From: Michael Tremer Date: Mon, 22 Dec 2014 16:29:35 +0000 (+0100) Subject: ntp: Update to 4.2.8 X-Git-Url: http://git.ipfire.org/?p=people%2Fms%2Fipfire-3.x.git;a=commitdiff_plain;h=4579e6806acab5ccde4a16686569936b018ce9e3 ntp: Update to 4.2.8 CVE-2014-9293 ntp: automatic generation of weak default key in config_auth() CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys CVE-2014-9295 ntp: Multiple buffer overflows via specially-crafted packets CVE-2014-9296 ntp: receive() missing return on error --- diff --git a/ntp/ntp.nm b/ntp/ntp.nm index 9c8bb5666..ba72e6293 100644 --- a/ntp/ntp.nm +++ b/ntp/ntp.nm @@ -4,9 +4,9 @@ ############################################################################### name = ntp -version = %{ver_major}.6p5 +version = %{ver_major}.8 ver_major = 4.2 -release = 2 +release = 1 groups = System/Daemons url = http://www.ntp.org/ @@ -61,9 +61,6 @@ build make ${PARALLELISMFLAGS} - sed -i 's|$ntpq = "ntpq"|$ntpq = "%{sbindir}/ntpq"|' scripts/ntptrace - sed -i 's|ntpq -c |%{sbindir}/ntpq -c |' scripts/ntp-wait - # Build ntpstat. make -C ntpstat-0.2 end @@ -191,39 +188,6 @@ packages end end - package %{name}-perl - summary = NTP utilities written in Perl. - description - This package contains Perl scripts ntp-wait and ntptrace. - end - groups = Applications/System - - requires - %{name} = %{thisver} - end - - files - %{sbindir}/ntp-wait - %{sbindir}/ntptrace - %{mandir}/man8/ntp-wait.8* - %{mandir}/man8/ntptrace.8* - %{unitdir}/ntp-wait.service - end - - script preun - systemctl --no-reload disable ntp-wait.service >/dev/null 2>&1 || : - systemctl stop ntp-wait.service >/dev/null 2>&1 || : - end - - script postun - systemctl daemon-reload >/dev/null 2>&1 || : - end - - script postup - systemctl daemon-reload >/dev/null 2>&1 || : - end - end - package %{name}-devel template DEVEL end 
diff --git a/ntp/patches/ntp-4.2.4p7-getprecision.patch b/ntp/patches/ntp-4.2.4p7-getprecision.patch
deleted file mode 100644
index ecf6defaf..000000000
--- a/ntp/patches/ntp-4.2.4p7-getprecision.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.4p7/ntpd/ntp_proto.c.getprecision ntp-4.2.4p7/ntpd/ntp_proto.c
---- ntp-4.2.4p7/ntpd/ntp_proto.c.getprecision 2009-09-29 14:16:22.000000000 +0200
-+++ ntp-4.2.4p7/ntpd/ntp_proto.c 2009-09-29 14:18:13.000000000 +0200
-@@ -3099,7 +3099,7 @@ peer_unfit(
- /*
- * Find the precision of this particular machine
- */
--#define MINSTEP 100e-9 /* minimum clock increment (s) */
-+#define MINSTEP 10e-9 /* minimum clock increment (s) */
- #define MAXSTEP 20e-3 /* maximum clock increment (s) */
- #define MINLOOPS 5 /* minimum number of step samples */
-
diff --git a/ntp/patches/ntp-4.2.6p1-cmsgalign.patch b/ntp/patches/ntp-4.2.6p1-cmsgalign.patch
deleted file mode 100644
index 0e4b8ccc7..000000000
--- a/ntp/patches/ntp-4.2.6p1-cmsgalign.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/ntp_io.c.cmsgalign ntp-4.2.6p1/ntpd/ntp_io.c
---- ntp-4.2.6p1/ntpd/ntp_io.c.cmsgalign 2010-03-04 18:28:53.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_io.c 2010-03-04 18:30:34.000000000 +0100
-@@ -3194,8 +3194,8 @@ read_network_packet(
- msghdr.msg_namelen = fromlen;
- msghdr.msg_iov = &iovec;
- msghdr.msg_iovlen = 1;
-- msghdr.msg_control = (void *)&control;
-- msghdr.msg_controllen = sizeof(control);
-+ msghdr.msg_control = (void *)((long)(control + 7) & -8); /* align to 8 bytes */
-+ msghdr.msg_controllen = sizeof(control) - 8;
- msghdr.msg_flags = 0;
- rb->recv_length = recvmsg(fd, &msghdr, 0);
- #endif
diff --git a/ntp/patches/ntp-4.2.6p1-linkfastmath.patch b/ntp/patches/ntp-4.2.6p1-linkfastmath.patch
deleted file mode 100644
index 5a859d395..000000000
--- a/ntp/patches/ntp-4.2.6p1-linkfastmath.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/Makefile.in.linkfastmath ntp-4.2.6p1/ntpd/Makefile.in
---- ntp-4.2.6p1/ntpd/Makefile.in.linkfastmath 2010-02-09 11:19:25.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/Makefile.in 2010-03-03 16:57:40.000000000 +0100
-@@ -365,7 +365,7 @@ man_MANS = $(srcdir)/ntpd.1
- # sqrt ntp_control.o
- # floor refclock_wwv.o
- # which are (usually) provided by -lm.
