncipe
Link Africa/Abidjan Atlantic/St_Helena # St Helena
# Djibouti
@@ -425,7 +424,7 @@
#
# The Nautical Almanac for the Year 1970, p 264, is the source for -0:44:30.
#
-# In 1972 Liberia was the last country to switch from a UTC offset
+# In 1972 Liberia was the last country to switch from a UT offset
# that was not a multiple of 15 or 20 minutes. The 1972 change was on
# 1972-01-07, according to an entry dated 1972-01-04 on p 330 of:
# Presidential Papers: First year of the administration of
@@ -1037,6 +1036,19 @@
# Inaccessible, Nightingale: uninhabited
# São Tomé and Príncipe
+
+# From Steffen Thorsen (2018-01-08):
+# Multiple sources tell that São Tomé changed from UTC to UTC+1 as
+# they entered the year 2018.
+# From Michael Deckers (2018-01-08):
+# the switch is from 01:00 to 02:00 ... [Decree No. 25/2017]
+# http://www.mnec.gov.st/index.php/publicacoes/documentos/file/90-decreto-lei-n-25-2017
+
+Zone Africa/Sao_Tome 0:26:56 - LMT 1884
+ -0:36:45 - LMT 1912 # Lisbon Mean Time
+ 0:00 - GMT 2018 Jan 1 01:00
+ 1:00 - WAT
+
# Senegal
# See Africa/Abidjan.
Index: contrib/tzdata/europe
===================================================================
--- contrib/tzdata/europe (版本 330566)
+++ contrib/tzdata/europe (版本 330908)
@@ -68,6 +68,7 @@
# 0:00 WET WEST WEMT Western Europe
# 0:19:32.13 AMT* NST* Amsterdam, Netherlands Summer (1835-1937)
# 1:00 BST British Standard (1968-1971)
+# 1:00 IST GMT Irish Standard (1968-) with winter DST
# 1:00 CET CEST CEMT Central Europe
# 1:00:14 SET Swedish (1879-1899)
# 1:36:34 RMT* LST* Riga, Latvian Summer (1880-1926)*
@@ -74,8 +75,8 @@
# 2:00 EET EEST Eastern Europe
# 3:00 MSK MSD MDST* Moscow
-# From Peter Ilieve (1994-12-04),
-# The original six [EU members]: Belgium, France, (West) Germany, Italy,
+# From Peter Ilieve (1994-12-04), re EEC/EC/EU members:
+# The original six: Belgium, France, (West) Germany, Italy,
# Luxembourg, the Netherlands.
# Plus, from 1 Jan 73: Denmark, Ireland, United Kingdom.
# Plus, from 1 Jan 81: Greece.
@@ -278,16 +279,31 @@
# The following claim by Shanks & Pottenger is possible though doubtful;
# we'll ignore it for now.
# * Dublin's 1971-10-31 switch was at 02:00, even though London's was 03:00.
+
+# From Paul Eggert (2017-12-04):
#
+# Dunsink Observatory (8 km NW of Dublin's center) was to Dublin as
+# Greenwich was to London. For example:
#
-# Whitman says Dublin Mean Time was -0:25:21, which is more precise than
-# Shanks & Pottenger.
-# Perhaps this was Dunsink Observatory Time, as Dunsink Observatory
-# (8 km NW of Dublin's center) seemingly was to Dublin as Greenwich was
-# to London. For example:
-#
# "Timeball on the ballast office is down. Dunsink time."
# -- James Joyce, Ulysses
+#
+# The abbreviation DMT stood for "Dublin Mean Time" or "Dunsink Mean Time";
+# this being Ireland, opinions differed.
+#
+# Whitman says Dublin/Dunsink Mean Time was UT-00:25:21, which agrees
+# with measurements of recent visitors to the Meridian Room of Dunsink
+# Observatory; see Malone D. Dunsink and timekeeping. 2016-01-24.
+# <https://www.maths.tcd.ie/~dwmalone/time/dunsink.html>. Malone
+# writes that the Nautical Almanac listed UT-00:25:22 until 1896, when
+# it moved to UT-00:25:21.1 (I confirmed that the 1893 edition used
+# the former and the 1896 edition used the latter). Evidently the
+# news of this change propagated slowly, as Milne 1899 still lists
+# UT-00:25:22 and cites the International Telegraph Bureau. As it is
+# not clear that there was any practical significance to the change
+# from UT-00:25:22 to UT-00:25:21.1 in civil timekeeping, omit this
+# transition for now and just use the latter value, omitting its
+# fraction since our format cannot represent fractions.
# "Countess Markievicz ... claimed that the [1916] abolition of Dublin Mean Time
# was among various actions undertaken by the 'English' government that
@@ -347,12 +363,28 @@
# regulations. I spoke this morning with the Secretary of the Department of
# Justice (tel +353 1 678 9711) who confirmed to me that the correct name is
# "Irish Summer Time", abbreviated to "IST".
+#
+# From Paul Eggert (2017-12-07):
+# The 1996 anonymous contributor's goal was to determine the correct
+# abbreviation for summer time in Dublin and so the contributor
+# focused on the "IST", not on the "Irish Summer Time". Though the
+# "IST" was correct, the "Irish Summer Time" appears to have been an
+# error, as Ireland's Standard Time (Amendment) Act, 1971 states that
+# standard time in Ireland remains at UT +01 and is observed in
+# summer, and that Greenwich mean time is observed in winter. (Thanks
+# to Derick Rethans for pointing out the error.) That is, when
+# Ireland amended the 1968 act that established UT +01 as Irish
+# Standard Time, it left standard time unchanged and established GMT
+# as a negative daylight saving time in winter. So, in this database
+# IST stands for Irish Summer Time for timestamps before 1968, and for
+# Irish Standard Time after that. See:
+# http://www.irishstatutebook.ie/eli/1971/act/17/enacted/en/print
# Michael Deckers (2017-06-01) gave the following URLs for Ireland's
# Summer Time Act, 1925 and Summer Time Orders, 1926 and 1947:
-# http://www.irishstatutebook.ie/eli/1925/act/8/enacted/en/print.html
-# http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print.html
-# http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print.html
+# http://www.irishstatutebook.ie/eli/1925/act/8/enacted/en/print
+# http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print
+# http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
# Summer Time Act, 1916
@@ -476,9 +508,23 @@
Link Europe/London Europe/Guernsey
Link Europe/London Europe/Isle_of_Man
+# From Paul Eggert (2018-01-19):
+# The following is like GB-Eire and EU, except with standard time in
+# summer and negative daylight saving time in winter.
+# Although currently commented out, this will need to become uncommented
+# once the ICU/OpenJDK workaround is removed; see below.
+# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
+#Rule Eire 1971 only - Oct 31 2:00u -1:00 GMT
+#Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 IST
+#Rule Eire 1972 1980 - Oct Sun>=23 2:00u -1:00 GMT
+#Rule Eire 1981 max - Mar lastSun 1:00u 0 IST
+#Rule Eire 1981 1989 - Oct Sun>=23 1:00u -1:00 GMT
+#Rule Eire 1990 1995 - Oct Sun>=22 1:00u -1:00 GMT
+#Rule Eire 1996 max - Oct lastSun 1:00u -1:00 GMT
+
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone Europe/Dublin -0:25:00 - LMT 1880 Aug 2
- -0:25:21 - DMT 1916 May 21 2:00s # Dublin MT
+ -0:25:21 - DMT 1916 May 21 2:00s
-0:25:21 1:00 IST 1916 Oct 1 2:00s
0:00 GB-Eire %s 1921 Dec 6 # independence
0:00 GB-Eire GMT/IST 1940 Feb 25 2:00s
@@ -487,16 +533,33 @@
0:00 1:00 IST 1947 Nov 2 2:00s
0:00 - GMT 1948 Apr 18 2:00s
0:00 GB-Eire GMT/IST 1968 Oct 27
+# From Paul Eggert (2018-01-18):
+# The next line should look like this:
+# 1:00 Eire IST/GMT
+# However, in January 2018 we discovered that the Eire rules cause
+# problems with tests for ICU:
+# https://mm.icann.org/pipermail/tz/2018-January/025825.html
+# and with tests for OpenJDK:
+# https://mm.icann.org/pipermail/tz/2018-January/025822.html
+# To work around this problem, use a traditional approximation for
+# time stamps after 1971-10-31 02:00 UTC, to give ICU and OpenJDK
+# developers breathing room to fix bugs. This approximation has
+# correct UTC offsets, but results in tm_isdst flags are the reverse
+# of what they should be. This workaround is temporary and should be
+# removed reasonably soon.
1:00 - IST 1971 Oct 31 2:00u
0:00 GB-Eire GMT/IST 1996
0:00 EU GMT/IST
+# End of workaround for ICU and OpenJDK bugs.
+
###############################################################################
# Europe
-# EU rules are for the European Union, previously known as the EC, EEC,
-# Common Market, etc.
+# The following rules are for the European Union and for its
+# predecessor organization, the European Communities.
+# For brevity they are called "EU rules" elsewhere in this file.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule EU 1977 1980 - Apr Sun>=1 1:00u 1:00 S
@@ -929,7 +992,7 @@
# The page http://www.retsinfo.dk/_GETDOCI_/ACCN/A18930008330-REGL
# confirms this, and states that the law was put forth 1893-03-29.
#
-# The EU treaty with effect from 1973:
+# The EU [actually, EEC and Euratom] treaty with effect from 1973:
# http://www.retsinfo.dk/_GETDOCI_/ACCN/A19722110030-REGL
#
# This provoked a new law from 1974 to make possible summer time changes
@@ -985,9 +1048,10 @@
# East Greenland and Franz Josef Land, but we don't know their time zones.
# My source for this is Wilhelm Dege's book mentioned under Svalbard.
#
-# From Paul Eggert (2006-03-22):
-# Greenland joined the EU as part of Denmark, obtained home rule on 1979-05-01,
-# and left the EU on 1985-02-01. It therefore should have been using EU
+# From Paul Eggert (2017-12-10):
+# Greenland joined the European Communities as part of Denmark,
+# obtained home rule on 1979-05-01, and left the European Communities
+# on 1985-02-01. It therefore should have been using EU
# rules at least through 1984. Shanks & Pottenger say Scoresbysund and Godthåb
# used C-Eur rules after 1980, but IATA SSIM (1991/1996) says they use EU
# rules since at least 1991. Assume EU rules since 1980.
@@ -1301,7 +1365,7 @@
# From Markus Kuhn (1998-09-29):
# The German time zone web site by the Physikalisch-Technische
# Bundesanstalt contains DST information back to 1916.
-# [See tz-link.htm for the URL.]
+# [See tz-link.html for the URL.]
# From Jörg Schilling (2002-10-23):
# In 1945, Berlin was switched to Moscow Summer time (GMT+4) by
@@ -1398,7 +1462,7 @@
1:00 Greece CE%sT 1944 Apr 4
2:00 Greece EE%sT 1981
# Shanks & Pottenger say it switched to C-Eur in 1981;
- # go with EU instead, since Greece joined it on Jan 1.
+ # go with EU rules instead, since Greece joined Jan 1.
2:00 EU EE%sT
# Hungary
@@ -2097,7 +2161,7 @@
# IATA SSIM (1991/1992) reports that the Azores were at -1:00.
# IATA SSIM (1993-02) says +0:00; later issues (through 1996-09) say -1:00.
# Guess that the Azores changed to EU rules in 1992 (since that's when Portugal
-# harmonized with the EU), and that they stayed +0:00 that winter.
+# harmonized with EU rules), and that they stayed +0:00 that winter.
#
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
# DSH writes that despite Decree 1,469 (1915), the change to the clocks was not
@@ -2772,9 +2836,9 @@
#
# https://regnum.ru/news/society/1957270.html
# has some historical data for Altai Krai:
-# before 1957: west part on UTC+6, east on UTC+7
-# after 1957: UTC+7
-# since 1995: UTC+6
+# before 1957: west part on UT+6, east on UT+7
+# after 1957: UT+7
+# since 1995: UT+6
# http://barnaul.rusplt.ru/index/pochemu_altajskij_kraj_okazalsja_v_neprivychnom_chasovom_pojase-17648.html
# confirms that and provides more details including 1995-05-28 transition date.
@@ -3582,6 +3646,17 @@
# The change is permanent, so this is the new standard time in Turkey.
# It takes effect today, which is not much notice.
+# From Kıvanç Yazan (2017-10-28):
+# Turkey will go back to Daylight Saving Time starting 2018-10.
+# http://www.resmigazete.gov.tr/eskiler/2017/10/20171028-5.pdf
+#
+# From Even Scharning (2017-11-08):
+# ... today it was announced that the DST will become "continuous":
+# http://www.hurriyet.com.tr/son-dakika-yaz-saati-uygulamasi-surekli-hale-geldi-40637482
+# From Paul Eggert (2017-11-08):
+# Although Google Translate misfires on that source, it looks like
+# Turkey reversed last month's decision, and so will stay at +03.
+
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
Rule Turkey 1916 only - May 1 0:00 1:00 S
Rule Turkey 1916 only - Oct 1 0:00 0 -
Index: contrib/tzdata/southamerica
===================================================================
--- contrib/tzdata/southamerica (版本 330566)
+++ contrib/tzdata/southamerica (版本 330908)
@@ -25,7 +25,7 @@
# https://www.jstor.org/stable/1774359
#
# These tables use numeric abbreviations like -03 and -0330 for
-# integer hour and minute UTC offsets. Although earlier editions used
+# integer hour and minute UT offsets. Although earlier editions used
# alphabetic time zone abbreviations, these abbreviations were
# invented and did not reflect common practice.
@@ -579,7 +579,7 @@
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
Zone America/La_Paz -4:32:36 - LMT 1890
-4:32:36 - CMT 1931 Oct 15 # Calamarca MT
- -4:32:36 1:00 BOST 1932 Mar 21 # Bolivia ST
+ -4:32:36 1:00 BST 1932 Mar 21 # Bolivia ST
-4:00 - -04
# Brazil
@@ -908,12 +908,25 @@
# [t]he DST period in Brazil now on will be from the 3rd Oct Sunday to the
# 3rd Feb Sunday. There is an exception on the return date when this is
# the Carnival Sunday then the return date will be the next Sunday...
-Rule Brazil 2008 max - Oct Sun>=15 0:00 1:00 S
+Rule Brazil 2008 2017 - Oct Sun>=15 0:00 1:00 S
Rule Brazil 2008 2011 - Feb Sun>=15 0:00 0 -
+# Decree 7,584 <http://pcdsh01.on.br/HVdecreto7584_20111013.jpg> (2011-10-13)
+# added Bahia.
Rule Brazil 2012 only - Feb Sun>=22 0:00 0 -
+# Decree 7,826 <http://pcdsh01.on.br/HVdecreto7826_20121015.jpg> (2012-10-15)
+# removed Bahia and added Tocantins.
+# Decree 8,112 <http://pcdsh01.on.br/HVdecreto8112_20130930.JPG> (2013-09-30)
+# removed Tocantins.
Rule Brazil 2013 2014 - Feb Sun>=15 0:00 0 -
Rule Brazil 2015 only - Feb Sun>=22 0:00 0 -
Rule Brazil 2016 2022 - Feb Sun>=15 0:00 0 -
+# From Steffen Thorsen (2017-12-18):
+# According to many media sources, next year's DST start in Brazil will move to
+# the first Sunday of November, and it will stay like that for the years after.
+# ... https://www.timeanddate.com/news/time/brazil-delays-dst-2018.html
+# From Steffen Thorsen (2017-12-20):
+# http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2017/decreto/D9242.htm
+Rule Brazil 2018 max - Nov Sun>=1 0:00 1:00 S
Rule Brazil 2023 only - Feb Sun>=22 0:00 0 -
Rule Brazil 2024 2025 - Feb Sun>=15 0:00 0 -
Rule Brazil 2026 only - Feb Sun>=22 0:00 0 -
@@ -1068,7 +1081,7 @@
# From Paul Eggert (2015-04-03):
# Shanks & Pottenger says America/Santiago introduced standard time in
-# 1890 and rounds its UTC offset to 70W40; guess that in practice this
+# 1890 and rounds its UT offset to 70W40; guess that in practice this
# was the same offset as in 1916-1919. It also says Pacific/Easter
# standardized on 109W22 in 1890; assume this didn't change the clocks.
#
Index: contrib/tzdata/zone.tab
===================================================================
--- contrib/tzdata/zone.tab (版本 330566)
+++ contrib/tzdata/zone.tab (版本 330908)
@@ -372,7 +372,7 @@
SN +1440-01726 Africa/Dakar
SO +0204+04522 Africa/Mogadishu
SR +0550-05510 America/Paramaribo
-SS +0451+03136 Africa/Juba
+SS +0451+03137 Africa/Juba
ST +0020+00644 Africa/Sao_Tome
SV +1342-08912 America/El_Salvador
SX +180305-0630250 America/Lower_Princes
Index: contrib/ntp/Makefile.in
===================================================================
--- contrib/ntp/Makefile.in (版本 330566)
+++ contrib/ntp/Makefile.in (版本 330908)
@@ -99,6 +99,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -523,10 +524,10 @@
# moved sntp first to get libtool and libevent built.
SUBDIRS = \
- sntp \
scripts \
include \
libntp \
+ sntp \
libparse \
ntpd \
ntpdate \
Index: contrib/ntp/clockstuff/Makefile.in
===================================================================
--- contrib/ntp/clockstuff/Makefile.in (版本 330566)
+++ contrib/ntp/clockstuff/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -793,7 +794,6 @@
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/html/accopt.html
===================================================================
--- contrib/ntp/html/accopt.html (版本 330566)
+++ contrib/ntp/html/accopt.html (版本 330908)
@@ -3,89 +3,185 @@
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<meta name="generator" content="HTML Tidy, see www.w3.org">
-<title>Access Control Commands and Options</title>
-<!-- Changed by: Harlan &, 13-Nov-2014 -->
+<title>Access Control Commands and Options</title> <!-- Changed by: Harlan
+&, 13-Nov-2014 -->
<link href="scripts/style.css" type="text/css" rel="stylesheet">
<style type="text/css">
<!--
<style1 {
-color: #FF0000;
- font-weight: bold;
-}
--->
+color: #FF0000; font-weight: bold; } -->
</style>
</head>
<body>
<h3>Access Control Commands and Options</h3>
-<img src="pic/pogo6.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
+<img src="pic/pogo6.gif" alt="gif"
+align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>,
+Walt Kelly</a>
<p>The skunk watches for intruders and sprays.</p>
-<p>Last update:
- <!-- #BeginDate format:En2m -->13-Nov-2014 03:00<!-- #EndDate -->
- UTC</p>
+<p>Last update: <!-- #BeginDate format:En2m -->7-Jan-2018 23:56<!-- #EndDate
+ --> UTC</p>
<br clear="left">
<h4>Related Links</h4>
-<script type="text/javascript" language="javascript" src="scripts/command.txt"></script>
-<script type="text/javascript" language="javascript" src="scripts/accopt.txt"></script>
+<script type="text/javascript" language="javascript"
+src="scripts/command.txt"></script>
+<script type="text/javascript" language="javascript"
+src="scripts/accopt.txt"></script>
<hr>
<h4>Commands and Options</h4>
-<p>Unless noted otherwise, further information about these ccommands is on the <a href="accopt.html">Access Control Support</a> page.</p>
+<p>Unless noted otherwise, further information about these ccommands is on
+the <a href="accopt.html">Access Control Support</a> page.</p>
<dl>
- <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ] [ monitor <i>prob</i> ]</tt></dt>
- <dd>Set the parameters of the rate control facility which protects the server from client abuse. If the <tt>limited</tt> flag is present in the ACL, packets that violate these limits are discarded. If, in addition, the <tt>kod</tt> flag is present, a kiss-o'-death packet is returned. See the <a href="rate.html">Rate Management</a> page for further information. The options are:
+ <dt id="discard"><tt>discard [ average <i>avg</i> ][ minimum <i>min</i> ]
+ [ monitor <i>prob</i> ]</tt></dt>
+ <dd>Set the parameters of the rate control facility which protects the
+ server from client abuse. If the <tt>limited</tt> flag is present in the
+ ACL, packets that violate these limits are discarded. If, in addition,
+ the <tt>kod</tt> flag is present, a kiss-o'-death packet is
+ returned. See the <a href="rate.html">Rate Management</a> page for
+ further information. The options are:
<dl>
<dt><tt>average <i>avg</i></tt></dt>
- <dd>Specify the minimum average interpacket spacing (minimum average headway
- time) in log<sub>2</sub> s with default 3.</dd>
+ <dd>Specify the minimum average interpacket spacing (minimum average
+ headway time) in log<sub>2</sub> s with default 3.</dd>
<dt><tt>minimum <i>min</i></tt></dt>
- <dd>Specify the minimum interpacket spacing (guard time) in seconds with default 2.</dd>
+ <dd>Specify the minimum interpacket spacing (guard time) in seconds
+ with default 2.</dd>
<dt><tt>monitor</tt></dt>
- <dd>Specify the probability of being recorded for packets that overflow the MRU list size limit set by <tt>mru maxmem</tt> or <tt>mru maxdepth</tt>. This is a performance optimization for servers with aggregate arrivals of 1000 packets per second or more.</dd>
+ <dd>Specify the probability of being recorded for packets that
+ overflow the MRU list size limit set by <tt>mru maxmem</tt>
+ or <tt>mru maxdepth</tt>. This is a performance optimization for
+ servers with aggregate arrivals of 1000 packets per second or
+ more.</dd>
</dl>
</dd>
- <dt id="restrict"><tt>restrict default [<i>flag</i>][...]<br>
- restrict source [<i>flag</i>][...]<br>
- restrict <i>address</i> [mask <i>mask</i>] [<i>flag</i>][...]</tt></dt>
- <dd>The <tt><i>address</i></tt> argument expressed in dotted-quad form is the address of a host or network. Alternatively, the <tt><i>address</i></tt> argument can be a valid host DNS name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6 numeric address form defaults to all mask bits on, meaning that the <tt><i>address</i></tt> is treated as the address of an individual host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and address :: mask :: for IPv6) is always the first entry in the list. <tt>restrict default</tt>, with no mask option, modifies both IPv4 and IPv6 default entries. <tt>restrict source</tt> configures a template restriction automatically added at runtime for each association, whether configured, ephemeral, or preemptible, and removed when the association is demobilized.</dd>
- <dd>Some flags have the effect to deny service, some have the effect to enable service and some are conditioned by other flags. The flags. are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags that deny service are classed in two categories, those that restrict time service and those that restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:</dd>
+ <dt id="restrict"><tt>restrict [-4 | -6] default [ippeerlimit <i>num</i>]
+ [<i>flag</i>][...]<br> restrict source [ippeerlimit <i>num</i>]
+ [<i>flag</i>][...]<br> restrict <i>address</i> [mask <i>mask</i>]
+ [ippeerlimit <i>num</i>] [<i>flag</i>][...]</tt></dt>
+ <dd>The <tt><i>address</i></tt> argument expressed in IPv4 or IPv6 numeric
+ address form is the address of a host or network. Alternatively,
+ the <tt><i>address</i></tt> argument can be a valid host DNS
+ name. The <tt><i>mask</i></tt> argument expressed in IPv4 or IPv6
+ numeric address form defaults to all mask bits on, meaning that
+ the <tt><i>address</i></tt> is treated as the address of an individual
+ host. A default entry (address 0.0.0.0, mask 0.0.0.0 for IPv4 and
+ address :: mask :: for IPv6) is always the first entry in the
+ list. <tt>restrict default</tt>, with no mask option, modifies both IPv4
+ and IPv6 default entries. <tt>restrict source</tt> configures a template
+ restriction automatically added at runtime for each association, whether
+ configured, ephemeral, or preemptible, and removed when the association
+ is demobilized.</dd>
+ <dd>The optional <tt>ippeerlimit</tt> takes a numeric argument that
+ indicates how many incoming (at present) peer requests will be permitted
+ for each IP, regardless of whether or not the request comes from an
+ authenticated source. A value of -1 means "unlimited", which is the
+ current default. A value of 0 means "none". Ordinarily one would
+ expect at most 1 of these sessions to exist per IP, however if the
+ remote side is operating thru a proxy there would be one association for
+ each remote peer at that IP.</dd>
+ <dd>Some flags have the effect to deny service, some have the effect to
+ enable service and some are conditioned by other flags. The flags are
+ not orthogonal, in that more restrictive flags will often make less
+ restrictive ones redundant. The flags that deny service are classed in
+ two categories, those that restrict time service and those that restrict
+ informational queries and attempts to do run-time reconfiguration of the
+ server. One or more of the following flags may be specified:</dd>
<dd>
<dl>
<dt><tt>flake</tt></dt>
- <dd>Discard received NTP packets with probability 0.1; that is, on average drop one packet in ten. This is for testing and amusement. The name comes from Bob Braden's <i>flakeway</i>, which once did a similar thing for early Internet testing.</dd>
+ <dd>Discard received NTP packets with probability 0.1; that is, on
+ average drop one packet in ten. This is for testing and
+ amusement. The name comes from Bob Braden's <i>flakeway</i>, which
+ once did a similar thing for early Internet testing.</dd>
<dt><tt>ignore</tt></dt>
- <dd>Deny packets of all kinds, including <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
+ <dd>Deny packets of all kinds, including <tt>ntpq</tt>
+ and <tt>ntpdc</tt> queries.</dd>
<dt><tt>kod</tt></dt>
- <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is present and a packet violates the rate limits established by the <tt>discard</tt> command. KoD packets are themselves rate limited for each source address separately. If the <tt>kod</tt> flag is used in a restriction which does not have the <tt>limited</tt> flag, no KoD responses will result.</dd>
+ <dd>Send a kiss-o'-death (KoD) packet if the <tt>limited</tt> flag is
+ present and a packet violates the rate limits established by
+ the <tt>discard</tt> command. KoD packets are themselves rate
+ limited for each source address separately. If the <tt>kod</tt> flag
+ is used in a restriction which does not have the <tt>limited</tt>
+ flag, no KoD responses will result.</dd>
<dt id="limited"><tt>limited</tt></dt>
- <dd>Deny time service if the packet violates the rate limits established by the <tt>discard</tt> command. This does not apply to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
+ <dd>Deny time service if the packet violates the rate limits
+ established by the <tt>discard</tt> command. This does not apply
+ to <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
<dt><tt>lowpriotrap</tt></dt>
- <dd>Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.</dd>
+ <dd>Declare traps set by matching hosts to be low priority. The number
+ of traps a server can maintain is limited (the current limit is
+ 3). Traps are usually assigned on a first come, first served basis,
+ with later trap requestors being denied service. This flag modifies
+ the assignment algorithm by allowing low priority traps to be
+ overridden by later requests for normal priority traps.</dd>
<dt><tt>mssntp</tt></dt>
- <dd>Enable Microsoft Windows MS-SNTP authentication using Active Directory services. <span class="style1"><b>Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.</b></span></dd>
+ <dd>Enable Microsoft Windows MS-SNTP authentication using Active
+ Directory services. <span class="style1"><b>Note: Potential users
+ should be aware that these services involve a TCP connection to
+ another process that could potentially block, denying services to
+ other users. Therefore, this flag should be used only for a
+ dedicated server with no clients other than MS-SNTP.</b></span></dd>
+ <dt><tt>noepeer</tt></dt>
+ <dd>Deny packets that would mobilize an ephemeral peering association,
+ even if authenticated.</dd>
<dt><tt>nomodify</tt></dt>
- <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.</dd>
+ <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries which attempt to
+ modify the state of the server (i.e., run time
+ reconfiguration). Queries which return information are
+ permitted.</dd>
<dt><tt>noquery</tt></dt>
- <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not affected.</dd>
+ <dd>Deny <tt>ntpq</tt> and <tt>ntpdc</tt> queries. Time service is not
+ affected.</dd>
<dt><tt>nopeer</tt></dt>
- <dd>Deny packets that might mobilize an association unless authenticated. This includes broadcast, symmetric-active and manycast server packets when a configured association does not exist. It also includes <tt>pool</tt> associations, so if you want to use servers from a <tt>pool</tt> directive and also want to use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source ..."</tt> line as well that does <i>not</i> include the <tt>nopeer</tt> directive. Note that this flag does not apply to packets that do not attempt to mobilize an association. </dd>
+ <dd>Deny packets that might mobilize an association unless
+ authenticated. This includes broadcast, symmetric-active and
+ manycast server packets when a configured association does not
+ exist. It also includes <tt>pool</tt> associations, so if you want
+ to use servers from a <tt>pool</tt> directive and also want to
+ use <tt>nopeer</tt> by default, you'll want a <tt>"restrict source
+ ..."</tt> line as well that does <i>not</i> include
+ the <tt>nopeer</tt> directive. Note that this flag does not apply
+ to packets that do not attempt to mobilize an association. </dd>
<dt><tt>noserve</tt></dt>
- <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt> queries.</dd>
+ <dd>Deny all packets except <tt>ntpq</tt> and <tt>ntpdc</tt>
+ queries.</dd>
<dt><tt>notrap</tt></dt>
- <dd>Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control message protocol which is intended for use by remote event logging programs.</dd>
+ <dd>Decline to provide mode 6 control message trap service to matching
+ hosts. The trap service is a subsystem of the <tt>ntpdc</tt> control
+ message protocol which is intended for use by remote event logging
+ programs.</dd>
<dt><tt>notrust</tt></dt>
- <dd>Deny packets that are not cryptographically authenticated. Note carefully how this flag interacts with the <tt>auth</tt> option of the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt> is enabled, which is the default, authentication is required for all packets that might mobilize an association. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag is not present, an association can be mobilized whether or not authenticated. If <tt>auth</tt> is disabled, but the <tt>notrust</tt> flag is present, authentication is required only for the specified address/mask range. </dd>
+ <dd>Deny packets that are not cryptographically authenticated. Note
+ carefully how this flag interacts with the <tt>auth</tt> option of
+ the <tt>enable</tt> and <tt>disable</tt> commands. If <tt>auth</tt>
+ is enabled, which is the default, authentication is required for all
+ packets that might mobilize an association. If <tt>auth</tt> is
+ disabled, but the <tt>notrust</tt> flag is not present, an
+ association can be mobilized whether or not
+ authenticated. If <tt>auth</tt> is disabled, but
+ the <tt>notrust</tt> flag is present, authentication is required
+ only for the specified address/mask range. </dd>
<dt><tt>ntpport</tt></dt>
- <dd>This is actually a match algorithm modifier, rather than a restriction
- flag. Its presence causes the restriction entry to be matched only if the
- source port in the packet is the standard NTP UDP port (123). A restrict line
- containing <tt>ntpport</tt> is considered more specific than one with the
- same address and mask, but lacking <tt>ntpport</tt>.</dd>
+ <dd>This is actually a match algorithm modifier, rather than a
+ restriction flag. Its presence causes the restriction entry to be
+ matched only if the source port in the packet is the standard NTP
+ UDP port (123). A restrict line containing <tt>ntpport</tt> is
+ considered more specific than one with the same address and mask,
+ but lacking <tt>ntpport</tt>.</dd>
<dt><tt>version</tt></dt>
<dd>Deny packets that do not match the current NTP version.</dd>
</dl>
</dd>
- <dd>Default restriction list entries with the flags <tt>ignore, ntpport</tt>, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).</dd>
+ <dd>Default restriction list entries with the flags <tt>ignore,
+ ntpport</tt>, for each of the local host's interface addresses are
+ inserted into the table at startup to prevent the server from
+ attempting to synchronize to its own time. A default entry is also
+ always present, though if it is otherwise unconfigured; no flags are
+ associated with the default entry (i.e., everything besides your own
+ NTP server is unrestricted).</dd>
</dl>
<hr>
-<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+<script type="text/javascript" language="javascript"
+src="scripts/footer.txt"></script>
</body>
</html>
Index: contrib/ntp/html/keygen.html
===================================================================
--- contrib/ntp/html/keygen.html (版本 330566)
+++ contrib/ntp/html/keygen.html (版本 330908)
@@ -1,116 +1,354 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
-<head>
-<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
-<meta name="generator" content="HTML Tidy, see www.w3.org">
-<title>ntp-keygen - generate public and private keys</title>
-<link href="scripts/style.css" type="text/css" rel="stylesheet">
-</head>
-<body>
-<h3><tt>ntp-keygen</tt> - generate public and private keys</h3>
-<p><img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a></p>
-<p>Alice holds the key.</p>
-<p>Last update:
- <!-- #BeginDate format:En2m -->10-Mar-2014 05:11<!-- #EndDate -->
- UTC</p>
-<br clear="left">
-<h4>Related Links</h4>
-<script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
-<h4>Table of Contents</h4>
-<ul>
- <li class="inline"><a href="#synop">Synopsis</a></li>
- <li class="inline"><a href="#descrip">Description</a></li>
- <li class="inline"><a href="#run">Running the program</a></li>
- <li class="inline"><a href="#cmd">Command Line Options</a></li>
- <li class="inline"><a href="#rand">Random Seed File</a></li>
- <li class="inline"><a href="#fmt">Cryptographic Data Files</a></li>
- <li class="inline"><a href="#bug">Bugs</a></li>
-</ul>
-<hr>
-<h4 id="synop">Synopsis</h4>
-<p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -b <i>modulus</i> ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA
- | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ]
- [ -C <i>cipher</i> ] [-i <i>group</i> ] [ -l <em>days</em>]
- [ -m <i>modulus</i> ] [ -p <i>passwd1</i> ] [ -q <i>passwd2</i> ]
- [ -S [ RSA | DSA ] ] [ -s <i>host</i> ] [ -V <i>nkeys</i> ]</tt></p>
-<h4 id="descrip">Description</h4>
-<p>This program generates cryptographic data files used by the NTPv4 authentication and identity schemes. It can generate message digest keys used in symmetric key cryptography and, if the OpenSSL software library has been installed, it can generate host keys, sign keys, certificates, and identity keys and parameters used by the Autokey public key cryptography. The message digest keys file is generated in a format compatible with NTPv3. All other files are in PEM-encoded printable ASCII format so they can be embedded as MIME attachments in mail to other sites.</p>
-<p>When used to generate message digest keys, the program produces a file containing
- ten pseudo-random printable ASCII strings suitable for the MD5 message digest algorithm included in the distribution. If the OpenSSL library is installed, it produces an additional ten hex-encoded random bit strings suitable for the SHA1 and other message digest algorithms. The message digest keys file must be distributed and stored using secure means beyond the scope of NTP itself. Besides the keys used for ordinary NTP associations, additional keys can be defined as passwords for the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.</p>
-<p>The remaining generated files are compatible with other OpenSSL applications and other Public Key Infrastructure (PKI) resources. Certificates generated by this program are compatible with extant industry practice, although some users might find the interpretation of X509v3 extension fields somewhat liberal. However, the identity keys are probably not compatible with anything other than Autokey.</p>
-<p>Some files used by this program are encrypted using a private password. The <tt>-p</tt> option specifies the password for local encrypted files and the <tt>-q</tt> option the password for encrypted files sent to remote sites. If no password is specified, the host name returned by the Unix <tt>gethostname()</tt> function, normally the DNS name of the host, is used.</p>
-<p>The <tt>pw</tt> option of the <tt>crypto</tt> configuration command specifies the read password for previously encrypted local files. This must match the local password used by this program. If not specified, the host name is used. Thus, if files are generated by this program without password, they can be read back by <tt>ntpd</tt> without password, but only on the same host.</p>
-<p>Normally, encrypted files for each host are generated by that host and used only by that host, although exceptions exist as noted later on this page. The symmetric keys file, normally called <tt>ntp.keys</tt>, is usually installed in <tt>/etc</tt>. Other files and links are usually installed in <tt>/usr/local/etc</tt>, which is normally in a shared filesystem in NFS-mounted networks and cannot be changed by shared clients. The location of the keys directory can be changed by the <tt>keysdir</tt> configuration command in such cases. Normally, this is in <tt>/etc</tt>.</p>
-<p>This program directs commentary and error messages to the standard error stream <tt>stderr</tt> and remote files to the standard output stream <tt>stdout</tt> where they can be piped to other applications or redirected to files. The names used for generated files and links all begin with the string <tt>ntpkey</tt> and include the file type, generating host and filestamp, as described in the <a href="#fmt">Cryptographic Data Files</a> section below</p>
-<h4 id="run">Running the Program</h4>
-<p>To test and gain experience with Autokey concepts, log in as root and change to the keys directory, usually <tt>/usr/local/etc</tt>. When run for the first time, or if all files with names beginning <tt>ntpkey</tt> have been removed, use the <tt>ntp-keygen </tt>command without arguments to generate a default RSA host key and matching RSA-MD5 certificate with expiration date one year hence. If run again without options, the program uses the existing keys and parameters and generates only a new certificate with new expiration date one year hence.</p>
-<p>Run the command on as many hosts as necessary. Designate one of them as the trusted host (TH) using <tt>ntp-keygen</tt> with the <tt>-T</tt> option and configure it to synchronize from reliable Internet servers. Then configure the other hosts to synchronize to the TH directly or indirectly. A certificate trail is created when Autokey asks the immediately ascendant host towards the TH to sign its certificate, which is then provided to the immediately descendant host on request. All group hosts should have acyclic certificate trails ending on the TH.</p>
-<p>The host key is used to encrypt the cookie when required and so must be RSA type. By default, the host key is also the sign key used to encrypt signatures. A different sign key can be assigned using the <tt>-S</tt> option and this can be either RSA or DSA type. By default, the signature message digest type is MD5, but any combination of sign key type and message digest type supported by the OpenSSL library can be specified using the <tt>-c</tt> option.</p>
-<dd>The rules say cryptographic media should be generated with proventic filestamps, which means the host should already be synchronized before this program is run. This of course creates a chicken-and-egg problem when the host is started for the first time. Accordingly, the host time should be set by some other means, such as eyeball-and-wristwatch, at least so that the certificate lifetime is within the current year. After that and when the host is synchronized to a proventic source, the certificate should be re-generated.</dd>
-<p>Additional information on trusted groups and identity schemes is on the <a href="autokey.html">Autokey Public-Key Authentication</a> page.</p>
-<h4 id="cmd">Command Line Options</h4>
-<dl>
- <dt><tt>-b <i>modulus</i></tt></dt>
- <dd>Set the modulus for generating identity keys to <i>modulus</i> bits. The modulus defaults to 256, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources and increases the size of authenticated packets.</dd>
- <dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ]</tt></dt>
- <dd>Select certificate digital signature and message digest scheme. Note that RSA schemes must be used with an RSA sign key and DSA schemes must be used with a DSA sign key. The default without this option is <tt>RSA-MD5</tt>. If compatibility with FIPS 140-2 is required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme must be used.</dd>
- <dt><tt>-C <i>cipher</i></tt></dt>
- <dd>Select the OpenSSL cipher to use for password-protected keys. The <tt>openssl -h</tt> command provided with OpenSSL displays available ciphers. The default without this option is <tt>des-ede3-cbc</tt>.</dd>
- <dt><tt>-d</tt></dt>
- <dd>Enable debugging. This option displays the cryptographic data produced for eye-friendly billboards.</dd>
- <dt><tt>-e</tt></dt>
- <dd>Extract the IFF or GQ public parameters from the <tt>IFFkey</tt> or <tt>GQkey</tt> keys file previously specified. Send the unencrypted data to the standard output stream <tt>stdout</tt>.</dd>
- <dt><tt>-G</tt></dt>
- <dd>Generate a new encrypted GQ key file for the Guillou-Quisquater (GQ) identity scheme. This option is mutually exclusive with the <tt>-I</tt> and <tt>-V</tt> options.</dd>
- <dt><tt>-H</tt></dt>
- <dd>Generate a new encrypted RSA public/private host key file.</dd>
- <dt><tt>-i <i>group</i></tt></dt>
- <dd>Set the optional Autokey group name to <tt><i>group</i></tt>. This is used in the identity scheme parameter file names. In that role, the default is the host name if no group is provided. The group name, if specified using <tt>-i</tt> or using <tt>-s</tt> following an <tt>@</tt> character, is also used in certificate subject and issuer names in the form <tt><i>host</i>@<i>group</i></tt> and should match the group specified via <tt>crypto ident</tt> or <tt>server ident</tt> in ntpd's configuration file.</dd>
- <dt><tt>-I</tt></dt>
- <dd>Generate a new encrypted IFF key file for the Schnorr (IFF) identity scheme. This option is mutually exclusive with the <tt>-G</tt> and <tt>-V</tt> options.</dd>
- <dt><tt>-l <i>days</i></tt></dt>
- <dd>Set the lifetime for certificates to <tt><i>days</i></tt>. The default lifetime is one year (365 d).</dd>
- <dt><tt>-m <i>modulus</i></tt></dt>
- <dd>Set the modulus for generating files to <i>modulus</i> bits. The modulus defaults to 512, but can be set from 256 (32 octets) to 2048 (256 octets). Use the larger moduli with caution, as this can consume considerable computing resources and increases the size of authenticated packets.</dd>
- <dt><tt>-M</tt></dt>
- <dd>Generate a new keys file containing 10 MD5 keys and 10 SHA keys. An MD5 key is a string of 20 random printable ASCII characters, while a SHA key is a string of 40 random hex digits. The file can be edited using a text editor to change the key type or key content. This option is mutually exclusive with all other option.</dd>
- <dt><tt>-P</tt></dt>
- <dd>Generate a new private certificate used by the PC identity scheme. By default, the program generates public certificates. Note: the PC identity scheme is not recommended for new installations.</dd>
- <dt><tt>-p <i>passwd</i></tt></dt>
- <dd>Set the password for reading and writing encrypted files to <tt><i>passwd.</i></tt> These include the host, sign and identify key files. By default, the password is the string returned by the Unix <tt>gethostname()</tt> routine.</dd>
- <dt><tt>-q <i>passwd</i></tt></dt>
- <dd>Set the password for writing encrypted IFF, GQ and MV identity files redirected to <tt>stdout</tt> to <tt><i>passwd.</i></tt> In effect, these files are decrypted with the <tt>-p</tt> password, then encrypted with the <tt>-q</tt> password. By default, the password is the string returned by the Unix <tt>gethostname()</tt> routine.</dd>
- <dt><tt>-S [ RSA | DSA ]</tt></dt>
- <dd>Generate a new encrypted public/private sign key file of the specified type. By default, the sign key is
- the host key and has the same type. If compatibly with FIPS 140-2 is required,
- the sign key type must be <tt>DSA</tt>.</dd>
- <dt><tt>-s <i>host</i>[@<i>group</i>]</tt></dt>
- <dd>Specify the Autokey host name, where <tt><i>host</i></tt> is the host name and <tt><i>group</i></tt> is the optional group name. The host name, and if provided, group name are used in <tt><i>host</i>@<i>group</i></tt> form as certificate subject and issuer. Specifying <tt>-s @<i>group</i></tt> is allowed, and results in leaving the host name unchanged, as with <tt>-i <i>group</i></tt>. The group name, or if no group is provided, the host name are also used in the file names of IFF, GQ, and MV identity scheme parameter files. If <tt><i>host</i></tt> is not specified, the default host name is the string returned by the <tt>gethostname()</tt> routine.</dd>
- <dt><tt>-T</tt></dt>
- <dd>Generate a trusted certificate. By default, the program generates nontrusted certificates.</dd>
- <dt><tt>-V <i>nkeys</i></tt></dt>
- <dd>Generate <tt>nkeys</tt> encrypted server keys for the Mu-Varadharajan (MV) identity scheme. This option is mutually exclusive with the <tt>-I</tt> and <tt>-G</tt> options. Note: support for this option should be considered a work in progress.</dd>
-</dl>
-<h4 id="rand">Random Seed File</h4>
-<p>All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize the internal pseudo-random number generator used by the OpenSSL library routines. If a site supports <tt>ssh</tt>, it is very likely that means to do this are already available. The entropy seed used by the OpenSSL library is contained in a file, usually called <tt>.rnd</tt>, which must be available when starting the <tt>ntp-keygen</tt> program or <tt>ntpd</tt> daemon.</p>
-<p>The OpenSSL library looks for the file using the path specified by the <tt>RANDFILE</tt> environment variable in the user home directory, whether root or some other user. If the <tt>RANDFILE</tt> environment variable is not present, the library looks for the <tt>.rnd</tt> file in the user home directory. Since both the <tt>ntp-keygen</tt> program and <tt>ntpd</tt> daemon must run as root, the logical place to put this file is in <tt>/.rnd</tt> or <tt>/root/.rnd</tt>. If the file is not available or cannot be written, the program exits with a message to the system log.</p>
-<h4 id="fmt">Cryptographic Data Files</h4>
-<p>File and link names are in the form <tt>ntpkey_<i>key</i>_<i>name</i>.<i>fstamp</i></tt>, where <tt><i>key</i></tt> is the key or parameter type, <tt><i>name</i></tt> is the host or group name and <tt><i>fstamp</i></tt> is the filestamp (NTP seconds) when the file was created). By convention, <em><tt>key</tt></em> names in generated file names include both upper and lower case characters, while <em><tt>key</tt></em> names in generated link names include only lower case characters. The filestamp is not used in generated link names.</p>
-<p>The <em><tt>key</tt></em> name is a string defining the cryptographic key type. Key types include public/private keys <tt>host</tt> and <tt>sign</tt>, certificate <tt>cert</tt> and several challenge/response key types. By convention, client files used for challenges have a <tt>par</tt> subtype, as in the IFF challenge <tt>IFFpar</tt>, while server files for responses have a <tt>key</tt> subtype, as in the GQ response <tt>GQkey</tt>.</p>
-<p>All files begin with two nonencrypted lines. The first line contains the file name in the format <tt>ntpkey_<i>key</i>_<i>host</i>.<i>fstamp</i></tt>. The second line contains the datestamp in conventional Unix <tt>date</tt> format. Lines beginning with <tt>#</tt> are ignored.</p>
-<p>The remainder of the file contains cryptographic data encoded first using ASN.1 rules, then encrypted using the DES-CBC algorithm with given password and finally written in PEM-encoded printable ASCII text preceded and followed by MIME content identifier lines.</p>
-<p>The format of the symmetric keys file, ordinarily named <tt>ntp.keys,</tt> is somewhat different than the other files in the interest of backward compatibility. Ordinarily, the file is generated by this program, but it can be constructed and edited using an ordinary text editor.</p>
-<div align="center">
- <p><img src="pic/sx5.gif" alt="gif"></p>
- <p>Figure 1. Typical Symmetric Key File</p>
-</div>
-<p>Figure 1 shows a typical symmetric keys file used by the reference implementation. Each line of the file contains three fields, first an integer between 1 and 65534, inclusive, representing the key identifier used in the <tt>server</tt> and <tt>peer</tt> configuration commands. Next is the key type for the message digest algorithm, which in the absence of the OpenSSL library must be <tt>MD5</tt> to designate the MD5 message digest algorithm. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by that library. However, if compatibility with FIPS 140-2 is required, the key type must be either <tt>SHA</tt> or <tt>SHA1</tt>. The key type can be changed using an ASCII text editor.</p>
-<p> An MD5 key consists of a printable ASCII string less than or equal to 16 characters and terminated by whitespace or a # character. An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which is truncated as necessary.</p>
-<p>Note that the keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt> programs are checked against passwords requested by the programs and entered by hand, so it is generally appropriate to specify these keys in human readable ASCII format.</p>
-<p>The <tt>ntp-keygen</tt> program generates a MD5 symmetric keys file <tt>ntpkey_MD5key_<i>hostname.filestamp</i></tt>. Since the file contains private shared keys, it should be visible only to root and distributed by secure means to other subnet hosts. The NTP daemon loads the file <tt>ntp.keys</tt>, so <tt>ntp-keygen</tt> installs a soft link from this name to the generated file. Subsequently, similar soft links must be installed by manual or automated means on the other subnet hosts. While this file is not used with the Autokey Version 2 protocol, it is needed to authenticate some remote configuration commands used by the <a href="ntpq.html"><tt>ntpq</tt></a> and <a href="ntpdc.html"><tt>ntpdc</tt></a> utilities.</p>
-<h4 id="bug">Bugs</h4>
-<p>It can take quite a while to generate some cryptographic values, from one to several minutes with modern architectures such as UltraSPARC and up to tens of minutes to an hour with older architectures such as SPARC IPC.</p>
-<hr>
-<script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
-</body>
+ <head>
+ <meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
+ <meta name="generator" content="HTML Tidy, see www.w3.org">
+ <title>ntp-keygen - generate public and private keys</title>
+ <link href="scripts/style.css" type="text/css" rel="stylesheet">
+ </head>
+ <body>
+ <h3><tt>ntp-keygen</tt> - generate public and private keys</h3>
+ <p><img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a></p>
+ <p>Alice holds the key.</p>
+ <p>Last update:
+ <!-- #BeginDate format:En2m -->11-Jan-2018 11:55<!-- #EndDate -->
+ UTC</p>
+ <br clear="left">
+ <h4>Related Links</h4>
+ <script type="text/javascript" language="javascript" src="scripts/manual.txt"></script>
+ <h4>Table of Contents</h4>
+ <ul>
+ <li class="inline"><a href="#synop">Synopsis</a></li>
+ <li class="inline"><a href="#descrip">Description</a></li>
+ <li class="inline"><a href="#run">Running the program</a></li>
+ <li class="inline"><a href="#cmd">Command Line Options</a></li>
+ <li class="inline"><a href="#rand">Random Seed File</a></li>
+ <li class="inline"><a href="#fmt">Cryptographic Data Files</a></li>
+ <li class="inline"><a href="#bug">Bugs</a></li>
+ </ul>
+ <hr>
+ <h4 id="synop">Synopsis</h4>
+ <p id="intro"><tt>ntp-keygen [ -deGHIMPT ] [ -b <i>modulus</i> ] [ -c [ RSA-MD2 | RSA-MD5 | RSA-SHA
+ | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ] ]
+ [ -C <i>cipher</i> ] [-i <i>group</i> ] [ -l <em>days</em>]
+ [ -m <i>modulus</i> ] [ -p <i>passwd1</i> ] [ -q <i>passwd2</i> ]
+ [ -S [ RSA | DSA ] ] [ -s <i>host</i> ] [ -V <i>nkeys</i> ]</tt></p>
+ <h4 id="descrip">Description</h4>
+ <p>This program generates cryptographic data files used by the NTPv4
+ authentication and identity schemes. It can generate message digest keys
+ used in symmetric key cryptography and, if the OpenSSL software library
+ has been installed, it can generate host keys, sign keys, certificates,
+ and identity keys and parameters used by the Autokey public key
+ cryptography. The message digest keys file is generated in a format
+ compatible with NTPv3. All other files are in PEM-encoded printable ASCII
+ format so they can be embedded as MIME attachments in mail to other
+ sites.</p>
+ <p>When used to generate message digest keys, the program produces a file
+ containing ten pseudo-random printable ASCII strings suitable for the MD5
+ message digest algorithm included in the distribution. If the OpenSSL
+ library is installed, it produces an additional ten hex-encoded random bit
+ strings suitable for the SHA1, AES-128 CMAC, and other message digest
+ algorithms. The message digest keys file must be distributed and stored
+ using secure means beyond the scope of NTP itself. Besides the keys used
+ for ordinary NTP associations, additional keys can be defined as passwords
+ for the <tt><a href="ntpq.html">ntpq</a></tt>
+ and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs.</p>
+ <p>The remaining generated files are compatible with other OpenSSL
+ applications and other Public Key Infrastructure (PKI)
+ resources. Certificates generated by this program are compatible with
+ extant industry practice, although some users might find the
+ interpretation of X509v3 extension fields somewhat liberal. However,
+ the identity keys are probably not compatible with anything other than
+ Autokey.</p>
+ <p>Some files used by this program are encrypted using a private
+ password. The <tt>-p</tt> option specifies the password for local
+ encrypted files and the <tt>-q</tt> option the password for encrypted
+ files sent to remote sites. If no password is specified, the host name
+ returned by the Unix <tt>gethostname()</tt> function, normally the DNS
+ name of the host, is used.</p>
+ <p>The <tt>pw</tt> option of the <tt>crypto</tt> configuration command
+ specifies the read password for previously encrypted local files.
+ This must match the local password used by this program. If not
+ specified, the host name is used. Thus, if files are generated by
+ this program without password, they can be read back by <tt>ntpd</tt>
+ without password, but only on the same host.</p>
+ <p>Normally, encrypted files for each host are generated by that host
+ and used only by that host, although exceptions exist as noted later
+ on this page. The symmetric keys file, normally
+ called <tt>ntp.keys</tt>, is usually installed in <tt>/etc</tt>.
+ Other files and links are usually installed
+ in <tt>/usr/local/etc</tt>, which is normally in a shared filesystem
+ in NFS-mounted networks and cannot be changed by shared clients. The
+ location of the keys directory can be changed by the <tt>keysdir</tt>
+ configuration command in such cases. Normally, this is
+ in <tt>/etc</tt>.</p>
+ <p>This program directs commentary and error messages to the standard
+ error stream <tt>stderr</tt> and remote files to the standard output
+ stream <tt>stdout</tt> where they can be piped to other applications
+ or redirected to files. The names used for generated files and links
+ all begin with the string <tt>ntpkey</tt> and include the file type,
+ generating host and filestamp, as described in
+ the <a href="#fmt">Cryptographic Data Files</a> section below</p>
+ <h4 id="run">Running the Program</h4>
+ <p>To test and gain experience with Autokey concepts, log in as root and
+ change to the keys directory, usually <tt>/usr/local/etc</tt>. When
+ run for the first time, or if all files with names
+ beginning <tt>ntpkey</tt> have been removed, use
+ the <tt>ntp-keygen</tt> command without arguments to generate a
+ default RSA host key and matching RSA-MD5 certificate with expiration
+ date one year hence. If run again without options, the program uses
+ the existing keys and parameters and generates only a new certificate
+ with new expiration date one year hence.</p>
+ <p>Run the command on as many hosts as necessary. Designate one of them
+ as the trusted host (TH) using <tt>ntp-keygen</tt> with
+ the <tt>-T</tt> option and configure it to synchronize from reliable
+ Internet servers. Then configure the other hosts to synchronize to
+ the TH directly or indirectly. A certificate trail is created when
+ Autokey asks the immediately ascendant host towards the TH to sign its
+ certificate, which is then provided to the immediately descendant host
+ on request. All group hosts should have acyclic certificate trails
+ ending on the TH.</p>
+ <p>The host key is used to encrypt the cookie when required and so must
+ be RSA type. By default, the host key is also the sign key used to
+ encrypt signatures. A different sign key can be assigned using
+ the <tt>-S</tt> option and this can be either RSA or DSA type. By
+ default, the signature message digest type is MD5, but any combination
+ of sign key type and message digest type supported by the OpenSSL
+ library can be specified using the <tt>-c</tt> option.</p>
+ <p>The rules say cryptographic media should be generated with proventic
+ filestamps, which means the host should already be synchronized before
+ this program is run. This of course creates a chicken-and-egg problem
+ when the host is started for the first time. Accordingly, the host
+ time should be set by some other means, such as
+ eyeball-and-wristwatch, at least so that the certificate lifetime is
+ within the current year. After that and when the host is synchronized
+ to a proventic source, the certificate should be re-generated.</p>
+ <p>Additional information on trusted groups and identity schemes is on
+ the <a href="autokey.html">Autokey Public-Key Authentication</a>
+ page.</p>
+ <h4 id="cmd">Command Line Options</h4>
+ <dl>
+ <dt><tt>-b <i>modulus</i></tt></dt>
+ <dd>Set the modulus for generating identity keys to <i>modulus</i>
+ bits. The modulus defaults to 256, but can be set from 256 (32
+ octets) to 2048 (256 octets). Use the larger moduli with caution,
+ as this can consume considerable computing resources and increases
+ the size of authenticated packets.</dd>
+ <dt><tt>-c [ RSA-MD2 | RSA-MD5 | RSA-SHA | RSA-SHA1 | RSA-MDC2 | RSA-RIPEMD160 | DSA-SHA | DSA-SHA1 ]</tt></dt>
+ <dd>Select certificate digital signature and message digest scheme.
+ Note that RSA schemes must be used with an RSA sign key and DSA
+ schemes must be used with a DSA sign key. The default without this
+ option is <tt>RSA-MD5</tt>. If compatibility with FIPS 140-2 is
+ required, either the <tt>DSA-SHA</tt> or <tt>DSA-SHA1</tt> scheme
+ must be used.</dd>
+ <dt><tt>-C <i>cipher</i></tt></dt>
+ <dd>Select the OpenSSL cipher to use for password-protected keys.
+ The <tt>openssl -h</tt> command provided with OpenSSL displays
+ available ciphers. The default without this option
+ is <tt>des-ede3-cbc</tt>.</dd>
+ <dt><tt>-d</tt></dt>
+ <dd>Enable debugging. This option displays the cryptographic data
+ produced for eye-friendly billboards.</dd>
+ <dt><tt>-e</tt></dt>
+ <dd>Extract the IFF or GQ public parameters from the <tt>IFFkey</tt>
+ or <tt>GQkey</tt> keys file previously specified. Send the
+ unencrypted data to the standard output stream <tt>stdout</tt>.</dd>
+ <dt><tt>-G</tt></dt>
+ <dd>Generate a new encrypted GQ key file for the Guillou-Quisquater
+ (GQ) identity scheme. This option is mutually exclusive with
+ the <tt>-I</tt> and <tt>-V</tt> options.</dd>
+ <dt><tt>-H</tt></dt>
+ <dd>Generate a new encrypted RSA public/private host key file.</dd>
+ <dt><tt>-i <i>group</i></tt></dt>
+ <dd>Set the optional Autokey group name to <tt><i>group</i></tt>. This
+ is used in the identity scheme parameter file names. In that role,
+ the default is the host name if no group is provided. The group
+ name, if specified using <tt>-i</tt> or using <tt>-s</tt> following
+ an <tt>@</tt> character, is also used in certificate subject and
+ issuer names in the form <tt><i>host</i>@<i>group</i></tt> and
+ should match the group specified via <tt>crypto ident</tt>
+ or <tt>server ident</tt> in ntpd's configuration file.</dd>
+ <dt><tt>-I</tt></dt>
+ <dd>Generate a new encrypted IFF key file for the Schnorr (IFF)
+ identity scheme. This option is mutually exclusive with
+ the <tt>-G</tt> and <tt>-V</tt> options.</dd>
+ <dt><tt>-l <i>days</i></tt></dt>
+ <dd>Set the lifetime for certificates to <tt><i>days</i></tt>. The
+ default lifetime is one year (365 d).</dd>
+ <dt><tt>-m <i>modulus</i></tt></dt>
+ <dd>Set the modulus for generating files to <i>modulus</i> bits. The
+ modulus defaults to 512, but can be set from 256 (32 octets) to 2048
+ (256 octets). Use the larger moduli with caution, as this can
+ consume considerable computing resources and increases the size of
+ authenticated packets.</dd>
+ <dt><tt>-M</tt></dt>
+ <dd>Generate a new keys file containing 10 MD5 keys and 10 SHA keys.
+ An MD5 key is a string of 20 random printable ASCII characters,
+ while a SHA key is a string of 40 random hex digits. The file can be
+ edited using a text editor to change the key type or key content.
+ This option is mutually exclusive with all other options.</dd>
+ <dt><tt>-P</tt></dt>
+ <dd>Generate a new private certificate used by the PC identity scheme.
+ By default, the program generates public certificates. Note: the PC
+ identity scheme is not recommended for new installations.</dd>
+ <dt><tt>-p <i>passwd</i></tt></dt>
+ <dd>Set the password for reading and writing encrypted files
+ to <tt><i>passwd</i></tt>. These include the host, sign and
+ identify key files. By default, the password is the string returned
+ by the Unix <tt>gethostname()</tt> routine.</dd>
+ <dt><tt>-q <i>passwd</i></tt></dt>
+ <dd>Set the password for writing encrypted IFF, GQ and MV identity
+ files redirected to <tt>stdout</tt> to <tt><i>passwd</i></tt>=. In
+ effect, these files are decrypted with the <tt>-p</tt> password,
+ then encrypted with the <tt>-q</tt> password. By default, the
+ password is the string returned by the Unix <tt>gethostname()</tt>
+ routine.</dd>
+ <dt><tt>-S [ RSA | DSA ]</tt></dt>
+ <dd>Generate a new encrypted public/private sign key file of the
+ specified type. By default, the sign key is the host key and has
+ the same type. If compatibly with FIPS 140-2 is required, the sign
+ key type must be <tt>DSA</tt>.</dd>
+ <dt><tt>-s <i>host</i>[@<i>group</i>]</tt></dt>
+ <dd>Specify the Autokey host name, where <tt><i>host</i></tt> is the
+ host name and <tt><i>group</i></tt> is the optional group name. The
+ host name, and if provided, group name are used
+ in <tt><i>host</i>@<i>group</i></tt> form as certificate subject and
+ issuer. Specifying <tt>-s @<i>group</i></tt> is allowed, and
+ results in leaving the host name unchanged, as
+ with <tt>-i <i>group</i></tt>. The group name, or if no group is
+ provided, the host name are also used in the file names of IFF, GQ,
+ and MV identity scheme parameter files. If <tt><i>host</i></tt> is
+ not specified, the default host name is the string returned by
+ the <tt>gethostname()</tt> routine.</dd>
+ <dt><tt>-T</tt></dt>
+ <dd>Generate a trusted certificate. By default, the program generates
+ nontrusted certificates.</dd>
+ <dt><tt>-V <i>nkeys</i></tt></dt>
+ <dd>Generate <tt>nkeys</tt> encrypted server keys for the
+ Mu-Varadharajan (MV) identity scheme. This option is mutually
+ exclusive with the <tt>-I</tt> and <tt>-G</tt> options. Note:
+ support for this option should be considered a work in
+ progress.</dd>
+ </dl>
+ <h4 id="rand">Random Seed File</h4>
+ <p>All cryptographically sound key generation schemes must have means to
+ randomize the entropy seed used to initialize the internal
+ pseudo-random number generator used by the OpenSSL library routines.
+ If a site supports <tt>ssh</tt>, it is very likely that means to do
+ this are already available. The entropy seed used by the OpenSSL
+ library is contained in a file, usually called <tt>.rnd</tt>, which
+ must be available when starting the <tt>ntp-keygen</tt> program
+ or <tt>ntpd</tt> daemon.</p>
+ <p>The OpenSSL library looks for the file using the path specified by
+ the <tt>RANDFILE</tt> environment variable in the user home directory,
+ whether root or some other user. If the <tt>RANDFILE</tt> environment
+ variable is not present, the library looks for the <tt>.rnd</tt> file
+ in the user home directory. Since both the <tt>ntp-keygen</tt>
+ program and <tt>ntpd</tt> daemon must run as root, the logical place
+ to put this file is in <tt>/.rnd</tt> or <tt>/root/.rnd</tt>. If the
+ file is not available or cannot be written, the program exits with a
+ message to the system log.</p>
+ <h4 id="fmt">Cryptographic Data Files</h4>
+ <p>File and link names are in the
+ form <tt>ntpkey_<i>key</i>_<i>name</i>.<i>fstamp</i></tt>,
+ where <tt><i>key</i></tt> is the key or parameter
+ type, <tt><i>name</i></tt> is the host or group name
+ and <tt><i>fstamp</i></tt> is the filestamp (NTP seconds) when the
+ file was created). By convention, <em><tt>key</tt></em> names in
+ generated file names include both upper and lower case characters,
+ while <em><tt>key</tt></em> names in generated link names include only
+ lower case characters. The filestamp is not used in generated link
+ names.</p>
+ <p>The <em><tt>key</tt></em> name is a string defining the cryptographic
+ key type. Key types include public/private keys <tt>host</tt>
+ and <tt>sign</tt>, certificate <tt>cert</tt> and several
+ challenge/response key types. By convention, client files used for
+ challenges have a <tt>par</tt> subtype, as in the IFF
+ challenge <tt>IFFpar</tt>, while server files for responses have
+ a <tt>key</tt> subtype, as in the GQ response <tt>GQkey</tt>.</p>
+ <p>All files begin with two nonencrypted lines. The first line contains
+ the file name in the
+ format <tt>ntpkey_<i>key</i>_<i>host</i>.<i>fstamp</i></tt>. The second
+ line contains the datestamp in conventional Unix <tt>date</tt> format.
+ Lines beginning with <tt>#</tt> are ignored.</p>
+ <p>The remainder of the file contains cryptographic data encoded first
+ using ASN.1 rules, then encrypted using the DES-CBC algorithm with
+ given password and finally written in PEM-encoded printable ASCII text
+ preceded and followed by MIME content identifier lines.</p>
+ <p>The format of the symmetric keys file, ordinarily
+ named <tt>ntp.keys,</tt> is somewhat different than the other files in
+ the interest of backward compatibility. Ordinarily, the file is
+ generated by this program, but it can be constructed and edited using
+ an ordinary text editor.</p>
+ <table>
+ <caption style="caption-side: bottom;">
+ Figure 1. Typical Symmetric Key File
+ </caption>
+ <tr><td style="border: 1px solid black; border-spacing: 0;">
+ <pre style="color:grey;">
+ # ntpkey_MD5key_bk.ntp.org.3595864945
+ # Thu Dec 12 19:22:25 2013
+
+ 1 MD5 L";Nw&lt;`.I&lt;f4U0)247"i # MD5 key
+ 2 MD5 &amp;&gt;l0%XXK9O'51VwV&lt;xq~ # MD5 key
+ 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+ 4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
+ 5 MD5 B;fxlKgr/&amp;4ZTbL6=RxA # MD5 key
+ 6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key
+ 7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
+ 8 MD5 45:V,r4]l6y^JH6.Sh?F # MD5 key
+ 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+ 10 MD5 2late4Me # MD5 key
+ 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+ 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+ 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+ 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+ 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+ 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+ 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+ 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+ 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+ 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+ 21 MD5 sampo 10.1.2.3/24
+ </pre></td></tr></table>
+ <p>Figure 1 shows a typical symmetric keys file used by the reference
+ implementation. Each line of the file contains three or four fields,
+ first an integer between 1 and 65534, inclusive, representing the key
+ identifier used in the <tt>server</tt> and <tt>peer</tt> configuration
+ commands. Second is the key type for the message digest algorithm,
+ which in the absence of the OpenSSL library must be <tt>MD5</tt> to
+ designate the MD5 message digest algorithm. If the OpenSSL library is
+ installed, the key type can be any message digest algorithm supported
+ by that library. However, if compatibility with FIPS 140-2 is
+ required, the key type must be either <tt>SHA</tt> or <tt>SHA1</tt>.
+ The key type can be changed using an ASCII text editor.</p>
+ <p>The third field is the key.</p>
+ <p>An MD5 key consists of a printable ASCII string less than or equal to
+ 16 characters and terminated by whitespace or a # character. An
+ OpenSSL key consists of a hex-encoded ASCII string of 40 characters,
+ which is truncated as necessary.</p>
+ <p>Note that the keys used by the <tt>ntpq</tt> and <tt>ntpdc</tt>
+ programs are checked against passwords requested by the programs and
+ entered by hand, so it is generally appropriate to specify these keys
+ in human readable ASCII format.</p>
+ <p>The optional fourth field is one or more IPs, with each IP separated
+ with a comma. An IP may end with an optional <tt>/subnetbits</tt>
+ suffix, which limits the acceptance of the key identifier to packets
+ claiming to be from the described IP space.</p>
+ <p>The <tt>ntp-keygen</tt> program generates a MD5 symmetric keys
+ file <tt>ntpkey_MD5key_<i>hostname.filestamp</i></tt>. Since the file
+ contains private shared keys, it should be visible only to root and
+ distributed by secure means to other subnet hosts. The NTP daemon
+ loads the file <tt>ntp.keys</tt>, so <tt>ntp-keygen</tt> installs a
+ soft link from this name to the generated file. Subsequently, similar
+ soft links must be installed by manual or automated means on the other
+ subnet hosts. While this file is not used with the Autokey Version 2
+ protocol, it is needed to authenticate some remote configuration
+ commands used by the <a href="ntpq.html"><tt>ntpq</tt></a>
+ and <a href="ntpdc.html"><tt>ntpdc</tt></a> utilities.</p>
+ <h4 id="bug">Bugs</h4>
+ <p>It can take quite a while to generate some cryptographic values.</p>
+ <hr>
+ <script type="text/javascript" language="javascript" src="scripts/footer.txt"></script>
+ </body>
</html>
Index: contrib/ntp/include/Makefile.in
===================================================================
--- contrib/ntp/include/Makefile.in (版本 330566)
+++ contrib/ntp/include/Makefile.in (版本 330908)
@@ -100,6 +100,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/include/ntp_config.h
===================================================================
--- contrib/ntp/include/ntp_config.h (版本 330566)
+++ contrib/ntp/include/ntp_config.h (版本 330908)
@@ -54,7 +54,15 @@
int last;
} int_range;
-/* Structure for storing an attribute-value pair */
+/* generic list node */
+typedef struct any_node_tag any_node;
+struct any_node_tag {
+ any_node * link;
+};
+
+typedef DECL_FIFO_ANCHOR(any_node) any_node_fifo;
+
+/* Structure for storing an attribute-value pair */
typedef struct attr_val_tag attr_val;
struct attr_val_tag {
attr_val * link;
@@ -102,8 +110,9 @@
restrict_node * link;
address_node * addr;
address_node * mask;
- int_fifo * flags;
+ int_fifo * flag_tok_fifo;
int line_no;
+ short ippeerlimit;
};
typedef DECL_FIFO_ANCHOR(restrict_node) restrict_fifo;
@@ -267,8 +276,12 @@
const char * token_name(int token);
/* generic fifo routines for structs linked by 1st member */
-void* append_gen_fifo(void *fifo, void *entry);
+typedef void (*fifo_deleter)(void*);
+void * destroy_gen_fifo(void *fifo, fifo_deleter func);
+void * append_gen_fifo(void *fifo, void *entry);
void * concat_gen_fifos(void *first, void *second);
+#define DESTROY_G_FIFO(pf, func) \
+ ((pf) = destroy_gen_fifo((pf), (fifo_deleter)(func)))
#define APPEND_G_FIFO(pf, pe) \
((pf) = append_gen_fifo((pf), (pe)))
#define CONCAT_G_FIFOS(first, second) \
@@ -288,11 +301,13 @@
attr_val *create_attr_uval(int attr, u_int value);
attr_val *create_attr_rangeval(int attr, int first, int last);
attr_val *create_attr_sval(int attr, const char *s);
+void destroy_attr_val(attr_val *node);
filegen_node *create_filegen_node(int filegen_token,
attr_val_fifo *options);
string_node *create_string_node(char *str);
restrict_node *create_restrict_node(address_node *addr,
address_node *mask,
+ short ippeerlimit,
int_fifo *flags, int line_no);
int_node *create_int_node(int val);
addr_opts_node *create_addr_opts_node(address_node *addr,
Index: contrib/file/magic/Makefile.in
===================================================================
--- contrib/file/magic/Makefile.in (版本 330566)
+++ contrib/file/magic/Makefile.in (版本 330908)
@@ -273,7 +273,7 @@
top_srcdir = @top_srcdir@
#
-# $File: Makefile.am,v 1.120 2016/10/17 19:52:29 christos Exp $
+# $File: Makefile.am,v 1.126 2017/08/10 11:01:38 christos Exp $
#
MAGIC_FRAGMENT_BASE = Magdir
MAGIC_DIR = $(top_srcdir)/magic
@@ -293,6 +293,7 @@
$(MAGIC_FRAGMENT_DIR)/android \
$(MAGIC_FRAGMENT_DIR)/animation \
$(MAGIC_FRAGMENT_DIR)/aout \
+$(MAGIC_FRAGMENT_DIR)/apache \
$(MAGIC_FRAGMENT_DIR)/apl \
$(MAGIC_FRAGMENT_DIR)/apple \
$(MAGIC_FRAGMENT_DIR)/application \
@@ -306,6 +307,7 @@
$(MAGIC_FRAGMENT_DIR)/basis \
$(MAGIC_FRAGMENT_DIR)/ber \
$(MAGIC_FRAGMENT_DIR)/bflt \
+$(MAGIC_FRAGMENT_DIR)/bhl \
$(MAGIC_FRAGMENT_DIR)/bioinformatics \
$(MAGIC_FRAGMENT_DIR)/blackberry \
$(MAGIC_FRAGMENT_DIR)/blcr \
@@ -369,6 +371,7 @@
$(MAGIC_FRAGMENT_DIR)/fusecompress \
$(MAGIC_FRAGMENT_DIR)/games \
$(MAGIC_FRAGMENT_DIR)/gcc \
+$(MAGIC_FRAGMENT_DIR)/gconv \
$(MAGIC_FRAGMENT_DIR)/geo \
$(MAGIC_FRAGMENT_DIR)/geos \
$(MAGIC_FRAGMENT_DIR)/gimp \
@@ -376,6 +379,7 @@
$(MAGIC_FRAGMENT_DIR)/gnu \
$(MAGIC_FRAGMENT_DIR)/gnumeric \
$(MAGIC_FRAGMENT_DIR)/gpt \
+$(MAGIC_FRAGMENT_DIR)/gpu \
$(MAGIC_FRAGMENT_DIR)/grace \
$(MAGIC_FRAGMENT_DIR)/graphviz \
$(MAGIC_FRAGMENT_DIR)/gringotts \
@@ -547,6 +551,7 @@
$(MAGIC_FRAGMENT_DIR)/vxl \
$(MAGIC_FRAGMENT_DIR)/warc \
$(MAGIC_FRAGMENT_DIR)/weak \
+$(MAGIC_FRAGMENT_DIR)/webassembly \
$(MAGIC_FRAGMENT_DIR)/windows \
$(MAGIC_FRAGMENT_DIR)/wireless \
$(MAGIC_FRAGMENT_DIR)/wordprocessors \
@@ -557,6 +562,7 @@
$(MAGIC_FRAGMENT_DIR)/xilinx \
$(MAGIC_FRAGMENT_DIR)/xo65 \
$(MAGIC_FRAGMENT_DIR)/xwindows \
+$(MAGIC_FRAGMENT_DIR)/yara \
$(MAGIC_FRAGMENT_DIR)/zfs \
$(MAGIC_FRAGMENT_DIR)/zilog \
$(MAGIC_FRAGMENT_DIR)/zyxel
Index: contrib/file/src/cdf.h
===================================================================
--- contrib/file/src/cdf.h (版本 330566)
+++ contrib/file/src/cdf.h (版本 330908)
@@ -127,9 +127,9 @@
typedef struct {
void *sst_tab;
- size_t sst_len;
- size_t sst_dirlen;
- size_t sst_ss;
+ size_t sst_len; /* Number of sectors */
+ size_t sst_dirlen; /* Directory sector size */
+ size_t sst_ss; /* Sector size */
} cdf_stream_t;
typedef struct {
Index: contrib/file/src/file.h
===================================================================
--- contrib/file/src/file.h (版本 330566)
+++ contrib/file/src/file.h (版本 330908)
@@ -27,7 +27,7 @@
*/
/*
* file.h - definitions for file(1) program
- * @(#)$File: file.h,v 1.180 2016/07/20 11:27:08 christos Exp $
+ * @(#)$File: file.h,v 1.183 2017/08/28 13:39:18 christos Exp $
*/
#ifndef __file_h__
@@ -36,6 +36,10 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#ifdef HAVE_STDINT_H
+#ifndef __STDC_LIMIT_MACROS
+#define __STDC_LIMIT_MACROS
+#endif
#ifdef WIN32
#ifdef _WIN64
@@ -50,16 +54,12 @@
#define INT64_T_FORMAT "ll"
#define INTMAX_T_FORMAT "j"
#endif
+#include <stdint.h>
+#endif
#include <stdio.h> /* Include that here, to make sure __P gets defined */
#include <errno.h>
#include <fcntl.h> /* For open and flags */
-#ifdef HAVE_STDINT_H
-#ifndef __STDC_LIMIT_MACROS
-#define __STDC_LIMIT_MACROS
-#endif
-#include <stdint.h>
-#endif
#ifdef HAVE_INTTYPES_H
#include <inttypes.h>
#endif
@@ -447,7 +447,7 @@
protected int file_replace(struct magic_set *, const char *, const char *);
protected int file_printf(struct magic_set *, const char *, ...)
__attribute__((__format__(__printf__, 2, 3)));
-protected int file_reset(struct magic_set *);
+protected int file_reset(struct magic_set *, int);
protected int file_tryelf(struct magic_set *, int, const unsigned char *,
size_t);
protected int file_trycdf(struct magic_set *, int, const unsigned char *,
Index: contrib/file/src/magic.c
===================================================================
--- contrib/file/src/magic.c (版本 330566)
+++ contrib/file/src/magic.c (版本 330908)
@@ -33,7 +33,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: magic.c,v 1.100 2016/07/18 11:43:05 christos Exp $")
+FILE_RCSID("@(#)$File: magic.c,v 1.102 2017/08/28 13:39:18 christos Exp $")
#endif /* lint */
#include "magic.h"
@@ -167,7 +167,7 @@
{
if (fdwReason == DLL_PROCESS_ATTACH)
_w32_dll_instance = hinstDLL;
- return TRUE;
+ return 1;
}
#endif
@@ -409,7 +409,7 @@
int ispipe = 0;
off_t pos = (off_t)-1;
- if (file_reset(ms) == -1)
+ if (file_reset(ms, 1) == -1)
goto out;
/*
@@ -538,7 +538,7 @@
{
if (ms == NULL)
return NULL;
- if (file_reset(ms) == -1)
+ if (file_reset(ms, 1) == -1)
return NULL;
/*
* The main work is done here!
@@ -568,6 +568,15 @@
}
public int
+magic_getflags(struct magic_set *ms)
+{
+ if (ms == NULL)
+ return -1;
+
+ return ms->flags;
+}
+
+public int
magic_setflags(struct magic_set *ms, int flags)
{
if (ms == NULL)
Index: contrib/file/src/readelf.c
===================================================================
--- contrib/file/src/readelf.c (版本 330566)
+++ contrib/file/src/readelf.c (版本 330908)
@@ -27,7 +27,7 @@
#include "file.h"
#ifndef lint
-FILE_RCSID("@(#)$File: readelf.c,v 1.128 2016/10/04 21:43:10 christos Exp $")
+FILE_RCSID("@(#)$File: readelf.c,v 1.138 2017/08/27 07:55:02 christos Exp $")
#endif
#ifdef BUILTIN_ELF
@@ -310,17 +310,19 @@
"NetBSD",
};
-#define FLAGS_DID_CORE 0x001
-#define FLAGS_DID_OS_NOTE 0x002
-#define FLAGS_DID_BUILD_ID 0x004
-#define FLAGS_DID_CORE_STYLE 0x008
-#define FLAGS_DID_NETBSD_PAX 0x010
-#define FLAGS_DID_NETBSD_MARCH 0x020
-#define FLAGS_DID_NETBSD_CMODEL 0x040
-#define FLAGS_DID_NETBSD_UNKNOWN 0x080
-#define FLAGS_IS_CORE 0x100
-#define FLAGS_DID_AUXV 0x200
+#define FLAGS_CORE_STYLE 0x003
+#define FLAGS_DID_CORE 0x004
+#define FLAGS_DID_OS_NOTE 0x008
+#define FLAGS_DID_BUILD_ID 0x010
+#define FLAGS_DID_CORE_STYLE 0x020
+#define FLAGS_DID_NETBSD_PAX 0x040
+#define FLAGS_DID_NETBSD_MARCH 0x080
+#define FLAGS_DID_NETBSD_CMODEL 0x100
+#define FLAGS_DID_NETBSD_UNKNOWN 0x200
+#define FLAGS_IS_CORE 0x400
+#define FLAGS_DID_AUXV 0x800
+
private int
dophn_core(struct magic_set *ms, int clazz, int swap, int fd, off_t off,
int num, size_t size, off_t fsize, int *flags, uint16_t *notecount)
@@ -709,6 +711,7 @@
== -1)
return 1;
*flags |= FLAGS_DID_CORE_STYLE;
+ *flags |= os_style;
}
switch (os_style) {
@@ -715,26 +718,23 @@
case OS_STYLE_NETBSD:
if (type == NT_NETBSD_CORE_PROCINFO) {
char sbuf[512];
- uint32_t signo;
- /*
- * Extract the program name. It is at
- * offset 0x7c, and is up to 32-bytes,
- * including the terminating NUL.
- */
- if (file_printf(ms, ", from '%.31s'",
+ struct NetBSD_elfcore_procinfo pi;
+ memset(&pi, 0, sizeof(pi));
+ memcpy(&pi, nbuf + doff, descsz);
+
+ if (file_printf(ms, ", from '%.31s', pid=%u, uid=%u, "
+ "gid=%u, nlwps=%u, lwp=%u (signal %u/code %u)",
file_printable(sbuf, sizeof(sbuf),
- (const char *)&nbuf[doff + 0x7c])) == -1)
+ CAST(char *, pi.cpi_name)),
+ elf_getu32(swap, pi.cpi_pid),
+ elf_getu32(swap, pi.cpi_euid),
+ elf_getu32(swap, pi.cpi_egid),
+ elf_getu32(swap, pi.cpi_nlwps),
+ elf_getu32(swap, pi.cpi_siglwp),
+ elf_getu32(swap, pi.cpi_signo),
+ elf_getu32(swap, pi.cpi_sigcode)) == -1)
return 1;
-
- /*
- * Extract the signal number. It is at
- * offset 0x08.
- */
- (void)memcpy(&signo, &nbuf[doff + 0x08],
- sizeof(signo));
- if (file_printf(ms, " (signal %u)",
- elf_getu32(swap, signo)) == -1)
- return 1;
+
*flags |= FLAGS_DID_CORE;
return 1;
}
@@ -890,7 +890,7 @@
offset = get_offset_from_virtaddr(ms, swap, clazz, fd, ph_off, ph_num,
fsize, virtaddr);
- if ((buflen = pread(fd, buf, buflen, offset)) <= 0) {
+ if ((buflen = pread(fd, buf, CAST(size_t, buflen), offset)) <= 0) {
file_badread(ms);
return 0;
}
@@ -924,9 +924,29 @@
int is_string;
size_t nval;
- if (type != NT_AUXV || (*flags & FLAGS_IS_CORE) == 0)
+ if ((*flags & (FLAGS_IS_CORE|FLAGS_DID_CORE_STYLE)) !=
+ (FLAGS_IS_CORE|FLAGS_DID_CORE_STYLE))
return 0;
+ switch (*flags & FLAGS_CORE_STYLE) {
+ case OS_STYLE_SVR4:
+ if (type != NT_AUXV)
+ return 0;
+ break;
+#ifdef notyet
+ case OS_STYLE_NETBSD:
+ if (type != NT_NETBSD_CORE_AUXV)
+ return 0;
+ break;
+ case OS_STYLE_FREEBSD:
+ if (type != NT_FREEBSD_PROCSTAT_AUXV)
+ return 0;
+ break;
+#endif
+ default:
+ return 0;
+ }
+
*flags |= FLAGS_DID_AUXV;
nval = 0;
@@ -1031,13 +1051,13 @@
}
if (namesz & 0x80000000) {
- (void)file_printf(ms, ", bad note name size 0x%lx",
+ (void)file_printf(ms, ", bad note name size %#lx",
(unsigned long)namesz);
return 0;
}
if (descsz & 0x80000000) {
- (void)file_printf(ms, ", bad note description size 0x%lx",
+ (void)file_printf(ms, ", bad note description size %#lx",
(unsigned long)descsz);
return 0;
}
@@ -1185,12 +1205,12 @@
{
Elf32_Shdr sh32;
Elf64_Shdr sh64;
- int stripped = 1;
+ int stripped = 1, has_debug_info = 0;
size_t nbadcap = 0;
void *nbuf;
off_t noff, coff, name_off;
- uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilites */
- uint64_t cap_sf1 = 0; /* SunOS 5.x software capabilites */
+ uint64_t cap_hw1 = 0; /* SunOS 5.x hardware capabilities */
+ uint64_t cap_sf1 = 0; /* SunOS 5.x software capabilities */
char name[50];
ssize_t namesize;
@@ -1203,8 +1223,9 @@
/* Read offset of name section to be able to read section names later */
if (pread(fd, xsh_addr, xsh_sizeof, CAST(off_t, (off + size * strtab)))
< (ssize_t)xsh_sizeof) {
- file_badread(ms);
- return -1;
+ if (file_printf(ms, ", missing section headers") == -1)
+ return -1;
+ return 0;
}
name_off = xsh_offset;
@@ -1215,8 +1236,10 @@
return -1;
}
name[namesize] = '\0';
- if (strcmp(name, ".debug_info") == 0)
+ if (strcmp(name, ".debug_info") == 0) {
+ has_debug_info = 1;
stripped = 0;
+ }
if (pread(fd, xsh_addr, xsh_sizeof, off) < (ssize_t)xsh_sizeof) {
file_badread(ms);
@@ -1247,9 +1270,9 @@
if ((uintmax_t)(xsh_size + xsh_offset) >
(uintmax_t)fsize) {
if (file_printf(ms,
- ", note offset/size 0x%" INTMAX_T_FORMAT
- "x+0x%" INTMAX_T_FORMAT "x exceeds"
- " file size 0x%" INTMAX_T_FORMAT "x",
+ ", note offset/size %#" INTMAX_T_FORMAT
+ "x+%#" INTMAX_T_FORMAT "x exceeds"
+ " file size %#" INTMAX_T_FORMAT "x",
(uintmax_t)xsh_offset, (uintmax_t)xsh_size,
(uintmax_t)fsize) == -1)
return -1;
@@ -1353,7 +1376,7 @@
default:
if (file_printf(ms,
", with unknown capability "
- "0x%" INT64_T_FORMAT "x = 0x%"
+ "%#" INT64_T_FORMAT "x = %#"
INT64_T_FORMAT "x",
(unsigned long long)xcap_tag,
(unsigned long long)xcap_val) == -1)
@@ -1370,6 +1393,10 @@
}
}
+ if (has_debug_info) {
+ if (file_printf(ms, ", with debug_info") == -1)
+ return -1;
+ }
if (file_printf(ms, ", %sstripped", stripped ? "" : "not ") == -1)
return -1;
if (cap_hw1) {
@@ -1403,13 +1430,13 @@
}
if (cap_hw1)
if (file_printf(ms,
- " unknown hardware capability 0x%"
+ " unknown hardware capability %#"
INT64_T_FORMAT "x",
(unsigned long long)cap_hw1) == -1)
return -1;
} else {
if (file_printf(ms,
- " hardware capability 0x%" INT64_T_FORMAT "x",
+ " hardware capability %#" INT64_T_FORMAT "x",
(unsigned long long)cap_hw1) == -1)
return -1;
}
@@ -1425,7 +1452,7 @@
cap_sf1 &= ~SF1_SUNW_MASK;
if (cap_sf1)
if (file_printf(ms,
- ", with unknown software capability 0x%"
+ ", with unknown software capability %#"
INT64_T_FORMAT "x",
(unsigned long long)cap_sf1) == -1)
return -1;
@@ -1479,7 +1506,7 @@
if (((align = xph_align) & 0x80000000UL) != 0 ||
align < 4) {
if (file_printf(ms,
- ", invalid note alignment 0x%lx",
+ ", invalid note alignment %#lx",
(unsigned long)align) == -1)
return -1;
align = 4;
Index: contrib/file/tests/Makefile.am
===================================================================
--- contrib/file/tests/Makefile.am (版本 330566)
+++ contrib/file/tests/Makefile.am (版本 330908)
@@ -1,6 +1,6 @@
check_PROGRAMS = test
test_LDADD = $(top_builddir)/src/libmagic.la
-test_CPPFLAGS = -I$(top_srcdir)/src
+test_CPPFLAGS = -I$(top_builddir)/src
EXTRA_DIST = \
escapevel.result \
@@ -7,6 +7,8 @@
escapevel.testfile \
gedcom.result \
gedcom.testfile \
+hddrawcopytool.result \
+hddrawcopytool.testfile \
issue311docx.result \
issue311docx.testfile
Index: contrib/tzdata/Makefile
===================================================================
--- contrib/tzdata/Makefile (版本 330566)
+++ contrib/tzdata/Makefile (版本 330908)
@@ -42,37 +42,64 @@
# Also see TZDEFRULESTRING below, which takes effect only
# if the time zone files cannot be accessed.
-# Everything gets put in subdirectories of. . .
-TOPDIR= /usr/local
+# Installation locations.
+#
+# The defaults are suitable for Debian, except that if REDO is
+# posix_right or right_posix then files that Debian puts under
+# /usr/share/zoneinfo/posix and /usr/share/zoneinfo/right are instead
+# put under /usr/share/zoneinfo-posix and /usr/share/zoneinfo-leaps,
+# respectively. Problems with the Debian approach are discussed in
+# the commentary for the right_posix rule (below).
+# Destination directory, which can be used for staging.
+# 'make DESTDIR=/stage install' installs under /stage (e.g., to
+# /stage/etc/localtime instead of to /etc/localtime). Files under
+# /stage are not intended to work as-is, but can be copied by hand to
+# the root directory later. If DESTDIR is empty, 'make install' does
+# not stage, but installs directly into production locations.
+DESTDIR =
+
+# Everything is installed into subdirectories of TOPDIR, and used there.
+# TOPDIR should be empty (meaning the root directory),
+# or a directory name that does not end in "/".
+# TOPDIR should be empty or an absolute name unless you're just testing.
+TOPDIR =
+
+# The default local time zone is taken from the file TZDEFAULT.
+TZDEFAULT = $(TOPDIR)/etc/localtime
+
+# The subdirectory containing installed program and data files, and
+# likewise for installed files that can be shared among architectures.
+# These should be relative file names.
+USRDIR = usr
+USRSHAREDIR = $(USRDIR)/share
+
# "Compiled" time zone information is placed in the "TZDIR" directory
# (and subdirectories).
-# Use an absolute path name for TZDIR unless you're just testing the software.
# TZDIR_BASENAME should not contain "/" and should not be ".", ".." or empty.
-
TZDIR_BASENAME= zoneinfo
-TZDIR= $(TOPDIR)/etc/$(TZDIR_BASENAME)
+TZDIR = $(TOPDIR)/$(USRSHAREDIR)/$(TZDIR_BASENAME)
-# Types to try, as an alternative to time_t. int64_t should be first.
-TIME_T_ALTERNATIVES= int64_t int32_t uint32_t uint64_t
+# The "tzselect" and (if you do "make INSTALL") "date" commands go in:
+BINDIR = $(TOPDIR)/$(USRDIR)/bin
-# The "tzselect", "zic", and "zdump" commands get installed in. . .
+# The "zdump" command goes in:
+ZDUMPDIR = $(BINDIR)
-ETCDIR= $(TOPDIR)/etc
+# The "zic" command goes in:
+ZICDIR = $(TOPDIR)/$(USRDIR)/sbin
-# If you "make INSTALL", the "date" command gets installed in. . .
-
-BINDIR= $(TOPDIR)/bin
-
# Manual pages go in subdirectories of. . .
+MANDIR = $(TOPDIR)/$(USRSHAREDIR)/man
-MANDIR= $(TOPDIR)/man
-
# Library functions are put in an archive in LIBDIR.
+LIBDIR = $(TOPDIR)/$(USRDIR)/lib
-LIBDIR= $(TOPDIR)/lib
+# Types to try, as an alternative to time_t. int64_t should be first.
+TIME_T_ALTERNATIVES = int64_t int32_t uint32_t uint64_t
+
# If you want only POSIX time, with time values interpreted as
# seconds since the epoch (not counting leap seconds), use
# REDO= posix_only
@@ -105,11 +132,14 @@
TZDATA_TEXT= leapseconds tzdata.zi
# For backward-compatibility links for old zone names, use
+# BACKWARD= backward
+# If you also want the link US/Pacific-New, even though it is confusing
+# and is planned to be removed from the database eventually, use
# BACKWARD= backward pacificnew
# To omit these links, use
# BACKWARD=
-BACKWARD= backward pacificnew
+BACKWARD= backward
# If you want out-of-scope and often-wrong data from the file 'backzone', use
# PACKRATDATA= backzone
@@ -313,7 +343,7 @@
# How to use zic to install tz binary files.
-ZIC_INSTALL= $(ZIC) -d $(DESTDIR)$(TZDIR) $(LEAPSECONDS)
+ZIC_INSTALL= $(ZIC) -d '$(DESTDIR)$(TZDIR)' $(LEAPSECONDS)
# The name of a Posix-compliant 'awk' on your system.
AWK= awk
@@ -341,8 +371,8 @@
VALIDATE = nsgmls
VALIDATE_FLAGS = -s -B -wall -wno-unused-param
VALIDATE_ENV = \
- SGML_CATALOG_FILES=$(SGML_CATALOG_FILES) \
- SGML_SEARCH_PATH=$(SGML_SEARCH_PATH) \
+ SGML_CATALOG_FILES='$(SGML_CATALOG_FILES)' \
+ SGML_SEARCH_PATH='$(SGML_SEARCH_PATH)' \
SP_CHARSET_FIXED=YES \
SP_ENCODING=UTF-8
@@ -396,7 +426,7 @@
#MAKE= make
cc= cc
-CC= $(cc) -DTZDIR=\"$(TZDIR)\"
+CC= $(cc) -DTZDIR='"$(TZDIR)"'
AR= ar
@@ -421,18 +451,19 @@
date.1.txt
COMMON= calendars CONTRIBUTING LICENSE Makefile \
NEWS README theory.html version
-WEB_PAGES= tz-art.htm tz-how-to.html tz-link.htm
+WEB_PAGES= tz-art.html tz-how-to.html tz-link.html
DOCS= $(MANS) date.1 $(MANTXTS) $(WEB_PAGES)
PRIMARY_YDATA= africa antarctica asia australasia \
europe northamerica southamerica
-YDATA= $(PRIMARY_YDATA) etcetera $(BACKWARD)
+YDATA= $(PRIMARY_YDATA) etcetera
NDATA= systemv factory
-TDATA= $(YDATA) $(NDATA)
+TDATA_TO_CHECK= $(YDATA) $(NDATA) backward pacificnew
+TDATA= $(YDATA) $(NDATA) $(BACKWARD)
ZONETABLES= zone1970.tab zone.tab
TABDATA= iso3166.tab $(TZDATA_TEXT) $(ZONETABLES)
LEAP_DEPS= leapseconds.awk leap-seconds.list
-TZDATA_ZI_DEPS= zishrink.awk $(TDATA) $(PACKRATDATA)
-DATA= $(YDATA) $(NDATA) backzone iso3166.tab leap-seconds.list \
+TZDATA_ZI_DEPS= zishrink.awk version $(TDATA) $(PACKRATDATA)
+DATA= $(TDATA_TO_CHECK) backzone iso3166.tab leap-seconds.list \
leapseconds yearistype.sh $(ZONETABLES)
AWK_SCRIPTS= checklinks.awk checktab.awk leapseconds.awk zishrink.awk
MISC= $(AWK_SCRIPTS) zoneinfo2tdf.pl
@@ -457,7 +488,7 @@
newctime.3 newstrftime.3 newtzset.3 northamerica \
pacificnew private.h \
southamerica strftime.c systemv theory.html \
- time2posix.3 tz-art.htm tz-how-to.html tz-link.htm \
+ time2posix.3 tz-art.html tz-how-to.html tz-link.html \
tzfile.5 tzfile.h tzselect.8 tzselect.ksh \
workman.sh yearistype.sh \
zdump.8 zdump.c zic.8 zic.c \
@@ -473,35 +504,41 @@
ALL: all date $(ENCHILADA)
install: all $(DATA) $(REDO) $(MANS)
- mkdir -p $(DESTDIR)$(ETCDIR) $(DESTDIR)$(TZDIR) \
- $(DESTDIR)$(LIBDIR) \
- $(DESTDIR)$(MANDIR)/man3 $(DESTDIR)$(MANDIR)/man5 \
- $(DESTDIR)$(MANDIR)/man8
- $(ZIC_INSTALL) -l $(LOCALTIME) -p $(POSIXRULES)
- cp -f $(TABDATA) $(DESTDIR)$(TZDIR)/.
- cp tzselect zic zdump $(DESTDIR)$(ETCDIR)/.
- cp libtz.a $(DESTDIR)$(LIBDIR)/.
- $(RANLIB) $(DESTDIR)$(LIBDIR)/libtz.a
- cp -f newctime.3 newtzset.3 $(DESTDIR)$(MANDIR)/man3/.
- cp -f tzfile.5 $(DESTDIR)$(MANDIR)/man5/.
- cp -f tzselect.8 zdump.8 zic.8 $(DESTDIR)$(MANDIR)/man8/.
+ mkdir -p '$(DESTDIR)$(BINDIR)' \
+ '$(DESTDIR)$(ZDUMPDIR)' '$(DESTDIR)$(ZICDIR)' \
+ '$(DESTDIR)$(LIBDIR)' \
+ '$(DESTDIR)$(MANDIR)/man3' '$(DESTDIR)$(MANDIR)/man5' \
+ '$(DESTDIR)$(MANDIR)/man8'
+ $(ZIC_INSTALL) -l $(LOCALTIME) -p $(POSIXRULES) \
+ -t '$(DESTDIR)$(TZDEFAULT)'
+ cp -f $(TABDATA) '$(DESTDIR)$(TZDIR)/.'
+ cp tzselect '$(DESTDIR)$(BINDIR)/.'
+ cp zdump '$(DESTDIR)$(ZDUMPDIR)/.'
+ cp zic '$(DESTDIR)$(ZICDIR)/.'
+ cp libtz.a '$(DESTDIR)$(LIBDIR)/.'
+ $(RANLIB) '$(DESTDIR)$(LIBDIR)/libtz.a'
+ cp -f newctime.3 newtzset.3 '$(DESTDIR)$(MANDIR)/man3/.'
+ cp -f tzfile.5 '$(DESTDIR)$(MANDIR)/man5/.'
+ cp -f tzselect.8 zdump.8 zic.8 '$(DESTDIR)$(MANDIR)/man8/.'
INSTALL: ALL install date.1
- mkdir -p $(DESTDIR)$(BINDIR) $(DESTDIR)$(MANDIR)/man1
- cp date $(DESTDIR)$(BINDIR)/.
- cp -f date.1 $(DESTDIR)$(MANDIR)/man1/.
+ mkdir -p '$(DESTDIR)$(BINDIR)' '$(DESTDIR)$(MANDIR)/man1'
+ cp date '$(DESTDIR)$(BINDIR)/.'
+ cp -f date.1 '$(DESTDIR)$(MANDIR)/man1/.'
version: $(VERSION_DEPS)
{ (type git) >/dev/null 2>&1 && \
V=`git describe --match '[0-9][0-9][0-9][0-9][a-z]*' \
--abbrev=7 --dirty` || \
- V=$(VERSION); } && \
+ V='$(VERSION)'; } && \
printf '%s\n' "$$V" >$@.out
mv $@.out $@
# This file can be tailored by setting BACKWARD, PACKRATDATA, etc.
tzdata.zi: $(TZDATA_ZI_DEPS)
- LC_ALL=C $(AWK) -f zishrink.awk $(TDATA) $(PACKRATDATA) >$@.out
+ version=`sed 1q version` && \
+ LC_ALL=C $(AWK) -v version="$$version" -f zishrink.awk \
+ $(TDATA) $(PACKRATDATA) >$@.out
mv $@.out $@
version.h: version
@@ -529,12 +566,13 @@
# Arguments to pass to submakes of install_data.
# They can be overridden by later submake arguments.
INSTALLARGS = \
- BACKWARD=$(BACKWARD) \
- DESTDIR=$(DESTDIR) \
+ BACKWARD='$(BACKWARD)' \
+ DESTDIR='$(DESTDIR)' \
LEAPSECONDS='$(LEAPSECONDS)' \
PACKRATDATA='$(PACKRATDATA)' \
- TZDIR=$(TZDIR) \
- YEARISTYPE=$(YEARISTYPE) \
+ TZDEFAULT='$(TZDEFAULT)' \
+ TZDIR='$(TZDIR)' \
+ YEARISTYPE='$(YEARISTYPE)' \
ZIC='$(ZIC)'
# 'make install_data' installs one set of tz binary files.
@@ -558,16 +596,16 @@
# You must replace all of $(TZDIR) to switch from not using leap seconds
# to using them, or vice versa.
right_posix: right_only
- rm -fr $(DESTDIR)$(TZDIR)-leaps
- ln -s $(TZDIR_BASENAME) $(DESTDIR)$(TZDIR)-leaps || \
- $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-leaps right_only
- $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-posix posix_only
+ rm -fr '$(DESTDIR)$(TZDIR)-leaps'
+ ln -s '$(TZDIR_BASENAME)' '$(DESTDIR)$(TZDIR)-leaps' || \
+ $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-leaps' right_only
+ $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-posix' posix_only
posix_right: posix_only
- rm -fr $(DESTDIR)$(TZDIR)-posix
- ln -s $(TZDIR_BASENAME) $(DESTDIR)$(TZDIR)-posix || \
- $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-posix posix_only
- $(MAKE) $(INSTALLARGS) TZDIR=$(TZDIR)-leaps right_only
+ rm -fr '$(DESTDIR)$(TZDIR)-posix'
+ ln -s '$(TZDIR_BASENAME)' '$(DESTDIR)$(TZDIR)-posix' || \
+ $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-posix' posix_only
+ $(MAKE) $(INSTALLARGS) TZDIR='$(TZDIR)-leaps' right_only
# This obsolescent rule is present for backwards compatibility with
# tz releases 2014g through 2015g. It should go away eventually.
@@ -633,7 +671,7 @@
$(MISC) $(SOURCES) $(WEB_PAGES) \
CONTRIBUTING LICENSE Makefile README \
version tzdata.zi && \
- ! grep -Env $(SAFE_SHARP_LINE) $(TDATA) backzone \
+ ! grep -Env $(SAFE_SHARP_LINE) $(TDATA_TO_CHECK) backzone \
leapseconds yearistype.sh zone.tab && \
! grep -Env $(OK_LINE) $(ENCHILADA); \
}
@@ -641,14 +679,16 @@
check_white_space: $(ENCHILADA)
patfmt=' \t|[\f\r\v]' && pat=`printf "$$patfmt\\n"` && \
! grep -En "$$pat" $(ENCHILADA)
- ! grep -n '[[:space:]]$$' $(ENCHILADA)
+ ! grep -n '[[:space:]]$$' \
+ $$(ls $(ENCHILADA) | grep -Fvx leap-seconds.list)
PRECEDES_FILE_NAME = ^(Zone|Link[[:space:]]+[^[:space:]]+)[[:space:]]+
FILE_NAME_COMPONENT_TOO_LONG = \
$(PRECEDES_FILE_NAME)[^[:space:]]*[^/[:space:]]{15}
-check_name_lengths: $(TDATA) backzone
- ! grep -En '$(FILE_NAME_COMPONENT_TOO_LONG)' $(TDATA) backzone
+check_name_lengths: $(TDATA_TO_CHECK) backzone
+ ! grep -En '$(FILE_NAME_COMPONENT_TOO_LONG)' \
+ $(TDATA_TO_CHECK) backzone
CHECK_CC_LIST = { n = split($$1,a,/,/); for (i=2; i<=n; i++) print a[1], a[i]; }
@@ -662,8 +702,8 @@
$(AWK) '/^[^#]/ $(CHECK_CC_LIST)' zone1970.tab | \
LC_ALL=C sort -cu
-check_links: checklinks.awk $(TDATA)
- $(AWK) -f checklinks.awk $(TDATA)
+check_links: checklinks.awk $(TDATA_TO_CHECK)
+ $(AWK) -f checklinks.awk $(TDATA_TO_CHECK)
$(AWK) -f checklinks.awk tzdata.zi
check_tables: checktab.awk $(PRIMARY_YDATA) $(ZONETABLES)
@@ -764,12 +804,12 @@
check_public:
$(MAKE) maintainer-clean
- $(MAKE) "CFLAGS=$(GCC_DEBUG_FLAGS)" ALL
+ $(MAKE) CFLAGS='$(GCC_DEBUG_FLAGS)' ALL
mkdir -p public.dir
- for i in $(TDATA) tzdata.zi; do \
+ for i in $(TDATA_TO_CHECK) tzdata.zi; do \
$(zic) -v -d public.dir $$i 2>&1 || exit; \
done
- $(zic) -v -d public.dir $(TDATA)
+ $(zic) -v -d public.dir $(TDATA_TO_CHECK)
rm -fr public.dir
# Check that the code works under various alternative
@@ -790,8 +830,11 @@
REDO='$(REDO)' \
install && \
diff $$quiet_option -r \
- time_t.dir/int64_t/etc/zoneinfo \
- time_t.dir/$$type/etc/zoneinfo && \
+ time_t.dir/int64_t/etc \
+ time_t.dir/$$type/etc && \
+ diff $$quiet_option -r \
+ time_t.dir/int64_t/usr/share \
+ time_t.dir/$$type/usr/share && \
case $$type in \
int32_t) range=-2147483648,2147483647;; \
uint32_t) range=0,4294967296;; \
@@ -800,9 +843,9 @@
*) range=-10000000000,10000000000;; \
esac && \
echo checking $$type zones ... && \
- time_t.dir/int64_t/etc/zdump -V -t $$range $$zones \
+ time_t.dir/int64_t/usr/bin/zdump -V -t $$range $$zones \
>time_t.dir/int64_t.out && \
- time_t.dir/$$type/etc/zdump -V -t $$range $$zones \
+ time_t.dir/$$type/usr/bin/zdump -V -t $$range $$zones \
>time_t.dir/$$type.out && \
diff -u time_t.dir/int64_t.out time_t.dir/$$type.out \
|| exit; \
Index: contrib/tzdata/asia
===================================================================
--- contrib/tzdata/asia (版本 330566)
+++ contrib/tzdata/asia (版本 330908)
@@ -50,7 +50,7 @@
# 9:00 KST KDT Korea when at +09
# 9:30 ACST Australian Central Standard Time
# Otherwise, these tables typically use numeric abbreviations like +03
-# and +0330 for integer hour and minute UTC offsets. Although earlier
+# and +0330 for integer hour and minute UT offsets. Although earlier
# editions invented alphabetic time zone abbreviations for every
# offset, this did not reflect common practice.
#
@@ -647,17 +647,17 @@
# time", in which abolished the adoption of Western Standard Time in
# western islands (listed above), which means the whole Japan
# territory, including later occupations, adopt Japan Central Time
-# (UTC+9). The adoption began on Oct 1, 1937. The original text can
+# (UT+9). The adoption began on Oct 1, 1937. The original text can
# be found on Wikisource:
# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
#
-# That is, the time zone of Taipei switched to UTC+9 on Oct 1, 1937.
+# That is, the time zone of Taipei switched to UT+9 on Oct 1, 1937.
# From Yu-Cheng Chuang (2014-07-02):
-# I've found more evidence about when the time zone was switched from UTC+9
-# back to UTC+8 after WW2. I believe it was on Sep 21, 1945. In a document
+# I've found more evidence about when the time zone was switched from UT+9
+# back to UT+8 after WW2. I believe it was on Sep 21, 1945. In a document
# during Japanese era [1] in which the officer told the staff to change time
-# zone back to Western Standard Time (UTC+8) on Sep 21. And in another
+# zone back to Western Standard Time (UT+8) on Sep 21. And in another
# history page of National Cheng Kung University [2], on Sep 21 there is a
# note "from today, switch back to Western Standard Time". From these two
# materials, I believe that the time zone change happened on Sep 21. And
@@ -1464,17 +1464,17 @@
# of the Japanese wanted to scrap daylight-saving time, as opposed to 30% who
# wanted to keep it.)
-# From Paul Eggert (2006-03-22):
-# Shanks & Pottenger write that DST in Japan during those years was as follows:
+# From Takayuki Nikai (2018-01-19):
+# The source of information is Japanese law.
+# http://www.shugiin.go.jp/internet/itdb_housei.nsf/html/houritsu/00219480428029.htm
+# http://www.shugiin.go.jp/internet/itdb_housei.nsf/html/houritsu/00719500331039.htm
+# ... In summary, it is written as follows. From 24:00 on the first Saturday
+# in May, until 0:00 on the day after the second Saturday in September.
# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S
-Rule Japan 1948 only - May Sun>=1 2:00 1:00 D
-Rule Japan 1948 1951 - Sep Sat>=8 2:00 0 S
-Rule Japan 1949 only - Apr Sun>=1 2:00 1:00 D
-Rule Japan 1950 1951 - May Sun>=1 2:00 1:00 D
-# but the only locations using it (for birth certificates, presumably, since
-# their audience is astrologers) were US military bases. For now, assume
-# that for most purposes daylight-saving time was observed; otherwise, what
-# would have been the point of the 1951 poll?
+Rule Japan 1948 only - May Sat>=1 24:00 1:00 D
+Rule Japan 1948 1951 - Sep Sun>=9 0:00 0 S
+Rule Japan 1949 only - Apr Sat>=1 24:00 1:00 D
+Rule Japan 1950 1951 - May Sat>=1 24:00 1:00 D
# From Hideyuki Suzuki (1998-11-09):
# 'Tokyo' usually stands for the former location of Tokyo Astronomical
@@ -1505,7 +1505,7 @@
#
# ...the Showa Emperor announced Ordinance No. 529 of Showa Year 12 ... which
# means the whole Japan territory, including later occupations, adopt Japan
-# Central Time (UTC+9). The adoption began on Oct 1, 1937.
+# Central Time (UT+9). The adoption began on Oct 1, 1937.
# https://ja.wikisource.org/wiki/明治二十八年勅令第百六十七號標準時ニ關スル件中改正ノ件
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
@@ -2066,8 +2066,8 @@
# Maldives
# Zone NAME GMTOFF RULES FORMAT [UNTIL]
-Zone Indian/Maldives 4:54:00 - LMT 1880 # Male
- 4:54:00 - MMT 1960 # Male Mean Time
+Zone Indian/Maldives 4:54:00 - LMT 1880 # Malé
+ 4:54:00 - MMT 1960 # Malé Mean Time
5:00 - +05
# Mongolia
Index: contrib/tzdata/leap-seconds.list
===================================================================
--- contrib/tzdata/leap-seconds.list (版本 330566)
+++ contrib/tzdata/leap-seconds.list (版本 330908)
@@ -61,7 +61,12 @@
# or
# Terry Quinn, "The BIPM and the Accurate Measurement
# of Time," Proc. of the IEEE, Vol. 79, pp. 894-905,
-# July, 1991.
+# July, 1991. <http://dx.doi.org/10.1109/5.84965>
+# reprinted in:
+# Christine Hackman and Donald B Sullivan (eds.)
+# Time and Frequency Measurement
+# American Association of Physics Teachers (1996)
+# <http://tf.nist.gov/general/pdf/1168.pdf>, pp. 75-86
#
# 4. The decision to insert a leap second into UTC is currently
# the responsibility of the International Earth Rotation and
@@ -199,10 +204,10 @@
# current -- the update time stamp, the data and the name of the file
# will not change.
#
-# Updated through IERS Bulletin C54
-# File expires on: 28 June 2018
+# Updated through IERS Bulletin C55
+# File expires on: 28 December 2018
#
-#@ 3739132800
+#@ 3754944000
#
2272060800 10 # 1 Jan 1972
2287785600 11 # 1 Jul 1972
@@ -247,4 +252,4 @@
# the hash line is also ignored in the
# computation.
#
-#h 5101445a 69948b51 9153e2b 2086e3d8 d54561a3
+#h 44dcf58c e28d25aa b36612c8 f3d3e8b5 a8fdf478
Index: contrib/tzdata/theory.html
===================================================================
--- contrib/tzdata/theory.html (版本 330566)
+++ contrib/tzdata/theory.html (版本 330908)
@@ -52,6 +52,10 @@
applications requiring accurate handling of all past times everywhere,
as it would take far too much effort and guesswork to record all
details of pre-1970 civil timekeeping.
+Athough some information outside the scope of the database is
+collected in a file <code>backzone</code> that is distributed along
+with the database proper, this file is less reliable and does not
+necessarily follow database guidelines.
</p>
<p>
@@ -240,7 +244,7 @@
zone rules. It is intended to be an exhaustive list of names for
geographic regions as described above; this is a subset of the names
in the data. Although a '<code>zone1970.tab</code>' location's longitude
-corresponds to its LMT offset with one hour for every 15 degrees east
+corresponds to its LMT offset with one hour for every 15&deg; east
longitude, this relationship is not exact.
</p>
@@ -279,7 +283,7 @@
in decreasing order of importance:
<ul>
<li>
- Use three or more characters that are ASCII alphanumerics or
+ Use three to six characters that are ASCII alphanumerics or
'<code>+</code>' or '<code>-</code>'.
Previous editions of this database also used characters like
'<code> </code>' and '<code>?</code>', but these
@@ -297,7 +301,7 @@
'<code>+</code>' and '<code>-</code>' are safe in all locales.
In other words, in the C locale the POSIX extended regular
- expression <code>[-+[:alnum:]]{3,}</code> should match
+ expression <code>[-+[:alnum:]]{3,6}</code> should match
the abbreviation.
This guarantees that all abbreviations could have been
specified by a POSIX TZ string.
@@ -308,12 +312,96 @@
We assume that applications translate them to other languages
as part of the normal localization process; for example,
a French application might translate 'EST' to 'HNE'.
+
+<p><small>These abbreviations (for standard/daylight/etc. time) are:
+ACST/ACDT Australian Central,
+AST/ADT/APT/AWT/ADDT Atlantic,
+AEST/AEDT Australian Eastern,
+AHST/AHDT Alaska-Hawaii,
+AKST/AKDT Alaska,
+AWST/AWDT Australian Western,
+BST/BDT Bering,
+CAT/CAST Central Africa,
+CET/CEST/CEMT Central European,
+ChST Chamorro,
+CST/CDT/CWT/CPT/CDDT Central [North America],
+CST/CDT China,
+GMT/BST/IST/BDST Greenwich,
+EAT East Africa,
+EST/EDT/EWT/EPT/EDDT Eastern [North America],
+EET/EEST Eastern European,
+GST Guam,
+HST/HDT Hawaii,
+HKT/HKST Hong Kong,
+IST India,
+IST/GMT Irish,
+IST/IDT/IDDT Israel,
+JST/JDT Japan,
+KST/KDT Korea,
+MET/MEST Middle European (a backward-compatibility alias for Central European),
+MSK/MSD Moscow,
+MST/MDT/MWT/MPT/MDDT Mountain,
+NST/NDT/NWT/NPT/NDDT Newfoundland,
+NST/NDT/NWT/NPT Nome,
+NZMT/NZST New Zealand through 1945,
+NZST/NZDT New Zealand 1946&ndash;present,
+PKT/PKST Pakistan,
+PST/PDT/PWT/PPT/PDDT Pacific,
+SAST South Africa,
+SST Samoa,
+WAT/WAST West Africa,
+WET/WEST/WEMT Western European,
+WIB Waktu Indonesia Barat,
+WIT Waktu Indonesia Timur,
+WITA Waktu Indonesia Tengah,
+YST/YDT/YWT/YPT/YDDT Yukon</small>.</p>
</li>
<li>
For zones whose times are taken from a city's longitude, use the
- traditional <var>x</var>MT notation, e.g. 'PMT' for
- Paris Mean Time.
- The only name like this in current use is 'GMT'.
+traditional <var>x</var>MT notation. The only abbreviation like this
+in current use is 'GMT'. The others are for timestamps before 1960,
+except that Monrovia Mean Time persisted until 1972. Typically,
+numeric abbreviations (e.g., '<code>-</code>004430' for MMT) would
+cause trouble here, as the numeric strings would exceed the POSIX length limit.
+
+<p><small>These abbreviations are:
+AMT Amsterdam, Asunción, Athens;
+BMT Baghdad, Bangkok, Batavia, Bern, Bogotá, Bridgetown, Brussels, Bucharest;
+CMT Calamarca, Caracas, Chisinau, Colón, Copenhagen, Córdoba;
+DMT Dublin/Dunsink;
+EMT Easter;
+FFMT Fort-de-France;
+FMT Funchal;
+GMT Greenwich;
+HMT Havana, Helsinki, Horta, Howrah;
+IMT Irkutsk, Istanbul;
+JMT Jerusalem;
+KMT Kaunas, Kiev, Kingston;
+LMT Lima, Lisbon, local, Luanda;
+MMT Macassar, Madras, Malé, Managua, Minsk, Monrovia, Montevideo, Moratuwa,
+ Moscow;
+PLMT Phù Liễn;
+PMT Paramaribo, Paris, Perm, Pontianak, Prague;
+PMMT Port Moresby;
+QMT Quito;
+RMT Rangoon, Riga, Rome;
+SDMT Santo Domingo;
+SJMT San José;
+SMT Santiago, Simferopol, Singapore, Stanley;
+TBMT Tbilisi;
+TMT Tallinn, Tehran;
+WMT Warsaw</small>.</p>
+
+<p><small>A few abbreviations also follow the pattern that
+GMT/BST established for time in the UK. They are:
+
+CMT/BST for Calamarca Mean Time and Bolivian Summer Time
+1890&ndash;1932, DMT/IST for Dublin/Dunsink Mean Time and Irish Summer Time
+1880&ndash;1916, MMT/MST/MDST for Moscow 1880&ndash;1919, and RMT/LST
+for Riga Mean Time and Latvian Summer time 1880&ndash;1926.
+An extra-special case is SET for Swedish Time (<em>svensk
+normaltid</em>) 1879&ndash;1899, 3&deg; west of the Stockholm
+Observatory.</small></p>
</li>
<li>
Use 'LMT' for local mean time of locations before the introduction
@@ -340,33 +428,7 @@
history tends to use numeric abbreviations and a particular
entry could go either way, use a numeric abbreviation.
</li>
-</ul>
- [The remaining guidelines predate the introduction of <code>%z</code>.
- They are problematic as they mean tz data entries invent
- notation rather than record it. These guidelines are now
- deprecated and the plan is to gradually move to <code>%z</code> for
- inhabited locations and to "<code>-</code>00" for uninhabited locations.]
-<ul>
<li>
- If there is no common English abbreviation, abbreviate the English
- translation of the usual phrase used by native speakers.
- If this is not available or is a phrase mentioning the country
- (e.g. "Cape Verde Time"), then:
- <ul>
- <li>
- When a country is identified with a single or principal zone,
- append 'T' to the country's ISO code, e.g. 'CVT' for
- Cape Verde Time. For summer time append 'ST';
- for double summer time append 'DST'; etc.
- </li>
- <li>
- Otherwise, take the first three letters of an English place
- name identifying each zone and append 'T', 'ST', etc.
- as before; e.g. 'CHAST' for CHAtham Summer Time.
- </li>
- </ul>
- </li>
- <li>
Use UT (with time zone abbreviation '<code>-</code>00') for
locations while uninhabited. The leading
'<code>-</code>' is a flag that the time
@@ -376,10 +438,10 @@
</ul>
<p>
Application writers should note that these abbreviations are ambiguous
-in practice: e.g. 'CST' has a different meaning in China than
-it does in the United States. In new applications, it's often better
-to use numeric UT offsets like '<code>-</code>0600' instead of time zone
-abbreviations like 'CST'; this avoids the ambiguity.
+in practice: e.g., 'CST' means one thing in China and something else
+in North America, and 'IST' can refer to time in India, Ireland or
+Israel. To avoid ambiguity, use numeric UT offsets like
+'<code>-</code>0600' instead of time zone abbreviations like 'CST'.
</p>
</section>
@@ -388,7 +450,7 @@
<h2 id="accuracy">Accuracy of the tz database</h2>
<p>
The tz database is not authoritative, and it surely has errors.
-Corrections are welcome and encouraged; see the file CONTRIBUTING.
+Corrections are welcome and encouraged; see the file <code>CONTRIBUTING</code>.
Users requiring authoritative data should consult national standards
bodies and the references cited in the database's comments.
</p>
@@ -598,7 +660,7 @@
and daylight saving time (DST) zone names.
Starting with POSIX.1-2001, <var>std</var>
and <var>dst</var> may also be
- in a quoted form like '<code>&lt;UTC+10&gt;</code>'; this allows
+ in a quoted form like '<code>&lt;+09&gt;</code>'; this allows
"<code>+</code>" and "<code>-</code>" in the names.
</dd>
<dt><var>offset</var></dt><dd>
@@ -646,7 +708,7 @@
</dd>
</dl>
Here is an example POSIX TZ string for New Zealand after 2007.
- It says that standard time (NZST) is 12 hours ahead of UTC,
+ It says that standard time (NZST) is 12 hours ahead of UT,
and that daylight saving time (NZDT) is observed from September's
last Sunday at 02:00 until April's first Sunday at 03:00:
@@ -678,7 +740,7 @@
applications that an administrator wants used only at certain
times &ndash;
without regard to whether the user has fiddled the TZ environment
- variable. While an administrator can "do everything in UTC" to get
+ variable. While an administrator can "do everything in UT" to get
around the problem, doing so is inconvenient and precludes handling
daylight saving time shifts - as might be required to limit phone
calls to off-peak hours.)
@@ -902,7 +964,7 @@
recent releases. For example, tz data files typically do not rely on
recently-added <code>zic</code> features, so that users can run
older <code>zic</code> versions to process newer data
-files. <a href="tz-link.htm">Sources for time zone and daylight
+files. <a href="tz-link.html">Sources for time zone and daylight
saving time data</a> describes how
releases are tagged and distributed.
</p>
@@ -1003,7 +1065,7 @@
Michael Allison and Robert Schmunk,
"<a href="https://www.giss.nasa.gov/tools/mars24/help/notes.html">Technical
Notes on Mars Solar Time as Adopted by the Mars24 Sunclock</a>"
-(2012-08-08).
+(2015-06-30).
</li>
<li>
Jia-Rui Chong,
Index: contrib/ntp/include/ntp_stdlib.h
===================================================================
--- contrib/ntp/include/ntp_stdlib.h (版本 330566)
+++ contrib/ntp/include/ntp_stdlib.h (版本 330908)
@@ -97,8 +97,8 @@
extern int ymd2yd (int, int, int);
/* a_md5encrypt.c */
-extern int MD5authdecrypt (int, const u_char *, u_int32 *, size_t, size_t);
-extern size_t MD5authencrypt (int, const u_char *, u_int32 *, size_t);
+extern int MD5authdecrypt (int, const u_char *, size_t, u_int32 *, size_t, size_t);
+extern size_t MD5authencrypt (int, const u_char *, size_t, u_int32 *, size_t);
extern void MD5auth_setkey (keyid_t, int, const u_char *, size_t, KeyAccT *c);
extern u_int32 addr2refid (sockaddr_u *);
Index: contrib/ntp/kernel/Makefile.in
===================================================================
--- contrib/ntp/kernel/Makefile.in (版本 330566)
+++ contrib/ntp/kernel/Makefile.in (版本 330908)
@@ -99,6 +99,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/html/drivers/driver40.html
===================================================================
--- contrib/ntp/html/drivers/driver40.html (版本 330566)
+++ contrib/ntp/html/drivers/driver40.html (版本 330908)
@@ -16,7 +16,7 @@
<body>
<h3>JJY Receivers</h3>
<p>Last update:
- <!-- #BeginDate format:En2m -->08-May-2016 00:00<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->12-Oct-2017 09:05<!-- #EndDate -->
UTC &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;<a href="driver40.html">ENGLISH</a> &nbsp; <a href="driver40-ja.html">JAPANESE</a></p>
<hr>
<h4>Synopsis</h4>
@@ -145,7 +145,8 @@
</li>
<li>
- <p><a name="mode-3">Echo Keisokuki Co.,Ltd. &nbsp; LT-2000</a> &nbsp; <a href="http://www.clock.co.jp/">http://www.clock.co.jp/</a> (Japanese only)</p><br>
+ <p><a name="mode-3">Echo Keisokuki Co.,Ltd. &nbsp; LT-2000</a> &nbsp; <!-- a href="http://www.clock.co.jp/" --></p><br>
+ <p>Echo Keisokuki was dissolved. Some business of the company was taken over by FreqTime Co., Ltd. in July, 2015.</p><br>
<dl>
<dt>NTP configuration ( ntp.conf )</dt>
<dd><br>
Index: contrib/ntp/html/ntpq.html
===================================================================
--- contrib/ntp/html/ntpq.html (版本 330566)
+++ contrib/ntp/html/ntpq.html (版本 330908)
@@ -11,7 +11,7 @@
<img src="pic/bustardfly.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>A typical NTP monitoring packet</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->31-Jan-2014 06:54<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->24-Jan-2018 08:35<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>More Help</h4>
@@ -71,7 +71,7 @@
<dt id="keyid"><tt>keyid <i>keyid</i></tt></dt>
<dd>This command specifies the key number to be used to authenticate configuration requests. This must correspond to a key ID configured in <tt>ntp.conf</tt> for this purpose.</dd>
<dt id="keytype"><tt>keytype</tt></dt>
- <dd>Specify the digest algorithm to use for authenticated requests, with default <tt>MD5</tt>. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. The current selections are: <tt>MD2</tt>, <tt>MD4</tt>, <tt>MD5</tt>, <tt>MDC2</tt>, <tt>RIPEMD160</tt>, <tt>SHA</tt> and <tt>SHA1</tt>.</dd>
+ <dd>Specify the digest algorithm to use for authenticated requests, with default <tt>MD5</tt>. If the OpenSSL library is installed, digest can be be any message digest algorithm supported by the library. The current selections are: <tt>MD2</tt>, <tt>MD4</tt>, <tt>MD5</tt>, <tt>MDC2</tt>, <tt>RIPEMD160</tt>, <tt>SHA</tt>, <tt>SHA1</tt>, and <tt>AES128CMAC</tt>.</dd>
<dt id="ntpversion"><tt>ntpversion 1 | 2 | 3 | 4</tt></dt>
<dd>Sets the NTP version number which <tt>ntpq</tt> claims in packets. Defaults to 2, Note that mode-6 control messages (and modes, for that matter) didn't exist in NTP version 1.</dd>
<dt id="passwd"><tt>passwd</tt></dt>
@@ -232,9 +232,16 @@
</tr>
<tr>
<td><tt>t</tt></td>
- <td><tt>u</tt>: unicast or manycast client, <tt>b</tt>:
- broadcast or multicast client, <tt>l</tt>: local (reference clock), <tt>s</tt>: symmetric (peer), <tt>A</tt>: manycast server, <tt>B</tt>:
- broadcast server, <tt>M</tt>: multicast server</td>
+ <td>
+ <tt>u</tt>: unicast or manycast client,
+ <tt>b</tt>: broadcast or multicast client,
+ <tt>p</tt>: pool source,
+ <tt>l</tt>: local (reference clock),
+ <tt>s</tt>: symmetric (peer),
+ <tt>A</tt>: manycast server,
+ <tt>B</tt>: broadcast server,
+ <tt>M</tt>: multicast server
+ </td>
</tr>
<tr>
<td><tt>when</tt></td>
Index: contrib/ntp/include/ntp_calendar.h
===================================================================
--- contrib/ntp/include/ntp_calendar.h (版本 330566)
+++ contrib/ntp/include/ntp_calendar.h (版本 330908)
@@ -382,7 +382,30 @@
extern int32_t
ntpcal_weekday_lt(int32_t /* rdn */, int32_t /* dow */);
+
/*
+ * handling of base date spec
+ */
+extern int32_t
+basedate_eval_buildstamp(void);
+
+extern int32_t
+basedate_eval_string(const char *str);
+
+extern int32_t
+basedate_set_day(int32_t dayno);
+
+extern uint32_t
+basedate_get_day(void);
+
+extern time_t
+basedate_get_eracenter(void);
+
+extern time_t
+basedate_get_erabase(void);
+
+
+/*
* Additional support stuff for Ed Rheingold's calendrical calculations
*/
Index: contrib/ntp/include/ntp_request.h
===================================================================
--- contrib/ntp/include/ntp_request.h (版本 330566)
+++ contrib/ntp/include/ntp_request.h (版本 330908)
@@ -141,7 +141,7 @@
req_data_u u; /* data area */
l_fp tstamp; /* time stamp, for authentication */
keyid_t keyid; /* (optional) encryption key */
- char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */
+ char mac[MAX_MDG_LEN]; /* (optional) auth code */
};
/*
@@ -151,7 +151,7 @@
struct req_pkt_tail {
l_fp tstamp; /* time stamp, for authentication */
keyid_t keyid; /* (optional) encryption key */
- char mac[MAX_MAC_LEN-sizeof(keyid_t)]; /* (optional) auth code */
+ char mac[MAX_MDG_LEN]; /* (optional) auth code */
};
/* MODE_PRIVATE request packet header length before optional items. */
@@ -513,6 +513,8 @@
u_int32 badauth; /* bad authentication */
u_int32 received; /* packets received */
u_int32 limitrejected; /* rate exceeded */
+ u_int32 lamport; /* Lamport violations */
+ u_int32 tsrounding; /* Timestamp rounding errors */
};
@@ -652,7 +654,7 @@
u_int32 addr; /* match address */
u_int32 mask; /* match mask */
u_int32 count; /* number of packets matched */
- u_short flags; /* restrict flags */
+ u_short rflags; /* restrict flags */
u_short mflags; /* match flags */
u_int v6_flag; /* is this v6 or not */
u_int unused1; /* unused, padding for addr6 */
@@ -667,6 +669,7 @@
struct conf_restrict {
u_int32 addr; /* match address */
u_int32 mask; /* match mask */
+ short ippeerlimit; /* ip peer limit */
u_short flags; /* restrict flags */
u_short mflags; /* match flags */
u_int v6_flag; /* is this v6 or not */
Index: contrib/ntp/include/ssl_applink.c
===================================================================
--- contrib/ntp/include/ssl_applink.c (版本 330566)
+++ contrib/ntp/include/ssl_applink.c (版本 330908)
@@ -27,10 +27,10 @@
#endif
#ifdef WRAP_DBG_MALLOC
-void *wrap_dbg_malloc(size_t s, const char *f, int l);
-void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l);
-void wrap_dbg_free(void *p);
-void wrap_dbg_free_ex(void *p, const char *f, int l);
+static void *wrap_dbg_malloc(size_t s, const char *f, int l);
+static void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l);
+static void wrap_dbg_free(void *p);
+static void wrap_dbg_free_ex(void *p, const char *f, int l);
#endif
@@ -42,17 +42,21 @@
ssl_applink(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+
# ifdef WRAP_DBG_MALLOC
CRYPTO_set_mem_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free_ex);
# else
OPENSSL_malloc_init();
# endif
-#else
+
+# else
+
# ifdef WRAP_DBG_MALLOC
CRYPTO_set_mem_ex_functions(wrap_dbg_malloc, wrap_dbg_realloc, wrap_dbg_free);
# else
CRYPTO_malloc_init();
# endif
+
#endif /* OpenSSL version cascade */
}
#else /* !OPENSSL || !SYS_WINNT */
@@ -66,7 +70,7 @@
* for DEBUG malloc/realloc/free (lacking block type).
* Simple wrappers convert.
*/
-void *wrap_dbg_malloc(size_t s, const char *f, int l)
+static void *wrap_dbg_malloc(size_t s, const char *f, int l)
{
void *ret;
@@ -74,7 +78,7 @@
return ret;
}
-void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l)
+static void *wrap_dbg_realloc(void *p, size_t s, const char *f, int l)
{
void *ret;
@@ -82,12 +86,12 @@
return ret;
}
-void wrap_dbg_free(void *p)
+static void wrap_dbg_free(void *p)
{
_free_dbg(p, _NORMAL_BLOCK);
}
-void wrap_dbg_free_ex(void *p, const char *f, int l)
+static void wrap_dbg_free_ex(void *p, const char *f, int l)
{
(void)f;
(void)l;
Index: contrib/tzdata/NEWS
===================================================================
--- contrib/tzdata/NEWS (版本 330566)
+++ contrib/tzdata/NEWS (版本 330908)
@@ -1,5 +1,147 @@
News for the tz database
+Release 2018c - 2018-01-22 23:00:44 -0800
+
+ Briefly:
+ Revert Irish changes that relied on negative DST offsets.
+
+ Changes to tm_isdst
+
+ Revert the 2018a change to Europe/Dublin. As before, this change
+ does not affect UT offsets or abbreviations; it affects only
+ whether timestamps are considered to be standard time or
+ daylight-saving time, as expressed in the tm_isdst flag of C's
+ struct tm type. This reversion is intended to be a temporary
+ workaround for problems discovered with downstream uses of
+ releases 2018a and 2018b, which implemented Irish time by using
+ negative DST offsets in the Eire rules of the 'europe' file.
+ Although negative DST offsets have been part of tzcode for many
+ years and are supported by many platforms, they were not
+ documented before 2018a and ICU and OpenJDK do not currently
+ support them. A mechanism to export data to platforms lacking
+ support for negative DST is planned to be developed before the
+ change is reapplied. (Problems reported by Deborah Goldsmith and
+ Stephen Colebourne.)
+
+ Changes to past time stamps
+
+ Japanese DST transitions (1948-1951) were Sundays at 00:00, not
+ Saturdays or Sundays at 02:00. (Thanks to Takayuki Nikai.)
+
+ Changes to build procedure
+
+ The build procedure now works around mawk 1.3.3's lack of support
+ for character class expressions. (Problem reported by Ohyama.)
+
+
+Release 2018b - 2018-01-17 23:24:48 -0800
+
+ Briefly:
+ Fix a packaging problem in tz2018a, which was missing 'pacificnew'.
+
+ Changes to build procedure
+
+ The distribution now contains the file 'pacificnew' again.
+ This file was inadvertantly omitted in the 2018a distribution.
+ (Problem reported by Matias Fonzo.)
+
+
+Release 2018a - 2018-01-12 22:29:21 -0800
+
+ Briefly:
+ São Tomé and Príncipe switched from +00 to +01.
+ Brazil's DST will now start on November's first Sunday.
+ Ireland's standard time is now in the summer, not the winter.
+ Use Debian-style installation locations, instead of 4.3BSD-style.
+ New zic option -t.
+
+ Changes to past and future time stamps
+
+ São Tomé and Príncipe switched from +00 to +01 on 2018-01-01 at
+ 01:00. (Thanks to Steffen Thorsen and Michael Deckers.)
+
+ Changes to future time stamps
+
+ Starting in 2018 southern Brazil will begin DST on November's
+ first Sunday instead of October's third Sunday. (Thanks to
+ Steffen Thorsen.)
+
+ Changes to past time stamps
+
+ A discrepancy of 4 s in timestamps before 1931 in South Sudan has
+ been corrected. The 'backzone' and 'zone.tab' files did not agree
+ with the 'africa' and 'zone1970.tab' files. (Problem reported by
+ Michael Deckers.)
+
+ The abbreviation invented for Bolivia Summer Time (1931-2) is now
+ BST instead of BOST, to be more consistent with the convention
+ used for Latvian Summer Time (1918-9) and for British Summer Time.
+
+ Changes to tm_isdst
+
+ Change Europe/Dublin so that it observes Irish Standard Time (UT
+ +01) in summer and GMT (as negative daylight-saving) in winter,
+ instead of observing standard time (GMT) in winter and Irish
+ Summer Time (UT +01) in summer. This change does not affect UT
+ offsets or abbreviations; it affects only whether timestamps are
+ considered to be standard time or daylight-saving time, as
+ expressed in the tm_isdst flag of C's struct tm type.
+ (Discrepancy noted by Derick Rethans.)
+
+ Changes to build procedure
+
+ The default installation locations have been changed to mostly
+ match Debian circa 2017, instead of being designed as an add-on to
+ 4.3BSD circa 1986. This affects the Makefile macros TOPDIR,
+ TZDIR, MANDIR, and LIBDIR. New Makefile macros TZDEFAULT, USRDIR,
+ USRSHAREDIR, BINDIR, ZDUMPDIR, and ZICDIR let installers tailor
+ locations more precisely. (This responds to suggestions from
+ Brian Inglis and from Steve Summit.)
+
+ The default installation procedure no longer creates the
+ backward-compatibility link US/Pacific-New, which causes
+ confusion during user setup (e.g., see Debian bug 815200).
+ Use 'make BACKWARD="backward pacificnew"' to create the link
+ anyway, for now. Eventually we plan to remove the link entirely.
+
+ tzdata.zi now contains a version-number comment.
+ (Suggested by Tom Lane.)
+
+ The Makefile now quotes values like BACKWARD more carefully when
+ passing them to the shell. (Problem reported by Zefram.)
+
+ Builders no longer need to specify -DHAVE_SNPRINTF on platforms
+ that have snprintf and use pre-C99 compilers. (Problem reported
+ by Jon Skeet.)
+
+ Changes to code
+
+ zic has a new option -t FILE that specifies the location of the
+ file that determines local time when TZ is unset. The default for
+ this location can be configured via the new TZDEFAULT makefile
+ macro, which defaults to /etc/localtime.
+
+ Diagnostics and commentary now distinguish UT from UTC more
+ carefully; see theory.html for more information about UT vs UTC.
+
+ zic has been ported to GCC 8's -Wstringop-truncation option.
+ (Problem reported by Martin Sebor.)
+
+ Changes to documentation and commentary
+
+ The zic man page now documents the longstanding behavior that
+ times and years can be out of the usual range, with negative times
+ counting backwards from midnight and with year 0 preceding year 1.
+ (Problem reported by Michael Deckers.)
+
+ The theory.html file now mentions the POSIX limit of six chars
+ per abbreviation, and lists alphabetic abbreviations used.
+
+ The files tz-art.htm and tz-link.htm have been renamed to
+ tz-art.html and tz-link.html, respectively, for consistency with
+ other file names and to simplify web server configuration.
+
+
Release 2017c - 2017-10-20 14:49:34 -0700
Briefly:
@@ -895,8 +1037,8 @@
(Thanks to Jon Skeet and Arthur David Olson.) Constraints on
simultaneity are now documented.
- The two characters '%z' in a zone format now stand for the UTC
- offset, e.g., '-07' for seven hours behind UTC and '+0530' for
+ The two characters '%z' in a zone format now stand for the UT
+ offset, e.g., '-07' for seven hours behind UT and '+0530' for
five hours and thirty minutes ahead. This better supports time
zone abbreviations conforming to POSIX.1-2001 and later.
@@ -1019,13 +1161,13 @@
The spring 1988 transition was 1988-10-09, not 1988-10-02.
The fall 1990 transition was 1990-03-11, not 1990-03-18.
- Assume no UTC offset change for Pacific/Easter on 1890-01-01,
+ Assume no UT offset change for Pacific/Easter on 1890-01-01,
and omit all transitions on Pacific/Easter from 1942 through 1946
since we have no data suggesting that they existed.
One more zone has been turned into a link, as it differed
from an existing zone only for older time stamps. As usual,
- this change affects UTC offsets in pre-1970 time stamps only.
+ this change affects UT offsets in pre-1970 time stamps only.
The zone's old contents have been moved to the 'backzone' file.
The affected zone is America/Montreal.
@@ -1055,7 +1197,7 @@
Some more zones have been turned into links, when they differed
from existing zones only for older time stamps. As usual,
- these changes affect UTC offsets in pre-1970 time stamps only.
+ these changes affect UT offsets in pre-1970 time stamps only.
Their old contents have been moved to the 'backzone' file.
The affected zones are: America/Antigua, America/Cayman,
Pacific/Midway, and Pacific/Saipan.
@@ -1107,7 +1249,7 @@
Some more zones have been turned into links, when they differed
from existing zones only for older time stamps. As usual,
- these changes affect UTC offsets in pre-1970 time stamps only.
+ these changes affect UT offsets in pre-1970 time stamps only.
Their old contents have been moved to the 'backzone' file.
The affected zones are: Asia/Aden, Asia/Bahrain, Asia/Kuwait,
and Asia/Muscat.
@@ -1154,7 +1296,7 @@
Some more zones have been turned into links, when they differed
from existing zones only for older time stamps. As usual,
- these changes affect UTC offsets in pre-1970 time stamps only.
+ these changes affect UT offsets in pre-1970 time stamps only.
Their old contents have been moved to the 'backzone' file.
The affected zones are: Africa/Addis_Ababa, Africa/Asmara,
Africa/Dar_es_Salaam, Africa/Djibouti, Africa/Kampala,
@@ -1244,7 +1386,7 @@
Some more zones have been turned into links, when they differed
from existing zones only for older timestamps. As usual,
- these changes affect UTC offsets in pre-1970 timestamps only.
+ these changes affect UT offsets in pre-1970 timestamps only.
Their old contents have been moved to the 'backzone' file.
The affected zones are: Africa/Blantyre, Africa/Bujumbura,
Africa/Gaborone, Africa/Harare, Africa/Kigali, Africa/Lubumbashi,
@@ -1329,7 +1471,7 @@
Some more zones have been turned into links, when they differed
from existing zones only for older timestamps. As usual,
- these changes affect UTC offsets in pre-1970 timestamps only.
+ these changes affect UT offsets in pre-1970 timestamps only.
Their old contents have been moved to the 'backzone' file.
The affected zones are: Africa/Bangui, Africa/Brazzaville,
Africa/Douala, Africa/Kinshasa, Africa/Libreville, Africa/Luanda,
@@ -1479,7 +1621,7 @@
standard and daylight saving time the abbreviations are AEST and AEDT
instead of the former EST for both; similarly, ACST/ACDT, ACWST/ACWDT,
and AWST/AWDT are now used instead of the former CST, CWST, and WST.
- This change does not affect UTC offsets, only time zone abbreviations.
+ This change does not affect UT offsets, only time zone abbreviations.
(Thanks to Rich Tibbett and many others.)
Asia/Novokuznetsk shifts from NOVT to KRAT (remaining on UT +07)
@@ -1516,8 +1658,8 @@
Treindl sent helpful translations of two papers by Guo Qingsheng.)
Some zones have been turned into links, when they differed from existing
- zones only for older UTC offsets where data entries were likely invented.
- These changes affect UTC offsets in pre-1970 timestamps only. This is
+ zones only for older UT offsets where data entries were likely invented.
+ These changes affect UT offsets in pre-1970 timestamps only. This is
similar to the change in release 2013e, except this time for western
Africa. The affected zones are: Africa/Bamako, Africa/Banjul,
Africa/Conakry, Africa/Dakar, Africa/Freetown, Africa/Lome,
Index: contrib/tzdata/australasia
===================================================================
--- contrib/tzdata/australasia (版本 330566)
+++ contrib/tzdata/australasia (版本 330908)
@@ -683,8 +683,8 @@
# From Steffen Thorsen (2012-07-25)
# ... we double checked by calling hotels and offices based in Tokelau asking
# about the time there, and they all told a time that agrees with UTC+13....
-# Shanks says UTC-10 from 1901 [but] ... there is a good chance the change
-# actually was to UTC-11 back then.
+# Shanks says UT-10 from 1901 [but] ... there is a good chance the change
+# actually was to UT-11 back then.
#
# From Paul Eggert (2012-07-25)
# A Google Books snippet of Appendix to the Journals of the House of
@@ -1450,7 +1450,7 @@
#
# From Paul Eggert (2006-03-22):
# The Department of Internal Affairs (DIA) maintains a brief history,
-# as does Carol Squires; see tz-link.htm for the full references.
+# as does Carol Squires; see tz-link.html for the full references.
# Use these sources in preference to Shanks & Pottenger.
#
# For Chatham, IATA SSIM (1991/1999) gives the NZ rules but with
Index: contrib/tzdata/leapseconds
===================================================================
--- contrib/tzdata/leapseconds (版本 330566)
+++ contrib/tzdata/leapseconds (版本 330908)
@@ -57,5 +57,5 @@
Leap 2015 Jun 30 23:59:60 + S
Leap 2016 Dec 31 23:59:60 + S
-# Updated through IERS Bulletin C54
-# File expires on: 28 June 2018
+# Updated through IERS Bulletin C55
+# File expires on: 28 December 2018
Index: contrib/tzdata/version
===================================================================
--- contrib/tzdata/version (版本 330566)
+++ contrib/tzdata/version (版本 330908)
@@ -1 +1 @@
-2017c
+2018c
Index: contrib/ntp/ChangeLog
===================================================================
--- contrib/ntp/ChangeLog (版本 330566)
+++ contrib/ntp/ChangeLog (版本 330908)
@@ -1,7 +1,108 @@
---
-(4.2.8p10-win-beta1) 2017/03/21 Released by Harlan Stenn <stenn@ntp.org>
-(4.2.8p10)
+* [Sec 3454] Unauthenticated packet can reset authenticated interleave
+ associations. HStenn.
+* [Sec 3453] Interleaved symmetric mode cannot recover from bad state. HStenn.
+* [Sec 3415] Permit blocking authenticated symmetric/passive associations.
+ Implement ippeerlimit. HStenn, JPerlinger.
+* [Sec 3414] ntpq: decodearr() can write beyond its 'buf' limits
+ - initial patch by <stenn@ntp.org>, extended by <perlinger@ntp.org>
+* [Sec 3412] ctl_getitem(): Don't compare names past NUL. <perlinger@ntp.org>
+* [Sec 3012] Sybil vulnerability: noepeer support. HStenn, JPerlinger.
+* [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
+* [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
+ - applied patch by Sean Haugh
+* [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
+* [Bug 3450] Dubious error messages from plausibility checks in get_systime()
+ - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
+* [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
+ - refactoring the MAC code, too
+* [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
+* [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
+ - applied patch by ggarvey
+* [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
+ - applied patch by ggarvey (with minor mods)
+* [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
+ - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
+* [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
+* [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
+* [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
+ - fixed several issues with hash algos in ntpd, sntp, ntpq,
+ ntpdc and the test suites <perlinger@ntp.org>
+* [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
+ - initial patch by Daniel Pouzzner
+* [Bug 3423] QNX adjtime() implementation error checking is
+ wrong <perlinger@ntp.org>
+* [Bug 3417] ntpq ifstats packet counters can be negative
+ made IFSTATS counter quantities unsigned <perlinger@ntp.org>
+* [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
+ - raised receive buffer size to 1200 <perlinger@ntp.org>
+* [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
+ analysis tool. <abe@ntp.org>
+* [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
+* [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
+ - fix/drop assumptions on OpenSSL libs directory layout
+* [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
+ - initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
+* [Bug 3398] tests fail with core dump <perlinger@ntp.org>
+ - patch contributed by Alexander Bluhm
+* [Bug 3397] ctl_putstr() asserts that data fits in its buffer
+ rework of formatting & data transfer stuff in 'ntp_control.c'
+ avoids unecessary buffers and size limitations. <perlinger@ntp.org>
+* [Bug 3394] Leap second deletion does not work on ntpd clients
+ - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
+* [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
+ - increased mimimum stack size to 32kB <perlinger@ntp.org>
+* [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
+ - reverted handling of PPS kernel consumer to 4.2.6 behavior
+* [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
+* [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
+* [Bug 3016] wrong error position reported for bad ":config pool"
+ - fixed location counter & ntpq output <perlinger@ntp.org>
+* [Bug 2900] libntp build order problem. HStenn.
+* [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
+* [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
+ perlinger@ntp.org
+* [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
+* [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
+* Use strlcpy() to copy strings, not memcpy(). HStenn.
+* Typos. HStenn.
+* test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
+* refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
+* Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
+* Fix trivial warnings from 'make check'. perlinger@ntp.org
+* Fix bug in the override portion of the compiler hardening macro. HStenn.
+* record_raw_stats(): Log entire packet. Log writes. HStenn.
+* AES-128-CMAC support. BInglis, HStenn, JPerlinger.
+* sntp: tweak key file logging. HStenn.
+* sntp: pkt_output(): Improve debug output. HStenn.
+* update-leap: updates from Paul McMath.
+* When using pkg-config, report --modversion. HStenn.
+* Clean up libevent configure checks. HStenn.
+* sntp: show the IP of who sent us a crypto-NAK. HStenn.
+* Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
+* authistrustedip() - use it in more places. HStenn, JPerlinger.
+* New sysstats: sys_lamport, sys_tsrounding. HStenn.
+* Update ntp.keys .../N documentation. HStenn.
+* Distribute testconf.yml. HStenn.
+* Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
+* Rename the configuration flag fifo variables. HStenn.
+* Improve saveconfig output. HStenn.
+* Decode restrict flags on receive() debug output. HStenn.
+* Decode interface flags on receive() debug output. HStenn.
+* Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
+* Update the documentation in ntp.conf.def . HStenn.
+* restrictions() must return restrict flags and ippeerlimit. HStenn.
+* Update ntpq peer documentation to describe the 'p' type. HStenn.
+* Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn.
+* Provide dump_restricts() for debugging. HStenn.
+* Use consistent 4th arg type for [gs]etsockopt. JPerlinger.
+* Some tests might need LIBM. HStenn.
+* update-leap: Allow -h/--help early. HStenn.
+
+---
+(4.2.8p10) 2017/03/21 Released by Harlan Stenn <stenn@ntp.org>
+
* [Sec 3389] NTP-01-016: Denial of Service via Malformed Config
(Pentest report 01.2017) <perlinger@ntp.org>
* [Sec 3388] NTP-01-014: Buffer Overflow in DPTS Clock
Index: contrib/ntp/aclocal.m4
===================================================================
--- contrib/ntp/aclocal.m4 (版本 330566)
+++ contrib/ntp/aclocal.m4 (版本 330908)
@@ -1339,6 +1339,7 @@
m4_include([sntp/m4/ltsugar.m4])
m4_include([sntp/m4/ltversion.m4])
m4_include([sntp/m4/lt~obsolete.m4])
+m4_include([sntp/m4/ntp_af_unspec.m4])
m4_include([sntp/m4/ntp_cacheversion.m4])
m4_include([sntp/m4/ntp_compiler.m4])
m4_include([sntp/m4/ntp_crosscompile.m4])
Index: contrib/ntp/configure.ac
===================================================================
--- contrib/ntp/configure.ac (版本 330566)
+++ contrib/ntp/configure.ac (版本 330908)
@@ -528,6 +528,8 @@
#endif
])
+NTP_AF_UNSPEC
+
AC_TYPE_SIGNAL
AC_TYPE_OFF_T
AC_STRUCT_TM dnl defines TM_IN_SYS_TIME used by refclock_parse.c
Index: contrib/ntp/html/drivers/driver18.html
===================================================================
--- contrib/ntp/html/drivers/driver18.html (版本 330566)
+++ contrib/ntp/html/drivers/driver18.html (版本 330908)
@@ -10,7 +10,7 @@
<h3>NIST/USNO/PTB Modem Time Services</h3>
<p>Author: David L. Mills (mills@udel.edu)<br>
Last update:
- <!-- #BeginDate format:En2m -->1-Dec-2012 10:44<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->12-Oct-2017 08:13<!-- #EndDate -->
UTC</p>
<hr>
<h4>Synopsis</h4>
@@ -43,7 +43,7 @@
...</tt></p>
<p><tt>MJD</tt>, <tt>YR</tt>, <tt>ST</tt>, <tt>UT1</tt> and <tt>UTC(NIST)</tt> are not used by this driver. The <tt>&lt;OTM&gt;</tt> on-time character &quot;<tt>*</tt>&quot; changes to &quot;<tt>#</tt>&quot;&nbsp;when the delay correction is valid.</p>
<p><a href="http://tycho.usno.navy.mil">US Naval Observatory (USNO)</a></p>
-<p>Phone: (202) 762-1594 (Washington, DC); (719) 567-6742 (Boulder, CO)</p>
+<p>Phone: (202) 762-1594 (Washington, DC); (719) 567-6743 (Colorado Springs, CO)</p>
<p><a href="http://tycho.usno.navy.mil/modem_time.html">Data Format</a> (two lines, repeating at one-second intervals)</p>
<p><tt>jjjjj nnn hhmmss UTC</tt></p>
<p>* on-time character for previous timecode message<br>
Index: contrib/ntp/html/monopt.html
===================================================================
--- contrib/ntp/html/monopt.html (版本 330566)
+++ contrib/ntp/html/monopt.html (版本 330908)
@@ -11,7 +11,7 @@
<img src="pic/pogo8.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html"></a> from <i>Pogo</i>, Walt Kelly</a>
<p>Pig was hired to watch the logs.</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->14-Feb-2016 09:38<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->7-Dec-2017 10:17<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
@@ -341,8 +341,10 @@
the <a href="decode.html">Event Messages and Status Words</a> page.</dd>
<dt><tt>rawstats</tt></dt>
<dd>Record timestamp statistics. Each NTP packet received appends one line to
- the <tt>rawstats</tt> file set:</dd>
+the <tt>rawstats</tt> file set. As of ntp-4.2.8p11, each NTP packet written appends one line to the <tt>rawstats</tt> file set, as well. The format of this line is:</dd>
<dd><tt>56285 54575.160 128.4.1.1 192.168.1.5 3565350574.400229473 3565350574.442385200 3565350574.442436000 3565350575.154505763 0 4 4 1 8 -21 0.000000 0.000320 .PPS.</tt></dd>
+ <dd><tt>56285 54575.160 128.4.1.1 192.168.1.5 3565350574.400229473 3565350574.442385200 3565350574.442436000 3565350575.154505763 0 4 4 1 8 -21 0.000000 0.000320 .PPS. 4: 0000</tt></dd>
+ </tt></dd>
<dd>
<table width="100%" border="1" cellspacing="2" cellpadding="2">
<tr>
@@ -431,10 +433,24 @@
<td>total dispersion to the primary reference clock</td>
</tr>
<tr>
- <td><tt>PPS.</tt></td>
- <td>IP or text</td>
- <td>refid, association ID</td>
+ <td><tt>.PPS.</tt></td>
+ <td>REFID</td>
+ <td>system peer, association ID</td>
</tr>
+ <tr>
+ <td></td>
+ <td></td>
+ <td>If there is data beyond the base packet:</td>
+ </tr>
+ <tr>
+ <td><tt>4:</tt></td>
+ <td>Integer</td>
+ <td>Length, in bytes</td>
+ </tr>
+ <tr>
+ <td><tt>0000</tt></td>
+ <td>Hex data</td>
+ </tr>
</table>
</dd>
<dt><tt>sysstats</tt></dt>
@@ -516,7 +532,7 @@
</table>
</dd>
<dt><tt>timingstats</tt></dt>
- <dd>(Only available when the deamon is compiled with process time debugging
+ <dd>(Only available when the daemon is compiled with process time debugging
support (--enable-debug-timing - costs performance). Record processing time
statistics for various selected code paths.</dd>
<dd><tt>53876 36.920 10.0.3.5 1 0.000014592 input processing delay</tt></dd>
Index: contrib/ntp/include/ntp.h
===================================================================
--- contrib/ntp/include/ntp.h (版本 330566)
+++ contrib/ntp/include/ntp.h (版本 330908)
@@ -553,11 +553,13 @@
l_fp rec; /* receive time stamp */
l_fp xmt; /* transmit time stamp */
-#define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */
-#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */
-#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */
-#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */
+#define MIN_V4_PKT_LEN (12 * sizeof(u_int32)) /* min header length */
+#define LEN_PKT_NOMAC (12 * sizeof(u_int32)) /* min header length */
+#define MIN_MAC_LEN (1 * sizeof(u_int32)) /* crypto_NAK */
+#define MAX_MD5_LEN (5 * sizeof(u_int32)) /* MD5 */
#define MAX_MAC_LEN (6 * sizeof(u_int32)) /* SHA */
+#define KEY_MAC_LEN sizeof(u_int32) /* key ID in MAC */
+#define MAX_MDG_LEN (MAX_MAC_LEN-KEY_MAC_LEN) /* max. digest len */
/*
* The length of the packet less MAC must be a multiple of 64
@@ -822,11 +824,12 @@
typedef struct restrict_u_tag restrict_u;
struct restrict_u_tag {
- restrict_u * link; /* link to next entry */
- u_int32 count; /* number of packets matched */
- u_short flags; /* accesslist flags */
- u_short mflags; /* match flags */
- u_long expire; /* valid until time */
+ restrict_u * link; /* link to next entry */
+ u_int32 count; /* number of packets matched */
+ u_short rflags; /* restrict (accesslist) flags */
+ u_short mflags; /* match flags */
+ short ippeerlimit; /* IP peer limit */
+ u_long expire; /* valid until time */
union { /* variant starting here */
res_addr4 v4;
res_addr6 v6;
@@ -837,8 +840,18 @@
#define V6_SIZEOF_RESTRICT_U (offsetof(restrict_u, u) \
+ sizeof(res_addr6))
+typedef struct r4addr_tag r4addr;
+struct r4addr_tag {
+ u_short rflags; /* match flags */
+ short ippeerlimit; /* IP peer limit */
+};
+
+char *build_iflags(u_int32 flags);
+char *build_mflags(u_short mflags);
+char *build_rflags(u_short rflags);
+
/*
- * Access flags
+ * Restrict (Access) flags (rflags)
*/
#define RES_IGNORE 0x0001 /* ignore packet */
#define RES_DONTSERVE 0x0002 /* access denied */
@@ -845,20 +858,22 @@
#define RES_DONTTRUST 0x0004 /* authentication required */
#define RES_VERSION 0x0008 /* version mismatch */
#define RES_NOPEER 0x0010 /* new association denied */
-#define RES_LIMITED 0x0020 /* packet rate exceeded */
+#define RES_NOEPEER 0x0020 /* new ephemeral association denied */
+#define RES_LIMITED 0x0040 /* packet rate exceeded */
#define RES_FLAGS (RES_IGNORE | RES_DONTSERVE |\
RES_DONTTRUST | RES_VERSION |\
- RES_NOPEER | RES_LIMITED)
+ RES_NOPEER | RES_NOEPEER | RES_LIMITED)
-#define RES_NOQUERY 0x0040 /* mode 6/7 packet denied */
-#define RES_NOMODIFY 0x0080 /* mode 6/7 modify denied */
-#define RES_NOTRAP 0x0100 /* mode 6/7 set trap denied */
-#define RES_LPTRAP 0x0200 /* mode 6/7 low priority trap */
+#define RES_NOQUERY 0x0080 /* mode 6/7 packet denied */
+#define RES_NOMODIFY 0x0100 /* mode 6/7 modify denied */
+#define RES_NOTRAP 0x0200 /* mode 6/7 set trap denied */
+#define RES_LPTRAP 0x0400 /* mode 6/7 low priority trap */
-#define RES_KOD 0x0400 /* send kiss of death packet */
-#define RES_MSSNTP 0x0800 /* enable MS-SNTP authentication */
-#define RES_FLAKE 0x1000 /* flakeway - drop 10% */
-#define RES_NOMRULIST 0x2000 /* mode 6 mrulist denied */
+#define RES_KOD 0x0800 /* send kiss of death packet */
+#define RES_MSSNTP 0x1000 /* enable MS-SNTP authentication */
+#define RES_FLAKE 0x2000 /* flakeway - drop 10% */
+#define RES_NOMRULIST 0x4000 /* mode 6 mrulist denied */
+#define RES_UNUSED 0x8000 /* Unused flag bits */
#define RES_ALLFLAGS (RES_FLAGS | RES_NOQUERY | \
RES_NOMODIFY | RES_NOTRAP | \
@@ -867,7 +882,7 @@
RES_NOMRULIST)
/*
- * Match flags
+ * Match flags (mflags)
*/
#define RESM_INTERFACE 0x1000 /* this is an interface */
#define RESM_NTPONLY 0x2000 /* match source port 123 */
@@ -876,10 +891,13 @@
/*
* Restriction configuration ops
*/
-#define RESTRICT_FLAGS 1 /* add flags to restrict entry */
-#define RESTRICT_UNFLAG 2 /* remove flags from restrict entry */
-#define RESTRICT_REMOVE 3 /* remove a restrict entry */
-#define RESTRICT_REMOVEIF 4 /* remove an interface restrict entry */
+typedef enum
+restrict_ops {
+ RESTRICT_FLAGS = 1, /* add rflags to restrict entry */
+ RESTRICT_UNFLAG, /* remove rflags from restrict entry */
+ RESTRICT_REMOVE, /* remove a restrict entry */
+ RESTRICT_REMOVEIF, /* remove an interface restrict entry */
+} restrict_op;
/*
* Endpoint structure for the select algorithm
Index: contrib/ntp/include/ntp_keyacc.h
===================================================================
--- contrib/ntp/include/ntp_keyacc.h (版本 330566)
+++ contrib/ntp/include/ntp_keyacc.h (版本 330908)
@@ -8,12 +8,18 @@
struct keyaccess {
KeyAccT * next;
sockaddr_u addr;
+ unsigned int subnetbits;
};
-extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr);
+extern KeyAccT* keyacc_new_push(KeyAccT *head, const sockaddr_u *addr,
+ unsigned int subnetbits);
extern KeyAccT* keyacc_pop_free(KeyAccT *head);
extern KeyAccT* keyacc_all_free(KeyAccT *head);
extern int keyacc_contains(const KeyAccT *head, const sockaddr_u *addr,
int res_on_empty_list);
+/* public for testability: */
+extern int keyacc_amatch(const sockaddr_u *,const sockaddr_u *,
+ unsigned int mbits);
+
#endif /* NTP_KEYACC_H */
Index: contrib/ntp/include/recvbuff.h
===================================================================
--- contrib/ntp/include/recvbuff.h (版本 330566)
+++ contrib/ntp/include/recvbuff.h (版本 330908)
@@ -39,9 +39,10 @@
/*
* the maximum length NTP packet contains the NTP header, one Autokey
* request, one Autokey response and the MAC. Assuming certificates don't
- * get too big, the maximum packet length is set arbitrarily at 1000.
+ * get too big, the maximum packet length is set arbitrarily at 1200.
+ * (was 1000, but that bumps on 2048 RSA keys)
*/
-#define RX_BUFF_SIZE 1000 /* hail Mary */
+#define RX_BUFF_SIZE 1200 /* hail Mary */
typedef struct recvbuf recvbuf_t;
Index: contrib/tzdata/zone1970.tab
===================================================================
--- contrib/tzdata/zone1970.tab (版本 330566)
+++ contrib/tzdata/zone1970.tab (版本 330908)
@@ -133,7 +133,7 @@
CA +6404-13925 America/Dawson Pacific - Yukon (north)
CC -1210+09655 Indian/Cocos
CH,DE,LI +4723+00832 Europe/Zurich Swiss time
-CI,BF,GM,GN,ML,MR,SH,SL,SN,ST,TG +0519-00402 Africa/Abidjan
+CI,BF,GM,GN,ML,MR,SH,SL,SN,TG +0519-00402 Africa/Abidjan
CK -2114-15946 Pacific/Rarotonga
CL -3327-07040 America/Santiago Chile (most areas)
CL -5309-07055 America/Punta_Arenas Region of Magallanes
@@ -322,6 +322,7 @@
SG +0117+10351 Asia/Singapore
SR +0550-05510 America/Paramaribo
SS +0451+03137 Africa/Juba
+ST +0020+00644 Africa/Sao_Tome
SV +1342-08912 America/El_Salvador
SY +3330+03618 Asia/Damascus
TC +2128-07108 America/Grand_Turk
Index: contrib/ntp/libntp/Makefile.in
===================================================================
--- contrib/ntp/libntp/Makefile.in (版本 330566)
+++ contrib/ntp/libntp/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/libntp/authreadkeys.c
===================================================================
--- contrib/ntp/libntp/authreadkeys.c (版本 330566)
+++ contrib/ntp/libntp/authreadkeys.c (版本 330908)
@@ -5,8 +5,8 @@
#include <stdio.h>
#include <ctype.h>
-#include "ntpd.h" /* Only for DPRINTF */
-#include "ntp_fp.h"
+//#include "ntpd.h" /* Only for DPRINTF */
+//#include "ntp_fp.h"
#include "ntp.h"
#include "ntp_syslog.h"
#include "ntp_stdlib.h"
@@ -148,6 +148,7 @@
u_int nerr;
KeyDataT *list = NULL;
KeyDataT *next = NULL;
+
/*
* Open file. Complain and return if it can't be opened.
*/
@@ -220,7 +221,8 @@
log_maybe(NULL,
"authreadkeys: invalid type for key %d",
keyno);
- } else if (EVP_get_digestbynid(keytype) == NULL) {
+ } else if (NID_cmac != keytype &&
+ EVP_get_digestbynid(keytype) == NULL) {
log_maybe(NULL,
"authreadkeys: no algorithm for key %d",
keyno);
@@ -295,22 +297,55 @@
}
token = nexttok(&line);
- DPRINTF(0, ("authreadkeys: full access list <%s>\n", (token) ? token : "NULL"));
if (token != NULL) { /* A comma-separated IP access list */
char *tp = token;
while (tp) {
char *i;
+ char *snp; /* subnet text pointer */
+ unsigned int snbits;
sockaddr_u addr;
i = strchr(tp, (int)',');
- if (i)
+ if (i) {
*i = '\0';
- DPRINTF(0, ("authreadkeys: access list: <%s>\n", tp));
+ }
+ snp = strchr(tp, (int)'/');
+ if (snp) {
+ char *sp;
+ *snp++ = '\0';
+ snbits = 0;
+ sp = snp;
+
+ while (*sp != '\0') {
+ if (!isdigit((unsigned char)*sp))
+ break;
+ if (snbits > 1000)
+ break; /* overflow */
+ snbits = 10 * snbits + (*sp++ - '0'); /* ascii dependent */
+ }
+ if (*sp != '\0') {
+ log_maybe(&nerr,
+ "authreadkeys: Invalid character in subnet specification for <%s/%s> in key %d",
+ sp, snp, keyno);
+ goto nextip;
+ }
+ } else {
+ snbits = UINT_MAX;
+ }
+
if (is_ip_address(tp, AF_UNSPEC, &addr)) {
- next->keyacclist = keyacc_new_push(
- next->keyacclist, &addr);
+ /* Make sure that snbits is valid for addr */
+ if ((snbits < UINT_MAX) &&
+ ( (IS_IPV4(&addr) && snbits > 32) ||
+ (IS_IPV6(&addr) && snbits > 128))) {
+ log_maybe(NULL,
+ "authreadkeys: excessive subnet mask <%s/%s> for key %d",
+ tp, snp, keyno);
+ }
+ next->keyacclist = keyacc_new_push(
+ next->keyacclist, &addr, snbits);
} else {
log_maybe(&nerr,
"authreadkeys: invalid IP address <%s> for key %d",
@@ -317,6 +352,7 @@
tp, keyno);
}
+ nextip:
if (i) {
tp = i + 1;
} else {
Index: contrib/ntp/libntp/statestr.c
===================================================================
--- contrib/ntp/libntp/statestr.c (版本 330566)
+++ contrib/ntp/libntp/statestr.c (版本 330908)
@@ -22,7 +22,8 @@
*/
struct codestring {
int code;
- const char * const string;
+ const char * const string1;
+ const char * const string0;
};
/*
@@ -29,11 +30,11 @@
* Leap status (leap)
*/
static const struct codestring leap_codes[] = {
- { LEAP_NOWARNING, "leap_none" },
- { LEAP_ADDSECOND, "leap_add_sec" },
- { LEAP_DELSECOND, "leap_del_sec" },
- { LEAP_NOTINSYNC, "leap_alarm" },
- { -1, "leap" }
+ { LEAP_NOWARNING, "leap_none", 0 },
+ { LEAP_ADDSECOND, "leap_add_sec", 0 },
+ { LEAP_DELSECOND, "leap_del_sec", 0 },
+ { LEAP_NOTINSYNC, "leap_alarm", 0 },
+ { -1, "leap", 0 }
};
/*
@@ -40,17 +41,17 @@
* Clock source status (sync)
*/
static const struct codestring sync_codes[] = {
- { CTL_SST_TS_UNSPEC, "sync_unspec" },
- { CTL_SST_TS_ATOM, "sync_pps" },
- { CTL_SST_TS_LF, "sync_lf_radio" },
- { CTL_SST_TS_HF, "sync_hf_radio" },
- { CTL_SST_TS_UHF, "sync_uhf_radio" },
- { CTL_SST_TS_LOCAL, "sync_local" },
- { CTL_SST_TS_NTP, "sync_ntp" },
- { CTL_SST_TS_UDPTIME, "sync_other" },
- { CTL_SST_TS_WRSTWTCH, "sync_wristwatch" },
- { CTL_SST_TS_TELEPHONE, "sync_telephone" },
- { -1, "sync" }
+ { CTL_SST_TS_UNSPEC, "sync_unspec", 0 },
+ { CTL_SST_TS_ATOM, "sync_pps", 0 },
+ { CTL_SST_TS_LF, "sync_lf_radio", 0 },
+ { CTL_SST_TS_HF, "sync_hf_radio", 0 },
+ { CTL_SST_TS_UHF, "sync_uhf_radio", 0 },
+ { CTL_SST_TS_LOCAL, "sync_local", 0 },
+ { CTL_SST_TS_NTP, "sync_ntp", 0 },
+ { CTL_SST_TS_UDPTIME, "sync_other", 0 },
+ { CTL_SST_TS_WRSTWTCH, "sync_wristwatch", 0 },
+ { CTL_SST_TS_TELEPHONE, "sync_telephone", 0 },
+ { -1, "sync", 0 }
};
/*
@@ -57,15 +58,15 @@
* Peer selection status (sel)
*/
static const struct codestring select_codes[] = {
- { CTL_PST_SEL_REJECT, "sel_reject" },
- { CTL_PST_SEL_SANE, "sel_falsetick" },
- { CTL_PST_SEL_CORRECT, "sel_excess" },
- { CTL_PST_SEL_SELCAND, "sel_outlier" },
- { CTL_PST_SEL_SYNCCAND, "sel_candidate" },
- { CTL_PST_SEL_EXCESS, "sel_backup" },
- { CTL_PST_SEL_SYSPEER, "sel_sys.peer" },
- { CTL_PST_SEL_PPS, "sel_pps.peer" },
- { -1, "sel" }
+ { CTL_PST_SEL_REJECT, "sel_reject", 0 },
+ { CTL_PST_SEL_SANE, "sel_falsetick", 0 },
+ { CTL_PST_SEL_CORRECT, "sel_excess", 0 },
+ { CTL_PST_SEL_SELCAND, "sel_outlier", 0 },
+ { CTL_PST_SEL_SYNCCAND, "sel_candidate", 0 },
+ { CTL_PST_SEL_EXCESS, "sel_backup", 0 },
+ { CTL_PST_SEL_SYSPEER, "sel_sys.peer", 0 },
+ { CTL_PST_SEL_PPS, "sel_pps.peer", 0 },
+ { -1, "sel", 0 }
};
/*
@@ -72,14 +73,14 @@
* Clock status (clk)
*/
static const struct codestring clock_codes[] = {
- { CTL_CLK_OKAY, "clk_unspec" },
- { CTL_CLK_NOREPLY, "clk_no_reply" },
- { CTL_CLK_BADFORMAT, "clk_bad_format" },
- { CTL_CLK_FAULT, "clk_fault" },
- { CTL_CLK_PROPAGATION, "clk_bad_signal" },
- { CTL_CLK_BADDATE, "clk_bad_date" },
- { CTL_CLK_BADTIME, "clk_bad_time" },
- { -1, "clk" }
+ { CTL_CLK_OKAY, "clk_unspec", 0 },
+ { CTL_CLK_NOREPLY, "clk_no_reply", 0 },
+ { CTL_CLK_BADFORMAT, "clk_bad_format", 0 },
+ { CTL_CLK_FAULT, "clk_fault", 0 },
+ { CTL_CLK_PROPAGATION, "clk_bad_signal", 0 },
+ { CTL_CLK_BADDATE, "clk_bad_date", 0 },
+ { CTL_CLK_BADTIME, "clk_bad_time", 0 },
+ { -1, "clk", 0 }
};
@@ -88,20 +89,20 @@
* Flash bits -- see ntpq.c tstflags & tstflagnames
*/
static const struct codestring flash_codes[] = {
- { TEST1, "pkt_dup" },
- { TEST2, "pkt_bogus" },
- { TEST3, "pkt_unsync" },
- { TEST4, "pkt_denied" },
- { TEST5, "pkt_auth" },
- { TEST6, "pkt_stratum" },
- { TEST7, "pkt_header" },
- { TEST8, "pkt_autokey" },
- { TEST9, "pkt_crypto" },
- { TEST10, "peer_stratum" },
- { TEST11, "peer_dist" },
- { TEST12, "peer_loop" },
- { TEST13, "peer_unreach" },
- { -1, "flash" }
+ { TEST1, "pkt_dup", 0 },
+ { TEST2, "pkt_bogus", 0 },
+ { TEST3, "pkt_unsync", 0 },
+ { TEST4, "pkt_denied", 0 },
+ { TEST5, "pkt_auth", 0 },
+ { TEST6, "pkt_stratum", 0 },
+ { TEST7, "pkt_header", 0 },
+ { TEST8, "pkt_autokey", 0 },
+ { TEST9, "pkt_crypto", 0 },
+ { TEST10, "peer_stratum", 0 },
+ { TEST11, "peer_dist", 0 },
+ { TEST12, "peer_loop", 0 },
+ { TEST13, "peer_unreach", 0 },
+ { -1, "flash", 0 }
};
#endif
@@ -110,23 +111,23 @@
* System events (sys)
*/
static const struct codestring sys_codes[] = {
- { EVNT_UNSPEC, "unspecified" },
- { EVNT_NSET, "freq_not_set" },
- { EVNT_FSET, "freq_set" },
- { EVNT_SPIK, "spike_detect" },
- { EVNT_FREQ, "freq_mode" },
- { EVNT_SYNC, "clock_sync" },
- { EVNT_SYSRESTART, "restart" },
- { EVNT_SYSFAULT, "panic_stop" },
- { EVNT_NOPEER, "no_sys_peer" },
- { EVNT_ARMED, "leap_armed" },
- { EVNT_DISARMED, "leap_disarmed" },
- { EVNT_LEAP, "leap_event" },
- { EVNT_CLOCKRESET, "clock_step" },
- { EVNT_KERN, "kern" },
- { EVNT_TAI, "TAI" },
- { EVNT_LEAPVAL, "stale_leapsecond_values" },
- { -1, "" }
+ { EVNT_UNSPEC, "unspecified", 0 },
+ { EVNT_NSET, "freq_not_set", 0 },
+ { EVNT_FSET, "freq_set", 0 },
+ { EVNT_SPIK, "spike_detect", 0 },
+ { EVNT_FREQ, "freq_mode", 0 },
+ { EVNT_SYNC, "clock_sync", 0 },
+ { EVNT_SYSRESTART, "restart", 0 },
+ { EVNT_SYSFAULT, "panic_stop", 0 },
+ { EVNT_NOPEER, "no_sys_peer", 0 },
+ { EVNT_ARMED, "leap_armed", 0 },
+ { EVNT_DISARMED, "leap_disarmed", 0 },
+ { EVNT_LEAP, "leap_event", 0 },
+ { EVNT_CLOCKRESET, "clock_step", 0 },
+ { EVNT_KERN, "kern", 0 },
+ { EVNT_TAI, "TAI", 0 },
+ { EVNT_LEAPVAL, "stale_leapsecond_values", 0 },
+ { -1, "", 0 }
};
/*
@@ -133,22 +134,22 @@
* Peer events (peer)
*/
static const struct codestring peer_codes[] = {
- { PEVNT_MOBIL & ~PEER_EVENT, "mobilize" },
- { PEVNT_DEMOBIL & ~PEER_EVENT, "demobilize" },
- { PEVNT_UNREACH & ~PEER_EVENT, "unreachable" },
- { PEVNT_REACH & ~PEER_EVENT, "reachable" },
- { PEVNT_RESTART & ~PEER_EVENT, "restart" },
- { PEVNT_REPLY & ~PEER_EVENT, "no_reply" },
- { PEVNT_RATE & ~PEER_EVENT, "rate_exceeded" },
- { PEVNT_DENY & ~PEER_EVENT, "access_denied" },
- { PEVNT_ARMED & ~PEER_EVENT, "leap_armed" },
- { PEVNT_NEWPEER & ~PEER_EVENT, "sys_peer" },
- { PEVNT_CLOCK & ~PEER_EVENT, "clock_event" },
- { PEVNT_AUTH & ~PEER_EVENT, "bad_auth" },
- { PEVNT_POPCORN & ~PEER_EVENT, "popcorn" },
- { PEVNT_XLEAVE & ~PEER_EVENT, "interleave_mode" },
- { PEVNT_XERR & ~PEER_EVENT, "interleave_error" },
- { -1, "" }
+ { PEVNT_MOBIL & ~PEER_EVENT, "mobilize", 0 },
+ { PEVNT_DEMOBIL & ~PEER_EVENT, "demobilize", 0 },
+ { PEVNT_UNREACH & ~PEER_EVENT, "unreachable", 0 },
+ { PEVNT_REACH & ~PEER_EVENT, "reachable", 0 },
+ { PEVNT_RESTART & ~PEER_EVENT, "restart", 0 },
+ { PEVNT_REPLY & ~PEER_EVENT, "no_reply", 0 },
+ { PEVNT_RATE & ~PEER_EVENT, "rate_exceeded", 0 },
+ { PEVNT_DENY & ~PEER_EVENT, "access_denied", 0 },
+ { PEVNT_ARMED & ~PEER_EVENT, "leap_armed", 0 },
+ { PEVNT_NEWPEER & ~PEER_EVENT, "sys_peer", 0 },
+ { PEVNT_CLOCK & ~PEER_EVENT, "clock_event", 0 },
+ { PEVNT_AUTH & ~PEER_EVENT, "bad_auth", 0 },
+ { PEVNT_POPCORN & ~PEER_EVENT, "popcorn", 0 },
+ { PEVNT_XLEAVE & ~PEER_EVENT, "interleave_mode", 0 },
+ { PEVNT_XERR & ~PEER_EVENT, "interleave_error", 0 },
+ { -1, "", 0 }
};
/*
@@ -155,11 +156,11 @@
* Peer status bits
*/
static const struct codestring peer_st_bits[] = {
- { CTL_PST_CONFIG, "conf" },
- { CTL_PST_AUTHENABLE, "authenb" },
- { CTL_PST_AUTHENTIC, "auth" },
- { CTL_PST_REACH, "reach" },
- { CTL_PST_BCAST, "bcast" },
+ { CTL_PST_CONFIG, "conf", 0 },
+ { CTL_PST_AUTHENABLE, "authenb", 0 },
+ { CTL_PST_AUTHENTIC, "auth", 0 },
+ { CTL_PST_REACH, "reach", 0 },
+ { CTL_PST_BCAST, "bcast", 0 },
/* not used with getcode(), no terminating entry needed */
};
@@ -167,9 +168,9 @@
* Restriction match bits
*/
static const struct codestring res_match_bits[] = {
- { RESM_NTPONLY, "ntpport" },
- { RESM_INTERFACE, "interface" },
- { RESM_SOURCE, "source" },
+ { RESM_NTPONLY, "ntpport", 0 },
+ { RESM_INTERFACE, "interface", 0 },
+ { RESM_SOURCE, "source", 0 },
/* not used with getcode(), no terminating entry needed */
};
@@ -177,18 +178,19 @@
* Restriction access bits
*/
static const struct codestring res_access_bits[] = {
- { RES_IGNORE, "ignore" },
- { RES_DONTSERVE, "noserve" },
- { RES_DONTTRUST, "notrust" },
- { RES_NOQUERY, "noquery" },
- { RES_NOMODIFY, "nomodify" },
- { RES_NOPEER, "nopeer" },
- { RES_NOTRAP, "notrap" },
- { RES_LPTRAP, "lptrap" },
- { RES_LIMITED, "limited" },
- { RES_VERSION, "version" },
- { RES_KOD, "kod" },
- { RES_FLAKE, "flake" },
+ { RES_IGNORE, "ignore", 0 },
+ { RES_DONTSERVE, "noserve", "serve" },
+ { RES_DONTTRUST, "notrust", "trust" },
+ { RES_NOQUERY, "noquery", "query" },
+ { RES_NOMODIFY, "nomodify", 0 },
+ { RES_NOPEER, "nopeer", "peer" },
+ { RES_NOEPEER, "noepeer", "epeer" },
+ { RES_NOTRAP, "notrap", "trap" },
+ { RES_LPTRAP, "lptrap", 0 },
+ { RES_LIMITED, "limited", 0 },
+ { RES_VERSION, "version", 0 },
+ { RES_KOD, "kod", 0 },
+ { RES_FLAKE, "flake", 0 },
/* not used with getcode(), no terminating entry needed */
};
@@ -197,23 +199,23 @@
* Crypto events (cryp)
*/
static const struct codestring crypto_codes[] = {
- { XEVNT_OK & ~CRPT_EVENT, "success" },
- { XEVNT_LEN & ~CRPT_EVENT, "bad_field_format_or_length" },
- { XEVNT_TSP & ~CRPT_EVENT, "bad_timestamp" },
- { XEVNT_FSP & ~CRPT_EVENT, "bad_filestamp" },
- { XEVNT_PUB & ~CRPT_EVENT, "bad_or_missing_public_key" },
- { XEVNT_MD & ~CRPT_EVENT, "unsupported_digest_type" },
- { XEVNT_KEY & ~CRPT_EVENT, "unsupported_identity_type" },
- { XEVNT_SGL & ~CRPT_EVENT, "bad_signature_length" },
- { XEVNT_SIG & ~CRPT_EVENT, "signature_not_verified" },
- { XEVNT_VFY & ~CRPT_EVENT, "certificate_not_verified" },
- { XEVNT_PER & ~CRPT_EVENT, "host_certificate_expired" },
- { XEVNT_CKY & ~CRPT_EVENT, "bad_or_missing_cookie" },
- { XEVNT_DAT & ~CRPT_EVENT, "bad_or_missing_leapseconds" },
- { XEVNT_CRT & ~CRPT_EVENT, "bad_or_missing_certificate" },
- { XEVNT_ID & ~CRPT_EVENT, "bad_or_missing_group key" },
- { XEVNT_ERR & ~CRPT_EVENT, "protocol_error" },
- { -1, "" }
+ { XEVNT_OK & ~CRPT_EVENT, "success", 0 },
+ { XEVNT_LEN & ~CRPT_EVENT, "bad_field_format_or_length", 0 },
+ { XEVNT_TSP & ~CRPT_EVENT, "bad_timestamp", 0 },
+ { XEVNT_FSP & ~CRPT_EVENT, "bad_filestamp", 0 },
+ { XEVNT_PUB & ~CRPT_EVENT, "bad_or_missing_public_key", 0 },
+ { XEVNT_MD & ~CRPT_EVENT, "unsupported_digest_type", 0 },
+ { XEVNT_KEY & ~CRPT_EVENT, "unsupported_identity_type", 0 },
+ { XEVNT_SGL & ~CRPT_EVENT, "bad_signature_length", 0 },
+ { XEVNT_SIG & ~CRPT_EVENT, "signature_not_verified", 0 },
+ { XEVNT_VFY & ~CRPT_EVENT, "certificate_not_verified", 0 },
+ { XEVNT_PER & ~CRPT_EVENT, "host_certificate_expired", 0 },
+ { XEVNT_CKY & ~CRPT_EVENT, "bad_or_missing_cookie", 0 },
+ { XEVNT_DAT & ~CRPT_EVENT, "bad_or_missing_leapseconds", 0 },
+ { XEVNT_CRT & ~CRPT_EVENT, "bad_or_missing_certificate", 0 },
+ { XEVNT_ID & ~CRPT_EVENT, "bad_or_missing_group key", 0 },
+ { XEVNT_ERR & ~CRPT_EVENT, "protocol_error", 0 },
+ { -1, "", 0 }
};
#endif /* AUTOKEY */
@@ -223,52 +225,52 @@
*/
static const struct codestring k_st_bits[] = {
# ifdef STA_PLL
- { STA_PLL, "pll" },
+ { STA_PLL, "pll", 0 },
# endif
# ifdef STA_PPSFREQ
- { STA_PPSFREQ, "ppsfreq" },
+ { STA_PPSFREQ, "ppsfreq", 0 },
# endif
# ifdef STA_PPSTIME
- { STA_PPSTIME, "ppstime" },
+ { STA_PPSTIME, "ppstime", 0 },
# endif
# ifdef STA_FLL
- { STA_FLL, "fll" },
+ { STA_FLL, "fll", 0 },
# endif
# ifdef STA_INS
- { STA_INS, "ins" },
+ { STA_INS, "ins", 0 },
# endif
# ifdef STA_DEL
- { STA_DEL, "del" },
+ { STA_DEL, "del", 0 },
# endif
# ifdef STA_UNSYNC
- { STA_UNSYNC, "unsync" },
+ { STA_UNSYNC, "unsync", 0 },
# endif
# ifdef STA_FREQHOLD
- { STA_FREQHOLD, "freqhold" },
+ { STA_FREQHOLD, "freqhold", 0 },
# endif
# ifdef STA_PPSSIGNAL
- { STA_PPSSIGNAL, "ppssignal" },
+ { STA_PPSSIGNAL, "ppssignal", 0 },
# endif
# ifdef STA_PPSJITTER
- { STA_PPSJITTER, "ppsjitter" },
+ { STA_PPSJITTER, "ppsjitter", 0 },
# endif
# ifdef STA_PPSWANDER
- { STA_PPSWANDER, "ppswander" },
+ { STA_PPSWANDER, "ppswander", 0 },
# endif
# ifdef STA_PPSERROR
- { STA_PPSERROR, "ppserror" },
+ { STA_PPSERROR, "ppserror", 0 },
# endif
# ifdef STA_CLOCKERR
- { STA_CLOCKERR, "clockerr" },
+ { STA_CLOCKERR, "clockerr", 0 },
# endif
# ifdef STA_NANO
- { STA_NANO, "nano" },
+ { STA_NANO, "nano", 0 },
# endif
# ifdef STA_MODE
- { STA_MODE, "mode=fll" },
+ { STA_MODE, "mode=fll", 0 },
# endif
# ifdef STA_CLK
- { STA_CLK, "src=B" },
+ { STA_CLK, "src=B", 0 },
# endif
/* not used with getcode(), no terminating entry needed */
};
@@ -292,12 +294,12 @@
while (codetab->code != -1) {
if (codetab->code == code)
- return codetab->string;
+ return codetab->string1;
codetab++;
}
LIB_GETBUF(buf);
- snprintf(buf, LIB_BUFLENGTH, "%s_%d", codetab->string, code);
+ snprintf(buf, LIB_BUFLENGTH, "%s_%d", codetab->string1, code);
return buf;
}
@@ -354,10 +356,18 @@
sep = "";
for (b = 0; b < tab_ct; b++) {
+ const char * flagstr;
+
if (tab[b].code & bits) {
+ flagstr = tab[b].string1;
+ } else {
+ flagstr = tab[b].string0;
+ }
+
+ if (flagstr) {
size_t avail = lim - pch;
rc = snprintf(pch, avail, "%s%s", sep,
- tab[b].string);
+ flagstr);
if ((size_t)rc >= avail)
goto toosmall;
pch += rc;
Index: contrib/ntp/ntpd/Makefile.in
===================================================================
--- contrib/ntp/ntpd/Makefile.in (版本 330566)
+++ contrib/ntp/ntpd/Makefile.in (版本 330908)
@@ -109,6 +109,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -1856,7 +1857,6 @@
-cd ../sntp/libopts && $(MAKE) $(AM_MAKEFLAGS) libopts.la
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/ntpd/invoke-ntpd.texi
===================================================================
--- contrib/ntp/ntpd/invoke-ntpd.texi (版本 330566)
+++ contrib/ntp/ntpd/invoke-ntpd.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntpd.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:44:20 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:14:39 PM by AutoGen 5.18.5
# From the definitions ntpd-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -142,7 +142,7 @@
@exampleindent 0
@example
-ntpd - NTP daemon program - Ver. 4.2.8p10-beta
+ntpd - NTP daemon program - Ver. 4.2.8p11
Usage: ntpd [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \
[ <server1> ... <serverN> ]
Flg Arg Option-Name Description
Index: contrib/ntp/ntpd/ntp.conf.5mdoc
===================================================================
--- contrib/ntp/ntpd/ntp.conf.5mdoc (版本 330566)
+++ contrib/ntp/ntpd/ntp.conf.5mdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_CONF 5mdoc File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:31:09 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -1532,6 +1532,7 @@
for packets that overflow the rate\-control window.
.It Xo Ic restrict address
.Op Cm mask Ar mask
+.Op Cm ippeerlimit Ar int
.Op Ar flag ...
.Xc
The
@@ -1557,6 +1558,15 @@
.Cm default ,
with no mask option, may
be used to indicate the default entry.
+The
+.Cm ippeerlimit
+directive limits the number of peer requests for each IP to
+.Ar int ,
+where a value of \-1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
.Cm flag
always
@@ -1607,6 +1617,18 @@
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
+.It Cm noepeer
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+.Pa ntp.keys
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+.Cm noepeer
+to become the default in ntp\-4.4.
.It Cm nomodify
Deny
.Xr ntpq 1ntpqmdoc
@@ -1624,10 +1646,10 @@
queries.
