From 1dc8c501a66ac05bea4700809ae22da9231bb951 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Fri, 30 Oct 2020 17:02:49 +0100
Subject: [PATCH 1/3] chrony: rework loading of configuration

Instead of loading /etc/chrony/chrony.conf from the file generated from the chrony UCI configuration, use the confdir directive in the main config to load the generated file. This should make it obvious that chrony is configured in UCI and it can also be easily disabled.

Signed-off-by: Miroslav Lichvar
---
 net/chrony/files/chrony.conf | 3 ++-
 net/chrony/files/chronyd.init | 11 +++++------
 2 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/chrony/files/chrony.conf b/net/chrony/files/chrony.conf
index 410e63b94..4ad195c3e 100644
--- a/net/chrony/files/chrony.conf
+++ b/net/chrony/files/chrony.conf
@@ -1,4 +1,5 @@
-# This file is included from config file generated from /etc/config/chrony
+# Load UCI configuration
+confdir /var/etc/chrony.d
 # Log clock errors above 0.5 seconds
 logchange 0.5
diff --git a/net/chrony/files/chronyd.init b/net/chrony/files/chronyd.init
index 492f755ff..42b052d8b 100644
--- a/net/chrony/files/chronyd.init
+++ b/net/chrony/files/chronyd.init
@@ -4,8 +4,8 @@
 START=15
 USE_PROCD=1
 PROG=/usr/sbin/chronyd
-CONFIGFILE=/var/etc/chrony.conf
-INCLUDEFILE=/etc/chrony/chrony.conf
+CONFIGFILE=/etc/chrony/chrony.conf
+INCLUDEFILE=/var/etc/chrony.d/10-uci.conf
 handle_source() {
 local cfg=$1 sourcetype=$2 hostname minpoll maxpoll iburst
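Review bot: After this hunk `INCLUDEFILE` is the generated fragment that `confdir` picks up and `CONFIGFILE` is the static main file, so the two variable names now read backwards against what the commit does (nothing is `include`d any more). Renaming the generated one, e.g. `UCIFILE=/var/etc/chrony.d/10-uci.conf`, and updating its uses in start_service would keep the init script self-explanatory; start_service is in a later hunk of this patch. The trailing `handle_source() {` line is only context here and the function body continues outside the hunk.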
@@ -57,20 +57,19 @@ start_service() {
 . /lib/functions/network.sh
 procd_open_instance
- procd_set_param command $PROG -n -f $CONFIGFILE
+ procd_set_param command $PROG -n
 procd_set_param file $CONFIGFILE
 procd_set_param file $INCLUDEFILE
 procd_close_instance
 config_load chrony
- mkdir -p $(dirname $CONFIGFILE)
+ mkdir -p $(dirname $INCLUDEFILE)
 (
- echo include $INCLUDEFILE
 config_foreach handle_source server server
 config_foreach handle_source pool pool
 config_foreach handle_source peer peer
 config_foreach handle_allow allow
 config_foreach handle_makestep makestep
- ) > $CONFIGFILE
+ ) > $INCLUDEFILE
 }
From b9d6d6cdd0c4353a141c4a4c27337b7734a8d352 Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Fri, 30 Oct 2020 20:02:48 +0100
Subject: [PATCH 2/3] chrony: improve hotplug script

- Use the chronyc onoffline command to update state of all sources per current routing configuration
- Don't ignore the "ifupdate" action
- Add NTP servers from DHCP for the interface that went up instead of the wan4+wan6 interfaces
- Save the servers to files loaded by the sourcedir directive to not lose them when chronyd is restarted, and remove them when the interface goes down

Signed-off-by: Miroslav Lichvar
---
 net/chrony/files/chrony.conf | 3 +++
 net/chrony/files/chrony.hotplug | 35 +++++++++++++++++----------------
 2 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/net/chrony/files/chrony.conf b/net/chrony/files/chrony.conf
index 4ad195c3e..c427e85ac 100644
--- a/net/chrony/files/chrony.conf
+++ b/net/chrony/files/chrony.conf
@@ -1,6 +1,9 @@
 # Load UCI configuration
 confdir /var/etc/chrony.d
+# Load NTP servers from DHCP if enabled in UCI
+sourcedir /var/run/chrony-dhcp
+
 # Log clock errors above 0.5 seconds
 logchange 0.5
diff --git a/net/chrony/files/chrony.hotplug b/net/chrony/files/chrony.hotplug
index 6ab210466..eb44c28ee 100644
--- a/net/chrony/files/chrony.hotplug
+++ b/net/chrony/files/chrony.hotplug
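Review bot: `mkdir -p $(dirname $INCLUDEFILE)` and `) > $INCLUDEFILE` keep the expansions unquoted, while the hotplug script in the next patch of this series writes the same operation as `mkdir -p "$(dirname "$SOURCEFILE")"`; the paths are fixed strings so this is a consistency point rather than a bug, but `mkdir -p "$(dirname "$INCLUDEFILE")"` and `) > "$INCLUDEFILE"` would align the two scripts. Worth a comment next to the write is that `confdir` loads every `*.conf` file in `/var/etc/chrony.d` and start_service only ever rewrites `10-uci.conf`, so any other file left in that directory keeps being loaded across restarts — presumably harmless because /var is volatile on OpenWrt, but `# confdir loads all *.conf in this directory; only 10-uci.conf is regenerated here` makes the assumption visible.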
@@ -1,20 +1,18 @@
 #!/bin/sh
 # Set chronyd online/offline status, allow NTP access and add servers from DHCP
-[ "$ACTION" = ifup -o "$ACTION" = ifdown ] || exit 0
+SOURCEFILE="/var/run/chrony-dhcp/$INTERFACE.sources"
 run_command() {
 /usr/bin/chronyc -n "$*" > /dev/null 2>&1
 }
-run_command tracking || exit 0
+run_command onoffline
-. /lib/functions/network.sh
-
-network_find_wan iface4
-network_find_wan6 iface6
-run_command $([ -n "$iface4" ] && echo online || echo offline) 0.0.0.0/0.0.0.0
-run_command $([ -n "$iface6" ] && echo online || echo offline) ::/0
+if [ "$ACTION" = ifdown ] && [ -f "$SOURCEFILE" ]; then
+ rm -f "$SOURCEFILE"
+ run_command reload sources
+fi
 [ "$ACTION" = ifup ] || exit 0
@@ -32,13 +30,16 @@ done
 . /usr/share/libubox/jshn.sh
-for iface in $iface4 $iface6; do
- json_load "$(ifstatus $iface)"
- json_select data
- json_get_var dhcp_ntp_servers ntpserver
+json_load "$(ifstatus "$INTERFACE")"
+json_select data
+json_get_var dhcp_ntp_servers ntpserver
- for server in $dhcp_ntp_servers; do
- run_command add $(NTP_SOURCE_HOSTNAME=$server config_foreach \
- handle_source dhcp_ntp_server server)
- done
-done
+[ -z "$dhcp_ntp_servers" ] && exit 0
+
+mkdir -p "$(dirname "$SOURCEFILE")"
+
+for NTP_SOURCE_HOSTNAME in $dhcp_ntp_servers; do
+ config_foreach handle_source dhcp_ntp_server server
+done > "$SOURCEFILE"
+
+run_command reload sources
From 21c0f580f1c3701a96cf0621f3ec431fa57e034d Mon Sep 17 00:00:00 2001
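Review bot: `SOURCEFILE="/var/run/chrony-dhcp/$INTERFACE.sources"` is built from the hotplug environment without checking that `$INTERFACE` is non-empty, and the old `$ACTION` guard at the top of the file is gone, so the script now runs for every hotplug event; with an empty `$INTERFACE` the ifdown branch would remove and reload `/var/run/chrony-dhcp/.sources`. A guard such as `[ -n "$INTERFACE" ] || exit 0` before the assignment keeps the file strictly per-interface. The removed `run_command tracking || exit 0` also acted as an "is chronyd reachable" check; `run_command onoffline` now runs unconditionally and its status is not examined, which is acceptable since run_command discards all output, but a short comment marking the call as best-effort would help the next reader.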
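Review bot: The entries in `$dhcp_ntp_servers` come from the DHCP lease, i.e. from the network, and `config_foreach handle_source dhcp_ntp_server server` writes each one into the chrony source file without any check on its form; handle_source (presumably the one from chronyd.init, defined outside this hunk) emits the hostname unquoted in a `server` line. The `for` loop's word splitting limits each entry to a single word, so the realistic outcome is a malformed or network-chosen source rather than an injected directive, but a check that each entry is an IP address or plain hostname before it is written would make that boundary explicit. `> "$SOURCEFILE"` also truncates the file in place while chronyd may be reading it on `reload sources`; writing to a temporary file in the same directory and renaming it avoids a partial read. Lastly, a stale file is only removed on ifdown: when an ifup arrives with a lease that carries no ntpserver, `[ -z "$dhcp_ntp_servers" ] && exit 0` leaves the previous servers active, so an `rm -f "$SOURCEFILE"` plus reload before that exit may be what is intended.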
From: Miroslav Lichvar
Date: Fri, 30 Oct 2020 20:57:35 +0100
Subject: [PATCH 3/3] chrony: improve configuration

Extend configuration of NTP sources in UCI:
- Add nts option to enable NTS
- Add disabled option to allow inactive sources

Add nts section to UCI with:
- rtccheck option to disable certificate time checks on systems that don't have an RTC to avoid the chicken-and-egg problem (it is less secure, but still should be better than no NTS at all)
- systemcerts option to disable system certificates
- trustedcerts option to specify path to trusted certificates

Save NTS keys and cookies by default to avoid unnecessary NTS-KE sessions when restarted or switching back to an already used NTS source. Also, save the drift to stabilize the clock after chronyd restart.

Signed-off-by: Miroslav Lichvar
---
 net/chrony/Makefile | 2 +-
 net/chrony/files/chrony.conf | 8 +++++++-
 net/chrony/files/chrony.config | 5 +++++
 net/chrony/files/chronyd.init | 20 +++++++++++++++++++-
 4 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/net/chrony/Makefile b/net/chrony/Makefile
index f69be16fe..99e933d17 100644
--- a/net/chrony/Makefile
+++ b/net/chrony/Makefile
@@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=chrony
 PKG_VERSION:=4.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://download.tuxfamily.org/chrony/
diff --git a/net/chrony/files/chrony.conf b/net/chrony/files/chrony.conf
index c427e85ac..a4d24a7c6 100644
--- a/net/chrony/files/chrony.conf
+++ b/net/chrony/files/chrony.conf
@@ -10,5 +10,11 @@ logchange 0.5
 # Don't log client accesses
 noclientlog
-# set the system clock else the kernel will always stay in UNSYNC state
+# Mark the system clock as synchronized
 rtcsync
+
+# Record the clock's drift
+driftfile /var/run/chrony/drift
+
+# Save NTS keys and cookies
+ntsdumpdir /var/run/chrony
diff --git a/net/chrony/files/chrony.config b/net/chrony/files/chrony.config
index 63f494d7a..7214ce430 100644
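Review bot: `driftfile /var/run/chrony/drift` and `ntsdumpdir /var/run/chrony` point into a directory that no hunk in this series creates; unless chronyd or the package creates `/var/run/chrony` elsewhere, the drift save and the NTS dump will fail at runtime, and as far as I recall chronyd only logs that rather than refusing to start, so it is easy to miss. The dump files hold the NTS-KE keys and cookies the commit message describes, so the directory should be created with access restricted to the account chronyd runs under — e.g. `mkdir -p /var/run/chrony` followed by `chmod 700 /var/run/chrony` (and a chown if chronyd drops privileges) in start_service — or a comment here should name who is responsible for creating it.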
--- a/net/chrony/files/chrony.config
+++ b/net/chrony/files/chrony.config
@@ -5,6 +5,7 @@ config pool
 config dhcp_ntp_server
 option iburst 'yes'
+ option disabled 'no'
 config allow
 option interface 'lan'
@@ -12,3 +13,7 @@ config allow
 config makestep
 option threshold '1.0'
 option limit '3'
+
+config nts
+ option rtccheck 'yes'
+ option systemcerts 'yes'
diff --git a/net/chrony/files/chronyd.init b/net/chrony/files/chronyd.init
index 42b052d8b..a734d431e 100644
--- a/net/chrony/files/chronyd.init
+++ b/net/chrony/files/chronyd.init
@@ -6,21 +6,26 @@ USE_PROCD=1
 PROG=/usr/sbin/chronyd
 CONFIGFILE=/etc/chrony/chrony.conf
 INCLUDEFILE=/var/etc/chrony.d/10-uci.conf
+RTCDEVICE=/dev/rtc0
 handle_source() {
- local cfg=$1 sourcetype=$2 hostname minpoll maxpoll iburst
+ local cfg=$1 sourcetype=$2 disabled hostname minpoll maxpoll iburst nts
+ config_get_bool disabled "$cfg" disabled 0
+ [ "$disabled" = "1" ] && return
 hostname=$NTP_SOURCE_HOSTNAME
 [ -z "$hostname" ] && config_get hostname "$cfg" hostname
 [ -z "$hostname" ] && return
 config_get minpoll "$cfg" minpoll
 config_get maxpoll "$cfg" maxpoll
 config_get_bool iburst "$cfg" iburst 0
+ config_get_bool nts "$cfg" nts 0
 echo $(
 echo $sourcetype $hostname
 [ -n "$minpoll" ] && echo minpoll $minpoll
 [ -n "$maxpoll" ] && echo maxpoll $maxpoll
 [ "$iburst" = "1" ] && echo iburst
+ [ "$nts" = "1" ] && echo nts
 )
 }
@@ -53,6 +58,18 @@ handle_makestep() {
 echo makestep $threshold $limit
 }
+handle_nts() {
+ local cfg=$1 threshold limit
+
+ config_get_bool rtccheck "$cfg" rtccheck 0
+ config_get_bool systemcerts "$cfg" systemcerts 1
+ config_get trustedcerts "$cfg" trustedcerts
+ # Disable certificate time checks if no RTC is present
+ [ "$rtccheck" = "1" ] && ! [ -c $RTCDEVICE ] && echo nocerttimecheck 1
+ [ "$systemcerts" = "0" ] && echo nosystemcert
+ [ -n "$trustedcerts" ] && echo ntstrustedcerts "$trustedcerts"
+}
 start_service() {
 . /lib/functions/network.sh
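Review bot: `option rtccheck 'yes'` ships as the default, and combined with handle_nts in chronyd.init that means NTS certificate time checks are switched off (`nocerttimecheck 1`) on any device without `/dev/rtc0`, without anything in this file saying so; the commit message explains the trade-off, but a user editing /etc/config/chrony will not see it. A comment above the section such as `# rtccheck 'yes': skip NTS certificate time checks on devices without /dev/rtc0 (less secure, see chronyd.init)` would make the weakened validation visible where it is configured.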
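Review bot: `local cfg=$1 threshold limit` in handle_nts declares the wrong variables: `threshold` and `limit` are never used in this function (they look copied from handle_makestep), while `rtccheck`, `systemcerts` and `trustedcerts` are assigned without `local` and leak into the caller's scope. It should read `local cfg=$1 rtccheck systemcerts trustedcerts`. In the same function `[ -c $RTCDEVICE ]` is the only unquoted expansion; `[ -c "$RTCDEVICE" ]` matches the quoting on the surrounding lines. Note also that the script-side default for rtccheck is 0 while chrony.config ships 'yes', so removing the option from UCI re-enables the time checks — that is the safer direction and worth a one-line comment so nobody later "fixes" the mismatch the other way.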
@@ -71,5 +88,6 @@ start_service() {
 config_foreach handle_source peer peer
 config_foreach handle_allow allow
 config_foreach handle_makestep makestep
+ config_foreach handle_nts nts
 ) > $INCLUDEFILE
 }