--ntpd_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntp.a -lm @LCRYPTO@ @LSCF@
-+ntpd_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntp.a -lm -ffast-math @LCRYPTO@ @LSCF@
- ntpdsim_LDADD = $(LDADD) $(LIBOPTS_LDADD) ../libntp/libntpsim.a -lm @LCRYPTO@ @LSCF@
- ntpdsim_CFLAGS = $(CFLAGS) -DSIM
- check_y2k_LDADD = $(LDADD) ../libntp/libntp.a
diff --git a/ntp/patches/ntp-4.2.6p1-logdefault.patch b/ntp/patches/ntp-4.2.6p1-logdefault.patch
deleted file mode 100644
index ae816b741..000000000
--- a/ntp/patches/ntp-4.2.6p1-logdefault.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/ntp_config.c.logdefault ntp-4.2.6p1/ntpd/ntp_config.c
---- ntp-4.2.6p1/ntpd/ntp_config.c.logdefault 2010-01-24 11:01:45.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_config.c 2010-03-09 17:44:09.000000000 +0100
-@@ -3794,7 +3794,7 @@ getconfig(
-
- #endif /* SYS_WINNT */
- res_fp = NULL;
-- ntp_syslogmask = NLOG_SYNCMASK; /* set more via logconfig */
-+ ntp_syslogmask = NLOG_SYNCMASK | NLOG_EVENT | NLOG_STATUS; /* set more via logconfig */
-
- /*
- * install a non default variable with this daemon version
diff --git a/ntp/patches/ntp-4.2.6p1-retcode.patch b/ntp/patches/ntp-4.2.6p1-retcode.patch
deleted file mode 100644
index 6d676d274..000000000
--- a/ntp/patches/ntp-4.2.6p1-retcode.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p1/ntpd/ntp_proto.c.retcode ntp-4.2.6p1/ntpd/ntp_proto.c
---- ntp-4.2.6p1/ntpd/ntp_proto.c.retcode 2009-12-09 08:36:36.000000000 +0100
-+++ ntp-4.2.6p1/ntpd/ntp_proto.c 2010-03-03 16:06:00.000000000 +0100
-@@ -269,7 +269,7 @@ transmit(
- "ntpd: no servers found");
- printf(
- "ntpd: no servers found\n");
-- exit (0);
-+ exit (1);
- }
- }
- }
diff --git a/ntp/patches/ntp-4.2.6p1-sleep.patch b/ntp/patches/ntp-4.2.6p1-sleep.patch
deleted file mode 100644
index 577ef26ee..000000000
--- a/ntp/patches/ntp-4.2.6p1-sleep.patch
+++ /dev/null
@@ -1,495 +0,0 @@ -diff -up ntp-4.2.6p1/include/ntp_refclock.h.sleep ntp-4.2.6p1/include/ntp_refclock.h ---- ntp-4.2.6p1/include/ntp_refclock.h.sleep 2009-12-09 08:36:35.000000000 +0100 -+++ ntp-4.2.6p1/include/ntp_refclock.h 2010-03-10 19:27:46.000000000 +0100 -@@ -260,6 +260,7 @@ extern void refclock_control (sockaddr_u - struct refclockstat *); - extern int refclock_open (char *, u_int, u_int); - extern int refclock_setup (int, u_int, u_int); -+extern int refclock_timer_needed (struct peer *); - extern void refclock_timer (struct peer *); - extern void refclock_transmit (struct peer *); - extern int refclock_ioctl (int, u_int); -diff -up ntp-4.2.6p1/include/ntp_stdlib.h.sleep ntp-4.2.6p1/include/ntp_stdlib.h ---- ntp-4.2.6p1/include/ntp_stdlib.h.sleep 2009-12-09 08:36:35.000000000 +0100 -+++ ntp-4.2.6p1/include/ntp_stdlib.h 2010-03-10 19:27:46.000000000 +0100 -@@ -116,6 +116,7 @@ extern const char * FindConfig (const ch - extern void signal_no_reset (int, RETSIGTYPE (*func)(int)); - - extern void getauthkeys (const char *); -+extern int auth_agekeys_needed (void); - extern void auth_agekeys (void); - extern void rereadkeys (void); - -diff -up ntp-4.2.6p1/include/ntpd.h.sleep ntp-4.2.6p1/include/ntpd.h ---- ntp-4.2.6p1/include/ntpd.h.sleep 2009-12-09 08:36:35.000000000 +0100 -+++ ntp-4.2.6p1/include/ntpd.h 2010-03-10 19:27:46.000000000 +0100 -@@ -112,8 +112,10 @@ extern void block_io_and_alarm (void); - /* ntp_loopfilter.c */ - extern void init_loopfilter(void); - extern int local_clock(struct peer *, double); --extern void adj_host_clock(void); -+extern int adj_host_clock_needed(void); -+extern void adj_host_clock(int); - extern void loop_config(int, double); -+extern int huffpuff_enabled(void); - extern void huffpuff(void); - extern u_long sys_clocktime; - extern u_int sys_tai; -@@ -219,6 +221,8 @@ extern void hack_restrict (int, sockaddr - /* ntp_timer.c */ - extern void init_timer (void); - extern void reinit_timer (void); -+extern double get_timeout (l_fp 
