ntp: Update to 4.2.8
authorMichael Tremer <michael.tremer@ipfire.org>
Mon, 22 Dec 2014 16:29:35 +0000 (17:29 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 22 Dec 2014 16:29:35 +0000 (17:29 +0100)
CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()
CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys
CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets
CVE-2014-9296 ntp: receive() missing return on error

16 files changed:
ntp/ntp.nm
ntp/patches/ntp-4.2.4p7-getprecision.patch [deleted file]
ntp/patches/ntp-4.2.6p1-cmsgalign.patch [deleted file]
ntp/patches/ntp-4.2.6p1-linkfastmath.patch [deleted file]
ntp/patches/ntp-4.2.6p1-logdefault.patch [deleted file]
ntp/patches/ntp-4.2.6p1-retcode.patch [deleted file]
ntp/patches/ntp-4.2.6p1-sleep.patch [deleted file]
ntp/patches/ntp-4.2.6p2-multiopts.patch [deleted file]
ntp/patches/ntp-4.2.6p3-bcast.patch [deleted file]
ntp/patches/ntp-4.2.6p3-broadcastdelay.patch [deleted file]
ntp/patches/ntp-4.2.6p4-droproot.patch [deleted file]
ntp/patches/ntp-4.2.6p4-htmldoc.patch [deleted file]
ntp/patches/ntp-4.2.6p4-mlock.patch [deleted file]
ntp/patches/ntp-4.2.6p4-rtnetlink.patch [deleted file]
ntp/patches/ntp-4.2.6p5-delaycalib.patch [deleted file]
ntp/patches/ntp-4.2.6p5-fipsmd5.patch [deleted file]

index 9c8bb56..ba72e62 100644 (file)
@@ -4,9 +4,9 @@
 ###############################################################################
 
 name       = ntp
-version    = %{ver_major}.6p5
+version    = %{ver_major}.8
 ver_major  = 4.2
-release    = 2
+release    = 1
 
 groups     = System/Daemons
 url        = http://www.ntp.org/
@@ -61,9 +61,6 @@ build
 
                make ${PARALLELISMFLAGS}
 
-               sed -i 's|$ntpq = "ntpq"|$ntpq = "%{sbindir}/ntpq"|' scripts/ntptrace
-               sed -i 's|ntpq -c |%{sbindir}/ntpq -c |' scripts/ntp-wait
-
                # Build ntpstat.
                make -C ntpstat-0.2
        end
@@ -191,39 +188,6 @@ packages
                end
        end
 
-       package %{name}-perl
-               summary = NTP utilities written in Perl.
-               description
-                       This package contains Perl scripts ntp-wait and ntptrace.
-               end
-               groups = Applications/System
-
-               requires
-                       %{name} = %{thisver}
-               end
-
-               files
-                       %{sbindir}/ntp-wait
-                       %{sbindir}/ntptrace
-                       %{mandir}/man8/ntp-wait.8*
-                       %{mandir}/man8/ntptrace.8*
-                       %{unitdir}/ntp-wait.service
-               end
-
-               script preun
-                       systemctl --no-reload disable ntp-wait.service >/dev/null 2>&1 || :
-                       systemctl stop ntp-wait.service >/dev/null 2>&1 || :
-               end
-
-               script postun
-                       systemctl daemon-reload >/dev/null 2>&1 || :
-               end
-
-               script postup
-                       systemctl daemon-reload >/dev/null 2>&1 || :
-               end
-       end
-
        package %{name}-devel
                template DEVEL
        end
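Review bot: Dropping the `%{name}-perl` subpackage in the last hunk leaves no visible upgrade path for systems that have it installed: the removed definition carried `requires %{name} = %{thisver}`, so an installed ntp-perl built from 4.2.6p5 may hold back the update to 4.2.8 that carries the CVE fixes named in the commit message. If the main package does not already obsolete it elsewhere in ntp.nm (outside these hunks), it should gain an `obsoletes` entry for `%{name}-perl`. It is also unclear from the hunks whether ntp-wait, ntptrace and `ntp-wait.service` are still installed by the 4.2.8 build; if they are, they need to be listed under another package or removed at install time. Finally, all downstream patches are deleted with no word in the description on which of them 4.2.8 includes upstream; the droproot patch, for one, adds a `-U user_name` option to ntpdate, so a sentence saying whether that behaviour survives would make the change reviewable.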
diff --git a/ntp/patches/ntp-4.2.4p7-getprecision.patch b/ntp/patches/ntp-4.2.4p7-getprecision.patch
deleted file mode 100644 (file)
index ecf6def..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.4p7/ntpd/ntp_proto.c.getprecision ntp-4.2.4p7/ntpd/ntp_proto.c
---- ntp-4.2.4p7/ntpd/ntp_proto.c.getprecision  2009-09-29 14:16:22.000000000 +0200
-+++ ntp-4.2.4p7/ntpd/ntp_proto.c       2009-09-29 14:18:13.000000000 +0200
-@@ -3099,7 +3099,7 @@ peer_unfit(
- /*
-  * Find the precision of this particular machine
-  */
--#define MINSTEP 100e-9                /* minimum clock increment (s) */
-+#define MINSTEP 10e-9         /* minimum clock increment (s) */
- #define MAXSTEP 20e-3         /* maximum clock increment (s) */
- #define MINLOOPS 5            /* minimum number of step samples */
diff --git a/ntp/patches/ntp-4.2.6p1-cmsgalign.patch b/ntp/patches/ntp-4.2.6p1-cmsgalign.patch
deleted file mode 100644 (file)
index 0e4b8cc..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/ntp_io.c.cmsgalign ntp-4.2.6p1/ntpd/ntp_io.c
---- ntp-4.2.6p1/ntpd/ntp_io.c.cmsgalign        2010-03-04 18:28:53.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_io.c  2010-03-04 18:30:34.000000000 +0100
-@@ -3194,8 +3194,8 @@ read_network_packet(
-       msghdr.msg_namelen    = fromlen;
-       msghdr.msg_iov        = &iovec;
-       msghdr.msg_iovlen     = 1;
--      msghdr.msg_control    = (void *)&control;
--      msghdr.msg_controllen = sizeof(control);
-+      msghdr.msg_control    = (void *)((long)(control + 7) & -8); /* align to 8 bytes */
-+      msghdr.msg_controllen = sizeof(control) - 8;
-       msghdr.msg_flags      = 0;
-       rb->recv_length       = recvmsg(fd, &msghdr, 0);
- #endif
diff --git a/ntp/patches/ntp-4.2.6p1-linkfastmath.patch b/ntp/patches/ntp-4.2.6p1-linkfastmath.patch
deleted file mode 100644 (file)
index 5a859d3..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/Makefile.in.linkfastmath ntp-4.2.6p1/ntpd/Makefile.in
---- ntp-4.2.6p1/ntpd/Makefile.in.linkfastmath  2010-02-09 11:19:25.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/Makefile.in       2010-03-03 16:57:40.000000000 +0100
-@@ -365,7 +365,7 @@ man_MANS = $(srcdir)/ntpd.1
- # sqrt                                ntp_control.o
- # floor                               refclock_wwv.o
- # which are (usually) provided by -lm.
--ntpd_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntp.a -lm @LCRYPTO@ @LSCF@
-+ntpd_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntp.a -lm -ffast-math @LCRYPTO@ @LSCF@
- ntpdsim_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntpsim.a -lm @LCRYPTO@ @LSCF@
- ntpdsim_CFLAGS = $(CFLAGS) -DSIM
- check_y2k_LDADD = $(LDADD) ../libntp/libntp.a
diff --git a/ntp/patches/ntp-4.2.6p1-logdefault.patch b/ntp/patches/ntp-4.2.6p1-logdefault.patch
deleted file mode 100644 (file)
index ae816b7..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/ntp_config.c.logdefault ntp-4.2.6p1/ntpd/ntp_config.c
---- ntp-4.2.6p1/ntpd/ntp_config.c.logdefault   2010-01-24 11:01:45.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_config.c      2010-03-09 17:44:09.000000000 +0100
-@@ -3794,7 +3794,7 @@ getconfig(
- #endif /* SYS_WINNT */
-       res_fp = NULL;
--      ntp_syslogmask = NLOG_SYNCMASK; /* set more via logconfig */
-+      ntp_syslogmask = NLOG_SYNCMASK | NLOG_EVENT | NLOG_STATUS; /* set more via logconfig */
-       /*
-        * install a non default variable with this daemon version
diff --git a/ntp/patches/ntp-4.2.6p1-retcode.patch b/ntp/patches/ntp-4.2.6p1-retcode.patch
deleted file mode 100644 (file)
index 6d676d2..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/ntp_proto.c.retcode ntp-4.2.6p1/ntpd/ntp_proto.c
---- ntp-4.2.6p1/ntpd/ntp_proto.c.retcode       2009-12-09 08:36:36.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_proto.c       2010-03-03 16:06:00.000000000 +0100
-@@ -269,7 +269,7 @@ transmit(
-                                           "ntpd: no servers found");
-                                       printf(
-                                           "ntpd: no servers found\n");
--                                      exit (0);
-+                                      exit (1);
-                               }
-                       }
-               }
diff --git a/ntp/patches/ntp-4.2.6p1-sleep.patch b/ntp/patches/ntp-4.2.6p1-sleep.patch
deleted file mode 100644 (file)
index 577ef26..0000000
+++ /dev/null
@@ -1,495 +0,0 @@
-diff -up ntp-4.2.6p1/include/ntp_refclock.h.sleep ntp-4.2.6p1/include/ntp_refclock.h
---- ntp-4.2.6p1/include/ntp_refclock.h.sleep   2009-12-09 08:36:35.000000000 +0100
-+++ ntp-4.2.6p1/include/ntp_refclock.h 2010-03-10 19:27:46.000000000 +0100
-@@ -260,6 +260,7 @@ extern     void    refclock_control (sockaddr_u
-                                   struct refclockstat *);
- extern        int     refclock_open   (char *, u_int, u_int);
- extern        int     refclock_setup  (int, u_int, u_int);
-+extern        int     refclock_timer_needed   (struct peer *);
- extern        void    refclock_timer  (struct peer *);
- extern        void    refclock_transmit (struct peer *);
- extern        int     refclock_ioctl  (int, u_int);
-diff -up ntp-4.2.6p1/include/ntp_stdlib.h.sleep ntp-4.2.6p1/include/ntp_stdlib.h
---- ntp-4.2.6p1/include/ntp_stdlib.h.sleep     2009-12-09 08:36:35.000000000 +0100
-+++ ntp-4.2.6p1/include/ntp_stdlib.h   2010-03-10 19:27:46.000000000 +0100
-@@ -116,6 +116,7 @@ extern     const char * FindConfig (const ch
- extern        void    signal_no_reset (int, RETSIGTYPE (*func)(int));
- extern        void    getauthkeys     (const char *);
-+extern        int     auth_agekeys_needed (void);
- extern        void    auth_agekeys    (void);
- extern        void    rereadkeys      (void);
-diff -up ntp-4.2.6p1/include/ntpd.h.sleep ntp-4.2.6p1/include/ntpd.h
---- ntp-4.2.6p1/include/ntpd.h.sleep   2009-12-09 08:36:35.000000000 +0100
-+++ ntp-4.2.6p1/include/ntpd.h 2010-03-10 19:27:46.000000000 +0100
-@@ -112,8 +112,10 @@ extern    void    block_io_and_alarm      (void);
- /* ntp_loopfilter.c */
- extern        void    init_loopfilter(void);
- extern        int     local_clock(struct peer *, double);
--extern        void    adj_host_clock(void);
-+extern        int     adj_host_clock_needed(void);
-+extern        void    adj_host_clock(int);
- extern        void    loop_config(int, double);
-+extern        int     huffpuff_enabled(void);
- extern        void    huffpuff(void);
- extern        u_long  sys_clocktime;
- extern        u_int   sys_tai;
-@@ -219,6 +221,8 @@ extern     void    hack_restrict   (int, sockaddr
- /* ntp_timer.c */
- extern        void    init_timer      (void);
- extern        void    reinit_timer    (void);
-+extern        double  get_timeout     (l_fp *);
-+extern        int     timer_elapsed   (l_fp, int);
- extern        void    timer           (void);
- extern        void    timer_clr_stats (void);
- extern  void    timer_interfacetimeout (u_long);
-diff -up ntp-4.2.6p1/libntp/authkeys.c.sleep ntp-4.2.6p1/libntp/authkeys.c
---- ntp-4.2.6p1/libntp/authkeys.c.sleep        2009-12-09 08:36:35.000000000 +0100
-+++ ntp-4.2.6p1/libntp/authkeys.c      2010-03-10 19:27:46.000000000 +0100
-@@ -445,6 +445,25 @@ auth_delkeys(void)
-       }
- }
-+int
-+auth_agekeys_needed(void) {
-+      struct savekey *sk;
-+      int i;
-+
-+      if (authnumkeys > 20)
-+              return 1;
-+
-+      for (i = 0; i < HASHSIZE; i++) {
-+              sk = key_hash[i];
-+              while (sk != 0) {
-+                      if (sk->lifetime > 0)
-+                              return 1;
-+                      sk = sk->next;
-+              }
-+      }
-+      return 0;
-+}
-+
- /*
-  * auth_agekeys - delete keys whose lifetimes have expired
-  */
-diff -up ntp-4.2.6p1/ntpd/ntp_loopfilter.c.sleep ntp-4.2.6p1/ntpd/ntp_loopfilter.c
---- ntp-4.2.6p1/ntpd/ntp_loopfilter.c.sleep    2009-12-09 08:36:36.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_loopfilter.c  2010-03-10 19:27:46.000000000 +0100
-@@ -677,6 +677,13 @@ local_clock(
- #endif /* LOCKCLOCK */
- }
-+int
-+adj_host_clock_needed(void)
-+{
-+      return !(!ntp_enable || mode_ntpdate || (pll_control &&
-+          kern_enable));
-+}
-+ 
- /*
-  * adj_host_clock - Called once every second to update the local clock.
-@@ -686,7 +693,7 @@ local_clock(
-  */
- void
- adj_host_clock(
--      void
-+      int time_elapsed
-       )
- {
-       double  adjustment;
-@@ -698,7 +705,7 @@ adj_host_clock(
-        * since the poll interval can exceed one day, the old test
-        * would be counterproductive.
-        */
--      sys_rootdisp += clock_phi;
-+      sys_rootdisp += clock_phi * time_elapsed;
- #ifndef LOCKCLOCK
-       /*
-@@ -819,6 +826,12 @@ set_freq(
- #endif /* KERNEL_PLL */
- }
-+int
-+huffpuff_enabled(void)
-+{
-+      return sys_huffpuff != NULL;
-+}
-+
- /*
-  * huff-n'-puff filter
-  */
-diff -up ntp-4.2.6p1/ntpd/ntp_refclock.c.sleep ntp-4.2.6p1/ntpd/ntp_refclock.c
---- ntp-4.2.6p1/ntpd/ntp_refclock.c.sleep      2009-12-09 08:36:36.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_refclock.c    2010-03-10 19:27:46.000000000 +0100
-@@ -268,6 +268,21 @@ refclock_unpeer(
- }
-+int
-+refclock_timer_needed(
-+      struct peer *peer       /* peer structure pointer */
-+      )
-+{
-+      u_char clktype;
-+      int unit;
-+
-+      clktype = peer->refclktype;
-+      unit = peer->refclkunit;
-+      if (refclock_conf[clktype]->clock_timer != noentry)
-+              return 1;
-+      return 0;
-+}
-+
- /*
-  * refclock_timer - called once per second for housekeeping.
-  */
-diff -up ntp-4.2.6p1/ntpd/ntp_timer.c.sleep ntp-4.2.6p1/ntpd/ntp_timer.c
---- ntp-4.2.6p1/ntpd/ntp_timer.c.sleep 2009-12-09 08:36:35.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_timer.c       2010-03-11 15:23:59.000000000 +0100
-@@ -56,7 +56,6 @@ static       u_long adjust_timer;    /* second ti
- static        u_long stats_timer;     /* stats timer */
- static        u_long huffpuff_timer;  /* huff-n'-puff timer */
- u_long        leapsec;                /* leapseconds countdown */
--l_fp  sys_time;               /* current system time */
- #ifdef OPENSSL
- static        u_long revoke_timer;    /* keys revoke timer */
- static        u_long keys_timer;      /* session key timer */
-@@ -74,6 +73,12 @@ volatile u_long alarm_overflow;
- #define       DAY     (24 * HOUR)
- u_long current_time;          /* seconds since startup */
-+l_fp timer_base;
-+int time_elapsed;
-+
-+#define TIMEOUT_TS_SIZE 2
-+l_fp timeout_ts[TIMEOUT_TS_SIZE];
-+unsigned int timeout_ts_index;
- /*
-  * Stats.  Number of overflows and number of calls to transmit().
-@@ -110,6 +115,8 @@ static     RETSIGTYPE alarming (int);
- void 
- reinit_timer(void)
- {
-+      get_systime(&timer_base);
-+#if 0
- #if !defined(SYS_WINNT) && !defined(VMS)
- #  if defined(HAVE_TIMER_CREATE) && defined(HAVE_TIMER_SETTIME)
-       timer_gettime(ntpd_timerid, &itimer);
-@@ -143,6 +150,7 @@ reinit_timer(void)
-       setitimer(ITIMER_REAL, &itimer, (struct itimerval *)0);
- #  endif
- # endif /* VMS */
-+#endif
- }
- /*
-@@ -165,6 +173,12 @@ init_timer(void)
-       timer_xmtcalls = 0;
-       timer_timereset = 0;
-+      get_systime(&timer_base);
-+
-+      for (timeout_ts_index = 0; timeout_ts_index < TIMEOUT_TS_SIZE; timeout_ts_index++)
-+              L_CLR(&timeout_ts[timeout_ts_index]);
-+      timeout_ts_index = 0;
-+#if 0
- #if !defined(SYS_WINNT)
-       /*
-        * Set up the alarm interrupt.  The first comes 2**EVENT_TIMEOUT
-@@ -226,6 +240,7 @@ init_timer(void)
-       }
- #endif /* SYS_WINNT */
-+#endif
- }
- #if defined(SYS_WINNT)
-@@ -236,6 +251,104 @@ get_timer_handle(void)
- }
- #endif
-+double
-+get_timeout(l_fp *now)
-+{
-+      register struct peer *peer, *next_peer;
-+      u_int   n;
-+      double r;
-+      int next;
-+      l_fp ts;
-+
-+      ts = *now;
-+      L_SUB(&ts, &timeout_ts[timeout_ts_index]);
-+      timeout_ts[timeout_ts_index] = *now;
-+      timeout_ts_index = (timeout_ts_index + 1) % TIMEOUT_TS_SIZE;
-+
-+      /* don't waste CPU time if called too frequently */
-+      if (ts.l_ui == 0) {
-+              next = 1;
-+              goto finish;
-+      }
-+
-+      next = current_time + HOUR;
-+
-+      if (adj_host_clock_needed()) {
-+              next = 1;
-+              goto finish;
-+      }
-+      for (n = 0; n < NTP_HASH_SIZE; n++) {
-+              for (peer = peer_hash[n]; peer != 0; peer = next_peer) {
-+                      next_peer = peer->next;
-+#ifdef REFCLOCK
-+                      if (peer->flags & FLAG_REFCLOCK && refclock_timer_needed(peer)) {
-+                              next = 1;
-+                              goto finish;
-+                      }
-+#endif /* REFCLOCK */
-+                      if (peer->action)
-+                             next = min(next, peer->nextaction);
-+                      next = min(next, peer->nextdate);
-+              }
-+      }
-+
-+      if (leapsec > 0)
-+              next = min(next, leapsec);
-+
-+      if (huffpuff_enabled())
-+              next = min(next, huffpuff_timer);
-+
-+#ifdef OPENSSL
-+      if (auth_agekeys_needed())
-+              next = min(next, keys_timer);
-+      if (sys_leap != LEAP_NOTINSYNC)
-+              next = min(next, revoke_timer);
-+#endif /* OPENSSL */
-+
-+      if (interface_interval)
-+              next = min(next, interface_timer);
-+
-+      next = min(next, stats_timer);
-+
-+      next -= current_time;
-+      if (next <= 0)
-+              next = 1;
-+finish:
-+      ts = timer_base;
-+      ts.l_ui += next;
-+      L_SUB(&ts, now);
-+      LFPTOD(&ts, r);
-+#ifdef DEBUG 
-+      DPRINTF(2, ("timer: timeout %f\n", r));
-+#endif
-+
-+      return r;
-+}
-+
-+int
-+timer_elapsed(l_fp now, int timeout)
-+{
-+      int elapsed;
-+
-+      L_SUB(&now, &timer_base);
-+      elapsed = now.l_i;
-+      if (elapsed < 0 || elapsed > timeout + 10) {
-+#ifdef DEBUG 
-+              DPRINTF(2, ("timer: unexpected time jump\n"));
-+#endif
-+              elapsed = 0;
-+              reinit_timer();
-+
-+      }
-+      timer_base.l_ui += elapsed;
-+      time_elapsed += elapsed;
-+      current_time += elapsed;
-+#ifdef DEBUG 
-+      DPRINTF(2, ("timer: time elapsed %d\n", time_elapsed));
-+#endif
-+      return time_elapsed;
-+}
-+
- /*
-  * timer - event timer
-  */
-@@ -251,11 +364,9 @@ timer(void)
-        * kiss-o'-deatch function and implement the association
-        * polling function..
-        */
--      current_time++;
--      get_systime(&sys_time);
-       if (adjust_timer <= current_time) {
--              adjust_timer += 1;
--              adj_host_clock();
-+              adjust_timer += time_elapsed;
-+              adj_host_clock(time_elapsed);
- #ifdef REFCLOCK
-               for (n = 0; n < NTP_HASH_SIZE; n++) {
-                       for (peer = peer_hash[n]; peer != 0; peer = next_peer) {
-@@ -286,7 +397,7 @@ timer(void)
-                        * 128 s or less.
-                        */
-                       if (peer->throttle > 0)
--                              peer->throttle--;
-+                              peer->throttle -= min(peer->throttle, time_elapsed);
-                       if (peer->nextdate <= current_time) {
- #ifdef REFCLOCK
-                               if (peer->flags & FLAG_REFCLOCK)
-@@ -333,7 +444,7 @@ timer(void)
-        * set.
-        */
-       if (leapsec > 0) {
--              leapsec--;
-+              leapsec -= min(leapsec, time_elapsed);
-               if (leapsec == 0) {
-                       sys_leap = LEAP_NOWARNING;
-                       sys_tai = leap_tai;
-@@ -398,11 +509,15 @@ timer(void)
-        * Finally, write hourly stats.
-        */
-       if (stats_timer <= current_time) {
-+              l_fp sys_time;
-+              get_systime(&sys_time);
-               stats_timer += HOUR;
-               write_stats();
-               if (sys_tai != 0 && sys_time.l_ui > leap_expire)
-                       report_event(EVNT_LEAPVAL, NULL, NULL);
-       }
-+
-+      time_elapsed = 0;
- }
-diff -up ntp-4.2.6p1/ntpd/ntpd.c.sleep ntp-4.2.6p1/ntpd/ntpd.c
---- ntp-4.2.6p1/ntpd/ntpd.c.sleep      2010-03-10 19:27:46.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntpd.c    2010-03-10 19:27:46.000000000 +0100
-@@ -195,8 +195,6 @@ extern const char *Version;
- char const *progname;
--int was_alarmed;
--
- #ifdef DECL_SYSCALL
- /*
-  * We put this here, since the argument profile is syscall-specific
-@@ -1033,7 +1031,7 @@ getgroup:
- #else /* normal I/O */
-       BLOCK_IO_AND_ALARM();
--      was_alarmed = 0;
-+
-       for (;;)
-       {
- # if !defined(HAVE_SIGNALED_IO)
-@@ -1041,42 +1039,39 @@ getgroup:
-               extern int maxactivefd;
-               fd_set rdfdes;
--              int nfound;
--# endif
-+              int nfound, time_elapsed;
--              if (alarm_flag)         /* alarmed? */
--              {
--                      was_alarmed = 1;
--                      alarm_flag = 0;
--              }
-+              time_elapsed = 0;
-+# endif
--              if (!was_alarmed && has_full_recv_buffer() == ISC_FALSE)
-+              if (has_full_recv_buffer() == ISC_FALSE)
-               {
-                       /*
-                        * Nothing to do.  Wait for something.
-                        */
- # ifndef HAVE_SIGNALED_IO
-+                      double timeout;
-+
-                       rdfdes = activefds;
--#  if defined(VMS) || defined(SYS_VXWORKS)
--                      /* make select() wake up after one second */
--                      {
--                              struct timeval t1;
-+                      get_systime(&now);
-+                      timeout = get_timeout(&now);
--                              t1.tv_sec = 1; t1.tv_usec = 0;
-+                      if (timeout > 0.0) {
-+                              struct timeval t1;
-+
-+                              t1.tv_sec = timeout;
-+                              t1.tv_usec = (timeout - t1.tv_sec) * 1000000;
-                               nfound = select(maxactivefd+1, &rdfdes, (fd_set *)0,
-                                               (fd_set *)0, &t1);
--                      }
--#  else
--                      nfound = select(maxactivefd+1, &rdfdes, (fd_set *)0,
--                                      (fd_set *)0, (struct timeval *)0);
--#  endif /* VMS */
--                      if (nfound > 0)
--                      {
--                              l_fp ts;
-+                              get_systime(&now);
-+                      } else
-+                              nfound = 0;
--                              get_systime(&ts);
-+                      time_elapsed = timer_elapsed(now, timeout);
--                              (void)input_handler(&ts);
-+                      if (nfound > 0)
-+                      {
-+                              (void)input_handler(&now);
-                       }
-                       else if (nfound == -1 && errno != EINTR)
-                               msyslog(LOG_ERR, "select() error: %m");
-@@ -1085,17 +1080,13 @@ getgroup:
-                               msyslog(LOG_DEBUG, "select(): nfound=%d, error: %m", nfound);
- #  endif /* DEBUG */
- # else /* HAVE_SIGNALED_IO */
-+#  error not supported by sleep patch
-                       wait_for_signal();
- # endif /* HAVE_SIGNALED_IO */
--                      if (alarm_flag)         /* alarmed? */
--                      {
--                              was_alarmed = 1;
--                              alarm_flag = 0;
--                      }
-               }
--              if (was_alarmed)
-+              if (time_elapsed > 0)
-               {
-                       UNBLOCK_IO_AND_ALARM();
-                       /*
-@@ -1103,7 +1094,6 @@ getgroup:
-                        * to process expiry.
-                        */
-                       timer();
--                      was_alarmed = 0;
-                       BLOCK_IO_AND_ALARM();
-               }
-@@ -1121,19 +1111,8 @@ getgroup:
-                       rbuf = get_full_recv_buffer();
-                       while (rbuf != NULL)
-                       {
--                              if (alarm_flag)
--                              {
--                                      was_alarmed = 1;
--                                      alarm_flag = 0;
--                              }
-                               UNBLOCK_IO_AND_ALARM();
--                              if (was_alarmed)
--                              {       /* avoid timer starvation during lengthy I/O handling */
--                                      timer();
--                                      was_alarmed = 0;
--                              }
--
-                               /*
-                                * Call the data procedure to handle each received
-                                * packet.
diff --git a/ntp/patches/ntp-4.2.6p2-multiopts.patch b/ntp/patches/ntp-4.2.6p2-multiopts.patch
deleted file mode 100644 (file)
index c4ea459..0000000
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up ntp-4.2.6p2/ntpd/ntpd-opts.c.multiopts ntp-4.2.6p2/ntpd/ntpd-opts.c
---- ntp-4.2.6p2/ntpd/ntpd-opts.c.multiopts     2010-09-15 17:37:10.000000000 +0200
-+++ ntp-4.2.6p2/ntpd/ntpd-opts.c       2010-10-01 13:28:49.000000000 +0200
-@@ -755,7 +755,7 @@ static tOptDesc optDesc[ OPTION_CT ] = {
-   {  /* entry idx, value */ 18, VALUE_OPT_PIDFILE,
-      /* equiv idx, value */ 18, VALUE_OPT_PIDFILE,
-      /* equivalenced to  */ NO_EQUIVALENT,
--     /* min, max, act ct */ 0, 1, 0,
-+     /* min, max, act ct */ 0, 2, 0,
-      /* opt state flags  */ PIDFILE_FLAGS, 0,
-      /* last opt argumnt */ { NULL },
-      /* arg list/cookie  */ NULL,
-@@ -839,7 +839,7 @@ static tOptDesc optDesc[ OPTION_CT ] = {
-   {  /* entry idx, value */ 25, VALUE_OPT_USER,
-      /* equiv idx, value */ 25, VALUE_OPT_USER,
-      /* equivalenced to  */ NO_EQUIVALENT,
--     /* min, max, act ct */ 0, 1, 0,
-+     /* min, max, act ct */ 0, 2, 0,
-      /* opt state flags  */ USER_FLAGS, 0,
-      /* last opt argumnt */ { NULL },
-      /* arg list/cookie  */ NULL,
diff --git a/ntp/patches/ntp-4.2.6p3-bcast.patch b/ntp/patches/ntp-4.2.6p3-bcast.patch
deleted file mode 100644 (file)
index 57581f3..0000000
+++ /dev/null
@@ -1,93 +0,0 @@
-diff -up ntp-4.2.6p3/ntpd/ntp_io.c.bcast ntp-4.2.6p3/ntpd/ntp_io.c
---- ntp-4.2.6p3/ntpd/ntp_io.c.bcast    2010-12-25 10:40:36.000000000 +0100
-+++ ntp-4.2.6p3/ntpd/ntp_io.c  2011-01-05 17:46:13.820049150 +0100
-@@ -151,6 +151,8 @@ int ninterfaces;                   /* Total number of in
- int disable_dynamic_updates;          /* scan interfaces once only */
-+static int pktinfo_status = 0;                /* is IP_PKTINFO on wildipv4 iface enabled? */
-+
- #ifdef REFCLOCK
- /*
-  * Refclock stuff.    We keep a chain of structures with data concerning
-@@ -2254,6 +2256,17 @@ set_reuseaddr(
- #endif /* ! SO_EXCLUSIVEADDRUSE */
- }
-+static void
-+set_pktinfo(int flag)
-+{
-+      if (wildipv4 == NULL)
-+              return;
-+      if (setsockopt(wildipv4->fd, SOL_IP, IP_PKTINFO, &flag, sizeof (flag))) {
-+              msyslog(LOG_ERR, "set_pktinfo: setsockopt(IP_PKTINFO, %s) failed: %m", flag ? "on" : "off");
-+      } else
-+              pktinfo_status = flag;
-+}
-+
- /*
-  * This is just a wrapper around an internal function so we can
-  * make other changes as necessary later on
-@@ -2659,6 +2672,7 @@ io_setbclient(void)
-               }
-       }
-       set_reuseaddr(0);
-+      set_pktinfo(1);
-       if (nif > 0)
-               DPRINTF(1, ("io_setbclient: Opened broadcast clients\n"));
-       else if (!nif)
-@@ -2685,6 +2699,7 @@ io_unsetbclient(void)
-                       continue;
-               socket_broadcast_disable(ep, &ep->sin);
-       }
-+      set_pktinfo(0);
- }
- /*
-@@ -3392,7 +3407,8 @@ read_network_packet(
- #ifdef HAVE_TIMESTAMP
-       struct msghdr msghdr;
-       struct iovec iovec;
--      char control[TIMESTAMP_CTLMSGBUF_SIZE];
-+      char control[sizeof (struct cmsghdr) * 2 + sizeof (struct timeval) +
-+              sizeof (struct in_pktinfo) + 32];
- #endif
-       /*
-@@ -3403,7 +3419,7 @@ read_network_packet(
-        */
-       rb = get_free_recv_buffer();
--      if (NULL == rb || itf->ignore_packets) {
-+      if (NULL == rb || (itf->ignore_packets && !(pktinfo_status && itf == wildipv4))) {
-               char buf[RX_BUFF_SIZE];
-               sockaddr_u from;
-@@ -3463,6 +3479,27 @@ read_network_packet(
-               return (buflen);
-       }
-+      if (pktinfo_status && itf->ignore_packets && itf == wildipv4) {
-+              /* check for broadcast on 255.255.255.255, exception allowed on wildipv4 */
-+              struct cmsghdr *cmsg;
-+              struct in_pktinfo *pktinfo = NULL;
-+
-+              if ((cmsg = CMSG_FIRSTHDR(&msghdr)))
-+                      do {
-+                              if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO)
-+                                      pktinfo = (struct in_pktinfo *) CMSG_DATA(cmsg);
-+                      } while ((cmsg = CMSG_NXTHDR(&msghdr, cmsg)));
-+              if (pktinfo && pktinfo->ipi_addr.s_addr == INADDR_BROADCAST) {
-+                      DPRINTF(4, ("INADDR_BROADCAST\n"));
-+              } else {
-+                      DPRINTF(4, ("%s on (%lu) fd=%d from %s\n", "ignore",
-+                              free_recvbuffs(), fd, stoa(&rb->recv_srcadr)));
-+                      packets_ignored++;
-+                      freerecvbuf(rb);
-+                      return (buflen);
-+              }
-+      }
-+
-       DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n",
-                   fd, buflen, stoa(&rb->recv_srcadr)));
diff --git a/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch b/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch
deleted file mode 100644 (file)
index f9c1929..0000000
+++ /dev/null
@@ -1,31 +0,0 @@
-==== ntpd/ntp_proto.c ====
-2010-10-22 01:55:45-04:00, stenn@deacon.udel.edu +2 -5
-  [Bug 1670] Fix peer->bias and broadcastdelay
-
---- 1.307/ntpd/ntp_proto.c     2010-10-11 21:06:05 -07:00
-+++ 1.308/ntpd/ntp_proto.c     2010-10-21 22:55:45 -07:00
-@@ -929,7 +929,6 @@ receive(
-                       } else {
-                               peer->delay = sys_bdelay;
--                              peer->bias = -sys_bdelay / 2.;
-                       }
-                       break;
-               }
-@@ -1570,7 +1569,6 @@ process_packet(
-               p_del = fabs(t21 - t34);
-               p_offset = (t21 + t34) / 2.;
-       }
--      p_offset += peer->bias;
-       p_disp = LOGTOD(sys_precision) + LOGTOD(peer->precision) +
-           clock_phi * p_del;
-@@ -1647,7 +1645,7 @@ process_packet(
-       /*
-        * That was awesome. Now hand off to the clock filter.
-        */
--      clock_filter(peer, p_offset, p_del, p_disp);
-+      clock_filter(peer, p_offset + peer->bias, p_del, p_disp);
-       /*
-        * If we are in broadcast calibrate mode, return to broadcast
diff --git a/ntp/patches/ntp-4.2.6p4-droproot.patch b/ntp/patches/ntp-4.2.6p4-droproot.patch
deleted file mode 100644 (file)
index 1d953d1..0000000
+++ /dev/null
@@ -1,207 +0,0 @@
-diff -up ntp-4.2.6p4/html/ntpdate.html.droproot ntp-4.2.6p4/html/ntpdate.html
---- ntp-4.2.6p4/html/ntpdate.html.droproot     2011-07-11 04:18:25.000000000 +0200
-+++ ntp-4.2.6p4/html/ntpdate.html      2011-10-05 15:47:29.643634928 +0200
-@@ -18,7 +18,7 @@
-               <hr>
-               <p>Disclaimer: The functionality of this program is now available in the <tt>ntpd</tt> program. See the <tt>-q</tt> command line option in the <a href="ntpd.html"><tt>ntpd</tt> - Network Time Protocol (NTP) daemon</a> page. After a suitable period of mourning, the <tt>ntpdate</tt> program is to be retired from this distribution</p>
-               <h4>Synopsis</h4>
--              <tt>ntpdate [ -46bBdqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ] [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [ -t <i>timeout</i> ] <i>server</i> [ ... ]</tt>
-+              <tt>ntpdate [ -46bBdqsuv ] [ -a <i>key</i> ] [ -e <i>authdelay</i> ] [ -k <i>keyfile</i> ] [ -o <i>version</i> ] [ -p <i>samples</i> ] [ -t <i>timeout</i> ] [ -U <i>user_name</i> ] <i>server</i> [ ... ]</tt>
-               <h4>Description</h4>
-               <p><tt>ntpdate</tt> sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the <i>server</i> arguments to determine the correct time. It must be run as root on the local host. A number of samples are obtained from each of the servers specified and a subset of the NTP clock filter and selection algorithms are applied to select the best of these. Note that the accuracy and reliability of <tt>ntpdate</tt> depends on the number of servers, the number of polls each time it is run and the interval between runs.</p>
-               <p><tt>ntpdate</tt> can be run manually as necessary to set the host clock, or it can be run from the host startup script to set the clock at boot time. This is useful in some cases to set the clock initially before starting the NTP daemon <tt>ntpd</tt>. It is also possible to run <tt>ntpdate</tt> from a <tt>cron</tt> script. However, it is important to note that <tt>ntpdate</tt> with contrived <tt>cron</tt> scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since <tt>ntpdate</tt> does not discipline the host clock frequency as does <tt>ntpd</tt>, the accuracy using <tt>ntpdate</tt> is limited.</p>
-@@ -58,6 +58,10 @@
-                       <dd>Direct <tt>ntpdate</tt> to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronize with hosts beyond the firewall. Note that the <tt>-d</tt> option always uses unprivileged ports.
-                       <dt><tt>-<i>v</i></tt>
-                       <dd>Be verbose. This option will cause <tt>ntpdate</tt>'s version identification string to be logged.
-+                      <dt><tt>-U <i>user_name</i></tt></dt>
-+                      <dd>ntpdate process drops root privileges and changes user ID to
-+                      <i>user_name</i> and group ID to the primary group of 
-+                      <i>server_user</i>.
-               </dl>
-               <h4>Diagnostics</h4>
-               <tt>ntpdate</tt>'s exit status is zero if it finds a server and updates the clock, and nonzero otherwise.
-diff -up ntp-4.2.6p4/ntpdate/ntpdate.c.droproot ntp-4.2.6p4/ntpdate/ntpdate.c
---- ntp-4.2.6p4/ntpdate/ntpdate.c.droproot     2011-05-25 07:06:09.000000000 +0200
-+++ ntp-4.2.6p4/ntpdate/ntpdate.c      2011-10-05 15:45:39.570555972 +0200
-@@ -49,6 +49,12 @@
- #include <arpa/inet.h>
-+/* Linux capabilities */
-+#include <sys/capability.h>
-+#include <sys/prctl.h>
-+#include <pwd.h>
-+#include <grp.h>
-+
- #ifdef SYS_VXWORKS
- # include "ioLib.h"
- # include "sockLib.h"
-@@ -153,6 +159,11 @@ int simple_query = 0;
- int unpriv_port = 0;
- /*
-+ * Use capabilities to drop privileges and switch uids
-+ */
-+char *server_user;
-+
-+/*
-  * Program name.
-  */
- char *progname;
-@@ -294,6 +305,88 @@ void clear_globals()
- static ni_namelist *getnetinfoservers (void);
- #endif
-+/* This patch is adapted (copied) from Chris Wings drop root patch
-+ * for xntpd.
-+ */
-+void drop_root(uid_t server_uid, gid_t server_gid)
-+{
-+  cap_t caps;
-+
-+  if (prctl(PR_SET_KEEPCAPS, 1)) {
-+              if (syslogit) {
-+                      msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed");
-+              }
-+              else {
-+                      fprintf(stderr, "prctl(PR_SET_KEEPCAPS, 1) failed.\n");
-+              }
-+    exit(1);
-+  }
-+
-+  if ( setgroups(0, NULL) == -1 ) {
-+              if (syslogit) {
-+                      msyslog(LOG_ERR, "setgroups failed.");
-+              }
-+              else {
-+                      fprintf(stderr, "setgroups failed.\n");
-+              }
-+    exit(1);
-+  }
-+
-+  if ( setegid(server_gid) == -1 || seteuid(server_uid) == -1 ) {
-+              if (syslogit) {
-+                      msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid,
-+                                                      server_gid);
-+              }
-+              else {
-+                      fprintf(stderr, "setegid/seteuid to uid=%d/gid=%d failed.\n", server_uid,
-+                                                      server_gid);
-+              }
-+    exit(1);
-+  }
-+
-+  caps = cap_from_text("cap_sys_time=epi");
-+  if (caps == NULL) {
-+              if (syslogit) {
-+                      msyslog(LOG_ERR, "cap_from_text failed.");
-+              }
-+              else {
-+                      fprintf(stderr, "cap_from_text failed.\n");
-+              }
-+    exit(1);
-+  }
-+
-+  if (cap_set_proc(caps) == -1) {
-+              if (syslogit) {
-+                      msyslog(LOG_ERR, "cap_set_proc failed.");
-+              }
-+              else {
-+                      fprintf(stderr, "cap_set_proc failed.\n");
-+              }
-+    exit(1);
-+  }
-+  
-+  /* Try to free the memory from cap_from_text */
-+  cap_free( caps );
-+
-+  if ( setregid(server_gid, server_gid) == -1 ||
-+       setreuid(server_uid, server_uid) == -1 ) {
-+              if (syslogit) {
-+                      msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.",
-+                                                      server_uid, server_gid);
-+              }
-+              else {
-+                      fprintf(stderr, "setregid/setreuid to uid=%d/gid=%d failed.\n",
-+                                                      server_uid, server_gid);
-+              }
-+    exit(1);
-+  }
-+
-+      if (syslogit) {
-+              msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).",
-+                                              getuid(), getgid(), geteuid(), getegid());
-+      }
-+}
-+
- /*
-  * Main program.  Initialize us and loop waiting for I/O and/or
-  * timer expiries.
-@@ -341,6 +434,8 @@ ntpdatemain (
-       init_lib();     /* sets up ipv4_works, ipv6_works */
-+      server_user = NULL;
-+
-       /* Check to see if we have IPv6. Otherwise default to IPv4 */
-       if (!ipv6_works)
-               ai_fam_templ = AF_INET;
-@@ -352,7 +447,7 @@ ntpdatemain (
-       /*
-        * Decode argument list
-        */
--      while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uv")) != EOF)
-+      while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uvU:")) != EOF)
-               switch (c)
-               {
-               case '4':
-@@ -429,6 +524,14 @@ ntpdatemain (
-               case 'u':
-                       unpriv_port = 1;
-                       break;
-+              case 'U':
-+                      if (ntp_optarg) {
-+                              server_user = strdup(ntp_optarg);
-+                      }
-+                      else {
-+                              ++errflg;
-+                      }
-+                      break;
-               case '?':
-                       ++errflg;
-                       break;
-@@ -438,7 +541,7 @@ ntpdatemain (
-       
-       if (errflg) {
-               (void) fprintf(stderr,
--                  "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...\n",
-+                  "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] [-U username] server ...\n",
-                   progname);
-               exit(2);
-       }
-@@ -544,6 +647,24 @@ ntpdatemain (
-       initializing = 0;
-       was_alarmed = 0;
-+      if (server_user) {
-+              struct passwd *pwd = NULL;
-+
-+              /* Lookup server_user uid/gid before chroot/chdir */
-+              pwd = getpwnam( server_user );
-+              if ( pwd == NULL ) {
-+                      if (syslogit) {
-+                              msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user);
-+                      }
-+                      else {
-+                              fprintf(stderr, "Failed to lookup user '%s'.\n", server_user);
-+                      }
-+                      exit(1);
-+              }
-+              drop_root(pwd->pw_uid, pwd->pw_gid);
-+      }
-+
-+
-       while (complete_servers < sys_numservers) {
- #ifdef HAVE_POLL_H
-               struct pollfd* rdfdes;
diff --git a/ntp/patches/ntp-4.2.6p4-htmldoc.patch b/ntp/patches/ntp-4.2.6p4-htmldoc.patch
deleted file mode 100644 (file)
index 2b2dab7..0000000
+++ /dev/null
@@ -1,76 +0,0 @@
-diff -up ntp-4.2.6p4/html/authopt.html.htmldoc ntp-4.2.6p4/html/authopt.html
---- ntp-4.2.6p4/html/authopt.html.htmldoc      2011-07-11 04:18:25.000000000 +0200
-+++ ntp-4.2.6p4/html/authopt.html      2011-10-05 17:30:09.463244610 +0200
-@@ -364,7 +364,7 @@ UTC</p>
-       are left unspecified, the default names are used as described below. Unless
-       the complete path and name of the file are specified, the location of a file
-       is relative to the keys directory specified in the <tt>keysdir</tt> configuration
--      command or default <tt>/usr/local/etc</tt>. Following are the options.</dd>
-+      command or default <tt>/etc/ntp/crypto</tt>. Following are the options.</dd>
- <dd><dl>
-@@ -396,7 +396,7 @@ UTC</p>
- <dd>Specifies the complete path to the MD5 key file containing the keys and key IDs used by <tt>ntpd</tt>, <tt>ntpq</tt> and <tt>ntpdc</tt> when operating with symmetric key cryptography. This is the same operation as the <tt>-k </tt>command line option. Note that the directory path for Autokey media is specified by the <tt>keysdir</tt> command.</dd>
- <dt id="keysdir"><tt>keysdir <i>path</i></tt>K</dt>
--<dd>This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is <tt>/usr/local/etc/</tt>. Note that the path for the symmetric keys file is specified by the <tt>keys</tt> command.</dd>
-+<dd>This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is <tt>/etc/ntp/crypto</tt>. Note that the path for the symmetric keys file is specified by the <tt>keys</tt> command.</dd>
- <dt id="requestkey"><tt>requestkey <i>keyid</i></tt></dt>
- <dd>Specifies the key ID to use with the
-diff -up ntp-4.2.6p4/html/keygen.html.htmldoc ntp-4.2.6p4/html/keygen.html
---- ntp-4.2.6p4/html/keygen.html.htmldoc       2011-07-11 04:18:26.000000000 +0200
-+++ ntp-4.2.6p4/html/keygen.html       2011-10-05 17:30:09.463244610 +0200
-@@ -206,7 +206,6 @@
- <p>All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize the internal pseudo-random number generator used by the OpenSSL library routines. If a site supports <tt>ssh</tt>, it is very likely that means to do this are already available. The entropy seed used by the OpenSSL library is contained in a file, usually called <tt>.rnd</tt>, which must be available when starting the <tt>ntp-keygen</tt> program or <tt>ntpd</tt> daemon.</p>
- <p>The OpenSSL library looks for the file using the path specified by the <tt>RANDFILE</tt> environment variable in the user home directory, whether root or some other user. If the <tt>RANDFILE</tt> environment variable is not present, the library looks for the <tt>.rnd</tt> file in the user home directory. Since both the <tt>ntp-keygen</tt> program and <tt>ntpd</tt> daemon must run as root, the logical place to put this file is in <tt>/.rnd</tt> or <tt>/root/.rnd</tt>. If the file is not available or cannot be written, the program exits with a message to the system log.</p>
--<p>On systems that provide /dev/urandom, the randomness device is used instead and the file specified by the <tt>randfile</tt> subcommand or the <tt>RANDFILE</tt> environment variable is ignored.</p>
- <h4 id="priv">Cryptographic Data Files</h4>
-diff -up ntp-4.2.6p4/html/ntpd.html.htmldoc ntp-4.2.6p4/html/ntpd.html
---- ntp-4.2.6p4/html/ntpd.html.htmldoc 2011-07-11 04:18:26.000000000 +0200
-+++ ntp-4.2.6p4/html/ntpd.html 2011-10-05 17:34:07.545384008 +0200
-@@ -214,14 +214,14 @@
-                       </tr>
-                       <tr>
-                               <td width="30%">statistics path</td>
--                              <td width="30%"><tt>/var/NTP</tt></td>
-+                              <td width="30%"><tt>/var/log/ntpstats/</tt></td>
-                               <td width="20%"><tt>-s</tt></td>
-                               <td width="20%"><tt>statsdir</tt></td>
-                       </tr>
-                       <tr>
-                               <td width="30%">keys path</td>
--                              <td width="30%"><tt>/usr/local/etc</tt></td>
--                              <td width="20%"><tt>-k</tt></td>
-+                              <td width="30%"><tt>/etc/ntp/crypto</tt></td>
-+                              <td width="20%"><tt>none</tt></td>
-                               <td width="20%"><tt>keysdir</tt></td>
-                       </tr>
-               </table>
-diff -up ntp-4.2.6p4/html/ntpdate.html.htmldoc ntp-4.2.6p4/html/ntpdate.html
---- ntp-4.2.6p4/html/ntpdate.html.htmldoc      2011-10-05 17:30:09.438244595 +0200
-+++ ntp-4.2.6p4/html/ntpdate.html      2011-10-05 17:36:24.195463971 +0200
-@@ -43,7 +43,7 @@
-                       <dt><tt>-e <i>authdelay</i></tt>
-                       <dd>Specify the processing delay to perform an authentication function as the value <i>authdelay</i>, in seconds and fraction (see <tt>ntpd</tt> for details). This number is usually small enough to be negligible for most purposes, though specifying a value may improve timekeeping on very slow CPU's.
-                       <dt><tt>-k <i>keyfile</i></tt>
--                      <dd>Specify the path for the authentication key file as the string <i>keyfile</i>. The default is <tt>/etc/ntp.keys</tt>. This file should be in the format described in <tt>ntpd</tt>.
-+                      <dd>Specify the path for the authentication key file as the string <i>keyfile</i>. The default is <tt>/etc/ntp/keys</tt>. This file should be in the format described in <tt>ntpd</tt>.
-                       <dt><tt>-o <i>version</i></tt>
-                       <dd>Specify the NTP version for outgoing packets as the integer <i>version</i>, which can be 1 or 2. The default is 4. This allows <tt>ntpdate</tt> to be used with older NTP versions.
-                       <dt><tt>-p <i>samples</i></tt>
-@@ -66,7 +66,7 @@
-               <h4>Diagnostics</h4>
-               <tt>ntpdate</tt>'s exit status is zero if it finds a server and updates the clock, and nonzero otherwise.
-               <h4>Files</h4>
--              <tt>/etc/ntp.keys</tt> - encryption keys used by <tt>ntpdate</tt>.
-+              <tt>/etc/ntp/keys</tt> - encryption keys used by <tt>ntpdate</tt>.
-               <h4>Bugs</h4>
-               The slew adjustment is actually 50% larger than the measured offset, since this (it is argued) will tend to keep a badly drifting clock more accurate. This is probably not a good idea and may cause a troubling hunt for some values of the kernel variables <tt>tick</tt> and <tt>tickadj</tt>.&nbsp;
-               <hr>
-diff -up ntp-4.2.6p4/html/ntpdc.html.htmldoc ntp-4.2.6p4/html/ntpdc.html
-diff -up ntp-4.2.6p4/html/ntpq.html.htmldoc ntp-4.2.6p4/html/ntpq.html
diff --git a/ntp/patches/ntp-4.2.6p4-mlock.patch b/ntp/patches/ntp-4.2.6p4-mlock.patch
deleted file mode 100644 (file)
index 354f7d5..0000000
+++ /dev/null
@@ -1,140 +0,0 @@
-diff -up ntp-4.2.6p4/html/ntpd.html.mlock ntp-4.2.6p4/html/ntpd.html
---- ntp-4.2.6p4/html/ntpd.html.mlock   2011-10-06 13:08:50.897274352 +0200
-+++ ntp-4.2.6p4/html/ntpd.html 2011-10-06 13:08:50.909274362 +0200
-@@ -32,7 +32,7 @@
-               </ul>
-               <hr>
-               <h4 id="synop">Synopsis</h4>
--              <tt>ntpd [ -46aAbdDgLnNqx ] [ -c <i>conffile</i> ] [ -f <i>driftfile</i> ] [ -i <i>jaildir</i> ] [ -I <i>iface</i> ] [ -k <i>keyfile</i> ] [ -l <i>logfile</i> ] [ -p <i>pidfile</i> ] [ -P <i>priority</i> ] [ -r <i>broadcastdelay</i> ] [ -s <i>statsdir</i> ] [ -t <i>key</i> ] [ -u <i>user</i>[:<i>group</i>] ] [ -U <i>interface_update_interval</i> ] [ -v <i>variable</i> ] [ -V <i>variable</i> ]</tt>
-+              <tt>ntpd [ -46aAbdDgLmnNqx ] [ -c <i>conffile</i> ] [ -f <i>driftfile</i> ] [ -i <i>jaildir</i> ] [ -I <i>iface</i> ] [ -k <i>keyfile</i> ] [ -l <i>logfile</i> ] [ -p <i>pidfile</i> ] [ -P <i>priority</i> ] [ -r <i>broadcastdelay</i> ] [ -s <i>statsdir</i> ] [ -t <i>key</i> ] [ -u <i>user</i>[:<i>group</i>] ] [ -U <i>interface_update_interval</i> ] [ -v <i>variable</i> ] [ -V <i>variable</i> ]</tt>
-               <h4 id="descr">Description</h4>
-               <p>The <tt>ntpd</tt> program is an operating system daemon that synchronises the system clock with remote NTP&nbsp;time servers or local reference clocks. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. The program can operate in any of several modes, as described on the <a href="assoc.html">Association Management</a> page, and with both symmetric key and public key cryptography, as described on the <a href="manyopt.html">Authentication Options</a> page.</p>
-               <p>The <tt>ntpd</tt> program ordinarily requires a configuration file as desccribe on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the <a href="manyopt.html">Automatic Server Discovery</a> page.</p>
-@@ -123,6 +123,8 @@
-                       <dd>Do not listen to virtual interfaces, defined as those with names containing a colon. This option is deprecated. Please consider using the configuration file <a href="miscopt.html#interface">interface</a> command, which is more versatile.</dd>
-                       <dt><tt>-M</tt></dt>
-                       <dd>Raise scheduler precision to its maximum (1 msec) using timeBeginPeriod. (Windows only)</dd>
-+                      <dt><tt>-m</tt>
-+                      <dd>Lock memory.
-                       <dt><tt>-n</tt></dt>
-                       <dd>Don't fork.</dd>
-                       <dt><tt>-N</tt></dt>
-diff -up ntp-4.2.6p4/ntpd/ntpd-opts.c.mlock ntp-4.2.6p4/ntpd/ntpd-opts.c
---- ntp-4.2.6p4/ntpd/ntpd-opts.c.mlock 2011-09-23 05:36:04.000000000 +0200
-+++ ntp-4.2.6p4/ntpd/ntpd-opts.c       2011-10-06 13:10:54.082360146 +0200
-@@ -276,6 +276,15 @@ static char const zNice_Name[]          
- #define NICE_FLAGS       (OPTST_DISABLED)
- /*
-+ *  Mlock option description:
-+ */
-+static char const zMlockText[] =
-+        "Lock memory";
-+static char const zMlock_NAME[]              = "MLOCK";
-+static char const zMlock_Name[]              = "mlock";
-+#define MLOCK_FLAGS       (OPTST_DISABLED)
-+
-+/*
-  *  Pidfile option description:
-  */
- static char const zPidfileText[] =
-@@ -903,6 +912,18 @@ static tOptDesc optDesc[OPTION_CT] = {
-      /* desc, NAME, name */ zPccfreqText, zPccfreq_NAME, zPccfreq_Name,
-      /* disablement strs */ NULL, NULL },
-+  {  /* entry idx, value */ 32, VALUE_OPT_MLOCK,
-+     /* equiv idx, value */ 32, VALUE_OPT_MLOCK,
-+     /* equivalenced to  */ NO_EQUIVALENT,
-+     /* min, max, act ct */ 0, 1, 0,
-+     /* opt state flags  */ MLOCK_FLAGS, 0,
-+     /* last opt argumnt */ { NULL },
-+     /* arg list/cookie  */ NULL,
-+     /* must/cannot opts */ NULL, NULL,
-+     /* option proc      */ NULL,
-+     /* desc, NAME, name */ zMlockText, zMlock_NAME, zMlock_Name,
-+     /* disablement strs */ NULL, NULL },
-+
-   {  /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
-      /* equiv idx value  */ NO_EQUIVALENT, 0,
-      /* equivalenced to  */ NO_EQUIVALENT,
-@@ -1018,7 +1039,7 @@ tOptions ntpdOptions = {
-       NO_EQUIVALENT, /* '-#' option index */
-       NO_EQUIVALENT /* index of default opt */
-     },
--    35 /* full option count */, 32 /* user option count */,
-+    36 /* full option count */, 33 /* user option count */,
-     ntpd_full_usage, ntpd_short_usage,
-     NULL, NULL,
-     PKGDATADIR, ntpd_packager_info
-diff -up ntp-4.2.6p4/ntpd/ntpd-opts.h.mlock ntp-4.2.6p4/ntpd/ntpd-opts.h
---- ntp-4.2.6p4/ntpd/ntpd-opts.h.mlock 2011-09-23 05:36:04.000000000 +0200
-+++ ntp-4.2.6p4/ntpd/ntpd-opts.h       2011-10-06 13:08:50.910274363 +0200
-@@ -81,6 +81,7 @@ typedef enum {
--    INDEX_OPT_VERSION           = 32,
--    INDEX_OPT_HELP              = 33,
--    INDEX_OPT_MORE_HELP         = 34
-+    INDEX_OPT_MLOCK             = 32,
-+    INDEX_OPT_VERSION           = 33,
-+    INDEX_OPT_HELP              = 34,
-+    INDEX_OPT_MORE_HELP         = 35
- } teOptIndex;
--#define OPTION_CT    35
-+#define OPTION_CT    36
-@@ -187,6 +188,10 @@ typedef enum {
- #  warning undefining MODIFYMMTIMER due to option name conflict
- #  undef   MODIFYMMTIMER
- # endif
-+# ifdef    MLOCK
-+#  warning undefining MLOCK due to option name conflict
-+#  undef   MLOCK
-+# endif
- # ifdef    NOFORK
- #  warning undefining NOFORK due to option name conflict
- #  undef   NOFORK
-@@ -268,6 +273,7 @@ typedef enum {
- # undef LOGFILE
- # undef NOVIRTUALIPS
- # undef MODIFYMMTIMER
-+# undef MLOCK
- # undef NOFORK
- # undef NICE
- # undef PIDFILE
-@@ -306,6 +312,7 @@ typedef enum {
- #define VALUE_OPT_LOGFILE        'l'
- #define VALUE_OPT_NOVIRTUALIPS   'L'
- #define VALUE_OPT_MODIFYMMTIMER  'M'
-+#define VALUE_OPT_MLOCK          'm'
- #define VALUE_OPT_NOFORK         'n'
- #define VALUE_OPT_NICE           'N'
- #define VALUE_OPT_PIDFILE        'p'
-diff -up ntp-4.2.6p4/ntpd/ntpd.c.mlock ntp-4.2.6p4/ntpd/ntpd.c
---- ntp-4.2.6p4/ntpd/ntpd.c.mlock      2011-10-06 13:08:50.869274334 +0200
-+++ ntp-4.2.6p4/ntpd/ntpd.c    2011-10-06 13:08:50.911274363 +0200
-@@ -723,7 +723,8 @@ ntpdmain(
-       }
- #endif
--#if defined(HAVE_MLOCKALL) && defined(MCL_CURRENT) && defined(MCL_FUTURE)
-+#if defined(MCL_CURRENT) && defined(MCL_FUTURE)
-+    if (HAVE_OPT( MLOCK )) {
- # ifdef HAVE_SETRLIMIT
-       /*
-        * Set the stack limit to something smaller, so that we don't lock a lot
-@@ -749,7 +750,7 @@ ntpdmain(
-            * fail if we drop root privlege.  To be useful the value
-            * has to be larger than the largest ntpd resident set size.
-            */
--          rl.rlim_cur = rl.rlim_max = 32*1024*1024;
-+          rl.rlim_cur = rl.rlim_max = 64*1024*1024;
-           if (setrlimit(RLIMIT_MEMLOCK, &rl) == -1) {
-               msyslog(LOG_ERR, "Cannot set RLIMIT_MEMLOCK: %m");
-           }
-@@ -761,6 +762,7 @@ ntpdmain(
-        */
-       if (mlockall(MCL_CURRENT|MCL_FUTURE) < 0)
-               msyslog(LOG_ERR, "mlockall(): %m");
-+    }
- #else /* not (HAVE_MLOCKALL && MCL_CURRENT && MCL_FUTURE) */
- # ifdef HAVE_PLOCK
- #  ifdef PROCLOCK
diff --git a/ntp/patches/ntp-4.2.6p4-rtnetlink.patch b/ntp/patches/ntp-4.2.6p4-rtnetlink.patch
deleted file mode 100644 (file)
index 06d2e87..0000000
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up ntp-4.2.6p4/ntpd/ntp_io.c.rtnetlink ntp-4.2.6p4/ntpd/ntp_io.c
---- ntp-4.2.6p4/ntpd/ntp_io.c.rtnetlink        2011-10-05 15:49:17.061711033 +0200
-+++ ntp-4.2.6p4/ntpd/ntp_io.c  2011-10-05 15:49:17.074711042 +0200
-@@ -4549,10 +4549,7 @@ init_async_notifications()
- #ifdef HAVE_RTNETLINK
-       memset(&sa, 0, sizeof(sa));
-       sa.nl_family = PF_NETLINK;
--      sa.nl_groups = RTMGRP_LINK | RTMGRP_IPV4_IFADDR
--                     | RTMGRP_IPV6_IFADDR | RTMGRP_IPV4_ROUTE
--                     | RTMGRP_IPV4_MROUTE | RTMGRP_IPV6_ROUTE
--                     | RTMGRP_IPV6_MROUTE;
-+      sa.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR;
-       if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
-               msyslog(LOG_ERR,
-                       "bind failed on routing socket (%m) - using polled interface update");
diff --git a/ntp/patches/ntp-4.2.6p5-delaycalib.patch b/ntp/patches/ntp-4.2.6p5-delaycalib.patch
deleted file mode 100644 (file)
index 7e9a310..0000000
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.delaycalib ntp-4.2.6p5/ntpd/ntp_proto.c
---- ntp-4.2.6p5/ntpd/ntp_proto.c.delaycalib    2012-02-28 15:57:57.000000000 +0100
-+++ ntp-4.2.6p5/ntpd/ntp_proto.c       2012-02-28 16:01:30.080135978 +0100
-@@ -1514,7 +1514,7 @@ process_packet(
-                */
-               if (FLAG_BC_VOL & peer->flags) {
-                       peer->flags &= ~FLAG_BC_VOL;
--                      peer->delay = (peer->offset - p_offset) * 2;
-+                      peer->delay = fabs(peer->offset - p_offset) * 2;
-               }
-               p_del = peer->delay;
-               p_offset += p_del / 2;
diff --git a/ntp/patches/ntp-4.2.6p5-fipsmd5.patch b/ntp/patches/ntp-4.2.6p5-fipsmd5.patch
deleted file mode 100644 (file)
index b6d8889..0000000
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c
---- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5  2011-12-01 03:55:17.000000000 +0100
-+++ ntp-4.2.6p5/libntp/a_md5encrypt.c  2012-10-24 16:24:04.972358878 +0200
-@@ -38,7 +38,11 @@ MD5authencrypt(
-        * was creaded.
-        */
-       INIT_SSL();
--      EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
-+      if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
-+              msyslog(LOG_ERR,
-+                  "MAC encrypt: digest init failed");
-+              return (0);
-+      }
-       EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
-       EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
-       EVP_DigestFinal(&ctx, digest, &len);
-@@ -71,7 +75,11 @@ MD5authdecrypt(
-        * was created.
-        */
-       INIT_SSL();
--      EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
-+      if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
-+              msyslog(LOG_ERR,
-+                  "MAC decrypt: digest init failed");
-+              return (0);
-+      }
-       EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
-       EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
-       EVP_DigestFinal(&ctx, digest, &len);
-@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr)
-               return (NSRCADR(addr));
-       INIT_SSL();
--      EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
-+      EVP_MD_CTX_init(&ctx);
-+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+      /* MD5 is not used as a crypto hash here. */
-+      EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+#endif
-+      if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
-+              msyslog(LOG_ERR,
-+                  "MD5 init failed");
-+              exit(1);
-+      }
-       EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
-           sizeof(struct in6_addr));
-       EVP_DigestFinal(&ctx, digest, &len);