Time service is not affected.
.It Cm nopeer
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
.Cm pool
associations, so if you want to use servers from a
@@ -1635,8 +1657,9 @@
directive and also want to use
.Cm nopeer
by default, you'll want a
-.Cm "restrict source ..." line as well that does
-.It not
+.Cm "restrict source ..."
+line as well that does
+.Em not
include the
.Cm nopeer
directive.
@@ -2011,9 +2034,10 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+.El
.Ss Manycast Options
.Bl -tag -width indent
.It Xo Ic tos
@@ -2359,7 +2383,7 @@
page
(available as part of the HTML documentation
provided in
-.Pa /usr/share/doc/ntp ) .
+.Pa /usr/share/doc/ntp ).
.It Cm stratum Ar int
Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
@@ -2637,6 +2661,79 @@
.Xr ntpd 1ntpdmdoc
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
+.It Xo Ic interface
+.Oo
+.Cm listen | Cm ignore | Cm drop
+.Oc
+.Oo
+.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard
+.Ar name | Ar address
+.Oo Cm / Ar prefixlen
+.Oc
+.Oc
+.Xc
+The
+.Cm interface
+directive controls which network addresses
+.Xr ntpd 1ntpdmdoc
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+.Ar prefixlen
+determines how many bits must match for this rule to apply.
+.Cm ignore
+prevents opening matching addresses,
+.Cm drop
+causes
+.Xr ntpd 1ntpdmdoc
+to open the address and drop all received packets without examination.
+Multiple
+.Cm interface
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+.Cm interface
+directives are disabled if any
+.Fl I ,
+.Fl \-interface ,
+.Fl L ,
+or
+.Fl \-novirtualips
+command\-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+.Cm nic
+directive is an alias for
+.Cm interface .
+.It Ic leapfile Ar leapfile
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list
+or
+.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list .
+The
+.Cm leapfile
+is scanned when
+.Xr ntpd 1ntpdmdoc
+processes the
+.Cm leapfile directive or when
+.Cm ntpd detects that the
+.Ar leapfile
+has changed.
+.Cm ntpd
+checks once a day to see if the
+.Ar leapfile
+has changed.
+The
+.Xr update\-leap 1update_leapmdoc
+script can be run to see if the
+.Ar leapfile
+should be updated.
.It Ic leapsmearinterval Ar seconds
This EXPERIMENTAL option is only available if
.Xr ntpd 1ntpdmdoc
@@ -2741,6 +2838,181 @@
This is the same operation as the
.Fl l
command line option.
+.It Xo Ic mru
+.Oo
+.Cm maxdepth Ar count | Cm maxmem Ar kilobytes |
+.Cm mindepth Ar count | Cm maxage Ar seconds |
+.Cm initialloc Ar count | Cm initmem Ar kilobytes |
+.Cm incalloc Ar count | Cm incmem Ar kilobytes
+.Oc
+.Xc
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+.Bl -tag -width indent
+.It Ic maxdepth Ar count
+.It Ic maxmem Ar kilobytes
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+.Cm incalloc
+entries or
+.Cm incmem
+kilobytes larger.
+As with all of the
+.Cm mru
+options offered in units of entries or kilobytes, if both
+.Cm maxdepth
+and
+.Cm maxmem are used, the last one used controls.
+The default is 1024 kilobytes.
+.It Cm mindepth Ar count
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+.Cm mindepth
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+.It Cm maxage Ar seconds
+Once the MRU list has
+.Cm mindepth
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+.Cm maxage
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+.Cm maxdepth / moxmem .
+The default is 64 seconds.
+.It Cm initalloc Ar count
+.It Cm initmem Ar kilobytes
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+.It Cm incalloc Ar count
+.It Cm incmem Ar kilobytes
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+.El
+.It Ic nonvolatile Ar threshold
+Specify the
+.Ar threshold
+delta in seconds before an hourly change to the
+.Cm driftfile
+(frequency file) will be written, with a default value of 1e\-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+.Cm threshold
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+.It Ic phone Ar dial ...
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 \- 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 \- 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+.It Xo Ic reset
+.Oo
+.Ic allpeers
+.Oc
+.Oo
+.Ic auth
+.Oc
+.Oo
+.Ic ctl
+.Oc
+.Oo
+.Ic io
+.Oc
+.Oo
+.Ic mem
+.Oc
+.Oo
+.Ic sys
+.Oc
+.Oo
+.Ic timer
+.Oc
+.Xc
+Reset one or more groups of counters maintained by
+.Cm ntpd
+and exposed by
+.Cm ntpq
+and
+.Cm ntpdc .
+.It Xo Ic rlimit
+.Oo
+.Cm memlock Ar Nmegabytes |
+.Cm stacksize Ar N4kPages
+.Cm filenum Ar Nfiledescriptors
+.Oc
+.Xc
+.Bl -tag -width indent
+.It Cm memlock Ar Nmegabytes
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+.Fl i
+option).
+The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+.It Cm stacksize Ar N4kPages
+Specifies the maximum size of the process stack on systems with the
+.Fn mlockall
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+.It Cm filenum Ar Nfiledescriptors
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+.El
+.It Ic saveconfigdir Ar directory_path
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+.Cm saveconfig
+command.
+If
+.Cm saveconfigdir
+does not appear in the configuration file,
+.Cm saveconfig
+requests are rejected by
+.Cm ntpd .
+.It Ic saveconfig Ar filename
+Write the current configuration, including any runtime
+modifications given with
+.Cm :config
+or
+.Cm config\-from\-file
+to the
+.Cm ntpd
+host's
+.Ar filename
+in the
+.Cm saveconfigdir .
+This command will be rejected unless the
+.Cm saveconfigdir
+directive appears in
+.Cm ntpd 's
+configuration file.
+.Ar filename
+can use
+.Xr strftime 3
+format directives to substitute the current date and time,
+for example,
+.Cm saveconfig\ ntp\-%Y%m%d\-%H%M%S.conf .
+The filename used is stored in the system variable
+.Cm savedconfig .
+Authentication is required.
.It Ic setvar Ar variable Op Cm default
This command adds an additional system variable.
These
@@ -2779,6 +3051,10 @@
the names of all peer variables and the
.Va clock_var_list
holds the names of the reference clock variables.
+.It Cm sysinfo
+Display operational summary.
+.It Cm sysstats
+Show statistics counters maintained in the protocol module.
.It Xo Ic tinker
.Oo
.Cm allan Ar allan |
@@ -2868,33 +3144,18 @@
If set to zero, the stepout
pulses will not be suppressed.
.El
-.It Xo Ic rlimit
-.Oo
-.Cm memlock Ar Nmegabytes |
-.Cm stacksize Ar N4kPages
-.Cm filenum Ar Nfiledescriptors
-.Oc
-.Xc
-.Bl -tag -width indent
-.It Cm memlock Ar Nmegabytes
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-.Fl i
-option).
-The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-.It Cm stacksize Ar N4kPages
-Specifies the maximum size of the process stack on systems with the
-.Fn mlockall
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-.It Cm filenum Ar Nfiledescriptors
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-.El
+.It Cm writevar Ar assocID\ name = value [,...]
+Write (create or update) the specified variables.
+If the
+.Cm assocID
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+.Cm assocID
+is required, as the same name can occur in both name spaces.
.It Xo Ic trap Ar host_address
.Op Cm port Ar port_number
.Op Cm interface Ar interface_address
@@ -2909,6 +3170,13 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+.It Cm ttl Ar hop ...
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+.Cm manycast
+mode these values are used in\-turn in an expanding\-ring search.
+The default is eight multiples of 32 starting at 31.
.Pp
The trap receiver will generally log event messages and other
information from the server in a log file.
Index: contrib/ntp/ntpd/ntp.conf.mdoc.in
===================================================================
--- contrib/ntp/ntpd/ntp.conf.mdoc.in (版本 330566)
+++ contrib/ntp/ntpd/ntp.conf.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_CONF 5 File Formats
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:31:09 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:42 PM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -1532,6 +1532,7 @@
for packets that overflow the rate\-control window.
.It Xo Ic restrict address
.Op Cm mask Ar mask
+.Op Cm ippeerlimit Ar int
.Op Ar flag ...
.Xc
The
@@ -1557,6 +1558,15 @@
.Cm default ,
with no mask option, may
be used to indicate the default entry.
+The
+.Cm ippeerlimit
+directive limits the number of peer requests for each IP to
+.Ar int ,
+where a value of \-1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
.Cm flag
always
@@ -1607,6 +1617,18 @@
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
+.It Cm noepeer
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+.Pa ntp.keys
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+.Cm noepeer
+to become the default in ntp\-4.4.
.It Cm nomodify
Deny
.Xr ntpq @NTPQ_MS@
@@ -1624,10 +1646,10 @@
queries.
Time service is not affected.
.It Cm nopeer
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
.Cm pool
associations, so if you want to use servers from a
@@ -1635,8 +1657,9 @@
directive and also want to use
.Cm nopeer
by default, you'll want a
-.Cm "restrict source ..." line as well that does
-.It not
+.Cm "restrict source ..."
+line as well that does
+.Em not
include the
.Cm nopeer
directive.
@@ -2011,9 +2034,10 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+.El
.Ss Manycast Options
.Bl -tag -width indent
.It Xo Ic tos
@@ -2359,7 +2383,7 @@
page
(available as part of the HTML documentation
provided in
-.Pa /usr/share/doc/ntp ) .
+.Pa /usr/share/doc/ntp ).
.It Cm stratum Ar int
Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
@@ -2637,6 +2661,79 @@
.Xr ntpd @NTPD_MS@
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
+.It Xo Ic interface
+.Oo
+.Cm listen | Cm ignore | Cm drop
+.Oc
+.Oo
+.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard
+.Ar name | Ar address
+.Oo Cm / Ar prefixlen
+.Oc
+.Oc
+.Xc
+The
+.Cm interface
+directive controls which network addresses
+.Xr ntpd @NTPD_MS@
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+.Ar prefixlen
+determines how many bits must match for this rule to apply.
+.Cm ignore
+prevents opening matching addresses,
+.Cm drop
+causes
+.Xr ntpd @NTPD_MS@
+to open the address and drop all received packets without examination.
+Multiple
+.Cm interface
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+.Cm interface
+directives are disabled if any
+.Fl I ,
+.Fl \-interface ,
+.Fl L ,
+or
+.Fl \-novirtualips
+command\-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+.Cm nic
+directive is an alias for
+.Cm interface .
+.It Ic leapfile Ar leapfile
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list
+or
+.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap\-seconds.list .
+The
+.Cm leapfile
+is scanned when
+.Xr ntpd @NTPD_MS@
+processes the
+.Cm leapfile directive or when
+.Cm ntpd detects that the
+.Ar leapfile
+has changed.
+.Cm ntpd
+checks once a day to see if the
+.Ar leapfile
+has changed.
+The
+.Xr update\-leap 1update_leapmdoc
+script can be run to see if the
+.Ar leapfile
+should be updated.
.It Ic leapsmearinterval Ar seconds
This EXPERIMENTAL option is only available if
.Xr ntpd @NTPD_MS@
@@ -2741,6 +2838,181 @@
This is the same operation as the
.Fl l
command line option.
+.It Xo Ic mru
+.Oo
+.Cm maxdepth Ar count | Cm maxmem Ar kilobytes |
+.Cm mindepth Ar count | Cm maxage Ar seconds |
+.Cm initialloc Ar count | Cm initmem Ar kilobytes |
+.Cm incalloc Ar count | Cm incmem Ar kilobytes
+.Oc
+.Xc
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+.Bl -tag -width indent
+.It Ic maxdepth Ar count
+.It Ic maxmem Ar kilobytes
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+.Cm incalloc
+entries or
+.Cm incmem
+kilobytes larger.
+As with all of the
+.Cm mru
+options offered in units of entries or kilobytes, if both
+.Cm maxdepth
+and
+.Cm maxmem are used, the last one used controls.
+The default is 1024 kilobytes.
+.It Cm mindepth Ar count
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+.Cm mindepth
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+.It Cm maxage Ar seconds
+Once the MRU list has
+.Cm mindepth
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+.Cm maxage
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+.Cm maxdepth / moxmem .
+The default is 64 seconds.
+.It Cm initalloc Ar count
+.It Cm initmem Ar kilobytes
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+.It Cm incalloc Ar count
+.It Cm incmem Ar kilobytes
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+.El
+.It Ic nonvolatile Ar threshold
+Specify the
+.Ar threshold
+delta in seconds before an hourly change to the
+.Cm driftfile
+(frequency file) will be written, with a default value of 1e\-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+.Cm threshold
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+.It Ic phone Ar dial ...
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 \- 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 \- 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+.It Xo Ic reset
+.Oo
+.Ic allpeers
+.Oc
+.Oo
+.Ic auth
+.Oc
+.Oo
+.Ic ctl
+.Oc
+.Oo
+.Ic io
+.Oc
+.Oo
+.Ic mem
+.Oc
+.Oo
+.Ic sys
+.Oc
+.Oo
+.Ic timer
+.Oc
+.Xc
+Reset one or more groups of counters maintained by
+.Cm ntpd
+and exposed by
+.Cm ntpq
+and
+.Cm ntpdc .
+.It Xo Ic rlimit
+.Oo
+.Cm memlock Ar Nmegabytes |
+.Cm stacksize Ar N4kPages
+.Cm filenum Ar Nfiledescriptors
+.Oc
+.Xc
+.Bl -tag -width indent
+.It Cm memlock Ar Nmegabytes
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+.Fl i
+option).
+The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+.It Cm stacksize Ar N4kPages
+Specifies the maximum size of the process stack on systems with the
+.Fn mlockall
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+.It Cm filenum Ar Nfiledescriptors
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+.El
+.It Ic saveconfigdir Ar directory_path
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+.Cm saveconfig
+command.
+If
+.Cm saveconfigdir
+does not appear in the configuration file,
+.Cm saveconfig
+requests are rejected by
+.Cm ntpd .
+.It Ic saveconfig Ar filename
+Write the current configuration, including any runtime
+modifications given with
+.Cm :config
+or
+.Cm config\-from\-file
+to the
+.Cm ntpd
+host's
+.Ar filename
+in the
+.Cm saveconfigdir .
+This command will be rejected unless the
+.Cm saveconfigdir
+directive appears in
+.Cm ntpd 's
+configuration file.
+.Ar filename
+can use
+.Xr strftime 3
+format directives to substitute the current date and time,
+for example,
+.Cm saveconfig\ ntp\-%Y%m%d\-%H%M%S.conf .
+The filename used is stored in the system variable
+.Cm savedconfig .
+Authentication is required.
.It Ic setvar Ar variable Op Cm default
This command adds an additional system variable.
These
@@ -2779,6 +3051,10 @@
the names of all peer variables and the
.Va clock_var_list
holds the names of the reference clock variables.
+.It Cm sysinfo
+Display operational summary.
+.It Cm sysstats
+Show statistics counters maintained in the protocol module.
.It Xo Ic tinker
.Oo
.Cm allan Ar allan |
@@ -2868,33 +3144,18 @@
If set to zero, the stepout
pulses will not be suppressed.
.El
-.It Xo Ic rlimit
-.Oo
-.Cm memlock Ar Nmegabytes |
-.Cm stacksize Ar N4kPages
-.Cm filenum Ar Nfiledescriptors
-.Oc
-.Xc
-.Bl -tag -width indent
-.It Cm memlock Ar Nmegabytes
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-.Fl i
-option).
-The default is 32 megabytes on non\-Linux machines, and \-1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-.It Cm stacksize Ar N4kPages
-Specifies the maximum size of the process stack on systems with the
-.Fn mlockall
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-.It Cm filenum Ar Nfiledescriptors
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-.El
+.It Cm writevar Ar assocID\ name = value [,...]
+Write (create or update) the specified variables.
+If the
+.Cm assocID
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+.Cm assocID
+is required, as the same name can occur in both name spaces.
.It Xo Ic trap Ar host_address
.Op Cm port Ar port_number
.Op Cm interface Ar interface_address
@@ -2909,6 +3170,13 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+.It Cm ttl Ar hop ...
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+.Cm manycast
+mode these values are used in\-turn in an expanding\-ring search.
+The default is eight multiples of 32 starting at 31.
.Pp
The trap receiver will generally log event messages and other
information from the server in a log file.
Index: contrib/ntp/ntpd/ntp.keys.html
===================================================================
--- contrib/ntp/ntpd/ntp.keys.html (版本 330566)
+++ contrib/ntp/ntpd/ntp.keys.html (版本 330908)
@@ -33,7 +33,7 @@
<p>This document describes the symmetric key file for the NTP Project's
<code>ntpd</code> program.
- <p>This document applies to version 4.2.8p10 of <code>ntp.keys</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntp.keys</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -100,16 +100,24 @@
is a positive integer (between 1 and 65534),
<kbd>type</kbd>
is the message digest algorithm,
-and
<kbd>key</kbd>
is the key itself, and
<kbd>opt_IP_list</kbd>
is an optional comma-separated list of IPs
+where the
+<kbd>keyno</kbd>
+should be trusted.
that are allowed to serve time.
+Each IP in
+<kbd>opt_IP_list</kbd>
+may contain an optional
+<code>/subnetbits</code>
+specification which identifies the number of bits for
+the desired subnet of trust.
If
<kbd>opt_IP_list</kbd>
is empty,
-any properly-authenticated server message will be
+any properly-authenticated message will be
accepted.
<p>The
Index: contrib/ntp/libntp/a_md5encrypt.c
===================================================================
--- contrib/ntp/libntp/a_md5encrypt.c (版本 330566)
+++ contrib/ntp/libntp/a_md5encrypt.c (版本 330908)
@@ -11,6 +11,177 @@
#include "ntp.h"
#include "ntp_md5.h" /* provides OpenSSL digest API */
#include "isc/string.h"
+
+#ifdef OPENSSL
+# include "openssl/cmac.h"
+# define CMAC "AES128CMAC"
+# define AES_128_KEY_SIZE 16
+#endif
+
+typedef struct {
+ const void * buf;
+ size_t len;
+} robuffT;
+
+typedef struct {
+ void * buf;
+ size_t len;
+} rwbuffT;
+
+#ifdef OPENSSL
+static size_t
+cmac_ctx_size(
+ CMAC_CTX * ctx)
+{
+ size_t mlen = 0;
+
+ if (ctx) {
+ EVP_CIPHER_CTX * cctx;
+ if (NULL != (cctx = CMAC_CTX_get0_cipher_ctx (ctx)))
+ mlen = EVP_CIPHER_CTX_block_size(cctx);
+ }
+ return mlen;
+}
+#endif /*OPENSSL*/
+
+static size_t
+make_mac(
+ const rwbuffT * digest,
+ int ktype,
+ const robuffT * key,
+ const robuffT * msg)
+{
+ /*
+ * Compute digest of key concatenated with packet. Note: the
+ * key type and digest type have been verified when the key
+ * was created.
+ */
+ size_t retlen = 0;
+
+#ifdef OPENSSL
+
+ INIT_SSL();
+
+ /* Check if CMAC key type specific code required */
+ if (ktype == NID_cmac) {
+ CMAC_CTX * ctx = NULL;
+ void const * keyptr = key->buf;
+ u_char keybuf[AES_128_KEY_SIZE];
+
+ /* adjust key size (zero padded buffer) if necessary */
+ if (AES_128_KEY_SIZE > key->len) {
+ memcpy(keybuf, keyptr, key->len);
+ memset((keybuf + key->len), 0,
+ (AES_128_KEY_SIZE - key->len));
+ keyptr = keybuf;
+ }
+
+ if (NULL == (ctx = CMAC_CTX_new())) {
+ msyslog(LOG_ERR, "MAC encrypt: CMAC %s CTX new failed.", CMAC);
+ goto cmac_fail;
+ }
+ if (!CMAC_Init(ctx, keyptr, AES_128_KEY_SIZE, EVP_aes_128_cbc(), NULL)) {
+ msyslog(LOG_ERR, "MAC encrypt: CMAC %s Init failed.", CMAC);
+ goto cmac_fail;
+ }
+ if (cmac_ctx_size(ctx) > digest->len) {
+ msyslog(LOG_ERR, "MAC encrypt: CMAC %s buf too small.", CMAC);
+ goto cmac_fail;
+ }
+ if (!CMAC_Update(ctx, msg->buf, msg->len)) {
+ msyslog(LOG_ERR, "MAC encrypt: CMAC %s Update failed.", CMAC);
+ goto cmac_fail;
+ }
+ if (!CMAC_Final(ctx, digest->buf, &retlen)) {
+ msyslog(LOG_ERR, "MAC encrypt: CMAC %s Final failed.", CMAC);
+ retlen = 0;
+ }
+ cmac_fail:
+ if (ctx)
+ CMAC_CTX_cleanup(ctx);
+ }
+ else { /* generic MAC handling */
+ EVP_MD_CTX * ctx = EVP_MD_CTX_new();
+ u_int uilen = 0;
+
+ if ( ! ctx) {
+ msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest CTX new failed.",
+ OBJ_nid2sn(ktype));
+ goto mac_fail;
+ }
+
+ #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ /* make sure MD5 is allowd */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ #endif
+ /* [Bug 3457] DON'T use plain EVP_DigestInit! It would
+ * kill the flags! */
+ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(ktype), NULL)) {
+ msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Init failed.",
+ OBJ_nid2sn(ktype));
+ goto mac_fail;
+ }
+ if ((size_t)EVP_MD_CTX_size(ctx) > digest->len) {
+ msyslog(LOG_ERR, "MAC encrypt: MAC %s buf too small.",
+ OBJ_nid2sn(ktype));
+ goto mac_fail;
+ }
+ if (!EVP_DigestUpdate(ctx, key->buf, (u_int)key->len)) {
+ msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Update key failed.",
+ OBJ_nid2sn(ktype));
+ goto mac_fail;
+ }
+ if (!EVP_DigestUpdate(ctx, msg->buf, (u_int)msg->len)) {
+ msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Update data failed.",
+ OBJ_nid2sn(ktype));
+ goto mac_fail;
+ }
+ if (!EVP_DigestFinal(ctx, digest->buf, &uilen)) {
+ msyslog(LOG_ERR, "MAC encrypt: MAC %s Digest Final failed.",
+ OBJ_nid2sn(ktype));
+ uilen = 0;
+ }
+ mac_fail:
+ retlen = (size_t)uilen;
+
+ if (ctx)
+ EVP_MD_CTX_free(ctx);
+ }
+
+#else /* !OPENSSL follows */
+
+ if (ktype == NID_md5)
+ {
+ EVP_MD_CTX * ctx = EVP_MD_CTX_new();
+ uint uilen = 0;
+
+ if (digest->len < 16) {
+ msyslog(LOG_ERR, "%s", "MAC encrypt: MAC md5 buf too small.");
+ }
+ else if ( ! ctx) {
+ msyslog(LOG_ERR, "%s", "MAC encrypt: MAC md5 Digest CTX new failed.");
+ }
+ else {
+ EVP_DigestInit(ctx, EVP_get_digestbynid(ktype));
+ EVP_DigestUpdate(ctx, key->buf, key->len);
+ EVP_DigestUpdate(ctx, msg->buf, msg->len);
+ EVP_DigestFinal(ctx, digest->buf, &uilen);
+ }
+ if (ctx)
+ EVP_MD_CTX_free(ctx);
+ retlen = (size_t)uilen;
+ }
+ else
+ {
+ msyslog(LOG_ERR, "MAC encrypt: invalid key type %d" , ktype);
+ }
+
+#endif /* !OPENSSL */
+
+ return retlen;
+}
+
+
/*
* MD5authencrypt - generate message digest
*
@@ -20,36 +191,23 @@
MD5authencrypt(
int type, /* hash algorithm */
const u_char * key, /* key pointer */
+ size_t klen, /* key length */
u_int32 * pkt, /* packet pointer */
size_t length /* packet length */
)
{
u_char digest[EVP_MAX_MD_SIZE];
- u_int len;
- EVP_MD_CTX *ctx;
+ rwbuffT digb = { digest, sizeof(digest) };
+ robuffT keyb = { key, klen };
+ robuffT msgb = { pkt, length };
+ size_t dlen = 0;
- /*
- * Compute digest of key concatenated with packet. Note: the
- * key type and digest type have been verified when the key
- * was creaded.
- */
- INIT_SSL();
- ctx = EVP_MD_CTX_new();
- if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) {
- msyslog(LOG_ERR,
- "MAC encrypt: digest init failed");
- EVP_MD_CTX_free(ctx);
- return (0);
- }
- EVP_DigestUpdate(ctx, key, cache_secretsize);
- EVP_DigestUpdate(ctx, (u_char *)pkt, length);
- EVP_DigestFinal(ctx, digest, &len);
- EVP_MD_CTX_free(ctx);
+ dlen = make_mac(&digb, type, &keyb, &msgb);
/* If the MAC is longer than the MAX then truncate it. */
- if (len > MAX_MAC_LEN - 4)
- len = MAX_MAC_LEN - 4;
- memmove((u_char *)pkt + length + 4, digest, len);
- return (len + 4);
+ if (dlen > MAX_MDG_LEN)
+ dlen = MAX_MDG_LEN;
+ memcpy((u_char *)pkt + length + KEY_MAC_LEN, digest, dlen);
+ return (dlen + KEY_MAC_LEN);
}
@@ -62,6 +220,7 @@
MD5authdecrypt(
int type, /* hash algorithm */
const u_char * key, /* key pointer */
+ size_t klen, /* key length */
u_int32 * pkt, /* packet pointer */
size_t length, /* packet length */
size_t size /* MAC size */
@@ -68,35 +227,23 @@
)
{
u_char digest[EVP_MAX_MD_SIZE];
- u_int len;
- EVP_MD_CTX *ctx;
+ rwbuffT digb = { digest, sizeof(digest) };
+ robuffT keyb = { key, klen };
+ robuffT msgb = { pkt, length };
+ size_t dlen = 0;
- /*
- * Compute digest of key concatenated with packet. Note: the
- * key type and digest type have been verified when the key
- * was created.
- */
- INIT_SSL();
- ctx = EVP_MD_CTX_new();
- if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) {
- msyslog(LOG_ERR,
- "MAC decrypt: digest init failed");
- EVP_MD_CTX_free(ctx);
- return (0);
- }
- EVP_DigestUpdate(ctx, key, cache_secretsize);
- EVP_DigestUpdate(ctx, (u_char *)pkt, length);
- EVP_DigestFinal(ctx, digest, &len);
- EVP_MD_CTX_free(ctx);
+ dlen = make_mac(&digb, type, &keyb, &msgb);
+
/* If the MAC is longer than the MAX then truncate it. */
- if (len > MAX_MAC_LEN - 4)
- len = MAX_MAC_LEN - 4;
- if (size != (size_t)len + 4) {
+ if (dlen > MAX_MDG_LEN)
+ dlen = MAX_MDG_LEN;
+ if (size != (size_t)dlen + KEY_MAC_LEN) {
msyslog(LOG_ERR,
"MAC decrypt: MAC length error");
return (0);
}
- return !isc_tsmemcmp(digest, (u_char *)pkt + length + 4, len);
+ return !isc_tsmemcmp(digest,
+ (u_char *)pkt + length + KEY_MAC_LEN, dlen);
}
/*
@@ -108,7 +255,7 @@
u_int32
addr2refid(sockaddr_u *addr)
{
- u_char digest[20];
+ u_char digest[EVP_MAX_MD_SIZE];
u_int32 addr_refid;
EVP_MD_CTX *ctx;
u_int len;
@@ -119,11 +266,12 @@
INIT_SSL();
ctx = EVP_MD_CTX_new();
- EVP_MD_CTX_init(ctx);
-#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* MD5 is not used as a crypto hash here. */
EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-#endif
+# endif
+ /* [Bug 3457] DON'T use plain EVP_DigestInit! It would kill the
+ * flags! */
if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) {
msyslog(LOG_ERR,
"MD5 init failed");
Index: contrib/ntp/libntp/libssl_compat.c
===================================================================
--- contrib/ntp/libntp/libssl_compat.c (版本 330566)
+++ contrib/ntp/libntp/libssl_compat.c (版本 330908)
@@ -74,7 +74,10 @@
EVP_MD_CTX*
sslshim_EVP_MD_CTX_new(void)
{
- return calloc(1, sizeof(EVP_MD_CTX));
+ EVP_MD_CTX * ctx;
+ if (NULL != (ctx = calloc(1, sizeof(EVP_MD_CTX))))
+ EVP_MD_CTX_init(ctx);
+ return ctx;
}
void
Index: contrib/ntp/libntp/systime.c
===================================================================
--- contrib/ntp/libntp/systime.c (版本 330566)
+++ contrib/ntp/libntp/systime.c (版本 330908)
@@ -5,8 +5,10 @@
*
*/
#include <config.h>
+#include <math.h>
#include "ntp.h"
+#include "ntpd.h"
#include "ntp_syslog.h"
#include "ntp_stdlib.h"
#include "ntp_random.h"
@@ -14,6 +16,7 @@
#include "timevalops.h"
#include "timespecops.h"
#include "ntp_calendar.h"
+#include "lib_strbuf.h"
#ifdef HAVE_SYS_PARAM_H
# include <sys/param.h>
@@ -28,6 +31,9 @@
int allow_panic = FALSE; /* allow panic correction (-g) */
int enable_panic_check = TRUE; /* Can we check allow_panic's state? */
+u_long sys_lamport; /* Lamport violation */
+u_long sys_tsrounding; /* timestamp rounding errors */
+
#ifndef USE_COMPILETIME_PIVOT
# define USE_COMPILETIME_PIVOT 1
#endif
@@ -110,7 +116,10 @@
sys_fuzz = fuzz_val;
INSIST(sys_fuzz >= 0);
INSIST(sys_fuzz <= 1.0);
- sys_fuzz_nsec = (long)(sys_fuzz * 1e9 + 0.5);
+ /* [Bug 3450] ensure nsec fuzz >= sys_fuzz to reduce chance of
+ * short-falling fuzz advance
+ */
+ sys_fuzz_nsec = (long)ceil(sys_fuzz * 1e9);
}
@@ -168,13 +177,10 @@
static struct timespec ts_last; /* last sampled os time */
static struct timespec ts_prev; /* prior os time */
static l_fp lfp_prev; /* prior result */
- static double dfuzz_prev; /* prior fuzz */
struct timespec ts; /* seconds and nanoseconds */
struct timespec ts_min; /* earliest permissible */
struct timespec ts_lam; /* lamport fictional increment */
- struct timespec ts_prev_log; /* for msyslog only */
double dfuzz;
- double ddelta;
l_fp result;
l_fp lfpfuzz;
l_fp lfpdelta;
@@ -191,8 +197,10 @@
* introduce small steps backward. It should not be an issue on
* systems where get_ostime() results in a true syscall.)
*/
- if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0)
+ if (cmp_tspec(add_tspec_ns(ts, 50000000), ts_last) < 0) {
lamport_violated = 1;
+ sys_lamport++;
+ }
ts_last = ts;
/*
@@ -216,14 +224,7 @@
if (!lamport_violated)
ts = ts_min;
}
- ts_prev_log = ts_prev;
ts_prev = ts;
- } else {
- /*
- * Quiet "ts_prev_log.tv_sec may be used uninitialized"
- * warning from x86 gcc 4.5.2.
- */
- ZERO(ts_prev_log);
}
/* convert from timespec to l_fp fixed-point */
@@ -230,7 +231,9 @@
result = tspec_stamp_to_lfp(ts);
/*
- * Add in the fuzz.
+ * Add in the fuzz. 'ntp_random()' returns [0..2**31-1] so we
+ * must scale up the result by 2.0 to cover the full fractional
+ * range.
*/
dfuzz = ntp_random() * 2. / FRAC * sys_fuzz;
DTOLFP(dfuzz, &lfpfuzz);
@@ -240,30 +243,34 @@
* Ensure result is strictly greater than prior result (ignoring
* sys_residual's effect for now) once sys_fuzz has been
* determined.
+ *
+ * [Bug 3450] Rounding errors and time slew can lead to a
+ * violation of the expected postcondition. This is bound to
+ * happen from time to time (depending on state of the random
+ * generator, the current slew and the closeness of system time
+ * stamps drawn) and does not warrant a syslog entry. Instead it
+ * makes much more sense to ensure the postcondition and hop
+ * along silently.
*/
if (!USING_SIGIO()) {
- if (!L_ISZERO(&lfp_prev) && !lamport_violated) {
- if (!L_ISGTU(&result, &lfp_prev) &&
- sys_fuzz > 0.) {
- msyslog(LOG_ERR, "ts_prev %s ts_min %s",
- tspectoa(ts_prev_log),
- tspectoa(ts_min));
- msyslog(LOG_ERR, "ts %s", tspectoa(ts));
- msyslog(LOG_ERR, "sys_fuzz %ld nsec, prior fuzz %.9f",
- sys_fuzz_nsec, dfuzz_prev);
- msyslog(LOG_ERR, "this fuzz %.9f",
- dfuzz);
- lfpdelta = lfp_prev;
- L_SUB(&lfpdelta, &result);
- LFPTOD(&lfpdelta, ddelta);
- msyslog(LOG_ERR,
- "prev get_systime 0x%x.%08x is %.9f later than 0x%x.%08x",
- lfp_prev.l_ui, lfp_prev.l_uf,
- ddelta, result.l_ui, result.l_uf);
+ if ( !L_ISZERO(&lfp_prev)
+ && !lamport_violated
+ && (sys_fuzz > 0.0)
+ ) {
+ lfpdelta = result;
+ L_SUB(&lfpdelta, &lfp_prev);
+ L_SUBUF(&lfpdelta, 1);
+ if (lfpdelta.l_i < 0)
+ {
+ L_NEG(&lfpdelta);
+ DPRINTF(1, ("get_systime: postcond failed by %s secs, fixed\n",
+ lfptoa(&lfpdelta, 9)));
+ result = lfp_prev;
+ L_ADDUF(&result, 1);
+ sys_tsrounding++;
}
}
lfp_prev = result;
- dfuzz_prev = dfuzz;
if (lamport_violated)
lamport_violated = FALSE;
}
@@ -362,106 +369,17 @@
}
#endif
-
/*
- * step_systime - step the system clock.
+ * helper to keep utmp/wtmp up to date
*/
-
-int
-step_systime(
- double step
+static void
+update_uwtmp(
+ struct timeval timetv,
+ struct timeval tvlast
)
{
- time_t pivot; /* for ntp era unfolding */
- struct timeval timetv, tvlast, tvdiff;
- struct timespec timets;
- struct calendar jd;
- l_fp fp_ofs, fp_sys; /* offset and target system time in FP */
-
+ struct timeval tvdiff;
/*
- * Get pivot time for NTP era unfolding. Since we don't step
- * very often, we can afford to do the whole calculation from
- * scratch. And we're not in the time-critical path yet.
- */
-#if SIZEOF_TIME_T > 4
- /*
- * This code makes sure the resulting time stamp for the new
- * system time is in the 2^32 seconds starting at 1970-01-01,
- * 00:00:00 UTC.
- */
- pivot = 0x80000000;
-#if USE_COMPILETIME_PIVOT
- /*
- * Add the compile time minus 10 years to get a possible target
- * area of (compile time - 10 years) to (compile time + 126
- * years). This should be sufficient for a given binary of
- * NTPD.
- */
- if (ntpcal_get_build_date(&jd)) {
- jd.year -= 10;
- pivot += ntpcal_date_to_time(&jd);
- } else {
- msyslog(LOG_ERR,
- "step-systime: assume 1970-01-01 as build date");
- }
-#else
- UNUSED_LOCAL(jd);
-#endif /* USE_COMPILETIME_PIVOT */
-#else
- UNUSED_LOCAL(jd);
- /* This makes sure the resulting time stamp is on or after
- * 1969-12-31/23:59:59 UTC and gives us additional two years,
- * from the change of NTP era in 2036 to the UNIX rollover in
- * 2038. (Minus one second, but that won't hurt.) We *really*
- * need a longer 'time_t' after that! Or a different baseline,
- * but that would cause other serious trouble, too.
- */
- pivot = 0x7FFFFFFF;
-#endif
-
- /* get the complete jump distance as l_fp */
- DTOLFP(sys_residual, &fp_sys);
- DTOLFP(step, &fp_ofs);
- L_ADD(&fp_ofs, &fp_sys);
-
- /* ---> time-critical path starts ---> */
-
- /* get the current time as l_fp (without fuzz) and as struct timeval */
- get_ostime(&timets);
- fp_sys = tspec_stamp_to_lfp(timets);
- tvlast.tv_sec = timets.tv_sec;
- tvlast.tv_usec = (timets.tv_nsec + 500) / 1000;
-
- /* get the target time as l_fp */
- L_ADD(&fp_sys, &fp_ofs);
-
- /* unfold the new system time */
- timetv = lfp_stamp_to_tval(fp_sys, &pivot);
-
- /* now set new system time */
- if (ntp_set_tod(&timetv, NULL) != 0) {
- msyslog(LOG_ERR, "step-systime: %m");
- if (enable_panic_check && allow_panic) {
- msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
- }
- return FALSE;
- }
-
- /* <--- time-critical path ended with 'ntp_set_tod()' <--- */
-
- sys_residual = 0;
- lamport_violated = (step < 0);
- if (step_callback)
- (*step_callback)();
-
-#ifdef NEED_HPUX_ADJTIME
- /*
- * CHECKME: is this correct when called by ntpdate?????
- */
- _clear_adjtime();
-#endif
-
- /*
* FreeBSD, for example, has:
* struct utmp {
* char ut_line[UT_LINESIZE];
@@ -589,6 +507,83 @@
#endif /* UPDATE_WTMPX */
}
+}
+
+/*
+ * step_systime - step the system clock.
+ */
+
+int
+step_systime(
+ double step
+ )
+{
+ time_t pivot; /* for ntp era unfolding */
+ struct timeval timetv, tvlast;
+ struct timespec timets;
+ l_fp fp_ofs, fp_sys; /* offset and target system time in FP */
+
+ /*
+ * Get pivot time for NTP era unfolding. Since we don't step
+ * very often, we can afford to do the whole calculation from
+ * scratch. And we're not in the time-critical path yet.
+ */
+#if SIZEOF_TIME_T > 4
+ pivot = basedate_get_eracenter();
+#else
+ /* This makes sure the resulting time stamp is on or after
+ * 1969-12-31/23:59:59 UTC and gives us additional two years,
+ * from the change of NTP era in 2036 to the UNIX rollover in
+ * 2038. (Minus one second, but that won't hurt.) We *really*
+ * need a longer 'time_t' after that! Or a different baseline,
+ * but that would cause other serious trouble, too.
+ */
+ pivot = 0x7FFFFFFF;
+#endif
+
+ /* get the complete jump distance as l_fp */
+ DTOLFP(sys_residual, &fp_sys);
+ DTOLFP(step, &fp_ofs);
+ L_ADD(&fp_ofs, &fp_sys);
+
+ /* ---> time-critical path starts ---> */
+
+ /* get the current time as l_fp (without fuzz) and as struct timeval */
+ get_ostime(&timets);
+ fp_sys = tspec_stamp_to_lfp(timets);
+ tvlast.tv_sec = timets.tv_sec;
+ tvlast.tv_usec = (timets.tv_nsec + 500) / 1000;
+
+ /* get the target time as l_fp */
+ L_ADD(&fp_sys, &fp_ofs);
+
+ /* unfold the new system time */
+ timetv = lfp_stamp_to_tval(fp_sys, &pivot);
+
+ /* now set new system time */
+ if (ntp_set_tod(&timetv, NULL) != 0) {
+ msyslog(LOG_ERR, "step-systime: %m");
+ if (enable_panic_check && allow_panic) {
+ msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
+ }
+ return FALSE;
+ }
+
+ /* <--- time-critical path ended with 'ntp_set_tod()' <--- */
+
+ sys_residual = 0;
+ lamport_violated = (step < 0);
+ if (step_callback)
+ (*step_callback)();
+
+#ifdef NEED_HPUX_ADJTIME
+ /*
+ * CHECKME: is this correct when called by ntpdate?????
+ */
+ _clear_adjtime();
+#endif
+
+ update_uwtmp(timetv, tvlast);
if (enable_panic_check && allow_panic) {
msyslog(LOG_ERR, "step_systime: allow_panic is TRUE!");
INSIST(!allow_panic);
@@ -596,4 +591,93 @@
return TRUE;
}
+static const char *
+tv_fmt_libbuf(
+ const struct timeval * ptv
+ )
+{
+ char * retv;
+ vint64 secs;
+ ntpcal_split dds;
+ struct calendar jd;
+
+ secs = time_to_vint64(&ptv->tv_sec);
+ dds = ntpcal_daysplit(&secs);
+ ntpcal_daysplit_to_date(&jd, &dds, DAY_UNIX_STARTS);
+ LIB_GETBUF(retv);
+ snprintf(retv, LIB_BUFLENGTH,
+ "%04hu-%02hu-%02hu/%02hu:%02hu:%02hu.%06u",
+ jd.year, (u_short)jd.month, (u_short)jd.monthday,
+ (u_short)jd.hour, (u_short)jd.minute, (u_short)jd.second,
+ (u_int)ptv->tv_usec);
+ return retv;
+}
+
+
+int /*BOOL*/
+clamp_systime(void)
+{
+#if SIZEOF_TIME_T > 4
+
+ struct timeval timetv, tvlast;
+ struct timespec timets;
+ uint32_t tdiff;
+
+
+ timetv.tv_sec = basedate_get_erabase();
+
+ /* ---> time-critical path starts ---> */
+
+ /* get the current time as l_fp (without fuzz) and as struct timeval */
+ get_ostime(&timets);
+ tvlast.tv_sec = timets.tv_sec;
+ tvlast.tv_usec = (timets.tv_nsec + 500) / 1000;
+ if (tvlast.tv_usec >= 1000000) {
+ tvlast.tv_usec -= 1000000;
+ tvlast.tv_sec += 1;
+ }
+ timetv.tv_usec = tvlast.tv_usec;
+
+ tdiff = (uint32_t)(tvlast.tv_sec & UINT32_MAX) -
+ (uint32_t)(timetv.tv_sec & UINT32_MAX);
+ timetv.tv_sec += tdiff;
+ if (timetv.tv_sec != tvlast.tv_sec) {
+ /* now set new system time */
+ if (ntp_set_tod(&timetv, NULL) != 0) {
+ msyslog(LOG_ERR, "clamp-systime: %m");
+ return FALSE;
+ }
+ } else {
+ msyslog(LOG_INFO,
+ "clamp-systime: clock (%s) in allowed range",
+ tv_fmt_libbuf(&timetv));
+ return FALSE;
+ }
+
+ /* <--- time-critical path ended with 'ntp_set_tod()' <--- */
+
+ sys_residual = 0;
+ lamport_violated = (timetv.tv_sec < tvlast.tv_sec);
+ if (step_callback)
+ (*step_callback)();
+
+# ifdef NEED_HPUX_ADJTIME
+ /*
+ * CHECKME: is this correct when called by ntpdate?????
+ */
+ _clear_adjtime();
+# endif
+
+ update_uwtmp(timetv, tvlast);
+ msyslog(LOG_WARNING,
+ "clamp-systime: clock stepped from %s to %s!",
+ tv_fmt_libbuf(&tvlast), tv_fmt_libbuf(&timetv));
+ return TRUE;
+
+#else
+
+ return 0;
+#endif
+}
+
#endif /* !SIM */
Index: contrib/ntp/ntpd/complete.conf.in
===================================================================
--- contrib/ntp/ntpd/complete.conf.in (版本 330566)
+++ contrib/ntp/ntpd/complete.conf.in (版本 330908)
@@ -46,14 +46,14 @@
multicastclient 224.0.1.1 ff05::101
mru maxage 64 mindepth 600 initalloc 600 initmem 16 incalloc 99 incmem 4 maxdepth 1024 maxmem 4096
discard minimum 1 average 3 monitor 3000
-restrict default
-restrict default nomodify limited kod noserve nomrulist
-restrict source
-restrict source nomodify limited kod
-restrict trusted.host.name.example.com. nomodify
-restrict [fe80::1] mask [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
-restrict 127.0.0.1 mask 255.255.255.255
-restrict ::1
+restrict default ippeerlimit -1
+restrict default ippeerlimit 0 nomodify limited kod noserve nomrulist
+restrict source ippeerlimit 1
+restrict source ippeerlimit 2 nomodify limited kod
+restrict trusted.host.name.example.com. ippeerlimit -1 nomodify
+restrict [fe80::1] mask [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff] ippeerlimit -1
+restrict 127.0.0.1 mask 255.255.255.255 ippeerlimit -1
+restrict ::1 ippeerlimit -1
interface drop ipv6
interface ignore ipv4
interface drop wildcard
Index: contrib/ntp/ntpd/keyword-gen-utd
===================================================================
--- contrib/ntp/ntpd/keyword-gen-utd (版本 330566)
+++ contrib/ntp/ntpd/keyword-gen-utd (版本 330908)
@@ -1 +1 @@
- * Generated 2016-11-09 11:39:28 UTC diff_ignore_line
+ * Generated 2018-01-14 03:53:33 UTC diff_ignore_line
Index: contrib/ntp/NEWS
===================================================================
--- contrib/ntp/NEWS (版本 330566)
+++ contrib/ntp/NEWS (版本 330908)
@@ -1,4 +1,331 @@
--
+NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
+
+NOTE: this NEWS file will be undergoing more revisions.
+
+Focus: Security, Bug fixes, enhancements.
+
+Severity: MEDIUM
+
+This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
+vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
+provides 65 other non-security fixes and improvements:
+
+* NTP Bug 3454: Unauthenticated packet can reset authenticated interleaved
+ association (LOW/MED)
+ Date Resolved: Stable (4.2.8p11) 27 Feb 2018
+ References: Sec 3454 / CVE-2018-7185 / VU#961909
+ Affects: ntp-4.2.6, up to but not including ntp-4.2.8p11.
+ CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) This could score between
+ 2.9 and 6.8.
+ CVSS3: LOW 3.1 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L This could
+ score between 2.6 and 3.1
+ Summary:
+ The NTP Protocol allows for both non-authenticated and
+ authenticated associations, in client/server, symmetric (peer),
+ and several broadcast modes. In addition to the basic NTP
+ operational modes, symmetric mode and broadcast servers can
+ support an interleaved mode of operation. In ntp-4.2.8p4 a bug
+ was inadvertently introduced into the protocol engine that
+ allows a non-authenticated zero-origin (reset) packet to reset
+ an authenticated interleaved peer association. If an attacker
+ can send a packet with a zero-origin timestamp and the source
+ IP address of the "other side" of an interleaved association,
+ the 'victim' ntpd will reset its association. The attacker must
+ continue sending these packets in order to maintain the
+ disruption of the association. In ntp-4.0.0 thru ntp-4.2.8p6,
+ interleave mode could be entered dynamically. As of ntp-4.2.8p7,
+ interleaved mode must be explicitly configured/enabled.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to 4.2.8p11, or later, from the NTP Project Download Page
+ or the NTP Public Services Project Download Page.
+ If you are unable to upgrade to 4.2.8p11 or later and have
+ 'peer HOST xleave' lines in your ntp.conf file, remove the
+ 'xleave' option.
+ Have enough sources of time.
+ Properly monitor your ntpd instances.
+ If ntpd stops running, auto-restart it without -g .
+ Credit:
+ This weakness was discovered by Miroslav Lichvar of Red Hat.
+
+* NTP Bug 3453: Interleaved symmetric mode cannot recover from bad
+ state (LOW/MED)
+ Date Resolved: Stable (4.2.8p11) 27 Feb 2018
+ References: Sec 3453 / CVE-2018-7184 / VU#961909
+ Affects: ntpd in ntp-4.2.8p4, up to but not including ntp-4.2.8p11.
+ CVSS2: MED 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
+ Could score between 2.9 and 6.8.
+ CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L
+ Could score between 2.6 and 6.0.
+ Summary:
+ The fix for NtpBug2952 was incomplete, and while it fixed one
+ problem it created another. Specifically, it drops bad packets
+ before updating the "received" timestamp. This means a
+ third-party can inject a packet with a zero-origin timestamp,
+ meaning the sender wants to reset the association, and the
+ transmit timestamp in this bogus packet will be saved as the
+ most recent "received" timestamp. The real remote peer does
+ not know this value and this will disrupt the association until
+ the association resets.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
+ or the NTP Public Services Project Download Page.
+ Use authentication with 'peer' mode.
+ Have enough sources of time.
+ Properly monitor your ntpd instances.
+ If ntpd stops running, auto-restart it without -g .
+ Credit:
+ This weakness was discovered by Miroslav Lichvar of Red Hat.
+
+* NTP Bug 3415: Provide a way to prevent authenticated symmetric passive
+ peering (LOW)
+ Date Resolved: Stable (4.2.8p11) 27 Feb 2018
+ References: Sec 3415 / CVE-2018-7170 / VU#961909
+ Sec 3012 / CVE-2016-1549 / VU#718152
+ Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
+ 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
+ CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
+ CVSS3: LOW 3.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
+ Summary:
+ ntpd can be vulnerable to Sybil attacks. If a system is set up to
+ use a trustedkey and if one is not using the feature introduced in
+ ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to
+ specify which IPs can serve time, a malicious authenticated peer
+ -- i.e. one where the attacker knows the private symmetric key --
+ can create arbitrarily-many ephemeral associations in order to win
+ the clock selection of ntpd and modify a victim's clock. Three
+ additional protections are offered in ntp-4.2.8p11. One is the
+ new 'noepeer' directive, which disables symmetric passive
+ ephemeral peering. Another is the new 'ippeerlimit' directive,
+ which limits the number of peers that can be created from an IP.
+ The third extends the functionality of the 4th field in the
+ ntp.keys file to include specifying a subnet range.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
+ or the NTP Public Services Project Download Page.
+ Use the 'noepeer' directive to prohibit symmetric passive
+ ephemeral associations.
+ Use the 'ippeerlimit' directive to limit the number of peers
+ that can be created from an IP.
+ Use the 4th argument in the ntp.keys file to limit the IPs and
+ subnets that can be time servers.
+ Have enough sources of time.
+ Properly monitor your ntpd instances.
+ If ntpd stops running, auto-restart it without -g .
+ Credit:
+ This weakness was reported as Bug 3012 by Matthew Van Gundy of
+ Cisco ASIG, and separately by Stefan Moser as Bug 3415.
+
+* ntpq Bug 3414: decodearr() can write beyond its 'buf' limits (Medium)
+ Date Resolved: 27 Feb 2018
+ References: Sec 3414 / CVE-2018-7183 / VU#961909
+ Affects: ntpq in ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
+ CVSS2: MED 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
+ CVSS3: MED 5.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
+ Summary:
+ ntpq is a monitoring and control program for ntpd. decodearr()
+ is an internal function of ntpq that is used to -- wait for it --
+ decode an array in a response string when formatted data is being
+ displayed. This is a problem in affected versions of ntpq if a
+ maliciously-altered ntpd returns an array result that will trip this
+ bug, or if a bad actor is able to read an ntpq request on its way to
+ a remote ntpd server and forge and send a response before the remote
+ ntpd sends its response. It's potentially possible that the
+ malicious data could become injectable/executable code.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
+ or the NTP Public Services Project Download Page.
+ Credit:
+ This weakness was discovered by Michael Macnair of Thales e-Security.
+
+* NTP Bug 3412: ctl_getitem(): buffer read overrun leads to undefined
+ behavior and information leak (Info/Medium)
+ Date Resolved: 27 Feb 2018
+ References: Sec 3412 / CVE-2018-7182 / VU#961909
+ Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p11.
+ CVSS2: INFO 0.0 - MED 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 0.0 if C:N
+ CVSS3: NONE 0.0 - MED 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
+ 0.0 if C:N
+ Summary:
+ ctl_getitem() is used by ntpd to process incoming mode 6 packets.
+ A malicious mode 6 packet can be sent to an ntpd instance, and
+ if the ntpd instance is from 4.2.8p6 thru 4.2.8p10, that will
+ cause ctl_getitem() to read past the end of its buffer.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to ntp-4.2.8p11 or later from the NTP Project Download Page
+ or the NTP Public Services Project Download Page.
+ Have enough sources of time.
+ Properly monitor your ntpd instances.
+ If ntpd stops running, auto-restart it without -g .
+ Credit:
+ This weakness was discovered by Yihan Lian of Qihoo 360.
+
+* NTP Bug 3012: Sybil vulnerability: ephemeral association attack
+ Also see Bug 3415, above.
+ Date Mitigated: Stable (4.2.8p7) 26 Apr 2016; Dev (4.3.92) 26 Apr 2016
+ Date Resolved: Stable (4.2.8p11) 27 Feb 2018
+ References: Sec 3012 / CVE-2016-1549 / VU#718152
+ Affects: All ntp-4 releases up to, but not including 4.2.8p7, and
+ 4.3.0 up to, but not including 4.3.92. Resolved in 4.2.8p11.
+ CVSS2: LOW 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
+ CVSS3: MED 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N
+ Summary:
+ ntpd can be vulnerable to Sybil attacks. If a system is set up
+ to use a trustedkey and if one is not using the feature
+ introduced in ntp-4.2.8p6 allowing an optional 4th field in the
+ ntp.keys file to specify which IPs can serve time, a malicious
+ authenticated peer -- i.e. one where the attacker knows the
+ private symmetric key -- can create arbitrarily-many ephemeral
+ associations in order to win the clock selection of ntpd and
+ modify a victim's clock. Two additional protections are
+ offered in ntp-4.2.8p11. One is the 'noepeer' directive, which
+ disables symmetric passive ephemeral peering. The other extends
+ the functionality of the 4th field in the ntp.keys file to
+ include specifying a subnet range.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to 4.2.8p11, or later, from the NTP Project Download Page or
+ the NTP Public Services Project Download Page.
+ Use the 'noepeer' directive to prohibit symmetric passive
+ ephemeral associations.
+ Use the 'ippeerlimit' directive to limit the number of peer
+ associations from an IP.
+ Use the 4th argument in the ntp.keys file to limit the IPs
+ and subnets that can be time servers.
+ Properly monitor your ntpd instances.
+ Credit:
+ This weakness was discovered by Matthew Van Gundy of Cisco ASIG.
+
+* Bug fixes:
+ [Bug 3457] OpenSSL FIPS mode regression <perlinger@ntp.org>
+ [Bug 3455] ntpd doesn't use scope id when binding multicast <perlinger@ntp.org>
+ - applied patch by Sean Haugh
+ [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
+ [Bug 3450] Dubious error messages from plausibility checks in get_systime()
+ - removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
+ [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
+ - refactoring the MAC code, too
+ [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
+ [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
+ - applied patch by ggarvey
+ [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
+ - applied patch by ggarvey (with minor mods)
+ [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
+ - applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
+ [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
+ [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
+ [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
+ - fixed several issues with hash algos in ntpd, sntp, ntpq,
+ ntpdc and the test suites <perlinger@ntp.org>
+ [Bug 3424] Trimble Thunderbolt 1024 week millenium bug <perlinger@ntp.org>
+ - initial patch by Daniel Pouzzner
+ [Bug 3423] QNX adjtime() implementation error checking is
+ wrong <perlinger@ntp.org>
+ [Bug 3417] ntpq ifstats packet counters can be negative
+ made IFSTATS counter quantities unsigned <perlinger@ntp.org>
+ [Bug 3411] problem about SIGN(6) packet handling for ntp-4.2.8p10
+ - raised receive buffer size to 1200 <perlinger@ntp.org>
+ [Bug 3408] refclock_jjy.c: Avoid a wrong report of the coverity static
+ analysis tool. <abe@ntp.org>
+ [Bug 3405] update-leap.in: general cleanup, HTTPS support. Paul McMath.
+ [Bug 3404] Fix openSSL DLL usage under Windows <perlinger@ntp.org>
+ - fix/drop assumptions on OpenSSL libs directory layout
+ [Bug 3399] NTP: linker error in 4.2.8p10 during Linux cross-compilation
+ - initial patch by timeflies@mail2tor.com <perlinger@ntp.org>
+ [Bug 3398] tests fail with core dump <perlinger@ntp.org>
+ - patch contributed by Alexander Bluhm
+ [Bug 3397] ctl_putstr() asserts that data fits in its buffer
+ rework of formatting & data transfer stuff in 'ntp_control.c'
+ avoids unecessary buffers and size limitations. <perlinger@ntp.org>
+ [Bug 3394] Leap second deletion does not work on ntpd clients
+ - fixed handling of dynamic deletion w/o leap file <perlinger@ntp.org>
+ [Bug 3391] ntpd segfaults on startup due to small warmup thread stack size
+ - increased mimimum stack size to 32kB <perlinger@ntp.org>
+ [Bug 3367] Faulty LinuxPPS NMEA clock support in 4.2.8 <perlinger@ntp.org>
+ - reverted handling of PPS kernel consumer to 4.2.6 behavior
+ [Bug 3365] Updates driver40(-ja).html and miscopt.html <abe@ntp.org>
+ [Bug 3358] Spurious KoD log messages in .INIT. phase. HStenn.
+ [Bug 3016] wrong error position reported for bad ":config pool"
+ - fixed location counter & ntpq output <perlinger@ntp.org>
+ [Bug 2900] libntp build order problem. HStenn.
+ [Bug 2878] Tests are cluttering up syslog <perlinger@ntp.org>
+ [Bug 2737] Wrong phone number listed for USNO. ntp-bugs@bodosom.net,
+ perlinger@ntp.org
+ [Bug 2557] Fix Thunderbolt init. ntp-bugs@bodosom.net, perlinger@ntp.
+ [Bug 948] Trustedkey config directive leaks memory. <perlinger@ntp.org>
+ Use strlcpy() to copy strings, not memcpy(). HStenn.
+ Typos. HStenn.
+ test_ntp_scanner_LDADD needs ntpd/ntp_io.o. HStenn.
+ refclock_jjy.c: Add missing "%s" to an msyslog() call. HStenn.
+ Build ntpq and libntpq.a with NTP_HARD_*FLAGS. perlinger@ntp.org
+ Fix trivial warnings from 'make check'. perlinger@ntp.org
+ Fix bug in the override portion of the compiler hardening macro. HStenn.
+ record_raw_stats(): Log entire packet. Log writes. HStenn.
+ AES-128-CMAC support. BInglis, HStenn, JPerlinger.
+ sntp: tweak key file logging. HStenn.
+ sntp: pkt_output(): Improve debug output. HStenn.
+ update-leap: updates from Paul McMath.
+ When using pkg-config, report --modversion. HStenn.
+ Clean up libevent configure checks. HStenn.
+ sntp: show the IP of who sent us a crypto-NAK. HStenn.
+ Allow .../N to specify subnet bits for IPs in ntp.keys. HStenn, JPerlinger.
+ authistrustedip() - use it in more places. HStenn, JPerlinger.
+ New sysstats: sys_lamport, sys_tsrounding. HStenn.
+ Update ntp.keys .../N documentation. HStenn.
+ Distribute testconf.yml. HStenn.
+ Add DPRINTF(2,...) lines to receive() for packet drops. HStenn.
+ Rename the configuration flag fifo variables. HStenn.
+ Improve saveconfig output. HStenn.
+ Decode restrict flags on receive() debug output. HStenn.
+ Decode interface flags on receive() debug output. HStenn.
+ Warn the user if deprecated "driftfile name WanderThreshold" is used. HStenn.
+ Update the documentation in ntp.conf.def . HStenn.
+ restrictions() must return restrict flags and ippeerlimit. HStenn.
+ Update ntpq peer documentation to describe the 'p' type. HStenn.
+ Rename restrict 'flags' to 'rflags. Use an enum for the values. HStenn.
+ Provide dump_restricts() for debugging. HStenn.
+ Use consistent 4th arg type for [gs]etsockopt. JPerlinger.
+
+* Other items:
+
+* update-leap needs the following perl modules:
+ Net::SSLeay
+ IO::Socket::SSL
+
+* New sysstats variables: sys_lamport, sys_tsrounding
+See them with: ntpq -c "rv 0 ss_lamport,ss_tsrounding"
+sys_lamport counts the number of observed Lamport violations, while
+sys_tsrounding counts observed timestamp rounding events.
+
+* New ntp.conf items:
+
+- restrict ... noepeer
+- restrict ... ippeerlimit N
+
+The 'noepeer' directive will disallow all ephemeral/passive peer
+requests.
+
+The 'ippeerlimit' directive limits the number of time associations
+for each IP in the designated set of addresses. This limit does not
+apply to explicitly-configured associations. A value of -1, the current
+default, means an unlimited number of associations may connect from a
+single IP. 0 means "none", etc. Ordinarily the only way multiple
+associations would come from the same IP would be if the remote side
+was using a proxy. But a trusted machine might become compromised,
+in which case an attacker might spin up multiple authenticated sessions
+from different ports. This directive should be helpful in this case.
+
+* New ntp.keys feature: Each IP in the optional list of IPs in the 4th
+field may contain a /subnetbits specification, which identifies the
+scope of IPs that may use this key. This IP/subnet restriction can be
+used to limit the IPs that may use the key in most all situations where
+a key is used.
+--
NTP 4.2.8p10 (Harlan Stenn <stenn@ntp.org>, 2017/03/21)
Focus: Security, Bug fixes, enhancements.
@@ -960,7 +1287,7 @@
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
- Properly monitor your =ntpd= instances
+ Properly monitor your ntpd instances
Credit: This weakness was discovered by Stephen Gray and
Matthew Van Gundy of Cisco ASIG.
@@ -1029,7 +1356,7 @@
Implement BCP-38.
Upgrade to 4.2.8p7, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
- Properly monitor your =ntpd= instances
+ Properly monitor your ntpd instances
Credit: This weakness was discovered by Yihan Lian of the Cloud
Security Team, Qihoo 360.
@@ -1266,7 +1593,7 @@
Configure 'ntpd' to get time from multiple sources.
Upgrade to 4.2.8p6, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page.
- Monitor your 'ntpd= instances.
+ Monitor your 'ntpd' instances.
Credit: This weakness was discovered by Matthey Van Gundy and
Jonathan Gardner of Cisco ASIG.
Index: contrib/ntp/configure
===================================================================
--- contrib/ntp/configure (版本 330566)
+++ contrib/ntp/configure (版本 330908)
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for ntp 4.2.8p10.
+# Generated by GNU Autoconf 2.69 for ntp 4.2.8p11.
#
# Report bugs to <http://bugs.ntp.org./>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='ntp'
PACKAGE_TARNAME='ntp'
-PACKAGE_VERSION='4.2.8p10'
-PACKAGE_STRING='ntp 4.2.8p10'
+PACKAGE_VERSION='4.2.8p11'
+PACKAGE_STRING='ntp 4.2.8p11'
PACKAGE_BUGREPORT='http://bugs.ntp.org./'
PACKAGE_URL='http://www.ntp.org./'
@@ -944,6 +944,7 @@
enable_option_checking
enable_silent_rules
enable_dependency_tracking
+with_hardenfile
with_locfile
enable_shared
enable_static
@@ -1613,7 +1614,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures ntp 4.2.8p10 to adapt to many kinds of systems.
+\`configure' configures ntp 4.2.8p11 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1683,7 +1684,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of ntp 4.2.8p10:";;
+ short | recursive ) echo "Configuration of ntp 4.2.8p11:";;
esac
cat <<\_ACEOF
@@ -1699,6 +1700,7 @@
do not reject slow dependency extractors
--disable-dependency-tracking
speeds up one-time build
+ --with-hardenfile=XXX os-specific or "/dev/null"
--with-locfile=XXX os-specific or "legacy"
--enable-shared[=PKGS] build shared libraries [default=no]
--enable-static[=PKGS] build static libraries [default=yes]
@@ -1921,7 +1923,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-ntp configure 4.2.8p10
+ntp configure 4.2.8p11
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2630,7 +2632,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by ntp $as_me 4.2.8p10, which was
+It was created by ntp $as_me 4.2.8p11, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3631,7 +3633,7 @@
# Define the identity of the package.
PACKAGE='ntp'
- VERSION='4.2.8p10'
+ VERSION='4.2.8p11'
cat >>confdefs.h <<_ACEOF
@@ -6581,11 +6583,11 @@
$as_echo_n "checking for compile/link hardening flags... " >&6; }
-# Check whether --with-locfile was given.
-if test "${with_locfile+set}" = set; then :
- withval=$with_locfile;
+# Check whether --with-hardenfile was given.
+if test "${with_hardenfile+set}" = set; then :
+ withval=$with_hardenfile;
else
- with_locfile=no
+ with_hardenfile=no
fi
@@ -6593,12 +6595,12 @@
( \
SENTINEL_DIR="$PWD" && \
cd $srcdir/sntp && \
- case "$with_locfile" in \
+ case "$with_hardenfile" in \
yes|no|'') \
scripts/genHardFlags -d "$SENTINEL_DIR" \
;; \
*) \
- scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \
+ scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \
;; \
esac \
) > genHardFlags.i 2> genHardFlags.err
@@ -15937,8 +15939,13 @@
if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent
then
ntp_use_local_libevent=no
- { $as_echo "$as_me:${as_lineno-$LINENO}: Using the installed libevent" >&5
-$as_echo "$as_me: Using the installed libevent" >&6;}
+ ntp_libevent_version="`$PKG_CONFIG --modversion libevent`"
+ case "$ntp_libevent_version" in
+ *.*) ;;
+ *) ntp_libevent_version='(unknown)' ;;
+ esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_libevent_version" >&5
+$as_echo "yes, version $ntp_libevent_version" >&6; }
CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads`
CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent`
# HMS: I hope the following is accurate.
@@ -15966,8 +15973,6 @@
LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads"
esac
LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
else
ntp_use_local_libevent=yes
# HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS
@@ -26468,6 +26473,36 @@
done
+
+
+# We could do a cv check here, but is it worth it?
+
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <sys/socket.h>
+ #ifndef AF_UNSPEC
+ #include "Bletch: AF_UNSPEC is undefined!"
+ #endif
+ #if AF_UNSPEC != 0
+ #include "Bletch: AF_UNSPEC != 0"
+ #endif
+
+int
+main ()
+{
+{ $as_echo "$as_me:${as_lineno-$LINENO}: AF_UNSPEC is zero, as expected." >&5
+$as_echo "$as_me: AF_UNSPEC is zero, as expected." >&6;}
+ ;
+ return 0;
+}
+
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5
$as_echo_n "checking return type of signal handlers... " >&6; }
if ${ac_cv_type_signal+:} false; then :
@@ -30114,8 +30149,13 @@
VER_SUFFIX=o
ntp_openssl=yes
ntp_openssl_from_pkg_config=yes
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`"
+ case "$ntp_openssl_version" in
+ *.*) ;;
+ *) ntp_openssl_version='(unknown)' ;;
+ esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_openssl_version" >&5
+$as_echo "yes, version $ntp_openssl_version" >&6; }
break
fi
@@ -33924,7 +33964,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by ntp $as_me 4.2.8p10, which was
+This file was extended by ntp $as_me 4.2.8p11, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -33991,7 +34031,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-ntp config.status 4.2.8p10
+ntp config.status 4.2.8p11
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
Index: contrib/ntp/html/authentic.html
===================================================================
--- contrib/ntp/html/authentic.html (版本 330566)
+++ contrib/ntp/html/authentic.html (版本 330908)
@@ -46,14 +46,40 @@
<p>By default, the client sends non-authenticated packets and the server responds with non-authenticated packets. If the client sends authenticated packets, the server responds with authenticated packets if correct, or a crypto-NAK packet if not. In the case of unsolicited packets which might consume significant resources, such as broadcast or symmetric mode packets, authentication is required, unless overridden by a <tt>disable auth</tt> command. In the current climate of targeted broadcast or &quot;letterbomb&quot; attacks, defeating this requirement would be decidedly dangerous. In any case, the <tt>notrust </tt>flag, described on the <a href="authopt.html">Access Control Options</a> page, can be used to disable access to all but correctly authenticated clients.</p>
<h4 id="symm">Symmetric Key Cryptography</h4>
<p>The original NTPv3 specification (RFC-1305), as well as the current NTPv4 specification (RFC-5905), allows any one of possibly 65,534 message digest keys (excluding zero), each distinguished by a 32-bit key ID, to authenticate an association. The servers and clients involved must agree on the key ID, key type and key to authenticate NTP packets.</p>
-<p>The message digest is a cryptographic hash computed by an algorithm such as MD5 or SHA. When authentication is specified, a message authentication code (MAC) is appended to the NTP packet header. The MAC consists of a 32-bit key identifier (key ID) followed by a 128- or 160-bit message digest. The algorithm computes the digest as the hash of a 128- or 160- bit message digest key concatenated with the NTP packet header fields with the exception of the MAC. On transmit, the message digest is computed and inserted in the MAC. On receive, the message digest is computed and compared with the MAC. The packet is accepted only if the two MACs are identical. If a discrepancy is found by the client, the client ignores the packet, but raises an alarm. If this happens at the server, the server returns a special message called a <em>crypto-NAK</em>. Since the crypto-NAK is protected by the loopback test, an intruder cannot disrupt the protocol by sending a bogus crypto-NAK.</p>
+<p>The message digest is a cryptographic hash computed by an algorithm such as MD5, SHA, or AES-128 CMAC. When authentication is specified, a message authentication code (MAC) is appended to the NTP packet header. The MAC consists of a 32-bit key identifier (key ID) followed by a 128- or 160-bit message digest. The algorithm computes the digest as the hash of a 128- or 160- bit message digest key concatenated with the NTP packet header fields with the exception of the MAC. On transmit, the message digest is computed and inserted in the MAC. On receive, the message digest is computed and compared with the MAC. The packet is accepted only if the two MACs are identical. If a discrepancy is found by the client, the client ignores the packet, but raises an alarm. If this happens at the server, the server returns a special message called a <em>crypto-NAK</em>. Since the crypto-NAK is protected by the loopback test, an intruder cannot disrupt the protocol by sending a bogus crypto-NAK.</p>
<p>Keys and related information are specified in a keys file, which must be distributed and stored using secure means beyond the scope of the NTP protocol itself. Besides the keys used for ordinary NTP associations, additional keys can be used as passwords for the <tt><a href="ntpq.html">ntpq</a></tt> and <tt><a href="ntpdc.html">ntpdc</a></tt> utility programs. Ordinarily, the <tt>ntp.keys</tt> file is generated by the <tt><a href="keygen.html">ntp-keygen</a></tt> program, but it can be constructed and edited using an ordinary text editor.</p>
<p> Each line of the keys file consists of three or four fields: a key ID in the range 1 to 65,534, inclusive, a key type, a message digest key consisting of a printable ASCII string less than 40 characters or a 40-character hex digit string, and an optional comma-separated list of IPs that are allowed to serve time. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by the library. If the OpenSSL library is not installed, the only permitted key type is MD5.</p>
-<div align="center">
- <p><img src="pic/sx5.gif" alt="gif"></p>
- <p>Figure 1. Typical Symmetric Key File</p>
-</div>
-<p>Figure 1 shows a typical keys file used by the reference implementation when the OpenSSL library is installed. In this figure, for key IDs in he range 1-10, the key is interpreted as a printable ASCII string. For key IDs in the range 11-20, the key is a 40-character hex digit string. The key is truncated or zero-filled internally to either 128 or 160 bits, depending on the key type. The line can be edited later or new lines can be added to change any field. The key can be change to a password, such as <tt>2late4Me</tt> for key ID 10. Note that two or more keys files can be combined in any order as long as the key IDs are distinct.</p>
+<table>
+ <caption style="caption-side: bottom;">
+ Figure 1. Typical Symmetric Key File
+ </caption>
+ <tr><td style="border: 1px solid black; border-spacing: 0;">
+ <pre style="color:grey;">
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+
+1 MD5 L";Nw&lt;`.I&lt;f4U0)247"i # MD5 key
+2 MD5 &amp;&gt;l0%XXK9O'51VwV&lt;xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
+5 MD5 B;fxlKgr/&amp;4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key
+7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+ </pre></td></tr></table>
+<p>Figure 1 shows a typical keys file used by the reference implementation when the OpenSSL library is installed. In this figure, for key IDs in he range 1-10, the key is interpreted as a printable ASCII string. For key IDs in the range 11-20, the key is a 40-character hex digit string. The key is truncated or zero-filled internally to either 128 or 160 bits, depending on the key type. The line can be edited later or new lines can be added to change any field. The key can be changed to a password, such as <tt>2late4Me</tt> for key ID 10. Note that two or more keys files can be combined in any order as long as the key IDs are distinct.</p>
<p>When <tt>ntpd</tt> is started, it reads the keys file specified by the <tt>keys</tt> command and installs the keys in the key cache. However, individual keys must be activated with the <tt>trustedkey</tt> configuration command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using <tt>ntpq</tt> or <tt>ntpdc</tt>. The <tt>requestkey</tt> command selects the key ID used as the password for the <tt>ntpdc</tt> utility, while the <tt>controlkey</tt> command selects the key ID used as the password for the <tt>ntpq</tt> utility.</p>
<h4 id="windows">Microsoft Windows Authentication</h4>
<p>In addition to the above means, <tt>ntpd</tt> now supports Microsoft Windows MS-SNTP authentication using Active Directory services. This support was contributed by the Samba Team and is still in development. It is enabled using the <tt>mssntp</tt> flag of the <tt>restrict</tt> command described on the <a href="accopt.html#restrict">Access Control Options</a> page. <span class="style1">Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.</span></p>
Index: contrib/ntp/html/miscopt.html
===================================================================
--- contrib/ntp/html/miscopt.html (版本 330566)
+++ contrib/ntp/html/miscopt.html (版本 330908)
@@ -3,7 +3,6 @@
<head>
<meta http-equiv="content-type" content="text/html;charset=iso-8859-1">
<title>Miscellaneous Commands and Options</title>
-<!-- Changed by: Harlan Stenn, 17-Nov-2015 -->
<link href="scripts/style.css" type="text/css" rel="stylesheet">
</head>
<body>
@@ -11,7 +10,7 @@
<img src="pic/boom3.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Pogo</i>, Walt Kelly</a>
<p>We have three, now looking for more.</p>
<p>Last update:
- <!-- #BeginDate format:En2m -->9-Nov-2016 12:26<!-- #EndDate -->
+ <!-- #BeginDate format:En2m -->14-Oct-2017 08:34<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
@@ -105,7 +104,10 @@
<dt id="nonvolatile"><tt>nonvolatile <i>threshold</i></tt></dt>
<dd>Specify the <i><tt>threshold</tt></i> in seconds to write the frequency file, with default of 1e-7 (0.1 PPM). The frequency file is inspected each hour. If the difference between the current frequency and the last value written exceeds the threshold, the file is written and the <tt><em>threshold</em></tt> becomes the new threshold value. If the threshold is not exceeded, it is reduced by half. This is intended to reduce the frequency of unnecessary file writes for embedded systems with nonvolatile memory.</dd>
<dt id="phone"><tt>phone <i>dial</i> ...</tt></dt>
- <dd>This command is used in conjunction with the ACTS modem driver (type 18). The arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services. The Hayes command ATDT&nbsp;is normally prepended to the number, which can contain other modem control codes as well.</dd>
+ <dd>This command is used in conjunction with the ACTS modem driver (type 18) or the JJY driver (type 40 mode 100 - 180).
+ For the ACTS modem driver (type 18), the arguments consist of a maximum of 10 telephone numbers used to dial USNO, NIST or European time services.
+ For the JJY driver (type 40 mode 100 - 180), the argument is one telephone number used to dial the telephone JJY service.
+ The Hayes command ATDT&nbsp;is normally prepended to the number, which can contain other modem control codes as well.</dd>
<dt id="reset"><tt>reset [allpeers] [auth] [ctl] [io] [mem] [sys] [timer]</tt></dt>
<dd>Reset one or more groups of counters maintained by ntpd and exposed by <tt>ntpq</tt> and <tt>ntpdc</tt>.</dd>
<dt id="rlimit"><tt>rlimit [memlock <i>Nmegabytes</i> | stacksize <i>N4kPages</i> | filenum <i>Nfiledescriptors</i>]</tt></dt>
@@ -145,10 +147,12 @@
<dd>Specifies the stepout threshold in seconds. The default without this command is 300 s. Since this option also affects the training and startup intervals, it should not be set less than the default. Further details are on the <a href="clock.html">Clock State Machine</a> page.</dd>
</dl>
</dd>
- <dt id="tos"><tt>tos [bcpollbstep <i>poll-gate</i> | beacon <i>beacon</i> | ceiling <i>ceiling</i> | cohort {0 | 1} | floor <i>floor</i> | maxclock <i>maxclock </i>| maxdist <i>maxdist</i> | minclock <i>minclock</i> | mindist <i>mindist </i>| minsane <i>minsane</i> | orphan <i>stratum</i> | orphanwait <em>delay</em>]</tt></dt>
+ <dt id="tos"><tt>tos [basedate <i>date<i> | bcpollbstep <i>poll-gate</i> | beacon <i>beacon</i> | ceiling <i>ceiling</i> | cohort {0 | 1} | floor <i>floor</i> | maxclock <i>maxclock </i>| maxdist <i>maxdist</i> | minclock <i>minclock</i> | mindist <i>mindist </i>| minsane <i>minsane</i> | orphan <i>stratum</i> | orphanwait <em>delay</em>]</tt></dt>
<dd>This command alters certain system variables used by the the clock selection and clustering algorithms. The default values of these variables have been carefully optimized for a wide range of network speeds and reliability expectations. Very rarely is it necessary to change the default values; but, some folks can't resist twisting the knobs. It can be used to select the quality and quantity of peers used to synchronize the system clock and is most useful in dynamic server discovery schemes. The options are as follows:</dd>
<dd>
<dl>
+ <dt><tt>basedate <i>date</i></tt></dt>
+ <dd>Set NTP era anchor. <tt><i>date</i></tt> is either a date in ISO8601 format (<i>YYYY-MM-DD<i>) or an integer giving the days since 1900-01-01, the start of the NTP epoch. <tt>ntpd</tt> will clamp the system time to an era starting with the begin of this this day (00:00:00Z), covering a range of 2<sup>32</sup> seconds or roughly 136 years. The default is the begin of the UNIX epoch, 1970-01-01.</dd>
<dt><tt>bcpollbstep <i>poll-gate</i></tt></dt>
<dd>This option will cause the client to delay believing backward time steps from a broadcast server for <tt>bcpollbstep</tt> poll intervals. NTP Broadcast networks are expected to be trusted, and if the server's time gets stepped backwards then it's desireable that the clients follow this change as soon as possible. However, in spite of various protections built-in to the broadcast protocol, it is possible that an attacker could perform a carefully-constructed replay attack and cause clients to erroneously step their clocks backward. If the risk of a successful broadcast replay attack is greater than the risk of the clients being out of sync in the event that there is a backward step on the broadcast time servers, this option may be used to cause the clients to delay beliveving backward time steps until <i>poll-gate</i> consecutive polls have been received. The default is 0, which means the client will accept these steps upon receipt. Any value from 0 to 4 can be specified.</dd>
<dt><tt>beacon <i>beacon</i></tt></dt>
Index: contrib/ntp/include/isc/Makefile.in
===================================================================
--- contrib/ntp/include/isc/Makefile.in (版本 330566)
+++ contrib/ntp/include/isc/Makefile.in (版本 330908)
@@ -100,6 +100,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/include/ntp_fp.h
===================================================================
--- contrib/ntp/include/ntp_fp.h (版本 330566)
+++ contrib/ntp/include/ntp_fp.h (版本 330908)
@@ -364,6 +364,7 @@
extern void get_systime (l_fp *);
extern int step_systime (double);
extern int adj_systime (double);
+extern int clamp_systime (void);
extern struct tm * ntp2unix_tm (u_int32 ntp, int local);
Index: contrib/ntp/include/ntpd.h
===================================================================
--- contrib/ntp/include/ntpd.h (版本 330566)
+++ contrib/ntp/include/ntpd.h (版本 330908)
@@ -168,19 +168,19 @@
/* ntp_peer.c */
extern void init_peer (void);
extern struct peer *findexistingpeer(sockaddr_u *, const char *,
- struct peer *, int, u_char);
+ struct peer *, int, u_char, int *);
extern struct peer *findpeer (struct recvbuf *, int, int *);
extern struct peer *findpeerbyassoc(associd_t);
extern void set_peerdstadr (struct peer *, endpt *);
-extern struct peer *newpeer (sockaddr_u *, const char *,
- endpt *, u_char, u_char,
- u_char, u_char, u_int, u_char, u_int32,
+extern struct peer *newpeer (sockaddr_u *, const char *, endpt *,
+ int, u_char, u_char, u_char, u_char,
+ u_int, u_char, u_int32,
keyid_t, const char *);
extern void peer_all_reset (void);
extern void peer_clr_stats (void);
-extern struct peer *peer_config(sockaddr_u *, const char *,
- endpt *, u_char, u_char,
- u_char, u_char, u_int, u_int32,
+extern struct peer *peer_config(sockaddr_u *, const char *, endpt *,
+ int, u_char, u_char, u_char, u_char,
+ u_int, u_int32,
keyid_t, const char *);
extern void peer_reset (struct peer *);
extern void refresh_all_peerinterfaces(void);
@@ -257,10 +257,11 @@
/* ntp_restrict.c */
extern void init_restrict (void);
-extern u_short restrictions (sockaddr_u *);
-extern void hack_restrict (int, sockaddr_u *, sockaddr_u *,
- u_short, u_short, u_long);
+extern void restrictions (sockaddr_u *, r4addr *);
+extern void hack_restrict (restrict_op, sockaddr_u *, sockaddr_u *,
+ short, u_short, u_short, u_long);
extern void restrict_source (sockaddr_u *, int, u_long);
+extern void dump_restricts (void);
/* ntp_timer.c */
extern void init_timer (void);
@@ -288,7 +289,7 @@
extern void record_clock_stats (sockaddr_u *, const char *);
extern int mprintf_clock_stats(sockaddr_u *, const char *, ...)
NTP_PRINTF(2, 3);
-extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int ppoll, int precision, double root_delay, double root_dispersion, u_int32 refid);
+extern void record_raw_stats (sockaddr_u *srcadr, sockaddr_u *dstadr, l_fp *t1, l_fp *t2, l_fp *t3, l_fp *t4, int leap, int version, int mode, int stratum, int ppoll, int precision, double root_delay, double root_dispersion, u_int32 refid, int len, u_char *extra);
extern void check_leap_file (int is_daily_check, u_int32 ntptime, const time_t * systime);
extern void record_crypto_stats (sockaddr_u *, const char *);
#ifdef DEBUG
@@ -500,18 +501,19 @@
/*
* Statistics counters
*/
-extern u_long sys_stattime; /* time since reset */
-extern u_long sys_received; /* packets received */
-extern u_long sys_processed; /* packets for this host */
-extern u_long sys_restricted; /* restricted packets */
+extern u_long sys_badauth; /* bad authentication */
+extern u_long sys_badlength; /* bad length or format */
+extern u_long sys_declined; /* declined */
+extern u_long sys_kodsent; /* KoD sent */
+extern u_long sys_lamport; /* Lamport violation */
+extern u_long sys_limitrejected; /* rate exceeded */
extern u_long sys_newversion; /* current version */
extern u_long sys_oldversion; /* old version */
+extern u_long sys_processed; /* packets for this host */
+extern u_long sys_received; /* packets received */
extern u_long sys_restricted; /* access denied */
-extern u_long sys_badlength; /* bad length or format */
-extern u_long sys_badauth; /* bad authentication */
-extern u_long sys_declined; /* declined */
-extern u_long sys_limitrejected; /* rate exceeded */
-extern u_long sys_kodsent; /* KoD sent */
+extern u_long sys_stattime; /* time since reset */
+extern u_long sys_tsrounding; /* timestamp rounding errors */
/* ntp_request.c */
extern keyid_t info_auth_keyid; /* keyid used to authenticate requests */
Index: contrib/ntp/kernel/sys/Makefile.in
===================================================================
--- contrib/ntp/kernel/sys/Makefile.in (版本 330566)
+++ contrib/ntp/kernel/sys/Makefile.in (版本 330908)
@@ -100,6 +100,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/libntp/authkeys.c
===================================================================
--- contrib/ntp/libntp/authkeys.c (版本 330566)
+++ contrib/ntp/libntp/authkeys.c (版本 330908)
@@ -114,13 +114,16 @@
KeyAccT*
keyacc_new_push(
KeyAccT * head,
- const sockaddr_u * addr
+ const sockaddr_u * addr,
+ unsigned int subnetbits
)
{
KeyAccT * node = emalloc(sizeof(KeyAccT));
memcpy(&node->addr, addr, sizeof(sockaddr_u));
+ node->subnetbits = subnetbits;
node->next = head;
+
return node;
}
@@ -165,7 +168,8 @@
{
if (head) {
do {
- if (SOCK_EQ(&head->addr, addr))
+ if (keyacc_amatch(&head->addr, addr,
+ head->subnetbits))
return TRUE;
} while (NULL != (head = head->next));
return FALSE;
@@ -174,7 +178,99 @@
}
}
+#if CHAR_BIT != 8
+# error "don't know how to handle bytes with that bit size"
+#endif
+/* ----------------------------------------------------------------- */
+/* check two addresses for a match, taking a prefix length into account
+ * when doing the compare.
+ *
+ * The ISC lib contains a similar function with not entirely specified
+ * semantics, so it seemed somewhat cleaner to do this from scratch.
+ *
+ * Note 1: It *is* assumed that the addresses are stored in network byte
+ * order, that is, most significant byte first!
+ *
+ * Note 2: "no address" compares unequal to all other addresses, even to
+ * itself. This has the same semantics as NaNs have for floats: *any*
+ * relational or equality operation involving a NaN returns FALSE, even
+ * equality with itself. "no address" is either a NULL pointer argument
+ * or an address of type AF_UNSPEC.
+ */
+int/*BOOL*/
+keyacc_amatch(
+ const sockaddr_u * a1,
+ const sockaddr_u * a2,
+ unsigned int mbits
+ )
+{
+ const uint8_t * pm1;
+ const uint8_t * pm2;
+ uint8_t msk;
+ unsigned int len;
+
+ /* 1st check: If any address is not an address, it's inequal. */
+ if ( !a1 || (AF_UNSPEC == AF(a1)) ||
+ !a2 || (AF_UNSPEC == AF(a2)) )
+ return FALSE;
+
+ /* We could check pointers for equality here and shortcut the
+ * other checks if we find object identity. But that use case is
+ * too rare to care for it.
+ */
+
+ /* 2nd check: Address families must be the same. */
+ if (AF(a1) != AF(a2))
+ return FALSE;
+
+ /* type check: address family determines buffer & size */
+ switch (AF(a1)) {
+ case AF_INET:
+ /* IPv4 is easy: clamp size, get byte pointers */
+ if (mbits > sizeof(NSRCADR(a1)) * 8)
+ mbits = sizeof(NSRCADR(a1)) * 8;
+ pm1 = (const void*)&NSRCADR(a1);
+ pm2 = (const void*)&NSRCADR(a2);
+ break;
+
+ case AF_INET6:
+ /* IPv6 is slightly different: Both scopes must match,
+ * too, before we even consider doing a match!
+ */
+ if ( ! SCOPE_EQ(a1, a2))
+ return FALSE;
+ if (mbits > sizeof(NSRCADR6(a1)) * 8)
+ mbits = sizeof(NSRCADR6(a1)) * 8;
+ pm1 = (const void*)&NSRCADR6(a1);
+ pm2 = (const void*)&NSRCADR6(a2);
+ break;
+
+ default:
+ /* don't know how to compare that!?! */
+ return FALSE;
+ }
+
+ /* Split bit length into byte length and partial byte mask.
+ * Note that the byte mask extends from the MSB of a byte down,
+ * and that zero shift (--> mbits % 8 == 0) results in an
+ * all-zero mask.
+ */
+ msk = 0xFFu ^ (0xFFu >> (mbits & 7));
+ len = mbits >> 3;
+
+ /* 3rd check: Do memcmp() over full bytes, if any */
+ if (len && memcmp(pm1, pm2, len))
+ return FALSE;
+
+ /* 4th check: compare last incomplete byte, if any */
+ if (msk && ((pm1[len] ^ pm2[len]) & msk))
+ return FALSE;
+
+ /* If none of the above failed, we're successfully through. */
+ return TRUE;
+}
+
/*
* init_auth - initialize internal data
*/
@@ -316,6 +412,10 @@
return (u_short)r;
}
+int/*BOOL*/
+ipaddr_match_masked(const sockaddr_u *,const sockaddr_u *,
+ unsigned int mbits);
+
static void
authcache_flush_id(
keyid_t id
@@ -617,20 +717,19 @@
{
symkey * sk;
- /* That specific key was already used to authenticate the
- * packet. Therefore, the key *must* exist... There's a chance
- * that is not trusted, though.
- */
if (keyno == cache_keyid) {
return (KEY_TRUSTED & cache_flags) &&
keyacc_contains(cache_keyacclist, sau, TRUE);
- } else {
+ }
+
+ if (NULL != (sk = auth_findkey(keyno))) {
authkeyuncached++;
- sk = auth_findkey(keyno);
- INSIST(NULL != sk);
return (KEY_TRUSTED & sk->flags) &&
keyacc_contains(sk->keyacclist, sau, TRUE);
}
+
+ authkeynotfound++;
+ return FALSE;
}
/* Note: There are two locations below where 'strncpy()' is used. While
@@ -795,7 +894,9 @@
return 0;
}
- return MD5authencrypt(cache_type, cache_secret, pkt, length);
+ return MD5authencrypt(cache_type,
+ cache_secret, cache_secretsize,
+ pkt, length);
}
@@ -822,6 +923,7 @@
return FALSE;
}
- return MD5authdecrypt(cache_type, cache_secret, pkt, length,
- size);
+ return MD5authdecrypt(cache_type,
+ cache_secret, cache_secretsize,
+ pkt, length, size);
}
Index: contrib/ntp/libntp/ssl_init.c
===================================================================
--- contrib/ntp/libntp/ssl_init.c (版本 330566)
+++ contrib/ntp/libntp/ssl_init.c (版本 330908)
@@ -5,7 +5,7 @@
* Moved from ntpd/ntp_crypto.c crypto_setup()
*/
#ifdef HAVE_CONFIG_H
-#include <config.h>
+# include <config.h>
#endif
#include <ctype.h>
#include <ntp.h>
@@ -13,12 +13,16 @@
#include <lib_strbuf.h>
#ifdef OPENSSL
-#include "openssl/crypto.h"
-#include "openssl/err.h"
-#include "openssl/evp.h"
-#include "openssl/opensslv.h"
-#include "libssl_compat.h"
+# include "openssl/cmac.h"
+# include "openssl/crypto.h"
+# include "openssl/err.h"
+# include "openssl/evp.h"
+# include "openssl/opensslv.h"
+# include "libssl_compat.h"
+# define CMAC_LENGTH 16
+# define CMAC "AES128CMAC"
+
int ssl_init_done;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
@@ -26,8 +30,9 @@
static void
atexit_ssl_cleanup(void)
{
- if (!ssl_init_done)
+ if (!ssl_init_done) {
return;
+ }
ssl_init_done = FALSE;
EVP_cleanup();
@@ -63,7 +68,7 @@
ssl_check_version(void)
{
u_long v;
-
+
v = OpenSSL_version_num();
if ((v ^ OPENSSL_VERSION_NUMBER) & ~0xff0L) {
msyslog(LOG_WARNING,
@@ -77,6 +82,8 @@
INIT_SSL();
}
+#else /* !OPENSSL */
+# define MD5_LENGTH 16
#endif /* OPENSSL */
@@ -88,61 +95,95 @@
*/
int
keytype_from_text(
- const char *text,
- size_t *pdigest_len
+ const char * text,
+ size_t * pdigest_len
)
{
int key_type;
u_int digest_len;
-#ifdef OPENSSL
+#ifdef OPENSSL /* --*-- OpenSSL code --*-- */
const u_long max_digest_len = MAX_MAC_LEN - sizeof(keyid_t);
- u_char digest[EVP_MAX_MD_SIZE];
char * upcased;
char * pch;
+ EVP_MD const * md;
/*
* OpenSSL digest short names are capitalized, so uppercase the
* digest name before passing to OBJ_sn2nid(). If it is not
- * recognized but begins with 'M' use NID_md5 to be consistent
- * with past behavior.
+ * recognized but matches our CMAC string use NID_cmac, or if
+ * it begins with 'M' or 'm' use NID_md5 to be consistent with
+ * past behavior.
*/
INIT_SSL();
+
+ /* get name in uppercase */
LIB_GETBUF(upcased);
strlcpy(upcased, text, LIB_BUFLENGTH);
- for (pch = upcased; '\0' != *pch; pch++)
+
+ for (pch = upcased; '\0' != *pch; pch++) {
*pch = (char)toupper((unsigned char)*pch);
+ }
+
key_type = OBJ_sn2nid(upcased);
+
+ if (!key_type && !strncmp(CMAC, upcased, strlen(CMAC) + 1)) {
+ key_type = NID_cmac;
+
+ if (debug) {
+ fprintf(stderr, "%s:%d:%s():%s:key\n",
+ __FILE__, __LINE__, __func__, CMAC);
+ }
+ }
#else
+
key_type = 0;
#endif
- if (!key_type && 'm' == tolower((unsigned char)text[0]))
+ if (!key_type && 'm' == tolower((unsigned char)text[0])) {
key_type = NID_md5;
+ }
- if (!key_type)
+ if (!key_type) {
return 0;
+ }
if (NULL != pdigest_len) {
#ifdef OPENSSL
- EVP_MD_CTX *ctx;
+ md = EVP_get_digestbynid(key_type);
+ digest_len = (md) ? EVP_MD_size(md) : 0;
- ctx = EVP_MD_CTX_new();
- EVP_DigestInit(ctx, EVP_get_digestbynid(key_type));
- EVP_DigestFinal(ctx, digest, &digest_len);
- EVP_MD_CTX_free(ctx);
- if (digest_len > max_digest_len) {
+ if (!md || digest_len <= 0) {
+ if (key_type == NID_cmac) {
+ digest_len = CMAC_LENGTH;
+
+ if (debug) {
+ fprintf(stderr, "%s:%d:%s():%s:len\n",
+ __FILE__, __LINE__, __func__, CMAC);
+ }
+ } else {
fprintf(stderr,
- "key type %s %u octet digests are too big, max %lu\n",
- keytype_name(key_type), digest_len,
- max_digest_len);
+ "key type %s is not supported by OpenSSL\n",
+ keytype_name(key_type));
msyslog(LOG_ERR,
- "key type %s %u octet digests are too big, max %lu",
- keytype_name(key_type), digest_len,
- max_digest_len);
+ "key type %s is not supported by OpenSSL\n",
+ keytype_name(key_type));
return 0;
+ }
}
+
+ if (digest_len > max_digest_len) {
+ fprintf(stderr,
+ "key type %s %u octet digests are too big, max %lu\n",
+ keytype_name(key_type), digest_len,
+ max_digest_len);
+ msyslog(LOG_ERR,
+ "key type %s %u octet digests are too big, max %lu",
+ keytype_name(key_type), digest_len,
+ max_digest_len);
+ return 0;
+ }
#else
- digest_len = 16;
+ digest_len = MD5_LENGTH;
#endif
*pdigest_len = digest_len;
}
@@ -167,8 +208,18 @@
#ifdef OPENSSL
INIT_SSL();
name = OBJ_nid2sn(nid);
- if (NULL == name)
+
+ if (NID_cmac == nid) {
+ name = CMAC;
+
+ if (debug) {
+ fprintf(stderr, "%s:%d:%s():%s:nid\n",
+ __FILE__, __LINE__, __func__, CMAC);
+ }
+ } else
+ if (NULL == name) {
name = unknown_type;
+ }
#else /* !OPENSSL follows */
if (NID_md5 == nid)
name = "MD5";
@@ -203,3 +254,4 @@
return getpass(pass_prompt);
}
+
Index: contrib/ntp/ntpd/ntp.conf.def
===================================================================
--- contrib/ntp/ntpd/ntp.conf.def (版本 330566)
+++ contrib/ntp/ntpd/ntp.conf.def (版本 330908)
@@ -1534,6 +1534,7 @@
for packets that overflow the rate-control window.
.It Xo Ic restrict address
.Op Cm mask Ar mask
+.Op Cm ippeerlimit Ar int
.Op Ar flag ...
.Xc
The
@@ -1559,6 +1560,15 @@
.Cm default ,
with no mask option, may
be used to indicate the default entry.
+The
+.Cm ippeerlimit
+directive limits the number of peer requests for each IP to
+.Ar int ,
+where a value of -1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
.Cm flag
always
@@ -1609,6 +1619,18 @@
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
+.It Cm noepeer
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+.Pa ntp.keys
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+.Cm noepeer
+to become the default in ntp-4.4.
.It Cm nomodify
Deny
.Xr ntpq 1ntpqmdoc
@@ -1626,10 +1648,10 @@
queries.
Time service is not affected.
.It Cm nopeer
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
.Cm pool
associations, so if you want to use servers from a
@@ -1637,8 +1659,9 @@
directive and also want to use
.Cm nopeer
by default, you'll want a
-.Cm "restrict source ..." line as well that does
-.It not
+.Cm "restrict source ..."
+line as well that does
+.Em not
include the
.Cm nopeer
directive.
@@ -2013,9 +2036,10 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+.El
.Ss Manycast Options
.Bl -tag -width indent
.It Xo Ic tos
@@ -2361,7 +2385,7 @@
page
(available as part of the HTML documentation
provided in
-.Pa /usr/share/doc/ntp ) .
+.Pa /usr/share/doc/ntp ).
.It Cm stratum Ar int
Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
@@ -2639,6 +2663,79 @@
.Xr ntpd 1ntpdmdoc
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
+.It Xo Ic interface
+.Oo
+.Cm listen | Cm ignore | Cm drop
+.Oc
+.Oo
+.Cm all | Cm ipv4 | Cm ipv6 | Cm wildcard
+.Ar name | Ar address
+.Oo Cm / Ar prefixlen
+.Oc
+.Oc
+.Xc
+The
+.Cm interface
+directive controls which network addresses
+.Xr ntpd 1ntpdmdoc
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+.Ar prefixlen
+determines how many bits must match for this rule to apply.
+.Cm ignore
+prevents opening matching addresses,
+.Cm drop
+causes
+.Xr ntpd 1ntpdmdoc
+to open the address and drop all received packets without examination.
+Multiple
+.Cm interface
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+.Cm interface
+directives are disabled if any
+.Fl I ,
+.Fl -interface ,
+.Fl L ,
+or
+.Fl -novirtualips
+command-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+.Cm nic
+directive is an alias for
+.Cm interface .
+.It Ic leapfile Ar leapfile
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+.Li https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list
+or
+.Li ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list .
+The
+.Cm leapfile
+is scanned when
+.Xr ntpd 1ntpdmdoc
+processes the
+.Cm leapfile directive or when
+.Cm ntpd detects that the
+.Ar leapfile
+has changed.
+.Cm ntpd
+checks once a day to see if the
+.Ar leapfile
+has changed.
+The
+.Xr update-leap 1update_leapmdoc
+script can be run to see if the
+.Ar leapfile
+should be updated.
.It Ic leapsmearinterval Ar seconds
This EXPERIMENTAL option is only available if
.Xr ntpd 1ntpdmdoc
@@ -2743,6 +2840,181 @@
This is the same operation as the
.Fl l
command line option.
+.It Xo Ic mru
+.Oo
+.Cm maxdepth Ar count | Cm maxmem Ar kilobytes |
+.Cm mindepth Ar count | Cm maxage Ar seconds |
+.Cm initialloc Ar count | Cm initmem Ar kilobytes |
+.Cm incalloc Ar count | Cm incmem Ar kilobytes
+.Oc
+.Xc
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+.Bl -tag -width indent
+.It Ic maxdepth Ar count
+.It Ic maxmem Ar kilobytes
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+.Cm incalloc
+entries or
+.Cm incmem
+kilobytes larger.
+As with all of the
+.Cm mru
+options offered in units of entries or kilobytes, if both
+.Cm maxdepth
+and
+.Cm maxmem are used, the last one used controls.
+The default is 1024 kilobytes.
+.It Cm mindepth Ar count
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+.Cm mindepth
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+.It Cm maxage Ar seconds
+Once the MRU list has
+.Cm mindepth
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+.Cm maxage
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+.Cm maxdepth / moxmem .
+The default is 64 seconds.
+.It Cm initalloc Ar count
+.It Cm initmem Ar kilobytes
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+.It Cm incalloc Ar count
+.It Cm incmem Ar kilobytes
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+.El
+.It Ic nonvolatile Ar threshold
+Specify the
+.Ar threshold
+delta in seconds before an hourly change to the
+.Cm driftfile
+(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+.Cm threshold
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+.It Ic phone Ar dial ...
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 - 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 - 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+.It Xo Ic reset
+.Oo
+.Ic allpeers
+.Oc
+.Oo
+.Ic auth
+.Oc
+.Oo
+.Ic ctl
+.Oc
+.Oo
+.Ic io
+.Oc
+.Oo
+.Ic mem
+.Oc
+.Oo
+.Ic sys
+.Oc
+.Oo
+.Ic timer
+.Oc
+.Xc
+Reset one or more groups of counters maintained by
+.Cm ntpd
+and exposed by
+.Cm ntpq
+and
+.Cm ntpdc .
+.It Xo Ic rlimit
+.Oo
+.Cm memlock Ar Nmegabytes |
+.Cm stacksize Ar N4kPages
+.Cm filenum Ar Nfiledescriptors
+.Oc
+.Xc
+.Bl -tag -width indent
+.It Cm memlock Ar Nmegabytes
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+.Fl i
+option).
+The default is 32 megabytes on non-Linux machines, and -1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+.It Cm stacksize Ar N4kPages
+Specifies the maximum size of the process stack on systems with the
+.Fn mlockall
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+.It Cm filenum Ar Nfiledescriptors
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+.El
+.It Ic saveconfigdir Ar directory_path
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+.Cm saveconfig
+command.
+If
+.Cm saveconfigdir
+does not appear in the configuration file,
+.Cm saveconfig
+requests are rejected by
+.Cm ntpd .
+.It Ic saveconfig Ar filename
+Write the current configuration, including any runtime
+modifications given with
+.Cm :config
+or
+.Cm config-from-file
+to the
+.Cm ntpd
+host's
+.Ar filename
+in the
+.Cm saveconfigdir .
+This command will be rejected unless the
+.Cm saveconfigdir
+directive appears in
+.Cm ntpd 's
+configuration file.
+.Ar filename
+can use
+.Xr strftime 3
+format directives to substitute the current date and time,
+for example,
+.Cm saveconfig\ ntp-%Y%m%d-%H%M%S.conf .
+The filename used is stored in the system variable
+.Cm savedconfig .
+Authentication is required.
.It Ic setvar Ar variable Op Cm default
This command adds an additional system variable.
These
@@ -2781,6 +3053,10 @@
the names of all peer variables and the
.Va clock_var_list
holds the names of the reference clock variables.
+.It Cm sysinfo
+Display operational summary.
+.It Cm sysstats
+Show statistics counters maintained in the protocol module.
.It Xo Ic tinker
.Oo
.Cm allan Ar allan |
@@ -2870,33 +3146,18 @@
If set to zero, the stepout
pulses will not be suppressed.
.El
-.It Xo Ic rlimit
-.Oo
-.Cm memlock Ar Nmegabytes |
-.Cm stacksize Ar N4kPages
-.Cm filenum Ar Nfiledescriptors
-.Oc
-.Xc
-.Bl -tag -width indent
-.It Cm memlock Ar Nmegabytes
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-.Fl i
-option).
-The default is 32 megabytes on non-Linux machines, and -1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-.It Cm stacksize Ar N4kPages
-Specifies the maximum size of the process stack on systems with the
-.Fn mlockall
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-.It Cm filenum Ar Nfiledescriptors
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-.El
+.It Cm writevar Ar assocID\ name = value [,...]
+Write (create or update) the specified variables.
+If the
+.Cm assocID
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+.Cm assocID
+is required, as the same name can occur in both name spaces.
.It Xo Ic trap Ar host_address
.Op Cm port Ar port_number
.Op Cm interface Ar interface_address
@@ -2911,6 +3172,13 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+.It Cm ttl Ar hop ...
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+.Cm manycast
+mode these values are used in-turn in an expanding-ring search.
+The default is eight multiples of 32 starting at 31.
.Pp
The trap receiver will generally log event messages and other
information from the server in a log file.
Index: contrib/ntp/ntpd/ntp_control.c
===================================================================
--- contrib/ntp/ntpd/ntp_control.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_control.c (版本 330908)
@@ -176,56 +176,58 @@
#define CS_SS_LIMITED 41
#define CS_SS_KODSENT 42
#define CS_SS_PROCESSED 43
-#define CS_PEERADR 44
-#define CS_PEERMODE 45
-#define CS_BCASTDELAY 46
-#define CS_AUTHDELAY 47
-#define CS_AUTHKEYS 48
-#define CS_AUTHFREEK 49
-#define CS_AUTHKLOOKUPS 50
-#define CS_AUTHKNOTFOUND 51
-#define CS_AUTHKUNCACHED 52
-#define CS_AUTHKEXPIRED 53
-#define CS_AUTHENCRYPTS 54
-#define CS_AUTHDECRYPTS 55
-#define CS_AUTHRESET 56
-#define CS_K_OFFSET 57
-#define CS_K_FREQ 58
-#define CS_K_MAXERR 59
-#define CS_K_ESTERR 60
-#define CS_K_STFLAGS 61
-#define CS_K_TIMECONST 62
-#define CS_K_PRECISION 63
-#define CS_K_FREQTOL 64
-#define CS_K_PPS_FREQ 65
-#define CS_K_PPS_STABIL 66
-#define CS_K_PPS_JITTER 67
-#define CS_K_PPS_CALIBDUR 68
-#define CS_K_PPS_CALIBS 69
-#define CS_K_PPS_CALIBERRS 70
-#define CS_K_PPS_JITEXC 71
-#define CS_K_PPS_STBEXC 72
+#define CS_SS_LAMPORT 44
+#define CS_SS_TSROUNDING 45
+#define CS_PEERADR 46
+#define CS_PEERMODE 47
+#define CS_BCASTDELAY 48
+#define CS_AUTHDELAY 49
+#define CS_AUTHKEYS 50
+#define CS_AUTHFREEK 51
+#define CS_AUTHKLOOKUPS 52
+#define CS_AUTHKNOTFOUND 53
+#define CS_AUTHKUNCACHED 54
+#define CS_AUTHKEXPIRED 55
+#define CS_AUTHENCRYPTS 56
+#define CS_AUTHDECRYPTS 57
+#define CS_AUTHRESET 58
+#define CS_K_OFFSET 59
+#define CS_K_FREQ 60
+#define CS_K_MAXERR 61
+#define CS_K_ESTERR 62
+#define CS_K_STFLAGS 63
+#define CS_K_TIMECONST 64
+#define CS_K_PRECISION 65
+#define CS_K_FREQTOL 66
+#define CS_K_PPS_FREQ 67
+#define CS_K_PPS_STABIL 68
+#define CS_K_PPS_JITTER 69
+#define CS_K_PPS_CALIBDUR 70
+#define CS_K_PPS_CALIBS 71
+#define CS_K_PPS_CALIBERRS 72
+#define CS_K_PPS_JITEXC 73
+#define CS_K_PPS_STBEXC 74
#define CS_KERN_FIRST CS_K_OFFSET
#define CS_KERN_LAST CS_K_PPS_STBEXC
-#define CS_IOSTATS_RESET 73
-#define CS_TOTAL_RBUF 74
-#define CS_FREE_RBUF 75
-#define CS_USED_RBUF 76
-#define CS_RBUF_LOWATER 77
-#define CS_IO_DROPPED 78
-#define CS_IO_IGNORED 79
-#define CS_IO_RECEIVED 80
-#define CS_IO_SENT 81
-#define CS_IO_SENDFAILED 82
-#define CS_IO_WAKEUPS 83
-#define CS_IO_GOODWAKEUPS 84
-#define CS_TIMERSTATS_RESET 85
-#define CS_TIMER_OVERRUNS 86
-#define CS_TIMER_XMTS 87
-#define CS_FUZZ 88
-#define CS_WANDER_THRESH 89
-#define CS_LEAPSMEARINTV 90
-#define CS_LEAPSMEAROFFS 91
+#define CS_IOSTATS_RESET 75
+#define CS_TOTAL_RBUF 76
+#define CS_FREE_RBUF 77
+#define CS_USED_RBUF 78
+#define CS_RBUF_LOWATER 79
+#define CS_IO_DROPPED 80
+#define CS_IO_IGNORED 81
+#define CS_IO_RECEIVED 82
+#define CS_IO_SENT 83
+#define CS_IO_SENDFAILED 84
+#define CS_IO_WAKEUPS 85
+#define CS_IO_GOODWAKEUPS 86
+#define CS_TIMERSTATS_RESET 87
+#define CS_TIMER_OVERRUNS 88
+#define CS_TIMER_XMTS 89
+#define CS_FUZZ 90
+#define CS_WANDER_THRESH 91
+#define CS_LEAPSMEARINTV 92
+#define CS_LEAPSMEAROFFS 93
#define CS_MAX_NOAUTOKEY CS_LEAPSMEAROFFS
#ifdef AUTOKEY
#define CS_FLAGS (1 + CS_MAX_NOAUTOKEY)
@@ -376,55 +378,57 @@
{ CS_SS_LIMITED, RO, "ss_limited" }, /* 41 */
{ CS_SS_KODSENT, RO, "ss_kodsent" }, /* 42 */
{ CS_SS_PROCESSED, RO, "ss_processed" }, /* 43 */
- { CS_PEERADR, RO, "peeradr" }, /* 44 */
- { CS_PEERMODE, RO, "peermode" }, /* 45 */
- { CS_BCASTDELAY, RO, "bcastdelay" }, /* 46 */
- { CS_AUTHDELAY, RO, "authdelay" }, /* 47 */
- { CS_AUTHKEYS, RO, "authkeys" }, /* 48 */
- { CS_AUTHFREEK, RO, "authfreek" }, /* 49 */
- { CS_AUTHKLOOKUPS, RO, "authklookups" }, /* 50 */
- { CS_AUTHKNOTFOUND, RO, "authknotfound" }, /* 51 */
- { CS_AUTHKUNCACHED, RO, "authkuncached" }, /* 52 */
- { CS_AUTHKEXPIRED, RO, "authkexpired" }, /* 53 */
- { CS_AUTHENCRYPTS, RO, "authencrypts" }, /* 54 */
- { CS_AUTHDECRYPTS, RO, "authdecrypts" }, /* 55 */
- { CS_AUTHRESET, RO, "authreset" }, /* 56 */
- { CS_K_OFFSET, RO, "koffset" }, /* 57 */
- { CS_K_FREQ, RO, "kfreq" }, /* 58 */
- { CS_K_MAXERR, RO, "kmaxerr" }, /* 59 */
- { CS_K_ESTERR, RO, "kesterr" }, /* 60 */
- { CS_K_STFLAGS, RO, "kstflags" }, /* 61 */
- { CS_K_TIMECONST, RO, "ktimeconst" }, /* 62 */
- { CS_K_PRECISION, RO, "kprecis" }, /* 63 */
- { CS_K_FREQTOL, RO, "kfreqtol" }, /* 64 */
- { CS_K_PPS_FREQ, RO, "kppsfreq" }, /* 65 */
- { CS_K_PPS_STABIL, RO, "kppsstab" }, /* 66 */
- { CS_K_PPS_JITTER, RO, "kppsjitter" }, /* 67 */
- { CS_K_PPS_CALIBDUR, RO, "kppscalibdur" }, /* 68 */
- { CS_K_PPS_CALIBS, RO, "kppscalibs" }, /* 69 */
- { CS_K_PPS_CALIBERRS, RO, "kppscaliberrs" }, /* 70 */
- { CS_K_PPS_JITEXC, RO, "kppsjitexc" }, /* 71 */
- { CS_K_PPS_STBEXC, RO, "kppsstbexc" }, /* 72 */
- { CS_IOSTATS_RESET, RO, "iostats_reset" }, /* 73 */
- { CS_TOTAL_RBUF, RO, "total_rbuf" }, /* 74 */
- { CS_FREE_RBUF, RO, "free_rbuf" }, /* 75 */
- { CS_USED_RBUF, RO, "used_rbuf" }, /* 76 */
- { CS_RBUF_LOWATER, RO, "rbuf_lowater" }, /* 77 */
- { CS_IO_DROPPED, RO, "io_dropped" }, /* 78 */
- { CS_IO_IGNORED, RO, "io_ignored" }, /* 79 */
- { CS_IO_RECEIVED, RO, "io_received" }, /* 80 */
- { CS_IO_SENT, RO, "io_sent" }, /* 81 */
- { CS_IO_SENDFAILED, RO, "io_sendfailed" }, /* 82 */
- { CS_IO_WAKEUPS, RO, "io_wakeups" }, /* 83 */
- { CS_IO_GOODWAKEUPS, RO, "io_goodwakeups" }, /* 84 */
- { CS_TIMERSTATS_RESET, RO, "timerstats_reset" },/* 85 */
- { CS_TIMER_OVERRUNS, RO, "timer_overruns" }, /* 86 */
- { CS_TIMER_XMTS, RO, "timer_xmts" }, /* 87 */
- { CS_FUZZ, RO, "fuzz" }, /* 88 */
- { CS_WANDER_THRESH, RO, "clk_wander_threshold" }, /* 89 */
+ { CS_SS_LAMPORT, RO, "ss_lamport" }, /* 44 */
+ { CS_SS_TSROUNDING, RO, "ss_tsrounding" }, /* 45 */
+ { CS_PEERADR, RO, "peeradr" }, /* 46 */
+ { CS_PEERMODE, RO, "peermode" }, /* 47 */
+ { CS_BCASTDELAY, RO, "bcastdelay" }, /* 48 */
+ { CS_AUTHDELAY, RO, "authdelay" }, /* 49 */
+ { CS_AUTHKEYS, RO, "authkeys" }, /* 50 */
+ { CS_AUTHFREEK, RO, "authfreek" }, /* 51 */
+ { CS_AUTHKLOOKUPS, RO, "authklookups" }, /* 52 */
+ { CS_AUTHKNOTFOUND, RO, "authknotfound" }, /* 53 */
+ { CS_AUTHKUNCACHED, RO, "authkuncached" }, /* 54 */
+ { CS_AUTHKEXPIRED, RO, "authkexpired" }, /* 55 */
+ { CS_AUTHENCRYPTS, RO, "authencrypts" }, /* 56 */
+ { CS_AUTHDECRYPTS, RO, "authdecrypts" }, /* 57 */
+ { CS_AUTHRESET, RO, "authreset" }, /* 58 */
+ { CS_K_OFFSET, RO, "koffset" }, /* 59 */
+ { CS_K_FREQ, RO, "kfreq" }, /* 60 */
+ { CS_K_MAXERR, RO, "kmaxerr" }, /* 61 */
+ { CS_K_ESTERR, RO, "kesterr" }, /* 62 */
+ { CS_K_STFLAGS, RO, "kstflags" }, /* 63 */
+ { CS_K_TIMECONST, RO, "ktimeconst" }, /* 64 */
+ { CS_K_PRECISION, RO, "kprecis" }, /* 65 */
+ { CS_K_FREQTOL, RO, "kfreqtol" }, /* 66 */
+ { CS_K_PPS_FREQ, RO, "kppsfreq" }, /* 67 */
+ { CS_K_PPS_STABIL, RO, "kppsstab" }, /* 68 */
+ { CS_K_PPS_JITTER, RO, "kppsjitter" }, /* 69 */
+ { CS_K_PPS_CALIBDUR, RO, "kppscalibdur" }, /* 70 */
+ { CS_K_PPS_CALIBS, RO, "kppscalibs" }, /* 71 */
+ { CS_K_PPS_CALIBERRS, RO, "kppscaliberrs" }, /* 72 */
+ { CS_K_PPS_JITEXC, RO, "kppsjitexc" }, /* 73 */
+ { CS_K_PPS_STBEXC, RO, "kppsstbexc" }, /* 74 */
+ { CS_IOSTATS_RESET, RO, "iostats_reset" }, /* 75 */
+ { CS_TOTAL_RBUF, RO, "total_rbuf" }, /* 76 */
+ { CS_FREE_RBUF, RO, "free_rbuf" }, /* 77 */
+ { CS_USED_RBUF, RO, "used_rbuf" }, /* 78 */
+ { CS_RBUF_LOWATER, RO, "rbuf_lowater" }, /* 79 */
+ { CS_IO_DROPPED, RO, "io_dropped" }, /* 80 */
+ { CS_IO_IGNORED, RO, "io_ignored" }, /* 81 */
+ { CS_IO_RECEIVED, RO, "io_received" }, /* 82 */
+ { CS_IO_SENT, RO, "io_sent" }, /* 83 */
+ { CS_IO_SENDFAILED, RO, "io_sendfailed" }, /* 84 */
+ { CS_IO_WAKEUPS, RO, "io_wakeups" }, /* 85 */
+ { CS_IO_GOODWAKEUPS, RO, "io_goodwakeups" }, /* 86 */
+ { CS_TIMERSTATS_RESET, RO, "timerstats_reset" },/* 87 */
+ { CS_TIMER_OVERRUNS, RO, "timer_overruns" }, /* 88 */
+ { CS_TIMER_XMTS, RO, "timer_xmts" }, /* 89 */
+ { CS_FUZZ, RO, "fuzz" }, /* 90 */
+ { CS_WANDER_THRESH, RO, "clk_wander_threshold" }, /* 91 */
- { CS_LEAPSMEARINTV, RO, "leapsmearinterval" }, /* 90 */
- { CS_LEAPSMEAROFFS, RO, "leapsmearoffset" }, /* 91 */
+ { CS_LEAPSMEARINTV, RO, "leapsmearinterval" }, /* 92 */
+ { CS_LEAPSMEAROFFS, RO, "leapsmearoffset" }, /* 93 */
#ifdef AUTOKEY
{ CS_FLAGS, RO, "flags" }, /* 1 + CS_MAX_NOAUTOKEY */
@@ -436,7 +440,7 @@
{ CS_IDENT, RO, "ident" }, /* 7 + CS_MAX_NOAUTOKEY */
{ CS_DIGEST, RO, "digest" }, /* 8 + CS_MAX_NOAUTOKEY */
#endif /* AUTOKEY */
- { 0, EOV, "" } /* 87/95 */
+ { 0, EOV, "" } /* 94/102 */
};
static struct ctl_var *ext_sys_var = NULL;
@@ -1264,7 +1268,7 @@
rbufp->recv_length, properlen, res_keyid,
maclen));
- if (!authistrusted(res_keyid))
+ if (!authistrustedip(res_keyid, &rbufp->recv_srcadr))
DPRINTF(3, ("invalid keyid %08x\n", res_keyid));
else if (authdecrypt(res_keyid, (u_int32 *)pkt,
rbufp->recv_length - maclen,
@@ -1472,28 +1476,46 @@
}
-/*
- * ctl_putdata - write data into the packet, fragmenting and starting
- * another if this one is full.
+/* --------------------------------------------------------------------
+ * block transfer API -- stream string/data fragments into xmit buffer
+ * without additional copying
*/
+
+/* buffer descriptor: address & size of fragment
+ * 'buf' may only be NULL when 'len' is zero!
+ */
+typedef struct {
+ const void *buf;
+ size_t len;
+} CtlMemBufT;
+
+/* put ctl data in a gather-style operation */
static void
-ctl_putdata(
- const char *dp,
- unsigned int dlen,
- int bin /* set to 1 when data is binary */
+ctl_putdata_ex(
+ const CtlMemBufT * argv,
+ size_t argc,
+ int/*BOOL*/ bin /* set to 1 when data is binary */
)
{
- int overhead;
- unsigned int currentlen;
+ const char * src_ptr;
+ size_t src_len, cur_len, add_len, argi;
- overhead = 0;
- if (!bin) {
+ /* text / binary preprocessing, possibly create new linefeed */
+ if (bin) {
+ add_len = 0;
+ } else {
datanotbinflag = TRUE;
- overhead = 3;
+ add_len = 3;
+
if (datasent) {
*datapt++ = ',';
datalinelen++;
- if ((dlen + datalinelen + 1) >= MAXDATALINELEN) {
+
+ /* sum up total length */
+ for (argi = 0, src_len = 0; argi < argc; ++argi)
+ src_len += argv[argi].len;
+ /* possibly start a new line, assume no size_t overflow */
+ if ((src_len + datalinelen + 1) >= MAXDATALINELEN) {
*datapt++ = '\r';
*datapt++ = '\n';
datalinelen = 0;
@@ -1504,32 +1526,57 @@
}
}
- /*
- * Save room for trailing junk
- */
- while (dlen + overhead + datapt > dataend) {
- /*
- * Not enough room in this one, flush it out.
- */
- currentlen = MIN(dlen, (unsigned int)(dataend - datapt));
+ /* now stream out all buffers */
+ for (argi = 0; argi < argc; ++argi) {
+ src_ptr = argv[argi].buf;
+ src_len = argv[argi].len;
- memcpy(datapt, dp, currentlen);
+ if ( ! (src_ptr && src_len))
+ continue;
- datapt += currentlen;
- dp += currentlen;
- dlen -= currentlen;
- datalinelen += currentlen;
+ cur_len = (size_t)(dataend - datapt);
+ while ((src_len + add_len) > cur_len) {
+ /* Not enough room in this one, flush it out. */
+ if (src_len < cur_len)
+ cur_len = src_len;
+
+ memcpy(datapt, src_ptr, cur_len);
+ datapt += cur_len;
+ datalinelen += cur_len;
- ctl_flushpkt(CTL_MORE);
+ src_ptr += cur_len;
+ src_len -= cur_len;
+
+ ctl_flushpkt(CTL_MORE);
+ cur_len = (size_t)(dataend - datapt);
+ }
+
+ memcpy(datapt, src_ptr, src_len);
+ datapt += src_len;
+ datalinelen += src_len;
+
+ datasent = TRUE;
}
+}
- memcpy(datapt, dp, dlen);
- datapt += dlen;
- datalinelen += dlen;
- datasent = TRUE;
+/*
+ * ctl_putdata - write data into the packet, fragmenting and starting
+ * another if this one is full.
+ */
+static void
+ctl_putdata(
+ const char *dp,
+ unsigned int dlen,
+ int bin /* set to 1 when data is binary */
+ )
+{
+ CtlMemBufT args[1];
+
+ args[0].buf = dp;
+ args[0].len = dlen;
+ ctl_putdata_ex(args, 1, bin);
}
-
/*
* ctl_putstr - write a tagged string into the response packet
* in the form:
@@ -1546,16 +1593,21 @@
size_t len
)
{
- char buffer[512];
- int rc;
-
- INSIST(len < sizeof(buffer));
- if (len)
- rc = snprintf(buffer, sizeof(buffer), "%s=\"%.*s\"", tag, (int)len, data);
- else
- rc = snprintf(buffer, sizeof(buffer), "%s", tag);
- INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ CtlMemBufT args[4];
+
+ args[0].buf = tag;
+ args[0].len = strlen(tag);
+ if (data && len) {
+ args[1].buf = "=\"";
+ args[1].len = 2;
+ args[2].buf = data;
+ args[2].len = len;
+ args[3].buf = "\"";
+ args[3].len = 1;
+ ctl_putdata_ex(args, 4, FALSE);
+ } else {
+ ctl_putdata_ex(args, 1, FALSE);
+ }
}
@@ -1575,16 +1627,19 @@
size_t len
)
{
- char buffer[512];
- int rc;
-
- INSIST(len < sizeof(buffer));
- if (len)
- rc = snprintf(buffer, sizeof(buffer), "%s=%.*s", tag, (int)len, data);
- else
- rc = snprintf(buffer, sizeof(buffer), "%s", tag);
- INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ CtlMemBufT args[3];
+
+ args[0].buf = tag;
+ args[0].len = strlen(tag);
+ if (data && len) {
+ args[1].buf = "=";
+ args[1].len = 1;
+ args[2].buf = data;
+ args[2].len = len;
+ ctl_putdata_ex(args, 3, FALSE);
+ } else {
+ ctl_putdata_ex(args, 1, FALSE);
+ }
}
@@ -1599,14 +1654,14 @@
double d
)
{
- char buffer[200];
+ char buffer[40];
int rc;
rc = snprintf(buffer, sizeof(buffer),
- (use_f ? "%s=%.*f" : "%s=%.*g"),
- tag, precision, d);
+ (use_f ? "%.*f" : "%.*g"),
+ precision, d);
INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
/*
@@ -1618,12 +1673,12 @@
u_long uval
)
{
- char buffer[200];
+ char buffer[24]; /* needs to fit for 64 bits! */
int rc;
- rc = snprintf(buffer, sizeof(buffer), "%s=%lu", tag, uval);
+ rc = snprintf(buffer, sizeof(buffer), "%lu", uval);
INSIST(rc >= 0 && rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
/*
@@ -1637,17 +1692,16 @@
const struct calendar *pcal
)
{
- char buffer[100];
+ char buffer[16];
int rc;
rc = snprintf(buffer, sizeof(buffer),
- "%s=%04d%02d%02d%02d%02d",
- tag,
+ "%04d%02d%02d%02d%02d",
pcal->year, pcal->month, pcal->monthday,
pcal->hour, pcal->minute
);
INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
#endif
@@ -1660,23 +1714,21 @@
tstamp_t uval
)
{
- char buffer[200];
- struct tm *tm = NULL;
- time_t fstamp;
- int rc;
+ char buffer[16];
+ int rc;
- fstamp = (time_t)uval - JAN_1970;
- tm = gmtime(&fstamp);
+ time_t fstamp = (time_t)uval - JAN_1970;
+ struct tm *tm = gmtime(&fstamp);
+
if (NULL == tm)
return;
rc = snprintf(buffer, sizeof(buffer),
- "%s=%04d%02d%02d%02d%02d",
- tag,
+ "%04d%02d%02d%02d%02d",
tm->tm_year + 1900, tm->tm_mon + 1, tm->tm_mday,
tm->tm_hour, tm->tm_min);
INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
@@ -1690,12 +1742,12 @@
u_long uval
)
{
- char buffer[200];
+ char buffer[24]; /* must fit 64bit int! */
int rc;
- rc = snprintf(buffer, sizeof(buffer), "%s=0x%lx", tag, uval);
+ rc = snprintf(buffer, sizeof(buffer), "0x%lx", uval);
INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
@@ -1708,12 +1760,12 @@
long ival
)
{
- char buffer[200];
+ char buffer[24]; /*must fit 64bit int */
int rc;
- rc = snprintf(buffer, sizeof(buffer), "%s=%ld", tag, ival);
+ rc = snprintf(buffer, sizeof(buffer), "%ld", ival);
INSIST(rc >= 0 && rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
@@ -1726,14 +1778,14 @@
l_fp *ts
)
{
- char buffer[200];
+ char buffer[24];
int rc;
rc = snprintf(buffer, sizeof(buffer),
- "%s=0x%08lx.%08lx",
- tag, (u_long)ts->l_ui, (u_long)ts->l_uf);
+ "0x%08lx.%08lx",
+ (u_long)ts->l_ui, (u_long)ts->l_uf);
INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, buffer, rc);
}
@@ -1748,16 +1800,12 @@
)
{
const char *cq;
- char buffer[200];
- int rc;
if (NULL == addr)
cq = numtoa(addr32);
else
cq = stoa(addr);
- rc = snprintf(buffer, sizeof(buffer), "%s=%s", tag, cq);
- INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, 0);
+ ctl_putunqstr(tag, cq, strlen(cq));
}
@@ -1770,8 +1818,7 @@
u_int32 refid
)
{
- char buffer[128];
- int rc, i;
+ size_t nc;
union {
uint32_t w;
@@ -1779,13 +1826,10 @@
} bytes;
bytes.w = refid;
- for (i = 0; i < sizeof(bytes.b); ++i)
- if (bytes.b[i] && !isprint(bytes.b[i]))
- bytes.b[i] = '.';
- rc = snprintf(buffer, sizeof(buffer), "%s=%.*s",
- tag, (int)sizeof(bytes.b), bytes.b);
- INSIST(rc >= 0 && (size_t)rc < sizeof(buffer));
- ctl_putdata(buffer, (u_int)rc, FALSE);
+ for (nc = 0; nc < sizeof(bytes.b) && bytes.b[nc]; ++nc)
+ if (!isprint(bytes.b[nc]))
+ bytes.b[nc] = '.';
+ ctl_putunqstr(tag, (const char*)bytes.b, nc);
}
@@ -1805,21 +1849,16 @@
cp = buffer;
ep = buffer + sizeof(buffer);
-
- rc = snprintf(cp, (size_t)(ep - cp), "%s=", tag);
- INSIST(rc >= 0 && rc < (ep - cp));
- cp += rc;
-
- i = start;
+ i = start;
do {
if (i == 0)
i = NTP_SHIFT;
i--;
rc = snprintf(cp, (size_t)(ep - cp), " %.2f", arr[i] * 1e3);
- INSIST(rc >= 0 && rc < (ep - cp));
+ INSIST(rc >= 0 && (size_t)rc < (size_t)(ep - cp));
cp += rc;
} while (i != start);
- ctl_putdata(buffer, (u_int)(cp - buffer), 0);
+ ctl_putunqstr(tag, buffer, (size_t)(cp - buffer));
}
/*
@@ -2183,6 +2222,14 @@
ctl_putuint(sys_var[varid].text, sys_limitrejected);
break;
+ case CS_SS_LAMPORT:
+ ctl_putuint(sys_var[varid].text, sys_lamport);
+ break;
+
+ case CS_SS_TSROUNDING:
+ ctl_putuint(sys_var[varid].text, sys_tsrounding);
+ break;
+
case CS_SS_KODSENT:
ctl_putuint(sys_var[varid].text, sys_kodsent);
break;
@@ -3095,7 +3142,9 @@
const char *sp1 = reqpt;
const char *sp2 = v->text;
- while ((sp1 != tp) && (*sp1 == *sp2)) {
+ /* [Bug 3412] do not compare past NUL byte in name */
+ while ( (sp1 != tp)
+ && ('\0' != *sp2) && (*sp1 == *sp2)) {
++sp1;
++sp2;
}
@@ -3594,7 +3643,13 @@
}
ctx = EVP_MD_CTX_new();
+# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ /* [Bug 3457] set flags and don't kill them again */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx, EVP_get_digestbynid(NID_md5), NULL);
+# else
EVP_DigestInit(ctx, EVP_get_digestbynid(NID_md5));
+# endif
EVP_DigestUpdate(ctx, salt, sizeof(salt));
EVP_DigestUpdate(ctx, &ts_i, sizeof(ts_i));
EVP_DigestUpdate(ctx, &ts_f, sizeof(ts_f));
@@ -4373,6 +4428,7 @@
while (sent[which])
which = (which + 1) % COUNTOF(sent);
+ /* XXX: Numbers? Really? */
switch (which) {
case 0:
@@ -4395,7 +4451,7 @@
case 3:
snprintf(tag, sizeof(tag), flags_fmt, idx);
match_str = res_match_flags(pres->mflags);
- access_str = res_access_flags(pres->flags);
+ access_str = res_access_flags(pres->rflags);
if ('\0' == match_str[0]) {
pch = access_str;
} else {
Index: contrib/ntp/libntp/adjtime.c
===================================================================
--- contrib/ntp/libntp/adjtime.c (版本 330566)
+++ contrib/ntp/libntp/adjtime.c (版本 330908)
@@ -314,7 +314,7 @@
/*
* Get the current clock period (nanoseconds)
*/
- if (ClockPeriod (CLOCK_REALTIME, 0, &period, 0) < 0)
+ if (ClockPeriod (CLOCK_REALTIME, 0, &period, 0) == -1)
return -1;
/*
@@ -354,7 +354,7 @@
adj.tick_count = 0;
}
- if (ClockAdjust (CLOCK_REALTIME, &adj, &oldadj) < 0)
+ if (ClockAdjust (CLOCK_REALTIME, &adj, &oldadj) == -1)
return -1;
/*
Index: contrib/ntp/libntp/ntp_calendar.c
===================================================================
--- contrib/ntp/libntp/ntp_calendar.c (版本 330566)
+++ contrib/ntp/libntp/ntp_calendar.c (版本 330908)
@@ -1825,4 +1825,113 @@
return isocal_date_to_ntp64(id).d_s.lo;
}
+/*
+ * ====================================================================
+ * 'basedate' support functions
+ * ====================================================================
+ */
+
+static int32_t s_baseday = NTP_TO_UNIX_DAYS;
+
+int32_t
+basedate_eval_buildstamp(void)
+{
+ struct calendar jd;
+ int32_t ed;
+
+ if (!ntpcal_get_build_date(&jd))
+ return NTP_TO_UNIX_DAYS;
+
+ /* The time zone of the build stamp is unspecified; we remove
+ * one day to provide a certain slack. And in case somebody
+ * fiddled with the system clock, we make sure we do not go
+ * before the UNIX epoch (1970-01-01). It's probably not possible
+ * to do this to the clock on most systems, but there are other
+ * ways to tweak the build stamp.
+ */
+ jd.monthday -= 1;
+ ed = ntpcal_date_to_rd(&jd) - DAY_NTP_STARTS;
+ return (ed < NTP_TO_UNIX_DAYS) ? NTP_TO_UNIX_DAYS : ed;
+}
+
+int32_t
+basedate_eval_string(
+ const char * str
+ )
+{
+ u_short y,m,d;
+ u_long ned;
+ int rc, nc;
+ size_t sl;
+
+ sl = strlen(str);
+ rc = sscanf(str, "%4hu-%2hu-%2hu%n", &y, &m, &d, &nc);
+ if (rc == 3 && (size_t)nc == sl) {
+ if (m >= 1 && m <= 12 && d >= 1 && d <= 31)
+ return ntpcal_edate_to_eradays(y-1, m-1, d)
+ - DAY_NTP_STARTS;
+ goto buildstamp;
+ }
+
+ rc = scanf(str, "%lu%n", &ned, &nc);
+ if (rc == 1 && (size_t)nc == sl) {
+ if (ned <= INT32_MAX)
+ return (int32_t)ned;
+ goto buildstamp;
+ }
+
+ buildstamp:
+ msyslog(LOG_WARNING,
+ "basedate string \"%s\" invalid, build date substituted!",
+ str);
+ return basedate_eval_buildstamp();
+}
+
+uint32_t
+basedate_get_day(void)
+{
+ return s_baseday;
+}
+
+int32_t
+basedate_set_day(
+ int32_t day
+ )
+{
+ struct calendar jd;
+ int32_t retv;
+
+ if (day < NTP_TO_UNIX_DAYS) {
+ msyslog(LOG_WARNING,
+ "baseday_set_day: invalid day (%lu), UNIX epoch substituted",
+ (unsigned long)day);
+ day = NTP_TO_UNIX_DAYS;
+ }
+ retv = s_baseday;
+ s_baseday = day;
+ ntpcal_rd_to_date(&jd, day + DAY_NTP_STARTS);
+ msyslog(LOG_INFO, "basedate set to %04hu-%02hu-%02hu",
+ jd.year, (u_short)jd.month, (u_short)jd.monthday);
+ return retv;
+}
+
+time_t
+basedate_get_eracenter(void)
+{
+ time_t retv;
+ retv = (time_t)(s_baseday - NTP_TO_UNIX_DAYS);
+ retv *= SECSPERDAY;
+ retv += (UINT32_C(1) << 31);
+ return retv;
+}
+
+time_t
+basedate_get_erabase(void)
+{
+ time_t retv;
+ retv = (time_t)(s_baseday - NTP_TO_UNIX_DAYS);
+ retv *= SECSPERDAY;
+ return retv;
+}
+
/* -*-EOF-*- */
Index: contrib/ntp/libntp/work_thread.c
===================================================================
--- contrib/ntp/libntp/work_thread.c (版本 330566)
+++ contrib/ntp/libntp/work_thread.c (版本 330908)
@@ -27,7 +27,7 @@
#define CHILD_GONE_RESP CHILD_EXIT_REQ
/* Queue size increments:
* The request queue grows a bit faster than the response queue -- the
- * deamon can push requests and pull results faster on avarage than the
+ * daemon can push requests and pull results faster on avarage than the
* worker can process requests and push results... If this really pays
* off is debatable.
*/
Index: contrib/ntp/ntpd/invoke-ntp.conf.texi
===================================================================
--- contrib/ntp/ntpd/invoke-ntp.conf.texi (版本 330566)
+++ contrib/ntp/ntpd/invoke-ntp.conf.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp.conf.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:44:16 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:14:34 PM by AutoGen 5.18.5
# From the definitions ntp.conf.def
# and the template file agtexi-file.tpl
@end ignore
@@ -1462,7 +1462,7 @@
@code{monitor}
subcommand specifies the probability of discard
for packets that overflow the rate-control window.
-@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@kbd{flag} @kbd{...}]}
+@item @code{restrict} @code{address} @code{[@code{mask} @kbd{mask}]} @code{[@code{ippeerlimit} @kbd{int}]} @code{[@kbd{flag} @kbd{...}]}
The
@kbd{address}
argument expressed in
@@ -1486,6 +1486,15 @@
@code{default},
with no mask option, may
be used to indicate the default entry.
+The
+@code{ippeerlimit}
+directive limits the number of peer requests for each IP to
+@kbd{int},
+where a value of -1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
@code{flag}
always
@@ -1536,6 +1545,18 @@
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
+@item @code{noepeer}
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+@file{ntp.keys}
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+@code{noepeer}
+to become the default in ntp-4.4.
@item @code{nomodify}
Deny
@code{ntpq(1ntpqmdoc)}
@@ -1553,10 +1574,10 @@
queries.
Time service is not affected.
@item @code{nopeer}
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
@code{pool}
associations, so if you want to use servers from a
@@ -1564,8 +1585,9 @@
directive and also want to use
@code{nopeer}
by default, you'll want a
-@code{restrict source ...} @code{line} @code{as} @code{well} @code{that} @code{does}
-@item not
+@code{restrict source ...}
+line as well that does
+@emph{not}
include the
@code{nopeer}
directive.
@@ -1937,9 +1959,10 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+@end table
@subsubsection Manycast Options
@table @asis
@item @code{tos} @code{[@code{ceiling} @kbd{ceiling} | @code{cohort} @code{@{} @code{0} | @code{1} @code{@}} | @code{floor} @kbd{floor} | @code{minclock} @kbd{minclock} | @code{minsane} @kbd{minsane}]}
@@ -2255,7 +2278,7 @@
page
(available as part of the HTML documentation
provided in
-@file{/usr/share/doc/ntp}).
+@file{/usr/share/doc/ntp} @file{).}
@item @code{stratum} @kbd{int}
Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
@@ -2516,6 +2539,69 @@
@code{ntpd(1ntpdmdoc)}
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
+@item @code{interface} @code{[@code{listen} | @code{ignore} | @code{drop}]} @code{[@code{all} | @code{ipv4} | @code{ipv6} | @code{wildcard} @kbd{name} | @kbd{address} @code{[@code{/} @kbd{prefixlen}]}]}
+The
+@code{interface}
+directive controls which network addresses
+@code{ntpd(1ntpdmdoc)}
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+@kbd{prefixlen}
+determines how many bits must match for this rule to apply.
+@code{ignore}
+prevents opening matching addresses,
+@code{drop}
+causes
+@code{ntpd(1ntpdmdoc)}
+to open the address and drop all received packets without examination.
+Multiple
+@code{interface}
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+@code{interface}
+directives are disabled if any
+@code{-I},
+@code{--interface},
+@code{-L},
+or
+@code{--novirtualips}
+command-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+@code{nic}
+directive is an alias for
+@code{interface}.
+@item @code{leapfile} @kbd{leapfile}
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+@code{https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list}
+or
+@code{ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list}.
+The
+@code{leapfile}
+is scanned when
+@code{ntpd(1ntpdmdoc)}
+processes the
+@code{leapfile} @code{directive} @code{or} @code{when}
+@code{ntpd} @code{detects} @code{that} @code{the}
+@kbd{leapfile}
+has changed.
+@code{ntpd}
+checks once a day to see if the
+@kbd{leapfile}
+has changed.
+The
+@code{update-leap(1update_leapmdoc)}
+script can be run to see if the
+@kbd{leapfile}
+should be updated.
@item @code{leapsmearinterval} @kbd{seconds}
This EXPERIMENTAL option is only available if
@code{ntpd(1ntpdmdoc)}
@@ -2606,6 +2692,146 @@
This is the same operation as the
@code{-l}
command line option.
+@item @code{mru} @code{[@code{maxdepth} @kbd{count} | @code{maxmem} @kbd{kilobytes} | @code{mindepth} @kbd{count} | @code{maxage} @kbd{seconds} | @code{initialloc} @kbd{count} | @code{initmem} @kbd{kilobytes} | @code{incalloc} @kbd{count} | @code{incmem} @kbd{kilobytes}]}
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+@table @asis
+@item @code{maxdepth} @kbd{count}
+@item @code{maxmem} @kbd{kilobytes}
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+@code{incalloc}
+entries or
+@code{incmem}
+kilobytes larger.
+As with all of the
+@code{mru}
+options offered in units of entries or kilobytes, if both
+@code{maxdepth}
+and
+@code{maxmem} @code{are} @code{used,} @code{the} @code{last} @code{one} @code{used} @code{controls.}
+The default is 1024 kilobytes.
+@item @code{mindepth} @kbd{count}
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+@code{mindepth}
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+@item @code{maxage} @kbd{seconds}
+Once the MRU list has
+@code{mindepth}
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+@code{maxage}
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+@code{maxdepth} @code{/} @code{moxmem}.
+The default is 64 seconds.
+@item @code{initalloc} @kbd{count}
+@item @code{initmem} @kbd{kilobytes}
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+@item @code{incalloc} @kbd{count}
+@item @code{incmem} @kbd{kilobytes}
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+@end table
+@item @code{nonvolatile} @kbd{threshold}
+Specify the
+@kbd{threshold}
+delta in seconds before an hourly change to the
+@code{driftfile}
+(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+@code{threshold}
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+@item @code{phone} @kbd{dial} @kbd{...}
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 - 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 - 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+@item @code{reset} @code{[@code{allpeers}]} @code{[@code{auth}]} @code{[@code{ctl}]} @code{[@code{io}]} @code{[@code{mem}]} @code{[@code{sys}]} @code{[@code{timer}]}
+Reset one or more groups of counters maintained by
+@code{ntpd}
+and exposed by
+@code{ntpq}
+and
+@code{ntpdc}.
+@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]}
+@table @asis
+@item @code{memlock} @kbd{Nmegabytes}
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+@code{-i}
+option).
+The default is 32 megabytes on non-Linux machines, and -1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+@item @code{stacksize} @kbd{N4kPages}
+Specifies the maximum size of the process stack on systems with the
+@code{mlockall()}
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+@item @code{filenum} @kbd{Nfiledescriptors}
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+@end table
+@item @code{saveconfigdir} @kbd{directory_path}
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+@code{saveconfig}
+command.
+If
+@code{saveconfigdir}
+does not appear in the configuration file,
+@code{saveconfig}
+requests are rejected by
+@code{ntpd}.
+@item @code{saveconfig} @kbd{filename}
+Write the current configuration, including any runtime
+modifications given with
+@code{:config}
+or
+@code{config-from-file}
+to the
+@code{ntpd}
+host's
+@kbd{filename}
+in the
+@code{saveconfigdir}.
+This command will be rejected unless the
+@code{saveconfigdir}
+directive appears in
+.Cm ntpd 's
+configuration file.
+@kbd{filename}
+can use
+@code{strftime(3)}
+format directives to substitute the current date and time,
+for example,
+@code{saveconfig\ ntp-%Y%m%d-%H%M%S.conf}.
+The filename used is stored in the system variable
+@code{savedconfig}.
+Authentication is required.
@item @code{setvar} @kbd{variable} @code{[@code{default}]}
This command adds an additional system variable.
These
@@ -2638,6 +2864,10 @@
the names of all peer variables and the
@code{clock_var_list}
holds the names of the reference clock variables.
+@item @code{sysinfo}
+Display operational summary.
+@item @code{sysstats}
+Show statistics counters maintained in the protocol module.
@item @code{tinker} @code{[@code{allan} @kbd{allan} | @code{dispersion} @kbd{dispersion} | @code{freq} @kbd{freq} | @code{huffpuff} @kbd{huffpuff} | @code{panic} @kbd{panic} | @code{step} @kbd{step} | @code{stepback} @kbd{stepback} | @code{stepfwd} @kbd{stepfwd} | @code{stepout} @kbd{stepout}]}
This command can be used to alter several system variables in
very exceptional circumstances.
@@ -2715,27 +2945,18 @@
If set to zero, the stepout
pulses will not be suppressed.
@end table
-@item @code{rlimit} @code{[@code{memlock} @kbd{Nmegabytes} | @code{stacksize} @kbd{N4kPages} @code{filenum} @kbd{Nfiledescriptors}]}
-@table @asis
-@item @code{memlock} @kbd{Nmegabytes}
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-@code{-i}
-option).
-The default is 32 megabytes on non-Linux machines, and -1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-@item @code{stacksize} @kbd{N4kPages}
-Specifies the maximum size of the process stack on systems with the
-@code{mlockall()}
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-@item @code{filenum} @kbd{Nfiledescriptors}
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-@end table
+@item @code{writevar} @kbd{assocID\ name} @kbd{=} @kbd{value} @kbd{[,...]}
+Write (create or update) the specified variables.
+If the
+@code{assocID}
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+@code{assocID}
+is required, as the same name can occur in both name spaces.
@item @code{trap} @kbd{host_address} @code{[@code{port} @kbd{port_number}]} @code{[@code{interface} @kbd{interface_address}]}
This command configures a trap receiver at the given host
address and port number for sending messages with the specified
@@ -2747,6 +2968,13 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+@item @code{ttl} @kbd{hop} @kbd{...}
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+@code{manycast}
+mode these values are used in-turn in an expanding-ring search.
+The default is eight multiples of 32 starting at 31.
The trap receiver will generally log event messages and other
information from the server in a log file.
Index: contrib/ntp/ntpd/keyword-gen.c
===================================================================
--- contrib/ntp/ntpd/keyword-gen.c (版本 330566)
+++ contrib/ntp/ntpd/keyword-gen.c (版本 330908)
@@ -153,11 +153,15 @@
{ "orphan", T_Orphan, FOLLBY_TOKEN },
{ "orphanwait", T_Orphanwait, FOLLBY_TOKEN },
{ "nonvolatile", T_Nonvolatile, FOLLBY_TOKEN },
+{ "basedate", T_Basedate, FOLLBY_STRING },
/* access_control_flag */
{ "default", T_Default, FOLLBY_TOKEN },
{ "source", T_Source, FOLLBY_TOKEN },
+{ "epeer", T_Epeer, FOLLBY_TOKEN },
+{ "noepeer", T_Noepeer, FOLLBY_TOKEN },
{ "flake", T_Flake, FOLLBY_TOKEN },
{ "ignore", T_Ignore, FOLLBY_TOKEN },
+{ "ippeerlimit", T_Ippeerlimit, FOLLBY_TOKEN },
{ "limited", T_Limited, FOLLBY_TOKEN },
{ "mssntp", T_Mssntp, FOLLBY_TOKEN },
{ "kod", T_Kod, FOLLBY_TOKEN },
Index: contrib/ntp/ntpd/ntp.conf.html
===================================================================
--- contrib/ntp/ntpd/ntp.conf.html (版本 330566)
+++ contrib/ntp/ntpd/ntp.conf.html (版本 330908)
@@ -33,9 +33,9 @@
<p>This document describes the configuration file for the NTP Project's
<code>ntpd</code> program.
- <p>This document applies to version 4.2.8p10 of <code>ntp.conf</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntp.conf</code>.
- <div class="shortcontents">
+ <div class="shortcontents">
<h2>Short Contents</h2>
<ul>
<a href="#Top">NTP's Configuration File User Manual</a>
@@ -1467,7 +1467,7 @@
<code>monitor</code>
subcommand specifies the probability of discard
for packets that overflow the rate-control window.
-<br><dt><code>restrict</code> <code>address</code> <code>[mask </code><kbd>mask</kbd><code>]</code> <code>[</code><kbd>flag</kbd> <kbd>...</kbd><code>]</code><dd>The
+<br><dt><code>restrict</code> <code>address</code> <code>[mask </code><kbd>mask</kbd><code>]</code> <code>[ippeerlimit </code><kbd>int</kbd><code>]</code> <code>[</code><kbd>flag</kbd> <kbd>...</kbd><code>]</code><dd>The
<kbd>address</kbd>
argument expressed in
dotted-quad form is the address of a host or network.
@@ -1490,6 +1490,15 @@
<code>default</code>,
with no mask option, may
be used to indicate the default entry.
+The
+<code>ippeerlimit</code>
+directive limits the number of peer requests for each IP to
+<kbd>int</kbd>,
+where a value of -1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
<code>flag</code>
always
@@ -1536,6 +1545,17 @@
This flag
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
+<br><dt><code>noepeer</code><dd>Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+<span class="file">ntp.keys</span>
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+<code>noepeer</code>
+to become the default in ntp-4.4.
<br><dt><code>nomodify</code><dd>Deny
<code>ntpq(1ntpqmdoc)</code>
and
@@ -1550,10 +1570,10 @@
<code>ntpdc(1ntpdcmdoc)</code>
queries.
Time service is not affected.
-<br><dt><code>nopeer</code><dd>Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+<br><dt><code>nopeer</code><dd>Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
<code>pool</code>
associations, so if you want to use servers from a
@@ -1561,8 +1581,10 @@
directive and also want to use
<code>nopeer</code>
by default, you'll want a
-<code>restrict source ...</code> <code>line</code> <code>as</code> <code>well</code> <code>that</code> <code>does</code>
-<br><dt>not<dd>include the
+<code>restrict source ...</code>
+line as well that does
+<em>not</em>
+include the
<code>nopeer</code>
directive.
<br><dt><code>noserve</code><dd>Deny all packets except
@@ -1938,13 +1960,14 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
-to any number of poll intervals between 0 and 4.
+to any number of poll intervals between 0 and 4.
+</dl>
<h5 class="subsubsection">Manycast Options</h5>
- <dl>
+ <dl>
<dt><code>tos</code> <code>[ceiling </code><kbd>ceiling</kbd><code> | cohort { 0 | 1 } | floor </code><kbd>floor</kbd><code> | minclock </code><kbd>minclock</kbd><code> | minsane </code><kbd>minsane</kbd><code>]</code><dd>This command affects the clock selection and clustering
algorithms.
It can be used to select the quality and
@@ -1952,7 +1975,7 @@
and is most useful in manycast mode.
The variables operate
as follows:
- <dl>
+ <dl>
<dt><code>ceiling</code> <kbd>ceiling</kbd><dd>Peers with strata above
<code>ceiling</code>
will be discarded if there are at least
@@ -1994,7 +2017,7 @@
should be at least 4 in order to detect and discard
a single falseticker.
</dl>
- <br><dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd><dd>This command specifies a list of TTL values in increasing
+ <br><dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd><dd>This command specifies a list of TTL values in increasing
order, up to 8 values can be specified.
In manycast mode these values are used in turn
in an expanding-ring search.
@@ -2001,7 +2024,7 @@
The default is eight
multiples of 32 starting at 31.
</dl>
- <div class="node">
+<div class="node">
<p><hr>
<a name="Reference-Clock-Support"></a>
<br>
@@ -2009,7 +2032,7 @@
<h4 class="subsection">Reference Clock Support</h4>
- <p>The NTP Version 4 daemon supports some three dozen different radio,
+<p>The NTP Version 4 daemon supports some three dozen different radio,
satellite and modem reference clocks plus a special pseudo-clock
used for backup or when no other clock source is available.
Detailed descriptions of individual device drivers and options can
@@ -2046,7 +2069,7 @@
provided in
<span class="file">/usr/share/doc/ntp</span>).
- <p>A reference clock will generally (though not always) be a radio
+ <p>A reference clock will generally (though not always) be a radio
timecode receiver which is synchronized to a source of standard
time such as the services offered by the NRC in Canada and NIST and
USNO in the US.
@@ -2062,7 +2085,7 @@
in a scalding remark to the system log file, but is otherwise non
hazardous.
- <p>For the purposes of configuration,
+ <p>For the purposes of configuration,
<code>ntpd(1ntpdmdoc)</code>
treats
reference clocks in a manner analogous to normal NTP peers as much
@@ -2083,7 +2106,7 @@
sometimes useful to configure multiple reference clocks of the same
type, in which case the unit numbers must be unique.
- <p>The
+ <p>The
<code>server</code>
command is used to configure a reference
clock, where the
@@ -2121,7 +2144,7 @@
See the individual clock
driver document pages for additional information.
- <p>The
+ <p>The
<code>fudge</code>
command is used to provide additional
information for individual clock drivers and normally follows
@@ -2143,7 +2166,7 @@
<code>fudge</code>
command as well.
- <p>The stratum number of a reference clock is by default zero.
+ <p>The stratum number of a reference clock is by default zero.
Since the
<code>ntpd(1ntpdmdoc)</code>
daemon adds one to the stratum of each
@@ -2166,11 +2189,11 @@
<h5 class="subsubsection">Reference Clock Commands</h5>
- <dl>
+ <dl>
<dt><code>server</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[prefer]</code> <code>[mode </code><kbd>int</kbd><code>]</code> <code>[minpoll </code><kbd>int</kbd><code>]</code> <code>[maxpoll </code><kbd>int</kbd><code>]</code><dd>This command can be used to configure reference clocks in
special ways.
The options are interpreted as follows:
- <dl>
+ <dl>
<dt><code>prefer</code><dd>Marks the reference clock as preferred.
All other things being
equal, this host will be chosen for synchronization among a set of
@@ -2203,7 +2226,7 @@
defaults to 14 (4.5 h).
The allowable range is 4 (16 s) to 17 (36.4 h) inclusive.
</dl>
- <br><dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[time1 </code><kbd>sec</kbd><code>]</code> <code>[time2 </code><kbd>sec</kbd><code>]</code> <code>[stratum </code><kbd>int</kbd><code>]</code> <code>[refid </code><kbd>string</kbd><code>]</code> <code>[mode </code><kbd>int</kbd><code>]</code> <code>[flag1 0 | 1]</code> <code>[flag2 0 | 1]</code> <code>[flag3 0 | 1]</code> <code>[flag4 0 | 1]</code><dd>This command can be used to configure reference clocks in
+ <br><dt><code>fudge</code> <code>127.127.</code><kbd>t</kbd>.<kbd>u</kbd> <code>[time1 </code><kbd>sec</kbd><code>]</code> <code>[time2 </code><kbd>sec</kbd><code>]</code> <code>[stratum </code><kbd>int</kbd><code>]</code> <code>[refid </code><kbd>string</kbd><code>]</code> <code>[mode </code><kbd>int</kbd><code>]</code> <code>[flag1 0 | 1]</code> <code>[flag2 0 | 1]</code> <code>[flag3 0 | 1]</code> <code>[flag4 0 | 1]</code><dd>This command can be used to configure reference clocks in
special ways.
It must immediately follow the
<code>server</code>
@@ -2214,7 +2237,7 @@
program.
The options are interpreted as
follows:
- <dl>
+ <dl>
<dt><code>time1</code> <kbd>sec</kbd><dd>Specifies a constant to be added to the time offset produced by
the driver, a fixed-point decimal number in seconds.
This is used
@@ -2251,7 +2274,7 @@
page
(available as part of the HTML documentation
provided in
-<span class="file">/usr/share/doc/ntp</span>).
+<span class="file">/usr/share/doc/ntp</span> <span class="file">).</span>
<br><dt><code>stratum</code> <kbd>int</kbd><dd>Specifies the stratum number assigned to the driver, an integer
between 0 and 15.
This number overrides the default stratum number
@@ -2285,8 +2308,8 @@
command can be found in
<a href="#Monitoring-Options">Monitoring Options</a>.
</dl>
- </dl>
- <div class="node">
+ </dl>
+<div class="node">
<p><hr>
<a name="Miscellaneous-Options"></a>
<br>
@@ -2294,7 +2317,7 @@
<h4 class="subsection">Miscellaneous Options</h4>
- <dl>
+ <dl>
<dt><code>broadcastdelay</code> <kbd>seconds</kbd><dd>The broadcast and multicast modes require a special calibration
to determine the network delay between the local and remote
servers.
@@ -2327,7 +2350,7 @@
If this command is not given, the daemon will always start with an initial
frequency of zero.
- <p>The file format consists of a single line containing a single
+ <p>The file format consists of a single line containing a single
floating point number, which records the frequency offset measured
in parts-per-million (PPM).
The file is updated by first writing
@@ -2347,7 +2370,7 @@
can be controlled remotely using the
<code>ntpdc(1ntpdcmdoc)</code>
utility program.
- <dl>
+ <dl>
<dt><code>auth</code><dd>Enables the server to synchronize with unconfigured peers only if the
peer has been correctly authenticated using either public key or
private key cryptography.
@@ -2482,7 +2505,7 @@
default for this flag is
<code>enable</code>.
</dl>
- <br><dt><code>includefile</code> <kbd>includefile</kbd><dd>This command allows additional configuration commands
+ <br><dt><code>includefile</code> <kbd>includefile</kbd><dd>This command allows additional configuration commands
to be included from a separate file.
Include files may
be nested to a depth of five; upon reaching the end of any
@@ -2492,6 +2515,67 @@
<code>ntpd(1ntpdmdoc)</code>
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
+<br><dt><code>interface</code> <code>[listen | ignore | drop]</code> <code>[all | ipv4 | ipv6 | wildcard </code><kbd>name</kbd><code> | </code><kbd>address</kbd><code> [/ </code><kbd>prefixlen</kbd><code>]]</code><dd>The
+<code>interface</code>
+directive controls which network addresses
+<code>ntpd(1ntpdmdoc)</code>
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+<kbd>prefixlen</kbd>
+determines how many bits must match for this rule to apply.
+<code>ignore</code>
+prevents opening matching addresses,
+<code>drop</code>
+causes
+<code>ntpd(1ntpdmdoc)</code>
+to open the address and drop all received packets without examination.
+Multiple
+<code>interface</code>
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+<code>interface</code>
+directives are disabled if any
+<code>-I</code>,
+<code>--interface</code>,
+<code>-L</code>,
+or
+<code>--novirtualips</code>
+command-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+<code>nic</code>
+directive is an alias for
+<code>interface</code>.
+<br><dt><code>leapfile</code> <kbd>leapfile</kbd><dd>This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+<code>https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>
+or
+<code>ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list</code>.
+The
+<code>leapfile</code>
+is scanned when
+<code>ntpd(1ntpdmdoc)</code>
+processes the
+<code>leapfile</code> <code>directive</code> <code>or</code> <code>when</code>
+<code>ntpd</code> <code>detects</code> <code>that</code> <code>the</code>
+<kbd>leapfile</kbd>
+has changed.
+<code>ntpd</code>
+checks once a day to see if the
+<kbd>leapfile</kbd>
+has changed.
+The
+<code>update-leap(1update_leapmdoc)</code>
+script can be run to see if the
+<kbd>leapfile</kbd>
+should be updated.
<br><dt><code>leapsmearinterval</code> <kbd>seconds</kbd><dd>This EXPERIMENTAL option is only available if
<code>ntpd(1ntpdmdoc)</code>
was built with the
@@ -2543,7 +2627,7 @@
status messages
(<code>status</code>).
- <p>Configuration keywords are formed by concatenating the message class with
+ <p>Configuration keywords are formed by concatenating the message class with
the event class.
The
<code>all</code>
@@ -2555,20 +2639,20 @@
messages of the respective message class.
Thus, a minimal log configuration
could look like this:
-<pre class="verbatim">
- logconfig =syncstatus +sysevents
- </pre>
+<pre class="verbatim">
+ logconfig =syncstatus +sysevents
+</pre>
- <p>This would just list the synchronizations state of
+ <p>This would just list the synchronizations state of
<code>ntpd(1ntpdmdoc)</code>
and the major system events.
For a simple reference server, the
following minimum message configuration could be useful:
-<pre class="verbatim">
- logconfig =syncall +clockall
- </pre>
+<pre class="verbatim">
+ logconfig =syncall +clockall
+</pre>
- <p>This configuration will list all clock information and
+ <p>This configuration will list all clock information and
synchronization information.
All other events and messages about
peers, system events and so on is suppressed.
@@ -2579,6 +2663,129 @@
This is the same operation as the
<code>-l</code>
command line option.
+<br><dt><code>mru</code> <code>[maxdepth </code><kbd>count</kbd><code> | maxmem </code><kbd>kilobytes</kbd><code> | mindepth </code><kbd>count</kbd><code> | maxage </code><kbd>seconds</kbd><code> | initialloc </code><kbd>count</kbd><code> | initmem </code><kbd>kilobytes</kbd><code> | incalloc </code><kbd>count</kbd><code> | incmem </code><kbd>kilobytes</kbd><code>]</code><dd>Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+ <dl>
+<dt><code>maxdepth</code> <kbd>count</kbd><br><dt><code>maxmem</code> <kbd>kilobytes</kbd><dd>Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+<code>incalloc</code>
+entries or
+<code>incmem</code>
+kilobytes larger.
+As with all of the
+<code>mru</code>
+options offered in units of entries or kilobytes, if both
+<code>maxdepth</code>
+and
+<code>maxmem</code> <code>are</code> <code>used,</code> <code>the</code> <code>last</code> <code>one</code> <code>used</code> <code>controls.</code>
+The default is 1024 kilobytes.
+<br><dt><code>mindepth</code> <kbd>count</kbd><dd>Lower limit on the MRU list size.
+When the MRU list has fewer than
+<code>mindepth</code>
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+<br><dt><code>maxage</code> <kbd>seconds</kbd><dd>Once the MRU list has
+<code>mindepth</code>
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+<code>maxage</code>
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+<code>maxdepth</code> <code>/</code> <code>moxmem</code>.
+The default is 64 seconds.
+<br><dt><code>initalloc</code> <kbd>count</kbd><br><dt><code>initmem</code> <kbd>kilobytes</kbd><dd>Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+<br><dt><code>incalloc</code> <kbd>count</kbd><br><dt><code>incmem</code> <kbd>kilobytes</kbd><dd>Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+</dl>
+ <br><dt><code>nonvolatile</code> <kbd>threshold</kbd><dd>Specify the
+<kbd>threshold</kbd>
+delta in seconds before an hourly change to the
+<code>driftfile</code>
+(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+<code>threshold</code>
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+<br><dt><code>phone</code> <kbd>dial</kbd> <kbd>...</kbd><dd>This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 - 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 - 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+<br><dt><code>reset</code> <code>[allpeers]</code> <code>[auth]</code> <code>[ctl]</code> <code>[io]</code> <code>[mem]</code> <code>[sys]</code> <code>[timer]</code><dd>Reset one or more groups of counters maintained by
+<code>ntpd</code>
+and exposed by
+<code>ntpq</code>
+and
+<code>ntpdc</code>.
+<br><dt><code>rlimit</code> <code>[memlock </code><kbd>Nmegabytes</kbd><code> | stacksize </code><kbd>N4kPages</kbd><code> filenum </code><kbd>Nfiledescriptors</kbd><code>]</code><dd>
+ <dl>
+<dt><code>memlock</code> <kbd>Nmegabytes</kbd><dd>Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+<code>-i</code>
+option).
+The default is 32 megabytes on non-Linux machines, and -1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+<br><dt><code>stacksize</code> <kbd>N4kPages</kbd><dd>Specifies the maximum size of the process stack on systems with the
+<code>mlockall()</code>
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+<br><dt><code>filenum</code> <kbd>Nfiledescriptors</kbd><dd>Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+</dl>
+ <br><dt><code>saveconfigdir</code> <kbd>directory_path</kbd><dd>Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+<code>saveconfig</code>
+command.
+If
+<code>saveconfigdir</code>
+does not appear in the configuration file,
+<code>saveconfig</code>
+requests are rejected by
+<code>ntpd</code>.
+<br><dt><code>saveconfig</code> <kbd>filename</kbd><dd>Write the current configuration, including any runtime
+modifications given with
+<code>:config</code>
+or
+<code>config-from-file</code>
+to the
+<code>ntpd</code>
+host's
+<kbd>filename</kbd>
+in the
+<code>saveconfigdir</code>.
+This command will be rejected unless the
+<code>saveconfigdir</code>
+directive appears in
+.Cm ntpd 's
+configuration file.
+<kbd>filename</kbd>
+can use
+<code>strftime(3)</code>
+format directives to substitute the current date and time,
+for example,
+<code>saveconfig\ ntp-%Y%m%d-%H%M%S.conf</code>.
+The filename used is stored in the system variable
+<code>savedconfig</code>.
+Authentication is required.
<br><dt><code>setvar</code> <kbd>variable</kbd> <code>[default]</code><dd>This command adds an additional system variable.
These
variables can be used to distribute additional information such as
@@ -2610,6 +2817,8 @@
the names of all peer variables and the
<code>clock_var_list</code>
holds the names of the reference clock variables.
+<br><dt><code>sysinfo</code><dd>Display operational summary.
+<br><dt><code>sysstats</code><dd>Show statistics counters maintained in the protocol module.
<br><dt><code>tinker</code> <code>[allan </code><kbd>allan</kbd><code> | dispersion </code><kbd>dispersion</kbd><code> | freq </code><kbd>freq</kbd><code> | huffpuff </code><kbd>huffpuff</kbd><code> | panic </code><kbd>panic</kbd><code> | step </code><kbd>step</kbd><code> | stepback </code><kbd>stepback</kbd><code> | stepfwd </code><kbd>stepfwd</kbd><code> | stepout </code><kbd>stepout</kbd><code>]</code><dd>This command can be used to alter several system variables in
very exceptional circumstances.
It should occur in the
@@ -2627,8 +2836,8 @@
Emphasis added: twisters are on their own and can expect
no help from the support group.
- <p>The variables operate as follows:
- <dl>
+ <p>The variables operate as follows:
+ <dl>
<dt><code>allan</code> <kbd>allan</kbd><dd>The argument becomes the new value for the minimum Allan
intercept, which is a parameter of the PLL/FLL clock discipline
algorithm.
@@ -2677,25 +2886,18 @@
If set to zero, the stepout
pulses will not be suppressed.
</dl>
- <br><dt><code>rlimit</code> <code>[memlock </code><kbd>Nmegabytes</kbd><code> | stacksize </code><kbd>N4kPages</kbd><code> filenum </code><kbd>Nfiledescriptors</kbd><code>]</code><dd>
- <dl>
-<dt><code>memlock</code> <kbd>Nmegabytes</kbd><dd>Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-<code>-i</code>
-option).
-The default is 32 megabytes on non-Linux machines, and -1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-<br><dt><code>stacksize</code> <kbd>N4kPages</kbd><dd>Specifies the maximum size of the process stack on systems with the
-<code>mlockall()</code>
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-<br><dt><code>filenum</code> <kbd>Nfiledescriptors</kbd><dd>Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-</dl>
- <br><dt><code>trap</code> <kbd>host_address</kbd> <code>[port </code><kbd>port_number</kbd><code>]</code> <code>[interface </code><kbd>interface_address</kbd><code>]</code><dd>This command configures a trap receiver at the given host
+ <br><dt><code>writevar</code> <kbd>assocID\ name</kbd> <kbd>=</kbd> <kbd>value</kbd> <kbd>[,...]</kbd><dd>Write (create or update) the specified variables.
+If the
+<code>assocID</code>
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+<code>assocID</code>
+is required, as the same name can occur in both name spaces.
+<br><dt><code>trap</code> <kbd>host_address</kbd> <code>[port </code><kbd>port_number</kbd><code>]</code> <code>[interface </code><kbd>interface_address</kbd><code>]</code><dd>This command configures a trap receiver at the given host
address and port number for sending messages with the specified
local interface address.
If the port number is unspecified, a value
@@ -2704,9 +2906,15 @@
message is sent with a source address of the local interface the
message is sent through.
Note that on a multihomed host the
-interface used may vary from time to time with routing changes.
+interface used may vary from time to time with routing changes.
+<br><dt><code>ttl</code> <kbd>hop</kbd> <kbd>...</kbd><dd>This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+<code>manycast</code>
+mode these values are used in-turn in an expanding-ring search.
+The default is eight multiples of 32 starting at 31.
- <p>The trap receiver will generally log event messages and other
+ <p>The trap receiver will generally log event messages and other
information from the server in a log file.
While such monitor
programs may also request their own trap dynamically, configuring a
@@ -2720,11 +2928,11 @@
31.
</dl>
- <p>This section was generated by <strong>AutoGen</strong>,
+ <p>This section was generated by <strong>AutoGen</strong>,
using the <code>agtexi-cmd</code> template and the option descriptions for the <code>ntp.conf</code> program.
This software is released under the NTP license, &lt;http://ntp.org/license&gt;.
- <ul class="menu">
+<ul class="menu">
<li><a accesskey="1" href="#ntp_002econf-Files">ntp.conf Files</a>: Files
<li><a accesskey="2" href="#ntp_002econf-See-Also">ntp.conf See Also</a>: See Also
<li><a accesskey="3" href="#ntp_002econf-Bugs">ntp.conf Bugs</a>: Bugs
@@ -2739,7 +2947,7 @@
<h4 class="subsection">ntp.conf Files</h4>
- <dl>
+ <dl>
<dt><span class="file">/etc/ntp.conf</span><dd>the default name of the configuration file
<br><dt><span class="file">ntp.keys</span><dd>private MD5 keys
<br><dt><span class="file">ntpkey</span><dd>RSA private key
@@ -2746,7 +2954,7 @@
<br><dt><span class="file">ntpkey_</span><kbd>host</kbd><dd>RSA public key
<br><dt><span class="file">ntp_dh</span><dd>Diffie-Hellman agreement parameters
</dl>
- <div class="node">
+<div class="node">
<p><hr>
<a name="ntp_002econf-See-Also"></a>
<br>
@@ -2754,11 +2962,11 @@
<h4 class="subsection">ntp.conf See Also</h4>
- <p><code>ntpd(1ntpdmdoc)</code>,
+<p><code>ntpd(1ntpdmdoc)</code>,
<code>ntpdc(1ntpdcmdoc)</code>,
<code>ntpq(1ntpqmdoc)</code>
- <p>In addition to the manual pages provided,
+ <p>In addition to the manual pages provided,
comprehensive documentation is available on the world wide web
at
<code>http://www.ntp.org/</code>.
@@ -2766,7 +2974,7 @@
<span class="file">/usr/share/doc/ntp</span>.
<br>
- <p><br>
+ <p><br>
David L. Mills, <em>Network Time Protocol (Version 4)</em>, RFC5905
<div class="node">
<p><hr>
@@ -2776,11 +2984,11 @@
<h4 class="subsection">ntp.conf Bugs</h4>
- <p>The syntax checking is not picky; some combinations of
+<p>The syntax checking is not picky; some combinations of
ridiculous and even hilarious options and modes may not be
detected.
- <p>The
+ <p>The
<span class="file">ntpkey_</span><kbd>host</kbd>
files are really digital
certificates.
@@ -2794,7 +3002,7 @@
<h4 class="subsection">ntp.conf Notes</h4>
- <p>This document was derived from FreeBSD.
+<p>This document was derived from FreeBSD.
</body></html>
Index: contrib/ntp/ntpd/ntp.keys.5mdoc
===================================================================
--- contrib/ntp/ntpd/ntp.keys.5mdoc (版本 330566)
+++ contrib/ntp/ntpd/ntp.keys.5mdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_KEYS 5mdoc File Formats
.Os SunOS 5.10
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:22 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agmdoc-file.tpl
.Sh NAME
@@ -51,16 +51,24 @@
is a positive integer (between 1 and 65534),
.Ar type
is the message digest algorithm,
-and
.Ar key
is the key itself, and
.Ar opt_IP_list
is an optional comma\-separated list of IPs
+where the
+.Ar keyno
+should be trusted.
that are allowed to serve time.
+Each IP in
+.Ar opt_IP_list
+may contain an optional
+.Cm /subnetbits
+specification which identifies the number of bits for
+the desired subnet of trust.
If
.Ar opt_IP_list
is empty,
-any properly\-authenticated server message will be
+any properly\-authenticated message will be
accepted.
.Pp
The
Index: contrib/ntp/ntpd/ntp.keys.mdoc.in
===================================================================
--- contrib/ntp/ntpd/ntp.keys.mdoc.in (版本 330566)
+++ contrib/ntp/ntpd/ntp.keys.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_KEYS 5 File Formats
.Os SunOS 5.10
.\" EDIT THIS FILE WITH CAUTION (ntp.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:22 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:46 PM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agmdoc-file.tpl
.Sh NAME
@@ -51,16 +51,24 @@
is a positive integer (between 1 and 65534),
.Ar type
is the message digest algorithm,
-and
.Ar key
is the key itself, and
.Ar opt_IP_list
is an optional comma\-separated list of IPs
+where the
+.Ar keyno
+should be trusted.
that are allowed to serve time.
+Each IP in
+.Ar opt_IP_list
+may contain an optional
+.Cm /subnetbits
+specification which identifies the number of bits for
+the desired subnet of trust.
If
.Ar opt_IP_list
is empty,
-any properly\-authenticated server message will be
+any properly\-authenticated message will be
accepted.
.Pp
The
Index: contrib/ntp/ntpd/ntp_io.c
===================================================================
--- contrib/ntp/ntpd/ntp_io.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_io.c (版本 330908)
@@ -1043,7 +1043,7 @@
/* remove restrict interface entry */
SET_HOSTMASK(&resmask, AF(&ep->sin));
hack_restrict(RESTRICT_REMOVEIF, &ep->sin, &resmask,
- RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0);
+ -3, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0);
}
@@ -1600,7 +1600,7 @@
if (fd != INVALID_SOCKET) {
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
- (char *)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_ERR,
"set_wildcard_reuse: setsockopt(SO_REUSEADDR, %s) failed: %m",
on ? "on" : "off");
@@ -2093,7 +2093,7 @@
*/
SET_HOSTMASK(&resmask, AF(&iface->sin));
hack_restrict(RESTRICT_FLAGS, &iface->sin, &resmask,
- RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0);
+ -4, RESM_NTPONLY | RESM_INTERFACE, RES_IGNORE, 0);
/*
* set globals with the first found
@@ -2156,7 +2156,7 @@
#endif
failed = setsockopt(fd, SOL_SOCKET, SO_EXCLUSIVEADDRUSE,
- (char *)&one, sizeof(one));
+ (void *)&one, sizeof(one));
if (!failed)
return;
@@ -2210,7 +2210,7 @@
if (ep->fd != INVALID_SOCKET) {
if (setsockopt(ep->fd, SOL_SOCKET, SO_REUSEADDR,
- (char *)&flag, sizeof(flag))) {
+ (void *)&flag, sizeof(flag))) {
msyslog(LOG_ERR, "set_reuseaddr: setsockopt(%s, SO_REUSEADDR, %s) failed: %m",
stoa(&ep->sin), flag ? "on" : "off");
}
@@ -2253,7 +2253,7 @@
if (IS_IPV4(baddr)) {
/* if this interface can support broadcast, set SO_BROADCAST */
if (setsockopt(fd, SOL_SOCKET, SO_BROADCAST,
- (char *)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_ERR,
"setsockopt(SO_BROADCAST) enable failure on address %s: %m",
stoa(baddr));
@@ -2284,7 +2284,7 @@
int off = 0; /* This seems to be OK as an int */
if (IS_IPV4(baddr) && setsockopt(iface->fd, SOL_SOCKET,
- SO_BROADCAST, (char *)&off, sizeof(off)))
+ SO_BROADCAST, (void *)&off, sizeof(off)))
msyslog(LOG_ERR,
"setsockopt(SO_BROADCAST) disable failure on address %s: %m",
stoa(baddr));
@@ -2365,7 +2365,7 @@
*/
if (setsockopt(iface->fd, IPPROTO_IP,
IP_MULTICAST_LOOP,
- SETSOCKOPT_ARG_CAST &off,
+ (void *)&off,
sizeof(off))) {
msyslog(LOG_ERR,
@@ -2384,7 +2384,7 @@
*/
if (setsockopt(iface->fd, IPPROTO_IPV6,
IPV6_MULTICAST_LOOP,
- (char *) &off6, sizeof(off6))) {
+ (void *) &off6, sizeof(off6))) {
msyslog(LOG_ERR,
"setsockopt IPV6_MULTICAST_LOOP failed: %m on socket %d, addr %s for multicast address %s",
@@ -2426,7 +2426,7 @@
if (setsockopt(iface->fd,
IPPROTO_IP,
IP_ADD_MEMBERSHIP,
- (char *)&mreq,
+ (void *)&mreq,
sizeof(mreq))) {
DPRINTF(2, (
"setsockopt IP_ADD_MEMBERSHIP failed: %m on socket %d, addr %s for %x / %x (%s)",
@@ -2456,7 +2456,7 @@
mreq6.ipv6mr_interface = iface->ifindex;
if (setsockopt(iface->fd, IPPROTO_IPV6,
- IPV6_JOIN_GROUP, (char *)&mreq6,
+ IPV6_JOIN_GROUP, (void *)&mreq6,
sizeof(mreq6))) {
DPRINTF(2, (
"setsockopt IPV6_JOIN_GROUP failed: %m on socket %d, addr %s for interface %u (%s)",
@@ -2510,7 +2510,7 @@
mreq.imr_multiaddr = SOCK_ADDR4(maddr);
mreq.imr_interface = SOCK_ADDR4(&iface->sin);
if (setsockopt(iface->fd, IPPROTO_IP,
- IP_DROP_MEMBERSHIP, (char *)&mreq,
+ IP_DROP_MEMBERSHIP, (void *)&mreq,
sizeof(mreq))) {
msyslog(LOG_ERR,
@@ -2534,7 +2534,7 @@
mreq6.ipv6mr_interface = iface->ifindex;
if (setsockopt(iface->fd, IPPROTO_IPV6,
- IPV6_LEAVE_GROUP, (char *)&mreq6,
+ IPV6_LEAVE_GROUP, (void *)&mreq6,
sizeof(mreq6))) {
msyslog(LOG_ERR,
@@ -2730,6 +2730,7 @@
if (ep->fd != INVALID_SOCKET) {
ep->ignore_packets = ISC_FALSE;
ep->flags |= INT_MCASTIF;
+ ep->ifindex = SCOPE(addr);
strlcpy(ep->name, "multicast", sizeof(ep->name));
DPRINT_INTERFACE(2, (ep, "multicast add ", "\n"));
@@ -2895,7 +2896,7 @@
if (isc_win32os_versioncheck(5, 1, 0, 0) < 0) /* before 5.1 */
#endif
if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
- (char *)((turn_off_reuse)
+ (void *)((turn_off_reuse)
? &off
: &on),
sizeof(on))) {
@@ -2923,7 +2924,7 @@
*/
if (IS_IPV4(addr)) {
#if defined(IPPROTO_IP) && defined(IP_TOS)
- if (setsockopt(fd, IPPROTO_IP, IP_TOS, (char*)&qos,
+ if (setsockopt(fd, IPPROTO_IP, IP_TOS, (void *)&qos,
sizeof(qos)))
msyslog(LOG_ERR,
"setsockopt IP_TOS (%02x) fails on address %s: %m",
@@ -2938,7 +2939,7 @@
*/
if (IS_IPV6(addr)) {
#if defined(IPPROTO_IPV6) && defined(IPV6_TCLASS)
- if (setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, (char*)&qos,
+ if (setsockopt(fd, IPPROTO_IPV6, IPV6_TCLASS, (void *)&qos,
sizeof(qos)))
msyslog(LOG_ERR,
"setsockopt IPV6_TCLASS (%02x) fails on address %s: %m",
@@ -2947,7 +2948,7 @@
#ifdef IPV6_V6ONLY
if (isc_net_probe_ipv6only() == ISC_R_SUCCESS
&& setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
- (char*)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_ERR,
"setsockopt IPV6_V6ONLY on fails on address %s: %m",
stoa(addr));
@@ -2954,7 +2955,7 @@
#endif
#ifdef IPV6_BINDV6ONLY
if (setsockopt(fd, IPPROTO_IPV6, IPV6_BINDV6ONLY,
- (char*)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_ERR,
"setsockopt IPV6_BINDV6ONLY on fails on address %s: %m",
stoa(addr));
@@ -3006,7 +3007,7 @@
#ifdef HAVE_TIMESTAMP
{
if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMP,
- (char*)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_DEBUG,
"setsockopt SO_TIMESTAMP on fails on address %s: %m",
stoa(addr));
@@ -3018,7 +3019,7 @@
#ifdef HAVE_TIMESTAMPNS
{
if (setsockopt(fd, SOL_SOCKET, SO_TIMESTAMPNS,
- (char*)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_DEBUG,
"setsockopt SO_TIMESTAMPNS on fails on address %s: %m",
stoa(addr));
@@ -3030,7 +3031,7 @@
#ifdef HAVE_BINTIME
{
if (setsockopt(fd, SOL_SOCKET, SO_BINTIME,
- (char*)&on, sizeof(on)))
+ (void *)&on, sizeof(on)))
msyslog(LOG_DEBUG,
"setsockopt SO_BINTIME on fails on address %s: %m",
stoa(addr));
@@ -3091,6 +3092,7 @@
int cc;
int rc;
u_char cttl;
+ l_fp fp_zero = { 0, 0 };
ismcast = IS_MCAST(dest);
if (!ismcast)
@@ -3174,6 +3176,19 @@
if (ismcast)
src = src->mclink;
} while (ismcast && src != NULL);
+
+ /* HMS: pkt->rootdisp is usually random here */
+ record_raw_stats(src ? &src->sin : NULL, dest,
+ &pkt->org, &pkt->rec, &pkt->xmt, &fp_zero,
+ PKT_MODE(pkt->li_vn_mode),
+ PKT_VERSION(pkt->li_vn_mode),
+ PKT_LEAP(pkt->li_vn_mode),
+ pkt->stratum,
+ pkt->ppoll, pkt->precision,
+ pkt->rootdelay, pkt->rootdisp, pkt->refid,
+ len - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
+
+ return;
}
@@ -3960,6 +3975,17 @@
DPRINTF(4, ("Finding interface for addr %s in list of addresses\n",
stoa(addr)));
+ /* [Bug 3437] The dummy POOL peer comes in with an AF of
+ * zero. This is bound to fail, but on the way to nowhere it
+ * triggers a security incident on SELinux.
+ *
+ * Checking the condition and failing early is probably a good
+ * advice, and even saves us some syscalls in that case.
+ * Thanks to Miroslav Lichvar for finding this.