*); -+extern int timer_elapsed (l_fp, int); - extern void timer (void); - extern void timer_clr_stats (void); - extern void timer_interfacetimeout (u_long); -diff -up ntp-4.2.6p1/libntp/authkeys.c.sleep ntp-4.2.6p1/libntp/authkeys.c ---- ntp-4.2.6p1/libntp/authkeys.c.sleep 2009-12-09 08:36:35.000000000 +0100 -+++ ntp-4.2.6p1/libntp/authkeys.c 2010-03-10 19:27:46.000000000 +0100 -@@ -445,6 +445,25 @@ auth_delkeys(void) - } - } - -+int -+auth_agekeys_needed(void) { -+ struct savekey *sk; -+ int i; -+ -+ if (authnumkeys > 20) -+ return 1; -+ -+ for (i = 0; i < HASHSIZE; i++) { -+ sk = key_hash[i]; -+ while (sk != 0) { -+ if (sk->lifetime > 0) -+ return 1; -+ sk = sk->next; -+ } -+ } -+ return 0; -+} -+ - /* - * auth_agekeys - delete keys whose lifetimes have expired - */ -diff -up ntp-4.2.6p1/ntpd/ntp_loopfilter.c.sleep ntp-4.2.6p1/ntpd/ntp_loopfilter.c ---- ntp-4.2.6p1/ntpd/ntp_loopfilter.c.sleep 2009-12-09 08:36:36.000000000 +0100 -+++ ntp-4.2.6p1/ntpd/ntp_loopfilter.c 2010-03-10 19:27:46.000000000 +0100 -@@ -677,6 +677,13 @@ local_clock( - #endif /* LOCKCLOCK */ - } - -+int -+adj_host_clock_needed(void) -+{ -+ return !(!ntp_enable || mode_ntpdate || (pll_control && -+ kern_enable)); -+} -+ - - /* - * adj_host_clock - Called once every second to update the local clock. -@@ -686,7 +693,7 @@ local_clock( - */ - void - adj_host_clock( -- void -+ int time_elapsed - ) - { - double adjustment; -@@ -698,7 +705,7 @@ adj_host_clock( - * since the poll interval can exceed one day, the old test - * would be counterproductive. 
- */ -- sys_rootdisp += clock_phi; -+ sys_rootdisp += clock_phi * time_elapsed; - - #ifndef LOCKCLOCK - /* -@@ -819,6 +826,12 @@ set_freq( - #endif /* KERNEL_PLL */ - } - -+int -+huffpuff_enabled(void) -+{ -+ return sys_huffpuff != NULL; -+} -+ - /* - * huff-n'-puff filter - */ -diff -up ntp-4.2.6p1/ntpd/ntp_refclock.c.sleep ntp-4.2.6p1/ntpd/ntp_refclock.c ---- ntp-4.2.6p1/ntpd/ntp_refclock.c.sleep 2009-12-09 08:36:36.000000000 +0100 -+++ ntp-4.2.6p1/ntpd/ntp_refclock.c 2010-03-10 19:27:46.000000000 +0100 -@@ -268,6 +268,21 @@ refclock_unpeer( - } - - -+int -+refclock_timer_needed( -+ struct peer *peer /* peer structure pointer */ -+ ) -+{ -+ u_char clktype; -+ int unit; -+ -+ clktype = peer->refclktype; -+ unit = peer->refclkunit; -+ if (refclock_conf[clktype]->clock_timer != noentry) -+ return 1; -+ return 0; -+} -+ - /* - * refclock_timer - called once per second for housekeeping. - */ -diff -up ntp-4.2.6p1/ntpd/ntp_timer.c.sleep ntp-4.2.6p1/ntpd/ntp_timer.c ---- ntp-4.2.6p1/ntpd/ntp_timer.c.sleep 2009-12-09 08:36:35.000000000 +0100 -+++ ntp-4.2.6p1/ntpd/ntp_timer.c 2010-03-11 15:23:59.000000000 +0100 -@@ -56,7 +56,6 @@ static u_long adjust_timer; /* second ti - static u_long stats_timer; /* stats timer */ - static u_long huffpuff_timer; /* huff-n'-puff timer */ - u_long leapsec; /* leapseconds countdown */ --l_fp sys_time; /* current system time */ - #ifdef OPENSSL - static u_long revoke_timer; /* keys revoke timer */ - static u_long keys_timer; /* session key timer */ -@@ -74,6 +73,12 @@ volatile u_long alarm_overflow; - #define DAY (24 * HOUR) - - u_long current_time; /* seconds since startup */ -+l_fp timer_base; -+int time_elapsed; -+ -+#define TIMEOUT_TS_SIZE 2 -+l_fp timeout_ts[TIMEOUT_TS_SIZE]; -+unsigned int timeout_ts_index; - - /* - * Stats. Number of overflows and number of calls to transmit(). 
