ntpd 1.7.2

Full-featured implementation of NTP with NTS support
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

use std::{
    fs::{File, OpenOptions},
    os::unix::prelude::{OpenOptionsExt, PermissionsExt},
    sync::Arc,
};

use ntp_proto::{KeySet, KeySetProvider};
use tokio::sync::watch;
use tracing::{Span, instrument, warn};

use super::config::KeysetConfig;

#[instrument(level = tracing::Level::ERROR, name = "KeySet Provider", skip_all, fields(path = debug(config.key_storage_path.clone())))]
pub async fn spawn(config: KeysetConfig) -> watch::Receiver<Arc<KeySet>> {
    let (mut provider, mut next_interval) = match &config.key_storage_path {
        Some(path) => {
            let path = path.to_owned();

            if let Ok(meta) = std::fs::metadata(&path) {
                let perm = meta.permissions();

                if perm.mode() as libc::mode_t & (libc::S_IWOTH | libc::S_IROTH | libc::S_IXOTH)
                    != 0
                {
                    warn!(
                        "Keyset file permissions: Others can interact with it. This is a potential security issue."
                    );
                }
            }

            let (provider, time) = tokio::task::spawn_blocking(
                move || -> std::io::Result<(KeySetProvider, std::time::SystemTime)> {
                    let mut input = File::open(path)?;
                    KeySetProvider::load(&mut input, config.stale_key_count)
                },
            )
            .await
            .unwrap_or_else(|e| Err(std::io::Error::other(e)))
            .unwrap_or_else(|e| {
                warn!(error = ?e, "Could not load nts server keys, starting with new set");
                (
                    KeySetProvider::new(config.stale_key_count),
                    std::time::SystemTime::now(),
                )
            });
            (
                provider,
                std::time::Duration::from_secs(config.key_rotation_interval as _).saturating_sub(
                    std::time::SystemTime::now()
                        .duration_since(time)
                        .unwrap_or(std::time::Duration::from_secs(0)),
                ),
            )
        }
        None => (
            KeySetProvider::new(config.stale_key_count),
            std::time::Duration::from_secs(config.key_rotation_interval as _),
        ),
    };
    let (tx, rx) = watch::channel(provider.get());
    let span = Span::current();
    tokio::task::spawn_blocking(move || {
        let _enter = span.enter();
        loop {
            // First save, then sleep. Ensures new sets created at boot are also saved.
            if let Some(path) = &config.key_storage_path
                && let Err(e) = (|| -> std::io::Result<()> {
                    let mut output = OpenOptions::new()
                        .create(true)
                        .truncate(true)
                        .write(true)
                        .mode(0o600)
                        .open(path)?;
                    provider.store(&mut output)
                })()
            {
                if e.kind() == std::io::ErrorKind::NotFound
                    || e.kind() == std::io::ErrorKind::PermissionDenied
                {
                    warn!(error = ?e, "Could not store nts server keys, parent directory does not exist or has insufficient permissions");
                } else {
                    warn!(error = ?e, "Could not store nts server keys");
                }
            }
            if tx.send(provider.get()).is_err() {
                break;
            }
            std::thread::sleep(next_interval);
            next_interval = std::time::Duration::from_secs(config.key_rotation_interval as _);
            provider.rotate();
        }
    });
    rx
}