+ */
+ if (AF_UNSPEC == AF(addr))
+ return NULL;
+
s = socket(AF(addr), SOCK_DGRAM, 0);
if (INVALID_SOCKET == s)
return NULL;
@@ -3972,7 +3998,7 @@
on = 1;
if (SOCKET_ERROR == setsockopt(s, SOL_SOCKET,
SO_BROADCAST,
- (char *)&on,
+ (void *)&on,
sizeof(on))) {
closesocket(s);
return NULL;
Index: contrib/ntp/ntpd/ntp_parser.h
===================================================================
--- contrib/ntp/ntpd/ntp_parser.h (版本 330566)
+++ contrib/ntp/ntpd/ntp_parser.h (版本 330908)
@@ -30,8 +30,8 @@
This special exception was added by the Free Software Foundation in
version 2.2 of Bison. */
-#ifndef YY_YY_Y_TAB_H_INCLUDED
-# define YY_YY_Y_TAB_H_INCLUDED
+#ifndef YY_YY_NTP_PARSER_H_INCLUDED
+# define YY_YY_NTP_PARSER_H_INCLUDED
/* Debug traces. */
#ifndef YYDEBUG
# define YYDEBUG 1
@@ -54,193 +54,197 @@
T_Autokey = 264,
T_Automax = 265,
T_Average = 266,
- T_Bclient = 267,
- T_Bcpollbstep = 268,
- T_Beacon = 269,
- T_Broadcast = 270,
- T_Broadcastclient = 271,
- T_Broadcastdelay = 272,
- T_Burst = 273,
- T_Calibrate = 274,
- T_Ceiling = 275,
- T_Clockstats = 276,
- T_Cohort = 277,
- T_ControlKey = 278,
- T_Crypto = 279,
- T_Cryptostats = 280,
- T_Ctl = 281,
- T_Day = 282,
- T_Default = 283,
- T_Digest = 284,
- T_Disable = 285,
- T_Discard = 286,
- T_Dispersion = 287,
- T_Double = 288,
- T_Driftfile = 289,
- T_Drop = 290,
- T_Dscp = 291,
- T_Ellipsis = 292,
- T_Enable = 293,
- T_End = 294,
- T_False = 295,
- T_File = 296,
- T_Filegen = 297,
- T_Filenum = 298,
- T_Flag1 = 299,
- T_Flag2 = 300,
- T_Flag3 = 301,
- T_Flag4 = 302,
- T_Flake = 303,
- T_Floor = 304,
- T_Freq = 305,
- T_Fudge = 306,
- T_Host = 307,
- T_Huffpuff = 308,
- T_Iburst = 309,
- T_Ident = 310,
- T_Ignore = 311,
- T_Incalloc = 312,
- T_Incmem = 313,
- T_Initalloc = 314,
- T_Initmem = 315,
- T_Includefile = 316,
- T_Integer = 317,
- T_Interface = 318,
- T_Intrange = 319,
- T_Io = 320,
- T_Ipv4 = 321,
- T_Ipv4_flag = 322,
- T_Ipv6 = 323,
- T_Ipv6_flag = 324,
- T_Kernel = 325,
- T_Key = 326,
- T_Keys = 327,
- T_Keysdir = 328,
- T_Kod = 329,
- T_Mssntp = 330,
- T_Leapfile = 331,
- T_Leapsmearinterval = 332,
- T_Limited = 333,
- T_Link = 334,
- T_Listen = 335,
- T_Logconfig = 336,
- T_Logfile = 337,
- T_Loopstats = 338,
- T_Lowpriotrap = 339,
- T_Manycastclient = 340,
- T_Manycastserver = 341,
- T_Mask = 342,
- T_Maxage = 343,
- T_Maxclock = 344,
- T_Maxdepth = 345,
- T_Maxdist = 346,
- T_Maxmem = 347,
- T_Maxpoll = 348,
- T_Mdnstries = 349,
- T_Mem = 350,
- T_Memlock = 351,
- T_Minclock = 352,
- T_Mindepth = 353,
- T_Mindist = 354,
- T_Minimum = 355,
- T_Minpoll = 356,
- T_Minsane = 357,
- T_Mode = 358,
- T_Mode7 = 359,
- T_Monitor = 360,
- T_Month = 361,
- T_Mru = 362,
- T_Multicastclient = 363,
- T_Nic = 364,
- T_Nolink = 365,
- T_Nomodify = 366,
- T_Nomrulist = 367,
- T_None = 368,
- T_Nonvolatile = 369,
- T_Nopeer = 370,
- T_Noquery = 371,
- T_Noselect = 372,
- T_Noserve = 373,
- T_Notrap = 374,
- T_Notrust = 375,
- T_Ntp = 376,
- T_Ntpport = 377,
- T_NtpSignDsocket = 378,
- T_Orphan = 379,
- T_Orphanwait = 380,
- T_PCEdigest = 381,
- T_Panic = 382,
- T_Peer = 383,
- T_Peerstats = 384,
- T_Phone = 385,
- T_Pid = 386,
- T_Pidfile = 387,
- T_Pool = 388,
- T_Port = 389,
- T_Preempt = 390,
- T_Prefer = 391,
- T_Protostats = 392,
- T_Pw = 393,
- T_Randfile = 394,
- T_Rawstats = 395,
- T_Refid = 396,
- T_Requestkey = 397,
- T_Reset = 398,
- T_Restrict = 399,
- T_Revoke = 400,
- T_Rlimit = 401,
- T_Saveconfigdir = 402,
- T_Server = 403,
- T_Setvar = 404,
- T_Source = 405,
- T_Stacksize = 406,
- T_Statistics = 407,
- T_Stats = 408,
- T_Statsdir = 409,
- T_Step = 410,
- T_Stepback = 411,
- T_Stepfwd = 412,
- T_Stepout = 413,
- T_Stratum = 414,
- T_String = 415,
- T_Sys = 416,
- T_Sysstats = 417,
- T_Tick = 418,
- T_Time1 = 419,
- T_Time2 = 420,
- T_Timer = 421,
- T_Timingstats = 422,
- T_Tinker = 423,
- T_Tos = 424,
- T_Trap = 425,
- T_True = 426,
- T_Trustedkey = 427,
- T_Ttl = 428,
- T_Type = 429,
- T_U_int = 430,
- T_UEcrypto = 431,
- T_UEcryptonak = 432,
- T_UEdigest = 433,
- T_Unconfig = 434,
- T_Unpeer = 435,
- T_Version = 436,
- T_WanderThreshold = 437,
- T_Week = 438,
- T_Wildcard = 439,
- T_Xleave = 440,
- T_Year = 441,
- T_Flag = 442,
- T_EOC = 443,
- T_Simulate = 444,
- T_Beep_Delay = 445,
- T_Sim_Duration = 446,
- T_Server_Offset = 447,
- T_Duration = 448,
- T_Freq_Offset = 449,
- T_Wander = 450,
- T_Jitter = 451,
- T_Prop_Delay = 452,
- T_Proc_Delay = 453
+ T_Basedate = 267,
+ T_Bclient = 268,
+ T_Bcpollbstep = 269,
+ T_Beacon = 270,
+ T_Broadcast = 271,
+ T_Broadcastclient = 272,
+ T_Broadcastdelay = 273,
+ T_Burst = 274,
+ T_Calibrate = 275,
+ T_Ceiling = 276,
+ T_Clockstats = 277,
+ T_Cohort = 278,
+ T_ControlKey = 279,
+ T_Crypto = 280,
+ T_Cryptostats = 281,
+ T_Ctl = 282,
+ T_Day = 283,
+ T_Default = 284,
+ T_Digest = 285,
+ T_Disable = 286,
+ T_Discard = 287,
+ T_Dispersion = 288,
+ T_Double = 289,
+ T_Driftfile = 290,
+ T_Drop = 291,
+ T_Dscp = 292,
+ T_Ellipsis = 293,
+ T_Enable = 294,
+ T_End = 295,
+ T_Epeer = 296,
+ T_False = 297,
+ T_File = 298,
+ T_Filegen = 299,
+ T_Filenum = 300,
+ T_Flag1 = 301,
+ T_Flag2 = 302,
+ T_Flag3 = 303,
+ T_Flag4 = 304,
+ T_Flake = 305,
+ T_Floor = 306,
+ T_Freq = 307,
+ T_Fudge = 308,
+ T_Host = 309,
+ T_Huffpuff = 310,
+ T_Iburst = 311,
+ T_Ident = 312,
+ T_Ignore = 313,
+ T_Incalloc = 314,
+ T_Incmem = 315,
+ T_Initalloc = 316,
+ T_Initmem = 317,
+ T_Includefile = 318,
+ T_Integer = 319,
+ T_Interface = 320,
+ T_Intrange = 321,
+ T_Io = 322,
+ T_Ippeerlimit = 323,
+ T_Ipv4 = 324,
+ T_Ipv4_flag = 325,
+ T_Ipv6 = 326,
+ T_Ipv6_flag = 327,
+ T_Kernel = 328,
+ T_Key = 329,
+ T_Keys = 330,
+ T_Keysdir = 331,
+ T_Kod = 332,
+ T_Mssntp = 333,
+ T_Leapfile = 334,
+ T_Leapsmearinterval = 335,
+ T_Limited = 336,
+ T_Link = 337,
+ T_Listen = 338,
+ T_Logconfig = 339,
+ T_Logfile = 340,
+ T_Loopstats = 341,
+ T_Lowpriotrap = 342,
+ T_Manycastclient = 343,
+ T_Manycastserver = 344,
+ T_Mask = 345,
+ T_Maxage = 346,
+ T_Maxclock = 347,
+ T_Maxdepth = 348,
+ T_Maxdist = 349,
+ T_Maxmem = 350,
+ T_Maxpoll = 351,
+ T_Mdnstries = 352,
+ T_Mem = 353,
+ T_Memlock = 354,
+ T_Minclock = 355,
+ T_Mindepth = 356,
+ T_Mindist = 357,
+ T_Minimum = 358,
+ T_Minpoll = 359,
+ T_Minsane = 360,
+ T_Mode = 361,
+ T_Mode7 = 362,
+ T_Monitor = 363,
+ T_Month = 364,
+ T_Mru = 365,
+ T_Multicastclient = 366,
+ T_Nic = 367,
+ T_Nolink = 368,
+ T_Nomodify = 369,
+ T_Nomrulist = 370,
+ T_None = 371,
+ T_Nonvolatile = 372,
+ T_Noepeer = 373,
+ T_Nopeer = 374,
+ T_Noquery = 375,
+ T_Noselect = 376,
+ T_Noserve = 377,
+ T_Notrap = 378,
+ T_Notrust = 379,
+ T_Ntp = 380,
+ T_Ntpport = 381,
+ T_NtpSignDsocket = 382,
+ T_Orphan = 383,
+ T_Orphanwait = 384,
+ T_PCEdigest = 385,
+ T_Panic = 386,
+ T_Peer = 387,
+ T_Peerstats = 388,
+ T_Phone = 389,
+ T_Pid = 390,
+ T_Pidfile = 391,
+ T_Pool = 392,
+ T_Port = 393,
+ T_Preempt = 394,
+ T_Prefer = 395,
+ T_Protostats = 396,
+ T_Pw = 397,
+ T_Randfile = 398,
+ T_Rawstats = 399,
+ T_Refid = 400,
+ T_Requestkey = 401,
+ T_Reset = 402,
+ T_Restrict = 403,
+ T_Revoke = 404,
+ T_Rlimit = 405,
+ T_Saveconfigdir = 406,
+ T_Server = 407,
+ T_Setvar = 408,
+ T_Source = 409,
+ T_Stacksize = 410,
+ T_Statistics = 411,
+ T_Stats = 412,
+ T_Statsdir = 413,
+ T_Step = 414,
+ T_Stepback = 415,
+ T_Stepfwd = 416,
+ T_Stepout = 417,
+ T_Stratum = 418,
+ T_String = 419,
+ T_Sys = 420,
+ T_Sysstats = 421,
+ T_Tick = 422,
+ T_Time1 = 423,
+ T_Time2 = 424,
+ T_Timer = 425,
+ T_Timingstats = 426,
+ T_Tinker = 427,
+ T_Tos = 428,
+ T_Trap = 429,
+ T_True = 430,
+ T_Trustedkey = 431,
+ T_Ttl = 432,
+ T_Type = 433,
+ T_U_int = 434,
+ T_UEcrypto = 435,
+ T_UEcryptonak = 436,
+ T_UEdigest = 437,
+ T_Unconfig = 438,
+ T_Unpeer = 439,
+ T_Version = 440,
+ T_WanderThreshold = 441,
+ T_Week = 442,
+ T_Wildcard = 443,
+ T_Xleave = 444,
+ T_Year = 445,
+ T_Flag = 446,
+ T_EOC = 447,
+ T_Simulate = 448,
+ T_Beep_Delay = 449,
+ T_Sim_Duration = 450,
+ T_Server_Offset = 451,
+ T_Duration = 452,
+ T_Freq_Offset = 453,
+ T_Wander = 454,
+ T_Jitter = 455,
+ T_Prop_Delay = 456,
+ T_Proc_Delay = 457
};
#endif
/* Tokens. */
@@ -253,193 +257,197 @@
#define T_Autokey 264
#define T_Automax 265
#define T_Average 266
-#define T_Bclient 267
-#define T_Bcpollbstep 268
-#define T_Beacon 269
-#define T_Broadcast 270
-#define T_Broadcastclient 271
-#define T_Broadcastdelay 272
-#define T_Burst 273
-#define T_Calibrate 274
-#define T_Ceiling 275
-#define T_Clockstats 276
-#define T_Cohort 277
-#define T_ControlKey 278
-#define T_Crypto 279
-#define T_Cryptostats 280
-#define T_Ctl 281
-#define T_Day 282
-#define T_Default 283
-#define T_Digest 284
-#define T_Disable 285
-#define T_Discard 286
-#define T_Dispersion 287
-#define T_Double 288
-#define T_Driftfile 289
-#define T_Drop 290
-#define T_Dscp 291
-#define T_Ellipsis 292
-#define T_Enable 293
-#define T_End 294
-#define T_False 295
-#define T_File 296
-#define T_Filegen 297
-#define T_Filenum 298
-#define T_Flag1 299
-#define T_Flag2 300
-#define T_Flag3 301
-#define T_Flag4 302
-#define T_Flake 303
-#define T_Floor 304
-#define T_Freq 305
-#define T_Fudge 306
-#define T_Host 307
-#define T_Huffpuff 308
-#define T_Iburst 309
-#define T_Ident 310
-#define T_Ignore 311
-#define T_Incalloc 312
-#define T_Incmem 313
-#define T_Initalloc 314
-#define T_Initmem 315
-#define T_Includefile 316
-#define T_Integer 317
-#define T_Interface 318
-#define T_Intrange 319
-#define T_Io 320
-#define T_Ipv4 321
-#define T_Ipv4_flag 322
-#define T_Ipv6 323
-#define T_Ipv6_flag 324
-#define T_Kernel 325
-#define T_Key 326
-#define T_Keys 327
-#define T_Keysdir 328
-#define T_Kod 329
-#define T_Mssntp 330
-#define T_Leapfile 331
-#define T_Leapsmearinterval 332
-#define T_Limited 333
-#define T_Link 334
-#define T_Listen 335
-#define T_Logconfig 336
-#define T_Logfile 337
-#define T_Loopstats 338
-#define T_Lowpriotrap 339
-#define T_Manycastclient 340
-#define T_Manycastserver 341
-#define T_Mask 342
-#define T_Maxage 343
-#define T_Maxclock 344
-#define T_Maxdepth 345
-#define T_Maxdist 346
-#define T_Maxmem 347
-#define T_Maxpoll 348
-#define T_Mdnstries 349
-#define T_Mem 350
-#define T_Memlock 351
-#define T_Minclock 352
-#define T_Mindepth 353
-#define T_Mindist 354
-#define T_Minimum 355
-#define T_Minpoll 356
-#define T_Minsane 357
-#define T_Mode 358
-#define T_Mode7 359
-#define T_Monitor 360
-#define T_Month 361
-#define T_Mru 362
-#define T_Multicastclient 363
-#define T_Nic 364
-#define T_Nolink 365
-#define T_Nomodify 366
-#define T_Nomrulist 367
-#define T_None 368
-#define T_Nonvolatile 369
-#define T_Nopeer 370
-#define T_Noquery 371
-#define T_Noselect 372
-#define T_Noserve 373
-#define T_Notrap 374
-#define T_Notrust 375
-#define T_Ntp 376
-#define T_Ntpport 377
-#define T_NtpSignDsocket 378
-#define T_Orphan 379
-#define T_Orphanwait 380
-#define T_PCEdigest 381
-#define T_Panic 382
-#define T_Peer 383
-#define T_Peerstats 384
-#define T_Phone 385
-#define T_Pid 386
-#define T_Pidfile 387
-#define T_Pool 388
-#define T_Port 389
-#define T_Preempt 390
-#define T_Prefer 391
-#define T_Protostats 392
-#define T_Pw 393
-#define T_Randfile 394
-#define T_Rawstats 395
-#define T_Refid 396
-#define T_Requestkey 397
-#define T_Reset 398
-#define T_Restrict 399
-#define T_Revoke 400
-#define T_Rlimit 401
-#define T_Saveconfigdir 402
-#define T_Server 403
-#define T_Setvar 404
-#define T_Source 405
-#define T_Stacksize 406
-#define T_Statistics 407
-#define T_Stats 408
-#define T_Statsdir 409
-#define T_Step 410
-#define T_Stepback 411
-#define T_Stepfwd 412
-#define T_Stepout 413
-#define T_Stratum 414
-#define T_String 415
-#define T_Sys 416
-#define T_Sysstats 417
-#define T_Tick 418
-#define T_Time1 419
-#define T_Time2 420
-#define T_Timer 421
-#define T_Timingstats 422
-#define T_Tinker 423
-#define T_Tos 424
-#define T_Trap 425
-#define T_True 426
-#define T_Trustedkey 427
-#define T_Ttl 428
-#define T_Type 429
-#define T_U_int 430
-#define T_UEcrypto 431
-#define T_UEcryptonak 432
-#define T_UEdigest 433
-#define T_Unconfig 434
-#define T_Unpeer 435
-#define T_Version 436
-#define T_WanderThreshold 437
-#define T_Week 438
-#define T_Wildcard 439
-#define T_Xleave 440
-#define T_Year 441
-#define T_Flag 442
-#define T_EOC 443
-#define T_Simulate 444
-#define T_Beep_Delay 445
-#define T_Sim_Duration 446
-#define T_Server_Offset 447
-#define T_Duration 448
-#define T_Freq_Offset 449
-#define T_Wander 450
-#define T_Jitter 451
-#define T_Prop_Delay 452
-#define T_Proc_Delay 453
+#define T_Basedate 267
+#define T_Bclient 268
+#define T_Bcpollbstep 269
+#define T_Beacon 270
+#define T_Broadcast 271
+#define T_Broadcastclient 272
+#define T_Broadcastdelay 273
+#define T_Burst 274
+#define T_Calibrate 275
+#define T_Ceiling 276
+#define T_Clockstats 277
+#define T_Cohort 278
+#define T_ControlKey 279
+#define T_Crypto 280
+#define T_Cryptostats 281
+#define T_Ctl 282
+#define T_Day 283
+#define T_Default 284
+#define T_Digest 285
+#define T_Disable 286
+#define T_Discard 287
+#define T_Dispersion 288
+#define T_Double 289
+#define T_Driftfile 290
+#define T_Drop 291
+#define T_Dscp 292
+#define T_Ellipsis 293
+#define T_Enable 294
+#define T_End 295
+#define T_Epeer 296
+#define T_False 297
+#define T_File 298
+#define T_Filegen 299
+#define T_Filenum 300
+#define T_Flag1 301
+#define T_Flag2 302
+#define T_Flag3 303
+#define T_Flag4 304
+#define T_Flake 305
+#define T_Floor 306
+#define T_Freq 307
+#define T_Fudge 308
+#define T_Host 309
+#define T_Huffpuff 310
+#define T_Iburst 311
+#define T_Ident 312
+#define T_Ignore 313
+#define T_Incalloc 314
+#define T_Incmem 315
+#define T_Initalloc 316
+#define T_Initmem 317
+#define T_Includefile 318
+#define T_Integer 319
+#define T_Interface 320
+#define T_Intrange 321
+#define T_Io 322
+#define T_Ippeerlimit 323
+#define T_Ipv4 324
+#define T_Ipv4_flag 325
+#define T_Ipv6 326
+#define T_Ipv6_flag 327
+#define T_Kernel 328
+#define T_Key 329
+#define T_Keys 330
+#define T_Keysdir 331
+#define T_Kod 332
+#define T_Mssntp 333
+#define T_Leapfile 334
+#define T_Leapsmearinterval 335
+#define T_Limited 336
+#define T_Link 337
+#define T_Listen 338
+#define T_Logconfig 339
+#define T_Logfile 340
+#define T_Loopstats 341
+#define T_Lowpriotrap 342
+#define T_Manycastclient 343
+#define T_Manycastserver 344
+#define T_Mask 345
+#define T_Maxage 346
+#define T_Maxclock 347
+#define T_Maxdepth 348
+#define T_Maxdist 349
+#define T_Maxmem 350
+#define T_Maxpoll 351
+#define T_Mdnstries 352
+#define T_Mem 353
+#define T_Memlock 354
+#define T_Minclock 355
+#define T_Mindepth 356
+#define T_Mindist 357
+#define T_Minimum 358
+#define T_Minpoll 359
+#define T_Minsane 360
+#define T_Mode 361
+#define T_Mode7 362
+#define T_Monitor 363
+#define T_Month 364
+#define T_Mru 365
+#define T_Multicastclient 366
+#define T_Nic 367
+#define T_Nolink 368
+#define T_Nomodify 369
+#define T_Nomrulist 370
+#define T_None 371
+#define T_Nonvolatile 372
+#define T_Noepeer 373
+#define T_Nopeer 374
+#define T_Noquery 375
+#define T_Noselect 376
+#define T_Noserve 377
+#define T_Notrap 378
+#define T_Notrust 379
+#define T_Ntp 380
+#define T_Ntpport 381
+#define T_NtpSignDsocket 382
+#define T_Orphan 383
+#define T_Orphanwait 384
+#define T_PCEdigest 385
+#define T_Panic 386
+#define T_Peer 387
+#define T_Peerstats 388
+#define T_Phone 389
+#define T_Pid 390
+#define T_Pidfile 391
+#define T_Pool 392
+#define T_Port 393
+#define T_Preempt 394
+#define T_Prefer 395
+#define T_Protostats 396
+#define T_Pw 397
+#define T_Randfile 398
+#define T_Rawstats 399
+#define T_Refid 400
+#define T_Requestkey 401
+#define T_Reset 402
+#define T_Restrict 403
+#define T_Revoke 404
+#define T_Rlimit 405
+#define T_Saveconfigdir 406
+#define T_Server 407
+#define T_Setvar 408
+#define T_Source 409
+#define T_Stacksize 410
+#define T_Statistics 411
+#define T_Stats 412
+#define T_Statsdir 413
+#define T_Step 414
+#define T_Stepback 415
+#define T_Stepfwd 416
+#define T_Stepout 417
+#define T_Stratum 418
+#define T_String 419
+#define T_Sys 420
+#define T_Sysstats 421
+#define T_Tick 422
+#define T_Time1 423
+#define T_Time2 424
+#define T_Timer 425
+#define T_Timingstats 426
+#define T_Tinker 427
+#define T_Tos 428
+#define T_Trap 429
+#define T_True 430
+#define T_Trustedkey 431
+#define T_Ttl 432
+#define T_Type 433
+#define T_U_int 434
+#define T_UEcrypto 435
+#define T_UEcryptonak 436
+#define T_UEdigest 437
+#define T_Unconfig 438
+#define T_Unpeer 439
+#define T_Version 440
+#define T_WanderThreshold 441
+#define T_Week 442
+#define T_Wildcard 443
+#define T_Xleave 444
+#define T_Year 445
+#define T_Flag 446
+#define T_EOC 447
+#define T_Simulate 448
+#define T_Beep_Delay 449
+#define T_Sim_Duration 450
+#define T_Server_Offset 451
+#define T_Duration 452
+#define T_Freq_Offset 453
+#define T_Wander 454
+#define T_Jitter 455
+#define T_Prop_Delay 456
+#define T_Proc_Delay 457
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -446,7 +454,7 @@
union YYSTYPE
{
-#line 51 "ntp_parser.y" /* yacc.c:1909 */
+#line 51 "../../ntpd/ntp_parser.y" /* yacc.c:1909 */
char * String;
double Double;
@@ -465,7 +473,7 @@
script_info * Sim_script;
script_info_fifo * Sim_script_fifo;
-#line 469 "ntp_parser.h" /* yacc.c:1909 */
+#line 477 "ntp_parser.h" /* yacc.c:1909 */
};
typedef union YYSTYPE YYSTYPE;
@@ -478,4 +486,4 @@
int yyparse (void);
-#endif /* !YY_YY_Y_TAB_H_INCLUDED */
+#endif /* !YY_YY_NTP_PARSER_H_INCLUDED */
Index: contrib/ntp/ntpd/ntp_request.c
===================================================================
--- contrib/ntp/ntpd/ntp_request.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_request.c (版本 330908)
@@ -87,7 +87,7 @@
static void do_resaddflags (sockaddr_u *, endpt *, struct req_pkt *);
static void do_ressubflags (sockaddr_u *, endpt *, struct req_pkt *);
static void do_unrestrict (sockaddr_u *, endpt *, struct req_pkt *);
-static void do_restrict (sockaddr_u *, endpt *, struct req_pkt *, int);
+static void do_restrict (sockaddr_u *, endpt *, struct req_pkt *, restrict_op);
static void mon_getlist (sockaddr_u *, endpt *, struct req_pkt *);
static void reset_stats (sockaddr_u *, endpt *, struct req_pkt *);
static void reset_peer (sockaddr_u *, endpt *, struct req_pkt *);
@@ -582,6 +582,7 @@
* him. If the wrong key was used, or packet doesn't
* have mac, return.
*/
+ /* XXX: Use authistrustedip(), or equivalent. */
if (!INFO_IS_AUTH(inpkt->auth_seq) || !info_auth_keyid
|| ntohl(tailinpkt->keyid) != info_auth_keyid) {
DPRINTF(5, ("failed auth %d info_auth_keyid %u pkt keyid %u maclen %lu\n",
@@ -837,7 +838,7 @@
#endif
datap += item_sz;
- pp = findexistingpeer(&addr, NULL, NULL, -1, 0);
+ pp = findexistingpeer(&addr, NULL, NULL, -1, 0, NULL);
if (NULL == pp)
continue;
if (IS_IPV6(srcadr)) {
@@ -981,7 +982,7 @@
datap += item_sz;
- pp = findexistingpeer(&addr, NULL, NULL, -1, 0);
+ pp = findexistingpeer(&addr, NULL, NULL, -1, 0, NULL);
if (NULL == pp)
continue;
@@ -1150,6 +1151,8 @@
ss->badauth = htonl((u_int32)sys_badauth);
ss->limitrejected = htonl((u_int32)sys_limitrejected);
ss->received = htonl((u_int32)sys_received);
+ ss->lamport = htonl((u_int32)sys_lamport);
+ ss->tsrounding = htonl((u_int32)sys_tsrounding);
(void) more_pkt();
flush_pkt();
}
@@ -1366,10 +1369,13 @@
*
* - minpoll/maxpoll, but they are treated properly
* for all cases internally. Checking not necessary.
+ *
+ * Note that we ignore any previously-specified ippeerlimit.
+ * If we're told to create the peer, we create the peer.
*/
/* finally create the peer */
- if (peer_config(&peeraddr, NULL, NULL,
+ if (peer_config(&peeraddr, NULL, NULL, -1,
temp_cp.hmode, temp_cp.version, temp_cp.minpoll,
temp_cp.maxpoll, fl, temp_cp.ttl, temp_cp.keyid,
NULL) == 0)
@@ -1449,7 +1455,7 @@
p = NULL;
do {
p = findexistingpeer(
- &peeraddr, NULL, p, -1, 0);
+ &peeraddr, NULL, p, -1, 0, NULL);
} while (p && !(FLAG_CONFIG & p->flags));
if (!loops && !p) {
@@ -1653,7 +1659,7 @@
pir->v6_flag = 0;
pir->mask = htonl(res->u.v4.mask);
pir->count = htonl(res->count);
- pir->flags = htons(res->flags);
+ pir->rflags = htons(res->rflags);
pir->mflags = htons(res->mflags);
pir = (struct info_restrict *)more_pkt();
}
@@ -1684,7 +1690,7 @@
pir->mask6 = res->u.v6.mask;
pir->v6_flag = 1;
pir->count = htonl(res->count);
- pir->flags = htons(res->flags);
+ pir->rflags = htons(res->rflags);
pir->mflags = htons(res->mflags);
pir = (struct info_restrict *)more_pkt();
}
@@ -1773,7 +1779,7 @@
sockaddr_u *srcadr,
endpt *inter,
struct req_pkt *inpkt,
- int op
+ restrict_op op
)
{
char * datap;
@@ -1784,6 +1790,18 @@
sockaddr_u matchmask;
int bad;
+ switch(op) {
+ case RESTRICT_FLAGS:
+ case RESTRICT_UNFLAG:
+ case RESTRICT_REMOVE:
+ case RESTRICT_REMOVEIF:
+ break;
+
+ default:
+ req_ack(srcadr, inter, inpkt, INFO_ERR_FMT);
+ return;
+ }
+
/*
* Do a check of the flags to make sure that only
* the NTPPORT flag is set, if any. If not, complain
@@ -1797,7 +1815,7 @@
return;
}
- bad = FALSE;
+ bad = 0;
while (items-- > 0 && !bad) {
memcpy(&cr, datap, item_sz);
cr.flags = ntohs(cr.flags);
@@ -1837,6 +1855,7 @@
memcpy(&cr, datap, item_sz);
cr.flags = ntohs(cr.flags);
cr.mflags = ntohs(cr.mflags);
+ cr.ippeerlimit = ntohs(cr.ippeerlimit);
if (client_v6_capable && cr.v6_flag) {
AF(&matchaddr) = AF_INET6;
AF(&matchmask) = AF_INET6;
@@ -1849,7 +1868,7 @@
NSRCADR(&matchmask) = cr.mask;
}
hack_restrict(op, &matchaddr, &matchmask, cr.mflags,
- cr.flags, 0);
+ cr.ippeerlimit, cr.flags, 0);
datap += item_sz;
}
@@ -1975,7 +1994,7 @@
#ifdef ISC_PLATFORM_HAVESALEN
peeraddr.sa.sa_len = SOCKLEN(&peeraddr);
#endif
- p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0);
+ p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL);
if (NULL == p)
bad++;
datap += item_sz;
@@ -2008,10 +2027,10 @@
#ifdef ISC_PLATFORM_HAVESALEN
peeraddr.sa.sa_len = SOCKLEN(&peeraddr);
#endif
- p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0);
+ p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL);
while (p != NULL) {
peer_reset(p);
- p = findexistingpeer(&peeraddr, NULL, p, -1, 0);
+ p = findexistingpeer(&peeraddr, NULL, p, -1, 0, NULL);
}
datap += item_sz;
}
@@ -2492,7 +2511,7 @@
while (items-- > 0 && ic) {
NSRCADR(&addr) = *clkaddr++;
if (!ISREFCLOCKADR(&addr) || NULL ==
- findexistingpeer(&addr, NULL, NULL, -1, 0)) {
+ findexistingpeer(&addr, NULL, NULL, -1, 0, NULL)) {
req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
return;
}
@@ -2556,7 +2575,7 @@
#endif
SET_PORT(&addr, NTP_PORT);
if (!ISREFCLOCKADR(&addr) || NULL ==
- findexistingpeer(&addr, NULL, NULL, -1, 0)) {
+ findexistingpeer(&addr, NULL, NULL, -1, 0, NULL)) {
req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
return;
}
@@ -2631,7 +2650,7 @@
while (items-- > 0 && ic) {
NSRCADR(&addr) = *clkaddr++;
if (!ISREFCLOCKADR(&addr) || NULL ==
- findexistingpeer(&addr, NULL, NULL, -1, 0)) {
+ findexistingpeer(&addr, NULL, NULL, -1, 0, NULL)) {
req_ack(srcadr, inter, inpkt, INFO_ERR_NODATA);
return;
}
Index: contrib/ntp/ntpd/ntpd-opts.c
===================================================================
--- contrib/ntp/ntpd/ntpd-opts.c (版本 330566)
+++ contrib/ntp/ntpd/ntpd-opts.c (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpd-opts.c)
*
- * It has been AutoGen-ed March 21, 2017 at 10:42:12 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:13:19 PM by AutoGen 5.18.5
* From the definitions ntpd-opts.def
* and the template file options
*
@@ -75,7 +75,7 @@
* static const strings for ntpd options
*/
static char const ntpd_opt_strs[3132] =
-/* 0 */ "ntpd 4.2.8p10\n"
+/* 0 */ "ntpd 4.2.8p11\n"
"Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
"redistribution under the terms of the NTP License, copies of which\n"
@@ -205,12 +205,12 @@
/* 2901 */ "output version information and exit\0"
/* 2937 */ "version\0"
/* 2945 */ "NTPD\0"
-/* 2950 */ "ntpd - NTP daemon program - Ver. 4.2.8p10\n"
+/* 2950 */ "ntpd - NTP daemon program - Ver. 4.2.8p11\n"
"Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n"
"\t\t[ <server1> ... <serverN> ]\n\0"
/* 3082 */ "http://bugs.ntp.org, bugs@ntp.org\0"
/* 3116 */ "\n\0"
-/* 3118 */ "ntpd 4.2.8p10";
+/* 3118 */ "ntpd 4.2.8p11";
/**
* ipv4 option description with
@@ -1529,7 +1529,7 @@
translate option names.
*/
/* referenced via ntpdOptions.pzCopyright */
- puts(_("ntpd 4.2.8p10\n\
+ puts(_("ntpd 4.2.8p11\n\
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\
This is free software. It is licensed for use, modification and\n\
redistribution under the terms of the NTP License, copies of which\n\
@@ -1670,7 +1670,7 @@
puts(_("output version information and exit"));
/* referenced via ntpdOptions.pzUsageTitle */
- puts(_("ntpd - NTP daemon program - Ver. 4.2.8p10\n\
+ puts(_("ntpd - NTP daemon program - Ver. 4.2.8p11\n\
Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\
\t\t[ <server1> ... <serverN> ]\n"));
@@ -1678,7 +1678,7 @@
puts(_("\n"));
/* referenced via ntpdOptions.pzFullVersion */
- puts(_("ntpd 4.2.8p10"));
+ puts(_("ntpd 4.2.8p11"));
/* referenced via ntpdOptions.pzFullUsage */
puts(_("<<<NOT-FOUND>>>"));
Index: contrib/ntp/ntpd/ntpd.c
===================================================================
--- contrib/ntp/ntpd/ntpd.c (版本 330566)
+++ contrib/ntp/ntpd/ntpd.c (版本 330908)
@@ -313,11 +313,16 @@
#if defined(HAVE_PTHREAD_ATTR_GETSTACKSIZE) && \
defined(HAVE_PTHREAD_ATTR_SETSTACKSIZE) && \
defined(PTHREAD_STACK_MIN)
- rc = pthread_attr_setstacksize(&thr_attr, PTHREAD_STACK_MIN);
- if (0 != rc)
- msyslog(LOG_ERR,
- "my_pthread_warmup: pthread_attr_setstacksize() -> %s",
- strerror(rc));
+ {
+ size_t ssmin = 32*1024; /* 32kB should be minimum */
+ if (ssmin < PTHREAD_STACK_MIN)
+ ssmin = PTHREAD_STACK_MIN;
+ rc = pthread_attr_setstacksize(&thr_attr, ssmin);
+ if (0 != rc)
+ msyslog(LOG_ERR,
+ "my_pthread_warmup: pthread_attr_setstacksize() -> %s",
+ strerror(rc));
+ }
#endif
rc = pthread_create(
&thread, &thr_attr, my_pthread_warmup_worker, NULL);
Index: contrib/ntp/ntpd/ntpsim.c
===================================================================
--- contrib/ntp/ntpd/ntpsim.c (版本 330566)
+++ contrib/ntp/ntpd/ntpsim.c (版本 330908)
@@ -79,6 +79,7 @@
NULL,
loopback_interface,
MODE_CLIENT,
+ -1,
NTP_VERSION,
NTP_MINDPOLL,
NTP_MAXDPOLL,
Index: contrib/ntp/ntpd/ntp.keys.5man
===================================================================
--- contrib/ntp/ntpd/ntp.keys.5man (版本 330566)
+++ contrib/ntp/ntpd/ntp.keys.5man (版本 330908)
@@ -1,8 +1,8 @@
-.TH ntp.keys 5man "21 Mar 2017" "4.2.8p10" "File Formats"
+.TH ntp.keys 5man "27 Feb 2018" "4.2.8p11" "File Formats"
.\"
.\" EDIT THIS FILE WITH CAUTION (ntp.man)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:10 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:26 PM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agman-file.tpl
.Sh NAME
@@ -76,16 +76,24 @@
is a positive integer (between 1 and 65534),
\f\*[I-Font]type\f[]
is the message digest algorithm,
-and
\f\*[I-Font]key\f[]
is the key itself, and
\f\*[I-Font]opt_IP_list\f[]
is an optional comma-separated list of IPs
+where the
+\f\*[I-Font]keyno\f[]
+should be trusted.
that are allowed to serve time.
+Each IP in
+\f\*[I-Font]opt_IP_list\f[]
+may contain an optional
+\f\*[B-Font]/subnetbits\f[]
+specification which identifies the number of bits for
+the desired subnet of trust.
If
\f\*[I-Font]opt_IP_list\f[]
is empty,
-any properly-authenticated server message will be
+any properly-authenticated message will be
accepted.
.sp \n(Ppu
.ne 2
Index: contrib/ntp/ntpd/ntp.keys.man.in
===================================================================
--- contrib/ntp/ntpd/ntp.keys.man.in (版本 330566)
+++ contrib/ntp/ntpd/ntp.keys.man.in (版本 330908)
@@ -1,8 +1,8 @@
-.TH ntp.keys 5 "21 Mar 2017" "4.2.8p10" "File Formats"
+.TH ntp.keys 5 "27 Feb 2018" "4.2.8p11" "File Formats"
.\"
.\" EDIT THIS FILE WITH CAUTION (ntp.man)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:10 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:26 PM by AutoGen 5.18.5
.\" From the definitions ntp.keys.def
.\" and the template file agman-file.tpl
.Sh NAME
@@ -76,16 +76,24 @@
is a positive integer (between 1 and 65534),
\f\*[I-Font]type\f[]
is the message digest algorithm,
-and
\f\*[I-Font]key\f[]
is the key itself, and
\f\*[I-Font]opt_IP_list\f[]
is an optional comma-separated list of IPs
+where the
+\f\*[I-Font]keyno\f[]
+should be trusted.
that are allowed to serve time.
+Each IP in
+\f\*[I-Font]opt_IP_list\f[]
+may contain an optional
+\f\*[B-Font]/subnetbits\f[]
+specification which identifies the number of bits for
+the desired subnet of trust.
If
\f\*[I-Font]opt_IP_list\f[]
is empty,
-any properly-authenticated server message will be
+any properly-authenticated message will be
accepted.
.sp \n(Ppu
.ne 2
Index: contrib/ntp/ntpd/ntp_crypto.c
===================================================================
--- contrib/ntp/ntpd/ntp_crypto.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_crypto.c (版本 330908)
@@ -268,7 +268,13 @@
break;
}
ctx = EVP_MD_CTX_new();
+# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ /* [Bug 3457] set flags and don't kill them again */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx, EVP_get_digestbynid(crypto_nid), NULL);
+# else
EVP_DigestInit(ctx, EVP_get_digestbynid(crypto_nid));
+# endif
EVP_DigestUpdate(ctx, (u_char *)header, hdlen);
EVP_DigestFinal(ctx, dgst, &len);
EVP_MD_CTX_free(ctx);
@@ -2087,7 +2093,13 @@
ptr = emalloc(len);
BN_bn2bin(bn, ptr);
ctx = EVP_MD_CTX_new();
+# if defined(OPENSSL) && defined(EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
+ /* [Bug 3457] set flags and don't kill them again */
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_DigestInit_ex(ctx, EVP_md5(), NULL);
+# else
EVP_DigestInit(ctx, EVP_md5());
+# endif
EVP_DigestUpdate(ctx, ptr, len);
EVP_DigestFinal(ctx, dgst, &len);
EVP_MD_CTX_free(ctx);
Index: contrib/ntp/libparse/Makefile.in
===================================================================
--- contrib/ntp/libparse/Makefile.in (版本 330566)
+++ contrib/ntp/libparse/Makefile.in (版本 330908)
@@ -102,6 +102,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -1007,7 +1008,6 @@
@: do-nothing action to avoid default SCCS get
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/ntpd/invoke-ntp.keys.texi
===================================================================
--- contrib/ntp/ntpd/invoke-ntp.keys.texi (版本 330566)
+++ contrib/ntp/ntpd/invoke-ntp.keys.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp.keys.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:31:04 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:14:37 PM by AutoGen 5.18.5
# From the definitions ntp.keys.def
# and the template file agtexi-file.tpl
@end ignore
@@ -45,16 +45,24 @@
is a positive integer (between 1 and 65534),
@kbd{type}
is the message digest algorithm,
-and
@kbd{key}
is the key itself, and
@kbd{opt_IP_list}
is an optional comma-separated list of IPs
+where the
+@kbd{keyno}
+should be trusted.
that are allowed to serve time.
+Each IP in
+@kbd{opt_IP_list}
+may contain an optional
+@code{/subnetbits}
+specification which identifies the number of bits for
+the desired subnet of trust.
If
@kbd{opt_IP_list}
is empty,
-any properly-authenticated server message will be
+any properly-authenticated message will be
accepted.
The
Index: contrib/ntp/ntpd/ntp.conf.5man
===================================================================
--- contrib/ntp/ntpd/ntp.conf.5man (版本 330566)
+++ contrib/ntp/ntpd/ntp.conf.5man (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntp.conf 5man "21 Mar 2017" "4.2.8p10-beta" "File Formats"
+.TH ntp.conf 5man "27 Feb 2018" "4.2.8p11" "File Formats"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-UAaqtC/ag-6AaisC)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LkaqTP/ag-XkaiSP)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:30:48 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:22 PM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -1665,7 +1665,7 @@
subcommand specifies the probability of discard
for packets that overflow the rate-control window.
.TP 7
-.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]]
+.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[B-Font]ippeerlimit\f[] \f\*[I-Font]int\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]]
The
\f\*[I-Font]address\f[]
argument expressed in
@@ -1689,6 +1689,15 @@
\f\*[B-Font]default\f[],
with no mask option, may
be used to indicate the default entry.
+The
+\f\*[B-Font]ippeerlimit\f[]
+directive limits the number of peer requests for each IP to
+\f\*[I-Font]int\f[],
+where a value of \-1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
\f\*[B-Font]flag\f[]
always
@@ -1744,6 +1753,19 @@
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
.TP 7
+.NOP \f\*[B-Font]noepeer\f[]
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+\fIntp.keys\f[]
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+\f\*[B-Font]noepeer\f[]
+to become the default in ntp-4.4.
+.TP 7
.NOP \f\*[B-Font]nomodify\f[]
Deny
\fCntpq\f[]\fR(1ntpqmdoc)\f[]
@@ -1763,10 +1785,10 @@
Time service is not affected.
.TP 7
.NOP \f\*[B-Font]nopeer\f[]
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
\f\*[B-Font]pool\f[]
associations, so if you want to use servers from a
@@ -1774,9 +1796,9 @@
directive and also want to use
\f\*[B-Font]nopeer\f[]
by default, you'll want a
-\f\*[B-Font]restrict source ...\f[] \f\*[B-Font]line\f[] \f\*[B-Font]as\f[] \f\*[B-Font]well\f[] \f\*[B-Font]that\f[] \f\*[B-Font]does\f[]
-.TP 7
-.NOP not
+\f\*[B-Font]restrict source ...\f[]
+line as well that does
+\fInot\f[]
include the
\f\*[B-Font]nopeer\f[]
directive.
@@ -2186,11 +2208,11 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+.PP
.SS Manycast Options
-.RS
.TP 7
.NOP \f\*[B-Font]tos\f[] [\f\*[B-Font]ceiling\f[] \f\*[I-Font]ceiling\f[] | \f\*[B-Font]cohort\f[] { \f\*[B-Font]0\f[] | \f\*[B-Font]1\f[] } | \f\*[B-Font]floor\f[] \f\*[I-Font]floor\f[] | \f\*[B-Font]minclock\f[] \f\*[I-Font]minclock\f[] | \f\*[B-Font]minsane\f[] \f\*[I-Font]minsane\f[]]
This command affects the clock selection and clustering
@@ -2260,7 +2282,7 @@
in an expanding-ring search.
The default is eight
multiples of 32 starting at 31.
-.RE
+.PP
.SH Reference Clock Support
The NTP Version 4 daemon supports some three dozen different radio,
satellite and modem reference clocks plus a special pseudo-clock
@@ -2427,7 +2449,6 @@
Except where noted,
these options apply to all clock drivers.
.SS Reference Clock Commands
-.RS
.TP 7
.NOP \f\*[B-Font]server\f[] \f[C]127.127.\f[]\f\*[I-Font]t\f[].\f\*[I-Font]u\f[] [\f\*[B-Font]prefer\f[]] [\f\*[B-Font]mode\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]minpoll\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]maxpoll\f[] \f\*[I-Font]int\f[]]
This command can be used to configure reference clocks in
@@ -2528,7 +2549,7 @@
page
(available as part of the HTML documentation
provided in
-\fI/usr/share/doc/ntp\f[]).
+\fI/usr/share/doc/ntp\f[] \fI).\f[]
.TP 7
.NOP \f\*[B-Font]stratum\f[] \f\*[I-Font]int\f[]
Specifies the stratum number assigned to the driver, an integer
@@ -2576,9 +2597,8 @@
command can be found in
\fIMonitoring\f[] \fIOptions\f[].
.RE
-.RE
+.PP
.SH Miscellaneous Options
-.RS
.TP 7
.NOP \f\*[B-Font]broadcastdelay\f[] \f\*[I-Font]seconds\f[]
The broadcast and multicast modes require a special calibration
@@ -2817,6 +2837,71 @@
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
.TP 7
+.NOP \f\*[B-Font]interface\f[] [\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] [\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]]]
+The
+\f\*[B-Font]interface\f[]
+directive controls which network addresses
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+\f\*[I-Font]prefixlen\f[]
+determines how many bits must match for this rule to apply.
+\f\*[B-Font]ignore\f[]
+prevents opening matching addresses,
+\f\*[B-Font]drop\f[]
+causes
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+to open the address and drop all received packets without examination.
+Multiple
+\f\*[B-Font]interface\f[]
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+\f\*[B-Font]interface\f[]
+directives are disabled if any
+\f\*[B-Font]\-I\f[],
+\f\*[B-Font]\-\-interface\f[],
+\f\*[B-Font]\-L\f[],
+or
+\f\*[B-Font]\-\-novirtualips\f[]
+command-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+\f\*[B-Font]nic\f[]
+directive is an alias for
+\f\*[B-Font]interface\f[].
+.TP 7
+.NOP \f\*[B-Font]leapfile\f[] \f\*[I-Font]leapfile\f[]
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+\f[C]https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[]
+or
+\f[C]ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[].
+The
+\f\*[B-Font]leapfile\f[]
+is scanned when
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+processes the
+\f\*[B-Font]leapfile\f[] \f\*[B-Font]directive\f[] \f\*[B-Font]or\f[] \f\*[B-Font]when\f[]
+\f\*[B-Font]ntpd\f[] \f\*[B-Font]detects\f[] \f\*[B-Font]that\f[] \f\*[B-Font]the\f[]
+\f\*[I-Font]leapfile\f[]
+has changed.
+\f\*[B-Font]ntpd\f[]
+checks once a day to see if the
+\f\*[I-Font]leapfile\f[]
+has changed.
+The
+\fCupdate-leap\f[]\fR(1update_leapmdoc)\f[]
+script can be run to see if the
+\f\*[I-Font]leapfile\f[]
+should be updated.
+.TP 7
.NOP \f\*[B-Font]leapsmearinterval\f[] \f\*[I-Font]seconds\f[]
This EXPERIMENTAL option is only available if
\fCntpd\f[]\fR(1ntpdmdoc)\f[]
@@ -2922,6 +3007,164 @@
\f\*[B-Font]\-l\f[]
command line option.
.TP 7
+.NOP \f\*[B-Font]mru\f[] [\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]]
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+.RS
+.TP 7
+.NOP \f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[]
+.TP 7
+.NOP \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[]
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+\f\*[B-Font]incalloc\f[]
+entries or
+\f\*[B-Font]incmem\f[]
+kilobytes larger.
+As with all of the
+\f\*[B-Font]mru\f[]
+options offered in units of entries or kilobytes, if both
+\f\*[B-Font]maxdepth\f[]
+and
+\f\*[B-Font]maxmem\f[] \f\*[B-Font]are\f[] \f\*[B-Font]used,\f[] \f\*[B-Font]the\f[] \f\*[B-Font]last\f[] \f\*[B-Font]one\f[] \f\*[B-Font]used\f[] \f\*[B-Font]controls.\f[]
+The default is 1024 kilobytes.
+.TP 7
+.NOP \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[]
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+\f\*[B-Font]mindepth\f[]
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+.TP 7
+.NOP \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[]
+Once the MRU list has
+\f\*[B-Font]mindepth\f[]
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+\f\*[B-Font]maxage\f[]
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+\f\*[B-Font]maxdepth\f[] \f\*[B-Font]/\f[] \f\*[B-Font]moxmem\f[].
+The default is 64 seconds.
+.TP 7
+.NOP \f\*[B-Font]initalloc\f[] \f\*[I-Font]count\f[]
+.TP 7
+.NOP \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[]
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+.TP 7
+.NOP \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[]
+.TP 7
+.NOP \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+.RE
+.TP 7
+.NOP \f\*[B-Font]nonvolatile\f[] \f\*[I-Font]threshold\f[]
+Specify the
+\f\*[I-Font]threshold\f[]
+delta in seconds before an hourly change to the
+\f\*[B-Font]driftfile\f[]
+(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+\f\*[B-Font]threshold\f[]
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+.TP 7
+.NOP \f\*[B-Font]phone\f[] \f\*[I-Font]dial\f[] \f\*[I-Font]...\f[]
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 \- 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 \- 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+.TP 7
+.NOP \f\*[B-Font]reset\f[] [\f\*[B-Font]allpeers\f[]] [\f\*[B-Font]auth\f[]] [\f\*[B-Font]ctl\f[]] [\f\*[B-Font]io\f[]] [\f\*[B-Font]mem\f[]] [\f\*[B-Font]sys\f[]] [\f\*[B-Font]timer\f[]]
+Reset one or more groups of counters maintained by
+\f\*[B-Font]ntpd\f[]
+and exposed by
+\f\*[B-Font]ntpq\f[]
+and
+\f\*[B-Font]ntpdc\f[].
+.TP 7
+.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]]
+.RS
+.TP 7
+.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[]
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+\f\*[B-Font]\-i\f[]
+option).
+The default is 32 megabytes on non-Linux machines, and \-1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+.TP 7
+.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[]
+Specifies the maximum size of the process stack on systems with the
+\fBmlockall\f[]\fR()\f[]
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+.TP 7
+.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+.RE
+.TP 7
+.NOP \f\*[B-Font]saveconfigdir\f[] \f\*[I-Font]directory_path\f[]
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+\f\*[B-Font]saveconfig\f[]
+command.
+If
+\f\*[B-Font]saveconfigdir\f[]
+does not appear in the configuration file,
+\f\*[B-Font]saveconfig\f[]
+requests are rejected by
+\f\*[B-Font]ntpd\f[].
+.TP 7
+.NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[]
+Write the current configuration, including any runtime
+modifications given with
+\f\*[B-Font]:config\f[]
+or
+\f\*[B-Font]config-from-file\f[]
+to the
+\f\*[B-Font]ntpd\f[]
+host's
+\f\*[I-Font]filename\f[]
+in the
+\f\*[B-Font]saveconfigdir\f[].
+This command will be rejected unless the
+\f\*[B-Font]saveconfigdir\f[]
+directive appears in
+.Cm ntpd 's
+configuration file.
+\f\*[I-Font]filename\f[]
+can use
+\fCstrftime\f[]\fR(3)\f[]
+format directives to substitute the current date and time,
+for example,
+\f\*[B-Font]saveconfig\ ntp-%Y%m%d-%H%M%S.conf\f[].
+The filename used is stored in the system variable
+\f\*[B-Font]savedconfig\f[].
+Authentication is required.
+.TP 7
.NOP \f\*[B-Font]setvar\f[] \f\*[I-Font]variable\f[] [\f\*[B-Font]default\f[]]
This command adds an additional system variable.
These
@@ -2955,6 +3198,12 @@
\fIclock_var_list\f[]
holds the names of the reference clock variables.
.TP 7
+.NOP \f\*[B-Font]sysinfo\f[]
+Display operational summary.
+.TP 7
+.NOP \f\*[B-Font]sysstats\f[]
+Show statistics counters maintained in the protocol module.
+.TP 7
.NOP \f\*[B-Font]tinker\f[] [\f\*[B-Font]allan\f[] \f\*[I-Font]allan\f[] | \f\*[B-Font]dispersion\f[] \f\*[I-Font]dispersion\f[] | \f\*[B-Font]freq\f[] \f\*[I-Font]freq\f[] | \f\*[B-Font]huffpuff\f[] \f\*[I-Font]huffpuff\f[] | \f\*[B-Font]panic\f[] \f\*[I-Font]panic\f[] | \f\*[B-Font]step\f[] \f\*[I-Font]step\f[] | \f\*[B-Font]stepback\f[] \f\*[I-Font]stepback\f[] | \f\*[B-Font]stepfwd\f[] \f\*[I-Font]stepfwd\f[] | \f\*[B-Font]stepout\f[] \f\*[I-Font]stepout\f[]]
This command can be used to alter several system variables in
very exceptional circumstances.
@@ -3044,31 +3293,19 @@
pulses will not be suppressed.
.RE
.TP 7
-.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]]
-.RS
+.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\ name\f[] \f\*[I-Font]=\f[] \f\*[I-Font]value\f[] \f\*[I-Font][,...]\f[]
+Write (create or update) the specified variables.
+If the
+\f\*[B-Font]assocID\f[]
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+\f\*[B-Font]assocID\f[]
+is required, as the same name can occur in both name spaces.
.TP 7
-.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[]
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-\f\*[B-Font]\-i\f[]
-option).
-The default is 32 megabytes on non-Linux machines, and \-1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-.TP 7
-.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[]
-Specifies the maximum size of the process stack on systems with the
-\fBmlockall\f[]\fR()\f[]
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-.TP 7
-.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-.RE
-.TP 7
.NOP \f\*[B-Font]trap\f[] \f\*[I-Font]host_address\f[] [\f\*[B-Font]port\f[] \f\*[I-Font]port_number\f[]] [\f\*[B-Font]interface\f[] \f\*[I-Font]interface_address\f[]]
This command configures a trap receiver at the given host
address and port number for sending messages with the specified
@@ -3080,6 +3317,14 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+.TP 7
+.NOP \f\*[B-Font]ttl\f[] \f\*[I-Font]hop\f[] \f\*[I-Font]...\f[]
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+\f\*[B-Font]manycast\f[]
+mode these values are used in-turn in an expanding-ring search.
+The default is eight multiples of 32 starting at 31.
.sp \n(Ppu
.ne 2
@@ -3097,9 +3342,8 @@
an expanding-ring search.
The default is eight multiples of 32 starting at
31.
-.RE
+.PP
.SH "OPTIONS"
-.RS
.TP
.NOP \f\*[B-Font]\-\-help\f[]
Display usage information and exit.
@@ -3111,7 +3355,7 @@
Output version of program and exit. The default mode is `v', a simple
version. The `c' mode will print copyright information and `n' will
print the full copyright notice.
-.RE
+.PP
.SH "OPTION PRESETS"
Any option that is not marked as \fInot presettable\fP may be preset
by loading values from environment variables named:
@@ -3122,7 +3366,6 @@
.SH "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.SH FILES
-.RS
.TP 15
.NOP \fI/etc/ntp.conf\f[]
the default name of the configuration file
@@ -3146,10 +3389,9 @@
.TP 15
.NOP \fIntp_dh\f[]
Diffie-Hellman agreement parameters
-.RE
+.PP
.SH "EXIT STATUS"
One of the following exit values will be returned:
-.RS
.TP
.NOP 0 " (EXIT_SUCCESS)"
Successful program execution.
@@ -3160,7 +3402,7 @@
.NOP 70 " (EX_SOFTWARE)"
libopts had an internal operational error. Please report
it to autogen-users@lists.sourceforge.net. Thank you.
-.RE
+.PP
.SH "SEE ALSO"
\fCntpd\f[]\fR(1ntpdmdoc)\f[],
\fCntpdc\f[]\fR(1ntpdcmdoc)\f[],
Index: contrib/ntp/ntpd/ntp.conf.man.in
===================================================================
--- contrib/ntp/ntpd/ntp.conf.man.in (版本 330566)
+++ contrib/ntp/ntpd/ntp.conf.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntp.conf 5 "21 Mar 2017" "4.2.8p10-beta" "File Formats"
+.TH ntp.conf 5 "27 Feb 2018" "4.2.8p11" "File Formats"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-UAaqtC/ag-6AaisC)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-LkaqTP/ag-XkaiSP)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:30:48 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:22 PM by AutoGen 5.18.5
.\" From the definitions ntp.conf.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -1665,7 +1665,7 @@
subcommand specifies the probability of discard
for packets that overflow the rate-control window.
.TP 7
-.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]]
+.NOP \f\*[B-Font]restrict\f[] \f\*[B-Font]address\f[] [\f\*[B-Font]mask\f[] \f\*[I-Font]mask\f[]] [\f\*[B-Font]ippeerlimit\f[] \f\*[I-Font]int\f[]] [\f\*[I-Font]flag\f[] \f\*[I-Font]...\f[]]
The
\f\*[I-Font]address\f[]
argument expressed in
@@ -1689,6 +1689,15 @@
\f\*[B-Font]default\f[],
with no mask option, may
be used to indicate the default entry.
+The
+\f\*[B-Font]ippeerlimit\f[]
+directive limits the number of peer requests for each IP to
+\f\*[I-Font]int\f[],
+where a value of \-1 means "unlimited", the current default.
+A value of 0 means "none".
+There would usually be at most 1 peering request per IP,
+but if the remote peering requests are behind a proxy
+there could well be more than 1 per IP.
In the current implementation,
\f\*[B-Font]flag\f[]
always
@@ -1744,6 +1753,19 @@
modifies the assignment algorithm by allowing low priority traps to
be overridden by later requests for normal priority traps.
.TP 7
+.NOP \f\*[B-Font]noepeer\f[]
+Deny ephemeral peer requests,
+even if they come from an authenticated source.
+Note that the ability to use a symmetric key for authentication may be restricted to
+one or more IPs or subnets via the third field of the
+\fIntp.keys\f[]
+file.
+This restriction is not enabled by default,
+to maintain backward compatability.
+Expect
+\f\*[B-Font]noepeer\f[]
+to become the default in ntp-4.4.
+.TP 7
.NOP \f\*[B-Font]nomodify\f[]
Deny
\fCntpq\f[]\fR(@NTPQ_MS@)\f[]
@@ -1763,10 +1785,10 @@
Time service is not affected.
.TP 7
.NOP \f\*[B-Font]nopeer\f[]
-Deny packets which would result in mobilizing a new association.
-This
-includes broadcast and symmetric active packets when a configured
-association does not exist.
+Deny unauthenticated packets which would result in mobilizing a new association.
+This includes
+broadcast and symmetric active packets
+when a configured association does not exist.
It also includes
\f\*[B-Font]pool\f[]
associations, so if you want to use servers from a
@@ -1774,9 +1796,9 @@
directive and also want to use
\f\*[B-Font]nopeer\f[]
by default, you'll want a
-\f\*[B-Font]restrict source ...\f[] \f\*[B-Font]line\f[] \f\*[B-Font]as\f[] \f\*[B-Font]well\f[] \f\*[B-Font]that\f[] \f\*[B-Font]does\f[]
-.TP 7
-.NOP not
+\f\*[B-Font]restrict source ...\f[]
+line as well that does
+\fInot\f[]
include the
\f\*[B-Font]nopeer\f[]
directive.
@@ -2186,11 +2208,11 @@
as soon as possible.
Attacks such as replay attacks can happen, however,
and even though there are a number of protections built in to
-broadcast mode, attempts to perform a replay attack are possible.
+broadcast mode, attempts to perform a replay attack are possible.
This value defaults to 0, but can be changed
to any number of poll intervals between 0 and 4.
+.PP
.SS Manycast Options
-.RS
.TP 7
.NOP \f\*[B-Font]tos\f[] [\f\*[B-Font]ceiling\f[] \f\*[I-Font]ceiling\f[] | \f\*[B-Font]cohort\f[] { \f\*[B-Font]0\f[] | \f\*[B-Font]1\f[] } | \f\*[B-Font]floor\f[] \f\*[I-Font]floor\f[] | \f\*[B-Font]minclock\f[] \f\*[I-Font]minclock\f[] | \f\*[B-Font]minsane\f[] \f\*[I-Font]minsane\f[]]
This command affects the clock selection and clustering
@@ -2260,7 +2282,7 @@
in an expanding-ring search.
The default is eight
multiples of 32 starting at 31.
-.RE
+.PP
.SH Reference Clock Support
The NTP Version 4 daemon supports some three dozen different radio,
satellite and modem reference clocks plus a special pseudo-clock
@@ -2427,7 +2449,6 @@
Except where noted,
these options apply to all clock drivers.
.SS Reference Clock Commands
-.RS
.TP 7
.NOP \f\*[B-Font]server\f[] \f[C]127.127.\f[]\f\*[I-Font]t\f[].\f\*[I-Font]u\f[] [\f\*[B-Font]prefer\f[]] [\f\*[B-Font]mode\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]minpoll\f[] \f\*[I-Font]int\f[]] [\f\*[B-Font]maxpoll\f[] \f\*[I-Font]int\f[]]
This command can be used to configure reference clocks in
@@ -2528,7 +2549,7 @@
page
(available as part of the HTML documentation
provided in
-\fI/usr/share/doc/ntp\f[]).
+\fI/usr/share/doc/ntp\f[] \fI).\f[]
.TP 7
.NOP \f\*[B-Font]stratum\f[] \f\*[I-Font]int\f[]
Specifies the stratum number assigned to the driver, an integer
@@ -2576,9 +2597,8 @@
command can be found in
\fIMonitoring\f[] \fIOptions\f[].
.RE
-.RE
+.PP
.SH Miscellaneous Options
-.RS
.TP 7
.NOP \f\*[B-Font]broadcastdelay\f[] \f\*[I-Font]seconds\f[]
The broadcast and multicast modes require a special calibration
@@ -2817,6 +2837,71 @@
on multiple hosts, with (mostly) common options (e.g., a
restriction list).
.TP 7
+.NOP \f\*[B-Font]interface\f[] [\f\*[B-Font]listen\f[] | \f\*[B-Font]ignore\f[] | \f\*[B-Font]drop\f[]] [\f\*[B-Font]all\f[] | \f\*[B-Font]ipv4\f[] | \f\*[B-Font]ipv6\f[] | \f\*[B-Font]wildcard\f[] \f\*[I-Font]name\f[] | \f\*[I-Font]address\f[] [\f\*[B-Font]/\f[] \f\*[I-Font]prefixlen\f[]]]
+The
+\f\*[B-Font]interface\f[]
+directive controls which network addresses
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+opens, and whether input is dropped without processing.
+The first parameter determines the action for addresses
+which match the second parameter.
+The second parameter specifies a class of addresses,
+or a specific interface name,
+or an address.
+In the address case,
+\f\*[I-Font]prefixlen\f[]
+determines how many bits must match for this rule to apply.
+\f\*[B-Font]ignore\f[]
+prevents opening matching addresses,
+\f\*[B-Font]drop\f[]
+causes
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+to open the address and drop all received packets without examination.
+Multiple
+\f\*[B-Font]interface\f[]
+directives can be used.
+The last rule which matches a particular address determines the action for it.
+\f\*[B-Font]interface\f[]
+directives are disabled if any
+\f\*[B-Font]\-I\f[],
+\f\*[B-Font]\-\-interface\f[],
+\f\*[B-Font]\-L\f[],
+or
+\f\*[B-Font]\-\-novirtualips\f[]
+command-line options are specified in the configuration file,
+all available network addresses are opened.
+The
+\f\*[B-Font]nic\f[]
+directive is an alias for
+\f\*[B-Font]interface\f[].
+.TP 7
+.NOP \f\*[B-Font]leapfile\f[] \f\*[I-Font]leapfile\f[]
+This command loads the IERS leapseconds file and initializes the
+leapsecond values for the next leapsecond event, leapfile expiration
+time, and TAI offset.
+The file can be obtained directly from the IERS at
+\f[C]https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[]
+or
+\f[C]ftp://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list\f[].
+The
+\f\*[B-Font]leapfile\f[]
+is scanned when
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+processes the
+\f\*[B-Font]leapfile\f[] \f\*[B-Font]directive\f[] \f\*[B-Font]or\f[] \f\*[B-Font]when\f[]
+\f\*[B-Font]ntpd\f[] \f\*[B-Font]detects\f[] \f\*[B-Font]that\f[] \f\*[B-Font]the\f[]
+\f\*[I-Font]leapfile\f[]
+has changed.
+\f\*[B-Font]ntpd\f[]
+checks once a day to see if the
+\f\*[I-Font]leapfile\f[]
+has changed.
+The
+\fCupdate-leap\f[]\fR(1update_leapmdoc)\f[]
+script can be run to see if the
+\f\*[I-Font]leapfile\f[]
+should be updated.
+.TP 7
.NOP \f\*[B-Font]leapsmearinterval\f[] \f\*[I-Font]seconds\f[]
This EXPERIMENTAL option is only available if
\fCntpd\f[]\fR(@NTPD_MS@)\f[]
@@ -2922,6 +3007,164 @@
\f\*[B-Font]\-l\f[]
command line option.
.TP 7
+.NOP \f\*[B-Font]mru\f[] [\f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[] | \f\*[B-Font]initialloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[] | \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[] | \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]]
+Controls size limite of the monitoring facility's Most Recently Used
+(MRU) list
+of client addresses, which is also used by the
+rate control facility.
+.RS
+.TP 7
+.NOP \f\*[B-Font]maxdepth\f[] \f\*[I-Font]count\f[]
+.TP 7
+.NOP \f\*[B-Font]maxmem\f[] \f\*[I-Font]kilobytes\f[]
+Equivalent upper limits on the size of the MRU list, in terms of entries or kilobytes.
+The acutal limit will be up to
+\f\*[B-Font]incalloc\f[]
+entries or
+\f\*[B-Font]incmem\f[]
+kilobytes larger.
+As with all of the
+\f\*[B-Font]mru\f[]
+options offered in units of entries or kilobytes, if both
+\f\*[B-Font]maxdepth\f[]
+and
+\f\*[B-Font]maxmem\f[] \f\*[B-Font]are\f[] \f\*[B-Font]used,\f[] \f\*[B-Font]the\f[] \f\*[B-Font]last\f[] \f\*[B-Font]one\f[] \f\*[B-Font]used\f[] \f\*[B-Font]controls.\f[]
+The default is 1024 kilobytes.
+.TP 7
+.NOP \f\*[B-Font]mindepth\f[] \f\*[I-Font]count\f[]
+Lower limit on the MRU list size.
+When the MRU list has fewer than
+\f\*[B-Font]mindepth\f[]
+entries, existing entries are never removed to make room for newer ones,
+regardless of their age.
+The default is 600 entries.
+.TP 7
+.NOP \f\*[B-Font]maxage\f[] \f\*[I-Font]seconds\f[]
+Once the MRU list has
+\f\*[B-Font]mindepth\f[]
+entries and an additional client is to ba added to the list,
+if the oldest entry was updated more than
+\f\*[B-Font]maxage\f[]
+seconds ago, that entry is removed and its storage is reused.
+If the oldest entry was updated more recently the MRU list is grown,
+subject to
+\f\*[B-Font]maxdepth\f[] \f\*[B-Font]/\f[] \f\*[B-Font]moxmem\f[].
+The default is 64 seconds.
+.TP 7
+.NOP \f\*[B-Font]initalloc\f[] \f\*[I-Font]count\f[]
+.TP 7
+.NOP \f\*[B-Font]initmem\f[] \f\*[I-Font]kilobytes\f[]
+Initial memory allocation at the time the monitoringfacility is first enabled,
+in terms of the number of entries or kilobytes.
+The default is 4 kilobytes.
+.TP 7
+.NOP \f\*[B-Font]incalloc\f[] \f\*[I-Font]count\f[]
+.TP 7
+.NOP \f\*[B-Font]incmem\f[] \f\*[I-Font]kilobytes\f[]
+Size of additional memory allocations when growing the MRU list, in entries or kilobytes.
+The default is 4 kilobytes.
+.RE
+.TP 7
+.NOP \f\*[B-Font]nonvolatile\f[] \f\*[I-Font]threshold\f[]
+Specify the
+\f\*[I-Font]threshold\f[]
+delta in seconds before an hourly change to the
+\f\*[B-Font]driftfile\f[]
+(frequency file) will be written, with a default value of 1e-7 (0.1 PPM).
+The frequency file is inspected each hour.
+If the difference between the current frequency and the last value written
+exceeds the threshold, the file is written and the
+\f\*[B-Font]threshold\f[]
+becomes the new threshold value.
+If the threshold is not exceeeded, it is reduced by half.
+This is intended to reduce the number of file writes
+for embedded systems with nonvolatile memory.
+.TP 7
+.NOP \f\*[B-Font]phone\f[] \f\*[I-Font]dial\f[] \f\*[I-Font]...\f[]
+This command is used in conjunction with
+the ACTS modem driver (type 18)
+or the JJY driver (type 40, mode 100 \- 180).
+For the ACTS modem driver (type 18), the arguments consist of
+a maximum of 10 telephone numbers used to dial USNO, NIST, or European
+time service.
+For the JJY driver (type 40 mode 100 \- 180), the argument is
+one telephone number used to dial the telephone JJY service.
+The Hayes command ATDT is normally prepended to the number.
+The number can contain other modem control codes as well.
+.TP 7
+.NOP \f\*[B-Font]reset\f[] [\f\*[B-Font]allpeers\f[]] [\f\*[B-Font]auth\f[]] [\f\*[B-Font]ctl\f[]] [\f\*[B-Font]io\f[]] [\f\*[B-Font]mem\f[]] [\f\*[B-Font]sys\f[]] [\f\*[B-Font]timer\f[]]
+Reset one or more groups of counters maintained by
+\f\*[B-Font]ntpd\f[]
+and exposed by
+\f\*[B-Font]ntpq\f[]
+and
+\f\*[B-Font]ntpdc\f[].
+.TP 7
+.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]]
+.RS
+.TP 7
+.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[]
+Specify the number of megabytes of memory that should be
+allocated and locked.
+Probably only available under Linux, this option may be useful
+when dropping root (the
+\f\*[B-Font]\-i\f[]
+option).
+The default is 32 megabytes on non-Linux machines, and \-1 under Linux.
+-1 means "do not lock the process into memory".
+0 means "lock whatever memory the process wants into memory".
+.TP 7
+.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[]
+Specifies the maximum size of the process stack on systems with the
+\fBmlockall\f[]\fR()\f[]
+function.
+Defaults to 50 4k pages (200 4k pages in OpenBSD).
+.TP 7
+.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]
+Specifies the maximum number of file descriptors ntpd may have open at once.
+Defaults to the system default.
+.RE
+.TP 7
+.NOP \f\*[B-Font]saveconfigdir\f[] \f\*[I-Font]directory_path\f[]
+Specify the directory in which to write configuration snapshots
+requested with
+.Cm ntpq 's
+\f\*[B-Font]saveconfig\f[]
+command.
+If
+\f\*[B-Font]saveconfigdir\f[]
+does not appear in the configuration file,
+\f\*[B-Font]saveconfig\f[]
+requests are rejected by
+\f\*[B-Font]ntpd\f[].
+.TP 7
+.NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[]
+Write the current configuration, including any runtime
+modifications given with
+\f\*[B-Font]:config\f[]
+or
+\f\*[B-Font]config-from-file\f[]
+to the
+\f\*[B-Font]ntpd\f[]
+host's
+\f\*[I-Font]filename\f[]
+in the
+\f\*[B-Font]saveconfigdir\f[].
+This command will be rejected unless the
+\f\*[B-Font]saveconfigdir\f[]
+directive appears in
+.Cm ntpd 's
+configuration file.
+\f\*[I-Font]filename\f[]
+can use
+\fCstrftime\f[]\fR(3)\f[]
+format directives to substitute the current date and time,
+for example,
+\f\*[B-Font]saveconfig\ ntp-%Y%m%d-%H%M%S.conf\f[].
+The filename used is stored in the system variable
+\f\*[B-Font]savedconfig\f[].
+Authentication is required.
+.TP 7
.NOP \f\*[B-Font]setvar\f[] \f\*[I-Font]variable\f[] [\f\*[B-Font]default\f[]]
This command adds an additional system variable.
These
@@ -2955,6 +3198,12 @@
\fIclock_var_list\f[]
holds the names of the reference clock variables.
.TP 7
+.NOP \f\*[B-Font]sysinfo\f[]
+Display operational summary.
+.TP 7
+.NOP \f\*[B-Font]sysstats\f[]
+Show statistics counters maintained in the protocol module.
+.TP 7
.NOP \f\*[B-Font]tinker\f[] [\f\*[B-Font]allan\f[] \f\*[I-Font]allan\f[] | \f\*[B-Font]dispersion\f[] \f\*[I-Font]dispersion\f[] | \f\*[B-Font]freq\f[] \f\*[I-Font]freq\f[] | \f\*[B-Font]huffpuff\f[] \f\*[I-Font]huffpuff\f[] | \f\*[B-Font]panic\f[] \f\*[I-Font]panic\f[] | \f\*[B-Font]step\f[] \f\*[I-Font]step\f[] | \f\*[B-Font]stepback\f[] \f\*[I-Font]stepback\f[] | \f\*[B-Font]stepfwd\f[] \f\*[I-Font]stepfwd\f[] | \f\*[B-Font]stepout\f[] \f\*[I-Font]stepout\f[]]
This command can be used to alter several system variables in
very exceptional circumstances.
@@ -3044,31 +3293,19 @@
pulses will not be suppressed.
.RE
.TP 7
-.NOP \f\*[B-Font]rlimit\f[] [\f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[] | \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[] \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]]
-.RS
+.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\ name\f[] \f\*[I-Font]=\f[] \f\*[I-Font]value\f[] \f\*[I-Font][,...]\f[]
+Write (create or update) the specified variables.
+If the
+\f\*[B-Font]assocID\f[]
+is zero, the variablea re from the
+system variables
+name space, otherwise they are from the
+peer variables
+name space.
+The
+\f\*[B-Font]assocID\f[]
+is required, as the same name can occur in both name spaces.
.TP 7
-.NOP \f\*[B-Font]memlock\f[] \f\*[I-Font]Nmegabytes\f[]
-Specify the number of megabytes of memory that should be
-allocated and locked.
-Probably only available under Linux, this option may be useful
-when dropping root (the
-\f\*[B-Font]\-i\f[]
-option).
-The default is 32 megabytes on non-Linux machines, and \-1 under Linux.
--1 means "do not lock the process into memory".
-0 means "lock whatever memory the process wants into memory".
-.TP 7
-.NOP \f\*[B-Font]stacksize\f[] \f\*[I-Font]N4kPages\f[]
-Specifies the maximum size of the process stack on systems with the
-\fBmlockall\f[]\fR()\f[]
-function.
-Defaults to 50 4k pages (200 4k pages in OpenBSD).
-.TP 7
-.NOP \f\*[B-Font]filenum\f[] \f\*[I-Font]Nfiledescriptors\f[]
-Specifies the maximum number of file descriptors ntpd may have open at once.
-Defaults to the system default.
-.RE
-.TP 7
.NOP \f\*[B-Font]trap\f[] \f\*[I-Font]host_address\f[] [\f\*[B-Font]port\f[] \f\*[I-Font]port_number\f[]] [\f\*[B-Font]interface\f[] \f\*[I-Font]interface_address\f[]]
This command configures a trap receiver at the given host
address and port number for sending messages with the specified
@@ -3080,6 +3317,14 @@
message is sent through.
Note that on a multihomed host the
interface used may vary from time to time with routing changes.
+.TP 7
+.NOP \f\*[B-Font]ttl\f[] \f\*[I-Font]hop\f[] \f\*[I-Font]...\f[]
+This command specifies a list of TTL values in increasing order.
+Up to 8 values can be specified.
+In
+\f\*[B-Font]manycast\f[]
+mode these values are used in-turn in an expanding-ring search.
+The default is eight multiples of 32 starting at 31.
.sp \n(Ppu
.ne 2
@@ -3097,9 +3342,8 @@
an expanding-ring search.
The default is eight multiples of 32 starting at
31.
-.RE
+.PP
.SH "OPTIONS"
-.RS
.TP
.NOP \f\*[B-Font]\-\-help\f[]
Display usage information and exit.
@@ -3111,7 +3355,7 @@
Output version of program and exit. The default mode is `v', a simple
version. The `c' mode will print copyright information and `n' will
print the full copyright notice.
-.RE
+.PP
.SH "OPTION PRESETS"
Any option that is not marked as \fInot presettable\fP may be preset
by loading values from environment variables named:
@@ -3122,7 +3366,6 @@
.SH "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.SH FILES
-.RS
.TP 15
.NOP \fI/etc/ntp.conf\f[]
the default name of the configuration file
@@ -3146,10 +3389,9 @@
.TP 15
.NOP \fIntp_dh\f[]
Diffie-Hellman agreement parameters
-.RE
+.PP
.SH "EXIT STATUS"
One of the following exit values will be returned:
-.RS
.TP
.NOP 0 " (EXIT_SUCCESS)"
Successful program execution.
@@ -3160,7 +3402,7 @@
.NOP 70 " (EX_SOFTWARE)"
libopts had an internal operational error. Please report
it to autogen-users@lists.sourceforge.net. Thank you.
-.RE
+.PP
.SH "SEE ALSO"
\fCntpd\f[]\fR(@NTPD_MS@)\f[],
\fCntpdc\f[]\fR(@NTPDC_MS@)\f[],
Index: contrib/ntp/ntpd/ntp.keys.def
===================================================================
--- contrib/ntp/ntpd/ntp.keys.def (版本 330566)
+++ contrib/ntp/ntpd/ntp.keys.def (版本 330908)
@@ -50,16 +50,24 @@
is a positive integer (between 1 and 65534),
.Ar type
is the message digest algorithm,
-and
.Ar key
is the key itself, and
.Ar opt_IP_list
is an optional comma-separated list of IPs
+where the
+.Ar keyno
+should be trusted.
that are allowed to serve time.
+Each IP in
+.Ar opt_IP_list
+may contain an optional
+.Cm /subnetbits
+specification which identifies the number of bits for
+the desired subnet of trust.
If
.Ar opt_IP_list
is empty,
-any properly-authenticated server message will be
+any properly-authenticated message will be
accepted.
.Pp
The
Index: contrib/ntp/ntpd/ntp_config.c
===================================================================
--- contrib/ntp/ntpd/ntp_config.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_config.c (版本 330908)
@@ -149,9 +149,9 @@
extern int yydebug; /* ntp_parser.c (.y) */
config_tree cfgt; /* Parser output stored here */
struct config_tree_tag *cfg_tree_history; /* History of configs */
-char *sys_phone[MAXPHONE] = {NULL}; /* ACTS phone numbers */
+char * sys_phone[MAXPHONE] = {NULL}; /* ACTS phone numbers */
char default_keysdir[] = NTP_KEYSDIR;
-char *keysdir = default_keysdir; /* crypto keys directory */
+char * keysdir = default_keysdir; /* crypto keys directory */
char * saveconfigdir;
#if defined(HAVE_SCHED_SETSCHEDULER)
int config_priority_override = 0;
@@ -312,6 +312,7 @@
static void config_rlimit(config_tree *);
static void config_system_opts(config_tree *);
static void config_tinker(config_tree *);
+static int config_tos_clock(config_tree *);
static void config_tos(config_tree *);
static void config_vars(config_tree *);
@@ -363,7 +364,9 @@
static u_int32 get_logmask(const char *);
static int/*BOOL*/ is_refclk_addr(const address_node * addr);
+static void appendstr(char *, size_t, char *);
+
#ifndef SIM
static int getnetnum(const char *num, sockaddr_u *addr, int complain,
enum gnn_type a_type);
@@ -528,7 +531,7 @@
setvar_node *setv_node;
nic_rule_node *rule_node;
int_node *i_n;
- int_node *flags;
+ int_node *flag_tok_fifo;
int_node *counter_set;
string_node *str_node;
@@ -554,7 +557,10 @@
ptree->source.value.s);
}
- /* For options I didn't find documentation I'll just output its name and the cor. value */
+ /*
+ * For options without documentation we just output the name
+ * and its data value
+ */
atrv = HEAD_PFIFO(ptree->vars);
for ( ; atrv != NULL; atrv = atrv->link) {
switch (atrv->type) {
@@ -722,6 +728,21 @@
token_name(atrv->type));
break;
#endif
+ case T_Integer:
+ if (atrv->attr == T_Basedate) {
+ struct calendar jd;
+ ntpcal_rd_to_date(&jd, atrv->value.i + DAY_NTP_STARTS);
+ fprintf(df, " %s \"%04hu-%02hu-%02hu\"",
+ keyword(atrv->attr), jd.year,
+ (u_short)jd.month,
+ (u_short)jd.monthday);
+ } else {
+ fprintf(df, " %s %d",
+ keyword(atrv->attr),
+ atrv->value.i);
+ }
+ break;
+
case T_Double:
fprintf(df, " %s %s",
keyword(atrv->attr),
@@ -904,30 +925,52 @@
fprintf(df, "\n");
}
-
for (rest_node = HEAD_PFIFO(ptree->restrict_opts);
rest_node != NULL;
rest_node = rest_node->link) {
+ int is_default = 0;
if (NULL == rest_node->addr) {
s = "default";
- flags = HEAD_PFIFO(rest_node->flags);
- for ( ; flags != NULL; flags = flags->link)
- if (T_Source == flags->i) {
+ /* Don't need to set is_default=1 here */
+ flag_tok_fifo = HEAD_PFIFO(rest_node->flag_tok_fifo);
+ for ( ; flag_tok_fifo != NULL; flag_tok_fifo = flag_tok_fifo->link) {
+ if (T_Source == flag_tok_fifo->i) {
s = "source";
break;
- }
+ }
+ }
} else {
- s = rest_node->addr->address;
+ const char *ap = rest_node->addr->address;
+ const char *mp = "";
+
+ if (rest_node->mask)
+ mp = rest_node->mask->address;
+
+ if ( rest_node->addr->type == AF_INET
+ && !strcmp(ap, "0.0.0.0")
+ && !strcmp(mp, "0.0.0.0")) {
+ is_default = 1;
+ s = "-4 default";
+ } else if ( rest_node->mask
+ && rest_node->mask->type == AF_INET6
+ && !strcmp(ap, "::")
+ && !strcmp(mp, "::")) {
+ is_default = 1;
+ s = "-6 default";
+ } else {
+ s = ap;
+ }
}
fprintf(df, "restrict %s", s);
- if (rest_node->mask != NULL)
+ if (rest_node->mask != NULL && !is_default)
fprintf(df, " mask %s",
rest_node->mask->address);
- flags = HEAD_PFIFO(rest_node->flags);
- for ( ; flags != NULL; flags = flags->link)
- if (T_Source != flags->i)
- fprintf(df, " %s", keyword(flags->i));
+ fprintf(df, " ippeerlimit %d", rest_node->ippeerlimit);
+ flag_tok_fifo = HEAD_PFIFO(rest_node->flag_tok_fifo);
+ for ( ; flag_tok_fifo != NULL; flag_tok_fifo = flag_tok_fifo->link)
+ if (T_Source != flag_tok_fifo->i)
+ fprintf(df, " %s", keyword(flag_tok_fifo->i));
fprintf(df, "\n");
}
@@ -1057,11 +1100,45 @@
return pf1;
}
+void*
+destroy_gen_fifo(
+ void *fifo,
+ fifo_deleter func
+ )
+{
+ any_node * np = NULL;
+ any_node_fifo * pf1 = fifo;
+ if (pf1 != NULL) {
+ if (!func)
+ func = free;
+ for (;;) {
+ UNLINK_FIFO(np, *pf1, link);
+ if (np == NULL)
+ break;
+ (*func)(np);
+ }
+ free(pf1);
+ }
+ return NULL;
+}
+
/* FUNCTIONS FOR CREATING NODES ON THE SYNTAX TREE
* -----------------------------------------------
*/
+void
+destroy_attr_val(
+ attr_val * av
+ )
+{
+ if (av) {
+ if (T_String == av->type)
+ free(av->value.s);
+ free(av);
+ }
+}
+
attr_val *
create_attr_dval(
int attr,
@@ -1402,7 +1479,8 @@
create_restrict_node(
address_node * addr,
address_node * mask,
- int_fifo * flags,
+ short ippeerlimit,
+ int_fifo * flag_tok_fifo,
int line_no
)
{
@@ -1411,7 +1489,8 @@
my_node = emalloc_zero(sizeof(*my_node));
my_node->addr = addr;
my_node->mask = mask;
- my_node->flags = flags;
+ my_node->ippeerlimit = ippeerlimit;
+ my_node->flag_tok_fifo = flag_tok_fifo;
my_node->line_no = line_no;
return my_node;
@@ -1428,7 +1507,7 @@
*/
destroy_address_node(my_node->addr);
destroy_address_node(my_node->mask);
- destroy_int_fifo(my_node->flags);
+ destroy_int_fifo(my_node->flag_tok_fifo);
free(my_node);
}
@@ -1484,9 +1563,7 @@
UNLINK_FIFO(av, *av_fifo, link);
if (av == NULL)
break;
- if (T_String == av->type)
- free(av->value.s);
- free(av);
+ destroy_attr_val(av);
}
free(av_fifo);
}
@@ -2009,6 +2086,35 @@
#endif /* FREE_CFG_T */
+/* Configure low-level clock-related parameters. Return TRUE if the
+ * clock might need adjustment like era-checking after the call, FALSE
+ * otherwise.
+ */
+static int/*BOOL*/
+config_tos_clock(
+ config_tree *ptree
+ )
+{
+ int ret;
+ attr_val * tos;
+
+ ret = FALSE;
+ tos = HEAD_PFIFO(ptree->orphan_cmds);
+ for (; tos != NULL; tos = tos->link) {
+ switch(tos->attr) {
+
+ default:
+ break;
+
+ case T_Basedate:
+ basedate_set_day(tos->value.i);
+ ret = TRUE;
+ break;
+ }
+ }
+ return ret;
+}
+
static void
config_tos(
config_tree *ptree
@@ -2034,12 +2140,16 @@
/* -*- phase one: inspect / sanitize the values */
tos = HEAD_PFIFO(ptree->orphan_cmds);
for (; tos != NULL; tos = tos->link) {
- val = tos->value.d;
+ /* not all attributes are doubles (any more), so loading
+ * 'val' in all cases is not a good idea: It should be
+ * done as needed in every case processed here.
+ */
switch(tos->attr) {
default:
break;
case T_Bcpollbstep:
+ val = tos->value.d;
if (val > 4) {
msyslog(LOG_WARNING,
"Using maximum bcpollbstep ceiling %d, %d requested",
@@ -2054,6 +2164,7 @@
break;
case T_Ceiling:
+ val = tos->value.d;
if (val > STRATUM_UNSPEC - 1) {
msyslog(LOG_WARNING,
"Using maximum tos ceiling %d, %d requested",
@@ -2068,6 +2179,7 @@
break;
case T_Minclock:
+ val = tos->value.d;
if ((int)tos->value.d < 1)
tos->value.d = 1;
l_minclock = (int)tos->value.d;
@@ -2074,6 +2186,7 @@
break;
case T_Maxclock:
+ val = tos->value.d;
if ((int)tos->value.d < 1)
tos->value.d = 1;
l_maxclock = (int)tos->value.d;
@@ -2080,6 +2193,7 @@
break;
case T_Minsane:
+ val = tos->value.d;
if ((int)tos->value.d < 1)
tos->value.d = 1;
l_minsane = (int)tos->value.d;
@@ -2097,7 +2211,6 @@
/* -*- phase two: forward the values to the protocol machinery */
tos = HEAD_PFIFO(ptree->orphan_cmds);
for (; tos != NULL; tos = tos->link) {
- val = tos->value.d;
switch(tos->attr) {
default:
@@ -2150,8 +2263,11 @@
case T_Beacon:
item = PROTO_BEACON;
break;
+
+ case T_Basedate:
+ continue; /* SKIP proto-config for this! */
}
- proto_config(item, 0, val, NULL);
+ proto_config(item, 0, tos->value.d, NULL);
}
}
@@ -2348,7 +2464,7 @@
static int warned_signd;
attr_val * my_opt;
restrict_node * my_node;
- int_node * curr_flag;
+ int_node * curr_tok_fifo;
sockaddr_u addr;
sockaddr_u mask;
struct addrinfo hints;
@@ -2356,8 +2472,9 @@
struct addrinfo * pai;
int rc;
int restrict_default;
- u_short flags;
+ u_short rflags;
u_short mflags;
+ short ippeerlimit;
int range_err;
const char * signd_warning =
#ifdef HAVE_NTP_SIGND
@@ -2476,17 +2593,23 @@
/* Configure the restrict options */
my_node = HEAD_PFIFO(ptree->restrict_opts);
+
for (; my_node != NULL; my_node = my_node->link) {
+ /* Grab the ippeerlmit */
+ ippeerlimit = my_node->ippeerlimit;
+
+DPRINTF(1, ("config_access: top-level node %p: ippeerlimit %d\n", my_node, ippeerlimit));
+
/* Parse the flags */
- flags = 0;
+ rflags = 0;
mflags = 0;
- curr_flag = HEAD_PFIFO(my_node->flags);
- for (; curr_flag != NULL; curr_flag = curr_flag->link) {
- switch (curr_flag->i) {
+ curr_tok_fifo = HEAD_PFIFO(my_node->flag_tok_fifo);
+ for (; curr_tok_fifo != NULL; curr_tok_fifo = curr_tok_fifo->link) {
+ switch (curr_tok_fifo->i) {
default:
- fatal_error("config-access: flag-type-token=%d", curr_flag->i);
+ fatal_error("config_access: flag-type-token=%d", curr_tok_fifo->i);
case T_Ntpport:
mflags |= RESM_NTPONLY;
@@ -2497,64 +2620,68 @@
break;
case T_Flake:
- flags |= RES_FLAKE;
+ rflags |= RES_FLAKE;
break;
case T_Ignore:
- flags |= RES_IGNORE;
+ rflags |= RES_IGNORE;
break;
case T_Kod:
- flags |= RES_KOD;
+ rflags |= RES_KOD;
break;
case T_Mssntp:
- flags |= RES_MSSNTP;
+ rflags |= RES_MSSNTP;
break;
case T_Limited:
- flags |= RES_LIMITED;
+ rflags |= RES_LIMITED;
break;
case T_Lowpriotrap:
- flags |= RES_LPTRAP;
+ rflags |= RES_LPTRAP;
break;
case T_Nomodify:
- flags |= RES_NOMODIFY;
+ rflags |= RES_NOMODIFY;
break;
case T_Nomrulist:
- flags |= RES_NOMRULIST;
+ rflags |= RES_NOMRULIST;
break;
+ case T_Noepeer:
+ rflags |= RES_NOEPEER;
+ break;
+
case T_Nopeer:
- flags |= RES_NOPEER;
+ rflags |= RES_NOPEER;
break;
case T_Noquery:
- flags |= RES_NOQUERY;
+ rflags |= RES_NOQUERY;
break;
case T_Noserve:
- flags |= RES_DONTSERVE;
+ rflags |= RES_DONTSERVE;
break;
case T_Notrap:
- flags |= RES_NOTRAP;
+ rflags |= RES_NOTRAP;
break;
case T_Notrust:
- flags |= RES_DONTTRUST;
+ rflags |= RES_DONTTRUST;
break;
case T_Version:
- flags |= RES_VERSION;
+ rflags |= RES_VERSION;
break;
}
}
- if ((RES_MSSNTP & flags) && !warned_signd) {
+ if ((RES_MSSNTP & rflags) && !warned_signd) {
warned_signd = 1;
fprintf(stderr, "%s\n", signd_warning);
msyslog(LOG_WARNING, "%s", signd_warning);
@@ -2561,7 +2688,7 @@
}
/* It would be swell if we could identify the line number */
- if ((RES_KOD & flags) && !(RES_LIMITED & flags)) {
+ if ((RES_KOD & rflags) && !(RES_LIMITED & rflags)) {
const char *kod_where = (my_node->addr)
? my_node->addr->address
: (mflags & RESM_SOURCE)
@@ -2589,10 +2716,10 @@
restrict_default = 1;
} else {
/* apply "restrict source ..." */
- DPRINTF(1, ("restrict source template mflags %x flags %x\n",
- mflags, flags));
- hack_restrict(RESTRICT_FLAGS, NULL,
- NULL, mflags, flags, 0);
+ DPRINTF(1, ("restrict source template ippeerlimit %d mflags %x rflags %x\n",
+ ippeerlimit, mflags, rflags));
+ hack_restrict(RESTRICT_FLAGS, NULL, NULL,
+ ippeerlimit, mflags, rflags, 0);
continue;
}
} else {
@@ -2661,15 +2788,15 @@
if (restrict_default) {
AF(&addr) = AF_INET;
AF(&mask) = AF_INET;
- hack_restrict(RESTRICT_FLAGS, &addr,
- &mask, mflags, flags, 0);
+ hack_restrict(RESTRICT_FLAGS, &addr, &mask,
+ ippeerlimit, mflags, rflags, 0);
AF(&addr) = AF_INET6;
AF(&mask) = AF_INET6;
}
do {
- hack_restrict(RESTRICT_FLAGS, &addr,
- &mask, mflags, flags, 0);
+ hack_restrict(RESTRICT_FLAGS, &addr, &mask,
+ ippeerlimit, mflags, rflags, 0);
if (pai != NULL &&
NULL != (pai = pai->ai_next)) {
INSIST(pai->ai_addr != NULL);
@@ -2720,6 +2847,9 @@
case T_Memlock:
/* What if we HAVE_OPT(SAVECONFIGQUIT) ? */
+ if (HAVE_OPT( SAVECONFIGQUIT )) {
+ break;
+ }
if (rlimit_av->value.i == -1) {
# if defined(HAVE_MLOCKALL)
if (cur_memlock != 0) {
@@ -3006,17 +3136,17 @@
int enable
)
{
- attr_val *curr_flag;
+ attr_val *curr_tok_fifo;
int option;
#ifdef BC_LIST_FRAMEWORK_NOT_YET_USED
bc_entry *pentry;
#endif
- for (curr_flag = HEAD_PFIFO(fifo);
- curr_flag != NULL;
- curr_flag = curr_flag->link) {
+ for (curr_tok_fifo = HEAD_PFIFO(fifo);
+ curr_tok_fifo != NULL;
+ curr_tok_fifo = curr_tok_fifo->link) {
- option = curr_flag->value.i;
+ option = curr_tok_fifo->value.i;
switch (option) {
default:
@@ -3851,6 +3981,9 @@
* If we have a numeric address, we can safely
* proceed in the mainline with it. Otherwise, hand
* the hostname off to the blocking child.
+ *
+ * Note that if we're told to add the peer here, we
+ * do that regardless of ippeerlimit.
*/
if (is_ip_address(*cmdline_servers, AF_UNSPEC,
&peeraddr)) {
@@ -3862,6 +3995,7 @@
&peeraddr,
NULL,
NULL,
+ -1,
MODE_CLIENT,
NTP_VERSION,
0,
@@ -3912,6 +4046,7 @@
&peeraddr,
curr_peer->addr->address,
NULL,
+ -1,
hmode,
curr_peer->peerversion,
curr_peer->minpoll,
@@ -3935,6 +4070,7 @@
&peeraddr,
NULL,
NULL,
+ -1,
hmode,
curr_peer->peerversion,
curr_peer->minpoll,
@@ -4035,6 +4171,7 @@
&peeraddr,
NULL,
NULL,
+ -1,
ctx->hmode,
ctx->version,
ctx->minpoll,
@@ -4113,7 +4250,7 @@
if (rc > 0) {
DPRINTF(1, ("unpeer: searching for %s\n",
stoa(&peeraddr)));
- p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0);
+ p = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL);
if (p != NULL) {
msyslog(LOG_NOTICE, "unpeered %s",
stoa(&peeraddr));
@@ -4193,7 +4330,7 @@
memcpy(&peeraddr, res->ai_addr, res->ai_addrlen);
DPRINTF(1, ("unpeer: searching for peer %s\n",
stoa(&peeraddr)));
- peer = findexistingpeer(&peeraddr, NULL, NULL, -1, 0);
+ peer = findexistingpeer(&peeraddr, NULL, NULL, -1, 0, NULL);
if (peer != NULL) {
af = AF(&peeraddr);
fam_spec = (AF_INET6 == af)
@@ -4420,6 +4557,15 @@
int/*BOOL*/ input_from_files
)
{
+ /* [Bug 3435] check and esure clock sanity if configured from
+ * file and clock sanity parameters (-> basedate) are given. Do
+ * this ASAP, so we don't disturb the closed loop controller.
+ */
+ if (input_from_files) {
+ if (config_tos_clock(ptree))
+ clamp_systime();
+ }
+
config_nic_rules(ptree, input_from_files);
config_monitor(ptree);
config_auth(ptree);
@@ -4444,6 +4590,12 @@
config_fudge(ptree);
config_reset_counters(ptree);
+#ifdef DEBUG
+ if (debug > 1) {
+ dump_restricts();
+ }
+#endif
+
#ifdef TEST_BLOCKING_WORKER
{
struct addrinfo hints;
@@ -5043,6 +5195,9 @@
switch (rl_what) {
# ifdef RLIMIT_MEMLOCK
case RLIMIT_MEMLOCK:
+ if (HAVE_OPT( SAVECONFIGQUIT )) {
+ break;
+ }
/*
* The default RLIMIT_MEMLOCK is very low on Linux systems.
* Unless we increase this limit malloc calls are likely to
@@ -5104,3 +5259,217 @@
}
}
#endif /* HAVE_SETRLIMIT */
+
+
+char *
+build_iflags(u_int32 iflags)
+{
+ static char ifs[1024];
+
+ ifs[0] = '\0';
+
+ if (iflags & INT_UP) {
+ iflags &= ~INT_UP;
+ appendstr(ifs, sizeof ifs, "up");
+ }
+
+ if (iflags & INT_PPP) {
+ iflags &= ~INT_PPP;
+ appendstr(ifs, sizeof ifs, "ppp");
+ }
+
+ if (iflags & INT_LOOPBACK) {
+ iflags &= ~INT_LOOPBACK;
+ appendstr(ifs, sizeof ifs, "loopback");
+ }
+
+ if (iflags & INT_BROADCAST) {
+ iflags &= ~INT_BROADCAST;
+ appendstr(ifs, sizeof ifs, "broadcast");
+ }
+
+ if (iflags & INT_MULTICAST) {
+ iflags &= ~INT_MULTICAST;
+ appendstr(ifs, sizeof ifs, "multicast");
+ }
+
+ if (iflags & INT_BCASTOPEN) {
+ iflags &= ~INT_BCASTOPEN;
+ appendstr(ifs, sizeof ifs, "bcastopen");
+ }
+
+ if (iflags & INT_MCASTOPEN) {
+ iflags &= ~INT_MCASTOPEN;
+ appendstr(ifs, sizeof ifs, "mcastopen");
+ }
+
+ if (iflags & INT_WILDCARD) {
+ iflags &= ~INT_WILDCARD;
+ appendstr(ifs, sizeof ifs, "wildcard");
+ }
+
+ if (iflags & INT_MCASTIF) {
+ iflags &= ~INT_MCASTIF;
+ appendstr(ifs, sizeof ifs, "MCASTif");
+ }
+
+ if (iflags & INT_PRIVACY) {
+ iflags &= ~INT_PRIVACY;
+ appendstr(ifs, sizeof ifs, "IPv6privacy");
+ }
+
+ if (iflags & INT_BCASTXMIT) {
+ iflags &= ~INT_BCASTXMIT;
+ appendstr(ifs, sizeof ifs, "bcastxmit");
+ }
+
+ if (iflags) {
+ char string[10];
+
+ snprintf(string, sizeof string, "%0x", iflags);
+ appendstr(ifs, sizeof ifs, string);
+ }
+
+ return ifs;
+}
+
+
+char *
+build_mflags(u_short mflags)
+{
+ static char mfs[1024];
+
+ mfs[0] = '\0';
+
+ if (mflags & RESM_NTPONLY) {
+ mflags &= ~RESM_NTPONLY;
+ appendstr(mfs, sizeof mfs, "ntponly");
+ }
+
+ if (mflags & RESM_SOURCE) {
+ mflags &= ~RESM_SOURCE;
+ appendstr(mfs, sizeof mfs, "source");
+ }
+
+ if (mflags) {
+ char string[10];
+
+ snprintf(string, sizeof string, "%0x", mflags);
+ appendstr(mfs, sizeof mfs, string);
+ }
+
+ return mfs;
+}
+
+
+char *
+build_rflags(u_short rflags)
+{
+ static char rfs[1024];
+
+ rfs[0] = '\0';
+
+ if (rflags & RES_FLAKE) {
+ rflags &= ~RES_FLAKE;
+ appendstr(rfs, sizeof rfs, "flake");
+ }
+
+ if (rflags & RES_IGNORE) {
+ rflags &= ~RES_IGNORE;
+ appendstr(rfs, sizeof rfs, "ignore");
+ }
+
+ if (rflags & RES_KOD) {
+ rflags &= ~RES_KOD;
+ appendstr(rfs, sizeof rfs, "kod");
+ }
+
+ if (rflags & RES_MSSNTP) {
+ rflags &= ~RES_MSSNTP;
+ appendstr(rfs, sizeof rfs, "mssntp");
+ }
+
+ if (rflags & RES_LIMITED) {
+ rflags &= ~RES_LIMITED;
+ appendstr(rfs, sizeof rfs, "limited");
+ }
+
+ if (rflags & RES_LPTRAP) {
+ rflags &= ~RES_LPTRAP;
+ appendstr(rfs, sizeof rfs, "lptrap");
+ }
+
+ if (rflags & RES_NOMODIFY) {
+ rflags &= ~RES_NOMODIFY;
+ appendstr(rfs, sizeof rfs, "nomodify");
+ }
+
+ if (rflags & RES_NOMRULIST) {
+ rflags &= ~RES_NOMRULIST;
+ appendstr(rfs, sizeof rfs, "nomrulist");
+ }
+
+ if (rflags & RES_NOEPEER) {
+ rflags &= ~RES_NOEPEER;
+ appendstr(rfs, sizeof rfs, "noepeer");
+ }
+
+ if (rflags & RES_NOPEER) {
+ rflags &= ~RES_NOPEER;
+ appendstr(rfs, sizeof rfs, "nopeer");
+ }
+
+ if (rflags & RES_NOQUERY) {
+ rflags &= ~RES_NOQUERY;
+ appendstr(rfs, sizeof rfs, "noquery");
+ }
+
+ if (rflags & RES_DONTSERVE) {
+ rflags &= ~RES_DONTSERVE;
+ appendstr(rfs, sizeof rfs, "dontserve");
+ }
+
+ if (rflags & RES_NOTRAP) {
+ rflags &= ~RES_NOTRAP;
+ appendstr(rfs, sizeof rfs, "notrap");
+ }
+
+ if (rflags & RES_DONTTRUST) {
+ rflags &= ~RES_DONTTRUST;
+ appendstr(rfs, sizeof rfs, "notrust");
+ }
+
+ if (rflags & RES_VERSION) {
+ rflags &= ~RES_VERSION;
+ appendstr(rfs, sizeof rfs, "version");
+ }
+
+ if (rflags) {
+ char string[10];
+
+ snprintf(string, sizeof string, "%0x", rflags);
+ appendstr(rfs, sizeof rfs, string);
+ }
+
+ if ('\0' == rfs[0]) {
+ appendstr(rfs, sizeof rfs, "(none)");
+ }
+
+ return rfs;
+}
+
+
+static void
+appendstr(
+ char *string,
+ size_t s,
+ char *new
+ )
+{
+ if (*string != '\0') {
+ (void)strlcat(string, ",", s);
+ }
+ (void)strlcat(string, new, s);
+
+ return;
+}
Index: contrib/ntp/ntpd/ntp_keyword.h
===================================================================
--- contrib/ntp/ntpd/ntp_keyword.h (版本 330566)
+++ contrib/ntp/ntpd/ntp_keyword.h (版本 330908)
@@ -2,7 +2,7 @@
* ntp_keyword.h
*
* NOTE: edit this file with caution, it is generated by keyword-gen.c
- * Generated 2016-11-09 11:39:28 UTC diff_ignore_line
+ * Generated 2018-01-14 03:53:33 UTC diff_ignore_line
*
*/
#include "ntp_scanner.h"
@@ -10,7 +10,7 @@
#define LOWEST_KEYWORD_ID 258
-const char * const keyword_text[196] = {
+const char * const keyword_text[200] = {
/* 0 258 T_Abbrev */ "abbrev",
/* 1 259 T_Age */ "age",
/* 2 260 T_All */ "all",
@@ -20,203 +20,207 @@
/* 6 264 T_Autokey */ "autokey",
/* 7 265 T_Automax */ "automax",
/* 8 266 T_Average */ "average",
- /* 9 267 T_Bclient */ "bclient",
- /* 10 268 T_Bcpollbstep */ "bcpollbstep",
- /* 11 269 T_Beacon */ "beacon",
- /* 12 270 T_Broadcast */ "broadcast",
- /* 13 271 T_Broadcastclient */ "broadcastclient",
- /* 14 272 T_Broadcastdelay */ "broadcastdelay",
- /* 15 273 T_Burst */ "burst",
- /* 16 274 T_Calibrate */ "calibrate",
- /* 17 275 T_Ceiling */ "ceiling",
- /* 18 276 T_Clockstats */ "clockstats",
- /* 19 277 T_Cohort */ "cohort",
- /* 20 278 T_ControlKey */ "controlkey",
- /* 21 279 T_Crypto */ "crypto",
- /* 22 280 T_Cryptostats */ "cryptostats",
- /* 23 281 T_Ctl */ "ctl",
- /* 24 282 T_Day */ "day",
- /* 25 283 T_Default */ "default",
- /* 26 284 T_Digest */ "digest",
- /* 27 285 T_Disable */ "disable",
- /* 28 286 T_Discard */ "discard",
- /* 29 287 T_Dispersion */ "dispersion",
- /* 30 288 T_Double */ NULL,
- /* 31 289 T_Driftfile */ "driftfile",
- /* 32 290 T_Drop */ "drop",
- /* 33 291 T_Dscp */ "dscp",
- /* 34 292 T_Ellipsis */ "...",
- /* 35 293 T_Enable */ "enable",
- /* 36 294 T_End */ "end",
- /* 37 295 T_False */ NULL,
- /* 38 296 T_File */ "file",
- /* 39 297 T_Filegen */ "filegen",
- /* 40 298 T_Filenum */ "filenum",
- /* 41 299 T_Flag1 */ "flag1",
- /* 42 300 T_Flag2 */ "flag2",
- /* 43 301 T_Flag3 */ "flag3",
- /* 44 302 T_Flag4 */ "flag4",
- /* 45 303 T_Flake */ "flake",
- /* 46 304 T_Floor */ "floor",
- /* 47 305 T_Freq */ "freq",
- /* 48 306 T_Fudge */ "fudge",
- /* 49 307 T_Host */ "host",
- /* 50 308 T_Huffpuff */ "huffpuff",
- /* 51 309 T_Iburst */ "iburst",
- /* 52 310 T_Ident */ "ident",
- /* 53 311 T_Ignore */ "ignore",
- /* 54 312 T_Incalloc */ "incalloc",
- /* 55 313 T_Incmem */ "incmem",
- /* 56 314 T_Initalloc */ "initalloc",
- /* 57 315 T_Initmem */ "initmem",
- /* 58 316 T_Includefile */ "includefile",
- /* 59 317 T_Integer */ NULL,
- /* 60 318 T_Interface */ "interface",
- /* 61 319 T_Intrange */ NULL,
- /* 62 320 T_Io */ "io",
- /* 63 321 T_Ipv4 */ "ipv4",
- /* 64 322 T_Ipv4_flag */ "-4",
- /* 65 323 T_Ipv6 */ "ipv6",
- /* 66 324 T_Ipv6_flag */ "-6",
- /* 67 325 T_Kernel */ "kernel",
- /* 68 326 T_Key */ "key",
- /* 69 327 T_Keys */ "keys",
- /* 70 328 T_Keysdir */ "keysdir",
- /* 71 329 T_Kod */ "kod",
- /* 72 330 T_Mssntp */ "mssntp",
- /* 73 331 T_Leapfile */ "leapfile",
- /* 74 332 T_Leapsmearinterval */ "leapsmearinterval",
- /* 75 333 T_Limited */ "limited",
- /* 76 334 T_Link */ "link",
- /* 77 335 T_Listen */ "listen",
- /* 78 336 T_Logconfig */ "logconfig",
- /* 79 337 T_Logfile */ "logfile",
- /* 80 338 T_Loopstats */ "loopstats",
- /* 81 339 T_Lowpriotrap */ "lowpriotrap",
- /* 82 340 T_Manycastclient */ "manycastclient",
- /* 83 341 T_Manycastserver */ "manycastserver",
- /* 84 342 T_Mask */ "mask",
- /* 85 343 T_Maxage */ "maxage",
- /* 86 344 T_Maxclock */ "maxclock",
- /* 87 345 T_Maxdepth */ "maxdepth",
- /* 88 346 T_Maxdist */ "maxdist",
- /* 89 347 T_Maxmem */ "maxmem",
- /* 90 348 T_Maxpoll */ "maxpoll",
- /* 91 349 T_Mdnstries */ "mdnstries",
- /* 92 350 T_Mem */ "mem",
- /* 93 351 T_Memlock */ "memlock",
- /* 94 352 T_Minclock */ "minclock",
- /* 95 353 T_Mindepth */ "mindepth",
- /* 96 354 T_Mindist */ "mindist",
- /* 97 355 T_Minimum */ "minimum",
- /* 98 356 T_Minpoll */ "minpoll",
- /* 99 357 T_Minsane */ "minsane",
- /* 100 358 T_Mode */ "mode",
- /* 101 359 T_Mode7 */ "mode7",
- /* 102 360 T_Monitor */ "monitor",
- /* 103 361 T_Month */ "month",
- /* 104 362 T_Mru */ "mru",
- /* 105 363 T_Multicastclient */ "multicastclient",
- /* 106 364 T_Nic */ "nic",
- /* 107 365 T_Nolink */ "nolink",
- /* 108 366 T_Nomodify */ "nomodify",
- /* 109 367 T_Nomrulist */ "nomrulist",
- /* 110 368 T_None */ "none",
- /* 111 369 T_Nonvolatile */ "nonvolatile",
- /* 112 370 T_Nopeer */ "nopeer",
- /* 113 371 T_Noquery */ "noquery",
- /* 114 372 T_Noselect */ "noselect",
- /* 115 373 T_Noserve */ "noserve",
- /* 116 374 T_Notrap */ "notrap",
- /* 117 375 T_Notrust */ "notrust",
- /* 118 376 T_Ntp */ "ntp",
- /* 119 377 T_Ntpport */ "ntpport",
- /* 120 378 T_NtpSignDsocket */ "ntpsigndsocket",
- /* 121 379 T_Orphan */ "orphan",
- /* 122 380 T_Orphanwait */ "orphanwait",
- /* 123 381 T_PCEdigest */ "peer_clear_digest_early",
- /* 124 382 T_Panic */ "panic",
- /* 125 383 T_Peer */ "peer",
- /* 126 384 T_Peerstats */ "peerstats",
- /* 127 385 T_Phone */ "phone",
- /* 128 386 T_Pid */ "pid",
- /* 129 387 T_Pidfile */ "pidfile",
- /* 130 388 T_Pool */ "pool",
- /* 131 389 T_Port */ "port",
- /* 132 390 T_Preempt */ "preempt",
- /* 133 391 T_Prefer */ "prefer",
- /* 134 392 T_Protostats */ "protostats",
- /* 135 393 T_Pw */ "pw",
- /* 136 394 T_Randfile */ "randfile",
- /* 137 395 T_Rawstats */ "rawstats",
- /* 138 396 T_Refid */ "refid",
- /* 139 397 T_Requestkey */ "requestkey",
- /* 140 398 T_Reset */ "reset",
- /* 141 399 T_Restrict */ "restrict",
- /* 142 400 T_Revoke */ "revoke",
- /* 143 401 T_Rlimit */ "rlimit",
- /* 144 402 T_Saveconfigdir */ "saveconfigdir",
- /* 145 403 T_Server */ "server",
- /* 146 404 T_Setvar */ "setvar",
- /* 147 405 T_Source */ "source",
- /* 148 406 T_Stacksize */ "stacksize",
- /* 149 407 T_Statistics */ "statistics",
- /* 150 408 T_Stats */ "stats",
- /* 151 409 T_Statsdir */ "statsdir",
- /* 152 410 T_Step */ "step",
- /* 153 411 T_Stepback */ "stepback",
- /* 154 412 T_Stepfwd */ "stepfwd",
- /* 155 413 T_Stepout */ "stepout",
- /* 156 414 T_Stratum */ "stratum",
- /* 157 415 T_String */ NULL,
- /* 158 416 T_Sys */ "sys",
- /* 159 417 T_Sysstats */ "sysstats",
- /* 160 418 T_Tick */ "tick",
- /* 161 419 T_Time1 */ "time1",
- /* 162 420 T_Time2 */ "time2",
- /* 163 421 T_Timer */ "timer",
- /* 164 422 T_Timingstats */ "timingstats",
- /* 165 423 T_Tinker */ "tinker",
- /* 166 424 T_Tos */ "tos",
- /* 167 425 T_Trap */ "trap",
- /* 168 426 T_True */ "true",
- /* 169 427 T_Trustedkey */ "trustedkey",
- /* 170 428 T_Ttl */ "ttl",
- /* 171 429 T_Type */ "type",
- /* 172 430 T_U_int */ NULL,
- /* 173 431 T_UEcrypto */ "unpeer_crypto_early",
- /* 174 432 T_UEcryptonak */ "unpeer_crypto_nak_early",
- /* 175 433 T_UEdigest */ "unpeer_digest_early",
- /* 176 434 T_Unconfig */ "unconfig",
- /* 177 435 T_Unpeer */ "unpeer",
- /* 178 436 T_Version */ "version",
- /* 179 437 T_WanderThreshold */ NULL,
- /* 180 438 T_Week */ "week",
- /* 181 439 T_Wildcard */ "wildcard",
- /* 182 440 T_Xleave */ "xleave",
- /* 183 441 T_Year */ "year",
- /* 184 442 T_Flag */ NULL,
- /* 185 443 T_EOC */ NULL,
- /* 186 444 T_Simulate */ "simulate",
- /* 187 445 T_Beep_Delay */ "beep_delay",
- /* 188 446 T_Sim_Duration */ "simulation_duration",
- /* 189 447 T_Server_Offset */ "server_offset",
- /* 190 448 T_Duration */ "duration",
- /* 191 449 T_Freq_Offset */ "freq_offset",
- /* 192 450 T_Wander */ "wander",
- /* 193 451 T_Jitter */ "jitter",
- /* 194 452 T_Prop_Delay */ "prop_delay",
- /* 195 453 T_Proc_Delay */ "proc_delay"
+ /* 9 267 T_Basedate */ "basedate",
+ /* 10 268 T_Bclient */ "bclient",
+ /* 11 269 T_Bcpollbstep */ "bcpollbstep",
+ /* 12 270 T_Beacon */ "beacon",
+ /* 13 271 T_Broadcast */ "broadcast",
+ /* 14 272 T_Broadcastclient */ "broadcastclient",
+ /* 15 273 T_Broadcastdelay */ "broadcastdelay",
+ /* 16 274 T_Burst */ "burst",
+ /* 17 275 T_Calibrate */ "calibrate",
+ /* 18 276 T_Ceiling */ "ceiling",
+ /* 19 277 T_Clockstats */ "clockstats",
+ /* 20 278 T_Cohort */ "cohort",
+ /* 21 279 T_ControlKey */ "controlkey",
+ /* 22 280 T_Crypto */ "crypto",
+ /* 23 281 T_Cryptostats */ "cryptostats",
+ /* 24 282 T_Ctl */ "ctl",
+ /* 25 283 T_Day */ "day",
+ /* 26 284 T_Default */ "default",
+ /* 27 285 T_Digest */ "digest",
+ /* 28 286 T_Disable */ "disable",
+ /* 29 287 T_Discard */ "discard",
+ /* 30 288 T_Dispersion */ "dispersion",
+ /* 31 289 T_Double */ NULL,
+ /* 32 290 T_Driftfile */ "driftfile",
+ /* 33 291 T_Drop */ "drop",
+ /* 34 292 T_Dscp */ "dscp",
+ /* 35 293 T_Ellipsis */ "...",
+ /* 36 294 T_Enable */ "enable",
+ /* 37 295 T_End */ "end",
+ /* 38 296 T_Epeer */ "epeer",
+ /* 39 297 T_False */ NULL,
+ /* 40 298 T_File */ "file",
+ /* 41 299 T_Filegen */ "filegen",
+ /* 42 300 T_Filenum */ "filenum",
+ /* 43 301 T_Flag1 */ "flag1",
+ /* 44 302 T_Flag2 */ "flag2",
+ /* 45 303 T_Flag3 */ "flag3",
+ /* 46 304 T_Flag4 */ "flag4",
+ /* 47 305 T_Flake */ "flake",
+ /* 48 306 T_Floor */ "floor",
+ /* 49 307 T_Freq */ "freq",
+ /* 50 308 T_Fudge */ "fudge",
+ /* 51 309 T_Host */ "host",
+ /* 52 310 T_Huffpuff */ "huffpuff",
+ /* 53 311 T_Iburst */ "iburst",
+ /* 54 312 T_Ident */ "ident",
+ /* 55 313 T_Ignore */ "ignore",
+ /* 56 314 T_Incalloc */ "incalloc",
+ /* 57 315 T_Incmem */ "incmem",
+ /* 58 316 T_Initalloc */ "initalloc",
+ /* 59 317 T_Initmem */ "initmem",
+ /* 60 318 T_Includefile */ "includefile",
+ /* 61 319 T_Integer */ NULL,
+ /* 62 320 T_Interface */ "interface",
+ /* 63 321 T_Intrange */ NULL,
+ /* 64 322 T_Io */ "io",
+ /* 65 323 T_Ippeerlimit */ "ippeerlimit",
+ /* 66 324 T_Ipv4 */ "ipv4",
+ /* 67 325 T_Ipv4_flag */ "-4",
+ /* 68 326 T_Ipv6 */ "ipv6",
+ /* 69 327 T_Ipv6_flag */ "-6",
+ /* 70 328 T_Kernel */ "kernel",
+ /* 71 329 T_Key */ "key",
+ /* 72 330 T_Keys */ "keys",
+ /* 73 331 T_Keysdir */ "keysdir",
+ /* 74 332 T_Kod */ "kod",
+ /* 75 333 T_Mssntp */ "mssntp",
+ /* 76 334 T_Leapfile */ "leapfile",
+ /* 77 335 T_Leapsmearinterval */ "leapsmearinterval",
+ /* 78 336 T_Limited */ "limited",
+ /* 79 337 T_Link */ "link",
+ /* 80 338 T_Listen */ "listen",
+ /* 81 339 T_Logconfig */ "logconfig",
+ /* 82 340 T_Logfile */ "logfile",
+ /* 83 341 T_Loopstats */ "loopstats",
+ /* 84 342 T_Lowpriotrap */ "lowpriotrap",
+ /* 85 343 T_Manycastclient */ "manycastclient",
+ /* 86 344 T_Manycastserver */ "manycastserver",
+ /* 87 345 T_Mask */ "mask",
+ /* 88 346 T_Maxage */ "maxage",
+ /* 89 347 T_Maxclock */ "maxclock",
+ /* 90 348 T_Maxdepth */ "maxdepth",
+ /* 91 349 T_Maxdist */ "maxdist",
+ /* 92 350 T_Maxmem */ "maxmem",
+ /* 93 351 T_Maxpoll */ "maxpoll",
+ /* 94 352 T_Mdnstries */ "mdnstries",
+ /* 95 353 T_Mem */ "mem",
+ /* 96 354 T_Memlock */ "memlock",
+ /* 97 355 T_Minclock */ "minclock",
+ /* 98 356 T_Mindepth */ "mindepth",
+ /* 99 357 T_Mindist */ "mindist",
+ /* 100 358 T_Minimum */ "minimum",
+ /* 101 359 T_Minpoll */ "minpoll",
+ /* 102 360 T_Minsane */ "minsane",
+ /* 103 361 T_Mode */ "mode",
+ /* 104 362 T_Mode7 */ "mode7",
+ /* 105 363 T_Monitor */ "monitor",
+ /* 106 364 T_Month */ "month",
+ /* 107 365 T_Mru */ "mru",
+ /* 108 366 T_Multicastclient */ "multicastclient",
+ /* 109 367 T_Nic */ "nic",
+ /* 110 368 T_Nolink */ "nolink",
+ /* 111 369 T_Nomodify */ "nomodify",
+ /* 112 370 T_Nomrulist */ "nomrulist",
+ /* 113 371 T_None */ "none",
+ /* 114 372 T_Nonvolatile */ "nonvolatile",
+ /* 115 373 T_Noepeer */ "noepeer",
+ /* 116 374 T_Nopeer */ "nopeer",
+ /* 117 375 T_Noquery */ "noquery",
+ /* 118 376 T_Noselect */ "noselect",
+ /* 119 377 T_Noserve */ "noserve",
+ /* 120 378 T_Notrap */ "notrap",
+ /* 121 379 T_Notrust */ "notrust",
+ /* 122 380 T_Ntp */ "ntp",
+ /* 123 381 T_Ntpport */ "ntpport",
+ /* 124 382 T_NtpSignDsocket */ "ntpsigndsocket",
+ /* 125 383 T_Orphan */ "orphan",
+ /* 126 384 T_Orphanwait */ "orphanwait",
+ /* 127 385 T_PCEdigest */ "peer_clear_digest_early",
+ /* 128 386 T_Panic */ "panic",
+ /* 129 387 T_Peer */ "peer",
+ /* 130 388 T_Peerstats */ "peerstats",
+ /* 131 389 T_Phone */ "phone",
+ /* 132 390 T_Pid */ "pid",
+ /* 133 391 T_Pidfile */ "pidfile",
+ /* 134 392 T_Pool */ "pool",
+ /* 135 393 T_Port */ "port",
+ /* 136 394 T_Preempt */ "preempt",
+ /* 137 395 T_Prefer */ "prefer",
+ /* 138 396 T_Protostats */ "protostats",
+ /* 139 397 T_Pw */ "pw",
+ /* 140 398 T_Randfile */ "randfile",
+ /* 141 399 T_Rawstats */ "rawstats",
+ /* 142 400 T_Refid */ "refid",
+ /* 143 401 T_Requestkey */ "requestkey",
+ /* 144 402 T_Reset */ "reset",
+ /* 145 403 T_Restrict */ "restrict",
+ /* 146 404 T_Revoke */ "revoke",
+ /* 147 405 T_Rlimit */ "rlimit",
+ /* 148 406 T_Saveconfigdir */ "saveconfigdir",
+ /* 149 407 T_Server */ "server",
+ /* 150 408 T_Setvar */ "setvar",
+ /* 151 409 T_Source */ "source",
+ /* 152 410 T_Stacksize */ "stacksize",
+ /* 153 411 T_Statistics */ "statistics",
+ /* 154 412 T_Stats */ "stats",
+ /* 155 413 T_Statsdir */ "statsdir",
+ /* 156 414 T_Step */ "step",
+ /* 157 415 T_Stepback */ "stepback",
+ /* 158 416 T_Stepfwd */ "stepfwd",
+ /* 159 417 T_Stepout */ "stepout",
+ /* 160 418 T_Stratum */ "stratum",
+ /* 161 419 T_String */ NULL,
+ /* 162 420 T_Sys */ "sys",
+ /* 163 421 T_Sysstats */ "sysstats",
+ /* 164 422 T_Tick */ "tick",
+ /* 165 423 T_Time1 */ "time1",
+ /* 166 424 T_Time2 */ "time2",
+ /* 167 425 T_Timer */ "timer",
+ /* 168 426 T_Timingstats */ "timingstats",
+ /* 169 427 T_Tinker */ "tinker",
+ /* 170 428 T_Tos */ "tos",
+ /* 171 429 T_Trap */ "trap",
+ /* 172 430 T_True */ "true",
+ /* 173 431 T_Trustedkey */ "trustedkey",
+ /* 174 432 T_Ttl */ "ttl",
+ /* 175 433 T_Type */ "type",
+ /* 176 434 T_U_int */ NULL,
+ /* 177 435 T_UEcrypto */ "unpeer_crypto_early",
+ /* 178 436 T_UEcryptonak */ "unpeer_crypto_nak_early",
+ /* 179 437 T_UEdigest */ "unpeer_digest_early",
+ /* 180 438 T_Unconfig */ "unconfig",
+ /* 181 439 T_Unpeer */ "unpeer",
+ /* 182 440 T_Version */ "version",
+ /* 183 441 T_WanderThreshold */ NULL,
+ /* 184 442 T_Week */ "week",
+ /* 185 443 T_Wildcard */ "wildcard",
+ /* 186 444 T_Xleave */ "xleave",
+ /* 187 445 T_Year */ "year",
+ /* 188 446 T_Flag */ NULL,
+ /* 189 447 T_EOC */ NULL,
+ /* 190 448 T_Simulate */ "simulate",
+ /* 191 449 T_Beep_Delay */ "beep_delay",
+ /* 192 450 T_Sim_Duration */ "simulation_duration",
+ /* 193 451 T_Server_Offset */ "server_offset",
+ /* 194 452 T_Duration */ "duration",
+ /* 195 453 T_Freq_Offset */ "freq_offset",
+ /* 196 454 T_Wander */ "wander",
+ /* 197 455 T_Jitter */ "jitter",
+ /* 198 456 T_Prop_Delay */ "prop_delay",
+ /* 199 457 T_Proc_Delay */ "proc_delay"
};
-#define SCANNER_INIT_S 915
+#define SCANNER_INIT_S 940
-const scan_state sst[918] = {
+const scan_state sst[943] = {
/*SS_T( ch, f-by, match, other ), */
0, /* 0 */
- S_ST( '-', 3, 324, 0 ), /* 1 */
+ S_ST( '-', 3, 327, 0 ), /* 1 */
S_ST( '.', 3, 3, 1 ), /* 2 */
- S_ST( '.', 3, 292, 0 ), /* 3 . */
+ S_ST( '.', 3, 293, 0 ), /* 3 . */
S_ST( 'a', 3, 23, 2 ), /* 4 */
S_ST( 'b', 3, 6, 0 ), /* 5 a */
S_ST( 'b', 3, 7, 0 ), /* 6 ab */
@@ -241,236 +245,236 @@
S_ST( 'r', 3, 26, 0 ), /* 25 ave */
S_ST( 'a', 3, 27, 0 ), /* 26 aver */
S_ST( 'g', 3, 266, 0 ), /* 27 avera */
- S_ST( 'b', 3, 69, 4 ), /* 28 */
- S_ST( 'c', 3, 34, 0 ), /* 29 b */
- S_ST( 'l', 3, 31, 0 ), /* 30 bc */
- S_ST( 'i', 3, 32, 0 ), /* 31 bcl */
- S_ST( 'e', 3, 33, 0 ), /* 32 bcli */
- S_ST( 'n', 3, 267, 0 ), /* 33 bclie */
- S_ST( 'p', 3, 35, 30 ), /* 34 bc */
- S_ST( 'o', 3, 36, 0 ), /* 35 bcp */
- S_ST( 'l', 3, 37, 0 ), /* 36 bcpo */
- S_ST( 'l', 3, 38, 0 ), /* 37 bcpol */
- S_ST( 'b', 3, 39, 0 ), /* 38 bcpoll */
- S_ST( 's', 3, 40, 0 ), /* 39 bcpollb */
- S_ST( 't', 3, 41, 0 ), /* 40 bcpollbs */
- S_ST( 'e', 3, 268, 0 ), /* 41 bcpollbst */
- S_ST( 'e', 3, 46, 29 ), /* 42 b */
- S_ST( 'a', 3, 44, 0 ), /* 43 be */
- S_ST( 'c', 3, 45, 0 ), /* 44 bea */
- S_ST( 'o', 3, 269, 0 ), /* 45 beac */
- S_ST( 'e', 3, 47, 43 ), /* 46 be */
- S_ST( 'p', 3, 48, 0 ), /* 47 bee */
- S_ST( '_', 3, 49, 0 ), /* 48 beep */
- S_ST( 'd', 3, 50, 0 ), /* 49 beep_ */
- S_ST( 'e', 3, 51, 0 ), /* 50 beep_d */
- S_ST( 'l', 3, 52, 0 ), /* 51 beep_de */
- S_ST( 'a', 3, 445, 0 ), /* 52 beep_del */
- S_ST( 'r', 3, 54, 42 ), /* 53 b */
- S_ST( 'o', 3, 55, 0 ), /* 54 br */
- S_ST( 'a', 3, 56, 0 ), /* 55 bro */
- S_ST( 'd', 3, 57, 0 ), /* 56 broa */
- S_ST( 'c', 3, 58, 0 ), /* 57 broad */
- S_ST( 'a', 3, 59, 0 ), /* 58 broadc */
- S_ST( 's', 3, 270, 0 ), /* 59 broadca */
- S_ST( 'c', 3, 61, 0 ), /* 60 broadcast */
- S_ST( 'l', 3, 62, 0 ), /* 61 broadcastc */
- S_ST( 'i', 3, 63, 0 ), /* 62 broadcastcl */
- S_ST( 'e', 3, 64, 0 ), /* 63 broadcastcli */
- S_ST( 'n', 3, 271, 0 ), /* 64 broadcastclie */
- S_ST( 'd', 3, 66, 60 ), /* 65 broadcast */
- S_ST( 'e', 3, 67, 0 ), /* 66 broadcastd */
- S_ST( 'l', 3, 68, 0 ), /* 67 broadcastde */
- S_ST( 'a', 3, 272, 0 ), /* 68 broadcastdel */
- S_ST( 'u', 3, 70, 53 ), /* 69 b */
- S_ST( 'r', 3, 71, 0 ), /* 70 bu */
- S_ST( 's', 3, 273, 0 ), /* 71 bur */
- S_ST( 'c', 3, 112, 28 ), /* 72 */
- S_ST( 'a', 3, 74, 0 ), /* 73 c */
- S_ST( 'l', 3, 75, 0 ), /* 74 ca */
- S_ST( 'i', 3, 76, 0 ), /* 75 cal */
- S_ST( 'b', 3, 77, 0 ), /* 76 cali */
- S_ST( 'r', 3, 78, 0 ), /* 77 calib */
- S_ST( 'a', 3, 79, 0 ), /* 78 calibr */
- S_ST( 't', 3, 274, 0 ), /* 79 calibra */
- S_ST( 'e', 3, 81, 73 ), /* 80 c */
- S_ST( 'i', 3, 82, 0 ), /* 81 ce */
- S_ST( 'l', 3, 83, 0 ), /* 82 cei */
- S_ST( 'i', 3, 84, 0 ), /* 83 ceil */
- S_ST( 'n', 3, 275, 0 ), /* 84 ceili */
- S_ST( 'l', 3, 86, 80 ), /* 85 c */
- S_ST( 'o', 3, 87, 0 ), /* 86 cl */
- S_ST( 'c', 3, 88, 0 ), /* 87 clo */
- S_ST( 'k', 3, 89, 0 ), /* 88 cloc */
- S_ST( 's', 3, 90, 0 ), /* 89 clock */
- S_ST( 't', 3, 91, 0 ), /* 90 clocks */
- S_ST( 'a', 3, 92, 0 ), /* 91 clockst */
- S_ST( 't', 3, 276, 0 ), /* 92 clocksta */
- S_ST( 'o', 3, 97, 85 ), /* 93 c */
- S_ST( 'h', 3, 95, 0 ), /* 94 co */
- S_ST( 'o', 3, 96, 0 ), /* 95 coh */
- S_ST( 'r', 3, 277, 0 ), /* 96 coho */
- S_ST( 'n', 3, 98, 94 ), /* 97 co */
- S_ST( 't', 3, 99, 0 ), /* 98 con */
- S_ST( 'r', 3, 100, 0 ), /* 99 cont */
- S_ST( 'o', 3, 101, 0 ), /* 100 contr */
- S_ST( 'l', 3, 102, 0 ), /* 101 contro */
- S_ST( 'k', 3, 103, 0 ), /* 102 control */
- S_ST( 'e', 3, 278, 0 ), /* 103 controlk */
- S_ST( 'r', 3, 105, 93 ), /* 104 c */
- S_ST( 'y', 3, 106, 0 ), /* 105 cr */
- S_ST( 'p', 3, 107, 0 ), /* 106 cry */
- S_ST( 't', 3, 279, 0 ), /* 107 cryp */
- S_ST( 's', 3, 109, 0 ), /* 108 crypto */
- S_ST( 't', 3, 110, 0 ), /* 109 cryptos */
- S_ST( 'a', 3, 111, 0 ), /* 110 cryptost */
- S_ST( 't', 3, 280, 0 ), /* 111 cryptosta */
- S_ST( 't', 3, 281, 104 ), /* 112 c */
- S_ST( 'd', 3, 147, 72 ), /* 113 */
- S_ST( 'a', 3, 282, 0 ), /* 114 d */
- S_ST( 'e', 3, 116, 114 ), /* 115 d */
- S_ST( 'f', 3, 117, 0 ), /* 116 de */
- S_ST( 'a', 3, 118, 0 ), /* 117 def */
- S_ST( 'u', 3, 119, 0 ), /* 118 defa */
- S_ST( 'l', 3, 283, 0 ), /* 119 defau */
- S_ST( 'i', 3, 124, 115 ), /* 120 d */
- S_ST( 'g', 3, 122, 0 ), /* 121 di */
- S_ST( 'e', 3, 123, 0 ), /* 122 dig */
- S_ST( 's', 3, 284, 0 ), /* 123 dige */
- S_ST( 's', 3, 131, 121 ), /* 124 di */
- S_ST( 'a', 3, 126, 0 ), /* 125 dis */
- S_ST( 'b', 3, 127, 0 ), /* 126 disa */
- S_ST( 'l', 3, 285, 0 ), /* 127 disab */
- S_ST( 'c', 3, 129, 125 ), /* 128 dis */
- S_ST( 'a', 3, 130, 0 ), /* 129 disc */
- S_ST( 'r', 3, 286, 0 ), /* 130 disca */
- S_ST( 'p', 3, 132, 128 ), /* 131 dis */
- S_ST( 'e', 3, 133, 0 ), /* 132 disp */
- S_ST( 'r', 3, 134, 0 ), /* 133 dispe */
- S_ST( 's', 3, 135, 0 ), /* 134 disper */
- S_ST( 'i', 3, 136, 0 ), /* 135 dispers */
- S_ST( 'o', 3, 287, 0 ), /* 136 dispersi */
- S_ST( 'r', 3, 144, 120 ), /* 137 d */
- S_ST( 'i', 3, 139, 0 ), /* 138 dr */
- S_ST( 'f', 3, 140, 0 ), /* 139 dri */
- S_ST( 't', 3, 141, 0 ), /* 140 drif */
- S_ST( 'f', 3, 142, 0 ), /* 141 drift */
- S_ST( 'i', 3, 143, 0 ), /* 142 driftf */
- S_ST( 'l', 3, 289, 0 ), /* 143 driftfi */
- S_ST( 'o', 3, 290, 138 ), /* 144 dr */
- S_ST( 's', 3, 146, 137 ), /* 145 d */
- S_ST( 'c', 3, 291, 0 ), /* 146 ds */
- S_ST( 'u', 3, 148, 145 ), /* 147 d */
- S_ST( 'r', 3, 149, 0 ), /* 148 du */
- S_ST( 'a', 3, 150, 0 ), /* 149 dur */
- S_ST( 't', 3, 151, 0 ), /* 150 dura */
- S_ST( 'i', 3, 152, 0 ), /* 151 durat */
- S_ST( 'o', 3, 448, 0 ), /* 152 durati */
- S_ST( 'e', 3, 154, 113 ), /* 153 */
- S_ST( 'n', 3, 294, 0 ), /* 154 e */
- S_ST( 'a', 3, 156, 0 ), /* 155 en */
- S_ST( 'b', 3, 157, 0 ), /* 156 ena */
- S_ST( 'l', 3, 293, 0 ), /* 157 enab */
- S_ST( 'f', 3, 179, 153 ), /* 158 */
- S_ST( 'i', 3, 160, 0 ), /* 159 f */
- S_ST( 'l', 3, 296, 0 ), /* 160 fi */
- S_ST( 'g', 3, 162, 0 ), /* 161 file */
- S_ST( 'e', 3, 297, 0 ), /* 162 fileg */
- S_ST( 'n', 3, 164, 161 ), /* 163 file */
- S_ST( 'u', 3, 298, 0 ), /* 164 filen */
- S_ST( 'l', 3, 169, 159 ), /* 165 f */
- S_ST( 'a', 3, 168, 0 ), /* 166 fl */
- S_ST( 'g', 3, 302, 0 ), /* 167 fla */
- S_ST( 'k', 3, 303, 167 ), /* 168 fla */
- S_ST( 'o', 3, 170, 166 ), /* 169 fl */
- S_ST( 'o', 3, 304, 0 ), /* 170 flo */
- S_ST( 'r', 3, 172, 165 ), /* 171 f */
- S_ST( 'e', 3, 305, 0 ), /* 172 fr */
- S_ST( '_', 3, 174, 0 ), /* 173 freq */
- S_ST( 'o', 3, 175, 0 ), /* 174 freq_ */
- S_ST( 'f', 3, 176, 0 ), /* 175 freq_o */
- S_ST( 'f', 3, 177, 0 ), /* 176 freq_of */
- S_ST( 's', 3, 178, 0 ), /* 177 freq_off */
- S_ST( 'e', 3, 449, 0 ), /* 178 freq_offs */
- S_ST( 'u', 3, 180, 171 ), /* 179 f */
- S_ST( 'd', 3, 181, 0 ), /* 180 fu */
- S_ST( 'g', 3, 306, 0 ), /* 181 fud */
- S_ST( 'h', 3, 185, 158 ), /* 182 */
- S_ST( 'o', 3, 184, 0 ), /* 183 h */
- S_ST( 's', 3, 307, 0 ), /* 184 ho */
- S_ST( 'u', 3, 186, 183 ), /* 185 h */
- S_ST( 'f', 3, 187, 0 ), /* 186 hu */
- S_ST( 'f', 3, 188, 0 ), /* 187 huf */
- S_ST( 'p', 3, 189, 0 ), /* 188 huff */
- S_ST( 'u', 3, 190, 0 ), /* 189 huffp */
- S_ST( 'f', 3, 308, 0 ), /* 190 huffpu */
- S_ST( 'i', 3, 232, 182 ), /* 191 */
- S_ST( 'b', 3, 193, 0 ), /* 192 i */
- S_ST( 'u', 3, 194, 0 ), /* 193 ib */
- S_ST( 'r', 3, 195, 0 ), /* 194 ibu */
- S_ST( 's', 3, 309, 0 ), /* 195 ibur */
- S_ST( 'd', 3, 197, 192 ), /* 196 i */
- S_ST( 'e', 3, 198, 0 ), /* 197 id */
- S_ST( 'n', 3, 310, 0 ), /* 198 ide */
- S_ST( 'g', 3, 200, 196 ), /* 199 i */
- S_ST( 'n', 3, 201, 0 ), /* 200 ig */
- S_ST( 'o', 3, 202, 0 ), /* 201 ign */
- S_ST( 'r', 3, 311, 0 ), /* 202 igno */
- S_ST( 'n', 3, 226, 199 ), /* 203 i */
- S_ST( 'c', 3, 216, 0 ), /* 204 in */
- S_ST( 'a', 3, 206, 0 ), /* 205 inc */
- S_ST( 'l', 3, 207, 0 ), /* 206 inca */
- S_ST( 'l', 3, 208, 0 ), /* 207 incal */
- S_ST( 'o', 3, 312, 0 ), /* 208 incall */
- S_ST( 'l', 3, 210, 205 ), /* 209 inc */
- S_ST( 'u', 3, 211, 0 ), /* 210 incl */
- S_ST( 'd', 3, 212, 0 ), /* 211 inclu */
- S_ST( 'e', 3, 213, 0 ), /* 212 includ */
- S_ST( 'f', 3, 214, 0 ), /* 213 include */
- S_ST( 'i', 3, 215, 0 ), /* 214 includef */
- S_ST( 'l', 3, 316, 0 ), /* 215 includefi */
- S_ST( 'm', 3, 217, 209 ), /* 216 inc */
- S_ST( 'e', 3, 313, 0 ), /* 217 incm */
- S_ST( 'i', 3, 219, 204 ), /* 218 in */
- S_ST( 't', 3, 224, 0 ), /* 219 ini */
- S_ST( 'a', 3, 221, 0 ), /* 220 init */
- S_ST( 'l', 3, 222, 0 ), /* 221 inita */
- S_ST( 'l', 3, 223, 0 ), /* 222 inital */
- S_ST( 'o', 3, 314, 0 ), /* 223 initall */
- S_ST( 'm', 3, 225, 220 ), /* 224 init */
- S_ST( 'e', 3, 315, 0 ), /* 225 initm */
- S_ST( 't', 3, 227, 218 ), /* 226 in */
- S_ST( 'e', 3, 228, 0 ), /* 227 int */
- S_ST( 'r', 3, 229, 0 ), /* 228 inte */
- S_ST( 'f', 3, 230, 0 ), /* 229 inter */
- S_ST( 'a', 3, 231, 0 ), /* 230 interf */
- S_ST( 'c', 3, 318, 0 ), /* 231 interfa */
- S_ST( 'p', 3, 233, 320 ), /* 232 i */
- S_ST( 'v', 3, 323, 0 ), /* 233 ip */
- S_ST( 'j', 3, 235, 191 ), /* 234 */
- S_ST( 'i', 3, 236, 0 ), /* 235 j */
- S_ST( 't', 3, 237, 0 ), /* 236 ji */
- S_ST( 't', 3, 238, 0 ), /* 237 jit */
- S_ST( 'e', 3, 451, 0 ), /* 238 jitt */
- S_ST( 'k', 3, 246, 234 ), /* 239 */
- S_ST( 'e', 3, 326, 0 ), /* 240 k */
- S_ST( 'r', 3, 242, 0 ), /* 241 ke */
- S_ST( 'n', 3, 243, 0 ), /* 242 ker */
- S_ST( 'e', 3, 325, 0 ), /* 243 kern */
- S_ST( 'd', 3, 245, 0 ), /* 244 keys */
- S_ST( 'i', 3, 328, 0 ), /* 245 keysd */
- S_ST( 'o', 3, 329, 240 ), /* 246 k */
- S_ST( 'l', 3, 462, 239 ), /* 247 */
- S_ST( 'e', 3, 249, 0 ), /* 248 l */
- S_ST( 'a', 3, 250, 0 ), /* 249 le */
- S_ST( 'p', 3, 254, 0 ), /* 250 lea */
- S_ST( 'f', 3, 252, 0 ), /* 251 leap */
- S_ST( 'i', 3, 253, 0 ), /* 252 leapf */
- S_ST( 'l', 3, 331, 0 ), /* 253 leapfi */
- S_ST( 's', 3, 255, 251 ), /* 254 leap */
- S_ST( 'm', 3, 256, 0 ), /* 255 leaps */
- S_ST( 'e', 3, 257, 0 ), /* 256 leapsm */
- S_ST( 'a', 3, 288, 0 ), /* 257 leapsme */
+ S_ST( 'b', 3, 75, 4 ), /* 28 */
+ S_ST( 'a', 3, 30, 0 ), /* 29 b */
+ S_ST( 's', 3, 31, 0 ), /* 30 ba */
+ S_ST( 'e', 3, 32, 0 ), /* 31 bas */
+ S_ST( 'd', 3, 33, 0 ), /* 32 base */
+ S_ST( 'a', 3, 34, 0 ), /* 33 based */
+ S_ST( 't', 3, 267, 0 ), /* 34 baseda */
+ S_ST( 'c', 3, 40, 29 ), /* 35 b */
+ S_ST( 'l', 3, 37, 0 ), /* 36 bc */
+ S_ST( 'i', 3, 38, 0 ), /* 37 bcl */
+ S_ST( 'e', 3, 39, 0 ), /* 38 bcli */
+ S_ST( 'n', 3, 268, 0 ), /* 39 bclie */
+ S_ST( 'p', 3, 41, 36 ), /* 40 bc */
+ S_ST( 'o', 3, 42, 0 ), /* 41 bcp */
+ S_ST( 'l', 3, 43, 0 ), /* 42 bcpo */
+ S_ST( 'l', 3, 44, 0 ), /* 43 bcpol */
+ S_ST( 'b', 3, 45, 0 ), /* 44 bcpoll */
+ S_ST( 's', 3, 46, 0 ), /* 45 bcpollb */
+ S_ST( 't', 3, 47, 0 ), /* 46 bcpollbs */
+ S_ST( 'e', 3, 269, 0 ), /* 47 bcpollbst */
+ S_ST( 'e', 3, 52, 35 ), /* 48 b */
+ S_ST( 'a', 3, 50, 0 ), /* 49 be */
+ S_ST( 'c', 3, 51, 0 ), /* 50 bea */
+ S_ST( 'o', 3, 270, 0 ), /* 51 beac */
+ S_ST( 'e', 3, 53, 49 ), /* 52 be */
+ S_ST( 'p', 3, 54, 0 ), /* 53 bee */
+ S_ST( '_', 3, 55, 0 ), /* 54 beep */
+ S_ST( 'd', 3, 56, 0 ), /* 55 beep_ */
+ S_ST( 'e', 3, 57, 0 ), /* 56 beep_d */
+ S_ST( 'l', 3, 58, 0 ), /* 57 beep_de */
+ S_ST( 'a', 3, 449, 0 ), /* 58 beep_del */
+ S_ST( 'r', 3, 60, 48 ), /* 59 b */
+ S_ST( 'o', 3, 61, 0 ), /* 60 br */
+ S_ST( 'a', 3, 62, 0 ), /* 61 bro */
+ S_ST( 'd', 3, 63, 0 ), /* 62 broa */
+ S_ST( 'c', 3, 64, 0 ), /* 63 broad */
+ S_ST( 'a', 3, 65, 0 ), /* 64 broadc */
+ S_ST( 's', 3, 271, 0 ), /* 65 broadca */
+ S_ST( 'c', 3, 67, 0 ), /* 66 broadcast */
+ S_ST( 'l', 3, 68, 0 ), /* 67 broadcastc */
+ S_ST( 'i', 3, 69, 0 ), /* 68 broadcastcl */
+ S_ST( 'e', 3, 70, 0 ), /* 69 broadcastcli */
+ S_ST( 'n', 3, 272, 0 ), /* 70 broadcastclie */
+ S_ST( 'd', 3, 72, 66 ), /* 71 broadcast */
+ S_ST( 'e', 3, 73, 0 ), /* 72 broadcastd */
+ S_ST( 'l', 3, 74, 0 ), /* 73 broadcastde */
+ S_ST( 'a', 3, 273, 0 ), /* 74 broadcastdel */
+ S_ST( 'u', 3, 76, 59 ), /* 75 b */
+ S_ST( 'r', 3, 77, 0 ), /* 76 bu */
+ S_ST( 's', 3, 274, 0 ), /* 77 bur */
+ S_ST( 'c', 3, 118, 28 ), /* 78 */
+ S_ST( 'a', 3, 80, 0 ), /* 79 c */
+ S_ST( 'l', 3, 81, 0 ), /* 80 ca */
+ S_ST( 'i', 3, 82, 0 ), /* 81 cal */
+ S_ST( 'b', 3, 83, 0 ), /* 82 cali */
+ S_ST( 'r', 3, 84, 0 ), /* 83 calib */
+ S_ST( 'a', 3, 85, 0 ), /* 84 calibr */
+ S_ST( 't', 3, 275, 0 ), /* 85 calibra */
+ S_ST( 'e', 3, 87, 79 ), /* 86 c */
+ S_ST( 'i', 3, 88, 0 ), /* 87 ce */
+ S_ST( 'l', 3, 89, 0 ), /* 88 cei */
+ S_ST( 'i', 3, 90, 0 ), /* 89 ceil */
+ S_ST( 'n', 3, 276, 0 ), /* 90 ceili */
+ S_ST( 'l', 3, 92, 86 ), /* 91 c */
+ S_ST( 'o', 3, 93, 0 ), /* 92 cl */
+ S_ST( 'c', 3, 94, 0 ), /* 93 clo */
+ S_ST( 'k', 3, 95, 0 ), /* 94 cloc */
+ S_ST( 's', 3, 96, 0 ), /* 95 clock */
+ S_ST( 't', 3, 97, 0 ), /* 96 clocks */
+ S_ST( 'a', 3, 98, 0 ), /* 97 clockst */
+ S_ST( 't', 3, 277, 0 ), /* 98 clocksta */
+ S_ST( 'o', 3, 103, 91 ), /* 99 c */
+ S_ST( 'h', 3, 101, 0 ), /* 100 co */
+ S_ST( 'o', 3, 102, 0 ), /* 101 coh */
+ S_ST( 'r', 3, 278, 0 ), /* 102 coho */
+ S_ST( 'n', 3, 104, 100 ), /* 103 co */
+ S_ST( 't', 3, 105, 0 ), /* 104 con */
+ S_ST( 'r', 3, 106, 0 ), /* 105 cont */
+ S_ST( 'o', 3, 107, 0 ), /* 106 contr */
+ S_ST( 'l', 3, 108, 0 ), /* 107 contro */
+ S_ST( 'k', 3, 109, 0 ), /* 108 control */
+ S_ST( 'e', 3, 279, 0 ), /* 109 controlk */
+ S_ST( 'r', 3, 111, 99 ), /* 110 c */
+ S_ST( 'y', 3, 112, 0 ), /* 111 cr */
+ S_ST( 'p', 3, 113, 0 ), /* 112 cry */
+ S_ST( 't', 3, 280, 0 ), /* 113 cryp */
+ S_ST( 's', 3, 115, 0 ), /* 114 crypto */
+ S_ST( 't', 3, 116, 0 ), /* 115 cryptos */
+ S_ST( 'a', 3, 117, 0 ), /* 116 cryptost */
+ S_ST( 't', 3, 281, 0 ), /* 117 cryptosta */
+ S_ST( 't', 3, 282, 110 ), /* 118 c */
+ S_ST( 'd', 3, 153, 78 ), /* 119 */
+ S_ST( 'a', 3, 283, 0 ), /* 120 d */
+ S_ST( 'e', 3, 122, 120 ), /* 121 d */
+ S_ST( 'f', 3, 123, 0 ), /* 122 de */
+ S_ST( 'a', 3, 124, 0 ), /* 123 def */
+ S_ST( 'u', 3, 125, 0 ), /* 124 defa */
+ S_ST( 'l', 3, 284, 0 ), /* 125 defau */
+ S_ST( 'i', 3, 130, 121 ), /* 126 d */
+ S_ST( 'g', 3, 128, 0 ), /* 127 di */
+ S_ST( 'e', 3, 129, 0 ), /* 128 dig */
+ S_ST( 's', 3, 285, 0 ), /* 129 dige */
+ S_ST( 's', 3, 137, 127 ), /* 130 di */
+ S_ST( 'a', 3, 132, 0 ), /* 131 dis */
+ S_ST( 'b', 3, 133, 0 ), /* 132 disa */
+ S_ST( 'l', 3, 286, 0 ), /* 133 disab */
+ S_ST( 'c', 3, 135, 131 ), /* 134 dis */
+ S_ST( 'a', 3, 136, 0 ), /* 135 disc */
+ S_ST( 'r', 3, 287, 0 ), /* 136 disca */
+ S_ST( 'p', 3, 138, 134 ), /* 137 dis */
+ S_ST( 'e', 3, 139, 0 ), /* 138 disp */
+ S_ST( 'r', 3, 140, 0 ), /* 139 dispe */
+ S_ST( 's', 3, 141, 0 ), /* 140 disper */
+ S_ST( 'i', 3, 142, 0 ), /* 141 dispers */
+ S_ST( 'o', 3, 288, 0 ), /* 142 dispersi */
+ S_ST( 'r', 3, 150, 126 ), /* 143 d */
+ S_ST( 'i', 3, 145, 0 ), /* 144 dr */
+ S_ST( 'f', 3, 146, 0 ), /* 145 dri */
+ S_ST( 't', 3, 147, 0 ), /* 146 drif */
+ S_ST( 'f', 3, 148, 0 ), /* 147 drift */
+ S_ST( 'i', 3, 149, 0 ), /* 148 driftf */
+ S_ST( 'l', 3, 290, 0 ), /* 149 driftfi */
+ S_ST( 'o', 3, 291, 144 ), /* 150 dr */
+ S_ST( 's', 3, 152, 143 ), /* 151 d */
+ S_ST( 'c', 3, 292, 0 ), /* 152 ds */
+ S_ST( 'u', 3, 154, 151 ), /* 153 d */
+ S_ST( 'r', 3, 155, 0 ), /* 154 du */
+ S_ST( 'a', 3, 156, 0 ), /* 155 dur */
+ S_ST( 't', 3, 157, 0 ), /* 156 dura */
+ S_ST( 'i', 3, 158, 0 ), /* 157 durat */
+ S_ST( 'o', 3, 452, 0 ), /* 158 durati */
+ S_ST( 'e', 3, 164, 119 ), /* 159 */
+ S_ST( 'n', 3, 295, 0 ), /* 160 e */
+ S_ST( 'a', 3, 162, 0 ), /* 161 en */
+ S_ST( 'b', 3, 163, 0 ), /* 162 ena */
+ S_ST( 'l', 3, 294, 0 ), /* 163 enab */
+ S_ST( 'p', 3, 165, 160 ), /* 164 e */
+ S_ST( 'e', 3, 166, 0 ), /* 165 ep */
+ S_ST( 'e', 3, 296, 0 ), /* 166 epe */
+ S_ST( 'f', 3, 188, 159 ), /* 167 */
+ S_ST( 'i', 3, 169, 0 ), /* 168 f */
+ S_ST( 'l', 3, 298, 0 ), /* 169 fi */
+ S_ST( 'g', 3, 171, 0 ), /* 170 file */
+ S_ST( 'e', 3, 299, 0 ), /* 171 fileg */
+ S_ST( 'n', 3, 173, 170 ), /* 172 file */
+ S_ST( 'u', 3, 300, 0 ), /* 173 filen */
+ S_ST( 'l', 3, 178, 168 ), /* 174 f */
+ S_ST( 'a', 3, 177, 0 ), /* 175 fl */
+ S_ST( 'g', 3, 304, 0 ), /* 176 fla */
+ S_ST( 'k', 3, 305, 176 ), /* 177 fla */
+ S_ST( 'o', 3, 179, 175 ), /* 178 fl */
+ S_ST( 'o', 3, 306, 0 ), /* 179 flo */
+ S_ST( 'r', 3, 181, 174 ), /* 180 f */
+ S_ST( 'e', 3, 307, 0 ), /* 181 fr */
+ S_ST( '_', 3, 183, 0 ), /* 182 freq */
+ S_ST( 'o', 3, 184, 0 ), /* 183 freq_ */
+ S_ST( 'f', 3, 185, 0 ), /* 184 freq_o */
+ S_ST( 'f', 3, 186, 0 ), /* 185 freq_of */
+ S_ST( 's', 3, 187, 0 ), /* 186 freq_off */
+ S_ST( 'e', 3, 453, 0 ), /* 187 freq_offs */
+ S_ST( 'u', 3, 189, 180 ), /* 188 f */
+ S_ST( 'd', 3, 190, 0 ), /* 189 fu */
+ S_ST( 'g', 3, 308, 0 ), /* 190 fud */
+ S_ST( 'h', 3, 194, 167 ), /* 191 */
+ S_ST( 'o', 3, 193, 0 ), /* 192 h */
+ S_ST( 's', 3, 309, 0 ), /* 193 ho */
+ S_ST( 'u', 3, 195, 192 ), /* 194 h */
+ S_ST( 'f', 3, 196, 0 ), /* 195 hu */
+ S_ST( 'f', 3, 197, 0 ), /* 196 huf */
+ S_ST( 'p', 3, 198, 0 ), /* 197 huff */
+ S_ST( 'u', 3, 199, 0 ), /* 198 huffp */
+ S_ST( 'f', 3, 310, 0 ), /* 199 huffpu */
+ S_ST( 'i', 3, 241, 191 ), /* 200 */
+ S_ST( 'b', 3, 202, 0 ), /* 201 i */
+ S_ST( 'u', 3, 203, 0 ), /* 202 ib */
+ S_ST( 'r', 3, 204, 0 ), /* 203 ibu */
+ S_ST( 's', 3, 311, 0 ), /* 204 ibur */
+ S_ST( 'd', 3, 206, 201 ), /* 205 i */
+ S_ST( 'e', 3, 207, 0 ), /* 206 id */
+ S_ST( 'n', 3, 312, 0 ), /* 207 ide */
+ S_ST( 'g', 3, 209, 205 ), /* 208 i */
+ S_ST( 'n', 3, 210, 0 ), /* 209 ig */
+ S_ST( 'o', 3, 211, 0 ), /* 210 ign */
+ S_ST( 'r', 3, 313, 0 ), /* 211 igno */
+ S_ST( 'n', 3, 235, 208 ), /* 212 i */
+ S_ST( 'c', 3, 225, 0 ), /* 213 in */
+ S_ST( 'a', 3, 215, 0 ), /* 214 inc */
+ S_ST( 'l', 3, 216, 0 ), /* 215 inca */
+ S_ST( 'l', 3, 217, 0 ), /* 216 incal */
+ S_ST( 'o', 3, 314, 0 ), /* 217 incall */
+ S_ST( 'l', 3, 219, 214 ), /* 218 inc */
+ S_ST( 'u', 3, 220, 0 ), /* 219 incl */
+ S_ST( 'd', 3, 221, 0 ), /* 220 inclu */
+ S_ST( 'e', 3, 222, 0 ), /* 221 includ */
+ S_ST( 'f', 3, 223, 0 ), /* 222 include */
+ S_ST( 'i', 3, 224, 0 ), /* 223 includef */
+ S_ST( 'l', 3, 318, 0 ), /* 224 includefi */
+ S_ST( 'm', 3, 226, 218 ), /* 225 inc */
+ S_ST( 'e', 3, 315, 0 ), /* 226 incm */
+ S_ST( 'i', 3, 228, 213 ), /* 227 in */
+ S_ST( 't', 3, 233, 0 ), /* 228 ini */
+ S_ST( 'a', 3, 230, 0 ), /* 229 init */
+ S_ST( 'l', 3, 231, 0 ), /* 230 inita */
+ S_ST( 'l', 3, 232, 0 ), /* 231 inital */
+ S_ST( 'o', 3, 316, 0 ), /* 232 initall */
+ S_ST( 'm', 3, 234, 229 ), /* 233 init */
+ S_ST( 'e', 3, 317, 0 ), /* 234 initm */
+ S_ST( 't', 3, 236, 227 ), /* 235 in */
+ S_ST( 'e', 3, 237, 0 ), /* 236 int */
+ S_ST( 'r', 3, 238, 0 ), /* 237 inte */
+ S_ST( 'f', 3, 239, 0 ), /* 238 inter */
+ S_ST( 'a', 3, 240, 0 ), /* 239 interf */
+ S_ST( 'c', 3, 320, 0 ), /* 240 interfa */
+ S_ST( 'p', 3, 250, 322 ), /* 241 i */
+ S_ST( 'p', 3, 243, 0 ), /* 242 ip */
+ S_ST( 'e', 3, 244, 0 ), /* 243 ipp */
+ S_ST( 'e', 3, 245, 0 ), /* 244 ippe */
+ S_ST( 'r', 3, 246, 0 ), /* 245 ippee */
+ S_ST( 'l', 3, 247, 0 ), /* 246 ippeer */
+ S_ST( 'i', 3, 248, 0 ), /* 247 ippeerl */
+ S_ST( 'm', 3, 249, 0 ), /* 248 ippeerli */
+ S_ST( 'i', 3, 323, 0 ), /* 249 ippeerlim */
+ S_ST( 'v', 3, 326, 242 ), /* 250 ip */
+ S_ST( 'j', 3, 252, 200 ), /* 251 */
+ S_ST( 'i', 3, 253, 0 ), /* 252 j */
+ S_ST( 't', 3, 254, 0 ), /* 253 ji */
+ S_ST( 't', 3, 255, 0 ), /* 254 jit */
+ S_ST( 'e', 3, 455, 0 ), /* 255 jitt */
+ S_ST( 'k', 3, 434, 251 ), /* 256 */
+ S_ST( 'e', 3, 329, 0 ), /* 257 k */
S_ST( 'v', 1, 0, 0 ), /* 258 T_Abbrev */
S_ST( 'e', 0, 0, 0 ), /* 259 T_Age */
S_ST( 'l', 0, 12, 0 ), /* 260 T_All */
@@ -480,656 +484,681 @@
S_ST( 'y', 0, 0, 0 ), /* 264 T_Autokey */
S_ST( 'x', 0, 0, 0 ), /* 265 T_Automax */
S_ST( 'e', 0, 0, 0 ), /* 266 T_Average */
- S_ST( 't', 0, 0, 0 ), /* 267 T_Bclient */
- S_ST( 'p', 0, 0, 0 ), /* 268 T_Bcpollbstep */
- S_ST( 'n', 0, 0, 0 ), /* 269 T_Beacon */
- S_ST( 't', 1, 65, 0 ), /* 270 T_Broadcast */
- S_ST( 't', 0, 0, 0 ), /* 271 T_Broadcastclient */
- S_ST( 'y', 0, 0, 0 ), /* 272 T_Broadcastdelay */
- S_ST( 't', 0, 0, 0 ), /* 273 T_Burst */
- S_ST( 'e', 0, 0, 0 ), /* 274 T_Calibrate */
- S_ST( 'g', 0, 0, 0 ), /* 275 T_Ceiling */
- S_ST( 's', 0, 0, 0 ), /* 276 T_Clockstats */
- S_ST( 't', 0, 0, 0 ), /* 277 T_Cohort */
- S_ST( 'y', 0, 0, 0 ), /* 278 T_ControlKey */
- S_ST( 'o', 0, 108, 0 ), /* 279 T_Crypto */
- S_ST( 's', 0, 0, 0 ), /* 280 T_Cryptostats */
- S_ST( 'l', 0, 0, 0 ), /* 281 T_Ctl */
- S_ST( 'y', 0, 0, 0 ), /* 282 T_Day */
- S_ST( 't', 0, 0, 0 ), /* 283 T_Default */
- S_ST( 't', 1, 0, 0 ), /* 284 T_Digest */
- S_ST( 'e', 0, 0, 0 ), /* 285 T_Disable */
- S_ST( 'd', 0, 0, 0 ), /* 286 T_Discard */
- S_ST( 'n', 0, 0, 0 ), /* 287 T_Dispersion */
- S_ST( 'r', 3, 295, 0 ), /* 288 leapsmea */
- S_ST( 'e', 1, 0, 0 ), /* 289 T_Driftfile */
- S_ST( 'p', 0, 0, 0 ), /* 290 T_Drop */
- S_ST( 'p', 0, 0, 0 ), /* 291 T_Dscp */
- S_ST( '.', 0, 0, 0 ), /* 292 T_Ellipsis */
- S_ST( 'e', 0, 0, 0 ), /* 293 T_Enable */
- S_ST( 'd', 0, 0, 155 ), /* 294 T_End */
- S_ST( 'i', 3, 317, 0 ), /* 295 leapsmear */
- S_ST( 'e', 1, 163, 0 ), /* 296 T_File */
- S_ST( 'n', 0, 0, 0 ), /* 297 T_Filegen */
- S_ST( 'm', 0, 0, 0 ), /* 298 T_Filenum */
- S_ST( '1', 0, 0, 0 ), /* 299 T_Flag1 */
- S_ST( '2', 0, 0, 299 ), /* 300 T_Flag2 */
- S_ST( '3', 0, 0, 300 ), /* 301 T_Flag3 */
- S_ST( '4', 0, 0, 301 ), /* 302 T_Flag4 */
- S_ST( 'e', 0, 0, 0 ), /* 303 T_Flake */
- S_ST( 'r', 0, 0, 0 ), /* 304 T_Floor */
- S_ST( 'q', 0, 173, 0 ), /* 305 T_Freq */
- S_ST( 'e', 1, 0, 0 ), /* 306 T_Fudge */
- S_ST( 't', 1, 0, 0 ), /* 307 T_Host */
- S_ST( 'f', 0, 0, 0 ), /* 308 T_Huffpuff */
- S_ST( 't', 0, 0, 0 ), /* 309 T_Iburst */
- S_ST( 't', 1, 0, 0 ), /* 310 T_Ident */
- S_ST( 'e', 0, 0, 0 ), /* 311 T_Ignore */
- S_ST( 'c', 0, 0, 0 ), /* 312 T_Incalloc */
- S_ST( 'm', 0, 0, 0 ), /* 313 T_Incmem */
- S_ST( 'c', 0, 0, 0 ), /* 314 T_Initalloc */
- S_ST( 'm', 0, 0, 0 ), /* 315 T_Initmem */
- S_ST( 'e', 1, 0, 0 ), /* 316 T_Includefile */
- S_ST( 'n', 3, 319, 0 ), /* 317 leapsmeari */
- S_ST( 'e', 0, 0, 0 ), /* 318 T_Interface */
- S_ST( 't', 3, 415, 0 ), /* 319 leapsmearin */
- S_ST( 'o', 0, 0, 203 ), /* 320 T_Io */
- S_ST( '4', 0, 0, 0 ), /* 321 T_Ipv4 */
- S_ST( '4', 0, 0, 0 ), /* 322 T_Ipv4_flag */
- S_ST( '6', 0, 0, 321 ), /* 323 T_Ipv6 */
- S_ST( '6', 0, 0, 322 ), /* 324 T_Ipv6_flag */
- S_ST( 'l', 0, 0, 0 ), /* 325 T_Kernel */
- S_ST( 'y', 0, 327, 241 ), /* 326 T_Key */
- S_ST( 's', 1, 244, 0 ), /* 327 T_Keys */
- S_ST( 'r', 1, 0, 0 ), /* 328 T_Keysdir */
- S_ST( 'd', 0, 0, 0 ), /* 329 T_Kod */
- S_ST( 'p', 0, 0, 0 ), /* 330 T_Mssntp */
- S_ST( 'e', 1, 0, 0 ), /* 331 T_Leapfile */
- S_ST( 'l', 0, 0, 0 ), /* 332 T_Leapsmearinterval */
- S_ST( 'd', 0, 0, 0 ), /* 333 T_Limited */
- S_ST( 'k', 0, 0, 0 ), /* 334 T_Link */
- S_ST( 'n', 0, 0, 0 ), /* 335 T_Listen */
- S_ST( 'g', 2, 0, 0 ), /* 336 T_Logconfig */
- S_ST( 'e', 1, 0, 0 ), /* 337 T_Logfile */
- S_ST( 's', 0, 0, 0 ), /* 338 T_Loopstats */
- S_ST( 'p', 0, 0, 0 ), /* 339 T_Lowpriotrap */
- S_ST( 't', 1, 0, 0 ), /* 340 T_Manycastclient */
- S_ST( 'r', 2, 0, 0 ), /* 341 T_Manycastserver */
- S_ST( 'k', 0, 0, 0 ), /* 342 T_Mask */
- S_ST( 'e', 0, 0, 0 ), /* 343 T_Maxage */
- S_ST( 'k', 0, 0, 0 ), /* 344 T_Maxclock */
- S_ST( 'h', 0, 0, 0 ), /* 345 T_Maxdepth */
- S_ST( 't', 0, 0, 0 ), /* 346 T_Maxdist */
- S_ST( 'm', 0, 0, 0 ), /* 347 T_Maxmem */
- S_ST( 'l', 0, 0, 0 ), /* 348 T_Maxpoll */
- S_ST( 's', 0, 0, 0 ), /* 349 T_Mdnstries */
- S_ST( 'm', 0, 531, 0 ), /* 350 T_Mem */
- S_ST( 'k', 0, 0, 0 ), /* 351 T_Memlock */
- S_ST( 'k', 0, 0, 0 ), /* 352 T_Minclock */
- S_ST( 'h', 0, 0, 0 ), /* 353 T_Mindepth */
- S_ST( 't', 0, 0, 0 ), /* 354 T_Mindist */
- S_ST( 'm', 0, 0, 0 ), /* 355 T_Minimum */
- S_ST( 'l', 0, 0, 0 ), /* 356 T_Minpoll */
- S_ST( 'e', 0, 0, 0 ), /* 357 T_Minsane */
- S_ST( 'e', 0, 359, 0 ), /* 358 T_Mode */
- S_ST( '7', 0, 0, 0 ), /* 359 T_Mode7 */
- S_ST( 'r', 0, 0, 0 ), /* 360 T_Monitor */
- S_ST( 'h', 0, 0, 0 ), /* 361 T_Month */
- S_ST( 'u', 0, 0, 0 ), /* 362 T_Mru */
- S_ST( 't', 2, 0, 0 ), /* 363 T_Multicastclient */
- S_ST( 'c', 0, 0, 0 ), /* 364 T_Nic */
- S_ST( 'k', 0, 0, 0 ), /* 365 T_Nolink */
- S_ST( 'y', 0, 0, 0 ), /* 366 T_Nomodify */
- S_ST( 't', 0, 0, 0 ), /* 367 T_Nomrulist */
- S_ST( 'e', 0, 0, 0 ), /* 368 T_None */
- S_ST( 'e', 0, 0, 0 ), /* 369 T_Nonvolatile */
- S_ST( 'r', 0, 0, 0 ), /* 370 T_Nopeer */
- S_ST( 'y', 0, 0, 0 ), /* 371 T_Noquery */
- S_ST( 't', 0, 0, 0 ), /* 372 T_Noselect */
- S_ST( 'e', 0, 0, 0 ), /* 373 T_Noserve */
- S_ST( 'p', 0, 0, 0 ), /* 374 T_Notrap */
- S_ST( 't', 0, 0, 0 ), /* 375 T_Notrust */
- S_ST( 'p', 0, 627, 0 ), /* 376 T_Ntp */
- S_ST( 't', 0, 0, 0 ), /* 377 T_Ntpport */
- S_ST( 't', 1, 0, 0 ), /* 378 T_NtpSignDsocket */
- S_ST( 'n', 0, 642, 0 ), /* 379 T_Orphan */
- S_ST( 't', 0, 0, 0 ), /* 380 T_Orphanwait */
- S_ST( 'y', 0, 0, 0 ), /* 381 T_PCEdigest */
- S_ST( 'c', 0, 0, 0 ), /* 382 T_Panic */
- S_ST( 'r', 1, 669, 0 ), /* 383 T_Peer */
- S_ST( 's', 0, 0, 0 ), /* 384 T_Peerstats */
- S_ST( 'e', 2, 0, 0 ), /* 385 T_Phone */
- S_ST( 'd', 0, 677, 0 ), /* 386 T_Pid */
- S_ST( 'e', 1, 0, 0 ), /* 387 T_Pidfile */
- S_ST( 'l', 1, 0, 0 ), /* 388 T_Pool */
- S_ST( 't', 0, 0, 0 ), /* 389 T_Port */
- S_ST( 't', 0, 0, 0 ), /* 390 T_Preempt */
- S_ST( 'r', 0, 0, 0 ), /* 391 T_Prefer */
- S_ST( 's', 0, 0, 0 ), /* 392 T_Protostats */
- S_ST( 'w', 1, 0, 683 ), /* 393 T_Pw */
- S_ST( 'e', 1, 0, 0 ), /* 394 T_Randfile */
- S_ST( 's', 0, 0, 0 ), /* 395 T_Rawstats */
- S_ST( 'd', 1, 0, 0 ), /* 396 T_Refid */
- S_ST( 'y', 0, 0, 0 ), /* 397 T_Requestkey */
- S_ST( 't', 0, 0, 0 ), /* 398 T_Reset */
- S_ST( 't', 0, 0, 0 ), /* 399 T_Restrict */
- S_ST( 'e', 0, 0, 0 ), /* 400 T_Revoke */
- S_ST( 't', 0, 0, 0 ), /* 401 T_Rlimit */
- S_ST( 'r', 1, 0, 0 ), /* 402 T_Saveconfigdir */
- S_ST( 'r', 1, 760, 0 ), /* 403 T_Server */
- S_ST( 'r', 1, 0, 0 ), /* 404 T_Setvar */
- S_ST( 'e', 0, 0, 0 ), /* 405 T_Source */
- S_ST( 'e', 0, 0, 0 ), /* 406 T_Stacksize */
- S_ST( 's', 0, 0, 0 ), /* 407 T_Statistics */
- S_ST( 's', 0, 803, 798 ), /* 408 T_Stats */
- S_ST( 'r', 1, 0, 0 ), /* 409 T_Statsdir */
- S_ST( 'p', 0, 811, 0 ), /* 410 T_Step */
- S_ST( 'k', 0, 0, 0 ), /* 411 T_Stepback */
- S_ST( 'd', 0, 0, 0 ), /* 412 T_Stepfwd */
- S_ST( 't', 0, 0, 0 ), /* 413 T_Stepout */
- S_ST( 'm', 0, 0, 0 ), /* 414 T_Stratum */
- S_ST( 'e', 3, 430, 0 ), /* 415 leapsmearint */
- S_ST( 's', 0, 818, 0 ), /* 416 T_Sys */
- S_ST( 's', 0, 0, 0 ), /* 417 T_Sysstats */
- S_ST( 'k', 0, 0, 0 ), /* 418 T_Tick */
- S_ST( '1', 0, 0, 0 ), /* 419 T_Time1 */
- S_ST( '2', 0, 0, 419 ), /* 420 T_Time2 */
- S_ST( 'r', 0, 0, 420 ), /* 421 T_Timer */
- S_ST( 's', 0, 0, 0 ), /* 422 T_Timingstats */
- S_ST( 'r', 0, 0, 0 ), /* 423 T_Tinker */
- S_ST( 's', 0, 0, 0 ), /* 424 T_Tos */
- S_ST( 'p', 1, 0, 0 ), /* 425 T_Trap */
- S_ST( 'e', 0, 0, 0 ), /* 426 T_True */
- S_ST( 'y', 0, 0, 0 ), /* 427 T_Trustedkey */
- S_ST( 'l', 0, 0, 0 ), /* 428 T_Ttl */
- S_ST( 'e', 0, 0, 0 ), /* 429 T_Type */
- S_ST( 'r', 3, 437, 0 ), /* 430 leapsmearinte */
- S_ST( 'y', 0, 0, 0 ), /* 431 T_UEcrypto */
- S_ST( 'y', 0, 0, 0 ), /* 432 T_UEcryptonak */
- S_ST( 'y', 0, 0, 0 ), /* 433 T_UEdigest */
- S_ST( 'g', 1, 0, 0 ), /* 434 T_Unconfig */
- S_ST( 'r', 1, 860, 0 ), /* 435 T_Unpeer */
- S_ST( 'n', 0, 0, 0 ), /* 436 T_Version */
- S_ST( 'v', 3, 442, 0 ), /* 437 leapsmearinter */
- S_ST( 'k', 0, 0, 0 ), /* 438 T_Week */
- S_ST( 'd', 0, 0, 0 ), /* 439 T_Wildcard */
- S_ST( 'e', 0, 0, 0 ), /* 440 T_Xleave */
- S_ST( 'r', 0, 0, 0 ), /* 441 T_Year */
- S_ST( 'a', 3, 332, 0 ), /* 442 leapsmearinterv */
- S_ST( 'i', 3, 459, 248 ), /* 443 l */
- S_ST( 'e', 0, 0, 0 ), /* 444 T_Simulate */
- S_ST( 'y', 0, 0, 0 ), /* 445 T_Beep_Delay */
- S_ST( 'n', 0, 0, 0 ), /* 446 T_Sim_Duration */
- S_ST( 't', 0, 0, 0 ), /* 447 T_Server_Offset */
- S_ST( 'n', 0, 0, 0 ), /* 448 T_Duration */
- S_ST( 't', 0, 0, 0 ), /* 449 T_Freq_Offset */
- S_ST( 'r', 0, 0, 0 ), /* 450 T_Wander */
- S_ST( 'r', 0, 0, 0 ), /* 451 T_Jitter */
- S_ST( 'y', 0, 0, 0 ), /* 452 T_Prop_Delay */
- S_ST( 'y', 0, 0, 0 ), /* 453 T_Proc_Delay */
- S_ST( 'm', 3, 455, 0 ), /* 454 li */
- S_ST( 'i', 3, 456, 0 ), /* 455 lim */
- S_ST( 't', 3, 457, 0 ), /* 456 limi */
- S_ST( 'e', 3, 333, 0 ), /* 457 limit */
- S_ST( 'n', 3, 334, 454 ), /* 458 li */
- S_ST( 's', 3, 460, 458 ), /* 459 li */
- S_ST( 't', 3, 461, 0 ), /* 460 lis */
- S_ST( 'e', 3, 335, 0 ), /* 461 list */
- S_ST( 'o', 3, 478, 443 ), /* 462 l */
- S_ST( 'g', 3, 469, 0 ), /* 463 lo */
- S_ST( 'c', 3, 465, 0 ), /* 464 log */
- S_ST( 'o', 3, 466, 0 ), /* 465 logc */
- S_ST( 'n', 3, 467, 0 ), /* 466 logco */
- S_ST( 'f', 3, 468, 0 ), /* 467 logcon */
- S_ST( 'i', 3, 336, 0 ), /* 468 logconf */
- S_ST( 'f', 3, 470, 464 ), /* 469 log */
- S_ST( 'i', 3, 471, 0 ), /* 470 logf */
- S_ST( 'l', 3, 337, 0 ), /* 471 logfi */
- S_ST( 'o', 3, 473, 463 ), /* 472 lo */
- S_ST( 'p', 3, 474, 0 ), /* 473 loo */
- S_ST( 's', 3, 475, 0 ), /* 474 loop */
- S_ST( 't', 3, 476, 0 ), /* 475 loops */
- S_ST( 'a', 3, 477, 0 ), /* 476 loopst */
- S_ST( 't', 3, 338, 0 ), /* 477 loopsta */
- S_ST( 'w', 3, 479, 472 ), /* 478 lo */
- S_ST( 'p', 3, 480, 0 ), /* 479 low */
- S_ST( 'r', 3, 481, 0 ), /* 480 lowp */
- S_ST( 'i', 3, 482, 0 ), /* 481 lowpr */
- S_ST( 'o', 3, 483, 0 ), /* 482 lowpri */
- S_ST( 't', 3, 484, 0 ), /* 483 lowprio */
- S_ST( 'r', 3, 485, 0 ), /* 484 lowpriot */
- S_ST( 'a', 3, 339, 0 ), /* 485 lowpriotr */
- S_ST( 'm', 3, 567, 247 ), /* 486 */
- S_ST( 'a', 3, 505, 0 ), /* 487 m */
- S_ST( 'n', 3, 489, 0 ), /* 488 ma */
- S_ST( 'y', 3, 490, 0 ), /* 489 man */
- S_ST( 'c', 3, 491, 0 ), /* 490 many */
- S_ST( 'a', 3, 492, 0 ), /* 491 manyc */
- S_ST( 's', 3, 493, 0 ), /* 492 manyca */
- S_ST( 't', 3, 499, 0 ), /* 493 manycas */
- S_ST( 'c', 3, 495, 0 ), /* 494 manycast */
- S_ST( 'l', 3, 496, 0 ), /* 495 manycastc */
- S_ST( 'i', 3, 497, 0 ), /* 496 manycastcl */
- S_ST( 'e', 3, 498, 0 ), /* 497 manycastcli */
- S_ST( 'n', 3, 340, 0 ), /* 498 manycastclie */
- S_ST( 's', 3, 500, 494 ), /* 499 manycast */
- S_ST( 'e', 3, 501, 0 ), /* 500 manycasts */
- S_ST( 'r', 3, 502, 0 ), /* 501 manycastse */
- S_ST( 'v', 3, 503, 0 ), /* 502 manycastser */
- S_ST( 'e', 3, 341, 0 ), /* 503 manycastserv */
- S_ST( 's', 3, 342, 488 ), /* 504 ma */
- S_ST( 'x', 3, 520, 504 ), /* 505 ma */
- S_ST( 'a', 3, 507, 0 ), /* 506 max */
- S_ST( 'g', 3, 343, 0 ), /* 507 maxa */
- S_ST( 'c', 3, 509, 506 ), /* 508 max */
- S_ST( 'l', 3, 510, 0 ), /* 509 maxc */
- S_ST( 'o', 3, 511, 0 ), /* 510 maxcl */
- S_ST( 'c', 3, 344, 0 ), /* 511 maxclo */
- S_ST( 'd', 3, 516, 508 ), /* 512 max */
- S_ST( 'e', 3, 514, 0 ), /* 513 maxd */
- S_ST( 'p', 3, 515, 0 ), /* 514 maxde */
- S_ST( 't', 3, 345, 0 ), /* 515 maxdep */
- S_ST( 'i', 3, 517, 513 ), /* 516 maxd */
- S_ST( 's', 3, 346, 0 ), /* 517 maxdi */
- S_ST( 'm', 3, 519, 512 ), /* 518 max */
- S_ST( 'e', 3, 347, 0 ), /* 519 maxm */
- S_ST( 'p', 3, 521, 518 ), /* 520 max */
- S_ST( 'o', 3, 522, 0 ), /* 521 maxp */
- S_ST( 'l', 3, 348, 0 ), /* 522 maxpo */
- S_ST( 'd', 3, 524, 487 ), /* 523 m */
- S_ST( 'n', 3, 525, 0 ), /* 524 md */
- S_ST( 's', 3, 526, 0 ), /* 525 mdn */
- S_ST( 't', 3, 527, 0 ), /* 526 mdns */
- S_ST( 'r', 3, 528, 0 ), /* 527 mdnst */
- S_ST( 'i', 3, 529, 0 ), /* 528 mdnstr */
- S_ST( 'e', 3, 349, 0 ), /* 529 mdnstri */
- S_ST( 'e', 3, 350, 523 ), /* 530 m */
- S_ST( 'l', 3, 532, 0 ), /* 531 mem */
- S_ST( 'o', 3, 533, 0 ), /* 532 meml */
- S_ST( 'c', 3, 351, 0 ), /* 533 memlo */
- S_ST( 'i', 3, 535, 530 ), /* 534 m */
- S_ST( 'n', 3, 552, 0 ), /* 535 mi */
- S_ST( 'c', 3, 537, 0 ), /* 536 min */
- S_ST( 'l', 3, 538, 0 ), /* 537 minc */
- S_ST( 'o', 3, 539, 0 ), /* 538 mincl */
- S_ST( 'c', 3, 352, 0 ), /* 539 minclo */
- S_ST( 'd', 3, 544, 536 ), /* 540 min */
- S_ST( 'e', 3, 542, 0 ), /* 541 mind */
- S_ST( 'p', 3, 543, 0 ), /* 542 minde */
- S_ST( 't', 3, 353, 0 ), /* 543 mindep */
- S_ST( 'i', 3, 545, 541 ), /* 544 mind */
- S_ST( 's', 3, 354, 0 ), /* 545 mindi */
- S_ST( 'i', 3, 547, 540 ), /* 546 min */
- S_ST( 'm', 3, 548, 0 ), /* 547 mini */
- S_ST( 'u', 3, 355, 0 ), /* 548 minim */