-@@ -110,6 +115,8 @@ static RETSIGTYPE alarming (int); - void - reinit_timer(void) - { -+ get_systime(&timer_base); -+#if 0 - #if !defined(SYS_WINNT) && !defined(VMS) - # if defined(HAVE_TIMER_CREATE) && defined(HAVE_TIMER_SETTIME) - timer_gettime(ntpd_timerid, &itimer); -@@ -143,6 +150,7 @@ reinit_timer(void) - setitimer(ITIMER_REAL, &itimer, (struct itimerval *)0); - # endif - # endif /* VMS */ -+#endif - } - - /* -@@ -165,6 +173,12 @@ init_timer(void) - timer_xmtcalls = 0; - timer_timereset = 0; - -+ get_systime(&timer_base); -+ -+ for (timeout_ts_index = 0; timeout_ts_index < TIMEOUT_TS_SIZE; timeout_ts_index++) -+ L_CLR(&timeout_ts[timeout_ts_index]); -+ timeout_ts_index = 0; -+#if 0 - #if !defined(SYS_WINNT) - /* - * Set up the alarm interrupt. The first comes 2**EVENT_TIMEOUT -@@ -226,6 +240,7 @@ init_timer(void) - } - - #endif /* SYS_WINNT */ -+#endif - } - - #if defined(SYS_WINNT) -@@ -236,6 +251,104 @@ get_timer_handle(void) - } - #endif - -+double -+get_timeout(l_fp *now) -+{ -+ register struct peer *peer, *next_peer; -+ u_int n; -+ double r; -+ int next; -+ l_fp ts; -+ -+ ts = *now; -+ L_SUB(&ts, &timeout_ts[timeout_ts_index]); -+ timeout_ts[timeout_ts_index] = *now; -+ timeout_ts_index = (timeout_ts_index + 1) % TIMEOUT_TS_SIZE; -+ -+ /* don't waste CPU time if called too frequently */ -+ if (ts.l_ui == 0) { -+ next = 1; -+ goto finish; -+ } -+ -+ next = current_time + HOUR; -+ -+ if (adj_host_clock_needed()) { -+ next = 1; -+ goto finish; -+ } -+ for (n = 0; n < NTP_HASH_SIZE; n++) { -+ for (peer = peer_hash[n]; peer != 0; peer = next_peer) { -+ next_peer = peer->next; -+#ifdef REFCLOCK -+ if (peer->flags & FLAG_REFCLOCK && refclock_timer_needed(peer)) { -+ next = 1; -+ goto finish; -+ } -+#endif /* REFCLOCK */ -+ if (peer->action) -+ next = min(next, peer->nextaction); -+ next = min(next, peer->nextdate); -+ } -+ } -+ -+ if (leapsec > 0) -+ next = min(next, leapsec); -+ -+ if (huffpuff_enabled()) -+ next = min(next, huffpuff_timer); -+ -+#ifdef 
OPENSSL -+ if (auth_agekeys_needed()) -+ next = min(next, keys_timer); -+ if (sys_leap != LEAP_NOTINSYNC) -+ next = min(next, revoke_timer); -+#endif /* OPENSSL */ -+ -+ if (interface_interval) -+ next = min(next, interface_timer); -+ -+ next = min(next, stats_timer); -+ -+ next -= current_time; -+ if (next <= 0) -+ next = 1; -+finish: -+ ts = timer_base; -+ ts.l_ui += next; -+ L_SUB(&ts, now); -+ LFPTOD(&ts, r); -+#ifdef DEBUG -+ DPRINTF(2, ("timer: timeout %f\n", r)); -+#endif -+ -+ return r; -+} -+ -+int -+timer_elapsed(l_fp now, int timeout) -+{ -+ int elapsed; -+ -+ L_SUB(&now, &timer_base); -+ elapsed = now.l_i; -+ if (elapsed < 0 || elapsed > timeout + 10) { -+#ifdef DEBUG -+ DPRINTF(2, ("timer: unexpected time jump\n")); -+#endif -+ elapsed = 0; -+ reinit_timer(); -+ -+ } -+ timer_base.l_ui += elapsed; -+ time_elapsed += elapsed; -+ current_time += elapsed; -+#ifdef DEBUG -+ DPRINTF(2, ("timer: time elapsed %d\n", time_elapsed)); -+#endif -+ return time_elapsed; -+} -+ - /* - * timer - event timer - */ -@@ -251,11 +364,9 @@ timer(void) - * kiss-o'-deatch function and implement the association - * polling function.. - */ -- current_time++; -- get_systime(&sys_time); - if (adjust_timer <= current_time) { -- adjust_timer += 1; -- adj_host_clock(); -+ adjust_timer += time_elapsed; -+ adj_host_clock(time_elapsed); - #ifdef REFCLOCK - for (n = 0; n < NTP_HASH_SIZE; n++) { - for (peer = peer_hash[n]; peer != 0; peer = next_peer) { -@@ -286,7 +397,7 @@ timer(void) - * 128 s or less. - */ - if (peer->throttle > 0) -- peer->throttle--; -+ peer->throttle -= min(peer->throttle, time_elapsed); - if (peer->nextdate <= current_time) { - #ifdef REFCLOCK - if (peer->flags & FLAG_REFCLOCK) -@@ -333,7 +444,7 @@ timer(void) - * set. - */ - if (leapsec > 0) { -- leapsec--; -+ leapsec -= min(leapsec, time_elapsed); - if (leapsec == 0) { - sys_leap = LEAP_NOWARNING; - sys_tai = leap_tai; -@@ -398,11 +509,15 @@ timer(void) - * Finally, write hourly stats. 
