Review

README

@@ -1,3 +1,15 @@
+This is a modified version of chrony 4.8, with added support for the protocols
+needed for NTS pools. It is mainly intended for use as a server for the
+experimental pool at https://experimental.ntspooltest.org/.
+
+For inclusion in a pool, this version of chrony requires that the pool token is
+added to the file specified by the ntsauthtokenfile configuration command. See
+the crhony.conf documentation for details on how to do this.
+
+The original README for chrony is included below for reference.
+
+===============================================================================
+
 This is the README for chrony.
 
 What is chrony?

conf.c

@@ -102,6 +102,7 @@ static char *rtc_device;
 static int acquisition_port = -1;
 static int ntp_port = NTP_PORT;
 static char *keys_file = NULL;
+static char *nts_auth_token_file = NULL;
 static char *drift_file = NULL;
 static int drift_file_interval = 3600;
 static char *rtc_file = NULL;
@@ -281,6 +282,7 @@ static ARR_Instance nts_server_key_files; /* array of (char *) */
 static int nts_server_port = NKE_PORT;
 static int nts_server_processes = 1;
 static int nts_server_connections = 100;
+static int nts_longterm_connections = 5;
 static int nts_refresh = 2419200; /* 4 weeks */
 static int nts_rotate = 604800; /* 1 week */
 static ARR_Instance nts_trusted_certs_paths; /* array of (char *) */
@@ -515,6 +517,7 @@ CNF_Finalise(void)
   Free(dumpdir);
   Free(hwclock_file);
   Free(keys_file);
+  Free(nts_auth_token_file);
   Free(leapsec_tz);
   Free(leapsec_list);
   Free(logdir);
@@ -662,6 +665,8 @@ CNF_ParseLine(const char *filename, int number, char *line)
     parse_initstepslew(p);
   } else if (!strcasecmp(command, "keyfile")) {
     parse_string(p, &keys_file);
+  } else if (!strcasecmp(command, "ntsauthtokenfile")) {
+    parse_string(p, &nts_auth_token_file);
   } else if (!strcasecmp(command, "leapsecmode")) {
     parse_leapsecmode(p);
   } else if (!strcasecmp(command, "leapsectz")) {
@@ -698,6 +703,8 @@ CNF_ParseLine(const char *filename, int number, char *line)
     parse_double(p, &max_jitter);
   } else if (!strcasecmp(command, "maxntsconnections")) {
     parse_int(p, &nts_server_connections, 1, INT_MAX);
+  } else if (!strcasecmp(command, "maxntslongtermconnections")) {
+    parse_int(p, &nts_longterm_connections, 0, INT_MAX);
   } else if (!strcasecmp(command, "maxsamples")) {
     parse_int(p, &max_samples, 0, INT_MAX);
   } else if (!strcasecmp(command, "maxslewrate")) {
@@ -2000,6 +2007,8 @@ CNF_CheckReadOnlyAccess(void)
 
   if (keys_file)
     UTI_CheckReadOnlyAccess(keys_file);
+  if (nts_auth_token_file)
+    UTI_CheckReadOnlyAccess(nts_auth_token_file);
   for (i = 0; i < ARR_GetSize(nts_server_key_files); i++)
     UTI_CheckReadOnlyAccess(*(char **)ARR_GetElement(nts_server_key_files, i));
 }
@@ -2215,6 +2224,14 @@ CNF_GetKeysFile(void)
 
 /* ================================================== */
 
+char *
+CNF_GetNtsAuthTokenFile(void)
+{
+  return nts_auth_token_file;
+}
+
+/* ================================================== */
+
 double
 CNF_GetRtcAutotrim(void)
 {
@@ -2842,6 +2859,14 @@ CNF_GetNtsServerConnections(void)
 
 /* ================================================== */
 
+int
+CNF_GetNtsLongtermConnections(void)
+{
+  return nts_longterm_connections;
+}
+
+/* ================================================== */
+
 int
 CNF_GetNtsRefresh(void)
 {

conf.h

@@ -68,6 +68,7 @@ extern int CNF_GetLogRtc(void);
 extern int CNF_GetLogRefclocks(void);
 extern int CNF_GetLogTempComp(void);
 extern char *CNF_GetKeysFile(void);
+extern char *CNF_GetNtsAuthTokenFile(void);
 extern char *CNF_GetRtcFile(void);
 extern int CNF_GetManualEnabled(void);
 extern ARR_Instance CNF_GetOpenCommands(void);
@@ -173,6 +174,7 @@ extern int CNF_GetNtsServerCertAndKeyFiles(const char ***certs, const char ***ke
 extern int CNF_GetNtsServerPort(void);
 extern int CNF_GetNtsServerProcesses(void);
 extern int CNF_GetNtsServerConnections(void);
+extern int CNF_GetNtsLongtermConnections(void);
 extern int CNF_GetNtsRefresh(void);
 extern int CNF_GetNtsRotate(void);
 extern int CNF_GetNtsTrustedCertsPaths(const char ***paths, uint32_t **ids);

doc/chrony.conf.adoc

@@ -1860,6 +1860,15 @@ This directive can be used multiple times to specify multiple keys. The number
 of keys must be the same as the number of certificates, and the corresponding
 files must be specified in the same order.
 
+[[ntsauthtokenfile]]*ntsauthtokenfile* _file_::
+This directive specifies a file containing the authentication tokens used
+to check a pool connecting to chrony is allowed to do so. The file needs to be
+readable by the user under which *chronyd* is running after dropping root
+privileges. For security reasons, it should not be readable by other users.
++
+The file should contain one authentication token per line, and all lines
+including the last one should be ended with a newline. Emtpy lines are ignored.
+
 [[ntsprocesses]]*ntsprocesses* _processes_::
 This directive specifies how many helper processes will *chronyd* operating
 as an NTS server start for handling client NTS-KE requests in order to improve
@@ -1873,6 +1882,13 @@ per process that the NTS server will accept. The default value is 100. The
 maximum practical value is half of the system *FD_SETSIZE* constant (usually
 1024).
 
+[[maxntslongtermconnections]]*maxntslongtermconnections* _connections_::
+This directive specifies the maximum number of concurrent longterm NTS-KE
+connections per process that the NTS server will accept from pools. The
+default value is 5. This value should be kept smaller than *maxntsconnections*,
+otherwise clients trying to use the server may get starved from new
+connections.
+
 [[ntsaeads2]]*ntsaeads* _ID_...::
 This directive specifies a list of IDs of Authenticated Encryption with
 Associated Data (AEAD) algorithms enabled for NTS authentication of NTP

nts_ke.h

@@ -41,6 +41,11 @@
 #define NKE_RECORD_NTPV4_SERVER_NEGOTIATION 6
 #define NKE_RECORD_NTPV4_PORT_NEGOTIATION 7
 #define NKE_RECORD_COMPLIANT_128GCM_EXPORT 1024
+#define NKE_RECORD_KEEP_ALIVE           0x4000
+#define NKE_RECORD_SUPPORTED_ALGORITHMS 0x4001
+#define NKE_RECORD_SUPPORTED_PROTOCOLS  0x4004
+#define NKE_RECORD_FIXED_KEY            0x4002
+#define NKE_RECORD_AUTH_TOKEN           0x4005
 
 #define NKE_NEXT_PROTOCOL_NTPV4         0