- S_ST( 'p', 3, 550, 546 ), /* 549 min */
- S_ST( 'o', 3, 551, 0 ), /* 550 minp */
- S_ST( 'l', 3, 356, 0 ), /* 551 minpo */
- S_ST( 's', 3, 553, 549 ), /* 552 min */
- S_ST( 'a', 3, 554, 0 ), /* 553 mins */
- S_ST( 'n', 3, 357, 0 ), /* 554 minsa */
- S_ST( 'o', 3, 557, 534 ), /* 555 m */
- S_ST( 'd', 3, 358, 0 ), /* 556 mo */
- S_ST( 'n', 3, 561, 556 ), /* 557 mo */
- S_ST( 'i', 3, 559, 0 ), /* 558 mon */
- S_ST( 't', 3, 560, 0 ), /* 559 moni */
- S_ST( 'o', 3, 360, 0 ), /* 560 monit */
- S_ST( 't', 3, 361, 558 ), /* 561 mon */
- S_ST( 'r', 3, 362, 555 ), /* 562 m */
- S_ST( 's', 3, 564, 562 ), /* 563 m */
- S_ST( 's', 3, 565, 0 ), /* 564 ms */
- S_ST( 'n', 3, 566, 0 ), /* 565 mss */
- S_ST( 't', 3, 330, 0 ), /* 566 mssn */
- S_ST( 'u', 3, 568, 563 ), /* 567 m */
- S_ST( 'l', 3, 569, 0 ), /* 568 mu */
- S_ST( 't', 3, 570, 0 ), /* 569 mul */
- S_ST( 'i', 3, 571, 0 ), /* 570 mult */
- S_ST( 'c', 3, 572, 0 ), /* 571 multi */
- S_ST( 'a', 3, 573, 0 ), /* 572 multic */
- S_ST( 's', 3, 574, 0 ), /* 573 multica */
- S_ST( 't', 3, 575, 0 ), /* 574 multicas */
- S_ST( 'c', 3, 576, 0 ), /* 575 multicast */
- S_ST( 'l', 3, 577, 0 ), /* 576 multicastc */
- S_ST( 'i', 3, 578, 0 ), /* 577 multicastcl */
- S_ST( 'e', 3, 579, 0 ), /* 578 multicastcli */
- S_ST( 'n', 3, 363, 0 ), /* 579 multicastclie */
- S_ST( 'n', 3, 623, 486 ), /* 580 */
- S_ST( 'i', 3, 364, 0 ), /* 581 n */
- S_ST( 'o', 3, 618, 581 ), /* 582 n */
- S_ST( 'l', 3, 584, 0 ), /* 583 no */
- S_ST( 'i', 3, 585, 0 ), /* 584 nol */
- S_ST( 'n', 3, 365, 0 ), /* 585 noli */
- S_ST( 'm', 3, 591, 583 ), /* 586 no */
- S_ST( 'o', 3, 588, 0 ), /* 587 nom */
- S_ST( 'd', 3, 589, 0 ), /* 588 nomo */
- S_ST( 'i', 3, 590, 0 ), /* 589 nomod */
- S_ST( 'f', 3, 366, 0 ), /* 590 nomodi */
- S_ST( 'r', 3, 592, 587 ), /* 591 nom */
- S_ST( 'u', 3, 593, 0 ), /* 592 nomr */
- S_ST( 'l', 3, 594, 0 ), /* 593 nomru */
- S_ST( 'i', 3, 595, 0 ), /* 594 nomrul */
- S_ST( 's', 3, 367, 0 ), /* 595 nomruli */
- S_ST( 'n', 3, 597, 586 ), /* 596 no */
- S_ST( 'v', 3, 598, 368 ), /* 597 non */
- S_ST( 'o', 3, 599, 0 ), /* 598 nonv */
- S_ST( 'l', 3, 600, 0 ), /* 599 nonvo */
- S_ST( 'a', 3, 601, 0 ), /* 600 nonvol */
- S_ST( 't', 3, 602, 0 ), /* 601 nonvola */
- S_ST( 'i', 3, 603, 0 ), /* 602 nonvolat */
- S_ST( 'l', 3, 369, 0 ), /* 603 nonvolati */
- S_ST( 'p', 3, 605, 596 ), /* 604 no */
- S_ST( 'e', 3, 606, 0 ), /* 605 nop */
- S_ST( 'e', 3, 370, 0 ), /* 606 nope */
- S_ST( 'q', 3, 608, 604 ), /* 607 no */
- S_ST( 'u', 3, 609, 0 ), /* 608 noq */
- S_ST( 'e', 3, 610, 0 ), /* 609 noqu */
- S_ST( 'r', 3, 371, 0 ), /* 610 noque */
- S_ST( 's', 3, 612, 607 ), /* 611 no */
- S_ST( 'e', 3, 616, 0 ), /* 612 nos */
- S_ST( 'l', 3, 614, 0 ), /* 613 nose */
- S_ST( 'e', 3, 615, 0 ), /* 614 nosel */
- S_ST( 'c', 3, 372, 0 ), /* 615 nosele */
- S_ST( 'r', 3, 617, 613 ), /* 616 nose */
- S_ST( 'v', 3, 373, 0 ), /* 617 noser */
- S_ST( 't', 3, 619, 611 ), /* 618 no */
- S_ST( 'r', 3, 621, 0 ), /* 619 not */
- S_ST( 'a', 3, 374, 0 ), /* 620 notr */
- S_ST( 'u', 3, 622, 620 ), /* 621 notr */
- S_ST( 's', 3, 375, 0 ), /* 622 notru */
- S_ST( 't', 3, 376, 582 ), /* 623 n */
- S_ST( 'p', 3, 625, 0 ), /* 624 ntp */
- S_ST( 'o', 3, 626, 0 ), /* 625 ntpp */
- S_ST( 'r', 3, 377, 0 ), /* 626 ntppo */
- S_ST( 's', 3, 628, 624 ), /* 627 ntp */
- S_ST( 'i', 3, 629, 0 ), /* 628 ntps */
- S_ST( 'g', 3, 630, 0 ), /* 629 ntpsi */
- S_ST( 'n', 3, 631, 0 ), /* 630 ntpsig */
- S_ST( 'd', 3, 632, 0 ), /* 631 ntpsign */
- S_ST( 's', 3, 633, 0 ), /* 632 ntpsignd */
- S_ST( 'o', 3, 634, 0 ), /* 633 ntpsignds */
- S_ST( 'c', 3, 635, 0 ), /* 634 ntpsigndso */
- S_ST( 'k', 3, 636, 0 ), /* 635 ntpsigndsoc */
- S_ST( 'e', 3, 378, 0 ), /* 636 ntpsigndsock */
- S_ST( 'o', 3, 638, 580 ), /* 637 */
- S_ST( 'r', 3, 639, 0 ), /* 638 o */
- S_ST( 'p', 3, 640, 0 ), /* 639 or */
- S_ST( 'h', 3, 641, 0 ), /* 640 orp */
- S_ST( 'a', 3, 379, 0 ), /* 641 orph */
- S_ST( 'w', 3, 643, 0 ), /* 642 orphan */
- S_ST( 'a', 3, 644, 0 ), /* 643 orphanw */
- S_ST( 'i', 3, 380, 0 ), /* 644 orphanwa */
- S_ST( 'p', 3, 393, 637 ), /* 645 */
- S_ST( 'a', 3, 647, 0 ), /* 646 p */
- S_ST( 'n', 3, 648, 0 ), /* 647 pa */
- S_ST( 'i', 3, 382, 0 ), /* 648 pan */
- S_ST( 'e', 3, 650, 646 ), /* 649 p */
- S_ST( 'e', 3, 383, 0 ), /* 650 pe */
- S_ST( '_', 3, 652, 0 ), /* 651 peer */
- S_ST( 'c', 3, 653, 0 ), /* 652 peer_ */
- S_ST( 'l', 3, 654, 0 ), /* 653 peer_c */
- S_ST( 'e', 3, 655, 0 ), /* 654 peer_cl */
- S_ST( 'a', 3, 656, 0 ), /* 655 peer_cle */
- S_ST( 'r', 3, 657, 0 ), /* 656 peer_clea */
- S_ST( '_', 3, 658, 0 ), /* 657 peer_clear */
- S_ST( 'd', 3, 659, 0 ), /* 658 peer_clear_ */
- S_ST( 'i', 3, 660, 0 ), /* 659 peer_clear_d */
- S_ST( 'g', 3, 661, 0 ), /* 660 peer_clear_di */
- S_ST( 'e', 3, 662, 0 ), /* 661 peer_clear_dig */
- S_ST( 's', 3, 663, 0 ), /* 662 peer_clear_dige */
- S_ST( 't', 3, 664, 0 ), /* 663 peer_clear_diges */
- S_ST( '_', 3, 665, 0 ), /* 664 peer_clear_digest */
- S_ST( 'e', 3, 666, 0 ), /* 665 peer_clear_digest_ */
- S_ST( 'a', 3, 667, 0 ), /* 666 peer_clear_digest_e */
- S_ST( 'r', 3, 668, 0 ), /* 667 peer_clear_digest_ea */
- S_ST( 'l', 3, 381, 0 ), /* 668 peer_clear_digest_ear */
- S_ST( 's', 3, 670, 651 ), /* 669 peer */
- S_ST( 't', 3, 671, 0 ), /* 670 peers */
- S_ST( 'a', 3, 672, 0 ), /* 671 peerst */
- S_ST( 't', 3, 384, 0 ), /* 672 peersta */
- S_ST( 'h', 3, 674, 649 ), /* 673 p */
- S_ST( 'o', 3, 675, 0 ), /* 674 ph */
- S_ST( 'n', 3, 385, 0 ), /* 675 pho */
- S_ST( 'i', 3, 386, 673 ), /* 676 p */
- S_ST( 'f', 3, 678, 0 ), /* 677 pid */
- S_ST( 'i', 3, 679, 0 ), /* 678 pidf */
- S_ST( 'l', 3, 387, 0 ), /* 679 pidfi */
- S_ST( 'o', 3, 682, 676 ), /* 680 p */
- S_ST( 'o', 3, 388, 0 ), /* 681 po */
- S_ST( 'r', 3, 389, 681 ), /* 682 po */
- S_ST( 'r', 3, 690, 680 ), /* 683 p */
- S_ST( 'e', 3, 688, 0 ), /* 684 pr */
- S_ST( 'e', 3, 686, 0 ), /* 685 pre */
- S_ST( 'm', 3, 687, 0 ), /* 686 pree */
- S_ST( 'p', 3, 390, 0 ), /* 687 preem */
- S_ST( 'f', 3, 689, 685 ), /* 688 pre */
- S_ST( 'e', 3, 391, 0 ), /* 689 pref */
- S_ST( 'o', 3, 703, 684 ), /* 690 pr */
- S_ST( 'c', 3, 692, 0 ), /* 691 pro */
- S_ST( '_', 3, 693, 0 ), /* 692 proc */
- S_ST( 'd', 3, 694, 0 ), /* 693 proc_ */
- S_ST( 'e', 3, 695, 0 ), /* 694 proc_d */
- S_ST( 'l', 3, 696, 0 ), /* 695 proc_de */
- S_ST( 'a', 3, 453, 0 ), /* 696 proc_del */
- S_ST( 'p', 3, 698, 691 ), /* 697 pro */
- S_ST( '_', 3, 699, 0 ), /* 698 prop */
- S_ST( 'd', 3, 700, 0 ), /* 699 prop_ */
- S_ST( 'e', 3, 701, 0 ), /* 700 prop_d */
- S_ST( 'l', 3, 702, 0 ), /* 701 prop_de */
- S_ST( 'a', 3, 452, 0 ), /* 702 prop_del */
- S_ST( 't', 3, 704, 697 ), /* 703 pro */
- S_ST( 'o', 3, 705, 0 ), /* 704 prot */
- S_ST( 's', 3, 706, 0 ), /* 705 proto */
- S_ST( 't', 3, 707, 0 ), /* 706 protos */
- S_ST( 'a', 3, 708, 0 ), /* 707 protost */
- S_ST( 't', 3, 392, 0 ), /* 708 protosta */
- S_ST( 'r', 3, 740, 645 ), /* 709 */
- S_ST( 'a', 3, 716, 0 ), /* 710 r */
- S_ST( 'n', 3, 712, 0 ), /* 711 ra */
- S_ST( 'd', 3, 713, 0 ), /* 712 ran */
- S_ST( 'f', 3, 714, 0 ), /* 713 rand */
- S_ST( 'i', 3, 715, 0 ), /* 714 randf */
- S_ST( 'l', 3, 394, 0 ), /* 715 randfi */
- S_ST( 'w', 3, 717, 711 ), /* 716 ra */
- S_ST( 's', 3, 718, 0 ), /* 717 raw */
- S_ST( 't', 3, 719, 0 ), /* 718 raws */
- S_ST( 'a', 3, 720, 0 ), /* 719 rawst */
- S_ST( 't', 3, 395, 0 ), /* 720 rawsta */
- S_ST( 'e', 3, 737, 710 ), /* 721 r */
- S_ST( 'f', 3, 723, 0 ), /* 722 re */
- S_ST( 'i', 3, 396, 0 ), /* 723 ref */
- S_ST( 'q', 3, 725, 722 ), /* 724 re */
- S_ST( 'u', 3, 726, 0 ), /* 725 req */
- S_ST( 'e', 3, 727, 0 ), /* 726 requ */
- S_ST( 's', 3, 728, 0 ), /* 727 reque */
- S_ST( 't', 3, 729, 0 ), /* 728 reques */
- S_ST( 'k', 3, 730, 0 ), /* 729 request */
- S_ST( 'e', 3, 397, 0 ), /* 730 requestk */
- S_ST( 's', 3, 733, 724 ), /* 731 re */
- S_ST( 'e', 3, 398, 0 ), /* 732 res */
- S_ST( 't', 3, 734, 732 ), /* 733 res */
- S_ST( 'r', 3, 735, 0 ), /* 734 rest */
- S_ST( 'i', 3, 736, 0 ), /* 735 restr */
- S_ST( 'c', 3, 399, 0 ), /* 736 restri */
- S_ST( 'v', 3, 738, 731 ), /* 737 re */
- S_ST( 'o', 3, 739, 0 ), /* 738 rev */
- S_ST( 'k', 3, 400, 0 ), /* 739 revo */
- S_ST( 'l', 3, 741, 721 ), /* 740 r */
- S_ST( 'i', 3, 742, 0 ), /* 741 rl */
- S_ST( 'm', 3, 743, 0 ), /* 742 rli */
- S_ST( 'i', 3, 401, 0 ), /* 743 rlim */
- S_ST( 's', 3, 817, 709 ), /* 744 */
- S_ST( 'a', 3, 746, 0 ), /* 745 s */
- S_ST( 'v', 3, 747, 0 ), /* 746 sa */
- S_ST( 'e', 3, 748, 0 ), /* 747 sav */
- S_ST( 'c', 3, 749, 0 ), /* 748 save */
- S_ST( 'o', 3, 750, 0 ), /* 749 savec */
- S_ST( 'n', 3, 751, 0 ), /* 750 saveco */
- S_ST( 'f', 3, 752, 0 ), /* 751 savecon */
- S_ST( 'i', 3, 753, 0 ), /* 752 saveconf */
- S_ST( 'g', 3, 754, 0 ), /* 753 saveconfi */
- S_ST( 'd', 3, 755, 0 ), /* 754 saveconfig */
- S_ST( 'i', 3, 402, 0 ), /* 755 saveconfigd */
- S_ST( 'e', 3, 766, 745 ), /* 756 s */
- S_ST( 'r', 3, 758, 0 ), /* 757 se */
- S_ST( 'v', 3, 759, 0 ), /* 758 ser */
- S_ST( 'e', 3, 403, 0 ), /* 759 serv */
- S_ST( '_', 3, 761, 0 ), /* 760 server */
- S_ST( 'o', 3, 762, 0 ), /* 761 server_ */
- S_ST( 'f', 3, 763, 0 ), /* 762 server_o */
- S_ST( 'f', 3, 764, 0 ), /* 763 server_of */
- S_ST( 's', 3, 765, 0 ), /* 764 server_off */
- S_ST( 'e', 3, 447, 0 ), /* 765 server_offs */
- S_ST( 't', 3, 767, 757 ), /* 766 se */
- S_ST( 'v', 3, 768, 0 ), /* 767 set */
- S_ST( 'a', 3, 404, 0 ), /* 768 setv */
- S_ST( 'i', 3, 770, 756 ), /* 769 s */
- S_ST( 'm', 3, 771, 0 ), /* 770 si */
- S_ST( 'u', 3, 772, 0 ), /* 771 sim */
- S_ST( 'l', 3, 773, 0 ), /* 772 simu */
- S_ST( 'a', 3, 774, 0 ), /* 773 simul */
- S_ST( 't', 3, 775, 0 ), /* 774 simula */
- S_ST( 'i', 3, 776, 444 ), /* 775 simulat */
- S_ST( 'o', 3, 777, 0 ), /* 776 simulati */
- S_ST( 'n', 3, 778, 0 ), /* 777 simulatio */
- S_ST( '_', 3, 779, 0 ), /* 778 simulation */
- S_ST( 'd', 3, 780, 0 ), /* 779 simulation_ */
- S_ST( 'u', 3, 781, 0 ), /* 780 simulation_d */
- S_ST( 'r', 3, 782, 0 ), /* 781 simulation_du */
- S_ST( 'a', 3, 783, 0 ), /* 782 simulation_dur */
- S_ST( 't', 3, 784, 0 ), /* 783 simulation_dura */
- S_ST( 'i', 3, 785, 0 ), /* 784 simulation_durat */
- S_ST( 'o', 3, 446, 0 ), /* 785 simulation_durati */
- S_ST( 'o', 3, 787, 769 ), /* 786 s */
- S_ST( 'u', 3, 788, 0 ), /* 787 so */
- S_ST( 'r', 3, 789, 0 ), /* 788 sou */
- S_ST( 'c', 3, 405, 0 ), /* 789 sour */
- S_ST( 't', 3, 813, 786 ), /* 790 s */
- S_ST( 'a', 3, 797, 0 ), /* 791 st */
- S_ST( 'c', 3, 793, 0 ), /* 792 sta */
- S_ST( 'k', 3, 794, 0 ), /* 793 stac */
- S_ST( 's', 3, 795, 0 ), /* 794 stack */
- S_ST( 'i', 3, 796, 0 ), /* 795 stacks */
- S_ST( 'z', 3, 406, 0 ), /* 796 stacksi */
- S_ST( 't', 3, 408, 792 ), /* 797 sta */
- S_ST( 'i', 3, 799, 0 ), /* 798 stat */
- S_ST( 's', 3, 800, 0 ), /* 799 stati */
- S_ST( 't', 3, 801, 0 ), /* 800 statis */
- S_ST( 'i', 3, 802, 0 ), /* 801 statist */
- S_ST( 'c', 3, 407, 0 ), /* 802 statisti */
- S_ST( 'd', 3, 804, 0 ), /* 803 stats */
- S_ST( 'i', 3, 409, 0 ), /* 804 statsd */
- S_ST( 'e', 3, 410, 791 ), /* 805 st */
- S_ST( 'b', 3, 807, 0 ), /* 806 step */
- S_ST( 'a', 3, 808, 0 ), /* 807 stepb */
- S_ST( 'c', 3, 411, 0 ), /* 808 stepba */
- S_ST( 'f', 3, 810, 806 ), /* 809 step */
- S_ST( 'w', 3, 412, 0 ), /* 810 stepf */
- S_ST( 'o', 3, 812, 809 ), /* 811 step */
- S_ST( 'u', 3, 413, 0 ), /* 812 stepo */
- S_ST( 'r', 3, 814, 805 ), /* 813 st */
- S_ST( 'a', 3, 815, 0 ), /* 814 str */
- S_ST( 't', 3, 816, 0 ), /* 815 stra */
- S_ST( 'u', 3, 414, 0 ), /* 816 strat */
- S_ST( 'y', 3, 416, 790 ), /* 817 s */
- S_ST( 's', 3, 819, 0 ), /* 818 sys */
- S_ST( 't', 3, 820, 0 ), /* 819 syss */
- S_ST( 'a', 3, 821, 0 ), /* 820 sysst */
- S_ST( 't', 3, 417, 0 ), /* 821 syssta */
- S_ST( 't', 3, 848, 744 ), /* 822 */
- S_ST( 'i', 3, 834, 0 ), /* 823 t */
- S_ST( 'c', 3, 418, 0 ), /* 824 ti */
- S_ST( 'm', 3, 827, 824 ), /* 825 ti */
- S_ST( 'e', 3, 421, 0 ), /* 826 tim */
- S_ST( 'i', 3, 828, 826 ), /* 827 tim */
- S_ST( 'n', 3, 829, 0 ), /* 828 timi */
- S_ST( 'g', 3, 830, 0 ), /* 829 timin */
- S_ST( 's', 3, 831, 0 ), /* 830 timing */
- S_ST( 't', 3, 832, 0 ), /* 831 timings */
- S_ST( 'a', 3, 833, 0 ), /* 832 timingst */
- S_ST( 't', 3, 422, 0 ), /* 833 timingsta */
- S_ST( 'n', 3, 835, 825 ), /* 834 ti */
- S_ST( 'k', 3, 836, 0 ), /* 835 tin */
- S_ST( 'e', 3, 423, 0 ), /* 836 tink */
- S_ST( 'o', 3, 424, 823 ), /* 837 t */
- S_ST( 'r', 3, 840, 837 ), /* 838 t */
- S_ST( 'a', 3, 425, 0 ), /* 839 tr */
- S_ST( 'u', 3, 841, 839 ), /* 840 tr */
- S_ST( 's', 3, 842, 426 ), /* 841 tru */
- S_ST( 't', 3, 843, 0 ), /* 842 trus */
- S_ST( 'e', 3, 844, 0 ), /* 843 trust */
- S_ST( 'd', 3, 845, 0 ), /* 844 truste */
- S_ST( 'k', 3, 846, 0 ), /* 845 trusted */
- S_ST( 'e', 3, 427, 0 ), /* 846 trustedk */
- S_ST( 't', 3, 428, 838 ), /* 847 t */
- S_ST( 'y', 3, 849, 847 ), /* 848 t */
- S_ST( 'p', 3, 429, 0 ), /* 849 ty */
- S_ST( 'u', 3, 851, 822 ), /* 850 */
- S_ST( 'n', 3, 857, 0 ), /* 851 u */
- S_ST( 'c', 3, 853, 0 ), /* 852 un */
- S_ST( 'o', 3, 854, 0 ), /* 853 unc */
- S_ST( 'n', 3, 855, 0 ), /* 854 unco */
- S_ST( 'f', 3, 856, 0 ), /* 855 uncon */
- S_ST( 'i', 3, 434, 0 ), /* 856 unconf */
- S_ST( 'p', 3, 858, 852 ), /* 857 un */
- S_ST( 'e', 3, 859, 0 ), /* 858 unp */
- S_ST( 'e', 3, 435, 0 ), /* 859 unpe */
- S_ST( '_', 3, 880, 0 ), /* 860 unpeer */
- S_ST( 'c', 3, 862, 0 ), /* 861 unpeer_ */
- S_ST( 'r', 3, 863, 0 ), /* 862 unpeer_c */
- S_ST( 'y', 3, 864, 0 ), /* 863 unpeer_cr */
- S_ST( 'p', 3, 865, 0 ), /* 864 unpeer_cry */
- S_ST( 't', 3, 866, 0 ), /* 865 unpeer_cryp */
- S_ST( 'o', 3, 867, 0 ), /* 866 unpeer_crypt */
- S_ST( '_', 3, 872, 0 ), /* 867 unpeer_crypto */
- S_ST( 'e', 3, 869, 0 ), /* 868 unpeer_crypto_ */
- S_ST( 'a', 3, 870, 0 ), /* 869 unpeer_crypto_e */
- S_ST( 'r', 3, 871, 0 ), /* 870 unpeer_crypto_ea */
- S_ST( 'l', 3, 431, 0 ), /* 871 unpeer_crypto_ear */
- S_ST( 'n', 3, 873, 868 ), /* 872 unpeer_crypto_ */
- S_ST( 'a', 3, 874, 0 ), /* 873 unpeer_crypto_n */
- S_ST( 'k', 3, 875, 0 ), /* 874 unpeer_crypto_na */
- S_ST( '_', 3, 876, 0 ), /* 875 unpeer_crypto_nak */
- S_ST( 'e', 3, 877, 0 ), /* 876 unpeer_crypto_nak_ */
- S_ST( 'a', 3, 878, 0 ), /* 877 unpeer_crypto_nak_e */
- S_ST( 'r', 3, 879, 0 ), /* 878 unpeer_crypto_nak_ea */
- S_ST( 'l', 3, 432, 0 ), /* 879 unpeer_crypto_nak_ear */
- S_ST( 'd', 3, 881, 861 ), /* 880 unpeer_ */
- S_ST( 'i', 3, 882, 0 ), /* 881 unpeer_d */
- S_ST( 'g', 3, 883, 0 ), /* 882 unpeer_di */
- S_ST( 'e', 3, 884, 0 ), /* 883 unpeer_dig */
- S_ST( 's', 3, 885, 0 ), /* 884 unpeer_dige */
- S_ST( 't', 3, 886, 0 ), /* 885 unpeer_diges */
- S_ST( '_', 3, 887, 0 ), /* 886 unpeer_digest */
- S_ST( 'e', 3, 888, 0 ), /* 887 unpeer_digest_ */
- S_ST( 'a', 3, 889, 0 ), /* 888 unpeer_digest_e */
- S_ST( 'r', 3, 890, 0 ), /* 889 unpeer_digest_ea */
- S_ST( 'l', 3, 433, 0 ), /* 890 unpeer_digest_ear */
- S_ST( 'v', 3, 892, 850 ), /* 891 */
- S_ST( 'e', 3, 893, 0 ), /* 892 v */
- S_ST( 'r', 3, 894, 0 ), /* 893 ve */
- S_ST( 's', 3, 895, 0 ), /* 894 ver */
- S_ST( 'i', 3, 896, 0 ), /* 895 vers */
- S_ST( 'o', 3, 436, 0 ), /* 896 versi */
- S_ST( 'w', 3, 904, 891 ), /* 897 */
- S_ST( 'a', 3, 899, 0 ), /* 898 w */
- S_ST( 'n', 3, 900, 0 ), /* 899 wa */
- S_ST( 'd', 3, 901, 0 ), /* 900 wan */
- S_ST( 'e', 3, 450, 0 ), /* 901 wand */
- S_ST( 'e', 3, 903, 898 ), /* 902 w */
- S_ST( 'e', 3, 438, 0 ), /* 903 we */
- S_ST( 'i', 3, 905, 902 ), /* 904 w */
- S_ST( 'l', 3, 906, 0 ), /* 905 wi */
- S_ST( 'd', 3, 907, 0 ), /* 906 wil */
- S_ST( 'c', 3, 908, 0 ), /* 907 wild */
- S_ST( 'a', 3, 909, 0 ), /* 908 wildc */
- S_ST( 'r', 3, 439, 0 ), /* 909 wildca */
- S_ST( 'x', 3, 911, 897 ), /* 910 */
- S_ST( 'l', 3, 912, 0 ), /* 911 x */
- S_ST( 'e', 3, 913, 0 ), /* 912 xl */
- S_ST( 'a', 3, 914, 0 ), /* 913 xle */
- S_ST( 'v', 3, 440, 0 ), /* 914 xlea */
- S_ST( 'y', 3, 916, 910 ), /* 915 [initial state] */
- S_ST( 'e', 3, 917, 0 ), /* 916 y */
- S_ST( 'a', 3, 441, 0 ) /* 917 ye */
+ S_ST( 'e', 1, 0, 0 ), /* 267 T_Basedate */
+ S_ST( 't', 0, 0, 0 ), /* 268 T_Bclient */
+ S_ST( 'p', 0, 0, 0 ), /* 269 T_Bcpollbstep */
+ S_ST( 'n', 0, 0, 0 ), /* 270 T_Beacon */
+ S_ST( 't', 1, 71, 0 ), /* 271 T_Broadcast */
+ S_ST( 't', 0, 0, 0 ), /* 272 T_Broadcastclient */
+ S_ST( 'y', 0, 0, 0 ), /* 273 T_Broadcastdelay */
+ S_ST( 't', 0, 0, 0 ), /* 274 T_Burst */
+ S_ST( 'e', 0, 0, 0 ), /* 275 T_Calibrate */
+ S_ST( 'g', 0, 0, 0 ), /* 276 T_Ceiling */
+ S_ST( 's', 0, 0, 0 ), /* 277 T_Clockstats */
+ S_ST( 't', 0, 0, 0 ), /* 278 T_Cohort */
+ S_ST( 'y', 0, 0, 0 ), /* 279 T_ControlKey */
+ S_ST( 'o', 0, 114, 0 ), /* 280 T_Crypto */
+ S_ST( 's', 0, 0, 0 ), /* 281 T_Cryptostats */
+ S_ST( 'l', 0, 0, 0 ), /* 282 T_Ctl */
+ S_ST( 'y', 0, 0, 0 ), /* 283 T_Day */
+ S_ST( 't', 0, 0, 0 ), /* 284 T_Default */
+ S_ST( 't', 1, 0, 0 ), /* 285 T_Digest */
+ S_ST( 'e', 0, 0, 0 ), /* 286 T_Disable */
+ S_ST( 'd', 0, 0, 0 ), /* 287 T_Discard */
+ S_ST( 'n', 0, 0, 0 ), /* 288 T_Dispersion */
+ S_ST( 'r', 3, 297, 0 ), /* 289 ke */
+ S_ST( 'e', 1, 0, 0 ), /* 290 T_Driftfile */
+ S_ST( 'p', 0, 0, 0 ), /* 291 T_Drop */
+ S_ST( 'p', 0, 0, 0 ), /* 292 T_Dscp */
+ S_ST( '.', 0, 0, 0 ), /* 293 T_Ellipsis */
+ S_ST( 'e', 0, 0, 0 ), /* 294 T_Enable */
+ S_ST( 'd', 0, 0, 161 ), /* 295 T_End */
+ S_ST( 'r', 0, 0, 0 ), /* 296 T_Epeer */
+ S_ST( 'n', 3, 319, 0 ), /* 297 ker */
+ S_ST( 'e', 1, 172, 0 ), /* 298 T_File */
+ S_ST( 'n', 0, 0, 0 ), /* 299 T_Filegen */
+ S_ST( 'm', 0, 0, 0 ), /* 300 T_Filenum */
+ S_ST( '1', 0, 0, 0 ), /* 301 T_Flag1 */
+ S_ST( '2', 0, 0, 301 ), /* 302 T_Flag2 */
+ S_ST( '3', 0, 0, 302 ), /* 303 T_Flag3 */
+ S_ST( '4', 0, 0, 303 ), /* 304 T_Flag4 */
+ S_ST( 'e', 0, 0, 0 ), /* 305 T_Flake */
+ S_ST( 'r', 0, 0, 0 ), /* 306 T_Floor */
+ S_ST( 'q', 0, 182, 0 ), /* 307 T_Freq */
+ S_ST( 'e', 1, 0, 0 ), /* 308 T_Fudge */
+ S_ST( 't', 1, 0, 0 ), /* 309 T_Host */
+ S_ST( 'f', 0, 0, 0 ), /* 310 T_Huffpuff */
+ S_ST( 't', 0, 0, 0 ), /* 311 T_Iburst */
+ S_ST( 't', 1, 0, 0 ), /* 312 T_Ident */
+ S_ST( 'e', 0, 0, 0 ), /* 313 T_Ignore */
+ S_ST( 'c', 0, 0, 0 ), /* 314 T_Incalloc */
+ S_ST( 'm', 0, 0, 0 ), /* 315 T_Incmem */
+ S_ST( 'c', 0, 0, 0 ), /* 316 T_Initalloc */
+ S_ST( 'm', 0, 0, 0 ), /* 317 T_Initmem */
+ S_ST( 'e', 1, 0, 0 ), /* 318 T_Includefile */
+ S_ST( 'e', 3, 328, 0 ), /* 319 kern */
+ S_ST( 'e', 0, 0, 0 ), /* 320 T_Interface */
+ S_ST( 'd', 3, 419, 0 ), /* 321 keys */
+ S_ST( 'o', 0, 0, 212 ), /* 322 T_Io */
+ S_ST( 't', 0, 0, 0 ), /* 323 T_Ippeerlimit */
+ S_ST( '4', 0, 0, 0 ), /* 324 T_Ipv4 */
+ S_ST( '4', 0, 0, 0 ), /* 325 T_Ipv4_flag */
+ S_ST( '6', 0, 0, 324 ), /* 326 T_Ipv6 */
+ S_ST( '6', 0, 0, 325 ), /* 327 T_Ipv6_flag */
+ S_ST( 'l', 0, 0, 0 ), /* 328 T_Kernel */
+ S_ST( 'y', 0, 330, 289 ), /* 329 T_Key */
+ S_ST( 's', 1, 321, 0 ), /* 330 T_Keys */
+ S_ST( 'r', 1, 0, 0 ), /* 331 T_Keysdir */
+ S_ST( 'd', 0, 0, 0 ), /* 332 T_Kod */
+ S_ST( 'p', 0, 0, 0 ), /* 333 T_Mssntp */
+ S_ST( 'e', 1, 0, 0 ), /* 334 T_Leapfile */
+ S_ST( 'l', 0, 0, 0 ), /* 335 T_Leapsmearinterval */
+ S_ST( 'd', 0, 0, 0 ), /* 336 T_Limited */
+ S_ST( 'k', 0, 0, 0 ), /* 337 T_Link */
+ S_ST( 'n', 0, 0, 0 ), /* 338 T_Listen */
+ S_ST( 'g', 2, 0, 0 ), /* 339 T_Logconfig */
+ S_ST( 'e', 1, 0, 0 ), /* 340 T_Logfile */
+ S_ST( 's', 0, 0, 0 ), /* 341 T_Loopstats */
+ S_ST( 'p', 0, 0, 0 ), /* 342 T_Lowpriotrap */
+ S_ST( 't', 1, 0, 0 ), /* 343 T_Manycastclient */
+ S_ST( 'r', 2, 0, 0 ), /* 344 T_Manycastserver */
+ S_ST( 'k', 0, 0, 0 ), /* 345 T_Mask */
+ S_ST( 'e', 0, 0, 0 ), /* 346 T_Maxage */
+ S_ST( 'k', 0, 0, 0 ), /* 347 T_Maxclock */
+ S_ST( 'h', 0, 0, 0 ), /* 348 T_Maxdepth */
+ S_ST( 't', 0, 0, 0 ), /* 349 T_Maxdist */
+ S_ST( 'm', 0, 0, 0 ), /* 350 T_Maxmem */
+ S_ST( 'l', 0, 0, 0 ), /* 351 T_Maxpoll */
+ S_ST( 's', 0, 0, 0 ), /* 352 T_Mdnstries */
+ S_ST( 'm', 0, 552, 0 ), /* 353 T_Mem */
+ S_ST( 'k', 0, 0, 0 ), /* 354 T_Memlock */
+ S_ST( 'k', 0, 0, 0 ), /* 355 T_Minclock */
+ S_ST( 'h', 0, 0, 0 ), /* 356 T_Mindepth */
+ S_ST( 't', 0, 0, 0 ), /* 357 T_Mindist */
+ S_ST( 'm', 0, 0, 0 ), /* 358 T_Minimum */
+ S_ST( 'l', 0, 0, 0 ), /* 359 T_Minpoll */
+ S_ST( 'e', 0, 0, 0 ), /* 360 T_Minsane */
+ S_ST( 'e', 0, 362, 0 ), /* 361 T_Mode */
+ S_ST( '7', 0, 0, 0 ), /* 362 T_Mode7 */
+ S_ST( 'r', 0, 0, 0 ), /* 363 T_Monitor */
+ S_ST( 'h', 0, 0, 0 ), /* 364 T_Month */
+ S_ST( 'u', 0, 0, 0 ), /* 365 T_Mru */
+ S_ST( 't', 2, 0, 0 ), /* 366 T_Multicastclient */
+ S_ST( 'c', 0, 0, 0 ), /* 367 T_Nic */
+ S_ST( 'k', 0, 0, 0 ), /* 368 T_Nolink */
+ S_ST( 'y', 0, 0, 0 ), /* 369 T_Nomodify */
+ S_ST( 't', 0, 0, 0 ), /* 370 T_Nomrulist */
+ S_ST( 'e', 0, 0, 0 ), /* 371 T_None */
+ S_ST( 'e', 0, 0, 0 ), /* 372 T_Nonvolatile */
+ S_ST( 'r', 0, 0, 0 ), /* 373 T_Noepeer */
+ S_ST( 'r', 0, 0, 0 ), /* 374 T_Nopeer */
+ S_ST( 'y', 0, 0, 0 ), /* 375 T_Noquery */
+ S_ST( 't', 0, 0, 0 ), /* 376 T_Noselect */
+ S_ST( 'e', 0, 0, 0 ), /* 377 T_Noserve */
+ S_ST( 'p', 0, 0, 0 ), /* 378 T_Notrap */
+ S_ST( 't', 0, 0, 0 ), /* 379 T_Notrust */
+ S_ST( 'p', 0, 652, 0 ), /* 380 T_Ntp */
+ S_ST( 't', 0, 0, 0 ), /* 381 T_Ntpport */
+ S_ST( 't', 1, 0, 0 ), /* 382 T_NtpSignDsocket */
+ S_ST( 'n', 0, 667, 0 ), /* 383 T_Orphan */
+ S_ST( 't', 0, 0, 0 ), /* 384 T_Orphanwait */
+ S_ST( 'y', 0, 0, 0 ), /* 385 T_PCEdigest */
+ S_ST( 'c', 0, 0, 0 ), /* 386 T_Panic */
+ S_ST( 'r', 1, 694, 0 ), /* 387 T_Peer */
+ S_ST( 's', 0, 0, 0 ), /* 388 T_Peerstats */
+ S_ST( 'e', 2, 0, 0 ), /* 389 T_Phone */
+ S_ST( 'd', 0, 702, 0 ), /* 390 T_Pid */
+ S_ST( 'e', 1, 0, 0 ), /* 391 T_Pidfile */
+ S_ST( 'l', 1, 0, 0 ), /* 392 T_Pool */
+ S_ST( 't', 0, 0, 0 ), /* 393 T_Port */
+ S_ST( 't', 0, 0, 0 ), /* 394 T_Preempt */
+ S_ST( 'r', 0, 0, 0 ), /* 395 T_Prefer */
+ S_ST( 's', 0, 0, 0 ), /* 396 T_Protostats */
+ S_ST( 'w', 1, 0, 708 ), /* 397 T_Pw */
+ S_ST( 'e', 1, 0, 0 ), /* 398 T_Randfile */
+ S_ST( 's', 0, 0, 0 ), /* 399 T_Rawstats */
+ S_ST( 'd', 1, 0, 0 ), /* 400 T_Refid */
+ S_ST( 'y', 0, 0, 0 ), /* 401 T_Requestkey */
+ S_ST( 't', 0, 0, 0 ), /* 402 T_Reset */
+ S_ST( 't', 0, 0, 0 ), /* 403 T_Restrict */
+ S_ST( 'e', 0, 0, 0 ), /* 404 T_Revoke */
+ S_ST( 't', 0, 0, 0 ), /* 405 T_Rlimit */
+ S_ST( 'r', 1, 0, 0 ), /* 406 T_Saveconfigdir */
+ S_ST( 'r', 1, 785, 0 ), /* 407 T_Server */
+ S_ST( 'r', 1, 0, 0 ), /* 408 T_Setvar */
+ S_ST( 'e', 0, 0, 0 ), /* 409 T_Source */
+ S_ST( 'e', 0, 0, 0 ), /* 410 T_Stacksize */
+ S_ST( 's', 0, 0, 0 ), /* 411 T_Statistics */
+ S_ST( 's', 0, 828, 823 ), /* 412 T_Stats */
+ S_ST( 'r', 1, 0, 0 ), /* 413 T_Statsdir */
+ S_ST( 'p', 0, 836, 0 ), /* 414 T_Step */
+ S_ST( 'k', 0, 0, 0 ), /* 415 T_Stepback */
+ S_ST( 'd', 0, 0, 0 ), /* 416 T_Stepfwd */
+ S_ST( 't', 0, 0, 0 ), /* 417 T_Stepout */
+ S_ST( 'm', 0, 0, 0 ), /* 418 T_Stratum */
+ S_ST( 'i', 3, 331, 0 ), /* 419 keysd */
+ S_ST( 's', 0, 843, 0 ), /* 420 T_Sys */
+ S_ST( 's', 0, 0, 0 ), /* 421 T_Sysstats */
+ S_ST( 'k', 0, 0, 0 ), /* 422 T_Tick */
+ S_ST( '1', 0, 0, 0 ), /* 423 T_Time1 */
+ S_ST( '2', 0, 0, 423 ), /* 424 T_Time2 */
+ S_ST( 'r', 0, 0, 424 ), /* 425 T_Timer */
+ S_ST( 's', 0, 0, 0 ), /* 426 T_Timingstats */
+ S_ST( 'r', 0, 0, 0 ), /* 427 T_Tinker */
+ S_ST( 's', 0, 0, 0 ), /* 428 T_Tos */
+ S_ST( 'p', 1, 0, 0 ), /* 429 T_Trap */
+ S_ST( 'e', 0, 0, 0 ), /* 430 T_True */
+ S_ST( 'y', 0, 0, 0 ), /* 431 T_Trustedkey */
+ S_ST( 'l', 0, 0, 0 ), /* 432 T_Ttl */
+ S_ST( 'e', 0, 0, 0 ), /* 433 T_Type */
+ S_ST( 'o', 3, 332, 257 ), /* 434 k */
+ S_ST( 'y', 0, 0, 0 ), /* 435 T_UEcrypto */
+ S_ST( 'y', 0, 0, 0 ), /* 436 T_UEcryptonak */
+ S_ST( 'y', 0, 0, 0 ), /* 437 T_UEdigest */
+ S_ST( 'g', 1, 0, 0 ), /* 438 T_Unconfig */
+ S_ST( 'r', 1, 885, 0 ), /* 439 T_Unpeer */
+ S_ST( 'n', 0, 0, 0 ), /* 440 T_Version */
+ S_ST( 'l', 3, 483, 256 ), /* 441 */
+ S_ST( 'k', 0, 0, 0 ), /* 442 T_Week */
+ S_ST( 'd', 0, 0, 0 ), /* 443 T_Wildcard */
+ S_ST( 'e', 0, 0, 0 ), /* 444 T_Xleave */
+ S_ST( 'r', 0, 0, 0 ), /* 445 T_Year */
+ S_ST( 'e', 3, 447, 0 ), /* 446 l */
+ S_ST( 'a', 3, 458, 0 ), /* 447 le */
+ S_ST( 'e', 0, 0, 0 ), /* 448 T_Simulate */
+ S_ST( 'y', 0, 0, 0 ), /* 449 T_Beep_Delay */
+ S_ST( 'n', 0, 0, 0 ), /* 450 T_Sim_Duration */
+ S_ST( 't', 0, 0, 0 ), /* 451 T_Server_Offset */
+ S_ST( 'n', 0, 0, 0 ), /* 452 T_Duration */
+ S_ST( 't', 0, 0, 0 ), /* 453 T_Freq_Offset */
+ S_ST( 'r', 0, 0, 0 ), /* 454 T_Wander */
+ S_ST( 'r', 0, 0, 0 ), /* 455 T_Jitter */
+ S_ST( 'y', 0, 0, 0 ), /* 456 T_Prop_Delay */
+ S_ST( 'y', 0, 0, 0 ), /* 457 T_Proc_Delay */
+ S_ST( 'p', 3, 462, 0 ), /* 458 lea */
+ S_ST( 'f', 3, 460, 0 ), /* 459 leap */
+ S_ST( 'i', 3, 461, 0 ), /* 460 leapf */
+ S_ST( 'l', 3, 334, 0 ), /* 461 leapfi */
+ S_ST( 's', 3, 463, 459 ), /* 462 leap */
+ S_ST( 'm', 3, 464, 0 ), /* 463 leaps */
+ S_ST( 'e', 3, 465, 0 ), /* 464 leapsm */
+ S_ST( 'a', 3, 466, 0 ), /* 465 leapsme */
+ S_ST( 'r', 3, 467, 0 ), /* 466 leapsmea */
+ S_ST( 'i', 3, 468, 0 ), /* 467 leapsmear */
+ S_ST( 'n', 3, 469, 0 ), /* 468 leapsmeari */
+ S_ST( 't', 3, 470, 0 ), /* 469 leapsmearin */
+ S_ST( 'e', 3, 471, 0 ), /* 470 leapsmearint */
+ S_ST( 'r', 3, 472, 0 ), /* 471 leapsmearinte */
+ S_ST( 'v', 3, 473, 0 ), /* 472 leapsmearinter */
+ S_ST( 'a', 3, 335, 0 ), /* 473 leapsmearinterv */
+ S_ST( 'i', 3, 480, 446 ), /* 474 l */
+ S_ST( 'm', 3, 476, 0 ), /* 475 li */
+ S_ST( 'i', 3, 477, 0 ), /* 476 lim */
+ S_ST( 't', 3, 478, 0 ), /* 477 limi */
+ S_ST( 'e', 3, 336, 0 ), /* 478 limit */
+ S_ST( 'n', 3, 337, 475 ), /* 479 li */
+ S_ST( 's', 3, 481, 479 ), /* 480 li */
+ S_ST( 't', 3, 482, 0 ), /* 481 lis */
+ S_ST( 'e', 3, 338, 0 ), /* 482 list */
+ S_ST( 'o', 3, 499, 474 ), /* 483 l */
+ S_ST( 'g', 3, 490, 0 ), /* 484 lo */
+ S_ST( 'c', 3, 486, 0 ), /* 485 log */
+ S_ST( 'o', 3, 487, 0 ), /* 486 logc */
+ S_ST( 'n', 3, 488, 0 ), /* 487 logco */
+ S_ST( 'f', 3, 489, 0 ), /* 488 logcon */
+ S_ST( 'i', 3, 339, 0 ), /* 489 logconf */
+ S_ST( 'f', 3, 491, 485 ), /* 490 log */
+ S_ST( 'i', 3, 492, 0 ), /* 491 logf */
+ S_ST( 'l', 3, 340, 0 ), /* 492 logfi */
+ S_ST( 'o', 3, 494, 484 ), /* 493 lo */
+ S_ST( 'p', 3, 495, 0 ), /* 494 loo */
+ S_ST( 's', 3, 496, 0 ), /* 495 loop */
+ S_ST( 't', 3, 497, 0 ), /* 496 loops */
+ S_ST( 'a', 3, 498, 0 ), /* 497 loopst */
+ S_ST( 't', 3, 341, 0 ), /* 498 loopsta */
+ S_ST( 'w', 3, 500, 493 ), /* 499 lo */
+ S_ST( 'p', 3, 501, 0 ), /* 500 low */
+ S_ST( 'r', 3, 502, 0 ), /* 501 lowp */
+ S_ST( 'i', 3, 503, 0 ), /* 502 lowpr */
+ S_ST( 'o', 3, 504, 0 ), /* 503 lowpri */
+ S_ST( 't', 3, 505, 0 ), /* 504 lowprio */
+ S_ST( 'r', 3, 506, 0 ), /* 505 lowpriot */
+ S_ST( 'a', 3, 342, 0 ), /* 506 lowpriotr */
+ S_ST( 'm', 3, 588, 441 ), /* 507 */
+ S_ST( 'a', 3, 526, 0 ), /* 508 m */
+ S_ST( 'n', 3, 510, 0 ), /* 509 ma */
+ S_ST( 'y', 3, 511, 0 ), /* 510 man */
+ S_ST( 'c', 3, 512, 0 ), /* 511 many */
+ S_ST( 'a', 3, 513, 0 ), /* 512 manyc */
+ S_ST( 's', 3, 514, 0 ), /* 513 manyca */
+ S_ST( 't', 3, 520, 0 ), /* 514 manycas */
+ S_ST( 'c', 3, 516, 0 ), /* 515 manycast */
+ S_ST( 'l', 3, 517, 0 ), /* 516 manycastc */
+ S_ST( 'i', 3, 518, 0 ), /* 517 manycastcl */
+ S_ST( 'e', 3, 519, 0 ), /* 518 manycastcli */
+ S_ST( 'n', 3, 343, 0 ), /* 519 manycastclie */
+ S_ST( 's', 3, 521, 515 ), /* 520 manycast */
+ S_ST( 'e', 3, 522, 0 ), /* 521 manycasts */
+ S_ST( 'r', 3, 523, 0 ), /* 522 manycastse */
+ S_ST( 'v', 3, 524, 0 ), /* 523 manycastser */
+ S_ST( 'e', 3, 344, 0 ), /* 524 manycastserv */
+ S_ST( 's', 3, 345, 509 ), /* 525 ma */
+ S_ST( 'x', 3, 541, 525 ), /* 526 ma */
+ S_ST( 'a', 3, 528, 0 ), /* 527 max */
+ S_ST( 'g', 3, 346, 0 ), /* 528 maxa */
+ S_ST( 'c', 3, 530, 527 ), /* 529 max */
+ S_ST( 'l', 3, 531, 0 ), /* 530 maxc */
+ S_ST( 'o', 3, 532, 0 ), /* 531 maxcl */
+ S_ST( 'c', 3, 347, 0 ), /* 532 maxclo */
+ S_ST( 'd', 3, 537, 529 ), /* 533 max */
+ S_ST( 'e', 3, 535, 0 ), /* 534 maxd */
+ S_ST( 'p', 3, 536, 0 ), /* 535 maxde */
+ S_ST( 't', 3, 348, 0 ), /* 536 maxdep */
+ S_ST( 'i', 3, 538, 534 ), /* 537 maxd */
+ S_ST( 's', 3, 349, 0 ), /* 538 maxdi */
+ S_ST( 'm', 3, 540, 533 ), /* 539 max */
+ S_ST( 'e', 3, 350, 0 ), /* 540 maxm */
+ S_ST( 'p', 3, 542, 539 ), /* 541 max */
+ S_ST( 'o', 3, 543, 0 ), /* 542 maxp */
+ S_ST( 'l', 3, 351, 0 ), /* 543 maxpo */
+ S_ST( 'd', 3, 545, 508 ), /* 544 m */
+ S_ST( 'n', 3, 546, 0 ), /* 545 md */
+ S_ST( 's', 3, 547, 0 ), /* 546 mdn */
+ S_ST( 't', 3, 548, 0 ), /* 547 mdns */
+ S_ST( 'r', 3, 549, 0 ), /* 548 mdnst */
+ S_ST( 'i', 3, 550, 0 ), /* 549 mdnstr */
+ S_ST( 'e', 3, 352, 0 ), /* 550 mdnstri */
+ S_ST( 'e', 3, 353, 544 ), /* 551 m */
+ S_ST( 'l', 3, 553, 0 ), /* 552 mem */
+ S_ST( 'o', 3, 554, 0 ), /* 553 meml */
+ S_ST( 'c', 3, 354, 0 ), /* 554 memlo */
+ S_ST( 'i', 3, 556, 551 ), /* 555 m */
+ S_ST( 'n', 3, 573, 0 ), /* 556 mi */
+ S_ST( 'c', 3, 558, 0 ), /* 557 min */
+ S_ST( 'l', 3, 559, 0 ), /* 558 minc */
+ S_ST( 'o', 3, 560, 0 ), /* 559 mincl */
+ S_ST( 'c', 3, 355, 0 ), /* 560 minclo */
+ S_ST( 'd', 3, 565, 557 ), /* 561 min */
+ S_ST( 'e', 3, 563, 0 ), /* 562 mind */
+ S_ST( 'p', 3, 564, 0 ), /* 563 minde */
+ S_ST( 't', 3, 356, 0 ), /* 564 mindep */
+ S_ST( 'i', 3, 566, 562 ), /* 565 mind */
+ S_ST( 's', 3, 357, 0 ), /* 566 mindi */
+ S_ST( 'i', 3, 568, 561 ), /* 567 min */
+ S_ST( 'm', 3, 569, 0 ), /* 568 mini */
+ S_ST( 'u', 3, 358, 0 ), /* 569 minim */
+ S_ST( 'p', 3, 571, 567 ), /* 570 min */
+ S_ST( 'o', 3, 572, 0 ), /* 571 minp */
+ S_ST( 'l', 3, 359, 0 ), /* 572 minpo */
+ S_ST( 's', 3, 574, 570 ), /* 573 min */
+ S_ST( 'a', 3, 575, 0 ), /* 574 mins */
+ S_ST( 'n', 3, 360, 0 ), /* 575 minsa */
+ S_ST( 'o', 3, 578, 555 ), /* 576 m */
+ S_ST( 'd', 3, 361, 0 ), /* 577 mo */
+ S_ST( 'n', 3, 582, 577 ), /* 578 mo */
+ S_ST( 'i', 3, 580, 0 ), /* 579 mon */
+ S_ST( 't', 3, 581, 0 ), /* 580 moni */
+ S_ST( 'o', 3, 363, 0 ), /* 581 monit */
+ S_ST( 't', 3, 364, 579 ), /* 582 mon */
+ S_ST( 'r', 3, 365, 576 ), /* 583 m */
+ S_ST( 's', 3, 585, 583 ), /* 584 m */
+ S_ST( 's', 3, 586, 0 ), /* 585 ms */
+ S_ST( 'n', 3, 587, 0 ), /* 586 mss */
+ S_ST( 't', 3, 333, 0 ), /* 587 mssn */
+ S_ST( 'u', 3, 589, 584 ), /* 588 m */
+ S_ST( 'l', 3, 590, 0 ), /* 589 mu */
+ S_ST( 't', 3, 591, 0 ), /* 590 mul */
+ S_ST( 'i', 3, 592, 0 ), /* 591 mult */
+ S_ST( 'c', 3, 593, 0 ), /* 592 multi */
+ S_ST( 'a', 3, 594, 0 ), /* 593 multic */
+ S_ST( 's', 3, 595, 0 ), /* 594 multica */
+ S_ST( 't', 3, 596, 0 ), /* 595 multicas */
+ S_ST( 'c', 3, 597, 0 ), /* 596 multicast */
+ S_ST( 'l', 3, 598, 0 ), /* 597 multicastc */
+ S_ST( 'i', 3, 599, 0 ), /* 598 multicastcl */
+ S_ST( 'e', 3, 600, 0 ), /* 599 multicastcli */
+ S_ST( 'n', 3, 366, 0 ), /* 600 multicastclie */
+ S_ST( 'n', 3, 648, 507 ), /* 601 */
+ S_ST( 'i', 3, 367, 0 ), /* 602 n */
+ S_ST( 'o', 3, 643, 602 ), /* 603 n */
+ S_ST( 'e', 3, 605, 0 ), /* 604 no */
+ S_ST( 'p', 3, 606, 0 ), /* 605 noe */
+ S_ST( 'e', 3, 607, 0 ), /* 606 noep */
+ S_ST( 'e', 3, 373, 0 ), /* 607 noepe */
+ S_ST( 'l', 3, 609, 604 ), /* 608 no */
+ S_ST( 'i', 3, 610, 0 ), /* 609 nol */
+ S_ST( 'n', 3, 368, 0 ), /* 610 noli */
+ S_ST( 'm', 3, 616, 608 ), /* 611 no */
+ S_ST( 'o', 3, 613, 0 ), /* 612 nom */
+ S_ST( 'd', 3, 614, 0 ), /* 613 nomo */
+ S_ST( 'i', 3, 615, 0 ), /* 614 nomod */
+ S_ST( 'f', 3, 369, 0 ), /* 615 nomodi */
+ S_ST( 'r', 3, 617, 612 ), /* 616 nom */
+ S_ST( 'u', 3, 618, 0 ), /* 617 nomr */
+ S_ST( 'l', 3, 619, 0 ), /* 618 nomru */
+ S_ST( 'i', 3, 620, 0 ), /* 619 nomrul */
+ S_ST( 's', 3, 370, 0 ), /* 620 nomruli */
+ S_ST( 'n', 3, 622, 611 ), /* 621 no */
+ S_ST( 'v', 3, 623, 371 ), /* 622 non */
+ S_ST( 'o', 3, 624, 0 ), /* 623 nonv */
+ S_ST( 'l', 3, 625, 0 ), /* 624 nonvo */
+ S_ST( 'a', 3, 626, 0 ), /* 625 nonvol */
+ S_ST( 't', 3, 627, 0 ), /* 626 nonvola */
+ S_ST( 'i', 3, 628, 0 ), /* 627 nonvolat */
+ S_ST( 'l', 3, 372, 0 ), /* 628 nonvolati */
+ S_ST( 'p', 3, 630, 621 ), /* 629 no */
+ S_ST( 'e', 3, 631, 0 ), /* 630 nop */
+ S_ST( 'e', 3, 374, 0 ), /* 631 nope */
+ S_ST( 'q', 3, 633, 629 ), /* 632 no */
+ S_ST( 'u', 3, 634, 0 ), /* 633 noq */
+ S_ST( 'e', 3, 635, 0 ), /* 634 noqu */
+ S_ST( 'r', 3, 375, 0 ), /* 635 noque */
+ S_ST( 's', 3, 637, 632 ), /* 636 no */
+ S_ST( 'e', 3, 641, 0 ), /* 637 nos */
+ S_ST( 'l', 3, 639, 0 ), /* 638 nose */
+ S_ST( 'e', 3, 640, 0 ), /* 639 nosel */
+ S_ST( 'c', 3, 376, 0 ), /* 640 nosele */
+ S_ST( 'r', 3, 642, 638 ), /* 641 nose */
+ S_ST( 'v', 3, 377, 0 ), /* 642 noser */
+ S_ST( 't', 3, 644, 636 ), /* 643 no */
+ S_ST( 'r', 3, 646, 0 ), /* 644 not */
+ S_ST( 'a', 3, 378, 0 ), /* 645 notr */
+ S_ST( 'u', 3, 647, 645 ), /* 646 notr */
+ S_ST( 's', 3, 379, 0 ), /* 647 notru */
+ S_ST( 't', 3, 380, 603 ), /* 648 n */
+ S_ST( 'p', 3, 650, 0 ), /* 649 ntp */
+ S_ST( 'o', 3, 651, 0 ), /* 650 ntpp */
+ S_ST( 'r', 3, 381, 0 ), /* 651 ntppo */
+ S_ST( 's', 3, 653, 649 ), /* 652 ntp */
+ S_ST( 'i', 3, 654, 0 ), /* 653 ntps */
+ S_ST( 'g', 3, 655, 0 ), /* 654 ntpsi */
+ S_ST( 'n', 3, 656, 0 ), /* 655 ntpsig */
+ S_ST( 'd', 3, 657, 0 ), /* 656 ntpsign */
+ S_ST( 's', 3, 658, 0 ), /* 657 ntpsignd */
+ S_ST( 'o', 3, 659, 0 ), /* 658 ntpsignds */
+ S_ST( 'c', 3, 660, 0 ), /* 659 ntpsigndso */
+ S_ST( 'k', 3, 661, 0 ), /* 660 ntpsigndsoc */
+ S_ST( 'e', 3, 382, 0 ), /* 661 ntpsigndsock */
+ S_ST( 'o', 3, 663, 601 ), /* 662 */
+ S_ST( 'r', 3, 664, 0 ), /* 663 o */
+ S_ST( 'p', 3, 665, 0 ), /* 664 or */
+ S_ST( 'h', 3, 666, 0 ), /* 665 orp */
+ S_ST( 'a', 3, 383, 0 ), /* 666 orph */
+ S_ST( 'w', 3, 668, 0 ), /* 667 orphan */
+ S_ST( 'a', 3, 669, 0 ), /* 668 orphanw */
+ S_ST( 'i', 3, 384, 0 ), /* 669 orphanwa */
+ S_ST( 'p', 3, 397, 662 ), /* 670 */
+ S_ST( 'a', 3, 672, 0 ), /* 671 p */
+ S_ST( 'n', 3, 673, 0 ), /* 672 pa */
+ S_ST( 'i', 3, 386, 0 ), /* 673 pan */
+ S_ST( 'e', 3, 675, 671 ), /* 674 p */
+ S_ST( 'e', 3, 387, 0 ), /* 675 pe */
+ S_ST( '_', 3, 677, 0 ), /* 676 peer */
+ S_ST( 'c', 3, 678, 0 ), /* 677 peer_ */
+ S_ST( 'l', 3, 679, 0 ), /* 678 peer_c */
+ S_ST( 'e', 3, 680, 0 ), /* 679 peer_cl */
+ S_ST( 'a', 3, 681, 0 ), /* 680 peer_cle */
+ S_ST( 'r', 3, 682, 0 ), /* 681 peer_clea */
+ S_ST( '_', 3, 683, 0 ), /* 682 peer_clear */
+ S_ST( 'd', 3, 684, 0 ), /* 683 peer_clear_ */
+ S_ST( 'i', 3, 685, 0 ), /* 684 peer_clear_d */
+ S_ST( 'g', 3, 686, 0 ), /* 685 peer_clear_di */
+ S_ST( 'e', 3, 687, 0 ), /* 686 peer_clear_dig */
+ S_ST( 's', 3, 688, 0 ), /* 687 peer_clear_dige */
+ S_ST( 't', 3, 689, 0 ), /* 688 peer_clear_diges */
+ S_ST( '_', 3, 690, 0 ), /* 689 peer_clear_digest */
+ S_ST( 'e', 3, 691, 0 ), /* 690 peer_clear_digest_ */
+ S_ST( 'a', 3, 692, 0 ), /* 691 peer_clear_digest_e */
+ S_ST( 'r', 3, 693, 0 ), /* 692 peer_clear_digest_ea */
+ S_ST( 'l', 3, 385, 0 ), /* 693 peer_clear_digest_ear */
+ S_ST( 's', 3, 695, 676 ), /* 694 peer */
+ S_ST( 't', 3, 696, 0 ), /* 695 peers */
+ S_ST( 'a', 3, 697, 0 ), /* 696 peerst */
+ S_ST( 't', 3, 388, 0 ), /* 697 peersta */
+ S_ST( 'h', 3, 699, 674 ), /* 698 p */
+ S_ST( 'o', 3, 700, 0 ), /* 699 ph */
+ S_ST( 'n', 3, 389, 0 ), /* 700 pho */
+ S_ST( 'i', 3, 390, 698 ), /* 701 p */
+ S_ST( 'f', 3, 703, 0 ), /* 702 pid */
+ S_ST( 'i', 3, 704, 0 ), /* 703 pidf */
+ S_ST( 'l', 3, 391, 0 ), /* 704 pidfi */
+ S_ST( 'o', 3, 707, 701 ), /* 705 p */
+ S_ST( 'o', 3, 392, 0 ), /* 706 po */
+ S_ST( 'r', 3, 393, 706 ), /* 707 po */
+ S_ST( 'r', 3, 715, 705 ), /* 708 p */
+ S_ST( 'e', 3, 713, 0 ), /* 709 pr */
+ S_ST( 'e', 3, 711, 0 ), /* 710 pre */
+ S_ST( 'm', 3, 712, 0 ), /* 711 pree */
+ S_ST( 'p', 3, 394, 0 ), /* 712 preem */
+ S_ST( 'f', 3, 714, 710 ), /* 713 pre */
+ S_ST( 'e', 3, 395, 0 ), /* 714 pref */
+ S_ST( 'o', 3, 728, 709 ), /* 715 pr */
+ S_ST( 'c', 3, 717, 0 ), /* 716 pro */
+ S_ST( '_', 3, 718, 0 ), /* 717 proc */
+ S_ST( 'd', 3, 719, 0 ), /* 718 proc_ */
+ S_ST( 'e', 3, 720, 0 ), /* 719 proc_d */
+ S_ST( 'l', 3, 721, 0 ), /* 720 proc_de */
+ S_ST( 'a', 3, 457, 0 ), /* 721 proc_del */
+ S_ST( 'p', 3, 723, 716 ), /* 722 pro */
+ S_ST( '_', 3, 724, 0 ), /* 723 prop */
+ S_ST( 'd', 3, 725, 0 ), /* 724 prop_ */
+ S_ST( 'e', 3, 726, 0 ), /* 725 prop_d */
+ S_ST( 'l', 3, 727, 0 ), /* 726 prop_de */
+ S_ST( 'a', 3, 456, 0 ), /* 727 prop_del */
+ S_ST( 't', 3, 729, 722 ), /* 728 pro */
+ S_ST( 'o', 3, 730, 0 ), /* 729 prot */
+ S_ST( 's', 3, 731, 0 ), /* 730 proto */
+ S_ST( 't', 3, 732, 0 ), /* 731 protos */
+ S_ST( 'a', 3, 733, 0 ), /* 732 protost */
+ S_ST( 't', 3, 396, 0 ), /* 733 protosta */
+ S_ST( 'r', 3, 765, 670 ), /* 734 */
+ S_ST( 'a', 3, 741, 0 ), /* 735 r */
+ S_ST( 'n', 3, 737, 0 ), /* 736 ra */
+ S_ST( 'd', 3, 738, 0 ), /* 737 ran */
+ S_ST( 'f', 3, 739, 0 ), /* 738 rand */
+ S_ST( 'i', 3, 740, 0 ), /* 739 randf */
+ S_ST( 'l', 3, 398, 0 ), /* 740 randfi */
+ S_ST( 'w', 3, 742, 736 ), /* 741 ra */
+ S_ST( 's', 3, 743, 0 ), /* 742 raw */
+ S_ST( 't', 3, 744, 0 ), /* 743 raws */
+ S_ST( 'a', 3, 745, 0 ), /* 744 rawst */
+ S_ST( 't', 3, 399, 0 ), /* 745 rawsta */
+ S_ST( 'e', 3, 762, 735 ), /* 746 r */
+ S_ST( 'f', 3, 748, 0 ), /* 747 re */
+ S_ST( 'i', 3, 400, 0 ), /* 748 ref */
+ S_ST( 'q', 3, 750, 747 ), /* 749 re */
+ S_ST( 'u', 3, 751, 0 ), /* 750 req */
+ S_ST( 'e', 3, 752, 0 ), /* 751 requ */
+ S_ST( 's', 3, 753, 0 ), /* 752 reque */
+ S_ST( 't', 3, 754, 0 ), /* 753 reques */
+ S_ST( 'k', 3, 755, 0 ), /* 754 request */
+ S_ST( 'e', 3, 401, 0 ), /* 755 requestk */
+ S_ST( 's', 3, 758, 749 ), /* 756 re */
+ S_ST( 'e', 3, 402, 0 ), /* 757 res */
+ S_ST( 't', 3, 759, 757 ), /* 758 res */
+ S_ST( 'r', 3, 760, 0 ), /* 759 rest */
+ S_ST( 'i', 3, 761, 0 ), /* 760 restr */
+ S_ST( 'c', 3, 403, 0 ), /* 761 restri */
+ S_ST( 'v', 3, 763, 756 ), /* 762 re */
+ S_ST( 'o', 3, 764, 0 ), /* 763 rev */
+ S_ST( 'k', 3, 404, 0 ), /* 764 revo */
+ S_ST( 'l', 3, 766, 746 ), /* 765 r */
+ S_ST( 'i', 3, 767, 0 ), /* 766 rl */
+ S_ST( 'm', 3, 768, 0 ), /* 767 rli */
+ S_ST( 'i', 3, 405, 0 ), /* 768 rlim */
+ S_ST( 's', 3, 842, 734 ), /* 769 */
+ S_ST( 'a', 3, 771, 0 ), /* 770 s */
+ S_ST( 'v', 3, 772, 0 ), /* 771 sa */
+ S_ST( 'e', 3, 773, 0 ), /* 772 sav */
+ S_ST( 'c', 3, 774, 0 ), /* 773 save */
+ S_ST( 'o', 3, 775, 0 ), /* 774 savec */
+ S_ST( 'n', 3, 776, 0 ), /* 775 saveco */
+ S_ST( 'f', 3, 777, 0 ), /* 776 savecon */
+ S_ST( 'i', 3, 778, 0 ), /* 777 saveconf */
+ S_ST( 'g', 3, 779, 0 ), /* 778 saveconfi */
+ S_ST( 'd', 3, 780, 0 ), /* 779 saveconfig */
+ S_ST( 'i', 3, 406, 0 ), /* 780 saveconfigd */
+ S_ST( 'e', 3, 791, 770 ), /* 781 s */
+ S_ST( 'r', 3, 783, 0 ), /* 782 se */
+ S_ST( 'v', 3, 784, 0 ), /* 783 ser */
+ S_ST( 'e', 3, 407, 0 ), /* 784 serv */
+ S_ST( '_', 3, 786, 0 ), /* 785 server */
+ S_ST( 'o', 3, 787, 0 ), /* 786 server_ */
+ S_ST( 'f', 3, 788, 0 ), /* 787 server_o */
+ S_ST( 'f', 3, 789, 0 ), /* 788 server_of */
+ S_ST( 's', 3, 790, 0 ), /* 789 server_off */
+ S_ST( 'e', 3, 451, 0 ), /* 790 server_offs */
+ S_ST( 't', 3, 792, 782 ), /* 791 se */
+ S_ST( 'v', 3, 793, 0 ), /* 792 set */
+ S_ST( 'a', 3, 408, 0 ), /* 793 setv */
+ S_ST( 'i', 3, 795, 781 ), /* 794 s */
+ S_ST( 'm', 3, 796, 0 ), /* 795 si */
+ S_ST( 'u', 3, 797, 0 ), /* 796 sim */
+ S_ST( 'l', 3, 798, 0 ), /* 797 simu */
+ S_ST( 'a', 3, 799, 0 ), /* 798 simul */
+ S_ST( 't', 3, 800, 0 ), /* 799 simula */
+ S_ST( 'i', 3, 801, 448 ), /* 800 simulat */
+ S_ST( 'o', 3, 802, 0 ), /* 801 simulati */
+ S_ST( 'n', 3, 803, 0 ), /* 802 simulatio */
+ S_ST( '_', 3, 804, 0 ), /* 803 simulation */
+ S_ST( 'd', 3, 805, 0 ), /* 804 simulation_ */
+ S_ST( 'u', 3, 806, 0 ), /* 805 simulation_d */
+ S_ST( 'r', 3, 807, 0 ), /* 806 simulation_du */
+ S_ST( 'a', 3, 808, 0 ), /* 807 simulation_dur */
+ S_ST( 't', 3, 809, 0 ), /* 808 simulation_dura */
+ S_ST( 'i', 3, 810, 0 ), /* 809 simulation_durat */
+ S_ST( 'o', 3, 450, 0 ), /* 810 simulation_durati */
+ S_ST( 'o', 3, 812, 794 ), /* 811 s */
+ S_ST( 'u', 3, 813, 0 ), /* 812 so */
+ S_ST( 'r', 3, 814, 0 ), /* 813 sou */
+ S_ST( 'c', 3, 409, 0 ), /* 814 sour */
+ S_ST( 't', 3, 838, 811 ), /* 815 s */
+ S_ST( 'a', 3, 822, 0 ), /* 816 st */
+ S_ST( 'c', 3, 818, 0 ), /* 817 sta */
+ S_ST( 'k', 3, 819, 0 ), /* 818 stac */
+ S_ST( 's', 3, 820, 0 ), /* 819 stack */
+ S_ST( 'i', 3, 821, 0 ), /* 820 stacks */
+ S_ST( 'z', 3, 410, 0 ), /* 821 stacksi */
+ S_ST( 't', 3, 412, 817 ), /* 822 sta */
+ S_ST( 'i', 3, 824, 0 ), /* 823 stat */
+ S_ST( 's', 3, 825, 0 ), /* 824 stati */
+ S_ST( 't', 3, 826, 0 ), /* 825 statis */
+ S_ST( 'i', 3, 827, 0 ), /* 826 statist */
+ S_ST( 'c', 3, 411, 0 ), /* 827 statisti */
+ S_ST( 'd', 3, 829, 0 ), /* 828 stats */
+ S_ST( 'i', 3, 413, 0 ), /* 829 statsd */
+ S_ST( 'e', 3, 414, 816 ), /* 830 st */
+ S_ST( 'b', 3, 832, 0 ), /* 831 step */
+ S_ST( 'a', 3, 833, 0 ), /* 832 stepb */
+ S_ST( 'c', 3, 415, 0 ), /* 833 stepba */
+ S_ST( 'f', 3, 835, 831 ), /* 834 step */
+ S_ST( 'w', 3, 416, 0 ), /* 835 stepf */
+ S_ST( 'o', 3, 837, 834 ), /* 836 step */
+ S_ST( 'u', 3, 417, 0 ), /* 837 stepo */
+ S_ST( 'r', 3, 839, 830 ), /* 838 st */
+ S_ST( 'a', 3, 840, 0 ), /* 839 str */
+ S_ST( 't', 3, 841, 0 ), /* 840 stra */
+ S_ST( 'u', 3, 418, 0 ), /* 841 strat */
+ S_ST( 'y', 3, 420, 815 ), /* 842 s */
+ S_ST( 's', 3, 844, 0 ), /* 843 sys */
+ S_ST( 't', 3, 845, 0 ), /* 844 syss */
+ S_ST( 'a', 3, 846, 0 ), /* 845 sysst */
+ S_ST( 't', 3, 421, 0 ), /* 846 syssta */
+ S_ST( 't', 3, 873, 769 ), /* 847 */
+ S_ST( 'i', 3, 859, 0 ), /* 848 t */
+ S_ST( 'c', 3, 422, 0 ), /* 849 ti */
+ S_ST( 'm', 3, 852, 849 ), /* 850 ti */
+ S_ST( 'e', 3, 425, 0 ), /* 851 tim */
+ S_ST( 'i', 3, 853, 851 ), /* 852 tim */
+ S_ST( 'n', 3, 854, 0 ), /* 853 timi */
+ S_ST( 'g', 3, 855, 0 ), /* 854 timin */
+ S_ST( 's', 3, 856, 0 ), /* 855 timing */
+ S_ST( 't', 3, 857, 0 ), /* 856 timings */
+ S_ST( 'a', 3, 858, 0 ), /* 857 timingst */
+ S_ST( 't', 3, 426, 0 ), /* 858 timingsta */
+ S_ST( 'n', 3, 860, 850 ), /* 859 ti */
+ S_ST( 'k', 3, 861, 0 ), /* 860 tin */
+ S_ST( 'e', 3, 427, 0 ), /* 861 tink */
+ S_ST( 'o', 3, 428, 848 ), /* 862 t */
+ S_ST( 'r', 3, 865, 862 ), /* 863 t */
+ S_ST( 'a', 3, 429, 0 ), /* 864 tr */
+ S_ST( 'u', 3, 866, 864 ), /* 865 tr */
+ S_ST( 's', 3, 867, 430 ), /* 866 tru */
+ S_ST( 't', 3, 868, 0 ), /* 867 trus */
+ S_ST( 'e', 3, 869, 0 ), /* 868 trust */
+ S_ST( 'd', 3, 870, 0 ), /* 869 truste */
+ S_ST( 'k', 3, 871, 0 ), /* 870 trusted */
+ S_ST( 'e', 3, 431, 0 ), /* 871 trustedk */
+ S_ST( 't', 3, 432, 863 ), /* 872 t */
+ S_ST( 'y', 3, 874, 872 ), /* 873 t */
+ S_ST( 'p', 3, 433, 0 ), /* 874 ty */
+ S_ST( 'u', 3, 876, 847 ), /* 875 */
+ S_ST( 'n', 3, 882, 0 ), /* 876 u */
+ S_ST( 'c', 3, 878, 0 ), /* 877 un */
+ S_ST( 'o', 3, 879, 0 ), /* 878 unc */
+ S_ST( 'n', 3, 880, 0 ), /* 879 unco */
+ S_ST( 'f', 3, 881, 0 ), /* 880 uncon */
+ S_ST( 'i', 3, 438, 0 ), /* 881 unconf */
+ S_ST( 'p', 3, 883, 877 ), /* 882 un */
+ S_ST( 'e', 3, 884, 0 ), /* 883 unp */
+ S_ST( 'e', 3, 439, 0 ), /* 884 unpe */
+ S_ST( '_', 3, 905, 0 ), /* 885 unpeer */
+ S_ST( 'c', 3, 887, 0 ), /* 886 unpeer_ */
+ S_ST( 'r', 3, 888, 0 ), /* 887 unpeer_c */
+ S_ST( 'y', 3, 889, 0 ), /* 888 unpeer_cr */
+ S_ST( 'p', 3, 890, 0 ), /* 889 unpeer_cry */
+ S_ST( 't', 3, 891, 0 ), /* 890 unpeer_cryp */
+ S_ST( 'o', 3, 892, 0 ), /* 891 unpeer_crypt */
+ S_ST( '_', 3, 897, 0 ), /* 892 unpeer_crypto */
+ S_ST( 'e', 3, 894, 0 ), /* 893 unpeer_crypto_ */
+ S_ST( 'a', 3, 895, 0 ), /* 894 unpeer_crypto_e */
+ S_ST( 'r', 3, 896, 0 ), /* 895 unpeer_crypto_ea */
+ S_ST( 'l', 3, 435, 0 ), /* 896 unpeer_crypto_ear */
+ S_ST( 'n', 3, 898, 893 ), /* 897 unpeer_crypto_ */
+ S_ST( 'a', 3, 899, 0 ), /* 898 unpeer_crypto_n */
+ S_ST( 'k', 3, 900, 0 ), /* 899 unpeer_crypto_na */
+ S_ST( '_', 3, 901, 0 ), /* 900 unpeer_crypto_nak */
+ S_ST( 'e', 3, 902, 0 ), /* 901 unpeer_crypto_nak_ */
+ S_ST( 'a', 3, 903, 0 ), /* 902 unpeer_crypto_nak_e */
+ S_ST( 'r', 3, 904, 0 ), /* 903 unpeer_crypto_nak_ea */
+ S_ST( 'l', 3, 436, 0 ), /* 904 unpeer_crypto_nak_ear */
+ S_ST( 'd', 3, 906, 886 ), /* 905 unpeer_ */
+ S_ST( 'i', 3, 907, 0 ), /* 906 unpeer_d */
+ S_ST( 'g', 3, 908, 0 ), /* 907 unpeer_di */
+ S_ST( 'e', 3, 909, 0 ), /* 908 unpeer_dig */
+ S_ST( 's', 3, 910, 0 ), /* 909 unpeer_dige */
+ S_ST( 't', 3, 911, 0 ), /* 910 unpeer_diges */
+ S_ST( '_', 3, 912, 0 ), /* 911 unpeer_digest */
+ S_ST( 'e', 3, 913, 0 ), /* 912 unpeer_digest_ */
+ S_ST( 'a', 3, 914, 0 ), /* 913 unpeer_digest_e */
+ S_ST( 'r', 3, 915, 0 ), /* 914 unpeer_digest_ea */
+ S_ST( 'l', 3, 437, 0 ), /* 915 unpeer_digest_ear */
+ S_ST( 'v', 3, 917, 875 ), /* 916 */
+ S_ST( 'e', 3, 918, 0 ), /* 917 v */
+ S_ST( 'r', 3, 919, 0 ), /* 918 ve */
+ S_ST( 's', 3, 920, 0 ), /* 919 ver */
+ S_ST( 'i', 3, 921, 0 ), /* 920 vers */
+ S_ST( 'o', 3, 440, 0 ), /* 921 versi */
+ S_ST( 'w', 3, 929, 916 ), /* 922 */
+ S_ST( 'a', 3, 924, 0 ), /* 923 w */
+ S_ST( 'n', 3, 925, 0 ), /* 924 wa */
+ S_ST( 'd', 3, 926, 0 ), /* 925 wan */
+ S_ST( 'e', 3, 454, 0 ), /* 926 wand */
+ S_ST( 'e', 3, 928, 923 ), /* 927 w */
+ S_ST( 'e', 3, 442, 0 ), /* 928 we */
+ S_ST( 'i', 3, 930, 927 ), /* 929 w */
+ S_ST( 'l', 3, 931, 0 ), /* 930 wi */
+ S_ST( 'd', 3, 932, 0 ), /* 931 wil */
+ S_ST( 'c', 3, 933, 0 ), /* 932 wild */
+ S_ST( 'a', 3, 934, 0 ), /* 933 wildc */
+ S_ST( 'r', 3, 443, 0 ), /* 934 wildca */
+ S_ST( 'x', 3, 936, 922 ), /* 935 */
+ S_ST( 'l', 3, 937, 0 ), /* 936 x */
+ S_ST( 'e', 3, 938, 0 ), /* 937 xl */
+ S_ST( 'a', 3, 939, 0 ), /* 938 xle */
+ S_ST( 'v', 3, 444, 0 ), /* 939 xlea */
+ S_ST( 'y', 3, 941, 935 ), /* 940 [initial state] */
+ S_ST( 'e', 3, 942, 0 ), /* 941 y */
+ S_ST( 'a', 3, 445, 0 ) /* 942 ye */
};
Index: contrib/ntp/ntpd/ntp_peer.c
===================================================================
--- contrib/ntp/ntpd/ntp_peer.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_peer.c (版本 330908)
@@ -117,7 +117,7 @@
struct peer *, int);
static struct peer * findexistingpeer_addr(sockaddr_u *,
struct peer *, int,
- u_char);
+ u_char, int *);
static void free_peer(struct peer *, int);
static void getmorepeermem(void);
static int score(struct peer *);
@@ -203,17 +203,18 @@
sockaddr_u * addr,
struct peer * start_peer,
int mode,
- u_char cast_flags
+ u_char cast_flags,
+ int * ip_count
)
{
struct peer *peer;
- DPRINTF(2, ("findexistingpeer_addr(%s, %s, %d, 0x%x)\n",
+ DPRINTF(2, ("findexistingpeer_addr(%s, %s, %d, 0x%x, %p)\n",
sptoa(addr),
(start_peer)
? sptoa(&start_peer->srcadr)
: "NULL",
- mode, (u_int)cast_flags));
+ mode, (u_int)cast_flags, ip_count));
/*
* start_peer is included so we can locate instances of the
@@ -234,6 +235,11 @@
DPRINTF(3, ("%s %s %d %d 0x%x 0x%x ", sptoa(addr),
sptoa(&peer->srcadr), mode, peer->hmode,
(u_int)cast_flags, (u_int)peer->cast_flags));
+ if (ip_count) {
+ if (SOCK_EQ(addr, &peer->srcadr)) {
+ (*ip_count)++;
+ }
+ }
if ((-1 == mode || peer->hmode == mode ||
((MDF_BCLNT & peer->cast_flags) &&
(MDF_BCLNT & cast_flags))) &&
@@ -258,7 +264,8 @@
const char * hostname,
struct peer * start_peer,
int mode,
- u_char cast_flags
+ u_char cast_flags,
+ int * ip_count
)
{
if (hostname != NULL)
@@ -266,7 +273,7 @@
start_peer, mode);
else
return findexistingpeer_addr(addr, start_peer, mode,
- cast_flags);
+ cast_flags, ip_count);
}
@@ -561,6 +568,7 @@
sockaddr_u * srcadr,
const char * hostname,
endpt * dstadr,
+ int ippeerlimit,
u_char hmode,
u_char version,
u_char minpoll,
@@ -611,7 +619,7 @@
flags |= FLAG_IBURST;
if ((MDF_ACAST | MDF_POOL) & cast_flags)
flags &= ~FLAG_PREEMPT;
- return newpeer(srcadr, hostname, dstadr, hmode, version,
+ return newpeer(srcadr, hostname, dstadr, ippeerlimit, hmode, version,
minpoll, maxpoll, flags, cast_flags, ttl, key, ident);
}
@@ -753,6 +761,7 @@
sockaddr_u * srcadr,
const char * hostname,
endpt * dstadr,
+ int ippeerlimit,
u_char hmode,
u_char version,
u_char minpoll,
@@ -766,7 +775,9 @@
{
struct peer * peer;
u_int hash;
+ int ip_count = 0;
+
DEBUG_REQUIRE(srcadr);
#ifdef AUTOKEY
@@ -799,11 +810,11 @@
*/
if (dstadr != NULL) {
peer = findexistingpeer(srcadr, hostname, NULL, hmode,
- cast_flags);
+ cast_flags, &ip_count);
while (peer != NULL) {
- if (peer->dstadr == dstadr ||
- ((MDF_BCLNT & cast_flags) &&
- (MDF_BCLNT & peer->cast_flags)))
+ if ( peer->dstadr == dstadr
+ || ( (MDF_BCLNT & cast_flags)
+ && (MDF_BCLNT & peer->cast_flags)))
break;
if (dstadr == ANY_INTERFACE_CHOOSE(srcadr) &&
@@ -811,12 +822,12 @@
break;
peer = findexistingpeer(srcadr, hostname, peer,
- hmode, cast_flags);
+ hmode, cast_flags, &ip_count);
}
} else {
/* no endpt address given */
peer = findexistingpeer(srcadr, hostname, NULL, hmode,
- cast_flags);
+ cast_flags, &ip_count);
}
/*
@@ -833,6 +844,30 @@
return NULL;
}
+DPRINTF(1, ("newpeer(%s) found no existing and %d other associations\n",
+ (hostname)
+ ? hostname
+ : stoa(srcadr),
+ ip_count));
+
+ /* Check ippeerlimit wrt ip_count */
+ if (ippeerlimit > -1) {
+ if (ip_count + 1 > ippeerlimit) {
+ DPRINTF(2, ("newpeer(%s) denied - ippeerlimit %d\n",
+ (hostname)
+ ? hostname
+ : stoa(srcadr),
+ ippeerlimit));
+ return NULL;
+ }
+ } else {
+ DPRINTF(1, ("newpeer(%s) - ippeerlimit %d ignored\n",
+ (hostname)
+ ? hostname
+ : stoa(srcadr),
+ ippeerlimit));
+ }
+
/*
* Allocate a new peer structure. Some dirt here, since some of
* the initialization requires knowlege of our system state.
Index: contrib/ntp/ntpd/ntp_restrict.c
===================================================================
--- contrib/ntp/ntpd/ntp_restrict.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_restrict.c (版本 330908)
@@ -86,6 +86,8 @@
/*
* Our default entries.
+ *
+ * We can make this cleaner with c99 support: see init_restrict().
*/
static restrict_u restrict_def4;
static restrict_u restrict_def6;
@@ -94,8 +96,9 @@
* "restrict source ..." enabled knob and restriction bits.
*/
static int restrict_source_enabled;
-static u_short restrict_source_flags;
+static u_short restrict_source_rflags;
static u_short restrict_source_mflags;
+static short restrict_source_ippeerlimit;
/*
* private functions
@@ -111,9 +114,82 @@
static restrict_u * match_restrict_entry(const restrict_u *, int);
static int res_sorts_before4(restrict_u *, restrict_u *);
static int res_sorts_before6(restrict_u *, restrict_u *);
+static char * roptoa(restrict_op op);
+void dump_restricts(void);
+
/*
+ * dump_restrict - spit out a restrict_u
+ */
+static void
+dump_restrict(
+ restrict_u * res,
+ int is_ipv6
+ )
+{
+ char as[INET6_ADDRSTRLEN];
+ char ms[INET6_ADDRSTRLEN];
+
+ if (is_ipv6) {
+ inet_ntop(AF_INET6, &res->u.v6.addr, as, sizeof as);
+ inet_ntop(AF_INET6, &res->u.v6.mask, ms, sizeof ms);
+ } else {
+ struct in_addr sia = { htonl(res->u.v4.addr) };
+ struct in_addr sim = { htonl(res->u.v4.mask) };
+
+ inet_ntop(AF_INET, &sia, as, sizeof as);
+ inet_ntop(AF_INET, &sim, ms, sizeof ms);
+ }
+ mprintf("restrict node at %p: %s/%s count %d, rflags %05x, mflags %05x, ippeerlimit %d, expire %lu, next %p\n",
+ res, as, ms, res->count, res->rflags, res->mflags,
+ res->ippeerlimit, res->expire, res->link);
+ return;
+}
+
+
+/*
+ * dump_restricts - spit out the 'restrict' lines
+ */
+void
+dump_restricts(void)
+{
+ int defaultv4_done = 0;
+ int defaultv6_done = 0;
+ restrict_u * res;
+ restrict_u * next;
+
+ mprintf("dump_restrict: restrict_def4: %p\n", &restrict_def4);
+ /* Spit out 'restrict {,-4,-6} default ...' lines, if needed */
+ for (res = &restrict_def4; res != NULL; res = next) {
+ dump_restrict(res, 0);
+ next = res->link;
+ }
+
+ mprintf("dump_restrict: restrict_def6: %p\n", &restrict_def6);
+ for (res = &restrict_def6; res != NULL; res = next) {
+ dump_restrict(res, 1);
+ next = res->link;
+ }
+
+ /* Spit out the IPv4 list */
+ mprintf("dump_restrict: restrictlist4: %p\n", &restrictlist4);
+ for (res = restrictlist4; res != NULL; res = next) {
+ dump_restrict(res, 0);
+ next = res->link;
+ }
+
+ /* Spit out the IPv6 list */
+ mprintf("dump_restrict: restrictlist6: %p\n", &restrictlist6);
+ for (res = restrictlist6; res != NULL; res = next) {
+ dump_restrict(res, 1);
+ next = res->link;
+ }
+
+ return;
+}
+
+/*
* init_restrict - initialize the restriction data structures
*/
void
@@ -147,6 +223,10 @@
* behavior as but reversed implementation compared to the docs.
*
*/
+
+ restrict_def4.ippeerlimit = -1; /* Cleaner if we have C99 */
+ restrict_def6.ippeerlimit = -1; /* Cleaner if we have C99 */
+
LINK_SLIST(restrictlist4, &restrict_def4, link);
LINK_SLIST(restrictlist6, &restrict_def6, link);
restrictcount = 2;
@@ -215,7 +295,7 @@
restrict_u * unlinked;
restrictcount--;
- if (RES_LIMITED & res->flags)
+ if (RES_LIMITED & res->rflags)
dec_res_limited();
if (v6)
@@ -265,14 +345,21 @@
restrict_u * next;
for (res = restrictlist4; res != NULL; res = next) {
+ struct in_addr sia = { htonl(res->u.v4.addr) };
+
next = res->link;
- if (res->expire &&
- res->expire <= current_time)
- free_res(res, v6);
- if (res->u.v4.addr == (addr & res->u.v4.mask)
- && (!(RESM_NTPONLY & res->mflags)
- || NTP_PORT == port))
+ DPRINTF(2, ("match_restrict4_addr: Checking %s, port %d ... ",
+ inet_ntoa(sia), port));
+ if ( res->expire
+ && res->expire <= current_time)
+ free_res(res, v6); /* zeroes the contents */
+ if ( res->u.v4.addr == (addr & res->u.v4.mask)
+ && ( !(RESM_NTPONLY & res->mflags)
+ || NTP_PORT == port)) {
+ DPRINTF(2, ("MATCH: ippeerlimit %d\n", res->ippeerlimit));
break;
+ }
+ DPRINTF(2, ("doesn't match: ippeerlimit %d\n", res->ippeerlimit));
}
return res;
}
@@ -410,19 +497,25 @@
/*
- * restrictions - return restrictions for this host
+ * restrictions - return restrictions for this host in *r4a
*/
-u_short
+void
restrictions(
- sockaddr_u *srcadr
+ sockaddr_u *srcadr,
+ r4addr *r4a
)
{
restrict_u *match;
struct in6_addr *pin6;
- u_short flags;
+ REQUIRE(NULL != r4a);
+
res_calls++;
- flags = 0;
+ r4a->rflags = RES_IGNORE;
+ r4a->ippeerlimit = 0;
+
+ DPRINTF(1, ("restrictions: looking up %s\n", stoa(srcadr)));
+
/* IPv4 source address */
if (IS_IPV4(srcadr)) {
/*
@@ -430,8 +523,11 @@
* (this should be done early in the receive process,
* not later!)
*/
- if (IN_CLASSD(SRCADR(srcadr)))
- return (int)RES_IGNORE;
+ if (IN_CLASSD(SRCADR(srcadr))) {
+ DPRINTF(1, ("restrictions: srcadr %s is multicast\n", stoa(srcadr)));
+ r4a->ippeerlimit = 2; /* XXX: we should use a better value */
+ return;
+ }
match = match_restrict4_addr(SRCADR(srcadr),
SRCPORT(srcadr));
@@ -448,7 +544,8 @@
res_not_found++;
else
res_found++;
- flags = match->flags;
+ r4a->rflags = match->rflags;
+ r4a->ippeerlimit = match->ippeerlimit;
}
/* IPv6 source address */
@@ -461,7 +558,7 @@
* not later!)
*/
if (IN6_IS_ADDR_MULTICAST(pin6))
- return (int)RES_IGNORE;
+ return;
match = match_restrict6_addr(pin6, SRCPORT(srcadr));
INSIST(match != NULL);
@@ -470,22 +567,43 @@
res_not_found++;
else
res_found++;
- flags = match->flags;
+ r4a->rflags = match->rflags;
+ r4a->ippeerlimit = match->ippeerlimit;
}
- return (flags);
+ return;
}
/*
+ * roptoa - convert a restrict_op to a string
+ */
+char *
+roptoa(restrict_op op) {
+ static char sb[30];
+
+ switch(op) {
+ case RESTRICT_FLAGS: return "RESTRICT_FLAGS";
+ case RESTRICT_UNFLAG: return "RESTRICT_UNFLAGS";
+ case RESTRICT_REMOVE: return "RESTRICT_REMOVE";
+ case RESTRICT_REMOVEIF: return "RESTRICT_REMOVEIF";
+ default:
+ snprintf(sb, sizeof sb, "**RESTRICT_#%d**", op);
+ return sb;
+ }
+}
+
+
+/*
* hack_restrict - add/subtract/manipulate entries on the restrict list
*/
void
hack_restrict(
- int op,
+ restrict_op op,
sockaddr_u * resaddr,
sockaddr_u * resmask,
+ short ippeerlimit,
u_short mflags,
- u_short flags,
+ u_short rflags,
u_long expire
)
{
@@ -494,14 +612,15 @@
restrict_u * res;
restrict_u ** plisthead;
- DPRINTF(1, ("restrict: op %d addr %s mask %s mflags %08x flags %08x\n",
- op, stoa(resaddr), stoa(resmask), mflags, flags));
+ DPRINTF(1, ("hack_restrict: op %s addr %s mask %s ippeerlimit %d mflags %08x rflags %08x\n",
+ roptoa(op), stoa(resaddr), stoa(resmask), ippeerlimit, mflags, rflags));
if (NULL == resaddr) {
REQUIRE(NULL == resmask);
REQUIRE(RESTRICT_FLAGS == op);
- restrict_source_flags = flags;
+ restrict_source_rflags = rflags;
restrict_source_mflags = mflags;
+ restrict_source_ippeerlimit = ippeerlimit;
restrict_source_enabled = 1;
return;
}
@@ -538,8 +657,9 @@
} else /* not IPv4 nor IPv6 */
REQUIRE(0);
- match.flags = flags;
+ match.rflags = rflags;
match.mflags = mflags;
+ match.ippeerlimit = ippeerlimit;
match.expire = expire;
res = match_restrict_entry(&match, v6);
@@ -547,7 +667,7 @@
case RESTRICT_FLAGS:
/*
- * Here we add bits to the flags. If this is a
+ * Here we add bits to the rflags. If this is a
* new restriction add it.
*/
if (NULL == res) {
@@ -569,26 +689,29 @@
: res_sorts_before4(res, L_S_S_CUR()),
link, restrict_u);
restrictcount++;
- if (RES_LIMITED & flags)
+ if (RES_LIMITED & rflags)
inc_res_limited();
} else {
- if ((RES_LIMITED & flags) &&
- !(RES_LIMITED & res->flags))
+ if ( (RES_LIMITED & rflags)
+ && !(RES_LIMITED & res->rflags))
inc_res_limited();
- res->flags |= flags;
+ res->rflags |= rflags;
}
+
+ res->ippeerlimit = match.ippeerlimit;
+
break;
case RESTRICT_UNFLAG:
/*
- * Remove some bits from the flags. If we didn't
+ * Remove some bits from the rflags. If we didn't
* find this one, just return.
*/
if (res != NULL) {
- if ((RES_LIMITED & res->flags)
- && (RES_LIMITED & flags))
+ if ( (RES_LIMITED & res->rflags)
+ && (RES_LIMITED & rflags))
dec_res_limited();
- res->flags &= ~flags;
+ res->rflags &= ~rflags;
}
break;
@@ -639,7 +762,7 @@
SET_HOSTMASK(&onesmask, AF(addr));
if (farewell) {
hack_restrict(RESTRICT_REMOVE, addr, &onesmask,
- 0, 0, 0);
+ -2, 0, 0, 0);
DPRINTF(1, ("restrict_source: %s removed", stoa(addr)));
return;
}
@@ -672,8 +795,8 @@
return;
hack_restrict(RESTRICT_FLAGS, addr, &onesmask,
- restrict_source_mflags, restrict_source_flags,
- expire);
+ restrict_source_ippeerlimit, restrict_source_mflags,
+ restrict_source_rflags, expire);
DPRINTF(1, ("restrict_source: %s host restriction added\n",
stoa(addr)));
}
Index: contrib/ntp/ntpd/ntpd-opts.h
===================================================================
--- contrib/ntp/ntpd/ntpd-opts.h (版本 330566)
+++ contrib/ntp/ntpd/ntpd-opts.h (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpd-opts.h)
*
- * It has been AutoGen-ed March 21, 2017 at 10:42:11 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:13:17 PM by AutoGen 5.18.5
* From the definitions ntpd-opts.def
* and the template file options
*
@@ -106,9 +106,9 @@
/** count of all options for ntpd */
#define OPTION_CT 38
/** ntpd version */
-#define NTPD_VERSION "4.2.8p10"
+#define NTPD_VERSION "4.2.8p11"
/** Full ntpd version text */
-#define NTPD_FULL_VERSION "ntpd 4.2.8p10"
+#define NTPD_FULL_VERSION "ntpd 4.2.8p11"
/**
* Interface defines for all options. Replace "n" with the UPPER_CASED
Index: contrib/ntp/ntpd/ntpd.html
===================================================================
--- contrib/ntp/ntpd/ntpd.html (版本 330566)
+++ contrib/ntp/ntpd/ntpd.html (版本 330908)
@@ -39,7 +39,7 @@
symmetric and broadcast modes, and with both symmetric-key and public-key
cryptography.
- <p>This document applies to version 4.2.8p10 of <code>ntpd</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntpd</code>.
<ul class="menu">
<li><a accesskey="1" href="#ntpd-Description">ntpd Description</a>: Description
@@ -220,7 +220,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntpd - NTP daemon program - Ver. 4.2.8p10-beta
+<pre class="example">ntpd - NTP daemon program - Ver. 4.2.8p10
Usage: ntpd [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... \
[ &lt;server1&gt; ... &lt;serverN&gt; ]
Flg Arg Option-Name Description
Index: contrib/ntp/ntpd/refclock_gpsdjson.c
===================================================================
--- contrib/ntp/ntpd/refclock_gpsdjson.c (版本 330566)
+++ contrib/ntp/ntpd/refclock_gpsdjson.c (版本 330908)
@@ -1891,7 +1891,7 @@
*/
ov = 1;
rc = setsockopt(up->fdt, IPPROTO_TCP, TCP_NODELAY,
- (char*)&ov, sizeof(ov));
+ (void *)&ov, sizeof(ov));
if (-1 == rc) {
if (syslogok(pp, up))
msyslog(LOG_INFO,
@@ -1999,7 +1999,7 @@
/* check for socket error */
ec = 0;
lc = sizeof(ec);
- rc = getsockopt(up->fdt, SOL_SOCKET, SO_ERROR, &ec, &lc);
+ rc = getsockopt(up->fdt, SOL_SOCKET, SO_ERROR, (void *)&ec, &lc);
if (-1 == rc || 0 != ec) {
const char *errtxt;
if (0 == ec)
Index: contrib/ntp/ntpd/ntp_parser.c
===================================================================
--- contrib/ntp/ntpd/ntp_parser.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_parser.c (版本 330908)
@@ -62,7 +62,7 @@
/* Copy the first part of user declarations. */
-#line 11 "ntp_parser.y" /* yacc.c:339 */
+#line 11 "../../ntpd/ntp_parser.y" /* yacc.c:339 */
#ifdef HAVE_CONFIG_H
# include <config.h>
@@ -116,8 +116,8 @@
/* In a future release of Bison, this section will be replaced
by #include "y.tab.h". */
-#ifndef YY_YY_Y_TAB_H_INCLUDED
-# define YY_YY_Y_TAB_H_INCLUDED
+#ifndef YY_YY_NTP_PARSER_H_INCLUDED
+# define YY_YY_NTP_PARSER_H_INCLUDED
/* Debug traces. */
#ifndef YYDEBUG
# define YYDEBUG 1
@@ -140,193 +140,197 @@
T_Autokey = 264,
T_Automax = 265,
T_Average = 266,
- T_Bclient = 267,
- T_Bcpollbstep = 268,
- T_Beacon = 269,
- T_Broadcast = 270,
- T_Broadcastclient = 271,
- T_Broadcastdelay = 272,
- T_Burst = 273,
- T_Calibrate = 274,
- T_Ceiling = 275,
- T_Clockstats = 276,
- T_Cohort = 277,
- T_ControlKey = 278,
- T_Crypto = 279,
- T_Cryptostats = 280,
- T_Ctl = 281,
- T_Day = 282,
- T_Default = 283,
- T_Digest = 284,
- T_Disable = 285,
- T_Discard = 286,
- T_Dispersion = 287,
- T_Double = 288,
- T_Driftfile = 289,
- T_Drop = 290,
- T_Dscp = 291,
- T_Ellipsis = 292,
- T_Enable = 293,
- T_End = 294,
- T_False = 295,
- T_File = 296,
- T_Filegen = 297,
- T_Filenum = 298,
- T_Flag1 = 299,
- T_Flag2 = 300,
- T_Flag3 = 301,
- T_Flag4 = 302,
- T_Flake = 303,
- T_Floor = 304,
- T_Freq = 305,
- T_Fudge = 306,
- T_Host = 307,
- T_Huffpuff = 308,
- T_Iburst = 309,
- T_Ident = 310,
- T_Ignore = 311,
- T_Incalloc = 312,
- T_Incmem = 313,
- T_Initalloc = 314,
- T_Initmem = 315,
- T_Includefile = 316,
- T_Integer = 317,
- T_Interface = 318,
- T_Intrange = 319,
- T_Io = 320,
- T_Ipv4 = 321,
- T_Ipv4_flag = 322,
- T_Ipv6 = 323,
- T_Ipv6_flag = 324,
- T_Kernel = 325,
- T_Key = 326,
- T_Keys = 327,
- T_Keysdir = 328,
- T_Kod = 329,
- T_Mssntp = 330,
- T_Leapfile = 331,
- T_Leapsmearinterval = 332,
- T_Limited = 333,
- T_Link = 334,
- T_Listen = 335,
- T_Logconfig = 336,
- T_Logfile = 337,
- T_Loopstats = 338,
- T_Lowpriotrap = 339,
- T_Manycastclient = 340,
- T_Manycastserver = 341,
- T_Mask = 342,
- T_Maxage = 343,
- T_Maxclock = 344,
- T_Maxdepth = 345,
- T_Maxdist = 346,
- T_Maxmem = 347,
- T_Maxpoll = 348,
- T_Mdnstries = 349,
- T_Mem = 350,
- T_Memlock = 351,
- T_Minclock = 352,
- T_Mindepth = 353,
- T_Mindist = 354,
- T_Minimum = 355,
- T_Minpoll = 356,
- T_Minsane = 357,
- T_Mode = 358,
- T_Mode7 = 359,
- T_Monitor = 360,
- T_Month = 361,
- T_Mru = 362,
- T_Multicastclient = 363,
- T_Nic = 364,
- T_Nolink = 365,
- T_Nomodify = 366,
- T_Nomrulist = 367,
- T_None = 368,
- T_Nonvolatile = 369,
- T_Nopeer = 370,
- T_Noquery = 371,
- T_Noselect = 372,
- T_Noserve = 373,
- T_Notrap = 374,
- T_Notrust = 375,
- T_Ntp = 376,
- T_Ntpport = 377,
- T_NtpSignDsocket = 378,
- T_Orphan = 379,
- T_Orphanwait = 380,
- T_PCEdigest = 381,
- T_Panic = 382,
- T_Peer = 383,
- T_Peerstats = 384,
- T_Phone = 385,
- T_Pid = 386,
- T_Pidfile = 387,
- T_Pool = 388,
- T_Port = 389,
- T_Preempt = 390,
- T_Prefer = 391,
- T_Protostats = 392,
- T_Pw = 393,
- T_Randfile = 394,
- T_Rawstats = 395,
- T_Refid = 396,
- T_Requestkey = 397,
- T_Reset = 398,
- T_Restrict = 399,
- T_Revoke = 400,
- T_Rlimit = 401,
- T_Saveconfigdir = 402,
- T_Server = 403,
- T_Setvar = 404,
- T_Source = 405,
- T_Stacksize = 406,
- T_Statistics = 407,
- T_Stats = 408,
- T_Statsdir = 409,
- T_Step = 410,
- T_Stepback = 411,
- T_Stepfwd = 412,
- T_Stepout = 413,
- T_Stratum = 414,
- T_String = 415,
- T_Sys = 416,
- T_Sysstats = 417,
- T_Tick = 418,
- T_Time1 = 419,
- T_Time2 = 420,
- T_Timer = 421,
- T_Timingstats = 422,
- T_Tinker = 423,
- T_Tos = 424,
- T_Trap = 425,
- T_True = 426,
- T_Trustedkey = 427,
- T_Ttl = 428,
- T_Type = 429,
- T_U_int = 430,
- T_UEcrypto = 431,
- T_UEcryptonak = 432,
- T_UEdigest = 433,
- T_Unconfig = 434,
- T_Unpeer = 435,
- T_Version = 436,
- T_WanderThreshold = 437,
- T_Week = 438,
- T_Wildcard = 439,
- T_Xleave = 440,
- T_Year = 441,
- T_Flag = 442,
- T_EOC = 443,
- T_Simulate = 444,
- T_Beep_Delay = 445,
- T_Sim_Duration = 446,
- T_Server_Offset = 447,
- T_Duration = 448,
- T_Freq_Offset = 449,
- T_Wander = 450,
- T_Jitter = 451,
- T_Prop_Delay = 452,
- T_Proc_Delay = 453
+ T_Basedate = 267,
+ T_Bclient = 268,
+ T_Bcpollbstep = 269,
+ T_Beacon = 270,
+ T_Broadcast = 271,
+ T_Broadcastclient = 272,
+ T_Broadcastdelay = 273,
+ T_Burst = 274,
+ T_Calibrate = 275,
+ T_Ceiling = 276,
+ T_Clockstats = 277,
+ T_Cohort = 278,
+ T_ControlKey = 279,
+ T_Crypto = 280,
+ T_Cryptostats = 281,
+ T_Ctl = 282,
+ T_Day = 283,
+ T_Default = 284,
+ T_Digest = 285,
+ T_Disable = 286,
+ T_Discard = 287,
+ T_Dispersion = 288,
+ T_Double = 289,
+ T_Driftfile = 290,
+ T_Drop = 291,
+ T_Dscp = 292,
+ T_Ellipsis = 293,
+ T_Enable = 294,
+ T_End = 295,
+ T_Epeer = 296,
+ T_False = 297,
+ T_File = 298,
+ T_Filegen = 299,
+ T_Filenum = 300,
+ T_Flag1 = 301,
+ T_Flag2 = 302,
+ T_Flag3 = 303,
+ T_Flag4 = 304,
+ T_Flake = 305,
+ T_Floor = 306,
+ T_Freq = 307,
+ T_Fudge = 308,
+ T_Host = 309,
+ T_Huffpuff = 310,
+ T_Iburst = 311,
+ T_Ident = 312,
+ T_Ignore = 313,
+ T_Incalloc = 314,
+ T_Incmem = 315,
+ T_Initalloc = 316,
+ T_Initmem = 317,
+ T_Includefile = 318,
+ T_Integer = 319,
+ T_Interface = 320,
+ T_Intrange = 321,
+ T_Io = 322,
+ T_Ippeerlimit = 323,
+ T_Ipv4 = 324,
+ T_Ipv4_flag = 325,
+ T_Ipv6 = 326,
+ T_Ipv6_flag = 327,
+ T_Kernel = 328,
+ T_Key = 329,
+ T_Keys = 330,
+ T_Keysdir = 331,
+ T_Kod = 332,
+ T_Mssntp = 333,
+ T_Leapfile = 334,
+ T_Leapsmearinterval = 335,
+ T_Limited = 336,
+ T_Link = 337,
+ T_Listen = 338,
+ T_Logconfig = 339,
+ T_Logfile = 340,
+ T_Loopstats = 341,
+ T_Lowpriotrap = 342,
+ T_Manycastclient = 343,
+ T_Manycastserver = 344,
+ T_Mask = 345,
+ T_Maxage = 346,
+ T_Maxclock = 347,
+ T_Maxdepth = 348,
+ T_Maxdist = 349,
+ T_Maxmem = 350,
+ T_Maxpoll = 351,
+ T_Mdnstries = 352,
+ T_Mem = 353,
+ T_Memlock = 354,
+ T_Minclock = 355,
+ T_Mindepth = 356,
+ T_Mindist = 357,
+ T_Minimum = 358,
+ T_Minpoll = 359,
+ T_Minsane = 360,
+ T_Mode = 361,
+ T_Mode7 = 362,
+ T_Monitor = 363,
+ T_Month = 364,
+ T_Mru = 365,
+ T_Multicastclient = 366,
+ T_Nic = 367,
+ T_Nolink = 368,
+ T_Nomodify = 369,
+ T_Nomrulist = 370,
+ T_None = 371,
+ T_Nonvolatile = 372,
+ T_Noepeer = 373,
+ T_Nopeer = 374,
+ T_Noquery = 375,
+ T_Noselect = 376,
+ T_Noserve = 377,
+ T_Notrap = 378,
+ T_Notrust = 379,
+ T_Ntp = 380,
+ T_Ntpport = 381,
+ T_NtpSignDsocket = 382,
+ T_Orphan = 383,
+ T_Orphanwait = 384,
+ T_PCEdigest = 385,
+ T_Panic = 386,
+ T_Peer = 387,
+ T_Peerstats = 388,
+ T_Phone = 389,
+ T_Pid = 390,
+ T_Pidfile = 391,
+ T_Pool = 392,
+ T_Port = 393,
+ T_Preempt = 394,
+ T_Prefer = 395,
+ T_Protostats = 396,
+ T_Pw = 397,
+ T_Randfile = 398,
+ T_Rawstats = 399,
+ T_Refid = 400,
+ T_Requestkey = 401,
+ T_Reset = 402,
+ T_Restrict = 403,
+ T_Revoke = 404,
+ T_Rlimit = 405,
+ T_Saveconfigdir = 406,
+ T_Server = 407,
+ T_Setvar = 408,
+ T_Source = 409,
+ T_Stacksize = 410,
+ T_Statistics = 411,
+ T_Stats = 412,
+ T_Statsdir = 413,
+ T_Step = 414,
+ T_Stepback = 415,
+ T_Stepfwd = 416,
+ T_Stepout = 417,
+ T_Stratum = 418,
+ T_String = 419,
+ T_Sys = 420,
+ T_Sysstats = 421,
+ T_Tick = 422,
+ T_Time1 = 423,
+ T_Time2 = 424,
+ T_Timer = 425,
+ T_Timingstats = 426,
+ T_Tinker = 427,
+ T_Tos = 428,
+ T_Trap = 429,
+ T_True = 430,
+ T_Trustedkey = 431,
+ T_Ttl = 432,
+ T_Type = 433,
+ T_U_int = 434,
+ T_UEcrypto = 435,
+ T_UEcryptonak = 436,
+ T_UEdigest = 437,
+ T_Unconfig = 438,
+ T_Unpeer = 439,
+ T_Version = 440,
+ T_WanderThreshold = 441,
+ T_Week = 442,
+ T_Wildcard = 443,
+ T_Xleave = 444,
+ T_Year = 445,
+ T_Flag = 446,
+ T_EOC = 447,
+ T_Simulate = 448,
+ T_Beep_Delay = 449,
+ T_Sim_Duration = 450,
+ T_Server_Offset = 451,
+ T_Duration = 452,
+ T_Freq_Offset = 453,
+ T_Wander = 454,
+ T_Jitter = 455,
+ T_Prop_Delay = 456,
+ T_Proc_Delay = 457
};
#endif
/* Tokens. */
@@ -339,193 +343,197 @@
#define T_Autokey 264
#define T_Automax 265
#define T_Average 266
-#define T_Bclient 267
-#define T_Bcpollbstep 268
-#define T_Beacon 269
-#define T_Broadcast 270
-#define T_Broadcastclient 271
-#define T_Broadcastdelay 272
-#define T_Burst 273
-#define T_Calibrate 274
-#define T_Ceiling 275
-#define T_Clockstats 276
-#define T_Cohort 277
-#define T_ControlKey 278
-#define T_Crypto 279
-#define T_Cryptostats 280
-#define T_Ctl 281
-#define T_Day 282
-#define T_Default 283
-#define T_Digest 284
-#define T_Disable 285
-#define T_Discard 286
-#define T_Dispersion 287
-#define T_Double 288
-#define T_Driftfile 289
-#define T_Drop 290
-#define T_Dscp 291
-#define T_Ellipsis 292
-#define T_Enable 293
-#define T_End 294
-#define T_False 295
-#define T_File 296
-#define T_Filegen 297
-#define T_Filenum 298
-#define T_Flag1 299
-#define T_Flag2 300
-#define T_Flag3 301
-#define T_Flag4 302
-#define T_Flake 303
-#define T_Floor 304
-#define T_Freq 305
-#define T_Fudge 306
-#define T_Host 307
-#define T_Huffpuff 308
-#define T_Iburst 309
-#define T_Ident 310
-#define T_Ignore 311
-#define T_Incalloc 312
-#define T_Incmem 313
-#define T_Initalloc 314
-#define T_Initmem 315
-#define T_Includefile 316
-#define T_Integer 317
-#define T_Interface 318
-#define T_Intrange 319
-#define T_Io 320
-#define T_Ipv4 321
-#define T_Ipv4_flag 322
-#define T_Ipv6 323
-#define T_Ipv6_flag 324
-#define T_Kernel 325
-#define T_Key 326
-#define T_Keys 327
-#define T_Keysdir 328
-#define T_Kod 329
-#define T_Mssntp 330
-#define T_Leapfile 331
-#define T_Leapsmearinterval 332
-#define T_Limited 333
-#define T_Link 334
-#define T_Listen 335
-#define T_Logconfig 336
-#define T_Logfile 337
-#define T_Loopstats 338
-#define T_Lowpriotrap 339
-#define T_Manycastclient 340
-#define T_Manycastserver 341
-#define T_Mask 342
-#define T_Maxage 343
-#define T_Maxclock 344
-#define T_Maxdepth 345
-#define T_Maxdist 346
-#define T_Maxmem 347
-#define T_Maxpoll 348
-#define T_Mdnstries 349
-#define T_Mem 350
-#define T_Memlock 351
-#define T_Minclock 352
-#define T_Mindepth 353
-#define T_Mindist 354
-#define T_Minimum 355
-#define T_Minpoll 356
-#define T_Minsane 357
-#define T_Mode 358
-#define T_Mode7 359
-#define T_Monitor 360
-#define T_Month 361
-#define T_Mru 362
-#define T_Multicastclient 363
-#define T_Nic 364
-#define T_Nolink 365
-#define T_Nomodify 366
-#define T_Nomrulist 367
-#define T_None 368
-#define T_Nonvolatile 369
-#define T_Nopeer 370
-#define T_Noquery 371
-#define T_Noselect 372
-#define T_Noserve 373
-#define T_Notrap 374
-#define T_Notrust 375
-#define T_Ntp 376
-#define T_Ntpport 377
-#define T_NtpSignDsocket 378
-#define T_Orphan 379
-#define T_Orphanwait 380
-#define T_PCEdigest 381
-#define T_Panic 382
-#define T_Peer 383
-#define T_Peerstats 384
-#define T_Phone 385
-#define T_Pid 386
-#define T_Pidfile 387
-#define T_Pool 388
-#define T_Port 389
-#define T_Preempt 390
-#define T_Prefer 391
-#define T_Protostats 392
-#define T_Pw 393
-#define T_Randfile 394
-#define T_Rawstats 395
-#define T_Refid 396
-#define T_Requestkey 397
-#define T_Reset 398
-#define T_Restrict 399
-#define T_Revoke 400
-#define T_Rlimit 401
-#define T_Saveconfigdir 402
-#define T_Server 403
-#define T_Setvar 404
-#define T_Source 405
-#define T_Stacksize 406
-#define T_Statistics 407
-#define T_Stats 408
-#define T_Statsdir 409
-#define T_Step 410
-#define T_Stepback 411
-#define T_Stepfwd 412
-#define T_Stepout 413
-#define T_Stratum 414
-#define T_String 415
-#define T_Sys 416
-#define T_Sysstats 417
-#define T_Tick 418
-#define T_Time1 419
-#define T_Time2 420
-#define T_Timer 421
-#define T_Timingstats 422
-#define T_Tinker 423
-#define T_Tos 424
-#define T_Trap 425
-#define T_True 426
-#define T_Trustedkey 427
-#define T_Ttl 428
-#define T_Type 429
-#define T_U_int 430
-#define T_UEcrypto 431
-#define T_UEcryptonak 432
-#define T_UEdigest 433
-#define T_Unconfig 434
-#define T_Unpeer 435
-#define T_Version 436
-#define T_WanderThreshold 437
-#define T_Week 438
-#define T_Wildcard 439
-#define T_Xleave 440
-#define T_Year 441
-#define T_Flag 442
-#define T_EOC 443
-#define T_Simulate 444
-#define T_Beep_Delay 445
-#define T_Sim_Duration 446
-#define T_Server_Offset 447
-#define T_Duration 448
-#define T_Freq_Offset 449
-#define T_Wander 450
-#define T_Jitter 451
-#define T_Prop_Delay 452
-#define T_Proc_Delay 453
+#define T_Basedate 267
+#define T_Bclient 268
+#define T_Bcpollbstep 269
+#define T_Beacon 270
+#define T_Broadcast 271
+#define T_Broadcastclient 272
+#define T_Broadcastdelay 273
+#define T_Burst 274
+#define T_Calibrate 275
+#define T_Ceiling 276
+#define T_Clockstats 277
+#define T_Cohort 278
+#define T_ControlKey 279
+#define T_Crypto 280
+#define T_Cryptostats 281
+#define T_Ctl 282
+#define T_Day 283
+#define T_Default 284
+#define T_Digest 285
+#define T_Disable 286
+#define T_Discard 287
+#define T_Dispersion 288
+#define T_Double 289
+#define T_Driftfile 290
+#define T_Drop 291
+#define T_Dscp 292
+#define T_Ellipsis 293
+#define T_Enable 294
+#define T_End 295
+#define T_Epeer 296
+#define T_False 297
+#define T_File 298
+#define T_Filegen 299
+#define T_Filenum 300
+#define T_Flag1 301
+#define T_Flag2 302
+#define T_Flag3 303
+#define T_Flag4 304
+#define T_Flake 305
+#define T_Floor 306
+#define T_Freq 307
+#define T_Fudge 308
+#define T_Host 309
+#define T_Huffpuff 310
+#define T_Iburst 311
+#define T_Ident 312
+#define T_Ignore 313
+#define T_Incalloc 314
+#define T_Incmem 315
+#define T_Initalloc 316
+#define T_Initmem 317
+#define T_Includefile 318
+#define T_Integer 319
+#define T_Interface 320
+#define T_Intrange 321
+#define T_Io 322
+#define T_Ippeerlimit 323
+#define T_Ipv4 324
+#define T_Ipv4_flag 325
+#define T_Ipv6 326
+#define T_Ipv6_flag 327
+#define T_Kernel 328
+#define T_Key 329
+#define T_Keys 330
+#define T_Keysdir 331
+#define T_Kod 332
+#define T_Mssntp 333
+#define T_Leapfile 334
+#define T_Leapsmearinterval 335
+#define T_Limited 336
+#define T_Link 337
+#define T_Listen 338
+#define T_Logconfig 339
+#define T_Logfile 340
+#define T_Loopstats 341
+#define T_Lowpriotrap 342
+#define T_Manycastclient 343
+#define T_Manycastserver 344
+#define T_Mask 345
+#define T_Maxage 346
+#define T_Maxclock 347
+#define T_Maxdepth 348
+#define T_Maxdist 349
+#define T_Maxmem 350
+#define T_Maxpoll 351
+#define T_Mdnstries 352
+#define T_Mem 353
+#define T_Memlock 354
+#define T_Minclock 355
+#define T_Mindepth 356
+#define T_Mindist 357
+#define T_Minimum 358
+#define T_Minpoll 359
+#define T_Minsane 360
+#define T_Mode 361
+#define T_Mode7 362
+#define T_Monitor 363
+#define T_Month 364
+#define T_Mru 365
+#define T_Multicastclient 366
+#define T_Nic 367
+#define T_Nolink 368
+#define T_Nomodify 369
+#define T_Nomrulist 370
+#define T_None 371
+#define T_Nonvolatile 372
+#define T_Noepeer 373
+#define T_Nopeer 374
+#define T_Noquery 375
+#define T_Noselect 376
+#define T_Noserve 377
+#define T_Notrap 378
+#define T_Notrust 379
+#define T_Ntp 380
+#define T_Ntpport 381
+#define T_NtpSignDsocket 382
+#define T_Orphan 383
+#define T_Orphanwait 384
+#define T_PCEdigest 385
+#define T_Panic 386
+#define T_Peer 387
+#define T_Peerstats 388
+#define T_Phone 389
+#define T_Pid 390
+#define T_Pidfile 391
+#define T_Pool 392
+#define T_Port 393
+#define T_Preempt 394
+#define T_Prefer 395
+#define T_Protostats 396
+#define T_Pw 397
+#define T_Randfile 398
+#define T_Rawstats 399
+#define T_Refid 400
+#define T_Requestkey 401
+#define T_Reset 402
+#define T_Restrict 403
+#define T_Revoke 404
+#define T_Rlimit 405
+#define T_Saveconfigdir 406
+#define T_Server 407
+#define T_Setvar 408
+#define T_Source 409
+#define T_Stacksize 410
+#define T_Statistics 411
+#define T_Stats 412
+#define T_Statsdir 413
+#define T_Step 414
+#define T_Stepback 415
+#define T_Stepfwd 416
+#define T_Stepout 417
+#define T_Stratum 418
+#define T_String 419
+#define T_Sys 420
+#define T_Sysstats 421
+#define T_Tick 422
+#define T_Time1 423
+#define T_Time2 424
+#define T_Timer 425
+#define T_Timingstats 426
+#define T_Tinker 427
+#define T_Tos 428
+#define T_Trap 429
+#define T_True 430
+#define T_Trustedkey 431
+#define T_Ttl 432
+#define T_Type 433
+#define T_U_int 434
+#define T_UEcrypto 435
+#define T_UEcryptonak 436
+#define T_UEdigest 437
+#define T_Unconfig 438
+#define T_Unpeer 439
+#define T_Version 440
+#define T_WanderThreshold 441
+#define T_Week 442
+#define T_Wildcard 443
+#define T_Xleave 444
+#define T_Year 445
+#define T_Flag 446
+#define T_EOC 447
+#define T_Simulate 448
+#define T_Beep_Delay 449
+#define T_Sim_Duration 450
+#define T_Server_Offset 451
+#define T_Duration 452
+#define T_Freq_Offset 453
+#define T_Wander 454
+#define T_Jitter 455
+#define T_Prop_Delay 456
+#define T_Proc_Delay 457
/* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -532,7 +540,7 @@
union YYSTYPE
{
-#line 51 "ntp_parser.y" /* yacc.c:355 */
+#line 51 "../../ntpd/ntp_parser.y" /* yacc.c:355 */
char * String;
double Double;
@@ -551,7 +559,7 @@
script_info * Sim_script;
script_info_fifo * Sim_script_fifo;
-#line 555 "ntp_parser.c" /* yacc.c:355 */
+#line 563 "ntp_parser.c" /* yacc.c:355 */
};
typedef union YYSTYPE YYSTYPE;
@@ -564,11 +572,11 @@
int yyparse (void);
-#endif /* !YY_YY_Y_TAB_H_INCLUDED */
+#endif /* !YY_YY_NTP_PARSER_H_INCLUDED */
/* Copy the second part of user declarations. */
-#line 572 "ntp_parser.c" /* yacc.c:358 */
+#line 580 "ntp_parser.c" /* yacc.c:358 */
#ifdef short
# undef short
@@ -808,23 +816,23 @@
#endif /* !YYCOPY_NEEDED */
/* YYFINAL -- State number of the termination state. */
-#define YYFINAL 215
+#define YYFINAL 216
/* YYLAST -- Last index in YYTABLE. */
-#define YYLAST 654
+#define YYLAST 662
/* YYNTOKENS -- Number of terminals. */
-#define YYNTOKENS 204
+#define YYNTOKENS 208
/* YYNNTS -- Number of nonterminals. */
-#define YYNNTS 105
+#define YYNNTS 107
/* YYNRULES -- Number of rules. */
-#define YYNRULES 318
+#define YYNRULES 324
/* YYNSTATES -- Number of states. */
-#define YYNSTATES 424
+#define YYNSTATES 436
/* YYTRANSLATE[YYX] -- Symbol number corresponding to YYX as returned
by yylex, with out-of-bounds checking. */
#define YYUNDEFTOK 2
-#define YYMAXUTOK 453
+#define YYMAXUTOK 457
#define YYTRANSLATE(YYX) \
((unsigned int) (YYX) <= YYMAXUTOK ? yytranslate[YYX] : YYUNDEFTOK)
@@ -837,15 +845,15 @@
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 200, 201, 2, 2, 2, 2, 2, 2, 2, 2,
+ 204, 205, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 199, 2, 2, 2, 2, 2, 2, 2, 2,
+ 2, 203, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
- 2, 2, 2, 202, 2, 203, 2, 2, 2, 2,
+ 2, 2, 2, 206, 2, 207, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
@@ -878,7 +886,7 @@
165, 166, 167, 168, 169, 170, 171, 172, 173, 174,
175, 176, 177, 178, 179, 180, 181, 182, 183, 184,
185, 186, 187, 188, 189, 190, 191, 192, 193, 194,
- 195, 196, 197, 198
+ 195, 196, 197, 198, 199, 200, 201, 202
};
#if YYDEBUG
@@ -885,38 +893,39 @@
/* YYRLINE[YYN] -- Source line where rule number YYN was defined. */
static const yytype_uint16 yyrline[] =
{
- 0, 371, 371, 375, 376, 377, 392, 393, 394, 395,
- 396, 397, 398, 399, 400, 401, 402, 403, 404, 405,
- 413, 423, 424, 425, 426, 427, 431, 432, 437, 442,
- 444, 450, 451, 459, 460, 461, 465, 470, 471, 472,
- 473, 474, 475, 476, 477, 481, 483, 488, 489, 490,
- 491, 492, 493, 497, 502, 511, 521, 522, 532, 534,
- 536, 538, 549, 556, 558, 563, 565, 567, 569, 571,
- 580, 586, 587, 595, 597, 609, 610, 611, 612, 613,
- 622, 627, 632, 640, 642, 644, 649, 650, 651, 652,
- 653, 654, 655, 656, 657, 661, 662, 671, 673, 682,
- 692, 697, 705, 706, 707, 708, 709, 710, 711, 712,
- 717, 718, 726, 736, 745, 760, 765, 766, 770, 771,
- 775, 776, 777, 778, 779, 780, 781, 790, 794, 798,
- 806, 814, 822, 837, 852, 865, 866, 874, 875, 876,
- 877, 878, 879, 880, 881, 882, 883, 884, 885, 886,
- 887, 888, 892, 897, 905, 910, 911, 912, 916, 921,
- 929, 934, 935, 936, 937, 938, 939, 940, 941, 949,
- 959, 964, 972, 974, 976, 985, 987, 992, 993, 997,
- 998, 999, 1000, 1008, 1013, 1018, 1026, 1031, 1032, 1033,
- 1042, 1044, 1049, 1054, 1062, 1064, 1081, 1082, 1083, 1084,
- 1085, 1086, 1090, 1091, 1092, 1093, 1094, 1095, 1103, 1108,
- 1113, 1121, 1126, 1127, 1128, 1129, 1130, 1131, 1132, 1133,
- 1134, 1135, 1144, 1145, 1146, 1153, 1160, 1167, 1183, 1202,
- 1204, 1206, 1208, 1210, 1212, 1219, 1224, 1225, 1226, 1230,
- 1234, 1243, 1244, 1248, 1249, 1250, 1254, 1265, 1279, 1291,
- 1296, 1298, 1303, 1304, 1312, 1314, 1322, 1327, 1335, 1360,
- 1367, 1377, 1378, 1382, 1383, 1384, 1385, 1389, 1390, 1391,
- 1395, 1400, 1405, 1413, 1414, 1415, 1416, 1417, 1418, 1419,
- 1429, 1434, 1442, 1447, 1455, 1457, 1461, 1466, 1471, 1479,
- 1484, 1492, 1501, 1502, 1506, 1507, 1516, 1534, 1538, 1543,
- 1551, 1556, 1557, 1561, 1566, 1574, 1579, 1584, 1589, 1594,
- 1602, 1607, 1612, 1620, 1625, 1626, 1627, 1628, 1629
+ 0, 377, 377, 381, 382, 383, 398, 399, 400, 401,
+ 402, 403, 404, 405, 406, 407, 408, 409, 410, 411,
+ 419, 429, 430, 431, 432, 433, 437, 438, 443, 448,
+ 450, 456, 457, 465, 466, 467, 471, 476, 477, 478,
+ 479, 480, 481, 482, 483, 487, 489, 494, 495, 496,
+ 497, 498, 499, 503, 508, 517, 527, 528, 538, 540,
+ 542, 544, 555, 562, 564, 569, 571, 573, 575, 577,
+ 587, 593, 594, 602, 604, 616, 617, 618, 619, 620,
+ 629, 634, 639, 647, 649, 651, 653, 658, 659, 660,
+ 661, 662, 663, 664, 665, 666, 670, 671, 680, 682,
+ 691, 701, 706, 714, 715, 716, 717, 718, 719, 720,
+ 721, 726, 727, 735, 745, 754, 769, 774, 775, 779,
+ 780, 784, 785, 786, 787, 788, 789, 790, 799, 803,
+ 807, 815, 823, 831, 846, 861, 874, 875, 895, 896,
+ 904, 905, 906, 907, 908, 909, 910, 911, 912, 913,
+ 914, 915, 916, 917, 918, 919, 920, 924, 929, 937,
+ 942, 943, 944, 948, 953, 961, 966, 967, 968, 969,
+ 970, 971, 972, 973, 981, 991, 996, 1004, 1006, 1008,
+ 1017, 1019, 1024, 1025, 1029, 1030, 1031, 1032, 1040, 1045,
+ 1050, 1058, 1063, 1064, 1065, 1074, 1076, 1081, 1086, 1094,
+ 1096, 1113, 1114, 1115, 1116, 1117, 1118, 1122, 1123, 1124,
+ 1125, 1126, 1127, 1135, 1140, 1145, 1153, 1158, 1159, 1160,
+ 1161, 1162, 1163, 1164, 1165, 1166, 1167, 1176, 1177, 1178,
+ 1185, 1192, 1199, 1215, 1234, 1236, 1238, 1240, 1242, 1244,
+ 1251, 1256, 1257, 1258, 1262, 1266, 1275, 1276, 1280, 1281,
+ 1282, 1286, 1297, 1315, 1327, 1332, 1334, 1339, 1340, 1348,
+ 1350, 1358, 1363, 1371, 1396, 1403, 1413, 1414, 1418, 1419,
+ 1420, 1421, 1425, 1426, 1427, 1431, 1436, 1441, 1449, 1450,
+ 1451, 1452, 1453, 1454, 1455, 1465, 1470, 1478, 1483, 1491,
+ 1493, 1497, 1502, 1507, 1515, 1520, 1528, 1537, 1538, 1542,
+ 1543, 1547, 1555, 1573, 1577, 1582, 1590, 1595, 1596, 1600,
+ 1605, 1613, 1618, 1623, 1628, 1633, 1641, 1646, 1651, 1659,
+ 1664, 1665, 1666, 1667, 1668
};
#endif
@@ -927,53 +936,54 @@
{
"$end", "error", "$undefined", "T_Abbrev", "T_Age", "T_All", "T_Allan",
"T_Allpeers", "T_Auth", "T_Autokey", "T_Automax", "T_Average",
- "T_Bclient", "T_Bcpollbstep", "T_Beacon", "T_Broadcast",
+ "T_Basedate", "T_Bclient", "T_Bcpollbstep", "T_Beacon", "T_Broadcast",
"T_Broadcastclient", "T_Broadcastdelay", "T_Burst", "T_Calibrate",
"T_Ceiling", "T_Clockstats", "T_Cohort", "T_ControlKey", "T_Crypto",
"T_Cryptostats", "T_Ctl", "T_Day", "T_Default", "T_Digest", "T_Disable",
"T_Discard", "T_Dispersion", "T_Double", "T_Driftfile", "T_Drop",
- "T_Dscp", "T_Ellipsis", "T_Enable", "T_End", "T_False", "T_File",
- "T_Filegen", "T_Filenum", "T_Flag1", "T_Flag2", "T_Flag3", "T_Flag4",
- "T_Flake", "T_Floor", "T_Freq", "T_Fudge", "T_Host", "T_Huffpuff",
- "T_Iburst", "T_Ident", "T_Ignore", "T_Incalloc", "T_Incmem",
- "T_Initalloc", "T_Initmem", "T_Includefile", "T_Integer", "T_Interface",
- "T_Intrange", "T_Io", "T_Ipv4", "T_Ipv4_flag", "T_Ipv6", "T_Ipv6_flag",
- "T_Kernel", "T_Key", "T_Keys", "T_Keysdir", "T_Kod", "T_Mssntp",
- "T_Leapfile", "T_Leapsmearinterval", "T_Limited", "T_Link", "T_Listen",
- "T_Logconfig", "T_Logfile", "T_Loopstats", "T_Lowpriotrap",
- "T_Manycastclient", "T_Manycastserver", "T_Mask", "T_Maxage",
- "T_Maxclock", "T_Maxdepth", "T_Maxdist", "T_Maxmem", "T_Maxpoll",
- "T_Mdnstries", "T_Mem", "T_Memlock", "T_Minclock", "T_Mindepth",
- "T_Mindist", "T_Minimum", "T_Minpoll", "T_Minsane", "T_Mode", "T_Mode7",
- "T_Monitor", "T_Month", "T_Mru", "T_Multicastclient", "T_Nic",
- "T_Nolink", "T_Nomodify", "T_Nomrulist", "T_None", "T_Nonvolatile",
- "T_Nopeer", "T_Noquery", "T_Noselect", "T_Noserve", "T_Notrap",
- "T_Notrust", "T_Ntp", "T_Ntpport", "T_NtpSignDsocket", "T_Orphan",
- "T_Orphanwait", "T_PCEdigest", "T_Panic", "T_Peer", "T_Peerstats",
- "T_Phone", "T_Pid", "T_Pidfile", "T_Pool", "T_Port", "T_Preempt",
- "T_Prefer", "T_Protostats", "T_Pw", "T_Randfile", "T_Rawstats",
- "T_Refid", "T_Requestkey", "T_Reset", "T_Restrict", "T_Revoke",
- "T_Rlimit", "T_Saveconfigdir", "T_Server", "T_Setvar", "T_Source",
- "T_Stacksize", "T_Statistics", "T_Stats", "T_Statsdir", "T_Step",
- "T_Stepback", "T_Stepfwd", "T_Stepout", "T_Stratum", "T_String", "T_Sys",
- "T_Sysstats", "T_Tick", "T_Time1", "T_Time2", "T_Timer", "T_Timingstats",
- "T_Tinker", "T_Tos", "T_Trap", "T_True", "T_Trustedkey", "T_Ttl",
- "T_Type", "T_U_int", "T_UEcrypto", "T_UEcryptonak", "T_UEdigest",
- "T_Unconfig", "T_Unpeer", "T_Version", "T_WanderThreshold", "T_Week",
- "T_Wildcard", "T_Xleave", "T_Year", "T_Flag", "T_EOC", "T_Simulate",
- "T_Beep_Delay", "T_Sim_Duration", "T_Server_Offset", "T_Duration",
- "T_Freq_Offset", "T_Wander", "T_Jitter", "T_Prop_Delay", "T_Proc_Delay",
- "'='", "'('", "')'", "'{'", "'}'", "$accept", "configuration",
- "command_list", "command", "server_command", "client_type", "address",
- "ip_address", "address_fam", "option_list", "option", "option_flag",
- "option_flag_keyword", "option_int", "option_int_keyword", "option_str",
- "option_str_keyword", "unpeer_command", "unpeer_keyword",
- "other_mode_command", "authentication_command", "crypto_command_list",
- "crypto_command", "crypto_str_keyword", "orphan_mode_command",
- "tos_option_list", "tos_option", "tos_option_int_keyword",
- "tos_option_dbl_keyword", "monitoring_command", "stats_list", "stat",
- "filegen_option_list", "filegen_option", "link_nolink", "enable_disable",
- "filegen_type", "access_control_command", "ac_flag_list",
+ "T_Dscp", "T_Ellipsis", "T_Enable", "T_End", "T_Epeer", "T_False",
+ "T_File", "T_Filegen", "T_Filenum", "T_Flag1", "T_Flag2", "T_Flag3",
+ "T_Flag4", "T_Flake", "T_Floor", "T_Freq", "T_Fudge", "T_Host",
+ "T_Huffpuff", "T_Iburst", "T_Ident", "T_Ignore", "T_Incalloc",
+ "T_Incmem", "T_Initalloc", "T_Initmem", "T_Includefile", "T_Integer",
+ "T_Interface", "T_Intrange", "T_Io", "T_Ippeerlimit", "T_Ipv4",
+ "T_Ipv4_flag", "T_Ipv6", "T_Ipv6_flag", "T_Kernel", "T_Key", "T_Keys",
+ "T_Keysdir", "T_Kod", "T_Mssntp", "T_Leapfile", "T_Leapsmearinterval",
+ "T_Limited", "T_Link", "T_Listen", "T_Logconfig", "T_Logfile",
+ "T_Loopstats", "T_Lowpriotrap", "T_Manycastclient", "T_Manycastserver",
+ "T_Mask", "T_Maxage", "T_Maxclock", "T_Maxdepth", "T_Maxdist",
+ "T_Maxmem", "T_Maxpoll", "T_Mdnstries", "T_Mem", "T_Memlock",
+ "T_Minclock", "T_Mindepth", "T_Mindist", "T_Minimum", "T_Minpoll",
+ "T_Minsane", "T_Mode", "T_Mode7", "T_Monitor", "T_Month", "T_Mru",
+ "T_Multicastclient", "T_Nic", "T_Nolink", "T_Nomodify", "T_Nomrulist",
+ "T_None", "T_Nonvolatile", "T_Noepeer", "T_Nopeer", "T_Noquery",
+ "T_Noselect", "T_Noserve", "T_Notrap", "T_Notrust", "T_Ntp", "T_Ntpport",
+ "T_NtpSignDsocket", "T_Orphan", "T_Orphanwait", "T_PCEdigest", "T_Panic",
+ "T_Peer", "T_Peerstats", "T_Phone", "T_Pid", "T_Pidfile", "T_Pool",
+ "T_Port", "T_Preempt", "T_Prefer", "T_Protostats", "T_Pw", "T_Randfile",
+ "T_Rawstats", "T_Refid", "T_Requestkey", "T_Reset", "T_Restrict",
+ "T_Revoke", "T_Rlimit", "T_Saveconfigdir", "T_Server", "T_Setvar",
+ "T_Source", "T_Stacksize", "T_Statistics", "T_Stats", "T_Statsdir",
+ "T_Step", "T_Stepback", "T_Stepfwd", "T_Stepout", "T_Stratum",
+ "T_String", "T_Sys", "T_Sysstats", "T_Tick", "T_Time1", "T_Time2",
+ "T_Timer", "T_Timingstats", "T_Tinker", "T_Tos", "T_Trap", "T_True",
+ "T_Trustedkey", "T_Ttl", "T_Type", "T_U_int", "T_UEcrypto",
+ "T_UEcryptonak", "T_UEdigest", "T_Unconfig", "T_Unpeer", "T_Version",
+ "T_WanderThreshold", "T_Week", "T_Wildcard", "T_Xleave", "T_Year",
+ "T_Flag", "T_EOC", "T_Simulate", "T_Beep_Delay", "T_Sim_Duration",
+ "T_Server_Offset", "T_Duration", "T_Freq_Offset", "T_Wander", "T_Jitter",
+ "T_Prop_Delay", "T_Proc_Delay", "'='", "'('", "')'", "'{'", "'}'",
+ "$accept", "configuration", "command_list", "command", "server_command",
+ "client_type", "address", "ip_address", "address_fam", "option_list",
+ "option", "option_flag", "option_flag_keyword", "option_int",
+ "option_int_keyword", "option_str", "option_str_keyword",
+ "unpeer_command", "unpeer_keyword", "other_mode_command",
+ "authentication_command", "crypto_command_list", "crypto_command",
+ "crypto_str_keyword", "orphan_mode_command", "tos_option_list",
+ "tos_option", "tos_option_int_keyword", "tos_option_dbl_keyword",
+ "monitoring_command", "stats_list", "stat", "filegen_option_list",
+ "filegen_option", "link_nolink", "enable_disable", "filegen_type",
+ "access_control_command", "res_ippeerlimit", "ac_flag_list",
"access_control_flag", "discard_option_list", "discard_option",
"discard_option_keyword", "mru_option_list", "mru_option",
"mru_option_keyword", "fudge_command", "fudge_factor_list",
@@ -991,7 +1001,7 @@
"nic_rule_action", "reset_command", "counter_set_list",
"counter_set_keyword", "integer_list", "integer_list_range",
"integer_list_range_elt", "integer_range", "string_list", "address_list",
- "boolean", "number", "simulate_command", "sim_conf_start",
+ "boolean", "number", "basedate", "simulate_command", "sim_conf_start",
"sim_init_statement_list", "sim_init_statement", "sim_init_keyword",
"sim_server_list", "sim_server", "sim_server_offset", "sim_server_name",
"sim_act_list", "sim_act", "sim_act_stmt_list", "sim_act_stmt",
@@ -1023,15 +1033,15 @@
415, 416, 417, 418, 419, 420, 421, 422, 423, 424,
425, 426, 427, 428, 429, 430, 431, 432, 433, 434,
435, 436, 437, 438, 439, 440, 441, 442, 443, 444,
- 445, 446, 447, 448, 449, 450, 451, 452, 453, 61,
- 40, 41, 123, 125
+ 445, 446, 447, 448, 449, 450, 451, 452, 453, 454,
+ 455, 456, 457, 61, 40, 41, 123, 125
};
# endif
-#define YYPACT_NINF -189
+#define YYPACT_NINF -215
#define yypact_value_is_default(Yystate) \
- (!!((Yystate) == (-189)))
+ (!!((Yystate) == (-215)))
#define YYTABLE_NINF -7
@@ -1042,49 +1052,50 @@
STATE-NUM. */
static const yytype_int16 yypact[] =
{
- 18, -177, -45, -189, -189, -189, -40, -189, 32, 5,
- -129, -189, 32, -189, 204, -44, -189, -117, -189, -110,
- -101, -189, -189, -97, -189, -189, -44, -4, 495, -44,
- -189, -189, -96, -189, -94, -189, -189, 8, 54, 258,
- 10, -28, -189, -189, -89, 204, -86, -189, 270, 529,
- -85, -56, 14, -189, -189, -189, 83, 207, -95, -189,
- -44, -189, -44, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -7, 24, -73, -68, -189, -3, -189,
- -189, -106, -189, -189, -189, 313, -189, -189, -189, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, 32, -189,
- -189, -189, -189, -189, -189, 5, -189, 35, 65, -189,
- 32, -189, -189, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, 110, -189, -59, 368, -189, -189, -189,
- -97, -189, -189, -44, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, 495, -189, 44, -44, -189, -189, -51,
- -189, -189, -189, -189, -189, -189, -189, -189, 54, -189,
- -189, 86, 89, -189, -189, 33, -189, -189, -189, -189,
- -28, -189, 49, -75, -189, 204, -189, -189, -189, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, 270, -189,
- -7, -189, -189, -189, -33, -189, -189, -189, -189, -189,
- -189, -189, -189, 529, -189, 66, -7, -189, -189, 67,
- -56, -189, -189, -189, 68, -189, -53, -189, -189, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, -189, 16,
- -153, -189, -189, -189, -189, -189, 77, -189, -18, -189,
- -189, -189, -189, 226, -13, -189, -189, -189, -189, -8,
- 97, -189, -189, 110, -189, -7, -33, -189, -189, -189,
- -189, -189, -189, -189, -189, 449, -189, -189, 449, 449,
- -85, -189, -189, 11, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -189, -49, 108, -189, -189, -189, 125,
- -189, -189, -189, -189, -189, -189, -189, -189, -102, -20,
- -30, -189, -189, -189, -189, 13, -189, -189, 9, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -189, 449, 449, -189, 146, -85, 113,
- -189, 116, -189, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, -189, -189,
- -189, -54, -189, 23, -10, 6, -138, -189, -9, -189,
- -7, -189, -189, -189, -189, -189, -189, -189, -189, -189,
- 449, -189, -189, -189, -189, -17, -189, -189, -189, -44,
- -189, -189, -189, 20, -189, -189, -189, 0, 21, -7,
- 22, -173, -189, 25, -7, -189, -189, -189, 17, 7,
- -189, -189, -189, -189, -189, 217, 39, 36, -189, 46,
- -189, -7, -189, -189
+ 11, -175, 2, -215, -215, -215, 3, -215, 93, 9,
+ -138, -215, 93, -215, 66, -40, -215, -93, -215, -87,
+ -82, -215, -215, -81, -215, -215, -40, 20, 210, -40,
+ -215, -215, -70, -215, -67, -215, -215, 34, 6, -13,
+ 47, -6, -215, -215, -48, 66, -45, -215, 412, 483,
+ -39, -60, 62, -215, -215, -215, 127, 203, -63, -215,
+ -40, -215, -40, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, -11, 75, -24, -22, -215, -18, -215,
+ -215, -53, -215, -215, -215, 48, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -215, 93, -215,
+ -215, -215, -215, -215, -215, 9, -215, 82, 120, -215,
+ 93, -215, -215, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, 86, -215, 4, 373, -215, -215, -215,
+ -81, -215, -215, -40, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, 210, -215, 106, -40, -215, -215, 15,
+ -215, -215, -215, -215, -215, -215, -215, -215, 6, -215,
+ 105, 146, 151, 105, -30, -215, -215, -215, -215, -6,
+ -215, 117, -21, -215, 66, -215, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, 412, -215, -11,
+ 22, -215, -215, -215, -20, -215, -215, -215, -215, -215,
+ -215, -215, -215, 483, -215, 128, -11, -215, -215, -215,
+ 129, -60, -215, -215, -215, 132, -215, 10, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -215, -215, -215,
+ 1, -133, -215, -215, -215, -215, -215, 134, -215, 41,
+ -215, -215, -215, -215, -28, 42, -215, -215, -215, -215,
+ 45, 148, -215, -215, 86, -215, -11, -20, -215, -215,
+ -215, -215, -215, -215, -215, -215, 150, -215, 105, 105,
+ -215, -39, -215, -215, -215, 51, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -57, 178, -215,
+ -215, -215, 288, -215, -215, -215, -215, -215, -215, -215,
+ -215, -115, 25, 23, -215, -215, -215, -215, 61, -215,
+ -215, 21, -215, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, 477, -215, -215, 477, 105, 477, 201, -39,
+ 169, -215, 172, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -59, -215, 77, 36, 52, -100, -215, 39,
+ -215, -11, -215, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -215, -215, 477,
+ 477, -215, -215, -215, -215, -215, 43, -215, -215, -215,
+ -40, -215, -215, -215, 55, -215, 477, -215, -215, 49,
+ 56, -11, 54, -166, -215, 67, -11, -215, -215, -215,
+ 70, 63, -215, -215, -215, -215, -215, 124, 85, 64,
+ -215, 89, -215, -11, -215, -215
};
/* YYDEFACT[STATE-NUM] -- Default reduction number in state STATE-NUM.
@@ -1092,81 +1103,82 @@
means the default is an error. */
static const yytype_uint16 yydefact[] =
{
- 0, 0, 0, 24, 58, 236, 0, 71, 0, 0,
- 248, 239, 0, 229, 0, 0, 241, 0, 261, 0,
- 0, 242, 240, 0, 243, 25, 0, 0, 0, 0,
- 262, 237, 0, 23, 0, 244, 22, 0, 0, 0,
- 0, 0, 245, 21, 0, 0, 0, 238, 0, 0,
- 0, 0, 0, 56, 57, 297, 0, 2, 0, 7,
+ 0, 0, 0, 24, 58, 241, 0, 71, 0, 0,
+ 253, 244, 0, 234, 0, 0, 246, 0, 266, 0,
+ 0, 247, 245, 0, 248, 25, 0, 0, 0, 0,
+ 267, 242, 0, 23, 0, 249, 22, 0, 0, 0,
+ 0, 0, 250, 21, 0, 0, 0, 243, 0, 0,
+ 0, 0, 0, 56, 57, 303, 0, 2, 0, 7,
0, 8, 0, 9, 10, 13, 11, 12, 14, 15,
- 16, 17, 18, 0, 0, 0, 0, 222, 0, 223,
- 19, 0, 5, 62, 63, 64, 196, 197, 198, 199,
- 202, 200, 201, 203, 204, 205, 206, 207, 191, 193,
- 194, 195, 155, 156, 157, 127, 153, 0, 246, 230,
- 190, 102, 103, 104, 105, 109, 106, 107, 108, 110,
- 29, 30, 28, 0, 26, 0, 6, 65, 66, 258,
- 231, 257, 290, 59, 61, 161, 162, 163, 164, 165,
- 166, 167, 168, 128, 159, 0, 60, 70, 288, 232,
- 67, 273, 274, 275, 276, 277, 278, 279, 270, 272,
- 135, 29, 30, 135, 135, 26, 68, 189, 187, 188,
- 183, 185, 0, 0, 233, 97, 101, 98, 212, 213,
- 214, 215, 216, 217, 218, 219, 220, 221, 208, 210,
- 0, 86, 87, 88, 0, 89, 90, 96, 91, 95,
- 92, 93, 94, 80, 82, 0, 0, 252, 284, 0,
- 69, 283, 285, 281, 235, 1, 0, 4, 31, 55,
- 295, 294, 224, 225, 226, 227, 269, 268, 267, 0,
- 0, 79, 75, 76, 77, 78, 0, 72, 0, 192,
- 152, 154, 247, 99, 0, 179, 180, 181, 182, 0,
- 0, 177, 178, 169, 171, 0, 0, 27, 228, 256,
- 289, 158, 160, 287, 271, 131, 135, 135, 134, 129,
- 0, 184, 186, 0, 100, 209, 211, 293, 291, 292,
- 85, 81, 83, 84, 234, 0, 282, 280, 3, 20,
- 263, 264, 265, 260, 266, 259, 301, 302, 0, 0,
- 0, 74, 73, 119, 118, 0, 116, 117, 0, 111,
- 114, 115, 175, 176, 174, 170, 172, 173, 137, 138,
- 139, 140, 141, 142, 143, 144, 145, 146, 147, 148,
- 149, 150, 151, 136, 132, 133, 135, 251, 0, 0,
- 253, 0, 37, 38, 39, 54, 47, 49, 48, 51,
- 40, 41, 42, 43, 50, 52, 44, 32, 33, 36,
- 34, 0, 35, 0, 0, 0, 0, 304, 0, 299,
- 0, 112, 126, 122, 124, 120, 121, 123, 125, 113,
- 130, 250, 249, 255, 254, 0, 45, 46, 53, 0,
- 298, 296, 303, 0, 300, 286, 307, 0, 0, 0,
- 0, 0, 309, 0, 0, 305, 308, 306, 0, 0,
- 314, 315, 316, 317, 318, 0, 0, 0, 310, 0,
- 312, 0, 311, 313
+ 16, 17, 18, 0, 0, 0, 0, 227, 0, 228,
+ 19, 0, 5, 62, 63, 64, 201, 202, 203, 204,
+ 207, 205, 206, 208, 209, 210, 211, 212, 196, 198,
+ 199, 200, 160, 161, 162, 128, 158, 0, 251, 235,
+ 195, 103, 104, 105, 106, 110, 107, 108, 109, 111,
+ 29, 30, 28, 0, 26, 0, 6, 65, 66, 263,
+ 236, 262, 295, 59, 61, 166, 167, 168, 169, 170,
+ 171, 172, 173, 129, 164, 0, 60, 70, 293, 237,
+ 67, 278, 279, 280, 281, 282, 283, 284, 275, 277,
+ 136, 29, 30, 136, 136, 68, 194, 192, 193, 188,
+ 190, 0, 0, 238, 98, 102, 99, 217, 218, 219,
+ 220, 221, 222, 223, 224, 225, 226, 213, 215, 0,
+ 0, 87, 88, 89, 0, 90, 91, 97, 92, 96,
+ 93, 94, 95, 80, 82, 0, 0, 86, 257, 289,
+ 0, 69, 288, 290, 286, 240, 1, 0, 4, 31,
+ 55, 300, 299, 229, 230, 231, 232, 274, 273, 272,
+ 0, 0, 79, 75, 76, 77, 78, 0, 72, 0,
+ 197, 157, 159, 252, 100, 0, 184, 185, 186, 187,
+ 0, 0, 182, 183, 174, 176, 0, 0, 27, 233,
+ 261, 294, 163, 165, 292, 276, 0, 138, 136, 136,
+ 138, 0, 138, 189, 191, 0, 101, 214, 216, 301,
+ 298, 296, 297, 85, 81, 83, 84, 239, 0, 287,
+ 285, 3, 20, 268, 269, 270, 265, 271, 264, 307,
+ 308, 0, 0, 0, 74, 73, 120, 119, 0, 117,
+ 118, 0, 112, 115, 116, 180, 181, 179, 175, 177,
+ 178, 137, 132, 138, 138, 135, 136, 130, 256, 0,
+ 0, 258, 0, 37, 38, 39, 54, 47, 49, 48,
+ 51, 40, 41, 42, 43, 50, 52, 44, 32, 33,
+ 36, 34, 0, 35, 0, 0, 0, 0, 310, 0,
+ 305, 0, 113, 127, 123, 125, 121, 122, 124, 126,
+ 114, 140, 141, 142, 143, 144, 145, 146, 148, 149,
+ 147, 150, 151, 152, 153, 154, 155, 156, 139, 133,
+ 134, 138, 255, 254, 260, 259, 0, 45, 46, 53,
+ 0, 304, 302, 309, 0, 306, 131, 291, 313, 0,
+ 0, 0, 0, 0, 315, 0, 0, 311, 314, 312,
+ 0, 0, 320, 321, 322, 323, 324, 0, 0, 0,
+ 316, 0, 318, 0, 317, 319
};
/* YYPGOTO[NTERM-NUM]. */
static const yytype_int16 yypgoto[] =
{
- -189, -189, -189, -48, -189, -189, -15, -38, -189, -189,
- -189, -189, -189, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -189, -189, -189, 37, -189, -189, -189,
- -189, -42, -189, -189, -189, -189, -189, -189, -159, -189,
- -189, 131, -189, -189, 96, -189, -189, -189, -6, -189,
- -189, -189, -189, 74, -189, -189, 236, -71, -189, -189,
- -189, -189, 62, -189, -189, -189, -189, -189, -189, -189,
- -189, -189, -189, -189, -189, 122, -189, -189, -189, -189,
- -189, -189, 95, -189, -189, 45, -189, -189, 225, 1,
- -188, -189, -189, -189, -39, -189, -189, -103, -189, -189,
- -189, -136, -189, -149, -189
+ -215, -215, -215, -23, -215, -215, -15, -49, -215, -215,
+ -215, -215, -215, -215, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, 81, -215, -215, -215,
+ -215, -38, -215, -215, -215, -215, -215, -215, -154, -214,
+ -215, -215, 153, -215, -215, 142, -215, -215, -215, 32,
+ -215, -215, -215, -215, 121, -215, -215, 277, -35, -215,
+ -215, -215, -215, 107, -215, -215, -215, -215, -215, -215,
+ -215, -215, -215, -215, -215, -215, 163, -215, -215, -215,
+ -215, -215, -215, 137, -215, -215, 87, -215, -215, 267,
+ 53, -187, -215, -215, -215, -215, -2, -215, -215, -55,
+ -215, -215, -215, -109, -215, -121, -215
};
/* YYDEFGOTO[NTERM-NUM]. */
static const yytype_int16 yydefgoto[] =
{
- -1, 56, 57, 58, 59, 60, 132, 124, 125, 289,
- 357, 358, 359, 360, 361, 362, 363, 61, 62, 63,
- 64, 85, 237, 238, 65, 203, 204, 205, 206, 66,
- 175, 119, 243, 309, 310, 311, 379, 67, 265, 333,
- 105, 106, 107, 143, 144, 145, 68, 253, 254, 255,
- 256, 69, 170, 171, 172, 70, 98, 99, 100, 101,
- 71, 188, 189, 190, 72, 73, 74, 75, 76, 109,
- 174, 382, 284, 340, 130, 131, 77, 78, 295, 229,
- 79, 158, 159, 214, 210, 211, 212, 149, 133, 280,
- 222, 80, 81, 298, 299, 300, 366, 367, 398, 368,
- 401, 402, 415, 416, 417
+ -1, 56, 57, 58, 59, 60, 132, 124, 125, 292,
+ 348, 349, 350, 351, 352, 353, 354, 61, 62, 63,
+ 64, 85, 238, 239, 65, 203, 204, 205, 206, 66,
+ 174, 119, 244, 312, 313, 314, 370, 67, 267, 322,
+ 388, 105, 106, 107, 143, 144, 145, 68, 254, 255,
+ 256, 257, 69, 169, 170, 171, 70, 98, 99, 100,
+ 101, 71, 187, 188, 189, 72, 73, 74, 75, 76,
+ 109, 173, 393, 287, 331, 130, 131, 77, 78, 298,
+ 230, 79, 158, 159, 215, 211, 212, 213, 149, 133,
+ 283, 223, 207, 80, 81, 301, 302, 303, 357, 358,
+ 410, 359, 413, 414, 427, 428, 429
};
/* YYTABLE[YYPACT[STATE-NUM]] -- What to do in state STATE-NUM. If
@@ -1174,142 +1186,144 @@
number is the opposite. If YYTABLE_NINF, syntax error. */
static const yytype_int16 yytable[] =
{
- 123, 165, 276, 176, 268, 269, 208, 277, 386, 216,
- 364, 82, 207, 372, 338, 167, 102, 83, 283, 1,
- 400, 290, 84, 120, 164, 121, 220, 239, 2, 278,
- 405, 108, 226, 3, 4, 5, 373, 296, 297, 239,
- 86, 6, 7, 126, 87, 218, 364, 219, 8, 9,
- 127, 88, 10, 227, 11, 221, 12, 13, 134, 128,
- 14, 151, 152, 129, 147, 391, 148, 316, 168, 15,
- 150, 173, 166, 16, 177, 122, 213, 228, 258, 17,
- 153, 18, 291, 215, 292, 339, 223, 224, 296, 297,
- 19, 20, 225, 217, 21, 22, 230, 241, 242, 23,
- 24, 257, 89, 25, 26, 103, 262, 334, 335, 263,
- 104, 272, 27, 244, 266, 374, 122, 267, 260, 154,
- 270, 387, 375, 169, 273, 28, 29, 30, 282, 285,
- 287, 260, 31, 274, 342, 288, 90, 91, 279, 301,
- 376, 32, 302, 343, 209, 341, 33, 312, 34, 155,
- 35, 36, 313, 92, 245, 246, 247, 248, 93, 314,
- 37, 38, 39, 40, 41, 42, 43, 44, 369, 370,
- 45, 337, 46, 371, 381, 384, 293, 380, 385, 344,
- 345, 47, 394, 388, 395, 94, 48, 49, 50, 389,
- 51, 52, 377, 393, 390, 378, 346, 53, 54, 399,
- 294, 410, 411, 412, 413, 414, -6, 55, 95, 96,
- 97, 403, 397, 407, 400, 156, 408, 2, 347, 409,
- 157, 404, 3, 4, 5, 111, 348, 420, 349, 112,
- 6, 7, 336, 423, 422, 421, 240, 8, 9, 261,
- 281, 10, 350, 11, 271, 12, 13, 315, 110, 14,
- 275, 249, 259, 264, 146, 286, 303, 317, 15, 365,
- 351, 352, 16, 392, 304, 406, 419, 305, 17, 250,
- 18, 0, 0, 0, 251, 252, 178, 0, 0, 19,
- 20, 0, 0, 21, 22, 0, 160, 113, 23, 24,
- 0, 0, 25, 26, 0, 0, 353, 0, 354, 0,
- 383, 27, 179, 0, 0, 306, 355, 0, 0, 0,
- 356, 0, 0, 0, 28, 29, 30, 0, 0, 0,
- 180, 31, 0, 181, 0, 161, 0, 162, 0, 0,
- 32, 0, 0, 114, 0, 33, 307, 34, 0, 35,
- 36, 115, 231, 0, 116, 0, 0, 0, 0, 37,
+ 123, 208, 278, 306, 209, 397, 293, 175, 329, 270,
+ 272, 307, 1, 151, 152, 308, 160, 82, 227, 286,
+ 102, 2, 280, 221, 164, 363, 108, 3, 4, 5,
+ 120, 412, 121, 153, 217, 6, 7, 355, 266, 166,
+ 228, 417, 8, 9, 281, 219, 10, 220, 11, 364,
+ 12, 13, 355, 222, 309, 14, 325, 161, 327, 162,
+ 271, 299, 300, 240, 15, 229, 83, 84, 16, 319,
+ 294, 126, 295, 154, 17, 240, 18, 127, 232, 299,
+ 300, 330, 128, 129, 134, 310, 19, 20, 111, 245,
+ 21, 22, 112, 167, 147, 23, 24, 148, 150, 25,
+ 26, 86, 233, 259, 155, 234, 87, 402, 27, 389,
+ 390, 165, 103, 88, 323, 324, 172, 104, 261, 176,
+ 398, 28, 29, 30, 122, 122, 214, 216, 31, 218,
+ 365, 261, 246, 247, 248, 249, 276, 366, 32, 224,
+ 225, 163, 226, 33, 210, 34, 242, 35, 36, 168,
+ 311, 122, 113, 231, 243, 282, 367, 37, 38, 39,
+ 40, 41, 42, 43, 44, 296, 89, 45, 258, 46,
+ 263, 156, 391, 266, 405, 268, 157, 406, 47, 264,
+ 269, 274, 275, 48, 49, 50, 279, 51, 52, 297,
+ 235, 236, 285, 288, 53, 54, 290, 237, 304, 114,
+ 90, 91, 291, -6, 55, 305, 315, 115, 368, 316,
+ 116, 369, 317, 2, 321, 328, 332, 360, 92, 3,
+ 4, 5, 326, 93, 415, 362, 361, 6, 7, 420,
+ 392, 250, 117, 395, 8, 9, 396, 118, 10, 400,
+ 11, 399, 12, 13, 401, 404, 435, 14, 407, 251,
+ 94, 409, 411, 412, 252, 253, 15, 416, 241, 419,
+ 16, 422, 423, 424, 425, 426, 17, 433, 18, 135,
+ 136, 137, 138, 95, 96, 97, 421, 432, 19, 20,
+ 394, 434, 21, 22, 284, 262, 318, 23, 24, 110,
+ 273, 25, 26, 260, 277, 265, 146, 333, 289, 356,
+ 27, 139, 403, 140, 418, 141, 431, 334, 0, 0,
+ 320, 142, 0, 28, 29, 30, 0, 0, 0, 0,
+ 31, 0, 422, 423, 424, 425, 426, 0, 0, 0,
+ 32, 430, 0, 0, 0, 33, 0, 34, 0, 35,
+ 36, 0, 0, 0, 335, 336, 0, 0, 0, 37,
38, 39, 40, 41, 42, 43, 44, 0, 0, 45,
- 0, 46, 0, 0, 0, 232, 117, 0, 233, 0,
- 47, 118, 0, 0, 396, 48, 49, 50, 2, 51,
- 52, 0, 0, 3, 4, 5, 53, 54, 0, 0,
- 0, 6, 7, 0, 0, -6, 55, 182, 8, 9,
- 308, 0, 10, 0, 11, 0, 12, 13, 163, 0,
- 14, 410, 411, 412, 413, 414, 0, 0, 122, 15,
- 418, 0, 0, 16, 0, 183, 184, 185, 186, 17,
- 0, 18, 0, 187, 0, 0, 0, 0, 0, 0,
- 19, 20, 0, 0, 21, 22, 0, 0, 0, 23,
- 24, 234, 235, 25, 26, 0, 0, 0, 236, 0,
- 0, 0, 27, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 28, 29, 30, 0, 0,
- 0, 0, 31, 0, 0, 0, 0, 0, 0, 0,
- 0, 32, 0, 0, 0, 0, 33, 318, 34, 0,
- 35, 36, 0, 0, 0, 319, 0, 0, 0, 0,
- 37, 38, 39, 40, 41, 42, 43, 44, 0, 0,
- 45, 0, 46, 320, 321, 0, 0, 322, 0, 0,
- 0, 47, 0, 323, 0, 0, 48, 49, 50, 0,
- 51, 52, 191, 192, 0, 0, 0, 53, 54, 193,
- 0, 194, 135, 136, 137, 138, 0, 55, 0, 0,
- 324, 325, 0, 0, 326, 327, 0, 328, 329, 330,
- 0, 331, 0, 0, 0, 0, 0, 0, 195, 0,
- 0, 0, 0, 139, 0, 140, 0, 141, 0, 0,
- 0, 0, 0, 142, 0, 0, 0, 0, 0, 0,
+ 0, 46, 337, 0, 0, 0, 0, 0, 0, 0,
+ 47, 0, 0, 0, 0, 48, 49, 50, 0, 51,
+ 52, 0, 0, 2, 338, 408, 53, 54, 0, 3,
+ 4, 5, 339, 0, 340, -6, 55, 6, 7, 0,
+ 0, 0, 0, 0, 8, 9, 0, 0, 10, 341,
+ 11, 0, 12, 13, 0, 0, 0, 14, 177, 0,
+ 0, 0, 0, 0, 0, 0, 15, 342, 343, 0,
+ 16, 0, 0, 0, 0, 0, 17, 0, 18, 0,
+ 0, 0, 0, 0, 0, 178, 0, 0, 19, 20,
+ 0, 0, 21, 22, 0, 0, 0, 23, 24, 0,
+ 0, 25, 26, 344, 179, 345, 0, 180, 0, 0,
+ 27, 0, 0, 346, 0, 0, 0, 347, 0, 0,
+ 0, 0, 0, 28, 29, 30, 0, 0, 0, 0,
+ 31, 0, 0, 0, 0, 190, 0, 191, 192, 0,
+ 32, 0, 0, 0, 193, 33, 194, 34, 0, 35,
+ 36, 0, 0, 0, 0, 0, 0, 0, 371, 37,
+ 38, 39, 40, 41, 42, 43, 44, 372, 0, 45,
+ 0, 46, 0, 0, 195, 373, 0, 0, 0, 0,
+ 47, 0, 0, 181, 0, 48, 49, 50, 0, 51,
+ 52, 0, 0, 0, 374, 375, 53, 54, 376, 0,
+ 0, 0, 0, 0, 377, 0, 55, 0, 0, 0,
+ 0, 182, 183, 184, 185, 196, 0, 197, 0, 186,
+ 0, 0, 0, 198, 0, 199, 0, 0, 200, 0,
+ 0, 378, 379, 0, 0, 380, 381, 382, 0, 383,
+ 384, 385, 0, 386, 0, 0, 0, 0, 0, 0,
+ 0, 201, 202, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 0, 0, 0, 0, 0, 196, 0,
- 197, 0, 0, 0, 0, 0, 198, 0, 199, 0,
- 332, 200, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
- 0, 0, 0, 201, 202
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+ 0, 0, 387
};
static const yytype_int16 yycheck[] =
{
- 15, 39, 190, 45, 163, 164, 62, 40, 62, 57,
- 148, 188, 50, 4, 63, 43, 11, 62, 206, 1,
- 193, 5, 62, 67, 39, 69, 33, 98, 10, 62,
- 203, 160, 35, 15, 16, 17, 27, 190, 191, 110,
- 8, 23, 24, 160, 12, 60, 148, 62, 30, 31,
- 160, 19, 34, 56, 36, 62, 38, 39, 62, 160,
- 42, 7, 8, 160, 160, 203, 160, 255, 96, 51,
- 62, 160, 62, 55, 160, 160, 62, 80, 126, 61,
- 26, 63, 66, 0, 68, 134, 62, 160, 190, 191,
- 72, 73, 160, 188, 76, 77, 202, 62, 33, 81,
- 82, 160, 70, 85, 86, 100, 62, 266, 267, 160,
- 105, 62, 94, 3, 28, 106, 160, 28, 133, 65,
- 87, 175, 113, 151, 199, 107, 108, 109, 62, 62,
- 62, 146, 114, 175, 9, 188, 104, 105, 171, 62,
- 131, 123, 160, 18, 200, 37, 128, 160, 130, 95,
- 132, 133, 160, 121, 44, 45, 46, 47, 126, 62,
- 142, 143, 144, 145, 146, 147, 148, 149, 188, 199,
- 152, 160, 154, 160, 28, 62, 160, 336, 62, 54,
- 55, 163, 370, 160, 201, 153, 168, 169, 170, 199,
- 172, 173, 183, 202, 188, 186, 71, 179, 180, 199,
- 184, 194, 195, 196, 197, 198, 188, 189, 176, 177,
- 178, 399, 192, 188, 193, 161, 404, 10, 93, 202,
- 166, 199, 15, 16, 17, 21, 101, 188, 103, 25,
- 23, 24, 270, 421, 188, 199, 105, 30, 31, 143,
- 203, 34, 117, 36, 170, 38, 39, 253, 12, 42,
- 188, 141, 130, 158, 29, 210, 30, 256, 51, 298,
- 135, 136, 55, 366, 38, 401, 415, 41, 61, 159,
- 63, -1, -1, -1, 164, 165, 6, -1, -1, 72,
- 73, -1, -1, 76, 77, -1, 28, 83, 81, 82,
- -1, -1, 85, 86, -1, -1, 171, -1, 173, -1,
- 338, 94, 32, -1, -1, 79, 181, -1, -1, -1,
- 185, -1, -1, -1, 107, 108, 109, -1, -1, -1,
- 50, 114, -1, 53, -1, 67, -1, 69, -1, -1,
- 123, -1, -1, 129, -1, 128, 110, 130, -1, 132,
- 133, 137, 29, -1, 140, -1, -1, -1, -1, 142,
- 143, 144, 145, 146, 147, 148, 149, -1, -1, 152,
- -1, 154, -1, -1, -1, 52, 162, -1, 55, -1,
- 163, 167, -1, -1, 389, 168, 169, 170, 10, 172,
- 173, -1, -1, 15, 16, 17, 179, 180, -1, -1,
- -1, 23, 24, -1, -1, 188, 189, 127, 30, 31,
- 174, -1, 34, -1, 36, -1, 38, 39, 150, -1,
- 42, 194, 195, 196, 197, 198, -1, -1, 160, 51,
- 203, -1, -1, 55, -1, 155, 156, 157, 158, 61,
- -1, 63, -1, 163, -1, -1, -1, -1, -1, -1,
- 72, 73, -1, -1, 76, 77, -1, -1, -1, 81,
- 82, 138, 139, 85, 86, -1, -1, -1, 145, -1,
- -1, -1, 94, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, 107, 108, 109, -1, -1,
- -1, -1, 114, -1, -1, -1, -1, -1, -1, -1,
- -1, 123, -1, -1, -1, -1, 128, 48, 130, -1,
- 132, 133, -1, -1, -1, 56, -1, -1, -1, -1,
- 142, 143, 144, 145, 146, 147, 148, 149, -1, -1,
- 152, -1, 154, 74, 75, -1, -1, 78, -1, -1,
- -1, 163, -1, 84, -1, -1, 168, 169, 170, -1,
- 172, 173, 13, 14, -1, -1, -1, 179, 180, 20,
- -1, 22, 57, 58, 59, 60, -1, 189, -1, -1,
- 111, 112, -1, -1, 115, 116, -1, 118, 119, 120,
- -1, 122, -1, -1, -1, -1, -1, -1, 49, -1,
- -1, -1, -1, 88, -1, 90, -1, 92, -1, -1,
- -1, -1, -1, 98, -1, -1, -1, -1, -1, -1,
+ 15, 50, 189, 31, 64, 64, 5, 45, 65, 163,
+ 164, 39, 1, 7, 8, 43, 29, 192, 36, 206,
+ 11, 10, 42, 34, 39, 4, 164, 16, 17, 18,
+ 70, 197, 72, 27, 57, 24, 25, 152, 68, 45,
+ 58, 207, 31, 32, 64, 60, 35, 62, 37, 28,
+ 39, 40, 152, 64, 82, 44, 270, 70, 272, 72,
+ 90, 194, 195, 98, 53, 83, 64, 64, 57, 256,
+ 69, 164, 71, 67, 63, 110, 65, 164, 30, 194,
+ 195, 138, 164, 164, 64, 113, 75, 76, 22, 3,
+ 79, 80, 26, 99, 164, 84, 85, 164, 64, 88,
+ 89, 8, 54, 126, 98, 57, 13, 207, 97, 323,
+ 324, 64, 103, 20, 268, 269, 164, 108, 133, 164,
+ 179, 110, 111, 112, 164, 164, 64, 0, 117, 192,
+ 109, 146, 46, 47, 48, 49, 174, 116, 127, 64,
+ 164, 154, 164, 132, 204, 134, 64, 136, 137, 155,
+ 178, 164, 86, 206, 34, 175, 135, 146, 147, 148,
+ 149, 150, 151, 152, 153, 164, 73, 156, 164, 158,
+ 64, 165, 326, 68, 361, 29, 170, 391, 167, 164,
+ 29, 64, 203, 172, 173, 174, 164, 176, 177, 188,
+ 142, 143, 64, 64, 183, 184, 64, 149, 64, 133,
+ 107, 108, 192, 192, 193, 164, 164, 141, 187, 164,
+ 144, 190, 64, 10, 64, 164, 38, 192, 125, 16,
+ 17, 18, 271, 130, 411, 164, 203, 24, 25, 416,
+ 29, 145, 166, 64, 31, 32, 64, 171, 35, 203,
+ 37, 164, 39, 40, 192, 206, 433, 44, 205, 163,
+ 157, 196, 203, 197, 168, 169, 53, 203, 105, 192,
+ 57, 198, 199, 200, 201, 202, 63, 203, 65, 59,
+ 60, 61, 62, 180, 181, 182, 206, 192, 75, 76,
+ 329, 192, 79, 80, 203, 143, 254, 84, 85, 12,
+ 169, 88, 89, 130, 187, 158, 29, 9, 211, 301,
+ 97, 91, 357, 93, 413, 95, 427, 19, -1, -1,
+ 257, 101, -1, 110, 111, 112, -1, -1, -1, -1,
+ 117, -1, 198, 199, 200, 201, 202, -1, -1, -1,
+ 127, 207, -1, -1, -1, 132, -1, 134, -1, 136,
+ 137, -1, -1, -1, 56, 57, -1, -1, -1, 146,
+ 147, 148, 149, 150, 151, 152, 153, -1, -1, 156,
+ -1, 158, 74, -1, -1, -1, -1, -1, -1, -1,
+ 167, -1, -1, -1, -1, 172, 173, 174, -1, 176,
+ 177, -1, -1, 10, 96, 400, 183, 184, -1, 16,
+ 17, 18, 104, -1, 106, 192, 193, 24, 25, -1,
+ -1, -1, -1, -1, 31, 32, -1, -1, 35, 121,
+ 37, -1, 39, 40, -1, -1, -1, 44, 6, -1,
+ -1, -1, -1, -1, -1, -1, 53, 139, 140, -1,
+ 57, -1, -1, -1, -1, -1, 63, -1, 65, -1,
+ -1, -1, -1, -1, -1, 33, -1, -1, 75, 76,
+ -1, -1, 79, 80, -1, -1, -1, 84, 85, -1,
+ -1, 88, 89, 175, 52, 177, -1, 55, -1, -1,
+ 97, -1, -1, 185, -1, -1, -1, 189, -1, -1,
+ -1, -1, -1, 110, 111, 112, -1, -1, -1, -1,
+ 117, -1, -1, -1, -1, 12, -1, 14, 15, -1,
+ 127, -1, -1, -1, 21, 132, 23, 134, -1, 136,
+ 137, -1, -1, -1, -1, -1, -1, -1, 41, 146,
+ 147, 148, 149, 150, 151, 152, 153, 50, -1, 156,
+ -1, 158, -1, -1, 51, 58, -1, -1, -1, -1,
+ 167, -1, -1, 131, -1, 172, 173, 174, -1, 176,
+ 177, -1, -1, -1, 77, 78, 183, 184, 81, -1,
+ -1, -1, -1, -1, 87, -1, 193, -1, -1, -1,
+ -1, 159, 160, 161, 162, 92, -1, 94, -1, 167,
+ -1, -1, -1, 100, -1, 102, -1, -1, 105, -1,
+ -1, 114, 115, -1, -1, 118, 119, 120, -1, 122,
+ 123, 124, -1, 126, -1, -1, -1, -1, -1, -1,
+ -1, 128, 129, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, -1, -1, -1, -1, -1, 89, -1,
- 91, -1, -1, -1, -1, -1, 97, -1, 99, -1,
- 181, 102, -1, -1, -1, -1, -1, -1, -1, -1,
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
- -1, -1, -1, 124, 125
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, -1, -1, -1, -1, -1, -1, -1, -1,
+ -1, -1, 185
};
/* YYSTOS[STATE-NUM] -- The (internal number of the) accessing
@@ -1316,86 +1330,88 @@
symbol of state STATE-NUM. */
static const yytype_uint16 yystos[] =
{
- 0, 1, 10, 15, 16, 17, 23, 24, 30, 31,
- 34, 36, 38, 39, 42, 51, 55, 61, 63, 72,
- 73, 76, 77, 81, 82, 85, 86, 94, 107, 108,
- 109, 114, 123, 128, 130, 132, 133, 142, 143, 144,
- 145, 146, 147, 148, 149, 152, 154, 163, 168, 169,
- 170, 172, 173, 179, 180, 189, 205, 206, 207, 208,
- 209, 221, 222, 223, 224, 228, 233, 241, 250, 255,
- 259, 264, 268, 269, 270, 271, 272, 280, 281, 284,
- 295, 296, 188, 62, 62, 225, 8, 12, 19, 70,
- 104, 105, 121, 126, 153, 176, 177, 178, 260, 261,
- 262, 263, 11, 100, 105, 244, 245, 246, 160, 273,
- 260, 21, 25, 83, 129, 137, 140, 162, 167, 235,
- 67, 69, 160, 210, 211, 212, 160, 160, 160, 160,
- 278, 279, 210, 292, 62, 57, 58, 59, 60, 88,
- 90, 92, 98, 247, 248, 249, 292, 160, 160, 291,
- 62, 7, 8, 26, 65, 95, 161, 166, 285, 286,
- 28, 67, 69, 150, 210, 211, 62, 43, 96, 151,
- 256, 257, 258, 160, 274, 234, 235, 160, 6, 32,
- 50, 53, 127, 155, 156, 157, 158, 163, 265, 266,
- 267, 13, 14, 20, 22, 49, 89, 91, 97, 99,
- 102, 124, 125, 229, 230, 231, 232, 211, 62, 200,
- 288, 289, 290, 62, 287, 0, 207, 188, 210, 210,
- 33, 62, 294, 62, 160, 160, 35, 56, 80, 283,
- 202, 29, 52, 55, 138, 139, 145, 226, 227, 261,
- 245, 62, 33, 236, 3, 44, 45, 46, 47, 141,
- 159, 164, 165, 251, 252, 253, 254, 160, 207, 279,
- 210, 248, 62, 160, 286, 242, 28, 28, 242, 242,
- 87, 257, 62, 199, 235, 266, 294, 40, 62, 171,
- 293, 230, 62, 294, 276, 62, 289, 62, 188, 213,
- 5, 66, 68, 160, 184, 282, 190, 191, 297, 298,
- 299, 62, 160, 30, 38, 41, 79, 110, 174, 237,
- 238, 239, 160, 160, 62, 252, 294, 293, 48, 56,
- 74, 75, 78, 84, 111, 112, 115, 116, 118, 119,
- 120, 122, 181, 243, 242, 242, 211, 160, 63, 134,
- 277, 37, 9, 18, 54, 55, 71, 93, 101, 103,
- 117, 135, 136, 171, 173, 181, 185, 214, 215, 216,
- 217, 218, 219, 220, 148, 298, 300, 301, 303, 188,
- 199, 160, 4, 27, 106, 113, 131, 183, 186, 240,
- 242, 28, 275, 211, 62, 62, 62, 175, 160, 199,
- 188, 203, 301, 202, 294, 201, 210, 192, 302, 199,
- 193, 304, 305, 294, 199, 203, 305, 188, 294, 202,
- 194, 195, 196, 197, 198, 306, 307, 308, 203, 307,
- 188, 199, 188, 294
+ 0, 1, 10, 16, 17, 18, 24, 25, 31, 32,
+ 35, 37, 39, 40, 44, 53, 57, 63, 65, 75,
+ 76, 79, 80, 84, 85, 88, 89, 97, 110, 111,
+ 112, 117, 127, 132, 134, 136, 137, 146, 147, 148,
+ 149, 150, 151, 152, 153, 156, 158, 167, 172, 173,
+ 174, 176, 177, 183, 184, 193, 209, 210, 211, 212,
+ 213, 225, 226, 227, 228, 232, 237, 245, 255, 260,
+ 264, 269, 273, 274, 275, 276, 277, 285, 286, 289,
+ 301, 302, 192, 64, 64, 229, 8, 13, 20, 73,
+ 107, 108, 125, 130, 157, 180, 181, 182, 265, 266,
+ 267, 268, 11, 103, 108, 249, 250, 251, 164, 278,
+ 265, 22, 26, 86, 133, 141, 144, 166, 171, 239,
+ 70, 72, 164, 214, 215, 216, 164, 164, 164, 164,
+ 283, 284, 214, 297, 64, 59, 60, 61, 62, 91,
+ 93, 95, 101, 252, 253, 254, 297, 164, 164, 296,
+ 64, 7, 8, 27, 67, 98, 165, 170, 290, 291,
+ 29, 70, 72, 154, 214, 64, 45, 99, 155, 261,
+ 262, 263, 164, 279, 238, 239, 164, 6, 33, 52,
+ 55, 131, 159, 160, 161, 162, 167, 270, 271, 272,
+ 12, 14, 15, 21, 23, 51, 92, 94, 100, 102,
+ 105, 128, 129, 233, 234, 235, 236, 300, 215, 64,
+ 204, 293, 294, 295, 64, 292, 0, 211, 192, 214,
+ 214, 34, 64, 299, 64, 164, 164, 36, 58, 83,
+ 288, 206, 30, 54, 57, 142, 143, 149, 230, 231,
+ 266, 250, 64, 34, 240, 3, 46, 47, 48, 49,
+ 145, 163, 168, 169, 256, 257, 258, 259, 164, 211,
+ 284, 214, 253, 64, 164, 291, 68, 246, 29, 29,
+ 246, 90, 246, 262, 64, 203, 239, 271, 299, 164,
+ 42, 64, 175, 298, 234, 64, 299, 281, 64, 294,
+ 64, 192, 217, 5, 69, 71, 164, 188, 287, 194,
+ 195, 303, 304, 305, 64, 164, 31, 39, 43, 82,
+ 113, 178, 241, 242, 243, 164, 164, 64, 257, 299,
+ 298, 64, 247, 246, 246, 247, 215, 247, 164, 65,
+ 138, 282, 38, 9, 19, 56, 57, 74, 96, 104,
+ 106, 121, 139, 140, 175, 177, 185, 189, 218, 219,
+ 220, 221, 222, 223, 224, 152, 304, 306, 307, 309,
+ 192, 203, 164, 4, 28, 109, 116, 135, 187, 190,
+ 244, 41, 50, 58, 77, 78, 81, 87, 114, 115,
+ 118, 119, 120, 122, 123, 124, 126, 185, 248, 247,
+ 247, 246, 29, 280, 215, 64, 64, 64, 179, 164,
+ 203, 192, 207, 307, 206, 299, 247, 205, 214, 196,
+ 308, 203, 197, 310, 311, 299, 203, 207, 311, 192,
+ 299, 206, 198, 199, 200, 201, 202, 312, 313, 314,
+ 207, 313, 192, 203, 192, 299
};
/* YYR1[YYN] -- Symbol number of symbol that rule YYN derives. */
static const yytype_uint16 yyr1[] =
{
- 0, 204, 205, 206, 206, 206, 207, 207, 207, 207,
- 207, 207, 207, 207, 207, 207, 207, 207, 207, 207,
- 208, 209, 209, 209, 209, 209, 210, 210, 211, 212,
- 212, 213, 213, 214, 214, 214, 215, 216, 216, 216,
- 216, 216, 216, 216, 216, 217, 217, 218, 218, 218,
- 218, 218, 218, 219, 220, 221, 222, 222, 223, 223,
- 223, 223, 224, 224, 224, 224, 224, 224, 224, 224,
- 224, 225, 225, 226, 226, 227, 227, 227, 227, 227,
- 228, 229, 229, 230, 230, 230, 231, 231, 231, 231,
- 231, 231, 231, 231, 231, 232, 232, 233, 233, 233,
- 234, 234, 235, 235, 235, 235, 235, 235, 235, 235,
- 236, 236, 237, 237, 237, 237, 238, 238, 239, 239,
- 240, 240, 240, 240, 240, 240, 240, 241, 241, 241,
- 241, 241, 241, 241, 241, 242, 242, 243, 243, 243,
- 243, 243, 243, 243, 243, 243, 243, 243, 243, 243,
- 243, 243, 244, 244, 245, 246, 246, 246, 247, 247,
- 248, 249, 249, 249, 249, 249, 249, 249, 249, 250,
- 251, 251, 252, 252, 252, 252, 252, 253, 253, 254,
- 254, 254, 254, 255, 256, 256, 257, 258, 258, 258,
- 259, 259, 260, 260, 261, 261, 262, 262, 262, 262,
- 262, 262, 263, 263, 263, 263, 263, 263, 264, 265,
- 265, 266, 267, 267, 267, 267, 267, 267, 267, 267,
- 267, 267, 268, 268, 268, 268, 268, 268, 268, 268,
- 268, 268, 268, 268, 268, 268, 269, 269, 269, 270,
- 270, 271, 271, 272, 272, 272, 273, 273, 273, 274,
- 275, 275, 276, 276, 277, 277, 278, 278, 279, 280,
- 280, 281, 281, 282, 282, 282, 282, 283, 283, 283,
- 284, 285, 285, 286, 286, 286, 286, 286, 286, 286,
- 287, 287, 288, 288, 289, 289, 290, 291, 291, 292,
- 292, 293, 293, 293, 294, 294, 295, 296, 297, 297,
- 298, 299, 299, 300, 300, 301, 302, 303, 304, 304,
- 305, 306, 306, 307, 308, 308, 308, 308, 308
+ 0, 208, 209, 210, 210, 210, 211, 211, 211, 211,
+ 211, 211, 211, 211, 211, 211, 211, 211, 211, 211,
+ 212, 213, 213, 213, 213, 213, 214, 214, 215, 216,
+ 216, 217, 217, 218, 218, 218, 219, 220, 220, 220,
+ 220, 220, 220, 220, 220, 221, 221, 222, 222, 222,
+ 222, 222, 222, 223, 224, 225, 226, 226, 227, 227,
+ 227, 227, 228, 228, 228, 228, 228, 228, 228, 228,
+ 228, 229, 229, 230, 230, 231, 231, 231, 231, 231,
+ 232, 233, 233, 234, 234, 234, 234, 235, 235, 235,
+ 235, 235, 235, 235, 235, 235, 236, 236, 237, 237,
+ 237, 238, 238, 239, 239, 239, 239, 239, 239, 239,
+ 239, 240, 240, 241, 241, 241, 241, 242, 242, 243,
+ 243, 244, 244, 244, 244, 244, 244, 244, 245, 245,
+ 245, 245, 245, 245, 245, 245, 246, 246, 247, 247,
+ 248, 248, 248, 248, 248, 248, 248, 248, 248, 248,
+ 248, 248, 248, 248, 248, 248, 248, 249, 249, 250,
+ 251, 251, 251, 252, 252, 253, 254, 254, 254, 254,
+ 254, 254, 254, 254, 255, 256, 256, 257, 257, 257,
+ 257, 257, 258, 258, 259, 259, 259, 259, 260, 261,
+ 261, 262, 263, 263, 263, 264, 264, 265, 265, 266,
+ 266, 267, 267, 267, 267, 267, 267, 268, 268, 268,
+ 268, 268, 268, 269, 270, 270, 271, 272, 272, 272,
+ 272, 272, 272, 272, 272, 272, 272, 273, 273, 273,
+ 273, 273, 273, 273, 273, 273, 273, 273, 273, 273,
+ 273, 274, 274, 274, 275, 275, 276, 276, 277, 277,
+ 277, 278, 278, 278, 279, 280, 280, 281, 281, 282,
+ 282, 283, 283, 284, 285, 285, 286, 286, 287, 287,
+ 287, 287, 288, 288, 288, 289, 290, 290, 291, 291,
+ 291, 291, 291, 291, 291, 292, 292, 293, 293, 294,
+ 294, 295, 296, 296, 297, 297, 298, 298, 298, 299,
+ 299, 300, 301, 302, 303, 303, 304, 305, 305, 306,
+ 306, 307, 308, 309, 310, 310, 311, 312, 312, 313,
+ 314, 314, 314, 314, 314
};
/* YYR2[YYN] -- Number of symbols on the right hand side of rule YYN. */
@@ -1410,29 +1426,30 @@
2, 2, 2, 2, 2, 2, 2, 2, 2, 2,
2, 0, 2, 2, 2, 1, 1, 1, 1, 1,
2, 2, 1, 2, 2, 2, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 2, 2, 3,
- 2, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 0, 2, 2, 2, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 2, 2, 3,
- 5, 3, 4, 4, 3, 0, 2, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, 2, 2,
+ 3, 2, 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 0, 2, 2, 2, 1, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, 2, 2,
+ 4, 6, 4, 5, 5, 4, 0, 2, 0, 2,
1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 2, 1, 2, 1, 1, 1, 2, 1,
- 2, 1, 1, 1, 1, 1, 1, 1, 1, 3,
- 2, 1, 2, 2, 2, 2, 2, 1, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 2, 1, 2,
+ 1, 1, 1, 2, 1, 2, 1, 1, 1, 1,
+ 1, 1, 1, 1, 3, 2, 1, 2, 2, 2,
+ 2, 2, 1, 1, 1, 1, 1, 1, 2, 2,
+ 1, 2, 1, 1, 1, 2, 2, 2, 1, 1,
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 1,
1, 1, 1, 2, 2, 1, 2, 1, 1, 1,
- 2, 2, 2, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 1, 2, 2,
- 1, 2, 1, 1, 1, 1, 1, 1, 1, 1,
- 1, 1, 1, 1, 2, 2, 2, 2, 3, 1,
- 2, 2, 2, 2, 3, 2, 1, 1, 1, 1,
- 1, 1, 1, 1, 1, 1, 1, 2, 0, 4,
- 1, 0, 0, 2, 2, 2, 2, 1, 1, 3,
- 3, 1, 1, 1, 1, 1, 1, 1, 1, 1,
- 2, 2, 1, 1, 1, 1, 1, 1, 1, 1,
- 2, 1, 2, 1, 1, 1, 5, 2, 1, 2,
- 1, 1, 1, 1, 1, 1, 5, 1, 3, 2,
- 3, 1, 1, 2, 1, 5, 4, 3, 2, 1,
- 6, 3, 2, 3, 1, 1, 1, 1, 1
+ 1, 1, 1, 1, 1, 1, 1, 1, 1, 2,
+ 2, 2, 2, 3, 1, 2, 2, 2, 2, 3,
+ 2, 1, 1, 1, 1, 1, 1, 1, 1, 1,
+ 1, 1, 2, 0, 4, 1, 0, 0, 2, 2,
+ 2, 2, 1, 1, 3, 3, 1, 1, 1, 1,
+ 1, 1, 1, 1, 1, 2, 2, 1, 1, 1,
+ 1, 1, 1, 1, 1, 2, 1, 2, 1, 1,
+ 1, 5, 2, 1, 2, 1, 1, 1, 1, 1,
+ 1, 2, 5, 1, 3, 2, 3, 1, 1, 2,
+ 1, 5, 4, 3, 2, 1, 6, 3, 2, 3,
+ 1, 1, 1, 1, 1
};
@@ -2109,7 +2126,7 @@
switch (yyn)
{
case 5:
-#line 378 "ntp_parser.y" /* yacc.c:1646 */
+#line 384 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
/* I will need to incorporate much more fine grained
* error messages. The following should suffice for
@@ -2122,11 +2139,11 @@
ip_ctx->errpos.nline,
ip_ctx->errpos.ncol);
}
-#line 2126 "ntp_parser.c" /* yacc.c:1646 */
+#line 2143 "ntp_parser.c" /* yacc.c:1646 */
break;
case 20:
-#line 414 "ntp_parser.y" /* yacc.c:1646 */
+#line 420 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
peer_node *my_node;
@@ -2133,74 +2150,74 @@
my_node = create_peer_node((yyvsp[-2].Integer), (yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo));
APPEND_G_FIFO(cfgt.peers, my_node);
}
-#line 2137 "ntp_parser.c" /* yacc.c:1646 */
+#line 2154 "ntp_parser.c" /* yacc.c:1646 */
break;
case 27:
-#line 433 "ntp_parser.y" /* yacc.c:1646 */
+#line 439 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Address_node) = create_address_node((yyvsp[0].String), (yyvsp[-1].Integer)); }
-#line 2143 "ntp_parser.c" /* yacc.c:1646 */
+#line 2160 "ntp_parser.c" /* yacc.c:1646 */
break;
case 28:
-#line 438 "ntp_parser.y" /* yacc.c:1646 */
+#line 444 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Address_node) = create_address_node((yyvsp[0].String), AF_UNSPEC); }
-#line 2149 "ntp_parser.c" /* yacc.c:1646 */
+#line 2166 "ntp_parser.c" /* yacc.c:1646 */
break;
case 29:
-#line 443 "ntp_parser.y" /* yacc.c:1646 */
+#line 449 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Integer) = AF_INET; }
-#line 2155 "ntp_parser.c" /* yacc.c:1646 */
+#line 2172 "ntp_parser.c" /* yacc.c:1646 */
break;
case 30:
-#line 445 "ntp_parser.y" /* yacc.c:1646 */
+#line 451 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Integer) = AF_INET6; }
-#line 2161 "ntp_parser.c" /* yacc.c:1646 */
+#line 2178 "ntp_parser.c" /* yacc.c:1646 */
break;
case 31:
-#line 450 "ntp_parser.y" /* yacc.c:1646 */
+#line 456 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val_fifo) = NULL; }
-#line 2167 "ntp_parser.c" /* yacc.c:1646 */
+#line 2184 "ntp_parser.c" /* yacc.c:1646 */
break;
case 32:
-#line 452 "ntp_parser.y" /* yacc.c:1646 */
+#line 458 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2176 "ntp_parser.c" /* yacc.c:1646 */
+#line 2193 "ntp_parser.c" /* yacc.c:1646 */
break;
case 36:
-#line 466 "ntp_parser.y" /* yacc.c:1646 */
+#line 472 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); }
-#line 2182 "ntp_parser.c" /* yacc.c:1646 */
+#line 2199 "ntp_parser.c" /* yacc.c:1646 */
break;
case 45:
-#line 482 "ntp_parser.y" /* yacc.c:1646 */
+#line 488 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2188 "ntp_parser.c" /* yacc.c:1646 */
+#line 2205 "ntp_parser.c" /* yacc.c:1646 */
break;
case 46:
-#line 484 "ntp_parser.y" /* yacc.c:1646 */
+#line 490 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_uval((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2194 "ntp_parser.c" /* yacc.c:1646 */
+#line 2211 "ntp_parser.c" /* yacc.c:1646 */
break;
case 53:
-#line 498 "ntp_parser.y" /* yacc.c:1646 */
+#line 504 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2200 "ntp_parser.c" /* yacc.c:1646 */
+#line 2217 "ntp_parser.c" /* yacc.c:1646 */
break;
case 55:
-#line 512 "ntp_parser.y" /* yacc.c:1646 */
+#line 518 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
unpeer_node *my_node;
@@ -2208,35 +2225,35 @@
if (my_node)
APPEND_G_FIFO(cfgt.unpeers, my_node);
}
-#line 2212 "ntp_parser.c" /* yacc.c:1646 */
+#line 2229 "ntp_parser.c" /* yacc.c:1646 */
break;
case 58:
-#line 533 "ntp_parser.y" /* yacc.c:1646 */
+#line 539 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.broadcastclient = 1; }
-#line 2218 "ntp_parser.c" /* yacc.c:1646 */
+#line 2235 "ntp_parser.c" /* yacc.c:1646 */
break;
case 59:
-#line 535 "ntp_parser.y" /* yacc.c:1646 */
+#line 541 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.manycastserver, (yyvsp[0].Address_fifo)); }
-#line 2224 "ntp_parser.c" /* yacc.c:1646 */
+#line 2241 "ntp_parser.c" /* yacc.c:1646 */
break;
case 60:
-#line 537 "ntp_parser.y" /* yacc.c:1646 */
+#line 543 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.multicastclient, (yyvsp[0].Address_fifo)); }
-#line 2230 "ntp_parser.c" /* yacc.c:1646 */
+#line 2247 "ntp_parser.c" /* yacc.c:1646 */
break;
case 61:
-#line 539 "ntp_parser.y" /* yacc.c:1646 */
+#line 545 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.mdnstries = (yyvsp[0].Integer); }
-#line 2236 "ntp_parser.c" /* yacc.c:1646 */
+#line 2253 "ntp_parser.c" /* yacc.c:1646 */
break;
case 62:
-#line 550 "ntp_parser.y" /* yacc.c:1646 */
+#line 556 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
attr_val *atrv;
@@ -2243,90 +2260,91 @@
atrv = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
APPEND_G_FIFO(cfgt.vars, atrv);
}
-#line 2247 "ntp_parser.c" /* yacc.c:1646 */
+#line 2264 "ntp_parser.c" /* yacc.c:1646 */
break;
case 63:
-#line 557 "ntp_parser.y" /* yacc.c:1646 */
+#line 563 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.auth.control_key = (yyvsp[0].Integer); }
-#line 2253 "ntp_parser.c" /* yacc.c:1646 */
+#line 2270 "ntp_parser.c" /* yacc.c:1646 */
break;
case 64:
-#line 559 "ntp_parser.y" /* yacc.c:1646 */
+#line 565 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
cfgt.auth.cryptosw++;
CONCAT_G_FIFOS(cfgt.auth.crypto_cmd_list, (yyvsp[0].Attr_val_fifo));
}
-#line 2262 "ntp_parser.c" /* yacc.c:1646 */
+#line 2279 "ntp_parser.c" /* yacc.c:1646 */
break;
case 65:
-#line 564 "ntp_parser.y" /* yacc.c:1646 */
+#line 570 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.auth.keys = (yyvsp[0].String); }
-#line 2268 "ntp_parser.c" /* yacc.c:1646 */
+#line 2285 "ntp_parser.c" /* yacc.c:1646 */
break;
case 66:
-#line 566 "ntp_parser.y" /* yacc.c:1646 */
+#line 572 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.auth.keysdir = (yyvsp[0].String); }
-#line 2274 "ntp_parser.c" /* yacc.c:1646 */
+#line 2291 "ntp_parser.c" /* yacc.c:1646 */
break;
case 67:
-#line 568 "ntp_parser.y" /* yacc.c:1646 */
+#line 574 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.auth.request_key = (yyvsp[0].Integer); }
-#line 2280 "ntp_parser.c" /* yacc.c:1646 */
+#line 2297 "ntp_parser.c" /* yacc.c:1646 */
break;
case 68:
-#line 570 "ntp_parser.y" /* yacc.c:1646 */
+#line 576 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.auth.revoke = (yyvsp[0].Integer); }
-#line 2286 "ntp_parser.c" /* yacc.c:1646 */
+#line 2303 "ntp_parser.c" /* yacc.c:1646 */
break;
case 69:
-#line 572 "ntp_parser.y" /* yacc.c:1646 */
+#line 578 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
- cfgt.auth.trusted_key_list = (yyvsp[0].Attr_val_fifo);
-
- // if (!cfgt.auth.trusted_key_list)
- // cfgt.auth.trusted_key_list = $2;
- // else
- // LINK_SLIST(cfgt.auth.trusted_key_list, $2, link);
+ /* [Bug 948] leaves it open if appending or
+ * replacing the trusted key list is the right
+ * way. In any case, either alternative should
+ * be coded correctly!