- */ - if (stats_timer <= current_time) { -+ l_fp sys_time; -+ get_systime(&sys_time); - stats_timer += HOUR; - write_stats(); - if (sys_tai != 0 && sys_time.l_ui > leap_expire) - report_event(EVNT_LEAPVAL, NULL, NULL); - } -+ -+ time_elapsed = 0; - } - - -diff -up ntp-4.2.6p1/ntpd/ntpd.c.sleep ntp-4.2.6p1/ntpd/ntpd.c ---- ntp-4.2.6p1/ntpd/ntpd.c.sleep 2010-03-10 19:27:46.000000000 +0100 -+++ ntp-4.2.6p1/ntpd/ntpd.c 2010-03-10 19:27:46.000000000 +0100 -@@ -195,8 +195,6 @@ extern const char *Version; - - char const *progname; - --int was_alarmed; -- - #ifdef DECL_SYSCALL - /* - * We put this here, since the argument profile is syscall-specific -@@ -1033,7 +1031,7 @@ getgroup: - #else /* normal I/O */ - - BLOCK_IO_AND_ALARM(); -- was_alarmed = 0; -+ - for (;;) - { - # if !defined(HAVE_SIGNALED_IO) -@@ -1041,42 +1039,39 @@ getgroup: - extern int maxactivefd; - - fd_set rdfdes; -- int nfound; --# endif -+ int nfound, time_elapsed; - -- if (alarm_flag) /* alarmed? */ -- { -- was_alarmed = 1; -- alarm_flag = 0; -- } -+ time_elapsed = 0; -+# endif - -- if (!was_alarmed && has_full_recv_buffer() == ISC_FALSE) -+ if (has_full_recv_buffer() == ISC_FALSE) - { - /* - * Nothing to do. Wait for something. 
- */ - # ifndef HAVE_SIGNALED_IO -+ double timeout; -+ - rdfdes = activefds; --# if defined(VMS) || defined(SYS_VXWORKS) -- /* make select() wake up after one second */ -- { -- struct timeval t1; -+ get_systime(&now); -+ timeout = get_timeout(&now); - -- t1.tv_sec = 1; t1.tv_usec = 0; -+ if (timeout > 0.0) { -+ struct timeval t1; -+ -+ t1.tv_sec = timeout; -+ t1.tv_usec = (timeout - t1.tv_sec) * 1000000; - nfound = select(maxactivefd+1, &rdfdes, (fd_set *)0, - (fd_set *)0, &t1); -- } --# else -- nfound = select(maxactivefd+1, &rdfdes, (fd_set *)0, -- (fd_set *)0, (struct timeval *)0); --# endif /* VMS */ -- if (nfound > 0) -- { -- l_fp ts; -+ get_systime(&now); -+ } else -+ nfound = 0; - -- get_systime(&ts); -+ time_elapsed = timer_elapsed(now, timeout); - -- (void)input_handler(&ts); -+ if (nfound > 0) -+ { -+ (void)input_handler(&now); - } - else if (nfound == -1 && errno != EINTR) - msyslog(LOG_ERR, "select() error: %m"); -@@ -1085,17 +1080,13 @@ getgroup: - msyslog(LOG_DEBUG, "select(): nfound=%d, error: %m", nfound); - # endif /* DEBUG */ - # else /* HAVE_SIGNALED_IO */ -+# error not supported by sleep patch - - wait_for_signal(); - # endif /* HAVE_SIGNALED_IO */ -- if (alarm_flag) /* alarmed? */ -- { -- was_alarmed = 1; -- alarm_flag = 0; -- } - } - -- if (was_alarmed) -+ if (time_elapsed > 0) - { - UNBLOCK_IO_AND_ALARM(); - /* -@@ -1103,7 +1094,6 @@ getgroup: - * to process expiry. - */ - timer(); -- was_alarmed = 0; - BLOCK_IO_AND_ALARM(); - } - -@@ -1121,19 +1111,8 @@ getgroup: - rbuf = get_full_recv_buffer(); - while (rbuf != NULL) - { -- if (alarm_flag) -- { -- was_alarmed = 1; -- alarm_flag = 0; -- } - UNBLOCK_IO_AND_ALARM(); - -- if (was_alarmed) -- { /* avoid timer starvation during lengthy I/O handling */ -- timer(); -- was_alarmed = 0; -- } -- - /* - * Call the data procedure to handle each received - * packet. 
