From 5af29fb326ea1abbbb166a3ffba713a1aebaf126 Mon Sep 17 00:00:00 2001 
From: Michael Tremer
Date: Fri, 23 Nov 2012 01:12:25 +0100
Subject: [PATCH] ntp: New package.

As chrony does not support network support, we have to go back to ntpd.
---
 ntp/ntp.conf | 53 ++
 ntp/ntp.cryptopw | 4 +
 ntp/ntp.keys | 5 +
 ntp/ntp.nm | 224 +++++++++
 ntp/ntp.step-tickers | 3 +
 ntp/ntpdate-wrapper | 36 ++
 ntp/ntpdate.sysconfig | 8 +
 ntp/patches/ntp-4.2.4p7-getprecision.patch | 12 +
 ntp/patches/ntp-4.2.6p1-cmsgalign.patch | 14 +
 ntp/patches/ntp-4.2.6p1-linkfastmath.patch | 12 +
 ntp/patches/ntp-4.2.6p1-logdefault.patch | 12 +
 ntp/patches/ntp-4.2.6p1-retcode.patch | 12 +
 ntp/patches/ntp-4.2.6p1-sleep.patch | 495 +++++++++++++++++++
 ntp/patches/ntp-4.2.6p2-multiopts.patch | 21 +
 ntp/patches/ntp-4.2.6p3-bcast.patch | 93 ++++
 ntp/patches/ntp-4.2.6p3-broadcastdelay.patch | 31 ++
 ntp/patches/ntp-4.2.6p4-droproot.patch | 207 ++++++++
 ntp/patches/ntp-4.2.6p4-htmldoc.patch | 76 +++
 ntp/patches/ntp-4.2.6p4-mlock.patch | 140 ++++++
 ntp/patches/ntp-4.2.6p4-rtnetlink.patch | 15 +
 ntp/patches/ntp-4.2.6p5-delaycalib.patch | 12 +
 ntp/patches/ntp-4.2.6p5-fipsmd5.patch | 47 ++
 ntp/patches/ntpstat-0.2-1-clksrc.patch | 12 +
 ntp/patches/ntpstat-0.2-2-multipacket.patch | 12 +
 ntp/patches/ntpstat-0.2-3-sysvars.patch | 15 +
 ntp/patches/ntpstat-0.2-4-maxerror.patch | 38 ++
 ntp/patches/ntpstat-0.2-5-errorbit.patch | 32 ++
 ntp/systemd/ntp-wait.service | 14 +
 ntp/systemd/ntpd.service | 12 +
 ntp/systemd/ntpdate.service | 13 +
 30 files changed, 1680 insertions(+)
 create mode 100644 ntp/ntp.conf
 create mode 100644 ntp/ntp.cryptopw
 create mode 100644 ntp/ntp.keys
 create mode 100644 ntp/ntp.nm
 create mode 100644 ntp/ntp.step-tickers
 create mode 100755 ntp/ntpdate-wrapper
 create mode 100644 ntp/ntpdate.sysconfig
 create mode 100644 ntp/patches/ntp-4.2.4p7-getprecision.patch
 create mode 100644 ntp/patches/ntp-4.2.6p1-cmsgalign.patch
 create mode 100644 ntp/patches/ntp-4.2.6p1-linkfastmath.patch
 create mode 100644 ntp/patches/ntp-4.2.6p1-logdefault.patch
 create mode 100644 ntp/patches/ntp-4.2.6p1-retcode.patch
 create mode 100644 ntp/patches/ntp-4.2.6p1-sleep.patch
 create mode 100644 ntp/patches/ntp-4.2.6p2-multiopts.patch
 create mode 100644 ntp/patches/ntp-4.2.6p3-bcast.patch
 create mode 100644 ntp/patches/ntp-4.2.6p3-broadcastdelay.patch
 create mode 100644 ntp/patches/ntp-4.2.6p4-droproot.patch
 create mode 100644 ntp/patches/ntp-4.2.6p4-htmldoc.patch
 create mode 100644 ntp/patches/ntp-4.2.6p4-mlock.patch
 create mode 100644 ntp/patches/ntp-4.2.6p4-rtnetlink.patch
 create mode 100644 ntp/patches/ntp-4.2.6p5-delaycalib.patch
 create mode 100644 ntp/patches/ntp-4.2.6p5-fipsmd5.patch
 create mode 100644 ntp/patches/ntpstat-0.2-1-clksrc.patch
 create mode 100644 ntp/patches/ntpstat-0.2-2-multipacket.patch
 create mode 100644 ntp/patches/ntpstat-0.2-3-sysvars.patch
 create mode 100644 ntp/patches/ntpstat-0.2-4-maxerror.patch
 create mode 100644 ntp/patches/ntpstat-0.2-5-errorbit.patch
 create mode 100644 ntp/systemd/ntp-wait.service
 create mode 100644 ntp/systemd/ntpd.service
 create mode 100644 ntp/systemd/ntpdate.service
diff --git a/ntp/ntp.conf b/ntp/ntp.conf
new file mode 100644
index 000000000..baa57b3ae
--- /dev/null
+++ b/ntp/ntp.conf
@@ -0,0 +1,53 @@
+# For more information about this file, see the man pages
+# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
+
+driftfile VARNTP/drift
+
+# Permit time synchronization with our time source, but do not
+# permit the source to query or modify the service on this system.
+restrict default kod nomodify notrap nopeer noquery
+restrict -6 default kod nomodify notrap nopeer noquery
+
+# Permit all access over the loopback interface. This could
+# be tightened as well, but to do so would effect some of
+# the administrative functions.
+restrict 127.0.0.1
+restrict -6 ::1
+
+# Hosts on local network are less restricted.
+#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
+
+# Use public servers from the pool.ntp.org project.
+# Please consider joining the pool (http://www.pool.ntp.org/join.html).
+server 0.VENDORZONE.pool.ntp.org iburst
+server 1.VENDORZONE.pool.ntp.org iburst
+server 2.VENDORZONE.pool.ntp.org iburst
+server 3.VENDORZONE.pool.ntp.org iburst
+
+#broadcast 192.168.1.255 autokey # broadcast server
+#broadcastclient # broadcast client
+#broadcast 224.0.1.1 autokey # multicast server
+#multicastclient 224.0.1.1 # multicast client
+#manycastserver 239.255.254.254 # manycast server
+#manycastclient 239.255.254.254 autokey # manycast client
+
+# Enable public key cryptography.
+#crypto
+
+includefile ETCNTP/crypto/pw
+
+# Key file containing the keys and key identifiers used when operating
+# with symmetric key cryptography.
+keys ETCNTP/keys
+
+# Specify the key identifiers which are trusted.
+#trustedkey 4 8 42
+
+# Specify the key identifier to use with the ntpdc utility.
+#requestkey 8
+
+# Specify the key identifier to use with the ntpq utility.
+#controlkey 8
+
+# Enable writing of statistics records.
+#statistics clockstats cryptostats loopstats peerstats
diff --git a/ntp/ntp.cryptopw b/ntp/ntp.cryptopw
new file mode 100644
index 000000000..b76b0ca91
--- /dev/null
+++ b/ntp/ntp.cryptopw
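Review bot: Both `restrict default` lines set `kod` without `limited`, and ntpd only produces a kiss-o'-death on the rate-limit path that `limited` enables, so as written the `kod` flag has no effect and remote clients are not rate limited at all. If rate limiting is the intent, the two lines should read `restrict default kod limited nomodify notrap nopeer noquery` and `restrict -6 default kod limited nomodify notrap nopeer noquery`, with a `discard` line only if the default thresholds need tuning. `noquery` on the default entry is the right choice: it refuses mode 6/7 control queries from non-loopback hosts, which is the main amplification concern for an ntpd that is reachable from the network. The loopback entries stay unrestricted, which the comment above them already explains.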
@@ -0,0 +1,4 @@
+# Specify the password to decrypt files containing private keys and identity
+# parameters. This is required only if these files have been encrypted.
+#
+#crypto pw apassword
diff --git a/ntp/ntp.keys b/ntp/ntp.keys
new file mode 100644
index 000000000..5500a718b
--- /dev/null
+++ b/ntp/ntp.keys
@@ -0,0 +1,5 @@
+#
+# PLEASE DO NOT USE THE DEFAULT VALUES HERE.
+#
+#65535 M akey
+#1 M pass
diff --git a/ntp/ntp.nm b/ntp/ntp.nm
new file mode 100644
index 000000000..2c97eeef8
--- /dev/null
+++ b/ntp/ntp.nm
@@ -0,0 +1,224 @@ +############################################################################### +# IPFire.org - An Open Source Firewall Solution # +# Copyright (C) - IPFire Development Team # +############################################################################### + +name = ntp +version = %{ver_major}.6p5 +ver_major = 4.2 +release = 1 + +groups = System/Daemons +url = http://www.ntp.org/ +license = (MIT and BSD and BSD with advertising) and GPLv2 +summary = The NTP daemon and utilities. + +description + The Network Time Protocol (NTP) is used to synchronize a computer's + time with another reference time source. This package includes ntpd + (a daemon which continuously adjusts system time) and utilities used + to query and configure the ntpd daemon. +end + +source_dl = http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-%{ver_major}/ +sources += ntpstat-0.2.tgz + +# The vendor part in the NTP pool address. +VENDORZONE = %{DISTRO_SNAME} + +build + requires + libcap-devel + libedit-devel + openssl-devel + perl-HTML-Parser + pps-tools-devel + end + + prepare + %{MACRO_EXTRACT_TARBALL} + + ln -svf ../ntpstat-0.2 . + + %{MACRO_PATCHES} + end + + configure_options += \ + --sysconfdir=%{sysconfdir}/ntp/crypto \ + --with-openssl-libdir=%{libdir} \ + --enable-all-clocks \ + --enable-parse-clocks \ + --enable-ntp-signd=%{localstatedir}/run/ntp_signd + + build + ./configure %{configure_options} + + echo "#define KEYFILE \"%{sysconfdir}/ntp/keys\"" >> ntpdate/ntpdate.h + echo "#define NTP_VAR \"%{localstatedir}/log/ntpstats/\"" >> config.h + + make ${PARALLELISMFLAGS} + + sed -i 's|$ntpq = "ntpq"|$ntpq = "%{sbindir}/ntpq"|' scripts/ntptrace + sed -i 's|ntpq -c |%{sbindir}/ntpq -c |' scripts/ntp-wait + + # Build ntpstat. 
+ make -C ntpstat-0.2 + end + + make_install_targets += bindir=%{sbindir} + + install_cmds + mkdir -pv %{BUILDROOT}%{mandir}/man{5,8} + sed -i "s/sntp\.1/sntp\.8/" %{BUILDROOT}%{mandir}/man1/sntp.1 + mv -v %{BUILDROOT}%{mandir}/man{1/sntp.1,8/sntp.8} + rm -rfv %{BUILDROOT}%{mandir}/man1 + + # Install ntpstat. + pushd ntpstat-0.2 + mkdir -pv %{BUILDROOT}%{bindir} + install -m 755 ntpstat %{BUILDROOT}%{bindir} + install -m 644 ntpstat.1 %{BUILDROOT}%{mandir}/man8/ntpstat.8 + popd + + # Fix section numbers. + sed -i 's/\(\.TH[a-zA-Z ]*\)[1-9]\(.*\)/\18\2/' \ + %{BUILDROOT}%{mandir}/man8/*.8 + + mkdir -pv %{BUILDROOT}/%{sysconfdir}/sysconfig + mkdir -pv %{BUILDROOT}/%{localstatedir}/{lib/ntp,log/ntpstats} + mkdir -pv %{BUILDROOT}%{prefix}/lib + touch %{BUILDROOT}/%{localstatedir}/lib/ntp/{drift,sntp-kod} + + sed \ + -e "s@VENDORZONE@%{VENDORZONE}@g" \ + -e "s@ETCNTP@%{sysconfdir}/ntp@g" \ + -e "s@VARNTP@%{localstatedir}/lib/ntp@g" \ + < %{DIR_SOURCE}/ntp.conf > %{BUILDROOT}%{sysconfdir}/ntp.conf + + mkdir -pv %{BUILDROOT}%{sysconfdir}/ntp + sed -e "s@VENDORZONE@%{VENDORZONE}@g" \ + < %{DIR_SOURCE}/ntp.step-tickers > %{BUILDROOT}%{sysconfdir}/ntp/step-tickers + + # Install crypto pw. + mkdir -pv %{BUILDROOT}%{sysconfdir}/ntp/crypto + install -p -m 600 %{DIR_SOURCE}/ntp.cryptopw \ + %{BUILDROOT}%{sysconfdir}/ntp/crypto/pw + + # Install keys. + install -p -m 600 %{DIR_SOURCE}/ntp.keys \ + %{BUILDROOT}%{sysconfdir}/ntp/keys + + # Install ntpdate wrapper. 
+ install -p -m 755 %{DIR_SOURCE}/ntpdate-wrapper\ + %{BUILDROOT}%{prefix}/lib/ntpdate-wrapper + install -p -m 644 %{DIR_SOURCE}/ntpdate.sysconfig \ + %{BUILDROOT}%{sysconfdir}/sysconfig/ntpdate + + mkdir -pv %{unitdir}/ntp-units.d + echo "ntpd.service" > %{unitdir}/ntp-units.d/60-ntpd.list + end +end + +packages + package %{name} + requires + ntpdate = %{thisver} + end + + datafiles + %{localstatedir}/lib/ntp/drift + end + + script postin + systemctl daemon-reload >/dev/null 2>&1 || : + end + + script preun + systemctl --no-reload disable ntpd.service >/dev/null 2>&1 || : + systemctl stop ntpd.service >/dev/null 2>&1 || : + end + + script postun + systemctl daemon-reload >/dev/null 2>&1 || : + end + + script postup + systemctl daemon-reload >/dev/null 2>&1 || : + systemctl try-restart ntpd.service >/dev/null 2>&1 || : + end + end + + package ntpdate + summary = Utility to set the date and time via NTP. + + description + ntpdate is a program for retrieving the date and time + from NTP servers. + end + + files + %{sbindir}/ntpdate + %{mandir}/man8/ntpdate.8* + end + + script prein + getent group ntp >/dev/null || groupadd -g 38 ntp || : + getent passwd ntp >/dev/null || useradd -u 38 -g 38 -s /sbin/nologin \ + -M -r -d %{sysconfdir}/ntp ntp || : + end + + script postin + systemctl daemon-reload >/dev/null 2>&1 || : + end + + script preun + systemctl --no-reload disable ntpdate.service >/dev/null 2>&1 || : + systemctl stop ntpdate.service >/dev/null 2>&1 || : + end + + script postun + systemctl daemon-reload >/dev/null 2>&1 || : + end + end + + package %{name}-perl + summary = NTP utilities written in Perl. + description + This package contains Perl scripts ntp-wait and ntptrace. 
+ end
+ groups = Applications/System
+
+ requires
+ %{name} = %{thisver}
+ end
+
+ files
+ %{sbindir}/ntp-wait
+ %{sbindir}/ntptrace
+ %{mandir}/man8/ntp-wait.8*
+ %{mandir}/man8/ntptrace.8*
+ %{unitdir}/ntp-wait.service
+ end
+
+ script preun
+ systemctl --no-reload disable ntp-wait.service >/dev/null 2>&1 || :
+ systemctl stop ntp-wait.service >/dev/null 2>&1 || :
+ end
+
+ script postun
+ systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+
+ script postup
+ systemctl daemon-reload >/dev/null 2>&1 || :
+ end
+ end
+
+ package %{name}-devel
+ template DEVEL
+ end
+
+ package %{name}-debuginfo
+ template DEBUGINFO
+ end
+end
diff --git a/ntp/ntp.step-tickers b/ntp/ntp.step-tickers
new file mode 100644
index 000000000..fae7889a8
--- /dev/null
+++ b/ntp/ntp.step-tickers
@@ -0,0 +1,3 @@
+# List of servers used for initial synchronization.
+
+0.VENDORZONE.pool.ntp.org
diff --git a/ntp/ntpdate-wrapper b/ntp/ntpdate-wrapper
new file mode 100755
index 000000000..5baeab0d4
--- /dev/null
+++ b/ntp/ntpdate-wrapper
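Review bot: install_cmds creates `%{localstatedir}/lib/ntp` (with the `drift` and `sntp-kod` files) and `%{localstatedir}/log/ntpstats` as root-owned paths, and nothing in the package sections assigns them to the `ntp` user that `script prein` creates. If ntpd is started with the privilege drop this package carries (the droproot patch is in the diffstat; ntpd.service itself is outside this hunk), the daemon would be unable to update the drift file or write statistics once it has switched users, and that would only surface at runtime. Either chown those directories in install_cmds or declare their ownership in the packaging so that the daemon's writable state belongs to `ntp` while `%{sysconfdir}/ntp/keys` and `crypto/pw` stay root-owned `0600` as they are now. The user is also created by the `ntpdate` subpackage's `prein` rather than by `%{name}`, which only works because `%{name}` requires `ntpdate = %{thisver}`; a one-line comment above that `script prein` saying so would spare the next reader the search.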
@@ -0,0 +1,36 @@ +#!/bin/bash + +ntpconf=/etc/ntp.conf +ntpstep=/etc/ntp/step-tickers + +[ "$EUID" != "0" ] && exit 4 +[ -x /usr/sbin/ntpdate ] || exit 5 +[ -f /etc/sysconfig/ntpdate ] || exit 6 +. /etc/sysconfig/ntpdate + +[ -f $ntpstep ] && tickers=$(sed 's/#.*//' $ntpstep) || tickers= + +if ! echo "$tickers" | grep -qi '[a-z0-9]' && [ -f $ntpconf ]; then + # the step-tickers file doesn't specify a server, + # use servers from ntp.conf instead + tickers=$(awk '$1=="peer"||$1=="server"{print $2}' $ntpconf | \ + grep -Ev '127\.127\.[0-9]+\.[0-9]+') +fi + +if ! echo "$tickers" | grep -qi '[a-z0-9]'; then + echo "NTP server not specified in $ntpstep or $ntpconf" + exit 6 +fi + +[ -z "$RETRIES" ] && RETRIES=2 +retry=0 +while true; do + /usr/sbin/ntpdate -U ntp -s -b $OPTIONS $tickers &> /dev/null + RETVAL=$? + [ $RETVAL -eq 0 ] || [ $retry -ge "$RETRIES" ] && break + sleep $[10 * (1 << $retry)] + retry=$[$retry + 1] +done + +[ $RETVAL -eq 0 ] && [ "$SYNC_HWCLOCK" = "yes" ] && /sbin/hwclock --systohc +exit $RETVAL diff --git a/ntp/ntpdate.sysconfig b/ntp/ntpdate.sysconfig new file mode 100644 index 000000000..2502779ae --- /dev/null +++ b/ntp/ntpdate.sysconfig @@ -0,0 +1,8 @@ +# Options for ntpdate +OPTIONS="-p 2" + +# Number of retries before giving up +RETRIES=2 + +# Set to 'yes' to sync hw clock after successful ntpdate +SYNC_HWCLOCK=no diff --git a/ntp/patches/ntp-4.2.4p7-getprecision.patch b/ntp/patches/ntp-4.2.4p7-getprecision.patch new file mode 100644 index 000000000..ecf6defaf --- /dev/null +++ b/ntp/patches/ntp-4.2.4p7-getprecision.patch 
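Review bot: `sleep $[10 * (1 << $retry)]` and `retry=$[$retry + 1]` use the old `$[...]` arithmetic form that bash keeps only for compatibility and no longer documents; the POSIX form `sleep $((10 * (1 << retry)))` and `retry=$((retry + 1))` is what a reader expects. The diagnostic `echo "NTP server not specified in $ntpstep or $ntpconf"` goes to stdout although it reports a failed run; it belongs on stderr (`>&2`), all the more because every ntpdate message is already discarded by `&> /dev/null`, leaving the exit status as the only other signal. The loop exit `[ $RETVAL -eq 0 ] || [ $retry -ge "$RETRIES" ] && break` relies on left-to-right grouping of `||` and `&&`; it does what is intended, but an explicit `if ...; then break; fi` would make that obvious without a precedence lookup.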
@@ -0,0 +1,12 @@ +diff -up ntp-4.2.4p7/ntpd/ntp_proto.c.getprecision ntp-4.2.4p7/ntpd/ntp_proto.c +--- ntp-4.2.4p7/ntpd/ntp_proto.c.getprecision 2009-09-29 14:16:22.000000000 +0200 ++++ ntp-4.2.4p7/ntpd/ntp_proto.c 2009-09-29 14:18:13.000000000 +0200 +@@ -3099,7 +3099,7 @@ peer_unfit( + /* + * Find the precision of this particular machine + */ +-#define MINSTEP 100e-9 /* minimum clock increment (s) */ ++#define MINSTEP 10e-9 /* minimum clock increment (s) */ + #define MAXSTEP 20e-3 /* maximum clock increment (s) */ + #define MINLOOPS 5 /* minimum number of step samples */ + diff --git a/ntp/patches/ntp-4.2.6p1-cmsgalign.patch b/ntp/patches/ntp-4.2.6p1-cmsgalign.patch new file mode 100644 index 000000000..0e4b8ccc7 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p1-cmsgalign.patch @@ -0,0 +1,14 @@ +diff -up ntp-4.2.6p1/ntpd/ntp_io.c.cmsgalign ntp-4.2.6p1/ntpd/ntp_io.c +--- ntp-4.2.6p1/ntpd/ntp_io.c.cmsgalign 2010-03-04 18:28:53.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntp_io.c 2010-03-04 18:30:34.000000000 +0100 +@@ -3194,8 +3194,8 @@ read_network_packet( + msghdr.msg_namelen = fromlen; + msghdr.msg_iov = &iovec; + msghdr.msg_iovlen = 1; +- msghdr.msg_control = (void *)&control; +- msghdr.msg_controllen = sizeof(control); ++ msghdr.msg_control = (void *)((long)(control + 7) & -8); /* align to 8 bytes */ ++ msghdr.msg_controllen = sizeof(control) - 8; + msghdr.msg_flags = 0; + rb->recv_length = recvmsg(fd, &msghdr, 0); + #endif diff --git a/ntp/patches/ntp-4.2.6p1-linkfastmath.patch b/ntp/patches/ntp-4.2.6p1-linkfastmath.patch new file mode 100644 index 000000000..5a859d395 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p1-linkfastmath.patch 
@@ -0,0 +1,12 @@ +diff -up ntp-4.2.6p1/ntpd/Makefile.in.linkfastmath ntp-4.2.6p1/ntpd/Makefile.in +--- ntp-4.2.6p1/ntpd/Makefile.in.linkfastmath 2010-02-09 11:19:25.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/Makefile.in 2010-03-03 16:57:40.000000000 +0100 +@@ -365,7 +365,7 @@ man_MANS = $(srcdir)/ntpd.1 + # sqrt ntp_control.o + # floor refclock_wwv.o + # which are (usually) provided by -lm. +-ntpd_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntp.a -lm @LCRYPTO@ @LSCF@ ++ntpd_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntp.a -lm -ffast-math @LCRYPTO@ @LSCF@ + ntpdsim_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntpsim.a -lm @LCRYPTO@ @LSCF@ + ntpdsim_CFLAGS = $(CFLAGS) -DSIM + check_y2k_LDADD = $(LDADD) ../libntp/libntp.a diff --git a/ntp/patches/ntp-4.2.6p1-logdefault.patch b/ntp/patches/ntp-4.2.6p1-logdefault.patch new file mode 100644 index 000000000..ae816b741 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p1-logdefault.patch @@ -0,0 +1,12 @@ +diff -up ntp-4.2.6p1/ntpd/ntp_config.c.logdefault ntp-4.2.6p1/ntpd/ntp_config.c +--- ntp-4.2.6p1/ntpd/ntp_config.c.logdefault 2010-01-24 11:01:45.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntp_config.c 2010-03-09 17:44:09.000000000 +0100 +@@ -3794,7 +3794,7 @@ getconfig( + + #endif /* SYS_WINNT */ + res_fp = NULL; +- ntp_syslogmask = NLOG_SYNCMASK; /* set more via logconfig */ ++ ntp_syslogmask = NLOG_SYNCMASK | NLOG_EVENT | NLOG_STATUS; /* set more via logconfig */ + + /* + * install a non default variable with this daemon version diff --git a/ntp/patches/ntp-4.2.6p1-retcode.patch b/ntp/patches/ntp-4.2.6p1-retcode.patch new file mode 100644 index 000000000..6d676d274 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p1-retcode.patch 
@@ -0,0 +1,12 @@ +diff -up ntp-4.2.6p1/ntpd/ntp_proto.c.retcode ntp-4.2.6p1/ntpd/ntp_proto.c +--- ntp-4.2.6p1/ntpd/ntp_proto.c.retcode 2009-12-09 08:36:36.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntp_proto.c 2010-03-03 16:06:00.000000000 +0100 +@@ -269,7 +269,7 @@ transmit( + "ntpd: no servers found"); + printf( + "ntpd: no servers found\n"); +- exit (0); ++ exit (1); + } + } + } diff --git a/ntp/patches/ntp-4.2.6p1-sleep.patch b/ntp/patches/ntp-4.2.6p1-sleep.patch new file mode 100644 index 000000000..577ef26ee --- /dev/null +++ b/ntp/patches/ntp-4.2.6p1-sleep.patch 
@@ -0,0 +1,495 @@ +diff -up ntp-4.2.6p1/include/ntp_refclock.h.sleep ntp-4.2.6p1/include/ntp_refclock.h +--- ntp-4.2.6p1/include/ntp_refclock.h.sleep 2009-12-09 08:36:35.000000000 +0100 ++++ ntp-4.2.6p1/include/ntp_refclock.h 2010-03-10 19:27:46.000000000 +0100 +@@ -260,6 +260,7 @@ extern void refclock_control (sockaddr_u + struct refclockstat *); + extern int refclock_open (char *, u_int, u_int); + extern int refclock_setup (int, u_int, u_int); ++extern int refclock_timer_needed (struct peer *); + extern void refclock_timer (struct peer *); + extern void refclock_transmit (struct peer *); + extern int refclock_ioctl (int, u_int); +diff -up ntp-4.2.6p1/include/ntp_stdlib.h.sleep ntp-4.2.6p1/include/ntp_stdlib.h +--- ntp-4.2.6p1/include/ntp_stdlib.h.sleep 2009-12-09 08:36:35.000000000 +0100 ++++ ntp-4.2.6p1/include/ntp_stdlib.h 2010-03-10 19:27:46.000000000 +0100 +@@ -116,6 +116,7 @@ extern const char * FindConfig (const ch + extern void signal_no_reset (int, RETSIGTYPE (*func)(int)); + + extern void getauthkeys (const char *); ++extern int auth_agekeys_needed (void); + extern void auth_agekeys (void); + extern void rereadkeys (void); + +diff -up ntp-4.2.6p1/include/ntpd.h.sleep ntp-4.2.6p1/include/ntpd.h +--- ntp-4.2.6p1/include/ntpd.h.sleep 2009-12-09 08:36:35.000000000 +0100 ++++ ntp-4.2.6p1/include/ntpd.h 2010-03-10 19:27:46.000000000 +0100 +@@ -112,8 +112,10 @@ extern void block_io_and_alarm (void); + /* ntp_loopfilter.c */ + extern void init_loopfilter(void); + extern int local_clock(struct peer *, double); +-extern void adj_host_clock(void); ++extern int adj_host_clock_needed(void); ++extern void adj_host_clock(int); + extern void loop_config(int, double); ++extern int huffpuff_enabled(void); + extern void huffpuff(void); + extern u_long sys_clocktime; + extern u_int sys_tai; +@@ -219,6 +221,8 @@ extern void hack_restrict (int, sockaddr + /* ntp_timer.c */ + extern void init_timer (void); + extern void reinit_timer (void); ++extern double get_timeout (l_fp 
*); ++extern int timer_elapsed (l_fp, int); + extern void timer (void); + extern void timer_clr_stats (void); + extern void timer_interfacetimeout (u_long); +diff -up ntp-4.2.6p1/libntp/authkeys.c.sleep ntp-4.2.6p1/libntp/authkeys.c +--- ntp-4.2.6p1/libntp/authkeys.c.sleep 2009-12-09 08:36:35.000000000 +0100 ++++ ntp-4.2.6p1/libntp/authkeys.c 2010-03-10 19:27:46.000000000 +0100 +@@ -445,6 +445,25 @@ auth_delkeys(void) + } + } + ++int ++auth_agekeys_needed(void) { ++ struct savekey *sk; ++ int i; ++ ++ if (authnumkeys > 20) ++ return 1; ++ ++ for (i = 0; i < HASHSIZE; i++) { ++ sk = key_hash[i]; ++ while (sk != 0) { ++ if (sk->lifetime > 0) ++ return 1; ++ sk = sk->next; ++ } ++ } ++ return 0; ++} ++ + /* + * auth_agekeys - delete keys whose lifetimes have expired + */ +diff -up ntp-4.2.6p1/ntpd/ntp_loopfilter.c.sleep ntp-4.2.6p1/ntpd/ntp_loopfilter.c +--- ntp-4.2.6p1/ntpd/ntp_loopfilter.c.sleep 2009-12-09 08:36:36.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntp_loopfilter.c 2010-03-10 19:27:46.000000000 +0100 +@@ -677,6 +677,13 @@ local_clock( + #endif /* LOCKCLOCK */ + } + ++int ++adj_host_clock_needed(void) ++{ ++ return !(!ntp_enable || mode_ntpdate || (pll_control && ++ kern_enable)); ++} ++ + + /* + * adj_host_clock - Called once every second to update the local clock. +@@ -686,7 +693,7 @@ local_clock( + */ + void + adj_host_clock( +- void ++ int time_elapsed + ) + { + double adjustment; +@@ -698,7 +705,7 @@ adj_host_clock( + * since the poll interval can exceed one day, the old test + * would be counterproductive. 
+ */ +- sys_rootdisp += clock_phi; ++ sys_rootdisp += clock_phi * time_elapsed; + + #ifndef LOCKCLOCK + /* +@@ -819,6 +826,12 @@ set_freq( + #endif /* KERNEL_PLL */ + } + ++int ++huffpuff_enabled(void) ++{ ++ return sys_huffpuff != NULL; ++} ++ + /* + * huff-n'-puff filter + */ +diff -up ntp-4.2.6p1/ntpd/ntp_refclock.c.sleep ntp-4.2.6p1/ntpd/ntp_refclock.c +--- ntp-4.2.6p1/ntpd/ntp_refclock.c.sleep 2009-12-09 08:36:36.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntp_refclock.c 2010-03-10 19:27:46.000000000 +0100 +@@ -268,6 +268,21 @@ refclock_unpeer( + } + + ++int ++refclock_timer_needed( ++ struct peer *peer /* peer structure pointer */ ++ ) ++{ ++ u_char clktype; ++ int unit; ++ ++ clktype = peer->refclktype; ++ unit = peer->refclkunit; ++ if (refclock_conf[clktype]->clock_timer != noentry) ++ return 1; ++ return 0; ++} ++ + /* + * refclock_timer - called once per second for housekeeping. + */ +diff -up ntp-4.2.6p1/ntpd/ntp_timer.c.sleep ntp-4.2.6p1/ntpd/ntp_timer.c +--- ntp-4.2.6p1/ntpd/ntp_timer.c.sleep 2009-12-09 08:36:35.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntp_timer.c 2010-03-11 15:23:59.000000000 +0100 +@@ -56,7 +56,6 @@ static u_long adjust_timer; /* second ti + static u_long stats_timer; /* stats timer */ + static u_long huffpuff_timer; /* huff-n'-puff timer */ + u_long leapsec; /* leapseconds countdown */ +-l_fp sys_time; /* current system time */ + #ifdef OPENSSL + static u_long revoke_timer; /* keys revoke timer */ + static u_long keys_timer; /* session key timer */ +@@ -74,6 +73,12 @@ volatile u_long alarm_overflow; + #define DAY (24 * HOUR) + + u_long current_time; /* seconds since startup */ ++l_fp timer_base; ++int time_elapsed; ++ ++#define TIMEOUT_TS_SIZE 2 ++l_fp timeout_ts[TIMEOUT_TS_SIZE]; ++unsigned int timeout_ts_index; + + /* + * Stats. Number of overflows and number of calls to transmit(). 
+@@ -110,6 +115,8 @@ static RETSIGTYPE alarming (int); + void + reinit_timer(void) + { ++ get_systime(&timer_base); ++#if 0 + #if !defined(SYS_WINNT) && !defined(VMS) + # if defined(HAVE_TIMER_CREATE) && defined(HAVE_TIMER_SETTIME) + timer_gettime(ntpd_timerid, &itimer); +@@ -143,6 +150,7 @@ reinit_timer(void) + setitimer(ITIMER_REAL, &itimer, (struct itimerval *)0); + # endif + # endif /* VMS */ ++#endif + } + + /* +@@ -165,6 +173,12 @@ init_timer(void) + timer_xmtcalls = 0; + timer_timereset = 0; + ++ get_systime(&timer_base); ++ ++ for (timeout_ts_index = 0; timeout_ts_index < TIMEOUT_TS_SIZE; timeout_ts_index++) ++ L_CLR(&timeout_ts[timeout_ts_index]); ++ timeout_ts_index = 0; ++#if 0 + #if !defined(SYS_WINNT) + /* + * Set up the alarm interrupt. The first comes 2**EVENT_TIMEOUT +@@ -226,6 +240,7 @@ init_timer(void) + } + + #endif /* SYS_WINNT */ ++#endif + } + + #if defined(SYS_WINNT) +@@ -236,6 +251,104 @@ get_timer_handle(void) + } + #endif + ++double ++get_timeout(l_fp *now) ++{ ++ register struct peer *peer, *next_peer; ++ u_int n; ++ double r; ++ int next; ++ l_fp ts; ++ ++ ts = *now; ++ L_SUB(&ts, &timeout_ts[timeout_ts_index]); ++ timeout_ts[timeout_ts_index] = *now; ++ timeout_ts_index = (timeout_ts_index + 1) % TIMEOUT_TS_SIZE; ++ ++ /* don't waste CPU time if called too frequently */ ++ if (ts.l_ui == 0) { ++ next = 1; ++ goto finish; ++ } ++ ++ next = current_time + HOUR; ++ ++ if (adj_host_clock_needed()) { ++ next = 1; ++ goto finish; ++ } ++ for (n = 0; n < NTP_HASH_SIZE; n++) { ++ for (peer = peer_hash[n]; peer != 0; peer = next_peer) { ++ next_peer = peer->next; ++#ifdef REFCLOCK ++ if (peer->flags & FLAG_REFCLOCK && refclock_timer_needed(peer)) { ++ next = 1; ++ goto finish; ++ } ++#endif /* REFCLOCK */ ++ if (peer->action) ++ next = min(next, peer->nextaction); ++ next = min(next, peer->nextdate); ++ } ++ } ++ ++ if (leapsec > 0) ++ next = min(next, leapsec); ++ ++ if (huffpuff_enabled()) ++ next = min(next, huffpuff_timer); ++ ++#ifdef 
OPENSSL ++ if (auth_agekeys_needed()) ++ next = min(next, keys_timer); ++ if (sys_leap != LEAP_NOTINSYNC) ++ next = min(next, revoke_timer); ++#endif /* OPENSSL */ ++ ++ if (interface_interval) ++ next = min(next, interface_timer); ++ ++ next = min(next, stats_timer); ++ ++ next -= current_time; ++ if (next <= 0) ++ next = 1; ++finish: ++ ts = timer_base; ++ ts.l_ui += next; ++ L_SUB(&ts, now); ++ LFPTOD(&ts, r); ++#ifdef DEBUG ++ DPRINTF(2, ("timer: timeout %f\n", r)); ++#endif ++ ++ return r; ++} ++ ++int ++timer_elapsed(l_fp now, int timeout) ++{ ++ int elapsed; ++ ++ L_SUB(&now, &timer_base); ++ elapsed = now.l_i; ++ if (elapsed < 0 || elapsed > timeout + 10) { ++#ifdef DEBUG ++ DPRINTF(2, ("timer: unexpected time jump\n")); ++#endif ++ elapsed = 0; ++ reinit_timer(); ++ ++ } ++ timer_base.l_ui += elapsed; ++ time_elapsed += elapsed; ++ current_time += elapsed; ++#ifdef DEBUG ++ DPRINTF(2, ("timer: time elapsed %d\n", time_elapsed)); ++#endif ++ return time_elapsed; ++} ++ + /* + * timer - event timer + */ +@@ -251,11 +364,9 @@ timer(void) + * kiss-o'-deatch function and implement the association + * polling function.. + */ +- current_time++; +- get_systime(&sys_time); + if (adjust_timer <= current_time) { +- adjust_timer += 1; +- adj_host_clock(); ++ adjust_timer += time_elapsed; ++ adj_host_clock(time_elapsed); + #ifdef REFCLOCK + for (n = 0; n < NTP_HASH_SIZE; n++) { + for (peer = peer_hash[n]; peer != 0; peer = next_peer) { +@@ -286,7 +397,7 @@ timer(void) + * 128 s or less. + */ + if (peer->throttle > 0) +- peer->throttle--; ++ peer->throttle -= min(peer->throttle, time_elapsed); + if (peer->nextdate <= current_time) { + #ifdef REFCLOCK + if (peer->flags & FLAG_REFCLOCK) +@@ -333,7 +444,7 @@ timer(void) + * set. + */ + if (leapsec > 0) { +- leapsec--; ++ leapsec -= min(leapsec, time_elapsed); + if (leapsec == 0) { + sys_leap = LEAP_NOWARNING; + sys_tai = leap_tai; +@@ -398,11 +509,15 @@ timer(void) + * Finally, write hourly stats. 
+ */ + if (stats_timer <= current_time) { ++ l_fp sys_time; ++ get_systime(&sys_time); + stats_timer += HOUR; + write_stats(); + if (sys_tai != 0 && sys_time.l_ui > leap_expire) + report_event(EVNT_LEAPVAL, NULL, NULL); + } ++ ++ time_elapsed = 0; + } + + +diff -up ntp-4.2.6p1/ntpd/ntpd.c.sleep ntp-4.2.6p1/ntpd/ntpd.c +--- ntp-4.2.6p1/ntpd/ntpd.c.sleep 2010-03-10 19:27:46.000000000 +0100 ++++ ntp-4.2.6p1/ntpd/ntpd.c 2010-03-10 19:27:46.000000000 +0100 +@@ -195,8 +195,6 @@ extern const char *Version; + + char const *progname; + +-int was_alarmed; +- + #ifdef DECL_SYSCALL + /* + * We put this here, since the argument profile is syscall-specific +@@ -1033,7 +1031,7 @@ getgroup: + #else /* normal I/O */ + + BLOCK_IO_AND_ALARM(); +- was_alarmed = 0; ++ + for (;;) + { + # if !defined(HAVE_SIGNALED_IO) +@@ -1041,42 +1039,39 @@ getgroup: + extern int maxactivefd; + + fd_set rdfdes; +- int nfound; +-# endif ++ int nfound, time_elapsed; + +- if (alarm_flag) /* alarmed? */ +- { +- was_alarmed = 1; +- alarm_flag = 0; +- } ++ time_elapsed = 0; ++# endif + +- if (!was_alarmed && has_full_recv_buffer() == ISC_FALSE) ++ if (has_full_recv_buffer() == ISC_FALSE) + { + /* + * Nothing to do. Wait for something. 
+ */ + # ifndef HAVE_SIGNALED_IO ++ double timeout; ++ + rdfdes = activefds; +-# if defined(VMS) || defined(SYS_VXWORKS) +- /* make select() wake up after one second */ +- { +- struct timeval t1; ++ get_systime(&now); ++ timeout = get_timeout(&now); + +- t1.tv_sec = 1; t1.tv_usec = 0; ++ if (timeout > 0.0) { ++ struct timeval t1; ++ ++ t1.tv_sec = timeout; ++ t1.tv_usec = (timeout - t1.tv_sec) * 1000000; + nfound = select(maxactivefd+1, &rdfdes, (fd_set *)0, + (fd_set *)0, &t1); +- } +-# else +- nfound = select(maxactivefd+1, &rdfdes, (fd_set *)0, +- (fd_set *)0, (struct timeval *)0); +-# endif /* VMS */ +- if (nfound > 0) +- { +- l_fp ts; ++ get_systime(&now); ++ } else ++ nfound = 0; + +- get_systime(&ts); ++ time_elapsed = timer_elapsed(now, timeout); + +- (void)input_handler(&ts); ++ if (nfound > 0) ++ { ++ (void)input_handler(&now); + } + else if (nfound == -1 && errno != EINTR) + msyslog(LOG_ERR, "select() error: %m"); +@@ -1085,17 +1080,13 @@ getgroup: + msyslog(LOG_DEBUG, "select(): nfound=%d, error: %m", nfound); + # endif /* DEBUG */ + # else /* HAVE_SIGNALED_IO */ ++# error not supported by sleep patch + + wait_for_signal(); + # endif /* HAVE_SIGNALED_IO */ +- if (alarm_flag) /* alarmed? */ +- { +- was_alarmed = 1; +- alarm_flag = 0; +- } + } + +- if (was_alarmed) ++ if (time_elapsed > 0) + { + UNBLOCK_IO_AND_ALARM(); + /* +@@ -1103,7 +1094,6 @@ getgroup: + * to process expiry. + */ + timer(); +- was_alarmed = 0; + BLOCK_IO_AND_ALARM(); + } + +@@ -1121,19 +1111,8 @@ getgroup: + rbuf = get_full_recv_buffer(); + while (rbuf != NULL) + { +- if (alarm_flag) +- { +- was_alarmed = 1; +- alarm_flag = 0; +- } + UNBLOCK_IO_AND_ALARM(); + +- if (was_alarmed) +- { /* avoid timer starvation during lengthy I/O handling */ +- timer(); +- was_alarmed = 0; +- } +- + /* + * Call the data procedure to handle each received + * packet. 
diff --git a/ntp/patches/ntp-4.2.6p2-multiopts.patch b/ntp/patches/ntp-4.2.6p2-multiopts.patch new file mode 100644 index 000000000..c4ea45983 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p2-multiopts.patch @@ -0,0 +1,21 @@ +diff -up ntp-4.2.6p2/ntpd/ntpd-opts.c.multiopts ntp-4.2.6p2/ntpd/ntpd-opts.c +--- ntp-4.2.6p2/ntpd/ntpd-opts.c.multiopts 2010-09-15 17:37:10.000000000 +0200 ++++ ntp-4.2.6p2/ntpd/ntpd-opts.c 2010-10-01 13:28:49.000000000 +0200 +@@ -755,7 +755,7 @@ static tOptDesc optDesc[ OPTION_CT ] = { + { /* entry idx, value */ 18, VALUE_OPT_PIDFILE, + /* equiv idx, value */ 18, VALUE_OPT_PIDFILE, + /* equivalenced to */ NO_EQUIVALENT, +- /* min, max, act ct */ 0, 1, 0, ++ /* min, max, act ct */ 0, 2, 0, + /* opt state flags */ PIDFILE_FLAGS, 0, + /* last opt argumnt */ { NULL }, + /* arg list/cookie */ NULL, +@@ -839,7 +839,7 @@ static tOptDesc optDesc[ OPTION_CT ] = { + { /* entry idx, value */ 25, VALUE_OPT_USER, + /* equiv idx, value */ 25, VALUE_OPT_USER, + /* equivalenced to */ NO_EQUIVALENT, +- /* min, max, act ct */ 0, 1, 0, ++ /* min, max, act ct */ 0, 2, 0, + /* opt state flags */ USER_FLAGS, 0, + /* last opt argumnt */ { NULL }, + /* arg list/cookie */ NULL, diff --git a/ntp/patches/ntp-4.2.6p3-bcast.patch b/ntp/patches/ntp-4.2.6p3-bcast.patch new file mode 100644 index 000000000..57581f3d9 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p3-bcast.patch 
@@ -0,0 +1,93 @@ +diff -up ntp-4.2.6p3/ntpd/ntp_io.c.bcast ntp-4.2.6p3/ntpd/ntp_io.c +--- ntp-4.2.6p3/ntpd/ntp_io.c.bcast 2010-12-25 10:40:36.000000000 +0100 ++++ ntp-4.2.6p3/ntpd/ntp_io.c 2011-01-05 17:46:13.820049150 +0100 +@@ -151,6 +151,8 @@ int ninterfaces; /* Total number of in + + int disable_dynamic_updates; /* scan interfaces once only */ + ++static int pktinfo_status = 0; /* is IP_PKTINFO on wildipv4 iface enabled? */ ++ + #ifdef REFCLOCK + /* + * Refclock stuff. We keep a chain of structures with data concerning +@@ -2254,6 +2256,17 @@ set_reuseaddr( + #endif /* ! SO_EXCLUSIVEADDRUSE */ + } + ++static void ++set_pktinfo(int flag) ++{ ++ if (wildipv4 == NULL) ++ return; ++ if (setsockopt(wildipv4->fd, SOL_IP, IP_PKTINFO, &flag, sizeof (flag))) { ++ msyslog(LOG_ERR, "set_pktinfo: setsockopt(IP_PKTINFO, %s) failed: %m", flag ? "on" : "off"); ++ } else ++ pktinfo_status = flag; ++} ++ + /* + * This is just a wrapper around an internal function so we can + * make other changes as necessary later on +@@ -2659,6 +2672,7 @@ io_setbclient(void) + } + } + set_reuseaddr(0); ++ set_pktinfo(1); + if (nif > 0) + DPRINTF(1, ("io_setbclient: Opened broadcast clients\n")); + else if (!nif) +@@ -2685,6 +2699,7 @@ io_unsetbclient(void) + continue; + socket_broadcast_disable(ep, &ep->sin); + } ++ set_pktinfo(0); + } + + /* +@@ -3392,7 +3407,8 @@ read_network_packet( + #ifdef HAVE_TIMESTAMP + struct msghdr msghdr; + struct iovec iovec; +- char control[TIMESTAMP_CTLMSGBUF_SIZE]; ++ char control[sizeof (struct cmsghdr) * 2 + sizeof (struct timeval) + ++ sizeof (struct in_pktinfo) + 32]; + #endif + + /* +@@ -3403,7 +3419,7 @@ read_network_packet( + */ + + rb = get_free_recv_buffer(); +- if (NULL == rb || itf->ignore_packets) { ++ if (NULL == rb || (itf->ignore_packets && !(pktinfo_status && itf == wildipv4))) { + char buf[RX_BUFF_SIZE]; + sockaddr_u from; + +@@ -3463,6 +3479,27 @@ read_network_packet( + return (buflen); + } + ++ if (pktinfo_status && itf->ignore_packets && itf 
== wildipv4) { ++ /* check for broadcast on 255.255.255.255, exception allowed on wildipv4 */ ++ struct cmsghdr *cmsg; ++ struct in_pktinfo *pktinfo = NULL; ++ ++ if ((cmsg = CMSG_FIRSTHDR(&msghdr))) ++ do { ++ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO) ++ pktinfo = (struct in_pktinfo *) CMSG_DATA(cmsg); ++ } while ((cmsg = CMSG_NXTHDR(&msghdr, cmsg))); ++ if (pktinfo && pktinfo->ipi_addr.s_addr == INADDR_BROADCAST) { ++ DPRINTF(4, ("INADDR_BROADCAST\n")); ++ } else { ++ DPRINTF(4, ("%s on (%lu) fd=%d from %s\n", "ignore", ++ free_recvbuffs(), fd, stoa(&rb->recv_srcadr))); ++ packets_ignored++; ++ freerecvbuf(rb); ++ return (buflen); ++ } ++ } ++ + DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n", + fd, buflen, stoa(&rb->recv_srcadr))); + diff --git a/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch b/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch new file mode 100644 index 000000000..f9c192978 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch @@ -0,0 +1,31 @@ +==== ntpd/ntp_proto.c ==== +2010-10-22 01:55:45-04:00, stenn@deacon.udel.edu +2 -5 + [Bug 1670] Fix peer->bias and broadcastdelay + +--- 1.307/ntpd/ntp_proto.c 2010-10-11 21:06:05 -07:00 ++++ 1.308/ntpd/ntp_proto.c 2010-10-21 22:55:45 -07:00 +@@ -929,7 +929,6 @@ receive( + + } else { + peer->delay = sys_bdelay; +- peer->bias = -sys_bdelay / 2.; + } + break; + } +@@ -1570,7 +1569,6 @@ process_packet( + p_del = fabs(t21 - t34); + p_offset = (t21 + t34) / 2.; + } +- p_offset += peer->bias; + p_disp = LOGTOD(sys_precision) + LOGTOD(peer->precision) + + clock_phi * p_del; + +@@ -1647,7 +1645,7 @@ process_packet( + /* + * That was awesome. Now hand off to the clock filter. + */ +- clock_filter(peer, p_offset, p_del, p_disp); ++ clock_filter(peer, p_offset + peer->bias, p_del, p_disp); + + /* + * If we are in broadcast calibrate mode, return to broadcast 
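Review bot: The ancillary-data buffer in read_network_packet is sized by hand as `sizeof (struct cmsghdr) * 2 + sizeof (struct timeval) + sizeof (struct in_pktinfo) + 32`, which depends on a 32-byte fudge to absorb cmsg alignment padding; the kernel's own macro states the requirement exactly, so `char control[CMSG_SPACE(sizeof (struct timeval)) + CMSG_SPACE(sizeof (struct in_pktinfo))];` is both smaller and provably sufficient for the two messages this code reads. The new set_pktinfo() helper and the IP_PKTINFO scan also use `SOL_IP`, `IP_PKTINFO` and `struct in_pktinfo` with no `#ifdef` around them, so as written this ntp_io.c only compiles on Linux; the surrounding file guards platform features with `#ifdef`, and a matching guard (falling back to the unpatched behaviour) would keep the broadcast-on-wildcard exception from being a hard build dependency. A one-line comment on `pktinfo_status` saying that it is the flag that widens the wildcard socket's acceptance to 255.255.255.255 destinations would help the next reader see why an otherwise ignored interface suddenly passes packets. read_network_packet begins and ends outside the hunk.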
diff --git a/ntp/patches/ntp-4.2.6p4-droproot.patch b/ntp/patches/ntp-4.2.6p4-droproot.patch new file mode 100644 index 000000000..1d953d18b --- /dev/null +++ b/ntp/patches/ntp-4.2.6p4-droproot.patch @@ -0,0 +1,207 @@ +diff -up ntp-4.2.6p4/html/ntpdate.html.droproot ntp-4.2.6p4/html/ntpdate.html +--- ntp-4.2.6p4/html/ntpdate.html.droproot 2011-07-11 04:18:25.000000000 +0200 ++++ ntp-4.2.6p4/html/ntpdate.html 2011-10-05 15:47:29.643634928 +0200 +@@ -18,7 +18,7 @@ +
+

Disclaimer: The functionality of this program is now available in the ntpd program. See the -q command line option in the ntpd - Network Time Protocol (NTP) daemon page. After a suitable period of mourning, the ntpdate program is to be retired from this distribution

+

Synopsis

+- ntpdate [ -46bBdqsuv ] [ -a key ] [ -e authdelay ] [ -k keyfile ] [ -o version ] [ -p samples ] [ -t timeout ] server [ ... ] ++ ntpdate [ -46bBdqsuv ] [ -a key ] [ -e authdelay ] [ -k keyfile ] [ -o version ] [ -p samples ] [ -t timeout ] [ -U user_name ] server [ ... ] +

Description

+

ntpdate sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time. It must be run as root on the local host. A number of samples are obtained from each of the servers specified and a subset of the NTP clock filter and selection algorithms are applied to select the best of these. Note that the accuracy and reliability of ntpdate depends on the number of servers, the number of polls each time it is run and the interval between runs.

+

ntpdate can be run manually as necessary to set the host clock, or it can be run from the host startup script to set the clock at boot time. This is useful in some cases to set the clock initially before starting the NTP daemon ntpd. It is also possible to run ntpdate from a cron script. However, it is important to note that ntpdate with contrived cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since ntpdate does not discipline the host clock frequency as does ntpd, the accuracy using ntpdate is limited.

+@@ -58,6 +58,10 @@ +
Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronize with hosts beyond the firewall. Note that the -d option always uses unprivileged ports. +
-v +
Be verbose. This option will cause ntpdate's version identification string to be logged. ++
-U user_name
++
ntpdate process drops root privileges and changes user ID to ++ user_name and group ID to the primary group of ++ server_user. + +

Diagnostics

+ ntpdate's exit status is zero if it finds a server and updates the clock, and nonzero otherwise. +diff -up ntp-4.2.6p4/ntpdate/ntpdate.c.droproot ntp-4.2.6p4/ntpdate/ntpdate.c +--- ntp-4.2.6p4/ntpdate/ntpdate.c.droproot 2011-05-25 07:06:09.000000000 +0200 ++++ ntp-4.2.6p4/ntpdate/ntpdate.c 2011-10-05 15:45:39.570555972 +0200 +@@ -49,6 +49,12 @@ + + #include + ++/* Linux capabilities */ ++#include ++#include ++#include ++#include ++ + #ifdef SYS_VXWORKS + # include "ioLib.h" + # include "sockLib.h" +@@ -153,6 +159,11 @@ int simple_query = 0; + int unpriv_port = 0; + + /* ++ * Use capabilities to drop privileges and switch uids ++ */ ++char *server_user; ++ ++/* + * Program name. + */ + char *progname; +@@ -294,6 +305,88 @@ void clear_globals() + static ni_namelist *getnetinfoservers (void); + #endif + ++/* This patch is adapted (copied) from Chris Wings drop root patch ++ * for xntpd. ++ */ ++void drop_root(uid_t server_uid, gid_t server_gid) ++{ ++ cap_t caps; ++ ++ if (prctl(PR_SET_KEEPCAPS, 1)) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed"); ++ } ++ else { ++ fprintf(stderr, "prctl(PR_SET_KEEPCAPS, 1) failed.\n"); ++ } ++ exit(1); ++ } ++ ++ if ( setgroups(0, NULL) == -1 ) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "setgroups failed."); ++ } ++ else { ++ fprintf(stderr, "setgroups failed.\n"); ++ } ++ exit(1); ++ } ++ ++ if ( setegid(server_gid) == -1 || seteuid(server_uid) == -1 ) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid, ++ server_gid); ++ } ++ else { ++ fprintf(stderr, "setegid/seteuid to uid=%d/gid=%d failed.\n", server_uid, ++ server_gid); ++ } ++ exit(1); ++ } ++ ++ caps = cap_from_text("cap_sys_time=epi"); ++ if (caps == NULL) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "cap_from_text failed."); ++ } ++ else { ++ fprintf(stderr, "cap_from_text failed.\n"); ++ } ++ exit(1); ++ } ++ ++ if (cap_set_proc(caps) == -1) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "cap_set_proc 
failed."); ++ } ++ else { ++ fprintf(stderr, "cap_set_proc failed.\n"); ++ } ++ exit(1); ++ } ++ ++ /* Try to free the memory from cap_from_text */ ++ cap_free( caps ); ++ ++ if ( setregid(server_gid, server_gid) == -1 || ++ setreuid(server_uid, server_uid) == -1 ) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.", ++ server_uid, server_gid); ++ } ++ else { ++ fprintf(stderr, "setregid/setreuid to uid=%d/gid=%d failed.\n", ++ server_uid, server_gid); ++ } ++ exit(1); ++ } ++ ++ if (syslogit) { ++ msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).", ++ getuid(), getgid(), geteuid(), getegid()); ++ } ++} ++ + /* + * Main program. Initialize us and loop waiting for I/O and/or + * timer expiries. +@@ -341,6 +434,8 @@ ntpdatemain ( + + init_lib(); /* sets up ipv4_works, ipv6_works */ + ++ server_user = NULL; ++ + /* Check to see if we have IPv6. Otherwise default to IPv4 */ + if (!ipv6_works) + ai_fam_templ = AF_INET; +@@ -352,7 +447,7 @@ ntpdatemain ( + /* + * Decode argument list + */ +- while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uv")) != EOF) ++ while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uvU:")) != EOF) + switch (c) + { + case '4': +@@ -429,6 +524,14 @@ ntpdatemain ( + case 'u': + unpriv_port = 1; + break; ++ case 'U': ++ if (ntp_optarg) { ++ server_user = strdup(ntp_optarg); ++ } ++ else { ++ ++errflg; ++ } ++ break; + case '?': + ++errflg; + break; +@@ -438,7 +541,7 @@ ntpdatemain ( + + if (errflg) { + (void) fprintf(stderr, +- "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...\n", ++ "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] [-U username] server ...\n", + progname); + exit(2); + } +@@ -544,6 +647,24 @@ ntpdatemain ( + initializing = 0; + was_alarmed = 0; + ++ if (server_user) { ++ struct passwd *pwd = NULL; ++ ++ /* Lookup server_user uid/gid before chroot/chdir */ ++ pwd = getpwnam( 
server_user ); ++ if ( pwd == NULL ) { ++ if (syslogit) { ++ msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user); ++ } ++ else { ++ fprintf(stderr, "Failed to lookup user '%s'.\n", server_user); ++ } ++ exit(1); ++ } ++ drop_root(pwd->pw_uid, pwd->pw_gid); ++ } ++ ++ + while (complete_servers < sys_numservers) { + #ifdef HAVE_POLL_H + struct pollfd* rdfdes; diff --git a/ntp/patches/ntp-4.2.6p4-htmldoc.patch b/ntp/patches/ntp-4.2.6p4-htmldoc.patch new file mode 100644 index 000000000..2b2dab760 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p4-htmldoc.patch @@ -0,0 +1,76 @@ +diff -up ntp-4.2.6p4/html/authopt.html.htmldoc ntp-4.2.6p4/html/authopt.html +--- ntp-4.2.6p4/html/authopt.html.htmldoc 2011-07-11 04:18:25.000000000 +0200 ++++ ntp-4.2.6p4/html/authopt.html 2011-10-05 17:30:09.463244610 +0200 +@@ -364,7 +364,7 @@ UTC
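Review bot: Every diagnostic in drop_root() prints `uid_t`/`gid_t` values with `%d` (for example `msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid, server_gid);`), which is a format/argument type mismatch; cast them explicitly, e.g. `"... uid=%lu/gid=%lu failed.", (unsigned long)server_uid, (unsigned long)server_gid`, in all four messages. The comment `/* Lookup server_user uid/gid before chroot/chdir */` in ntpdatemain describes a chroot that this program never performs, so it should say what actually matters: the lookup has to happen while still root and before drop_root(), since getpwnam may need to read files the unprivileged user cannot. The `-U` case stores `strdup(ntp_optarg)` without checking for NULL, and the ntpdate.html text says the group becomes "the primary group of server_user" where the option is documented as `user_name`; the internal variable name has leaked into the user documentation. drop_root() also lacks `static` and is defined unconditionally with the Linux capability headers, so a short comment noting that this build of ntpdate is Linux-only would be honest.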

+ are left unspecified, the default names are used as described below. Unless + the complete path and name of the file are specified, the location of a file + is relative to the keys directory specified in the keysdir configuration +- command or default /usr/local/etc. Following are the options.
++ command or default /etc/ntp/crypto. Following are the options. + +
+ +@@ -396,7 +396,7 @@ UTC

+
Specifies the complete path to the MD5 key file containing the keys and key IDs used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography. This is the same operation as the -k command line option. Note that the directory path for Autokey media is specified by the keysdir command.
+ +
keysdir pathK
+-
This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is /usr/local/etc/. Note that the path for the symmetric keys file is specified by the keys command.
++
This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is /etc/ntp/crypto. Note that the path for the symmetric keys file is specified by the keys command.
+ +
requestkey keyid
+
Specifies the key ID to use with the +diff -up ntp-4.2.6p4/html/keygen.html.htmldoc ntp-4.2.6p4/html/keygen.html +--- ntp-4.2.6p4/html/keygen.html.htmldoc 2011-07-11 04:18:26.000000000 +0200 ++++ ntp-4.2.6p4/html/keygen.html 2011-10-05 17:30:09.463244610 +0200 +@@ -206,7 +206,6 @@ +

All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize the internal pseudo-random number generator used by the OpenSSL library routines. If a site supports ssh, it is very likely that means to do this are already available. The entropy seed used by the OpenSSL library is contained in a file, usually called .rnd, which must be available when starting the ntp-keygen program or ntpd daemon.

+ +

The OpenSSL library looks for the file using the path specified by the RANDFILE environment variable in the user home directory, whether root or some other user. If the RANDFILE environment variable is not present, the library looks for the .rnd file in the user home directory. Since both the ntp-keygen program and ntpd daemon must run as root, the logical place to put this file is in /.rnd or /root/.rnd. If the file is not available or cannot be written, the program exits with a message to the system log.

+-

On systems that provide /dev/urandom, the randomness device is used instead and the file specified by the randfile subcommand or the RANDFILE environment variable is ignored.

+ +

Cryptographic Data Files

+ +diff -up ntp-4.2.6p4/html/ntpd.html.htmldoc ntp-4.2.6p4/html/ntpd.html +--- ntp-4.2.6p4/html/ntpd.html.htmldoc 2011-07-11 04:18:26.000000000 +0200 ++++ ntp-4.2.6p4/html/ntpd.html 2011-10-05 17:34:07.545384008 +0200 +@@ -214,14 +214,14 @@ + + + statistics path +- /var/NTP ++ /var/log/ntpstats/ + -s + statsdir + + + keys path +- /usr/local/etc +- -k ++ /etc/ntp/crypto ++ none + keysdir + + +diff -up ntp-4.2.6p4/html/ntpdate.html.htmldoc ntp-4.2.6p4/html/ntpdate.html +--- ntp-4.2.6p4/html/ntpdate.html.htmldoc 2011-10-05 17:30:09.438244595 +0200 ++++ ntp-4.2.6p4/html/ntpdate.html 2011-10-05 17:36:24.195463971 +0200 +@@ -43,7 +43,7 @@ +
-e authdelay +
Specify the processing delay to perform an authentication function as the value authdelay, in seconds and fraction (see ntpd for details). This number is usually small enough to be negligible for most purposes, though specifying a value may improve timekeeping on very slow CPU's. +
-k keyfile +-
Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp.keys. This file should be in the format described in ntpd. ++
Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp/keys. This file should be in the format described in ntpd. +
-o version +
Specify the NTP version for outgoing packets as the integer version, which can be 1 or 2. The default is 4. This allows ntpdate to be used with older NTP versions. +
-p samples +@@ -66,7 +66,7 @@ +

Diagnostics

+ ntpdate's exit status is zero if it finds a server and updates the clock, and nonzero otherwise. +

Files

+- /etc/ntp.keys - encryption keys used by ntpdate. ++ /etc/ntp/keys - encryption keys used by ntpdate. +

Bugs

+ The slew adjustment is actually 50% larger than the measured offset, since this (it is argued) will tend to keep a badly drifting clock more accurate. This is probably not a good idea and may cause a troubling hunt for some values of the kernel variables tick and tickadj.  +
+diff -up ntp-4.2.6p4/html/ntpdc.html.htmldoc ntp-4.2.6p4/html/ntpdc.html +diff -up ntp-4.2.6p4/html/ntpq.html.htmldoc ntp-4.2.6p4/html/ntpq.html diff --git a/ntp/patches/ntp-4.2.6p4-mlock.patch b/ntp/patches/ntp-4.2.6p4-mlock.patch new file mode 100644 index 000000000..354f7d54e --- /dev/null +++ b/ntp/patches/ntp-4.2.6p4-mlock.patch @@ -0,0 +1,140 @@ +diff -up ntp-4.2.6p4/html/ntpd.html.mlock ntp-4.2.6p4/html/ntpd.html +--- ntp-4.2.6p4/html/ntpd.html.mlock 2011-10-06 13:08:50.897274352 +0200 ++++ ntp-4.2.6p4/html/ntpd.html 2011-10-06 13:08:50.909274362 +0200 +@@ -32,7 +32,7 @@ + +
+

Synopsis

+- ntpd [ -46aAbdDgLnNqx ] [ -c conffile ] [ -f driftfile ] [ -i jaildir ] [ -I iface ] [ -k keyfile ] [ -l logfile ] [ -p pidfile ] [ -P priority ] [ -r broadcastdelay ] [ -s statsdir ] [ -t key ] [ -u user[:group] ] [ -U interface_update_interval ] [ -v variable ] [ -V variable ] ++ ntpd [ -46aAbdDgLmnNqx ] [ -c conffile ] [ -f driftfile ] [ -i jaildir ] [ -I iface ] [ -k keyfile ] [ -l logfile ] [ -p pidfile ] [ -P priority ] [ -r broadcastdelay ] [ -s statsdir ] [ -t key ] [ -u user[:group] ] [ -U interface_update_interval ] [ -v variable ] [ -V variable ] +

Description

+

The ntpd program is an operating system daemon that synchronises the system clock with remote NTP time servers or local reference clocks. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. The program can operate in any of several modes, as described on the Association Management page, and with both symmetric key and public key cryptography, as described on the Authentication Options page.

+

The ntpd program ordinarily requires a configuration file as desccribe on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the Automatic Server Discovery page.

+@@ -123,6 +123,8 @@ +
Do not listen to virtual interfaces, defined as those with names containing a colon. This option is deprecated. Please consider using the configuration file interface command, which is more versatile.
+
-M
+
Raise scheduler precision to its maximum (1 msec) using timeBeginPeriod. (Windows only)
++
-m ++
Lock memory. +
-n
+
Don't fork.
+
-N
+diff -up ntp-4.2.6p4/ntpd/ntpd-opts.c.mlock ntp-4.2.6p4/ntpd/ntpd-opts.c +--- ntp-4.2.6p4/ntpd/ntpd-opts.c.mlock 2011-09-23 05:36:04.000000000 +0200 ++++ ntp-4.2.6p4/ntpd/ntpd-opts.c 2011-10-06 13:10:54.082360146 +0200 +@@ -276,6 +276,15 @@ static char const zNice_Name[] + #define NICE_FLAGS (OPTST_DISABLED) + + /* ++ * Mlock option description: ++ */ ++static char const zMlockText[] = ++ "Lock memory"; ++static char const zMlock_NAME[] = "MLOCK"; ++static char const zMlock_Name[] = "mlock"; ++#define MLOCK_FLAGS (OPTST_DISABLED) ++ ++/* + * Pidfile option description: + */ + static char const zPidfileText[] = +@@ -903,6 +912,18 @@ static tOptDesc optDesc[OPTION_CT] = { + /* desc, NAME, name */ zPccfreqText, zPccfreq_NAME, zPccfreq_Name, + /* disablement strs */ NULL, NULL }, + ++ { /* entry idx, value */ 32, VALUE_OPT_MLOCK, ++ /* equiv idx, value */ 32, VALUE_OPT_MLOCK, ++ /* equivalenced to */ NO_EQUIVALENT, ++ /* min, max, act ct */ 0, 1, 0, ++ /* opt state flags */ MLOCK_FLAGS, 0, ++ /* last opt argumnt */ { NULL }, ++ /* arg list/cookie */ NULL, ++ /* must/cannot opts */ NULL, NULL, ++ /* option proc */ NULL, ++ /* desc, NAME, name */ zMlockText, zMlock_NAME, zMlock_Name, ++ /* disablement strs */ NULL, NULL }, ++ + { /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION, + /* equiv idx value */ NO_EQUIVALENT, 0, + /* equivalenced to */ NO_EQUIVALENT, +@@ -1018,7 +1039,7 @@ tOptions ntpdOptions = { + NO_EQUIVALENT, /* '-#' option index */ + NO_EQUIVALENT /* index of default opt */ + }, +- 35 /* full option count */, 32 /* user option count */, ++ 36 /* full option count */, 33 /* user option count */, + ntpd_full_usage, ntpd_short_usage, + NULL, NULL, + PKGDATADIR, ntpd_packager_info +diff -up ntp-4.2.6p4/ntpd/ntpd-opts.h.mlock ntp-4.2.6p4/ntpd/ntpd-opts.h +--- ntp-4.2.6p4/ntpd/ntpd-opts.h.mlock 2011-09-23 05:36:04.000000000 +0200 ++++ ntp-4.2.6p4/ntpd/ntpd-opts.h 2011-10-06 13:08:50.910274363 +0200 +@@ -81,6 +81,7 @@ typedef enum { +- 
INDEX_OPT_VERSION = 32, +- INDEX_OPT_HELP = 33, +- INDEX_OPT_MORE_HELP = 34 ++ INDEX_OPT_MLOCK = 32, ++ INDEX_OPT_VERSION = 33, ++ INDEX_OPT_HELP = 34, ++ INDEX_OPT_MORE_HELP = 35 + } teOptIndex; + +-#define OPTION_CT 35 ++#define OPTION_CT 36 +@@ -187,6 +188,10 @@ typedef enum { + # warning undefining MODIFYMMTIMER due to option name conflict + # undef MODIFYMMTIMER + # endif ++# ifdef MLOCK ++# warning undefining MLOCK due to option name conflict ++# undef MLOCK ++# endif + # ifdef NOFORK + # warning undefining NOFORK due to option name conflict + # undef NOFORK +@@ -268,6 +273,7 @@ typedef enum { + # undef LOGFILE + # undef NOVIRTUALIPS + # undef MODIFYMMTIMER ++# undef MLOCK + # undef NOFORK + # undef NICE + # undef PIDFILE +@@ -306,6 +312,7 @@ typedef enum { + #define VALUE_OPT_LOGFILE 'l' + #define VALUE_OPT_NOVIRTUALIPS 'L' + #define VALUE_OPT_MODIFYMMTIMER 'M' ++#define VALUE_OPT_MLOCK 'm' + #define VALUE_OPT_NOFORK 'n' + #define VALUE_OPT_NICE 'N' + #define VALUE_OPT_PIDFILE 'p' +diff -up ntp-4.2.6p4/ntpd/ntpd.c.mlock ntp-4.2.6p4/ntpd/ntpd.c +--- ntp-4.2.6p4/ntpd/ntpd.c.mlock 2011-10-06 13:08:50.869274334 +0200 ++++ ntp-4.2.6p4/ntpd/ntpd.c 2011-10-06 13:08:50.911274363 +0200 +@@ -723,7 +723,8 @@ ntpdmain( + } + #endif + +-#if defined(HAVE_MLOCKALL) && defined(MCL_CURRENT) && defined(MCL_FUTURE) ++#if defined(MCL_CURRENT) && defined(MCL_FUTURE) ++ if (HAVE_OPT( MLOCK )) { + # ifdef HAVE_SETRLIMIT + /* + * Set the stack limit to something smaller, so that we don't lock a lot +@@ -749,7 +750,7 @@ ntpdmain( + * fail if we drop root privlege. To be useful the value + * has to be larger than the largest ntpd resident set size. 
+ */ +- rl.rlim_cur = rl.rlim_max = 32*1024*1024; ++ rl.rlim_cur = rl.rlim_max = 64*1024*1024; + if (setrlimit(RLIMIT_MEMLOCK, &rl) == -1) { + msyslog(LOG_ERR, "Cannot set RLIMIT_MEMLOCK: %m"); + } +@@ -761,6 +762,7 @@ ntpdmain( + */ + if (mlockall(MCL_CURRENT|MCL_FUTURE) < 0) + msyslog(LOG_ERR, "mlockall(): %m"); ++ } + #else /* not (HAVE_MLOCKALL && MCL_CURRENT && MCL_FUTURE) */ + # ifdef HAVE_PLOCK + # ifdef PROCLOCK diff --git a/ntp/patches/ntp-4.2.6p4-rtnetlink.patch b/ntp/patches/ntp-4.2.6p4-rtnetlink.patch new file mode 100644 index 000000000..06d2e879d --- /dev/null +++ b/ntp/patches/ntp-4.2.6p4-rtnetlink.patch @@ -0,0 +1,15 @@ +diff -up ntp-4.2.6p4/ntpd/ntp_io.c.rtnetlink ntp-4.2.6p4/ntpd/ntp_io.c +--- ntp-4.2.6p4/ntpd/ntp_io.c.rtnetlink 2011-10-05 15:49:17.061711033 +0200 ++++ ntp-4.2.6p4/ntpd/ntp_io.c 2011-10-05 15:49:17.074711042 +0200 +@@ -4549,10 +4549,7 @@ init_async_notifications() + #ifdef HAVE_RTNETLINK + memset(&sa, 0, sizeof(sa)); + sa.nl_family = PF_NETLINK; +- sa.nl_groups = RTMGRP_LINK | RTMGRP_IPV4_IFADDR +- | RTMGRP_IPV6_IFADDR | RTMGRP_IPV4_ROUTE +- | RTMGRP_IPV4_MROUTE | RTMGRP_IPV6_ROUTE +- | RTMGRP_IPV6_MROUTE; ++ sa.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR; + if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { + msyslog(LOG_ERR, + "bind failed on routing socket (%m) - using polled interface update"); diff --git a/ntp/patches/ntp-4.2.6p5-delaycalib.patch b/ntp/patches/ntp-4.2.6p5-delaycalib.patch new file mode 100644 index 000000000..7e9a31097 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p5-delaycalib.patch 
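Review bot: The `#else /* not (HAVE_MLOCKALL && MCL_CURRENT && MCL_FUTURE) */` comment in ntpdmain no longer matches the condition above it, which the hunk changes to `#if defined(MCL_CURRENT) && defined(MCL_FUTURE)`; update it to `#else /* not (MCL_CURRENT && MCL_FUTURE) */`. Dropping `HAVE_MLOCKALL` from the guard also means a platform that defines the MCL_* macros but lacks mlockall() would now fail to compile rather than fall through to the plock() branch, so if that was intended a one-line comment saying the option is only offered where mlockall exists would document it. The help text for the new option is just "Lock memory."; since the hunk also raises RLIMIT_MEMLOCK to 64 MiB and tightens the stack limit, the ntpd.html entry should say that `-m` locks all current and future pages and adjusts those two limits. The enclosing `if (HAVE_OPT( MLOCK )) {` block runs past the end of the hunk.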
@@ -0,0 +1,12 @@ +diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.delaycalib ntp-4.2.6p5/ntpd/ntp_proto.c +--- ntp-4.2.6p5/ntpd/ntp_proto.c.delaycalib 2012-02-28 15:57:57.000000000 +0100 ++++ ntp-4.2.6p5/ntpd/ntp_proto.c 2012-02-28 16:01:30.080135978 +0100 +@@ -1514,7 +1514,7 @@ process_packet( + */ + if (FLAG_BC_VOL & peer->flags) { + peer->flags &= ~FLAG_BC_VOL; +- peer->delay = (peer->offset - p_offset) * 2; ++ peer->delay = fabs(peer->offset - p_offset) * 2; + } + p_del = peer->delay; + p_offset += p_del / 2; diff --git a/ntp/patches/ntp-4.2.6p5-fipsmd5.patch b/ntp/patches/ntp-4.2.6p5-fipsmd5.patch new file mode 100644 index 000000000..b6d8889f4 --- /dev/null +++ b/ntp/patches/ntp-4.2.6p5-fipsmd5.patch 
@@ -0,0 +1,47 @@ +diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c +--- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 2011-12-01 03:55:17.000000000 +0100 ++++ ntp-4.2.6p5/libntp/a_md5encrypt.c 2012-10-24 16:24:04.972358878 +0200 +@@ -38,7 +38,11 @@ MD5authencrypt( + * was creaded. + */ + INIT_SSL(); +- EVP_DigestInit(&ctx, EVP_get_digestbynid(type)); ++ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) { ++ msyslog(LOG_ERR, ++ "MAC encrypt: digest init failed"); ++ return (0); ++ } + EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen); + EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length); + EVP_DigestFinal(&ctx, digest, &len); +@@ -71,7 +75,11 @@ MD5authdecrypt( + * was created. + */ + INIT_SSL(); +- EVP_DigestInit(&ctx, EVP_get_digestbynid(type)); ++ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) { ++ msyslog(LOG_ERR, ++ "MAC decrypt: digest init failed"); ++ return (0); ++ } + EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen); + EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length); + EVP_DigestFinal(&ctx, digest, &len); +@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr) + return (NSRCADR(addr)); + + INIT_SSL(); +- EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5)); ++ EVP_MD_CTX_init(&ctx); ++#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW ++ /* MD5 is not used as a crypto hash here. */ ++ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); ++#endif ++ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) { ++ msyslog(LOG_ERR, ++ "MD5 init failed"); ++ exit(1); ++ } + EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr), + sizeof(struct in6_addr)); + EVP_DigestFinal(&ctx, digest, &len); diff --git a/ntp/patches/ntpstat-0.2-1-clksrc.patch b/ntp/patches/ntpstat-0.2-1-clksrc.patch new file mode 100644 index 000000000..c427f1fec --- /dev/null +++ b/ntp/patches/ntpstat-0.2-1-clksrc.patch 
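Review bot: MD5authencrypt and MD5authdecrypt now `return (0)` when the digest cannot be initialised, but the `EVP_DigestUpdate` and `EVP_DigestFinal` calls that follow are still unchecked, so a failure there would silently produce a MAC computed over an incomplete state; adding `if (!EVP_DigestFinal(&ctx, digest, &len)) { msyslog(LOG_ERR, "MAC encrypt: digest final failed"); return (0); }` (and the decrypt twin) closes the same hole the patch opens for init. The callers of these functions are outside the hunk, and a 0 return presumably doubles as "no MAC"; a comment on each early return, such as `/* 0 tells the caller no MAC could be computed; it must fail closed, not send unauthenticated */`, would make the contract explicit for whoever audits the FIPS path. In addr2refid the comment `/* MD5 is not used as a crypto hash here. */` is good; the `exit(1)` below it is a deliberate hard failure and deserves one sentence saying the IPv6 refid is defined as an MD5 digest of the address, so no fallback is interoperable.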
@@ -0,0 +1,12 @@ +diff -up ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat ntp-4.2.4p7/ntpstat-0.2/ntpstat.c +--- ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat 2002-06-10 08:02:12.000000000 +0200 ++++ ntp-4.2.4p7/ntpstat-0.2/ntpstat.c 2009-07-20 12:22:35.000000000 +0200 +@@ -187,7 +187,7 @@ int main (void) { + else + printf("unknown source"); + +- if (!strncmp(clksrcname[clksrc],clksrcname[6],sizeof(clksrcname[6]))) { ++ if (clksrc == 6) { + // source of sync is another NTP server so check the IP address + strncpy(buff, ntpmsg.payload, sizeof(buff)); + if ((newstr = strstr (buff, REFID))) { diff --git a/ntp/patches/ntpstat-0.2-2-multipacket.patch b/ntp/patches/ntpstat-0.2-2-multipacket.patch new file mode 100644 index 000000000..ca2125704 --- /dev/null +++ b/ntp/patches/ntpstat-0.2-2-multipacket.patch @@ -0,0 +1,12 @@ +diff -up ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat ntp-4.2.4p7/ntpstat-0.2/ntpstat.c +--- ntp-4.2.4p7/ntpstat-0.2/ntpstat.c.ntpstat 2002-06-10 08:02:12.000000000 +0200 ++++ ntp-4.2.4p7/ntpstat-0.2/ntpstat.c 2009-07-20 12:22:35.000000000 +0200 +@@ -151,7 +151,7 @@ int main (void) { + /* For the reply message to be valid, the first byte should be as sent, + and the second byte should be the same, with the response bit set */ + byte1ok = ((ntpmsg.byte1&0x3F) == B1VAL); +- byte2ok = (ntpmsg.byte2 == (B2VAL|RMASK)); ++ byte2ok = ((ntpmsg.byte2 & ~MMASK) == (B2VAL|RMASK)); + if (!(byte1ok && byte2ok)) { + fprintf (stderr,"status word is 0x%02x%02x\n", ntpmsg.byte1,ntpmsg.byte2 ); + die ("return data appears to be invalid based on status word"); diff --git a/ntp/patches/ntpstat-0.2-3-sysvars.patch b/ntp/patches/ntpstat-0.2-3-sysvars.patch new file mode 100644 index 000000000..3f641a92b --- /dev/null +++ b/ntp/patches/ntpstat-0.2-3-sysvars.patch 
@@ -0,0 +1,15 @@ +diff -up ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.sysvars ntp-4.2.6p1/ntpstat-0.2/ntpstat.c +--- ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.sysvars 2010-05-03 11:27:47.000000000 +0200 ++++ ntp-4.2.6p1/ntpstat-0.2/ntpstat.c 2010-05-03 11:32:56.000000000 +0200 +@@ -89,9 +89,9 @@ int main (void) { + "modem"}; /* 9 */ + char *newstr; + char *dispstr; +- const char DISP[] = "rootdispersion="; ++ const char DISP[] = "rootdisp="; + const char STRATUM[] = "stratum="; +- const char POLL[] = "poll="; ++ const char POLL[] = "tc="; + const char REFID[] = "refid="; + + /* initialise timeout value */ diff --git a/ntp/patches/ntpstat-0.2-4-maxerror.patch b/ntp/patches/ntpstat-0.2-4-maxerror.patch new file mode 100644 index 000000000..f8ab750ad --- /dev/null +++ b/ntp/patches/ntpstat-0.2-4-maxerror.patch 
@@ -0,0 +1,38 @@ +diff -up ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.maxerror ntp-4.2.6p1/ntpstat-0.2/ntpstat.c +--- ntp-4.2.6p1/ntpstat-0.2/ntpstat.c.maxerror 2010-05-03 11:37:49.000000000 +0200 ++++ ntp-4.2.6p1/ntpstat-0.2/ntpstat.c 2010-05-03 12:20:08.000000000 +0200 +@@ -89,7 +89,9 @@ int main (void) { + "modem"}; /* 9 */ + char *newstr; + char *dispstr; ++ char *delaystr; + const char DISP[] = "rootdisp="; ++ const char DELAY[] = "rootdelay="; + const char STRATUM[] = "stratum="; + const char POLL[] = "tc="; + const char REFID[] = "refid="; +@@ -235,16 +237,19 @@ int main (void) { + /* Set the position of the start of the string to + "rootdispersion=" part of the string. */ + strncpy(buff, ntpmsg.payload, sizeof(buff)); +- if ((newstr = strstr (buff, DISP))) { +- newstr += sizeof(DISP) - 1; +- dispstr = strtok(newstr,"."); ++ if ((dispstr = strstr (buff, DISP)) && (delaystr = strstr (buff, DELAY))) { ++ dispstr += sizeof(DISP) - 1; ++ dispstr = strtok(dispstr,","); ++ delaystr += sizeof(DELAY) - 1; ++ delaystr = strtok(delaystr,","); + + /* Check the resultant string is of a reasonable length */ +- if ((strlen (dispstr) == 0) || (strlen (dispstr) > 4)) { ++ if ((strlen (dispstr) == 0) || (strlen (dispstr) > 10) || ++ (strlen (delaystr) == 0) || (strlen (delaystr) > 10)) { + printf ("accuracy unreadable\n"); + } + else { +- printf(" time correct to within %s ms\n",dispstr); ++ printf(" time correct to within %.0f ms\n", atof(dispstr) + atof(delaystr) / 2.0); + } + } else { + rc=1; diff --git a/ntp/patches/ntpstat-0.2-5-errorbit.patch b/ntp/patches/ntpstat-0.2-5-errorbit.patch new file mode 100644 index 000000000..06e93426a --- /dev/null +++ b/ntp/patches/ntpstat-0.2-5-errorbit.patch 
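Review bot: `strtok` never returns an empty token, so the new guard `(strlen (dispstr) == 0) || ... (strlen (delaystr) == 0)` cannot catch the case it is written for; when nothing follows `rootdisp=` or `rootdelay=` strtok returns NULL and strlen(NULL) is undefined behaviour. The check should be `if (dispstr == NULL || strlen (dispstr) > 10 || delaystr == NULL || strlen (delaystr) > 10)`. The context line `strncpy(buff, ntpmsg.payload, sizeof(buff));` does not guarantee NUL termination, and the two new `strstr` calls then scan `buff` on that assumption; `buff[sizeof(buff) - 1] = '\0';` after the copy makes the scan bounded. `atof` on the two substrings gives no error indication; `strtod` with an end-pointer check would let the "accuracy unreadable" branch also cover non-numeric values.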
@@ -0,0 +1,32 @@
+diff -up ntp-4.2.6p4/ntpstat-0.2/ntpstat.c.errorbit ntp-4.2.6p4/ntpstat-0.2/ntpstat.c
+--- ntp-4.2.6p4/ntpstat-0.2/ntpstat.c.errorbit 2011-10-06 13:41:38.591669772 +0200
++++ ntp-4.2.6p4/ntpstat-0.2/ntpstat.c 2011-10-06 16:50:01.708315811 +0200
+@@ -104,6 +104,7 @@ int main (void) {
+ FD_ZERO(&fds);
+ 
+ inet_aton("127.0.0.1", &address);
++ memset(&sock, 0, sizeof (sock));;
+ sock.sin_family = AF_INET;
+ sock.sin_addr = address;
+ sock.sin_port = htons(NTP_PORT);
+@@ -159,15 +160,18 @@ int main (void) {
+ die ("return data appears to be invalid based on status word");
+ }
+ 
+- if (!(ntpmsg.byte2 | EMASK)) {
++ if (ntpmsg.byte2 & EMASK) {
+ fprintf (stderr,"status byte2 is %02x\n", ntpmsg.byte2 );
+ die ("error bit is set in reply");
+ }
+ 
+- if (!(ntpmsg.byte2 | MMASK)) {
++ /* ignore the more bit */
++#if 0
++ if (ntpmsg.byte2 & MMASK) {
+ fprintf (stderr,"status byte2 is %02x\n", ntpmsg.byte2 );
+ fprintf (stderr,"More bit unexpected in reply");
+ }
++#endif
+ 
+ /* if the leap indicator (LI), which is the two most significant bits
+ in status byte1, are both one, then the clock is not synchronised. */
diff --git a/ntp/systemd/ntp-wait.service b/ntp/systemd/ntp-wait.service
new file mode 100644
index 000000000..8d67e1353
--- /dev/null
+++ b/ntp/systemd/ntp-wait.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Wait for ntpd to synchronize system clock
+After=ntpd.service
+Requires=ntpd.service
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/ntp-wait
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ntp/systemd/ntpd.service b/ntp/systemd/ntpd.service
new file mode 100644
index 000000000..8c333535b
--- /dev/null
+++ b/ntp/systemd/ntpd.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Network Time Service
+After=syslog.target ntpdate.service
+
+[Service]
+Type=forking
+ExecStart=/usr/sbin/ntpd -u ntp:ntp -g
+PrivateTmp=true
+ControlGroup=cpu:/
+
+[Install]
+WantedBy=multi-user.target
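Review bot: The added `memset(&sock, 0, sizeof (sock));;` carries a stray second semicolon — an empty statement that compiles but reads like a typo and trips `-Wextra`-style pedantic warnings; it should be `memset(&sock, 0, sizeof (sock));`. Zeroing `sock` before the `sin_family`/`sin_addr`/`sin_port` assignments is otherwise the right place, since nothing earlier in the hunk writes to `sock`. The enclosing `main()` starts and ends outside this hunk.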
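Review bot: The More-bit check is disabled by wrapping it in `#if 0` instead of deleting it, which leaves dead code that the next reader has to reason about and that will silently drift out of date; remove the `#if 0` block and `#endif` and keep only the comment, expanded to say why the bit is ignored, since `/* ignore the more bit */` states the what but not the reason (the hunk does not give one, so it needs to come from the author). The EMASK change itself is correct: `!(ntpmsg.byte2 | EMASK)` is always false for a non-zero mask, so the error bit was never detected before this fix. The enclosing `main()` begins and ends outside this hunk.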
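Review bot: `ExecStart=/usr/sbin/ntp-wait` runs as `Type=oneshot` with no `TimeoutStartSec=`, and systemd disables the start timeout for oneshot units by default, so if ntpd never reaches a synchronised state (no network, unreachable or misconfigured servers) this unit blocks `time-sync.target` and `multi-user.target` for as long as ntp-wait's own retry loop runs — with no `-n`/`-s` arguments that is its built-in default, which is several minutes if I recall the script correctly (confirm). Bound it explicitly, e.g. `ExecStart=/usr/sbin/ntp-wait -n 60 -s 2` together with `TimeoutStartSec=180`, and decide deliberately whether an unsynchronised ntpd should leave this unit failed or succeed silently. A one-line comment stating that choice would help, e.g. `# Blocks time-sync.target until ntpd reports sync; bounded so a dead network cannot stall boot.`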
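Review bot: `Type=forking` is used without `PIDFile=`, so systemd has to guess ntpd's main process after the parent exits; ntpd can write a pid file, so pass `-p /run/ntpd.pid` on the `ExecStart` line and add `PIDFile=/run/ntpd.pid`, which also makes `systemctl stop` and status reporting reliable. `ControlGroup=cpu:/` is a directive that later systemd releases removed (it is ignored with a warning there), so nothing should depend on it. `-u ntp:ntp` and `PrivateTmp=true` are the right privilege reduction for this daemon; the unit itself cannot guarantee the `ntp` user and group exist, so that belongs to the package's install scripts.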
diff --git a/ntp/systemd/ntpdate.service b/ntp/systemd/ntpdate.service
new file mode 100644
index 000000000..167f08826
--- /dev/null
+++ b/ntp/systemd/ntpdate.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Set time via NTP
+After=syslog.target network.target nss-lookup.target
+Before=time-sync.target
+Wants=time-sync.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/lib/ntpdate-wrapper
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
-- 
2.39.2
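Review bot: `After=network.target` only orders this oneshot after network management has been started, not after an address and DNS are actually usable, so a wrapper that must resolve and reach its servers at boot can fail or step nothing; the documented ordering for units that need connectivity is `After=network-online.target` plus `Wants=network-online.target` on systemd versions that provide that target. Separately, nothing in this unit says which servers the wrapper steps the clock from or whether those replies are authenticated, and a clock step performed as root from an unauthenticated source shifts every certificate-validity and ticket-lifetime check for services ordered after `time-sync.target`. A comment pointing the reader at the wrapper and its configuration would help, e.g. `# Steps the clock once before ntpd starts; server list and any key/auth options live in /usr/lib/ntpdate-wrapper.` (hedged: the wrapper itself is not in this hunk).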