+ */
+ DESTROY_G_FIFO(cfgt.auth.trusted_key_list, destroy_attr_val); /* remove for append */
+ CONCAT_G_FIFOS(cfgt.auth.trusted_key_list, (yyvsp[0].Attr_val_fifo));
}
-#line 2299 "ntp_parser.c" /* yacc.c:1646 */
+#line 2317 "ntp_parser.c" /* yacc.c:1646 */
break;
case 70:
-#line 581 "ntp_parser.y" /* yacc.c:1646 */
+#line 588 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ cfgt.auth.ntp_signd_socket = (yyvsp[0].String); }
-#line 2305 "ntp_parser.c" /* yacc.c:1646 */
+#line 2323 "ntp_parser.c" /* yacc.c:1646 */
break;
case 71:
-#line 586 "ntp_parser.y" /* yacc.c:1646 */
+#line 593 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val_fifo) = NULL; }
-#line 2311 "ntp_parser.c" /* yacc.c:1646 */
+#line 2329 "ntp_parser.c" /* yacc.c:1646 */
break;
case 72:
-#line 588 "ntp_parser.y" /* yacc.c:1646 */
+#line 595 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2320 "ntp_parser.c" /* yacc.c:1646 */
+#line 2338 "ntp_parser.c" /* yacc.c:1646 */
break;
case 73:
-#line 596 "ntp_parser.y" /* yacc.c:1646 */
+#line 603 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2326 "ntp_parser.c" /* yacc.c:1646 */
+#line 2344 "ntp_parser.c" /* yacc.c:1646 */
break;
case 74:
-#line 598 "ntp_parser.y" /* yacc.c:1646 */
+#line 605 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val) = NULL;
cfgt.auth.revoke = (yyvsp[0].Integer);
@@ -2335,59 +2353,65 @@
"please use 'revoke %d' instead.",
cfgt.auth.revoke, cfgt.auth.revoke);
}
-#line 2339 "ntp_parser.c" /* yacc.c:1646 */
+#line 2357 "ntp_parser.c" /* yacc.c:1646 */
break;
case 80:
-#line 623 "ntp_parser.y" /* yacc.c:1646 */
+#line 630 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.orphan_cmds, (yyvsp[0].Attr_val_fifo)); }
-#line 2345 "ntp_parser.c" /* yacc.c:1646 */
+#line 2363 "ntp_parser.c" /* yacc.c:1646 */
break;
case 81:
-#line 628 "ntp_parser.y" /* yacc.c:1646 */
+#line 635 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2354 "ntp_parser.c" /* yacc.c:1646 */
+#line 2372 "ntp_parser.c" /* yacc.c:1646 */
break;
case 82:
-#line 633 "ntp_parser.y" /* yacc.c:1646 */
+#line 640 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2363 "ntp_parser.c" /* yacc.c:1646 */
+#line 2381 "ntp_parser.c" /* yacc.c:1646 */
break;
case 83:
-#line 641 "ntp_parser.y" /* yacc.c:1646 */
+#line 648 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (double)(yyvsp[0].Integer)); }
-#line 2369 "ntp_parser.c" /* yacc.c:1646 */
+#line 2387 "ntp_parser.c" /* yacc.c:1646 */
break;
case 84:
-#line 643 "ntp_parser.y" /* yacc.c:1646 */
+#line 650 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); }
-#line 2375 "ntp_parser.c" /* yacc.c:1646 */
+#line 2393 "ntp_parser.c" /* yacc.c:1646 */
break;
case 85:
-#line 645 "ntp_parser.y" /* yacc.c:1646 */
+#line 652 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (double)(yyvsp[0].Integer)); }
-#line 2381 "ntp_parser.c" /* yacc.c:1646 */
+#line 2399 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 97:
-#line 672 "ntp_parser.y" /* yacc.c:1646 */
+ case 86:
+#line 654 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
+ { (yyval.Attr_val) = create_attr_ival(T_Basedate, (yyvsp[0].Integer)); }
+#line 2405 "ntp_parser.c" /* yacc.c:1646 */
+ break;
+
+ case 98:
+#line 681 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.stats_list, (yyvsp[0].Int_fifo)); }
-#line 2387 "ntp_parser.c" /* yacc.c:1646 */
+#line 2411 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 98:
-#line 674 "ntp_parser.y" /* yacc.c:1646 */
+ case 99:
+#line 683 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
cfgt.stats_dir = (yyvsp[0].String);
@@ -2396,11 +2420,11 @@
yyerror("statsdir remote configuration ignored");
}
}
-#line 2400 "ntp_parser.c" /* yacc.c:1646 */
+#line 2424 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 99:
-#line 683 "ntp_parser.y" /* yacc.c:1646 */
+ case 100:
+#line 692 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
filegen_node *fgn;
@@ -2407,44 +2431,44 @@
fgn = create_filegen_node((yyvsp[-1].Integer), (yyvsp[0].Attr_val_fifo));
APPEND_G_FIFO(cfgt.filegen_opts, fgn);
}
-#line 2411 "ntp_parser.c" /* yacc.c:1646 */
+#line 2435 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 100:
-#line 693 "ntp_parser.y" /* yacc.c:1646 */
+ case 101:
+#line 702 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Int_fifo) = (yyvsp[-1].Int_fifo);
APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 2420 "ntp_parser.c" /* yacc.c:1646 */
+#line 2444 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 101:
-#line 698 "ntp_parser.y" /* yacc.c:1646 */
+ case 102:
+#line 707 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Int_fifo) = NULL;
APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 2429 "ntp_parser.c" /* yacc.c:1646 */
+#line 2453 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 110:
-#line 717 "ntp_parser.y" /* yacc.c:1646 */
+ case 111:
+#line 726 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val_fifo) = NULL; }
-#line 2435 "ntp_parser.c" /* yacc.c:1646 */
+#line 2459 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 111:
-#line 719 "ntp_parser.y" /* yacc.c:1646 */
+ case 112:
+#line 728 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2444 "ntp_parser.c" /* yacc.c:1646 */
+#line 2468 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 112:
-#line 727 "ntp_parser.y" /* yacc.c:1646 */
+ case 113:
+#line 736 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
(yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String));
@@ -2454,11 +2478,11 @@
yyerror("filegen file remote config ignored");
}
}
-#line 2458 "ntp_parser.c" /* yacc.c:1646 */
+#line 2482 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 113:
-#line 737 "ntp_parser.y" /* yacc.c:1646 */
+ case 114:
+#line 746 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
(yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
@@ -2467,11 +2491,11 @@
yyerror("filegen type remote config ignored");
}
}
-#line 2471 "ntp_parser.c" /* yacc.c:1646 */
+#line 2495 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 114:
-#line 746 "ntp_parser.y" /* yacc.c:1646 */
+ case 115:
+#line 755 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
const char *err;
@@ -2486,69 +2510,69 @@
yyerror(err);
}
}
-#line 2490 "ntp_parser.c" /* yacc.c:1646 */
+#line 2514 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 115:
-#line 761 "ntp_parser.y" /* yacc.c:1646 */
+ case 116:
+#line 770 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); }
-#line 2496 "ntp_parser.c" /* yacc.c:1646 */
+#line 2520 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 127:
-#line 791 "ntp_parser.y" /* yacc.c:1646 */
+ case 128:
+#line 800 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
CONCAT_G_FIFOS(cfgt.discard_opts, (yyvsp[0].Attr_val_fifo));
}
-#line 2504 "ntp_parser.c" /* yacc.c:1646 */
+#line 2528 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 128:
-#line 795 "ntp_parser.y" /* yacc.c:1646 */
+ case 129:
+#line 804 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
CONCAT_G_FIFOS(cfgt.mru_opts, (yyvsp[0].Attr_val_fifo));
}
-#line 2512 "ntp_parser.c" /* yacc.c:1646 */
+#line 2536 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 129:
-#line 799 "ntp_parser.y" /* yacc.c:1646 */
+ case 130:
+#line 808 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
restrict_node *rn;
- rn = create_restrict_node((yyvsp[-1].Address_node), NULL, (yyvsp[0].Int_fifo),
+ rn = create_restrict_node((yyvsp[-2].Address_node), NULL, (yyvsp[-1].Integer), (yyvsp[0].Int_fifo),
lex_current()->curpos.nline);
APPEND_G_FIFO(cfgt.restrict_opts, rn);
}
-#line 2524 "ntp_parser.c" /* yacc.c:1646 */
+#line 2548 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 130:
-#line 807 "ntp_parser.y" /* yacc.c:1646 */
+ case 131:
+#line 816 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
restrict_node *rn;
- rn = create_restrict_node((yyvsp[-3].Address_node), (yyvsp[-1].Address_node), (yyvsp[0].Int_fifo),
+ rn = create_restrict_node((yyvsp[-4].Address_node), (yyvsp[-2].Address_node), (yyvsp[-1].Integer), (yyvsp[0].Int_fifo),
lex_current()->curpos.nline);
APPEND_G_FIFO(cfgt.restrict_opts, rn);
}
-#line 2536 "ntp_parser.c" /* yacc.c:1646 */
+#line 2560 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 131:
-#line 815 "ntp_parser.y" /* yacc.c:1646 */
+ case 132:
+#line 824 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
restrict_node *rn;
- rn = create_restrict_node(NULL, NULL, (yyvsp[0].Int_fifo),
+ rn = create_restrict_node(NULL, NULL, (yyvsp[-1].Integer), (yyvsp[0].Int_fifo),
lex_current()->curpos.nline);
APPEND_G_FIFO(cfgt.restrict_opts, rn);
}
-#line 2548 "ntp_parser.c" /* yacc.c:1646 */
+#line 2572 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 132:
-#line 823 "ntp_parser.y" /* yacc.c:1646 */
+ case 133:
+#line 832 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
restrict_node *rn;
@@ -2559,15 +2583,15 @@
create_address_node(
estrdup("0.0.0.0"),
AF_INET),
- (yyvsp[0].Int_fifo),
+ (yyvsp[-1].Integer), (yyvsp[0].Int_fifo),
lex_current()->curpos.nline);
APPEND_G_FIFO(cfgt.restrict_opts, rn);
}
-#line 2567 "ntp_parser.c" /* yacc.c:1646 */
+#line 2591 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 133:
-#line 838 "ntp_parser.y" /* yacc.c:1646 */
+ case 134:
+#line 847 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
restrict_node *rn;
@@ -2578,91 +2602,117 @@
create_address_node(
estrdup("::"),
AF_INET6),
- (yyvsp[0].Int_fifo),
+ (yyvsp[-1].Integer), (yyvsp[0].Int_fifo),
lex_current()->curpos.nline);
APPEND_G_FIFO(cfgt.restrict_opts, rn);
}
-#line 2586 "ntp_parser.c" /* yacc.c:1646 */
+#line 2610 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 134:
-#line 853 "ntp_parser.y" /* yacc.c:1646 */
+ case 135:
+#line 862 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
restrict_node * rn;
- APPEND_G_FIFO((yyvsp[0].Int_fifo), create_int_node((yyvsp[-1].Integer)));
+ APPEND_G_FIFO((yyvsp[0].Int_fifo), create_int_node((yyvsp[-2].Integer)));
rn = create_restrict_node(
- NULL, NULL, (yyvsp[0].Int_fifo), lex_current()->curpos.nline);
+ NULL, NULL, (yyvsp[-1].Integer), (yyvsp[0].Int_fifo), lex_current()->curpos.nline);
APPEND_G_FIFO(cfgt.restrict_opts, rn);
}
-#line 2599 "ntp_parser.c" /* yacc.c:1646 */
+#line 2623 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 135:
-#line 865 "ntp_parser.y" /* yacc.c:1646 */
+ case 136:
+#line 874 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
+ { (yyval.Integer) = -1; }
+#line 2629 "ntp_parser.c" /* yacc.c:1646 */
+ break;
+
+ case 137:
+#line 876 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
+ {
+ if (((yyvsp[0].Integer) < -1) || ((yyvsp[0].Integer) > 100)) {
+ struct FILE_INFO * ip_ctx;
+
+ ip_ctx = lex_current();
+ msyslog(LOG_ERR,
+ "Unreasonable ippeerlimit value (%d) in %s line %d, column %d. Using 0.",
+ (yyvsp[0].Integer),
+ ip_ctx->fname,
+ ip_ctx->errpos.nline,
+ ip_ctx->errpos.ncol);
+ (yyvsp[0].Integer) = 0;
+ }
+ (yyval.Integer) = (yyvsp[0].Integer);
+ }
+#line 2649 "ntp_parser.c" /* yacc.c:1646 */
+ break;
+
+ case 138:
+#line 895 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Int_fifo) = NULL; }
-#line 2605 "ntp_parser.c" /* yacc.c:1646 */
+#line 2655 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 136:
-#line 867 "ntp_parser.y" /* yacc.c:1646 */
+ case 139:
+#line 897 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Int_fifo) = (yyvsp[-1].Int_fifo);
APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 2614 "ntp_parser.c" /* yacc.c:1646 */
+#line 2664 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 152:
-#line 893 "ntp_parser.y" /* yacc.c:1646 */
+ case 157:
+#line 925 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2623 "ntp_parser.c" /* yacc.c:1646 */
+#line 2673 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 153:
-#line 898 "ntp_parser.y" /* yacc.c:1646 */
+ case 158:
+#line 930 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2632 "ntp_parser.c" /* yacc.c:1646 */
+#line 2682 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 154:
-#line 906 "ntp_parser.y" /* yacc.c:1646 */
+ case 159:
+#line 938 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2638 "ntp_parser.c" /* yacc.c:1646 */
+#line 2688 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 158:
-#line 917 "ntp_parser.y" /* yacc.c:1646 */
+ case 163:
+#line 949 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2647 "ntp_parser.c" /* yacc.c:1646 */
+#line 2697 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 159:
-#line 922 "ntp_parser.y" /* yacc.c:1646 */
+ case 164:
+#line 954 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2656 "ntp_parser.c" /* yacc.c:1646 */
+#line 2706 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 160:
-#line 930 "ntp_parser.y" /* yacc.c:1646 */
+ case 165:
+#line 962 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2662 "ntp_parser.c" /* yacc.c:1646 */
+#line 2712 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 169:
-#line 950 "ntp_parser.y" /* yacc.c:1646 */
+ case 174:
+#line 982 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
addr_opts_node *aon;
@@ -2669,41 +2719,41 @@
aon = create_addr_opts_node((yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo));
APPEND_G_FIFO(cfgt.fudge, aon);
}
-#line 2673 "ntp_parser.c" /* yacc.c:1646 */
+#line 2723 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 170:
-#line 960 "ntp_parser.y" /* yacc.c:1646 */
+ case 175:
+#line 992 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2682 "ntp_parser.c" /* yacc.c:1646 */
+#line 2732 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 171:
-#line 965 "ntp_parser.y" /* yacc.c:1646 */
+ case 176:
+#line 997 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2691 "ntp_parser.c" /* yacc.c:1646 */
+#line 2741 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 172:
-#line 973 "ntp_parser.y" /* yacc.c:1646 */
+ case 177:
+#line 1005 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); }
-#line 2697 "ntp_parser.c" /* yacc.c:1646 */
+#line 2747 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 173:
-#line 975 "ntp_parser.y" /* yacc.c:1646 */
+ case 178:
+#line 1007 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2703 "ntp_parser.c" /* yacc.c:1646 */
+#line 2753 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 174:
-#line 977 "ntp_parser.y" /* yacc.c:1646 */
+ case 179:
+#line 1009 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if ((yyvsp[0].Integer) >= 0 && (yyvsp[0].Integer) <= 16) {
(yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
@@ -2712,89 +2762,89 @@
yyerror("fudge factor: stratum value not in [0..16], ignored");
}
}
-#line 2716 "ntp_parser.c" /* yacc.c:1646 */
+#line 2766 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 175:
-#line 986 "ntp_parser.y" /* yacc.c:1646 */
+ case 180:
+#line 1018 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2722 "ntp_parser.c" /* yacc.c:1646 */
+#line 2772 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 176:
-#line 988 "ntp_parser.y" /* yacc.c:1646 */
+ case 181:
+#line 1020 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String)); }
-#line 2728 "ntp_parser.c" /* yacc.c:1646 */
+#line 2778 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 183:
-#line 1009 "ntp_parser.y" /* yacc.c:1646 */
+ case 188:
+#line 1041 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.rlimit, (yyvsp[0].Attr_val_fifo)); }
-#line 2734 "ntp_parser.c" /* yacc.c:1646 */
+#line 2784 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 184:
-#line 1014 "ntp_parser.y" /* yacc.c:1646 */
+ case 189:
+#line 1046 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2743 "ntp_parser.c" /* yacc.c:1646 */
+#line 2793 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 185:
-#line 1019 "ntp_parser.y" /* yacc.c:1646 */
+ case 190:
+#line 1051 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2752 "ntp_parser.c" /* yacc.c:1646 */
+#line 2802 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 186:
-#line 1027 "ntp_parser.y" /* yacc.c:1646 */
+ case 191:
+#line 1059 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 2758 "ntp_parser.c" /* yacc.c:1646 */
+#line 2808 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 190:
-#line 1043 "ntp_parser.y" /* yacc.c:1646 */
+ case 195:
+#line 1075 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.enable_opts, (yyvsp[0].Attr_val_fifo)); }
-#line 2764 "ntp_parser.c" /* yacc.c:1646 */
+#line 2814 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 191:
-#line 1045 "ntp_parser.y" /* yacc.c:1646 */
+ case 196:
+#line 1077 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.disable_opts, (yyvsp[0].Attr_val_fifo)); }
-#line 2770 "ntp_parser.c" /* yacc.c:1646 */
+#line 2820 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 192:
-#line 1050 "ntp_parser.y" /* yacc.c:1646 */
+ case 197:
+#line 1082 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2779 "ntp_parser.c" /* yacc.c:1646 */
+#line 2829 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 193:
-#line 1055 "ntp_parser.y" /* yacc.c:1646 */
+ case 198:
+#line 1087 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2788 "ntp_parser.c" /* yacc.c:1646 */
+#line 2838 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 194:
-#line 1063 "ntp_parser.y" /* yacc.c:1646 */
+ case 199:
+#line 1095 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer)); }
-#line 2794 "ntp_parser.c" /* yacc.c:1646 */
+#line 2844 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 195:
-#line 1065 "ntp_parser.y" /* yacc.c:1646 */
+ case 200:
+#line 1097 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
(yyval.Attr_val) = create_attr_ival(T_Flag, (yyvsp[0].Integer));
@@ -2808,41 +2858,41 @@
yyerror(err_str);
}
}
-#line 2812 "ntp_parser.c" /* yacc.c:1646 */
+#line 2862 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 208:
-#line 1104 "ntp_parser.y" /* yacc.c:1646 */
+ case 213:
+#line 1136 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.tinker, (yyvsp[0].Attr_val_fifo)); }
-#line 2818 "ntp_parser.c" /* yacc.c:1646 */
+#line 2868 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 209:
-#line 1109 "ntp_parser.y" /* yacc.c:1646 */
+ case 214:
+#line 1141 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2827 "ntp_parser.c" /* yacc.c:1646 */
+#line 2877 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 210:
-#line 1114 "ntp_parser.y" /* yacc.c:1646 */
+ case 215:
+#line 1146 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 2836 "ntp_parser.c" /* yacc.c:1646 */
+#line 2886 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 211:
-#line 1122 "ntp_parser.y" /* yacc.c:1646 */
+ case 216:
+#line 1154 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double)); }
-#line 2842 "ntp_parser.c" /* yacc.c:1646 */
+#line 2892 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 224:
-#line 1147 "ntp_parser.y" /* yacc.c:1646 */
+ case 229:
+#line 1179 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
attr_val *av;
@@ -2849,11 +2899,11 @@
av = create_attr_dval((yyvsp[-1].Integer), (yyvsp[0].Double));
APPEND_G_FIFO(cfgt.vars, av);
}
-#line 2853 "ntp_parser.c" /* yacc.c:1646 */
+#line 2903 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 225:
-#line 1154 "ntp_parser.y" /* yacc.c:1646 */
+ case 230:
+#line 1186 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
attr_val *av;
@@ -2860,11 +2910,11 @@
av = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer));
APPEND_G_FIFO(cfgt.vars, av);
}
-#line 2864 "ntp_parser.c" /* yacc.c:1646 */
+#line 2914 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 226:
-#line 1161 "ntp_parser.y" /* yacc.c:1646 */
+ case 231:
+#line 1193 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
attr_val *av;
@@ -2871,11 +2921,11 @@
av = create_attr_sval((yyvsp[-1].Integer), (yyvsp[0].String));
APPEND_G_FIFO(cfgt.vars, av);
}
-#line 2875 "ntp_parser.c" /* yacc.c:1646 */
+#line 2925 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 227:
-#line 1168 "ntp_parser.y" /* yacc.c:1646 */
+ case 232:
+#line 1200 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
char error_text[64];
attr_val *av;
@@ -2891,11 +2941,11 @@
yyerror(error_text);
}
}
-#line 2895 "ntp_parser.c" /* yacc.c:1646 */
+#line 2945 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 228:
-#line 1184 "ntp_parser.y" /* yacc.c:1646 */
+ case 233:
+#line 1216 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (!lex_from_file()) {
YYFREE((yyvsp[-1].String)); /* avoid leak */
@@ -2914,41 +2964,41 @@
}
YYFREE((yyvsp[-1].String)); /* avoid leak */
}
-#line 2918 "ntp_parser.c" /* yacc.c:1646 */
+#line 2968 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 229:
-#line 1203 "ntp_parser.y" /* yacc.c:1646 */
+ case 234:
+#line 1235 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ lex_flush_stack(); }
-#line 2924 "ntp_parser.c" /* yacc.c:1646 */
+#line 2974 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 230:
-#line 1205 "ntp_parser.y" /* yacc.c:1646 */
+ case 235:
+#line 1237 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ /* see drift_parm below for actions */ }
-#line 2930 "ntp_parser.c" /* yacc.c:1646 */
+#line 2980 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 231:
-#line 1207 "ntp_parser.y" /* yacc.c:1646 */
+ case 236:
+#line 1239 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.logconfig, (yyvsp[0].Attr_val_fifo)); }
-#line 2936 "ntp_parser.c" /* yacc.c:1646 */
+#line 2986 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 232:
-#line 1209 "ntp_parser.y" /* yacc.c:1646 */
+ case 237:
+#line 1241 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.phone, (yyvsp[0].String_fifo)); }
-#line 2942 "ntp_parser.c" /* yacc.c:1646 */
+#line 2992 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 233:
-#line 1211 "ntp_parser.y" /* yacc.c:1646 */
+ case 238:
+#line 1243 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ APPEND_G_FIFO(cfgt.setvar, (yyvsp[0].Set_var)); }
-#line 2948 "ntp_parser.c" /* yacc.c:1646 */
+#line 2998 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 234:
-#line 1213 "ntp_parser.y" /* yacc.c:1646 */
+ case 239:
+#line 1245 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
addr_opts_node *aon;
@@ -2955,27 +3005,27 @@
aon = create_addr_opts_node((yyvsp[-1].Address_node), (yyvsp[0].Attr_val_fifo));
APPEND_G_FIFO(cfgt.trap, aon);
}
-#line 2959 "ntp_parser.c" /* yacc.c:1646 */
+#line 3009 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 235:
-#line 1220 "ntp_parser.y" /* yacc.c:1646 */
+ case 240:
+#line 1252 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.ttl, (yyvsp[0].Attr_val_fifo)); }
-#line 2965 "ntp_parser.c" /* yacc.c:1646 */
+#line 3015 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 240:
-#line 1235 "ntp_parser.y" /* yacc.c:1646 */
+ case 245:
+#line 1267 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
#ifndef LEAP_SMEAR
yyerror("Built without LEAP_SMEAR support.");
#endif
}
-#line 2975 "ntp_parser.c" /* yacc.c:1646 */
+#line 3025 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 246:
-#line 1255 "ntp_parser.y" /* yacc.c:1646 */
+ case 251:
+#line 1287 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
attr_val *av;
@@ -2986,11 +3036,11 @@
yyerror("driftfile remote configuration ignored");
}
}
-#line 2990 "ntp_parser.c" /* yacc.c:1646 */
+#line 3040 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 247:
-#line 1266 "ntp_parser.y" /* yacc.c:1646 */
+ case 252:
+#line 1298 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
attr_val *av;
@@ -2998,16 +3048,20 @@
APPEND_G_FIFO(cfgt.vars, av);
av = create_attr_dval(T_WanderThreshold, (yyvsp[0].Double));
APPEND_G_FIFO(cfgt.vars, av);
+ msyslog(LOG_WARNING,
+ "'driftfile FILENAME WanderValue' is deprecated, "
+ "please use separate 'driftfile FILENAME' and "
+ "'nonvolatile WanderValue' lines instead.");
} else {
YYFREE((yyvsp[-1].String));
yyerror("driftfile remote configuration ignored");
}
}
-#line 3007 "ntp_parser.c" /* yacc.c:1646 */
+#line 3061 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 248:
-#line 1279 "ntp_parser.y" /* yacc.c:1646 */
+ case 253:
+#line 1315 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if (lex_from_file()) {
attr_val *av;
@@ -3017,71 +3071,71 @@
yyerror("driftfile remote configuration ignored");
}
}
-#line 3021 "ntp_parser.c" /* yacc.c:1646 */
+#line 3075 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 249:
-#line 1292 "ntp_parser.y" /* yacc.c:1646 */
+ case 254:
+#line 1328 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Set_var) = create_setvar_node((yyvsp[-3].String), (yyvsp[-1].String), (yyvsp[0].Integer)); }
-#line 3027 "ntp_parser.c" /* yacc.c:1646 */
+#line 3081 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 251:
-#line 1298 "ntp_parser.y" /* yacc.c:1646 */
+ case 256:
+#line 1334 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Integer) = 0; }
-#line 3033 "ntp_parser.c" /* yacc.c:1646 */
+#line 3087 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 252:
-#line 1303 "ntp_parser.y" /* yacc.c:1646 */
+ case 257:
+#line 1339 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val_fifo) = NULL; }
-#line 3039 "ntp_parser.c" /* yacc.c:1646 */
+#line 3093 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 253:
-#line 1305 "ntp_parser.y" /* yacc.c:1646 */
+ case 258:
+#line 1341 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 3048 "ntp_parser.c" /* yacc.c:1646 */
+#line 3102 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 254:
-#line 1313 "ntp_parser.y" /* yacc.c:1646 */
+ case 259:
+#line 1349 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival((yyvsp[-1].Integer), (yyvsp[0].Integer)); }
-#line 3054 "ntp_parser.c" /* yacc.c:1646 */
+#line 3108 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 255:
-#line 1315 "ntp_parser.y" /* yacc.c:1646 */
+ case 260:
+#line 1351 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val) = create_attr_sval((yyvsp[-1].Integer), estrdup((yyvsp[0].Address_node)->address));
destroy_address_node((yyvsp[0].Address_node));
}
-#line 3063 "ntp_parser.c" /* yacc.c:1646 */
+#line 3117 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 256:
-#line 1323 "ntp_parser.y" /* yacc.c:1646 */
+ case 261:
+#line 1359 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 3072 "ntp_parser.c" /* yacc.c:1646 */
+#line 3126 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 257:
-#line 1328 "ntp_parser.y" /* yacc.c:1646 */
+ case 262:
+#line 1364 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 3081 "ntp_parser.c" /* yacc.c:1646 */
+#line 3135 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 258:
-#line 1336 "ntp_parser.y" /* yacc.c:1646 */
+ case 263:
+#line 1372 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
char prefix;
char * type;
@@ -3103,11 +3157,11 @@
(yyval.Attr_val) = create_attr_sval(prefix, estrdup(type));
YYFREE((yyvsp[0].String));
}
-#line 3107 "ntp_parser.c" /* yacc.c:1646 */
+#line 3161 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 259:
-#line 1361 "ntp_parser.y" /* yacc.c:1646 */
+ case 264:
+#line 1397 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
nic_rule_node *nrn;
@@ -3114,11 +3168,11 @@
nrn = create_nic_rule_node((yyvsp[0].Integer), NULL, (yyvsp[-1].Integer));
APPEND_G_FIFO(cfgt.nic_rules, nrn);
}
-#line 3118 "ntp_parser.c" /* yacc.c:1646 */
+#line 3172 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 260:
-#line 1368 "ntp_parser.y" /* yacc.c:1646 */
+ case 265:
+#line 1404 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
nic_rule_node *nrn;
@@ -3125,119 +3179,119 @@
nrn = create_nic_rule_node(0, (yyvsp[0].String), (yyvsp[-1].Integer));
APPEND_G_FIFO(cfgt.nic_rules, nrn);
}
-#line 3129 "ntp_parser.c" /* yacc.c:1646 */
+#line 3183 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 270:
-#line 1396 "ntp_parser.y" /* yacc.c:1646 */
+ case 275:
+#line 1432 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ CONCAT_G_FIFOS(cfgt.reset_counters, (yyvsp[0].Int_fifo)); }
-#line 3135 "ntp_parser.c" /* yacc.c:1646 */
+#line 3189 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 271:
-#line 1401 "ntp_parser.y" /* yacc.c:1646 */
+ case 276:
+#line 1437 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Int_fifo) = (yyvsp[-1].Int_fifo);
APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 3144 "ntp_parser.c" /* yacc.c:1646 */
+#line 3198 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 272:
-#line 1406 "ntp_parser.y" /* yacc.c:1646 */
+ case 277:
+#line 1442 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Int_fifo) = NULL;
APPEND_G_FIFO((yyval.Int_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 3153 "ntp_parser.c" /* yacc.c:1646 */
+#line 3207 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 280:
-#line 1430 "ntp_parser.y" /* yacc.c:1646 */
+ case 285:
+#line 1466 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 3162 "ntp_parser.c" /* yacc.c:1646 */
+#line 3216 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 281:
-#line 1435 "ntp_parser.y" /* yacc.c:1646 */
+ case 286:
+#line 1471 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), create_int_node((yyvsp[0].Integer)));
}
-#line 3171 "ntp_parser.c" /* yacc.c:1646 */
+#line 3225 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 282:
-#line 1443 "ntp_parser.y" /* yacc.c:1646 */
+ case 287:
+#line 1479 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-1].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 3180 "ntp_parser.c" /* yacc.c:1646 */
+#line 3234 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 283:
-#line 1448 "ntp_parser.y" /* yacc.c:1646 */
+ case 288:
+#line 1484 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[0].Attr_val));
}
-#line 3189 "ntp_parser.c" /* yacc.c:1646 */
+#line 3243 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 284:
-#line 1456 "ntp_parser.y" /* yacc.c:1646 */
+ case 289:
+#line 1492 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_ival('i', (yyvsp[0].Integer)); }
-#line 3195 "ntp_parser.c" /* yacc.c:1646 */
+#line 3249 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 286:
-#line 1462 "ntp_parser.y" /* yacc.c:1646 */
+ case 291:
+#line 1498 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_rangeval('-', (yyvsp[-3].Integer), (yyvsp[-1].Integer)); }
-#line 3201 "ntp_parser.c" /* yacc.c:1646 */
+#line 3255 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 287:
-#line 1467 "ntp_parser.y" /* yacc.c:1646 */
+ case 292:
+#line 1503 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.String_fifo) = (yyvsp[-1].String_fifo);
APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[0].String)));
}
-#line 3210 "ntp_parser.c" /* yacc.c:1646 */
+#line 3264 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 288:
-#line 1472 "ntp_parser.y" /* yacc.c:1646 */
+ case 293:
+#line 1508 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.String_fifo) = NULL;
APPEND_G_FIFO((yyval.String_fifo), create_string_node((yyvsp[0].String)));
}
-#line 3219 "ntp_parser.c" /* yacc.c:1646 */
+#line 3273 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 289:
-#line 1480 "ntp_parser.y" /* yacc.c:1646 */
+ case 294:
+#line 1516 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Address_fifo) = (yyvsp[-1].Address_fifo);
APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[0].Address_node));
}
-#line 3228 "ntp_parser.c" /* yacc.c:1646 */
+#line 3282 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 290:
-#line 1485 "ntp_parser.y" /* yacc.c:1646 */
+ case 295:
+#line 1521 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Address_fifo) = NULL;
APPEND_G_FIFO((yyval.Address_fifo), (yyvsp[0].Address_node));
}
-#line 3237 "ntp_parser.c" /* yacc.c:1646 */
+#line 3291 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 291:
-#line 1493 "ntp_parser.y" /* yacc.c:1646 */
+ case 296:
+#line 1529 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
if ((yyvsp[0].Integer) != 0 && (yyvsp[0].Integer) != 1) {
yyerror("Integer value is not boolean (0 or 1). Assuming 1");
@@ -3246,29 +3300,35 @@
(yyval.Integer) = (yyvsp[0].Integer);
}
}
-#line 3250 "ntp_parser.c" /* yacc.c:1646 */
+#line 3304 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 292:
-#line 1501 "ntp_parser.y" /* yacc.c:1646 */
+ case 297:
+#line 1537 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Integer) = 1; }
-#line 3256 "ntp_parser.c" /* yacc.c:1646 */
+#line 3310 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 293:
-#line 1502 "ntp_parser.y" /* yacc.c:1646 */
+ case 298:
+#line 1538 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Integer) = 0; }
-#line 3262 "ntp_parser.c" /* yacc.c:1646 */
+#line 3316 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 294:
-#line 1506 "ntp_parser.y" /* yacc.c:1646 */
+ case 299:
+#line 1542 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Double) = (double)(yyvsp[0].Integer); }
-#line 3268 "ntp_parser.c" /* yacc.c:1646 */
+#line 3322 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 296:
-#line 1517 "ntp_parser.y" /* yacc.c:1646 */
+ case 301:
+#line 1548 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
+ { (yyval.Integer) = basedate_eval_string((yyvsp[0].String)); YYFREE((yyvsp[0].String)); }
+#line 3328 "ntp_parser.c" /* yacc.c:1646 */
+ break;
+
+ case 302:
+#line 1556 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
sim_node *sn;
@@ -3278,125 +3338,125 @@
/* Revert from ; to \n for end-of-command */
old_config_style = 1;
}
-#line 3282 "ntp_parser.c" /* yacc.c:1646 */
+#line 3342 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 297:
-#line 1534 "ntp_parser.y" /* yacc.c:1646 */
+ case 303:
+#line 1573 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ old_config_style = 0; }
-#line 3288 "ntp_parser.c" /* yacc.c:1646 */
+#line 3348 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 298:
-#line 1539 "ntp_parser.y" /* yacc.c:1646 */
+ case 304:
+#line 1578 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-2].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
}
-#line 3297 "ntp_parser.c" /* yacc.c:1646 */
+#line 3357 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 299:
-#line 1544 "ntp_parser.y" /* yacc.c:1646 */
+ case 305:
+#line 1583 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
}
-#line 3306 "ntp_parser.c" /* yacc.c:1646 */
+#line 3366 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 300:
-#line 1552 "ntp_parser.y" /* yacc.c:1646 */
+ case 306:
+#line 1591 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-2].Integer), (yyvsp[0].Double)); }
-#line 3312 "ntp_parser.c" /* yacc.c:1646 */
+#line 3372 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 303:
-#line 1562 "ntp_parser.y" /* yacc.c:1646 */
+ case 309:
+#line 1601 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Sim_server_fifo) = (yyvsp[-1].Sim_server_fifo);
APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[0].Sim_server));
}
-#line 3321 "ntp_parser.c" /* yacc.c:1646 */
+#line 3381 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 304:
-#line 1567 "ntp_parser.y" /* yacc.c:1646 */
+ case 310:
+#line 1606 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Sim_server_fifo) = NULL;
APPEND_G_FIFO((yyval.Sim_server_fifo), (yyvsp[0].Sim_server));
}
-#line 3330 "ntp_parser.c" /* yacc.c:1646 */
+#line 3390 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 305:
-#line 1575 "ntp_parser.y" /* yacc.c:1646 */
+ case 311:
+#line 1614 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Sim_server) = ONLY_SIM(create_sim_server((yyvsp[-4].Address_node), (yyvsp[-2].Double), (yyvsp[-1].Sim_script_fifo))); }
-#line 3336 "ntp_parser.c" /* yacc.c:1646 */
+#line 3396 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 306:
-#line 1580 "ntp_parser.y" /* yacc.c:1646 */
+ case 312:
+#line 1619 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Double) = (yyvsp[-1].Double); }
-#line 3342 "ntp_parser.c" /* yacc.c:1646 */
+#line 3402 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 307:
-#line 1585 "ntp_parser.y" /* yacc.c:1646 */
+ case 313:
+#line 1624 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Address_node) = (yyvsp[0].Address_node); }
-#line 3348 "ntp_parser.c" /* yacc.c:1646 */
+#line 3408 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 308:
-#line 1590 "ntp_parser.y" /* yacc.c:1646 */
+ case 314:
+#line 1629 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Sim_script_fifo) = (yyvsp[-1].Sim_script_fifo);
APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[0].Sim_script));
}
-#line 3357 "ntp_parser.c" /* yacc.c:1646 */
+#line 3417 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 309:
-#line 1595 "ntp_parser.y" /* yacc.c:1646 */
+ case 315:
+#line 1634 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Sim_script_fifo) = NULL;
APPEND_G_FIFO((yyval.Sim_script_fifo), (yyvsp[0].Sim_script));
}
-#line 3366 "ntp_parser.c" /* yacc.c:1646 */
+#line 3426 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 310:
-#line 1603 "ntp_parser.y" /* yacc.c:1646 */
+ case 316:
+#line 1642 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Sim_script) = ONLY_SIM(create_sim_script_info((yyvsp[-3].Double), (yyvsp[-1].Attr_val_fifo))); }
-#line 3372 "ntp_parser.c" /* yacc.c:1646 */
+#line 3432 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 311:
-#line 1608 "ntp_parser.y" /* yacc.c:1646 */
+ case 317:
+#line 1647 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = (yyvsp[-2].Attr_val_fifo);
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
}
-#line 3381 "ntp_parser.c" /* yacc.c:1646 */
+#line 3441 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 312:
-#line 1613 "ntp_parser.y" /* yacc.c:1646 */
+ case 318:
+#line 1652 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{
(yyval.Attr_val_fifo) = NULL;
APPEND_G_FIFO((yyval.Attr_val_fifo), (yyvsp[-1].Attr_val));
}
-#line 3390 "ntp_parser.c" /* yacc.c:1646 */
+#line 3450 "ntp_parser.c" /* yacc.c:1646 */
break;
- case 313:
-#line 1621 "ntp_parser.y" /* yacc.c:1646 */
+ case 319:
+#line 1660 "../../ntpd/ntp_parser.y" /* yacc.c:1646 */
{ (yyval.Attr_val) = create_attr_dval((yyvsp[-2].Integer), (yyvsp[0].Double)); }
-#line 3396 "ntp_parser.c" /* yacc.c:1646 */
+#line 3456 "ntp_parser.c" /* yacc.c:1646 */
break;
-#line 3400 "ntp_parser.c" /* yacc.c:1646 */
+#line 3460 "ntp_parser.c" /* yacc.c:1646 */
default: break;
}
/* User semantic actions sometimes alter yychar, and that requires
@@ -3624,7 +3684,7 @@
#endif
return yyresult;
}
-#line 1632 "ntp_parser.y" /* yacc.c:1906 */
+#line 1671 "../../ntpd/ntp_parser.y" /* yacc.c:1906 */
void
Index: contrib/ntp/ntpd/ntp_refclock.c
===================================================================
--- contrib/ntp/ntpd/ntp_refclock.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_refclock.c (版本 330908)
@@ -1044,7 +1044,7 @@
clktype = (u_char)REFCLOCKTYPE(srcadr);
unit = REFCLOCKUNIT(srcadr);
- peer = findexistingpeer(srcadr, NULL, NULL, -1, 0);
+ peer = findexistingpeer(srcadr, NULL, NULL, -1, 0, NULL);
if (NULL == peer)
return;
@@ -1155,7 +1155,7 @@
clktype = (u_char) REFCLOCKTYPE(srcadr);
unit = REFCLOCKUNIT(srcadr);
- peer = findexistingpeer(srcadr, NULL, NULL, -1, 0);
+ peer = findexistingpeer(srcadr, NULL, NULL, -1, 0, NULL);
if (NULL == peer || NULL == peer->procptr)
return;
@@ -1247,16 +1247,24 @@
/*
* If flag3 is lit, select the kernel PPS if we can.
+ *
+ * Note: EOPNOTSUPP is the only 'legal' error code we deal with;
+ * it is part of the 'if we can' strategy. Any other error
+ * indicates something more sinister and makes this function fail.
*/
if (mode & CLK_FLAG3) {
if (time_pps_kcbind(ap->handle, PPS_KC_HARDPPS,
ap->pps_params.mode & ~PPS_TSFMT_TSPEC,
- PPS_TSFMT_TSPEC) < 0) {
- msyslog(LOG_ERR,
- "refclock_params: time_pps_kcbind: %m");
- return (0);
+ PPS_TSFMT_TSPEC) < 0)
+ {
+ if (errno != EOPNOTSUPP) {
+ msyslog(LOG_ERR,
+ "refclock_params: time_pps_kcbind: %m");
+ return (0);
+ }
+ } else {
+ hardpps_enable = 1;
}
- hardpps_enable = 1;
}
return (1);
}
Index: contrib/ntp/ntpd/ntp_util.c
===================================================================
--- contrib/ntp/ntpd/ntp_util.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_util.c (版本 330908)
@@ -666,6 +666,8 @@
* peer ip address
* IP address
* t1 t2 t3 t4 timestamps
+ * leap, version, mode, stratum, ppoll, precision, root delay, root dispersion, REFID
+ * length and hex dump of any EFs and any legacy MAC.
*/
void
record_raw_stats(
@@ -683,7 +685,9 @@
int precision,
double root_delay, /* seconds */
double root_dispersion,/* seconds */
- u_int32 refid
+ u_int32 refid,
+ int len,
+ u_char *extra
)
{
l_fp now;
@@ -697,13 +701,23 @@
day = now.l_ui / 86400 + MJD_1900;
now.l_ui %= 86400;
if (rawstats.fp != NULL) {
- fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s\n",
+ fprintf(rawstats.fp, "%lu %s %s %s %s %s %s %s %d %d %d %d %d %d %.6f %.6f %s",
day, ulfptoa(&now, 3),
- stoa(srcadr), dstadr ? stoa(dstadr) : "-",
+ srcadr ? stoa(srcadr) : "-",
+ dstadr ? stoa(dstadr) : "-",
ulfptoa(t1, 9), ulfptoa(t2, 9),
ulfptoa(t3, 9), ulfptoa(t4, 9),
leap, version, mode, stratum, ppoll, precision,
root_delay, root_dispersion, refid_str(refid, stratum));
+ if (len > 0) {
+ int i;
+
+ fprintf(rawstats.fp, " %d: ", len);
+ for (i = 0; i < len; ++i) {
+ fprintf(rawstats.fp, "%02x", extra[i]);
+ }
+ }
+ fprintf(rawstats.fp, "\n");
fflush(rawstats.fp);
}
}
Index: contrib/ntp/ntpd/ntpd.1ntpdmdoc
===================================================================
--- contrib/ntp/ntpd/ntpd.1ntpdmdoc (版本 330566)
+++ contrib/ntp/ntpd/ntpd.1ntpdmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPD 1ntpdmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:23 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:47 PM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/ntpd/ntp_leapsec.c
===================================================================
--- contrib/ntp/ntpd/ntp_leapsec.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_leapsec.c (版本 330908)
@@ -743,14 +743,24 @@
const leap_info_t * pi)
{
/* If the table is full, make room by throwing out the oldest
- * entry. But remember the accumulated leap seconds! Likewise,
- * assume a positive leap insertion if this is the first entry
- * in the table. This is not necessarily the best of all ideas,
- * but it helps a great deal if a system does not have a leap
- * table and gets updated from an upstream server.
+ * entry. But remember the accumulated leap seconds!
+ *
+ * Setting the first entry is a bit tricky, too: Simply assuming
+ * it is an insertion is wrong if the first entry is a dynamic
+ * leap second removal. So we decide on the sign -- if the first
+ * entry has a negative offset, we assume that it is a leap
+ * second removal. In both cases the table base offset is set
+ * accordingly to reflect the decision.
+ *
+ * In practice starting with a removal can only happen if the
+ * first entry is a dynamic request without having a leap file
+ * for the history proper.
*/
if (pt->head.size == 0) {
- pt->head.base_tai = pi->taiof - 1;
+ if (pi->taiof >= 0)
+ pt->head.base_tai = pi->taiof - 1;
+ else
+ pt->head.base_tai = pi->taiof + 1;
} else if (pt->head.size >= MAX_HIST) {
pt->head.size = MAX_HIST - 1;
pt->head.base_tai = pt->info[pt->head.size].taiof;
Index: contrib/ntp/ntpd/ntp_proto.c
===================================================================
--- contrib/ntp/ntpd/ntp_proto.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_proto.c (版本 330908)
@@ -1,7 +1,8 @@
/*
* ntp_proto.c - NTP version 4 protocol machinery
*
- * ATTENTION: Get approval from Dave Mills on all changes to this file!
+ * ATTENTION: Get approval from Harlan on all changes to this file!
+ * (Harlan will be discussing these changes with Dave Mills.)
*
*/
#ifdef HAVE_CONFIG_H
@@ -37,29 +38,34 @@
#define AUTH(x, y) ((x) ? (y) == AUTH_OK \
: (y) == AUTH_OK || (y) == AUTH_NONE)
-#define AUTH_NONE 0 /* authentication not required */
-#define AUTH_OK 1 /* authentication OK */
-#define AUTH_ERROR 2 /* authentication error */
-#define AUTH_CRYPTO 3 /* crypto_NAK */
+typedef enum
+auth_state {
+ AUTH_UNKNOWN = -1, /* Unknown */
+ AUTH_NONE, /* authentication not required */
+ AUTH_OK, /* authentication OK */
+ AUTH_ERROR, /* authentication error */
+ AUTH_CRYPTO /* crypto_NAK */
+} auth_code;
/*
* Set up Kiss Code values
*/
-enum kiss_codes {
+typedef enum
+kiss_codes {
NOKISS, /* No Kiss Code */
RATEKISS, /* Rate limit Kiss Code */
DENYKISS, /* Deny Kiss */
RSTRKISS, /* Restricted Kiss */
- XKISS, /* Experimental Kiss */
- UNKNOWNKISS /* Unknown Kiss Code */
-};
+ XKISS /* Experimental Kiss */
+} kiss_code;
-enum nak_error_codes {
+typedef enum
+nak_error_codes {
NONAK, /* No NAK seen */
INVALIDNAK, /* NAK cannot be used */
VALIDNAK /* NAK is valid */
-};
+} nak_code;
/*
* traffic shaping parameters
@@ -182,7 +188,7 @@
int dynamic_interleave = DYNAMIC_INTERLEAVE; /* Bug 2978 mitigation */
int kiss_code_check(u_char hisleap, u_char hisstratum, u_char hismode, u_int32 refid);
-enum nak_error_codes valid_NAK(struct peer *peer, struct recvbuf *rbufp, u_char hismode);
+nak_code valid_NAK (struct peer *peer, struct recvbuf *rbufp, u_char hismode);
static double root_distance (struct peer *);
static void clock_combine (peer_select *, int, int);
static void peer_xmit (struct peer *);
@@ -260,12 +266,9 @@
return (RSTRKISS);
} else if(memcmp(&refid,"X", 1) == 0) {
return (XKISS);
- } else {
- return (UNKNOWNKISS);
}
- } else {
- return (NOKISS);
}
+ return (NOKISS);
}
@@ -272,7 +275,7 @@
/*
* Check that NAK is valid
*/
-enum nak_error_codes
+nak_code
valid_NAK(
struct peer *peer,
struct recvbuf *rbufp,
@@ -583,6 +586,7 @@
u_char hisleap; /* packet leap indicator */
u_char hismode; /* packet mode */
u_char hisstratum; /* packet stratum */
+ r4addr r4a; /* address restrictions */
u_short restrict_mask; /* restrict bits */
const char *hm_str; /* hismode string */
const char *am_str; /* association match string */
@@ -589,8 +593,8 @@
int kissCode = NOKISS; /* Kiss Code */
int has_mac; /* length of MAC field */
int authlen; /* offset of MAC field */
- int is_authentic = AUTH_NONE; /* cryptosum ok */
- int crypto_nak_test; /* result of crypto-NAK check */
+ auth_code is_authentic = AUTH_UNKNOWN; /* Was AUTH_NONE */
+ nak_code crypto_nak_test; /* result of crypto-NAK check */
int retcode = AM_NOMATCH; /* match code */
keyid_t skeyid = 0; /* key IDs */
u_int32 opcode = 0; /* extension field opcode */
@@ -612,6 +616,13 @@
#endif /* HAVE_NTP_SIGND */
/*
+ * Note that there are many places we do not call record_raw_stats().
+ *
+ * We only want to call it *after* we've sent a response, or perhaps
+ * when we've decided to drop a packet.
+ */
+
+ /*
* Monitor the packet and get restrictions. Note that the packet
* length for control and private mode packets must be checked
* by the service routines. Some restrictions have to be handled
@@ -626,25 +637,33 @@
sys_badlength++;
return; /* bogus port */
}
- restrict_mask = restrictions(&rbufp->recv_srcadr);
+ restrictions(&rbufp->recv_srcadr, &r4a);
+ restrict_mask = r4a.rflags;
+
pkt = &rbufp->recv_pkt;
- DPRINTF(2, ("receive: at %ld %s<-%s flags %x restrict %03x org %#010x.%08x xmt %#010x.%08x\n",
- current_time, stoa(&rbufp->dstadr->sin),
- stoa(&rbufp->recv_srcadr), rbufp->dstadr->flags,
- restrict_mask, ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
- ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
hisversion = PKT_VERSION(pkt->li_vn_mode);
hisleap = PKT_LEAP(pkt->li_vn_mode);
hismode = (int)PKT_MODE(pkt->li_vn_mode);
hisstratum = PKT_TO_STRATUM(pkt->stratum);
+ DPRINTF(2, ("receive: at %ld %s<-%s ippeerlimit %d mode %d iflags %s restrict %s org %#010x.%08x xmt %#010x.%08x\n",
+ current_time, stoa(&rbufp->dstadr->sin),
+ stoa(&rbufp->recv_srcadr), r4a.ippeerlimit, hismode,
+ build_iflags(rbufp->dstadr->flags),
+ build_rflags(restrict_mask),
+ ntohl(pkt->org.l_ui), ntohl(pkt->org.l_uf),
+ ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
+
+ /* See basic mode and broadcast checks, below */
INSIST(0 != hisstratum);
if (restrict_mask & RES_IGNORE) {
+ DPRINTF(2, ("receive: drop: RES_IGNORE\n"));
sys_restricted++;
return; /* ignore everything */
}
if (hismode == MODE_PRIVATE) {
if (!ntp_mode7 || (restrict_mask & RES_NOQUERY)) {
+ DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
sys_restricted++;
return; /* no query private */
}
@@ -654,6 +673,7 @@
}
if (hismode == MODE_CONTROL) {
if (restrict_mask & RES_NOQUERY) {
+ DPRINTF(2, ("receive: drop: RES_NOQUERY\n"));
sys_restricted++;
return; /* no query control */
}
@@ -661,6 +681,7 @@
return;
}
if (restrict_mask & RES_DONTSERVE) {
+ DPRINTF(2, ("receive: drop: RES_DONTSERVE\n"));
sys_restricted++;
return; /* no time serve */
}
@@ -671,6 +692,7 @@
*/
if (restrict_mask & RES_FLAKE) {
if ((double)ntp_random() / 0x7fffffff < .1) {
+ DPRINTF(2, ("receive: drop: RES_FLAKE\n"));
sys_restricted++;
return; /* no flakeway */
}
@@ -677,6 +699,18 @@
}
/*
+ ** Format Layer Checks
+ **
+ ** Validate the packet format. The packet size, packet header,
+ ** and any extension field lengths are checked. We identify
+ ** the beginning of the MAC, to identify the upper limit of
+ ** of the hash computation.
+ **
+ ** In case of a format layer check violation, the packet is
+ ** discarded with no further processing.
+ */
+
+ /*
* Version check must be after the query packets, since they
* intentionally use an early version.
*/
@@ -686,6 +720,7 @@
&& hisversion >= NTP_OLDVERSION) {
sys_oldversion++; /* previous version */
} else {
+ DPRINTF(2, ("receive: drop: RES_VERSION\n"));
sys_badlength++;
return; /* old version */
}
@@ -700,6 +735,7 @@
if (hisversion == NTP_OLDVERSION) {
hismode = MODE_CLIENT;
} else {
+ DPRINTF(2, ("receive: drop: MODE_UNSPEC\n"));
sys_badlength++;
return; /* invalid mode */
}
@@ -716,6 +752,16 @@
* is a runt and discarded forthwith. If greater than 6, an
* extension field is present, so we subtract the length of the
* field and go around again.
+ *
+ * Note the above description is lame. We should/could also check
+ * the two bytes that make up the EF type and subtype, and then
+ * check the two bytes that tell us the EF length. A legacy MAC
+ * has a 4 byte keyID, and for conforming symmetric keys its value
+ * must be <= 64k, meaning the top two bytes will always be zero.
+ * Since the EF Type of 0 is reserved/unused, there's no way a
+ * conforming legacy MAC could ever be misinterpreted as an EF.
+ *
+ * There is more, but this isn't the place to document it.
*/
authlen = LEN_PKT_NOMAC;
@@ -728,9 +774,14 @@
#endif /*AUTOKEY */
if (has_mac % 4 != 0 || has_mac < (int)MIN_MAC_LEN) {
+ DPRINTF(2, ("receive: drop: bad post-packet length\n"));
sys_badlength++;
return; /* bad length */
}
+ /*
+ * This next test is clearly wrong - it needlessly
+ * prohibits short EFs (which don't yet exist)
+ */
if (has_mac <= (int)MAX_MAC_LEN) {
skeyid = ntohl(((u_int32 *)pkt)[authlen / 4]);
break;
@@ -741,6 +792,7 @@
if ( len % 4 != 0
|| len < 4
|| (int)len + authlen > rbufp->recv_length) {
+ DPRINTF(2, ("receive: drop: bad EF length\n"));
sys_badlength++;
return; /* bad length */
}
@@ -757,6 +809,7 @@
if ( hostlen >= sizeof(hostname)
|| hostlen > len -
offsetof(struct exten, pkt)) {
+ DPRINTF(2, ("receive: drop: bad autokey hostname length\n"));
sys_badlength++;
return; /* bad length */
}
@@ -764,6 +817,7 @@
hostname[hostlen] = '\0';
groupname = strchr(hostname, '@');
if (groupname == NULL) {
+ DPRINTF(2, ("receive: drop: empty autokey groupname\n"));
sys_declined++;
return;
}
@@ -779,14 +833,27 @@
* If has_mac is < 0 we had a malformed packet.
*/
if (has_mac < 0) {
+ DPRINTF(2, ("receive: drop: post-packet under-read\n"));
sys_badlength++;
return; /* bad length */
}
/*
- * If authentication required, a MAC must be present.
+ ** Packet Data Verification Layer
+ **
+ ** This layer verifies the packet data content. If
+ ** authentication is required, a MAC must be present.
+ ** If a MAC is present, it must validate.
+ ** Crypto-NAK? Look - a shiny thing!
+ **
+ ** If authentication fails, we're done.
+ */
+
+ /*
+ * If authentication is explicitly required, a MAC must be present.
*/
if (restrict_mask & RES_DONTTRUST && has_mac == 0) {
+ DPRINTF(2, ("receive: drop: RES_DONTTRUST\n"));
sys_restricted++;
return; /* access denied */
}
@@ -803,9 +870,12 @@
if ( !(restrict_mask & RES_KOD)
|| MODE_BROADCAST == hismode
|| MODE_SERVER == hismode) {
- if (MODE_SERVER == hismode)
+ if (MODE_SERVER == hismode) {
DPRINTF(1, ("Possibly self-induced rate limiting of MODE_SERVER from %s\n",
stoa(&rbufp->recv_srcadr)));
+ } else {
+ DPRINTF(2, ("receive: drop: RES_KOD\n"));
+ }
return; /* rate exceeded */
}
if (hismode == MODE_CLIENT)
@@ -837,6 +907,7 @@
* multicaster, the broadcast address is null, so we use the
* unicast address anyway. Don't ask.
*/
+
peer = findpeer(rbufp, hismode, &retcode);
dstadr_sin = &rbufp->dstadr->sin;
NTOHL_FP(&pkt->org, &p_org);
@@ -921,6 +992,14 @@
#endif /* HAVE_NTP_SIGND */
} else {
+ /*
+ * has_mac is not 0
+ * Not a VALID_NAK
+ * Not an MS-SNTP SIGND packet
+ *
+ * So there is a MAC here.
+ */
+
restrict_mask &= ~RES_MSSNTP;
#ifdef AUTOKEY
/*
@@ -956,6 +1035,7 @@
* % can't happen
*/
if (has_mac < (int)MAX_MD5_LEN) {
+ DPRINTF(2, ("receive: drop: MD5 digest too short\n"));
sys_badauth++;
return;
}
@@ -972,6 +1052,7 @@
if ( crypto_flags
&& rbufp->dstadr ==
ANY_INTERFACE_CHOOSE(&rbufp->recv_srcadr)) {
+ DPRINTF(2, ("receive: drop: BCAST from wildcard\n"));
sys_restricted++;
return; /* no wildcard */
}
@@ -1033,7 +1114,81 @@
ntohl(pkt->xmt.l_ui), ntohl(pkt->xmt.l_uf)));
}
+
/*
+ * Bug 3454:
+ *
+ * Now come at this from a different perspective:
+ * - If we expect a MAC and it's not there, we drop it.
+ * - If we expect one keyID and get another, we drop it.
+ * - If we have a MAC ahd it hasn't been validated yet, try.
+ * - if the provided MAC doesn't validate, we drop it.
+ *
+ * There might be more to this.
+ */
+ if (0 != peer && 0 != peer->keyid) {
+ /* Should we msyslog() any of these? */
+
+ /*
+ * This should catch:
+ * - no keyID where one is expected,
+ * - different keyID than what we expect.
+ */
+ if (peer->keyid != skeyid) {
+ DPRINTF(2, ("receive: drop: Wanted keyID %d, got %d from %s\n",
+ peer->keyid, skeyid,
+ stoa(&rbufp->recv_srcadr)));
+ sys_restricted++;
+ return; /* drop: access denied */
+ }
+
+ /*
+ * if has_mac != 0 ...
+ * - If it has not yet been validated, do so.
+ * (under what circumstances might that happen?)
+ * - if missing or bad MAC, log and drop.
+ */
+ if (0 != has_mac) {
+ if (is_authentic == AUTH_UNKNOWN) {
+ /* How can this happen? */
+ DPRINTF(2, ("receive: 3454 check: AUTH_UNKNOWN from %s\n",
+ stoa(&rbufp->recv_srcadr)));
+ if (!authdecrypt(skeyid, (u_int32 *)pkt, authlen,
+ has_mac)) {
+ /* MAC invalid or not found */
+ is_authentic = AUTH_ERROR;
+ } else {
+ is_authentic = AUTH_OK;
+ }
+ }
+ if (is_authentic != AUTH_OK) {
+ DPRINTF(2, ("receive: drop: missing or bad MAC from %s\n",
+ stoa(&rbufp->recv_srcadr)));
+ sys_restricted++;
+ return; /* drop: access denied */
+ }
+ }
+ }
+ /**/
+
+ /*
+ ** On-Wire Protocol Layer
+ **
+ ** Verify protocol operations consistent with the on-wire protocol.
+ ** The protocol discards bogus and duplicate packets as well as
+ ** minimizes disruptions doe to protocol restarts and dropped
+ ** packets. The operations are controlled by two timestamps:
+ ** the transmit timestamp saved in the client state variables,
+ ** and the origin timestamp in the server packet header. The
+ ** comparison of these two timestamps is called the loopback test.
+ ** The transmit timestamp functions as a nonce to verify that the
+ ** response corresponds to the original request. The transmit
+ ** timestamp also serves to discard replays of the most recent
+ ** packet. Upon failure of either test, the packet is discarded
+ ** with no further action.
+ */
+
+ /*
* The association matching rules are implemented by a set of
* routines and an association table. A packet matching an
* association is processed by the peer process for that
@@ -1050,6 +1205,8 @@
* an ordinary client, simply toss a server mode packet back
* over the fence. If a manycast client, we have to work a
* little harder.
+ *
+ * There are cases here where we do not call record_raw_stats().
*/
case AM_FXMIT:
@@ -1058,6 +1215,21 @@
* send a crypto-NAK.
*/
if (!(rbufp->dstadr->flags & INT_MCASTOPEN)) {
+ /* HMS: would be nice to log FAST_XMIT|BADAUTH|RESTRICTED */
+ record_raw_stats(&rbufp->recv_srcadr,
+ &rbufp->dstadr->sin,
+ &p_org, &p_rec, &p_xmt, &rbufp->recv_time,
+ PKT_LEAP(pkt->li_vn_mode),
+ PKT_VERSION(pkt->li_vn_mode),
+ PKT_MODE(pkt->li_vn_mode),
+ PKT_TO_STRATUM(pkt->stratum),
+ pkt->ppoll,
+ pkt->precision,
+ FPTOD(NTOHS_FP(pkt->rootdelay)),
+ FPTOD(NTOHS_FP(pkt->rootdisp)),
+ pkt->refid,
+ rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
+
if (AUTH(restrict_mask & RES_DONTTRUST,
is_authentic)) {
fast_xmit(rbufp, MODE_SERVER, skeyid,
@@ -1067,8 +1239,10 @@
restrict_mask);
sys_badauth++;
} else {
+ DPRINTF(2, ("receive: AM_FXMIT drop: !mcast restricted\n"));
sys_restricted++;
}
+
return; /* hooray */
}
@@ -1077,6 +1251,7 @@
* configured as a manycast server.
*/
if (!sys_manycastserver) {
+ DPRINTF(2, ("receive: AM_FXMIT drop: Not manycastserver\n"));
sys_restricted++;
return; /* not enabled */
}
@@ -1086,6 +1261,7 @@
* Do not respond if not the same group.
*/
if (group_test(groupname, NULL)) {
+ DPRINTF(2, ("receive: AM_FXMIT drop: empty groupname\n"));
sys_declined++;
return;
}
@@ -1100,6 +1276,7 @@
|| sys_stratum >= hisstratum
|| (!sys_cohort && sys_stratum == hisstratum + 1)
|| rbufp->dstadr->addr_refid == pkt->refid) {
+ DPRINTF(2, ("receive: AM_FXMIT drop: LEAP_NOTINSYNC || stratum || loop\n"));
sys_declined++;
return; /* no help */
}
@@ -1108,9 +1285,24 @@
* Respond only if authentication succeeds. Don't do a
* crypto-NAK, as that would not be useful.
*/
- if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic))
+ if (AUTH(restrict_mask & RES_DONTTRUST, is_authentic)) {
+ record_raw_stats(&rbufp->recv_srcadr,
+ &rbufp->dstadr->sin,
+ &p_org, &p_rec, &p_xmt, &rbufp->recv_time,
+ PKT_LEAP(pkt->li_vn_mode),
+ PKT_VERSION(pkt->li_vn_mode),
+ PKT_MODE(pkt->li_vn_mode),
+ PKT_TO_STRATUM(pkt->stratum),
+ pkt->ppoll,
+ pkt->precision,
+ FPTOD(NTOHS_FP(pkt->rootdelay)),
+ FPTOD(NTOHS_FP(pkt->rootdisp)),
+ pkt->refid,
+ rbufp->recv_length - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
+
fast_xmit(rbufp, MODE_SERVER, skeyid,
restrict_mask);
+ }
return; /* hooray */
/*
@@ -1131,6 +1323,8 @@
* There is an implosion hazard at the manycast client, since
* the manycast servers send the server packet immediately. If
* the guy is already here, don't fire up a duplicate.
+ *
+ * There are cases here where we do not call record_raw_stats().
*/
case AM_MANYCAST:
@@ -1139,11 +1333,13 @@
* Do not respond if not the same group.
*/
if (group_test(groupname, NULL)) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: empty groupname\n"));
sys_declined++;
return;
}
#endif /* AUTOKEY */
if ((peer2 = findmanycastpeer(rbufp)) == NULL) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: No manycast peer\n"));
sys_restricted++;
return; /* not enabled */
}
@@ -1150,7 +1346,10 @@
if (!AUTH( (!(peer2->cast_flags & MDF_POOL)
&& sys_authenticate)
|| (restrict_mask & (RES_NOPEER |
- RES_DONTTRUST)), is_authentic)) {
+ RES_DONTTRUST)), is_authentic)
+ /* MC: RES_NOEPEER? */
+ ) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: bad auth || (NOPEER|DONTTRUST)\n"));
sys_restricted++;
return; /* access denied */
}
@@ -1162,15 +1361,17 @@
if ( hisleap == LEAP_NOTINSYNC
|| hisstratum < sys_floor
|| hisstratum >= sys_ceiling) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: unsync/stratum\n"));
sys_declined++;
return; /* no help */
}
peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr,
- MODE_CLIENT, hisversion, peer2->minpoll,
- peer2->maxpoll, FLAG_PREEMPT |
- (FLAG_IBURST & peer2->flags), MDF_UCAST |
- MDF_UCLNT, 0, skeyid, sys_ident);
+ r4a.ippeerlimit, MODE_CLIENT, hisversion,
+ peer2->minpoll, peer2->maxpoll,
+ FLAG_PREEMPT | (FLAG_IBURST & peer2->flags),
+ MDF_UCAST | MDF_UCLNT, 0, skeyid, sys_ident);
if (NULL == peer) {
+ DPRINTF(2, ("receive: AM_MANYCAST drop: duplicate\n"));
sys_declined++;
return; /* ignore duplicate */
}
@@ -1197,6 +1398,8 @@
* the packet is authentic and we are enabled as broadcast
* client, mobilize a broadcast client association. We don't
* kiss any frogs here.
+ *
+ * There are cases here where we do not call record_raw_stats().
*/
case AM_NEWBCL:
@@ -1205,16 +1408,21 @@
* Do not respond if not the same group.
*/
if (group_test(groupname, sys_ident)) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: groupname mismatch\n"));
sys_declined++;
return;
}
#endif /* AUTOKEY */
if (sys_bclient == 0) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: not a bclient\n"));
sys_restricted++;
return; /* not enabled */
}
if (!AUTH(sys_authenticate | (restrict_mask &
- (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
+ (RES_NOPEER | RES_DONTTRUST)), is_authentic)
+ /* NEWBCL: RES_NOEPEER? */
+ ) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: AUTH failed\n"));
sys_restricted++;
return; /* access denied */
}
@@ -1226,6 +1434,7 @@
if ( hisleap == LEAP_NOTINSYNC
|| hisstratum < sys_floor
|| hisstratum >= sys_ceiling) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: Unsync or bad stratum\n"));
sys_declined++;
return; /* no help */
}
@@ -1237,6 +1446,7 @@
*/
if ( crypto_flags && skeyid > NTP_MAXKEY
&& (opcode & 0xffff0000) != (CRYPTO_ASSOC | CRYPTO_RESP)) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not CRYPTO_ASSOC\n"));
sys_declined++;
return; /* protocol error */
}
@@ -1267,6 +1477,7 @@
*/
if (crypto_flags && skeyid > NTP_MAXKEY) {
sys_restricted++;
+ DPRINTF(2, ("receive: AM_NEWBCL drop: Autokey but not 2-way\n"));
return; /* no autokey */
}
#endif /* AUTOKEY */
@@ -1275,11 +1486,12 @@
* Do not execute the volley. Start out in
* broadcast client mode.
*/
- peer = newpeer(&rbufp->recv_srcadr, NULL,
- match_ep, MODE_BCLIENT, hisversion,
- pkt->ppoll, pkt->ppoll, FLAG_PREEMPT,
- MDF_BCLNT, 0, skeyid, sys_ident);
+ peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep,
+ r4a.ippeerlimit, MODE_BCLIENT, hisversion,
+ pkt->ppoll, pkt->ppoll,
+ FLAG_PREEMPT, MDF_BCLNT, 0, skeyid, sys_ident);
if (NULL == peer) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: duplicate\n"));
sys_restricted++;
return; /* ignore duplicate */
@@ -1299,10 +1511,12 @@
* is fixed at this value.
*/
peer = newpeer(&rbufp->recv_srcadr, NULL, match_ep,
- MODE_CLIENT, hisversion, pkt->ppoll, pkt->ppoll,
+ r4a.ippeerlimit, MODE_CLIENT, hisversion,
+ pkt->ppoll, pkt->ppoll,
FLAG_BC_VOL | FLAG_IBURST | FLAG_PREEMPT, MDF_BCLNT,
0, skeyid, sys_ident);
if (NULL == peer) {
+ DPRINTF(2, ("receive: AM_NEWBCL drop: empty newpeer() failed\n"));
sys_restricted++;
return; /* ignore duplicate */
}
@@ -1316,8 +1530,11 @@
/*
* This is the first packet received from a symmetric active
- * peer. If the packet is authentic and the first he sent,
- * mobilize a passive association. If not, kiss the frog.
+ * peer. If the packet is authentic, the first he sent, and
+ * RES_NOEPEER is not enabled, mobilize a passive association
+ * If not, kiss the frog.
+ *
+ * There are cases here where we do not call record_raw_stats().
*/
case AM_NEWPASS:
@@ -1326,38 +1543,42 @@
* Do not respond if not the same group.
*/
if (group_test(groupname, sys_ident)) {
+ DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n"));
sys_declined++;
return;
}
#endif /* AUTOKEY */
if (!AUTH(sys_authenticate | (restrict_mask &
- (RES_NOPEER | RES_DONTTRUST)), is_authentic)) {
-
- /*
- * If authenticated but cannot mobilize an
- * association, send a symmetric passive
- * response without mobilizing an association.
- * This is for drat broken Windows clients. See
- * Microsoft KB 875424 for preferred workaround.
- */
- if (AUTH(restrict_mask & RES_DONTTRUST,
- is_authentic)) {
- fast_xmit(rbufp, MODE_PASSIVE, skeyid,
- restrict_mask);
- return; /* hooray */
+ (RES_NOPEER | RES_DONTTRUST)), is_authentic)
+ ) {
+ if (0 == (restrict_mask & RES_NOEPEER)) {
+ /*
+ * If authenticated but cannot mobilize an
+ * association, send a symmetric passive
+ * response without mobilizing an association.
+ * This is for drat broken Windows clients. See
+ * Microsoft KB 875424 for preferred workaround.
+ */
+ if (AUTH(restrict_mask & RES_DONTTRUST,
+ is_authentic)) {
+ fast_xmit(rbufp, MODE_PASSIVE, skeyid,
+ restrict_mask);
+ return; /* hooray */
+ }
+ if (is_authentic == AUTH_ERROR) {
+ fast_xmit(rbufp, MODE_ACTIVE, 0,
+ restrict_mask);
+ sys_restricted++;
+ return;
+ }
}
- if (is_authentic == AUTH_ERROR) {
- fast_xmit(rbufp, MODE_ACTIVE, 0,
- restrict_mask);
- sys_restricted++;
- return;
- }
/* [Bug 2941]
* If we got here, the packet isn't part of an
- * existing association, it isn't correctly
- * authenticated, and it didn't meet either of
- * the previous two special cases so we should
- * just drop it on the floor. For example,
+ * existing association, either isn't correctly
+ * authenticated or it is but we are refusing
+ * ephemeral peer requests, and it didn't meet
+ * either of the previous two special cases so we
+ * should just drop it on the floor. For example,
* crypto-NAKs (is_authentic == AUTH_CRYPTO)
* will make it this far. This is just
* debug-printed and not logged to avoid log
@@ -1384,6 +1605,7 @@
*/
if ( hisleap != LEAP_NOTINSYNC
&& (hisstratum < sys_floor || hisstratum >= sys_ceiling)) {
+ DPRINTF(2, ("receive: AM_NEWPASS drop: Autokey group mismatch\n"));
sys_declined++;
return; /* no help */
}
@@ -1390,12 +1612,14 @@
/*
* The message is correctly authenticated and allowed.
- * Mobilize a symmetric passive association.
+ * Mobilize a symmetric passive association, if we won't
+ * exceed the ippeerlimit.
*/
- if ((peer = newpeer(&rbufp->recv_srcadr, NULL,
- rbufp->dstadr, MODE_PASSIVE, hisversion, pkt->ppoll,
- NTP_MAXDPOLL, 0, MDF_UCAST, 0, skeyid,
- sys_ident)) == NULL) {
+ if ((peer = newpeer(&rbufp->recv_srcadr, NULL, rbufp->dstadr,
+ r4a.ippeerlimit, MODE_PASSIVE, hisversion,
+ pkt->ppoll, NTP_MAXDPOLL, 0, MDF_UCAST, 0,
+ skeyid, sys_ident)) == NULL) {
+ DPRINTF(2, ("receive: AM_NEWPASS drop: newpeer() failed\n"));
sys_declined++;
return; /* ignore duplicate */
}
@@ -1404,6 +1628,8 @@
/*
* Process regular packet. Nothing special.
+ *
+ * There are cases here where we do not call record_raw_stats().
*/
case AM_PROCPKT:
@@ -1412,6 +1638,7 @@
* Do not respond if not the same group.
*/
if (group_test(groupname, peer->ident)) {
+ DPRINTF(2, ("receive: AM_PROCPKT drop: Autokey group mismatch\n"));
sys_declined++;
return;
}
@@ -1437,7 +1664,7 @@
/* This is noteworthy, not error-worthy */
if (pkt->ppoll != peer->ppoll) {
- msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %ud to %ud",
+ msyslog(LOG_INFO, "receive: broadcast poll from %s changed from %u to %u",
stoa(&rbufp->recv_srcadr),
peer->ppoll, pkt->ppoll);
}
@@ -1445,7 +1672,7 @@
/* This is error-worthy */
if (pkt->ppoll < peer->minpoll ||
pkt->ppoll > peer->maxpoll ) {
- msyslog(LOG_INFO, "receive: broadcast poll of %ud from %s is out-of-range (%d to %d)!",
+ msyslog(LOG_INFO, "receive: broadcast poll of %u from %s is out-of-range (%d to %d)!",
pkt->ppoll, stoa(&rbufp->recv_srcadr),
peer->minpoll, peer->maxpoll);
++bail;
@@ -1520,6 +1747,7 @@
}
if (bail) {
+ DPRINTF(2, ("receive: AM_PROCPKT drop: bail\n"));
peer->timelastrec = current_time;
sys_declined++;
return;
@@ -1535,6 +1763,7 @@
* attempt to deny service, just ignore it.
*/
case AM_ERR:
+ DPRINTF(2, ("receive: AM_ERR drop.\n"));
sys_declined++;
return;
@@ -1542,6 +1771,7 @@
* For everything else there is the bit bucket.
*/
default:
+ DPRINTF(2, ("receive: default drop.\n"));
sys_declined++;
return;
}
@@ -1555,6 +1785,7 @@
if ( is_authentic != AUTH_CRYPTO
&& ( ((peer->flags & FLAG_SKEY) && skeyid <= NTP_MAXKEY)
|| (!(peer->flags & FLAG_SKEY) && skeyid > NTP_MAXKEY))) {
+ DPRINTF(2, ("receive: drop: Autokey but wrong/bad auth\n"));
sys_badauth++;
return;
}
@@ -1575,9 +1806,12 @@
* A KoD packet we pay attention to cannot have a 0 transmit
* timestamp.
*/
+
+ kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid);
+
if (L_ISZERO(&p_xmt)) {
peer->flash |= TEST3; /* unsynch */
- if (STRATUM_UNSPEC == hisstratum) { /* KoD packet */
+ if (kissCode != NOKISS) { /* KoD packet */
peer->bogusorg++; /* for TEST2 or TEST3 */
msyslog(LOG_INFO,
"receive: Unexpected zero transmit timestamp in KoD from %s",
@@ -1591,6 +1825,7 @@
* the most recent packet, authenticated or not.
*/
} else if (L_ISEQU(&peer->xmt, &p_xmt)) {
+ DPRINTF(2, ("receive: drop: Duplicate xmit\n"));
peer->flash |= TEST1; /* duplicate */
peer->oldpkt++;
return;
@@ -1601,13 +1836,13 @@
* see if this is an interleave broadcast packet until after
* we've validated the MAC that SHOULD be provided.
*
- * hisstratum should never be 0.
+ * hisstratum cannot be 0 - see assertion above.
* If hisstratum is 15, then we'll advertise as UNSPEC but
* at least we'll be able to sync with the broadcast server.
*/
} else if (hismode == MODE_BROADCAST) {
- if ( 0 == hisstratum
- || STRATUM_UNSPEC <= hisstratum) {
+ /* 0 is unexpected too, and impossible */
+ if (STRATUM_UNSPEC <= hisstratum) {
/* Is this a ++sys_declined or ??? */
msyslog(LOG_INFO,
"receive: Unexpected stratum (%d) in broadcast from %s",
@@ -1628,7 +1863,7 @@
* (nonzero) org, rec, and xmt timestamps set to the xmt timestamp
* that we have previously sent out. Watch interleave mode.
*/
- } else if (STRATUM_UNSPEC == hisstratum) {
+ } else if (kissCode != NOKISS) {
DEBUG_INSIST(!L_ISZERO(&p_xmt));
if ( L_ISZERO(&p_org) /* We checked p_xmt above */
|| L_ISZERO(&p_rec)) {
@@ -1675,7 +1910,8 @@
* should 'aorg' be all-zero because this really was the original
* transmit timestamp, we'll ignore this reply. There is a window
* of one nanosecond once every 136 years' time where this is
- * possible. We currently ignore this situation.
+ * possible. We currently ignore this situation, as a completely
+ * zero timestamp is (quietly?) disallowed.
*
* Otherwise, check for bogus packet in basic mode.
* If it is bogus, switch to interleaved mode and resynchronize,
@@ -1684,11 +1920,11 @@
*
* This could also mean somebody is forging packets claiming to
* be from us, attempting to cause our server to KoD us.
+ *
+ * We have earlier asserted that hisstratum cannot be 0.
+ * If hisstratum is STRATUM_UNSPEC, it means he's not sync'd.
*/
} else if (peer->flip == 0) {
- INSIST(0 != hisstratum);
- INSIST(STRATUM_UNSPEC != hisstratum);
-
if (0) {
} else if (L_ISZERO(&p_org)) {
const char *action;
@@ -1767,10 +2003,13 @@
*/
} else if ( !L_ISZERO(&peer->dst)
&& !L_ISEQU(&p_org, &peer->dst)) {
+ DPRINTF(2, ("receive: drop: Bogus packet in interleaved symmetric mode\n"));
peer->bogusorg++;
peer->flags |= FLAG_XBOGUS;
peer->flash |= TEST2; /* bogus */
+#ifdef BUG3453
return; /* Bogus packet, we are done */
+#endif
}
/**/
@@ -1788,6 +2027,7 @@
if (unpeer_crypto_nak_early) {
unpeer(peer);
}
+ DPRINTF(2, ("receive: drop: PREEMPT crypto_NAK\n"));
return;
}
#ifdef AUTOKEY
@@ -1795,6 +2035,7 @@
peer_clear(peer, "AUTH");
}
#endif /* AUTOKEY */
+ DPRINTF(2, ("receive: drop: crypto_NAK\n"));
return;
/*
@@ -1832,6 +2073,7 @@
peer_clear(peer, "AUTH");
}
#endif /* AUTOKEY */
+ DPRINTF(2, ("receive: drop: Bad or missing AUTH\n"));
return;
}
@@ -1901,11 +2143,9 @@
/*
* Check for any kiss codes. Note this is only used when a server
- * responds to a packet request
+ * responds to a packet request.
*/
- kissCode = kiss_code_check(hisleap, hisstratum, hismode, pkt->refid);
-
/*
* Check to see if this is a RATE Kiss Code
* Currently this kiss code will accept whatever poll
@@ -2204,11 +2444,12 @@
/*
* Capture the header values in the client/peer association..
*/
- record_raw_stats(&peer->srcadr, peer->dstadr ?
- &peer->dstadr->sin : NULL,
+ record_raw_stats(&peer->srcadr,
+ peer->dstadr ? &peer->dstadr->sin : NULL,
&p_org, &p_rec, &p_xmt, &peer->dst,
pleap, pversion, pmode, pstratum, pkt->ppoll, pkt->precision,
- p_del, p_disp, pkt->refid);
+ p_del, p_disp, pkt->refid,
+ len - MIN_V4_PKT_LEN, (u_char *)&pkt->exten);
peer->leap = pleap;
peer->stratum = min(pstratum, STRATUM_UNSPEC);
peer->pmode = pmode;
@@ -4301,6 +4542,7 @@
int rc;
struct interface * lcladr;
sockaddr_u * rmtadr;
+ r4addr r4a;
int restrict_mask;
struct peer * p;
l_fp xmt_tx;
@@ -4337,11 +4579,12 @@
/* copy_addrinfo_list ai_addr points to a sockaddr_u */
rmtadr = (sockaddr_u *)(void *)pool->ai->ai_addr;
pool->ai = pool->ai->ai_next;
- p = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT, 0);
+ p = findexistingpeer(rmtadr, NULL, NULL, MODE_CLIENT, 0, NULL);
} while (p != NULL && pool->ai != NULL);
if (p != NULL)
return; /* out of addresses, re-query DNS next poll */
- restrict_mask = restrictions(rmtadr);
+ restrictions(rmtadr, &r4a);
+ restrict_mask = r4a.rflags;
if (RES_FLAGS & restrict_mask)
restrict_source(rmtadr, 0,
current_time + POOL_SOLICIT_WINDOW + 1);
@@ -4932,4 +5175,6 @@
sys_badauth = 0;
sys_limitrejected = 0;
sys_kodsent = 0;
+ sys_lamport = 0;
+ sys_tsrounding = 0;
}
Index: contrib/ntp/ntpd/ntp_scanner.c
===================================================================
--- contrib/ntp/ntpd/ntp_scanner.c (版本 330566)
+++ contrib/ntp/ntpd/ntp_scanner.c (版本 330908)
@@ -167,6 +167,7 @@
stream->backch = EOF;
if (stream->fpi)
conf_file_sum += ch;
+ stream->curpos.ncol++;
} else if (stream->fpi) {
/* fetch next 7-bit ASCII char (or EOF) from file */
while ((ch = fgetc(stream->fpi)) != EOF && ch > SCHAR_MAX)
Index: contrib/ntp/ntpd/ntpd.1ntpdman
===================================================================
--- contrib/ntp/ntpd/ntpd.1ntpdman (版本 330566)
+++ contrib/ntp/ntpd/ntpd.1ntpdman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpd 1ntpdman "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpd 1ntpdman "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wcairs/ag-fdaWls)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Ffa4WQ/ag-RfaWVQ)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:13 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:30 PM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/ntpd/ntpd.man.in
===================================================================
--- contrib/ntp/ntpd/ntpd.man.in (版本 330566)
+++ contrib/ntp/ntpd/ntpd.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpd @NTPD_MS@ "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpd @NTPD_MS@ "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wcairs/ag-fdaWls)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-Ffa4WQ/ag-RfaWVQ)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:13 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:30 PM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/ntpd/refclock_jjy.c
===================================================================
--- contrib/ntp/ntpd/refclock_jjy.c (版本 330566)
+++ contrib/ntp/ntpd/refclock_jjy.c (版本 330908)
@@ -110,6 +110,11 @@
/* [Fix] C-DEX JST2000 */
/* Thanks to Mr. Kuramatsu for the report and the patch. */
/* */
+/* 2017/04/30 */
+/* [Change] Avoid a wrong report of the coverity static analysis */
+/* tool. ( The code is harmless and has no bug. ) */
+/* teljjy_conn_send() */
+/* */
/**********************************************************************/
#ifdef HAVE_CONFIG_H
@@ -393,6 +398,7 @@
#define JJY_CLOCKSTATS_MARK_ATTENTION 5
#define JJY_CLOCKSTATS_MARK_WARNING 6
#define JJY_CLOCKSTATS_MARK_ERROR 7
+#define JJY_CLOCKSTATS_MARK_BUG 8
/* Local constants definition for the clockstats messages */
@@ -3299,6 +3305,7 @@
const char * pCmd ;
int i, iLen, iNextClockState ;
+ char sLog [ 120 ] ;
DEBUG_TELJJY_PRINTF( "teljjy_conn_send" ) ;
@@ -3327,8 +3334,8 @@
/* Loopback character comes */
#ifdef DEBUG
if ( debug ) {
- printf( "refclock_jjy.c : teljjy_conn_send : iLoopbackCount=%d\n",
- up->iLoopbackCount ) ;
+ printf( "refclock_jjy.c : teljjy_conn_send : iClockCommandSeq=%d iLoopbackCount=%d\n",
+ up->iClockCommandSeq, up->iLoopbackCount ) ;
}
#endif
@@ -3351,8 +3358,18 @@
if ( teljjy_command_sequence[up->iClockCommandSeq].iExpectedReplyType == TELJJY_REPLY_LOOPBACK ) {
/* Loopback character and timestamp */
- gettimeofday( &(up->sendTime[up->iLoopbackCount]), NULL ) ;
- up->bLoopbackMode = TRUE ;
+ if ( up->iLoopbackCount < MAX_LOOPBACK ) {
+ gettimeofday( &(up->sendTime[up->iLoopbackCount]), NULL ) ;
+ up->bLoopbackMode = TRUE ;
+ } else {
+ /* This else-block is never come. */
+ /* This code avoid wrong report of the coverity static analysis scan tool. */
+ snprintf( sLog, sizeof(sLog)-1, "refclock_jjy.c ; teljjy_conn_send ; iClockCommandSeq=%d iLoopbackCount=%d MAX_LOOPBACK=%d",
+ up->iClockCommandSeq, up->iLoopbackCount, MAX_LOOPBACK ) ;
+ jjy_write_clockstats( peer, JJY_CLOCKSTATS_MARK_BUG, sLog ) ;
+ msyslog ( LOG_ERR, "%s", sLog ) ;
+ up->bLoopbackMode = FALSE ;
+ }
} else {
/* Regular command */
up->bLoopbackMode = FALSE ;
@@ -4383,6 +4400,9 @@
case JJY_CLOCKSTATS_MARK_ERROR :
pMark = "-X- " ;
break ;
+ case JJY_CLOCKSTATS_MARK_BUG :
+ pMark = "!!! " ;
+ break ;
default :
pMark = "" ;
break ;
Index: contrib/ntp/ntpdc/Makefile.in
===================================================================
--- contrib/ntp/ntpdc/Makefile.in (版本 330566)
+++ contrib/ntp/ntpdc/Makefile.in (版本 330908)
@@ -107,6 +107,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -1246,7 +1247,6 @@
-cd ../sntp/libopts && $(MAKE) $(AM_MAKEFLAGS) libopts.la
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/ntpdc/ntpdc-opts.h
===================================================================
--- contrib/ntp/ntpdc/ntpdc-opts.h (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc-opts.h (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpdc-opts.h)
*
- * It has been AutoGen-ed March 21, 2017 at 10:44:43 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:14:56 PM by AutoGen 5.18.5
* From the definitions ntpdc-opts.def
* and the template file options
*
@@ -83,9 +83,9 @@
/** count of all options for ntpdc */
#define OPTION_CT 15
/** ntpdc version */
-#define NTPDC_VERSION "4.2.8p10"
+#define NTPDC_VERSION "4.2.8p11"
/** Full ntpdc version text */
-#define NTPDC_FULL_VERSION "ntpdc 4.2.8p10"
+#define NTPDC_FULL_VERSION "ntpdc 4.2.8p11"
/**
* Interface defines for all options. Replace "n" with the UPPER_CASED
Index: contrib/ntp/ntpdc/ntpdc.html
===================================================================
--- contrib/ntp/ntpdc/ntpdc.html (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc.html (版本 330908)
@@ -36,7 +36,7 @@
clock. Run as root, it can correct the system clock to this offset as
well. It can be run as an interactive command or from a cron job.
- <p>This document applies to version 4.2.8p10 of <code>ntpdc</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntpdc</code>.
<p>The program implements the SNTP protocol as defined by RFC 5905, the NTPv4
IETF specification.
@@ -152,7 +152,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10-beta
+<pre class="example">ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11
Usage: ntpdc [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [ host ...]
Flg Arg Option-Name Description
-4 no ipv4 Force IPv4 DNS name resolution
Index: contrib/ntp/ntpd/refclock_parse.c
===================================================================
--- contrib/ntp/ntpd/refclock_parse.c (版本 330566)
+++ contrib/ntp/ntpd/refclock_parse.c (版本 330908)
@@ -3614,7 +3614,9 @@
}
else
{
- int count = tmpctl.parseformat.parse_count - 1;
+ int count = tmpctl.parseformat.parse_count;
+ if (count)
+ --count;
start = tt = add_var(&out->kv_list, 80, RO|DEF);
tt = ap(start, 80, tt, "refclock_format=\"");
@@ -3780,9 +3782,14 @@
}
else
{
+ unsigned int count = tmpctl.parsegettc.parse_count;
+ if (count)
+ --count;
ERR(ERR_BADDATA)
- msyslog(LOG_WARNING, "PARSE receiver #%d: FAILED TIMECODE: \"%s\" (check receiver configuration / wiring)",
- CLK_UNIT(parse->peer), mkascii(buffer, sizeof buffer, tmpctl.parsegettc.parse_buffer, (unsigned)(tmpctl.parsegettc.parse_count - 1)));
+ msyslog(LOG_WARNING, "PARSE receiver #%d: FAILED TIMECODE: \"%s\" (check receiver configuration / wiring)",
+ CLK_UNIT(parse->peer),
+ mkascii(buffer, sizeof(buffer),
+ tmpctl.parsegettc.parse_buffer, count));
}
/* copy status to show only changes in case of failures */
parse->timedata.parse_status = parsetime->parse_status;
Index: contrib/ntp/ntpdc/layout.std
===================================================================
--- contrib/ntp/ntpdc/layout.std (版本 330566)
+++ contrib/ntp/ntpdc/layout.std (版本 330908)
@@ -168,7 +168,7 @@
offsetof(unused4) = 60
offsetof(peer6) = 64
-sizeof(struct info_sys_stats) = 44
+sizeof(struct info_sys_stats) = 52
offsetof(timeup) = 0
offsetof(timereset) = 4
offsetof(denied) = 8
@@ -180,6 +180,8 @@
offsetof(badauth) = 32
offsetof(received) = 36
offsetof(limitrejected) = 40
+offsetof(lamport) = 44
+offsetof(tsrounding) = 48
sizeof(struct old_info_sys_stats) = 40
offsetof(timeup) = 0
@@ -260,7 +262,7 @@
offsetof(addr) = 0
offsetof(mask) = 4
offsetof(count) = 8
-offsetof(flags) = 12
+offsetof(rflags) = 12
offsetof(mflags) = 14
offsetof(v6_flag) = 16
offsetof(unused1) = 20
@@ -267,14 +269,15 @@
offsetof(addr6) = 24
offsetof(mask6) = 40
-sizeof(struct conf_restrict) = 48
+sizeof(struct conf_restrict) = 52
offsetof(addr) = 0
offsetof(mask) = 4
-offsetof(flags) = 8
-offsetof(mflags) = 10
-offsetof(v6_flag) = 12
-offsetof(addr6) = 16
-offsetof(mask6) = 32
+offsetof(ippeerlimit) = 8
+offsetof(flags) = 10
+offsetof(mflags) = 12
+offsetof(v6_flag) = 16
+offsetof(addr6) = 20
+offsetof(mask6) = 36
sizeof(struct info_monitor_1) = 72
offsetof(avg_int) = 0
Index: contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc
===================================================================
--- contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc.1ntpdcmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPDC 1ntpdcmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:57 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:09 PM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/ntpdc/ntpdc.mdoc.in
===================================================================
--- contrib/ntp/ntpdc/ntpdc.mdoc.in (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPDC @NTPDC_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpdc-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:57 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:09 PM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/ntpq/invoke-ntpq.texi
===================================================================
--- contrib/ntp/ntpq/invoke-ntpq.texi (版本 330566)
+++ contrib/ntp/ntpq/invoke-ntpq.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntpq.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:45:28 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:15:26 PM by AutoGen 5.18.5
# From the definitions ntpq-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -14,13 +14,9 @@
The
@code{ntpq}
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -64,6 +60,16 @@
the remote host is not heard from within a suitable timeout
time.
+Note that in contexts where a host name is expected, a
+@code{-4}
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+@code{-6}
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+@quotedblleft{}NTP Debugging Techniques@quotedblright{}
+page.
+
Specifying a
command line option other than
@code{-i}
@@ -76,7 +82,9 @@
@code{ntpq}
will attempt to read
interactive format commands from the standard input.
+
@subsubsection Internal Commands
+
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
@@ -86,41 +94,36 @@
number of interactive format commands are executed entirely within
the
@code{ntpq}
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
@table @asis
-@item @code{?} @code{[@kbd{command_keyword}]}
-@item @code{help} @code{[@kbd{command_keyword}]}
+@item @code{?} @code{[@kbd{command}]}
+@item @code{help} @code{[@kbd{command}]}
A
@quoteleft{}?@quoteright{}
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
@code{ntpq}
A
@quoteleft{}?@quoteright{}
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-@code{ntpq}
-than this manual
-page.
-@item @code{addvars} @kbd{variable_name}@code{[@code{=value}]} @code{...}
-@item @code{rmvars} @kbd{variable_name} @code{...}
+@item @code{addvars} @kbd{name}@code{[=@kbd{value}]}@code{[,...]}
+@item @code{rmvars} @kbd{name}@code{[,...]}
@item @code{clearvars}
@item @code{showvars}
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-@quoteleft{}variable_name=value@quoteright{},
+@kbd{name}@code{[=@kbd{value}]},
where the
-@quoteleft{}=value@quoteright{}
+.No = Ns Ar value
is ignored, and can be omitted,
in requests to the server to read variables.
The
@code{ntpq}
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
@code{readlist}
and
@code{writelist}
@@ -135,35 +138,31 @@
@code{rmvars}
command can be used to remove individual variables from the list,
while the
-@code{clearlist}
+@code{clearvars}
command removes all variables from the
list.
The
@code{showvars}
command displays the current list of optional variables.
-@item @code{authenticate} @code{[yes | no]}
+@item @code{authenticate} @code{[@code{yes}|@code{no}]}
Normally
@code{ntpq}
does not authenticate requests unless
they are write requests.
The command
-@quoteleft{}authenticate yes@quoteright{}
+@code{authenticate} @code{yes}
causes
@code{ntpq}
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-@code{peer}
-display.
+requests slightly differently.
The command
-@quoteleft{}authenticate@quoteright{}
+@code{authenticate}
causes
@code{ntpq}
to display whether or not
-@code{ntpq}
-is currently autheinticating requests.
+it is currently authenticating requests.
@item @code{cooked}
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -172,13 +171,13 @@
values reformatted for human consumption.
Variables which
@code{ntpq}
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
@quoteleft{}?@quoteright{}.
-@item @code{debug} @code{[@code{more} | @code{less} | @code{off}]}
+@item @code{debug} @code{[@code{more}|@code{less}|@code{off}]}
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
-@item @code{delay} @kbd{milliseconds}
+Otherwise, the debugging level is changed as indicated.
+@item @code{delay} @code{[@kbd{milliseconds}]}
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -187,14 +186,21 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
+@item @code{drefid} @code{[@code{hash}|@code{ipv4}]}
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
@item @code{exit}
Exit
@code{ntpq}
-@item @code{host} @kbd{hostname}
+@item @code{host} @code{[@kbd{name}]}
Set the host to which future queries will be sent.
-@kbd{hostname}
+The
+@kbd{name}
may be either a host name or a numeric address.
-@item @code{hostnames} @code{[@code{yes} | @code{no}]}
+Without any arguments, displays the current host.
+@item @code{hostnames} @code{[@code{yes}|@code{no}]}
If
@code{yes}
is specified, host names are printed in
@@ -209,7 +215,9 @@
modified using the command line
@code{-n}
switch.
-@item @code{keyid} @kbd{keyid}
+Without any arguments, displays whether host names or numeric addresses
+are shown.
+@item @code{keyid} @code{[@kbd{keyid}]}
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -217,18 +225,20 @@
@code{controlkey}
key number the server has been configured to use for this
purpose.
-@item @code{keytype} @code{[@code{md5} | @code{OpenSSLDigestType}]}
-Specify the type of key to use for authenticating requests.
-@code{md5}
-is alway supported.
+Without any arguments, displays the current
+@kbd{keyid}.
+@item @code{keytype} @code{[@kbd{digest}]}
+Specify the digest algorithm to use for authenticating requests, with default
+@code{MD5}.
If
@code{ntpq}
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+@kbd{digest}
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-@code{keytype}
-is displayed.
-@item @code{ntpversion} @code{[@code{1} | @code{2} | @code{3} | @code{4}]}
+@code{keytype} @kbd{digest}
+algorithm used is displayed.
+@item @code{ntpversion} @code{[@code{1}|@code{2}|@code{3}|@code{4}]}
Sets the NTP version number which
@code{ntpq}
claims in
@@ -246,9 +256,11 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-@code{poll}
+@item @code{poll} @code{[@kbd{n}]} @code{[@code{verbose}]}
+Poll an NTP server in client mode
@kbd{n}
-@code{verbose}
+times.
+Poll not implemented yet.
@item @code{quit}
Exit
@code{ntpq}
@@ -258,24 +270,28 @@
The only formating/interpretation done on
the data is to transform nonascii data into a printable (but barely
understandable) form.
-@item @code{timeout} @kbd{milliseconds}
+@item @code{timeout} @code{[@kbd{milliseconds}]}
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
@code{ntpq}
retries each query once after a timeout, the total waiting time for
a timeout will be twice the timeout value set.
@item @code{version}
-Print the version of the
+Display the version of the
@code{ntpq}
program.
@end table
@subsubsection Control Message Commands
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
@code{peers}
command, which sends a series of messages,
@@ -285,6 +301,16 @@
@code{mreadvar}
commands, which iterate over a range of associations.
@table @asis
+@item @code{apeers}
+Display a list of peers in the form:
+@example
+[tally]remote refid assid st t when pool reach delay offset jitter
+@end example
+where the output is just like the
+@code{peers}
+command except that the
+@code{refid}
+is displayed in hex format and the association number is also displayed.
@item @code{associations}
Display a list of mobilized associations in the form:
@example
@@ -291,57 +317,105 @@
ind assid status conf reach auth condition last_event cnt
@end example
@table @asis
-@item Sy String Ta Sy Description
+@item Sy Variable Ta Sy Description
@item @code{ind} @code{Ta} @code{index} @code{on} @code{this} @code{list}
-@item @code{assid} @code{Ta} @code{association} @code{ID}
+@item @code{assid} @code{Ta} @code{association} @code{id}
@item @code{status} @code{Ta} @code{peer} @code{status} @code{word}
-@item @code{conf} @code{Ta} @code{yes}: @code{persistent,} @code{no}: @code{ephemeral}
-@item @code{reach} @code{Ta} @code{yes}: @code{reachable,} @code{no}: @code{unreachable}
-@item @code{auth} @code{Ta} @code{ok}, @code{yes}, @code{bad} @code{and} @code{none}
-@item @code{condition} @code{Ta} @code{selection} @code{status} @code{(see} @code{the} @code{select} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)}
-@item @code{last_event} @code{Ta} @code{event} @code{report} @code{(see} @code{the} @code{event} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)}
-@item @code{cnt} @code{Ta} @code{event} @code{count} @code{(see} @code{the} @code{count} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)}
+@item @code{conf} @code{Ta} @code{yes}: @code{No} @code{persistent,} @code{no}: @code{No} @code{ephemeral}
+@item @code{reach} @code{Ta} @code{yes}: @code{No} @code{reachable,} @code{no}: @code{No} @code{unreachable}
+@item @code{auth} @code{Ta} @code{ok}, @code{yes}, @code{bad} @code{No} @code{and} @code{none}
+@item @code{condition} @code{Ta} @code{selection} @code{status} @code{(see} @code{the} @code{select} @code{No} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)}
+@item @code{last_event} @code{Ta} @code{event} @code{report} @code{(see} @code{the} @code{event} @code{No} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)}
+@item @code{cnt} @code{Ta} @code{event} @code{count} @code{(see} @code{the} @code{count} @code{No} @code{field} @code{of} @code{the} @code{peer} @code{status} @code{word)}
@end table
@item @code{authinfo}
-Display the authentication statistics.
-@item @code{clockvar} @kbd{assocID} @code{[@kbd{name}@code{[@code{=}@kbd{value}]}]} @code{[...]}
-@item @code{cv} @kbd{assocID} @code{[@kbd{name}@code{[@code{=}@kbd{value}]}]} @code{[...]}
-Display a list of clock variables for those associations supporting a reference clock.
-@item @code{:config} @code{[...]}
-Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
+@item @code{clocklist} @code{[@kbd{associd}]}
+@item @code{cl} @code{[@kbd{associd}]}
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
+@item @code{clockvar} @code{[@kbd{associd}]} @code{[@kbd{name}@code{[=@kbd{value}]}]}@code{[,...]}
+@item @code{cv} @code{[@kbd{associd}]} @code{[@kbd{name}@code{[=@kbd{value}]}]}@code{[,...]}
+Display a list of clock variables for those associations supporting a
+reference clock.
+@item @code{:config} @kbd{configuration command line}
+Send the remainder of the command line, including whitespace, to the
+server as a run-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
@item @code{config-from-file} @kbd{filename}
-Send the each line of
+Send each line of
@kbd{filename}
-to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
@item @code{ifstats}
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
@item @code{iostats}
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
@item @code{kerninfo}
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
@item @code{lassociations}
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
-@item @code{lopeers} @code{[@code{-4} | @code{-6}]}
-Obtain and print a list of all peers and clients showing
-@kbd{dstadr}
-(associated with any given IP version).
-@item @code{lpeers} @code{[@code{-4} | @code{-6}]}
-Print a peer spreadsheet for the appropriate IP version(s).
-@kbd{dstadr}
-(associated with any given IP version).
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
+@item @code{lopeers} @code{[@code{-4}|@code{-6}]}
+Display a list of all peers and clients showing
+@code{dstadr}
+(associated with the given IP version).
+@item @code{lpassociations}
+Display the last obtained list of associations, including all clients.
+@item @code{lpeers} @code{[@code{-4}|@code{-6}]}
+Display a list of all peers and clients (associated with the given IP version).
@item @code{monstats}
-Display monitor facility statistics.
-@item @code{mrulist} @code{[@code{limited} | @code{kod} | @code{mincount}=@kbd{count} | @code{laddr}=@kbd{localaddr} | @code{sort}=@kbd{sortorder} | @code{resany}=@kbd{hexmask} | @code{resall}=@kbd{hexmask}]}
-Obtain and print traffic counts collected and maintained by the monitor facility.
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
+@item @code{mreadlist} @kbd{associdlo} @kbd{associdhi}
+@item @code{mrl} @kbd{associdlo} @kbd{associdhi}
+Perform the same function as the
+@code{readlist}
+command for a range of association ids.
+@item @code{mreadvar} @kbd{associdlo} @kbd{associdhi} @code{[@kbd{name}]}@code{[,...]}
+This range may be determined from the list displayed by any
+command showing associations.
+@item @code{mrv} @kbd{associdlo} @kbd{associdhi} @code{[@kbd{name}]}@code{[,...]}
+Perform the same function as the
+@code{readvar}
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+@item @code{mrulist} @code{[@code{limited} | @code{kod} | @code{mincount}=@kbd{count} | @code{laddr}=@kbd{localaddr} | @code{sort}=@code{[-]}@kbd{sortorder} | @code{resany}=@kbd{hexmask} | @code{resall}=@kbd{hexmask}]}
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-@code{sort}=@kbd{sortorder},
+@code{sort}=@code{[-]}@kbd{sortorder},
the options filter the list returned by
-@code{ntpd.}
+@code{ntpd(8)}.
The
@code{limited}
and
@code{kod}
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
@code{mincount}=@kbd{count}
option filters entries representing less than
@@ -362,18 +436,21 @@
@kbd{sortorder}
defaults to
@code{lstint}
-and may be any of
+and may be
@code{addr},
+@code{avgint},
@code{count},
-@code{avgint},
@code{lstint},
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+@quoteleft{}-@quoteright{}
+to reverse the sort order.
The output columns are:
@table @asis
@item Column
Description
@item @code{lstint}
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
@code{ntpq}
@item @code{avgint}
Average interval in s between packets from this address.
@@ -381,7 +458,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
@code{restrict}
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
@item @code{r}
Rate control indicator, either
a period,
@@ -399,23 +477,15 @@
@item @code{rport}
Source port of last packet from this address.
@item @code{remote} @code{address}
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
@end table
-@item @code{mreadvar} @code{assocID} @code{assocID} @code{[@kbd{variable_name}@code{[=@kbd{value}]} ...]}
-@item @code{mrv} @code{assocID} @code{assocID} @code{[@kbd{variable_name}@code{[=@kbd{value}]} ...]}
-Perform the same function as the
-@code{readvar}
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-@code{associations}
-command.
@item @code{opeers} @code{[@code{-4} | @code{-6}]}
Obtain and print the old-style list of all peers and clients showing
-@kbd{dstadr}
-(associated with any given IP version),
+@code{dstadr}
+(associated with the given IP version),
rather than the
-@kbd{refid}.
+@code{refid}.
@item @code{passociations}
Perform the same function as the
@code{associations}
@@ -436,21 +506,25 @@
.Lk decode.html#peer "peer status word"
@item @code{remote}
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+@code{ntpq}
@code{-w}
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
@item @code{refid}
-association ID or
+source IP address or
.Lk decode.html#kiss "'kiss code"
@item @code{st}
-stratum
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
@item @code{t}
@code{u}:
unicast or manycast client,
@code{b}:
broadcast or multicast client,
+@code{p}:
+pool source,
@code{l}:
local (reference clock),
@code{s}:
@@ -462,9 +536,12 @@
@code{M}:
multicast server
@item @code{when}
-sec/min/hr since last received packet
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+@quoteleft{}-@quoteright{}
+if a packet has never been received
@item @code{poll}
-poll interval (log2 s)
+poll interval (s)
@item @code{reach}
reach shift register (octal)
@item @code{delay}
@@ -472,29 +549,26 @@
@item @code{offset}
offset of server relative to this host
@item @code{jitter}
-jitter
+offset RMS error estimate.
@end table
-@item @code{apeers}
-Display a list of peers in the form:
-@example
-[tally]remote refid assid st t when pool reach delay offset jitter
-@end example
-where the output is just like the
-@code{peers}
-command except that the
-@code{refid}
-is displayed in hex format and the association number is also displayed.
-@item @code{pstats} @kbd{assocID}
-Show the statistics for the peer with the given
-@kbd{assocID}.
-@item @code{readlist} @kbd{assocID}
-@item @code{rl} @kbd{assocID}
-Read the system or peer variables included in the variable list.
-@item @code{readvar} @kbd{assocID} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]}
-@item @code{rv} @kbd{assocID} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]}
-Display the specified variables.
+@item @code{pstats} @kbd{associd}
+Display the statistics for the peer with the given
+@kbd{associd}:
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
+@item @code{readlist} @code{[@kbd{associd}]}
+@item @code{rl} @code{[@kbd{associd}]}
+Display all system or peer variables.
+If the
+@kbd{associd}
+is omitted, it is assumed to be zero.
+@item @code{readvar} @code{[@kbd{associd} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]}]}
+@item @code{rv} @code{[@kbd{associd} @kbd{name}@code{[=@kbd{value}]} @code{[, ...]}]}
+Display the specified system or peer variables.
If
-@kbd{assocID}
+@kbd{associd}
is zero, the variables are from the
@ref{System Variables}
name space, otherwise they are from the
@@ -501,57 +575,78 @@
@ref{Peer Variables}
name space.
The
-@kbd{assocID}
+@kbd{associd}
is required, as the same name can occur in both spaces.
If no
@kbd{name}
is included, all operative variables in the name space are displayed.
-
In this case only, if the
-@kbd{assocID}
-is omitted, it is assumed zero.
+@kbd{associd}
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts-per-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+@kbd{YYYY}@kbd{MM} @kbd{DD} @kbd{TTTT},
+where
+@kbd{YYYY}
+is the year,
+@kbd{MM}
+the month of year,
+@kbd{DD}
+the day of month and
+@kbd{TTTT}
+the time of day.
@item @code{reslist}
-Show the access control (restrict) list for
+Display the access control (restrict) list for
@code{ntpq}
-
+Authentication is required.
@item @code{saveconfig} @kbd{filename}
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
@code{:config}
or
@code{config-from-file},
-to the ntpd host's file
+to the NTP server host file
@kbd{filename}.
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-@code{ntpd}
+@code{ntpd(8)}
configuration file.
@kbd{filename}
can use
-@code{strftime()}
-format specifies to substitute the current date and time, for example,
-@code{q]saveconfig} @code{ntp-%Y%m%d-%H%M%S.confq]}.
+@code{date(1)}
+format specifiers to substitute the current date and time, for
+example,
+@example
+@code{saveconfig} @file{ntp-%Y%m%d-%H%M%S.conf}.
+@end example
The filename used is stored in system variable
@code{savedconfig}.
Authentication is required.
+@item @code{sysinfo}
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+@item @code{sysstats}
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
@item @code{timerstats}
-Display interval timer counters.
-@item @code{writelist} @kbd{assocID}
-Write the system or peer variables included in the variable list.
-@item @code{writevar} @kbd{assocID} @kbd{name}=@kbd{value} @code{[, ...]}
-Write the specified variables.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
+@item @code{writelist} @kbd{associd}
+Set all system or peer variables included in the variable list.
+@item @code{writevar} @kbd{associd} @kbd{name}=@kbd{value} @code{[, ...]}
+Set the specified variables in the variable list.
If the
-@kbd{assocID}
+@kbd{associd}
is zero, the variables are from the
@ref{System Variables}
name space, otherwise they are from the
@@ -558,24 +653,20 @@
@ref{Peer Variables}
name space.
The
-@kbd{assocID}
+@kbd{associd}
is required, as the same name can occur in both spaces.
-@item @code{sysinfo}
-Display operational summary.
-@item @code{sysstats}
-Print statistics counters maintained in the protocol module.
+Authentication is required.
@end table
@subsubsection Status Words and Kiss Codes
-
The current state of the operating program is shown
in a set of status words
maintained by the system.
Status information is also available on a per-association basis.
-These words are displayed in the
-@code{rv}
+These words are displayed by the
+@code{readlist}
and
-@code{as}
+@code{associations}
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -593,9 +684,10 @@
@subsubsection System Variables
The following system variables appear in the
-@code{rv}
+@code{readlist}
billboard.
Not all variables are displayed in some configurations.
+
@table @asis
@item Variable
Description
@@ -617,25 +709,25 @@
total roundtrip delay to the primary reference clock
@item @code{rootdisp}
total dispersion to the primary reference clock
+@item @code{refid}
+reference id or
+.Lk decode.html#kiss "kiss code"
+@item @code{reftime}
+reference time
+@item @code{clock}
+date and time of day
@item @code{peer}
-system peer association ID
+system peer association id
@item @code{tc}
time constant and poll exponent (log2 s) (3-17)
@item @code{mintc}
minimum time constant (log2 s) (3-10)
-@item @code{clock}
-date and time of day
-@item @code{refid}
-reference ID or
-.Lk decode.html#kiss "kiss code"
-@item @code{reftime}
-reference time
@item @code{offset}
-combined offset of server relative to this host
+combined offset of server relative to this host
+@item @code{frequency}
+frequency drift (PPM) relative to hardware clock
@item @code{sys_jitter}
combined system jitter
-@item @code{frequency}
-frequency offset (PPM) relative to hardware clock
@item @code{clk_wander}
clock frequency wander (PPM)
@item @code{clk_jitter}
@@ -655,7 +747,6 @@
additional system variables are displayed,
including some or all of the following,
depending on the particular Autokey dance:
-
@table @asis
@item Variable
Description
@@ -678,7 +769,7 @@
@end table
@subsubsection Peer Variables
The following peer variables appear in the
-@code{rv}
+@code{readlist}
billboard for each association.
Not all variables are displayed in some configurations.
@@ -686,7 +777,7 @@
@item Variable
Description
@item @code{associd}
-association ID
+association id
@item @code{status}
.Lk decode.html#peer "peer status word"
@item @code{srcadr}
@@ -708,10 +799,12 @@
@item @code{rootdisp}
total root dispersion to the primary reference clock
@item @code{refid}
-reference ID or
+reference id or
.Lk decode.html#kiss "kiss code"
@item @code{reftime}
reference time
+@item @code{rec}
+last packet received time
@item @code{reach}
reach register (octal)
@item @code{unreach}
@@ -729,6 +822,8 @@
.Lk rate.html "Rate Management and the Kiss-o'-Death Packet" )
@item @code{flash}
.Lk decode.html#flash "flash status word"
+@item @code{keyid}
+symmetric key id
@item @code{offset}
filter offset
@item @code{delay}
@@ -737,8 +832,6 @@
filter dispersion
@item @code{jitter}
filter jitter
-@item @code{ident}
-Autokey group name for this association
@item @code{bias}
unicast/broadcast bias
@item @code{xleave}
@@ -749,7 +842,8 @@
@code{bias}
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
@code{xleave}
variable appears only for the interleaved symmetric and interleaved modes.
@@ -770,16 +864,18 @@
@item @code{signature}
OpenSSL digest/signature scheme
@item @code{initsequence}
-initial key ID
+initial key id
@item @code{initkey}
initial key index
@item @code{timestamp}
Autokey signature timestamp
+@item @code{ident}
+Autokey group name for this association
@end table
@subsubsection Clock Variables
The following clock variables appear in the
-@code{cv}
+@code{clocklist}
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
@table @asis
@@ -786,7 +882,7 @@
@item Variable
Description
@item @code{associd}
-association ID
+association id
@item @code{status}
.Lk decode.html#clock "clock status word"
@item @code{device}
@@ -808,7 +904,7 @@
@item @code{stratum}
driver stratum
@item @code{refid}
-driver reference ID
+driver reference id
@item @code{flags}
driver flags
@end table
@@ -848,12 +944,12 @@
@exampleindent 0
@example
-ntpq - standard NTP query program - Ver. 4.2.8p10-beta
+ntpq - standard NTP query program - Ver. 4.2.8p11
Usage: ntpq [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [ host ...]
Flg Arg Option-Name Description
- -4 no ipv4 Force IPv4 DNS name resolution
+ -4 no ipv4 Force IPv4 name resolution
- prohibits the option 'ipv6'
- -6 no ipv6 Force IPv6 DNS name resolution
+ -6 no ipv6 Force IPv6 name resolution
- prohibits the option 'ipv4'
-c Str command run a command and exit
- may appear multiple times
@@ -899,7 +995,7 @@
@subsection ipv4 option (-4)
@cindex ntpq-ipv4
-This is the ``force ipv4 dns name resolution'' option.
+This is the ``force ipv4 name resolution'' option.
@noindent
This option has some usage constraints. It:
@@ -909,13 +1005,13 @@
ipv6.
@end itemize
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv4 namespace.
@node ntpq ipv6
@subsection ipv6 option (-6)
@cindex ntpq-ipv6
-This is the ``force ipv6 dns name resolution'' option.
+This is the ``force ipv6 name resolution'' option.
@noindent
This option has some usage constraints. It:
@@ -925,7 +1021,7 @@
ipv4.
@end itemize
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv6 namespace.
@node ntpq command
@subsection command option (-c)
@@ -967,7 +1063,7 @@
This is the ``numeric host addresses'' option.
Output all host addresses in dotted-quad numeric format rather than
-converting to the canonical host names.
+converting to the canonical host names.
@node ntpq old-rv
@subsection old-rv option
@cindex ntpq-old-rv
Index: contrib/ntp/ntpq/ntpq-subs.c
===================================================================
--- contrib/ntp/ntpq/ntpq-subs.c (版本 330566)
+++ contrib/ntp/ntpq/ntpq-subs.c (版本 330908)
@@ -307,12 +307,12 @@
sockaddr_u bcast;
int enabled;
u_int flags;
- int mcast_count;
+ u_int mcast_count;
char name[32];
- int peer_count;
- int received;
- int sent;
- int send_errors;
+ u_int peer_count;
+ u_int received;
+ u_int sent;
+ u_int send_errors;
u_int ttl;
u_int uptime;
} ifstats_row;
@@ -1452,6 +1452,8 @@
else
return 0;
+ if (ts->l_ui < lasttime->l_ui)
+ return -1;
return (ts->l_ui - lasttime->l_ui);
}
@@ -1490,7 +1492,14 @@
}
diff = (diff + 11) / 24;
- snprintf(buf, cb, "%ldd", diff);
+ if (diff <= 999) {
+ snprintf(buf, cb, "%ldd", diff);
+ return buf;
+ }
+
+ /* years are only approximated... */
+ diff = (long)floor(diff / 365.25 + 0.5);
+ snprintf(buf, cb, "%ldy", diff);
return buf;
}
@@ -1833,8 +1842,12 @@
if (!have_srchost)
strlcpy(clock_name, nntohost(&srcadr),
sizeof(clock_name));
+ /* wide and long source - space over on next line */
+ /* allow for host + sp if > 1 and regular tally + source + sp */
if (wideremote && 15 < strlen(clock_name))
- fprintf(fp, "%c%s\n ", c, clock_name);
+ fprintf(fp, "%c%s\n%*s", c, clock_name,
+ ((numhosts > 1) ? (int)maxhostlen + 1 : 0)
+ + 1 + 15 + 1, "");
else
fprintf(fp, "%c%-15.15s ", c, clock_name);
if (!have_da_rid) {
@@ -2225,14 +2238,13 @@
col = -1;
if (1 == sscanf(resp, "column %d syntax error", &col)
&& col >= 0 && (size_t)col <= strlen(cfgcmd) + 1) {
- if (interactive) {
- printf("______"); /* "ntpq> " */
- printf("________"); /* ":config " */
- } else
+ if (interactive)
+ fputs(" *", stdout); /* "ntpq> :config " */
+ else
printf("%s\n", cfgcmd);
- for (i = 1; i < col; i++)
- putchar('_');
- printf("^\n");
+ for (i = 0; i < col; i++)
+ fputc('_', stdout);
+ fputs("^\n", stdout);
}
printf("%s\n", resp);
free(resp);
@@ -3277,7 +3289,7 @@
return;
if (prow->ifnum + 1 <= ifnum) {
if (*pfields < IFSTATS_FIELDS)
- fprintf(fp, "Warning: incomplete row with %d (of %d) fields",
+ fprintf(fp, "Warning: incomplete row with %d (of %d) fields\n",
*pfields, IFSTATS_FIELDS);
*pfields = 0;
prow->ifnum = ifnum;
@@ -3314,7 +3326,7 @@
"==============================================================================\n");
*/
fprintf(fp,
- "%3u %-24.24s %c %4x %3d %2d %6d %6d %6d %5d %8d\n"
+ "%3u %-24.24s %c %4x %3u %2u %6u %6u %6u %5u %8d\n"
" %s\n",
prow->ifnum, prow->name,
(prow->enabled)
@@ -3414,7 +3426,7 @@
case 'm':
if (1 == sscanf(tag, mc_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.mcast_count))
+ 1 == sscanf(val, "%u", &row.mcast_count))
comprende = TRUE;
break;
@@ -3435,31 +3447,31 @@
case 'p':
if (1 == sscanf(tag, pc_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.peer_count))
+ 1 == sscanf(val, "%u", &row.peer_count))
comprende = TRUE;
break;
case 'r':
if (1 == sscanf(tag, rx_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.received))
+ 1 == sscanf(val, "%u", &row.received))
comprende = TRUE;
break;
case 't':
if (1 == sscanf(tag, tl_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.ttl))
+ 1 == sscanf(val, "%u", &row.ttl))
comprende = TRUE;
else if (1 == sscanf(tag, tx_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.sent))
+ 1 == sscanf(val, "%u", &row.sent))
comprende = TRUE;
else if (1 == sscanf(tag, txerr_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.send_errors))
+ 1 == sscanf(val, "%u", &row.send_errors))
comprende = TRUE;
break;
case 'u':
if (1 == sscanf(tag, up_fmt, &ui) &&
- 1 == sscanf(val, "%d", &row.uptime))
+ 1 == sscanf(val, "%u", &row.uptime))
comprende = TRUE;
break;
}
@@ -3472,7 +3484,7 @@
}
}
if (fields != IFSTATS_FIELDS)
- fprintf(fp, "Warning: incomplete row with %d (of %d) fields",
+ fprintf(fp, "Warning: incomplete row with %d (of %d) fields\n",
fields, IFSTATS_FIELDS);
fflush(fp);
@@ -3847,6 +3859,10 @@
VDC_INIT("ss_limited", "rate limited: ", NTP_STR),
VDC_INIT("ss_kodsent", "KoD responses: ", NTP_STR),
VDC_INIT("ss_processed", "processed for time: ", NTP_STR),
+#if 0
+ VDC_INIT("ss_lamport", "Lamport violations: ", NTP_STR),
+ VDC_INIT("ss_tsrounding", "bad timestamp rounding:", NTP_STR),
+#endif
VDC_INIT(NULL, NULL, 0)
};
Index: contrib/ntp/ntpq/ntpq.html
===================================================================
--- contrib/ntp/ntpq/ntpq.html (版本 330566)
+++ contrib/ntp/ntpq/ntpq.html (版本 330908)
@@ -44,7 +44,7 @@
and determine the performance of
<code>ntpd</code>, the NTP daemon.
- <p>This document applies to version 4.2.8p10 of <code>ntpq</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntpq</code>.
<ul class="menu">
<li><a accesskey="1" href="#ntpq-Description">ntpq Description</a>
@@ -97,13 +97,9 @@
<p>The
<code>ntpq</code>
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -147,6 +143,16 @@
the remote host is not heard from within a suitable timeout
time.
+ <p>Note that in contexts where a host name is expected, a
+<code>-4</code>
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+<code>-6</code>
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+NTP Debugging Techniques
+page.
+
<p>Specifying a
command line option other than
<code>-i</code>
@@ -171,35 +177,30 @@
number of interactive format commands are executed entirely within
the
<code>ntpq</code>
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
<dl>
-<dt><code>?</code> <code>[</code><kbd>command_keyword</kbd><code>]</code><br><dt><code>help</code> <code>[</code><kbd>command_keyword</kbd><code>]</code><dd>A
+<dt><code>?</code> <code>[</code><kbd>command</kbd><code>]</code><br><dt><code>help</code> <code>[</code><kbd>command</kbd><code>]</code><dd>A
?
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
<code>ntpq</code>
A
?
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-<code>ntpq</code>
-than this manual
-page.
-<br><dt><code>addvars</code> <kbd>variable_name</kbd><code>[=value]</code> <code>...</code><br><dt><code>rmvars</code> <kbd>variable_name</kbd> <code>...</code><br><dt><code>clearvars</code><br><dt><code>showvars</code><dd>The data carried by NTP mode 6 messages consists of a list of
+<br><dt><code>addvars</code> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code><code>[,...]</code><br><dt><code>rmvars</code> <kbd>name</kbd><code>[,...]</code><br><dt><code>clearvars</code><br><dt><code>showvars</code><dd>The arguments to this command consist of a list of
items of the form
-variable_name=value,
+<kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code>,
where the
-=value
+.No = Ns Ar value
is ignored, and can be omitted,
in requests to the server to read variables.
The
<code>ntpq</code>
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
<code>readlist</code>
and
<code>writelist</code>
@@ -214,34 +215,30 @@
<code>rmvars</code>
command can be used to remove individual variables from the list,
while the
-<code>clearlist</code>
+<code>clearvars</code>
command removes all variables from the
list.
The
<code>showvars</code>
command displays the current list of optional variables.
-<br><dt><code>authenticate</code> <code>[yes | no]</code><dd>Normally
+<br><dt><code>authenticate</code> <code>[yes|no]</code><dd>Normally
<code>ntpq</code>
does not authenticate requests unless
they are write requests.
The command
-authenticate yes
+<code>authenticate</code> <code>yes</code>
causes
<code>ntpq</code>
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-<code>peer</code>
-display.
+requests slightly differently.
The command
-authenticate
+<code>authenticate</code>
causes
<code>ntpq</code>
to display whether or not
-<code>ntpq</code>
-is currently autheinticating requests.
+it is currently authenticating requests.
<br><dt><code>cooked</code><dd>Causes output from query commands to be "cooked", so that
variables which are recognized by
<code>ntpq</code>
@@ -249,12 +246,12 @@
values reformatted for human consumption.
Variables which
<code>ntpq</code>
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
?.
-<br><dt><code>debug</code> <code>[more | less | off]</code><dd>With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
-<br><dt><code>delay</code> <kbd>milliseconds</kbd><dd>Specify a time interval to be added to timestamps included in
+<br><dt><code>debug</code> <code>[more|less|off]</code><dd>With no argument, displays the current debug level.
+Otherwise, the debugging level is changed as indicated.
+<br><dt><code>delay</code> <code>[</code><kbd>milliseconds</kbd><code>]</code><dd>Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
(unreliable) server reconfiguration over long delay network paths
@@ -262,12 +259,18 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
+<br><dt><code>drefid</code> <code>[hash|ipv4]</code><dd>Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
<br><dt><code>exit</code><dd>Exit
<code>ntpq</code>
-<br><dt><code>host</code> <kbd>hostname</kbd><dd>Set the host to which future queries will be sent.
-<kbd>hostname</kbd>
+<br><dt><code>host</code> <code>[</code><kbd>name</kbd><code>]</code><dd>Set the host to which future queries will be sent.
+The
+<kbd>name</kbd>
may be either a host name or a numeric address.
-<br><dt><code>hostnames</code> <code>[yes | no]</code><dd>If
+Without any arguments, displays the current host.
+<br><dt><code>hostnames</code> <code>[yes|no]</code><dd>If
<code>yes</code>
is specified, host names are printed in
information displays.
@@ -281,7 +284,9 @@
modified using the command line
<code>-n</code>
switch.
-<br><dt><code>keyid</code> <kbd>keyid</kbd><dd>This command allows the specification of a key number to be
+Without any arguments, displays whether host names or numeric addresses
+are shown.
+<br><dt><code>keyid</code> <code>[</code><kbd>keyid</kbd><code>]</code><dd>This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
to the
@@ -288,17 +293,19 @@
<code>controlkey</code>
key number the server has been configured to use for this
purpose.
-<br><dt><code>keytype</code> <code>[md5 | OpenSSLDigestType]</code><dd>Specify the type of key to use for authenticating requests.
-<code>md5</code>
-is alway supported.
+Without any arguments, displays the current
+<kbd>keyid</kbd>.
+<br><dt><code>keytype</code> <code>[</code><kbd>digest</kbd><code>]</code><dd>Specify the digest algorithm to use for authenticating requests, with default
+<code>MD5</code>.
If
<code>ntpq</code>
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+<kbd>digest</kbd>
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-<code>keytype</code>
-is displayed.
-<br><dt><code>ntpversion</code> <code>[1 | 2 | 3 | 4]</code><dd>Sets the NTP version number which
+<code>keytype</code> <kbd>digest</kbd>
+algorithm used is displayed.
+<br><dt><code>ntpversion</code> <code>[1|2|3|4]</code><dd>Sets the NTP version number which
<code>ntpq</code>
claims in
packets.
@@ -314,9 +321,10 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-<code>poll</code>
+<br><dt><code>poll</code> <code>[</code><kbd>n</kbd><code>]</code> <code>[verbose]</code><dd>Poll an NTP server in client mode
<kbd>n</kbd>
-<code>verbose</code>
+times.
+Poll not implemented yet.
<br><dt><code>quit</code><dd>Exit
<code>ntpq</code>
<br><dt><code>raw</code><dd>Causes all output from query commands is printed as received
@@ -324,14 +332,15 @@
The only formating/interpretation done on
the data is to transform nonascii data into a printable (but barely
understandable) form.
-<br><dt><code>timeout</code> <kbd>milliseconds</kbd><dd>Specify a timeout period for responses to server queries.
+<br><dt><code>timeout</code> <code>[</code><kbd>milliseconds</kbd><code>]</code><dd>Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
<code>ntpq</code>
retries each query once after a timeout, the total waiting time for
a timeout will be twice the timeout value set.
-<br><dt><code>version</code><dd>Print the version of the
+<br><dt><code>version</code><dd>Display the version of the
<code>ntpq</code>
program.
</dl>
@@ -338,9 +347,12 @@
<h5 class="subsubsection">Control Message Commands</h5>
-<p>Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode-6 message to the server and expect a single response message.
+<p>Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
<code>peers</code>
command, which sends a series of messages,
@@ -350,38 +362,87 @@
<code>mreadvar</code>
commands, which iterate over a range of associations.
<dl>
-<dt><code>associations</code><dd>Display a list of mobilized associations in the form:
+<dt><code>apeers</code><dd>Display a list of peers in the form:
+ <pre class="example"> [tally]remote refid assid st t when pool reach delay offset jitter
+ </pre>
+ <p>where the output is just like the
+<code>peers</code>
+command except that the
+<code>refid</code>
+is displayed in hex format and the association number is also displayed.
+<br><dt><code>associations</code><dd>Display a list of mobilized associations in the form:
<pre class="example"> ind assid status conf reach auth condition last_event cnt
</pre>
<dl>
-<dt>Sy String Ta Sy Description<br><dt><code>ind</code> <code>Ta</code> <code>index</code> <code>on</code> <code>this</code> <code>list</code><br><dt><code>assid</code> <code>Ta</code> <code>association</code> <code>ID</code><br><dt><code>status</code> <code>Ta</code> <code>peer</code> <code>status</code> <code>word</code><br><dt><code>conf</code> <code>Ta</code> <code>yes</code>: <code>persistent,</code> <code>no</code>: <code>ephemeral</code><br><dt><code>reach</code> <code>Ta</code> <code>yes</code>: <code>reachable,</code> <code>no</code>: <code>unreachable</code><br><dt><code>auth</code> <code>Ta</code> <code>ok</code>, <code>yes</code>, <code>bad</code> <code>and</code> <code>none</code><br><dt><code>condition</code> <code>Ta</code> <code>selection</code> <code>status</code> <code>(see</code> <code>the</code> <code>select</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>last_event</code> <code>Ta</code> <code>event</code> <code>report</code> <code>(see</code> <code>the</code> <code>event</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>cnt</code> <code>Ta</code> <code>event</code> <code>count</code> <code>(see</code> <code>the</code> <code>count</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><dd></dl>
- <br><dt><code>authinfo</code><dd>Display the authentication statistics.
-<br><dt><code>clockvar</code> <kbd>assocID</kbd> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code> <code>[...]</code><br><dt><code>cv</code> <kbd>assocID</kbd> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code> <code>[...]</code><dd>Display a list of clock variables for those associations supporting a reference clock.
-<br><dt><code>:config</code> <code>[...]</code><dd>Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
-<br><dt><code>config-from-file</code> <kbd>filename</kbd><dd>Send the each line of
+<dt>Sy Variable Ta Sy Description<br><dt><code>ind</code> <code>Ta</code> <code>index</code> <code>on</code> <code>this</code> <code>list</code><br><dt><code>assid</code> <code>Ta</code> <code>association</code> <code>id</code><br><dt><code>status</code> <code>Ta</code> <code>peer</code> <code>status</code> <code>word</code><br><dt><code>conf</code> <code>Ta</code> <code>yes</code>: <code>No</code> <code>persistent,</code> <code>no</code>: <code>No</code> <code>ephemeral</code><br><dt><code>reach</code> <code>Ta</code> <code>yes</code>: <code>No</code> <code>reachable,</code> <code>no</code>: <code>No</code> <code>unreachable</code><br><dt><code>auth</code> <code>Ta</code> <code>ok</code>, <code>yes</code>, <code>bad</code> <code>No</code> <code>and</code> <code>none</code><br><dt><code>condition</code> <code>Ta</code> <code>selection</code> <code>status</code> <code>(see</code> <code>the</code> <code>select</code> <code>No</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>last_event</code> <code>Ta</code> <code>event</code> <code>report</code> <code>(see</code> <code>the</code> <code>event</code> <code>No</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><br><dt><code>cnt</code> <code>Ta</code> <code>event</code> <code>count</code> <code>(see</code> <code>the</code> <code>count</code> <code>No</code> <code>field</code> <code>of</code> <code>the</code> <code>peer</code> <code>status</code> <code>word)</code><dd></dl>
+ <br><dt><code>authinfo</code><dd>Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
+<br><dt><code>clocklist</code> <code>[</code><kbd>associd</kbd><code>]</code><br><dt><code>cl</code> <code>[</code><kbd>associd</kbd><code>]</code><dd>Display all clock variables in the variable list for those associations
+supporting a reference clock.
+<br><dt><code>clockvar</code> <code>[</code><kbd>associd</kbd><code>]</code> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code><code>[,...]</code><br><dt><code>cv</code> <code>[</code><kbd>associd</kbd><code>]</code> <code>[</code><kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]]</code><code>[,...]</code><dd>Display a list of clock variables for those associations supporting a
+reference clock.
+<br><dt><code>:config</code> <kbd>configuration command line</kbd><dd>Send the remainder of the command line, including whitespace, to the
+server as a run-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+<br><dt><code>config-from-file</code> <kbd>filename</kbd><dd>Send each line of
<kbd>filename</kbd>
-to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
-<br><dt><code>ifstats</code><dd>Display statistics for each local network address. Authentication is required.
-<br><dt><code>iostats</code><dd>Display network and reference clock I/O statistics.
-<br><dt><code>kerninfo</code><dd>Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
-<br><dt><code>lassociations</code><dd>Perform the same function as the associations command, except display mobilized and unmobilized associations.
-<br><dt><code>lopeers</code> <code>[-4 | -6]</code><dd>Obtain and print a list of all peers and clients showing
-<kbd>dstadr</kbd>
-(associated with any given IP version).
-<br><dt><code>lpeers</code> <code>[-4 | -6]</code><dd>Print a peer spreadsheet for the appropriate IP version(s).
-<kbd>dstadr</kbd>
-(associated with any given IP version).
-<br><dt><code>monstats</code><dd>Display monitor facility statistics.
-<br><dt><code>mrulist</code> <code>[limited | kod | mincount=</code><kbd>count</kbd><code> | laddr=</code><kbd>localaddr</kbd><code> | sort=</code><kbd>sortorder</kbd><code> | resany=</code><kbd>hexmask</kbd><code> | resall=</code><kbd>hexmask</kbd><code>]</code><dd>Obtain and print traffic counts collected and maintained by the monitor facility.
+to the server as run-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
+<br><dt><code>ifstats</code><dd>Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
+<br><dt><code>iostats</code><dd>Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
+<br><dt><code>kerninfo</code><dd>Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
+<br><dt><code>lassociations</code><dd>Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
+<br><dt><code>lopeers</code> <code>[-4|-6]</code><dd>Display a list of all peers and clients showing
+<code>dstadr</code>
+(associated with the given IP version).
+<br><dt><code>lpassociations</code><dd>Display the last obtained list of associations, including all clients.
+<br><dt><code>lpeers</code> <code>[-4|-6]</code><dd>Display a list of all peers and clients (associated with the given IP version).
+<br><dt><code>monstats</code><dd>Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
+<br><dt><code>mreadlist</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd><br><dt><code>mrl</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd><dd>Perform the same function as the
+<code>readlist</code>
+command for a range of association ids.
+<br><dt><code>mreadvar</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd> <code>[</code><kbd>name</kbd><code>]</code><code>[,...]</code><dd>This range may be determined from the list displayed by any
+command showing associations.
+<br><dt><code>mrv</code> <kbd>associdlo</kbd> <kbd>associdhi</kbd> <code>[</code><kbd>name</kbd><code>]</code><code>[,...]</code><dd>Perform the same function as the
+<code>readvar</code>
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+<br><dt><code>mrulist</code> <code>[limited | kod | mincount=</code><kbd>count</kbd><code> | laddr=</code><kbd>localaddr</kbd><code> | sort=[-]</code><kbd>sortorder</kbd><code> | resany=</code><kbd>hexmask</kbd><code> | resall=</code><kbd>hexmask</kbd><code>]</code><dd>Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-<code>sort</code>=<kbd>sortorder</kbd>,
+<code>sort</code>=<code>[-]</code><kbd>sortorder</kbd>,
the options filter the list returned by
-<code>ntpd.</code>
+<code>ntpd(8)</code>.
The
<code>limited</code>
and
<code>kod</code>
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
<code>mincount</code>=<kbd>count</kbd>
option filters entries representing less than
@@ -402,22 +463,26 @@
<kbd>sortorder</kbd>
defaults to
<code>lstint</code>
-and may be any of
+and may be
<code>addr</code>,
+<code>avgint</code>,
<code>count</code>,
-<code>avgint</code>,
<code>lstint</code>,
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+-
+to reverse the sort order.
The output columns are:
<dl>
<dt>Column<dd>Description
-<br><dt><code>lstint</code><dd>Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+<br><dt><code>lstint</code><dd>Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
<code>ntpq</code>
<br><dt><code>avgint</code><dd>Average interval in s between packets from this address.
<br><dt><code>rstr</code><dd>Restriction flags associated with this address.
Most are copied unchanged from the matching
<code>restrict</code>
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
<br><dt><code>r</code><dd>Rate control indicator, either
a period,
<code>L</code>
@@ -429,20 +494,14 @@
<br><dt><code>v</code><dd>Packet version number.
<br><dt><code>count</code><dd>Packets received from this address.
<br><dt><code>rport</code><dd>Source port of last packet from this address.
-<br><dt><code>remote</code> <code>address</code><dd>DNS name, numeric address, or address followed by
+<br><dt><code>remote</code> <code>address</code><dd>host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
</dl>
- <br><dt><code>mreadvar</code> <code>assocID</code> <code>assocID</code> <code>[</code><kbd>variable_name</kbd><code>[=</code><kbd>value</kbd><code>] ...]</code><br><dt><code>mrv</code> <code>assocID</code> <code>assocID</code> <code>[</code><kbd>variable_name</kbd><code>[=</code><kbd>value</kbd><code>] ...]</code><dd>Perform the same function as the
-<code>readvar</code>
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-<code>associations</code>
-command.
-<br><dt><code>opeers</code> <code>[-4 | -6]</code><dd>Obtain and print the old-style list of all peers and clients showing
-<kbd>dstadr</kbd>
-(associated with any given IP version),
+ <br><dt><code>opeers</code> <code>[-4 | -6]</code><dd>Obtain and print the old-style list of all peers and clients showing
+<code>dstadr</code>
+(associated with the given IP version),
rather than the
-<kbd>refid</kbd>.
+<code>refid</code>.
<br><dt><code>passociations</code><dd>Perform the same function as the
<code>associations</code>
command,
@@ -457,18 +516,22 @@
field of the
.Lk decode.html#peer "peer status word"
<br><dt><code>remote</code><dd>host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+<code>ntpq</code>
<code>-w</code>
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
-<br><dt><code>refid</code><dd>association ID or
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
+<br><dt><code>refid</code><dd>source IP address or
.Lk decode.html#kiss "'kiss code"
-<br><dt><code>st</code><dd>stratum
+<br><dt><code>st</code><dd>stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
<br><dt><code>t</code><dd><code>u</code>:
unicast or manycast client,
<code>b</code>:
broadcast or multicast client,
+<code>p</code>:
+pool source,
<code>l</code>:
local (reference clock),
<code>s</code>:
@@ -479,27 +542,29 @@
broadcast server,
<code>M</code>:
multicast server
-<br><dt><code>when</code><dd>sec/min/hr since last received packet
-<br><dt><code>poll</code><dd>poll interval (log2 s)
+<br><dt><code>when</code><dd>time in seconds, minutes, hours, or days since the last packet
+was received, or
+-
+if a packet has never been received
+<br><dt><code>poll</code><dd>poll interval (s)
<br><dt><code>reach</code><dd>reach shift register (octal)
<br><dt><code>delay</code><dd>roundtrip delay
<br><dt><code>offset</code><dd>offset of server relative to this host
-<br><dt><code>jitter</code><dd>jitter
+<br><dt><code>jitter</code><dd>offset RMS error estimate.
</dl>
- <br><dt><code>apeers</code><dd>Display a list of peers in the form:
- <pre class="example"> [tally]remote refid assid st t when pool reach delay offset jitter
- </pre>
- <p>where the output is just like the
-<code>peers</code>
-command except that the
-<code>refid</code>
-is displayed in hex format and the association number is also displayed.
-<br><dt><code>pstats</code> <kbd>assocID</kbd><dd>Show the statistics for the peer with the given
-<kbd>assocID</kbd>.
-<br><dt><code>readlist</code> <kbd>assocID</kbd><br><dt><code>rl</code> <kbd>assocID</kbd><dd>Read the system or peer variables included in the variable list.
-<br><dt><code>readvar</code> <kbd>assocID</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code> <code>[, ...]</code><br><dt><code>rv</code> <kbd>assocID</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>]</code> <code>[, ...]</code><dd>Display the specified variables.
+ <br><dt><code>pstats</code> <kbd>associd</kbd><dd>Display the statistics for the peer with the given
+<kbd>associd</kbd>:
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
+<br><dt><code>readlist</code> <code>[</code><kbd>associd</kbd><code>]</code><br><dt><code>rl</code> <code>[</code><kbd>associd</kbd><code>]</code><dd>Display all system or peer variables.
+If the
+<kbd>associd</kbd>
+is omitted, it is assumed to be zero.
+<br><dt><code>readvar</code> <code>[</code><kbd>associd</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>] [, ...]]</code><br><dt><code>rv</code> <code>[</code><kbd>associd</kbd> <kbd>name</kbd><code>[=</code><kbd>value</kbd><code>] [, ...]]</code><dd>Display the specified system or peer variables.
If
-<kbd>assocID</kbd>
+<kbd>associd</kbd>
is zero, the variables are from the
<a href="#System-Variables">System Variables</a>
name space, otherwise they are from the
@@ -506,52 +571,70 @@
<a href="#Peer-Variables">Peer Variables</a>
name space.
The
-<kbd>assocID</kbd>
+<kbd>associd</kbd>
is required, as the same name can occur in both spaces.
If no
<kbd>name</kbd>
-is included, all operative variables in the name space are displayed.
-
- <p>In this case only, if the
-<kbd>assocID</kbd>
-is omitted, it is assumed zero.
+is included, all operative variables in the name space are displayed.
+In this case only, if the
+<kbd>associd</kbd>
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts-per-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
-<br><dt><code>reslist</code><dd>Show the access control (restrict) list for
+<kbd>YYYY</kbd><kbd>MM</kbd> <kbd>DD</kbd> <kbd>TTTT</kbd>,
+where
+<kbd>YYYY</kbd>
+is the year,
+<kbd>MM</kbd>
+the month of year,
+<kbd>DD</kbd>
+the day of month and
+<kbd>TTTT</kbd>
+the time of day.
+<br><dt><code>reslist</code><dd>Display the access control (restrict) list for
<code>ntpq</code>
-
- <br><dt><code>saveconfig</code> <kbd>filename</kbd><dd>Write the current configuration,
-including any runtime modifications given with
+Authentication is required.
+<br><dt><code>saveconfig</code> <kbd>filename</kbd><dd>Save the current configuration,
+including any runtime modifications made by
<code>:config</code>
or
<code>config-from-file</code>,
-to the ntpd host's file
+to the NTP server host file
<kbd>filename</kbd>.
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-<code>ntpd</code>
+<code>ntpd(8)</code>
configuration file.
<kbd>filename</kbd>
can use
-<code>strftime()</code>
-format specifies to substitute the current date and time, for example,
-<code>q]saveconfig</code> <code>ntp-%Y%m%d-%H%M%S.confq]</code>.
-The filename used is stored in system variable
+<code>date(1)</code>
+format specifiers to substitute the current date and time, for
+example,
+ <pre class="example"> <code>saveconfig</code> <span class="file">ntp-%Y%m%d-%H%M%S.conf</span>.
+ </pre>
+ <p>The filename used is stored in system variable
<code>savedconfig</code>.
Authentication is required.
-<br><dt><code>timerstats</code><dd>Display interval timer counters.
-<br><dt><code>writelist</code> <kbd>assocID</kbd><dd>Write the system or peer variables included in the variable list.
-<br><dt><code>writevar</code> <kbd>assocID</kbd> <kbd>name</kbd>=<kbd>value</kbd> <code>[, ...]</code><dd>Write the specified variables.
+<br><dt><code>sysinfo</code><dd>Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+<br><dt><code>sysstats</code><dd>Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
+<br><dt><code>timerstats</code><dd>Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
+<br><dt><code>writelist</code> <kbd>associd</kbd><dd>Set all system or peer variables included in the variable list.
+<br><dt><code>writevar</code> <kbd>associd</kbd> <kbd>name</kbd>=<kbd>value</kbd> <code>[, ...]</code><dd>Set the specified variables in the variable list.
If the
-<kbd>assocID</kbd>
+<kbd>associd</kbd>
is zero, the variables are from the
<a href="#System-Variables">System Variables</a>
name space, otherwise they are from the
@@ -558,10 +641,9 @@
<a href="#Peer-Variables">Peer Variables</a>
name space.
The
-<kbd>assocID</kbd>
+<kbd>associd</kbd>
is required, as the same name can occur in both spaces.
-<br><dt><code>sysinfo</code><dd>Display operational summary.
-<br><dt><code>sysstats</code><dd>Print statistics counters maintained in the protocol module.
+Authentication is required.
</dl>
<h5 class="subsubsection">Status Words and Kiss Codes</h5>
@@ -570,10 +652,10 @@
in a set of status words
maintained by the system.
Status information is also available on a per-association basis.
-These words are displayed in the
-<code>rv</code>
+These words are displayed by the
+<code>readlist</code>
and
-<code>as</code>
+<code>associations</code>
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -592,9 +674,10 @@
<h5 class="subsubsection">System Variables</h5>
<p>The following system variables appear in the
-<code>rv</code>
+<code>readlist</code>
billboard.
Not all variables are displayed in some configurations.
+
<dl>
<dt>Variable<dd>Description
<br><dt><code>status</code><dd>.Lk decode.html#sys "system status word"
@@ -606,16 +689,16 @@
<br><dt><code>precision</code><dd>precision (log2 s)
<br><dt><code>rootdelay</code><dd>total roundtrip delay to the primary reference clock
<br><dt><code>rootdisp</code><dd>total dispersion to the primary reference clock
-<br><dt><code>peer</code><dd>system peer association ID
+<br><dt><code>refid</code><dd>reference id or
+.Lk decode.html#kiss "kiss code"
+<br><dt><code>reftime</code><dd>reference time
+<br><dt><code>clock</code><dd>date and time of day
+<br><dt><code>peer</code><dd>system peer association id
<br><dt><code>tc</code><dd>time constant and poll exponent (log2 s) (3-17)
<br><dt><code>mintc</code><dd>minimum time constant (log2 s) (3-10)
-<br><dt><code>clock</code><dd>date and time of day
-<br><dt><code>refid</code><dd>reference ID or
-.Lk decode.html#kiss "kiss code"
-<br><dt><code>reftime</code><dd>reference time
-<br><dt><code>offset</code><dd>combined offset of server relative to this host
+<br><dt><code>offset</code><dd>combined offset of server relative to this host
+<br><dt><code>frequency</code><dd>frequency drift (PPM) relative to hardware clock
<br><dt><code>sys_jitter</code><dd>combined system jitter
-<br><dt><code>frequency</code><dd>frequency offset (PPM) relative to hardware clock
<br><dt><code>clk_wander</code><dd>clock frequency wander (PPM)
<br><dt><code>clk_jitter</code><dd>clock jitter
<br><dt><code>tai</code><dd>TAI-UTC offset (s)
@@ -630,7 +713,6 @@
additional system variables are displayed,
including some or all of the following,
depending on the particular Autokey dance:
-
<dl>
<dt>Variable<dd>Description
<br><dt><code>host</code><dd>Autokey host name for this host
@@ -646,13 +728,13 @@
<h5 class="subsubsection">Peer Variables</h5>
<p>The following peer variables appear in the
-<code>rv</code>
+<code>readlist</code>
billboard for each association.
Not all variables are displayed in some configurations.
<dl>
<dt>Variable<dd>Description
-<br><dt><code>associd</code><dd>association ID
+<br><dt><code>associd</code><dd>association id
<br><dt><code>status</code><dd>.Lk decode.html#peer "peer status word"
<br><dt><code>srcadr</code><dd>source (remote) IP address
<br><dt><code>srcport</code><dd>source (remote) port
@@ -663,9 +745,10 @@
<br><dt><code>precision</code><dd>precision (log2 s)
<br><dt><code>rootdelay</code><dd>total roundtrip delay to the primary reference clock
<br><dt><code>rootdisp</code><dd>total root dispersion to the primary reference clock
-<br><dt><code>refid</code><dd>reference ID or
+<br><dt><code>refid</code><dd>reference id or
.Lk decode.html#kiss "kiss code"
<br><dt><code>reftime</code><dd>reference time
+<br><dt><code>rec</code><dd>last packet received time
<br><dt><code>reach</code><dd>reach register (octal)
<br><dt><code>unreach</code><dd>unreach counter
<br><dt><code>hmode</code><dd>host mode (1-6)
@@ -675,11 +758,11 @@
<br><dt><code>headway</code><dd>headway (see
.Lk rate.html "Rate Management and the Kiss-o'-Death Packet" )
<br><dt><code>flash</code><dd>.Lk decode.html#flash "flash status word"
+<br><dt><code>keyid</code><dd>symmetric key id
<br><dt><code>offset</code><dd>filter offset
<br><dt><code>delay</code><dd>filter delay
<br><dt><code>dispersion</code><dd>filter dispersion
<br><dt><code>jitter</code><dd>filter jitter
-<br><dt><code>ident</code><dd>Autokey group name for this association
<br><dt><code>bias</code><dd>unicast/broadcast bias
<br><dt><code>xleave</code><dd>interleave delay (see
.Lk xleave.html "NTP Interleaved Modes" )
@@ -688,7 +771,8 @@
<code>bias</code>
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
<code>xleave</code>
variable appears only for the interleaved symmetric and interleaved modes.
@@ -703,20 +787,21 @@
<br><dt><code>host</code><dd>Autokey server name
<br><dt><code>flags</code><dd>peer flags (see Autokey specification)
<br><dt><code>signature</code><dd>OpenSSL digest/signature scheme
-<br><dt><code>initsequence</code><dd>initial key ID
+<br><dt><code>initsequence</code><dd>initial key id
<br><dt><code>initkey</code><dd>initial key index
<br><dt><code>timestamp</code><dd>Autokey signature timestamp
+<br><dt><code>ident</code><dd>Autokey group name for this association
</dl>
<h5 class="subsubsection">Clock Variables</h5>
<p>The following clock variables appear in the
-<code>cv</code>
+<code>clocklist</code>
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
<dl>
<dt>Variable<dd>Description
-<br><dt><code>associd</code><dd>association ID
+<br><dt><code>associd</code><dd>association id
<br><dt><code>status</code><dd>.Lk decode.html#clock "clock status word"
<br><dt><code>device</code><dd>device description
<br><dt><code>timecode</code><dd>ASCII time code string (specific to device)
@@ -727,7 +812,7 @@
<br><dt><code>fudgetime1</code><dd>fudge time 1
<br><dt><code>fudgetime2</code><dd>fudge time 2
<br><dt><code>stratum</code><dd>driver stratum
-<br><dt><code>refid</code><dd>driver reference ID
+<br><dt><code>refid</code><dd>driver reference id
<br><dt><code>flags</code><dd>driver flags
</dl>
@@ -770,12 +855,12 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntpq - standard NTP query program - Ver. 4.2.8p10-beta
+<pre class="example">ntpq - standard NTP query program - Ver. 4.2.8p10
Usage: ntpq [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [ host ...]
Flg Arg Option-Name Description
- -4 no ipv4 Force IPv4 DNS name resolution
+ -4 no ipv4 Force IPv4 name resolution
- prohibits the option 'ipv6'
- -6 no ipv6 Force IPv6 DNS name resolution
+ -6 no ipv6 Force IPv6 name resolution
- prohibits the option 'ipv4'
-c Str command run a command and exit
- may appear multiple times
@@ -826,7 +911,7 @@
<h4 class="subsection">ipv4 option (-4)</h4>
<p><a name="index-ntpq_002dipv4-4"></a>
-This is the &ldquo;force ipv4 dns name resolution&rdquo; option.
+This is the &ldquo;force ipv4 name resolution&rdquo; option.
<p class="noindent">This option has some usage constraints. It:
<ul>
@@ -834,7 +919,7 @@
ipv6.
</ul>
- <p>Force DNS resolution of following host names on the command line
+ <p>Force resolution of following host names on the command line
to the IPv4 namespace.
<div class="node">
<p><hr>
@@ -847,7 +932,7 @@
<h4 class="subsection">ipv6 option (-6)</h4>
<p><a name="index-ntpq_002dipv6-5"></a>
-This is the &ldquo;force ipv6 dns name resolution&rdquo; option.
+This is the &ldquo;force ipv6 name resolution&rdquo; option.
<p class="noindent">This option has some usage constraints. It:
<ul>
@@ -855,7 +940,7 @@
ipv4.
</ul>
- <p>Force DNS resolution of following host names on the command line
+ <p>Force resolution of following host names on the command line
to the IPv6 namespace.
<div class="node">
<p><hr>
@@ -1185,7 +1270,7 @@
with default <code>MD5</code>.
If the OpenSSL library is installed,
digest can be be any message digest algorithm supported by the library.
-The current selections are: <code>MD2</code>, <code>MD4</code>, <code>MD5</code>, <code>MDC2</code>, <code>RIPEMD160</code>, <code>SHA</code> and <code>SHA1</code>.
+The current selections are: <code>AES128CMAC</code>, <code>MD2</code>, <code>MD4</code>, <code>MD5</code>, <code>MDC2</code>, <code>RIPEMD160</code>, <code>SHA</code> and <code>SHA1</code>.
<br><dt><code><a name="ntpversion"></a> ntpversion 1 | 2 | 3 | 4</code><dd>Sets the NTP version number which <code>ntpq</code> claims in packets.
Defaults to 2.
Index: contrib/ntp/ntpsnmpd/Makefile.in
===================================================================
--- contrib/ntp/ntpsnmpd/Makefile.in (版本 330566)
+++ contrib/ntp/ntpsnmpd/Makefile.in (版本 330908)
@@ -106,6 +106,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -1198,7 +1199,6 @@
#
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd-opts.h (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.h)
*
- * It has been AutoGen-ed March 21, 2017 at 10:45:36 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:15:31 PM by AutoGen 5.18.5
* From the definitions ntpsnmpd-opts.def
* and the template file options
*
@@ -76,9 +76,9 @@
/** count of all options for ntpsnmpd */
#define OPTION_CT 8
/** ntpsnmpd version */
-#define NTPSNMPD_VERSION "4.2.8p10"
+#define NTPSNMPD_VERSION "4.2.8p11"
/** Full ntpsnmpd version text */
-#define NTPSNMPD_FULL_VERSION "ntpsnmpd 4.2.8p10"
+#define NTPSNMPD_FULL_VERSION "ntpsnmpd 4.2.8p11"
/**
* Interface defines for all options. Replace "n" with the UPPER_CASED
Index: contrib/ntp/ntpsnmpd/ntpsnmpd.man.in
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd.man.in (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpsnmpd @NTPSNMPD_MS@ "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpsnmpd @NTPSNMPD_MS@ "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-yhaGex/ag-6haacx)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-_Ia4FU/ag-lJaWEU)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:33 PM by AutoGen 5.18.5
.\" From the definitions ntpsnmpd-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/Makefile.in
===================================================================
--- contrib/ntp/scripts/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman
===================================================================
--- contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH calc_tickadj 1calc_tickadjman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH calc_tickadj 1calc_tickadjman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bsaa0i/ag-osaiZi)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-mfaiQP/ag-zfaqPP)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:39:52 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:40 AM by AutoGen 5.18.5
.\" From the definitions calc_tickadj-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in
===================================================================
--- contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/calc_tickadj.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt CALC_TICKADJ 1calc_tickadjmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (calc_tickadj-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:39:54 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:43 AM by AutoGen 5.18.5
.\" From the definitions calc_tickadj-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/lib/Makefile.in
===================================================================
--- contrib/ntp/scripts/lib/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/lib/Makefile.in (版本 330908)
@@ -100,6 +100,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/ntpq/Makefile.am
===================================================================
--- contrib/ntp/ntpq/Makefile.am (版本 330566)
+++ contrib/ntp/ntpq/Makefile.am (版本 330908)
@@ -21,9 +21,13 @@
ntpq_LDADD += ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM)
ntpq_LDADD += $(PTHREAD_LIBS) $(EDITLINE_LIBS)
ntpq_LDADD += $(LDADD_NTP)
+ntpq_LDADD += $(NTP_HARD_LDFLAGS)
noinst_HEADERS= ntpq.h
noinst_LIBRARIES= libntpq.a
-libntpq_a_CFLAGS= -DNO_MAIN_ALLOWED -DBUILD_AS_LIB
+libntpq_a_CFLAGS= $(AM_CFLAGS)
+libntpq_a_CFLAGS+= -DNO_MAIN_ALLOWED -DBUILD_AS_LIB
+libntpq_a_CPPFLAGS= $(AM_CPPFLAGS)
+libntpq_a_LDFLAGS= $(AM_LDFLAGS)
CLEANFILES=
DISTCLEANFILES= .version version.c config.log $(man_MANS)
ETAGS_ARGS= Makefile.am
Index: contrib/ntp/ntpq/ntpq-opts.def
===================================================================
--- contrib/ntp/ntpq/ntpq-opts.def (版本 330566)
+++ contrib/ntp/ntpq/ntpq-opts.def (版本 330908)
@@ -14,9 +14,9 @@
name = ipv4;
flags-cant = ipv6;
value = 4;
- descrip = "Force IPv4 DNS name resolution";
+ descrip = "Force IPv4 name resolution";
doc = <<- _EndOfDoc_
- Force DNS resolution of following host names on the command line
+ Force resolution of following host names on the command line
to the IPv4 namespace.
_EndOfDoc_;
};
@@ -25,9 +25,9 @@
name = ipv6;
flags-cant = ipv4;
value = 6;
- descrip = "Force IPv6 DNS name resolution";
+ descrip = "Force IPv6 name resolution";
doc = <<- _EndOfDoc_
- Force DNS resolution of following host names on the command line
+ Force resolution of following host names on the command line
to the IPv6 namespace.
_EndOfDoc_;
};
@@ -67,7 +67,7 @@
descrip = "numeric host addresses";
doc = <<- _EndOfDoc_
Output all host addresses in dotted-quad numeric format rather than
- converting to the canonical host names.
+ converting to the canonical host names.
_EndOfDoc_;
};
@@ -126,16 +126,12 @@
ds-type = 'DESCRIPTION';
ds-format = 'mdoc';
ds-text = <<- _END_PROG_MDOC_DESCRIP
-
+.Pp
The
.Nm
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -146,7 +142,7 @@
utility can also obtain and print a
list of peers in a common format by sending multiple queries to the
server.
-
+.Pp
If one or more request options is included on the command line
when
.Nm
@@ -164,7 +160,7 @@
.Nm
utility will prompt for
commands if the standard input is a terminal device.
-
+.Pp
.Nm
uses NTP mode 6 packets to communicate with the
NTP server, and hence can be used to query any compatible server on
@@ -178,7 +174,17 @@
one attempt to retransmit requests, and will time requests out if
the remote host is not heard from within a suitable timeout
time.
-
+.Pp
+Note that in contexts where a host name is expected, a
+.Fl 4
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+.Fl 6
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+.Dq NTP Debugging Techniques
+page.
+.Pp
Specifying a
command line option other than
.Fl i
@@ -191,53 +197,48 @@
.Nm
will attempt to read
interactive format commands from the standard input.
+
.Ss "Internal Commands"
+.Pp
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
uniquely identify the command need be typed.
-
+.Pp
A
number of interactive format commands are executed entirely within
the
.Nm
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
-.Bl -tag -width "? [command_keyword]" -compact -offset indent
-.It Ic ? Op Ar command_keyword
-.It Ic help Op Ar command_keyword
+.Bl -tag -width "help [command]" -compact -offset indent
+.It Ic ? Op Ar command
+.It Ic help Op Ar command
A
.Ql \&?
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
.Nm .
A
.Ql \&?
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-.Nm
-than this manual
-page.
-.It Ic addvars Ar variable_name Ns Xo Op Ic =value
-.Ic ...
-.Xc
-.It Ic rmvars Ar variable_name Ic ...
+.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,...
+.It Ic rmvars Ar name Ns Op ,...
.It Ic clearvars
.It Ic showvars
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-.Ql variable_name=value ,
+.Ar name Ns Op \&= Ns Ar value ,
where the
-.Ql =value
+.No \&= Ns Ar value
is ignored, and can be omitted,
in requests to the server to read variables.
The
.Nm
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
.Ic readlist
and
.Ic writelist
@@ -252,35 +253,31 @@
.Ic rmvars
command can be used to remove individual variables from the list,
while the
-.Ic clearlist
+.Ic clearvars
command removes all variables from the
list.
The
.Ic showvars
command displays the current list of optional variables.
-.It Ic authenticate Op yes | no
+.It Ic authenticate Op Cm yes Ns | Ns Cm no
Normally
.Nm
does not authenticate requests unless
they are write requests.
The command
-.Ql authenticate yes
+.Ic authenticate Cm yes
causes
.Nm
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-.Ic peer
-display.
+requests slightly differently.
The command
-.Ql authenticate
+.Ic authenticate
causes
.Nm
to display whether or not
-.Nm
-is currently autheinticating requests.
+it is currently authenticating requests.
.It Ic cooked
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -289,20 +286,13 @@
values reformatted for human consumption.
Variables which
.Nm
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
.Ql \&? .
-.It Xo
-.Ic debug
-.Oo
-.Cm more |
-.Cm less |
-.Cm off
-.Oc
-.Xc
+.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
-.It Ic delay Ar milliseconds
+Otherwise, the debugging level is changed as indicated.
+.It Ic delay Op Ar milliseconds
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -311,14 +301,21 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
+.It Ic drefid Op Cm hash Ns | Ns Cm ipv4
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
.It Ic exit
Exit
.Nm .
-.It Ic host Ar hostname
+.It Ic host Op Ar name
Set the host to which future queries will be sent.
-.Ar hostname
+The
+.Ar name
may be either a host name or a numeric address.
-.It Ic hostnames Op Cm yes | Cm no
+Without any arguments, displays the current host.
+.It Ic hostnames Op Cm yes Ns | Ns Cm no
If
.Cm yes
is specified, host names are printed in
@@ -333,7 +330,9 @@
modified using the command line
.Fl n
switch.
-.It Ic keyid Ar keyid
+Without any arguments, displays whether host names or numeric addresses
+are shown.
+.It Ic keyid Op Ar keyid
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -341,28 +340,20 @@
.Cm controlkey
key number the server has been configured to use for this
purpose.
-.It Ic keytype Xo Oo
-.Cm md5 |
-.Cm OpenSSLDigestType
-.Oc
-.Xc
-Specify the type of key to use for authenticating requests.
-.Cm md5
-is alway supported.
+Without any arguments, displays the current
+.Ar keyid .
+.It Ic keytype Op Ar digest
+Specify the digest algorithm to use for authenticating requests, with default
+.Cm MD5 .
If
.Nm
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+.Ar digest
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-.Ic keytype
-is displayed.
-.It Ic ntpversion Xo Oo
-.Cm 1 |
-.Cm 2 |
-.Cm 3 |
-.Cm 4
-.Oc
-.Xc
+.Ic keytype Ar digest
+algorithm used is displayed.
+.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4
Sets the NTP version number which
.Nm
claims in
@@ -380,13 +371,11 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-.\" Not yet implemented.
-.\" .It Ic poll
-.\" .Op Ar n
-.\" .Op Ic verbose
-.\" Poll an NTP server in client mode
-.\" .Ar n
-.\" times.
+.It Ic poll Oo Ar n Oc Op Cm verbose
+Poll an NTP server in client mode
+.Ar n
+times.
+Poll not implemented yet.
.It Ic quit
Exit
.Nm .
@@ -396,96 +385,151 @@
The only formating/interpretation done on
the data is to transform nonascii data into a printable (but barely
understandable) form.
-.It Ic timeout Ar milliseconds
+.It Ic timeout Op Ar milliseconds
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
.Nm
retries each query once after a timeout, the total waiting time for
a timeout will be twice the timeout value set.
.It Ic version
-Print the version of the
+Display the version of the
.Nm
program.
.El
.Ss "Control Message Commands"
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
-.Li peers
+.Ic peers
command, which sends a series of messages,
and the
-.Li mreadlist
+.Ic mreadlist
and
-.Li mreadvar
+.Ic mreadvar
commands, which iterate over a range of associations.
.Bl -tag -width "something" -compact -offset indent
-.It Cm associations
+.It Ic apeers
+Display a list of peers in the form:
+.Dl [tally]remote refid assid st t when pool reach delay offset jitter
+where the output is just like the
+.Ic peers
+command except that the
+.Cm refid
+is displayed in hex format and the association number is also displayed.
+.It Ic associations
Display a list of mobilized associations in the form:
.Dl ind assid status conf reach auth condition last_event cnt
-.Bl -column -offset indent ".Sy Variable" ".Sy Description"
-.It Sy String Ta Sy Description
-.It Li ind Ta index on this list
-.It Li assid Ta association ID
-.It Li status Ta peer status word
-.It Li conf Ta Li yes : persistent, Li no : ephemeral
-.It Li reach Ta Li yes : reachable, Li no : unreachable
-.It Li auth Ta Li ok , Li yes , Li bad and Li none
-.It Li condition Ta selection status (see the Li select field of the peer status word)
-.It Li last_event Ta event report (see the Li event field of the peer status word)
-.It Li cnt Ta event count (see the Li count field of the peer status word)
+.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word"
+.It Sy Variable Ta Sy Description
+.It Cm ind Ta index on this list
+.It Cm assid Ta association id
+.It Cm status Ta peer status word
+.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral
+.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable
+.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none
+.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&)
+.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&)
+.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&)
.El
-.It Cm authinfo
-Display the authentication statistics.
-.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-Display a list of clock variables for those associations supporting a reference clock.
-.It Cm :config Op ...
-Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
-.It Cm config-from-file Ar filename
-Send the each line of
+.It Ic authinfo
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
+.It Ic clocklist Op Ar associd
+.It Ic cl Op Ar associd
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
+.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+Display a list of clock variables for those associations supporting a
+reference clock.
+.It Ic :config Ar "configuration command line"
+Send the remainder of the command line, including whitespace, to the
+server as a run-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+.It Ic config-from-file Ar filename
+Send each line of
.Ar filename
-to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
.It Ic ifstats
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
.It Ic iostats
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
.It Ic kerninfo
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
.It Ic lassociations
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
-.It Ic lopeers Xo
-.Oo Ic -4 |
-.Ic -6
-.Oc
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
+.It Ic lopeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients showing
+.Cm dstadr
+(associated with the given IP version).
+.It Ic lpassociations
+Display the last obtained list of associations, including all clients.
+.It Ic lpeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients (associated with the given IP version).
+.It Ic monstats
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
+.It Ic mreadlist Ar associdlo Ar associdhi
+.It Ic mrl Ar associdlo Ar associdhi
+Perform the same function as the
+.Ic readlist
+command for a range of association ids.
+.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+This range may be determined from the list displayed by any
+command showing associations.
+.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+Perform the same function as the
+.Ic readvar
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count |
+.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&- Oc Ns Ar sortorder |
+.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc
.Xc
-Obtain and print a list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version).
-.It Ic lpeers Xo
-.Oo Ic -4 |
-.Ic -6
-.Oc
-.Xc
-Print a peer spreadsheet for the appropriate IP version(s).
-.Ar dstadr
-(associated with any given IP version).
-.It Ic monstats
-Display monitor facility statistics.
-.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc
-Obtain and print traffic counts collected and maintained by the monitor facility.
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-.Cm sort Ns = Ns Ar sortorder ,
+.Cm sort Ns \&= Ns Oo \&- Oc Ns Ar sortorder ,
the options filter the list returned by
-.Cm ntpd.
+.Xr ntpd 8 .
The
.Cm limited
and
.Cm kod
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
.Cm mincount Ns = Ns Ar count
option filters entries representing less than
@@ -506,18 +550,21 @@
.Ar sortorder
defaults to
.Cm lstint
-and may be any of
+and may be
.Cm addr ,
+.Cm avgint ,
.Cm count ,
-.Cm avgint ,
.Cm lstint ,
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+.Ql \&-
+to reverse the sort order.
The output columns are:
.Bl -tag -width "something" -compact -offset indent
.It Column
Description
.It Ic lstint
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
.Nm .
.It Ic avgint
Average interval in s between packets from this address.
@@ -525,7 +572,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
.Ic restrict
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
.It Ic r
Rate control indicator, either
a period,
@@ -543,27 +591,15 @@
.It Ic rport
Source port of last packet from this address.
.It Ic remote address
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
.El
-.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-Perform the same function as the
-.Ic readvar
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-.Ic associations
-command.
-.It Ic opeers Xo
-.Oo Ic -4 |
-.Ic -6
-.Oc
-.Xc
+.It Ic opeers Op Fl 4 | Fl 6
Obtain and print the old-style list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version),
+.Cm dstadr
+(associated with the given IP version),
rather than the
-.Ar refid .
+.Cm refid .
.It Ic passociations
Perform the same function as the
.Ic associations
@@ -575,28 +611,32 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic [tally]
+.It Cm [tally]
single-character code indicating current value of the
.Ic select
field of the
.Lk decode.html#peer "peer status word"
-.It Ic remote
+.It Cm remote
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+.Nm
.Fl w
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
-.It Ic refid
-association ID or
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
+.It Cm refid
+source IP address or
.Lk decode.html#kiss "'kiss code"
-.It Ic st
-stratum
-.It Ic t
+.It Cm st
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
+.It Cm t
.Ic u :
unicast or manycast client,
.Ic b :
broadcast or multicast client,
+.Ic p :
+pool source,
.Ic l :
local (reference clock),
.Ic s :
@@ -607,38 +647,40 @@
broadcast server,
.Ic M :
multicast server
-.It Ic when
-sec/min/hr since last received packet
-.It Ic poll
-poll interval (log2 s)
-.It Ic reach
+.It Cm when
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+.Ql \&-
+if a packet has never been received
+.It Cm poll
+poll interval (s)
+.It Cm reach
reach shift register (octal)
-.It Ic delay
+.It Cm delay
roundtrip delay
-.It Ic offset
+.It Cm offset
offset of server relative to this host
-.It Ic jitter
-jitter
+.It Cm jitter
+offset RMS error estimate.
.El
-.It Ic apeers
-Display a list of peers in the form:
-.Dl [tally]remote refid assid st t when pool reach delay offset jitter
-where the output is just like the
-.Ic peers
-command except that the
-.Ic refid
-is displayed in hex format and the association number is also displayed.
-.It Ic pstats Ar assocID
-Show the statistics for the peer with the given
-.Ar assocID .
-.It Ic readlist Ar assocID
-.It Ic rl Ar assocID
-Read the system or peer variables included in the variable list.
-.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-Display the specified variables.
+.It Ic pstats Ar associd
+Display the statistics for the peer with the given
+.Ar associd :
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
+.It Ic readlist Op Ar associd
+.It Ic rl Op Ar associd
+Display all system or peer variables.
+If the
+.Ar associd
+is omitted, it is assumed to be zero.
+.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+Display the specified system or peer variables.
If
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -645,57 +687,76 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
If no
.Ar name
is included, all operative variables in the name space are displayed.
-
In this case only, if the
-.Ar assocID
-is omitted, it is assumed zero.
+.Ar associd
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts-per-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+.Ar YYYY Ns Ar MM Ar DD Ar TTTT ,
+where
+.Ar YYYY
+is the year,
+.Ar MM
+the month of year,
+.Ar DD
+the day of month and
+.Ar TTTT
+the time of day.
.It Ic reslist
-Show the access control (restrict) list for
+Display the access control (restrict) list for
.Nm .
-
+Authentication is required.
.It Ic saveconfig Ar filename
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
.Ic :config
or
.Ic config-from-file ,
-to the ntpd host's file
+to the NTP server host file
.Ar filename .
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-.Ic ntpd
+.Xr ntpd 8
configuration file.
.Ar filename
can use
-.Xr strftime
-format specifies to substitute the current date and time, for example,
-.Ic q]saveconfig ntp-%Y%m%d-%H%M%S.confq] .
+.Xr date 1
+format specifiers to substitute the current date and time, for
+example,
+.D1 Ic saveconfig Pa ntp-%Y%m%d-%H%M%S.conf .
The filename used is stored in system variable
-.Ic savedconfig .
+.Cm savedconfig .
Authentication is required.
+.It Ic sysinfo
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+.It Ic sysstats
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
.It Ic timerstats
-Display interval timer counters.
-.It Ic writelist Ar assocID
-Write the system or peer variables included in the variable list.
-.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ...
-Write the specified variables.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
+.It Ic writelist Ar associd
+Set all system or peer variables included in the variable list.
+.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ...
+Set the specified variables in the variable list.
If the
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -702,24 +763,20 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
-.It Ic sysinfo
-Display operational summary.
-.It Ic sysstats
-Print statistics counters maintained in the protocol module.
+Authentication is required.
.El
.Ss Status Words and Kiss Codes
-
The current state of the operating program is shown
in a set of status words
maintained by the system.
Status information is also available on a per-association basis.
-These words are displayed in the
-.Ic rv
+These words are displayed by the
+.Ic readlist
and
-.Ic as
+.Ic associations
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -737,58 +794,59 @@
.Ss System Variables
The following system variables appear in the
-.Ic rv
+.Ic readlist
billboard.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic status
+.It Cm status
.Lk decode.html#sys "system status word"
-.It Ic version
+.It Cm version
NTP software version and build time
-.It Ic processor
+.It Cm processor
hardware platform and version
-.It Ic system
+.It Cm system
operating system and version
-.It Ic leap
+.It Cm leap
leap warning indicator (0-3)
-.It Ic stratum
+.It Cm stratum
stratum (1-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total dispersion to the primary reference clock
-.It Ic peer
-system peer association ID
-.It Ic tc
+.It Cm refid
+reference id or
+.Lk decode.html#kiss "kiss code"
+.It Cm reftime
+reference time
+.It Ic clock
+date and time of day
+.It Cm peer
+system peer association id
+.It Cm tc
time constant and poll exponent (log2 s) (3-17)
-.It Ic mintc
+.It Cm mintc
minimum time constant (log2 s) (3-10)
-.It Ic clock
-date and time of day
-.It Ic refid
-reference ID or
-.Lk decode.html#kiss "kiss code"
-.It Ic reftime
-reference time
-.It Ic offset
-combined offset of server relative to this host
-.It Ic sys_jitter
+.It Cm offset
+combined offset of server relative to this host
+.It Cm frequency
+frequency drift (PPM) relative to hardware clock
+.It Cm sys_jitter
combined system jitter
-.It Ic frequency
-frequency offset (PPM) relative to hardware clock
-.It Ic clk_wander
+.It Cm clk_wander
clock frequency wander (PPM)
-.It Ic clk_jitter
+.It Cm clk_jitter
clock jitter
-.It Ic tai
+.It Cm tai
TAI-UTC offset (s)
-.It Ic leapsec
+.It Cm leapsec
NTP seconds when the next leap second is/was inserted
-.It Ic expire
+.It Cm expire
NTP seconds when the NIST leapseconds file expires
.El
The jitter and wander statistics are exponentially-weighted RMS averages.
@@ -799,103 +857,105 @@
additional system variables are displayed,
including some or all of the following,
depending on the particular Autokey dance:
-
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic host
+.It Cm host
Autokey host name for this host
-.It Ic ident
+.It Cm ident
Autokey group name for this host
-.It Ic flags
+.It Cm flags
host flags (see Autokey specification)
-.It Ic digest
+.It Cm digest
OpenSSL message digest algorithm
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic update
+.It Cm update
NTP seconds at last signature update
-.It Ic cert
+.It Cm cert
certificate subject, issuer and certificate flags
-.It Ic until
+.It Cm until
NTP seconds when the certificate expires
.El
.Ss Peer Variables
The following peer variables appear in the
-.Ic rv
+.Ic readlist
billboard for each association.
Not all variables are displayed in some configurations.
-
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#peer "peer status word"
-.It Ic srcadr
+.It Cm srcadr
source (remote) IP address
-.It Ic srcport
+.It Cm srcport
source (remote) port
-.It Ic dstadr
+.It Cm dstadr
destination (local) IP address
-.It Ic dstport
+.It Cm dstport
destination (local) port
-.It Ic leap
+.It Cm leap
leap indicator (0-3)
-.It Ic stratum
+.It Cm stratum
stratum (0-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total root dispersion to the primary reference clock
-.It Ic refid
-reference ID or
+.It Cm refid
+reference id or
.Lk decode.html#kiss "kiss code"
-.It Ic reftime
+.It Cm reftime
reference time
-.It Ic reach
+.It Cm rec
+last packet received time
+.It Cm reach
reach register (octal)
-.It Ic unreach
+.It Cm unreach
unreach counter
-.It Ic hmode
+.It Cm hmode
host mode (1-6)
-.It Ic pmode
+.It Cm pmode
peer mode (1-5)
-.It Ic hpoll
+.It Cm hpoll
host poll exponent (log2 s) (3-17)
-.It Ic ppoll
+.It Cm ppoll
peer poll exponent (log2 s) (3-17)
-.It Ic headway
+.It Cm headway
headway (see
.Lk rate.html "Rate Management and the Kiss-o'-Death Packet" )
-.It Ic flash
+.It Cm flash
.Lk decode.html#flash "flash status word"
-.It Ic offset
+.It Cm keyid
+symmetric key id
+.It Cm offset
filter offset
-.It Ic delay
+.It Cm delay
filter delay
-.It Ic dispersion
+.It Cm dispersion
filter dispersion
-.It Ic jitter
+.It Cm jitter
filter jitter
-.It Ic ident
-Autokey group name for this association
-.It Ic bias
+.It Cm bias
unicast/broadcast bias
-.It Ic xleave
+.It Cm xleave
interleave delay (see
.Lk xleave.html "NTP Interleaved Modes" )
.El
The
-.Ic bias
+.Cm bias
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
-.Ic xleave
+.Cm xleave
variable appears only for the interleaved symmetric and interleaved modes.
It represents the internal queuing, buffering and transmission delays
for the preceding packet.
@@ -905,55 +965,57 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic host
+.It Cm host
Autokey server name
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic initsequence
-initial key ID
-.It Ic initkey
+.It Cm initsequence
+initial key id
+.It Cm initkey
initial key index
-.It Ic timestamp
+.It Cm timestamp
Autokey signature timestamp
+.It Cm ident
+Autokey group name for this association
.El
.Ss Clock Variables
The following clock variables appear in the
-.Ic cv
+.Ic clocklist
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#clock "clock status word"
-.It Ic device
+.It Cm device
device description
-.It Ic timecode
+.It Cm timecode
ASCII time code string (specific to device)
-.It Ic poll
+.It Cm poll
poll messages sent
-.It Ic noreply
+.It Cm noreply
no reply
-.It Ic badformat
+.It Cm badformat
bad format
-.It Ic baddata
+.It Cm baddata
bad date or time
-.It Ic fudgetime1
+.It Cm fudgetime1
fudge time 1
-.It Ic fudgetime2
+.It Cm fudgetime2
fudge time 2
-.It Ic stratum
+.It Cm stratum
driver stratum
-.It Ic refid
-driver reference ID
-.It Ic flags
+.It Cm refid
+driver reference id
+.It Cm flags
driver flags
.El
_END_PROG_MDOC_DESCRIP;
Index: contrib/ntp/ntpq/ntpq.1ntpqmdoc
===================================================================
--- contrib/ntp/ntpq/ntpq.1ntpqmdoc (版本 330566)
+++ contrib/ntp/ntpq/ntpq.1ntpqmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPQ 1ntpqmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:31 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:28 PM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -18,15 +18,12 @@
[ host ...]
.Pp
.Sh DESCRIPTION
+.Pp
The
.Nm
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -37,6 +34,7 @@
utility can also obtain and print a
list of peers in a common format by sending multiple queries to the
server.
+.Pp
If one or more request options is included on the command line
when
.Nm
@@ -54,6 +52,7 @@
.Nm
utility will prompt for
commands if the standard input is a terminal device.
+.Pp
.Nm
uses NTP mode 6 packets to communicate with the
NTP server, and hence can be used to query any compatible server on
@@ -67,6 +66,17 @@
one attempt to retransmit requests, and will time requests out if
the remote host is not heard from within a suitable timeout
time.
+.Pp
+Note that in contexts where a host name is expected, a
+.Fl 4
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+.Fl 6
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+.Dq NTP Debugging Techniques
+page.
+.Pp
Specifying a
command line option other than
.Fl i
@@ -80,51 +90,46 @@
will attempt to read
interactive format commands from the standard input.
.Ss "Internal Commands"
+.Pp
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
uniquely identify the command need be typed.
+.Pp
A
number of interactive format commands are executed entirely within
the
.Nm
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
-.Bl -tag -width "? [command_keyword]" -compact -offset indent
-.It Ic ? Op Ar command_keyword
-.It Ic help Op Ar command_keyword
+.Bl -tag -width "help [command]" -compact -offset indent
+.It Ic ? Op Ar command
+.It Ic help Op Ar command
A
.Ql \&?
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
.Nm .
A
.Ql \&?
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-.Nm
-than this manual
-page.
-.It Ic addvars Ar variable_name Ns Xo Op Ic =value
-.Ic ...
-.Xc
-.It Ic rmvars Ar variable_name Ic ...
+.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,...
+.It Ic rmvars Ar name Ns Op ,...
.It Ic clearvars
.It Ic showvars
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-.Ql variable_name=value ,
+.Ar name Ns Op \&= Ns Ar value ,
where the
-.Ql =value
+.No \&= Ns Ar value
is ignored, and can be omitted,
in requests to the server to read variables.
The
.Nm
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
.Ic readlist
and
.Ic writelist
@@ -139,35 +144,31 @@
.Ic rmvars
command can be used to remove individual variables from the list,
while the
-.Ic clearlist
+.Ic clearvars
command removes all variables from the
list.
The
.Ic showvars
command displays the current list of optional variables.
-.It Ic authenticate Op yes | no
+.It Ic authenticate Op Cm yes Ns | Ns Cm no
Normally
.Nm
does not authenticate requests unless
they are write requests.
The command
-.Ql authenticate yes
+.Ic authenticate Cm yes
causes
.Nm
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-.Ic peer
-display.
+requests slightly differently.
The command
-.Ql authenticate
+.Ic authenticate
causes
.Nm
to display whether or not
-.Nm
-is currently autheinticating requests.
+it is currently authenticating requests.
.It Ic cooked
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -176,20 +177,13 @@
values reformatted for human consumption.
Variables which
.Nm
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
.Ql \&? .
-.It Xo
-.Ic debug
-.Oo
-.Cm more |
-.Cm less |
-.Cm off
-.Oc
-.Xc
+.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
-.It Ic delay Ar milliseconds
+Otherwise, the debugging level is changed as indicated.
+.It Ic delay Op Ar milliseconds
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -198,14 +192,21 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
+.It Ic drefid Op Cm hash Ns | Ns Cm ipv4
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
.It Ic exit
Exit
.Nm .
-.It Ic host Ar hostname
+.It Ic host Op Ar name
Set the host to which future queries will be sent.
-.Ar hostname
+The
+.Ar name
may be either a host name or a numeric address.
-.It Ic hostnames Op Cm yes | Cm no
+Without any arguments, displays the current host.
+.It Ic hostnames Op Cm yes Ns | Ns Cm no
If
.Cm yes
is specified, host names are printed in
@@ -220,7 +221,9 @@
modified using the command line
.Fl n
switch.
-.It Ic keyid Ar keyid
+Without any arguments, displays whether host names or numeric addresses
+are shown.
+.It Ic keyid Op Ar keyid
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -228,28 +231,20 @@
.Cm controlkey
key number the server has been configured to use for this
purpose.
-.It Ic keytype Xo Oo
-.Cm md5 |
-.Cm OpenSSLDigestType
-.Oc
-.Xc
-Specify the type of key to use for authenticating requests.
-.Cm md5
-is alway supported.
+Without any arguments, displays the current
+.Ar keyid .
+.It Ic keytype Op Ar digest
+Specify the digest algorithm to use for authenticating requests, with default
+.Cm MD5 .
If
.Nm
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+.Ar digest
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-.Ic keytype
-is displayed.
-.It Ic ntpversion Xo Oo
-.Cm 1 |
-.Cm 2 |
-.Cm 3 |
-.Cm 4
-.Oc
-.Xc
+.Ic keytype Ar digest
+algorithm used is displayed.
+.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4
Sets the NTP version number which
.Nm
claims in
@@ -267,13 +262,11 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-.\" Not yet implemented.
-.\" .It Ic poll
-.\" .Op Ar n
-.\" .Op Ic verbose
-.\" Poll an NTP server in client mode
-.\" .Ar n
-.\" times.
+.It Ic poll Oo Ar n Oc Op Cm verbose
+Poll an NTP server in client mode
+.Ar n
+times.
+Poll not implemented yet.
.It Ic quit
Exit
.Nm .