diff --git a/ntp/patches/ntp-4.2.6p2-multiopts.patch b/ntp/patches/ntp-4.2.6p2-multiopts.patch
deleted file mode 100644
index c4ea45983..000000000
--- a/ntp/patches/ntp-4.2.6p2-multiopts.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -up ntp-4.2.6p2/ntpd/ntpd-opts.c.multiopts ntp-4.2.6p2/ntpd/ntpd-opts.c
---- ntp-4.2.6p2/ntpd/ntpd-opts.c.multiopts 2010-09-15 17:37:10.000000000 +0200
-+++ ntp-4.2.6p2/ntpd/ntpd-opts.c 2010-10-01 13:28:49.000000000 +0200
-@@ -755,7 +755,7 @@ static tOptDesc optDesc[ OPTION_CT ] = {
- { /* entry idx, value */ 18, VALUE_OPT_PIDFILE,
- /* equiv idx, value */ 18, VALUE_OPT_PIDFILE,
- /* equivalenced to */ NO_EQUIVALENT,
-- /* min, max, act ct */ 0, 1, 0,
-+ /* min, max, act ct */ 0, 2, 0,
- /* opt state flags */ PIDFILE_FLAGS, 0,
- /* last opt argumnt */ { NULL },
- /* arg list/cookie */ NULL,
-@@ -839,7 +839,7 @@ static tOptDesc optDesc[ OPTION_CT ] = {
- { /* entry idx, value */ 25, VALUE_OPT_USER,
- /* equiv idx, value */ 25, VALUE_OPT_USER,
- /* equivalenced to */ NO_EQUIVALENT,
-- /* min, max, act ct */ 0, 1, 0,
-+ /* min, max, act ct */ 0, 2, 0,
- /* opt state flags */ USER_FLAGS, 0,
- /* last opt argumnt */ { NULL },
- /* arg list/cookie */ NULL,
diff --git a/ntp/patches/ntp-4.2.6p3-bcast.patch b/ntp/patches/ntp-4.2.6p3-bcast.patch
deleted file mode 100644
index 57581f3d9..000000000
--- a/ntp/patches/ntp-4.2.6p3-bcast.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -diff -up ntp-4.2.6p3/ntpd/ntp_io.c.bcast ntp-4.2.6p3/ntpd/ntp_io.c ---- ntp-4.2.6p3/ntpd/ntp_io.c.bcast 2010-12-25 10:40:36.000000000 +0100 -+++ ntp-4.2.6p3/ntpd/ntp_io.c 2011-01-05 17:46:13.820049150 +0100 -@@ -151,6 +151,8 @@ int ninterfaces; /* Total number of in - - int disable_dynamic_updates; /* scan interfaces once only */ - -+static int pktinfo_status = 0; /* is IP_PKTINFO on wildipv4 iface enabled? */ -+ - #ifdef REFCLOCK - /* - * Refclock stuff. We keep a chain of structures with data concerning -@@ -2254,6 +2256,17 @@ set_reuseaddr( - #endif /* ! SO_EXCLUSIVEADDRUSE */ - } - -+static void -+set_pktinfo(int flag) -+{ -+ if (wildipv4 == NULL) -+ return; -+ if (setsockopt(wildipv4->fd, SOL_IP, IP_PKTINFO, &flag, sizeof (flag))) { -+ msyslog(LOG_ERR, "set_pktinfo: setsockopt(IP_PKTINFO, %s) failed: %m", flag ? "on" : "off"); -+ } else -+ pktinfo_status = flag; -+} -+ - /* - * This is just a wrapper around an internal function so we can - * make other changes as necessary later on -@@ -2659,6 +2672,7 @@ io_setbclient(void) - } - } - set_reuseaddr(0); -+ set_pktinfo(1); - if (nif > 0) - DPRINTF(1, ("io_setbclient: Opened broadcast clients\n")); - else if (!nif) -@@ -2685,6 +2699,7 @@ io_unsetbclient(void) - continue; - socket_broadcast_disable(ep, &ep->sin); - } -+ set_pktinfo(0); - } - - /* -@@ -3392,7 +3407,8 @@ read_network_packet( - #ifdef HAVE_TIMESTAMP - struct msghdr msghdr; - struct iovec iovec; -- char control[TIMESTAMP_CTLMSGBUF_SIZE]; -+ char control[sizeof (struct cmsghdr) * 2 + sizeof (struct timeval) + -+ sizeof (struct in_pktinfo) + 32]; - #endif - - /* -@@ -3403,7 +3419,7 @@ read_network_packet( - */ - - rb = get_free_recv_buffer(); -- if (NULL == rb || itf->ignore_packets) { -+ if (NULL == rb || (itf->ignore_packets && !(pktinfo_status && itf == wildipv4))) { - char buf[RX_BUFF_SIZE]; - sockaddr_u from; - -@@ -3463,6 +3479,27 @@ read_network_packet( - return (buflen); - } - -+ if (pktinfo_status && itf->ignore_packets && itf 