@@ -283,95 +276,150 @@
The only formating/interpretation done on
the data is to transform nonascii data into a printable (but barely
understandable) form.
-.It Ic timeout Ar milliseconds
+.It Ic timeout Op Ar milliseconds
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
.Nm
retries each query once after a timeout, the total waiting time for
a timeout will be twice the timeout value set.
.It Ic version
-Print the version of the
+Display the version of the
.Nm
program.
.El
.Ss "Control Message Commands"
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode\-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
-.Li peers
+.Ic peers
command, which sends a series of messages,
and the
-.Li mreadlist
+.Ic mreadlist
and
-.Li mreadvar
+.Ic mreadvar
commands, which iterate over a range of associations.
.Bl -tag -width "something" -compact -offset indent
-.It Cm associations
+.It Ic apeers
+Display a list of peers in the form:
+.Dl [tally]remote refid assid st t when pool reach delay offset jitter
+where the output is just like the
+.Ic peers
+command except that the
+.Cm refid
+is displayed in hex format and the association number is also displayed.
+.It Ic associations
Display a list of mobilized associations in the form:
.Dl ind assid status conf reach auth condition last_event cnt
-.Bl -column -offset indent ".Sy Variable" ".Sy Description"
-.It Sy String Ta Sy Description
-.It Li ind Ta index on this list
-.It Li assid Ta association ID
-.It Li status Ta peer status word
-.It Li conf Ta Li yes : persistent, Li no : ephemeral
-.It Li reach Ta Li yes : reachable, Li no : unreachable
-.It Li auth Ta Li ok , Li yes , Li bad and Li none
-.It Li condition Ta selection status (see the Li select field of the peer status word)
-.It Li last_event Ta event report (see the Li event field of the peer status word)
-.It Li cnt Ta event count (see the Li count field of the peer status word)
+.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word"
+.It Sy Variable Ta Sy Description
+.It Cm ind Ta index on this list
+.It Cm assid Ta association id
+.It Cm status Ta peer status word
+.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral
+.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable
+.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none
+.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&)
+.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&)
+.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&)
.El
-.It Cm authinfo
-Display the authentication statistics.
-.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-Display a list of clock variables for those associations supporting a reference clock.
-.It Cm :config Op ...
-Send the remainder of the command line, including whitespace, to the server as a run\-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
-.It Cm config\-from\-file Ar filename
-Send the each line of
+.It Ic authinfo
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
+.It Ic clocklist Op Ar associd
+.It Ic cl Op Ar associd
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
+.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+Display a list of clock variables for those associations supporting a
+reference clock.
+.It Ic :config Ar "configuration command line"
+Send the remainder of the command line, including whitespace, to the
+server as a run\-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+.It Ic config\-from\-file Ar filename
+Send each line of
.Ar filename
-to the server as run\-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run\-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
.It Ic ifstats
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
.It Ic iostats
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
.It Ic kerninfo
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
.It Ic lassociations
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
-.It Ic lopeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
+.It Ic lopeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients showing
+.Cm dstadr
+(associated with the given IP version).
+.It Ic lpassociations
+Display the last obtained list of associations, including all clients.
+.It Ic lpeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients (associated with the given IP version).
+.It Ic monstats
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
+.It Ic mreadlist Ar associdlo Ar associdhi
+.It Ic mrl Ar associdlo Ar associdhi
+Perform the same function as the
+.Ic readlist
+command for a range of association ids.
+.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+This range may be determined from the list displayed by any
+command showing associations.
+.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+Perform the same function as the
+.Ic readvar
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count |
+.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder |
+.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc
.Xc
-Obtain and print a list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version).
-.It Ic lpeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
-.Xc
-Print a peer spreadsheet for the appropriate IP version(s).
-.Ar dstadr
-(associated with any given IP version).
-.It Ic monstats
-Display monitor facility statistics.
-.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc
-Obtain and print traffic counts collected and maintained by the monitor facility.
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-.Cm sort Ns = Ns Ar sortorder ,
+.Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder ,
the options filter the list returned by
-.Cm ntpd.
+.Xr ntpd 8 .
The
.Cm limited
and
.Cm kod
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
.Cm mincount Ns = Ns Ar count
option filters entries representing less than
@@ -392,18 +440,21 @@
.Ar sortorder
defaults to
.Cm lstint
-and may be any of
+and may be
.Cm addr ,
+.Cm avgint ,
.Cm count ,
-.Cm avgint ,
.Cm lstint ,
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+.Ql \&\-
+to reverse the sort order.
The output columns are:
.Bl -tag -width "something" -compact -offset indent
.It Column
Description
.It Ic lstint
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
.Nm .
.It Ic avgint
Average interval in s between packets from this address.
@@ -411,7 +462,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
.Ic restrict
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
.It Ic r
Rate control indicator, either
a period,
@@ -429,27 +481,15 @@
.It Ic rport
Source port of last packet from this address.
.It Ic remote address
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
.El
-.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-Perform the same function as the
-.Ic readvar
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-.Ic associations
-command.
-.It Ic opeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
-.Xc
+.It Ic opeers Op Fl 4 | Fl 6
Obtain and print the old\-style list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version),
+.Cm dstadr
+(associated with the given IP version),
rather than the
-.Ar refid .
+.Cm refid .
.It Ic passociations
Perform the same function as the
.Ic associations
@@ -461,28 +501,32 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic [tally]
+.It Cm [tally]
single\-character code indicating current value of the
.Ic select
field of the
.Lk decode.html#peer "peer status word"
-.It Ic remote
+.It Cm remote
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+.Nm
.Fl w
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
-.It Ic refid
-association ID or
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
+.It Cm refid
+source IP address or
.Lk decode.html#kiss "'kiss code"
-.It Ic st
-stratum
-.It Ic t
+.It Cm st
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
+.It Cm t
.Ic u :
unicast or manycast client,
.Ic b :
broadcast or multicast client,
+.Ic p :
+pool source,
.Ic l :
local (reference clock),
.Ic s :
@@ -493,38 +537,40 @@
broadcast server,
.Ic M :
multicast server
-.It Ic when
-sec/min/hr since last received packet
-.It Ic poll
-poll interval (log2 s)
-.It Ic reach
+.It Cm when
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+.Ql \&\-
+if a packet has never been received
+.It Cm poll
+poll interval (s)
+.It Cm reach
reach shift register (octal)
-.It Ic delay
+.It Cm delay
roundtrip delay
-.It Ic offset
+.It Cm offset
offset of server relative to this host
-.It Ic jitter
-jitter
+.It Cm jitter
+offset RMS error estimate.
.El
-.It Ic apeers
-Display a list of peers in the form:
-.Dl [tally]remote refid assid st t when pool reach delay offset jitter
-where the output is just like the
-.Ic peers
-command except that the
-.Ic refid
-is displayed in hex format and the association number is also displayed.
-.It Ic pstats Ar assocID
-Show the statistics for the peer with the given
-.Ar assocID .
-.It Ic readlist Ar assocID
-.It Ic rl Ar assocID
-Read the system or peer variables included in the variable list.
-.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-Display the specified variables.
+.It Ic pstats Ar associd
+Display the statistics for the peer with the given
+.Ar associd :
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
+.It Ic readlist Op Ar associd
+.It Ic rl Op Ar associd
+Display all system or peer variables.
+If the
+.Ar associd
+is omitted, it is assumed to be zero.
+.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+Display the specified system or peer variables.
If
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -531,55 +577,76 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
If no
.Ar name
is included, all operative variables in the name space are displayed.
In this case only, if the
-.Ar assocID
-is omitted, it is assumed zero.
+.Ar associd
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts\-per\-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+.Ar YYYY Ns Ar MM Ar DD Ar TTTT ,
+where
+.Ar YYYY
+is the year,
+.Ar MM
+the month of year,
+.Ar DD
+the day of month and
+.Ar TTTT
+the time of day.
.It Ic reslist
-Show the access control (restrict) list for
+Display the access control (restrict) list for
.Nm .
+Authentication is required.
.It Ic saveconfig Ar filename
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
.Ic :config
or
.Ic config\-from\-file ,
-to the ntpd host's file
+to the NTP server host file
.Ar filename .
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-.Ic ntpd
+.Xr ntpd 8
configuration file.
.Ar filename
can use
-.Xr strftime
-format specifies to substitute the current date and time, for example,
-.Ic q]saveconfig ntp\-%Y%m%d\-%H%M%S.confq] .
+.Xr date 1
+format specifiers to substitute the current date and time, for
+example,
+.D1 Ic saveconfig Pa ntp\-%Y%m%d\-%H%M%S.conf .
The filename used is stored in system variable
-.Ic savedconfig .
+.Cm savedconfig .
Authentication is required.
+.It Ic sysinfo
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+.It Ic sysstats
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
.It Ic timerstats
-Display interval timer counters.
-.It Ic writelist Ar assocID
-Write the system or peer variables included in the variable list.
-.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ...
-Write the specified variables.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
+.It Ic writelist Ar associd
+Set all system or peer variables included in the variable list.
+.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ...
+Set the specified variables in the variable list.
If the
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -586,12 +653,9 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
-.It Ic sysinfo
-Display operational summary.
-.It Ic sysstats
-Print statistics counters maintained in the protocol module.
+Authentication is required.
.El
.Ss Status Words and Kiss Codes
The current state of the operating program is shown
@@ -598,10 +662,10 @@
in a set of status words
maintained by the system.
Status information is also available on a per\-association basis.
-These words are displayed in the
-.Ic rv
+These words are displayed by the
+.Ic readlist
and
-.Ic as
+.Ic associations
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -618,58 +682,59 @@
in the reference identifier field in various billboards.
.Ss System Variables
The following system variables appear in the
-.Ic rv
+.Ic readlist
billboard.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic status
+.It Cm status
.Lk decode.html#sys "system status word"
-.It Ic version
+.It Cm version
NTP software version and build time
-.It Ic processor
+.It Cm processor
hardware platform and version
-.It Ic system
+.It Cm system
operating system and version
-.It Ic leap
+.It Cm leap
leap warning indicator (0\-3)
-.It Ic stratum
+.It Cm stratum
stratum (1\-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total dispersion to the primary reference clock
-.It Ic peer
-system peer association ID
-.It Ic tc
+.It Cm refid
+reference id or
+.Lk decode.html#kiss "kiss code"
+.It Cm reftime
+reference time
+.It Ic clock
+date and time of day
+.It Cm peer
+system peer association id
+.It Cm tc
time constant and poll exponent (log2 s) (3\-17)
-.It Ic mintc
+.It Cm mintc
minimum time constant (log2 s) (3\-10)
-.It Ic clock
-date and time of day
-.It Ic refid
-reference ID or
-.Lk decode.html#kiss "kiss code"
-.It Ic reftime
-reference time
-.It Ic offset
-combined offset of server relative to this host
-.It Ic sys_jitter
+.It Cm offset
+combined offset of server relative to this host
+.It Cm frequency
+frequency drift (PPM) relative to hardware clock
+.It Cm sys_jitter
combined system jitter
-.It Ic frequency
-frequency offset (PPM) relative to hardware clock
-.It Ic clk_wander
+.It Cm clk_wander
clock frequency wander (PPM)
-.It Ic clk_jitter
+.It Cm clk_jitter
clock jitter
-.It Ic tai
+.It Cm tai
TAI\-UTC offset (s)
-.It Ic leapsec
+.It Cm leapsec
NTP seconds when the next leap second is/was inserted
-.It Ic expire
+.It Cm expire
NTP seconds when the NIST leapseconds file expires
.El
The jitter and wander statistics are exponentially\-weighted RMS averages.
@@ -683,98 +748,102 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic host
+.It Cm host
Autokey host name for this host
-.It Ic ident
+.It Cm ident
Autokey group name for this host
-.It Ic flags
+.It Cm flags
host flags (see Autokey specification)
-.It Ic digest
+.It Cm digest
OpenSSL message digest algorithm
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic update
+.It Cm update
NTP seconds at last signature update
-.It Ic cert
+.It Cm cert
certificate subject, issuer and certificate flags
-.It Ic until
+.It Cm until
NTP seconds when the certificate expires
.El
.Ss Peer Variables
The following peer variables appear in the
-.Ic rv
+.Ic readlist
billboard for each association.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#peer "peer status word"
-.It Ic srcadr
+.It Cm srcadr
source (remote) IP address
-.It Ic srcport
+.It Cm srcport
source (remote) port
-.It Ic dstadr
+.It Cm dstadr
destination (local) IP address
-.It Ic dstport
+.It Cm dstport
destination (local) port
-.It Ic leap
+.It Cm leap
leap indicator (0\-3)
-.It Ic stratum
+.It Cm stratum
stratum (0\-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total root dispersion to the primary reference clock
-.It Ic refid
-reference ID or
+.It Cm refid
+reference id or
.Lk decode.html#kiss "kiss code"
-.It Ic reftime
+.It Cm reftime
reference time
-.It Ic reach
+.It Cm rec
+last packet received time
+.It Cm reach
reach register (octal)
-.It Ic unreach
+.It Cm unreach
unreach counter
-.It Ic hmode
+.It Cm hmode
host mode (1\-6)
-.It Ic pmode
+.It Cm pmode
peer mode (1\-5)
-.It Ic hpoll
+.It Cm hpoll
host poll exponent (log2 s) (3\-17)
-.It Ic ppoll
+.It Cm ppoll
peer poll exponent (log2 s) (3\-17)
-.It Ic headway
+.It Cm headway
headway (see
.Lk rate.html "Rate Management and the Kiss\-o'\-Death Packet" )
-.It Ic flash
+.It Cm flash
.Lk decode.html#flash "flash status word"
-.It Ic offset
+.It Cm keyid
+symmetric key id
+.It Cm offset
filter offset
-.It Ic delay
+.It Cm delay
filter delay
-.It Ic dispersion
+.It Cm dispersion
filter dispersion
-.It Ic jitter
+.It Cm jitter
filter jitter
-.It Ic ident
-Autokey group name for this association
-.It Ic bias
+.It Cm bias
unicast/broadcast bias
-.It Ic xleave
+.It Cm xleave
interleave delay (see
.Lk xleave.html "NTP Interleaved Modes" )
.El
The
-.Ic bias
+.Cm bias
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
-.Ic xleave
+.Cm xleave
variable appears only for the interleaved symmetric and interleaved modes.
It represents the internal queuing, buffering and transmission delays
for the preceding packet.
@@ -784,71 +853,73 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic host
+.It Cm host
Autokey server name
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic initsequence
-initial key ID
-.It Ic initkey
+.It Cm initsequence
+initial key id
+.It Cm initkey
initial key index
-.It Ic timestamp
+.It Cm timestamp
Autokey signature timestamp
+.It Cm ident
+Autokey group name for this association
.El
.Ss Clock Variables
The following clock variables appear in the
-.Ic cv
+.Ic clocklist
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#clock "clock status word"
-.It Ic device
+.It Cm device
device description
-.It Ic timecode
+.It Cm timecode
ASCII time code string (specific to device)
-.It Ic poll
+.It Cm poll
poll messages sent
-.It Ic noreply
+.It Cm noreply
no reply
-.It Ic badformat
+.It Cm badformat
bad format
-.It Ic baddata
+.It Cm baddata
bad date or time
-.It Ic fudgetime1
+.It Cm fudgetime1
fudge time 1
-.It Ic fudgetime2
+.It Cm fudgetime2
fudge time 2
-.It Ic stratum
+.It Cm stratum
driver stratum
-.It Ic refid
-driver reference ID
-.It Ic flags
+.It Cm refid
+driver reference id
+.It Cm flags
driver flags
.El
.Sh "OPTIONS"
.Bl -tag
.It Fl 4 , Fl \-ipv4
-Force IPv4 DNS name resolution.
+Force IPv4 name resolution.
This option must not appear in combination with any of the following options:
ipv6.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv4 namespace.
.It Fl 6 , Fl \-ipv6
-Force IPv6 DNS name resolution.
+Force IPv6 name resolution.
This option must not appear in combination with any of the following options:
ipv4.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv6 namespace.
.It Fl c Ar cmd , Fl \-command Ns = Ns Ar cmd
run a command and exit.
@@ -878,7 +949,7 @@
numeric host addresses.
.sp
Output all host addresses in dotted\-quad numeric format rather than
-converting to the canonical host names.
+converting to the canonical host names.
.It Fl \-old\-rv
Always output status line with readvar.
.sp
Index: contrib/ntp/ntpdate/Makefile.in
===================================================================
--- contrib/ntp/ntpdate/Makefile.in (版本 330566)
+++ contrib/ntp/ntpdate/Makefile.in (版本 330908)
@@ -106,6 +106,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -974,7 +975,6 @@
#
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/ntpdc/ntpdc-opts.c
===================================================================
--- contrib/ntp/ntpdc/ntpdc-opts.c (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc-opts.c (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpdc-opts.c)
*
- * It has been AutoGen-ed March 21, 2017 at 10:44:44 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:14:56 PM by AutoGen 5.18.5
* From the definitions ntpdc-opts.def
* and the template file options
*
@@ -69,7 +69,7 @@
* static const strings for ntpdc options
*/
static char const ntpdc_opt_strs[1914] =
-/* 0 */ "ntpdc 4.2.8p10\n"
+/* 0 */ "ntpdc 4.2.8p11\n"
"Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
"redistribution under the terms of the NTP License, copies of which\n"
@@ -128,7 +128,7 @@
/* 1695 */ "no-load-opts\0"
/* 1708 */ "no\0"
/* 1711 */ "NTPDC\0"
-/* 1717 */ "ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10\n"
+/* 1717 */ "ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11\n"
"Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n\0"
/* 1848 */ "$HOME\0"
/* 1854 */ ".\0"
@@ -135,7 +135,7 @@
/* 1856 */ ".ntprc\0"
/* 1863 */ "http://bugs.ntp.org, bugs@ntp.org\0"
/* 1897 */ "\n\0"
-/* 1899 */ "ntpdc 4.2.8p10";
+/* 1899 */ "ntpdc 4.2.8p11";
/**
* ipv4 option description with
@@ -796,7 +796,7 @@
translate option names.
*/
/* referenced via ntpdcOptions.pzCopyright */
- puts(_("ntpdc 4.2.8p10\n\
+ puts(_("ntpdc 4.2.8p11\n\
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\
This is free software. It is licensed for use, modification and\n\
redistribution under the terms of the NTP License, copies of which\n\
@@ -862,7 +862,7 @@
puts(_("load options from a config file"));
/* referenced via ntpdcOptions.pzUsageTitle */
- puts(_("ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10\n\
+ puts(_("ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11\n\
Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n"));
/* referenced via ntpdcOptions.pzExplain */
@@ -869,7 +869,7 @@
puts(_("\n"));
/* referenced via ntpdcOptions.pzFullVersion */
- puts(_("ntpdc 4.2.8p10"));
+ puts(_("ntpdc 4.2.8p11"));
/* referenced via ntpdcOptions.pzFullUsage */
puts(_("<<<NOT-FOUND>>>"));
Index: contrib/ntp/ntpdc/ntpdc.c
===================================================================
--- contrib/ntp/ntpdc/ntpdc.c (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc.c (版本 330908)
@@ -499,7 +499,7 @@
int optionValue = SO_SYNCHRONOUS_NONALERT;
int err;
- err = setsockopt(INVALID_SOCKET, SOL_SOCKET, SO_OPENTYPE, (char *)&optionValue, sizeof(optionValue));
+ err = setsockopt(INVALID_SOCKET, SOL_SOCKET, SO_OPENTYPE, (void *)&optionValue, sizeof(optionValue));
if (err != NO_ERROR) {
(void) fprintf(stderr, "cannot open nonoverlapped sockets\n");
exit(1);
@@ -519,7 +519,7 @@
int rbufsize = INITDATASIZE + 2048; /* 2K for slop */
if (setsockopt(sockfd, SOL_SOCKET, SO_RCVBUF,
- &rbufsize, sizeof(int)) == -1)
+ (void *)&rbufsize, sizeof(int)) == -1)
error("setsockopt");
}
# endif
Index: contrib/ntp/ntpdc/ntpdc_ops.c
===================================================================
--- contrib/ntp/ntpdc/ntpdc_ops.c (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc_ops.c (版本 330908)
@@ -1683,7 +1683,7 @@
const char *mask;
struct resflags *rf;
u_int32 count;
- u_short flags;
+ u_short rflags;
u_short mflags;
char flagstr[300];
static const char *comma = ", ";
@@ -1730,7 +1730,7 @@
((pcmd->argval->ival == 4) && (rl->v6_flag == 0)))
skip = 0;
count = ntohl(rl->count);
- flags = ntohs(rl->flags);
+ rflags = ntohs(rl->rflags);
mflags = ntohs(rl->mflags);
flagstr[0] = '\0';
@@ -1753,7 +1753,7 @@
: &resflagsV3[0];
while (rf->bit != 0) {
- if (flags & rf->bit) {
+ if (rflags & rf->bit) {
if (!res)
strlcat(flagstr, comma,
sizeof(flagstr));
Index: contrib/ntp/ntpq/ntpq-opts.c
===================================================================
--- contrib/ntp/ntpq/ntpq-opts.c (版本 330566)
+++ contrib/ntp/ntpq/ntpq-opts.c (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpq-opts.c)
*
- * It has been AutoGen-ed March 21, 2017 at 10:45:05 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:15:12 PM by AutoGen 5.18.5
* From the definitions ntpq-opts.def
* and the template file options
*
@@ -68,8 +68,8 @@
/**
* static const strings for ntpq options
*/
-static char const ntpq_opt_strs[1985] =
-/* 0 */ "ntpq 4.2.8p10\n"
+static char const ntpq_opt_strs[1977] =
+/* 0 */ "ntpq 4.2.8p11\n"
"Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
"redistribution under the terms of the NTP License, copies of which\n"
@@ -86,60 +86,60 @@
"Time Foundation makes no representations about the suitability this\n"
"software for any purpose. It is provided \"as is\" without express or\n"
"implied warranty.\n\0"
-/* 1009 */ "Force IPv4 DNS name resolution\0"
-/* 1040 */ "IPV4\0"
-/* 1045 */ "ipv4\0"
-/* 1050 */ "Force IPv6 DNS name resolution\0"
-/* 1081 */ "IPV6\0"
-/* 1086 */ "ipv6\0"
-/* 1091 */ "run a command and exit\0"
-/* 1114 */ "COMMAND\0"
-/* 1122 */ "command\0"
-/* 1130 */ "Increase debug verbosity level\0"
-/* 1161 */ "DEBUG_LEVEL\0"
-/* 1173 */ "debug-level\0"
-/* 1185 */ "Set the debug verbosity level\0"
-/* 1215 */ "SET_DEBUG_LEVEL\0"
-/* 1231 */ "set-debug-level\0"
-/* 1247 */ "Force ntpq to operate in interactive mode\0"
-/* 1289 */ "INTERACTIVE\0"
-/* 1301 */ "interactive\0"
-/* 1313 */ "numeric host addresses\0"
-/* 1336 */ "NUMERIC\0"
-/* 1344 */ "numeric\0"
-/* 1352 */ "Always output status line with readvar\0"
-/* 1391 */ "OLD_RV\0"
-/* 1398 */ "old-rv\0"
-/* 1405 */ "Print a list of the peers\0"
-/* 1431 */ "PEERS\0"
-/* 1437 */ "peers\0"
-/* 1443 */ "Set default display type for S2+ refids\0"
-/* 1483 */ "REFID\0"
-/* 1489 */ "refid\0"
-/* 1495 */ "Display the full 'remote' value\0"
-/* 1527 */ "WIDE\0"
-/* 1532 */ "wide\0"
-/* 1537 */ "display extended usage information and exit\0"
-/* 1581 */ "help\0"
-/* 1586 */ "extended usage information passed thru pager\0"
-/* 1631 */ "more-help\0"
-/* 1641 */ "output version information and exit\0"
-/* 1677 */ "version\0"
-/* 1685 */ "save the option state to a config file\0"
-/* 1724 */ "save-opts\0"
-/* 1734 */ "load options from a config file\0"
-/* 1766 */ "LOAD_OPTS\0"
-/* 1776 */ "no-load-opts\0"
-/* 1789 */ "no\0"
-/* 1792 */ "NTPQ\0"
-/* 1797 */ "ntpq - standard NTP query program - Ver. 4.2.8p10\n"
+/* 1009 */ "Force IPv4 name resolution\0"
+/* 1036 */ "IPV4\0"
+/* 1041 */ "ipv4\0"
+/* 1046 */ "Force IPv6 name resolution\0"
+/* 1073 */ "IPV6\0"
+/* 1078 */ "ipv6\0"
+/* 1083 */ "run a command and exit\0"
+/* 1106 */ "COMMAND\0"
+/* 1114 */ "command\0"
+/* 1122 */ "Increase debug verbosity level\0"
+/* 1153 */ "DEBUG_LEVEL\0"
+/* 1165 */ "debug-level\0"
+/* 1177 */ "Set the debug verbosity level\0"
+/* 1207 */ "SET_DEBUG_LEVEL\0"
+/* 1223 */ "set-debug-level\0"
+/* 1239 */ "Force ntpq to operate in interactive mode\0"
+/* 1281 */ "INTERACTIVE\0"
+/* 1293 */ "interactive\0"
+/* 1305 */ "numeric host addresses\0"
+/* 1328 */ "NUMERIC\0"
+/* 1336 */ "numeric\0"
+/* 1344 */ "Always output status line with readvar\0"
+/* 1383 */ "OLD_RV\0"
+/* 1390 */ "old-rv\0"
+/* 1397 */ "Print a list of the peers\0"
+/* 1423 */ "PEERS\0"
+/* 1429 */ "peers\0"
+/* 1435 */ "Set default display type for S2+ refids\0"
+/* 1475 */ "REFID\0"
+/* 1481 */ "refid\0"
+/* 1487 */ "Display the full 'remote' value\0"
+/* 1519 */ "WIDE\0"
+/* 1524 */ "wide\0"
+/* 1529 */ "display extended usage information and exit\0"
+/* 1573 */ "help\0"
+/* 1578 */ "extended usage information passed thru pager\0"
+/* 1623 */ "more-help\0"
+/* 1633 */ "output version information and exit\0"
+/* 1669 */ "version\0"
+/* 1677 */ "save the option state to a config file\0"
+/* 1716 */ "save-opts\0"
+/* 1726 */ "load options from a config file\0"
+/* 1758 */ "LOAD_OPTS\0"
+/* 1768 */ "no-load-opts\0"
+/* 1781 */ "no\0"
+/* 1784 */ "NTPQ\0"
+/* 1789 */ "ntpq - standard NTP query program - Ver. 4.2.8p11\n"
"Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n\0"
-/* 1917 */ "$HOME\0"
-/* 1923 */ ".\0"
-/* 1925 */ ".ntprc\0"
-/* 1932 */ "http://bugs.ntp.org, bugs@ntp.org\0"
-/* 1966 */ "ntpq 4.2.8p10\0"
-/* 1980 */ "hash";
+/* 1909 */ "$HOME\0"
+/* 1915 */ ".\0"
+/* 1917 */ ".ntprc\0"
+/* 1924 */ "http://bugs.ntp.org, bugs@ntp.org\0"
+/* 1958 */ "ntpq 4.2.8p11\0"
+/* 1972 */ "hash";
/**
* ipv4 option description with
@@ -148,9 +148,9 @@
/** Descriptive text for the ipv4 option */
#define IPV4_DESC (ntpq_opt_strs+1009)
/** Upper-cased name for the ipv4 option */
-#define IPV4_NAME (ntpq_opt_strs+1040)
+#define IPV4_NAME (ntpq_opt_strs+1036)
/** Name string for the ipv4 option */
-#define IPV4_name (ntpq_opt_strs+1045)
+#define IPV4_name (ntpq_opt_strs+1041)
/** Other options that appear in conjunction with the ipv4 option */
static int const aIpv4CantList[] = {
INDEX_OPT_IPV6, NO_EQUIVALENT };
@@ -162,11 +162,11 @@
* "Must also have options" and "Incompatible options":
*/
/** Descriptive text for the ipv6 option */
-#define IPV6_DESC (ntpq_opt_strs+1050)
+#define IPV6_DESC (ntpq_opt_strs+1046)
/** Upper-cased name for the ipv6 option */
-#define IPV6_NAME (ntpq_opt_strs+1081)
+#define IPV6_NAME (ntpq_opt_strs+1073)
/** Name string for the ipv6 option */
-#define IPV6_name (ntpq_opt_strs+1086)
+#define IPV6_name (ntpq_opt_strs+1078)
/** Other options that appear in conjunction with the ipv6 option */
static int const aIpv6CantList[] = {
INDEX_OPT_IPV4, NO_EQUIVALENT };
@@ -177,11 +177,11 @@
* command option description:
*/
/** Descriptive text for the command option */
-#define COMMAND_DESC (ntpq_opt_strs+1091)
+#define COMMAND_DESC (ntpq_opt_strs+1083)
/** Upper-cased name for the command option */
-#define COMMAND_NAME (ntpq_opt_strs+1114)
+#define COMMAND_NAME (ntpq_opt_strs+1106)
/** Name string for the command option */
-#define COMMAND_name (ntpq_opt_strs+1122)
+#define COMMAND_name (ntpq_opt_strs+1114)
/** Compiled in flag settings for the command option */
#define COMMAND_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
@@ -190,11 +190,11 @@
* debug-level option description:
*/
/** Descriptive text for the debug-level option */
-#define DEBUG_LEVEL_DESC (ntpq_opt_strs+1130)
+#define DEBUG_LEVEL_DESC (ntpq_opt_strs+1122)
/** Upper-cased name for the debug-level option */
-#define DEBUG_LEVEL_NAME (ntpq_opt_strs+1161)
+#define DEBUG_LEVEL_NAME (ntpq_opt_strs+1153)
/** Name string for the debug-level option */
-#define DEBUG_LEVEL_name (ntpq_opt_strs+1173)
+#define DEBUG_LEVEL_name (ntpq_opt_strs+1165)
/** Compiled in flag settings for the debug-level option */
#define DEBUG_LEVEL_FLAGS (OPTST_DISABLED)
@@ -202,11 +202,11 @@
* set-debug-level option description:
*/
/** Descriptive text for the set-debug-level option */
-#define SET_DEBUG_LEVEL_DESC (ntpq_opt_strs+1185)
+#define SET_DEBUG_LEVEL_DESC (ntpq_opt_strs+1177)
/** Upper-cased name for the set-debug-level option */
-#define SET_DEBUG_LEVEL_NAME (ntpq_opt_strs+1215)
+#define SET_DEBUG_LEVEL_NAME (ntpq_opt_strs+1207)
/** Name string for the set-debug-level option */
-#define SET_DEBUG_LEVEL_name (ntpq_opt_strs+1231)
+#define SET_DEBUG_LEVEL_name (ntpq_opt_strs+1223)
/** Compiled in flag settings for the set-debug-level option */
#define SET_DEBUG_LEVEL_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
@@ -216,11 +216,11 @@
* "Must also have options" and "Incompatible options":
*/
/** Descriptive text for the interactive option */
-#define INTERACTIVE_DESC (ntpq_opt_strs+1247)
+#define INTERACTIVE_DESC (ntpq_opt_strs+1239)
/** Upper-cased name for the interactive option */
-#define INTERACTIVE_NAME (ntpq_opt_strs+1289)
+#define INTERACTIVE_NAME (ntpq_opt_strs+1281)
/** Name string for the interactive option */
-#define INTERACTIVE_name (ntpq_opt_strs+1301)
+#define INTERACTIVE_name (ntpq_opt_strs+1293)
/** Other options that appear in conjunction with the interactive option */
static int const aInteractiveCantList[] = {
INDEX_OPT_COMMAND,
@@ -232,11 +232,11 @@
* numeric option description:
*/
/** Descriptive text for the numeric option */
-#define NUMERIC_DESC (ntpq_opt_strs+1313)
+#define NUMERIC_DESC (ntpq_opt_strs+1305)
/** Upper-cased name for the numeric option */
-#define NUMERIC_NAME (ntpq_opt_strs+1336)
+#define NUMERIC_NAME (ntpq_opt_strs+1328)
/** Name string for the numeric option */
-#define NUMERIC_name (ntpq_opt_strs+1344)
+#define NUMERIC_name (ntpq_opt_strs+1336)
/** Compiled in flag settings for the numeric option */
#define NUMERIC_FLAGS (OPTST_DISABLED)
@@ -244,11 +244,11 @@
* old-rv option description:
*/
/** Descriptive text for the old-rv option */
-#define OLD_RV_DESC (ntpq_opt_strs+1352)
+#define OLD_RV_DESC (ntpq_opt_strs+1344)
/** Upper-cased name for the old-rv option */
-#define OLD_RV_NAME (ntpq_opt_strs+1391)
+#define OLD_RV_NAME (ntpq_opt_strs+1383)
/** Name string for the old-rv option */
-#define OLD_RV_name (ntpq_opt_strs+1398)
+#define OLD_RV_name (ntpq_opt_strs+1390)
/** Compiled in flag settings for the old-rv option */
#define OLD_RV_FLAGS (OPTST_DISABLED)
@@ -257,11 +257,11 @@
* "Must also have options" and "Incompatible options":
*/
/** Descriptive text for the peers option */
-#define PEERS_DESC (ntpq_opt_strs+1405)
+#define PEERS_DESC (ntpq_opt_strs+1397)
/** Upper-cased name for the peers option */
-#define PEERS_NAME (ntpq_opt_strs+1431)
+#define PEERS_NAME (ntpq_opt_strs+1423)
/** Name string for the peers option */
-#define PEERS_name (ntpq_opt_strs+1437)
+#define PEERS_name (ntpq_opt_strs+1429)
/** Other options that appear in conjunction with the peers option */
static int const aPeersCantList[] = {
INDEX_OPT_INTERACTIVE, NO_EQUIVALENT };
@@ -272,11 +272,11 @@
* refid option description:
*/
/** Descriptive text for the refid option */
-#define REFID_DESC (ntpq_opt_strs+1443)
+#define REFID_DESC (ntpq_opt_strs+1435)
/** Upper-cased name for the refid option */
-#define REFID_NAME (ntpq_opt_strs+1483)
+#define REFID_NAME (ntpq_opt_strs+1475)
/** Name string for the refid option */
-#define REFID_name (ntpq_opt_strs+1489)
+#define REFID_name (ntpq_opt_strs+1481)
/** The compiled in default value for the refid option argument */
#define REFID_DFT_ARG ((char const*)REFID_IPV4)
/** Compiled in flag settings for the refid option */
@@ -287,11 +287,11 @@
* wide option description:
*/
/** Descriptive text for the wide option */
-#define WIDE_DESC (ntpq_opt_strs+1495)
+#define WIDE_DESC (ntpq_opt_strs+1487)
/** Upper-cased name for the wide option */
-#define WIDE_NAME (ntpq_opt_strs+1527)
+#define WIDE_NAME (ntpq_opt_strs+1519)
/** Name string for the wide option */
-#define WIDE_name (ntpq_opt_strs+1532)
+#define WIDE_name (ntpq_opt_strs+1524)
/** Compiled in flag settings for the wide option */
#define WIDE_FLAGS (OPTST_DISABLED)
@@ -298,11 +298,11 @@
/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (ntpq_opt_strs+1537)
-#define HELP_name (ntpq_opt_strs+1581)
+#define HELP_DESC (ntpq_opt_strs+1529)
+#define HELP_name (ntpq_opt_strs+1573)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (ntpq_opt_strs+1586)
-#define MORE_HELP_name (ntpq_opt_strs+1631)
+#define MORE_HELP_DESC (ntpq_opt_strs+1578)
+#define MORE_HELP_name (ntpq_opt_strs+1623)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC HELP_DESC
@@ -315,14 +315,14 @@
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (ntpq_opt_strs+1641)
-#define VER_name (ntpq_opt_strs+1677)
-#define SAVE_OPTS_DESC (ntpq_opt_strs+1685)
-#define SAVE_OPTS_name (ntpq_opt_strs+1724)
-#define LOAD_OPTS_DESC (ntpq_opt_strs+1734)
-#define LOAD_OPTS_NAME (ntpq_opt_strs+1766)
-#define NO_LOAD_OPTS_name (ntpq_opt_strs+1776)
-#define LOAD_OPTS_pfx (ntpq_opt_strs+1789)
+#define VER_DESC (ntpq_opt_strs+1633)
+#define VER_name (ntpq_opt_strs+1669)
+#define SAVE_OPTS_DESC (ntpq_opt_strs+1677)
+#define SAVE_OPTS_name (ntpq_opt_strs+1716)
+#define LOAD_OPTS_DESC (ntpq_opt_strs+1726)
+#define LOAD_OPTS_NAME (ntpq_opt_strs+1758)
+#define NO_LOAD_OPTS_name (ntpq_opt_strs+1768)
+#define LOAD_OPTS_pfx (ntpq_opt_strs+1781)
#define LOAD_OPTS_name (NO_LOAD_OPTS_name + 3)
/**
* Declare option callback procedures
@@ -543,24 +543,24 @@
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/** Reference to the upper cased version of ntpq. */
-#define zPROGNAME (ntpq_opt_strs+1792)
+#define zPROGNAME (ntpq_opt_strs+1784)
/** Reference to the title line for ntpq usage. */
-#define zUsageTitle (ntpq_opt_strs+1797)
+#define zUsageTitle (ntpq_opt_strs+1789)
/** ntpq configuration file name. */
-#define zRcName (ntpq_opt_strs+1925)
+#define zRcName (ntpq_opt_strs+1917)
/** Directories to search for ntpq config files. */
static char const * const apzHomeList[3] = {
- ntpq_opt_strs+1917,
- ntpq_opt_strs+1923,
+ ntpq_opt_strs+1909,
+ ntpq_opt_strs+1915,
NULL };
/** The ntpq program bug email address. */
-#define zBugsAddr (ntpq_opt_strs+1932)
+#define zBugsAddr (ntpq_opt_strs+1924)
/** Clarification/explanation of what ntpq does. */
#define zExplain (NULL)
/** Extra detail explaining what ntpq does. */
#define zDetail (NULL)
/** The full version string for ntpq. */
-#define zFullVersion (ntpq_opt_strs+1966)
+#define zFullVersion (ntpq_opt_strs+1958)
/* extracted from optcode.tlib near line 364 */
#if defined(ENABLE_NLS)
@@ -633,7 +633,7 @@
/* extracted from optmain.tlib near line 945 */
static char const * const names[2] = {
- ntpq_opt_strs+1980, ntpq_opt_strs+1045 };
+ ntpq_opt_strs+1972, ntpq_opt_strs+1041 };
if (pOptions <= OPTPROC_EMIT_LIMIT) {
(void) optionEnumerationVal(pOptions, pOptDesc, names, 2);
@@ -841,7 +841,7 @@
translate option names.
*/
/* referenced via ntpqOptions.pzCopyright */
- puts(_("ntpq 4.2.8p10\n\
+ puts(_("ntpq 4.2.8p11\n\
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\
This is free software. It is licensed for use, modification and\n\
redistribution under the terms of the NTP License, copies of which\n\
@@ -862,10 +862,10 @@
implied warranty.\n"));
/* referenced via ntpqOptions.pOptDesc->pzText */
- puts(_("Force IPv4 DNS name resolution"));
+ puts(_("Force IPv4 name resolution"));
/* referenced via ntpqOptions.pOptDesc->pzText */
- puts(_("Force IPv6 DNS name resolution"));
+ puts(_("Force IPv6 name resolution"));
/* referenced via ntpqOptions.pOptDesc->pzText */
puts(_("run a command and exit"));
@@ -910,11 +910,11 @@
puts(_("load options from a config file"));
/* referenced via ntpqOptions.pzUsageTitle */
- puts(_("ntpq - standard NTP query program - Ver. 4.2.8p10\n\
+ puts(_("ntpq - standard NTP query program - Ver. 4.2.8p11\n\
Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [ host ...]\n"));
/* referenced via ntpqOptions.pzFullVersion */
- puts(_("ntpq 4.2.8p10"));
+ puts(_("ntpq 4.2.8p11"));
/* referenced via ntpqOptions.pzFullUsage */
puts(_("<<<NOT-FOUND>>>"));
Index: contrib/ntp/ntpq/ntpq.1ntpqman
===================================================================
--- contrib/ntp/ntpq/ntpq.1ntpqman (版本 330566)
+++ contrib/ntp/ntpq/ntpq.1ntpqman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpq 1ntpqman "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpq 1ntpqman "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-P4aWgw/ag-p5aWew)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-D4aGRT/ag-Q4ayQT)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:26 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:22 PM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -31,15 +31,14 @@
.ne 2
.SH DESCRIPTION
+.sp \n(Ppu
+.ne 2
+
The
\f\*[B-Font]ntpq\fP
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -50,6 +49,9 @@
utility can also obtain and print a
list of peers in a common format by sending multiple queries to the
server.
+.sp \n(Ppu
+.ne 2
+
If one or more request options is included on the command line
when
\f\*[B-Font]ntpq\fP
@@ -67,6 +69,9 @@
\f\*[B-Font]ntpq\fP
utility will prompt for
commands if the standard input is a terminal device.
+.sp \n(Ppu
+.ne 2
+
\f\*[B-Font]ntpq\fP
uses NTP mode 6 packets to communicate with the
NTP server, and hence can be used to query any compatible server on
@@ -80,6 +85,21 @@
one attempt to retransmit requests, and will time requests out if
the remote host is not heard from within a suitable timeout
time.
+.sp \n(Ppu
+.ne 2
+
+Note that in contexts where a host name is expected, a
+\f\*[B-Font]\-4\f[]
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+\f\*[B-Font]\-6\f[]
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+\*[Lq]NTP Debugging Techniques\*[Rq]
+page.
+.sp \n(Ppu
+.ne 2
+
Specifying a
command line option other than
\f\*[B-Font]\-i\f[]
@@ -93,64 +113,65 @@
will attempt to read
interactive format commands from the standard input.
.SS "Internal Commands"
+.sp \n(Ppu
+.ne 2
+
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
uniquely identify the command need be typed.
+.sp \n(Ppu
+.ne 2
+
A
number of interactive format commands are executed entirely within
the
\f\*[B-Font]ntpq\fP
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
-.TP 20
-.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command_keyword\f[]]
+.TP 15
+.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command\f[]]
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command_keyword\f[]]
+.TP 15
+.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command\f[]]
A
\[oq]\&?\[cq]
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
\f\*[B-Font]ntpq\fP.
A
\[oq]\&?\[cq]
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-\f\*[B-Font]ntpq\fP
-than this manual
-page.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]variable_name\f[][\f\*[B-Font]=value\f[]] \f\*[B-Font]...\f[]
+.TP 15
+.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][,...]
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]variable_name\f[] \f\*[B-Font]...\f[]
+.TP 15
+.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]name\f[][,...]
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]clearvars\f[]
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]showvars\f[]
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-\[oq]variable_name=value\[cq],
+\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]],
where the
-\[oq]=value\[cq]
+.NOP \&=\f\*[I-Font]value\f[]
is ignored, and can be omitted,
in requests to the server to read variables.
The
\f\*[B-Font]ntpq\fP
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
\f\*[B-Font]readlist\f[]
and
\f\*[B-Font]writelist\f[]
@@ -165,7 +186,7 @@
\f\*[B-Font]rmvars\f[]
command can be used to remove individual variables from the list,
while the
-\f\*[B-Font]clearlist\f[]
+\f\*[B-Font]clearvars\f[]
command removes all variables from the
list.
The
@@ -173,33 +194,29 @@
command displays the current list of optional variables.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]authenticate\f[] [yes | no]
+.TP 15
+.NOP \f\*[B-Font]authenticate\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]]
Normally
\f\*[B-Font]ntpq\fP
does not authenticate requests unless
they are write requests.
The command
-\[oq]authenticate yes\[cq]
+\f\*[B-Font]authenticate\f[] \f\*[B-Font]yes\f[]
causes
\f\*[B-Font]ntpq\fP
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-\f\*[B-Font]peer\f[]
-display.
+requests slightly differently.
The command
-\[oq]authenticate\[cq]
+\f\*[B-Font]authenticate\f[]
causes
\f\*[B-Font]ntpq\fP
to display whether or not
-\f\*[B-Font]ntpq\fP
-is currently autheinticating requests.
+it is currently authenticating requests.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]cooked\f[]
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -208,19 +225,19 @@
values reformatted for human consumption.
Variables which
\f\*[B-Font]ntpq\fP
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
\[oq]\&?\[cq].
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[] | \f\*[B-Font]less\f[] | \f\*[B-Font]off\f[]]
+.TP 15
+.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[]|\f\*[B-Font]less\f[]|\f\*[B-Font]off\f[]]
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
+Otherwise, the debugging level is changed as indicated.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]delay\f[] \f\*[I-Font]milliseconds\f[]
+.TP 15
+.NOP \f\*[B-Font]delay\f[] [\f\*[I-Font]milliseconds\f[]]
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -229,23 +246,33 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
.br
.ns
-.TP 20
+.TP 15
+.NOP \f\*[B-Font]drefid\f[] [\f\*[B-Font]hash\f[]|\f\*[B-Font]ipv4\f[]]
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
+.br
+.ns
+.TP 15
.NOP \f\*[B-Font]exit\f[]
Exit
\f\*[B-Font]ntpq\fP.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]host\f[] \f\*[I-Font]hostname\f[]
+.TP 15
+.NOP \f\*[B-Font]host\f[] [\f\*[I-Font]name\f[]]
Set the host to which future queries will be sent.
-\f\*[I-Font]hostname\f[]
+The
+\f\*[I-Font]name\f[]
may be either a host name or a numeric address.
+Without any arguments, displays the current host.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[] | \f\*[B-Font]no\f[]]
+.TP 15
+.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]]
If
\f\*[B-Font]yes\f[]
is specified, host names are printed in
@@ -260,10 +287,12 @@
modified using the command line
\f\*[B-Font]\-n\f[]
switch.
+Without any arguments, displays whether host names or numeric addresses
+are shown.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]keyid\f[] \f\*[I-Font]keyid\f[]
+.TP 15
+.NOP \f\*[B-Font]keyid\f[] [\f\*[I-Font]keyid\f[]]
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -271,24 +300,26 @@
\f\*[B-Font]controlkey\f[]
key number the server has been configured to use for this
purpose.
+Without any arguments, displays the current
+\f\*[I-Font]keyid\f[].
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]keytype\f[] [\f\*[B-Font]md5\f[] | \f\*[B-Font]OpenSSLDigestType\f[]]
-Specify the type of key to use for authenticating requests.
-\f\*[B-Font]md5\f[]
-is alway supported.
+.TP 15
+.NOP \f\*[B-Font]keytype\f[] [\f\*[I-Font]digest\f[]]
+Specify the digest algorithm to use for authenticating requests, with default
+\f\*[B-Font]MD5\f[].
If
\f\*[B-Font]ntpq\fP
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+\f\*[I-Font]digest\f[]
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-\f\*[B-Font]keytype\f[]
-is displayed.
+\f\*[B-Font]keytype\f[] \f\*[I-Font]digest\f[]
+algorithm used is displayed.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[] | \f\*[B-Font]2\f[] | \f\*[B-Font]3\f[] | \f\*[B-Font]4\f[]]
+.TP 15
+.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[]|\f\*[B-Font]2\f[]|\f\*[B-Font]3\f[]|\f\*[B-Font]4\f[]]
Sets the NTP version number which
\f\*[B-Font]ntpq\fP
claims in
@@ -301,7 +332,7 @@
when communicating with servers.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]passwd\f[]
This command prompts you to type in a password (which will not
be echoed) which will be used to authenticate configuration
@@ -309,22 +340,23 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-.\" Not yet implemented.
-.\" .It Ic poll
-.\" .Op Ar n
-.\" .Op Ic verbose
-.\" Poll an NTP server in client mode
-.\" .Ar n
-.\" times.
.br
.ns
-.TP 20
+.TP 15
+.NOP \f\*[B-Font]poll\f[] [\f\*[I-Font]n\f[]] [\f\*[B-Font]verbose\f[]]
+Poll an NTP server in client mode
+\f\*[I-Font]n\f[]
+times.
+Poll not implemented yet.
+.br
+.ns
+.TP 15
.NOP \f\*[B-Font]quit\f[]
Exit
\f\*[B-Font]ntpq\fP.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]raw\f[]
Causes all output from query commands is printed as received
from the remote server.
@@ -333,11 +365,12 @@
understandable) form.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]timeout\f[] \f\*[I-Font]milliseconds\f[]
+.TP 15
+.NOP \f\*[B-Font]timeout\f[] [\f\*[I-Font]milliseconds\f[]]
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
\f\*[B-Font]ntpq\fP
retries each query once after a timeout, the total waiting time for
@@ -344,119 +377,202 @@
a timeout will be twice the timeout value set.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]version\f[]
-Print the version of the
+Display the version of the
\f\*[B-Font]ntpq\fP
program.
.PP
.SS "Control Message Commands"
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
-\f[C]peers\f[]
+\f\*[B-Font]peers\f[]
command, which sends a series of messages,
and the
-\f[C]mreadlist\f[]
+\f\*[B-Font]mreadlist\f[]
and
-\f[C]mreadvar\f[]
+\f\*[B-Font]mreadvar\f[]
commands, which iterate over a range of associations.
.TP 10
+.NOP \f\*[B-Font]apeers\f[]
+Display a list of peers in the form:
+.Dl [tally]remote refid assid st t when pool reach delay offset jitter
+where the output is just like the
+\f\*[B-Font]peers\f[]
+command except that the
+\f\*[B-Font]refid\f[]
+is displayed in hex format and the association number is also displayed.
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]associations\f[]
Display a list of mobilized associations in the form:
.Dl ind assid status conf reach auth condition last_event cnt
.RS
.IP \fB\(bu\fP 2
-.IP \fB\(bu\fP 2 \f[C]ind\f[] \f[C]Ta\f[] \f[C]index\f[] \f[C]on\f[] \f[C]this\f[] \f[C]list\f[]
-.IP \fB\(bu\fP 2 \f[C]assid\f[] \f[C]Ta\f[] \f[C]association\f[] \f[C]ID\f[]
-.IP \fB\(bu\fP 2 \f[C]status\f[] \f[C]Ta\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word\f[]
-.IP \fB\(bu\fP 2 \f[C]conf\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]persistent,\f[] \f[C]no\f[]: \f[C]ephemeral\f[]
-.IP \fB\(bu\fP 2 \f[C]reach\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]reachable,\f[] \f[C]no\f[]: \f[C]unreachable\f[]
-.IP \fB\(bu\fP 2 \f[C]auth\f[] \f[C]Ta\f[] \f[C]ok\f[], \f[C]yes\f[], \f[C]bad\f[] \f[C]and\f[] \f[C]none\f[]
-.IP \fB\(bu\fP 2 \f[C]condition\f[] \f[C]Ta\f[] \f[C]selection\f[] \f[C]status\f[] \f[C](see\f[] \f[C]the\f[] \f[C]select\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[]
-.IP \fB\(bu\fP 2 \f[C]last_event\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]report\f[] \f[C](see\f[] \f[C]the\f[] \f[C]event\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[]
-.IP \fB\(bu\fP 2 \f[C]cnt\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]count\f[] \f[C](see\f[] \f[C]the\f[] \f[C]count\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]ind\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]index\f[] \f\*[B-Font]on\f[] \f\*[B-Font]this\f[] \f\*[B-Font]list\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]assid\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]association\f[] \f\*[B-Font]id\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]status\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]conf\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]persistent,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]ephemeral\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]reach\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]reachable,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]unreachable\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]auth\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]ok\f[], \f\*[B-Font]yes\f[], \f\*[B-Font]bad\f[] \f\*[B-Font]No\f[] \f\*[B-Font]and\f[] \f\*[B-Font]none\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]condition\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]selection\f[] \f\*[B-Font]status\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]select\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]last_event\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]report\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]event\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]cnt\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]count\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]count\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[]
.RE
.br
.ns
.TP 10
.NOP \f\*[B-Font]authinfo\f[]
-Display the authentication statistics.
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]clockvar\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...]
+.NOP \f\*[B-Font]clocklist\f[] [\f\*[I-Font]associd\f[]]
.br
.ns
.TP 10
-.NOP \f\*[B-Font]cv\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...]
-Display a list of clock variables for those associations supporting a reference clock.
+.NOP \f\*[B-Font]cl\f[] [\f\*[I-Font]associd\f[]]
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]:config\f[] [...]
-Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
+.NOP \f\*[B-Font]clockvar\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...]
.br
.ns
.TP 10
+.NOP \f\*[B-Font]cv\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...]
+Display a list of clock variables for those associations supporting a
+reference clock.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]:config\f[] \f\*[I-Font]configuration command line\f[]
+Send the remainder of the command line, including whitespace, to the
+server as a run-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]config-from-file\f[] \f\*[I-Font]filename\f[]
-Send the each line of
+Send each line of
\f\*[I-Font]filename\f[]
-to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
.br
.ns
.TP 10
.NOP \f\*[B-Font]ifstats\f[]
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
.br
.ns
.TP 10
.NOP \f\*[B-Font]iostats\f[]
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
.br
.ns
.TP 10
.NOP \f\*[B-Font]kerninfo\f[]
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
.br
.ns
.TP 10
.NOP \f\*[B-Font]lassociations\f[]
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]]
-Obtain and print a list of all peers and clients showing
-\f\*[I-Font]dstadr\f[]
-(associated with any given IP version).
+.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]]
+Display a list of all peers and clients showing
+\f\*[B-Font]dstadr\f[]
+(associated with the given IP version).
.br
.ns
.TP 10
-.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]]
-Print a peer spreadsheet for the appropriate IP version(s).
-\f\*[I-Font]dstadr\f[]
-(associated with any given IP version).
+.NOP \f\*[B-Font]lpassociations\f[]
+Display the last obtained list of associations, including all clients.
.br
.ns
.TP 10
+.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]]
+Display a list of all peers and clients (associated with the given IP version).
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]monstats\f[]
-Display monitor facility statistics.
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]=\f\*[I-Font]hexmask\f[]]
-Obtain and print traffic counts collected and maintained by the monitor facility.
+.NOP \f\*[B-Font]mreadlist\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[]
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mrl\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[]
+Perform the same function as the
+\f\*[B-Font]readlist\f[]
+command for a range of association ids.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mreadvar\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...]
+This range may be determined from the list displayed by any
+command showing associations.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mrv\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...]
+Perform the same function as the
+\f\*[B-Font]readvar\f[]
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]\&=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]\&=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]\&=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]\&=\f\*[I-Font]hexmask\f[]]
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-\f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[],
+\f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[],
the options filter the list returned by
-\f\*[B-Font]ntpd.\f[]
+\fCntpd\f[]\fR(8)\f[].
The
\f\*[B-Font]limited\f[]
and
\f\*[B-Font]kod\f[]
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
\f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[]
option filters entries representing less than
@@ -477,12 +593,14 @@
\f\*[I-Font]sortorder\f[]
defaults to
\f\*[B-Font]lstint\f[]
-and may be any of
+and may be
\f\*[B-Font]addr\f[],
+\f\*[B-Font]avgint\f[],
\f\*[B-Font]count\f[],
-\f\*[B-Font]avgint\f[],
\f\*[B-Font]lstint\f[],
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+\[oq]\&-\[cq]
+to reverse the sort order.
The output columns are:
.RS
.TP 10
@@ -492,7 +610,8 @@
.ns
.TP 10
.NOP \f\*[B-Font]lstint\f[]
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
\f\*[B-Font]ntpq\fP.
.br
.ns
@@ -506,7 +625,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
\f\*[B-Font]restrict\f[]
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
.br
.ns
.TP 10
@@ -542,32 +662,18 @@
.ns
.TP 10
.NOP \f\*[B-Font]remote\f[] \f\*[B-Font]address\f[]
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
.RE
.br
.ns
.TP 10
-.NOP \f\*[B-Font]mreadvar\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ...
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]mrv\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ...
-Perform the same function as the
-\f\*[B-Font]readvar\f[]
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-\f\*[B-Font]associations\f[]
-command.
-.br
-.ns
-.TP 10
.NOP \f\*[B-Font]opeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]]
Obtain and print the old-style list of all peers and clients showing
-\f\*[I-Font]dstadr\f[]
-(associated with any given IP version),
+\f\*[B-Font]dstadr\f[]
+(associated with the given IP version),
rather than the
-\f\*[I-Font]refid\f[].
+\f\*[B-Font]refid\f[].
.br
.ns
.TP 10
@@ -599,22 +705,24 @@
.TP 10
.NOP \f\*[B-Font]remote\f[]
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+\f\*[B-Font]ntpq\fP
\f\*[B-Font]\-w\f[]
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
.br
.ns
.TP 10
.NOP \f\*[B-Font]refid\f[]
-association ID or
+source IP address or
.Lk decode.html#kiss "'kiss code"
.br
.ns
.TP 10
.NOP \f\*[B-Font]st\f[]
-stratum
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
.br
.ns
.TP 10
@@ -623,6 +731,8 @@
unicast or manycast client,
\f\*[B-Font]b\f[]:
broadcast or multicast client,
+\f\*[B-Font]p\f[]:
+pool source,
\f\*[B-Font]l\f[]:
local (reference clock),
\f\*[B-Font]s\f[]:
@@ -637,12 +747,15 @@
.ns
.TP 10
.NOP \f\*[B-Font]when\f[]
-sec/min/hr since last received packet
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+\[oq]\&-\[cq]
+if a packet has never been received
.br
.ns
.TP 10
.NOP \f\*[B-Font]poll\f[]
-poll interval (log2 s)
+poll interval (s)
.br
.ns
.TP 10
@@ -662,45 +775,41 @@
.ns
.TP 10
.NOP \f\*[B-Font]jitter\f[]
-jitter
+offset RMS error estimate.
.RE
.br
.ns
.TP 10
-.NOP \f\*[B-Font]apeers\f[]
-Display a list of peers in the form:
-.Dl [tally]remote refid assid st t when pool reach delay offset jitter
-where the output is just like the
-\f\*[B-Font]peers\f[]
-command except that the
-\f\*[B-Font]refid\f[]
-is displayed in hex format and the association number is also displayed.
+.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]associd\f[]
+Display the statistics for the peer with the given
+\f\*[I-Font]associd\f[]:
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]assocID\f[]
-Show the statistics for the peer with the given
-\f\*[I-Font]assocID\f[].
+.NOP \f\*[B-Font]readlist\f[] [\f\*[I-Font]associd\f[]]
.br
.ns
.TP 10
-.NOP \f\*[B-Font]readlist\f[] \f\*[I-Font]assocID\f[]
+.NOP \f\*[B-Font]rl\f[] [\f\*[I-Font]associd\f[]]
+Display all system or peer variables.
+If the
+\f\*[I-Font]associd\f[]
+is omitted, it is assumed to be zero.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]rl\f[] \f\*[I-Font]assocID\f[]
-Read the system or peer variables included in the variable list.
+.NOP \f\*[B-Font]readvar\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]]
.br
.ns
.TP 10
-.NOP \f\*[B-Font]readvar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]rv\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]
-Display the specified variables.
+.NOP \f\*[B-Font]rv\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]]
+Display the specified system or peer variables.
If
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is zero, the variables are from the
\fISystem\f[] \fIVariables\f[]
name space, otherwise they are from the
@@ -707,50 +816,59 @@
\fIPeer\f[] \fIVariables\f[]
name space.
The
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is required, as the same name can occur in both spaces.
If no
\f\*[I-Font]name\f[]
is included, all operative variables in the name space are displayed.
In this case only, if the
-\f\*[I-Font]assocID\f[]
-is omitted, it is assumed zero.
+\f\*[I-Font]associd\f[]
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts-per-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+\f\*[I-Font]YYYY\f[]\f\*[I-Font]MM\f[] \f\*[I-Font]DD\f[] \f\*[I-Font]TTTT\f[],
+where
+\f\*[I-Font]YYYY\f[]
+is the year,
+\f\*[I-Font]MM\f[]
+the month of year,
+\f\*[I-Font]DD\f[]
+the day of month and
+\f\*[I-Font]TTTT\f[]
+the time of day.
.br
.ns
.TP 10
.NOP \f\*[B-Font]reslist\f[]
-Show the access control (restrict) list for
+Display the access control (restrict) list for
\f\*[B-Font]ntpq\fP.
+Authentication is required.
.br
.ns
.TP 10
.NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[]
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
\f\*[B-Font]:config\f[]
or
\f\*[B-Font]config-from-file\f[],
-to the ntpd host's file
+to the NTP server host file
\f\*[I-Font]filename\f[].
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-\f\*[B-Font]ntpd\f[]
+\fCntpd\f[]\fR(8)\f[]
configuration file.
\f\*[I-Font]filename\f[]
can use
-\fCstrftime\f[]\fR()\f[]
-format specifies to substitute the current date and time, for example,
-\f\*[B-Font]q]saveconfig\f[] \f\*[B-Font]ntp-%Y%m%d-%H%M%S.confq]\f[].
+\fCdate\f[]\fR(1)\f[]
+format specifiers to substitute the current date and time, for
+example,
+.in +4
+\f\*[B-Font]saveconfig\f[] \fIntp-%Y%m%d-%H%M%S.conf\f[].
+.in -4
The filename used is stored in system variable
\f\*[B-Font]savedconfig\f[].
Authentication is required.
@@ -757,20 +875,40 @@
.br
.ns
.TP 10
+.NOP \f\*[B-Font]sysinfo\f[]
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]sysstats\f[]
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]timerstats\f[]
-Display interval timer counters.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]assocID\f[]
-Write the system or peer variables included in the variable list.
+.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]associd\f[]
+Set all system or peer variables included in the variable list.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...]
-Write the specified variables.
+.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]associd\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...]
+Set the specified variables in the variable list.
If the
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is zero, the variables are from the
\fISystem\f[] \fIVariables\f[]
name space, otherwise they are from the
@@ -777,18 +915,9 @@
\fIPeer\f[] \fIVariables\f[]
name space.
The
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is required, as the same name can occur in both spaces.
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]sysinfo\f[]
-Display operational summary.
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]sysstats\f[]
-Print statistics counters maintained in the protocol module.
+Authentication is required.
.PP
.SS Status Words and Kiss Codes
The current state of the operating program is shown
@@ -795,10 +924,10 @@
in a set of status words
maintained by the system.
Status information is also available on a per-association basis.
-These words are displayed in the
-\f\*[B-Font]rv\f[]
+These words are displayed by the
+\f\*[B-Font]readlist\f[]
and
-\f\*[B-Font]as\f[]
+\f\*[B-Font]associations\f[]
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -817,9 +946,12 @@
in the reference identifier field in various billboards.
.SS System Variables
The following system variables appear in the
-\f\*[B-Font]rv\f[]
+\f\*[B-Font]readlist\f[]
billboard.
Not all variables are displayed in some configurations.
+.sp \n(Ppu
+.ne 2
+
.TP 10
.NOP Variable
Description
@@ -871,49 +1003,49 @@
.br
.ns
.TP 10
-.NOP \f\*[B-Font]peer\f[]
-system peer association ID
+.NOP \f\*[B-Font]refid\f[]
+reference id or
+.Lk decode.html#kiss "kiss code"
.br
.ns
.TP 10
-.NOP \f\*[B-Font]tc\f[]
-time constant and poll exponent (log2 s) (3-17)
+.NOP \f\*[B-Font]reftime\f[]
+reference time
.br
.ns
.TP 10
-.NOP \f\*[B-Font]mintc\f[]
-minimum time constant (log2 s) (3-10)
+.NOP \f\*[B-Font]clock\f[]
+date and time of day
.br
.ns
.TP 10
-.NOP \f\*[B-Font]clock\f[]
-date and time of day
+.NOP \f\*[B-Font]peer\f[]
+system peer association id
.br
.ns
.TP 10
-.NOP \f\*[B-Font]refid\f[]
-reference ID or
-.Lk decode.html#kiss "kiss code"
+.NOP \f\*[B-Font]tc\f[]
+time constant and poll exponent (log2 s) (3-17)
.br
.ns
.TP 10
-.NOP \f\*[B-Font]reftime\f[]
-reference time
+.NOP \f\*[B-Font]mintc\f[]
+minimum time constant (log2 s) (3-10)
.br
.ns
.TP 10
.NOP \f\*[B-Font]offset\f[]
-combined offset of server relative to this host
+combined offset of server relative to this host
.br
.ns
.TP 10
-.NOP \f\*[B-Font]sys_jitter\f[]
-combined system jitter
+.NOP \f\*[B-Font]frequency\f[]
+frequency drift (PPM) relative to hardware clock
.br
.ns
.TP 10
-.NOP \f\*[B-Font]frequency\f[]
-frequency offset (PPM) relative to hardware clock
+.NOP \f\*[B-Font]sys_jitter\f[]
+combined system jitter
.br
.ns
.TP 10
@@ -996,9 +1128,12 @@
.PP
.SS Peer Variables
The following peer variables appear in the
-\f\*[B-Font]rv\f[]
+\f\*[B-Font]readlist\f[]
billboard for each association.
Not all variables are displayed in some configurations.
+.sp \n(Ppu
+.ne 2
+
.TP 10
.NOP Variable
Description
@@ -1006,7 +1141,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]associd\f[]
-association ID
+association id
.br
.ns
.TP 10
@@ -1061,7 +1196,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]refid\f[]
-reference ID or
+reference id or
.Lk decode.html#kiss "kiss code"
.br
.ns
@@ -1071,6 +1206,11 @@
.br
.ns
.TP 10
+.NOP \f\*[B-Font]rec\f[]
+last packet received time
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]reach\f[]
reach register (octal)
.br
@@ -1112,6 +1252,11 @@
.br
.ns
.TP 10
+.NOP \f\*[B-Font]keyid\f[]
+symmetric key id
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]offset\f[]
filter offset
.br
@@ -1132,11 +1277,6 @@
.br
.ns
.TP 10
-.NOP \f\*[B-Font]ident\f[]
-Autokey group name for this association
-.br
-.ns
-.TP 10
.NOP \f\*[B-Font]bias\f[]
unicast/broadcast bias
.br
@@ -1150,7 +1290,8 @@
\f\*[B-Font]bias\f[]
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
\f\*[B-Font]xleave\f[]
variable appears only for the interleaved symmetric and interleaved modes.
@@ -1188,7 +1329,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]initsequence\f[]
-initial key ID
+initial key id
.br
.ns
.TP 10
@@ -1199,10 +1340,15 @@
.TP 10
.NOP \f\*[B-Font]timestamp\f[]
Autokey signature timestamp
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]ident\f[]
+Autokey group name for this association
.PP
.SS Clock Variables
The following clock variables appear in the
-\f\*[B-Font]cv\f[]
+\f\*[B-Font]clocklist\f[]
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
.TP 10
@@ -1212,7 +1358,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]associd\f[]
-association ID
+association id
.br
.ns
.TP 10
@@ -1267,7 +1413,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]refid\f[]
-driver reference ID
+driver reference id
.br
.ns
.TP 10
@@ -1277,19 +1423,19 @@
.SH "OPTIONS"
.TP
.NOP \f\*[B-Font]\-4\f[], \f\*[B-Font]\-\-ipv4\f[]
-Force IPv4 DNS name resolution.
+Force IPv4 name resolution.
This option must not appear in combination with any of the following options:
ipv6.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv4 namespace.
.TP
.NOP \f\*[B-Font]\-6\f[], \f\*[B-Font]\-\-ipv6\f[]
-Force IPv6 DNS name resolution.
+Force IPv6 name resolution.
This option must not appear in combination with any of the following options:
ipv4.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv6 namespace.
.TP
.NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]cmd\f[], \f\*[B-Font]\-\-command\f[]=\f\*[I-Font]cmd\f[]
@@ -1324,7 +1470,7 @@
numeric host addresses.
.sp
Output all host addresses in dotted-quad numeric format rather than
-converting to the canonical host names.
+converting to the canonical host names.
.TP
.NOP \f\*[B-Font]\-\-old\-rv\f[]
Always output status line with readvar.
Index: contrib/ntp/ntpq/ntpq.man.in
===================================================================
--- contrib/ntp/ntpq/ntpq.man.in (版本 330566)
+++ contrib/ntp/ntpq/ntpq.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpq @NTPQ_MS@ "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpq @NTPQ_MS@ "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-P4aWgw/ag-p5aWew)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-D4aGRT/ag-Q4ayQT)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:26 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:22 PM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -31,15 +31,14 @@
.ne 2
.SH DESCRIPTION
+.sp \n(Ppu
+.ne 2
+
The
\f\*[B-Font]ntpq\fP
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -50,6 +49,9 @@
utility can also obtain and print a
list of peers in a common format by sending multiple queries to the
server.
+.sp \n(Ppu
+.ne 2
+
If one or more request options is included on the command line
when
\f\*[B-Font]ntpq\fP
@@ -67,6 +69,9 @@
\f\*[B-Font]ntpq\fP
utility will prompt for
commands if the standard input is a terminal device.
+.sp \n(Ppu
+.ne 2
+
\f\*[B-Font]ntpq\fP
uses NTP mode 6 packets to communicate with the
NTP server, and hence can be used to query any compatible server on
@@ -80,6 +85,21 @@
one attempt to retransmit requests, and will time requests out if
the remote host is not heard from within a suitable timeout
time.
+.sp \n(Ppu
+.ne 2
+
+Note that in contexts where a host name is expected, a
+\f\*[B-Font]\-4\f[]
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+\f\*[B-Font]\-6\f[]
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+\*[Lq]NTP Debugging Techniques\*[Rq]
+page.
+.sp \n(Ppu
+.ne 2
+
Specifying a
command line option other than
\f\*[B-Font]\-i\f[]
@@ -93,64 +113,65 @@
will attempt to read
interactive format commands from the standard input.
.SS "Internal Commands"
+.sp \n(Ppu
+.ne 2
+
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
uniquely identify the command need be typed.
+.sp \n(Ppu
+.ne 2
+
A
number of interactive format commands are executed entirely within
the
\f\*[B-Font]ntpq\fP
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
-.TP 20
-.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command_keyword\f[]]
+.TP 15
+.NOP \f\*[B-Font]?\f[] [\f\*[I-Font]command\f[]]
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command_keyword\f[]]
+.TP 15
+.NOP \f\*[B-Font]help\f[] [\f\*[I-Font]command\f[]]
A
\[oq]\&?\[cq]
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
\f\*[B-Font]ntpq\fP.
A
\[oq]\&?\[cq]
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-\f\*[B-Font]ntpq\fP
-than this manual
-page.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]variable_name\f[][\f\*[B-Font]=value\f[]] \f\*[B-Font]...\f[]
+.TP 15
+.NOP \f\*[B-Font]addvars\f[] \f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][,...]
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]variable_name\f[] \f\*[B-Font]...\f[]
+.TP 15
+.NOP \f\*[B-Font]rmvars\f[] \f\*[I-Font]name\f[][,...]
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]clearvars\f[]
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]showvars\f[]
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-\[oq]variable_name=value\[cq],
+\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]],
where the
-\[oq]=value\[cq]
+.NOP \&=\f\*[I-Font]value\f[]
is ignored, and can be omitted,
in requests to the server to read variables.
The
\f\*[B-Font]ntpq\fP
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
\f\*[B-Font]readlist\f[]
and
\f\*[B-Font]writelist\f[]
@@ -165,7 +186,7 @@
\f\*[B-Font]rmvars\f[]
command can be used to remove individual variables from the list,
while the
-\f\*[B-Font]clearlist\f[]
+\f\*[B-Font]clearvars\f[]
command removes all variables from the
list.
The
@@ -173,33 +194,29 @@
command displays the current list of optional variables.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]authenticate\f[] [yes | no]
+.TP 15
+.NOP \f\*[B-Font]authenticate\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]]
Normally
\f\*[B-Font]ntpq\fP
does not authenticate requests unless
they are write requests.
The command
-\[oq]authenticate yes\[cq]
+\f\*[B-Font]authenticate\f[] \f\*[B-Font]yes\f[]
causes
\f\*[B-Font]ntpq\fP
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-\f\*[B-Font]peer\f[]
-display.
+requests slightly differently.
The command
-\[oq]authenticate\[cq]
+\f\*[B-Font]authenticate\f[]
causes
\f\*[B-Font]ntpq\fP
to display whether or not
-\f\*[B-Font]ntpq\fP
-is currently autheinticating requests.
+it is currently authenticating requests.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]cooked\f[]
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -208,19 +225,19 @@
values reformatted for human consumption.
Variables which
\f\*[B-Font]ntpq\fP
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
\[oq]\&?\[cq].
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[] | \f\*[B-Font]less\f[] | \f\*[B-Font]off\f[]]
+.TP 15
+.NOP \f\*[B-Font]debug\f[] [\f\*[B-Font]more\f[]|\f\*[B-Font]less\f[]|\f\*[B-Font]off\f[]]
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
+Otherwise, the debugging level is changed as indicated.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]delay\f[] \f\*[I-Font]milliseconds\f[]
+.TP 15
+.NOP \f\*[B-Font]delay\f[] [\f\*[I-Font]milliseconds\f[]]
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -229,23 +246,33 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
.br
.ns
-.TP 20
+.TP 15
+.NOP \f\*[B-Font]drefid\f[] [\f\*[B-Font]hash\f[]|\f\*[B-Font]ipv4\f[]]
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
+.br
+.ns
+.TP 15
.NOP \f\*[B-Font]exit\f[]
Exit
\f\*[B-Font]ntpq\fP.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]host\f[] \f\*[I-Font]hostname\f[]
+.TP 15
+.NOP \f\*[B-Font]host\f[] [\f\*[I-Font]name\f[]]
Set the host to which future queries will be sent.
-\f\*[I-Font]hostname\f[]
+The
+\f\*[I-Font]name\f[]
may be either a host name or a numeric address.
+Without any arguments, displays the current host.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[] | \f\*[B-Font]no\f[]]
+.TP 15
+.NOP \f\*[B-Font]hostnames\f[] [\f\*[B-Font]yes\f[]|\f\*[B-Font]no\f[]]
If
\f\*[B-Font]yes\f[]
is specified, host names are printed in
@@ -260,10 +287,12 @@
modified using the command line
\f\*[B-Font]\-n\f[]
switch.
+Without any arguments, displays whether host names or numeric addresses
+are shown.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]keyid\f[] \f\*[I-Font]keyid\f[]
+.TP 15
+.NOP \f\*[B-Font]keyid\f[] [\f\*[I-Font]keyid\f[]]
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -271,24 +300,26 @@
\f\*[B-Font]controlkey\f[]
key number the server has been configured to use for this
purpose.
+Without any arguments, displays the current
+\f\*[I-Font]keyid\f[].
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]keytype\f[] [\f\*[B-Font]md5\f[] | \f\*[B-Font]OpenSSLDigestType\f[]]
-Specify the type of key to use for authenticating requests.
-\f\*[B-Font]md5\f[]
-is alway supported.
+.TP 15
+.NOP \f\*[B-Font]keytype\f[] [\f\*[I-Font]digest\f[]]
+Specify the digest algorithm to use for authenticating requests, with default
+\f\*[B-Font]MD5\f[].
If
\f\*[B-Font]ntpq\fP
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+\f\*[I-Font]digest\f[]
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-\f\*[B-Font]keytype\f[]
-is displayed.
+\f\*[B-Font]keytype\f[] \f\*[I-Font]digest\f[]
+algorithm used is displayed.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[] | \f\*[B-Font]2\f[] | \f\*[B-Font]3\f[] | \f\*[B-Font]4\f[]]
+.TP 15
+.NOP \f\*[B-Font]ntpversion\f[] [\f\*[B-Font]1\f[]|\f\*[B-Font]2\f[]|\f\*[B-Font]3\f[]|\f\*[B-Font]4\f[]]
Sets the NTP version number which
\f\*[B-Font]ntpq\fP
claims in
@@ -301,7 +332,7 @@
when communicating with servers.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]passwd\f[]
This command prompts you to type in a password (which will not
be echoed) which will be used to authenticate configuration
@@ -309,22 +340,23 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-.\" Not yet implemented.
-.\" .It Ic poll
-.\" .Op Ar n
-.\" .Op Ic verbose
-.\" Poll an NTP server in client mode
-.\" .Ar n
-.\" times.
.br
.ns
-.TP 20
+.TP 15
+.NOP \f\*[B-Font]poll\f[] [\f\*[I-Font]n\f[]] [\f\*[B-Font]verbose\f[]]
+Poll an NTP server in client mode
+\f\*[I-Font]n\f[]
+times.
+Poll not implemented yet.
+.br
+.ns
+.TP 15
.NOP \f\*[B-Font]quit\f[]
Exit
\f\*[B-Font]ntpq\fP.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]raw\f[]
Causes all output from query commands is printed as received
from the remote server.
@@ -333,11 +365,12 @@
understandable) form.
.br
.ns
-.TP 20
-.NOP \f\*[B-Font]timeout\f[] \f\*[I-Font]milliseconds\f[]
+.TP 15
+.NOP \f\*[B-Font]timeout\f[] [\f\*[I-Font]milliseconds\f[]]
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
\f\*[B-Font]ntpq\fP
retries each query once after a timeout, the total waiting time for
@@ -344,119 +377,202 @@
a timeout will be twice the timeout value set.
.br
.ns
-.TP 20
+.TP 15
.NOP \f\*[B-Font]version\f[]
-Print the version of the
+Display the version of the
\f\*[B-Font]ntpq\fP
program.
.PP
.SS "Control Message Commands"
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
-\f[C]peers\f[]
+\f\*[B-Font]peers\f[]
command, which sends a series of messages,
and the
-\f[C]mreadlist\f[]
+\f\*[B-Font]mreadlist\f[]
and
-\f[C]mreadvar\f[]
+\f\*[B-Font]mreadvar\f[]
commands, which iterate over a range of associations.
.TP 10
+.NOP \f\*[B-Font]apeers\f[]
+Display a list of peers in the form:
+.Dl [tally]remote refid assid st t when pool reach delay offset jitter
+where the output is just like the
+\f\*[B-Font]peers\f[]
+command except that the
+\f\*[B-Font]refid\f[]
+is displayed in hex format and the association number is also displayed.
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]associations\f[]
Display a list of mobilized associations in the form:
.Dl ind assid status conf reach auth condition last_event cnt
.RS
.IP \fB\(bu\fP 2
-.IP \fB\(bu\fP 2 \f[C]ind\f[] \f[C]Ta\f[] \f[C]index\f[] \f[C]on\f[] \f[C]this\f[] \f[C]list\f[]
-.IP \fB\(bu\fP 2 \f[C]assid\f[] \f[C]Ta\f[] \f[C]association\f[] \f[C]ID\f[]
-.IP \fB\(bu\fP 2 \f[C]status\f[] \f[C]Ta\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word\f[]
-.IP \fB\(bu\fP 2 \f[C]conf\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]persistent,\f[] \f[C]no\f[]: \f[C]ephemeral\f[]
-.IP \fB\(bu\fP 2 \f[C]reach\f[] \f[C]Ta\f[] \f[C]yes\f[]: \f[C]reachable,\f[] \f[C]no\f[]: \f[C]unreachable\f[]
-.IP \fB\(bu\fP 2 \f[C]auth\f[] \f[C]Ta\f[] \f[C]ok\f[], \f[C]yes\f[], \f[C]bad\f[] \f[C]and\f[] \f[C]none\f[]
-.IP \fB\(bu\fP 2 \f[C]condition\f[] \f[C]Ta\f[] \f[C]selection\f[] \f[C]status\f[] \f[C](see\f[] \f[C]the\f[] \f[C]select\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[]
-.IP \fB\(bu\fP 2 \f[C]last_event\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]report\f[] \f[C](see\f[] \f[C]the\f[] \f[C]event\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[]
-.IP \fB\(bu\fP 2 \f[C]cnt\f[] \f[C]Ta\f[] \f[C]event\f[] \f[C]count\f[] \f[C](see\f[] \f[C]the\f[] \f[C]count\f[] \f[C]field\f[] \f[C]of\f[] \f[C]the\f[] \f[C]peer\f[] \f[C]status\f[] \f[C]word)\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]ind\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]index\f[] \f\*[B-Font]on\f[] \f\*[B-Font]this\f[] \f\*[B-Font]list\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]assid\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]association\f[] \f\*[B-Font]id\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]status\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]conf\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]persistent,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]ephemeral\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]reach\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]yes\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]reachable,\f[] \f\*[B-Font]no\f[]: \f\*[B-Font]No\f[] \f\*[B-Font]unreachable\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]auth\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]ok\f[], \f\*[B-Font]yes\f[], \f\*[B-Font]bad\f[] \f\*[B-Font]No\f[] \f\*[B-Font]and\f[] \f\*[B-Font]none\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]condition\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]selection\f[] \f\*[B-Font]status\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]select\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]last_event\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]report\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]event\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[]
+.IP \fB\(bu\fP 2 \f\*[B-Font]cnt\f[] \f\*[B-Font]Ta\f[] \f\*[B-Font]event\f[] \f\*[B-Font]count\f[] \f\*[B-Font]\&(see\f[] \f\*[B-Font]the\f[] \f\*[B-Font]count\f[] \f\*[B-Font]No\f[] \f\*[B-Font]field\f[] \f\*[B-Font]of\f[] \f\*[B-Font]the\f[] \f\*[B-Font]peer\f[] \f\*[B-Font]status\f[] \f\*[B-Font]word\&)\f[]
.RE
.br
.ns
.TP 10
.NOP \f\*[B-Font]authinfo\f[]
-Display the authentication statistics.
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]clockvar\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...]
+.NOP \f\*[B-Font]clocklist\f[] [\f\*[I-Font]associd\f[]]
.br
.ns
.TP 10
-.NOP \f\*[B-Font]cv\f[] \f\*[I-Font]assocID\f[] [\f\*[I-Font]name\f[][\f\*[B-Font]=\f[]\f\*[I-Font]value\f[]] [] ...]
-Display a list of clock variables for those associations supporting a reference clock.
+.NOP \f\*[B-Font]cl\f[] [\f\*[I-Font]associd\f[]]
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]:config\f[] [...]
-Send the remainder of the command line, including whitespace, to the server as a run-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
+.NOP \f\*[B-Font]clockvar\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...]
.br
.ns
.TP 10
+.NOP \f\*[B-Font]cv\f[] [\f\*[I-Font]associd\f[]] [\f\*[I-Font]name\f[][\&=\f\*[I-Font]value\f[]][] ,...]
+Display a list of clock variables for those associations supporting a
+reference clock.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]:config\f[] \f\*[I-Font]configuration command line\f[]
+Send the remainder of the command line, including whitespace, to the
+server as a run-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]config-from-file\f[] \f\*[I-Font]filename\f[]
-Send the each line of
+Send each line of
\f\*[I-Font]filename\f[]
-to the server as run-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
.br
.ns
.TP 10
.NOP \f\*[B-Font]ifstats\f[]
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
.br
.ns
.TP 10
.NOP \f\*[B-Font]iostats\f[]
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
.br
.ns
.TP 10
.NOP \f\*[B-Font]kerninfo\f[]
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
.br
.ns
.TP 10
.NOP \f\*[B-Font]lassociations\f[]
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]]
-Obtain and print a list of all peers and clients showing
-\f\*[I-Font]dstadr\f[]
-(associated with any given IP version).
+.NOP \f\*[B-Font]lopeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]]
+Display a list of all peers and clients showing
+\f\*[B-Font]dstadr\f[]
+(associated with the given IP version).
.br
.ns
.TP 10
-.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]]
-Print a peer spreadsheet for the appropriate IP version(s).
-\f\*[I-Font]dstadr\f[]
-(associated with any given IP version).
+.NOP \f\*[B-Font]lpassociations\f[]
+Display the last obtained list of associations, including all clients.
.br
.ns
.TP 10
+.NOP \f\*[B-Font]lpeers\f[] [\f\*[B-Font]\-4\f[]|\f\*[B-Font]\-6\f[]]
+Display a list of all peers and clients (associated with the given IP version).
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]monstats\f[]
-Display monitor facility statistics.
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]=\f\*[I-Font]hexmask\f[]]
-Obtain and print traffic counts collected and maintained by the monitor facility.
+.NOP \f\*[B-Font]mreadlist\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[]
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mrl\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[]
+Perform the same function as the
+\f\*[B-Font]readlist\f[]
+command for a range of association ids.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mreadvar\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...]
+This range may be determined from the list displayed by any
+command showing associations.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mrv\f[] \f\*[I-Font]associdlo\f[] \f\*[I-Font]associdhi\f[] [\f\*[I-Font]name\f[]][,...]
+Perform the same function as the
+\f\*[B-Font]readvar\f[]
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]mrulist\f[] [\f\*[B-Font]limited\f[] | \f\*[B-Font]kod\f[] | \f\*[B-Font]mincount\f[]\&=\f\*[I-Font]count\f[] | \f\*[B-Font]laddr\f[]\&=\f\*[I-Font]localaddr\f[] | \f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[] | \f\*[B-Font]resany\f[]\&=\f\*[I-Font]hexmask\f[] | \f\*[B-Font]resall\f[]\&=\f\*[I-Font]hexmask\f[]]
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-\f\*[B-Font]sort\f[]=\f\*[I-Font]sortorder\f[],
+\f\*[B-Font]sort\f[]\&=[\&-]\f\*[I-Font]sortorder\f[],
the options filter the list returned by
-\f\*[B-Font]ntpd.\f[]
+\fCntpd\f[]\fR(8)\f[].
The
\f\*[B-Font]limited\f[]
and
\f\*[B-Font]kod\f[]
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
\f\*[B-Font]mincount\f[]=\f\*[I-Font]count\f[]
option filters entries representing less than
@@ -477,12 +593,14 @@
\f\*[I-Font]sortorder\f[]
defaults to
\f\*[B-Font]lstint\f[]
-and may be any of
+and may be
\f\*[B-Font]addr\f[],
+\f\*[B-Font]avgint\f[],
\f\*[B-Font]count\f[],
-\f\*[B-Font]avgint\f[],
\f\*[B-Font]lstint\f[],
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+\[oq]\&-\[cq]
+to reverse the sort order.
The output columns are:
.RS
.TP 10
@@ -492,7 +610,8 @@
.ns
.TP 10
.NOP \f\*[B-Font]lstint\f[]
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
\f\*[B-Font]ntpq\fP.
.br
.ns
@@ -506,7 +625,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
\f\*[B-Font]restrict\f[]
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
.br
.ns
.TP 10
@@ -542,32 +662,18 @@
.ns
.TP 10
.NOP \f\*[B-Font]remote\f[] \f\*[B-Font]address\f[]
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
.RE
.br
.ns
.TP 10
-.NOP \f\*[B-Font]mreadvar\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ...
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]mrv\f[] \f\*[B-Font]assocID\f[] \f\*[B-Font]assocID\f[] [\f\*[I-Font]variable_name\f[][=\f\*[I-Font]value\f[]]] ...
-Perform the same function as the
-\f\*[B-Font]readvar\f[]
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-\f\*[B-Font]associations\f[]
-command.
-.br
-.ns
-.TP 10
.NOP \f\*[B-Font]opeers\f[] [\f\*[B-Font]\-4\f[] | \f\*[B-Font]\-6\f[]]
Obtain and print the old-style list of all peers and clients showing
-\f\*[I-Font]dstadr\f[]
-(associated with any given IP version),
+\f\*[B-Font]dstadr\f[]
+(associated with the given IP version),
rather than the
-\f\*[I-Font]refid\f[].
+\f\*[B-Font]refid\f[].
.br
.ns
.TP 10
@@ -599,22 +705,24 @@
.TP 10
.NOP \f\*[B-Font]remote\f[]
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+\f\*[B-Font]ntpq\fP
\f\*[B-Font]\-w\f[]
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
.br
.ns
.TP 10
.NOP \f\*[B-Font]refid\f[]
-association ID or
+source IP address or
.Lk decode.html#kiss "'kiss code"
.br
.ns
.TP 10
.NOP \f\*[B-Font]st\f[]
-stratum
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
.br
.ns
.TP 10
@@ -623,6 +731,8 @@
unicast or manycast client,
\f\*[B-Font]b\f[]:
broadcast or multicast client,
+\f\*[B-Font]p\f[]:
+pool source,
\f\*[B-Font]l\f[]:
local (reference clock),
\f\*[B-Font]s\f[]:
@@ -637,12 +747,15 @@
.ns
.TP 10
.NOP \f\*[B-Font]when\f[]
-sec/min/hr since last received packet
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+\[oq]\&-\[cq]
+if a packet has never been received
.br
.ns
.TP 10
.NOP \f\*[B-Font]poll\f[]
-poll interval (log2 s)
+poll interval (s)
.br
.ns
.TP 10
@@ -662,45 +775,41 @@
.ns
.TP 10
.NOP \f\*[B-Font]jitter\f[]
-jitter
+offset RMS error estimate.
.RE
.br
.ns
.TP 10
-.NOP \f\*[B-Font]apeers\f[]
-Display a list of peers in the form:
-.Dl [tally]remote refid assid st t when pool reach delay offset jitter
-where the output is just like the
-\f\*[B-Font]peers\f[]
-command except that the
-\f\*[B-Font]refid\f[]
-is displayed in hex format and the association number is also displayed.
+.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]associd\f[]
+Display the statistics for the peer with the given
+\f\*[I-Font]associd\f[]:
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]pstats\f[] \f\*[I-Font]assocID\f[]
-Show the statistics for the peer with the given
-\f\*[I-Font]assocID\f[].
+.NOP \f\*[B-Font]readlist\f[] [\f\*[I-Font]associd\f[]]
.br
.ns
.TP 10
-.NOP \f\*[B-Font]readlist\f[] \f\*[I-Font]assocID\f[]
+.NOP \f\*[B-Font]rl\f[] [\f\*[I-Font]associd\f[]]
+Display all system or peer variables.
+If the
+\f\*[I-Font]associd\f[]
+is omitted, it is assumed to be zero.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]rl\f[] \f\*[I-Font]assocID\f[]
-Read the system or peer variables included in the variable list.
+.NOP \f\*[B-Font]readvar\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]]
.br
.ns
.TP 10
-.NOP \f\*[B-Font]readvar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]rv\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]
-Display the specified variables.
+.NOP \f\*[B-Font]rv\f[] [\f\*[I-Font]associd\f[] \f\*[I-Font]name\f[][=\f\*[I-Font]value\f[]] [, ...]]
+Display the specified system or peer variables.
If
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is zero, the variables are from the
\fISystem\f[] \fIVariables\f[]
name space, otherwise they are from the
@@ -707,50 +816,59 @@
\fIPeer\f[] \fIVariables\f[]
name space.
The
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is required, as the same name can occur in both spaces.
If no
\f\*[I-Font]name\f[]
is included, all operative variables in the name space are displayed.
In this case only, if the
-\f\*[I-Font]assocID\f[]
-is omitted, it is assumed zero.
+\f\*[I-Font]associd\f[]
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts-per-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+\f\*[I-Font]YYYY\f[]\f\*[I-Font]MM\f[] \f\*[I-Font]DD\f[] \f\*[I-Font]TTTT\f[],
+where
+\f\*[I-Font]YYYY\f[]
+is the year,
+\f\*[I-Font]MM\f[]
+the month of year,
+\f\*[I-Font]DD\f[]
+the day of month and
+\f\*[I-Font]TTTT\f[]
+the time of day.
.br
.ns
.TP 10
.NOP \f\*[B-Font]reslist\f[]
-Show the access control (restrict) list for
+Display the access control (restrict) list for
\f\*[B-Font]ntpq\fP.
+Authentication is required.
.br
.ns
.TP 10
.NOP \f\*[B-Font]saveconfig\f[] \f\*[I-Font]filename\f[]
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
\f\*[B-Font]:config\f[]
or
\f\*[B-Font]config-from-file\f[],
-to the ntpd host's file
+to the NTP server host file
\f\*[I-Font]filename\f[].
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-\f\*[B-Font]ntpd\f[]
+\fCntpd\f[]\fR(8)\f[]
configuration file.
\f\*[I-Font]filename\f[]
can use
-\fCstrftime\f[]\fR()\f[]
-format specifies to substitute the current date and time, for example,
-\f\*[B-Font]q]saveconfig\f[] \f\*[B-Font]ntp-%Y%m%d-%H%M%S.confq]\f[].
+\fCdate\f[]\fR(1)\f[]
+format specifiers to substitute the current date and time, for
+example,
+.in +4
+\f\*[B-Font]saveconfig\f[] \fIntp-%Y%m%d-%H%M%S.conf\f[].
+.in -4
The filename used is stored in system variable
\f\*[B-Font]savedconfig\f[].
Authentication is required.
@@ -757,20 +875,40 @@
.br
.ns
.TP 10
+.NOP \f\*[B-Font]sysinfo\f[]
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]sysstats\f[]
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]timerstats\f[]
-Display interval timer counters.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]assocID\f[]
-Write the system or peer variables included in the variable list.
+.NOP \f\*[B-Font]writelist\f[] \f\*[I-Font]associd\f[]
+Set all system or peer variables included in the variable list.
.br
.ns
.TP 10
-.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]assocID\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...]
-Write the specified variables.
+.NOP \f\*[B-Font]writevar\f[] \f\*[I-Font]associd\f[] \f\*[I-Font]name\f[]=\f\*[I-Font]value\f[] [, ...]
+Set the specified variables in the variable list.
If the
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is zero, the variables are from the
\fISystem\f[] \fIVariables\f[]
name space, otherwise they are from the
@@ -777,18 +915,9 @@
\fIPeer\f[] \fIVariables\f[]
name space.
The
-\f\*[I-Font]assocID\f[]
+\f\*[I-Font]associd\f[]
is required, as the same name can occur in both spaces.
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]sysinfo\f[]
-Display operational summary.
-.br
-.ns
-.TP 10
-.NOP \f\*[B-Font]sysstats\f[]
-Print statistics counters maintained in the protocol module.
+Authentication is required.
.PP
.SS Status Words and Kiss Codes
The current state of the operating program is shown
@@ -795,10 +924,10 @@
in a set of status words
maintained by the system.
Status information is also available on a per-association basis.
-These words are displayed in the
-\f\*[B-Font]rv\f[]
+These words are displayed by the
+\f\*[B-Font]readlist\f[]
and
-\f\*[B-Font]as\f[]
+\f\*[B-Font]associations\f[]
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -817,9 +946,12 @@
in the reference identifier field in various billboards.
.SS System Variables
The following system variables appear in the
-\f\*[B-Font]rv\f[]
+\f\*[B-Font]readlist\f[]
billboard.
Not all variables are displayed in some configurations.
+.sp \n(Ppu
+.ne 2
+
.TP 10
.NOP Variable
Description
@@ -871,49 +1003,49 @@
.br
.ns
.TP 10
-.NOP \f\*[B-Font]peer\f[]
-system peer association ID
+.NOP \f\*[B-Font]refid\f[]
+reference id or
+.Lk decode.html#kiss "kiss code"
.br
.ns
.TP 10
-.NOP \f\*[B-Font]tc\f[]
-time constant and poll exponent (log2 s) (3-17)
+.NOP \f\*[B-Font]reftime\f[]
+reference time
.br
.ns
.TP 10
-.NOP \f\*[B-Font]mintc\f[]
-minimum time constant (log2 s) (3-10)
+.NOP \f\*[B-Font]clock\f[]
+date and time of day
.br
.ns
.TP 10
-.NOP \f\*[B-Font]clock\f[]
-date and time of day
+.NOP \f\*[B-Font]peer\f[]
+system peer association id
.br
.ns
.TP 10
-.NOP \f\*[B-Font]refid\f[]
-reference ID or
-.Lk decode.html#kiss "kiss code"
+.NOP \f\*[B-Font]tc\f[]
+time constant and poll exponent (log2 s) (3-17)
.br
.ns
.TP 10
-.NOP \f\*[B-Font]reftime\f[]
-reference time
+.NOP \f\*[B-Font]mintc\f[]
+minimum time constant (log2 s) (3-10)
.br
.ns
.TP 10
.NOP \f\*[B-Font]offset\f[]
-combined offset of server relative to this host
+combined offset of server relative to this host
.br
.ns
.TP 10
-.NOP \f\*[B-Font]sys_jitter\f[]
-combined system jitter
+.NOP \f\*[B-Font]frequency\f[]
+frequency drift (PPM) relative to hardware clock
.br
.ns
.TP 10
-.NOP \f\*[B-Font]frequency\f[]
-frequency offset (PPM) relative to hardware clock
+.NOP \f\*[B-Font]sys_jitter\f[]
+combined system jitter
.br
.ns
.TP 10
@@ -996,9 +1128,12 @@
.PP
.SS Peer Variables
The following peer variables appear in the
-\f\*[B-Font]rv\f[]
+\f\*[B-Font]readlist\f[]
billboard for each association.
Not all variables are displayed in some configurations.
+.sp \n(Ppu
+.ne 2
+
.TP 10
.NOP Variable
Description
@@ -1006,7 +1141,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]associd\f[]
-association ID
+association id
.br
.ns
.TP 10
@@ -1061,7 +1196,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]refid\f[]
-reference ID or
+reference id or
.Lk decode.html#kiss "kiss code"
.br
.ns
@@ -1071,6 +1206,11 @@
.br
.ns
.TP 10
+.NOP \f\*[B-Font]rec\f[]
+last packet received time
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]reach\f[]
reach register (octal)
.br
@@ -1112,6 +1252,11 @@
.br
.ns
.TP 10
+.NOP \f\*[B-Font]keyid\f[]
+symmetric key id
+.br
+.ns
+.TP 10
.NOP \f\*[B-Font]offset\f[]
filter offset
.br
@@ -1132,11 +1277,6 @@
.br
.ns
.TP 10
-.NOP \f\*[B-Font]ident\f[]
-Autokey group name for this association
-.br
-.ns
-.TP 10
.NOP \f\*[B-Font]bias\f[]
unicast/broadcast bias
.br
@@ -1150,7 +1290,8 @@
\f\*[B-Font]bias\f[]
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
\f\*[B-Font]xleave\f[]
variable appears only for the interleaved symmetric and interleaved modes.
@@ -1188,7 +1329,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]initsequence\f[]
-initial key ID
+initial key id
.br
.ns
.TP 10
@@ -1199,10 +1340,15 @@
.TP 10
.NOP \f\*[B-Font]timestamp\f[]
Autokey signature timestamp
+.br
+.ns
+.TP 10
+.NOP \f\*[B-Font]ident\f[]
+Autokey group name for this association
.PP
.SS Clock Variables
The following clock variables appear in the
-\f\*[B-Font]cv\f[]
+\f\*[B-Font]clocklist\f[]
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
.TP 10
@@ -1212,7 +1358,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]associd\f[]
-association ID
+association id
.br
.ns
.TP 10
@@ -1267,7 +1413,7 @@
.ns
.TP 10
.NOP \f\*[B-Font]refid\f[]
-driver reference ID
+driver reference id
.br
.ns
.TP 10
@@ -1277,19 +1423,19 @@
.SH "OPTIONS"
.TP
.NOP \f\*[B-Font]\-4\f[], \f\*[B-Font]\-\-ipv4\f[]
-Force IPv4 DNS name resolution.
+Force IPv4 name resolution.
This option must not appear in combination with any of the following options:
ipv6.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv4 namespace.
.TP
.NOP \f\*[B-Font]\-6\f[], \f\*[B-Font]\-\-ipv6\f[]
-Force IPv6 DNS name resolution.
+Force IPv6 name resolution.
This option must not appear in combination with any of the following options:
ipv4.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv6 namespace.
.TP
.NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]cmd\f[], \f\*[B-Font]\-\-command\f[]=\f\*[I-Font]cmd\f[]
@@ -1324,7 +1470,7 @@
numeric host addresses.
.sp
Output all host addresses in dotted-quad numeric format rather than
-converting to the canonical host names.
+converting to the canonical host names.
.TP
.NOP \f\*[B-Font]\-\-old\-rv\f[]
Always output status line with readvar.
Index: contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi
===================================================================
--- contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi (版本 330566)
+++ contrib/ntp/ntpsnmpd/invoke-ntpsnmpd.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntpsnmpd.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:15:36 PM by AutoGen 5.18.5
# From the definitions ntpsnmpd-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
Index: contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpsnmpd 1ntpsnmpdman "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpsnmpd 1ntpsnmpdman "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-yhaGex/ag-6haacx)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-_Ia4FU/ag-lJaWEU)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:33 PM by AutoGen 5.18.5
.\" From the definitions ntpsnmpd-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPSNMPD @NTPSNMPD_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:39 PM by AutoGen 5.18.5
.\" From the definitions ntpsnmpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/build/Makefile.in
===================================================================
--- contrib/ntp/scripts/build/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/build/Makefile.in (版本 330908)
@@ -100,6 +100,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc
===================================================================
--- contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/calc_tickadj.1calc_tickadjmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt CALC_TICKADJ 1calc_tickadjmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (calc_tickadj-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:39:54 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:43 AM by AutoGen 5.18.5
.\" From the definitions calc_tickadj-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi
===================================================================
--- contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/invoke-calc_tickadj.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-calc_tickadj.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:39:57 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:49:45 AM by AutoGen 5.18.5
# From the definitions calc_tickadj-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
Index: contrib/ntp/ntpd/ntpd.mdoc.in
===================================================================
--- contrib/ntp/ntpd/ntpd.mdoc.in (版本 330566)
+++ contrib/ntp/ntpd/ntpd.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPD @NTPD_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpd-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:23 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:14:47 PM by AutoGen 5.18.5
.\" From the definitions ntpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/ntpd/refclock_palisade.c
===================================================================
--- contrib/ntp/ntpd/refclock_palisade.c (版本 330566)
+++ contrib/ntp/ntpd/refclock_palisade.c (版本 330908)
@@ -80,10 +80,6 @@
#endif
#include "refclock_palisade.h"
-/* Table to get from month to day of the year */
-const int days_of_year [12] = {
- 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334
-};
#ifdef DEBUG
const char * Tracking_Status[15][15] = {
@@ -107,7 +103,7 @@
NOFLAGS /* not used */
};
-int day_of_year (char *dt);
+static int decode_date(struct refclockproc *pp, const char *cp);
/* Extract the clock type from the mode setting */
#define CLK_TYPE(x) ((int)(((x)->ttl) & 0x7F))
@@ -226,7 +222,7 @@
sendetx (&tx, fd);
/* activate packets 0x8F-AB and 0x8F-AC */
- sendsupercmd (&tx, 0x8F, 0xA5);
+ sendsupercmd (&tx, 0x8E, 0xA5);
sendint (&tx, 0x5);
sendetx (&tx, fd);
@@ -400,34 +396,79 @@
}
-
/*
- * unpack_date - get day and year from date
+ * unpack helpers
*/
+
+static inline uint8_t
+get_u8(
+ const char *cp)
+{
+ return ((const u_char*)cp)[0];
+}
+
+static inline uint16_t
+get_u16(
+ const char *cp)
+{
+ return ((uint16_t)get_u8(cp) << 8) | get_u8(cp + 1);
+}
+
+/*
+ * unpack & fix date (the receiver provides a valid time for 1024 weeks
+ * after 1997-12-14 and therefore folds back in 2017, 2037,...)
+ *
+ * Returns -1 on error, day-of-month + (month * 32) othertwise.
+ */
int
-day_of_year (
- char * dt
- )
+decode_date(
+ struct refclockproc *pp,
+ const char *cp)
{
- int day, mon, year;
+ static int32_t s_baseday = 0;
+
+ struct calendar jd;
+ int32_t rd;
- mon = dt[1];
- /* Check month is inside array bounds */
- if ((mon < 1) || (mon > 12))
- return -1;
+ if (0 == s_baseday) {
+ if (!ntpcal_get_build_date(&jd)) {
+ jd.year = 2015;
+ jd.month = 1;
+ jd.monthday = 1;
+ }
+ s_baseday = ntpcal_date_to_rd(&jd);
+ }
- day = dt[0] + days_of_year[mon - 1];
- year = getint((u_char *) (dt + 2));
+ /* get date fields and convert to RDN */
+ jd.monthday = get_u8 ( cp );
+ jd.month = get_u8 (cp + 1);
+ jd.year = get_u16(cp + 2);
+ rd = ntpcal_date_to_rd(&jd);
- if ( !(year % 4) && ((year % 100) ||
- (!(year % 100) && !(year%400)))
- &&(mon > 2))
- day ++; /* leap year and March or later */
+ /* for the paranoid: do reverse calculation and cross-check */
+ ntpcal_rd_to_date(&jd, rd);
+ if ((jd.monthday != get_u8 ( cp )) ||
+ (jd.month != get_u8 (cp + 1)) ||
+ (jd.year != get_u16(cp + 2)) )
+ return - 1;
+
+ /* calculate cycle shift to base day and calculate re-folded
+ * date
+ *
+ * One could do a proper modulo calculation here, but a counting
+ * loop is probably faster for the next few rollovers...
+ */
+ while (rd < s_baseday)
+ rd += 7*1024;
+ ntpcal_rd_to_date(&jd, rd);
- return day;
+ /* fill refclock structure & indicate success */
+ pp->day = jd.yearday;
+ pp->year = jd.year;
+ return ((int)jd.month << 5) | jd.monthday;
}
+
-
/*
* TSIP_decode - decode the TSIP data packets
*/
@@ -441,7 +482,8 @@
double secs;
double secfrac;
unsigned short event = 0;
-
+ int mmday;
+
struct palisade_unit *up;
struct refclockproc *pp;
@@ -535,16 +577,16 @@
pp->minute = secint / 60;
secint %= 60;
pp->second = secint % 60;
-
- if ((pp->day = day_of_year(&mb(11))) < 0) break;
- pp->year = getint((u_char *) &mb(13));
+ mmday = decode_date(pp, &mb(11));
+ if (mmday < 0)
+ break;
#ifdef DEBUG
if (debug > 1)
printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d UTC %02d\n",
up->unit, mb(0) & 0xff, event, pp->hour, pp->minute,
- pp->second, pp->nsec, mb(12), mb(11), pp->year, GPS_UTC_Offset);
+ pp->second, pp->nsec, (mmday >> 5), (mmday & 31), pp->year, GPS_UTC_Offset);
#endif
/* Only use this packet when no
* 8F-AD's are being received
@@ -584,7 +626,11 @@
break;
}
- up->month = mb(15);
+ mmday = decode_date(pp, &mb(14));
+ if (mmday < 0)
+ break;
+ up->month = (mmday >> 5); /* Save for LEAP check */
+
if ( (up->leap_status & PALISADE_LEAP_PENDING) &&
/* Avoid early announce: https://bugs.ntp.org/2773 */
(6 == up->month || 12 == up->month) ) {
@@ -612,19 +658,15 @@
pp->nsec = (long) (getdbl((u_char *) &mb(3))
* 1000000000);
- if ((pp->day = day_of_year(&mb(14))) < 0)
- break;
- pp->year = getint((u_char *) &mb(16));
pp->hour = mb(11);
pp->minute = mb(12);
pp->second = mb(13);
- up->month = mb(14); /* Save for LEAP check */
#ifdef DEBUG
if (debug > 1)
printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d UTC %02x %s\n",
up->unit, mb(0) & 0xff, event, pp->hour, pp->minute,
- pp->second, pp->nsec, mb(15), mb(14), pp->year,
+ pp->second, pp->nsec, (mmday >> 5), (mmday & 31), pp->year,
mb(19), *Tracking_Status[st]);
#endif
return 1;
@@ -750,7 +792,8 @@
printf (" Time is from GPS\n\n");
#endif
- if ((pp->day = day_of_year(&mb(13))) < 0)
+ mmday = decode_date(pp, &mb(13));
+ if (mmday < 0)
break;
tow = getlong((u_char *) &mb(1));
#ifdef DEBUG
@@ -757,10 +800,9 @@
if (debug > 1) {
printf("pp->day: %d\n", pp->day);
printf("TOW: %ld\n", tow);
- printf("DAY: %d\n", mb(13));
+ printf("DAY: %d\n", (mmday & 31));
}
#endif
- pp->year = getint((u_char *) &mb(15));
pp->hour = mb(12);
pp->minute = mb(11);
pp->second = mb(10);
@@ -768,7 +810,9 @@
#ifdef DEBUG
if (debug > 1)
- printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d ",up->unit, mb(0) & 0xff, event, pp->hour, pp->minute, pp->second, pp->nsec, mb(14), mb(13), pp->year);
+ printf("TSIP_decode: unit %d: %02X #%d %02d:%02d:%02d.%09ld %02d/%02d/%04d ",
+ up->unit, mb(0) & 0xff, event, pp->hour, pp->minute, pp->second,
+ pp->nsec, (mmday >> 5), (mmday & 31), pp->year);
#endif
return 1;
break;
Index: contrib/ntp/ntpdc/invoke-ntpdc.texi
===================================================================
--- contrib/ntp/ntpdc/invoke-ntpdc.texi (版本 330566)
+++ contrib/ntp/ntpdc/invoke-ntpdc.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntpdc.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:44:50 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:15:06 PM by AutoGen 5.18.5
# From the definitions ntpdc-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -76,7 +76,7 @@
@exampleindent 0
@example
-ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p10-beta
+ntpdc - vendor-specific NTPD control program - Ver. 4.2.8p11
Usage: ntpdc [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [ host ...]
Flg Arg Option-Name Description
-4 no ipv4 Force IPv4 DNS name resolution
Index: contrib/ntp/ntpdc/ntpdc.1ntpdcman
===================================================================
--- contrib/ntp/ntpdc/ntpdc.1ntpdcman (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc.1ntpdcman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpdc 1ntpdcman "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpdc 1ntpdcman "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-T2aicv/ag-q4aGav)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-MnaqKS/ag-YnaiJS)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:50 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:03 PM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/ntpdc/ntpdc.man.in
===================================================================
--- contrib/ntp/ntpdc/ntpdc.man.in (版本 330566)
+++ contrib/ntp/ntpdc/ntpdc.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpdc @NTPDC_MS@ "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH ntpdc @NTPDC_MS@ "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-T2aicv/ag-q4aGav)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-MnaqKS/ag-YnaiJS)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:44:50 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:03 PM by AutoGen 5.18.5
.\" From the definitions ntpdc-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/ntpq/Makefile.in
===================================================================
--- contrib/ntp/ntpq/Makefile.in (版本 330566)
+++ contrib/ntp/ntpq/Makefile.in (版本 330908)
@@ -108,6 +108,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -167,7 +168,7 @@
ntpq_DEPENDENCIES = version.o $(am__DEPENDENCIES_1) ../libntp/libntp.a \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
$(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1) \
- $(am__DEPENDENCIES_1)
+ $(am__DEPENDENCIES_1) $(am__DEPENDENCIES_1)
AM_V_lt = $(am__v_lt_@AM_V@)
am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@)
am__v_lt_0 = --silent
@@ -547,10 +548,12 @@
# LDADD might need RESLIB and ADJLIB
ntpq_LDADD = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a \
$(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS) $(EDITLINE_LIBS) \
- $(LDADD_NTP)
+ $(LDADD_NTP) $(NTP_HARD_LDFLAGS)
noinst_HEADERS = ntpq.h
noinst_LIBRARIES = libntpq.a
-libntpq_a_CFLAGS = -DNO_MAIN_ALLOWED -DBUILD_AS_LIB
+libntpq_a_CFLAGS = $(AM_CFLAGS) -DNO_MAIN_ALLOWED -DBUILD_AS_LIB
+libntpq_a_CPPFLAGS = $(AM_CPPFLAGS)
+libntpq_a_LDFLAGS = $(AM_LDFLAGS)
CLEANFILES = check-libopts check-libntp .deps-ver
DISTCLEANFILES = .version version.c config.log $(man_MANS)
ETAGS_ARGS = Makefile.am
@@ -828,32 +831,32 @@
@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $<
libntpq_a-libntpq.o: libntpq.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq.Tpo $(DEPDIR)/libntpq_a-libntpq.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq.c' object='libntpq_a-libntpq.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.o `test -f 'libntpq.c' || echo '$(srcdir)/'`libntpq.c
libntpq_a-libntpq.obj: libntpq.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq.Tpo -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq.Tpo $(DEPDIR)/libntpq_a-libntpq.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq.c' object='libntpq_a-libntpq.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq.obj `if test -f 'libntpq.c'; then $(CYGPATH_W) 'libntpq.c'; else $(CYGPATH_W) '$(srcdir)/libntpq.c'; fi`
libntpq_a-libntpq_subs.o: libntpq_subs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.o -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq_subs.Tpo $(DEPDIR)/libntpq_a-libntpq_subs.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq_subs.c' object='libntpq_a-libntpq_subs.o' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.o `test -f 'libntpq_subs.c' || echo '$(srcdir)/'`libntpq_subs.c
libntpq_a-libntpq_subs.obj: libntpq_subs.c
-@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi`
+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -MT libntpq_a-libntpq_subs.obj -MD -MP -MF $(DEPDIR)/libntpq_a-libntpq_subs.Tpo -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi`
@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/libntpq_a-libntpq_subs.Tpo $(DEPDIR)/libntpq_a-libntpq_subs.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='libntpq_subs.c' object='libntpq_a-libntpq_subs.obj' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi`
+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libntpq_a_CPPFLAGS) $(CPPFLAGS) $(libntpq_a_CFLAGS) $(CFLAGS) -c -o libntpq_a-libntpq_subs.obj `if test -f 'libntpq_subs.c'; then $(CYGPATH_W) 'libntpq_subs.c'; else $(CYGPATH_W) '$(srcdir)/libntpq_subs.c'; fi`
mostlyclean-libtool:
-rm -f *.lo
@@ -1272,7 +1275,6 @@
-cd ../sntp/libopts && $(MAKE) $(AM_MAKEFLAGS) libopts.la
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/ntpq/ntpq-opts.h
===================================================================
--- contrib/ntp/ntpq/ntpq-opts.h (版本 330566)
+++ contrib/ntp/ntpq/ntpq-opts.h (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpq-opts.h)
*
- * It has been AutoGen-ed March 21, 2017 at 10:45:04 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:15:12 PM by AutoGen 5.18.5
* From the definitions ntpq-opts.def
* and the template file options
*
@@ -84,9 +84,9 @@
/** count of all options for ntpq */
#define OPTION_CT 16
/** ntpq version */
-#define NTPQ_VERSION "4.2.8p10"
+#define NTPQ_VERSION "4.2.8p11"
/** Full ntpq version text */
-#define NTPQ_FULL_VERSION "ntpq 4.2.8p10"
+#define NTPQ_FULL_VERSION "ntpq 4.2.8p11"
/**
* Interface defines for all options. Replace "n" with the UPPER_CASED
Index: contrib/ntp/ntpq/ntpq.c
===================================================================
--- contrib/ntp/ntpq/ntpq.c (版本 330566)
+++ contrib/ntp/ntpq/ntpq.c (版本 330908)
@@ -2,10 +2,11 @@
* ntpq - query an NTP server using mode 6 commands
*/
#include <config.h>
-#include <stdio.h>
#include <ctype.h>
#include <signal.h>
#include <setjmp.h>
+#include <stddef.h>
+#include <stdio.h>
#include <sys/types.h>
#include <sys/time.h>
#ifdef HAVE_UNISTD_H
@@ -34,7 +35,15 @@
#include "openssl/evp.h"
#include "openssl/objects.h"
#include "openssl/err.h"
+#ifdef SYS_WINNT
+# include "openssl/opensslv.h"
+# if !defined(HAVE_EVP_MD_DO_ALL_SORTED) && OPENSSL_VERSION_NUMBER > 0x10000000L
+# define HAVE_EVP_MD_DO_ALL_SORTED 1
+# endif
+#endif
#include "libssl_compat.h"
+
+#define CMAC "AES128CMAC"
#endif
#include <ssl_applink.c>
@@ -189,7 +198,7 @@
static int findcmd (const char *, struct xcmd *,
struct xcmd *, struct xcmd **);
static int rtdatetolfp (char *, l_fp *);
-static int decodearr (char *, int *, l_fp *);
+static int decodearr (char *, int *, l_fp *, int);
static void help (struct parse *, FILE *);
static int helpsort (const void *, const void *);
static void printusage (struct xcmd *, FILE *);
@@ -227,6 +236,16 @@
static int my_easprintf (char**, const char *, ...) NTP_PRINTF(2, 3);
void ntpq_custom_opt_handler (tOptions *, tOptDesc *);
+/* read a character from memory and expand to integer */
+static inline int
+pgetc(
+ const char *cp
+ )
+{
+ return (int)*(const unsigned char*)cp;
+}
+
+
#ifdef OPENSSL
# ifdef HAVE_EVP_MD_DO_ALL_SORTED
static void list_md_fn(const EVP_MD *m, const char *from,
@@ -233,6 +252,7 @@
const char *to, void *arg );
# endif
#endif
+static char *insert_cmac(char *list);
static char *list_digest_names(void);
/*
@@ -450,6 +470,7 @@
}
#endif
+
#ifndef BUILD_AS_LIB
int
ntpqmain(
@@ -484,14 +505,16 @@
char *msg;
list = list_digest_names();
- for (icmd = 0; icmd < sizeof(builtins)/sizeof(builtins[0]); icmd++) {
- if (strcmp("keytype", builtins[icmd].keyword) == 0)
+
+ for (icmd = 0; icmd < sizeof(builtins)/sizeof(*builtins); icmd++) {
+ if (strcmp("keytype", builtins[icmd].keyword) == 0) {
break;
+ }
}
/* CID: 1295478 */
/* This should only "trip" if "keytype" is removed from builtins */
- INSIST(icmd < sizeof(builtins)/sizeof(builtins[0]));
+ INSIST(icmd < sizeof(builtins)/sizeof(*builtins));
#ifdef OPENSSL
builtins[icmd].desc[0] = "digest-name";
@@ -584,9 +607,15 @@
getcmds();
} else {
for (ihost = 0; ihost < numhosts; ihost++) {
- if (openhost(chosts[ihost].name, chosts[ihost].fam))
- for (icmd = 0; icmd < numcmds; icmd++)
+ if (openhost(chosts[ihost].name, chosts[ihost].fam)) {
+ if (ihost)
+ fputc('\n', current_output);
+ for (icmd = 0; icmd < numcmds; icmd++) {
+ if (icmd)
+ fputc('\n', current_output);
docmd(ccmds[icmd]);
+ }
+ }
}
}
#ifdef SYS_WINNT
@@ -719,7 +748,7 @@
int err;
err = setsockopt(INVALID_SOCKET, SOL_SOCKET, SO_OPENTYPE,
- (char *)&optionValue, sizeof(optionValue));
+ (void *)&optionValue, sizeof(optionValue));
if (err) {
mfprintf(stderr,
"setsockopt(SO_SYNCHRONOUS_NONALERT)"
@@ -743,7 +772,7 @@
# ifdef SO_RCVBUF
{ int rbufsize = DATASIZE + 2048; /* 2K for slop */
if (setsockopt(sockfd, SOL_SOCKET, SO_RCVBUF,
- &rbufsize, sizeof(int)) == -1)
+ (void *)&rbufsize, sizeof(int)) == -1)
error("setsockopt");
}
# endif
@@ -2014,7 +2043,7 @@
* d[d]-Mth-y[y[y[y]]] hh:mm:ss
*/
cp = str;
- if (!isdigit((int)*cp)) {
+ if (!isdigit(pgetc(cp))) {
if (*cp == '-') {
/*
* Catch special case
@@ -2026,7 +2055,7 @@
}
cal.monthday = (u_char) (*cp++ - '0'); /* ascii dependent */
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.monthday = (u_char)((cal.monthday << 3) + (cal.monthday << 1));
cal.monthday = (u_char)(cal.monthday + *cp++ - '0');
}
@@ -2048,18 +2077,18 @@
if (*cp++ != '-')
return 0;
- if (!isdigit((int)*cp))
+ if (!isdigit(pgetc(cp)))
return 0;
cal.year = (u_short)(*cp++ - '0');
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.year = (u_short)((cal.year << 3) + (cal.year << 1));
cal.year = (u_short)(*cp++ - '0');
}
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.year = (u_short)((cal.year << 3) + (cal.year << 1));
cal.year = (u_short)(cal.year + *cp++ - '0');
}
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.year = (u_short)((cal.year << 3) + (cal.year << 1));
cal.year = (u_short)(cal.year + *cp++ - '0');
}
@@ -2072,26 +2101,26 @@
return 1;
}
- if (*cp++ != ' ' || !isdigit((int)*cp))
+ if (*cp++ != ' ' || !isdigit(pgetc(cp)))
return 0;
cal.hour = (u_char)(*cp++ - '0');
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.hour = (u_char)((cal.hour << 3) + (cal.hour << 1));
cal.hour = (u_char)(cal.hour + *cp++ - '0');
}
- if (*cp++ != ':' || !isdigit((int)*cp))
+ if (*cp++ != ':' || !isdigit(pgetc(cp)))
return 0;
cal.minute = (u_char)(*cp++ - '0');
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.minute = (u_char)((cal.minute << 3) + (cal.minute << 1));
cal.minute = (u_char)(cal.minute + *cp++ - '0');
}
- if (*cp++ != ':' || !isdigit((int)*cp))
+ if (*cp++ != ':' || !isdigit(pgetc(cp)))
return 0;
cal.second = (u_char)(*cp++ - '0');
- if (isdigit((int)*cp)) {
+ if (isdigit(pgetc(cp))) {
cal.second = (u_char)((cal.second << 3) + (cal.second << 1));
cal.second = (u_char)(cal.second + *cp++ - '0');
}
@@ -2215,34 +2244,36 @@
*/
static int
decodearr(
- char *str,
- int *narr,
- l_fp *lfparr
+ char *cp,
+ int *narr,
+ l_fp *lfpa,
+ int amax
)
{
- register char *cp, *bp;
- register l_fp *lfp;
+ char *bp;
char buf[60];
- lfp = lfparr;
- cp = str;
*narr = 0;
- while (*narr < 8) {
- while (isspace((int)*cp))
- cp++;
- if (*cp == '\0')
- break;
+ while (*narr < amax && *cp) {
+ if (isspace(pgetc(cp))) {
+ do
+ ++cp;
+ while (*cp && isspace(pgetc(cp)));
+ } else {
+ bp = buf;
+ do {
+ if (bp != (buf + sizeof(buf) - 1))
+ *bp++ = *cp;
+ ++cp;
+ } while (*cp && !isspace(pgetc(cp)));
+ *bp = '\0';
- bp = buf;
- while (!isspace((int)*cp) && *cp != '\0')
- *bp++ = *cp++;
- *bp++ = '\0';
-
- if (!decodetime(buf, lfp))
- return 0;
- (*narr)++;
- lfp++;
+ if (!decodetime(buf, lfpa))
+ return 0;
+ ++(*narr);
+ ++lfpa;
+ }
}
return 1;
}
@@ -3049,7 +3080,7 @@
/*
* Space past commas and white space
*/
- while (cp < cpend && (*cp == ',' || isspace((int)*cp)))
+ while (cp < cpend && (*cp == ',' || isspace(pgetc(cp))))
cp++;
if (cp >= cpend)
return 0;
@@ -3061,7 +3092,7 @@
srclen = strcspn(cp, ",=\r\n");
srclen = min(srclen, (size_t)(cpend - cp));
len = srclen;
- while (len > 0 && isspace((unsigned char)cp[len - 1]))
+ while (len > 0 && isspace(pgetc(&cp[len - 1])))
len--;
if (len >= sizeof(name))
return 0;
@@ -3087,7 +3118,7 @@
* So far, so good. Copy out the value
*/
cp++; /* past '=' */
- while (cp < cpend && (isspace((unsigned char)*cp) && *cp != '\r' && *cp != '\n'))
+ while (cp < cpend && (isspace(pgetc(cp)) && *cp != '\r' && *cp != '\n'))
cp++;
np = cp;
if ('"' == *np) {
@@ -3108,7 +3139,7 @@
/*
* Trim off any trailing whitespace
*/
- while (len > 0 && isspace((unsigned char)value[len - 1]))
+ while (len > 0 && isspace(pgetc(&value[len - 1])))
len--;
value[len] = '\0';
@@ -3191,7 +3222,7 @@
*/
if (cp == (cpend - 1) || *(cp + 1) != '\n')
makeascii(1, cp, fp);
- } else if (isspace((unsigned char)*cp) || isprint((unsigned char)*cp))
+ } else if (isspace(pgetc(cp)) || isprint(pgetc(cp)))
putc(*cp, fp);
else
makeascii(1, cp, fp);
@@ -3399,7 +3430,7 @@
break;
case TS:
- if (!decodets(value, &lfp))
+ if (!value || !decodets(value, &lfp))
output_raw = '?';
else
output(fp, name, prettydate(&lfp));
@@ -3407,7 +3438,7 @@
case HA: /* fallthru */
case NA:
- if (!decodenetnum(value, &hval)) {
+ if (!value || !decodenetnum(value, &hval)) {
output_raw = '?';
} else if (fmt == HA){
output(fp, name, nntohost(&hval));
@@ -3417,7 +3448,9 @@
break;
case RF:
- if (decodenetnum(value, &hval)) {
+ if (!value) {
+ output_raw = '?';
+ } else if (decodenetnum(value, &hval)) {
if (ISREFCLOCKADR(&hval))
output(fp, name,
refnumtoa(&hval));
@@ -3431,7 +3464,7 @@
break;
case LP:
- if (!decodeuint(value, &uval) || uval > 3) {
+ if (!value || !decodeuint(value, &uval) || uval > 3) {
output_raw = '?';
} else {
b[0] = (0x2 & uval)
@@ -3446,7 +3479,7 @@
break;
case OC:
- if (!decodeuint(value, &uval)) {
+ if (!value || !decodeuint(value, &uval)) {
output_raw = '?';
} else {
snprintf(b, sizeof(b), "%03lo", uval);
@@ -3455,7 +3488,7 @@
break;
case AR:
- if (!decodearr(value, &narr, lfparr))
+ if (!value || !decodearr(value, &narr, lfparr, 8))
output_raw = '?';
else
outputarr(fp, name, narr, lfparr);
@@ -3462,7 +3495,7 @@
break;
case FX:
- if (!decodeuint(value, &uval))
+ if (!value || !decodeuint(value, &uval))
output_raw = '?';
else
output(fp, name, tstflags(uval));
@@ -3584,81 +3617,205 @@
* Obtain list of digest names
*/
+#if defined(OPENSSL) && !defined(HAVE_EVP_MD_DO_ALL_SORTED)
+# if defined(_MSC_VER) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define HAVE_EVP_MD_DO_ALL_SORTED
+# endif
+#endif
+
#ifdef OPENSSL
# ifdef HAVE_EVP_MD_DO_ALL_SORTED
+# define K_PER_LINE 8
+# define K_NL_PFX_STR "\n "
+# define K_DELIM_STR ", "
+
struct hstate {
char *list;
const char **seen;
int idx;
};
-#define K_PER_LINE 8
-#define K_NL_PFX_STR "\n "
-#define K_DELIM_STR ", "
-static void list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg )
+
+
+static void
+list_md_fn(const EVP_MD *m, const char *from, const char *to, void *arg)
{
- size_t len, n;
- const char *name, *cp, **seen;
+ size_t len, n, digest_len;
+ const char *name, **seen;
struct hstate *hstate = arg;
- EVP_MD_CTX *ctx;
- u_int digest_len;
- u_char digest[EVP_MAX_MD_SIZE];
+ char *cp;
- if (!m)
+ /* m is MD obj, from is name or alias, to is base name for alias */
+ if (!m || !from || to) {
return; /* Ignore aliases */
+ }
+ /* Discard MACs that NTP won't accept. */
+ /* Keep this consistent with keytype_from_text() in ssl_init.c. */
+ if (EVP_MD_size(m) > (MAX_MAC_LEN - sizeof(keyid_t))) {
+ return;
+ }
+
name = EVP_MD_name(m);
/* Lowercase names aren't accepted by keytype_from_text in ssl_init.c */
- for( cp = name; *cp; cp++ ) {
- if( islower((unsigned char)*cp) )
+ for (cp = name; *cp; cp++) {
+ if (islower((unsigned char)*cp)) {
return;
+ }
}
+
len = (cp - name) + 1;
/* There are duplicates. Discard if name has been seen. */
- for (seen = hstate->seen; *seen; seen++)
- if (!strcmp(*seen, name))
+ for (seen = hstate->seen; *seen; seen++) {
+ if (!strcmp(*seen, name)) {
return;
+ }
+ }
+
n = (seen - hstate->seen) + 2;
hstate->seen = erealloc(hstate->seen, n * sizeof(*seen));
hstate->seen[n-2] = name;
hstate->seen[n-1] = NULL;
- /* Discard MACs that NTP won't accept.
- * Keep this consistent with keytype_from_text() in ssl_init.c.
- */
+ if (hstate->list != NULL) {
+ len += strlen(hstate->list);
+ }
- ctx = EVP_MD_CTX_new();
- EVP_DigestInit(ctx, EVP_get_digestbyname(name));
- EVP_DigestFinal(ctx, digest, &digest_len);
- EVP_MD_CTX_free(ctx);
- if (digest_len > (MAX_MAC_LEN - sizeof(keyid_t)))
- return;
+ len += (hstate->idx >= K_PER_LINE)
+ ? strlen(K_NL_PFX_STR)
+ : strlen(K_DELIM_STR);
- if (hstate->list != NULL)
- len += strlen(hstate->list);
- len += (hstate->idx >= K_PER_LINE)? strlen(K_NL_PFX_STR): strlen(K_DELIM_STR);
-
if (hstate->list == NULL) {
- hstate->list = (char *)emalloc(len);
+ hstate->list = (char *)emalloc(len);
hstate->list[0] = '\0';
- } else
+ } else {
hstate->list = (char *)erealloc(hstate->list, len);
+ }
sprintf(hstate->list + strlen(hstate->list), "%s%s",
- ((hstate->idx >= K_PER_LINE)? K_NL_PFX_STR : K_DELIM_STR),
+ ((hstate->idx >= K_PER_LINE) ? K_NL_PFX_STR : K_DELIM_STR),
name);
- if (hstate->idx >= K_PER_LINE)
+
+ if (hstate->idx >= K_PER_LINE) {
hstate->idx = 1;
- else
+ } else {
hstate->idx++;
+ }
}
+
+
+/* Insert CMAC into SSL digests list */
+static char *
+insert_cmac(char *list)
+{
+ int insert;
+ size_t len;
+
+
+ /* If list empty, we need to insert CMAC on new line */
+ insert = (!list || !*list);
+
+ if (insert) {
+ len = strlen(K_NL_PFX_STR) + strlen(CMAC);
+ list = (char *)erealloc(list, len + 1);
+ sprintf(list, "%s%s", K_NL_PFX_STR, CMAC);
+ } else { /* List not empty */
+ /* Check if CMAC already in list - future proofing */
+ const char *cmac_sn;
+ char *cmac_p;
+
+ cmac_sn = OBJ_nid2sn(NID_cmac);
+ cmac_p = list;
+ insert = cmac_sn != NULL && *cmac_sn != '\0';
+
+ /* CMAC in list if found, followed by nul char or ',' */
+ while (insert && NULL != (cmac_p = strstr(cmac_p, cmac_sn))) {
+ cmac_p += strlen(cmac_sn);
+ /* Still need to insert if not nul and not ',' */
+ insert = *cmac_p && ',' != *cmac_p;
+ }
+
+ /* Find proper insertion point */
+ if (insert) {
+ char *last_nl;
+ char *point;
+ char *delim;
+ int found;
+
+ /* Default to start if list empty */
+ found = 0;
+ delim = list;
+ len = strlen(list);
+
+ /* While new lines */
+ while (delim < list + len && *delim &&
+ !strncmp(K_NL_PFX_STR, delim, strlen(K_NL_PFX_STR))) {
+ point = delim + strlen(K_NL_PFX_STR);
+
+ /* While digest names on line */
+ while (point < list + len && *point) {
+ /* Another digest after on same or next line? */
+ delim = strstr( point, K_DELIM_STR);
+ last_nl = strstr( point, K_NL_PFX_STR);
+
+ /* No - end of list */
+ if (!delim && !last_nl) {
+ delim = list + len;
+ } else
+ /* New line and no delim or before delim? */
+ if (last_nl && (!delim || last_nl < delim)) {
+ delim = last_nl;
+ }
+
+ /* Found insertion point where CMAC before entry? */
+ if (strncmp(CMAC, point, delim - point) < 0) {
+ found = 1;
+ break;
+ }
+
+ if (delim < list + len && *delim &&
+ !strncmp(K_DELIM_STR, delim, strlen(K_DELIM_STR))) {
+ point += strlen(K_DELIM_STR);
+ } else {
+ break;
+ }
+ } /* While digest names on line */
+ } /* While new lines */
+
+ /* If found in list */
+ if (found) {
+ /* insert cmac and delim */
+ /* Space for list could move - save offset */
+ ptrdiff_t p_offset = point - list;
+ len += strlen(CMAC) + strlen(K_DELIM_STR);
+ list = (char *)erealloc(list, len + 1);
+ point = list + p_offset;
+ /* move to handle src/dest overlap */
+ memmove(point + strlen(CMAC) + strlen(K_DELIM_STR),
+ point, strlen(point) + 1);
+ strncpy(point, CMAC, strlen(CMAC));
+ strncpy(point + strlen(CMAC), K_DELIM_STR, strlen(K_DELIM_STR));
+ } else { /* End of list */
+ /* append delim and cmac */
+ len += strlen(K_DELIM_STR) + strlen(CMAC);
+ list = (char *)erealloc(list, len + 1);
+ strcpy(list + strlen(list), K_DELIM_STR);
+ strcpy(list + strlen(list), CMAC);
+ }
+ } /* insert */
+ } /* List not empty */
+
+ return list;
+}
# endif
#endif
-static char *list_digest_names(void)
+
+static char *
+list_digest_names(void)
{
char *list = NULL;
@@ -3666,12 +3823,16 @@
# ifdef HAVE_EVP_MD_DO_ALL_SORTED
struct hstate hstate = { NULL, NULL, K_PER_LINE+1 };
- hstate.seen = (const char **) emalloc_zero(1*sizeof( const char * )); // replaces -> calloc(1, sizeof( const char * ));
+ /* replace calloc(1, sizeof(const char *)) */
+ hstate.seen = (const char **)emalloc_zero(sizeof(const char *));
INIT_SSL();
EVP_MD_do_all_sorted(list_md_fn, &hstate);
list = hstate.list;
free(hstate.seen);
+
+ list = insert_cmac(list); /* Insert CMAC into SSL digests list */
+
# else
list = (char *)emalloc(sizeof("md5, others (upgrade to OpenSSL-1.0 for full list)"));
strcpy(list, "md5, others (upgrade to OpenSSL-1.0 for full list)");
Index: contrib/ntp/ntpq/ntpq.mdoc.in
===================================================================
--- contrib/ntp/ntpq/ntpq.mdoc.in (版本 330566)
+++ contrib/ntp/ntpq/ntpq.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPQ @NTPQ_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpq-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:31 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:28 PM by AutoGen 5.18.5
.\" From the definitions ntpq-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -18,15 +18,12 @@
[ host ...]
.Pp
.Sh DESCRIPTION
+.Pp
The
.Nm
-utility program is used to query NTP servers which
-implement the standard NTP mode 6 control message formats defined
-in Appendix B of the NTPv3 specification RFC1305, requesting
+utility program is used to query NTP servers to monitor NTP operations
+and performance, requesting
information about current state and/or changes in that state.
-The same formats are used in NTPv4, although some of the
-variables have changed and new ones added. The description on this
-page is for the NTPv4 variables.
The program may be run either in interactive mode or controlled using
command line arguments.
Requests to read and write arbitrary
@@ -37,6 +34,7 @@
utility can also obtain and print a
list of peers in a common format by sending multiple queries to the
server.
+.Pp
If one or more request options is included on the command line
when
.Nm
@@ -54,6 +52,7 @@
.Nm
utility will prompt for
commands if the standard input is a terminal device.
+.Pp
.Nm
uses NTP mode 6 packets to communicate with the
NTP server, and hence can be used to query any compatible server on
@@ -67,6 +66,17 @@
one attempt to retransmit requests, and will time requests out if
the remote host is not heard from within a suitable timeout
time.
+.Pp
+Note that in contexts where a host name is expected, a
+.Fl 4
+qualifier preceding the host name forces resolution to the IPv4
+namespace, while a
+.Fl 6
+qualifier forces resolution to the IPv6 namespace.
+For examples and usage, see the
+.Dq NTP Debugging Techniques
+page.
+.Pp
Specifying a
command line option other than
.Fl i
@@ -80,51 +90,46 @@
will attempt to read
interactive format commands from the standard input.
.Ss "Internal Commands"
+.Pp
Interactive format commands consist of a keyword followed by zero
to four arguments.
Only enough characters of the full keyword to
uniquely identify the command need be typed.
+.Pp
A
number of interactive format commands are executed entirely within
the
.Nm
-utility itself and do not result in NTP mode 6
+utility itself and do not result in NTP
requests being sent to a server.
These are described following.
-.Bl -tag -width "? [command_keyword]" -compact -offset indent
-.It Ic ? Op Ar command_keyword
-.It Ic help Op Ar command_keyword
+.Bl -tag -width "help [command]" -compact -offset indent
+.It Ic ? Op Ar command
+.It Ic help Op Ar command
A
.Ql \&?
-by itself will print a list of all the command
-keywords known to this incarnation of
+by itself will print a list of all the commands
+known to
.Nm .
A
.Ql \&?
-followed by a command keyword will print function and usage
+followed by a command name will print function and usage
information about the command.
-This command is probably a better
-source of information about
-.Nm
-than this manual
-page.
-.It Ic addvars Ar variable_name Ns Xo Op Ic =value
-.Ic ...
-.Xc
-.It Ic rmvars Ar variable_name Ic ...
+.It Ic addvars Ar name Ns Oo \&= Ns Ar value Oc Ns Op ,...
+.It Ic rmvars Ar name Ns Op ,...
.It Ic clearvars
.It Ic showvars
-The data carried by NTP mode 6 messages consists of a list of
+The arguments to this command consist of a list of
items of the form
-.Ql variable_name=value ,
+.Ar name Ns Op \&= Ns Ar value ,
where the
-.Ql =value
+.No \&= Ns Ar value
is ignored, and can be omitted,
in requests to the server to read variables.
The
.Nm
-utility maintains an internal list in which data to be included in control
-messages can be assembled, and sent using the
+utility maintains an internal list in which data to be included in
+messages can be assembled, and displayed or set using the
.Ic readlist
and
.Ic writelist
@@ -139,35 +144,31 @@
.Ic rmvars
command can be used to remove individual variables from the list,
while the
-.Ic clearlist
+.Ic clearvars
command removes all variables from the
list.
The
.Ic showvars
command displays the current list of optional variables.
-.It Ic authenticate Op yes | no
+.It Ic authenticate Op Cm yes Ns | Ns Cm no
Normally
.Nm
does not authenticate requests unless
they are write requests.
The command
-.Ql authenticate yes
+.Ic authenticate Cm yes
causes
.Nm
to send authentication with all requests it
makes.
Authenticated requests causes some servers to handle
-requests slightly differently, and can occasionally melt the CPU in
-fuzzballs if you turn authentication on before doing a
-.Ic peer
-display.
+requests slightly differently.
The command
-.Ql authenticate
+.Ic authenticate
causes
.Nm
to display whether or not
-.Nm
-is currently autheinticating requests.
+it is currently authenticating requests.
.It Ic cooked
Causes output from query commands to be "cooked", so that
variables which are recognized by
@@ -176,20 +177,13 @@
values reformatted for human consumption.
Variables which
.Nm
-thinks should have a decodable value but didn't are
+could not decode completely are
marked with a trailing
.Ql \&? .
-.It Xo
-.Ic debug
-.Oo
-.Cm more |
-.Cm less |
-.Cm off
-.Oc
-.Xc
+.It Ic debug Op Cm more Ns | Ns Cm less Ns | Ns Cm off
With no argument, displays the current debug level.
-Otherwise, the debug level is changed to the indicated level.
-.It Ic delay Ar milliseconds
+Otherwise, the debugging level is changed as indicated.
+.It Ic delay Op Ar milliseconds
Specify a time interval to be added to timestamps included in
requests which require authentication.
This is used to enable
@@ -198,14 +192,21 @@
Actually the
server does not now require timestamps in authenticated requests,
so this command may be obsolete.
+Without any arguments, displays the current delay.
+.It Ic drefid Op Cm hash Ns | Ns Cm ipv4
+Display refids as IPv4 or hash.
+Without any arguments, displays whether refids are shown as IPv4
+addresses or hashes.
.It Ic exit
Exit
.Nm .
-.It Ic host Ar hostname
+.It Ic host Op Ar name
Set the host to which future queries will be sent.
-.Ar hostname
+The
+.Ar name
may be either a host name or a numeric address.
-.It Ic hostnames Op Cm yes | Cm no
+Without any arguments, displays the current host.
+.It Ic hostnames Op Cm yes Ns | Ns Cm no
If
.Cm yes
is specified, host names are printed in
@@ -220,7 +221,9 @@
modified using the command line
.Fl n
switch.
-.It Ic keyid Ar keyid
+Without any arguments, displays whether host names or numeric addresses
+are shown.
+.It Ic keyid Op Ar keyid
This command allows the specification of a key number to be
used to authenticate configuration requests.
This must correspond
@@ -228,28 +231,20 @@
.Cm controlkey
key number the server has been configured to use for this
purpose.
-.It Ic keytype Xo Oo
-.Cm md5 |
-.Cm OpenSSLDigestType
-.Oc
-.Xc
-Specify the type of key to use for authenticating requests.
-.Cm md5
-is alway supported.
+Without any arguments, displays the current
+.Ar keyid .
+.It Ic keytype Op Ar digest
+Specify the digest algorithm to use for authenticating requests, with default
+.Cm MD5 .
If
.Nm
-was built with OpenSSL support,
-any digest type supported by OpenSSL can also be provided.
+was built with OpenSSL support, and OpenSSL is installed,
+.Ar digest
+can be any message digest algorithm supported by OpenSSL.
If no argument is given, the current
-.Ic keytype
-is displayed.
-.It Ic ntpversion Xo Oo
-.Cm 1 |
-.Cm 2 |
-.Cm 3 |
-.Cm 4
-.Oc
-.Xc
+.Ic keytype Ar digest
+algorithm used is displayed.
+.It Ic ntpversion Op Cm 1 Ns | Ns Cm 2 Ns | Ns Cm 3 Ns | Ns Cm 4
Sets the NTP version number which
.Nm
claims in
@@ -267,13 +262,11 @@
The password must correspond to the key configured for
use by the NTP server for this purpose if such requests are to be
successful.
-.\" Not yet implemented.
-.\" .It Ic poll
-.\" .Op Ar n
-.\" .Op Ic verbose
-.\" Poll an NTP server in client mode
-.\" .Ar n
-.\" times.
+.It Ic poll Oo Ar n Oc Op Cm verbose
+Poll an NTP server in client mode
+.Ar n
+times.
+Poll not implemented yet.
.It Ic quit
Exit
.Nm .
@@ -283,95 +276,150 @@
The only formating/interpretation done on
the data is to transform nonascii data into a printable (but barely
understandable) form.
-.It Ic timeout Ar milliseconds
+.It Ic timeout Op Ar milliseconds
Specify a timeout period for responses to server queries.
The
default is about 5000 milliseconds.
+Without any arguments, displays the current timeout period.
Note that since
.Nm
retries each query once after a timeout, the total waiting time for
a timeout will be twice the timeout value set.
.It Ic version
-Print the version of the
+Display the version of the
.Nm
program.
.El
.Ss "Control Message Commands"
-Association IDs are used to identify system, peer and clock variables.
-System variables are assigned an association ID of zero and system name space, while each association is assigned a nonzero association ID and peer namespace.
-Most control commands send a single mode\-6 message to the server and expect a single response message.
+Association ids are used to identify system, peer and clock variables.
+System variables are assigned an association id of zero and system name
+space, while each association is assigned a nonzero association id and
+peer namespace.
+Most control commands send a single message to the server and expect a
+single response message.
The exceptions are the
-.Li peers
+.Ic peers
command, which sends a series of messages,
and the
-.Li mreadlist
+.Ic mreadlist
and
-.Li mreadvar
+.Ic mreadvar
commands, which iterate over a range of associations.
.Bl -tag -width "something" -compact -offset indent
-.It Cm associations
+.It Ic apeers
+Display a list of peers in the form:
+.Dl [tally]remote refid assid st t when pool reach delay offset jitter
+where the output is just like the
+.Ic peers
+command except that the
+.Cm refid
+is displayed in hex format and the association number is also displayed.
+.It Ic associations
Display a list of mobilized associations in the form:
.Dl ind assid status conf reach auth condition last_event cnt
-.Bl -column -offset indent ".Sy Variable" ".Sy Description"
-.It Sy String Ta Sy Description
-.It Li ind Ta index on this list
-.It Li assid Ta association ID
-.It Li status Ta peer status word
-.It Li conf Ta Li yes : persistent, Li no : ephemeral
-.It Li reach Ta Li yes : reachable, Li no : unreachable
-.It Li auth Ta Li ok , Li yes , Li bad and Li none
-.It Li condition Ta selection status (see the Li select field of the peer status word)
-.It Li last_event Ta event report (see the Li event field of the peer status word)
-.It Li cnt Ta event count (see the Li count field of the peer status word)
+.Bl -column -offset indent ".Sy Variable" "see the select field of the peer status word"
+.It Sy Variable Ta Sy Description
+.It Cm ind Ta index on this list
+.It Cm assid Ta association id
+.It Cm status Ta peer status word
+.It Cm conf Ta Cm yes : No persistent, Cm no : No ephemeral
+.It Cm reach Ta Cm yes : No reachable, Cm no : No unreachable
+.It Cm auth Ta Cm ok , Cm yes , Cm bad No and Cm none
+.It Cm condition Ta selection status \&(see the Cm select No field of the peer status word\&)
+.It Cm last_event Ta event report \&(see the Cm event No field of the peer status word\&)
+.It Cm cnt Ta event count \&(see the Cm count No field of the peer status word\&)
.El
-.It Cm authinfo
-Display the authentication statistics.
-.It Cm clockvar Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-.It Cm cv Ar assocID Oo Ar name Ns Oo Cm = Ns Ar value Oc Oc Op ...
-Display a list of clock variables for those associations supporting a reference clock.
-.It Cm :config Op ...
-Send the remainder of the command line, including whitespace, to the server as a run\-time configuration command in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is of course required.
-.It Cm config\-from\-file Ar filename
-Send the each line of
+.It Ic authinfo
+Display the authentication statistics counters:
+time since reset, stored keys, free keys, key lookups, keys not found,
+uncached keys, expired keys, encryptions, decryptions.
+.It Ic clocklist Op Ar associd
+.It Ic cl Op Ar associd
+Display all clock variables in the variable list for those associations
+supporting a reference clock.
+.It Ic clockvar Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+.It Ic cv Oo Ar associd Oc Oo Ar name Ns Oo \&= Ns Ar value Oc Ns Oc Ns Op ,...
+Display a list of clock variables for those associations supporting a
+reference clock.
+.It Ic :config Ar "configuration command line"
+Send the remainder of the command line, including whitespace, to the
+server as a run\-time configuration command in the same format as a line
+in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is of course required.
+.It Ic config\-from\-file Ar filename
+Send each line of
.Ar filename
-to the server as run\-time configuration commands in the same format as a line in the configuration file. This command is experimental until further notice and clarification. Authentication is required.
+to the server as run\-time configuration commands in the same format as
+lines in the configuration file.
+This command is experimental until further notice and clarification.
+Authentication is required.
.It Ic ifstats
-Display statistics for each local network address. Authentication is required.
+Display status and statistics counters for each local network interface address:
+interface number, interface name and address or broadcast, drop, flag,
+ttl, mc, received, sent, send failed, peers, uptime.
+Authentication is required.
.It Ic iostats
-Display network and reference clock I/O statistics.
+Display network and reference clock I/O statistics:
+time since reset, receive buffers, free receive buffers, used receive buffers,
+low water refills, dropped packets, ignored packets, received packets,
+packets sent, packet send failures, input wakeups, useful input wakeups.
.It Ic kerninfo
-Display kernel loop and PPS statistics. As with other ntpq output, times are in milliseconds. The precision value displayed is in milliseconds as well, unlike the precision system variable.
+Display kernel loop and PPS statistics:
+associd, status, pll offset, pll frequency, maximum error,
+estimated error, kernel status, pll time constant, precision,
+frequency tolerance, pps frequency, pps stability, pps jitter,
+calibration interval, calibration cycles, jitter exceeded,
+stability exceeded, calibration errors.
+As with other ntpq output, times are in milliseconds; very small values
+may be shown as exponentials.
+The precision value displayed is in milliseconds as well, unlike the
+precision system variable.
.It Ic lassociations
-Perform the same function as the associations command, except display mobilized and unmobilized associations.
-.It Ic lopeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
+Perform the same function as the associations command, except display
+mobilized and unmobilized associations, including all clients.
+.It Ic lopeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients showing
+.Cm dstadr
+(associated with the given IP version).
+.It Ic lpassociations
+Display the last obtained list of associations, including all clients.
+.It Ic lpeers Op Fl 4 Ns | Ns Fl 6
+Display a list of all peers and clients (associated with the given IP version).
+.It Ic monstats
+Display monitor facility status, statistics, and limits:
+enabled, addresses, peak addresses, maximum addresses,
+reclaim above count, reclaim older than, kilobytes, maximum kilobytes.
+.It Ic mreadlist Ar associdlo Ar associdhi
+.It Ic mrl Ar associdlo Ar associdhi
+Perform the same function as the
+.Ic readlist
+command for a range of association ids.
+.It Ic mreadvar Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+This range may be determined from the list displayed by any
+command showing associations.
+.It Ic mrv Ar associdlo Ar associdhi Oo Ar name Oc Ns Op ,...
+Perform the same function as the
+.Ic readvar
+command for a range of association ids.
+This range may be determined from the list displayed by any
+command showing associations.
+.It Xo Ic mrulist Oo Cm limited | Cm kod | Cm mincount Ns \&= Ns Ar count |
+.Cm laddr Ns \&= Ns Ar localaddr | Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder |
+.Cm resany Ns \&= Ns Ar hexmask | Cm resall Ns \&= Ns Ar hexmask Oc
.Xc
-Obtain and print a list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version).
-.It Ic lpeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
-.Xc
-Print a peer spreadsheet for the appropriate IP version(s).
-.Ar dstadr
-(associated with any given IP version).
-.It Ic monstats
-Display monitor facility statistics.
-.It Ic mrulist Oo Ic limited | Ic kod | Ic mincount Ns = Ns Ar count | Ic laddr Ns = Ns Ar localaddr | Ic sort Ns = Ns Ar sortorder | Ic resany Ns = Ns Ar hexmask | Ic resall Ns = Ns Ar hexmask Oc
-Obtain and print traffic counts collected and maintained by the monitor facility.
+Display traffic counts of the most recently seen source addresses
+collected and maintained by the monitor facility.
With the exception of
-.Cm sort Ns = Ns Ar sortorder ,
+.Cm sort Ns \&= Ns Oo \&\- Oc Ns Ar sortorder ,
the options filter the list returned by
-.Cm ntpd.
+.Xr ntpd 8 .
The
.Cm limited
and
.Cm kod
-options return only entries representing client addresses from which the last packet received triggered either discarding or a KoD response.
+options return only entries representing client addresses from which the
+last packet received triggered either discarding or a KoD response.
The
.Cm mincount Ns = Ns Ar count
option filters entries representing less than
@@ -392,18 +440,21 @@
.Ar sortorder
defaults to
.Cm lstint
-and may be any of
+and may be
.Cm addr ,
+.Cm avgint ,
.Cm count ,
-.Cm avgint ,
.Cm lstint ,
-or any of those preceded by a minus sign (hyphen) to reverse the sort order.
+or any of those preceded by
+.Ql \&\-
+to reverse the sort order.
The output columns are:
.Bl -tag -width "something" -compact -offset indent
.It Column
Description
.It Ic lstint
-Interval in s between the receipt of the most recent packet from this address and the completion of the retrieval of the MRU list by
+Interval in seconds between the receipt of the most recent packet from
+this address and the completion of the retrieval of the MRU list by
.Nm .
.It Ic avgint
Average interval in s between packets from this address.
@@ -411,7 +462,8 @@
Restriction flags associated with this address.
Most are copied unchanged from the matching
.Ic restrict
-command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless the last packet from this address triggered a rate control response.
+command, however 0x400 (kod) and 0x20 (limited) flags are cleared unless
+the last packet from this address triggered a rate control response.
.It Ic r
Rate control indicator, either
a period,
@@ -429,27 +481,15 @@
.It Ic rport
Source port of last packet from this address.
.It Ic remote address
-DNS name, numeric address, or address followed by
+host or DNS name, numeric address, or address followed by
claimed DNS name which could not be verified in parentheses.
.El
-.It Ic mreadvar assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-.It Ic mrv assocID assocID Oo Ar variable_name Ns Oo = Ns Ar value Oc Oc ...
-Perform the same function as the
-.Ic readvar
-command, except for a range of association IDs.
-This range is determined from the association list cached by the most recent
-.Ic associations
-command.
-.It Ic opeers Xo
-.Oo Ic \-4 |
-.Ic \-6
-.Oc
-.Xc
+.It Ic opeers Op Fl 4 | Fl 6
Obtain and print the old\-style list of all peers and clients showing
-.Ar dstadr
-(associated with any given IP version),
+.Cm dstadr
+(associated with the given IP version),
rather than the
-.Ar refid .
+.Cm refid .
.It Ic passociations
Perform the same function as the
.Ic associations
@@ -461,28 +501,32 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic [tally]
+.It Cm [tally]
single\-character code indicating current value of the
.Ic select
field of the
.Lk decode.html#peer "peer status word"
-.It Ic remote
+.It Cm remote
host name (or IP number) of peer.
-The value displayed will be truncated to 15 characters unless the
+The value displayed will be truncated to 15 characters unless the
+.Nm
.Fl w
-flag is given, in which case the full value will be displayed
-on the first line,
-and the remaining data is displayed on the next line.
-.It Ic refid
-association ID or
+option is given, in which case the full value will be displayed
+on the first line, and if too long,
+the remaining data will be displayed on the next line.
+.It Cm refid
+source IP address or
.Lk decode.html#kiss "'kiss code"
-.It Ic st
-stratum
-.It Ic t
+.It Cm st
+stratum: 0 for local reference clocks, 1 for servers with local
+reference clocks, ..., 16 for unsynchronized server clocks
+.It Cm t
.Ic u :
unicast or manycast client,
.Ic b :
broadcast or multicast client,
+.Ic p :
+pool source,
.Ic l :
local (reference clock),
.Ic s :
@@ -493,38 +537,40 @@
broadcast server,
.Ic M :
multicast server
-.It Ic when
-sec/min/hr since last received packet
-.It Ic poll
-poll interval (log2 s)
-.It Ic reach
+.It Cm when
+time in seconds, minutes, hours, or days since the last packet
+was received, or
+.Ql \&\-
+if a packet has never been received
+.It Cm poll
+poll interval (s)
+.It Cm reach
reach shift register (octal)
-.It Ic delay
+.It Cm delay
roundtrip delay
-.It Ic offset
+.It Cm offset
offset of server relative to this host
-.It Ic jitter
-jitter
+.It Cm jitter
+offset RMS error estimate.
.El
-.It Ic apeers
-Display a list of peers in the form:
-.Dl [tally]remote refid assid st t when pool reach delay offset jitter
-where the output is just like the
-.Ic peers
-command except that the
-.Ic refid
-is displayed in hex format and the association number is also displayed.
-.It Ic pstats Ar assocID
-Show the statistics for the peer with the given
-.Ar assocID .
-.It Ic readlist Ar assocID
-.It Ic rl Ar assocID
-Read the system or peer variables included in the variable list.
-.It Ic readvar Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-.It Ic rv Ar assocID Ar name Ns Oo Ns = Ns Ar value Oc Oo , ... Oc
-Display the specified variables.
+.It Ic pstats Ar associd
+Display the statistics for the peer with the given
+.Ar associd :
+associd, status, remote host, local address, time last received,
+time until next send, reachability change, packets sent,
+packets received, bad authentication, bogus origin, duplicate,
+bad dispersion, bad reference time, candidate order.
+.It Ic readlist Op Ar associd
+.It Ic rl Op Ar associd
+Display all system or peer variables.
+If the
+.Ar associd
+is omitted, it is assumed to be zero.
+.It Ic readvar Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+.It Ic rv Op Ar associd Ar name Ns Oo Ns = Ns Ar value Oc Op , ...
+Display the specified system or peer variables.
If
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -531,55 +577,76 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
If no
.Ar name
is included, all operative variables in the name space are displayed.
In this case only, if the
-.Ar assocID
-is omitted, it is assumed zero.
+.Ar associd
+is omitted, it is assumed to be zero.
Multiple names are specified with comma separators and without whitespace.
Note that time values are represented in milliseconds
and frequency values in parts\-per\-million (PPM).
Some NTP timestamps are represented in the format
-YYYYMMDDTTTT ,
-where YYYY is the year,
-MM the month of year,
-DD the day of month and
-TTTT the time of day.
+.Ar YYYY Ns Ar MM Ar DD Ar TTTT ,
+where
+.Ar YYYY
+is the year,
+.Ar MM
+the month of year,
+.Ar DD
+the day of month and
+.Ar TTTT
+the time of day.
.It Ic reslist
-Show the access control (restrict) list for
+Display the access control (restrict) list for
.Nm .
+Authentication is required.
.It Ic saveconfig Ar filename
-Write the current configuration,
-including any runtime modifications given with
+Save the current configuration,
+including any runtime modifications made by
.Ic :config
or
.Ic config\-from\-file ,
-to the ntpd host's file
+to the NTP server host file
.Ar filename .
This command will be rejected by the server unless
.Lk miscopt.html#saveconfigdir "saveconfigdir"
appears in the
-.Ic ntpd
+.Xr ntpd 8
configuration file.
.Ar filename
can use
-.Xr strftime
-format specifies to substitute the current date and time, for example,
-.Ic q]saveconfig ntp\-%Y%m%d\-%H%M%S.confq] .
+.Xr date 1
+format specifiers to substitute the current date and time, for
+example,
+.D1 Ic saveconfig Pa ntp\-%Y%m%d\-%H%M%S.conf .
The filename used is stored in system variable
-.Ic savedconfig .
+.Cm savedconfig .
Authentication is required.
+.It Ic sysinfo
+Display system operational summary:
+associd, status, system peer, system peer mode, leap indicator,
+stratum, log2 precision, root delay, root dispersion,
+reference id, reference time, system jitter, clock jitter,
+clock wander, broadcast delay, symm. auth. delay.
+.It Ic sysstats
+Display system uptime and packet counts maintained in the
+protocol module:
+uptime, sysstats reset, packets received, current version,
+older version, bad length or format, authentication failed,
+declined, restricted, rate limited, KoD responses,
+processed for time.
.It Ic timerstats
-Display interval timer counters.
-.It Ic writelist Ar assocID
-Write the system or peer variables included in the variable list.
-.It Ic writevar Ar assocID Ar name Ns = Ns Ar value Op , ...
-Write the specified variables.
+Display interval timer counters:
+time since reset, timer overruns, calls to transmit.
+.It Ic writelist Ar associd
+Set all system or peer variables included in the variable list.
+.It Ic writevar Ar associd Ar name Ns = Ns Ar value Op , ...
+Set the specified variables in the variable list.
If the
-.Ar assocID
+.Ar associd
is zero, the variables are from the
.Sx System Variables
name space, otherwise they are from the
@@ -586,12 +653,9 @@
.Sx Peer Variables
name space.
The
-.Ar assocID
+.Ar associd
is required, as the same name can occur in both spaces.
-.It Ic sysinfo
-Display operational summary.
-.It Ic sysstats
-Print statistics counters maintained in the protocol module.
+Authentication is required.
.El
.Ss Status Words and Kiss Codes
The current state of the operating program is shown
@@ -598,10 +662,10 @@
in a set of status words
maintained by the system.
Status information is also available on a per\-association basis.
-These words are displayed in the
-.Ic rv
+These words are displayed by the
+.Ic readlist
and
-.Ic as
+.Ic associations
commands both in hexadecimal and in decoded short tip strings.
The codes, tips and short explanations are documented on the
.Lk decode.html "Event Messages and Status Words"
@@ -618,58 +682,59 @@
in the reference identifier field in various billboards.
.Ss System Variables
The following system variables appear in the
-.Ic rv
+.Ic readlist
billboard.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic status
+.It Cm status
.Lk decode.html#sys "system status word"
-.It Ic version
+.It Cm version
NTP software version and build time
-.It Ic processor
+.It Cm processor
hardware platform and version
-.It Ic system
+.It Cm system
operating system and version
-.It Ic leap
+.It Cm leap
leap warning indicator (0\-3)
-.It Ic stratum
+.It Cm stratum
stratum (1\-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total dispersion to the primary reference clock
-.It Ic peer
-system peer association ID
-.It Ic tc
+.It Cm refid
+reference id or
+.Lk decode.html#kiss "kiss code"
+.It Cm reftime
+reference time
+.It Ic clock
+date and time of day
+.It Cm peer
+system peer association id
+.It Cm tc
time constant and poll exponent (log2 s) (3\-17)
-.It Ic mintc
+.It Cm mintc
minimum time constant (log2 s) (3\-10)
-.It Ic clock
-date and time of day
-.It Ic refid
-reference ID or
-.Lk decode.html#kiss "kiss code"
-.It Ic reftime
-reference time
-.It Ic offset
-combined offset of server relative to this host
-.It Ic sys_jitter
+.It Cm offset
+combined offset of server relative to this host
+.It Cm frequency
+frequency drift (PPM) relative to hardware clock
+.It Cm sys_jitter
combined system jitter
-.It Ic frequency
-frequency offset (PPM) relative to hardware clock
-.It Ic clk_wander
+.It Cm clk_wander
clock frequency wander (PPM)
-.It Ic clk_jitter
+.It Cm clk_jitter
clock jitter
-.It Ic tai
+.It Cm tai
TAI\-UTC offset (s)
-.It Ic leapsec
+.It Cm leapsec
NTP seconds when the next leap second is/was inserted
-.It Ic expire
+.It Cm expire
NTP seconds when the NIST leapseconds file expires
.El
The jitter and wander statistics are exponentially\-weighted RMS averages.
@@ -683,98 +748,102 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic host
+.It Cm host
Autokey host name for this host
-.It Ic ident
+.It Cm ident
Autokey group name for this host
-.It Ic flags
+.It Cm flags
host flags (see Autokey specification)
-.It Ic digest
+.It Cm digest
OpenSSL message digest algorithm
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic update
+.It Cm update
NTP seconds at last signature update
-.It Ic cert
+.It Cm cert
certificate subject, issuer and certificate flags
-.It Ic until
+.It Cm until
NTP seconds when the certificate expires
.El
.Ss Peer Variables
The following peer variables appear in the
-.Ic rv
+.Ic readlist
billboard for each association.
Not all variables are displayed in some configurations.
+.Pp
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#peer "peer status word"
-.It Ic srcadr
+.It Cm srcadr
source (remote) IP address
-.It Ic srcport
+.It Cm srcport
source (remote) port
-.It Ic dstadr
+.It Cm dstadr
destination (local) IP address
-.It Ic dstport
+.It Cm dstport
destination (local) port
-.It Ic leap
+.It Cm leap
leap indicator (0\-3)
-.It Ic stratum
+.It Cm stratum
stratum (0\-15)
-.It Ic precision
+.It Cm precision
precision (log2 s)
-.It Ic rootdelay
+.It Cm rootdelay
total roundtrip delay to the primary reference clock
-.It Ic rootdisp
+.It Cm rootdisp
total root dispersion to the primary reference clock
-.It Ic refid
-reference ID or
+.It Cm refid
+reference id or
.Lk decode.html#kiss "kiss code"
-.It Ic reftime
+.It Cm reftime
reference time
-.It Ic reach
+.It Cm rec
+last packet received time
+.It Cm reach
reach register (octal)
-.It Ic unreach
+.It Cm unreach
unreach counter
-.It Ic hmode
+.It Cm hmode
host mode (1\-6)
-.It Ic pmode
+.It Cm pmode
peer mode (1\-5)
-.It Ic hpoll
+.It Cm hpoll
host poll exponent (log2 s) (3\-17)
-.It Ic ppoll
+.It Cm ppoll
peer poll exponent (log2 s) (3\-17)
-.It Ic headway
+.It Cm headway
headway (see
.Lk rate.html "Rate Management and the Kiss\-o'\-Death Packet" )
-.It Ic flash
+.It Cm flash
.Lk decode.html#flash "flash status word"
-.It Ic offset
+.It Cm keyid
+symmetric key id
+.It Cm offset
filter offset
-.It Ic delay
+.It Cm delay
filter delay
-.It Ic dispersion
+.It Cm dispersion
filter dispersion
-.It Ic jitter
+.It Cm jitter
filter jitter
-.It Ic ident
-Autokey group name for this association
-.It Ic bias
+.It Cm bias
unicast/broadcast bias
-.It Ic xleave
+.It Cm xleave
interleave delay (see
.Lk xleave.html "NTP Interleaved Modes" )
.El
The
-.Ic bias
+.Cm bias
variable is calculated when the first broadcast packet is received
after the calibration volley.
-It represents the offset of the broadcast subgraph relative to the unicast subgraph.
+It represents the offset of the broadcast subgraph relative to the
+unicast subgraph.
The
-.Ic xleave
+.Cm xleave
variable appears only for the interleaved symmetric and interleaved modes.
It represents the internal queuing, buffering and transmission delays
for the preceding packet.
@@ -784,71 +853,73 @@
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic host
+.It Cm host
Autokey server name
-.It Ic flags
+.It Cm flags
peer flags (see Autokey specification)
-.It Ic signature
+.It Cm signature
OpenSSL digest/signature scheme
-.It Ic initsequence
-initial key ID
-.It Ic initkey
+.It Cm initsequence
+initial key id
+.It Cm initkey
initial key index
-.It Ic timestamp
+.It Cm timestamp
Autokey signature timestamp
+.It Cm ident
+Autokey group name for this association
.El
.Ss Clock Variables
The following clock variables appear in the
-.Ic cv
+.Ic clocklist
billboard for each association with a reference clock.
Not all variables are displayed in some configurations.
.Bl -tag -width "something" -compact -offset indent
.It Variable
Description
-.It Ic associd
-association ID
-.It Ic status
+.It Cm associd
+association id
+.It Cm status
.Lk decode.html#clock "clock status word"
-.It Ic device
+.It Cm device
device description
-.It Ic timecode
+.It Cm timecode
ASCII time code string (specific to device)
-.It Ic poll
+.It Cm poll
poll messages sent
-.It Ic noreply
+.It Cm noreply
no reply
-.It Ic badformat
+.It Cm badformat
bad format
-.It Ic baddata
+.It Cm baddata
bad date or time
-.It Ic fudgetime1
+.It Cm fudgetime1
fudge time 1
-.It Ic fudgetime2
+.It Cm fudgetime2
fudge time 2
-.It Ic stratum
+.It Cm stratum
driver stratum
-.It Ic refid
-driver reference ID
-.It Ic flags
+.It Cm refid
+driver reference id
+.It Cm flags
driver flags
.El
.Sh "OPTIONS"
.Bl -tag
.It Fl 4 , Fl \-ipv4
-Force IPv4 DNS name resolution.
+Force IPv4 name resolution.
This option must not appear in combination with any of the following options:
ipv6.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv4 namespace.
.It Fl 6 , Fl \-ipv6
-Force IPv6 DNS name resolution.
+Force IPv6 name resolution.
This option must not appear in combination with any of the following options:
ipv4.
.sp
-Force DNS resolution of following host names on the command line
+Force resolution of following host names on the command line
to the IPv6 namespace.
.It Fl c Ar cmd , Fl \-command Ns = Ns Ar cmd
run a command and exit.
@@ -878,7 +949,7 @@
numeric host addresses.
.sp
Output all host addresses in dotted\-quad numeric format rather than
-converting to the canonical host names.
+converting to the canonical host names.
.It Fl \-old\-rv
Always output status line with readvar.
.sp
Index: contrib/ntp/ntpsnmpd/netsnmp_daemonize.c
===================================================================
--- contrib/ntp/ntpsnmpd/netsnmp_daemonize.c (版本 330566)
+++ contrib/ntp/ntpsnmpd/netsnmp_daemonize.c (版本 330908)
@@ -194,7 +194,7 @@
int i = 0;
int saved_errno;
- DEBUGMSGT(("daemonize","deamonizing...\n"));
+ DEBUGMSGT(("daemonize","daemonizing...\n"));
#ifdef HAVE_WORKING_FORK
/*
* Fork to return control to the invoking process and to
Index: contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd.1ntpsnmpdmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPSNMPD 1ntpsnmpdmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:40 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:39 PM by AutoGen 5.18.5
.\" From the definitions ntpsnmpd-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/packageinfo.sh
===================================================================
--- contrib/ntp/packageinfo.sh (版本 330566)
+++ contrib/ntp/packageinfo.sh (版本 330908)
@@ -83,7 +83,7 @@
# - Numeric values increment
# - empty 'increments' to 1
# - NEW 'increments' to empty
-point=10
+point=11
### betapoint is normally modified by script.
# ntp-stable Beta number (betapoint)
Index: contrib/ntp/scripts/build/UpdatePoint
===================================================================
--- contrib/ntp/scripts/build/UpdatePoint (版本 330566)
+++ contrib/ntp/scripts/build/UpdatePoint (版本 330908)
@@ -127,6 +127,7 @@
stable)
case "$prerelease" in
'')
+ # echo "Checking <$betapoint::$rcpoint::$point>"
case "$betapoint::$rcpoint::$point" in
*::*::NEW)
# new minor release (no p)
@@ -148,6 +149,14 @@
# bp=1
# bbp=0
;;
+ ::[Gg][Oo]::*)
+ # echo "Good - betapoint is empty. Look in $0 and figure out what's going on here."
+ crcp=z
+ ;;
+ *::[Gg][Oo]::*)
+ echo "betapoint is NOT empty. Look in $0 and figure out what's going on here."
+ test=1
+ ;;
*) echo "betapoint is <$betapoint>, rcpoint is <$rcpoint>"
echo "betapoint must be 0 and rcpoint must be empty to start the"
echo "beta cycle."
@@ -265,7 +274,18 @@
;;
z::*)
newrcpoint=
- newbetapoint=0
+ case "$repo" in
+ dev)
+ newbetapoint=0
+ ;;
+ stable)
+ newbetapoint=
+ ;;
+ *)
+ echo "crcp::rcpoint - bogus repo <$repo>"
+ exit 1
+ ;;
+ esac
;;
*) echo "Unexpected value for 'crcp::rcpoint' <$crcp::$rcpoint>!"
exit 1
Index: contrib/ntp/scripts/calc_tickadj/calc_tickadj.html
===================================================================
--- contrib/ntp/scripts/calc_tickadj/calc_tickadj.html (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/calc_tickadj.html (版本 330908)
@@ -31,7 +31,7 @@
<h2 class="unnumbered">calc_tickadj User's Manual</h2>
<p>This document describes the use of the NTP Project's <code>calc_tickadj</code> program.
-This document applies to version 4.2.8p10 of <code>calc_tickadj</code>.
+This document applies to version 4.2.8p11 of <code>calc_tickadj</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
Index: contrib/ntp/scripts/invoke-plot_summary.texi
===================================================================
--- contrib/ntp/scripts/invoke-plot_summary.texi (版本 330566)
+++ contrib/ntp/scripts/invoke-plot_summary.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-plot_summary.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:40 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 04:55:58 PM by AutoGen 5.18.5
# From the definitions plot_summary-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -41,7 +41,7 @@
@exampleindent 0
@example
-plot_summary - plot statistics generated by summary script - Ver. 4.2.8p10
+plot_summary - plot statistics generated by summary script - Ver. 4.2.8p11
USAGE: plot_summary [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
--directory=str Where the summary files are
Index: contrib/ntp/ntpq/ntpq.texi
===================================================================
--- contrib/ntp/ntpq/ntpq.texi (版本 330566)
+++ contrib/ntp/ntpq/ntpq.texi (版本 330908)
@@ -168,7 +168,7 @@
with default @code{MD5}.
If the OpenSSL library is installed,
digest can be be any message digest algorithm supported by the library.
-The current selections are: @code{MD2}, @code{MD4}, @code{MD5}, @code{MDC2}, @code{RIPEMD160}, @code{SHA} and @code{SHA1}.
+The current selections are: @code{AES128CMAC}, @code{MD2}, @code{MD4}, @code{MD5}, @code{MDC2}, @code{RIPEMD160}, @code{SHA} and @code{SHA1}.
@item @anchor{ntpversion} @code{ntpversion 1 | 2 | 3 | 4}
Sets the NTP version number which @code{ntpq} claims in packets.
Index: contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd-opts.c (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntpsnmpd-opts.c)
*
- * It has been AutoGen-ed March 21, 2017 at 10:45:37 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:15:31 PM by AutoGen 5.18.5
* From the definitions ntpsnmpd-opts.def
* and the template file options
*
@@ -61,7 +61,7 @@
* static const strings for ntpsnmpd options
*/
static char const ntpsnmpd_opt_strs[1613] =
-/* 0 */ "ntpsnmpd 4.2.8p10\n"
+/* 0 */ "ntpsnmpd 4.2.8p11\n"
"Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
"redistribution under the terms of the NTP License, copies of which\n"
@@ -101,7 +101,7 @@
/* 1415 */ "no-load-opts\0"
/* 1428 */ "no\0"
/* 1431 */ "NTPSNMPD\0"
-/* 1440 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p10\n"
+/* 1440 */ "ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p11\n"
"Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
/* 1544 */ "$HOME\0"
/* 1550 */ ".\0"
@@ -108,7 +108,7 @@
/* 1552 */ ".ntprc\0"
/* 1559 */ "http://bugs.ntp.org, bugs@ntp.org\0"
/* 1593 */ "\n\0"
-/* 1595 */ "ntpsnmpd 4.2.8p10";
+/* 1595 */ "ntpsnmpd 4.2.8p11";
/**
* nofork option description:
@@ -554,7 +554,7 @@
translate option names.
*/
/* referenced via ntpsnmpdOptions.pzCopyright */
- puts(_("ntpsnmpd 4.2.8p10\n\
+ puts(_("ntpsnmpd 4.2.8p11\n\
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\
This is free software. It is licensed for use, modification and\n\
redistribution under the terms of the NTP License, copies of which\n\
@@ -599,7 +599,7 @@
puts(_("load options from a config file"));
/* referenced via ntpsnmpdOptions.pzUsageTitle */
- puts(_("ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p10\n\
+ puts(_("ntpsnmpd - NTP SNMP MIB agent - Ver. 4.2.8p11\n\
Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n"));
/* referenced via ntpsnmpdOptions.pzExplain */
@@ -606,7 +606,7 @@
puts(_("\n"));
/* referenced via ntpsnmpdOptions.pzFullVersion */
- puts(_("ntpsnmpd 4.2.8p10"));
+ puts(_("ntpsnmpd 4.2.8p11"));
/* referenced via ntpsnmpdOptions.pzFullUsage */
puts(_("<<<NOT-FOUND>>>"));
Index: contrib/ntp/ntpsnmpd/ntpsnmpd.html
===================================================================
--- contrib/ntp/ntpsnmpd/ntpsnmpd.html (版本 330566)
+++ contrib/ntp/ntpsnmpd/ntpsnmpd.html (版本 330908)
@@ -42,7 +42,7 @@
<p>The <code>ntpsnmpd</code> utility program is used to monitor NTP daemon <code>ntpd</code>
operations and determine performance. It uses the standard NTP mode 6 control
- <p>This document applies to version 4.2.8p10 of <code>ntpsnmpd</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntpsnmpd</code>.
<ul class="menu">
<li><a accesskey="1" href="#ntpsnmpd-Description">ntpsnmpd Description</a>: Description
Index: contrib/ntp/parseutil/Makefile.in
===================================================================
--- contrib/ntp/parseutil/Makefile.in (版本 330566)
+++ contrib/ntp/parseutil/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/calc_tickadj/Makefile.in
===================================================================
--- contrib/ntp/scripts/calc_tickadj/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/Makefile.in (版本 330908)
@@ -102,6 +102,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in
===================================================================
--- contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in (版本 330566)
+++ contrib/ntp/scripts/calc_tickadj/calc_tickadj.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH calc_tickadj 1calc_tickadjman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH calc_tickadj 1calc_tickadjman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bsaa0i/ag-osaiZi)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-mfaiQP/ag-zfaqPP)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:39:52 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:40 AM by AutoGen 5.18.5
.\" From the definitions calc_tickadj-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/invoke-summary.texi
===================================================================
--- contrib/ntp/scripts/invoke-summary.texi (版本 330566)
+++ contrib/ntp/scripts/invoke-summary.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-summary.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:46 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 04:56:04 PM by AutoGen 5.18.5
# From the definitions summary-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -42,7 +42,7 @@
@exampleindent 0
@example
-summary - compute various stastics from NTP stat files - Ver. 4.2.8p10
+summary - compute various stastics from NTP stat files - Ver. 4.2.8p11
USAGE: summary [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
--directory=str Directory containing stat files
Index: contrib/ntp/scripts/ntp-wait/ntp-wait-opts
===================================================================
--- contrib/ntp/scripts/ntp-wait/ntp-wait-opts (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/ntp-wait-opts (版本 330908)
@@ -1,6 +1,6 @@
# EDIT THIS FILE WITH CAUTION (ntp-wait-opts)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:00 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:49:48 AM by AutoGen 5.18.5
# From the definitions ntp-wait-opts.def
# and the template file perlopt
@@ -40,7 +40,7 @@
'help|?', 'more-help'));
$usage = <<'USAGE';
-ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p10
+ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p11
USAGE: ntp-wait [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
-n, --tries=num Number of times to check ntpd
Index: contrib/ntp/scripts/ntp-wait/ntp-wait.man.in
===================================================================
--- contrib/ntp/scripts/ntp-wait/ntp-wait.man.in (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/ntp-wait.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntp-wait @NTP_WAIT_MS@ "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntp-wait @NTP_WAIT_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-xOaq.j/ag-KOay9j)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-tuay0Q/ag-GuaGZQ)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:02 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:50 AM by AutoGen 5.18.5
.\" From the definitions ntp-wait-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/ntp-wait/Makefile.in
===================================================================
--- contrib/ntp/scripts/ntp-wait/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc
===================================================================
--- contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_WAIT 1ntp-waitmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:07 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:55 AM by AutoGen 5.18.5
.\" From the definitions ntp-wait-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/ntpsweep/Makefile.in
===================================================================
--- contrib/ntp/scripts/ntpsweep/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc
===================================================================
--- contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPSWEEP 1ntpsweepmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpsweep-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:16 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:04 AM by AutoGen 5.18.5
.\" From the definitions ntpsweep-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/ntptrace/Makefile.in
===================================================================
--- contrib/ntp/scripts/ntptrace/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/ntptrace/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc
===================================================================
--- contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc (版本 330566)
+++ contrib/ntp/scripts/ntptrace/ntptrace.1ntptracemdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPTRACE 1ntptracemdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntptrace-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:25 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:13 AM by AutoGen 5.18.5
.\" From the definitions ntptrace-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/plot_summary-opts
===================================================================
--- contrib/ntp/scripts/plot_summary-opts (版本 330566)
+++ contrib/ntp/scripts/plot_summary-opts (版本 330908)
@@ -1,6 +1,6 @@
# EDIT THIS FILE WITH CAUTION (plot_summary-opts)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:37 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 04:55:55 PM by AutoGen 5.18.5
# From the definitions plot_summary-opts.def
# and the template file perlopt
@@ -46,7 +46,7 @@
'help|?', 'more-help'));
$usage = <<'USAGE';
-plot_summary - plot statistics generated by summary script - Ver. 4.2.8p10
+plot_summary - plot statistics generated by summary script - Ver. 4.2.8p11
USAGE: plot_summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
--directory=str Where the summary files are
Index: contrib/ntp/scripts/plot_summary.man.in
===================================================================
--- contrib/ntp/scripts/plot_summary.man.in (版本 330566)
+++ contrib/ntp/scripts/plot_summary.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH plot_summary 1plot_summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH plot_summary 1plot_summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-BEaaJo/ag-OEaiIo)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-NpayvG/ag-0paGuG)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:42 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:00 PM by AutoGen 5.18.5
.\" From the definitions plot_summary-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/summary.1summarymdoc
===================================================================
--- contrib/ntp/scripts/summary.1summarymdoc (版本 330566)
+++ contrib/ntp/scripts/summary.1summarymdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt SUMMARY 1summarymdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (summary-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:49 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:08 PM by AutoGen 5.18.5
.\" From the definitions summary-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman
===================================================================
--- contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/ntp-wait.1ntp-waitman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntp-wait 1ntp-waitman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntp-wait 1ntp-waitman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-xOaq.j/ag-KOay9j)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-tuay0Q/ag-GuaGZQ)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:02 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:50 AM by AutoGen 5.18.5
.\" From the definitions ntp-wait-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in
===================================================================
--- contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/ntp-wait.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_WAIT @NTP_WAIT_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-wait-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:07 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:49:55 AM by AutoGen 5.18.5
.\" From the definitions ntp-wait-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman
===================================================================
--- contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/ntpsweep.1ntpsweepman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpsweep 1ntpsweepman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntpsweep 1ntpsweepman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cxaykl/ag-pxaGjl)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cfaGaS/ag-pfaO_R)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:13 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:01 AM by AutoGen 5.18.5
.\" From the definitions ntpsweep-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in
===================================================================
--- contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/ntpsweep.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPSWEEP 1ntpsweepmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntpsweep-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:16 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:04 AM by AutoGen 5.18.5
.\" From the definitions ntpsweep-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman
===================================================================
--- contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman (版本 330566)
+++ contrib/ntp/scripts/ntptrace/ntptrace.1ntptraceman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntptrace 1ntptraceman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntptrace 1ntptraceman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-y.a4mm/ag-W.aamm)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wXa4cT/ag-JXaacT)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:19 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:08 AM by AutoGen 5.18.5
.\" From the definitions ntptrace-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in
===================================================================
--- contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/ntptrace/ntptrace.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTPTRACE @NTPTRACE_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntptrace-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:25 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:13 AM by AutoGen 5.18.5
.\" From the definitions ntptrace-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/plot_summary.html
===================================================================
--- contrib/ntp/scripts/plot_summary.html (版本 330566)
+++ contrib/ntp/scripts/plot_summary.html (版本 330908)
@@ -31,7 +31,7 @@
<h2 class="unnumbered">Plot_summary User Manual</h2>
<p>This document describes the use of the NTP Project's <code>plot_summary</code> program.
-This document applies to version 4.2.8p10 of <code>plot_summary</code>.
+This document applies to version 4.2.8p11 of <code>plot_summary</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -89,7 +89,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">plot_summary - plot statistics generated by summary script - Ver. 4.2.8p10
+<pre class="example">plot_summary - plot statistics generated by summary script - Ver. 4.2.8p11
USAGE: plot_summary [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
--directory=str Where the summary files are
Index: contrib/ntp/scripts/summary.1summaryman
===================================================================
--- contrib/ntp/scripts/summary.1summaryman (版本 330566)
+++ contrib/ntp/scripts/summary.1summaryman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH summary 1summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH summary 1summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-41aOWo/ag-h2aWVo)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-AMaaJG/ag-NMaiIG)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:48 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:06 PM by AutoGen 5.18.5
.\" From the definitions summary-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/summary.mdoc.in
===================================================================
--- contrib/ntp/scripts/summary.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/summary.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt SUMMARY 1summarymdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (summary-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:49 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:08 PM by AutoGen 5.18.5
.\" From the definitions summary-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi
===================================================================
--- contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/invoke-ntp-wait.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp-wait.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:05 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:49:53 AM by AutoGen 5.18.5
# From the definitions ntp-wait-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -61,7 +61,7 @@
@exampleindent 0
@example
-ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p10
+ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p11
USAGE: ntp-wait [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
-n, --tries=num Number of times to check ntpd
Index: contrib/ntp/scripts/ntp-wait/ntp-wait.html
===================================================================
--- contrib/ntp/scripts/ntp-wait/ntp-wait.html (版本 330566)
+++ contrib/ntp/scripts/ntp-wait/ntp-wait.html (版本 330908)
@@ -39,7 +39,7 @@
and only then start any applicaitons (like database servers) that require
accurate and stable time.
- <p>This document applies to version 4.2.8p10 of <code>ntp-wait</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntp-wait</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -114,7 +114,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p10
+<pre class="example">ntp-wait - Wait for ntpd to stabilize the system clock - Ver. 4.2.8p11
USAGE: ntp-wait [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
-n, --tries=num Number of times to check ntpd
Index: contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi
===================================================================
--- contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/invoke-ntpsweep.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntpsweep.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:11 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:49:59 AM by AutoGen 5.18.5
# From the definitions ntpsweep-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -45,7 +45,7 @@
@exampleindent 0
@example
-ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p10
+ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p11
USAGE: ntpsweep [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [hostfile]
-l, --host-list=str Host to execute actions on
Index: contrib/ntp/scripts/ntpsweep/ntpsweep.html
===================================================================
--- contrib/ntp/scripts/ntpsweep/ntpsweep.html (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/ntpsweep.html (版本 330908)
@@ -30,7 +30,7 @@
<p>This document describes the use of the NTP Project's <code>ntpsweep</code> program.
- <p>This document applies to version 4.2.8p10 of <code>ntpsweep</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntpsweep</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -90,7 +90,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p10
+<pre class="example">ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p11
USAGE: ntpsweep [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [hostfile]
-l, --host-list=str Host to execute actions on
Index: contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi
===================================================================
--- contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi (版本 330566)
+++ contrib/ntp/scripts/ntptrace/invoke-ntptrace.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntptrace.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:23 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:50:11 AM by AutoGen 5.18.5
# From the definitions ntptrace-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -62,7 +62,7 @@
@exampleindent 0
@example
-ntptrace - Trace peers of an NTP server - Ver. 4.2.8p10
+ntptrace - Trace peers of an NTP server - Ver. 4.2.8p11
USAGE: ntptrace [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... [host]
-n, --numeric Print IP addresses instead of hostnames
Index: contrib/ntp/scripts/ntptrace/ntptrace.html
===================================================================
--- contrib/ntp/scripts/ntptrace/ntptrace.html (版本 330566)
+++ contrib/ntp/scripts/ntptrace/ntptrace.html (版本 330908)
@@ -31,7 +31,7 @@
<h2 class="unnumbered">Simple Network Time Protocol User Manual</h2>
<p>This document describes the use of the NTP Project's <code>ntptrace</code> program.
-This document applies to version 4.2.8p10 of <code>ntptrace</code>.
+This document applies to version 4.2.8p11 of <code>ntptrace</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -107,7 +107,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntptrace - Trace peers of an NTP server - Ver. 4.2.8p10
+<pre class="example">ntptrace - Trace peers of an NTP server - Ver. 4.2.8p11
USAGE: ntptrace [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... [host]
-n, --numeric Print IP addresses instead of hostnames
Index: contrib/ntp/scripts/plot_summary.1plot_summaryman
===================================================================
--- contrib/ntp/scripts/plot_summary.1plot_summaryman (版本 330566)
+++ contrib/ntp/scripts/plot_summary.1plot_summaryman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH plot_summary 1plot_summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH plot_summary 1plot_summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-BEaaJo/ag-OEaiIo)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-NpayvG/ag-0paGuG)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:42 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:00 PM by AutoGen 5.18.5
.\" From the definitions plot_summary-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/plot_summary.mdoc.in
===================================================================
--- contrib/ntp/scripts/plot_summary.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/plot_summary.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt PLOT_SUMMARY 1plot_summarymdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (plot_summary-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:44 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:02 PM by AutoGen 5.18.5
.\" From the definitions plot_summary-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/summary.html
===================================================================
--- contrib/ntp/scripts/summary.html (版本 330566)
+++ contrib/ntp/scripts/summary.html (版本 330908)
@@ -31,7 +31,7 @@
<h2 class="unnumbered">Summary User Manual</h2>
<p>This document describes the use of the NTP Project's <code>summary</code> program.
-This document applies to version 4.2.8p10 of <code>summary</code>.
+This document applies to version 4.2.8p11 of <code>summary</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -88,7 +88,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">summary - compute various stastics from NTP stat files - Ver. 4.2.8p10
+<pre class="example">summary - compute various stastics from NTP stat files - Ver. 4.2.8p11
USAGE: summary [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
--directory=str Directory containing stat files
Index: contrib/ntp/scripts/update-leap/Makefile.in
===================================================================
--- contrib/ntp/scripts/update-leap/Makefile.in (版本 330566)
+++ contrib/ntp/scripts/update-leap/Makefile.in (版本 330908)
@@ -101,6 +101,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
Index: contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap.1update-leapmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt UPDATE_LEAP 1update-leapmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (update-leap-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:35 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:55:53 PM by AutoGen 5.18.5
.\" From the definitions update-leap-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/update-leap/update-leap.1update-leapman
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap.1update-leapman (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap.1update-leapman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH update-leap 1update-leapman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH update-leap 1update-leapman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-6XaW6m/ag-hYa45m)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cKaOWT/ag-pKaWVT)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:27 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:15 AM by AutoGen 5.18.5
.\" From the definitions update-leap-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/ntpsweep/ntpsweep-opts
===================================================================
--- contrib/ntp/scripts/ntpsweep/ntpsweep-opts (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/ntpsweep-opts (版本 330908)
@@ -1,6 +1,6 @@
# EDIT THIS FILE WITH CAUTION (ntpsweep-opts)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:09 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:49:57 AM by AutoGen 5.18.5
# From the definitions ntpsweep-opts.def
# and the template file perlopt
@@ -43,7 +43,7 @@
'help|?', 'more-help'));
$usage = <<'USAGE';
-ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p10
+ntpsweep - Print various informations about given ntp servers - Ver. 4.2.8p11
USAGE: ntpsweep [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [hostfile]
-l, --host-list=str Host to execute actions on
Index: contrib/ntp/scripts/ntpsweep/ntpsweep.man.in
===================================================================
--- contrib/ntp/scripts/ntpsweep/ntpsweep.man.in (版本 330566)
+++ contrib/ntp/scripts/ntpsweep/ntpsweep.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntpsweep 1ntpsweepman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntpsweep 1ntpsweepman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cxaykl/ag-pxaGjl)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cfaGaS/ag-pfaO_R)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:13 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:01 AM by AutoGen 5.18.5
.\" From the definitions ntpsweep-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/ntptrace/ntptrace-opts
===================================================================
--- contrib/ntp/scripts/ntptrace/ntptrace-opts (版本 330566)
+++ contrib/ntp/scripts/ntptrace/ntptrace-opts (版本 330908)
@@ -1,6 +1,6 @@
# EDIT THIS FILE WITH CAUTION (ntptrace-opts)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:18 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 10:50:06 AM by AutoGen 5.18.5
# From the definitions ntptrace-opts.def
# and the template file perlopt
@@ -40,7 +40,7 @@
'help|?', 'more-help'));
$usage = <<'USAGE';
-ntptrace - Trace peers of an NTP server - Ver. 4.2.8p10
+ntptrace - Trace peers of an NTP server - Ver. 4.2.8p11
USAGE: ntptrace [ -<flag> [<val>] | --<name>[{=| }<val>] ]... [host]
-n, --numeric Print IP addresses instead of hostnames
Index: contrib/ntp/scripts/ntptrace/ntptrace.man.in
===================================================================
--- contrib/ntp/scripts/ntptrace/ntptrace.man.in (版本 330566)
+++ contrib/ntp/scripts/ntptrace/ntptrace.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntptrace @NTPTRACE_MS@ "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntptrace @NTPTRACE_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-y.a4mm/ag-W.aamm)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-wXa4cT/ag-JXaacT)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:19 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:08 AM by AutoGen 5.18.5
.\" From the definitions ntptrace-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/plot_summary.1plot_summarymdoc
===================================================================
--- contrib/ntp/scripts/plot_summary.1plot_summarymdoc (版本 330566)
+++ contrib/ntp/scripts/plot_summary.1plot_summarymdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt PLOT_SUMMARY 1plot_summarymdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (plot_summary-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:44 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:02 PM by AutoGen 5.18.5
.\" From the definitions plot_summary-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/scripts/summary-opts
===================================================================
--- contrib/ntp/scripts/summary-opts (版本 330566)
+++ contrib/ntp/scripts/summary-opts (版本 330908)
@@ -1,6 +1,6 @@
# EDIT THIS FILE WITH CAUTION (summary-opts)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:38 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 04:55:57 PM by AutoGen 5.18.5
# From the definitions summary-opts.def
# and the template file perlopt
@@ -44,7 +44,7 @@
'help|?', 'more-help'));
$usage = <<'USAGE';
-summary - compute various stastics from NTP stat files - Ver. 4.2.8p10
+summary - compute various stastics from NTP stat files - Ver. 4.2.8p11
USAGE: summary [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
--directory=str Directory containing stat files
Index: contrib/ntp/scripts/summary.man.in
===================================================================
--- contrib/ntp/scripts/summary.man.in (版本 330566)
+++ contrib/ntp/scripts/summary.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH summary 1summaryman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH summary 1summaryman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-41aOWo/ag-h2aWVo)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-AMaaJG/ag-NMaiIG)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:48 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:56:06 PM by AutoGen 5.18.5
.\" From the definitions summary-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/scripts/update-leap/update-leap-opts
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap-opts (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap-opts (版本 330908)
@@ -1,6 +1,6 @@
# EDIT THIS FILE WITH CAUTION (update-leap-opts)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:36 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 04:32:15 PM by AutoGen 5.18.5
# From the definitions update-leap-opts.def
# and the template file perlopt
@@ -46,7 +46,7 @@
'help|?', 'more-help'));
$usage = <<'USAGE';
-update-leap - leap-seconds file manager/updater - Ver. 4.2.8p10
+update-leap - leap-seconds file manager/updater - Ver. 4.2.8p11
USAGE: update-leap [ -<flag> [<val>] | --<name>[{=| }<val>] ]...
-s, --source-url=str The URL of the master copy of the leapseconds file
Index: contrib/ntp/scripts/update-leap/invoke-update-leap.texi
===================================================================
--- contrib/ntp/scripts/update-leap/invoke-update-leap.texi (版本 330566)
+++ contrib/ntp/scripts/update-leap/invoke-update-leap.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-update-leap.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:40:30 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 04:55:50 PM by AutoGen 5.18.5
# From the definitions update-leap-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -70,56 +70,81 @@
@exampleindent 0
@example
- update-leap
- Usage: $0 [options] [leapfile]
- Verifies and if necessary, updates leap-second definition file
+Usage: update-leap [options]
- All arguments are optional: Default (or current value) shown: -s
- Specify the URL of the master copy to download $LEAPSRC -d Specify
- the filename on the local system $LEAPFILE -e Specify how long (in
- days) before expiration the file is to be refreshed. Note that
- larger values imply more frequent refreshes. "$PREFETCH" -f Specify
- location of ntp.conf (used to make sure leapfile directive is
- present and to default leapfile) $NTPCONF -F Force update even if
- current file is OK and not close to expiring. -r Specify number of
- times to retry on get failure $MAXTRIES -i Specify number of minutes
- between retries $INTERVAL -l Use syslog for output (Implied if
- CRONJOB is set) -L Don't use syslog for output -P Specify the syslog
- facility for logging $LOGFAC -t Name of temporary file used in
- validation $TMPFILE -q Only report errors to stdout -v Verbose
- output
+Verifies and if necessary, updates leap-second definition file
- The following options are not (yet) implemented in the perl version:
- -4 Use only IPv4 -6 Use only IPv6 -c Command to restart NTP after
- installing a new file <none> - ntpd checks file daily -p 4|6 Prefer
- IPv4 or IPv6 (as specified) addresses, but use either -z Specify
- path for utilities $PATHLIST -Z Only use system path
+All arguments are optional: Default (or current value) shown:
+ -C Absolute path to CA Cert (see SSL/TLS Considerations)
+ -D Path to a CAdir (see SSL/TLS Considerations)
+ -e Specify how long (in days) before expiration the file is to be
+ refreshed. Note that larger values imply more frequent refreshes.
+ 60
+ -F Force update even if current file is OK and not close to expiring.
+ -f Absolute path ntp.conf file (default /etc/ntp.conf)
+ /etc/ntp.conf
+ -h show help
+ -i Specify number of minutes between retries
+ 10
+ -L Absolute path to leapfile on the local system
+ (overrides value in ntp.conf)
+ -l Specify the syslog(3) facility for logging
+ LOG_USER
+ -q Only report errors (cannot be used with -v)
+ -r Specify number of attempts to retrieve file
+ 6
+ -s Send output to syslog(3) - implied if STDOUT has no tty or redirected
+ -t Send output to terminal - implied if STDOUT attached to terminal
+ -u Specify the URL of the master copy to download
+ https://www.ietf.org/timezones/data/leap-seconds.list
+ -v Verbose - show debug messages (cannot be used with -q)
- $0 will validate the file currently on the local system
+The following options are not (yet) implemented in the perl version:
+ -4 Use only IPv4
+ -6 Use only IPv6
+ -c Command to restart NTP after installing a new file
+ <none> - ntpd checks file daily
+ -p 4|6
+ Prefer IPv4 or IPv6 (as specified) addresses, but use either
- Ordinarily, the file is found using the "leapfile" directive in
- $NTPCONF. However, an alternate location can be specified on the
- command line.
+update-leap will validate the file currently on the local system.
- If the file does not exist, is not valid, has expired, or is
- expiring soon, a new copy will be downloaded. If the new copy
- validates, it is installed and NTP is (optionally) restarted.
+Ordinarily, the leapfile is found using the 'leapfile' directive in
+/etc/ntp.conf. However, an alternate location can be specified on the
+command line with the -L flag.
- If the current file is acceptable, no download or restart occurs.
+If the leapfile does not exist, is not valid, has expired, or is
+expiring soon, a new copy will be downloaded. If the new copy is
+valid, it is installed.
- -c can also be used to invoke another script to perform
- administrative functions, e.g. to copy the file to other local
- systems.
+If the current file is acceptable, no download or restart occurs.
- This can be run as a cron job. As the file is rarely updated, and
- leap seconds are announced at least one month in advance (usually
- longer), it need not be run more frequently than about once every
- three weeks.
+This can be run as a cron job. As the file is rarely updated, and
+leap seconds are announced at least one month in advance (usually
+longer), it need not be run more frequently than about once every
+three weeks.
- For cron-friendly behavior, define CRONJOB=1 in the crontab.
+SSL/TLS Considerations
+-----------------------
+The perl modules can usually locate the CA certificate used to verify
+the peer's identity.
- Version $VERSION
+On BSDs, the default is typically the file /etc/ssl/certs.pem. On
+Linux, the location is typically a path to a CAdir - a directory of
+symlinks named according to a hash of the certificates' subject names.
+
+The -C or -D options are available to pass in a location if no CA cert
+is found in the default location.
+
+External Dependencies
+---------------------
+The following perl modules are required:
+HTTP::Tiny - version >= 0.056
+IO::Socket::SSL - version >= 1.56
+NET::SSLeay - version >= 1.49
+
+Version: 1.004
@end example
@exampleindent 4
Index: contrib/ntp/scripts/update-leap/update-leap.html
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap.html (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap.html (版本 330908)
@@ -30,7 +30,7 @@
<p>This document describes the use of the NTP Project's <code>update-leap</code> program.
- <p>This document applies to version 4.2.8p10 of <code>update-leap</code>.
+ <p>This document applies to version 4.2.8p11 of <code>update-leap</code>.
<div class="shortcontents">
<h2>Short Contents</h2>
@@ -114,56 +114,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example"> update-leap
- Usage: $0 [options] [leapfile]
-
- Verifies and if necessary, updates leap-second definition file
-
- All arguments are optional: Default (or current value) shown: -s
- Specify the URL of the master copy to download $LEAPSRC -d Specify
- the filename on the local system $LEAPFILE -e Specify how long (in
- days) before expiration the file is to be refreshed. Note that
- larger values imply more frequent refreshes. "$PREFETCH" -f Specify
- location of ntp.conf (used to make sure leapfile directive is
- present and to default leapfile) $NTPCONF -F Force update even if
- current file is OK and not close to expiring. -r Specify number of
- times to retry on get failure $MAXTRIES -i Specify number of minutes
- between retries $INTERVAL -l Use syslog for output (Implied if
- CRONJOB is set) -L Don't use syslog for output -P Specify the syslog
- facility for logging $LOGFAC -t Name of temporary file used in
- validation $TMPFILE -q Only report errors to stdout -v Verbose
- output
-
- The following options are not (yet) implemented in the perl version:
- -4 Use only IPv4 -6 Use only IPv6 -c Command to restart NTP after
- installing a new file &lt;none&gt; - ntpd checks file daily -p 4|6 Prefer
- IPv4 or IPv6 (as specified) addresses, but use either -z Specify
- path for utilities $PATHLIST -Z Only use system path
-
- $0 will validate the file currently on the local system
-
- Ordinarily, the file is found using the "leapfile" directive in
- $NTPCONF. However, an alternate location can be specified on the
- command line.
-
- If the file does not exist, is not valid, has expired, or is
- expiring soon, a new copy will be downloaded. If the new copy
- validates, it is installed and NTP is (optionally) restarted.
-
- If the current file is acceptable, no download or restart occurs.
-
- -c can also be used to invoke another script to perform
- administrative functions, e.g. to copy the file to other local
- systems.
-
- This can be run as a cron job. As the file is rarely updated, and
- leap seconds are announced at least one month in advance (usually
- longer), it need not be run more frequently than about once every
- three weeks.
-
- For cron-friendly behavior, define CRONJOB=1 in the crontab.
-
- Version $VERSION
+<pre class="example">
</pre>
<div class="node">
<p><hr>
Index: contrib/ntp/sntp/Makefile.in
===================================================================
--- contrib/ntp/sntp/Makefile.in (版本 330566)
+++ contrib/ntp/sntp/Makefile.in (版本 330908)
@@ -1632,7 +1632,6 @@
#
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/sntp/crypto.h
===================================================================
--- contrib/ntp/sntp/crypto.h (版本 330566)
+++ contrib/ntp/sntp/crypto.h (版本 330908)
@@ -20,7 +20,8 @@
struct key * next;
int key_id;
int key_len;
- char type[10];
+ int typei;
+ char typen[20];
char key_seq[64];
};
Index: contrib/ntp/sntp/invoke-sntp.texi
===================================================================
--- contrib/ntp/sntp/invoke-sntp.texi (版本 330566)
+++ contrib/ntp/sntp/invoke-sntp.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-sntp.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:36:49 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:13:11 PM by AutoGen 5.18.5
# From the definitions sntp-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -101,15 +101,18 @@
@exampleindent 0
@example
-sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10
-Usage: sntp [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \
+sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p245
+USAGE: sntp [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]... \
[ hostname-or-IP ...]
Flg Arg Option-Name Description
-4 no ipv4 Force IPv4 DNS name resolution
- - prohibits the option 'ipv6'
+ - prohibits these options:
+ ipv6
-6 no ipv6 Force IPv6 DNS name resolution
- - prohibits the option 'ipv4'
- -a Num authentication Enable authentication with the key auth-keynumber
+ - prohibits these options:
+ ipv4
+ -a Num authentication Enable authentication with the key @@var@{auth-keynumber@}
+ -B Num bctimeout The number of seconds to wait for broadcasts
-b Str broadcast Listen to the address specified for broadcast time sync
- may appear multiple times
-c Str concurrent Concurrently query all IPs returned for host-name
@@ -116,31 +119,31 @@
- may appear multiple times
-d no debug-level Increase debug verbosity level
- may appear multiple times
- -D Num set-debug-level Set the debug verbosity level
+ -D Str set-debug-level Set the debug verbosity level
- may appear multiple times
-g Num gap The gap (in milliseconds) between time requests
-K Fil kod KoD history filename
- -k Fil keyfile Look in this file for the key specified with -a
+ -k Fil keyfile Look in this file for the key specified with @@option@{-a@}
-l Fil logfile Log to specified logfile
- -M Num steplimit Adjustments less than steplimit msec will be slewed
- - it must be in the range:
+ -M Num steplimit Adjustments less than @@var@{steplimit@} msec will be slewed
+ - It must be in the range:
greater than or equal to 0
- -o Num ntpversion Send int as our NTP protocol version
- - it must be in the range:
+ -o Num ntpversion Send @@var@{int@} as our NTP version
+ - It must be in the range:
0 to 7
-r no usereservedport Use the NTP Reserved Port (port 123)
- -S no step OK to 'step' the time with settimeofday(2)
- -s no slew OK to 'slew' the time with adjtime(2)
- -t Num timeout The number of seconds to wait for responses
+ -S no step OK to 'step' the time with @@command@{settimeofday(2)@}
+ -s no slew OK to 'slew' the time with @@command@{adjtime(2)@}
+ -u Num uctimeout The number of seconds to wait for unicast responses
no wait Wait for pending replies (if not setting the time)
- - disabled as '--no-wait'
+ - disabled as --no-wait
- enabled by default
- opt version output version information and exit
- -? no help display extended usage information and exit
- -! no more-help extended usage information passed thru pager
- -> opt save-opts save the option state to a config file
- -< Str load-opts load options from a config file
- - disabled as '--no-load-opts'
+ opt version Output version information and exit
+ -? no help Display extended usage information and exit
+ -! no more-help Extended usage information passed thru pager
+ -> opt save-opts Save the option state to a config file
+ -< Str load-opts Load options from a config file
+ - disabled as --no-load-opts
- may appear multiple times
Options are specified by doubled hyphens and their name or by a single
@@ -147,12 +150,13 @@
hyphen and the flag character.
+
The following option preset mechanisms are supported:
- reading file $HOME/.ntprc
- reading file ./.ntprc
- examining environment variables named SNTP_*
-Please send bug reports to: <http://bugs.ntp.org, bugs@@ntp.org>
+please send bug reports to: http://bugs.ntp.org, bugs@@ntp.org
@end example
@exampleindent 4
Index: contrib/ntp/sntp/m4/ntp_openssl.m4
===================================================================
--- contrib/ntp/sntp/m4/ntp_openssl.m4 (版本 330566)
+++ contrib/ntp/sntp/m4/ntp_openssl.m4 (版本 330908)
@@ -85,7 +85,12 @@
VER_SUFFIX=o
ntp_openssl=yes
ntp_openssl_from_pkg_config=yes
- AC_MSG_RESULT([yes])
+ ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`"
+ case "$ntp_openssl_version" in
+ *.*) ;;
+ *) ntp_openssl_version='(unknown)' ;;
+ esac
+ AC_MSG_RESULT([yes, version $ntp_openssl_version])
break
fi
Index: contrib/ntp/sntp/sntp-opts.c
===================================================================
--- contrib/ntp/sntp/sntp-opts.c (版本 330566)
+++ contrib/ntp/sntp/sntp-opts.c (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (sntp-opts.c)
*
- * It has been AutoGen-ed March 21, 2017 at 10:36:29 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 10:25:32 AM by AutoGen 5.18.5
* From the definitions sntp-opts.def
* and the template file options
*
@@ -69,8 +69,8 @@
/**
* static const strings for sntp options
*/
-static char const sntp_opt_strs[2552] =
-/* 0 */ "sntp 4.2.8p10\n"
+static char const sntp_opt_strs[2566] =
+/* 0 */ "sntp 4.2.8p11\n"
"Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
"redistribution under the terms of the NTP License, copies of which\n"
@@ -118,52 +118,53 @@
/* 1537 */ "Look in this file for the key specified with -a\0"
/* 1585 */ "KEYFILE\0"
/* 1593 */ "keyfile\0"
-/* 1601 */ "Log to specified logfile\0"
-/* 1626 */ "LOGFILE\0"
-/* 1634 */ "logfile\0"
-/* 1642 */ "Adjustments less than steplimit msec will be slewed\0"
-/* 1694 */ "STEPLIMIT\0"
-/* 1704 */ "steplimit\0"
-/* 1714 */ "Send int as our NTP protocol version\0"
-/* 1751 */ "NTPVERSION\0"
-/* 1762 */ "ntpversion\0"
-/* 1773 */ "Use the NTP Reserved Port (port 123)\0"
-/* 1810 */ "USERESERVEDPORT\0"
-/* 1826 */ "usereservedport\0"
-/* 1842 */ "OK to 'step' the time with settimeofday(2)\0"
-/* 1885 */ "STEP\0"
-/* 1890 */ "step\0"
-/* 1895 */ "OK to 'slew' the time with adjtime(2)\0"
-/* 1933 */ "SLEW\0"
-/* 1938 */ "slew\0"
-/* 1943 */ "The number of seconds to wait for responses\0"
-/* 1987 */ "TIMEOUT\0"
-/* 1995 */ "timeout\0"
-/* 2003 */ "Wait for pending replies (if not setting the time)\0"
-/* 2054 */ "WAIT\0"
-/* 2059 */ "no-wait\0"
-/* 2067 */ "no\0"
-/* 2070 */ "display extended usage information and exit\0"
-/* 2114 */ "help\0"
-/* 2119 */ "extended usage information passed thru pager\0"
-/* 2164 */ "more-help\0"
-/* 2174 */ "output version information and exit\0"
-/* 2210 */ "version\0"
-/* 2218 */ "save the option state to a config file\0"
-/* 2257 */ "save-opts\0"
-/* 2267 */ "load options from a config file\0"
-/* 2299 */ "LOAD_OPTS\0"
-/* 2309 */ "no-load-opts\0"
-/* 2322 */ "SNTP\0"
-/* 2327 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10\n"
+/* 1601 */ "/etc/ntp.keys\0"
+/* 1615 */ "Log to specified logfile\0"
+/* 1640 */ "LOGFILE\0"
+/* 1648 */ "logfile\0"
+/* 1656 */ "Adjustments less than steplimit msec will be slewed\0"
+/* 1708 */ "STEPLIMIT\0"
+/* 1718 */ "steplimit\0"
+/* 1728 */ "Send int as our NTP protocol version\0"
+/* 1765 */ "NTPVERSION\0"
+/* 1776 */ "ntpversion\0"
+/* 1787 */ "Use the NTP Reserved Port (port 123)\0"
+/* 1824 */ "USERESERVEDPORT\0"
+/* 1840 */ "usereservedport\0"
+/* 1856 */ "OK to 'step' the time with settimeofday(2)\0"
+/* 1899 */ "STEP\0"
+/* 1904 */ "step\0"
+/* 1909 */ "OK to 'slew' the time with adjtime(2)\0"
+/* 1947 */ "SLEW\0"
+/* 1952 */ "slew\0"
+/* 1957 */ "The number of seconds to wait for responses\0"
+/* 2001 */ "TIMEOUT\0"
+/* 2009 */ "timeout\0"
+/* 2017 */ "Wait for pending replies (if not setting the time)\0"
+/* 2068 */ "WAIT\0"
+/* 2073 */ "no-wait\0"
+/* 2081 */ "no\0"
+/* 2084 */ "display extended usage information and exit\0"
+/* 2128 */ "help\0"
+/* 2133 */ "extended usage information passed thru pager\0"
+/* 2178 */ "more-help\0"
+/* 2188 */ "output version information and exit\0"
+/* 2224 */ "version\0"
+/* 2232 */ "save the option state to a config file\0"
+/* 2271 */ "save-opts\0"
+/* 2281 */ "load options from a config file\0"
+/* 2313 */ "LOAD_OPTS\0"
+/* 2323 */ "no-load-opts\0"
+/* 2336 */ "SNTP\0"
+/* 2341 */ "sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p11\n"
"Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n"
"\t\t[ hostname-or-IP ...]\n\0"
-/* 2487 */ "$HOME\0"
-/* 2493 */ ".\0"
-/* 2495 */ ".ntprc\0"
-/* 2502 */ "http://bugs.ntp.org, bugs@ntp.org\0"
-/* 2536 */ "\n\0"
-/* 2538 */ "sntp 4.2.8p10";
+/* 2501 */ "$HOME\0"
+/* 2507 */ ".\0"
+/* 2509 */ ".ntprc\0"
+/* 2516 */ "http://bugs.ntp.org, bugs@ntp.org\0"
+/* 2550 */ "\n\0"
+/* 2552 */ "sntp 4.2.8p11";
/**
* ipv4 option description with
@@ -300,6 +301,8 @@
#define KEYFILE_NAME (sntp_opt_strs+1585)
/** Name string for the keyfile option */
#define KEYFILE_name (sntp_opt_strs+1593)
+/** The compiled in default value for the keyfile option argument */
+#define KEYFILE_DFT_ARG (sntp_opt_strs+1601)
/** Compiled in flag settings for the keyfile option */
#define KEYFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
@@ -308,11 +311,11 @@
* logfile option description:
*/
/** Descriptive text for the logfile option */
-#define LOGFILE_DESC (sntp_opt_strs+1601)
+#define LOGFILE_DESC (sntp_opt_strs+1615)
/** Upper-cased name for the logfile option */
-#define LOGFILE_NAME (sntp_opt_strs+1626)
+#define LOGFILE_NAME (sntp_opt_strs+1640)
/** Name string for the logfile option */
-#define LOGFILE_name (sntp_opt_strs+1634)
+#define LOGFILE_name (sntp_opt_strs+1648)
/** Compiled in flag settings for the logfile option */
#define LOGFILE_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_FILE))
@@ -321,11 +324,11 @@
* steplimit option description:
*/
/** Descriptive text for the steplimit option */
-#define STEPLIMIT_DESC (sntp_opt_strs+1642)
+#define STEPLIMIT_DESC (sntp_opt_strs+1656)
/** Upper-cased name for the steplimit option */
-#define STEPLIMIT_NAME (sntp_opt_strs+1694)
+#define STEPLIMIT_NAME (sntp_opt_strs+1708)
/** Name string for the steplimit option */
-#define STEPLIMIT_name (sntp_opt_strs+1704)
+#define STEPLIMIT_name (sntp_opt_strs+1718)
/** Compiled in flag settings for the steplimit option */
#define STEPLIMIT_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
@@ -334,11 +337,11 @@
* ntpversion option description:
*/
/** Descriptive text for the ntpversion option */
-#define NTPVERSION_DESC (sntp_opt_strs+1714)
+#define NTPVERSION_DESC (sntp_opt_strs+1728)
/** Upper-cased name for the ntpversion option */
-#define NTPVERSION_NAME (sntp_opt_strs+1751)
+#define NTPVERSION_NAME (sntp_opt_strs+1765)
/** Name string for the ntpversion option */
-#define NTPVERSION_name (sntp_opt_strs+1762)
+#define NTPVERSION_name (sntp_opt_strs+1776)
/** The compiled in default value for the ntpversion option argument */
#define NTPVERSION_DFT_ARG ((char const*)4)
/** Compiled in flag settings for the ntpversion option */
@@ -349,11 +352,11 @@
* usereservedport option description:
*/
/** Descriptive text for the usereservedport option */
-#define USERESERVEDPORT_DESC (sntp_opt_strs+1773)
+#define USERESERVEDPORT_DESC (sntp_opt_strs+1787)
/** Upper-cased name for the usereservedport option */
-#define USERESERVEDPORT_NAME (sntp_opt_strs+1810)
+#define USERESERVEDPORT_NAME (sntp_opt_strs+1824)
/** Name string for the usereservedport option */
-#define USERESERVEDPORT_name (sntp_opt_strs+1826)
+#define USERESERVEDPORT_name (sntp_opt_strs+1840)
/** Compiled in flag settings for the usereservedport option */
#define USERESERVEDPORT_FLAGS (OPTST_DISABLED)
@@ -361,11 +364,11 @@
* step option description:
*/
/** Descriptive text for the step option */
-#define STEP_DESC (sntp_opt_strs+1842)
+#define STEP_DESC (sntp_opt_strs+1856)
/** Upper-cased name for the step option */
-#define STEP_NAME (sntp_opt_strs+1885)
+#define STEP_NAME (sntp_opt_strs+1899)
/** Name string for the step option */
-#define STEP_name (sntp_opt_strs+1890)
+#define STEP_name (sntp_opt_strs+1904)
/** Compiled in flag settings for the step option */
#define STEP_FLAGS (OPTST_DISABLED)
@@ -373,11 +376,11 @@
* slew option description:
*/
/** Descriptive text for the slew option */
-#define SLEW_DESC (sntp_opt_strs+1895)
+#define SLEW_DESC (sntp_opt_strs+1909)
/** Upper-cased name for the slew option */
-#define SLEW_NAME (sntp_opt_strs+1933)
+#define SLEW_NAME (sntp_opt_strs+1947)
/** Name string for the slew option */
-#define SLEW_name (sntp_opt_strs+1938)
+#define SLEW_name (sntp_opt_strs+1952)
/** Compiled in flag settings for the slew option */
#define SLEW_FLAGS (OPTST_DISABLED)
@@ -385,11 +388,11 @@
* timeout option description:
*/
/** Descriptive text for the timeout option */
-#define TIMEOUT_DESC (sntp_opt_strs+1943)
+#define TIMEOUT_DESC (sntp_opt_strs+1957)
/** Upper-cased name for the timeout option */
-#define TIMEOUT_NAME (sntp_opt_strs+1987)
+#define TIMEOUT_NAME (sntp_opt_strs+2001)
/** Name string for the timeout option */
-#define TIMEOUT_name (sntp_opt_strs+1995)
+#define TIMEOUT_name (sntp_opt_strs+2009)
/** The compiled in default value for the timeout option argument */
#define TIMEOUT_DFT_ARG ((char const*)5)
/** Compiled in flag settings for the timeout option */
@@ -400,13 +403,13 @@
* wait option description:
*/
/** Descriptive text for the wait option */
-#define WAIT_DESC (sntp_opt_strs+2003)
+#define WAIT_DESC (sntp_opt_strs+2017)
/** Upper-cased name for the wait option */
-#define WAIT_NAME (sntp_opt_strs+2054)
+#define WAIT_NAME (sntp_opt_strs+2068)
/** disablement name for the wait option */
-#define NOT_WAIT_name (sntp_opt_strs+2059)
+#define NOT_WAIT_name (sntp_opt_strs+2073)
/** disablement prefix for the wait option */
-#define NOT_WAIT_PFX (sntp_opt_strs+2067)
+#define NOT_WAIT_PFX (sntp_opt_strs+2081)
/** Name string for the wait option */
#define WAIT_name (NOT_WAIT_name + 3)
/** Compiled in flag settings for the wait option */
@@ -415,11 +418,11 @@
/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (sntp_opt_strs+2070)
-#define HELP_name (sntp_opt_strs+2114)
+#define HELP_DESC (sntp_opt_strs+2084)
+#define HELP_name (sntp_opt_strs+2128)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (sntp_opt_strs+2119)
-#define MORE_HELP_name (sntp_opt_strs+2164)
+#define MORE_HELP_DESC (sntp_opt_strs+2133)
+#define MORE_HELP_name (sntp_opt_strs+2178)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC HELP_DESC
@@ -432,14 +435,14 @@
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (sntp_opt_strs+2174)
-#define VER_name (sntp_opt_strs+2210)
-#define SAVE_OPTS_DESC (sntp_opt_strs+2218)
-#define SAVE_OPTS_name (sntp_opt_strs+2257)
-#define LOAD_OPTS_DESC (sntp_opt_strs+2267)
-#define LOAD_OPTS_NAME (sntp_opt_strs+2299)
-#define NO_LOAD_OPTS_name (sntp_opt_strs+2309)
-#define LOAD_OPTS_pfx (sntp_opt_strs+2067)
+#define VER_DESC (sntp_opt_strs+2188)
+#define VER_name (sntp_opt_strs+2224)
+#define SAVE_OPTS_DESC (sntp_opt_strs+2232)
+#define SAVE_OPTS_name (sntp_opt_strs+2271)
+#define LOAD_OPTS_DESC (sntp_opt_strs+2281)
+#define LOAD_OPTS_NAME (sntp_opt_strs+2313)
+#define NO_LOAD_OPTS_name (sntp_opt_strs+2323)
+#define LOAD_OPTS_pfx (sntp_opt_strs+2081)
#define LOAD_OPTS_name (NO_LOAD_OPTS_name + 3)
/**
* Declare option callback procedures
@@ -574,7 +577,7 @@
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
/* opt state flags */ KEYFILE_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --keyfile */
+ /* last opt argumnt */ { KEYFILE_DFT_ARG },
/* arg list/cookie */ NULL,
/* must/cannot opts */ NULL, NULL,
/* option proc */ doOptKeyfile,
@@ -745,24 +748,24 @@
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/** Reference to the upper cased version of sntp. */
-#define zPROGNAME (sntp_opt_strs+2322)
+#define zPROGNAME (sntp_opt_strs+2336)
/** Reference to the title line for sntp usage. */
-#define zUsageTitle (sntp_opt_strs+2327)
+#define zUsageTitle (sntp_opt_strs+2341)
/** sntp configuration file name. */
-#define zRcName (sntp_opt_strs+2495)
+#define zRcName (sntp_opt_strs+2509)
/** Directories to search for sntp config files. */
static char const * const apzHomeList[3] = {
- sntp_opt_strs+2487,
- sntp_opt_strs+2493,
+ sntp_opt_strs+2501,
+ sntp_opt_strs+2507,
NULL };
/** The sntp program bug email address. */
-#define zBugsAddr (sntp_opt_strs+2502)
+#define zBugsAddr (sntp_opt_strs+2516)
/** Clarification/explanation of what sntp does. */
-#define zExplain (sntp_opt_strs+2536)
+#define zExplain (sntp_opt_strs+2550)
/** Extra detail explaining what sntp does. */
#define zDetail (NULL)
/** The full version string for sntp. */
-#define zFullVersion (sntp_opt_strs+2538)
+#define zFullVersion (sntp_opt_strs+2552)
/* extracted from optcode.tlib near line 364 */
#if defined(ENABLE_NLS)
@@ -1173,7 +1176,7 @@
translate option names.
*/
/* referenced via sntpOptions.pzCopyright */
- puts(_("sntp 4.2.8p10\n\
+ puts(_("sntp 4.2.8p11\n\
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\
This is free software. It is licensed for use, modification and\n\
redistribution under the terms of the NTP License, copies of which\n\
@@ -1263,7 +1266,7 @@
puts(_("load options from a config file"));
/* referenced via sntpOptions.pzUsageTitle */
- puts(_("sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10\n\
+ puts(_("sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p11\n\
Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]... \\\n\
\t\t[ hostname-or-IP ...]\n"));
@@ -1271,7 +1274,7 @@
puts(_("\n"));
/* referenced via sntpOptions.pzFullVersion */
- puts(_("sntp 4.2.8p10"));
+ puts(_("sntp 4.2.8p11"));
/* referenced via sntpOptions.pzFullUsage */
puts(_("<<<NOT-FOUND>>>"));
Index: contrib/ntp/sntp/sntp.1sntpmdoc
===================================================================
--- contrib/ntp/sntp/sntp.1sntpmdoc (版本 330566)
+++ contrib/ntp/sntp/sntp.1sntpmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt SNTP 1sntpmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:36:52 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:13:14 PM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -138,6 +138,11 @@
warning message will be displayed. The file will not be created.
.It Fl k Ar file\-name , Fl \-keyfile Ns = Ns Ar file\-name
Look in this file for the key specified with \fB\-a\fP.
+The default
+.Ar file\-name
+for this option is:
+.ti +4
+ /etc/ntp.keys
.sp
This option specifies the keyfile.
\fBsntp\fP will search for the key specified with \fB\-a\fP
Index: contrib/ntp/sntp/tests/Makefile.am
===================================================================
--- contrib/ntp/sntp/tests/Makefile.am (版本 330566)
+++ contrib/ntp/sntp/tests/Makefile.am (版本 330908)
@@ -21,11 +21,12 @@
testLogfile2.log \
$(NULL)
-std_unity_list = \
- $(srcdir)/../unity/auto/generate_test_runner.rb \
+std_unity_list = \
+ $(abs_top_srcdir)/unity/auto/generate_test_runner.rb \
+ $(abs_srcdir)/testconf.yml \
$(NULL)
-run_unity = cd $(srcdir) && ruby ../unity/auto/generate_test_runner.rb
+run_unity = ruby $(std_unity_list)
# Use EXTRA_PROGRAMS for test files that are under development but
# not production-ready
@@ -69,6 +70,7 @@
data/kod-test-blanks \
data/kod-test-correct \
data/kod-test-empty \
+ testconf.yml \
$(NULL)
CLEANFILES += \
@@ -187,31 +189,31 @@
$(srcdir)/run-kodFile.c: $(srcdir)/kodFile.c $(std_unity_list)
- $(run_unity) kodFile.c run-kodFile.c
+ $(run_unity) $< $@
$(srcdir)/run-keyFile.c: $(srcdir)/keyFile.c $(std_unity_list)
- $(run_unity) keyFile.c run-keyFile.c
+ $(run_unity) $< $@
$(srcdir)/run-kodDatabase.c: $(srcdir)/kodDatabase.c $(std_unity_list)
- $(run_unity) kodDatabase.c run-kodDatabase.c
+ $(run_unity) $< $@
$(srcdir)/run-networking.c: $(srcdir)/networking.c $(std_unity_list)
- $(run_unity) networking.c run-networking.c
+ $(run_unity) $< $@
$(srcdir)/run-packetProcessing.c: $(srcdir)/packetProcessing.c $(std_unity_list)
- $(run_unity) packetProcessing.c run-packetProcessing.c
+ $(run_unity) $< $@
$(srcdir)/run-packetHandling.c: $(srcdir)/packetHandling.c $(std_unity_list)
- $(run_unity) packetHandling.c run-packetHandling.c
+ $(run_unity) $< $@
$(srcdir)/run-utilities.c: $(srcdir)/utilities.c $(std_unity_list)
- $(run_unity) utilities.c run-utilities.c
+ $(run_unity) $< $@
$(srcdir)/run-crypto.c: $(srcdir)/crypto.c $(std_unity_list)
- $(run_unity) crypto.c run-crypto.c
+ $(run_unity) $< $@
$(srcdir)/run-t-log.c: $(srcdir)/t-log.c $(std_unity_list)
- $(run_unity) t-log.c run-t-log.c
+ $(run_unity) $< $@
#$(srcdir)/../version.c: $(srcdir)/../version.c
Index: contrib/ntp/sntp/tests/packetHandling.c
===================================================================
--- contrib/ntp/sntp/tests/packetHandling.c (版本 330566)
+++ contrib/ntp/sntp/tests/packetHandling.c (版本 330908)
@@ -84,7 +84,8 @@
testkey.key_id = 30;
testkey.key_len = 9;
memcpy(testkey.key_seq, "123456789", testkey.key_len);
- memcpy(testkey.type, "MD5", 3);
+ strlcpy(testkey.typen, "MD5", sizeof(testkey.typen));
+ testkey.typei = keytype_from_text(testkey.typen, NULL);
GETTIMEOFDAY(&xmt, NULL);
xmt.tv_sec += JAN_1970;
@@ -106,7 +107,7 @@
TEST_ASSERT_EQUAL(testkey.key_id, ntohl(testpkt.exten[0]));
TEST_ASSERT_EQUAL(MAX_MD5_LEN - 4, /* Remove the key_id, only keep the mac. */
- make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN, &testkey, expected_mac));
+ make_mac(&testpkt, LEN_PKT_NOMAC, MAX_MD5_LEN-4, &testkey, expected_mac));
TEST_ASSERT_EQUAL_MEMORY(expected_mac, (char*)&testpkt.exten[1], MAX_MD5_LEN -4);
}
Index: contrib/ntp/sntp/tests/run-kodDatabase.c
===================================================================
--- contrib/ntp/sntp/tests/run-kodDatabase.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-kodDatabase.c (版本 330908)
@@ -41,6 +41,13 @@
extern void test_DeleteEntry(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -56,6 +63,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("kodDatabase.c");
RUN_TEST(test_SingleEntryHandling, 14);
RUN_TEST(test_MultipleEntryHandling, 15);
Index: contrib/ntp/scripts/update-leap/update-leap.mdoc.in
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap.mdoc.in (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt UPDATE_LEAP 1update-leapmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (update-leap-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:35 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 04:55:53 PM by AutoGen 5.18.5
.\" From the definitions update-leap-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
Index: contrib/ntp/sntp/crypto.c
===================================================================
--- contrib/ntp/sntp/crypto.c (版本 330566)
+++ contrib/ntp/sntp/crypto.c (版本 330908)
@@ -1,3 +1,11 @@
+/*
+ * HMS: we need to test:
+ * - OpenSSL versions, if we are building with them
+ * - our versions
+ *
+ * We may need to test with(out) OPENSSL separately.
+ */
+
#include <config.h>
#include "crypto.h"
#include <ctype.h>
@@ -4,74 +12,185 @@
#include "isc/string.h"
#include "ntp_md5.h"
+/* HMS: We may not have OpenSSL, but we have our own AES-128-CMAC */
+#define CMAC "AES128CMAC"
+#ifdef OPENSSL
+# include "openssl/cmac.h"
+# define AES_128_KEY_SIZE 16
+#endif /* OPENSSL */
+
+#ifndef EVP_MAX_MD_SIZE
+# define EVP_MAX_MD_SIZE 32
+#endif
+
struct key *key_ptr;
size_t key_cnt = 0;
+typedef struct key Key_T;
+
+static u_int
+compute_mac(
+ u_char digest[EVP_MAX_MD_SIZE],
+ char const * macname,
+ void const * pkt_data,
+ u_int pkt_size,
+ void const * key_data,
+ u_int key_size
+ )
+{
+ u_int len = 0;
+ size_t slen = 0;
+ int key_type;
+
+ INIT_SSL();
+ key_type = keytype_from_text(macname, NULL);
+
+#ifdef OPENSSL
+ /* Check if CMAC key type specific code required */
+ if (key_type == NID_cmac) {
+ CMAC_CTX * ctx = NULL;
+ u_char keybuf[AES_128_KEY_SIZE];
+
+ /* adjust key size (zero padded buffer) if necessary */
+ if (AES_128_KEY_SIZE > key_size) {
+ memcpy(keybuf, key_data, key_size);
+ memset((keybuf + key_size), 0,
+ (AES_128_KEY_SIZE - key_size));
+ key_data = keybuf;
+ }
+
+ if (!(ctx = CMAC_CTX_new())) {
+ msyslog(LOG_ERR, "make_mac: CMAC %s CTX new failed.", CMAC);
+ }
+ else if (!CMAC_Init(ctx, key_data, AES_128_KEY_SIZE,
+ EVP_aes_128_cbc(), NULL)) {
+ msyslog(LOG_ERR, "make_mac: CMAC %s Init failed.", CMAC);
+ }
+ else if (!CMAC_Update(ctx, pkt_data, (size_t)pkt_size)) {
+ msyslog(LOG_ERR, "make_mac: CMAC %s Update failed.", CMAC);
+ }
+ else if (!CMAC_Final(ctx, digest, &slen)) {
+ msyslog(LOG_ERR, "make_mac: CMAC %s Final failed.", CMAC);
+ slen = 0;
+ }
+ len = (u_int)slen;
+
+ CMAC_CTX_cleanup(ctx);
+ /* Test our AES-128-CMAC implementation */
+
+ } else /* MD5 MAC handling */
+#endif
+ {
+ EVP_MD_CTX * ctx;
+
+ if (!(ctx = EVP_MD_CTX_new())) {
+ msyslog(LOG_ERR, "make_mac: MAC %s Digest CTX new failed.",
+ macname);
+ goto mac_fail;
+ }
+#ifdef OPENSSL /* OpenSSL 1 supports return codes 0 fail, 1 okay */
+# ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+# endif
+ /* [Bug 3457] DON'T use plain EVP_DigestInit! It would
+ * kill the flags! */
+ if (!EVP_DigestInit_ex(ctx, EVP_get_digestbynid(key_type), NULL)) {
+ msyslog(LOG_ERR, "make_mac: MAC %s Digest Init failed.",
+ macname);
+ goto mac_fail;
+ }
+ if (!EVP_DigestUpdate(ctx, key_data, key_size)) {
+ msyslog(LOG_ERR, "make_mac: MAC %s Digest Update key failed.",
+ macname);
+ goto mac_fail;
+ }
+ if (!EVP_DigestUpdate(ctx, pkt_data, pkt_size)) {
+ msyslog(LOG_ERR, "make_mac: MAC %s Digest Update data failed.",
+ macname);
+ goto mac_fail;
+ }
+ if (!EVP_DigestFinal(ctx, digest, &len)) {
+ msyslog(LOG_ERR, "make_mac: MAC %s Digest Final failed.",
+ macname);
+ len = 0;
+ }
+#else /* !OPENSSL */
+ EVP_DigestInit(ctx, EVP_get_digestbynid(key_type));
+ EVP_DigestUpdate(ctx, key_data, key_size);
+ EVP_DigestUpdate(ctx, pkt_data, pkt_size);
+ EVP_DigestFinal(ctx, digest, &len);
+#endif
+ mac_fail:
+ EVP_MD_CTX_free(ctx);
+ }
+
+ return len;
+}
+
int
make_mac(
- const void *pkt_data,
- int pkt_size,
- int mac_size,
- const struct key *cmp_key,
- void * digest
+ const void * pkt_data,
+ int pkt_size,
+ int mac_size,
+ Key_T const * cmp_key,
+ void * digest
)
{
- u_int len = mac_size;
- int key_type;
- EVP_MD_CTX * ctx;
+ u_int len;
+ u_char dbuf[EVP_MAX_MD_SIZE];
- if (cmp_key->key_len > 64)
+ if (cmp_key->key_len > 64 || mac_size <= 0)
return 0;
if (pkt_size % 4 != 0)
return 0;
- INIT_SSL();
- key_type = keytype_from_text(cmp_key->type, NULL);
-
- ctx = EVP_MD_CTX_new();
- EVP_DigestInit(ctx, EVP_get_digestbynid(key_type));
- EVP_DigestUpdate(ctx, (const u_char *)cmp_key->key_seq, (u_int)cmp_key->key_len);
- EVP_DigestUpdate(ctx, pkt_data, (u_int)pkt_size);
- EVP_DigestFinal(ctx, digest, &len);
- EVP_MD_CTX_free(ctx);
-
+ len = compute_mac(dbuf, cmp_key->typen,
+ pkt_data, (u_int)pkt_size,
+ cmp_key->key_seq, (u_int)cmp_key->key_len);
+
+
+ if (len) {
+ if (len > (u_int)mac_size)
+ len = (u_int)mac_size;
+ memcpy(digest, dbuf, len);
+ }
return (int)len;
}
-/* Generates a md5 digest of the key specified in keyid concatenated with the
+/* Generates a md5 digest of the key specified in keyid concatenated with the
* ntp packet (exluding the MAC) and compares this digest to the digest in
- * the packet's MAC. If they're equal this function returns 1 (packet is
+ * the packet's MAC. If they're equal this function returns 1 (packet is
* authentic) or else 0 (not authentic).
*/
int
auth_md5(
- const void *pkt_data,
- int pkt_size,
- int mac_size,
- const struct key *cmp_key
+ void const * pkt_data,
+ int pkt_size,
+ int mac_size,
+ Key_T const * cmp_key
)
{
- int hash_len;
- int authentic;
- char digest[20];
- const u_char *pkt_ptr;
- if (mac_size > (int)sizeof(digest))
- return 0;
- pkt_ptr = pkt_data;
- hash_len = make_mac(pkt_ptr, pkt_size, sizeof(digest), cmp_key,
- digest);
- if (!hash_len) {
- authentic = FALSE;
- } else {
- /* isc_tsmemcmp will be better when its easy to link
- * with. sntp is a 1-shot program, so snooping for
- * timing attacks is Harder.
- */
- authentic = !memcmp(digest, (const char*)pkt_data + pkt_size + 4,
- hash_len);
- }
- return authentic;
+ u_int len = 0;
+ u_char const * pkt_ptr = pkt_data;
+ u_char dbuf[EVP_MAX_MD_SIZE];
+
+ if (mac_size <= 0 || (size_t)mac_size > sizeof(dbuf))
+ return FALSE;
+
+ len = compute_mac(dbuf, cmp_key->typen,
+ pkt_ptr, (u_int)pkt_size,
+ cmp_key->key_seq, (u_int)cmp_key->key_len);
+
+ pkt_ptr += pkt_size + 4;
+ if (len > (u_int)mac_size)
+ len = (u_int)mac_size;
+
+ /* isc_tsmemcmp will be better when its easy to link with. sntp
+ * is a 1-shot program, so snooping for timing attacks is
+ * Harder.
+ */
+ return ((u_int)mac_size == len) && !memcmp(dbuf, pkt_ptr, len);
}
static int
@@ -94,7 +213,7 @@
}
/* Load keys from the specified keyfile into the key structures.
- * Returns -1 if the reading failed, otherwise it returns the
+ * Returns -1 if the reading failed, otherwise it returns the
* number of keys it read
*/
int
@@ -103,12 +222,15 @@
struct key **keys
)
{
- FILE *keyf = fopen(keyfile, "r");
+ FILE *keyf = fopen(keyfile, "r");
struct key *prev = NULL;
- int scan_cnt, line_cnt = 0;
+ int scan_cnt, line_cnt = 1;
char kbuf[200];
char keystring[129];
+ /* HMS: Is it OK to do this later, after we know we have a key file? */
+ INIT_SSL();
+
if (keyf == NULL) {
if (debug)
printf("sntp auth_init: Couldn't open key file %s for reading!\n", keyfile);
@@ -134,18 +256,19 @@
if (octothorpe)
*octothorpe = '\0';
act = emalloc(sizeof(*act));
- scan_cnt = sscanf(kbuf, "%d %9s %128s", &act->key_id, act->type, keystring);
+ /* keep width 15 = sizeof struct key.typen - 1 synced */
+ scan_cnt = sscanf(kbuf, "%d %15s %128s",
+ &act->key_id, act->typen, keystring);
if (scan_cnt == 3) {
int len = strlen(keystring);
+ goodline = 1; /* assume best for now */
if (len <= 20) {
act->key_len = len;
memcpy(act->key_seq, keystring, len + 1);
- goodline = 1;
} else if ((len & 1) != 0) {
goodline = 0; /* it's bad */
} else {
int j;
- goodline = 1;
act->key_len = len >> 1;
for (j = 0; j < len; j+=2) {
int val;
@@ -158,6 +281,13 @@
act->key_seq[j>>1] = (char)val;
}
}
+ act->typei = keytype_from_text(act->typen, NULL);
+ if (0 == act->typei) {
+ printf("%s: line %d: key %d, %s not supported - ignoring\n",
+ keyfile, line_cnt,
+ act->key_id, act->typen);
+ goodline = 0; /* it's bad */
+ }
}
if (goodline) {
act->next = NULL;
@@ -168,19 +298,21 @@
prev = act;
key_cnt++;
} else {
- msyslog(LOG_DEBUG, "auth_init: scanf %d items, skipping line %d.",
- scan_cnt, line_cnt);
+ if (debug) {
+ printf("auth_init: scanf %d items, skipping line %d.",
+ scan_cnt, line_cnt);
+ }
free(act);
}
line_cnt++;
}
fclose(keyf);
-
+
key_ptr = *keys;
return key_cnt;
}
-/* Looks for the key with keyid key_id and sets the d_key pointer to the
+/* Looks for the key with keyid key_id and sets the d_key pointer to the
* address of the key. If no matching key is found the pointer is not touched.
*/
void
Index: contrib/ntp/sntp/include/version.texi
===================================================================
--- contrib/ntp/sntp/include/version.texi (版本 330566)
+++ contrib/ntp/sntp/include/version.texi (版本 330908)
@@ -1,3 +1,3 @@
-@set UPDATED 21 March 2017
-@set EDITION 4.2.8p10
-@set VERSION 4.2.8p10
+@set UPDATED 27 February 2018
+@set EDITION 4.2.8p11
+@set VERSION 4.2.8p11
Index: contrib/ntp/sntp/m4/ntp_libevent.m4
===================================================================
--- contrib/ntp/sntp/m4/ntp_libevent.m4 (版本 330566)
+++ contrib/ntp/sntp/m4/ntp_libevent.m4 (版本 330908)
@@ -78,7 +78,12 @@
if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent
then
ntp_use_local_libevent=no
- AC_MSG_NOTICE([Using the installed libevent])
+ ntp_libevent_version="`$PKG_CONFIG --modversion libevent`"
+ case "$ntp_libevent_version" in
+ *.*) ;;
+ *) ntp_libevent_version='(unknown)' ;;
+ esac
+ AC_MSG_RESULT([yes, version $ntp_libevent_version])
CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads`
CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent`
# HMS: I hope the following is accurate.
@@ -106,7 +111,6 @@
LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads"
esac
LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core"
- AC_MSG_RESULT([yes])
else
ntp_use_local_libevent=yes
# HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS
Index: contrib/ntp/sntp/networking.c
===================================================================
--- contrib/ntp/sntp/networking.c (版本 330566)
+++ contrib/ntp/sntp/networking.c (版本 330908)
@@ -135,6 +135,8 @@
func_name, pkt_len);
return PACKET_UNUSEABLE;
}
+
+ /* HMS: the following needs a bit of work */
/* Note: pkt_len must be a multiple of 4 at this point! */
packet_end = (void*)((char*)rpkt + pkt_len);
exten_end = skip_efields(rpkt->exten, packet_end);
@@ -144,6 +146,7 @@
func_name);
return PACKET_UNUSEABLE;
}
+
/* get size of MAC in cells; can be zero */
exten_len = (u_int)(packet_end - exten_end);
@@ -150,12 +153,13 @@
/* deduce action required from remaining length */
switch (exten_len) {
- case 0: /* no MAC at all */
+ case 0: /* no Legacy MAC */
break;
case 1: /* crypto NAK */
+ /* Only if the keyID is 0 and there were no EFs */
key_id = ntohl(*exten_end);
- printf("Crypto NAK = 0x%08x\n", key_id);
+ printf("Crypto NAK = 0x%08x from %s\n", key_id, stoa(sender));
break;
case 3: /* key ID + 3DES MAC -- unsupported! */
Index: contrib/ntp/sntp/sntp.1sntpman
===================================================================
--- contrib/ntp/sntp/sntp.1sntpman (版本 330566)
+++ contrib/ntp/sntp/sntp.1sntpman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH sntp 1sntpman "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH sntp 1sntpman "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-aQaqbX/ag-nQaiaX)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-eaayfN/ag-qaaqeN)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:36:45 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:13:07 PM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -162,6 +162,11 @@
.TP
.NOP \f\*[B-Font]\-k\f[] \f\*[I-Font]file\-name\f[], \f\*[B-Font]\-\-keyfile\f[]=\f\*[I-Font]file\-name\f[]
Look in this file for the key specified with \fB-a\fP.
+The default
+\f\*[I-Font]file\-name\f[]
+for this option is:
+.ti +4
+ /etc/ntp.keys
.sp
This option specifies the keyfile.
\fBsntp\fP will search for the key specified with \fB-a\fP
Index: contrib/ntp/sntp/sntp.mdoc.in
===================================================================
--- contrib/ntp/sntp/sntp.mdoc.in (版本 330566)
+++ contrib/ntp/sntp/sntp.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt SNTP @SNTP_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (sntp-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:36:52 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:13:14 PM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -138,6 +138,11 @@
warning message will be displayed. The file will not be created.
.It Fl k Ar file\-name , Fl \-keyfile Ns = Ns Ar file\-name
Look in this file for the key specified with \fB\-a\fP.
+The default
+.Ar file\-name
+for this option is:
+.ti +4
+ /etc/ntp.keys
.sp
This option specifies the keyfile.
\fBsntp\fP will search for the key specified with \fB\-a\fP
Index: contrib/ntp/sntp/tests/keyFile.c
===================================================================
--- contrib/ntp/sntp/tests/keyFile.c (版本 330566)
+++ contrib/ntp/sntp/tests/keyFile.c (版本 330908)
@@ -32,9 +32,9 @@
expected.key_len, actual.key_len);
return FALSE;
}
- if (strcmp(expected.type, actual.type) != 0) {
+ if (strcmp(expected.typen, actual.typen) != 0) {
printf("Expected key_type: %s but was: %s\n",
- expected.type, actual.type);
+ expected.typen, actual.typen);
return FALSE;
}
@@ -59,7 +59,7 @@
temp.key_id = key_id;
temp.key_len = key_len;
- strlcpy(temp.type, type, sizeof(temp.type));
+ strlcpy(temp.typen, type, sizeof(temp.typen));
memcpy(temp.key_seq, key_seq, key_len);
return CompareKeys(temp, actual);
Index: contrib/ntp/sntp/tests/run-keyFile.c
===================================================================
--- contrib/ntp/sntp/tests/run-keyFile.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-keyFile.c (版本 330908)
@@ -38,6 +38,13 @@
extern void test_ReadKeyFileWithInvalidHex(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -53,6 +60,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("keyFile.c");
RUN_TEST(test_ReadEmptyKeyFile, 12);
RUN_TEST(test_ReadASCIIKeys, 13);
Index: contrib/ntp/sntp/tests/run-packetHandling.c
===================================================================
--- contrib/ntp/sntp/tests/run-packetHandling.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-packetHandling.c (版本 330908)
@@ -47,6 +47,13 @@
extern void test_HandleCorrectPacket(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -62,6 +69,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("packetHandling.c");
RUN_TEST(test_GenerateUnauthenticatedPacket, 17);
RUN_TEST(test_GenerateAuthenticatedPacket, 18);
Index: contrib/ntp/sntp/tests/testconf.yml
===================================================================
--- contrib/ntp/sntp/tests/testconf.yml (不存在的)
+++ contrib/ntp/sntp/tests/testconf.yml (版本 330908)
@@ -0,0 +1,9 @@
+# configure the test runner generator to properly set up the tests
+# - avoid cluttering the syslogs
+
+---
+:unity:
+ :suite_setup:
+ - extern int change_logfile(const char*, int);
+ - change_logfile("stderr", 0);
+
Index: contrib/ntp/scripts/update-leap/update-leap.man.in
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap.man.in (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH update-leap 1update-leapman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH update-leap 1update-leapman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-6XaW6m/ag-hYa45m)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-cKaOWT/ag-pKaWVT)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:40:27 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 10:50:15 AM by AutoGen 5.18.5
.\" From the definitions update-leap-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
Index: contrib/ntp/sntp/configure
===================================================================
--- contrib/ntp/sntp/configure (版本 330566)
+++ contrib/ntp/sntp/configure (版本 330908)
@@ -1,6 +1,6 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for sntp 4.2.8p10.
+# Generated by GNU Autoconf 2.69 for sntp 4.2.8p11.
#
# Report bugs to <http://bugs.ntp.org./>.
#
@@ -590,8 +590,8 @@
# Identity of this package.
PACKAGE_NAME='sntp'
PACKAGE_TARNAME='sntp'
-PACKAGE_VERSION='4.2.8p10'
-PACKAGE_STRING='sntp 4.2.8p10'
+PACKAGE_VERSION='4.2.8p11'
+PACKAGE_STRING='sntp 4.2.8p11'
PACKAGE_BUGREPORT='http://bugs.ntp.org./'
PACKAGE_URL='http://www.ntp.org./'
@@ -895,6 +895,7 @@
enable_option_checking
enable_silent_rules
enable_dependency_tracking
+with_hardenfile
with_locfile
with_gnu_ld
with_lineeditlibs
@@ -1483,7 +1484,7 @@
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sntp 4.2.8p10 to adapt to many kinds of systems.
+\`configure' configures sntp 4.2.8p11 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1553,7 +1554,7 @@
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sntp 4.2.8p10:";;
+ short | recursive ) echo "Configuration of sntp 4.2.8p11:";;
esac
cat <<\_ACEOF
@@ -1593,6 +1594,7 @@
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
+ --with-hardenfile=XXX os-specific or "/dev/null"
--with-locfile=XXX os-specific or "legacy"
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-lineeditlibs edit,editline (readline may be specified if desired)
@@ -1700,7 +1702,7 @@
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sntp configure 4.2.8p10
+sntp configure 4.2.8p11
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -2409,7 +2411,7 @@
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sntp $as_me 4.2.8p10, which was
+It was created by sntp $as_me 4.2.8p11, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3406,7 +3408,7 @@
# Define the identity of the package.
PACKAGE='sntp'
- VERSION='4.2.8p10'
+ VERSION='4.2.8p11'
cat >>confdefs.h <<_ACEOF
@@ -6089,11 +6091,11 @@
$as_echo_n "checking for compile/link hardening flags... " >&6; }
-# Check whether --with-locfile was given.
-if test "${with_locfile+set}" = set; then :
- withval=$with_locfile;
+# Check whether --with-hardenfile was given.
+if test "${with_hardenfile+set}" = set; then :
+ withval=$with_hardenfile;
else
- with_locfile=no
+ with_hardenfile=no
fi
@@ -6101,12 +6103,12 @@
( \
SENTINEL_DIR="$PWD" && \
cd $srcdir/ && \
- case "$with_locfile" in \
+ case "$with_hardenfile" in \
yes|no|'') \
scripts/genHardFlags -d "$SENTINEL_DIR" \
;; \
*) \
- scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \
+ scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \
;; \
esac \
) > genHardFlags.i 2> genHardFlags.err
@@ -24723,8 +24725,13 @@
if $PKG_CONFIG --atleast-version=$ntp_libevent_min_version libevent
then
ntp_use_local_libevent=no
- { $as_echo "$as_me:${as_lineno-$LINENO}: Using the installed libevent" >&5
-$as_echo "$as_me: Using the installed libevent" >&6;}
+ ntp_libevent_version="`$PKG_CONFIG --modversion libevent`"
+ case "$ntp_libevent_version" in
+ *.*) ;;
+ *) ntp_libevent_version='(unknown)' ;;
+ esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_libevent_version" >&5
+$as_echo "yes, version $ntp_libevent_version" >&6; }
CFLAGS_LIBEVENT=`$PKG_CONFIG --cflags libevent_pthreads`
CPPFLAGS_LIBEVENT=`$PKG_CONFIG --cflags-only-I libevent`
# HMS: I hope the following is accurate.
@@ -24752,8 +24759,6 @@
LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_pthreads"
esac
LDADD_LIBEVENT="$LDADD_LIBEVENT -levent_core"
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
else
ntp_use_local_libevent=yes
# HMS: do we only need to do this if LIBISC_PTHREADS_NOTHREADS
@@ -25130,8 +25135,13 @@
VER_SUFFIX=o
ntp_openssl=yes
ntp_openssl_from_pkg_config=yes
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
+ ntp_openssl_version="`$PKG_CONFIG --modversion $pkg`"
+ case "$ntp_openssl_version" in
+ *.*) ;;
+ *) ntp_openssl_version='(unknown)' ;;
+ esac
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes, version $ntp_openssl_version" >&5
+$as_echo "yes, version $ntp_openssl_version" >&6; }
break
fi
@@ -27068,7 +27078,7 @@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sntp $as_me 4.2.8p10, which was
+This file was extended by sntp $as_me 4.2.8p11, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -27135,7 +27145,7 @@
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-sntp config.status 4.2.8p10
+sntp config.status 4.2.8p11
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
Index: contrib/ntp/sntp/include/version.def
===================================================================
--- contrib/ntp/sntp/include/version.def (版本 330566)
+++ contrib/ntp/sntp/include/version.def (版本 330908)
@@ -1 +1 @@
-version = '4.2.8p10';
+version = '4.2.8p11';
Index: contrib/ntp/sntp/m4/ntp_harden.m4
===================================================================
--- contrib/ntp/sntp/m4/ntp_harden.m4 (版本 330566)
+++ contrib/ntp/sntp/m4/ntp_harden.m4 (版本 330908)
@@ -10,24 +10,24 @@
AC_MSG_CHECKING([for compile/link hardening flags])
AC_ARG_WITH(
- [locfile],
+ [hardenfile],
[AS_HELP_STRING(
- [--with-locfile=XXX],
- [os-specific or "legacy"]
+ [--with-hardenfile=XXX],
+ [os-specific or "/dev/null"]
)],
[],
- [with_locfile=no]
+ [with_hardenfile=no]
)
( \
SENTINEL_DIR="$PWD" && \
cd $srcdir/$1 && \
- case "$with_locfile" in \
+ case "$with_hardenfile" in \
yes|no|'') \
scripts/genHardFlags -d "$SENTINEL_DIR" \
;; \
*) \
- scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_locfile" \
+ scripts/genHardFlags -d "$SENTINEL_DIR" -f "$with_hardenfile" \
;; \
esac \
) > genHardFlags.i 2> genHardFlags.err
Index: contrib/ntp/sntp/main.c
===================================================================
--- contrib/ntp/sntp/main.c (版本 330566)
+++ contrib/ntp/sntp/main.c (版本 330908)
@@ -207,9 +207,8 @@
*/
kod_init_kod_db(OPT_ARG(KOD), FALSE);
- // HMS: Should we use arg-defalt for this too?
- if (HAVE_OPT(KEYFILE))
- auth_init(OPT_ARG(KEYFILE), &keys);
+ /* HMS: Check and see what happens if KEYFILE doesn't exist */
+ auth_init(OPT_ARG(KEYFILE), &keys);
/*
** Considering employing a variable that prevents functions of doing
@@ -379,7 +378,6 @@
{
struct addrinfo hints; /* Local copy is OK */
struct dns_ctx *ctx;
- long l;
char * name_copy;
size_t name_sz;
size_t octets;
@@ -405,15 +403,19 @@
ctx->name = name_copy; // point to it...
ctx->flags = flags;
ctx->timeout = response_tv;
+ ctx->key = NULL;
/* The following should arguably be passed in... */
- if (ENABLED_OPT(AUTHENTICATION) &&
- atoint(OPT_ARG(AUTHENTICATION), &l)) {
- ctx->key_id = l;
+ if (ENABLED_OPT(AUTHENTICATION)) {
+ ctx->key_id = OPT_VALUE_AUTHENTICATION;
get_key(ctx->key_id, &ctx->key);
+ if (NULL == ctx->key) {
+ fprintf(stderr, "%s: Authentication with keyID %d requested, but no matching keyID found in <%s>!\n",
+ progname, ctx->key_id, OPT_ARG(KEYFILE));
+ exit(1);
+ }
} else {
ctx->key_id = -1;
- ctx->key = NULL;
}
++n_pending_dns;
@@ -1132,13 +1134,21 @@
x_pkt->ppoll = 8;
/* FIXME! Modus broadcast + adr. check -> bdr. pkt */
set_li_vn_mode(x_pkt, LEAP_NOTINSYNC, ntpver, 3);
+ if (debug > 0) {
+ printf("generate_pkt: key_id %d, key pointer %p\n", key_id, pkt_key);
+ }
if (pkt_key != NULL) {
x_pkt->exten[0] = htonl(key_id);
- mac_size = 20; /* max room for MAC */
- mac_size = make_mac(x_pkt, pkt_len, mac_size,
+ mac_size = make_mac(x_pkt, pkt_len, MAX_MDG_LEN,
pkt_key, (char *)&x_pkt->exten[1]);
if (mac_size > 0)
- pkt_len += mac_size + 4;
+ pkt_len += mac_size + KEY_MAC_LEN;
+#ifdef DEBUG
+ if (debug > 0) {
+ printf("generate_pkt: mac_size is %d\n", mac_size);
+ }
+#endif
+
}
return pkt_len;
}
Index: contrib/ntp/sntp/sntp-opts.h
===================================================================
--- contrib/ntp/sntp/sntp-opts.h (版本 330566)
+++ contrib/ntp/sntp/sntp-opts.h (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (sntp-opts.h)
*
- * It has been AutoGen-ed March 21, 2017 at 10:36:28 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 10:25:31 AM by AutoGen 5.18.5
* From the definitions sntp-opts.def
* and the template file options
*
@@ -91,9 +91,9 @@
/** count of all options for sntp */
#define OPTION_CT 23
/** sntp version */
-#define SNTP_VERSION "4.2.8p10"
+#define SNTP_VERSION "4.2.8p11"
/** Full sntp version text */
-#define SNTP_FULL_VERSION "sntp 4.2.8p10"
+#define SNTP_FULL_VERSION "sntp 4.2.8p11"
/**
* Interface defines for all options. Replace "n" with the UPPER_CASED
Index: contrib/ntp/sntp/sntp.man.in
===================================================================
--- contrib/ntp/sntp/sntp.man.in (版本 330566)
+++ contrib/ntp/sntp/sntp.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH sntp @SNTP_MS@ "21 Mar 2017" "4.2.8p10" "User Commands"
+.TH sntp @SNTP_MS@ "27 Feb 2018" "4.2.8p11" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-aQaqbX/ag-nQaiaX)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-eaayfN/ag-qaaqeN)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:36:45 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:13:07 PM by AutoGen 5.18.5
.\" From the definitions sntp-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -162,6 +162,11 @@
.TP
.NOP \f\*[B-Font]\-k\f[] \f\*[I-Font]file\-name\f[], \f\*[B-Font]\-\-keyfile\f[]=\f\*[I-Font]file\-name\f[]
Look in this file for the key specified with \fB-a\fP.
+The default
+\f\*[I-Font]file\-name\f[]
+for this option is:
+.ti +4
+ /etc/ntp.keys
.sp
This option specifies the keyfile.
\fBsntp\fP will search for the key specified with \fB-a\fP
Index: contrib/ntp/sntp/tests/crypto.c
===================================================================
--- contrib/ntp/sntp/tests/crypto.c (版本 330566)
+++ contrib/ntp/sntp/tests/crypto.c (版本 330908)
@@ -5,18 +5,26 @@
#include "sntptest.h"
#include "crypto.h"
+#define CMAC "AES128CMAC"
+
#define MD5_LENGTH 16
#define SHA1_LENGTH 20
+#define CMAC_LENGTH 16
void test_MakeMd5Mac(void);
void test_MakeSHA1Mac(void);
+void test_MakeCMac(void);
void test_VerifyCorrectMD5(void);
void test_VerifySHA1(void);
+void test_VerifyCMAC(void);
void test_VerifyFailure(void);
void test_PacketSizeNotMultipleOfFourBytes(void);
+void VerifyLocalCMAC(struct key *cmac);
+void VerifyOpenSSLCMAC(struct key *cmac);
+
void
test_MakeMd5Mac(void)
{
@@ -31,8 +39,9 @@
md5.key_id = 10;
md5.key_len = 6;
memcpy(&md5.key_seq, "md5seq", md5.key_len);
- memcpy(&md5.type, "MD5", 4);
-
+ strlcpy(md5.typen, "MD5", sizeof(md5.typen));
+ md5.typei = keytype_from_text(md5.typen, NULL);
+
TEST_ASSERT_EQUAL(MD5_LENGTH,
make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual));
@@ -57,7 +66,8 @@
sha1.key_id = 20;
sha1.key_len = 7;
memcpy(&sha1.key_seq, "sha1seq", sha1.key_len);
- memcpy(&sha1.type, "SHA1", 5);
+ strlcpy(sha1.typen, "SHA1", sizeof(sha1.typen));
+ sha1.typei = keytype_from_text(sha1.typen, NULL);
TEST_ASSERT_EQUAL(SHA1_LENGTH,
make_mac(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1, actual));
@@ -73,6 +83,38 @@
void
+test_MakeCMac(void)
+{
+#ifdef OPENSSL
+
+ const char* PKT_DATA = "abcdefgh0123";
+ const int PKT_LEN = strlen(PKT_DATA);
+ const char* EXPECTED_DIGEST =
+ "\xdd\x35\xd5\xf5\x14\x23\xd9\xd6"
+ "\x38\x5d\x29\x80\xfe\x51\xb9\x6b";
+ char actual[CMAC_LENGTH];
+
+ struct key cmac;
+ cmac.next = NULL;
+ cmac.key_id = 30;
+ cmac.key_len = CMAC_LENGTH;
+ memcpy(&cmac.key_seq, "aes-128-cmac-seq", cmac.key_len);
+ memcpy(&cmac.typen, CMAC, strlen(CMAC) + 1);
+
+ TEST_ASSERT_EQUAL(CMAC_LENGTH,
+ make_mac(PKT_DATA, PKT_LEN, CMAC_LENGTH, &cmac, actual));
+
+ TEST_ASSERT_EQUAL_MEMORY(EXPECTED_DIGEST, actual, CMAC_LENGTH);
+
+#else
+
+ TEST_IGNORE_MESSAGE("OpenSSL not found, skipping...");
+
+#endif /* OPENSSL */
+}
+
+
+void
test_VerifyCorrectMD5(void)
{
const char* PKT_DATA =
@@ -87,7 +129,8 @@
md5.key_id = 0;
md5.key_len = 6;
memcpy(&md5.key_seq, "md5key", md5.key_len);
- memcpy(&md5.type, "MD5", 4);
+ strlcpy(md5.typen, "MD5", sizeof(md5.typen));
+ md5.typei = keytype_from_text(md5.typen, NULL);
TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5));
}
@@ -110,7 +153,8 @@
sha1.key_id = 0;
sha1.key_len = 7;
memcpy(&sha1.key_seq, "sha1key", sha1.key_len);
- memcpy(&sha1.type, "SHA1", 5);
+ strlcpy(sha1.typen, "SHA1", sizeof(sha1.typen));
+ sha1.typei = keytype_from_text(sha1.typen, NULL);
TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, SHA1_LENGTH, &sha1));
@@ -121,7 +165,61 @@
#endif /* OPENSSL */
}
+
void
+test_VerifyCMAC(void)
+{
+ const char* PKT_DATA =
+ "sometestdata" /* Data */
+ "\0\0\0\0" /* Key-ID (unused) */
+ "\x4e\x0c\xf0\xe2\xc7\x8e\xbb\xbf" /* MAC */
+ "\x79\xfc\x87\xc7\x8b\xb7\x4a\x0b";
+ const int PKT_LEN = 12;
+ struct key cmac;
+
+ cmac.next = NULL;
+ cmac.key_id = 0;
+ cmac.key_len = CMAC_LENGTH;
+ memcpy(&cmac.key_seq, "aes-128-cmac-key", cmac.key_len);
+ memcpy(&cmac.typen, CMAC, strlen(CMAC) + 1);
+
+ VerifyOpenSSLCMAC(&cmac);
+ VerifyLocalCMAC(&cmac);
+}
+
+
+void
+VerifyOpenSSLCMAC(struct key *cmac)
+{
+#ifdef OPENSSL
+
+ /* XXX: HMS: auth_md5 must be renamed/incorrect. */
+ // TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, CMAC_LENGTH, cmac));
+ TEST_IGNORE_MESSAGE("VerifyOpenSSLCMAC needs to be implemented, skipping...");
+
+#else
+
+ TEST_IGNORE_MESSAGE("OpenSSL not found, skipping...");
+
+#endif /* OPENSSL */
+ return;
+}
+
+
+void
+VerifyLocalCMAC(struct key *cmac)
+{
+
+ /* XXX: HMS: auth_md5 must be renamed/incorrect. */
+ // TEST_ASSERT_TRUE(auth_md5(PKT_DATA, PKT_LEN, CMAC_LENGTH, cmac));
+
+ TEST_IGNORE_MESSAGE("Hook in the local AES-128-CMAC check!");
+
+ return;
+}
+
+
+void
test_VerifyFailure(void)
{
/* We use a copy of the MD5 verification code, but modify the
@@ -139,7 +237,8 @@
md5.key_id = 0;
md5.key_len = 6;
memcpy(&md5.key_seq, "md5key", md5.key_len);
- memcpy(&md5.type, "MD5", 4);
+ strlcpy(md5.typen, "MD5", sizeof(md5.typen));
+ md5.typei = keytype_from_text(md5.typen, NULL);
TEST_ASSERT_FALSE(auth_md5(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5));
}
@@ -157,7 +256,8 @@
md5.key_id = 10;
md5.key_len = 6;
memcpy(&md5.key_seq, "md5seq", md5.key_len);
- memcpy(&md5.type, "MD5", 4);
+ strlcpy(md5.typen, "MD5", sizeof(md5.typen));
+ md5.typei = keytype_from_text(md5.typen, NULL);
TEST_ASSERT_EQUAL(0, make_mac(PKT_DATA, PKT_LEN, MD5_LENGTH, &md5, actual));
}
Index: contrib/ntp/sntp/tests/run-crypto.c
===================================================================
--- contrib/ntp/sntp/tests/run-crypto.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-crypto.c (版本 330908)
@@ -32,12 +32,21 @@
extern void tearDown(void);
extern void test_MakeMd5Mac(void);
extern void test_MakeSHA1Mac(void);
+extern void test_MakeCMac(void);
extern void test_VerifyCorrectMD5(void);
extern void test_VerifySHA1(void);
+extern void test_VerifyCMAC(void);
extern void test_VerifyFailure(void);
extern void test_PacketSizeNotMultipleOfFourBytes(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -53,13 +62,16 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("crypto.c");
- RUN_TEST(test_MakeMd5Mac, 12);
- RUN_TEST(test_MakeSHA1Mac, 13);
- RUN_TEST(test_VerifyCorrectMD5, 14);
- RUN_TEST(test_VerifySHA1, 15);
- RUN_TEST(test_VerifyFailure, 16);
- RUN_TEST(test_PacketSizeNotMultipleOfFourBytes, 17);
+ RUN_TEST(test_MakeMd5Mac, 15);
+ RUN_TEST(test_MakeSHA1Mac, 16);
+ RUN_TEST(test_MakeCMac, 17);
+ RUN_TEST(test_VerifyCorrectMD5, 18);
+ RUN_TEST(test_VerifySHA1, 19);
+ RUN_TEST(test_VerifyCMAC, 20);
+ RUN_TEST(test_VerifyFailure, 21);
+ RUN_TEST(test_PacketSizeNotMultipleOfFourBytes, 22);
return (UnityEnd());
}
Index: contrib/ntp/sntp/tests/run-networking.c
===================================================================
--- contrib/ntp/sntp/tests/run-networking.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-networking.c (版本 330908)
@@ -31,6 +31,13 @@
extern void tearDown(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -46,6 +53,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("networking.c");
return (UnityEnd());
Index: contrib/ntp/sntp/tests/run-utilities.c
===================================================================
--- contrib/ntp/sntp/tests/run-utilities.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-utilities.c (版本 330908)
@@ -41,6 +41,13 @@
extern void test_LfpOutputDecimalFormat(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -56,6 +63,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("utilities.c");
RUN_TEST(test_IPv4Address, 16);
RUN_TEST(test_IPv6Address, 17);
Index: contrib/ntp/scripts/update-leap/update-leap.in
===================================================================
--- contrib/ntp/scripts/update-leap/update-leap.in (版本 330566)
+++ contrib/ntp/scripts/update-leap/update-leap.in (版本 330908)
@@ -1,11 +1,13 @@
#! @PATH_PERL@ -w
-# Copyright (C) 2015 Network Time Foundation
+# Copyright (C) 2015, 2017 Network Time Foundation
# Author: Harlan Stenn
-
+#
+# General cleanup and https support: Paul McMath
+#
# Original shell version:
# Copyright (C) 2014 Timothe Litt litt at acm dot org
-
+#
# This script may be freely copied, used and modified providing that
# this notice and the copyright statement are included in all copies
# and derivative works. No warranty is offered, and use is entirely at
@@ -12,416 +14,461 @@
# your own risk. Bugfixes and improvements would be appreciated by the
# author.
+######## BEGIN #########
use strict;
+# Core modules
use Digest::SHA qw(sha1_hex);
+use File::Basename;
use File::Copy qw(move);
-use File::Fetch;
+use File::Temp qw(tempfile);
use Getopt::Long qw(:config auto_help no_ignore_case bundling);
-use Sys::Syslog;
+use Sys::Syslog qw(:standard :macros);
-my $VERSION="1.003";
+# External modules
+use HTTP::Tiny 0.056;
+use Net::SSLeay 1.49;
+use IO::Socket::SSL 1.56;
-# leap-seconds file manager/updater
+my $VERSION = '1.004';
-# ########## Default configuration ##########
-#
+my $RUN_DIR = '/tmp';
+my $RUN_UID = 0;
+my $TMP_FILE;
+my $TMP_FH;
+my $FILE_MODE = 0644;
-my $CRONJOB = $ENV{'CRONJOB'};
-$CRONJOB = "" unless defined($CRONJOB);
-my $LOGGER;
-my $QUIET = "";
-my $VERBOSE = "";
+######## DEFAULT CONFIGURATION ##########
+# LEAP FILE SRC URIS
+# HTTPS - (default)
+# https://www.ietf.org/timezones/data/leap-seconds
+# HTTP - No TLS/SSL - (not recommended)
+# http://www.ietf.org/timezones/data/leap-seconds.list
-# Where to get the file
-# Choices:
-# https://www.ietf.org/timezones/data/leap-seconds.list
-# ftp://time.nist.gov/pub/leap-seconds.list
-my $LEAPSRC="https://www.ietf.org/timezones/data/leap-seconds.list";
+my $LEAPSRC = 'https://www.ietf.org/timezones/data/leap-seconds.list';
my $LEAPFILE;
# How many times to try to download new file
-my $MAXTRIES=6;
-my $INTERVAL=10;
+my $MAXTRIES = 6;
+my $INTERVAL = 10;
-# Where to find ntp config file
-my $NTPCONF="/etc/ntp.conf";
+my $NTPCONF='/etc/ntp.conf';
# How long (in days) before expiration to get updated file
-my $PREFETCH="60";
+my $PREFETCH = 60;
+my $EXPIRES;
+my $FORCE;
-# How to restart NTP - older NTP: service ntpd? try-restart | condrestart
-# Recent NTP checks for new file daily, so there's nothing to do
-my $RESTART="";
+# Output Flags
+my $QUIET;
+my $DEBUG;
+my $SYSLOG;
+my $TOTERM;
+my $LOGFAC = 'LOG_USER';
-my $EXPIRES;
-my $FORCE = "";
+######### PARSE/SET OPTIONS #########
+my %SSL_OPTS;
+my %SSL_ATTRS = (
+ verify_SSL => 1,
+ SSL_options => \%SSL_OPTS,
+);
-# Where to put temporary copy before it's validated
-my $TMPFILE="/tmp/leap-seconds.$$.tmp";
+our(%opt);
-# Syslog facility
-my $LOGFAC="daemon";
+GetOptions(\%opt,
+ 'C=s',
+ 'D=s',
+ 'e:60',
+ 'F',
+ 'f=s',
+ 'h|help',
+ 'i:10',
+ 'L=s',
+ 'l=s',
+ 'q',
+ 'r:6',
+ 's',
+ 't',
+ 'u=s',
+ 'v',
+ );
-# ###########################################
+$LOGFAC = $opt{l} if defined $opt{l};
+$LEAPSRC = $opt{u} if defined $opt{u};
+$LEAPFILE = $opt{L} if defined $opt{L};
+$PREFETCH = $opt{e} if defined $opt{e};
+$NTPCONF = $opt{f} if defined $opt{f};
+$MAXTRIES = $opt{r} if defined $opt{r};
+$INTERVAL = $opt{i} if defined $opt{i};
-=item update-leap
+$FORCE = 1 if defined $opt{F};
+$DEBUG = 1 if defined $opt{v};
+$QUIET = 1 if defined $opt{q};
+$SYSLOG = 1 if defined $opt{s};
+$TOTERM = 1 if defined $opt{t};
-Usage: $0 [options] [leapfile]
+$SSL_OPTS{SSL_ca_file} = $opt{C} if (defined($opt{C}));
+$SSL_OPTS{SSL_ca_path} = $opt{D} if (defined($opt{D}));
-Verifies and if necessary, updates leap-second definition file
+###############
+## START MAIN
+###############
+my $PROG = basename($0);
-All arguments are optional: Default (or current value) shown:
- -s Specify the URL of the master copy to download
- $LEAPSRC
- -d Specify the filename on the local system
- $LEAPFILE
- -e Specify how long (in days) before expiration the file is to be
- refreshed. Note that larger values imply more frequent refreshes.
- "$PREFETCH"
- -f Specify location of ntp.conf (used to make sure leapfile directive is
- present and to default leapfile)
- $NTPCONF
- -F Force update even if current file is OK and not close to expiring.
- -r Specify number of times to retry on get failure
- $MAXTRIES
- -i Specify number of minutes between retries
- $INTERVAL
- -l Use syslog for output (Implied if CRONJOB is set)
- -L Don't use syslog for output
- -P Specify the syslog facility for logging
- $LOGFAC
- -t Name of temporary file used in validation
- $TMPFILE
- -q Only report errors to stdout
- -v Verbose output
+# Logging - Default is to use syslog(3) if STDOUT isn't
+# connected to a tty.
+if ($SYSLOG || !-t STDOUT) {
+ $SYSLOG = 1;
+ openlog($PROG, 'pid', $LOGFAC);
+}
+else {
+ $TOTERM = 1;
+}
-The following options are not (yet) implemented in the perl version:
- -4 Use only IPv4
- -6 Use only IPv6
- -c Command to restart NTP after installing a new file
- <none> - ntpd checks file daily
- -p 4|6
- Prefer IPv4 or IPv6 (as specified) addresses, but use either
- -z Specify path for utilities
- $PATHLIST
- -Z Only use system path
+if (defined $opt{q} && defined $opt{v}) {
+ log_fatal(LOG_ERR, '-q and -v options mutually exclusive');
+}
-$0 will validate the file currently on the local system
+if (defined $opt{L} && defined $opt{f}) {
+ log_fatal(LOG_ERR, '-L and -f options mutually exclusive');
+}
-Ordinarily, the file is found using the "leapfile" directive in $NTPCONF.
-However, an alternate location can be specified on the command line.
+$SIG{INT} = \&signal_catcher;
+$SIG{TERM} = \&signal_catcher;
+$SIG{QUIT} = \&signal_catcher;
-If the file does not exist, is not valid, has expired, or is expiring soon,
-a new copy will be downloaded. If the new copy validates, it is installed and
-NTP is (optionally) restarted.
+# Take some security precautions
+close STDIN;
-If the current file is acceptable, no download or restart occurs.
+# Show help
+if (defined $opt{h}) {
+ show_help();
+ exit 0;
+}
--c can also be used to invoke another script to perform administrative
-functions, e.g. to copy the file to other local systems.
+if ($< != $RUN_UID) {
+ log_fatal(LOG_ERR, 'User ' . getpwuid($<) . " (UID $<) tried to run $PROG");
+}
-This can be run as a cron job. As the file is rarely updated, and leap
-seconds are announced at least one month in advance (usually longer), it
-need not be run more frequently than about once every three weeks.
+chdir $RUN_DIR || log_fatal("Failed to change dir to $RUN_DIR");
-For cron-friendly behavior, define CRONJOB=1 in the crontab.
+# Parse ntp.conf for path to leapfile if not set by user
+if (! $LEAPFILE) {
-Version $VERSION
-=cut
+ open my $LF, '<', $NTPCONF || log_fatal(LOG_ERR, "Can't open <$NTPCONF>: $!");
-# Default: Use syslog for logging if running under cron
+ while (<$LF>) {
+ chomp;
+ $LEAPFILE = $1 if /^ *leapfile\s+"(\S+)"/;
+ }
+ close $LF;
-my $SYSLOG = $CRONJOB;
+ if (! $LEAPFILE) {
+ log_fatal(LOG_ERR, "No leapfile directive in $NTPCONF; leapfile location not known");
+ }
+}
-# Parse options
+-s $LEAPFILE || logger(LOG_DEBUG, "Leapfile $LEAPFILE is empty");
-our(%opt);
+# Download new file if:
+# 1. file doesn't exist
+# 2. invoked w/ force flag (-F)
+# 3. current file isn't valid
+# 4. current file expired or expires soon
-GetOptions(\%opt,
- 'c=s',
- 'e:60',
- 'F',
- 'f=s',
- 'i:10',
- 'L',
- 'l',
- 'P=s',
- 'q',
- 'r:6',
- 's=s',
- 't=s',
- 'v'
- );
+if ( !-e $LEAPFILE || $FORCE || ! verifySHA($LEAPFILE) ||
+ ( $EXPIRES lt ( $PREFETCH * 86400 + time() ) )) {
-$LOGFAC=$opt{P} if (defined($opt{P}));
-$LEAPSRC=$opt{s} if (defined($opt{s}));
-$PREFETCH=$opt{e} if (defined($opt{e}));
-$NTPCONF=$opt{f} if (defined($opt{f}));
-$FORCE="Y" if (defined($opt{F}));
-$RESTART=$opt{c} if (defined($opt{c}));
-$MAXTRIES=$opt{r} if (defined($opt{r}));
-$INTERVAL=$opt{i} if (defined($opt{i}));
-$TMPFILE=$opt{t} if (defined($opt{t}));
-$SYSLOG="Y" if (defined($opt{l}));
-$SYSLOG="" if (defined($opt{L}));
-$QUIET="Y" if (defined($opt{q}));
-$VERBOSE="Y" if (defined($opt{v}));
+ for (my $try = 1; $try <= $MAXTRIES; $try++) {
+ logger(LOG_DEBUG, "Attempting download from $LEAPSRC, try $try..");
-# export PATH="$PATHLIST$PATH"
+ ($TMP_FH, $TMP_FILE) = tempfile(UNLINK => 1, SUFFIX => '.list');
-# Handle logging
+ if (retrieve_file($TMP_FH)) {
-openlog($0, 'pid', $LOGFAC);
+ if ( verifySHA($TMP_FILE) ) {
+ move_file($TMP_FILE, $LEAPFILE);
+ chmod $FILE_MODE, $LEAPFILE;
+ logger(LOG_INFO, "Installed new $LEAPFILE from $LEAPSRC");
+ }
+ else {
+ logger(LOG_ERR, "Downloaded file $TMP_FILE rejected -- saved for diagnosis");
+ move_file($TMP_FILE, 'leap-seconds.list_corrupt');
+ exit 1;
+ }
+ # Fall through
+ exit 0;
+ }
+ # Failure
+ unlink $TMP_FILE;
+ logger(LOG_INFO, "Download failed. Waiting $INTERVAL minutes before retrying...");
+ sleep $INTERVAL * 60 ;
+ }
+
+ # Failed and out of retries
+ log_fatal(LOG_ERR, "Download from $LEAPSRC failed after $MAXTRIES attempts");
+}
+
+logger(LOG_INFO, "Not time to replace $LEAPFILE");
+
+exit 0;
+
+######## SUB ROUTINES #########
+sub move_file {
+
+ (my $src, my $dst) = @_;
+
+ if ( move($src, $dst) ) {
+ logger(LOG_DEBUG, "Moved $src to $dst");
+ }
+ else {
+ log_fatal(LOG_ERR, "Moving $src to $dst failed: $!");
+ }
+}
+
+# Removes temp file if terminating signal recv'd
+sub signal_catcher {
+ my $signame = shift;
+
+ close $TMP_FH;
+ unlink $TMP_FILE;
+ log_fatal(LOG_INFO, "Recv'd SIG${signame}. Terminating.");
+}
+
+sub log_fatal {
+ my ($p, $msg) = @_;
+ logger($p, $msg);
+ exit 1;
+}
+
sub logger {
- my ($priority, $message) = @_;
+ my ($p, $msg) = @_;
- # "priority" "message"
- #
- # Stdout unless syslog specified or logger isn't available
- #
- if ($SYSLOG eq "" or $LOGGER eq "") {
- if ($QUIET ne "" and ( $priority eq "info" or $priority eq "notice" or $priority eq "debug" ) ) {
- return 0
+ # Suppress LOG_DEBUG msgs unless $DEBUG set
+ return if (!$DEBUG && $p eq LOG_DEBUG);
+
+ # Suppress all but LOG_ERR msgs if $QUIET set
+ return if ($QUIET && $p ne LOG_ERR);
+
+ if ($TOTERM) {
+ if ($p eq LOG_ERR) { # errors should go to STDERR
+ print STDERR "$msg\n";
}
- printf "%s: $message\n", uc $priority;
- return 0;
+ else {
+ print STDOUT "$msg\n";
+ }
}
- # Also log to stdout if cron job && notice or higher
- if (($CRONJOB ne "" and ($priority ne "info" ) and ($priority ne "debug" )) || ($VERBOSE ne "")) {
- # Log to stderr as well
- print STDERR "$0: $priority: $message\n";
+ if ($SYSLOG) {
+ syslog($p, $msg)
}
- syslog($priority, $message);
}
-# Verify interval
-# INTERVAL=$(( $INTERVAL *1 ))
+#################################
+# Connect to server and retrieve file
+#
+# Since we make as many as $MAXTRIES attempts to connect to the remote
+# server to download the file, the network socket should be closed after
+# each attempt, rather than let it be reused (because it may be in some
+# unknown state).
+#
+# HTTP::Tiny doesn't export a method to explicitly close a connected
+# socket, therefore, we instantiate the lexically scoped $http object in
+# a function; when the function returns, the object goes out of scope
+# and is destroyed, closing the socket.
+sub retrieve_file {
+ my $fh = shift;
+ my $http;
+
+ if ($LEAPSRC =~ /^https\S+/) {
+ $http = HTTP::Tiny->new(%SSL_ATTRS);
+ (my $ok, my $why) = $http->can_ssl;
+ log_fatal(LOG_ERR, "TLS/SSL config error: $why") if ! $ok;
+ }
+ else {
+ $http = HTTP::Tiny->new();
+ }
+
+ my $reply = $http->get($LEAPSRC);
+
+ if ($reply->{success}) {
+ logger(LOG_DEBUG, "Download of $LEAPSRC succeeded");
+ print $fh $reply->{content} ||
+ log_fatal(LOG_ERR, "Couldn't write new file contents to temp file: $!");
+ close $fh;
+ return 1;
+ }
+ else {
+ close $fh;
+ return 0;
+ }
+}
+
+########################
# Validate a leap-seconds file checksum
#
-# File format: (full description in files)
-# # marks comments, except:
-# #$ number : the NTP date of the last update
-# #@ number : the NTP date that the file expires
-# Date (seconds since 1900) leaps : leaps is the # of seconds to add for times >= Date
+# File format: (full description in file)
+# Pound sign (#) marks comments, EXCEPT:
+# #$ number : the NTP date of the last update
+# #@ number : the NTP date that the file expires
+# #h hex hex hex hex hex : the SHA-1 checksum of the data & dates,
+# excluding whitespace w/o leading zeroes
+#
+# Date (seconds since 1900) leaps : leaps is the # of seconds to add
+# for times >= Date
# Date lines have comments.
-# #h hex hex hex hex hex is the SHA-1 checksum of the data & dates, excluding whitespace w/o leading zeroes
#
# Returns:
-# 0 File is valid
-# 1 Invalid Checksum
-# 2 Expired
+# 0 Invalid Checksum/Expired
+# 1 File is valid
sub verifySHA {
- my ($file, $verbose) = @_;
- my $raw = "";
- my $data = "";
+ my $file = shift;
+ my $fh;
+ my $data;
my $FSHA;
+ open $fh, '<', $file || log_fatal(LOG_ERR, "Can't open $file: $!");
+
# Remove comments, except those that are markers for last update,
# expires and hash
-
- unless (open(LF, $file)) {
- warn "Can't open <$file>: $!\n";
- print "Will try and create that file.\n";
- return 1;
- };
- while (<LF>) {
+ while (<$fh>) {
if (/^#\$/) {
- $raw .= $_;
- s/^..//;
- $data .= $_;
+ s/^..//;
+ $data .= $_;
}
elsif (/^#\@/) {
- $raw .= $_;
- s/^..//;
- $data .= $_;
- s/\s+//g;
- $EXPIRES = $_ - 2208988800;
+ s/^..//;
+ $data .= $_;
+ s/\s+//g;
+ $EXPIRES = $_ - 2208988800;
}
elsif (/^#h\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)\s+([[:xdigit:]]+)/) {
- chomp;
- $raw .= $_;
- $FSHA = sprintf("%08s%08s%08s%08s%08s", $1, $2, $3, $4, $5);
+ chomp;
+ $FSHA = sprintf("%08s%08s%08s%08s%08s", $1, $2, $3, $4, $5);
}
elsif (/^#/) {
- # ignore it
+ # ignore it
}
elsif (/^\d/) {
- s/#.*$//;
- $raw .= $_;
- $data .= $_;
- } else {
- chomp;
- print "Unexpected line: <$_>\n";
+ s/#.*$//;
+ $data .= $_;
+ }
+ else {
+ chomp;
+ print "Unexpected line: <$_>\n";
}
}
- close LF;
+ close $fh;
+ if ( $EXPIRES < time() ) {
+ logger(LOG_DEBUG, 'File expired on ' . gmtime($EXPIRES));
+ return 0;
+ }
+
+ if (! $FSHA) {
+ logger(LOG_NOTICE, "no checksum record found in file");
+ return 0;
+ }
+
# Remove all white space
$data =~ s/\s//g;
# Compute the SHA hash of the data, removing the marker and filename
# Computed in binary mode, which shouldn't matter since whitespace has been removed
-
my $DSHA = sha1_hex($data);
- # Extract the file's hash. Restore any leading zeroes in hash segments.
-
- if ( ( "$FSHA" ne "" ) && ( $FSHA eq $DSHA ) ) {
- if ( $verbose ne "" ) {
- logger("info", "Checksum of $file validated");
- }
- } else {
- logger("error", "Checksum of $file is invalid:");
- $FSHA="(no checksum record found in file)"
- if ( $FSHA eq "");
- logger("error", "EXPECTED: $FSHA");
- logger("error", "COMPUTED: $DSHA");
- return 1;
+ if ($FSHA eq $DSHA) {
+ logger(LOG_DEBUG, "Checksum of $file validated");
+ return 1;
+ }
+ else {
+ logger(LOG_NOTICE, "Checksum of $file is invalid EXPECTED: $FSHA COMPUTED: $DSHA");
+ return 0;
}
-
- # Check the expiration date, converting NTP epoch to Unix epoch used by date
-
- if ( $EXPIRES < time() ) {
- logger("notice", "File expired on " . gmtime($EXPIRES));
- return 2;
- }
- return 0;
}
-# Verify ntp.conf
+sub show_help {
+print <<EOF
--r $NTPCONF || die "Missing ntp configuration: $NTPCONF\n";
+Usage: $PROG [options]
-# Parse ntp.conf for leapfile directive
+Verifies and if necessary, updates leap-second definition file
-open(LF, $NTPCONF) || die "Can't open <$NTPCONF>: $!\n";
-while (<LF>) {
- chomp;
- if (/^ *leapfile\s+"(\S+)"/) {
- $LEAPFILE = $1;
- }
-}
-close LF;
+All arguments are optional: Default (or current value) shown:
+ -C Absolute path to CA Cert (see SSL/TLS Considerations)
+ -D Path to a CAdir (see SSL/TLS Considerations)
+ -e Specify how long (in days) before expiration the file is to be
+ refreshed. Note that larger values imply more frequent refreshes.
+ $PREFETCH
+ -F Force update even if current file is OK and not close to expiring.
+ -f Absolute path ntp.conf file (default /etc/ntp.conf)
+ $NTPCONF
+ -h show help
+ -i Specify number of minutes between retries
+ $INTERVAL
+ -L Absolute path to leapfile on the local system
+ (overrides value in ntp.conf)
+ -l Specify the syslog(3) facility for logging
+ $LOGFAC
+ -q Only report errors (cannot be used with -v)
+ -r Specify number of attempts to retrieve file
+ $MAXTRIES
+ -s Send output to syslog(3) - implied if STDOUT has no tty or redirected
+ -t Send output to terminal - implied if STDOUT attached to terminal
+ -u Specify the URL of the master copy to download
+ $LEAPSRC
+ -v Verbose - show debug messages (cannot be used with -q)
--s $LEAPFILE || warn "$NTPCONF specifies $LEAPFILE as a leapfile, which is empty.\n";
+The following options are not (yet) implemented in the perl version:
+ -4 Use only IPv4
+ -6 Use only IPv6
+ -c Command to restart NTP after installing a new file
+ <none> - ntpd checks file daily
+ -p 4|6
+ Prefer IPv4 or IPv6 (as specified) addresses, but use either
-# Allow placing the file someplace else - testing
+$PROG will validate the file currently on the local system.
-if ( defined $ARGV[0] ) {
- if ( $ARGV[0] ne $LEAPFILE ) {
- logger("notice", "Requested install to $ARGV[0], but $NTPCONF specifies $LEAPFILE");
- }
- $LEAPFILE = $ARGV[0];
-}
+Ordinarily, the leapfile is found using the 'leapfile' directive in
+$NTPCONF. However, an alternate location can be specified on the
+command line with the -L flag.
-# Verify the current file
-# If it is missing, doesn't validate or expired
-# Or is expiring soon
-# Download a new one
+If the leapfile does not exist, is not valid, has expired, or is
+expiring soon, a new copy will be downloaded. If the new copy is
+valid, it is installed.
-if ( $FORCE ne "" || verifySHA($LEAPFILE, $VERBOSE) || ( $EXPIRES lt ( $PREFETCH * 86400 + time() ) )) {
- my $TRY = 0;
- my $ff = File::Fetch->new(uri => $LEAPSRC) || die "Fetch failed.\n";
- while (1) {
- ++$TRY;
- logger("info", "Attempting download from $LEAPSRC, try $TRY..")
- if ($VERBOSE ne "");
- my $where = $ff->fetch( to => '/tmp' );
+If the current file is acceptable, no download or restart occurs.
- if ($where) {
- logger("info", "Download of $LEAPSRC succeeded");
+This can be run as a cron job. As the file is rarely updated, and
+leap seconds are announced at least one month in advance (usually
+longer), it need not be run more frequently than about once every
+three weeks.
- if ( verifySHA($where, $VERBOSE )) {
- # There is no point in retrying, as the file on the
- # server is almost certainly corrupt.
+SSL/TLS Considerations
+-----------------------
+The perl modules can usually locate the CA certificate used to verify
+the peer's identity.
- logger("warning", "Downloaded file $where rejected -- saved for diagnosis");
- exit 1;
- }
+On BSDs, the default is typically the file /etc/ssl/certs.pem. On
+Linux, the location is typically a path to a CAdir - a directory of
+symlinks named according to a hash of the certificates' subject names.
- # While the shell script version will set correct permissions
- # on temporary file, for the perl version that's harder, so
- # for now at least one should run this script as the
- # appropriate user.
+The -C or -D options are available to pass in a location if no CA cert
+is found in the default location.
- # REFFILE="$LEAPFILE"
- # if [ ! -f $LEAPFILE ]; then
- # logger "notice" "$LEAPFILE was missing, creating new copy - check permissions"
- # touch $LEAPFILE
- # # Can't copy permissions from old file, copy from NTPCONF instead
- # REFFILE="$NTPCONF"
- # fi
- # chmod --reference $REFFILE $TMPFILE
- # chown --reference $REFFILE $TMPFILE
- # ( which selinuxenabled && selinuxenabled && which chcon ) >/dev/null 2>&1
- # if [ $? == 0 ] ; then
- # chcon --reference $REFFILE $TMPFILE
- # fi
+External Dependencies
+---------------------
+The following perl modules are required:
+HTTP::Tiny - version >= 0.056
+IO::Socket::SSL - version >= 1.56
+NET::SSLeay - version >= 1.49
- # Replace current file with validated new one
+Version: $VERSION
- if ( move $where, $LEAPFILE ) {
- logger("notice", "Installed new $LEAPFILE from $LEAPSRC");
- } else {
- logger("error", "Install $where => $LEAPFILE failed -- saved for diagnosis: $!");
- exit 1;
- }
-
- # Restart NTP (or whatever else is specified)
-
- if ( $RESTART ne "" ) {
- if ( $VERBOSE ne "" ) {
- logger("info", "Attempting restart action: $RESTART");
- }
-
-# XXX
- #R="$( 2>&1 $RESTART )"
- #if [ $? -eq 0 ]; then
- # logger "notice" "Restart action succeeded"
- # if [ -n "$VERBOSE" -a -n "$R" ]; then
- # logger "info" "$R"
- # fi
- #else
- # logger "error" "Restart action failed"
- # if [ -n "$R" ]; then
- # logger "error" "$R"
- # fi
- # exit 2
- #fi
- }
- exit 0;
- }
-
- # Failed to download. See about trying again
-
- # rm -f $TMPFILE
- if ( $TRY ge $MAXTRIES ) {
- last;
- }
- if ( $VERBOSE ne "" ) {
- logger("info", "Waiting $INTERVAL minutes before retrying...");
- }
- sleep $INTERVAL * 60 ;
- }
-
- # Failed and out of retries
-
- logger("warning", "Download from $LEAPSRC failed after $TRY attempts");
- exit 1;
+EOF
}
-print "FORCE is <$FORCE>\n";
-print "verifySHA is " . verifySHA($LEAPFILE, "") . "\n";
-print "EXPIRES <$EXPIRES> vs ". ( $PREFETCH * 86400 + time() ) . "\n";
-
-logger("info", "Not time to replace $LEAPFILE");
-
-exit 0;
-
-# EOF
Index: contrib/ntp/sntp/check-libntp.mf
===================================================================
--- contrib/ntp/sntp/check-libntp.mf (版本 330566)
+++ contrib/ntp/sntp/check-libntp.mf (版本 330908)
@@ -8,7 +8,6 @@
CLEANFILES += check-libntp
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/sntp/harden/linux
===================================================================
--- contrib/ntp/sntp/harden/linux (版本 330566)
+++ contrib/ntp/sntp/harden/linux (版本 330908)
@@ -1,4 +1,4 @@
# generic linux hardening flags
-NTP_HARD_CFLAGS="-pie -fPIE -fPIC -fstack-protector-all -O1"
+NTP_HARD_CFLAGS="-fPIE -fPIC -fstack-protector-all -O1"
NTP_HARD_CPPFLAGS="-D_FORTIFY_SOURCE=2"
-NTP_HARD_LDFLAGS="-z relro -z now"
+NTP_HARD_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
Index: contrib/ntp/sntp/m4/ntp_af_unspec.m4
===================================================================
--- contrib/ntp/sntp/m4/ntp_af_unspec.m4 (不存在的)
+++ contrib/ntp/sntp/m4/ntp_af_unspec.m4 (版本 330908)
@@ -0,0 +1,23 @@
+dnl ######################################################################
+dnl AF_UNSPEC checks
+AC_DEFUN([NTP_AF_UNSPEC], [
+
+# We could do a cv check here, but is it worth it?
+
+AC_COMPILE_IFELSE(
+ [AC_LANG_PROGRAM(
+ [[
+ #include <sys/socket.h>
+ #ifndef AF_UNSPEC
+ #include "Bletch: AF_UNSPEC is undefined!"
+ #endif
+ #if AF_UNSPEC != 0
+ #include "Bletch: AF_UNSPEC != 0"
+ #endif
+ ]],
+ [AC_MSG_NOTICE([AF_UNSPEC is zero, as expected.])],
+ [AC_MSG_ERROR([AF_UNSPEC is not zero on this platform!])]
+ )]
+)])
+
+dnl ######################################################################
Index: contrib/ntp/sntp/m4/version.m4
===================================================================
--- contrib/ntp/sntp/m4/version.m4 (版本 330566)
+++ contrib/ntp/sntp/m4/version.m4 (版本 330908)
@@ -1 +1 @@
-m4_define([VERSION_NUMBER],[4.2.8p10])
+m4_define([VERSION_NUMBER],[4.2.8p11])
Index: contrib/ntp/sntp/sntp-opts.def
===================================================================
--- contrib/ntp/sntp/sntp-opts.def (版本 330566)
+++ contrib/ntp/sntp/sntp-opts.def (版本 330908)
@@ -128,6 +128,7 @@
descrip = "Look in this file for the key specified with @option{-a}";
arg-type = file;
arg-name = "file-name";
+ arg-default = "/etc/ntp.keys";
doc = <<- _EndOfDoc_
This option specifies the keyfile.
@code{sntp} will search for the key specified with @option{-a}
Index: contrib/ntp/sntp/sntp.html
===================================================================
--- contrib/ntp/sntp/sntp.html (版本 330566)
+++ contrib/ntp/sntp/sntp.html (版本 330908)
@@ -36,7 +36,7 @@
clock. Run as root, it can correct the system clock to this offset as
well. It can be run as an interactive command or from a cron job.
- <p>This document applies to version 4.2.8p10 of <code>sntp</code>.
+ <p>This document applies to version 4.2.8p11 of <code>sntp</code>.
<p>The program implements the SNTP protocol as defined by RFC 5905, the NTPv4
IETF specification.
@@ -176,15 +176,18 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">sntp - standard Simple Network Time Protocol client program - Ver. 4.2.8p10
-Usage: sntp [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... \
+<pre class="example">sntp - standard Simple Network Time Protocol client program - Ver. 4.2.7p245
+USAGE: sntp [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]... \
[ hostname-or-IP ...]
Flg Arg Option-Name Description
-4 no ipv4 Force IPv4 DNS name resolution
- - prohibits the option 'ipv6'
+ - prohibits these options:
+ ipv6
-6 no ipv6 Force IPv6 DNS name resolution
- - prohibits the option 'ipv4'
- -a Num authentication Enable authentication with the key auth-keynumber
+ - prohibits these options:
+ ipv4
+ -a Num authentication Enable authentication with the key @var{auth-keynumber}
+ -B Num bctimeout The number of seconds to wait for broadcasts
-b Str broadcast Listen to the address specified for broadcast time sync
- may appear multiple times
-c Str concurrent Concurrently query all IPs returned for host-name
@@ -191,31 +194,31 @@
- may appear multiple times
-d no debug-level Increase debug verbosity level
- may appear multiple times
- -D Num set-debug-level Set the debug verbosity level
+ -D Str set-debug-level Set the debug verbosity level
- may appear multiple times
-g Num gap The gap (in milliseconds) between time requests
-K Fil kod KoD history filename
- -k Fil keyfile Look in this file for the key specified with -a
+ -k Fil keyfile Look in this file for the key specified with @option{-a}
-l Fil logfile Log to specified logfile
- -M Num steplimit Adjustments less than steplimit msec will be slewed
- - it must be in the range:
+ -M Num steplimit Adjustments less than @var{steplimit} msec will be slewed
+ - It must be in the range:
greater than or equal to 0
- -o Num ntpversion Send int as our NTP protocol version
- - it must be in the range:
+ -o Num ntpversion Send @var{int} as our NTP version
+ - It must be in the range:
0 to 7
-r no usereservedport Use the NTP Reserved Port (port 123)
- -S no step OK to 'step' the time with settimeofday(2)
- -s no slew OK to 'slew' the time with adjtime(2)
- -t Num timeout The number of seconds to wait for responses
+ -S no step OK to 'step' the time with @command{settimeofday(2)}
+ -s no slew OK to 'slew' the time with @command{adjtime(2)}
+ -u Num uctimeout The number of seconds to wait for unicast responses
no wait Wait for pending replies (if not setting the time)
- - disabled as '--no-wait'
+ - disabled as --no-wait
- enabled by default
- opt version output version information and exit
- -? no help display extended usage information and exit
- -! no more-help extended usage information passed thru pager
- -&gt; opt save-opts save the option state to a config file
- -&lt; Str load-opts load options from a config file
- - disabled as '--no-load-opts'
+ opt version Output version information and exit
+ -? no help Display extended usage information and exit
+ -! no more-help Extended usage information passed thru pager
+ -&gt; opt save-opts Save the option state to a config file
+ -&lt; Str load-opts Load options from a config file
+ - disabled as --no-load-opts
- may appear multiple times
Options are specified by doubled hyphens and their name or by a single
@@ -222,12 +225,13 @@
hyphen and the flag character.
+
The following option preset mechanisms are supported:
- reading file $HOME/.ntprc
- reading file ./.ntprc
- examining environment variables named SNTP_*
-Please send bug reports to: &lt;http://bugs.ntp.org, bugs@ntp.org&gt;
+please send bug reports to: http://bugs.ntp.org, bugs@ntp.org
</pre>
<div class="node">
<p><hr>
Index: contrib/ntp/sntp/tests/Makefile.in
===================================================================
--- contrib/ntp/sntp/tests/Makefile.in (版本 330566)
+++ contrib/ntp/sntp/tests/Makefile.in (版本 330908)
@@ -749,10 +749,11 @@
$(NULL)
std_unity_list = \
- $(srcdir)/../unity/auto/generate_test_runner.rb \
+ $(abs_top_srcdir)/unity/auto/generate_test_runner.rb \
+ $(abs_srcdir)/testconf.yml \
$(NULL)
-run_unity = cd $(srcdir) && ruby ../unity/auto/generate_test_runner.rb
+run_unity = ruby $(std_unity_list)
noinst_HEADERS = \
sntptest.h \
$(NULL)
@@ -772,6 +773,7 @@
data/kod-test-blanks \
data/kod-test-correct \
data/kod-test-empty \
+ testconf.yml \
$(NULL)
@@ -1499,31 +1501,31 @@
$(srcdir)/run-kodFile.c: $(srcdir)/kodFile.c $(std_unity_list)
- $(run_unity) kodFile.c run-kodFile.c
+ $(run_unity) $< $@
$(srcdir)/run-keyFile.c: $(srcdir)/keyFile.c $(std_unity_list)
- $(run_unity) keyFile.c run-keyFile.c
+ $(run_unity) $< $@
$(srcdir)/run-kodDatabase.c: $(srcdir)/kodDatabase.c $(std_unity_list)
- $(run_unity) kodDatabase.c run-kodDatabase.c
+ $(run_unity) $< $@
$(srcdir)/run-networking.c: $(srcdir)/networking.c $(std_unity_list)
- $(run_unity) networking.c run-networking.c
+ $(run_unity) $< $@
$(srcdir)/run-packetProcessing.c: $(srcdir)/packetProcessing.c $(std_unity_list)
- $(run_unity) packetProcessing.c run-packetProcessing.c
+ $(run_unity) $< $@
$(srcdir)/run-packetHandling.c: $(srcdir)/packetHandling.c $(std_unity_list)
- $(run_unity) packetHandling.c run-packetHandling.c
+ $(run_unity) $< $@
$(srcdir)/run-utilities.c: $(srcdir)/utilities.c $(std_unity_list)
- $(run_unity) utilities.c run-utilities.c
+ $(run_unity) $< $@
$(srcdir)/run-crypto.c: $(srcdir)/crypto.c $(std_unity_list)
- $(run_unity) crypto.c run-crypto.c
+ $(run_unity) $< $@
$(srcdir)/run-t-log.c: $(srcdir)/t-log.c $(std_unity_list)
- $(run_unity) t-log.c run-t-log.c
+ $(run_unity) $< $@
check-libsntp: ../libsntp.a
@echo stamp > $@
Index: contrib/ntp/sntp/tests/packetProcessing.c
===================================================================
--- contrib/ntp/sntp/tests/packetProcessing.c (版本 330566)
+++ contrib/ntp/sntp/tests/packetProcessing.c (版本 330908)
@@ -5,7 +5,10 @@
#include "ntp_stdlib.h"
#include "unity.h"
+#define CMAC "AES128CMAC"
+#define CMAC_LENGTH 16
+
const char * Version = "stub unit test Version string";
/* Hacks into the key database. */
@@ -35,6 +38,7 @@
void test_CorrectUnauthenticatedPacket(void);
void test_CorrectAuthenticatedPacketMD5(void);
void test_CorrectAuthenticatedPacketSHA1(void);
+void test_CorrectAuthenticatedPacketCMAC(void);
/* [Bug 2998] There are some issues whith the definition of 'struct pkt'
* when AUTOKEY is undefined -- the formal struct is too small to hold
@@ -76,7 +80,7 @@
key_ptr->next = NULL;
key_ptr->key_id = key_id;
key_ptr->key_len = key_len;
- memcpy(key_ptr->type, "MD5", 3);
+ memcpy(key_ptr->typen, type, strlen(type) + 1);
TEST_ASSERT_TRUE(key_len < sizeof(key_ptr->key_seq));
@@ -231,7 +235,7 @@
testpkt.p.exten[0] = htonl(50);
int mac_len = make_mac(&testpkt.p, pkt_len,
- MAX_MD5_LEN, key_ptr,
+ MAX_MD5_LEN - KEY_MAC_LEN, key_ptr,
&testpkt.p.exten[1]);
pkt_len += 4 + mac_len;
@@ -259,9 +263,9 @@
testpkt.p.exten[0] = htonl(50);
int mac_len = make_mac(&testpkt.p, pkt_len,
- MAX_MD5_LEN, key_ptr,
+ MAX_MD5_LEN - KEY_MAC_LEN, key_ptr,
&testpkt.p.exten[1]);
- pkt_len += 4 + mac_len;
+ pkt_len += KEY_MAC_LEN + mac_len;
TEST_ASSERT_EQUAL(SERVER_AUTH_FAIL,
process_pkt(&testpkt.p, &testsock, pkt_len,
@@ -424,10 +428,10 @@
/* Prepare the packet. */
testpkt.p.exten[0] = htonl(10);
int mac_len = make_mac(&testpkt.p, pkt_len,
- MAX_MD5_LEN, key_ptr,
+ MAX_MD5_LEN - KEY_MAC_LEN, key_ptr,
&testpkt.p.exten[1]);
- pkt_len += 4 + mac_len;
+ pkt_len += KEY_MAC_LEN + mac_len;
TEST_ASSERT_EQUAL(pkt_len,
process_pkt(&testpkt.p, &testsock, pkt_len,
@@ -446,6 +450,28 @@
/* Prepare the packet. */
testpkt.p.exten[0] = htonl(20);
int mac_len = make_mac(&testpkt.p, pkt_len,
+ MAX_MDG_LEN, key_ptr,
+ &testpkt.p.exten[1]);
+
+ pkt_len += KEY_MAC_LEN + mac_len;
+
+ TEST_ASSERT_EQUAL(pkt_len,
+ process_pkt(&testpkt.p, &testsock, pkt_len,
+ MODE_SERVER, &testspkt.p, "UnitTest"));
+}
+
+
+void
+test_CorrectAuthenticatedPacketCMAC(void)
+{
+ PrepareAuthenticationTest(30, CMAC_LENGTH, CMAC, "abcdefghijklmnop");
+ TEST_ASSERT_TRUE(ENABLED_OPT(AUTHENTICATION));
+
+ int pkt_len = LEN_PKT_NOMAC;
+
+ /* Prepare the packet. */
+ testpkt.p.exten[0] = htonl(30);
+ int mac_len = make_mac(&testpkt.p, pkt_len,
MAX_MAC_LEN, key_ptr,
&testpkt.p.exten[1]);
@@ -455,3 +481,4 @@
process_pkt(&testpkt.p, &testsock, pkt_len,
MODE_SERVER, &testspkt.p, "UnitTest"));
}
+
Index: contrib/ntp/sntp/tests/run-kodFile.c
===================================================================
--- contrib/ntp/sntp/tests/run-kodFile.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-kodFile.c (版本 330908)
@@ -39,6 +39,13 @@
extern void test_WriteFileWithMultipleEntries(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -54,6 +61,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("kodFile.c");
RUN_TEST(test_ReadEmptyFile, 19);
RUN_TEST(test_ReadCorrectFile, 20);
Index: contrib/ntp/sntp/tests/run-t-log.c
===================================================================
--- contrib/ntp/sntp/tests/run-t-log.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-t-log.c (版本 330908)
@@ -33,6 +33,13 @@
extern void testWriteInCustomLogfile(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -48,6 +55,7 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("t-log.c");
RUN_TEST(testChangePrognameInMysyslog, 10);
RUN_TEST(testOpenLogfileTest, 11);
Index: contrib/ntp/sntp/tests/run-packetProcessing.c
===================================================================
--- contrib/ntp/sntp/tests/run-packetProcessing.c (版本 330566)
+++ contrib/ntp/sntp/tests/run-packetProcessing.c (版本 330908)
@@ -48,8 +48,16 @@
extern void test_CorrectUnauthenticatedPacket(void);
extern void test_CorrectAuthenticatedPacketMD5(void);
extern void test_CorrectAuthenticatedPacketSHA1(void);
+extern void test_CorrectAuthenticatedPacketCMAC(void);
+//=======Suite Setup=====
+static void suite_setup(void)
+{
+extern int change_logfile(const char*, int);
+change_logfile("stderr", 0);
+}
+
//=======Test Reset Option=====
void resetTest(void);
void resetTest(void)
@@ -65,25 +73,27 @@
int main(int argc, char *argv[])
{
progname = argv[0];
+ suite_setup();
UnityBegin("packetProcessing.c");
- RUN_TEST(test_TooShortLength, 20);
- RUN_TEST(test_LengthNotMultipleOfFour, 21);
- RUN_TEST(test_TooShortExtensionFieldLength, 22);
- RUN_TEST(test_UnauthenticatedPacketReject, 23);
- RUN_TEST(test_CryptoNAKPacketReject, 24);
- RUN_TEST(test_AuthenticatedPacketInvalid, 25);
- RUN_TEST(test_AuthenticatedPacketUnknownKey, 26);
- RUN_TEST(test_ServerVersionTooOld, 27);
- RUN_TEST(test_ServerVersionTooNew, 28);
- RUN_TEST(test_NonWantedMode, 29);
- RUN_TEST(test_KoDRate, 30);
- RUN_TEST(test_KoDDeny, 31);
- RUN_TEST(test_RejectUnsyncedServer, 32);
- RUN_TEST(test_RejectWrongResponseServerMode, 33);
- RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 34);
- RUN_TEST(test_CorrectUnauthenticatedPacket, 35);
- RUN_TEST(test_CorrectAuthenticatedPacketMD5, 36);
- RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 37);
+ RUN_TEST(test_TooShortLength, 23);
+ RUN_TEST(test_LengthNotMultipleOfFour, 24);
+ RUN_TEST(test_TooShortExtensionFieldLength, 25);
+ RUN_TEST(test_UnauthenticatedPacketReject, 26);
+ RUN_TEST(test_CryptoNAKPacketReject, 27);
+ RUN_TEST(test_AuthenticatedPacketInvalid, 28);
+ RUN_TEST(test_AuthenticatedPacketUnknownKey, 29);
+ RUN_TEST(test_ServerVersionTooOld, 30);
+ RUN_TEST(test_ServerVersionTooNew, 31);
+ RUN_TEST(test_NonWantedMode, 32);
+ RUN_TEST(test_KoDRate, 33);
+ RUN_TEST(test_KoDDeny, 34);
+ RUN_TEST(test_RejectUnsyncedServer, 35);
+ RUN_TEST(test_RejectWrongResponseServerMode, 36);
+ RUN_TEST(test_AcceptNoSentPacketBroadcastMode, 37);
+ RUN_TEST(test_CorrectUnauthenticatedPacket, 38);
+ RUN_TEST(test_CorrectAuthenticatedPacketMD5, 39);
+ RUN_TEST(test_CorrectAuthenticatedPacketSHA1, 40);
+ RUN_TEST(test_CorrectAuthenticatedPacketCMAC, 41);
return (UnityEnd());
}
Index: contrib/ntp/sntp/unity/auto/generate_test_runner.rb
===================================================================
--- contrib/ntp/sntp/unity/auto/generate_test_runner.rb (版本 330566)
+++ contrib/ntp/sntp/unity/auto/generate_test_runner.rb (版本 330908)
@@ -246,7 +246,7 @@
def create_suite_setup_and_teardown(output)
unless (@options[:suite_setup].nil?)
output.puts("\n//=======Suite Setup=====")
- output.puts("static int suite_setup(void)")
+ output.puts("static void suite_setup(void)")
output.puts("{")
output.puts(@options[:suite_setup])
output.puts("}")
@@ -323,13 +323,13 @@
output.puts(" progname = argv[0];\n")
+ modname = filename.split(/[\/\\]/).last
-
output.puts(" suite_setup();") unless @options[:suite_setup].nil?
- output.puts(" UnityBegin(\"#{filename}\");")
+ output.puts(" UnityBegin(\"#{modname}\");")
if (@options[:use_param_tests])
tests.each do |test|
Index: contrib/ntp/sntp/version.c
===================================================================
--- contrib/ntp/sntp/version.c (版本 330566)
+++ contrib/ntp/sntp/version.c (版本 330908)
@@ -2,4 +2,4 @@
* version file for sntp
*/
#include <config.h>
-const char * Version = "sntp 4.2.8p10-beta@1.3728-o Tue Mar 21 14:36:42 UTC 2017 (43)";
+const char * Version = "sntp 4.2.8p11@1.3728-o Tue Feb 27 22:59:12 UTC 2018 (50)";
Index: contrib/ntp/util/Makefile.in
===================================================================
--- contrib/ntp/util/Makefile.in (版本 330566)
+++ contrib/ntp/util/Makefile.in (版本 330908)
@@ -110,6 +110,7 @@
$(top_srcdir)/sntp/m4/ltsugar.m4 \
$(top_srcdir)/sntp/m4/ltversion.m4 \
$(top_srcdir)/sntp/m4/lt~obsolete.m4 \
+ $(top_srcdir)/sntp/m4/ntp_af_unspec.m4 \
$(top_srcdir)/sntp/m4/ntp_cacheversion.m4 \
$(top_srcdir)/sntp/m4/ntp_compiler.m4 \
$(top_srcdir)/sntp/m4/ntp_crosscompile.m4 \
@@ -1365,7 +1366,6 @@
#
check-libntp: ../libntp/libntp.a
- @echo stamp > $@
../libntp/libntp.a:
cd ../libntp && $(MAKE) $(AM_MAKEFLAGS) libntp.a
Index: contrib/ntp/util/ntp-keygen-opts.h
===================================================================
--- contrib/ntp/util/ntp-keygen-opts.h (版本 330566)
+++ contrib/ntp/util/ntp-keygen-opts.h (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.h)
*
- * It has been AutoGen-ed March 21, 2017 at 10:45:47 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:15:43 PM by AutoGen 5.18.5
* From the definitions ntp-keygen-opts.def
* and the template file options
*
@@ -75,13 +75,13 @@
INDEX_OPT_IFFKEY = 8,
INDEX_OPT_IDENT = 9,
INDEX_OPT_LIFETIME = 10,
- INDEX_OPT_MD5KEY = 11,
- INDEX_OPT_MODULUS = 12,
+ INDEX_OPT_MODULUS = 11,
+ INDEX_OPT_MD5KEY = 12,
INDEX_OPT_PVT_CERT = 13,
INDEX_OPT_PASSWORD = 14,
INDEX_OPT_EXPORT_PASSWD = 15,
- INDEX_OPT_SIGN_KEY = 16,
- INDEX_OPT_SUBJECT_NAME = 17,
+ INDEX_OPT_SUBJECT_NAME = 16,
+ INDEX_OPT_SIGN_KEY = 17,
INDEX_OPT_TRUSTED_CERT = 18,
INDEX_OPT_MV_PARAMS = 19,
INDEX_OPT_MV_KEYS = 20,
@@ -94,9 +94,9 @@
/** count of all options for ntp-keygen */
#define OPTION_CT 26
/** ntp-keygen version */
-#define NTP_KEYGEN_VERSION "4.2.8p10"
+#define NTP_KEYGEN_VERSION "4.2.8p11"
/** Full ntp-keygen version text */
-#define NTP_KEYGEN_FULL_VERSION "ntp-keygen (ntp) 4.2.8p10"
+#define NTP_KEYGEN_FULL_VERSION "ntp-keygen (ntp) 4.2.8p11"
/**
* Interface defines for all options. Replace "n" with the UPPER_CASED
@@ -193,14 +193,14 @@
# warning undefining LIFETIME due to option name conflict
# undef LIFETIME
# endif
+# ifdef MODULUS
+# warning undefining MODULUS due to option name conflict
+# undef MODULUS
+# endif
# ifdef MD5KEY
# warning undefining MD5KEY due to option name conflict
# undef MD5KEY
# endif
-# ifdef MODULUS
-# warning undefining MODULUS due to option name conflict
-# undef MODULUS
-# endif
# ifdef PVT_CERT
# warning undefining PVT_CERT due to option name conflict
# undef PVT_CERT
@@ -213,14 +213,14 @@
# warning undefining EXPORT_PASSWD due to option name conflict
# undef EXPORT_PASSWD
# endif
+# ifdef SUBJECT_NAME
+# warning undefining SUBJECT_NAME due to option name conflict
+# undef SUBJECT_NAME
+# endif
# ifdef SIGN_KEY
# warning undefining SIGN_KEY due to option name conflict
# undef SIGN_KEY
# endif
-# ifdef SUBJECT_NAME
-# warning undefining SUBJECT_NAME due to option name conflict
-# undef SUBJECT_NAME
-# endif
# ifdef TRUSTED_CERT
# warning undefining TRUSTED_CERT due to option name conflict
# undef TRUSTED_CERT
@@ -245,13 +245,13 @@
# undef IFFKEY
# undef IDENT
# undef LIFETIME
+# undef MODULUS
# undef MD5KEY
-# undef MODULUS
# undef PVT_CERT
# undef PASSWORD
# undef EXPORT_PASSWD
+# undef SUBJECT_NAME
# undef SIGN_KEY
-# undef SUBJECT_NAME
# undef TRUSTED_CERT
# undef MV_PARAMS
# undef MV_KEYS
@@ -280,16 +280,16 @@
#ifdef AUTOKEY
#define OPT_VALUE_LIFETIME (DESC(LIFETIME).optArg.argInt)
#endif /* AUTOKEY */
-#define VALUE_OPT_MD5KEY 'M'
#define VALUE_OPT_MODULUS 'm'
#ifdef AUTOKEY
#define OPT_VALUE_MODULUS (DESC(MODULUS).optArg.argInt)
#endif /* AUTOKEY */
+#define VALUE_OPT_MD5KEY 'M'
#define VALUE_OPT_PVT_CERT 'P'
#define VALUE_OPT_PASSWORD 'p'
#define VALUE_OPT_EXPORT_PASSWD 'q'
+#define VALUE_OPT_SUBJECT_NAME 's'
#define VALUE_OPT_SIGN_KEY 'S'
-#define VALUE_OPT_SUBJECT_NAME 's'
#define VALUE_OPT_TRUSTED_CERT 'T'
#define VALUE_OPT_MV_PARAMS 'V'
#ifdef AUTOKEY
Index: contrib/ntp/util/ntp-keygen.man.in
===================================================================
--- contrib/ntp/util/ntp-keygen.man.in (版本 330566)
+++ contrib/ntp/util/ntp-keygen.man.in (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntp-keygen @NTP_KEYGEN_MS@ "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntp-keygen @NTP_KEYGEN_MS@ "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-uUaiiy/ag-lVaahy)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bBa46V/ag-nBaW5V)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:54 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:53 PM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -36,30 +36,33 @@
.SH DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.sp \n(Ppu
.ne 2
-All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
.sp \n(Ppu
.ne 2
-When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -83,27 +86,38 @@
Some files used by this program are encrypted using a private password.
The
\f\*[B-Font]\-p\f[]
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
\f\*[B-Font]\-q\f[]
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-\fBgethostname\f[]\fR()\f[]
-function, normally the DNS name of the host is used.
+\fChostname\f[]\fR(1)\f[]
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+\f\*[B-Font]ntp-keygen\fP
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
.sp \n(Ppu
.ne 2
The
-\f\*[I-Font]pw\f[]
+\f\*[B-Font]pw\f[]
option of the
-\f\*[I-Font]crypto\f[]
+\f\*[B-Font]crypto\f[]
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-\f\*[I-Font]ntpd\f[]
-without password but only on the same host.
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
.sp \n(Ppu
.ne 2
@@ -111,7 +125,7 @@
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-\f\*[I-Font]ntp.keys\f[],
+\fIntp.keys\f[],
is usually installed in
\fI/etc\f[].
Other files and links are usually installed in
@@ -118,208 +132,95 @@
\fI/usr/local/etc\f[],
which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-\f\*[I-Font]keysdir\f[]
-configuration command in such cases.
-Normally, this is in
-\fI/etc\f[].
+In these cases, NFS clients can specify the files in another
+directory such as
+\fI/etc\f[]
+using the
+\f\*[B-Font]keysdir\f[]
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+configuration file command.
.sp \n(Ppu
.ne 2
This program directs commentary and error messages to the standard
error stream
-\f\*[I-Font]stderr\f[]
+\fIstderr\f[]
and remote files to the standard output stream
-\f\*[I-Font]stdout\f[]
+\fIstdout\f[]
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-\f\*[I-Font]ntpkey\f[]
+\fIntpkey\&*\f[]
and include the file type, generating host and filestamp,
as described in the
-\*[Lq]Cryptographic Data Files\*[Rq]
+\fICryptographic Data Files\f[]
section below.
.SS Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-\fI/usr/local/etc\f[]
-When run for the first time, or if all files with names beginning with
-\f\*[I-Font]ntpkey\f[]
-have been removed, use the
+The safest way to run the
\f\*[B-Font]ntp-keygen\fP
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.sp \n(Ppu
-.ne 2
-
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-\f\*[B-Font]ntp-keygen\fP
-with the
-\f\*[B-Font]\-T\f[]
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.sp \n(Ppu
-.ne 2
-
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-\f\*[B-Font]\-S\f[]
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-\f\*[B-Font]\-c\f[]
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-.sp \n(Ppu
-.ne 2
-
-Additional information on trusted groups and identity schemes is on the
-\*[Lq]Autokey Public-Key Authentication\*[Rq]
-page.
-.sp \n(Ppu
-.ne 2
-
-The
-\fCntpd\f[]\fR(@NTPD_MS@)\f[]
-configuration command
-\f\*[B-Font]crypto\f[] \f\*[B-Font]pw\f[] \f\*[I-Font]password\f[]
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.sp \n(Ppu
-.ne 2
-
-File names begin with the prefix
-\f\*[B-Font]ntpkey_\f[]
-and end with the postfix
-\f\*[I-Font]_hostname.filestamp\f[],
-where
-\f\*[I-Font]hostname\f[]
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-\f\*[I-Font]filestamp\f[]
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-\f\*[B-Font]rm\f[] \f\*[B-Font]ntpkey\&*\f[]
-command or all files generated
-at a specific time can be removed by a
-\f\*[B-Font]rm\f[]
-\f\*[I-Font]\&*filestamp\f[]
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.sp \n(Ppu
-.ne 2
-
-All files are installed by default in the keys directory
+program is logged in directly as root.
+The recommended procedure is change to the
+\f\*[I-Font]keys\f[]
+directory, usually
\fI/usr/local/etc\f[],
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
+then run the program.
.sp \n(Ppu
.ne 2
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.sp \n(Ppu
-.ne 2
-
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-\fCntpd\f[]\fR(@NTPD_MS@)\f[]
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+\f\*[I-Font]keys\f[]
+directory, usually
+\fI/usr/local/etc\f[].
+When run for the first time, or if all files with names beginning with
+\fIntpkey\&*\f[]
+have been removed, use the
\f\*[B-Font]ntp-keygen\fP
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.SS Running the program
-The safest way to run the
-\f\*[B-Font]ntp-keygen\fP
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-\fI/usr/local/etc\f[],
-then run the program.
-When run for the first time,
-or if all
-\f\*[B-Font]ntpkey\f[]
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
+command without arguments to generate a default
+\f\*[B-Font]RSA\f[]
+host key and matching
+\f\*[B-Font]RSA-MD5\f[]
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
.sp \n(Ppu
.ne 2
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+\f\*[B-Font]RSA\f[]
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+\f\*[B-Font]RSA\f[]
+or
+\f\*[B-Font]DSA\f[]
+type.
+By default, the message digest type is
+\f\*[B-Font]MD5\f[],
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+\f\*[B-Font]AES128CMAC\f[], \f\*[B-Font]MD2\f[], \f\*[B-Font]MD5\f[], \f\*[B-Font]MDC2\f[], \f\*[B-Font]SHA\f[], \f\*[B-Font]SHA1\f[]
+and
+\f\*[B-Font]RIPE160\f[]
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+\f\*[B-Font]RSA\f[]
+sign keys;
+however, only
+\f\*[B-Font]SHA\f[]
+and
+\f\*[B-Font]SHA1\f[]
+certificates are compatible with
+\f\*[B-Font]DSA\f[]
+sign keys.
.sp \n(Ppu
.ne 2
@@ -334,19 +235,19 @@
.ne 2
Running the program as other than root and using the Unix
-\f\*[B-Font]su\f[]
+\fCsu\f[]\fR(1)\f[]
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-\f\*[B-Font].rnd\f[]
+\fI.rnd\f[]
in the user home directory.
However, there should be only one
-\f\*[B-Font].rnd\f[],
+\fI.rnd\f[],
most conveniently
in the root directory, so it is convenient to define the
-\f\*[B-Font]$RANDFILE\f[]
+RANDFILE
environment variable used by the OpenSSL library as the path to
-\f\*[B-Font]/.rnd\f[].
+\fI.rnd\f[].
.sp \n(Ppu
.ne 2
@@ -358,7 +259,8 @@
\fI/etc\f[]
using the
\f\*[B-Font]keysdir\f[]
-command.
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -397,8 +299,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+\f\*[I-Font]hostname\f[]
+and
+\f\*[I-Font]filestamp\f[]
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
.sp \n(Ppu
.ne 2
@@ -409,108 +314,107 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+follows it to the file name to extract the
+\f\*[I-Font]filestamp\f[].
If a link is not present,
\fCntpd\f[]\fR(@NTPD_MS@)\f[]
-extracts the filestamp from the file itself.
+extracts the
+\f\*[I-Font]filestamp\f[]
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
\f\*[B-Font]ntp-keygen\fP
-program uses the same timestamp extension for all files generated
+program uses the same
+\f\*[I-Font]filestamp\f[]
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-.SS Running the program
-The safest way to run the
-\f\*[B-Font]ntp-keygen\fP
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-\fI/usr/local/etc\f[],
-then run the program.
-When run for the first time,
-or if all
-\f\*[B-Font]ntpkey\f[]
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
.sp \n(Ppu
.ne 2
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
+\f\*[B-Font]ntp-keygen\fP
+with the
+\f\*[B-Font]\-T\f[]
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
.sp \n(Ppu
.ne 2
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+\f\*[B-Font]\-S\f[]
+option and this can be either
+\f\*[B-Font]RSA\f[]
+or
+\f\*[B-Font]DSA\f[]
+type.
+By default, the signature
+message digest type is
+\f\*[B-Font]MD5\f[],
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+\f\*[B-Font]\-c\f[]
+option.
.sp \n(Ppu
.ne 2
-Running the program as other than root and using the Unix
-\f\*[B-Font]su\f[]
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-\f\*[B-Font].rnd\f[]
-in the user home directory.
-However, there should be only one
-\f\*[B-Font].rnd\f[],
-most conveniently
-in the root directory, so it is convenient to define the
-\f\*[B-Font]$RANDFILE\f[]
-environment variable used by the OpenSSL library as the path to
-\f\*[B-Font]/.rnd\f[].
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken-and-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball-and-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re-generated.
.sp \n(Ppu
.ne 2
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-\fI/etc\f[]
-using the
-\f\*[B-Font]keysdir\f[]
-command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
+Additional information on trusted groups and identity schemes is on the
+\*[Lq]Autokey Public-Key Authentication\*[Rq]
+page.
.sp \n(Ppu
.ne 2
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
+File names begin with the prefix
+\fIntpkey\f[]_
+and end with the suffix
+\fI_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[],
+where
+\f\*[I-Font]hostname\f[]
+is the owner name, usually the string returned
+by the Unix
+\fChostname\f[]\fR(1)\f[]
+command, and
+\f\*[I-Font]filestamp\f[]
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+\f\*[B-Font]rm\f[] \fIntpkey\&*\f[]
+command or all files generated
+at a specific time can be removed by a
+\f\*[B-Font]rm\f[] \fI\&*\f[]\f\*[I-Font]filestamp\f[]
+command.
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
+.SS Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -517,8 +421,14 @@
\fIAuthentication\f[] \fIOptions\f[]
section of
\fCntp.conf\f[]\fR(5)\f[].
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+\f\*[B-Font]RSA\f[]
+encryption,
+\f\*[B-Font]MD5\f[]
+message digest
+and
+\f\*[B-Font]TC\f[]
+identification.
First, configure a NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -538,7 +448,7 @@
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-\f\*[B-Font]ntpkey\f[]
+\fIntpkey\f[]
files.
Then run
\f\*[B-Font]ntp-keygen\fP
@@ -565,7 +475,9 @@
\f\*[B-Font]RSA\f[]
or
\f\*[B-Font]DSA\f[].
-The most often need to do this is when a DSA-signed certificate is used.
+The most frequent need to do this is when a
+\f\*[B-Font]DSA\f[]\-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
\f\*[B-Font]ntp-keygen\fP
@@ -574,10 +486,10 @@
option and selected
\f\*[I-Font]scheme\f[]
as needed.
-f
+If
\f\*[B-Font]ntp-keygen\fP
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
.sp \n(Ppu
.ne 2
@@ -586,7 +498,7 @@
Simply run
\f\*[B-Font]ntp-keygen\fP
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
\fCntpd\f[]\fR(@NTPD_MS@)\f[]
should be restarted.
@@ -597,13 +509,15 @@
at which time the protocol is restarted.
.SS Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+\f\*[B-Font]TC\f[]
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-"Identification Schemes"
-page
-(maybe available at
-\f[C]http://www.eecis.udel.edu/%7emills/keygen.html\f[]).
+including
+\f\*[B-Font]PC\f[], \f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[]
+and
+\f\*[B-Font]MV\f[]
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -632,12 +546,15 @@
\f\*[B-Font]\-P\f[]
\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
to generate the host key file
-\fIntpkey_RSAkey_\f[]\f\*[I-Font]alice.filestamp\f[]
+\fIntpkey\f[]_ \f\*[B-Font]RSA\f[] \fIkey_alice.\f[] \f\*[I-Font]filestamp\f[]
and trusted private certificate file
-\fIntpkey_RSA-MD5_cert_\f[]\f\*[I-Font]alice.filestamp\f[].
+\fIntpkey\f[]_ \f\*[B-Font]RSA-MD5\f[] \f\*[B-Font]_\f[] \fIcert_alice.\f[] \f\*[I-Font]filestamp\f[],
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+\f\*[I-Font]bob\f[]
+install a soft link from the generic name
\fIntpkey_host_\f[]\f\*[I-Font]bob\f[]
to the host key file and soft link
\fIntpkey_cert_\f[]\f\*[I-Font]bob\f[]
@@ -646,13 +563,19 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
.sp \n(Ppu
.ne 2
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+\f\*[B-Font]IFF\f[]
+scheme proceed as in the
+\f\*[B-Font]TC\f[]
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+\f\*[B-Font]IFF\f[]
+parameter file.
On trusted host alice run
\f\*[B-Font]ntp-keygen\fP
\f\*[B-Font]\-T\f[]
@@ -659,15 +582,17 @@
\f\*[B-Font]\-I\f[]
\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
to produce her parameter file
-\fIntpkey_IFFpar_\f[]\f\*[I-Font]alice.filestamp\f[],
+\fIntpkey_IFFpar_alice.\f[]\f\*[I-Font]filestamp\f[],
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_iff_alice\f[]
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+\f\*[B-Font]IFF\f[]
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
.sp \n(Ppu
.ne 2
@@ -679,10 +604,10 @@
After generating the parameter file, on alice run
\f\*[B-Font]ntp-keygen\fP
\f\*[B-Font]\-e\f[]
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_iff_alice\f[]
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
@@ -689,9 +614,15 @@
.sp \n(Ppu
.ne 2
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+\f\*[B-Font]GQ\f[]
+scheme proceed as in the
+\f\*[B-Font]TC\f[]
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+\f\*[B-Font]IFF\f[]
+parameter file.
On trusted host alice run
\f\*[B-Font]ntp-keygen\fP
\f\*[B-Font]\-T\f[]
@@ -698,22 +629,32 @@
\f\*[B-Font]\-G\f[]
\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
to produce her parameter file
-\fIntpkey_GQpar_\f[]\f\*[I-Font]alice.filestamp\f[],
+\fIntpkey_GQpar_alice.\f[]\f\*[I-Font]filestamp\f[],
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-\fIntpkey_gq_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_gq_alice\f[]
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+\f\*[I-Font]bob\f[]
+install a soft link
from generic
\fIntpkey_gq_\f[]\f\*[I-Font]bob\f[]
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+\f\*[B-Font]GQ\f[]
+scheme updates the
+\f\*[B-Font]GQ\f[]
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
.sp \n(Ppu
.ne 2
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+\f\*[B-Font]MV\f[]
+scheme, proceed as in the
+\f\*[B-Font]TC\f[]
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -725,9 +666,9 @@
\f\*[I-Font]n\f[]
is the number of revokable keys (typically 5) to produce
the parameter file
-\fIntpkeys_MVpar_\f[]\f\*[I-Font]trish.filestamp\f[]
+\fIntpkeys_MVpar_trish.\f[]\f\*[I-Font]filestamp\f[]
and client key files
-\fIntpkeys_MVkeyd_\f[]\f\*[I-Font]trish.filestamp\f[]
+\fIntpkeys_MVkey\f[]\f\*[I-Font]d\f[] \f\*[I-Font]_\f[] \fItrish.\f[] \f\*[I-Font]filestamp\f[]
where
\f\*[I-Font]d\f[]
is the key number (0 \&<
@@ -736,95 +677,236 @@
\f\*[I-Font]n\f[]).
Copy the parameter file to alice and install a soft link
from the generic
-\fIntpkey_mv_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_mv_alice\f[]
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-\fIntpkey_mvkey_\f[]\f\*[I-Font]bob\f[]
+\fIntpkey_mvkey_bob\f[]
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+\f\*[B-Font]MV\f[]
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
.SS Command Line Options
.TP 7
-.NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]scheme\f[]
-Select certificate message digest/signature encryption scheme.
+.NOP \f\*[B-Font]\-b\f[] \f\*[B-Font]\-\-imbits\f[]= \f\*[I-Font]modulus\f[]
+Set the number of bits in the identity modulus for generating identity keys to
+\f\*[I-Font]modulus\f[]
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.TP 7
+.NOP \f\*[B-Font]\-c\f[] \f\*[B-Font]\-\-certificate\f[]= \f\*[I-Font]scheme\f[]
+Select certificate signature encryption/message digest scheme.
The
\f\*[I-Font]scheme\f[]
can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
+\f\*[B-Font]RSA-MD2\f[], \f\*[B-Font]RSA-MD5\f[], \f\*[B-Font]RSA-MDC2\f[], \f\*[B-Font]RSA-SHA\f[], \f\*[B-Font]RSA-SHA1\f[], \f\*[B-Font]RSA-RIPEMD160\f[], \f\*[B-Font]DSA-SHA\f[],
or
\f\*[B-Font]DSA-SHA1\f[].
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+\f\*[B-Font]RSA\f[]
+schemes must be used with an
+\f\*[B-Font]RSA\f[]
+sign key and
+\f\*[B-Font]DSA\f[]
+schemes must be used with a
+\f\*[B-Font]DSA\f[]
+sign key.
The default without this option is
\f\*[B-Font]RSA-MD5\f[].
+If compatibility with FIPS 140-2 is required, either the
+\f\*[B-Font]DSA-SHA\f[]
+or
+\f\*[B-Font]DSA-SHA1\f[]
+scheme must be used.
.TP 7
-.NOP \f\*[B-Font]\-d\f[]
-Enable debugging.
+.NOP \f\*[B-Font]\-C\f[] \f\*[B-Font]\-\-cipher\f[]= \f\*[I-Font]cipher\f[]
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three-key triple DES in CBC mode,
+\f\*[B-Font]des-ede3-cbc\f[].
+The
+\f\*[B-Font]openssl\f[] \f\*[B-Font]\-h\f[]
+command provided with OpenSSL displays available ciphers.
+.TP 7
+.NOP \f\*[B-Font]\-d\f[] \f\*[B-Font]\-\-debug-level\f[]
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye-friendly billboards.
.TP 7
-.NOP \f\*[B-Font]\-e\f[]
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
+.NOP \f\*[B-Font]\-D\f[] \f\*[B-Font]\-\-set-debug-level\f[]= \f\*[I-Font]level\f[]
+Set the debugging verbosity to
+\f\*[I-Font]level\f[].
+This option displays the cryptographic data produced in eye-friendly billboards.
.TP 7
-.NOP \f\*[B-Font]\-G\f[]
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
+.NOP \f\*[B-Font]\-e\f[] \f\*[B-Font]\-\-id-key\f[]
+Write the
+\f\*[B-Font]IFF\f[]
+or
+\f\*[B-Font]GQ\f[]
+public parameters from the
+\f\*[I-Font]IFFkey\f[] \f\*[I-Font]or\f[] \f\*[I-Font]GQkey\f[]
+client keys file previously specified
+as unencrypted data to the standard output stream
+\fIstdout\f[].
+This is intended for automatic key distribution by email.
.TP 7
-.NOP \f\*[B-Font]\-g\f[]
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
+.NOP \f\*[B-Font]\-G\f[] \f\*[B-Font]\-\-gq-params\f[]
+Generate a new encrypted
+\f\*[B-Font]GQ\f[]
+parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+\f\*[B-Font]\-I\f[]
+and
+\f\*[B-Font]\-V\f[]
+options.
.TP 7
-.NOP \f\*[B-Font]\-H\f[]
-Generate new host keys, obsoleting any that may exist.
+.NOP \f\*[B-Font]\-H\f[] \f\*[B-Font]\-\-host-key\f[]
+Generate a new encrypted
+\f\*[B-Font]RSA\f[]
+public/private host key file.
.TP 7
-.NOP \f\*[B-Font]\-I\f[]
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
+.NOP \f\*[B-Font]\-I\f[] \f\*[B-Font]\-\-iffkey\f[]
+Generate a new encrypted
+\f\*[B-Font]IFF\f[]
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+\f\*[B-Font]\-G\f[]
+and
+Fl V
+options.
.TP 7
-.NOP \f\*[B-Font]\-i\f[] \f\*[I-Font]name\f[]
-Set the suject name to
-\f\*[I-Font]name\f[].
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
+.NOP \f\*[B-Font]\-i\f[] \f\*[B-Font]\-\-ident\f[]= \f\*[I-Font]group\f[]
+Set the optional Autokey group name to
+\f\*[I-Font]group\f[].
+This is used in the identity scheme parameter file names of
+\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[],
+and
+\f\*[B-Font]MV\f[]
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+\f\*[B-Font]\-i\f[]
+or
+\f\*[B-Font]\-s\f[]
+following an
+\[oq]@@\[cq]
+character, is also used in certificate subject and issuer names in the form
+\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[]
+and should match the group specified via
+\f\*[B-Font]crypto\f[] \f\*[B-Font]ident\f[]
+or
+\f\*[B-Font]server\f[] \f\*[B-Font]ident\f[]
+in the ntpd configuration file.
.TP 7
-.NOP \f\*[B-Font]\-M\f[]
-Generate MD5 keys, obsoleting any that may exist.
+.NOP \f\*[B-Font]\-l\f[] \f\*[B-Font]\-\-lifetime\f[]= \f\*[I-Font]days\f[]
+Set the lifetime for certificate expiration to
+\f\*[I-Font]days\f[].
+The default lifetime is one year (365 days).
.TP 7
-.NOP \f\*[B-Font]\-P\f[]
-Generate a private certificate.
+.NOP \f\*[B-Font]\-m\f[] \f\*[B-Font]\-\-modulus\f[]= \f\*[I-Font]bits\f[]
+Set the number of bits in the prime modulus for generating files to
+\f\*[I-Font]bits\f[].
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.TP 7
+.NOP \f\*[B-Font]\-M\f[] \f\*[B-Font]\-\-md5key\f[]
+Generate a new symmetric keys file containing 10
+\f\*[B-Font]MD5\f[]
+keys, and if OpenSSL is available, 10
+\f\*[B-Font]SHA\f[]
+keys.
+An
+\f\*[B-Font]MD5\f[]
+key is a string of 20 random printable ASCII characters, while a
+\f\*[B-Font]SHA\f[]
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+.TP 7
+.NOP \f\*[B-Font]\-p\f[] \f\*[B-Font]\-\-password\f[]= \f\*[I-Font]passwd\f[]
+Set the password for reading and writing encrypted files to
+\f\*[I-Font]passwd\f[].
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+\f\*[B-Font]hostname\f[]
+command.
+.TP 7
+.NOP \f\*[B-Font]\-P\f[] \f\*[B-Font]\-\-pvt-cert\f[]
+Generate a new private certificate used by the
+\f\*[B-Font]PC\f[]
+identity scheme.
By default, the program generates public certificates.
+Note: the PC identity scheme is not recommended for new installations.
.TP 7
-.NOP \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
-Encrypt generated files containing private data with
-\f\*[I-Font]password\f[]
-and the DES-CBC algorithm.
+.NOP \f\*[B-Font]\-q\f[] \f\*[B-Font]\-\-export-passwd\f[]= \f\*[I-Font]passwd\f[]
+Set the password for writing encrypted
+\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[] \f\*[B-Font]and\f[] \f\*[B-Font]MV\f[]
+identity files redirected to
+\fIstdout\f[]
+to
+\f\*[I-Font]passwd\f[].
+In effect, these files are decrypted with the
+\f\*[B-Font]\-p\f[]
+password, then encrypted with the
+\f\*[B-Font]\-q\f[]
+password.
+By default, the password is the string returned by the Unix
+\f\*[B-Font]hostname\f[]
+command.
.TP 7
-.NOP \f\*[B-Font]\-q\f[]
-Set the password for reading files to password.
+.NOP \f\*[B-Font]\-s\f[] \f\*[B-Font]\-\-subject-key\f[]= [host] [@@ \f\*[I-Font]group\f[]]
+Specify the Autokey host name, where
+\f\*[I-Font]host\f[]
+is the optional host name and
+\f\*[I-Font]group\f[]
+is the optional group name.
+The host name, and if provided, group name are used in
+\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[]
+form as certificate subject and issuer.
+Specifying
+\f\*[B-Font]\-s\f[] \f\*[B-Font]\-@@\f[] \f\*[I-Font]group\f[]
+is allowed, and results in leaving the host name unchanged, as with
+\f\*[B-Font]\-i\f[] \f\*[I-Font]group\f[].
+The group name, or if no group is provided, the host name are also used in the
+file names of
+\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[],
+and
+\f\*[B-Font]MV\f[]
+identity scheme client parameter files.
+If
+\f\*[I-Font]host\f[]
+is not specified, the default host name is the string returned by the Unix
+\f\*[B-Font]hostname\f[]
+command.
.TP 7
-.NOP \f\*[B-Font]\-S\f[] [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]]
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
+.NOP \f\*[B-Font]\-S\f[] \f\*[B-Font]\-\-sign-key\f[]= [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]]
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140-2 is required, the sign key type must be
+\f\*[B-Font]DSA\f[].
.TP 7
-.NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]name\f[]
-Set the issuer name to
-\f\*[I-Font]name\f[].
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.TP 7
-.NOP \f\*[B-Font]\-T\f[]
+.NOP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-\-trusted-cert\f[]
Generate a trusted certificate.
By default, the program generates a non-trusted certificate.
.TP 7
-.NOP \f\*[B-Font]\-V\f[] \f\*[I-Font]nkeys\f[]
-Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
+.NOP \f\*[B-Font]\-V\f[] \f\*[B-Font]\-\-mv-params\f[] \f\*[I-Font]nkeys\f[]
+Generate
+\f\*[I-Font]nkeys\f[]
+encrypted server keys and parameters for the Mu-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+\f\*[B-Font]\-I\f[]
+and
+\f\*[B-Font]\-G\f[]
+options.
+Note: support for this option should be considered a work in progress.
.PP
.SS Random Seed File
All cryptographically sound key generation schemes must have means
@@ -852,7 +934,7 @@
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-\f\*[B-Font].rnd\f[],
+\fI.rnd\f[],
which must be available when starting the NTP daemon
or the
\f\*[B-Font]ntp-keygen\fP
@@ -875,48 +957,131 @@
RANDFILE
environment variable is not present,
the library will look for the
-\f\*[B-Font].rnd\f[]
+\fI.rnd\f[]
file in the user home directory.
+Since both the
+\f\*[B-Font]ntp-keygen\fP
+program and
+\fCntpd\f[]\fR(@NTPD_MS@)\f[]
+daemon must run as root, the logical place to put this file is in
+\fI/.rnd\f[]
+or
+\fI/root/.rnd\f[].
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
.SS Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+\fIntpkey_\f[]\f\*[I-Font]key\f[] \f\*[I-Font]_\f[] \f\*[I-Font]name\f[]. \f\*[I-Font]filestamp\f[],
+where
+\f\*[I-Font]key\f[]
+is the key or parameter type,
+\f\*[I-Font]name\f[]
+is the host or group name and
+\f\*[I-Font]filestamp\f[]
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+\f\*[I-Font]key\f[]
+names in generated file names include both upper and lower case
+characters, while
+\f\*[I-Font]key\f[]
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+\fIdate\f[]
+format.
+Lines beginning with
+\[oq]#\[cq]
+are considered comments and ignored by the
\f\*[B-Font]ntp-keygen\fP
program and
\fCntpd\f[]\fR(@NTPD_MS@)\f[]
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
.sp \n(Ppu
.ne 2
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+.sp \n(Ppu
+.ne 2
+
+The format of the symmetric keys file, ordinarily named
+\fIntp.keys\f[],
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+.br
.in +4
+.nf
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o}3i@@@@V@@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+.in -4
+.fi
+.in +4
+Figure 1. Typical Symmetric Key File
+.in -4
+.sp \n(Ppu
+.ne 2
+
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+.in +4
\f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[]
.in -4
where
\f\*[I-Font]keyno\f[]
-is a positive integer in the range 1-65,535,
+is a positive integer in the range 1-65534;
\f\*[I-Font]type\f[]
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+\f\*[B-Font]MD5\f[]
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140-2 is required,
+the key type must be either
+\f\*[B-Font]SHA\f[]
+or
+\f\*[B-Font]SHA1\f[];
\f\*[I-Font]key\f[]
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+\[oq]\[cq]!
+through
+\[oq]~\[cq]
+\&) excluding space and the
\[oq]#\[cq]
+character, and terminated by whitespace or a
+\[oq]#\[cq]
character.
+An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
+is truncated as necessary.
.sp \n(Ppu
.ne 2
@@ -933,8 +1098,8 @@
The
\f\*[B-Font]ntp-keygen\fP
-program generates a MD5 symmetric keys file
-\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname.filestamp\f[].
+program generates a symmetric keys file
+\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[].
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -973,10 +1138,10 @@
certificate scheme.
.sp
scheme is one of
-RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
+RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
DSA-SHA, or DSA-SHA1.
.sp
-Select the certificate message digest/signature encryption scheme.
+Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA-MD5.
@@ -986,7 +1151,7 @@
.sp
Select the cipher which is used to encrypt the files containing
private keys. The default is three-key triple DES in CBC mode,
-equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers
+equivalent to "\fB-C des-ede3-cbc\fP". The openssl tool lists ciphers
available in "\fBopenssl \-h\fP" output.
.TP
.NOP \f\*[B-Font]\-d\f[], \f\*[B-Font]\-\-debug\-level\f[]
@@ -1003,8 +1168,9 @@
.NOP \f\*[B-Font]\-e\f[], \f\*[B-Font]\-\-id\-key\f[]
Write IFF or GQ identity keys.
.sp
-Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
.TP
.NOP \f\*[B-Font]\-G\f[], \f\*[B-Font]\-\-gq\-params\f[]
Generate GQ parameters and keys.
@@ -1030,11 +1196,11 @@
the file name of IFF, GQ, and MV client parameters files. In
that role, the default is the host name if this option is not
provided. The group name, if specified using \fB-i/--ident\fP or
-using \fB-s/--subject-name\fP following an '\fB@\fP' character,
-is also a part of the self-signed host certificate's subject and
-issuer names in the form \fBhost@group\fP and should match the
-'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in
-\fBntpd\fP's configuration file.
+using \fB-s/--subject-name\fP following an '\fB@@\fP' character,
+is also a part of the self-signed host certificate subject and
+issuer names in the form \fBhost@@group\fP and should match the
+'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the
+\fBntpd\fP configuration file.
.TP
.NOP \f\*[B-Font]\-l\f[] \f\*[I-Font]lifetime\f[], \f\*[B-Font]\-\-lifetime\f[]=\f\*[I-Font]lifetime\f[]
set certificate lifetime.
@@ -1042,13 +1208,8 @@
.sp
Set the certificate expiration to lifetime days from now.
.TP
-.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[]
-generate MD5 keys.
-.sp
-Generate MD5 keys, obsoleting any that may exist.
-.TP
.NOP \f\*[B-Font]\-m\f[] \f\*[I-Font]modulus\f[], \f\*[B-Font]\-\-modulus\f[]=\f\*[I-Font]modulus\f[]
-modulus.
+prime modulus.
This option takes an integer number as its argument.
The value of
\f\*[I-Font]modulus\f[]
@@ -1062,6 +1223,11 @@
.sp
The number of bits in the prime modulus. The default is 512.
.TP
+.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[]
+generate symmetric keys.
+.sp
+Generate symmetric keys, obsoleting any that may exist.
+.TP
.NOP \f\*[B-Font]\-P\f[], \f\*[B-Font]\-\-pvt\-cert\f[]
generate PC private certificate.
.sp
@@ -1086,27 +1252,27 @@
"crypto pw password" configuration command. See also the option
--id-key (-e) for unencrypted exports.
.TP
-.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[]
-generate sign key (RSA or DSA).
-.sp
-Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
-.TP
.NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]host@group\f[], \f\*[B-Font]\-\-subject\-name\f[]=\f\*[I-Font]host@group\f[]
set host and optionally group name.
.sp
Set the Autokey host name, and optionally, group name specified
-following an '\fB@\fP' character. The host name is used in the file
+following an '\fB@@\fP' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
-in \fBhost@group\fP form for the host certificate's subject and issuer
-fields. Specifying '\fB-s @group\fP' is allowed, and results in
-leaving the host name unchanged while appending \fB@group\fP to the
+in \fBhost@@group\fP form for the host certificate subject and issuer
+fields. Specifying '\fB-s @@group\fP' is allowed, and results in
+leaving the host name unchanged while appending \fB@@group\fP to the
subject and issuer fields, as with \fB-i group\fP. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
.TP
+.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[]
+generate sign key (RSA or DSA).
+.sp
+Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
+.TP
.NOP \f\*[B-Font]\-T\f[], \f\*[B-Font]\-\-trusted\-cert\f[]
trusted certificate (TC scheme).
.sp
@@ -1162,18 +1328,6 @@
If any of these are directories, then the file \fI.ntprc\fP
is searched for within those directories.
.SH USAGE
-The
-\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
-option specifies the write password and
-\f\*[B-Font]\-q\f[] \f\*[I-Font]password\f[]
-option the read password for previously encrypted files.
-The
-\f\*[B-Font]ntp-keygen\fP
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
.SH "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.SH "FILES"
@@ -1200,10 +1354,7 @@
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.SH BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
+It can take quite a while to generate some cryptographic values.
.sp \n(Ppu
.ne 2
Index: contrib/ntp/util/invoke-ntp-keygen.texi
===================================================================
--- contrib/ntp/util/invoke-ntp-keygen.texi (版本 330566)
+++ contrib/ntp/util/invoke-ntp-keygen.texi (版本 330908)
@@ -6,7 +6,7 @@
#
# EDIT THIS FILE WITH CAUTION (invoke-ntp-keygen.texi)
#
-# It has been AutoGen-ed March 21, 2017 at 10:45:57 AM by AutoGen 5.18.5
+# It has been AutoGen-ed February 27, 2018 at 05:15:57 PM by AutoGen 5.18.5
# From the definitions ntp-keygen-opts.def
# and the template file agtexi-cmd.tpl
@end ignore
@@ -15,26 +15,29 @@
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
-All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
-When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -54,31 +57,42 @@
Some files used by this program are encrypted using a private password.
The
@code{-p}
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
@code{-q}
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-@code{gethostname()}
-function, normally the DNS name of the host is used.
+@code{hostname(1)}
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+@code{ntp-keygen}
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
The
-@kbd{pw}
+@code{pw}
option of the
-@kbd{crypto}
+@code{crypto}
+@code{ntpd(1ntpdmdoc)}
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-@kbd{ntpd}
-without password but only on the same host.
+@code{ntpd(1ntpdmdoc)}
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-@kbd{ntp.keys},
+@file{ntp.keys},
is usually installed in
@file{/etc}.
Other files and links are usually installed in
@@ -85,191 +99,90 @@
@file{/usr/local/etc},
which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-@kbd{keysdir}
-configuration command in such cases.
-Normally, this is in
-@file{/etc}.
+In these cases, NFS clients can specify the files in another
+directory such as
+@file{/etc}
+using the
+@code{keysdir}
+@code{ntpd(1ntpdmdoc)}
+configuration file command.
This program directs commentary and error messages to the standard
error stream
-@kbd{stderr}
+@file{stderr}
and remote files to the standard output stream
-@kbd{stdout}
+@file{stdout}
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-@kbd{ntpkey}
+@file{ntpkey*}
and include the file type, generating host and filestamp,
as described in the
-@quotedblleft{}Cryptographic Data Files@quotedblright{}
+@ref{Cryptographic Data Files}
section below.
+
@subsubsection Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-@file{/usr/local/etc}
-When run for the first time, or if all files with names beginning with
-@kbd{ntpkey}
-have been removed, use the
-@code{ntp-keygen}
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-@code{ntp-keygen}
-with the
-@code{-T}
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-@code{-S}
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-@code{-c}
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-
-Additional information on trusted groups and identity schemes is on the
-@quotedblleft{}Autokey Public-Key Authentication@quotedblright{}
-page.
-
-
-
-The
-@code{ntpd(1ntpdmdoc)}
-configuration command
-@code{crypto} @code{pw} @kbd{password}
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-
-
-File names begin with the prefix
-@code{ntpkey_}
-and end with the postfix
-@kbd{_hostname.filestamp},
-where
-@kbd{hostname}
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-@kbd{filestamp}
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-@code{rm} @code{ntpkey*}
-command or all files generated
-at a specific time can be removed by a
-@code{rm}
-@kbd{*filestamp}
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-
-All files are installed by default in the keys directory
-@file{/usr/local/etc},
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-@code{ntpd(1ntpdmdoc)}
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-@code{ntp-keygen}
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-@subsubsection Running the program
The safest way to run the
@code{ntp-keygen}
program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
+The recommended procedure is change to the
+@kbd{keys}
+directory, usually
@file{/usr/local/etc},
then run the program.
-When run for the first time,
-or if all
-@code{ntpkey}
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
+
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+@kbd{keys}
+directory, usually
+@file{/usr/local/etc}.
+When run for the first time, or if all files with names beginning with
+@file{ntpkey*}
+have been removed, use the
+@code{ntp-keygen}
+command without arguments to generate a default
+@code{RSA}
+host key and matching
+@code{RSA-MD5}
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+@code{RSA}
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+@code{RSA}
+or
+@code{DSA}
+type.
+By default, the message digest type is
+@code{MD5},
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+@code{AES128CMAC}, @code{MD2}, @code{MD5}, @code{MDC2}, @code{SHA}, @code{SHA1}
+and
+@code{RIPE160}
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+@code{RSA}
+sign keys;
+however, only
+@code{SHA}
+and
+@code{SHA1}
+certificates are compatible with
+@code{DSA}
+sign keys.
Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
@@ -280,19 +193,19 @@
as the other files, are probably not compatible with anything other than Autokey.
Running the program as other than root and using the Unix
-@code{su}
+@code{su(1)}
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-@code{.rnd}
+@file{.rnd}
in the user home directory.
However, there should be only one
-@code{.rnd},
+@file{.rnd},
most conveniently
in the root directory, so it is convenient to define the
-@code{$RANDFILE}
+.Ev RANDFILE
environment variable used by the OpenSSL library as the path to
-@code{/.rnd}.
+@file{.rnd}.
Installing the keys as root might not work in NFS-mounted
shared file systems, as NFS clients may not be able to write
@@ -302,7 +215,8 @@
@file{/etc}
using the
@code{keysdir}
-command.
+@code{ntpd(1ntpdmdoc)}
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -317,7 +231,6 @@
The owner name is also used for the host and sign key files,
while the trusted name is used for the identity files.
-
All files are installed by default in the keys directory
@file{/usr/local/etc},
which is normally in a shared filesystem
@@ -336,8 +249,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+@kbd{hostname}
+and
+@kbd{filestamp}
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
The recommended practice is to keep the file name extensions
@@ -346,99 +262,98 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+@code{ntpd(1ntpdmdoc)}
+follows it to the file name to extract the
+@kbd{filestamp}.
If a link is not present,
@code{ntpd(1ntpdmdoc)}
-extracts the filestamp from the file itself.
+extracts the
+@kbd{filestamp}
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
@code{ntp-keygen}
-program uses the same timestamp extension for all files generated
+program uses the same
+@kbd{filestamp}
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-@subsubsection Running the program
-The safest way to run the
+
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
@code{ntp-keygen}
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-@file{/usr/local/etc},
-then run the program.
-When run for the first time,
-or if all
-@code{ntpkey}
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+with the
+@code{-T}
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+@code{-S}
+option and this can be either
+@code{RSA}
+or
+@code{DSA}
+type.
+By default, the signature
+message digest type is
+@code{MD5},
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+@code{-c}
+option.
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken-and-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball-and-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re-generated.
-Running the program as other than root and using the Unix
-@code{su}
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-@code{.rnd}
-in the user home directory.
-However, there should be only one
-@code{.rnd},
-most conveniently
-in the root directory, so it is convenient to define the
-@code{$RANDFILE}
-environment variable used by the OpenSSL library as the path to
-@code{/.rnd}.
+Additional information on trusted groups and identity schemes is on the
+@quotedblleft{}Autokey Public-Key Authentication@quotedblright{}
+page.
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-@file{/etc}
-using the
-@code{keysdir}
+File names begin with the prefix
+@file{ntpkey}_
+and end with the suffix
+@file{_}@kbd{hostname}. @kbd{filestamp},
+where
+@kbd{hostname}
+is the owner name, usually the string returned
+by the Unix
+@code{hostname(1)}
+command, and
+@kbd{filestamp}
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+@code{rm} @file{ntpkey*}
+command or all files generated
+at a specific time can be removed by a
+@code{rm} @file{*}@kbd{filestamp}
command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-
-s Trusted Hosts and Groups
+@subsubsection Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -445,8 +360,14 @@
@ref{Authentication Options}
section of
@code{ntp.conf(5)}.
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+@code{RSA}
+encryption,
+@code{MD5}
+message digest
+and
+@code{TC}
+identification.
First, configure a NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -464,7 +385,7 @@
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-@code{ntpkey}
+@file{ntpkey}
files.
Then run
@code{ntp-keygen}
@@ -489,7 +410,9 @@
@code{RSA}
or
@code{DSA}.
-The most often need to do this is when a DSA-signed certificate is used.
+The most frequent need to do this is when a
+@code{DSA}-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
@code{ntp-keygen}
@@ -498,10 +421,10 @@
option and selected
@kbd{scheme}
as needed.
-f
+If
@code{ntp-keygen}
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
@@ -508,7 +431,7 @@
Simply run
@code{ntp-keygen}
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
@code{ntpd(1ntpdmdoc)}
should be restarted.
@@ -517,15 +440,18 @@
is restarted, it loads any new files and restarts the protocol.
Other dependent hosts will continue as usual until signatures are refreshed,
at which time the protocol is restarted.
+
@subsubsection Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+@code{TC}
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-"Identification Schemes"
-page
-(maybe available at
-@code{http://www.eecis.udel.edu/%7emills/keygen.html}).
+including
+@code{PC}, @code{IFF}, @code{GQ}
+and
+@code{MV}
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -550,12 +476,15 @@
@code{-P}
@code{-p} @kbd{password}
to generate the host key file
-@file{ntpkey_RSAkey_}@kbd{alice.filestamp}
+@file{ntpkey}_ @code{RSA} @file{key_alice.} @kbd{filestamp}
and trusted private certificate file
-@file{ntpkey_RSA-MD5_cert_}@kbd{alice.filestamp}.
+@file{ntpkey}_ @code{RSA-MD5} @code{_} @file{cert_alice.} @kbd{filestamp},
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+@kbd{bob}
+install a soft link from the generic name
@file{ntpkey_host_}@kbd{bob}
to the host key file and soft link
@file{ntpkey_cert_}@kbd{bob}
@@ -564,11 +493,17 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+@code{IFF}
+scheme proceed as in the
+@code{TC}
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+@code{IFF}
+parameter file.
On trusted host alice run
@code{ntp-keygen}
@code{-T}
@@ -575,15 +510,17 @@
@code{-I}
@code{-p} @kbd{password}
to produce her parameter file
-@file{ntpkey_IFFpar_}@kbd{alice.filestamp},
+@file{ntpkey_IFFpar_alice.}@kbd{filestamp},
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-@file{ntpkey_iff_}@kbd{alice}
+@file{ntpkey_iff_alice}
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+@code{IFF}
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
If a rogue client has the parameter file, it could masquerade
@@ -593,17 +530,23 @@
After generating the parameter file, on alice run
@code{ntp-keygen}
@code{-e}
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-@file{ntpkey_iff_}@kbd{alice}
+@file{ntpkey_iff_alice}
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+@code{GQ}
+scheme proceed as in the
+@code{TC}
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+@code{IFF}
+parameter file.
On trusted host alice run
@code{ntp-keygen}
@code{-T}
@@ -610,20 +553,30 @@
@code{-G}
@code{-p} @kbd{password}
to produce her parameter file
-@file{ntpkey_GQpar_}@kbd{alice.filestamp},
+@file{ntpkey_GQpar_alice.}@kbd{filestamp},
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-@file{ntpkey_gq_}@kbd{alice}
+@file{ntpkey_gq_alice}
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+@kbd{bob}
+install a soft link
from generic
@file{ntpkey_gq_}@kbd{bob}
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+@code{GQ}
+scheme updates the
+@code{GQ}
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+@code{MV}
+scheme, proceed as in the
+@code{TC}
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -635,9 +588,9 @@
@kbd{n}
is the number of revokable keys (typically 5) to produce
the parameter file
-@file{ntpkeys_MVpar_}@kbd{trish.filestamp}
+@file{ntpkeys_MVpar_trish.}@kbd{filestamp}
and client key files
-@file{ntpkeys_MVkeyd_}@kbd{trish.filestamp}
+@file{ntpkeys_MVkey}@kbd{d} @kbd{_} @file{trish.} @kbd{filestamp}
where
@kbd{d}
is the key number (0 <
@@ -646,81 +599,220 @@
@kbd{n}).
Copy the parameter file to alice and install a soft link
from the generic
-@file{ntpkey_mv_}@kbd{alice}
+@file{ntpkey_mv_alice}
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-@file{ntpkey_mvkey_}@kbd{bob}
+@file{ntpkey_mvkey_bob}
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+@code{MV}
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
+
@subsubsection Command Line Options
@table @asis
-@item @code{-c} @kbd{scheme}
-Select certificate message digest/signature encryption scheme.
+@item @code{-b} @code{--imbits}= @kbd{modulus}
+Set the number of bits in the identity modulus for generating identity keys to
+@kbd{modulus}
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+@item @code{-c} @code{--certificate}= @kbd{scheme}
+Select certificate signature encryption/message digest scheme.
The
@kbd{scheme}
can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
+@code{RSA-MD2}, @code{RSA-MD5}, @code{RSA-MDC2}, @code{RSA-SHA}, @code{RSA-SHA1}, @code{RSA-RIPEMD160}, @code{DSA-SHA},
or
@code{DSA-SHA1}.
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+@code{RSA}
+schemes must be used with an
+@code{RSA}
+sign key and
+@code{DSA}
+schemes must be used with a
+@code{DSA}
+sign key.
The default without this option is
@code{RSA-MD5}.
-@item @code{-d}
-Enable debugging.
+If compatibility with FIPS 140-2 is required, either the
+@code{DSA-SHA}
+or
+@code{DSA-SHA1}
+scheme must be used.
+@item @code{-C} @code{--cipher}= @kbd{cipher}
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three-key triple DES in CBC mode,
+@code{des-ede3-cbc}.
+The
+@code{openssl} @code{-h}
+command provided with OpenSSL displays available ciphers.
+@item @code{-d} @code{--debug-level}
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye-friendly billboards.
-@item @code{-e}
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-@item @code{-G}
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-@item @code{-g}
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-@item @code{-H}
-Generate new host keys, obsoleting any that may exist.
-@item @code{-I}
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-@item @code{-i} @kbd{name}
-Set the suject name to
-@kbd{name}.
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-@item @code{-M}
-Generate MD5 keys, obsoleting any that may exist.
-@item @code{-P}
-Generate a private certificate.
+@item @code{-D} @code{--set-debug-level}= @kbd{level}
+Set the debugging verbosity to
+@kbd{level}.
+This option displays the cryptographic data produced in eye-friendly billboards.
+@item @code{-e} @code{--id-key}
+Write the
+@code{IFF}
+or
+@code{GQ}
+public parameters from the
+@kbd{IFFkey} @kbd{or} @kbd{GQkey}
+client keys file previously specified
+as unencrypted data to the standard output stream
+@file{stdout}.
+This is intended for automatic key distribution by email.
+@item @code{-G} @code{--gq-params}
+Generate a new encrypted
+@code{GQ}
+parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+@code{-I}
+and
+@code{-V}
+options.
+@item @code{-H} @code{--host-key}
+Generate a new encrypted
+@code{RSA}
+public/private host key file.
+@item @code{-I} @code{--iffkey}
+Generate a new encrypted
+@code{IFF}
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+@code{-G}
+and
+Fl V
+options.
+@item @code{-i} @code{--ident}= @kbd{group}
+Set the optional Autokey group name to
+@kbd{group}.
+This is used in the identity scheme parameter file names of
+@code{IFF}, @code{GQ},
+and
+@code{MV}
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+@code{-i}
+or
+@code{-s}
+following an
+@quoteleft{}@@@quoteright{}
+character, is also used in certificate subject and issuer names in the form
+@kbd{host} @kbd{@@} @kbd{group}
+and should match the group specified via
+@code{crypto} @code{ident}
+or
+@code{server} @code{ident}
+in the ntpd configuration file.
+@item @code{-l} @code{--lifetime}= @kbd{days}
+Set the lifetime for certificate expiration to
+@kbd{days}.
+The default lifetime is one year (365 days).
+@item @code{-m} @code{--modulus}= @kbd{bits}
+Set the number of bits in the prime modulus for generating files to
+@kbd{bits}.
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+@item @code{-M} @code{--md5key}
+Generate a new symmetric keys file containing 10
+@code{MD5}
+keys, and if OpenSSL is available, 10
+@code{SHA}
+keys.
+An
+@code{MD5}
+key is a string of 20 random printable ASCII characters, while a
+@code{SHA}
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+@item @code{-p} @code{--password}= @kbd{passwd}
+Set the password for reading and writing encrypted files to
+@kbd{passwd}.
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+@code{hostname}
+command.
+@item @code{-P} @code{--pvt-cert}
+Generate a new private certificate used by the
+@code{PC}
+identity scheme.
By default, the program generates public certificates.
-@item @code{-p} @kbd{password}
-Encrypt generated files containing private data with
-@kbd{password}
-and the DES-CBC algorithm.
-@item @code{-q}
-Set the password for reading files to password.
-@item @code{-S} @code{[@code{RSA} | @code{DSA}]}
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-@item @code{-s} @kbd{name}
-Set the issuer name to
-@kbd{name}.
-This is used for the issuer field in certificates
-and in the file name for identity files.
-@item @code{-T}
+Note: the PC identity scheme is not recommended for new installations.
+@item @code{-q} @code{--export-passwd}= @kbd{passwd}
+Set the password for writing encrypted
+@code{IFF}, @code{GQ} @code{and} @code{MV}
+identity files redirected to
+@file{stdout}
+to
+@kbd{passwd}.
+In effect, these files are decrypted with the
+@code{-p}
+password, then encrypted with the
+@code{-q}
+password.
+By default, the password is the string returned by the Unix
+@code{hostname}
+command.
+@item @code{-s} @code{--subject-key}= @code{[host]} @code{[@@ @kbd{group}]}
+Specify the Autokey host name, where
+@kbd{host}
+is the optional host name and
+@kbd{group}
+is the optional group name.
+The host name, and if provided, group name are used in
+@kbd{host} @kbd{@@} @kbd{group}
+form as certificate subject and issuer.
+Specifying
+@code{-s} @code{-@@} @kbd{group}
+is allowed, and results in leaving the host name unchanged, as with
+@code{-i} @kbd{group}.
+The group name, or if no group is provided, the host name are also used in the
+file names of
+@code{IFF}, @code{GQ},
+and
+@code{MV}
+identity scheme client parameter files.
+If
+@kbd{host}
+is not specified, the default host name is the string returned by the Unix
+@code{hostname}
+command.
+@item @code{-S} @code{--sign-key}= @code{[@code{RSA} | @code{DSA}]}
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140-2 is required, the sign key type must be
+@code{DSA}.
+@item @code{-T} @code{--trusted-cert}
Generate a trusted certificate.
By default, the program generates a non-trusted certificate.
-@item @code{-V} @kbd{nkeys}
-Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
+@item @code{-V} @code{--mv-params} @kbd{nkeys}
+Generate
+@kbd{nkeys}
+encrypted server keys and parameters for the Mu-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+@code{-I}
+and
+@code{-G}
+options.
+Note: support for this option should be considered a work in progress.
@end table
+
@subsubsection Random Seed File
All cryptographically sound key generation schemes must have means
to randomize the entropy seed used to initialize
@@ -743,7 +835,7 @@
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-@code{.rnd},
+@file{.rnd},
which must be available when starting the NTP daemon
or the
@code{ntp-keygen}
@@ -766,46 +858,124 @@
.Ev RANDFILE
environment variable is not present,
the library will look for the
-@code{.rnd}
+@file{.rnd}
file in the user home directory.
+Since both the
+@code{ntp-keygen}
+program and
+@code{ntpd(1ntpdmdoc)}
+daemon must run as root, the logical place to put this file is in
+@file{/.rnd}
+or
+@file{/root/.rnd}.
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
+
@subsubsection Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+@file{ntpkey_}@kbd{key} @kbd{_} @kbd{name}. @kbd{filestamp},
+where
+@kbd{key}
+is the key or parameter type,
+@kbd{name}
+is the host or group name and
+@kbd{filestamp}
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+@kbd{key}
+names in generated file names include both upper and lower case
+characters, while
+@kbd{key}
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+@file{date}
+format.
+Lines beginning with
+@quoteleft{}#@quoteright{}
+are considered comments and ignored by the
@code{ntp-keygen}
program and
@code{ntpd(1ntpdmdoc)}
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+
+The format of the symmetric keys file, ordinarily named
+@file{ntp.keys},
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+@verbatim
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+@end verbatim
@example
+Figure 1. Typical Symmetric Key File
+@end example
+
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+@example
@kbd{keyno} @kbd{type} @kbd{key}
@end example
where
@kbd{keyno}
-is a positive integer in the range 1-65,535,
+is a positive integer in the range 1-65534;
@kbd{type}
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+@code{MD5}
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140-2 is required,
+the key type must be either
+@code{SHA}
+or
+@code{SHA1};
@kbd{key}
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+@quoteleft{}@quoteright{}!
+through
+@quoteleft{}~@quoteright{}
+) excluding space and the
@quoteleft{}#@quoteright{}
+character, and terminated by whitespace or a
+@quoteleft{}#@quoteright{}
character.
+An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
+is truncated as necessary.
Note that the keys used by the
@code{ntpq(1ntpqmdoc)}
@@ -818,8 +988,8 @@
The
@code{ntp-keygen}
-program generates a MD5 symmetric keys file
-@file{ntpkey_MD5key_}@kbd{hostname.filestamp}.
+program generates a symmetric keys file
+@file{ntpkey_MD5key_}@kbd{hostname}. @kbd{filestamp}.
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -853,13 +1023,13 @@
* ntp-keygen iffkey:: iffkey option (-I)
* ntp-keygen ident:: ident option (-i)
* ntp-keygen lifetime:: lifetime option (-l)
+* ntp-keygen modulus:: modulus option (-m)
* ntp-keygen md5key:: md5key option (-M)
-* ntp-keygen modulus:: modulus option (-m)
* ntp-keygen pvt-cert:: pvt-cert option (-P)
* ntp-keygen password:: password option (-p)
* ntp-keygen export-passwd:: export-passwd option (-q)
+* ntp-keygen subject-name:: subject-name option (-s)
* ntp-keygen sign-key:: sign-key option (-S)
-* ntp-keygen subject-name:: subject-name option (-s)
* ntp-keygen trusted-cert:: trusted-cert option (-T)
* ntp-keygen mv-params:: mv-params option (-V)
* ntp-keygen mv-keys:: mv-keys option (-v)
@@ -886,17 +1056,14 @@
@exampleindent 0
@example
-ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10-beta
-Usage: ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
+ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.7p245
+USAGE: ntp-keygen [ -<flag> [<val>] | --<name>[@{=| @}<val>] ]...
Flg Arg Option-Name Description
- -b Num imbits identity modulus bits
- - it must be in the range:
- 256 to 2048
-c Str certificate certificate scheme
-C Str cipher privatekey cipher
-d no debug-level Increase debug verbosity level
- may appear multiple times
- -D Num set-debug-level Set the debug verbosity level
+ -D Str set-debug-level Set the debug verbosity level
- may appear multiple times
-e no id-key Write IFF or GQ identity keys
-G no gq-params Generate GQ parameters and keys
@@ -906,22 +1073,22 @@
-l Num lifetime set certificate lifetime
-M no md5key generate MD5 keys
-m Num modulus modulus
- - it must be in the range:
+ - It must be in the range:
256 to 2048
-P no pvt-cert generate PC private certificate
- -p Str password local private password
- -q Str export-passwd export IFF or GQ group keys with password
+ -p Str pvt-passwd output private password
+ -q Str get-pvt-passwd input private password
-S Str sign-key generate sign key (RSA or DSA)
-s Str subject-name set host and optionally group name
-T no trusted-cert trusted certificate (TC scheme)
-V Num mv-params generate <num> MV parameters
-v Num mv-keys update <num> MV keys
- opt version output version information and exit
- -? no help display extended usage information and exit
- -! no more-help extended usage information passed thru pager
- -> opt save-opts save the option state to a config file
- -< Str load-opts load options from a config file
- - disabled as '--no-load-opts'
+ opt version Output version information and exit
+ -? no help Display extended usage information and exit
+ -! no more-help Extended usage information passed thru pager
+ -> opt save-opts Save the option state to a config file
+ -< Str load-opts Load options from a config file
+ - disabled as --no-load-opts
- may appear multiple times
Options are specified by doubled hyphens and their name or by a single
@@ -928,12 +1095,13 @@
hyphen and the flag character.
+
The following option preset mechanisms are supported:
- reading file $HOME/.ntprc
- reading file ./.ntprc
- examining environment variables named NTP_KEYGEN_*
-Please send bug reports to: <http://bugs.ntp.org, bugs@@ntp.org>
+please send bug reports to: http://bugs.ntp.org, bugs@@ntp.org
@end example
@exampleindent 4
@@ -967,10 +1135,10 @@
@end itemize
scheme is one of
-RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
+RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
DSA-SHA, or DSA-SHA1.
-Select the certificate message digest/signature encryption scheme.
+Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA-MD5.
@@ -990,7 +1158,7 @@
Select the cipher which is used to encrypt the files containing
private keys. The default is three-key triple DES in CBC mode,
-equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers
+equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers
available in "@code{openssl -h}" output.
@node ntp-keygen id-key
@subsection id-key option (-e)
@@ -1005,8 +1173,9 @@
must be compiled in by defining @code{AUTOKEY} during the compilation.
@end itemize
-Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
@node ntp-keygen gq-params
@subsection gq-params option (-G)
@cindex ntp-keygen-gq-params
@@ -1069,11 +1238,11 @@
the file name of IFF, GQ, and MV client parameters files. In
that role, the default is the host name if this option is not
provided. The group name, if specified using @code{-i/--ident} or
-using @code{-s/--subject-name} following an '@code{@}' character,
-is also a part of the self-signed host certificate's subject and
-issuer names in the form @code{host@group} and should match the
-'@code{crypto ident}' or '@code{server ident}' configuration in
-@code{ntpd}'s configuration file.
+using @code{-s/--subject-name} following an '@code{@@}' character,
+is also a part of the self-signed host certificate subject and
+issuer names in the form @code{host@@group} and should match the
+'@code{crypto ident}' or '@code{server ident}' configuration in the
+@code{ntpd} configuration file.
@node ntp-keygen lifetime
@subsection lifetime option (-l)
@cindex ntp-keygen-lifetime
@@ -1089,17 +1258,11 @@
@end itemize
Set the certificate expiration to lifetime days from now.
-@node ntp-keygen md5key
-@subsection md5key option (-M)
-@cindex ntp-keygen-md5key
-
-This is the ``generate md5 keys'' option.
-Generate MD5 keys, obsoleting any that may exist.
@node ntp-keygen modulus
@subsection modulus option (-m)
@cindex ntp-keygen-modulus
-This is the ``modulus'' option.
+This is the ``prime modulus'' option.
This option takes a number argument @file{modulus}.
@noindent
@@ -1110,6 +1273,12 @@
@end itemize
The number of bits in the prime modulus. The default is 512.
+@node ntp-keygen md5key
+@subsection md5key option (-M)
+@cindex ntp-keygen-md5key
+
+This is the ``generate symmetric keys'' option.