== wildipv4) { -+ /* check for broadcast on 255.255.255.255, exception allowed on wildipv4 */ -+ struct cmsghdr *cmsg; -+ struct in_pktinfo *pktinfo = NULL; -+ -+ if ((cmsg = CMSG_FIRSTHDR(&msghdr))) -+ do { -+ if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_PKTINFO) -+ pktinfo = (struct in_pktinfo *) CMSG_DATA(cmsg); -+ } while ((cmsg = CMSG_NXTHDR(&msghdr, cmsg))); -+ if (pktinfo && pktinfo->ipi_addr.s_addr == INADDR_BROADCAST) { -+ DPRINTF(4, ("INADDR_BROADCAST\n")); -+ } else { -+ DPRINTF(4, ("%s on (%lu) fd=%d from %s\n", "ignore", -+ free_recvbuffs(), fd, stoa(&rb->recv_srcadr))); -+ packets_ignored++; -+ freerecvbuf(rb); -+ return (buflen); -+ } -+ } -+ - DPRINTF(3, ("read_network_packet: fd=%d length %d from %s\n", - fd, buflen, stoa(&rb->recv_srcadr))); - diff --git a/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch b/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch deleted file mode 100644 index f9c192978..000000000 --- a/ntp/patches/ntp-4.2.6p3-broadcastdelay.patch +++ /dev/null @@ -1,31 +0,0 @@ -==== ntpd/ntp_proto.c ==== -2010-10-22 01:55:45-04:00, stenn@deacon.udel.edu +2 -5 - [Bug 1670] Fix peer->bias and broadcastdelay - ---- 1.307/ntpd/ntp_proto.c 2010-10-11 21:06:05 -07:00 -+++ 1.308/ntpd/ntp_proto.c 2010-10-21 22:55:45 -07:00 -@@ -929,7 +929,6 @@ receive( - - } else { - peer->delay = sys_bdelay; -- peer->bias = -sys_bdelay / 2.; - } - break; - } -@@ -1570,7 +1569,6 @@ process_packet( - p_del = fabs(t21 - t34); - p_offset = (t21 + t34) / 2.; - } -- p_offset += peer->bias; - p_disp = LOGTOD(sys_precision) + LOGTOD(peer->precision) + - clock_phi * p_del; - -@@ -1647,7 +1645,7 @@ process_packet( - /* - * That was awesome. Now hand off to the clock filter. - */ -- clock_filter(peer, p_offset, p_del, p_disp); -+ clock_filter(peer, p_offset + peer->bias, p_del, p_disp); - - /* - * If we are in broadcast calibrate mode, return to broadcast 
diff --git a/ntp/patches/ntp-4.2.6p4-droproot.patch b/ntp/patches/ntp-4.2.6p4-droproot.patch deleted file mode 100644 index 1d953d18b..000000000 --- a/ntp/patches/ntp-4.2.6p4-droproot.patch +++ /dev/null @@ -1,207 +0,0 @@ -diff -up ntp-4.2.6p4/html/ntpdate.html.droproot ntp-4.2.6p4/html/ntpdate.html ---- ntp-4.2.6p4/html/ntpdate.html.droproot 2011-07-11 04:18:25.000000000 +0200 -+++ ntp-4.2.6p4/html/ntpdate.html 2011-10-05 15:47:29.643634928 +0200 -@@ -18,7 +18,7 @@ -
-

Disclaimer: The functionality of this program is now available in the ntpd program. See the -q command line option in the ntpd - Network Time Protocol (NTP) daemon page. After a suitable period of mourning, the ntpdate program is to be retired from this distribution

-

Synopsis

-- ntpdate [ -46bBdqsuv ] [ -a key ] [ -e authdelay ] [ -k keyfile ] [ -o version ] [ -p samples ] [ -t timeout ] server [ ... ] -+ ntpdate [ -46bBdqsuv ] [ -a key ] [ -e authdelay ] [ -k keyfile ] [ -o version ] [ -p samples ] [ -t timeout ] [ -U user_name ] server [ ... ] -

Description

-

ntpdate sets the local date and time by polling the Network Time Protocol (NTP) server(s) given as the server arguments to determine the correct time. It must be run as root on the local host. A number of samples are obtained from each of the servers specified and a subset of the NTP clock filter and selection algorithms are applied to select the best of these. Note that the accuracy and reliability of ntpdate depends on the number of servers, the number of polls each time it is run and the interval between runs.

-

ntpdate can be run manually as necessary to set the host clock, or it can be run from the host startup script to set the clock at boot time. This is useful in some cases to set the clock initially before starting the NTP daemon ntpd. It is also possible to run ntpdate from a cron script. However, it is important to note that ntpdate with contrived cron scripts is no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use. Finally, since ntpdate does not discipline the host clock frequency as does ntpd, the accuracy using ntpdate is limited.