+Generate symmetric keys, obsoleting any that may exist.
@node ntp-keygen pvt-cert
@subsection pvt-cert option (-P)
@cindex ntp-keygen-pvt-cert
@@ -1163,23 +1332,6 @@
The same password must be specified to the remote ntpd via the
"crypto pw password" configuration command. See also the option
--id-key (-e) for unencrypted exports.
-@node ntp-keygen sign-key
-@subsection sign-key option (-S)
-@cindex ntp-keygen-sign-key
-
-This is the ``generate sign key (rsa or dsa)'' option.
-This option takes a string argument @file{sign}.
-
-@noindent
-This option has some usage constraints. It:
-@itemize @bullet
-@item
-must be compiled in by defining @code{AUTOKEY} during the compilation.
-@end itemize
-
-Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
@node ntp-keygen subject-name
@subsection subject-name option (-s)
@cindex ntp-keygen-subject-name
@@ -1195,15 +1347,32 @@
@end itemize
Set the Autokey host name, and optionally, group name specified
-following an '@code{@}' character. The host name is used in the file
+following an '@code{@@}' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
-in @code{host@group} form for the host certificate's subject and issuer
-fields. Specifying '@code{-s @group}' is allowed, and results in
-leaving the host name unchanged while appending @code{@group} to the
+in @code{host@@group} form for the host certificate subject and issuer
+fields. Specifying '@code{-s @@group}' is allowed, and results in
+leaving the host name unchanged while appending @code{@@group} to the
subject and issuer fields, as with @code{-i group}. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
+@node ntp-keygen sign-key
+@subsection sign-key option (-S)
+@cindex ntp-keygen-sign-key
+
+This is the ``generate sign key (rsa or dsa)'' option.
+This option takes a string argument @file{sign}.
+
+@noindent
+This option has some usage constraints. It:
+@itemize @bullet
+@item
+must be compiled in by defining @code{AUTOKEY} during the compilation.
+@end itemize
+
+Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
@node ntp-keygen trusted-cert
@subsection trusted-cert option (-T)
@cindex ntp-keygen-trusted-cert
Index: contrib/ntp/util/ntp-keygen.1ntp-keygenman
===================================================================
--- contrib/ntp/util/ntp-keygen.1ntp-keygenman (版本 330566)
+++ contrib/ntp/util/ntp-keygen.1ntp-keygenman (版本 330908)
@@ -10,11 +10,11 @@
.ds B-Font B
.ds I-Font I
.ds R-Font R
-.TH ntp-keygen 1ntp-keygenman "21 Mar 2017" "ntp (4.2.8p10)" "User Commands"
+.TH ntp-keygen 1ntp-keygenman "27 Feb 2018" "ntp (4.2.8p11)" "User Commands"
.\"
-.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-uUaiiy/ag-lVaahy)
+.\" EDIT THIS FILE WITH CAUTION (/tmp/.ag-bBa46V/ag-nBaW5V)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:54 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:15:53 PM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agman-cmd.tpl
.SH NAME
@@ -36,30 +36,33 @@
.SH DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.sp \n(Ppu
.ne 2
-All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
.sp \n(Ppu
.ne 2
-When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -83,27 +86,38 @@
Some files used by this program are encrypted using a private password.
The
\f\*[B-Font]\-p\f[]
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
\f\*[B-Font]\-q\f[]
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-\fBgethostname\f[]\fR()\f[]
-function, normally the DNS name of the host is used.
+\fChostname\f[]\fR(1)\f[]
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+\f\*[B-Font]ntp-keygen\fP
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
.sp \n(Ppu
.ne 2
The
-\f\*[I-Font]pw\f[]
+\f\*[B-Font]pw\f[]
option of the
-\f\*[I-Font]crypto\f[]
+\f\*[B-Font]crypto\f[]
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-\f\*[I-Font]ntpd\f[]
-without password but only on the same host.
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
.sp \n(Ppu
.ne 2
@@ -111,7 +125,7 @@
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-\f\*[I-Font]ntp.keys\f[],
+\fIntp.keys\f[],
is usually installed in
\fI/etc\f[].
Other files and links are usually installed in
@@ -118,208 +132,95 @@
\fI/usr/local/etc\f[],
which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-\f\*[I-Font]keysdir\f[]
-configuration command in such cases.
-Normally, this is in
-\fI/etc\f[].
+In these cases, NFS clients can specify the files in another
+directory such as
+\fI/etc\f[]
+using the
+\f\*[B-Font]keysdir\f[]
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+configuration file command.
.sp \n(Ppu
.ne 2
This program directs commentary and error messages to the standard
error stream
-\f\*[I-Font]stderr\f[]
+\fIstderr\f[]
and remote files to the standard output stream
-\f\*[I-Font]stdout\f[]
+\fIstdout\f[]
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-\f\*[I-Font]ntpkey\f[]
+\fIntpkey\&*\f[]
and include the file type, generating host and filestamp,
as described in the
-\*[Lq]Cryptographic Data Files\*[Rq]
+\fICryptographic Data Files\f[]
section below.
.SS Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-\fI/usr/local/etc\f[]
-When run for the first time, or if all files with names beginning with
-\f\*[I-Font]ntpkey\f[]
-have been removed, use the
+The safest way to run the
\f\*[B-Font]ntp-keygen\fP
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.sp \n(Ppu
-.ne 2
-
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-\f\*[B-Font]ntp-keygen\fP
-with the
-\f\*[B-Font]\-T\f[]
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.sp \n(Ppu
-.ne 2
-
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-\f\*[B-Font]\-S\f[]
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-\f\*[B-Font]\-c\f[]
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-.sp \n(Ppu
-.ne 2
-
-Additional information on trusted groups and identity schemes is on the
-\*[Lq]Autokey Public-Key Authentication\*[Rq]
-page.
-.sp \n(Ppu
-.ne 2
-
-The
-\fCntpd\f[]\fR(1ntpdmdoc)\f[]
-configuration command
-\f\*[B-Font]crypto\f[] \f\*[B-Font]pw\f[] \f\*[I-Font]password\f[]
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.sp \n(Ppu
-.ne 2
-
-File names begin with the prefix
-\f\*[B-Font]ntpkey_\f[]
-and end with the postfix
-\f\*[I-Font]_hostname.filestamp\f[],
-where
-\f\*[I-Font]hostname\f[]
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-\f\*[I-Font]filestamp\f[]
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-\f\*[B-Font]rm\f[] \f\*[B-Font]ntpkey\&*\f[]
-command or all files generated
-at a specific time can be removed by a
-\f\*[B-Font]rm\f[]
-\f\*[I-Font]\&*filestamp\f[]
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.sp \n(Ppu
-.ne 2
-
-All files are installed by default in the keys directory
+program is logged in directly as root.
+The recommended procedure is change to the
+\f\*[I-Font]keys\f[]
+directory, usually
\fI/usr/local/etc\f[],
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
+then run the program.
.sp \n(Ppu
.ne 2
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.sp \n(Ppu
-.ne 2
-
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-\fCntpd\f[]\fR(1ntpdmdoc)\f[]
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+\f\*[I-Font]keys\f[]
+directory, usually
+\fI/usr/local/etc\f[].
+When run for the first time, or if all files with names beginning with
+\fIntpkey\&*\f[]
+have been removed, use the
\f\*[B-Font]ntp-keygen\fP
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.SS Running the program
-The safest way to run the
-\f\*[B-Font]ntp-keygen\fP
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-\fI/usr/local/etc\f[],
-then run the program.
-When run for the first time,
-or if all
-\f\*[B-Font]ntpkey\f[]
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
+command without arguments to generate a default
+\f\*[B-Font]RSA\f[]
+host key and matching
+\f\*[B-Font]RSA-MD5\f[]
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
.sp \n(Ppu
.ne 2
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+\f\*[B-Font]RSA\f[]
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+\f\*[B-Font]RSA\f[]
+or
+\f\*[B-Font]DSA\f[]
+type.
+By default, the message digest type is
+\f\*[B-Font]MD5\f[],
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+\f\*[B-Font]AES128CMAC\f[], \f\*[B-Font]MD2\f[], \f\*[B-Font]MD5\f[], \f\*[B-Font]MDC2\f[], \f\*[B-Font]SHA\f[], \f\*[B-Font]SHA1\f[]
+and
+\f\*[B-Font]RIPE160\f[]
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+\f\*[B-Font]RSA\f[]
+sign keys;
+however, only
+\f\*[B-Font]SHA\f[]
+and
+\f\*[B-Font]SHA1\f[]
+certificates are compatible with
+\f\*[B-Font]DSA\f[]
+sign keys.
.sp \n(Ppu
.ne 2
@@ -334,19 +235,19 @@
.ne 2
Running the program as other than root and using the Unix
-\f\*[B-Font]su\f[]
+\fCsu\f[]\fR(1)\f[]
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-\f\*[B-Font].rnd\f[]
+\fI.rnd\f[]
in the user home directory.
However, there should be only one
-\f\*[B-Font].rnd\f[],
+\fI.rnd\f[],
most conveniently
in the root directory, so it is convenient to define the
-\f\*[B-Font]$RANDFILE\f[]
+RANDFILE
environment variable used by the OpenSSL library as the path to
-\f\*[B-Font]/.rnd\f[].
+\fI.rnd\f[].
.sp \n(Ppu
.ne 2
@@ -358,7 +259,8 @@
\fI/etc\f[]
using the
\f\*[B-Font]keysdir\f[]
-command.
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -397,8 +299,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+\f\*[I-Font]hostname\f[]
+and
+\f\*[I-Font]filestamp\f[]
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
.sp \n(Ppu
.ne 2
@@ -409,108 +314,107 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+follows it to the file name to extract the
+\f\*[I-Font]filestamp\f[].
If a link is not present,
\fCntpd\f[]\fR(1ntpdmdoc)\f[]
-extracts the filestamp from the file itself.
+extracts the
+\f\*[I-Font]filestamp\f[]
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
\f\*[B-Font]ntp-keygen\fP
-program uses the same timestamp extension for all files generated
+program uses the same
+\f\*[I-Font]filestamp\f[]
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-.SS Running the program
-The safest way to run the
-\f\*[B-Font]ntp-keygen\fP
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-\fI/usr/local/etc\f[],
-then run the program.
-When run for the first time,
-or if all
-\f\*[B-Font]ntpkey\f[]
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
.sp \n(Ppu
.ne 2
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
+\f\*[B-Font]ntp-keygen\fP
+with the
+\f\*[B-Font]\-T\f[]
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
.sp \n(Ppu
.ne 2
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+\f\*[B-Font]\-S\f[]
+option and this can be either
+\f\*[B-Font]RSA\f[]
+or
+\f\*[B-Font]DSA\f[]
+type.
+By default, the signature
+message digest type is
+\f\*[B-Font]MD5\f[],
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+\f\*[B-Font]\-c\f[]
+option.
.sp \n(Ppu
.ne 2
-Running the program as other than root and using the Unix
-\f\*[B-Font]su\f[]
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-\f\*[B-Font].rnd\f[]
-in the user home directory.
-However, there should be only one
-\f\*[B-Font].rnd\f[],
-most conveniently
-in the root directory, so it is convenient to define the
-\f\*[B-Font]$RANDFILE\f[]
-environment variable used by the OpenSSL library as the path to
-\f\*[B-Font]/.rnd\f[].
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken-and-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball-and-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re-generated.
.sp \n(Ppu
.ne 2
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-\fI/etc\f[]
-using the
-\f\*[B-Font]keysdir\f[]
-command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
+Additional information on trusted groups and identity schemes is on the
+\*[Lq]Autokey Public-Key Authentication\*[Rq]
+page.
.sp \n(Ppu
.ne 2
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
+File names begin with the prefix
+\fIntpkey\f[]_
+and end with the suffix
+\fI_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[],
+where
+\f\*[I-Font]hostname\f[]
+is the owner name, usually the string returned
+by the Unix
+\fChostname\f[]\fR(1)\f[]
+command, and
+\f\*[I-Font]filestamp\f[]
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+\f\*[B-Font]rm\f[] \fIntpkey\&*\f[]
+command or all files generated
+at a specific time can be removed by a
+\f\*[B-Font]rm\f[] \fI\&*\f[]\f\*[I-Font]filestamp\f[]
+command.
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
+.SS Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -517,8 +421,14 @@
\fIAuthentication\f[] \fIOptions\f[]
section of
\fCntp.conf\f[]\fR(5)\f[].
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+\f\*[B-Font]RSA\f[]
+encryption,
+\f\*[B-Font]MD5\f[]
+message digest
+and
+\f\*[B-Font]TC\f[]
+identification.
First, configure a NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -538,7 +448,7 @@
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-\f\*[B-Font]ntpkey\f[]
+\fIntpkey\f[]
files.
Then run
\f\*[B-Font]ntp-keygen\fP
@@ -565,7 +475,9 @@
\f\*[B-Font]RSA\f[]
or
\f\*[B-Font]DSA\f[].
-The most often need to do this is when a DSA-signed certificate is used.
+The most frequent need to do this is when a
+\f\*[B-Font]DSA\f[]\-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
\f\*[B-Font]ntp-keygen\fP
@@ -574,10 +486,10 @@
option and selected
\f\*[I-Font]scheme\f[]
as needed.
-f
+If
\f\*[B-Font]ntp-keygen\fP
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
.sp \n(Ppu
.ne 2
@@ -586,7 +498,7 @@
Simply run
\f\*[B-Font]ntp-keygen\fP
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
\fCntpd\f[]\fR(1ntpdmdoc)\f[]
should be restarted.
@@ -597,13 +509,15 @@
at which time the protocol is restarted.
.SS Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+\f\*[B-Font]TC\f[]
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-"Identification Schemes"
-page
-(maybe available at
-\f[C]http://www.eecis.udel.edu/%7emills/keygen.html\f[]).
+including
+\f\*[B-Font]PC\f[], \f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[]
+and
+\f\*[B-Font]MV\f[]
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -632,12 +546,15 @@
\f\*[B-Font]\-P\f[]
\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
to generate the host key file
-\fIntpkey_RSAkey_\f[]\f\*[I-Font]alice.filestamp\f[]
+\fIntpkey\f[]_ \f\*[B-Font]RSA\f[] \fIkey_alice.\f[] \f\*[I-Font]filestamp\f[]
and trusted private certificate file
-\fIntpkey_RSA-MD5_cert_\f[]\f\*[I-Font]alice.filestamp\f[].
+\fIntpkey\f[]_ \f\*[B-Font]RSA-MD5\f[] \f\*[B-Font]_\f[] \fIcert_alice.\f[] \f\*[I-Font]filestamp\f[],
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+\f\*[I-Font]bob\f[]
+install a soft link from the generic name
\fIntpkey_host_\f[]\f\*[I-Font]bob\f[]
to the host key file and soft link
\fIntpkey_cert_\f[]\f\*[I-Font]bob\f[]
@@ -646,13 +563,19 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
.sp \n(Ppu
.ne 2
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+\f\*[B-Font]IFF\f[]
+scheme proceed as in the
+\f\*[B-Font]TC\f[]
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+\f\*[B-Font]IFF\f[]
+parameter file.
On trusted host alice run
\f\*[B-Font]ntp-keygen\fP
\f\*[B-Font]\-T\f[]
@@ -659,15 +582,17 @@
\f\*[B-Font]\-I\f[]
\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
to produce her parameter file
-\fIntpkey_IFFpar_\f[]\f\*[I-Font]alice.filestamp\f[],
+\fIntpkey_IFFpar_alice.\f[]\f\*[I-Font]filestamp\f[],
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_iff_alice\f[]
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+\f\*[B-Font]IFF\f[]
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
.sp \n(Ppu
.ne 2
@@ -679,10 +604,10 @@
After generating the parameter file, on alice run
\f\*[B-Font]ntp-keygen\fP
\f\*[B-Font]\-e\f[]
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-\fIntpkey_iff_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_iff_alice\f[]
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
@@ -689,9 +614,15 @@
.sp \n(Ppu
.ne 2
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+\f\*[B-Font]GQ\f[]
+scheme proceed as in the
+\f\*[B-Font]TC\f[]
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+\f\*[B-Font]IFF\f[]
+parameter file.
On trusted host alice run
\f\*[B-Font]ntp-keygen\fP
\f\*[B-Font]\-T\f[]
@@ -698,22 +629,32 @@
\f\*[B-Font]\-G\f[]
\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
to produce her parameter file
-\fIntpkey_GQpar_\f[]\f\*[I-Font]alice.filestamp\f[],
+\fIntpkey_GQpar_alice.\f[]\f\*[I-Font]filestamp\f[],
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-\fIntpkey_gq_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_gq_alice\f[]
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+\f\*[I-Font]bob\f[]
+install a soft link
from generic
\fIntpkey_gq_\f[]\f\*[I-Font]bob\f[]
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+\f\*[B-Font]GQ\f[]
+scheme updates the
+\f\*[B-Font]GQ\f[]
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
.sp \n(Ppu
.ne 2
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+\f\*[B-Font]MV\f[]
+scheme, proceed as in the
+\f\*[B-Font]TC\f[]
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -725,9 +666,9 @@
\f\*[I-Font]n\f[]
is the number of revokable keys (typically 5) to produce
the parameter file
-\fIntpkeys_MVpar_\f[]\f\*[I-Font]trish.filestamp\f[]
+\fIntpkeys_MVpar_trish.\f[]\f\*[I-Font]filestamp\f[]
and client key files
-\fIntpkeys_MVkeyd_\f[]\f\*[I-Font]trish.filestamp\f[]
+\fIntpkeys_MVkey\f[]\f\*[I-Font]d\f[] \f\*[I-Font]_\f[] \fItrish.\f[] \f\*[I-Font]filestamp\f[]
where
\f\*[I-Font]d\f[]
is the key number (0 \&<
@@ -736,95 +677,236 @@
\f\*[I-Font]n\f[]).
Copy the parameter file to alice and install a soft link
from the generic
-\fIntpkey_mv_\f[]\f\*[I-Font]alice\f[]
+\fIntpkey_mv_alice\f[]
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-\fIntpkey_mvkey_\f[]\f\*[I-Font]bob\f[]
+\fIntpkey_mvkey_bob\f[]
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+\f\*[B-Font]MV\f[]
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
.SS Command Line Options
.TP 7
-.NOP \f\*[B-Font]\-c\f[] \f\*[I-Font]scheme\f[]
-Select certificate message digest/signature encryption scheme.
+.NOP \f\*[B-Font]\-b\f[] \f\*[B-Font]\-\-imbits\f[]= \f\*[I-Font]modulus\f[]
+Set the number of bits in the identity modulus for generating identity keys to
+\f\*[I-Font]modulus\f[]
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.TP 7
+.NOP \f\*[B-Font]\-c\f[] \f\*[B-Font]\-\-certificate\f[]= \f\*[I-Font]scheme\f[]
+Select certificate signature encryption/message digest scheme.
The
\f\*[I-Font]scheme\f[]
can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
+\f\*[B-Font]RSA-MD2\f[], \f\*[B-Font]RSA-MD5\f[], \f\*[B-Font]RSA-MDC2\f[], \f\*[B-Font]RSA-SHA\f[], \f\*[B-Font]RSA-SHA1\f[], \f\*[B-Font]RSA-RIPEMD160\f[], \f\*[B-Font]DSA-SHA\f[],
or
\f\*[B-Font]DSA-SHA1\f[].
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+\f\*[B-Font]RSA\f[]
+schemes must be used with an
+\f\*[B-Font]RSA\f[]
+sign key and
+\f\*[B-Font]DSA\f[]
+schemes must be used with a
+\f\*[B-Font]DSA\f[]
+sign key.
The default without this option is
\f\*[B-Font]RSA-MD5\f[].
+If compatibility with FIPS 140-2 is required, either the
+\f\*[B-Font]DSA-SHA\f[]
+or
+\f\*[B-Font]DSA-SHA1\f[]
+scheme must be used.
.TP 7
-.NOP \f\*[B-Font]\-d\f[]
-Enable debugging.
+.NOP \f\*[B-Font]\-C\f[] \f\*[B-Font]\-\-cipher\f[]= \f\*[I-Font]cipher\f[]
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three-key triple DES in CBC mode,
+\f\*[B-Font]des-ede3-cbc\f[].
+The
+\f\*[B-Font]openssl\f[] \f\*[B-Font]\-h\f[]
+command provided with OpenSSL displays available ciphers.
+.TP 7
+.NOP \f\*[B-Font]\-d\f[] \f\*[B-Font]\-\-debug-level\f[]
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye-friendly billboards.
.TP 7
-.NOP \f\*[B-Font]\-e\f[]
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
+.NOP \f\*[B-Font]\-D\f[] \f\*[B-Font]\-\-set-debug-level\f[]= \f\*[I-Font]level\f[]
+Set the debugging verbosity to
+\f\*[I-Font]level\f[].
+This option displays the cryptographic data produced in eye-friendly billboards.
.TP 7
-.NOP \f\*[B-Font]\-G\f[]
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
+.NOP \f\*[B-Font]\-e\f[] \f\*[B-Font]\-\-id-key\f[]
+Write the
+\f\*[B-Font]IFF\f[]
+or
+\f\*[B-Font]GQ\f[]
+public parameters from the
+\f\*[I-Font]IFFkey\f[] \f\*[I-Font]or\f[] \f\*[I-Font]GQkey\f[]
+client keys file previously specified
+as unencrypted data to the standard output stream
+\fIstdout\f[].
+This is intended for automatic key distribution by email.
.TP 7
-.NOP \f\*[B-Font]\-g\f[]
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
+.NOP \f\*[B-Font]\-G\f[] \f\*[B-Font]\-\-gq-params\f[]
+Generate a new encrypted
+\f\*[B-Font]GQ\f[]
+parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+\f\*[B-Font]\-I\f[]
+and
+\f\*[B-Font]\-V\f[]
+options.
.TP 7
-.NOP \f\*[B-Font]\-H\f[]
-Generate new host keys, obsoleting any that may exist.
+.NOP \f\*[B-Font]\-H\f[] \f\*[B-Font]\-\-host-key\f[]
+Generate a new encrypted
+\f\*[B-Font]RSA\f[]
+public/private host key file.
.TP 7
-.NOP \f\*[B-Font]\-I\f[]
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
+.NOP \f\*[B-Font]\-I\f[] \f\*[B-Font]\-\-iffkey\f[]
+Generate a new encrypted
+\f\*[B-Font]IFF\f[]
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+\f\*[B-Font]\-G\f[]
+and
+Fl V
+options.
.TP 7
-.NOP \f\*[B-Font]\-i\f[] \f\*[I-Font]name\f[]
-Set the suject name to
-\f\*[I-Font]name\f[].
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
+.NOP \f\*[B-Font]\-i\f[] \f\*[B-Font]\-\-ident\f[]= \f\*[I-Font]group\f[]
+Set the optional Autokey group name to
+\f\*[I-Font]group\f[].
+This is used in the identity scheme parameter file names of
+\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[],
+and
+\f\*[B-Font]MV\f[]
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+\f\*[B-Font]\-i\f[]
+or
+\f\*[B-Font]\-s\f[]
+following an
+\[oq]@@\[cq]
+character, is also used in certificate subject and issuer names in the form
+\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[]
+and should match the group specified via
+\f\*[B-Font]crypto\f[] \f\*[B-Font]ident\f[]
+or
+\f\*[B-Font]server\f[] \f\*[B-Font]ident\f[]
+in the ntpd configuration file.
.TP 7
-.NOP \f\*[B-Font]\-M\f[]
-Generate MD5 keys, obsoleting any that may exist.
+.NOP \f\*[B-Font]\-l\f[] \f\*[B-Font]\-\-lifetime\f[]= \f\*[I-Font]days\f[]
+Set the lifetime for certificate expiration to
+\f\*[I-Font]days\f[].
+The default lifetime is one year (365 days).
.TP 7
-.NOP \f\*[B-Font]\-P\f[]
-Generate a private certificate.
+.NOP \f\*[B-Font]\-m\f[] \f\*[B-Font]\-\-modulus\f[]= \f\*[I-Font]bits\f[]
+Set the number of bits in the prime modulus for generating files to
+\f\*[I-Font]bits\f[].
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.TP 7
+.NOP \f\*[B-Font]\-M\f[] \f\*[B-Font]\-\-md5key\f[]
+Generate a new symmetric keys file containing 10
+\f\*[B-Font]MD5\f[]
+keys, and if OpenSSL is available, 10
+\f\*[B-Font]SHA\f[]
+keys.
+An
+\f\*[B-Font]MD5\f[]
+key is a string of 20 random printable ASCII characters, while a
+\f\*[B-Font]SHA\f[]
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+.TP 7
+.NOP \f\*[B-Font]\-p\f[] \f\*[B-Font]\-\-password\f[]= \f\*[I-Font]passwd\f[]
+Set the password for reading and writing encrypted files to
+\f\*[I-Font]passwd\f[].
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+\f\*[B-Font]hostname\f[]
+command.
+.TP 7
+.NOP \f\*[B-Font]\-P\f[] \f\*[B-Font]\-\-pvt-cert\f[]
+Generate a new private certificate used by the
+\f\*[B-Font]PC\f[]
+identity scheme.
By default, the program generates public certificates.
+Note: the PC identity scheme is not recommended for new installations.
.TP 7
-.NOP \f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
-Encrypt generated files containing private data with
-\f\*[I-Font]password\f[]
-and the DES-CBC algorithm.
+.NOP \f\*[B-Font]\-q\f[] \f\*[B-Font]\-\-export-passwd\f[]= \f\*[I-Font]passwd\f[]
+Set the password for writing encrypted
+\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[] \f\*[B-Font]and\f[] \f\*[B-Font]MV\f[]
+identity files redirected to
+\fIstdout\f[]
+to
+\f\*[I-Font]passwd\f[].
+In effect, these files are decrypted with the
+\f\*[B-Font]\-p\f[]
+password, then encrypted with the
+\f\*[B-Font]\-q\f[]
+password.
+By default, the password is the string returned by the Unix
+\f\*[B-Font]hostname\f[]
+command.
.TP 7
-.NOP \f\*[B-Font]\-q\f[]
-Set the password for reading files to password.
+.NOP \f\*[B-Font]\-s\f[] \f\*[B-Font]\-\-subject-key\f[]= [host] [@@ \f\*[I-Font]group\f[]]
+Specify the Autokey host name, where
+\f\*[I-Font]host\f[]
+is the optional host name and
+\f\*[I-Font]group\f[]
+is the optional group name.
+The host name, and if provided, group name are used in
+\f\*[I-Font]host\f[] \f\*[I-Font]@@\f[] \f\*[I-Font]group\f[]
+form as certificate subject and issuer.
+Specifying
+\f\*[B-Font]\-s\f[] \f\*[B-Font]\-@@\f[] \f\*[I-Font]group\f[]
+is allowed, and results in leaving the host name unchanged, as with
+\f\*[B-Font]\-i\f[] \f\*[I-Font]group\f[].
+The group name, or if no group is provided, the host name are also used in the
+file names of
+\f\*[B-Font]IFF\f[], \f\*[B-Font]GQ\f[],
+and
+\f\*[B-Font]MV\f[]
+identity scheme client parameter files.
+If
+\f\*[I-Font]host\f[]
+is not specified, the default host name is the string returned by the Unix
+\f\*[B-Font]hostname\f[]
+command.
.TP 7
-.NOP \f\*[B-Font]\-S\f[] [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]]
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
+.NOP \f\*[B-Font]\-S\f[] \f\*[B-Font]\-\-sign-key\f[]= [\f\*[B-Font]RSA\f[] | \f\*[B-Font]DSA\f[]]
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140-2 is required, the sign key type must be
+\f\*[B-Font]DSA\f[].
.TP 7
-.NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]name\f[]
-Set the issuer name to
-\f\*[I-Font]name\f[].
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.TP 7
-.NOP \f\*[B-Font]\-T\f[]
+.NOP \f\*[B-Font]\-T\f[] \f\*[B-Font]\-\-trusted-cert\f[]
Generate a trusted certificate.
By default, the program generates a non-trusted certificate.
.TP 7
-.NOP \f\*[B-Font]\-V\f[] \f\*[I-Font]nkeys\f[]
-Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
+.NOP \f\*[B-Font]\-V\f[] \f\*[B-Font]\-\-mv-params\f[] \f\*[I-Font]nkeys\f[]
+Generate
+\f\*[I-Font]nkeys\f[]
+encrypted server keys and parameters for the Mu-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+\f\*[B-Font]\-I\f[]
+and
+\f\*[B-Font]\-G\f[]
+options.
+Note: support for this option should be considered a work in progress.
.PP
.SS Random Seed File
All cryptographically sound key generation schemes must have means
@@ -852,7 +934,7 @@
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-\f\*[B-Font].rnd\f[],
+\fI.rnd\f[],
which must be available when starting the NTP daemon
or the
\f\*[B-Font]ntp-keygen\fP
@@ -875,48 +957,131 @@
RANDFILE
environment variable is not present,
the library will look for the
-\f\*[B-Font].rnd\f[]
+\fI.rnd\f[]
file in the user home directory.
+Since both the
+\f\*[B-Font]ntp-keygen\fP
+program and
+\fCntpd\f[]\fR(1ntpdmdoc)\f[]
+daemon must run as root, the logical place to put this file is in
+\fI/.rnd\f[]
+or
+\fI/root/.rnd\f[].
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
.SS Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+\fIntpkey_\f[]\f\*[I-Font]key\f[] \f\*[I-Font]_\f[] \f\*[I-Font]name\f[]. \f\*[I-Font]filestamp\f[],
+where
+\f\*[I-Font]key\f[]
+is the key or parameter type,
+\f\*[I-Font]name\f[]
+is the host or group name and
+\f\*[I-Font]filestamp\f[]
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+\f\*[I-Font]key\f[]
+names in generated file names include both upper and lower case
+characters, while
+\f\*[I-Font]key\f[]
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+\fIdate\f[]
+format.
+Lines beginning with
+\[oq]#\[cq]
+are considered comments and ignored by the
\f\*[B-Font]ntp-keygen\fP
program and
\fCntpd\f[]\fR(1ntpdmdoc)\f[]
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
.sp \n(Ppu
.ne 2
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+.sp \n(Ppu
+.ne 2
+
+The format of the symmetric keys file, ordinarily named
+\fIntp.keys\f[],
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+.br
.in +4
+.nf
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o}3i@@@@V@@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+.in -4
+.fi
+.in +4
+Figure 1. Typical Symmetric Key File
+.in -4
+.sp \n(Ppu
+.ne 2
+
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+.in +4
\f\*[I-Font]keyno\f[] \f\*[I-Font]type\f[] \f\*[I-Font]key\f[]
.in -4
where
\f\*[I-Font]keyno\f[]
-is a positive integer in the range 1-65,535,
+is a positive integer in the range 1-65534;
\f\*[I-Font]type\f[]
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+\f\*[B-Font]MD5\f[]
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140-2 is required,
+the key type must be either
+\f\*[B-Font]SHA\f[]
+or
+\f\*[B-Font]SHA1\f[];
\f\*[I-Font]key\f[]
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+\[oq]\[cq]!
+through
+\[oq]~\[cq]
+\&) excluding space and the
\[oq]#\[cq]
+character, and terminated by whitespace or a
+\[oq]#\[cq]
character.
+An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
+is truncated as necessary.
.sp \n(Ppu
.ne 2
@@ -933,8 +1098,8 @@
The
\f\*[B-Font]ntp-keygen\fP
-program generates a MD5 symmetric keys file
-\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname.filestamp\f[].
+program generates a symmetric keys file
+\fIntpkey_MD5key_\f[]\f\*[I-Font]hostname\f[]. \f\*[I-Font]filestamp\f[].
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -973,10 +1138,10 @@
certificate scheme.
.sp
scheme is one of
-RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
+RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
DSA-SHA, or DSA-SHA1.
.sp
-Select the certificate message digest/signature encryption scheme.
+Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA-MD5.
@@ -986,7 +1151,7 @@
.sp
Select the cipher which is used to encrypt the files containing
private keys. The default is three-key triple DES in CBC mode,
-equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers
+equivalent to "\fB-C des-ede3-cbc\fP". The openssl tool lists ciphers
available in "\fBopenssl \-h\fP" output.
.TP
.NOP \f\*[B-Font]\-d\f[], \f\*[B-Font]\-\-debug\-level\f[]
@@ -1003,8 +1168,9 @@
.NOP \f\*[B-Font]\-e\f[], \f\*[B-Font]\-\-id\-key\f[]
Write IFF or GQ identity keys.
.sp
-Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
.TP
.NOP \f\*[B-Font]\-G\f[], \f\*[B-Font]\-\-gq\-params\f[]
Generate GQ parameters and keys.
@@ -1030,11 +1196,11 @@
the file name of IFF, GQ, and MV client parameters files. In
that role, the default is the host name if this option is not
provided. The group name, if specified using \fB-i/--ident\fP or
-using \fB-s/--subject-name\fP following an '\fB@\fP' character,
-is also a part of the self-signed host certificate's subject and
-issuer names in the form \fBhost@group\fP and should match the
-'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in
-\fBntpd\fP's configuration file.
+using \fB-s/--subject-name\fP following an '\fB@@\fP' character,
+is also a part of the self-signed host certificate subject and
+issuer names in the form \fBhost@@group\fP and should match the
+'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the
+\fBntpd\fP configuration file.
.TP
.NOP \f\*[B-Font]\-l\f[] \f\*[I-Font]lifetime\f[], \f\*[B-Font]\-\-lifetime\f[]=\f\*[I-Font]lifetime\f[]
set certificate lifetime.
@@ -1042,13 +1208,8 @@
.sp
Set the certificate expiration to lifetime days from now.
.TP
-.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[]
-generate MD5 keys.
-.sp
-Generate MD5 keys, obsoleting any that may exist.
-.TP
.NOP \f\*[B-Font]\-m\f[] \f\*[I-Font]modulus\f[], \f\*[B-Font]\-\-modulus\f[]=\f\*[I-Font]modulus\f[]
-modulus.
+prime modulus.
This option takes an integer number as its argument.
The value of
\f\*[I-Font]modulus\f[]
@@ -1062,6 +1223,11 @@
.sp
The number of bits in the prime modulus. The default is 512.
.TP
+.NOP \f\*[B-Font]\-M\f[], \f\*[B-Font]\-\-md5key\f[]
+generate symmetric keys.
+.sp
+Generate symmetric keys, obsoleting any that may exist.
+.TP
.NOP \f\*[B-Font]\-P\f[], \f\*[B-Font]\-\-pvt\-cert\f[]
generate PC private certificate.
.sp
@@ -1086,27 +1252,27 @@
"crypto pw password" configuration command. See also the option
--id-key (-e) for unencrypted exports.
.TP
-.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[]
-generate sign key (RSA or DSA).
-.sp
-Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
-.TP
.NOP \f\*[B-Font]\-s\f[] \f\*[I-Font]host@group\f[], \f\*[B-Font]\-\-subject\-name\f[]=\f\*[I-Font]host@group\f[]
set host and optionally group name.
.sp
Set the Autokey host name, and optionally, group name specified
-following an '\fB@\fP' character. The host name is used in the file
+following an '\fB@@\fP' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
-in \fBhost@group\fP form for the host certificate's subject and issuer
-fields. Specifying '\fB-s @group\fP' is allowed, and results in
-leaving the host name unchanged while appending \fB@group\fP to the
+in \fBhost@@group\fP form for the host certificate subject and issuer
+fields. Specifying '\fB-s @@group\fP' is allowed, and results in
+leaving the host name unchanged while appending \fB@@group\fP to the
subject and issuer fields, as with \fB-i group\fP. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
.TP
+.NOP \f\*[B-Font]\-S\f[] \f\*[I-Font]sign\f[], \f\*[B-Font]\-\-sign\-key\f[]=\f\*[I-Font]sign\f[]
+generate sign key (RSA or DSA).
+.sp
+Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
+.TP
.NOP \f\*[B-Font]\-T\f[], \f\*[B-Font]\-\-trusted\-cert\f[]
trusted certificate (TC scheme).
.sp
@@ -1162,18 +1328,6 @@
If any of these are directories, then the file \fI.ntprc\fP
is searched for within those directories.
.SH USAGE
-The
-\f\*[B-Font]\-p\f[] \f\*[I-Font]password\f[]
-option specifies the write password and
-\f\*[B-Font]\-q\f[] \f\*[I-Font]password\f[]
-option the read password for previously encrypted files.
-The
-\f\*[B-Font]ntp-keygen\fP
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
.SH "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.SH "FILES"
@@ -1200,10 +1354,7 @@
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.SH BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
+It can take quite a while to generate some cryptographic values.
.sp \n(Ppu
.ne 2
Index: contrib/ntp/sntp/utilities.c
===================================================================
--- contrib/ntp/sntp/utilities.c (版本 330566)
+++ contrib/ntp/sntp/utilities.c (版本 330908)
@@ -23,7 +23,7 @@
if (a > 0 && a % 8 == 0)
fprintf(output, "\n");
- fprintf(output, "%d: %x \t", a, pkt[a]);
+ fprintf(output, "%3d: %02x ", a, pkt[a]);
}
fprintf(output, "\n");
Index: contrib/ntp/util/ntp-keygen-opts.c
===================================================================
--- contrib/ntp/util/ntp-keygen-opts.c (版本 330566)
+++ contrib/ntp/util/ntp-keygen-opts.c (版本 330908)
@@ -1,7 +1,7 @@
/*
* EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.c)
*
- * It has been AutoGen-ed March 21, 2017 at 10:45:48 AM by AutoGen 5.18.5
+ * It has been AutoGen-ed February 27, 2018 at 05:15:44 PM by AutoGen 5.18.5
* From the definitions ntp-keygen-opts.def
* and the template file options
*
@@ -71,8 +71,8 @@
/**
* static const strings for ntp-keygen options
*/
-static char const ntp_keygen_opt_strs[2422] =
-/* 0 */ "ntp-keygen (ntp) 4.2.8p10\n"
+static char const ntp_keygen_opt_strs[2442] =
+/* 0 */ "ntp-keygen (ntp) 4.2.8p11\n"
"Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n"
"This is free software. It is licensed for use, modification and\n"
"redistribution under the terms of the NTP License, copies of which\n"
@@ -122,56 +122,57 @@
/* 1458 */ "set certificate lifetime\0"
/* 1483 */ "LIFETIME\0"
/* 1492 */ "lifetime\0"
-/* 1501 */ "generate MD5 keys\0"
-/* 1519 */ "MD5KEY\0"
-/* 1526 */ "md5key\0"
-/* 1533 */ "modulus\0"
-/* 1541 */ "MODULUS\0"
-/* 1549 */ "generate PC private certificate\0"
-/* 1581 */ "PVT_CERT\0"
-/* 1590 */ "pvt-cert\0"
-/* 1599 */ "local private password\0"
-/* 1622 */ "PASSWORD\0"
-/* 1631 */ "password\0"
-/* 1640 */ "export IFF or GQ group keys with password\0"
-/* 1682 */ "EXPORT_PASSWD\0"
-/* 1696 */ "export-passwd\0"
-/* 1710 */ "generate sign key (RSA or DSA)\0"
-/* 1741 */ "SIGN_KEY\0"
-/* 1750 */ "sign-key\0"
-/* 1759 */ "set host and optionally group name\0"
-/* 1794 */ "SUBJECT_NAME\0"
-/* 1807 */ "subject-name\0"
-/* 1820 */ "trusted certificate (TC scheme)\0"
-/* 1852 */ "TRUSTED_CERT\0"
-/* 1865 */ "trusted-cert\0"
-/* 1878 */ "generate <num> MV parameters\0"
-/* 1907 */ "MV_PARAMS\0"
-/* 1917 */ "mv-params\0"
-/* 1927 */ "update <num> MV keys\0"
-/* 1948 */ "MV_KEYS\0"
-/* 1956 */ "mv-keys\0"
-/* 1964 */ "display extended usage information and exit\0"
-/* 2008 */ "help\0"
-/* 2013 */ "extended usage information passed thru pager\0"
-/* 2058 */ "more-help\0"
-/* 2068 */ "output version information and exit\0"
-/* 2104 */ "version\0"
-/* 2112 */ "save the option state to a config file\0"
-/* 2151 */ "save-opts\0"
-/* 2161 */ "load options from a config file\0"
-/* 2193 */ "LOAD_OPTS\0"
-/* 2203 */ "no-load-opts\0"
-/* 2216 */ "no\0"
-/* 2219 */ "NTP_KEYGEN\0"
-/* 2230 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10\n"
+/* 1501 */ "prime modulus\0"
+/* 1515 */ "MODULUS\0"
+/* 1523 */ "modulus\0"
+/* 1531 */ "generate symmetric keys\0"
+/* 1555 */ "MD5KEY\0"
+/* 1562 */ "md5key\0"
+/* 1569 */ "generate PC private certificate\0"
+/* 1601 */ "PVT_CERT\0"
+/* 1610 */ "pvt-cert\0"
+/* 1619 */ "local private password\0"
+/* 1642 */ "PASSWORD\0"
+/* 1651 */ "password\0"
+/* 1660 */ "export IFF or GQ group keys with password\0"
+/* 1702 */ "EXPORT_PASSWD\0"
+/* 1716 */ "export-passwd\0"
+/* 1730 */ "set host and optionally group name\0"
+/* 1765 */ "SUBJECT_NAME\0"
+/* 1778 */ "subject-name\0"
+/* 1791 */ "generate sign key (RSA or DSA)\0"
+/* 1822 */ "SIGN_KEY\0"
+/* 1831 */ "sign-key\0"
+/* 1840 */ "trusted certificate (TC scheme)\0"
+/* 1872 */ "TRUSTED_CERT\0"
+/* 1885 */ "trusted-cert\0"
+/* 1898 */ "generate <num> MV parameters\0"
+/* 1927 */ "MV_PARAMS\0"
+/* 1937 */ "mv-params\0"
+/* 1947 */ "update <num> MV keys\0"
+/* 1968 */ "MV_KEYS\0"
+/* 1976 */ "mv-keys\0"
+/* 1984 */ "display extended usage information and exit\0"
+/* 2028 */ "help\0"
+/* 2033 */ "extended usage information passed thru pager\0"
+/* 2078 */ "more-help\0"
+/* 2088 */ "output version information and exit\0"
+/* 2124 */ "version\0"
+/* 2132 */ "save the option state to a config file\0"
+/* 2171 */ "save-opts\0"
+/* 2181 */ "load options from a config file\0"
+/* 2213 */ "LOAD_OPTS\0"
+/* 2223 */ "no-load-opts\0"
+/* 2236 */ "no\0"
+/* 2239 */ "NTP_KEYGEN\0"
+/* 2250 */ "ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p11\n"
"Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n\0"
-/* 2345 */ "$HOME\0"
-/* 2351 */ ".\0"
-/* 2353 */ ".ntprc\0"
-/* 2360 */ "http://bugs.ntp.org, bugs@ntp.org\0"
-/* 2394 */ "\n\0"
-/* 2396 */ "ntp-keygen (ntp) 4.2.8p10";
+/* 2365 */ "$HOME\0"
+/* 2371 */ ".\0"
+/* 2373 */ ".ntprc\0"
+/* 2380 */ "http://bugs.ntp.org, bugs@ntp.org\0"
+/* 2414 */ "\n\0"
+/* 2416 */ "ntp-keygen (ntp) 4.2.8p11";
/**
* imbits option description:
@@ -384,27 +385,15 @@
#endif /* AUTOKEY */
/**
- * md5key option description:
- */
-/** Descriptive text for the md5key option */
-#define MD5KEY_DESC (ntp_keygen_opt_strs+1501)
-/** Upper-cased name for the md5key option */
-#define MD5KEY_NAME (ntp_keygen_opt_strs+1519)
-/** Name string for the md5key option */
-#define MD5KEY_name (ntp_keygen_opt_strs+1526)
-/** Compiled in flag settings for the md5key option */
-#define MD5KEY_FLAGS (OPTST_DISABLED)
-
-/**
* modulus option description:
*/
#ifdef AUTOKEY
/** Descriptive text for the modulus option */
-#define MODULUS_DESC (ntp_keygen_opt_strs+1533)
+#define MODULUS_DESC (ntp_keygen_opt_strs+1501)
/** Upper-cased name for the modulus option */
-#define MODULUS_NAME (ntp_keygen_opt_strs+1541)
+#define MODULUS_NAME (ntp_keygen_opt_strs+1515)
/** Name string for the modulus option */
-#define MODULUS_name (ntp_keygen_opt_strs+1533)
+#define MODULUS_name (ntp_keygen_opt_strs+1523)
/** Compiled in flag settings for the modulus option */
#define MODULUS_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
@@ -417,15 +406,27 @@
#endif /* AUTOKEY */
/**
+ * md5key option description:
+ */
+/** Descriptive text for the md5key option */
+#define MD5KEY_DESC (ntp_keygen_opt_strs+1531)
+/** Upper-cased name for the md5key option */
+#define MD5KEY_NAME (ntp_keygen_opt_strs+1555)
+/** Name string for the md5key option */
+#define MD5KEY_name (ntp_keygen_opt_strs+1562)
+/** Compiled in flag settings for the md5key option */
+#define MD5KEY_FLAGS (OPTST_DISABLED)
+
+/**
* pvt-cert option description:
*/
#ifdef AUTOKEY
/** Descriptive text for the pvt-cert option */
-#define PVT_CERT_DESC (ntp_keygen_opt_strs+1549)
+#define PVT_CERT_DESC (ntp_keygen_opt_strs+1569)
/** Upper-cased name for the pvt-cert option */
-#define PVT_CERT_NAME (ntp_keygen_opt_strs+1581)
+#define PVT_CERT_NAME (ntp_keygen_opt_strs+1601)
/** Name string for the pvt-cert option */
-#define PVT_CERT_name (ntp_keygen_opt_strs+1590)
+#define PVT_CERT_name (ntp_keygen_opt_strs+1610)
/** Compiled in flag settings for the pvt-cert option */
#define PVT_CERT_FLAGS (OPTST_DISABLED)
@@ -441,11 +442,11 @@
*/
#ifdef AUTOKEY
/** Descriptive text for the password option */
-#define PASSWORD_DESC (ntp_keygen_opt_strs+1599)
+#define PASSWORD_DESC (ntp_keygen_opt_strs+1619)
/** Upper-cased name for the password option */
-#define PASSWORD_NAME (ntp_keygen_opt_strs+1622)
+#define PASSWORD_NAME (ntp_keygen_opt_strs+1642)
/** Name string for the password option */
-#define PASSWORD_name (ntp_keygen_opt_strs+1631)
+#define PASSWORD_name (ntp_keygen_opt_strs+1651)
/** Compiled in flag settings for the password option */
#define PASSWORD_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
@@ -462,11 +463,11 @@
*/
#ifdef AUTOKEY
/** Descriptive text for the export-passwd option */
-#define EXPORT_PASSWD_DESC (ntp_keygen_opt_strs+1640)
+#define EXPORT_PASSWD_DESC (ntp_keygen_opt_strs+1660)
/** Upper-cased name for the export-passwd option */
-#define EXPORT_PASSWD_NAME (ntp_keygen_opt_strs+1682)
+#define EXPORT_PASSWD_NAME (ntp_keygen_opt_strs+1702)
/** Name string for the export-passwd option */
-#define EXPORT_PASSWD_name (ntp_keygen_opt_strs+1696)
+#define EXPORT_PASSWD_name (ntp_keygen_opt_strs+1716)
/** Compiled in flag settings for the export-passwd option */
#define EXPORT_PASSWD_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
@@ -479,15 +480,36 @@
#endif /* AUTOKEY */
/**
+ * subject-name option description:
+ */
+#ifdef AUTOKEY
+/** Descriptive text for the subject-name option */
+#define SUBJECT_NAME_DESC (ntp_keygen_opt_strs+1730)
+/** Upper-cased name for the subject-name option */
+#define SUBJECT_NAME_NAME (ntp_keygen_opt_strs+1765)
+/** Name string for the subject-name option */
+#define SUBJECT_NAME_name (ntp_keygen_opt_strs+1778)
+/** Compiled in flag settings for the subject-name option */
+#define SUBJECT_NAME_FLAGS (OPTST_DISABLED \
+ | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
+
+#else /* disable subject-name */
+#define SUBJECT_NAME_FLAGS (OPTST_OMITTED | OPTST_NO_INIT)
+#define SUBJECT_NAME_NAME NULL
+#define SUBJECT_NAME_DESC NULL
+#define SUBJECT_NAME_name NULL
+#endif /* AUTOKEY */
+
+/**
* sign-key option description:
*/
#ifdef AUTOKEY
/** Descriptive text for the sign-key option */
-#define SIGN_KEY_DESC (ntp_keygen_opt_strs+1710)
+#define SIGN_KEY_DESC (ntp_keygen_opt_strs+1791)
/** Upper-cased name for the sign-key option */
-#define SIGN_KEY_NAME (ntp_keygen_opt_strs+1741)
+#define SIGN_KEY_NAME (ntp_keygen_opt_strs+1822)
/** Name string for the sign-key option */
-#define SIGN_KEY_name (ntp_keygen_opt_strs+1750)
+#define SIGN_KEY_name (ntp_keygen_opt_strs+1831)
/** Compiled in flag settings for the sign-key option */
#define SIGN_KEY_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
@@ -500,36 +522,15 @@
#endif /* AUTOKEY */
/**
- * subject-name option description:
- */
-#ifdef AUTOKEY
-/** Descriptive text for the subject-name option */
-#define SUBJECT_NAME_DESC (ntp_keygen_opt_strs+1759)
-/** Upper-cased name for the subject-name option */
-#define SUBJECT_NAME_NAME (ntp_keygen_opt_strs+1794)
-/** Name string for the subject-name option */
-#define SUBJECT_NAME_name (ntp_keygen_opt_strs+1807)
-/** Compiled in flag settings for the subject-name option */
-#define SUBJECT_NAME_FLAGS (OPTST_DISABLED \
- | OPTST_SET_ARGTYPE(OPARG_TYPE_STRING))
-
-#else /* disable subject-name */
-#define SUBJECT_NAME_FLAGS (OPTST_OMITTED | OPTST_NO_INIT)
-#define SUBJECT_NAME_NAME NULL
-#define SUBJECT_NAME_DESC NULL
-#define SUBJECT_NAME_name NULL
-#endif /* AUTOKEY */
-
-/**
* trusted-cert option description:
*/
#ifdef AUTOKEY
/** Descriptive text for the trusted-cert option */
-#define TRUSTED_CERT_DESC (ntp_keygen_opt_strs+1820)
+#define TRUSTED_CERT_DESC (ntp_keygen_opt_strs+1840)
/** Upper-cased name for the trusted-cert option */
-#define TRUSTED_CERT_NAME (ntp_keygen_opt_strs+1852)
+#define TRUSTED_CERT_NAME (ntp_keygen_opt_strs+1872)
/** Name string for the trusted-cert option */
-#define TRUSTED_CERT_name (ntp_keygen_opt_strs+1865)
+#define TRUSTED_CERT_name (ntp_keygen_opt_strs+1885)
/** Compiled in flag settings for the trusted-cert option */
#define TRUSTED_CERT_FLAGS (OPTST_DISABLED)
@@ -545,11 +546,11 @@
*/
#ifdef AUTOKEY
/** Descriptive text for the mv-params option */
-#define MV_PARAMS_DESC (ntp_keygen_opt_strs+1878)
+#define MV_PARAMS_DESC (ntp_keygen_opt_strs+1898)
/** Upper-cased name for the mv-params option */
-#define MV_PARAMS_NAME (ntp_keygen_opt_strs+1907)
+#define MV_PARAMS_NAME (ntp_keygen_opt_strs+1927)
/** Name string for the mv-params option */
-#define MV_PARAMS_name (ntp_keygen_opt_strs+1917)
+#define MV_PARAMS_name (ntp_keygen_opt_strs+1937)
/** Compiled in flag settings for the mv-params option */
#define MV_PARAMS_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
@@ -566,11 +567,11 @@
*/
#ifdef AUTOKEY
/** Descriptive text for the mv-keys option */
-#define MV_KEYS_DESC (ntp_keygen_opt_strs+1927)
+#define MV_KEYS_DESC (ntp_keygen_opt_strs+1947)
/** Upper-cased name for the mv-keys option */
-#define MV_KEYS_NAME (ntp_keygen_opt_strs+1948)
+#define MV_KEYS_NAME (ntp_keygen_opt_strs+1968)
/** Name string for the mv-keys option */
-#define MV_KEYS_name (ntp_keygen_opt_strs+1956)
+#define MV_KEYS_name (ntp_keygen_opt_strs+1976)
/** Compiled in flag settings for the mv-keys option */
#define MV_KEYS_FLAGS (OPTST_DISABLED \
| OPTST_SET_ARGTYPE(OPARG_TYPE_NUMERIC))
@@ -585,11 +586,11 @@
/*
* Help/More_Help/Version option descriptions:
*/
-#define HELP_DESC (ntp_keygen_opt_strs+1964)
-#define HELP_name (ntp_keygen_opt_strs+2008)
+#define HELP_DESC (ntp_keygen_opt_strs+1984)
+#define HELP_name (ntp_keygen_opt_strs+2028)
#ifdef HAVE_WORKING_FORK
-#define MORE_HELP_DESC (ntp_keygen_opt_strs+2013)
-#define MORE_HELP_name (ntp_keygen_opt_strs+2058)
+#define MORE_HELP_DESC (ntp_keygen_opt_strs+2033)
+#define MORE_HELP_name (ntp_keygen_opt_strs+2078)
#define MORE_HELP_FLAGS (OPTST_IMM | OPTST_NO_INIT)
#else
#define MORE_HELP_DESC HELP_DESC
@@ -602,14 +603,14 @@
# define VER_FLAGS (OPTST_SET_ARGTYPE(OPARG_TYPE_STRING) | \
OPTST_ARG_OPTIONAL | OPTST_IMM | OPTST_NO_INIT)
#endif
-#define VER_DESC (ntp_keygen_opt_strs+2068)
-#define VER_name (ntp_keygen_opt_strs+2104)
-#define SAVE_OPTS_DESC (ntp_keygen_opt_strs+2112)
-#define SAVE_OPTS_name (ntp_keygen_opt_strs+2151)
-#define LOAD_OPTS_DESC (ntp_keygen_opt_strs+2161)
-#define LOAD_OPTS_NAME (ntp_keygen_opt_strs+2193)
-#define NO_LOAD_OPTS_name (ntp_keygen_opt_strs+2203)
-#define LOAD_OPTS_pfx (ntp_keygen_opt_strs+2216)
+#define VER_DESC (ntp_keygen_opt_strs+2088)
+#define VER_name (ntp_keygen_opt_strs+2124)
+#define SAVE_OPTS_DESC (ntp_keygen_opt_strs+2132)
+#define SAVE_OPTS_name (ntp_keygen_opt_strs+2171)
+#define LOAD_OPTS_DESC (ntp_keygen_opt_strs+2181)
+#define LOAD_OPTS_NAME (ntp_keygen_opt_strs+2213)
+#define NO_LOAD_OPTS_name (ntp_keygen_opt_strs+2223)
+#define LOAD_OPTS_pfx (ntp_keygen_opt_strs+2236)
#define LOAD_OPTS_name (NO_LOAD_OPTS_name + 3)
/**
* Declare option callback procedures
@@ -772,28 +773,28 @@
/* desc, NAME, name */ LIFETIME_DESC, LIFETIME_NAME, LIFETIME_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 11, VALUE_OPT_MD5KEY,
- /* equiv idx, value */ 11, VALUE_OPT_MD5KEY,
+ { /* entry idx, value */ 11, VALUE_OPT_MODULUS,
+ /* equiv idx, value */ 11, VALUE_OPT_MODULUS,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ MD5KEY_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --md5key */
+ /* opt state flags */ MODULUS_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --modulus */
/* arg list/cookie */ NULL,
/* must/cannot opts */ NULL, NULL,
- /* option proc */ NULL,
- /* desc, NAME, name */ MD5KEY_DESC, MD5KEY_NAME, MD5KEY_name,
+ /* option proc */ doOptModulus,
+ /* desc, NAME, name */ MODULUS_DESC, MODULUS_NAME, MODULUS_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 12, VALUE_OPT_MODULUS,
- /* equiv idx, value */ 12, VALUE_OPT_MODULUS,
+ { /* entry idx, value */ 12, VALUE_OPT_MD5KEY,
+ /* equiv idx, value */ 12, VALUE_OPT_MD5KEY,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ MODULUS_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --modulus */
+ /* opt state flags */ MD5KEY_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --md5key */
/* arg list/cookie */ NULL,
/* must/cannot opts */ NULL, NULL,
- /* option proc */ doOptModulus,
- /* desc, NAME, name */ MODULUS_DESC, MODULUS_NAME, MODULUS_name,
+ /* option proc */ NULL,
+ /* desc, NAME, name */ MD5KEY_DESC, MD5KEY_NAME, MD5KEY_name,
/* disablement strs */ NULL, NULL },
{ /* entry idx, value */ 13, VALUE_OPT_PVT_CERT,
@@ -832,28 +833,28 @@
/* desc, NAME, name */ EXPORT_PASSWD_DESC, EXPORT_PASSWD_NAME, EXPORT_PASSWD_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 16, VALUE_OPT_SIGN_KEY,
- /* equiv idx, value */ 16, VALUE_OPT_SIGN_KEY,
+ { /* entry idx, value */ 16, VALUE_OPT_SUBJECT_NAME,
+ /* equiv idx, value */ 16, VALUE_OPT_SUBJECT_NAME,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ SIGN_KEY_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --sign-key */
+ /* opt state flags */ SUBJECT_NAME_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --subject-name */
/* arg list/cookie */ NULL,
/* must/cannot opts */ NULL, NULL,
/* option proc */ NULL,
- /* desc, NAME, name */ SIGN_KEY_DESC, SIGN_KEY_NAME, SIGN_KEY_name,
+ /* desc, NAME, name */ SUBJECT_NAME_DESC, SUBJECT_NAME_NAME, SUBJECT_NAME_name,
/* disablement strs */ NULL, NULL },
- { /* entry idx, value */ 17, VALUE_OPT_SUBJECT_NAME,
- /* equiv idx, value */ 17, VALUE_OPT_SUBJECT_NAME,
+ { /* entry idx, value */ 17, VALUE_OPT_SIGN_KEY,
+ /* equiv idx, value */ 17, VALUE_OPT_SIGN_KEY,
/* equivalenced to */ NO_EQUIVALENT,
/* min, max, act ct */ 0, 1, 0,
- /* opt state flags */ SUBJECT_NAME_FLAGS, 0,
- /* last opt argumnt */ { NULL }, /* --subject-name */
+ /* opt state flags */ SIGN_KEY_FLAGS, 0,
+ /* last opt argumnt */ { NULL }, /* --sign-key */
/* arg list/cookie */ NULL,
/* must/cannot opts */ NULL, NULL,
/* option proc */ NULL,
- /* desc, NAME, name */ SUBJECT_NAME_DESC, SUBJECT_NAME_NAME, SUBJECT_NAME_name,
+ /* desc, NAME, name */ SIGN_KEY_DESC, SIGN_KEY_NAME, SIGN_KEY_name,
/* disablement strs */ NULL, NULL },
{ /* entry idx, value */ 18, VALUE_OPT_TRUSTED_CERT,
@@ -960,24 +961,24 @@
/* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
/** Reference to the upper cased version of ntp-keygen. */
-#define zPROGNAME (ntp_keygen_opt_strs+2219)
+#define zPROGNAME (ntp_keygen_opt_strs+2239)
/** Reference to the title line for ntp-keygen usage. */
-#define zUsageTitle (ntp_keygen_opt_strs+2230)
+#define zUsageTitle (ntp_keygen_opt_strs+2250)
/** ntp-keygen configuration file name. */
-#define zRcName (ntp_keygen_opt_strs+2353)
+#define zRcName (ntp_keygen_opt_strs+2373)
/** Directories to search for ntp-keygen config files. */
static char const * const apzHomeList[3] = {
- ntp_keygen_opt_strs+2345,
- ntp_keygen_opt_strs+2351,
+ ntp_keygen_opt_strs+2365,
+ ntp_keygen_opt_strs+2371,
NULL };
/** The ntp-keygen program bug email address. */
-#define zBugsAddr (ntp_keygen_opt_strs+2360)
+#define zBugsAddr (ntp_keygen_opt_strs+2380)
/** Clarification/explanation of what ntp-keygen does. */
-#define zExplain (ntp_keygen_opt_strs+2394)
+#define zExplain (ntp_keygen_opt_strs+2414)
/** Extra detail explaining what ntp-keygen does. */
#define zDetail (NULL)
/** The full version string for ntp-keygen. */
-#define zFullVersion (ntp_keygen_opt_strs+2396)
+#define zFullVersion (ntp_keygen_opt_strs+2416)
/* extracted from optcode.tlib near line 364 */
#if defined(ENABLE_NLS)
@@ -1309,7 +1310,7 @@
translate option names.
*/
/* referenced via ntp_keygenOptions.pzCopyright */
- puts(_("ntp-keygen (ntp) 4.2.8p10\n\
+ puts(_("ntp-keygen (ntp) 4.2.8p11\n\
Copyright (C) 1992-2017 The University of Delaware and Network Time Foundation, all rights reserved.\n\
This is free software. It is licensed for use, modification and\n\
redistribution under the terms of the NTP License, copies of which\n\
@@ -1363,10 +1364,10 @@
puts(_("set certificate lifetime"));
/* referenced via ntp_keygenOptions.pOptDesc->pzText */
- puts(_("generate MD5 keys"));
+ puts(_("prime modulus"));
/* referenced via ntp_keygenOptions.pOptDesc->pzText */
- puts(_("modulus"));
+ puts(_("generate symmetric keys"));
/* referenced via ntp_keygenOptions.pOptDesc->pzText */
puts(_("generate PC private certificate"));
@@ -1378,10 +1379,10 @@
puts(_("export IFF or GQ group keys with password"));
/* referenced via ntp_keygenOptions.pOptDesc->pzText */
- puts(_("generate sign key (RSA or DSA)"));
+ puts(_("set host and optionally group name"));
/* referenced via ntp_keygenOptions.pOptDesc->pzText */
- puts(_("set host and optionally group name"));
+ puts(_("generate sign key (RSA or DSA)"));
/* referenced via ntp_keygenOptions.pOptDesc->pzText */
puts(_("trusted certificate (TC scheme)"));
@@ -1408,7 +1409,7 @@
puts(_("load options from a config file"));
/* referenced via ntp_keygenOptions.pzUsageTitle */
- puts(_("ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10\n\
+ puts(_("ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p11\n\
Usage: %s [ -<flag> [<val>] | --<name>[{=| }<val>] ]...\n"));
/* referenced via ntp_keygenOptions.pzExplain */
@@ -1415,7 +1416,7 @@
puts(_("\n"));
/* referenced via ntp_keygenOptions.pzFullVersion */
- puts(_("ntp-keygen (ntp) 4.2.8p10"));
+ puts(_("ntp-keygen (ntp) 4.2.8p11"));
/* referenced via ntp_keygenOptions.pzFullUsage */
puts(_("<<<NOT-FOUND>>>"));
Index: contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc
===================================================================
--- contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc (版本 330566)
+++ contrib/ntp/util/ntp-keygen.1ntp-keygenmdoc (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_KEYGEN 1ntp-keygenmdoc User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:59 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -21,26 +21,29 @@
.Sh DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.Pp
-All files are in PEM\-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM\-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
.Pp
-When used to generate message digest keys, the program produces a file
-containing ten pseudo\-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo\-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex\-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -60,31 +63,42 @@
Some files used by this program are encrypted using a private password.
The
.Fl p
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
.Fl q
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-.Fn gethostname
-function, normally the DNS name of the host is used.
+.Xr hostname 1
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+.Nm
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
.Pp
The
-.Ar pw
+.Cm pw
option of the
-.Ar crypto
+.Ic crypto
+.Xr ntpd 1ntpdmdoc
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-.Ar ntpd
-without password but only on the same host.
+.Xr ntpd 1ntpdmdoc
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
.Pp
Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-.Ar ntp.keys ,
+.Pa ntp.keys ,
is usually installed in
.Pa /etc .
Other files and links are usually installed in
@@ -91,188 +105,89 @@
.Pa /usr/local/etc ,
which is normally in a shared filesystem in
NFS\-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-.Ar keysdir
-configuration command in such cases.
-Normally, this is in
-.Pa /etc .
+In these cases, NFS clients can specify the files in another
+directory such as
+.Pa /etc
+using the
+.Ic keysdir
+.Xr ntpd 1ntpdmdoc
+configuration file command.
.Pp
This program directs commentary and error messages to the standard
error stream
-.Ar stderr
+.Pa stderr
and remote files to the standard output stream
-.Ar stdout
+.Pa stdout
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-.Ar ntpkey
+.Pa ntpkey\&*
and include the file type, generating host and filestamp,
as described in the
-.Dq Cryptographic Data Files
+.Sx "Cryptographic Data Files"
section below.
.Ss Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-.Pa /usr/local/etc
-When run for the first time, or if all files with names beginning with
-.Ar ntpkey
-have been removed, use the
-.Nm
-command without arguments to generate a
-default RSA host key and matching RSA\-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.Pp
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-.Nm
-with the
-.Fl T
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.Pp
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-.Fl S
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-.Fl c
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken\-and\-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball\-and\-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re\-generated.
-.Pp
-Additional information on trusted groups and identity schemes is on the
-.Dq Autokey Public\-Key Authentication
-page.
-.Pp
-The
-.Xr ntpd 1ntpdmdoc
-configuration command
-.Ic crypto pw Ar password
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.Pp
-File names begin with the prefix
-.Cm ntpkey_
-and end with the postfix
-.Ar _hostname.filestamp ,
-where
-.Ar hostname
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-.Ar filestamp
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-.Ic rm ntpkey\&*
-command or all files generated
-at a specific time can be removed by a
-.Ic rm
-.Ar \&*filestamp
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.Pp
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS\-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.Pp
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write\-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.Pp
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.Nm
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.Ss Running the program
The safest way to run the
.Nm
program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
+The recommended procedure is change to the
+.Ar keys
+directory, usually
.Pa /usr/local/etc ,
then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA\-MD5 certificate file,
+.Pp
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+.Ar keys
+directory, usually
+.Pa /usr/local/etc .
+When run for the first time, or if all files with names beginning with
+.Pa ntpkey\&*
+have been removed, use the
+.Nm
+command without arguments to generate a default
+.Cm RSA
+host key and matching
+.Cm RSA\-MD5
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+.Cm RSA
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the message digest type is
+.Cm MD5 ,
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1
+and
+.Cm RIPE160
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+.Cm RSA
+sign keys;
+however, only
+.Cm SHA
+and
+.Cm SHA1
+certificates are compatible with
+.Cm DSA
+sign keys.
.Pp
Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
@@ -283,19 +198,19 @@
as the other files, are probably not compatible with anything other than Autokey.
.Pp
Running the program as other than root and using the Unix
-.Ic su
+.Xr su 1
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-.Cm .rnd
+.Pa .rnd
in the user home directory.
However, there should be only one
-.Cm .rnd ,
+.Pa .rnd ,
most conveniently
in the root directory, so it is convenient to define the
-.Cm $RANDFILE
+.Ev RANDFILE
environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+.Pa .rnd .
.Pp
Installing the keys as root might not work in NFS\-mounted
shared file systems, as NFS clients may not be able to write
@@ -305,7 +220,8 @@
.Pa /etc
using the
.Ic keysdir
-command.
+.Xr ntpd 1ntpdmdoc
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -338,8 +254,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+.Ar hostname
+and
+.Ar filestamp
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
.Pp
The recommended practice is to keep the file name extensions
@@ -348,98 +267,97 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+.Xr ntpd 1ntpdmdoc
+follows it to the file name to extract the
+.Ar filestamp .
If a link is not present,
.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
+extracts the
+.Ar filestamp
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
.Nm
-program uses the same timestamp extension for all files generated
+program uses the same
+.Ar filestamp
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-.Ss Running the program
-The safest way to run the
+.Pp
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
.Nm
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA\-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+with the
+.Fl T
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+.Fl S
+option and this can be either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the signature
+message digest type is
+.Cm MD5 ,
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+.Fl c
+option.
.Pp
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken\-and\-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball\-and\-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re\-generated.
.Pp
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+Additional information on trusted groups and identity schemes is on the
+.Dq Autokey Public\-Key Authentication
+page.
.Pp
-Installing the keys as root might not work in NFS\-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
+File names begin with the prefix
+.Pa ntpkey Ns _
+and end with the suffix
+.Pa _ Ns Ar hostname . Ar filestamp ,
+where
+.Ar hostname
+is the owner name, usually the string returned
+by the Unix
+.Xr hostname 1
+command, and
+.Ar filestamp
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+.Ic rm Pa ntpkey\&*
+command or all files generated
+at a specific time can be removed by a
+.Ic rm Pa \&* Ns Ar filestamp
command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.Pp
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
+.Ss Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -446,8 +364,14 @@
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+.Cm RSA
+encryption,
+.Cm MD5
+message digest
+and
+.Cm TC
+identification.
First, configure a NTP subnet including one or more low\-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -465,7 +389,7 @@
.Pp
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-.Cm ntpkey
+.Pa ntpkey
files.
Then run
.Nm
@@ -490,7 +414,9 @@
.Cm RSA
or
.Cm DSA .
-The most often need to do this is when a DSA\-signed certificate is used.
+The most frequent need to do this is when a
+.Cm DSA Ns \-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
.Nm
@@ -499,10 +425,10 @@
option and selected
.Ar scheme
as needed.
-f
+If
.Nm
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
.Pp
After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
@@ -509,7 +435,7 @@
Simply run
.Nm
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
.Xr ntpd 1ntpdmdoc
should be restarted.
@@ -520,13 +446,15 @@
at which time the protocol is restarted.
.Ss Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+.Cm TC
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-.Qq Identification Schemes
-page
-(maybe available at
-.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
+including
+.Cm PC , IFF , GQ
+and
+.Cm MV
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -551,12 +479,15 @@
.Fl P
.Fl p Ar password
to generate the host key file
-.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
+.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp
and trusted private certificate file
-.Pa ntpkey_RSA\-MD5_cert_ Ns Ar alice.filestamp .
+.Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp ,
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+.Ar bob
+install a soft link from the generic name
.Pa ntpkey_host_ Ns Ar bob
to the host key file and soft link
.Pa ntpkey_cert_ Ns Ar bob
@@ -565,11 +496,17 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
.Pp
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+.Cm IFF
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -576,15 +513,17 @@
.Fl I
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_IFFpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+.Cm IFF
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
.Pp
If a rogue client has the parameter file, it could masquerade
@@ -594,17 +533,23 @@
After generating the parameter file, on alice run
.Nm
.Fl e
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
.Pp
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+.Cm GQ
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -611,20 +556,30 @@
.Fl G
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_GQpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-.Pa ntpkey_gq_ Ns Ar alice
+.Pa ntpkey_gq_alice
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+.Ar bob
+install a soft link
from generic
.Pa ntpkey_gq_ Ns Ar bob
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+.Cm GQ
+scheme updates the
+.Cm GQ
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
.Pp
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+.Cm MV
+scheme, proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -636,9 +591,9 @@
.Ar n
is the number of revokable keys (typically 5) to produce
the parameter file
-.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVpar_trish. Ns Ar filestamp
and client key files
-.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp
where
.Ar d
is the key number (0 \&<
@@ -647,80 +602,217 @@
.Ar n ) .
Copy the parameter file to alice and install a soft link
from the generic
-.Pa ntpkey_mv_ Ns Ar alice
+.Pa ntpkey_mv_alice
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-.Pa ntpkey_mvkey_ Ns Ar bob
+.Pa ntpkey_mvkey_bob
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+.Cm MV
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
.Ss Command Line Options
.Bl -tag -width indent
-.It Fl c Ar scheme
-Select certificate message digest/signature encryption scheme.
+.It Fl b Fl \-imbits Ns = Ar modulus
+Set the number of bits in the identity modulus for generating identity keys to
+.Ar modulus
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl c Fl \-certificate Ns = Ar scheme
+Select certificate signature encryption/message digest scheme.
The
.Ar scheme
can be one of the following:
-. Cm RSA\-MD2 , RSA\-MD5 , RSA\-SHA , RSA\-SHA1 , RSA\-MDC2 , RSA\-RIPEMD160 , DSA\-SHA ,
+.Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA ,
or
.Cm DSA\-SHA1 .
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+.Cm RSA
+schemes must be used with an
+.Cm RSA
+sign key and
+.Cm DSA
+schemes must be used with a
+.Cm DSA
+sign key.
The default without this option is
.Cm RSA\-MD5 .
-.It Fl d
-Enable debugging.
+If compatibility with FIPS 140\-2 is required, either the
+.Cm DSA\-SHA
+or
+.Cm DSA\-SHA1
+scheme must be used.
+.It Fl C Fl \-cipher Ns = Ar cipher
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three\-key triple DES in CBC mode,
+.Cm des\-ede3\-cbc .
+The
+.Ic openssl Fl h
+command provided with OpenSSL displays available ciphers.
+.It Fl d Fl \-debug\-level
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye\-friendly billboards.
-.It Fl e
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-.It Fl G
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-.It Fl g
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-.It Fl H
-Generate new host keys, obsoleting any that may exist.
-.It Fl I
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-.It Fl i Ar name
-Set the suject name to
-.Ar name .
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-.It Fl M
-Generate MD5 keys, obsoleting any that may exist.
-.It Fl P
-Generate a private certificate.
+.It Fl D Fl \-set\-debug\-level Ns = Ar level
+Set the debugging verbosity to
+.Ar level .
+This option displays the cryptographic data produced in eye\-friendly billboards.
+.It Fl e Fl \-id\-key
+Write the
+.Cm IFF
+or
+.Cm GQ
+public parameters from the
+.Ar IFFkey or GQkey
+client keys file previously specified
+as unencrypted data to the standard output stream
+.Pa stdout .
+This is intended for automatic key distribution by email.
+.It Fl G Fl \-gq\-params
+Generate a new encrypted
+.Cm GQ
+parameters and key file for the Guillou\-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl V
+options.
+.It Fl H Fl \-host\-key
+Generate a new encrypted
+.Cm RSA
+public/private host key file.
+.It Fl I Fl \-iffkey
+Generate a new encrypted
+.Cm IFF
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+.Fl G
+and
+Fl V
+options.
+.It Fl i Fl \-ident Ns = Ar group
+Set the optional Autokey group name to
+.Ar group .
+This is used in the identity scheme parameter file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+.Fl i
+or
+.Fl s
+following an
+.Ql @
+character, is also used in certificate subject and issuer names in the form
+.Ar host @ group
+and should match the group specified via
+.Ic crypto Cm ident
+or
+.Ic server Cm ident
+in the ntpd configuration file.
+.It Fl l Fl \-lifetime Ns = Ar days
+Set the lifetime for certificate expiration to
+.Ar days .
+The default lifetime is one year (365 days).
+.It Fl m Fl \-modulus Ns = Ar bits
+Set the number of bits in the prime modulus for generating files to
+.Ar bits .
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl M Fl \-md5key
+Generate a new symmetric keys file containing 10
+.Cm MD5
+keys, and if OpenSSL is available, 10
+.Cm SHA
+keys.
+An
+.Cm MD5
+key is a string of 20 random printable ASCII characters, while a
+.Cm SHA
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+.It Fl p Fl \-password Ns = Ar passwd
+Set the password for reading and writing encrypted files to
+.Ar passwd .
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl P Fl \-pvt\-cert
+Generate a new private certificate used by the
+.Cm PC
+identity scheme.
By default, the program generates public certificates.
-.It Fl p Ar password
-Encrypt generated files containing private data with
-.Ar password
-and the DES\-CBC algorithm.
-.It Fl q
-Set the password for reading files to password.
-.It Fl S Oo Cm RSA | DSA Oc
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-.It Fl s Ar name
-Set the issuer name to
-.Ar name .
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.It Fl T
+Note: the PC identity scheme is not recommended for new installations.
+.It Fl q Fl \-export\-passwd Ns = Ar passwd
+Set the password for writing encrypted
+.Cm IFF , GQ and MV
+identity files redirected to
+.Pa stdout
+to
+.Ar passwd .
+In effect, these files are decrypted with the
+.Fl p
+password, then encrypted with the
+.Fl q
+password.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group
+Specify the Autokey host name, where
+.Ar host
+is the optional host name and
+.Ar group
+is the optional group name.
+The host name, and if provided, group name are used in
+.Ar host @ group
+form as certificate subject and issuer.
+Specifying
+.Fl s @ Ar group
+is allowed, and results in leaving the host name unchanged, as with
+.Fl i Ar group .
+The group name, or if no group is provided, the host name are also used in the
+file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+identity scheme client parameter files.
+If
+.Ar host
+is not specified, the default host name is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140\-2 is required, the sign key type must be
+.Cm DSA .
+.It Fl T Fl \-trusted\-cert
Generate a trusted certificate.
By default, the program generates a non\-trusted certificate.
-.It Fl V Ar nkeys
-Generate parameters and keys for the Mu\-Varadharajan (MV) identification scheme.
+.It Fl V Fl \-mv\-params Ar nkeys
+Generate
+.Ar nkeys
+encrypted server keys and parameters for the Mu\-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl G
+options.
+Note: support for this option should be considered a work in progress.
.El
.Ss Random Seed File
All cryptographically sound key generation schemes must have means
@@ -744,7 +836,7 @@
.Pp
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-.Cm .rnd ,
+.Pa .rnd ,
which must be available when starting the NTP daemon
or the
.Nm
@@ -751,7 +843,7 @@
program.
The NTP daemon will first look for the file
using the path specified by the
-.Ic randfile
+.Cm randfile
subcommand of the
.Ic crypto
configuration command.
@@ -767,44 +859,118 @@
.Ev RANDFILE
environment variable is not present,
the library will look for the
-.Cm .rnd
+.Pa .rnd
file in the user home directory.
+Since both the
+.Nm
+program and
+.Xr ntpd 1ntpdmdoc
+daemon must run as root, the logical place to put this file is in
+.Pa /.rnd
+or
+.Pa /root/.rnd .
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
.Ss Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp ,
+where
+.Ar key
+is the key or parameter type,
+.Ar name
+is the host or group name and
+.Ar filestamp
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+.Ar key
+names in generated file names include both upper and lower case
+characters, while
+.Ar key
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+.Pa date
+format.
+Lines beginning with
+.Ql #
+are considered comments and ignored by the
.Nm
program and
.Xr ntpd 1ntpdmdoc
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM\-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
.Pp
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES\-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
-.D1 Ar keyno type key
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM\-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+.Pp
+The format of the symmetric keys file, ordinarily named
+.Pa ntp.keys ,
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+.Bd -literal -unfilled -offset center
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+.Ed
+.D1 Figure 1. Typical Symmetric Key File
+.Pp
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+.D1 Ar keyno Ar type Ar key
where
.Ar keyno
-is a positive integer in the range 1\-65,535,
+is a positive integer in the range 1\-65534;
.Ar type
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+.Cm MD5
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140\-2 is required,
+the key type must be either
+.Cm SHA
+or
+.Cm SHA1 ;
.Ar key
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+.Ql !
+through
+.Ql ~
+\&) excluding space and the
.Ql #
+character, and terminated by whitespace or a
+.Ql #
character.
+An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which
+is truncated as necessary.
.Pp
Note that the keys used by the
.Xr ntpq 1ntpqmdoc
@@ -817,8 +983,8 @@
.Pp
The
.Nm
-program generates a MD5 symmetric keys file
-.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
+program generates a symmetric keys file
+.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp .
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -856,10 +1022,10 @@
certificate scheme.
.sp
scheme is one of
-RSA\-MD2, RSA\-MD5, RSA\-SHA, RSA\-SHA1, RSA\-MDC2, RSA\-RIPEMD160,
+RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160,
DSA\-SHA, or DSA\-SHA1.
.sp
-Select the certificate message digest/signature encryption scheme.
+Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA\-MD5.
@@ -868,7 +1034,7 @@
.sp
Select the cipher which is used to encrypt the files containing
private keys. The default is three\-key triple DES in CBC mode,
-equivalent to "@code{\-C des\-ede3\-cbc". The openssl tool lists ciphers
+equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers
available in "\fBopenssl \-h\fP" output.
.It Fl d , Fl \-debug\-level
Increase debug verbosity level.
@@ -882,8 +1048,9 @@
.It Fl e , Fl \-id\-key
Write IFF or GQ identity keys.
.sp
-Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
.It Fl G , Fl \-gq\-params
Generate GQ parameters and keys.
.sp
@@ -906,21 +1073,17 @@
that role, the default is the host name if this option is not
provided. The group name, if specified using \fB\-i/\-\-ident\fP or
using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character,
-is also a part of the self\-signed host certificate's subject and
+is also a part of the self\-signed host certificate subject and
issuer names in the form \fBhost@group\fP and should match the
-\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in
-\fBntpd\fP's configuration file.
+\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the
+\fBntpd\fP configuration file.
.It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime
set certificate lifetime.
This option takes an integer number as its argument.
.sp
Set the certificate expiration to lifetime days from now.
-.It Fl M , Fl \-md5key
-generate MD5 keys.
-.sp
-Generate MD5 keys, obsoleting any that may exist.
.It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus
-modulus.
+prime modulus.
This option takes an integer number as its argument.
The value of
.Ar modulus
@@ -933,6 +1096,10 @@
.in -4
.sp
The number of bits in the prime modulus. The default is 512.
+.It Fl M , Fl \-md5key
+generate symmetric keys.
+.sp
+Generate symmetric keys, obsoleting any that may exist.
.It Fl P , Fl \-pvt\-cert
generate PC private certificate.
.sp
@@ -954,12 +1121,6 @@
The same password must be specified to the remote ntpd via the
"crypto pw password" configuration command. See also the option
-\-id\-key (\-e) for unencrypted exports.
-.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
-generate sign key (RSA or DSA).
-.sp
-Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
.It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group
set host and optionally group name.
.sp
@@ -967,12 +1128,18 @@
following an '\fB@\fP' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
-in \fBhost@group\fP form for the host certificate's subject and issuer
+in \fBhost@group\fP form for the host certificate subject and issuer
fields. Specifying '\fB\-s @group\fP' is allowed, and results in
leaving the host name unchanged while appending \fB@group\fP to the
subject and issuer fields, as with \fB\-i group\fP. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
+.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
+generate sign key (RSA or DSA).
+.sp
+Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
.It Fl T , Fl \-trusted\-cert
trusted certificate (TC scheme).
.sp
@@ -1021,18 +1188,6 @@
If any of these are directories, then the file \fI.ntprc\fP
is searched for within those directories.
.Sh USAGE
-The
-.Fl p Ar password
-option specifies the write password and
-.Fl q Ar password
-option the read password for previously encrypted files.
-The
-.Nm
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
.Sh "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.Sh "FILES"
@@ -1056,10 +1211,7 @@
Copyright (C) 1992\-2017 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
+It can take quite a while to generate some cryptographic values.
.Pp
Please report bugs to http://bugs.ntp.org .
.Pp
Index: lib/libmagic/config.h
===================================================================
--- lib/libmagic/config.h (版本 330566)
+++ lib/libmagic/config.h (版本 330908)
@@ -293,7 +293,7 @@
#define PACKAGE_NAME "file"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "file 5.29"
+#define PACKAGE_STRING "file 5.32"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "file"
@@ -302,7 +302,7 @@
#define PACKAGE_URL ""
/* Define to the version of this package. */
-#define PACKAGE_VERSION "5.29"
+#define PACKAGE_VERSION "5.32"
/* Define to 1 if you have the ANSI C header files. */
#define STDC_HEADERS 1
@@ -333,7 +333,7 @@
/* Version number of package */
-#define VERSION "5.29"
+#define VERSION "5.32"
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
Index: contrib/ntp/util/ntp-keygen-opts.def
===================================================================
--- contrib/ntp/util/ntp-keygen-opts.def (版本 330566)
+++ contrib/ntp/util/ntp-keygen-opts.def (版本 330908)
@@ -35,10 +35,10 @@
descrip = "certificate scheme";
doc = <<- _EndOfDoc_
scheme is one of
- RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
+ RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
DSA-SHA, or DSA-SHA1.
- Select the certificate message digest/signature encryption scheme.
+ Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA-MD5.
@@ -55,7 +55,7 @@
doc = <<- _EndOfDoc_
Select the cipher which is used to encrypt the files containing
private keys. The default is three-key triple DES in CBC mode,
- equivalent to "@code{-C des-ede3-cbc". The openssl tool lists ciphers
+ equivalent to "@code{-C des-ede3-cbc}". The openssl tool lists ciphers
available in "@code{openssl -h}" output.
_EndOfDoc_;
};
@@ -68,8 +68,9 @@
ifdef = AUTOKEY;
descrip = "Write IFF or GQ identity keys";
doc = <<- _EndOfDoc_
- Write the IFF or GQ client keys to the standard output. This is
- intended for automatic key distribution by mail.
+ Write the public parameters from the IFF or GQ client keys to
+ the standard output.
+ This is intended for automatic key distribution by email.
_EndOfDoc_;
};
@@ -117,11 +118,11 @@
the file name of IFF, GQ, and MV client parameters files. In
that role, the default is the host name if this option is not
provided. The group name, if specified using @code{-i/--ident} or
- using @code{-s/--subject-name} following an '@code{@}' character,
- is also a part of the self-signed host certificate's subject and
- issuer names in the form @code{host@group} and should match the
- '@code{crypto ident}' or '@code{server ident}' configuration in
- @code{ntpd}'s configuration file.
+ using @code{-s/--subject-name} following an '@code{@@}' character,
+ is also a part of the self-signed host certificate subject and
+ issuer names in the form @code{host@@group} and should match the
+ '@code{crypto ident}' or '@code{server ident}' configuration in the
+ @code{ntpd} configuration file.
_EndOfDoc_;
};
@@ -138,15 +139,6 @@
};
flag = {
- value = M;
- name = md5key;
- descrip = "generate MD5 keys";
- doc = <<- _EndOfDoc_
- Generate MD5 keys, obsoleting any that may exist.
- _EndOfDoc_;
-};
-
-flag = {
value = m;
name = modulus;
arg-type = number;
@@ -153,7 +145,7 @@
arg-name = modulus;
arg-range = '256->2048';
ifdef = AUTOKEY;
- descrip = "modulus";
+ descrip = "prime modulus";
doc = <<- _EndOfDoc_
The number of bits in the prime modulus. The default is 512.
_EndOfDoc_;
@@ -160,6 +152,15 @@
};
flag = {
+ value = M;
+ name = md5key;
+ descrip = "generate symmetric keys";
+ doc = <<- _EndOfDoc_
+ Generate symmetric keys, obsoleting any that may exist.
+ _EndOfDoc_;
+};
+
+flag = {
value = P;
name = pvt-cert;
ifdef = AUTOKEY;
@@ -203,20 +204,6 @@
};
flag = {
- value = S;
- name = sign-key;
- arg-type = string;
- arg-name = sign;
- ifdef = AUTOKEY;
- descrip = "generate sign key (RSA or DSA)";
- doc = <<- _EndOfDoc_
- Generate a new sign key of the designated type, obsoleting any
- that may exist. By default, the program uses the host key as the
- sign key.
- _EndOfDoc_;
-};
-
-flag = {
value = s;
name = subject-name;
arg-type = string;
@@ -225,12 +212,12 @@
descrip = "set host and optionally group name";
doc = <<- _EndOfDoc_
Set the Autokey host name, and optionally, group name specified
- following an '@code{@}' character. The host name is used in the file
+ following an '@code{@@}' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
- in @code{host@group} form for the host certificate's subject and issuer
- fields. Specifying '@code{-s @group}' is allowed, and results in
- leaving the host name unchanged while appending @code{@group} to the
+ in @code{host@@group} form for the host certificate subject and issuer
+ fields. Specifying '@code{-s @@group}' is allowed, and results in
+ leaving the host name unchanged while appending @code{@@group} to the
subject and issuer fields, as with @code{-i group}. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
@@ -238,6 +225,20 @@
};
flag = {
+ value = S;
+ name = sign-key;
+ arg-type = string;
+ arg-name = sign;
+ ifdef = AUTOKEY;
+ descrip = "generate sign key (RSA or DSA)";
+ doc = <<- _EndOfDoc_
+ Generate a new sign key of the designated type, obsoleting any
+ that may exist. By default, the program uses the host key as the
+ sign key.
+ _EndOfDoc_;
+};
+
+flag = {
value = T;
name = trusted-cert;
ifdef = AUTOKEY;
@@ -280,26 +281,29 @@
ds-text = <<- _END_PROG_MDOC_DESCRIP
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.Pp
-All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
.Pp
-When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -319,31 +323,42 @@
Some files used by this program are encrypted using a private password.
The
.Fl p
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
.Fl q
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-.Fn gethostname
-function, normally the DNS name of the host is used.
+.Xr hostname 1
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+.Nm
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
.Pp
The
-.Ar pw
+.Cm pw
option of the
-.Ar crypto
+.Ic crypto
+.Xr ntpd 1ntpdmdoc
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-.Ar ntpd
-without password but only on the same host.
+.Xr ntpd 1ntpdmdoc
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
.Pp
Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-.Ar ntp.keys ,
+.Pa ntp.keys ,
is usually installed in
.Pa /etc .
Other files and links are usually installed in
@@ -350,191 +365,90 @@
.Pa /usr/local/etc ,
which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-.Ar keysdir
-configuration command in such cases.
-Normally, this is in
-.Pa /etc .
+In these cases, NFS clients can specify the files in another
+directory such as
+.Pa /etc
+using the
+.Ic keysdir
+.Xr ntpd 1ntpdmdoc
+configuration file command.
.Pp
This program directs commentary and error messages to the standard
error stream
-.Ar stderr
+.Pa stderr
and remote files to the standard output stream
-.Ar stdout
+.Pa stdout
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-.Ar ntpkey
+.Pa ntpkey\&*
and include the file type, generating host and filestamp,
as described in the
-.Dq Cryptographic Data Files
+.Sx "Cryptographic Data Files"
section below.
+
.Ss Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-.Pa /usr/local/etc
-When run for the first time, or if all files with names beginning with
-.Ar ntpkey
-have been removed, use the
-.Nm
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.Pp
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-.Nm
-with the
-.Fl T
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.Pp
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-.Fl S
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-.Fl c
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-.Pp
-Additional information on trusted groups and identity schemes is on the
-.Dq Autokey Public-Key Authentication
-page.
-
-
-.Pp
-The
-.Xr ntpd 1ntpdmdoc
-configuration command
-.Ic crypto pw Ar password
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-
-.Pp
-File names begin with the prefix
-.Cm ntpkey_
-and end with the postfix
-.Ar _hostname.filestamp ,
-where
-.Ar hostname
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-.Ar filestamp
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-.Ic rm ntpkey\&*
-command or all files generated
-at a specific time can be removed by a
-.Ic rm
-.Ar \&*filestamp
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.Pp
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.Pp
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.Pp
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.Nm
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.Ss Running the program
The safest way to run the
.Nm
program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
+The recommended procedure is change to the
+.Ar keys
+directory, usually
.Pa /usr/local/etc ,
then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
+.Pp
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+.Ar keys
+directory, usually
+.Pa /usr/local/etc .
+When run for the first time, or if all files with names beginning with
+.Pa ntpkey\&*
+have been removed, use the
+.Nm
+command without arguments to generate a default
+.Cm RSA
+host key and matching
+.Cm RSA-MD5
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+.Cm RSA
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the message digest type is
+.Cm MD5 ,
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1
+and
+.Cm RIPE160
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+.Cm RSA
+sign keys;
+however, only
+.Cm SHA
+and
+.Cm SHA1
+certificates are compatible with
+.Cm DSA
+sign keys.
.Pp
Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
@@ -545,19 +459,19 @@
as the other files, are probably not compatible with anything other than Autokey.
.Pp
Running the program as other than root and using the Unix
-.Ic su
+.Xr su 1
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-.Cm .rnd
+.Pa .rnd
in the user home directory.
However, there should be only one
-.Cm .rnd ,
+.Pa .rnd ,
most conveniently
in the root directory, so it is convenient to define the
-.Cm $RANDFILE
+.Ev RANDFILE
environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+.Pa .rnd .
.Pp
Installing the keys as root might not work in NFS-mounted
shared file systems, as NFS clients may not be able to write
@@ -567,7 +481,8 @@
.Pa /etc
using the
.Ic keysdir
-command.
+.Xr ntpd 1ntpdmdoc
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -581,7 +496,6 @@
as the subject and issuer fields, respectively, of the certificate.
The owner name is also used for the host and sign key files,
while the trusted name is used for the identity files.
-
.Pp
All files are installed by default in the keys directory
.Pa /usr/local/etc ,
@@ -601,8 +515,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+.Ar hostname
+and
+.Ar filestamp
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
.Pp
The recommended practice is to keep the file name extensions
@@ -611,99 +528,98 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+.Xr ntpd 1ntpdmdoc
+follows it to the file name to extract the
+.Ar filestamp .
If a link is not present,
.Xr ntpd 1ntpdmdoc
-extracts the filestamp from the file itself.
+extracts the
+.Ar filestamp
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
.Nm
-program uses the same timestamp extension for all files generated
+program uses the same
+.Ar filestamp
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-.Ss Running the program
-The safest way to run the
+.Pp
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
.Nm
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+with the
+.Fl T
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+.Fl S
+option and this can be either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the signature
+message digest type is
+.Cm MD5 ,
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+.Fl c
+option.
.Pp
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken-and-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball-and-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re-generated.
.Pp
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+Additional information on trusted groups and identity schemes is on the
+.Dq Autokey Public-Key Authentication
+page.
.Pp
-Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
+File names begin with the prefix
+.Pa ntpkey Ns _
+and end with the suffix
+.Pa _ Ns Ar hostname . Ar filestamp ,
+where
+.Ar hostname
+is the owner name, usually the string returned
+by the Unix
+.Xr hostname 1
+command, and
+.Ar filestamp
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+.Ic rm Pa ntpkey\&*
+command or all files generated
+at a specific time can be removed by a
+.Ic rm Pa \&* Ns Ar filestamp
command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.Pp
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
-s Trusted Hosts and Groups
+.Ss Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -710,8 +626,14 @@
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+.Cm RSA
+encryption,
+.Cm MD5
+message digest
+and
+.Cm TC
+identification.
First, configure a NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -729,7 +651,7 @@
.Pp
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-.Cm ntpkey
+.Pa ntpkey
files.
Then run
.Nm
@@ -754,7 +676,9 @@
.Cm RSA
or
.Cm DSA .
-The most often need to do this is when a DSA-signed certificate is used.
+The most frequent need to do this is when a
+.Cm DSA Ns -signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
.Nm
@@ -763,10 +687,10 @@
option and selected
.Ar scheme
as needed.
-f
+If
.Nm
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
.Pp
After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
@@ -773,7 +697,7 @@
Simply run
.Nm
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
.Xr ntpd 1ntpdmdoc
should be restarted.
@@ -782,15 +706,18 @@
is restarted, it loads any new files and restarts the protocol.
Other dependent hosts will continue as usual until signatures are refreshed,
at which time the protocol is restarted.
+
.Ss Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+.Cm TC
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-.Qq Identification Schemes
-page
-(maybe available at
-.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
+including
+.Cm PC , IFF , GQ
+and
+.Cm MV
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -815,12 +742,15 @@
.Fl P
.Fl p Ar password
to generate the host key file
-.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
+.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp
and trusted private certificate file
-.Pa ntpkey_RSA-MD5_cert_ Ns Ar alice.filestamp .
+.Pa ntpkey Ns _ Cm RSA-MD5 _ Pa cert_alice. Ar filestamp ,
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+.Ar bob
+install a soft link from the generic name
.Pa ntpkey_host_ Ns Ar bob
to the host key file and soft link
.Pa ntpkey_cert_ Ns Ar bob
@@ -829,11 +759,17 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
.Pp
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+.Cm IFF
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -840,15 +776,17 @@
.Fl I
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_IFFpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+.Cm IFF
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
.Pp
If a rogue client has the parameter file, it could masquerade
@@ -858,17 +796,23 @@
After generating the parameter file, on alice run
.Nm
.Fl e
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
.Pp
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+.Cm GQ
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -875,20 +819,30 @@
.Fl G
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_GQpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-.Pa ntpkey_gq_ Ns Ar alice
+.Pa ntpkey_gq_alice
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+.Ar bob
+install a soft link
from generic
.Pa ntpkey_gq_ Ns Ar bob
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+.Cm GQ
+scheme updates the
+.Cm GQ
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
.Pp
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+.Cm MV
+scheme, proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -900,9 +854,9 @@
.Ar n
is the number of revokable keys (typically 5) to produce
the parameter file
-.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVpar_trish. Ns Ar filestamp
and client key files
-.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp
where
.Ar d
is the key number (0 \&<
@@ -911,81 +865,220 @@
.Ar n ) .
Copy the parameter file to alice and install a soft link
from the generic
-.Pa ntpkey_mv_ Ns Ar alice
+.Pa ntpkey_mv_alice
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-.Pa ntpkey_mvkey_ Ns Ar bob
+.Pa ntpkey_mvkey_bob
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+.Cm MV
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
+
.Ss Command Line Options
.Bl -tag -width indent
-.It Fl c Ar scheme
-Select certificate message digest/signature encryption scheme.
+.It Fl b Fl -imbits Ns = Ar modulus
+Set the number of bits in the identity modulus for generating identity keys to
+.Ar modulus
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl c Fl -certificate Ns = Ar scheme
+Select certificate signature encryption/message digest scheme.
The
.Ar scheme
can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
+.Cm RSA-MD2 , RSA-MD5 , RSA-MDC2 , RSA-SHA , RSA-SHA1 , RSA-RIPEMD160 , DSA-SHA ,
or
.Cm DSA-SHA1 .
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+.Cm RSA
+schemes must be used with an
+.Cm RSA
+sign key and
+.Cm DSA
+schemes must be used with a
+.Cm DSA
+sign key.
The default without this option is
.Cm RSA-MD5 .
-.It Fl d
-Enable debugging.
+If compatibility with FIPS 140-2 is required, either the
+.Cm DSA-SHA
+or
+.Cm DSA-SHA1
+scheme must be used.
+.It Fl C Fl -cipher Ns = Ar cipher
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three-key triple DES in CBC mode,
+.Cm des-ede3-cbc .
+The
+.Ic openssl Fl h
+command provided with OpenSSL displays available ciphers.
+.It Fl d Fl -debug-level
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye-friendly billboards.
-.It Fl e
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-.It Fl G
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-.It Fl g
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-.It Fl H
-Generate new host keys, obsoleting any that may exist.
-.It Fl I
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-.It Fl i Ar name
-Set the suject name to
-.Ar name .
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-.It Fl M
-Generate MD5 keys, obsoleting any that may exist.
-.It Fl P
-Generate a private certificate.
+.It Fl D Fl -set-debug-level Ns = Ar level
+Set the debugging verbosity to
+.Ar level .
+This option displays the cryptographic data produced in eye-friendly billboards.
+.It Fl e Fl -id-key
+Write the
+.Cm IFF
+or
+.Cm GQ
+public parameters from the
+.Ar IFFkey or GQkey
+client keys file previously specified
+as unencrypted data to the standard output stream
+.Pa stdout .
+This is intended for automatic key distribution by email.
+.It Fl G Fl -gq-params
+Generate a new encrypted
+.Cm GQ
+parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl V
+options.
+.It Fl H Fl -host-key
+Generate a new encrypted
+.Cm RSA
+public/private host key file.
+.It Fl I Fl -iffkey
+Generate a new encrypted
+.Cm IFF
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+.Fl G
+and
+Fl V
+options.
+.It Fl i Fl -ident Ns = Ar group
+Set the optional Autokey group name to
+.Ar group .
+This is used in the identity scheme parameter file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+.Fl i
+or
+.Fl s
+following an
+.Ql @@
+character, is also used in certificate subject and issuer names in the form
+.Ar host @@ group
+and should match the group specified via
+.Ic crypto Cm ident
+or
+.Ic server Cm ident
+in the ntpd configuration file.
+.It Fl l Fl -lifetime Ns = Ar days
+Set the lifetime for certificate expiration to
+.Ar days .
+The default lifetime is one year (365 days).
+.It Fl m Fl -modulus Ns = Ar bits
+Set the number of bits in the prime modulus for generating files to
+.Ar bits .
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl M Fl -md5key
+Generate a new symmetric keys file containing 10
+.Cm MD5
+keys, and if OpenSSL is available, 10
+.Cm SHA
+keys.
+An
+.Cm MD5
+key is a string of 20 random printable ASCII characters, while a
+.Cm SHA
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+.It Fl p Fl -password Ns = Ar passwd
+Set the password for reading and writing encrypted files to
+.Ar passwd .
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl P Fl -pvt-cert
+Generate a new private certificate used by the
+.Cm PC
+identity scheme.
By default, the program generates public certificates.
-.It Fl p Ar password
-Encrypt generated files containing private data with
-.Ar password
-and the DES-CBC algorithm.
-.It Fl q
-Set the password for reading files to password.
-.It Fl S Oo Cm RSA | DSA Oc
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-.It Fl s Ar name
-Set the issuer name to
-.Ar name .
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.It Fl T
+Note: the PC identity scheme is not recommended for new installations.
+.It Fl q Fl -export-passwd Ns = Ar passwd
+Set the password for writing encrypted
+.Cm IFF , GQ and MV
+identity files redirected to
+.Pa stdout
+to
+.Ar passwd .
+In effect, these files are decrypted with the
+.Fl p
+password, then encrypted with the
+.Fl q
+password.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl s Fl -subject-key Ns = Ar Oo host Oc Op @@ Ar group
+Specify the Autokey host name, where
+.Ar host
+is the optional host name and
+.Ar group
+is the optional group name.
+The host name, and if provided, group name are used in
+.Ar host @@ group
+form as certificate subject and issuer.
+Specifying
+.Fl s @@ Ar group
+is allowed, and results in leaving the host name unchanged, as with
+.Fl i Ar group .
+The group name, or if no group is provided, the host name are also used in the
+file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+identity scheme client parameter files.
+If
+.Ar host
+is not specified, the default host name is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl S Fl -sign-key Ns = Op Cm RSA | DSA
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140-2 is required, the sign key type must be
+.Cm DSA .
+.It Fl T Fl -trusted-cert
Generate a trusted certificate.
By default, the program generates a non-trusted certificate.
-.It Fl V Ar nkeys
-Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
+.It Fl V Fl -mv-params Ar nkeys
+Generate
+.Ar nkeys
+encrypted server keys and parameters for the Mu-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl G
+options.
+Note: support for this option should be considered a work in progress.
.El
+
.Ss Random Seed File
All cryptographically sound key generation schemes must have means
to randomize the entropy seed used to initialize
@@ -1008,7 +1101,7 @@
.Pp
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-.Cm .rnd ,
+.Pa .rnd ,
which must be available when starting the NTP daemon
or the
.Nm
@@ -1015,7 +1108,7 @@
program.
The NTP daemon will first look for the file
using the path specified by the
-.Ic randfile
+.Cm randfile
subcommand of the
.Ic crypto
configuration command.
@@ -1031,44 +1124,120 @@
.Ev RANDFILE
environment variable is not present,
the library will look for the
-.Cm .rnd
+.Pa .rnd
file in the user home directory.
+Since both the
+.Nm
+program and
+.Xr ntpd 1ntpdmdoc
+daemon must run as root, the logical place to put this file is in
+.Pa /.rnd
+or
+.Pa /root/.rnd .
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
+
.Ss Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp ,
+where
+.Ar key
+is the key or parameter type,
+.Ar name
+is the host or group name and
+.Ar filestamp
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+.Ar key
+names in generated file names include both upper and lower case
+characters, while
+.Ar key
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+.Pa date
+format.
+Lines beginning with
+.Ql #
+are considered comments and ignored by the
.Nm
program and
.Xr ntpd 1ntpdmdoc
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
.Pp
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
-.D1 Ar keyno type key
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+.Pp
+The format of the symmetric keys file, ordinarily named
+.Pa ntp.keys ,
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+.Bd -literal -unfilled -offset center
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+.Ed
+.D1 Figure 1. Typical Symmetric Key File
+.Pp
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+.D1 Ar keyno Ar type Ar key
where
.Ar keyno
-is a positive integer in the range 1-65,535,
+is a positive integer in the range 1-65534;
.Ar type
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+.Cm MD5
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140-2 is required,
+the key type must be either
+.Cm SHA
+or
+.Cm SHA1 ;
.Ar key
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+.Ql !
+through
+.Ql ~
+\&) excluding space and the
.Ql #
+character, and terminated by whitespace or a
+.Ql #
character.
+An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
+is truncated as necessary.
.Pp
Note that the keys used by the
.Xr ntpq 1ntpqmdoc
@@ -1081,8 +1250,8 @@
.Pp
The
.Nm
-program generates a MD5 symmetric keys file
-.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
+program generates a symmetric keys file
+.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp .
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -1107,18 +1276,6 @@
ds-type = 'USAGE';
ds-format = 'mdoc';
ds-text = <<- _END_MDOC_USAGE
-The
-.Fl p Ar password
-option specifies the write password and
-.Fl q Ar password
-option the read password for previously encrypted files.
-The
-.Nm
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
_END_MDOC_USAGE;
};
@@ -1134,10 +1291,7 @@
ds-type = 'BUGS';
ds-format = 'mdoc';
ds-text = <<- _END_MDOC_BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
+It can take quite a while to generate some cryptographic values.
.Pp
Please report bugs to http://bugs.ntp.org .
_END_MDOC_BUGS;
Index: contrib/ntp/util/ntp-keygen.html
===================================================================
--- contrib/ntp/util/ntp-keygen.html (版本 330566)
+++ contrib/ntp/util/ntp-keygen.html (版本 330908)
@@ -70,7 +70,7 @@
printable ASCII format so they can be embedded as MIME attachments in
mail to other sites.
- <p>This document applies to version 4.2.8p10 of <code>ntp-keygen</code>.
+ <p>This document applies to version 4.2.8p11 of <code>ntp-keygen</code>.
<div class="node">
<p><hr>
@@ -217,26 +217,29 @@
<p>This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
- <p>All files are in PEM-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+ <p>The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
- <p>When used to generate message digest keys, the program produces a file
-containing ten pseudo-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+ <p>When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex-encoded random bit strings suitable for SHA1, AES-128-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -256,31 +259,42 @@
<p>Some files used by this program are encrypted using a private password.
The
<code>-p</code>
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
<code>-q</code>
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-<code>gethostname()</code>
-function, normally the DNS name of the host is used.
+<code>hostname(1)</code>
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+<code>ntp-keygen</code>
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
<p>The
-<kbd>pw</kbd>
+<code>pw</code>
option of the
-<kbd>crypto</kbd>
+<code>crypto</code>
+<code>ntpd(1ntpdmdoc)</code>
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-<kbd>ntpd</kbd>
-without password but only on the same host.
+<code>ntpd(1ntpdmdoc)</code>
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
<p>Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-<kbd>ntp.keys</kbd>,
+<span class="file">ntp.keys</span>,
is usually installed in
<span class="file">/etc</span>.
Other files and links are usually installed in
@@ -287,192 +301,91 @@
<span class="file">/usr/local/etc</span>,
which is normally in a shared filesystem in
NFS-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-<kbd>keysdir</kbd>
-configuration command in such cases.
-Normally, this is in
-<span class="file">/etc</span>.
+In these cases, NFS clients can specify the files in another
+directory such as
+<span class="file">/etc</span>
+using the
+<code>keysdir</code>
+<code>ntpd(1ntpdmdoc)</code>
+configuration file command.
<p>This program directs commentary and error messages to the standard
error stream
-<kbd>stderr</kbd>
+<span class="file">stderr</span>
and remote files to the standard output stream
-<kbd>stdout</kbd>
+<span class="file">stdout</span>
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-<kbd>ntpkey</kbd>
+<span class="file">ntpkey*</span>
and include the file type, generating host and filestamp,
as described in the
-Cryptographic Data Files
+<a href="#Cryptographic-Data-Files">Cryptographic Data Files</a>
section below.
<h5 class="subsubsection">Running the Program</h5>
-<p>To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-<span class="file">/usr/local/etc</span>
-When run for the first time, or if all files with names beginning with
-<kbd>ntpkey</kbd>
-have been removed, use the
+<p>The safest way to run the
<code>ntp-keygen</code>
-command without arguments to generate a
-default RSA host key and matching RSA-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-
- <p>Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-<code>ntp-keygen</code>
-with the
-<code>-T</code>
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-
- <p>The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-<code>-S</code>
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-<code>-c</code>
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken-and-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball-and-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re-generated.
-
- <p>Additional information on trusted groups and identity schemes is on the
-Autokey Public-Key Authentication
-page.
-
- <p>The
-<code>ntpd(1ntpdmdoc)</code>
-configuration command
-<code>crypto</code> <code>pw</code> <kbd>password</kbd>
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-
- <p>File names begin with the prefix
-<code>ntpkey_</code>
-and end with the postfix
-<kbd>_hostname.filestamp</kbd>,
-where
-<kbd>hostname</kbd>
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-<kbd>filestamp</kbd>
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-<code>rm</code> <code>ntpkey*</code>
-command or all files generated
-at a specific time can be removed by a
-<code>rm</code>
-<kbd>*filestamp</kbd>
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-
- <p>All files are installed by default in the keys directory
+program is logged in directly as root.
+The recommended procedure is change to the
+<kbd>keys</kbd>
+directory, usually
<span class="file">/usr/local/etc</span>,
-which is normally in a shared filesystem
-in NFS-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
+then run the program.
- <p>Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-
- <p>The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-<code>ntpd(1ntpdmdoc)</code>
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
+ <p>To test and gain experience with Autokey concepts, log in as root and
+change to the
+<kbd>keys</kbd>
+directory, usually
+<span class="file">/usr/local/etc</span>.
+When run for the first time, or if all files with names beginning with
+<span class="file">ntpkey*</span>
+have been removed, use the
<code>ntp-keygen</code>
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-
-<h5 class="subsubsection">Running the program</h5>
-
-<p>The safest way to run the
-<code>ntp-keygen</code>
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-<span class="file">/usr/local/etc</span>,
-then run the program.
-When run for the first time,
-or if all
-<code>ntpkey</code>
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
+command without arguments to generate a default
+<code>RSA</code>
+host key and matching
+<code>RSA-MD5</code>
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
- <p>The host key is used to encrypt the cookie when required and so must be RSA type.
+ <p>The host key is used to encrypt the cookie when required and so must be
+<code>RSA</code>
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+<code>RSA</code>
+or
+<code>DSA</code>
+type.
+By default, the message digest type is
+<code>MD5</code>,
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+<code>AES128CMAC</code>, <code>MD2</code>, <code>MD5</code>, <code>MDC2</code>, <code>SHA</code>, <code>SHA1</code>
+and
+<code>RIPE160</code>
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+<code>RSA</code>
+sign keys;
+however, only
+<code>SHA</code>
+and
+<code>SHA1</code>
+certificates are compatible with
+<code>DSA</code>
+sign keys.
<p>Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
@@ -483,19 +396,19 @@
as the other files, are probably not compatible with anything other than Autokey.
<p>Running the program as other than root and using the Unix
-<code>su</code>
+<code>su(1)</code>
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-<code>.rnd</code>
+<span class="file">.rnd</span>
in the user home directory.
However, there should be only one
-<code>.rnd</code>,
+<span class="file">.rnd</span>,
most conveniently
in the root directory, so it is convenient to define the
-<code>$RANDFILE</code>
+.Ev RANDFILE
environment variable used by the OpenSSL library as the path to
-<code>/.rnd</code>.
+<span class="file">.rnd</span>.
<p>Installing the keys as root might not work in NFS-mounted
shared file systems, as NFS clients may not be able to write
@@ -505,7 +418,8 @@
<span class="file">/etc</span>
using the
<code>keysdir</code>
-command.
+<code>ntpd(1ntpdmdoc)</code>
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -538,8 +452,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+<kbd>hostname</kbd>
+and
+<kbd>filestamp</kbd>
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
<p>The recommended practice is to keep the file name extensions
@@ -548,109 +465,113 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+<code>ntpd(1ntpdmdoc)</code>
+follows it to the file name to extract the
+<kbd>filestamp</kbd>.
If a link is not present,
<code>ntpd(1ntpdmdoc)</code>
-extracts the filestamp from the file itself.
+extracts the
+<kbd>filestamp</kbd>
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
<code>ntp-keygen</code>
-program uses the same timestamp extension for all files generated
+program uses the same
+<kbd>filestamp</kbd>
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-<h5 class="subsubsection">Running the program</h5>
-
-<p>The safest way to run the
+ <p>Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
<code>ntp-keygen</code>
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-<span class="file">/usr/local/etc</span>,
-then run the program.
-When run for the first time,
-or if all
-<code>ntpkey</code>
-files have been removed,
-the program generates a RSA host key file and matching RSA-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+with the
+<code>-T</code>
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
- <p>The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+ <p>The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+<code>-S</code>
+option and this can be either
+<code>RSA</code>
+or
+<code>DSA</code>
+type.
+By default, the signature
+message digest type is
+<code>MD5</code>,
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+<code>-c</code>
+option.
- <p>Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+ <p>The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken-and-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball-and-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re-generated.
- <p>Running the program as other than root and using the Unix
-<code>su</code>
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-<code>.rnd</code>
-in the user home directory.
-However, there should be only one
-<code>.rnd</code>,
-most conveniently
-in the root directory, so it is convenient to define the
-<code>$RANDFILE</code>
-environment variable used by the OpenSSL library as the path to
-<code>/.rnd</code>.
+ <p>Additional information on trusted groups and identity schemes is on the
+Autokey Public-Key Authentication
+page.
- <p>Installing the keys as root might not work in NFS-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-<span class="file">/etc</span>
-using the
-<code>keysdir</code>
+ <p>File names begin with the prefix
+<span class="file">ntpkey</span>_
+and end with the suffix
+<span class="file">_</span><kbd>hostname</kbd>. <kbd>filestamp</kbd>,
+where
+<kbd>hostname</kbd>
+is the owner name, usually the string returned
+by the Unix
+<code>hostname(1)</code>
+command, and
+<kbd>filestamp</kbd>
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+<code>rm</code> <span class="file">ntpkey*</span>
+command or all files generated
+at a specific time can be removed by a
+<code>rm</code> <span class="file">*</span><kbd>filestamp</kbd>
command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
- <p>Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
+<h5 class="subsubsection">Trusted Hosts and Groups</h5>
- <p>s Trusted Hosts and Groups
-Each cryptographic configuration involves selection of a signature scheme
+<p>Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
<a href="#Authentication-Options">Authentication Options</a>
section of
<code>ntp.conf(5)</code>.
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+<code>RSA</code>
+encryption,
+<code>MD5</code>
+message digest
+and
+<code>TC</code>
+identification.
First, configure a NTP subnet including one or more low-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -668,7 +589,7 @@
<p>On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-<code>ntpkey</code>
+<span class="file">ntpkey</span>
files.
Then run
<code>ntp-keygen</code>
@@ -693,7 +614,9 @@
<code>RSA</code>
or
<code>DSA</code>.
-The most often need to do this is when a DSA-signed certificate is used.
+The most frequent need to do this is when a
+<code>DSA</code>-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
<code>ntp-keygen</code>
@@ -702,10 +625,10 @@
option and selected
<kbd>scheme</kbd>
as needed.
-f
+If
<code>ntp-keygen</code>
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
<p>After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
@@ -712,7 +635,7 @@
Simply run
<code>ntp-keygen</code>
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
<code>ntpd(1ntpdmdoc)</code>
should be restarted.
@@ -725,13 +648,15 @@
<h5 class="subsubsection">Identity Schemes</h5>
<p>As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+<code>TC</code>
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-"Identification Schemes"
-page
-(maybe available at
-<code>http://www.eecis.udel.edu/%7emills/keygen.html</code>).
+including
+<code>PC</code>, <code>IFF</code>, <code>GQ</code>
+and
+<code>MV</code>
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -756,12 +681,15 @@
<code>-P</code>
<code>-p</code> <kbd>password</kbd>
to generate the host key file
-<span class="file">ntpkey_RSAkey_</span><kbd>alice.filestamp</kbd>
+<span class="file">ntpkey</span>_ <code>RSA</code> <span class="file">key_alice.</span> <kbd>filestamp</kbd>
and trusted private certificate file
-<span class="file">ntpkey_RSA-MD5_cert_</span><kbd>alice.filestamp</kbd>.
+<span class="file">ntpkey</span>_ <code>RSA-MD5</code> <code>_</code> <span class="file">cert_alice.</span> <kbd>filestamp</kbd>,
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+<kbd>bob</kbd>
+install a soft link from the generic name
<span class="file">ntpkey_host_</span><kbd>bob</kbd>
to the host key file and soft link
<span class="file">ntpkey_cert_</span><kbd>bob</kbd>
@@ -770,11 +698,17 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
- <p>For the IFF scheme proceed as in the TC scheme to generate keys
+ <p>For the
+<code>IFF</code>
+scheme proceed as in the
+<code>TC</code>
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+<code>IFF</code>
+parameter file.
On trusted host alice run
<code>ntp-keygen</code>
<code>-T</code>
@@ -781,15 +715,17 @@
<code>-I</code>
<code>-p</code> <kbd>password</kbd>
to produce her parameter file
-<span class="file">ntpkey_IFFpar_</span><kbd>alice.filestamp</kbd>,
+<span class="file">ntpkey_IFFpar_alice.</span><kbd>filestamp</kbd>,
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-<span class="file">ntpkey_iff_</span><kbd>alice</kbd>
+<span class="file">ntpkey_iff_alice</span>
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+<code>IFF</code>
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
<p>If a rogue client has the parameter file, it could masquerade
@@ -799,17 +735,23 @@
After generating the parameter file, on alice run
<code>ntp-keygen</code>
<code>-e</code>
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-<span class="file">ntpkey_iff_</span><kbd>alice</kbd>
+<span class="file">ntpkey_iff_alice</span>
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
- <p>For the GQ scheme proceed as in the TC scheme to generate keys
+ <p>For the
+<code>GQ</code>
+scheme proceed as in the
+<code>TC</code>
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+<code>IFF</code>
+parameter file.
On trusted host alice run
<code>ntp-keygen</code>
<code>-T</code>
@@ -816,20 +758,30 @@
<code>-G</code>
<code>-p</code> <kbd>password</kbd>
to produce her parameter file
-<span class="file">ntpkey_GQpar_</span><kbd>alice.filestamp</kbd>,
+<span class="file">ntpkey_GQpar_alice.</span><kbd>filestamp</kbd>,
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-<span class="file">ntpkey_gq_</span><kbd>alice</kbd>
+<span class="file">ntpkey_gq_alice</span>
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+<kbd>bob</kbd>
+install a soft link
from generic
<span class="file">ntpkey_gq_</span><kbd>bob</kbd>
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+<code>GQ</code>
+scheme updates the
+<code>GQ</code>
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
- <p>For the MV scheme, proceed as in the TC scheme to generate keys
+ <p>For the
+<code>MV</code>
+scheme, proceed as in the
+<code>TC</code>
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -841,9 +793,9 @@
<kbd>n</kbd>
is the number of revokable keys (typically 5) to produce
the parameter file
-<span class="file">ntpkeys_MVpar_</span><kbd>trish.filestamp</kbd>
+<span class="file">ntpkeys_MVpar_trish.</span><kbd>filestamp</kbd>
and client key files
-<span class="file">ntpkeys_MVkeyd_</span><kbd>trish.filestamp</kbd>
+<span class="file">ntpkeys_MVkey</span><kbd>d</kbd> <kbd>_</kbd> <span class="file">trish.</span> <kbd>filestamp</kbd>
where
<kbd>d</kbd>
is the key number (0 &lt;
@@ -852,66 +804,199 @@
<kbd>n</kbd>).
Copy the parameter file to alice and install a soft link
from the generic
-<span class="file">ntpkey_mv_</span><kbd>alice</kbd>
+<span class="file">ntpkey_mv_alice</span>
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-<span class="file">ntpkey_mvkey_</span><kbd>bob</kbd>
+<span class="file">ntpkey_mvkey_bob</span>
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+<code>MV</code>
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
<h5 class="subsubsection">Command Line Options</h5>
<dl>
-<dt><code>-c</code> <kbd>scheme</kbd><dd>Select certificate message digest/signature encryption scheme.
+<dt><code>-b</code> <code>--imbits</code>= <kbd>modulus</kbd><dd>Set the number of bits in the identity modulus for generating identity keys to
+<kbd>modulus</kbd>
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+<br><dt><code>-c</code> <code>--certificate</code>= <kbd>scheme</kbd><dd>Select certificate signature encryption/message digest scheme.
The
<kbd>scheme</kbd>
can be one of the following:
-. Cm RSA-MD2 , RSA-MD5 , RSA-SHA , RSA-SHA1 , RSA-MDC2 , RSA-RIPEMD160 , DSA-SHA ,
+<code>RSA-MD2</code>, <code>RSA-MD5</code>, <code>RSA-MDC2</code>, <code>RSA-SHA</code>, <code>RSA-SHA1</code>, <code>RSA-RIPEMD160</code>, <code>DSA-SHA</code>,
or
<code>DSA-SHA1</code>.
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+<code>RSA</code>
+schemes must be used with an
+<code>RSA</code>
+sign key and
+<code>DSA</code>
+schemes must be used with a
+<code>DSA</code>
+sign key.
The default without this option is
<code>RSA-MD5</code>.
-<br><dt><code>-d</code><dd>Enable debugging.
+If compatibility with FIPS 140-2 is required, either the
+<code>DSA-SHA</code>
+or
+<code>DSA-SHA1</code>
+scheme must be used.
+<br><dt><code>-C</code> <code>--cipher</code>= <kbd>cipher</kbd><dd>Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three-key triple DES in CBC mode,
+<code>des-ede3-cbc</code>.
+The
+<code>openssl</code> <code>-h</code>
+command provided with OpenSSL displays available ciphers.
+<br><dt><code>-d</code> <code>--debug-level</code><dd>Increase debugging verbosity level.
This option displays the cryptographic data produced in eye-friendly billboards.
-<br><dt><code>-e</code><dd>Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-<br><dt><code>-G</code><dd>Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-<br><dt><code>-g</code><dd>Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-<br><dt><code>-H</code><dd>Generate new host keys, obsoleting any that may exist.
-<br><dt><code>-I</code><dd>Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-<br><dt><code>-i</code> <kbd>name</kbd><dd>Set the suject name to
-<kbd>name</kbd>.
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-<br><dt><code>-M</code><dd>Generate MD5 keys, obsoleting any that may exist.
-<br><dt><code>-P</code><dd>Generate a private certificate.
+<br><dt><code>-D</code> <code>--set-debug-level</code>= <kbd>level</kbd><dd>Set the debugging verbosity to
+<kbd>level</kbd>.
+This option displays the cryptographic data produced in eye-friendly billboards.
+<br><dt><code>-e</code> <code>--id-key</code><dd>Write the
+<code>IFF</code>
+or
+<code>GQ</code>
+public parameters from the
+<kbd>IFFkey</kbd> <kbd>or</kbd> <kbd>GQkey</kbd>
+client keys file previously specified
+as unencrypted data to the standard output stream
+<span class="file">stdout</span>.
+This is intended for automatic key distribution by email.
+<br><dt><code>-G</code> <code>--gq-params</code><dd>Generate a new encrypted
+<code>GQ</code>
+parameters and key file for the Guillou-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+<code>-I</code>
+and
+<code>-V</code>
+options.
+<br><dt><code>-H</code> <code>--host-key</code><dd>Generate a new encrypted
+<code>RSA</code>
+public/private host key file.
+<br><dt><code>-I</code> <code>--iffkey</code><dd>Generate a new encrypted
+<code>IFF</code>
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+<code>-G</code>
+and
+Fl V
+options.
+<br><dt><code>-i</code> <code>--ident</code>= <kbd>group</kbd><dd>Set the optional Autokey group name to
+<kbd>group</kbd>.
+This is used in the identity scheme parameter file names of
+<code>IFF</code>, <code>GQ</code>,
+and
+<code>MV</code>
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+<code>-i</code>
+or
+<code>-s</code>
+following an
+@
+character, is also used in certificate subject and issuer names in the form
+<kbd>host</kbd> <kbd>@</kbd> <kbd>group</kbd>
+and should match the group specified via
+<code>crypto</code> <code>ident</code>
+or
+<code>server</code> <code>ident</code>
+in the ntpd configuration file.
+<br><dt><code>-l</code> <code>--lifetime</code>= <kbd>days</kbd><dd>Set the lifetime for certificate expiration to
+<kbd>days</kbd>.
+The default lifetime is one year (365 days).
+<br><dt><code>-m</code> <code>--modulus</code>= <kbd>bits</kbd><dd>Set the number of bits in the prime modulus for generating files to
+<kbd>bits</kbd>.
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+<br><dt><code>-M</code> <code>--md5key</code><dd>Generate a new symmetric keys file containing 10
+<code>MD5</code>
+keys, and if OpenSSL is available, 10
+<code>SHA</code>
+keys.
+An
+<code>MD5</code>
+key is a string of 20 random printable ASCII characters, while a
+<code>SHA</code>
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+<br><dt><code>-p</code> <code>--password</code>= <kbd>passwd</kbd><dd>Set the password for reading and writing encrypted files to
+<kbd>passwd</kbd>.
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+<code>hostname</code>
+command.
+<br><dt><code>-P</code> <code>--pvt-cert</code><dd>Generate a new private certificate used by the
+<code>PC</code>
+identity scheme.
By default, the program generates public certificates.
-<br><dt><code>-p</code> <kbd>password</kbd><dd>Encrypt generated files containing private data with
-<kbd>password</kbd>
-and the DES-CBC algorithm.
-<br><dt><code>-q</code><dd>Set the password for reading files to password.
-<br><dt><code>-S</code> <code>[RSA | DSA]</code><dd>Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-<br><dt><code>-s</code> <kbd>name</kbd><dd>Set the issuer name to
-<kbd>name</kbd>.
-This is used for the issuer field in certificates
-and in the file name for identity files.
-<br><dt><code>-T</code><dd>Generate a trusted certificate.
+Note: the PC identity scheme is not recommended for new installations.
+<br><dt><code>-q</code> <code>--export-passwd</code>= <kbd>passwd</kbd><dd>Set the password for writing encrypted
+<code>IFF</code>, <code>GQ</code> <code>and</code> <code>MV</code>
+identity files redirected to
+<span class="file">stdout</span>
+to
+<kbd>passwd</kbd>.
+In effect, these files are decrypted with the
+<code>-p</code>
+password, then encrypted with the
+<code>-q</code>
+password.
+By default, the password is the string returned by the Unix
+<code>hostname</code>
+command.
+<br><dt><code>-s</code> <code>--subject-key</code>= <code>[host]</code> <code>[@ </code><kbd>group</kbd><code>]</code><dd>Specify the Autokey host name, where
+<kbd>host</kbd>
+is the optional host name and
+<kbd>group</kbd>
+is the optional group name.
+The host name, and if provided, group name are used in
+<kbd>host</kbd> <kbd>@</kbd> <kbd>group</kbd>
+form as certificate subject and issuer.
+Specifying
+<code>-s</code> <code>-@</code> <kbd>group</kbd>
+is allowed, and results in leaving the host name unchanged, as with
+<code>-i</code> <kbd>group</kbd>.
+The group name, or if no group is provided, the host name are also used in the
+file names of
+<code>IFF</code>, <code>GQ</code>,
+and
+<code>MV</code>
+identity scheme client parameter files.
+If
+<kbd>host</kbd>
+is not specified, the default host name is the string returned by the Unix
+<code>hostname</code>
+command.
+<br><dt><code>-S</code> <code>--sign-key</code>= <code>[RSA | DSA]</code><dd>Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140-2 is required, the sign key type must be
+<code>DSA</code>.
+<br><dt><code>-T</code> <code>--trusted-cert</code><dd>Generate a trusted certificate.
By default, the program generates a non-trusted certificate.
-<br><dt><code>-V</code> <kbd>nkeys</kbd><dd>Generate parameters and keys for the Mu-Varadharajan (MV) identification scheme.
+<br><dt><code>-V</code> <code>--mv-params</code> <kbd>nkeys</kbd><dd>Generate
+<kbd>nkeys</kbd>
+encrypted server keys and parameters for the Mu-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+<code>-I</code>
+and
+<code>-G</code>
+options.
+Note: support for this option should be considered a work in progress.
</dl>
<h5 class="subsubsection">Random Seed File</h5>
@@ -937,7 +1022,7 @@
<p>The entropy seed used by the OpenSSL library is contained in a file,
usually called
-<code>.rnd</code>,
+<span class="file">.rnd</span>,
which must be available when starting the NTP daemon
or the
<code>ntp-keygen</code>
@@ -960,8 +1045,16 @@
.Ev RANDFILE
environment variable is not present,
the library will look for the
-<code>.rnd</code>
+<span class="file">.rnd</span>
file in the user home directory.
+Since both the
+<code>ntp-keygen</code>
+program and
+<code>ntpd(1ntpdmdoc)</code>
+daemon must run as root, the logical place to put this file is in
+<span class="file">/.rnd</span>
+or
+<span class="file">/root/.rnd</span>.
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
@@ -968,39 +1061,106 @@
<h5 class="subsubsection">Cryptographic Data Files</h5>
-<p>All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+<p>All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+<span class="file">ntpkey_</span><kbd>key</kbd> <kbd>_</kbd> <kbd>name</kbd>. <kbd>filestamp</kbd>,
+where
+<kbd>key</kbd>
+is the key or parameter type,
+<kbd>name</kbd>
+is the host or group name and
+<kbd>filestamp</kbd>
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+<kbd>key</kbd>
+names in generated file names include both upper and lower case
+characters, while
+<kbd>key</kbd>
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+<span class="file">date</span>
+format.
+Lines beginning with
+#
+are considered comments and ignored by the
<code>ntp-keygen</code>
program and
<code>ntpd(1ntpdmdoc)</code>
-daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
+daemon.
- <p>The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
+ <p>The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+
+ <p>The format of the symmetric keys file, ordinarily named
+<span class="file">ntp.keys</span>,
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+<pre class="verbatim">
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+
+1 MD5 L";Nw&lt;\`.I&lt;f4U0)247"i # MD5 key
+2 MD5 &amp;>l0%XXK9O'51VwV&lt;xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&amp;4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o@}3i@@@@V@@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+</pre>
+<pre class="example"> Figure 1. Typical Symmetric Key File
+</pre>
+ <p>Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
<pre class="example"> <kbd>keyno</kbd> <kbd>type</kbd> <kbd>key</kbd>
</pre>
<p>where
<kbd>keyno</kbd>
-is a positive integer in the range 1-65,535,
+is a positive integer in the range 1-65534;
<kbd>type</kbd>
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+<code>MD5</code>
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140-2 is required,
+the key type must be either
+<code>SHA</code>
+or
+<code>SHA1</code>;
<kbd>key</kbd>
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+!
+through
+~
+) excluding space and the
#
-character.
+character, and terminated by whitespace or a
+#
+character.
+An OpenSSL key consists of a hex-encoded ASCII string of 40 characters, which
+is truncated as necessary.
<p>Note that the keys used by the
<code>ntpq(1ntpqmdoc)</code>
@@ -1013,8 +1173,8 @@
<p>The
<code>ntp-keygen</code>
-program generates a MD5 symmetric keys file
-<span class="file">ntpkey_MD5key_</span><kbd>hostname.filestamp</kbd>.
+program generates a symmetric keys file
+<span class="file">ntpkey_MD5key_</span><kbd>hostname</kbd>. <kbd>filestamp</kbd>.
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -1048,13 +1208,13 @@
<li><a accesskey="8" href="#ntp_002dkeygen-iffkey">ntp-keygen iffkey</a>: iffkey option (-I)
<li><a accesskey="9" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>: ident option (-i)
<li><a href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>: lifetime option (-l)
+<li><a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>: modulus option (-m)
<li><a href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>: md5key option (-M)
-<li><a href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>: modulus option (-m)
<li><a href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>: pvt-cert option (-P)
<li><a href="#ntp_002dkeygen-password">ntp-keygen password</a>: password option (-p)
<li><a href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>: export-passwd option (-q)
+<li><a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>: subject-name option (-s)
<li><a href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>: sign-key option (-S)
-<li><a href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>: subject-name option (-s)
<li><a href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>: trusted-cert option (-T)
<li><a href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>: mv-params option (-V)
<li><a href="#ntp_002dkeygen-mv_002dkeys">ntp-keygen mv-keys</a>: mv-keys option (-v)
@@ -1085,7 +1245,7 @@
used to select the program, defaulting to <span class="file">more</span>. Both will exit
with a status code of 0.
-<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10-beta
+<pre class="example">ntp-keygen (ntp) - Create a NTP host key - Ver. 4.2.8p10
Usage: ntp-keygen [ -&lt;flag&gt; [&lt;val&gt;] | --&lt;name&gt;[{=| }&lt;val&gt;] ]...
Flg Arg Option-Name Description
-b Num imbits identity modulus bits
@@ -1103,15 +1263,15 @@
-I no iffkey generate IFF parameters
-i Str ident set Autokey group name
-l Num lifetime set certificate lifetime
- -M no md5key generate MD5 keys
- -m Num modulus modulus
+ -m Num modulus prime modulus
- it must be in the range:
256 to 2048
+ -M no md5key generate symmetric keys
-P no pvt-cert generate PC private certificate
-p Str password local private password
-q Str export-passwd export IFF or GQ group keys with password
+ -s Str subject-name set host and optionally group name
-S Str sign-key generate sign key (RSA or DSA)
- -s Str subject-name set host and optionally group name
-T no trusted-cert trusted certificate (TC scheme)
-V Num mv-params generate &lt;num&gt; MV parameters
-v Num mv-keys update &lt;num&gt; MV keys
@@ -1174,10 +1334,10 @@
</ul>
<p>scheme is one of
-RSA-MD2, RSA-MD5, RSA-SHA, RSA-SHA1, RSA-MDC2, RSA-RIPEMD160,
+RSA-MD2, RSA-MD5, RSA-MDC2, RSA-SHA, RSA-SHA1, RSA-RIPEMD160,
DSA-SHA, or DSA-SHA1.
- <p>Select the certificate message digest/signature encryption scheme.
+ <p>Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA-MD5.
@@ -1202,9 +1362,9 @@
<p>Select the cipher which is used to encrypt the files containing
private keys. The default is three-key triple DES in CBC mode,
-equivalent to "<code>-C des-ede3-cbc". The openssl tool lists ciphers
-available in "openssl -h" output.
-</code><div class="node">
+equivalent to "<code>-C des-ede3-cbc</code>". The openssl tool lists ciphers
+available in "<code>openssl -h</code>" output.
+<div class="node">
<p><hr>
<a name="ntp_002dkeygen-id_002dkey"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-gq_002dparams">ntp-keygen gq-params</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-cipher">ntp-keygen cipher</a>,
@@ -1222,8 +1382,9 @@
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>
- <p>Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+ <p>Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
<div class="node">
<p><hr>
<a name="ntp_002dkeygen-gq_002dparams"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-host_002dkey">ntp-keygen host-key</a>,
@@ -1306,14 +1467,14 @@
the file name of IFF, GQ, and MV client parameters files. In
that role, the default is the host name if this option is not
provided. The group name, if specified using <code>-i/--ident</code> or
-using <code>-s/--subject-name</code> following an '<code>}' character,
-is also a part of the self-signed host certificate's subject and
-issuer names in the form host
- <p>'crypto ident' or 'server ident' configuration in
-ntpd's configuration file.
-</code><div class="node">
+using <code>-s/--subject-name</code> following an '<code>@</code>' character,
+is also a part of the self-signed host certificate subject and
+issuer names in the form <code>host@group</code> and should match the
+'<code>crypto ident</code>' or '<code>server ident</code>' configuration in the
+<code>ntpd</code> configuration file.
+<div class="node">
<p><hr>
-<a name="ntp_002dkeygen-lifetime"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>,
+<a name="ntp_002dkeygen-lifetime"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-ident">ntp-keygen ident</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
@@ -1322,7 +1483,7 @@
<h4 class="subsection">lifetime option (-l)</h4>
<p><a name="index-ntp_002dkeygen_002dlifetime-12"></a>
-This is the ``set certificate lifetime'' option.
+This is the &ldquo;set certificate lifetime&rdquo; option.
This option takes a number argument <span class="file">lifetime</span>.
<p class="noindent">This option has some usage constraints. It:
@@ -1333,29 +1494,16 @@
<p>Set the certificate expiration to lifetime days from now.
<div class="node">
<p><hr>
-<a name="ntp_002dkeygen-md5key"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>,
+<a name="ntp_002dkeygen-modulus"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-lifetime">ntp-keygen lifetime</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>
-<h4 class="subsection">md5key option (-M)</h4>
-
-<p><a name="index-ntp_002dkeygen_002dmd5key-13"></a>
-This is the ``generate md5 keys'' option.
-Generate MD5 keys, obsoleting any that may exist.
-<div class="node">
-<p><hr>
-<a name="ntp_002dkeygen-modulus"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>,
-Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>,
-Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
-<br>
-</div>
-
<h4 class="subsection">modulus option (-m)</h4>
-<p><a name="index-ntp_002dkeygen_002dmodulus-14"></a>
-This is the ``modulus'' option.
+<p><a name="index-ntp_002dkeygen_002dmodulus-13"></a>
+This is the &ldquo;prime modulus&rdquo; option.
This option takes a number argument <span class="file">modulus</span>.
<p class="noindent">This option has some usage constraints. It:
@@ -1366,16 +1514,29 @@
<p>The number of bits in the prime modulus. The default is 512.
<div class="node">
<p><hr>
-<a name="ntp_002dkeygen-pvt_002dcert"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>,
+<a name="ntp_002dkeygen-md5key"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-pvt_002dcert">ntp-keygen pvt-cert</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-modulus">ntp-keygen modulus</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>
+<h4 class="subsection">md5key option (-M)</h4>
+
+<p><a name="index-ntp_002dkeygen_002dmd5key-14"></a>
+This is the &ldquo;generate symmetric keys&rdquo; option.
+Generate symmetric keys, obsoleting any that may exist.
+<div class="node">
+<p><hr>
+<a name="ntp_002dkeygen-pvt_002dcert"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-password">ntp-keygen password</a>,
+Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-md5key">ntp-keygen md5key</a>,
+Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
+<br>
+</div>
+
<h4 class="subsection">pvt-cert option (-P)</h4>
<p><a name="index-ntp_002dkeygen_002dpvt_002dcert-15"></a>
-This is the ``generate pc private certificate'' option.
+This is the &ldquo;generate pc private certificate&rdquo; option.
<p class="noindent">This option has some usage constraints. It:
<ul>
@@ -1395,7 +1556,7 @@
<h4 class="subsection">password option (-p)</h4>
<p><a name="index-ntp_002dkeygen_002dpassword-16"></a>
-This is the ``local private password'' option.
+This is the &ldquo;local private password&rdquo; option.
This option takes a string argument <span class="file">passwd</span>.
<p class="noindent">This option has some usage constraints. It:
@@ -1410,7 +1571,7 @@
hostname.
<div class="node">
<p><hr>
-<a name="ntp_002dkeygen-export_002dpasswd"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>,
+<a name="ntp_002dkeygen-export_002dpasswd"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-password">ntp-keygen password</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
@@ -1419,7 +1580,7 @@
<h4 class="subsection">export-passwd option (-q)</h4>
<p><a name="index-ntp_002dkeygen_002dexport_002dpasswd-17"></a>
-This is the ``export iff or gq group keys with password'' option.
+This is the &ldquo;export iff or gq group keys with password&rdquo; option.
This option takes a string argument <span class="file">passwd</span>.
<p class="noindent">This option has some usage constraints. It:
@@ -1431,20 +1592,20 @@
encrypted with the DES-CBC algorithm and the specified password.
The same password must be specified to the remote ntpd via the
"crypto pw password" configuration command. See also the option
---id-key (-e) for unencrypted exports.
+&ndash;id-key (-e) for unencrypted exports.
<div class="node">
<p><hr>
-<a name="ntp_002dkeygen-sign_002dkey"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>,
+<a name="ntp_002dkeygen-subject_002dname"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>,
Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-export_002dpasswd">ntp-keygen export-passwd</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>
-<h4 class="subsection">sign-key option (-S)</h4>
+<h4 class="subsection">subject-name option (-s)</h4>
-<p><a name="index-ntp_002dkeygen_002dsign_002dkey-18"></a>
-This is the ``generate sign key (rsa or dsa)'' option.
-This option takes a string argument <span class="file">sign</span>.
+<p><a name="index-ntp_002dkeygen_002dsubject_002dname-18"></a>
+This is the &ldquo;set host and optionally group name&rdquo; option.
+This option takes a string argument <span class="file">host@group</span>.
<p class="noindent">This option has some usage constraints. It:
<ul>
@@ -1451,22 +1612,29 @@
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>
- <p>Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
+ <p>Set the Autokey host name, and optionally, group name specified
+following an '<code>@</code>' character. The host name is used in the file
+name of generated host and signing certificates, without the
+group name. The host name, and if provided, group name are used
+in <code>host@group</code> form for the host certificate subject and issuer
+fields. Specifying '<code>-s @group</code>' is allowed, and results in
+leaving the host name unchanged while appending <code>@group</code> to the
+subject and issuer fields, as with <code>-i group</code>. The group name, or
+if not provided, the host name are also used in the file names
+of IFF, GQ, and MV client parameter files.
<div class="node">
<p><hr>
-<a name="ntp_002dkeygen-subject_002dname"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>,
-Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>,
+<a name="ntp_002dkeygen-sign_002dkey"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-trusted_002dcert">ntp-keygen trusted-cert</a>,
+Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>
-<h4 class="subsection">subject-name option (-s)</h4>
+<h4 class="subsection">sign-key option (-S)</h4>
-<p><a name="index-ntp_002dkeygen_002dsubject_002dname-19"></a>
-This is the ``set host and optionally group name'' option.
-This option takes a string argument <span class="file">host@group</span>.
+<p><a name="index-ntp_002dkeygen_002dsign_002dkey-19"></a>
+This is the &ldquo;generate sign key (rsa or dsa)&rdquo; option.
+This option takes a string argument <span class="file">sign</span>.
<p class="noindent">This option has some usage constraints. It:
<ul>
@@ -1473,20 +1641,13 @@
<li>must be compiled in by defining <code>AUTOKEY</code> during the compilation.
</ul>
- <p>Set the Autokey host name, and optionally, group name specified
-following an '<code>}' character. The host name is used in the file
-name of generated host and signing certificates, without the
-group name. The host name, and if provided, group name are used
-in host
- <p>fields. Specifying '-s
- <p>leaving the host name unchanged while appending
- <p>subject and issuer fields, as with -i group. The group name, or
-if not provided, the host name are also used in the file names
-of IFF, GQ, and MV client parameter files.
-</code><div class="node">
+ <p>Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
+<div class="node">
<p><hr>
<a name="ntp_002dkeygen-trusted_002dcert"></a>Next:&nbsp;<a rel="next" accesskey="n" href="#ntp_002dkeygen-mv_002dparams">ntp-keygen mv-params</a>,
-Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-subject_002dname">ntp-keygen subject-name</a>,
+Previous:&nbsp;<a rel="previous" accesskey="p" href="#ntp_002dkeygen-sign_002dkey">ntp-keygen sign-key</a>,
Up:&nbsp;<a rel="up" accesskey="u" href="#ntp_002dkeygen-Invocation">ntp-keygen Invocation</a>
<br>
</div>
@@ -1494,7 +1655,7 @@
<h4 class="subsection">trusted-cert option (-T)</h4>
<p><a name="index-ntp_002dkeygen_002dtrusted_002dcert-20"></a>
-This is the ``trusted certificate (tc scheme)'' option.
+This is the &ldquo;trusted certificate (tc scheme)&rdquo; option.
<p class="noindent">This option has some usage constraints. It:
<ul>
@@ -1514,7 +1675,7 @@
<h4 class="subsection">mv-params option (-V)</h4>
<p><a name="index-ntp_002dkeygen_002dmv_002dparams-21"></a>
-This is the ``generate &lt;num&gt; mv parameters'' option.
+This is the &ldquo;generate &lt;num&gt; mv parameters&rdquo; option.
This option takes a number argument <span class="file">num</span>.
<p class="noindent">This option has some usage constraints. It:
@@ -1535,7 +1696,7 @@
<h4 class="subsection">mv-keys option (-v)</h4>
<p><a name="index-ntp_002dkeygen_002dmv_002dkeys-22"></a>
-This is the ``update &lt;num&gt; mv keys'' option.
+This is the &ldquo;update &lt;num&gt; mv keys&rdquo; option.
This option takes a number argument <span class="file">num</span>.
<p class="noindent">This option has some usage constraints. It:
Index: contrib/ntp/util/ntp-keygen.mdoc.in
===================================================================
--- contrib/ntp/util/ntp-keygen.mdoc.in (版本 330566)
+++ contrib/ntp/util/ntp-keygen.mdoc.in (版本 330908)
@@ -1,9 +1,9 @@
-.Dd March 21 2017
+.Dd February 27 2018
.Dt NTP_KEYGEN @NTP_KEYGEN_MS@ User Commands
.Os
.\" EDIT THIS FILE WITH CAUTION (ntp-keygen-opts.mdoc)
.\"
-.\" It has been AutoGen-ed March 21, 2017 at 10:45:59 AM by AutoGen 5.18.5
+.\" It has been AutoGen-ed February 27, 2018 at 05:16:00 PM by AutoGen 5.18.5
.\" From the definitions ntp-keygen-opts.def
.\" and the template file agmdoc-cmd.tpl
.Sh NAME
@@ -21,26 +21,29 @@
.Sh DESCRIPTION
This program generates cryptographic data files used by the NTPv4
authentication and identification schemes.
-It generates MD5 key files used in symmetric key cryptography.
-In addition, if the OpenSSL software library has been installed,
-it generates keys, certificate and identity files used in public key
-cryptography.
+It can generate message digest keys used in symmetric key cryptography and,
+if the OpenSSL software library has been installed, it can generate host keys,
+signing keys, certificates, and identity keys and parameters used in Autokey
+public key cryptography.
These files are used for cookie encryption,
-digital signature and challenge/response identification algorithms
+digital signature, and challenge/response identification algorithms
compatible with the Internet standard security infrastructure.
.Pp
-All files are in PEM\-encoded printable ASCII format,
-so they can be embedded as MIME attachments in mail to other sites
+The message digest symmetric keys file is generated in a format
+compatible with NTPv3.
+All other files are in PEM\-encoded printable ASCII format,
+so they can be embedded as MIME attachments in email to other sites
and certificate authorities.
By default, files are not encrypted.
.Pp
-When used to generate message digest keys, the program produces a file
-containing ten pseudo\-random printable ASCII strings suitable for the
-MD5 message digest algorithm included in the distribution.
+When used to generate message digest symmetric keys, the program
+produces a file containing ten pseudo\-random printable ASCII strings
+suitable for the MD5 message digest algorithm included in the
+distribution.
If the OpenSSL library is installed, it produces an additional ten
-hex\-encoded random bit strings suitable for the SHA1 and other message
-digest algorithms.
-The message digest keys file must be distributed and stored
+hex\-encoded random bit strings suitable for SHA1, AES\-128\-CMAC, and
+other message digest algorithms.
+The message digest symmetric keys file must be distributed and stored
using secure means beyond the scope of NTP itself.
Besides the keys used for ordinary NTP associations, additional keys
can be defined as passwords for the
@@ -60,31 +63,42 @@
Some files used by this program are encrypted using a private password.
The
.Fl p
-option specifies the password for local encrypted files and the
+option specifies the read password for local encrypted files and the
.Fl q
-option the password for encrypted files sent to remote sites.
+option the write password for encrypted files sent to remote sites.
If no password is specified, the host name returned by the Unix
-.Fn gethostname
-function, normally the DNS name of the host is used.
+.Xr hostname 1
+command, normally the DNS name of the host, is used as the the default read
+password, for convenience.
+The
+.Nm
+program prompts for the password if it reads an encrypted file
+and the password is missing or incorrect.
+If an encrypted file is read successfully and
+no write password is specified, the read password is used
+as the write password by default.
.Pp
The
-.Ar pw
+.Cm pw
option of the
-.Ar crypto
+.Ic crypto
+.Xr ntpd @NTPD_MS@
configuration command specifies the read
password for previously encrypted local files.
-This must match the local password used by this program.
+This must match the local read password used by this program.
If not specified, the host name is used.
-Thus, if files are generated by this program without password,
+Thus, if files are generated by this program without an explicit password,
they can be read back by
-.Ar ntpd
-without password but only on the same host.
+.Xr ntpd @NTPD_MS@
+without specifying an explicit password but only on the same host.
+If the write password used for encryption is specified as the host name,
+these files can be read by that host with no explicit password.
.Pp
Normally, encrypted files for each host are generated by that host and
used only by that host, although exceptions exist as noted later on
this page.
The symmetric keys file, normally called
-.Ar ntp.keys ,
+.Pa ntp.keys ,
is usually installed in
.Pa /etc .
Other files and links are usually installed in
@@ -91,188 +105,89 @@
.Pa /usr/local/etc ,
which is normally in a shared filesystem in
NFS\-mounted networks and cannot be changed by shared clients.
-The location of the keys directory can be changed by the
-.Ar keysdir
-configuration command in such cases.
-Normally, this is in
-.Pa /etc .
+In these cases, NFS clients can specify the files in another
+directory such as
+.Pa /etc
+using the
+.Ic keysdir
+.Xr ntpd @NTPD_MS@
+configuration file command.
.Pp
This program directs commentary and error messages to the standard
error stream
-.Ar stderr
+.Pa stderr
and remote files to the standard output stream
-.Ar stdout
+.Pa stdout
where they can be piped to other applications or redirected to files.
The names used for generated files and links all begin with the
string
-.Ar ntpkey
+.Pa ntpkey\&*
and include the file type, generating host and filestamp,
as described in the
-.Dq Cryptographic Data Files
+.Sx "Cryptographic Data Files"
section below.
.Ss Running the Program
-To test and gain experience with Autokey concepts, log in as root and
-change to the keys directory, usually
-.Pa /usr/local/etc
-When run for the first time, or if all files with names beginning with
-.Ar ntpkey
-have been removed, use the
-.Nm
-command without arguments to generate a
-default RSA host key and matching RSA\-MD5 certificate with expiration
-date one year hence.
-If run again without options, the program uses the
-existing keys and parameters and generates only a new certificate with
-new expiration date one year hence.
-.Pp
-Run the command on as many hosts as necessary.
-Designate one of them as the trusted host (TH) using
-.Nm
-with the
-.Fl T
-option and configure it to synchronize from reliable Internet servers.
-Then configure the other hosts to synchronize to the TH directly or
-indirectly.
-A certificate trail is created when Autokey asks the immediately
-ascendant host towards the TH to sign its certificate, which is then
-provided to the immediately descendant host on request.
-All group hosts should have acyclic certificate trails ending on the TH.
-.Pp
-The host key is used to encrypt the cookie when required and so must be
-RSA type.
-By default, the host key is also the sign key used to encrypt
-signatures.
-A different sign key can be assigned using the
-.Fl S
-option and this can be either RSA or DSA type.
-By default, the signature
-message digest type is MD5, but any combination of sign key type and
-message digest type supported by the OpenSSL library can be specified
-using the
-.Fl c
-option.
-The rules say cryptographic media should be generated with proventic
-filestamps, which means the host should already be synchronized before
-this program is run.
-This of course creates a chicken\-and\-egg problem
-when the host is started for the first time.
-Accordingly, the host time
-should be set by some other means, such as eyeball\-and\-wristwatch, at
-least so that the certificate lifetime is within the current year.
-After that and when the host is synchronized to a proventic source, the
-certificate should be re\-generated.
-.Pp
-Additional information on trusted groups and identity schemes is on the
-.Dq Autokey Public\-Key Authentication
-page.
-.Pp
-The
-.Xr ntpd @NTPD_MS@
-configuration command
-.Ic crypto pw Ar password
-specifies the read password for previously encrypted files.
-The daemon expires on the spot if the password is missing
-or incorrect.
-For convenience, if a file has been previously encrypted,
-the default read password is the name of the host running
-the program.
-If the previous write password is specified as the host name,
-these files can be read by that host with no explicit password.
-.Pp
-File names begin with the prefix
-.Cm ntpkey_
-and end with the postfix
-.Ar _hostname.filestamp ,
-where
-.Ar hostname
-is the owner name, usually the string returned
-by the Unix gethostname() routine, and
-.Ar filestamp
-is the NTP seconds when the file was generated, in decimal digits.
-This both guarantees uniqueness and simplifies maintenance
-procedures, since all files can be quickly removed
-by a
-.Ic rm ntpkey\&*
-command or all files generated
-at a specific time can be removed by a
-.Ic rm
-.Ar \&*filestamp
-command.
-To further reduce the risk of misconfiguration,
-the first two lines of a file contain the file name
-and generation date and time as comments.
-.Pp
-All files are installed by default in the keys directory
-.Pa /usr/local/etc ,
-which is normally in a shared filesystem
-in NFS\-mounted networks.
-The actual location of the keys directory
-and each file can be overridden by configuration commands,
-but this is not recommended.
-Normally, the files for each host are generated by that host
-and used only by that host, although exceptions exist
-as noted later on this page.
-.Pp
-Normally, files containing private values,
-including the host key, sign key and identification parameters,
-are permitted root read/write\-only;
-while others containing public values are permitted world readable.
-Alternatively, files containing private values can be encrypted
-and these files permitted world readable,
-which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
-dependent clients can all be installed in the same shared directory.
-.Pp
-The recommended practice is to keep the file name extensions
-when installing a file and to install a soft link
-from the generic names specified elsewhere on this page
-to the generated files.
-This allows new file generations to be activated simply
-by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
-If a link is not present,
-.Xr ntpd @NTPD_MS@
-extracts the filestamp from the file itself.
-This allows clients to verify that the file and generation times
-are always current.
-The
-.Nm
-program uses the same timestamp extension for all files generated
-at one time, so each generation is distinct and can be readily
-recognized in monitoring data.
-.Ss Running the program
The safest way to run the
.Nm
program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
+The recommended procedure is change to the
+.Ar keys
+directory, usually
.Pa /usr/local/etc ,
then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA\-MD5 certificate file,
+.Pp
+To test and gain experience with Autokey concepts, log in as root and
+change to the
+.Ar keys
+directory, usually
+.Pa /usr/local/etc .
+When run for the first time, or if all files with names beginning with
+.Pa ntpkey\&*
+have been removed, use the
+.Nm
+command without arguments to generate a default
+.Cm RSA
+host key and matching
+.Cm RSA\-MD5
+certificate file with expiration date one year hence,
which is all that is necessary in many cases.
The program also generates soft links from the generic names
to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+If run again without options, the program uses the
+existing keys and parameters and generates a new certificate file with
+new expiration date one year hence, and soft link.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
+The host key is used to encrypt the cookie when required and so must be
+.Cm RSA
+type.
By default, the host key is also the sign key used to encrypt signatures.
When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
+either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the message digest type is
+.Cm MD5 ,
+but any combination
of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
+can be specified, including those using the
+.Cm AES128CMAC , MD2 , MD5 , MDC2 , SHA , SHA1
+and
+.Cm RIPE160
+message digest algorithms.
However, the scheme specified in the certificate must be compatible
with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+Certificates using any digest algorithm are compatible with
+.Cm RSA
+sign keys;
+however, only
+.Cm SHA
+and
+.Cm SHA1
+certificates are compatible with
+.Cm DSA
+sign keys.
.Pp
Private/public key files and certificates are compatible with
other OpenSSL applications and very likely other libraries as well.
@@ -283,19 +198,19 @@
as the other files, are probably not compatible with anything other than Autokey.
.Pp
Running the program as other than root and using the Unix
-.Ic su
+.Xr su 1
command
to assume root may not work properly, since by default the OpenSSL library
looks for the random seed file
-.Cm .rnd
+.Pa .rnd
in the user home directory.
However, there should be only one
-.Cm .rnd ,
+.Pa .rnd ,
most conveniently
in the root directory, so it is convenient to define the
-.Cm $RANDFILE
+.Ev RANDFILE
environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+.Pa .rnd .
.Pp
Installing the keys as root might not work in NFS\-mounted
shared file systems, as NFS clients may not be able to write
@@ -305,7 +220,8 @@
.Pa /etc
using the
.Ic keysdir
-command.
+.Xr ntpd @NTPD_MS@
+configuration file command.
There is no need for one client to read the keys and certificates
of other clients or servers, as these data are obtained automatically
by the Autokey protocol.
@@ -338,8 +254,11 @@
Alternatively, files containing private values can be encrypted
and these files permitted world readable,
which simplifies maintenance in shared file systems.
-Since uniqueness is insured by the hostname and
-file name extensions, the files for a NFS server and
+Since uniqueness is insured by the
+.Ar hostname
+and
+.Ar filestamp
+file name extensions, the files for an NTP server and
dependent clients can all be installed in the same shared directory.
.Pp
The recommended practice is to keep the file name extensions
@@ -348,98 +267,97 @@
to the generated files.
This allows new file generations to be activated simply
by changing the link.
-If a link is present, ntpd follows it to the file name
-to extract the filestamp.
+If a link is present,
+.Xr ntpd @NTPD_MS@
+follows it to the file name to extract the
+.Ar filestamp .
If a link is not present,
.Xr ntpd @NTPD_MS@
-extracts the filestamp from the file itself.
+extracts the
+.Ar filestamp
+from the file itself.
This allows clients to verify that the file and generation times
are always current.
The
.Nm
-program uses the same timestamp extension for all files generated
+program uses the same
+.Ar filestamp
+extension for all files generated
at one time, so each generation is distinct and can be readily
recognized in monitoring data.
-.Ss Running the program
-The safest way to run the
+.Pp
+Run the command on as many hosts as necessary.
+Designate one of them as the trusted host (TH) using
.Nm
-program is logged in directly as root.
-The recommended procedure is change to the keys directory,
-usually
-.Pa /usr/local/etc ,
-then run the program.
-When run for the first time,
-or if all
-.Cm ntpkey
-files have been removed,
-the program generates a RSA host key file and matching RSA\-MD5 certificate file,
-which is all that is necessary in many cases.
-The program also generates soft links from the generic names
-to the respective files.
-If run again, the program uses the same host key file,
-but generates a new certificate file and link.
+with the
+.Fl T
+option and configure it to synchronize from reliable Internet servers.
+Then configure the other hosts to synchronize to the TH directly or
+indirectly.
+A certificate trail is created when Autokey asks the immediately
+ascendant host towards the TH to sign its certificate, which is then
+provided to the immediately descendant host on request.
+All group hosts should have acyclic certificate trails ending on the TH.
.Pp
-The host key is used to encrypt the cookie when required and so must be RSA type.
-By default, the host key is also the sign key used to encrypt signatures.
-When necessary, a different sign key can be specified and this can be
-either RSA or DSA type.
-By default, the message digest type is MD5, but any combination
-of sign key type and message digest type supported by the OpenSSL library
-can be specified, including those using the MD2, MD5, SHA, SHA1, MDC2
-and RIPE160 message digest algorithms.
-However, the scheme specified in the certificate must be compatible
-with the sign key.
-Certificates using any digest algorithm are compatible with RSA sign keys;
-however, only SHA and SHA1 certificates are compatible with DSA sign keys.
+The host key is used to encrypt the cookie when required and so must be
+RSA type.
+By default, the host key is also the sign key used to encrypt
+signatures.
+A different sign key can be assigned using the
+.Fl S
+option and this can be either
+.Cm RSA
+or
+.Cm DSA
+type.
+By default, the signature
+message digest type is
+.Cm MD5 ,
+but any combination of sign key type and
+message digest type supported by the OpenSSL library can be specified
+using the
+.Fl c
+option.
.Pp
-Private/public key files and certificates are compatible with
-other OpenSSL applications and very likely other libraries as well.
-Certificates or certificate requests derived from them should be compatible
-with extant industry practice, although some users might find
-the interpretation of X509v3 extension fields somewhat liberal.
-However, the identification parameter files, although encoded
-as the other files, are probably not compatible with anything other than Autokey.
+The rules say cryptographic media should be generated with proventic
+filestamps, which means the host should already be synchronized before
+this program is run.
+This of course creates a chicken\-and\-egg problem
+when the host is started for the first time.
+Accordingly, the host time
+should be set by some other means, such as eyeball\-and\-wristwatch, at
+least so that the certificate lifetime is within the current year.
+After that and when the host is synchronized to a proventic source, the
+certificate should be re\-generated.
.Pp
-Running the program as other than root and using the Unix
-.Ic su
-command
-to assume root may not work properly, since by default the OpenSSL library
-looks for the random seed file
-.Cm .rnd
-in the user home directory.
-However, there should be only one
-.Cm .rnd ,
-most conveniently
-in the root directory, so it is convenient to define the
-.Cm $RANDFILE
-environment variable used by the OpenSSL library as the path to
-.Cm /.rnd .
+Additional information on trusted groups and identity schemes is on the
+.Dq Autokey Public\-Key Authentication
+page.
.Pp
-Installing the keys as root might not work in NFS\-mounted
-shared file systems, as NFS clients may not be able to write
-to the shared keys directory, even as root.
-In this case, NFS clients can specify the files in another
-directory such as
-.Pa /etc
-using the
-.Ic keysdir
+File names begin with the prefix
+.Pa ntpkey Ns _
+and end with the suffix
+.Pa _ Ns Ar hostname . Ar filestamp ,
+where
+.Ar hostname
+is the owner name, usually the string returned
+by the Unix
+.Xr hostname 1
+command, and
+.Ar filestamp
+is the NTP seconds when the file was generated, in decimal digits.
+This both guarantees uniqueness and simplifies maintenance
+procedures, since all files can be quickly removed
+by a
+.Ic rm Pa ntpkey\&*
+command or all files generated
+at a specific time can be removed by a
+.Ic rm Pa \&* Ns Ar filestamp
command.
-There is no need for one client to read the keys and certificates
-of other clients or servers, as these data are obtained automatically
-by the Autokey protocol.
-.Pp
-Ordinarily, cryptographic files are generated by the host that uses them,
-but it is possible for a trusted agent (TA) to generate these files
-for other hosts; however, in such cases files should always be encrypted.
-The subject name and trusted name default to the hostname
-of the host generating the files, but can be changed by command line options.
-It is convenient to designate the owner name and trusted name
-as the subject and issuer fields, respectively, of the certificate.
-The owner name is also used for the host and sign key files,
-while the trusted name is used for the identity files.
-seconds.
-seconds.
-s Trusted Hosts and Groups
+To further reduce the risk of misconfiguration,
+the first two lines of a file contain the file name
+and generation date and time as comments.
+.Ss Trusted Hosts and Groups
Each cryptographic configuration involves selection of a signature scheme
and identification scheme, called a cryptotype,
as explained in the
@@ -446,8 +364,14 @@
.Sx Authentication Options
section of
.Xr ntp.conf 5 .
-The default cryptotype uses RSA encryption, MD5 message digest
-and TC identification.
+The default cryptotype uses
+.Cm RSA
+encryption,
+.Cm MD5
+message digest
+and
+.Cm TC
+identification.
First, configure a NTP subnet including one or more low\-stratum
trusted hosts from which all other hosts derive synchronization
directly or indirectly.
@@ -465,7 +389,7 @@
.Pp
On each trusted host as root, change to the keys directory.
To insure a fresh fileset, remove all
-.Cm ntpkey
+.Pa ntpkey
files.
Then run
.Nm
@@ -490,7 +414,9 @@
.Cm RSA
or
.Cm DSA .
-The most often need to do this is when a DSA\-signed certificate is used.
+The most frequent need to do this is when a
+.Cm DSA Ns \-signed
+certificate is used.
If it is necessary to use a different certificate scheme than the default,
run
.Nm
@@ -499,10 +425,10 @@
option and selected
.Ar scheme
as needed.
-f
+If
.Nm
is run again without these options, it generates a new certificate
-using the same scheme and sign key.
+using the same scheme and sign key, and soft link.
.Pp
After setting up the environment it is advisable to update certificates
from time to time, if only to extend the validity interval.
@@ -509,7 +435,7 @@
Simply run
.Nm
with the same flags as before to generate new certificates
-using existing keys.
+using existing keys, and soft links.
However, if the host or sign key is changed,
.Xr ntpd @NTPD_MS@
should be restarted.
@@ -520,13 +446,15 @@
at which time the protocol is restarted.
.Ss Identity Schemes
As mentioned on the Autonomous Authentication page,
-the default TC identity scheme is vulnerable to a middleman attack.
+the default
+.Cm TC
+identity scheme is vulnerable to a middleman attack.
However, there are more secure identity schemes available,
-including PC, IFF, GQ and MV described on the
-.Qq Identification Schemes
-page
-(maybe available at
-.Li http://www.eecis.udel.edu/%7emills/keygen.html ) .
+including
+.Cm PC , IFF , GQ
+and
+.Cm MV
+schemes described below.
These schemes are based on a TA, one or more trusted hosts
and some number of nontrusted hosts.
Trusted hosts prove identity using values provided by the TA,
@@ -551,12 +479,15 @@
.Fl P
.Fl p Ar password
to generate the host key file
-.Pa ntpkey_RSAkey_ Ns Ar alice.filestamp
+.Pa ntpkey Ns _ Cm RSA Pa key_alice. Ar filestamp
and trusted private certificate file
-.Pa ntpkey_RSA\-MD5_cert_ Ns Ar alice.filestamp .
+.Pa ntpkey Ns _ Cm RSA\-MD5 _ Pa cert_alice. Ar filestamp ,
+and soft links.
Copy both files to all group hosts;
they replace the files which would be generated in other schemes.
-On each host bob install a soft link from the generic name
+On each host
+.Ar bob
+install a soft link from the generic name
.Pa ntpkey_host_ Ns Ar bob
to the host key file and soft link
.Pa ntpkey_cert_ Ns Ar bob
@@ -565,11 +496,17 @@
by trusted host alice.
In this scheme it is not possible to refresh
either the keys or certificates without copying them
-to all other hosts in the group.
+to all other hosts in the group, and recreating the soft links.
.Pp
-For the IFF scheme proceed as in the TC scheme to generate keys
+For the
+.Cm IFF
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host in the group,
-generate the IFF parameter file.
+generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -576,15 +513,17 @@
.Fl I
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_IFFpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_IFFpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts that operate as both servers
and clients and install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
If there are no hosts restricted to operate only as clients,
there is nothing further to do.
-As the IFF scheme is independent
+As the
+.Cm IFF
+scheme is independent
of keys and certificates, these files can be refreshed as needed.
.Pp
If a rogue client has the parameter file, it could masquerade
@@ -594,17 +533,23 @@
After generating the parameter file, on alice run
.Nm
.Fl e
-and pipe the output to a file or mail program.
-Copy or mail this file to all restricted clients.
+and pipe the output to a file or email program.
+Copy or email this file to all restricted clients.
On these clients install a soft link from the generic
-.Pa ntpkey_iff_ Ns Ar alice
+.Pa ntpkey_iff_alice
to this file.
To further protect the integrity of the keys,
each file can be encrypted with a secret password.
.Pp
-For the GQ scheme proceed as in the TC scheme to generate keys
+For the
+.Cm GQ
+scheme proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts, then for every trusted host
-in the group, generate the IFF parameter file.
+in the group, generate the
+.Cm IFF
+parameter file.
On trusted host alice run
.Nm
.Fl T
@@ -611,20 +556,30 @@
.Fl G
.Fl p Ar password
to produce her parameter file
-.Pa ntpkey_GQpar_ Ns Ar alice.filestamp ,
+.Pa ntpkey_GQpar_alice. Ns Ar filestamp ,
which includes both server and client keys.
Copy this file to all group hosts and install a soft link
from the generic
-.Pa ntpkey_gq_ Ns Ar alice
+.Pa ntpkey_gq_alice
to this file.
-In addition, on each host bob install a soft link
+In addition, on each host
+.Ar bob
+install a soft link
from generic
.Pa ntpkey_gq_ Ns Ar bob
to this file.
-As the GQ scheme updates the GQ parameters file and certificate
+As the
+.Cm GQ
+scheme updates the
+.Cm GQ
+parameters file and certificate
at the same time, keys and certificates can be regenerated as needed.
.Pp
-For the MV scheme, proceed as in the TC scheme to generate keys
+For the
+.Cm MV
+scheme, proceed as in the
+.Cm TC
+scheme to generate keys
and certificates for all group hosts.
For illustration assume trish is the TA, alice one of several trusted hosts
and bob one of her clients.
@@ -636,9 +591,9 @@
.Ar n
is the number of revokable keys (typically 5) to produce
the parameter file
-.Pa ntpkeys_MVpar_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVpar_trish. Ns Ar filestamp
and client key files
-.Pa ntpkeys_MVkeyd_ Ns Ar trish.filestamp
+.Pa ntpkeys_MVkey Ns Ar d _ Pa trish. Ar filestamp
where
.Ar d
is the key number (0 \&<
@@ -647,80 +602,217 @@
.Ar n ) .
Copy the parameter file to alice and install a soft link
from the generic
-.Pa ntpkey_mv_ Ns Ar alice
+.Pa ntpkey_mv_alice
to this file.
Copy one of the client key files to alice for later distribution
to her clients.
-It doesn't matter which client key file goes to alice,
+It does not matter which client key file goes to alice,
since they all work the same way.
-Alice copies the client key file to all of her cliens.
+Alice copies the client key file to all of her clients.
On client bob install a soft link from generic
-.Pa ntpkey_mvkey_ Ns Ar bob
+.Pa ntpkey_mvkey_bob
to the client key file.
-As the MV scheme is independent of keys and certificates,
+As the
+.Cm MV
+scheme is independent of keys and certificates,
these files can be refreshed as needed.
.Ss Command Line Options
.Bl -tag -width indent
-.It Fl c Ar scheme
-Select certificate message digest/signature encryption scheme.
+.It Fl b Fl \-imbits Ns = Ar modulus
+Set the number of bits in the identity modulus for generating identity keys to
+.Ar modulus
+bits.
+The number of bits in the identity modulus defaults to 256, but can be set to
+values from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl c Fl \-certificate Ns = Ar scheme
+Select certificate signature encryption/message digest scheme.
The
.Ar scheme
can be one of the following:
-. Cm RSA\-MD2 , RSA\-MD5 , RSA\-SHA , RSA\-SHA1 , RSA\-MDC2 , RSA\-RIPEMD160 , DSA\-SHA ,
+.Cm RSA\-MD2 , RSA\-MD5 , RSA\-MDC2 , RSA\-SHA , RSA\-SHA1 , RSA\-RIPEMD160 , DSA\-SHA ,
or
.Cm DSA\-SHA1 .
-Note that RSA schemes must be used with a RSA sign key and DSA
-schemes must be used with a DSA sign key.
+Note that
+.Cm RSA
+schemes must be used with an
+.Cm RSA
+sign key and
+.Cm DSA
+schemes must be used with a
+.Cm DSA
+sign key.
The default without this option is
.Cm RSA\-MD5 .
-.It Fl d
-Enable debugging.
+If compatibility with FIPS 140\-2 is required, either the
+.Cm DSA\-SHA
+or
+.Cm DSA\-SHA1
+scheme must be used.
+.It Fl C Fl \-cipher Ns = Ar cipher
+Select the OpenSSL cipher to encrypt the files containing private keys.
+The default without this option is three\-key triple DES in CBC mode,
+.Cm des\-ede3\-cbc .
+The
+.Ic openssl Fl h
+command provided with OpenSSL displays available ciphers.
+.It Fl d Fl \-debug\-level
+Increase debugging verbosity level.
This option displays the cryptographic data produced in eye\-friendly billboards.
-.It Fl e
-Write the IFF client keys to the standard output.
-This is intended for automatic key distribution by mail.
-.It Fl G
-Generate parameters and keys for the GQ identification scheme,
-obsoleting any that may exist.
-.It Fl g
-Generate keys for the GQ identification scheme
-using the existing GQ parameters.
-If the GQ parameters do not yet exist, create them first.
-.It Fl H
-Generate new host keys, obsoleting any that may exist.
-.It Fl I
-Generate parameters for the IFF identification scheme,
-obsoleting any that may exist.
-.It Fl i Ar name
-Set the suject name to
-.Ar name .
-This is used as the subject field in certificates
-and in the file name for host and sign keys.
-.It Fl M
-Generate MD5 keys, obsoleting any that may exist.
-.It Fl P
-Generate a private certificate.
+.It Fl D Fl \-set\-debug\-level Ns = Ar level
+Set the debugging verbosity to
+.Ar level .
+This option displays the cryptographic data produced in eye\-friendly billboards.
+.It Fl e Fl \-id\-key
+Write the
+.Cm IFF
+or
+.Cm GQ
+public parameters from the
+.Ar IFFkey or GQkey
+client keys file previously specified
+as unencrypted data to the standard output stream
+.Pa stdout .
+This is intended for automatic key distribution by email.
+.It Fl G Fl \-gq\-params
+Generate a new encrypted
+.Cm GQ
+parameters and key file for the Guillou\-Quisquater (GQ) identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl V
+options.
+.It Fl H Fl \-host\-key
+Generate a new encrypted
+.Cm RSA
+public/private host key file.
+.It Fl I Fl \-iffkey
+Generate a new encrypted
+.Cm IFF
+key file for the Schnorr (IFF) identity scheme.
+This option is mutually exclusive with the
+.Fl G
+and
+Fl V
+options.
+.It Fl i Fl \-ident Ns = Ar group
+Set the optional Autokey group name to
+.Ar group .
+This is used in the identity scheme parameter file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+client parameters files.
+In that role, the default is the host name if no group is provided.
+The group name, if specified using
+.Fl i
+or
+.Fl s
+following an
+.Ql @
+character, is also used in certificate subject and issuer names in the form
+.Ar host @ group
+and should match the group specified via
+.Ic crypto Cm ident
+or
+.Ic server Cm ident
+in the ntpd configuration file.
+.It Fl l Fl \-lifetime Ns = Ar days
+Set the lifetime for certificate expiration to
+.Ar days .
+The default lifetime is one year (365 days).
+.It Fl m Fl \-modulus Ns = Ar bits
+Set the number of bits in the prime modulus for generating files to
+.Ar bits .
+The modulus defaults to 512, but can be set from 256 to 2048 (32 to 256 octets).
+Use the larger moduli with caution, as this can consume considerable computing
+resources and increases the size of authenticated packets.
+.It Fl M Fl \-md5key
+Generate a new symmetric keys file containing 10
+.Cm MD5
+keys, and if OpenSSL is available, 10
+.Cm SHA
+keys.
+An
+.Cm MD5
+key is a string of 20 random printable ASCII characters, while a
+.Cm SHA
+key is a string of 40 random hex digits.
+The file can be edited using a text editor to change the key type or key content.
+This option is mutually exclusive with all other options.
+.It Fl p Fl \-password Ns = Ar passwd
+Set the password for reading and writing encrypted files to
+.Ar passwd .
+These include the host, sign and identify key files.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl P Fl \-pvt\-cert
+Generate a new private certificate used by the
+.Cm PC
+identity scheme.
By default, the program generates public certificates.
-.It Fl p Ar password
-Encrypt generated files containing private data with
-.Ar password
-and the DES\-CBC algorithm.
-.It Fl q
-Set the password for reading files to password.
-.It Fl S Oo Cm RSA | DSA Oc
-Generate a new sign key of the designated type,
-obsoleting any that may exist.
-By default, the program uses the host key as the sign key.
-.It Fl s Ar name
-Set the issuer name to
-.Ar name .
-This is used for the issuer field in certificates
-and in the file name for identity files.
-.It Fl T
+Note: the PC identity scheme is not recommended for new installations.
+.It Fl q Fl \-export\-passwd Ns = Ar passwd
+Set the password for writing encrypted
+.Cm IFF , GQ and MV
+identity files redirected to
+.Pa stdout
+to
+.Ar passwd .
+In effect, these files are decrypted with the
+.Fl p
+password, then encrypted with the
+.Fl q
+password.
+By default, the password is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl s Fl \-subject\-key Ns = Ar Oo host Oc Op @ Ar group
+Specify the Autokey host name, where
+.Ar host
+is the optional host name and
+.Ar group
+is the optional group name.
+The host name, and if provided, group name are used in
+.Ar host @ group
+form as certificate subject and issuer.
+Specifying
+.Fl s @ Ar group
+is allowed, and results in leaving the host name unchanged, as with
+.Fl i Ar group .
+The group name, or if no group is provided, the host name are also used in the
+file names of
+.Cm IFF , GQ ,
+and
+.Cm MV
+identity scheme client parameter files.
+If
+.Ar host
+is not specified, the default host name is the string returned by the Unix
+.Ic hostname
+command.
+.It Fl S Fl \-sign\-key Ns = Op Cm RSA | DSA
+Generate a new encrypted public/private sign key file of the specified type.
+By default, the sign key is the host key and has the same type.
+If compatibility with FIPS 140\-2 is required, the sign key type must be
+.Cm DSA .
+.It Fl T Fl \-trusted\-cert
Generate a trusted certificate.
By default, the program generates a non\-trusted certificate.
-.It Fl V Ar nkeys
-Generate parameters and keys for the Mu\-Varadharajan (MV) identification scheme.
+.It Fl V Fl \-mv\-params Ar nkeys
+Generate
+.Ar nkeys
+encrypted server keys and parameters for the Mu\-Varadharajan (MV)
+identity scheme.
+This option is mutually exclusive with the
+.Fl I
+and
+.Fl G
+options.
+Note: support for this option should be considered a work in progress.
.El
.Ss Random Seed File
All cryptographically sound key generation schemes must have means
@@ -744,7 +836,7 @@
.Pp
The entropy seed used by the OpenSSL library is contained in a file,
usually called
-.Cm .rnd ,
+.Pa .rnd ,
which must be available when starting the NTP daemon
or the
.Nm
@@ -751,7 +843,7 @@
program.
The NTP daemon will first look for the file
using the path specified by the
-.Ic randfile
+.Cm randfile
subcommand of the
.Ic crypto
configuration command.
@@ -767,44 +859,118 @@
.Ev RANDFILE
environment variable is not present,
the library will look for the
-.Cm .rnd
+.Pa .rnd
file in the user home directory.
+Since both the
+.Nm
+program and
+.Xr ntpd @NTPD_MS@
+daemon must run as root, the logical place to put this file is in
+.Pa /.rnd
+or
+.Pa /root/.rnd .
If the file is not available or cannot be written,
the daemon exits with a message to the system log and the program
exits with a suitable error message.
.Ss Cryptographic Data Files
-All other file formats begin with two lines.
-The first contains the file name, including the generated host name
-and filestamp.
-The second contains the datestamp in conventional Unix date format.
-Lines beginning with # are considered comments and ignored by the
+All file formats begin with two nonencrypted lines.
+The first line contains the file name, including the generated host name
+and filestamp, in the format
+.Pa ntpkey_ Ns Ar key _ Ar name . Ar filestamp ,
+where
+.Ar key
+is the key or parameter type,
+.Ar name
+is the host or group name and
+.Ar filestamp
+is the filestamp (NTP seconds) when the file was created.
+By convention,
+.Ar key
+names in generated file names include both upper and lower case
+characters, while
+.Ar key
+names in generated link names include only lower case characters.
+The filestamp is not used in generated link names.
+The second line contains the datestamp in conventional Unix
+.Pa date
+format.
+Lines beginning with
+.Ql #
+are considered comments and ignored by the
.Nm
program and
.Xr ntpd @NTPD_MS@
daemon.
-Cryptographic values are encoded first using ASN.1 rules,
-then encrypted if necessary, and finally written PEM\-encoded
-printable ASCII format preceded and followed by MIME content identifier lines.
.Pp
-The format of the symmetric keys file is somewhat different
-than the other files in the interest of backward compatibility.
-Since DES\-CBC is deprecated in NTPv4, the only key format of interest
-is MD5 alphanumeric strings.
-Following hte heard the keys are
-entered one per line in the format
-.D1 Ar keyno type key
+The remainder of the file contains cryptographic data, encoded first using ASN.1
+rules, then encrypted if necessary, and finally written in PEM\-encoded
+printable ASCII text, preceded and followed by MIME content identifier lines.
+.Pp
+The format of the symmetric keys file, ordinarily named
+.Pa ntp.keys ,
+is somewhat different than the other files in the interest of backward compatibility.
+Ordinarily, the file is generated by this program, but it can be constructed
+and edited using an ordinary text editor.
+.Bd -literal -unfilled -offset center
+# ntpkey_MD5key_bk.ntp.org.3595864945
+# Thu Dec 12 19:22:25 2013
+1 MD5 L";Nw<\`.I<f4U0)247"i # MD5 key
+2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+4 MD5 Yue:tL[+vR)M\`n~bY,'? # MD5 key
+5 MD5 B;fx'Kgr/&4ZTbL6=RxA # MD5 key
+6 MD5 4eYwa\`o}3i@@V@..R9!l # MD5 key
+7 MD5 \`A.([h+;wTQ|xfi%Sn_! # MD5 key
+8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+9 MD5 3\-5vcn*6l29DS?Xdsg)* # MD5 key
+10 MD5 2late4Me # MD5 key
+11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+.Ed
+.D1 Figure 1. Typical Symmetric Key File
+.Pp
+Figure 1 shows a typical symmetric keys file used by the reference
+implementation.
+Following the header the keys are entered one per line in the format
+.D1 Ar keyno Ar type Ar key
where
.Ar keyno
-is a positive integer in the range 1\-65,535,
+is a positive integer in the range 1\-65534;
.Ar type
-is the string MD5 defining the key format and
+is the key type for the message digest algorithm, which in the absence of the
+OpenSSL library must be
+.Cm MD5
+to designate the MD5 message digest algorithm;
+if the OpenSSL library is installed, the key type can be any
+message digest algorithm supported by that library;
+however, if compatibility with FIPS 140\-2 is required,
+the key type must be either
+.Cm SHA
+or
+.Cm SHA1 ;
.Ar key
is the key itself,
-which is a printable ASCII string 16 characters or less in length.
-Each character is chosen from the 93 printable characters
-in the range 0x21 through 0x7f excluding space and the
+which is a printable ASCII string 20 characters or less in length:
+each character is chosen from the 93 printable characters
+in the range 0x21 through 0x7e (
+.Ql !
+through
+.Ql ~
+\&) excluding space and the
.Ql #
+character, and terminated by whitespace or a
+.Ql #
character.
+An OpenSSL key consists of a hex\-encoded ASCII string of 40 characters, which
+is truncated as necessary.
.Pp
Note that the keys used by the
.Xr ntpq @NTPQ_MS@
@@ -817,8 +983,8 @@
.Pp
The
.Nm
-program generates a MD5 symmetric keys file
-.Pa ntpkey_MD5key_ Ns Ar hostname.filestamp .
+program generates a symmetric keys file
+.Pa ntpkey_MD5key_ Ns Ar hostname Ns . Ns Ar filestamp .
Since the file contains private shared keys,
it should be visible only to root and distributed by secure means
to other subnet hosts.
@@ -856,10 +1022,10 @@
certificate scheme.
.sp
scheme is one of
-RSA\-MD2, RSA\-MD5, RSA\-SHA, RSA\-SHA1, RSA\-MDC2, RSA\-RIPEMD160,
+RSA\-MD2, RSA\-MD5, RSA\-MDC2, RSA\-SHA, RSA\-SHA1, RSA\-RIPEMD160,
DSA\-SHA, or DSA\-SHA1.
.sp
-Select the certificate message digest/signature encryption scheme.
+Select the certificate signature encryption/message digest scheme.
Note that RSA schemes must be used with a RSA sign key and DSA
schemes must be used with a DSA sign key. The default without
this option is RSA\-MD5.
@@ -868,7 +1034,7 @@
.sp
Select the cipher which is used to encrypt the files containing
private keys. The default is three\-key triple DES in CBC mode,
-equivalent to "@code{\-C des\-ede3\-cbc". The openssl tool lists ciphers
+equivalent to "\fB\-C des\-ede3\-cbc\fP". The openssl tool lists ciphers
available in "\fBopenssl \-h\fP" output.
.It Fl d , Fl \-debug\-level
Increase debug verbosity level.
@@ -882,8 +1048,9 @@
.It Fl e , Fl \-id\-key
Write IFF or GQ identity keys.
.sp
-Write the IFF or GQ client keys to the standard output. This is
-intended for automatic key distribution by mail.
+Write the public parameters from the IFF or GQ client keys to
+the standard output.
+This is intended for automatic key distribution by email.
.It Fl G , Fl \-gq\-params
Generate GQ parameters and keys.
.sp
@@ -906,21 +1073,17 @@
that role, the default is the host name if this option is not
provided. The group name, if specified using \fB\-i/\-\-ident\fP or
using \fB\-s/\-\-subject\-name\fP following an '\fB@\fP' character,
-is also a part of the self\-signed host certificate's subject and
+is also a part of the self\-signed host certificate subject and
issuer names in the form \fBhost@group\fP and should match the
-\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in
-\fBntpd\fP's configuration file.
+\'\fBcrypto ident\fP' or '\fBserver ident\fP' configuration in the
+\fBntpd\fP configuration file.
.It Fl l Ar lifetime , Fl \-lifetime Ns = Ns Ar lifetime
set certificate lifetime.
This option takes an integer number as its argument.
.sp
Set the certificate expiration to lifetime days from now.
-.It Fl M , Fl \-md5key
-generate MD5 keys.
-.sp
-Generate MD5 keys, obsoleting any that may exist.
.It Fl m Ar modulus , Fl \-modulus Ns = Ns Ar modulus
-modulus.
+prime modulus.
This option takes an integer number as its argument.
The value of
.Ar modulus
@@ -933,6 +1096,10 @@
.in -4
.sp
The number of bits in the prime modulus. The default is 512.
+.It Fl M , Fl \-md5key
+generate symmetric keys.
+.sp
+Generate symmetric keys, obsoleting any that may exist.
.It Fl P , Fl \-pvt\-cert
generate PC private certificate.
.sp
@@ -954,12 +1121,6 @@
The same password must be specified to the remote ntpd via the
"crypto pw password" configuration command. See also the option
-\-id\-key (\-e) for unencrypted exports.
-.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
-generate sign key (RSA or DSA).
-.sp
-Generate a new sign key of the designated type, obsoleting any
-that may exist. By default, the program uses the host key as the
-sign key.
.It Fl s Ar host@group , Fl \-subject\-name Ns = Ns Ar host@group
set host and optionally group name.
.sp
@@ -967,12 +1128,18 @@
following an '\fB@\fP' character. The host name is used in the file
name of generated host and signing certificates, without the
group name. The host name, and if provided, group name are used
-in \fBhost@group\fP form for the host certificate's subject and issuer
+in \fBhost@group\fP form for the host certificate subject and issuer
fields. Specifying '\fB\-s @group\fP' is allowed, and results in
leaving the host name unchanged while appending \fB@group\fP to the
subject and issuer fields, as with \fB\-i group\fP. The group name, or
if not provided, the host name are also used in the file names
of IFF, GQ, and MV client parameter files.
+.It Fl S Ar sign , Fl \-sign\-key Ns = Ns Ar sign
+generate sign key (RSA or DSA).
+.sp
+Generate a new sign key of the designated type, obsoleting any
+that may exist. By default, the program uses the host key as the
+sign key.
.It Fl T , Fl \-trusted\-cert
trusted certificate (TC scheme).
.sp
@@ -1021,18 +1188,6 @@
If any of these are directories, then the file \fI.ntprc\fP
is searched for within those directories.
.Sh USAGE
-The
-.Fl p Ar password
-option specifies the write password and
-.Fl q Ar password
-option the read password for previously encrypted files.
-The
-.Nm
-program prompts for the password if it reads an encrypted file
-and the password is missing or incorrect.
-If an encrypted file is read successfully and
-no write password is specified, the read password is used
-as the write password by default.
.Sh "ENVIRONMENT"
See \fBOPTION PRESETS\fP for configuration environment variables.
.Sh "FILES"
@@ -1056,10 +1211,7 @@
Copyright (C) 1992\-2017 The University of Delaware and Network Time Foundation all rights reserved.
This program is released under the terms of the NTP license, <http://ntp.org/license>.
.Sh BUGS
-It can take quite a while to generate some cryptographic values,
-from one to several minutes with modern architectures
-such as UltraSPARC and up to tens of minutes to an hour
-with older architectures such as SPARC IPC.
+It can take quite a while to generate some cryptographic values.
.Pp
Please report bugs to http://bugs.ntp.org .
.Pp