-@@ -58,6 +58,10 @@ -
Direct ntpdate to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronize with hosts beyond the firewall. Note that the -d option always uses unprivileged ports. -
-v -
Be verbose. This option will cause ntpdate's version identification string to be logged. -+
-U user_name
-+
ntpdate process drops root privileges and changes user ID to -+ user_name and group ID to the primary group of -+ server_user. - -

Diagnostics

- ntpdate's exit status is zero if it finds a server and updates the clock, and nonzero otherwise. -diff -up ntp-4.2.6p4/ntpdate/ntpdate.c.droproot ntp-4.2.6p4/ntpdate/ntpdate.c ---- ntp-4.2.6p4/ntpdate/ntpdate.c.droproot 2011-05-25 07:06:09.000000000 +0200 -+++ ntp-4.2.6p4/ntpdate/ntpdate.c 2011-10-05 15:45:39.570555972 +0200 -@@ -49,6 +49,12 @@ - - #include - -+/* Linux capabilities */ -+#include -+#include -+#include -+#include -+ - #ifdef SYS_VXWORKS - # include "ioLib.h" - # include "sockLib.h" -@@ -153,6 +159,11 @@ int simple_query = 0; - int unpriv_port = 0; - - /* -+ * Use capabilities to drop privileges and switch uids -+ */ -+char *server_user; -+ -+/* - * Program name. - */ - char *progname; -@@ -294,6 +305,88 @@ void clear_globals() - static ni_namelist *getnetinfoservers (void); - #endif - -+/* This patch is adapted (copied) from Chris Wings drop root patch -+ * for xntpd. -+ */ -+void drop_root(uid_t server_uid, gid_t server_gid) -+{ -+ cap_t caps; -+ -+ if (prctl(PR_SET_KEEPCAPS, 1)) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "prctl(PR_SET_KEEPCAPS, 1) failed"); -+ } -+ else { -+ fprintf(stderr, "prctl(PR_SET_KEEPCAPS, 1) failed.\n"); -+ } -+ exit(1); -+ } -+ -+ if ( setgroups(0, NULL) == -1 ) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "setgroups failed."); -+ } -+ else { -+ fprintf(stderr, "setgroups failed.\n"); -+ } -+ exit(1); -+ } -+ -+ if ( setegid(server_gid) == -1 || seteuid(server_uid) == -1 ) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "setegid/seteuid to uid=%d/gid=%d failed.", server_uid, -+ server_gid); -+ } -+ else { -+ fprintf(stderr, "setegid/seteuid to uid=%d/gid=%d failed.\n", server_uid, -+ server_gid); -+ } -+ exit(1); -+ } -+ -+ caps = cap_from_text("cap_sys_time=epi"); -+ if (caps == NULL) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "cap_from_text failed."); -+ } -+ else { -+ fprintf(stderr, "cap_from_text failed.\n"); -+ } -+ exit(1); -+ } -+ -+ if (cap_set_proc(caps) == -1) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "cap_set_proc 
failed."); -+ } -+ else { -+ fprintf(stderr, "cap_set_proc failed.\n"); -+ } -+ exit(1); -+ } -+ -+ /* Try to free the memory from cap_from_text */ -+ cap_free( caps ); -+ -+ if ( setregid(server_gid, server_gid) == -1 || -+ setreuid(server_uid, server_uid) == -1 ) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "setregid/setreuid to uid=%d/gid=%d failed.", -+ server_uid, server_gid); -+ } -+ else { -+ fprintf(stderr, "setregid/setreuid to uid=%d/gid=%d failed.\n", -+ server_uid, server_gid); -+ } -+ exit(1); -+ } -+ -+ if (syslogit) { -+ msyslog(LOG_DEBUG, "running as uid(%d)/gid(%d) euid(%d)/egid(%d).", -+ getuid(), getgid(), geteuid(), getegid()); -+ } -+} -+ - /* - * Main program. Initialize us and loop waiting for I/O and/or - * timer expiries. -@@ -341,6 +434,8 @@ ntpdatemain ( - - init_lib(); /* sets up ipv4_works, ipv6_works */ - -+ server_user = NULL; -+ - /* Check to see if we have IPv6. Otherwise default to IPv4 */ - if (!ipv6_works) - ai_fam_templ = AF_INET; -@@ -352,7 +447,7 @@ ntpdatemain ( - /* - * Decode argument list - */ -- while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uv")) != EOF) -+ while ((c = ntp_getopt(argc, argv, "46a:bBde:k:o:p:qst:uvU:")) != EOF) - switch (c) - { - case '4': -@@ -429,6 +524,14 @@ ntpdatemain ( - case 'u': - unpriv_port = 1; - break; -+ case 'U': -+ if (ntp_optarg) { -+ server_user = strdup(ntp_optarg); -+ } -+ else { -+ ++errflg; -+ } -+ break; - case '?': - ++errflg; - break; -@@ -438,7 +541,7 @@ ntpdatemain ( - - if (errflg) { - (void) fprintf(stderr, -- "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] server ...\n", -+ "usage: %s [-46bBdqsuv] [-a key#] [-e delay] [-k file] [-p samples] [-o version#] [-t timeo] [-U username] server ...\n", - progname); - exit(2); - } -@@ -544,6 +647,24 @@ ntpdatemain ( - initializing = 0; - was_alarmed = 0; - -+ if (server_user) { -+ struct passwd *pwd = NULL; -+ -+ /* Lookup server_user uid/gid before chroot/chdir */ -+ pwd = getpwnam( 
server_user ); -+ if ( pwd == NULL ) { -+ if (syslogit) { -+ msyslog(LOG_ERR, "Failed to lookup user '%s'.", server_user); -+ } -+ else { -+ fprintf(stderr, "Failed to lookup user '%s'.\n", server_user); -+ } -+ exit(1); -+ } -+ drop_root(pwd->pw_uid, pwd->pw_gid); -+ } -+ -+ - while (complete_servers < sys_numservers) { - #ifdef HAVE_POLL_H - struct pollfd* rdfdes; diff --git a/ntp/patches/ntp-4.2.6p4-htmldoc.patch b/ntp/patches/ntp-4.2.6p4-htmldoc.patch deleted file mode 100644 index 2b2dab760..000000000 --- a/ntp/patches/ntp-4.2.6p4-htmldoc.patch +++ /dev/null @@ -1,76 +0,0 @@ -diff -up ntp-4.2.6p4/html/authopt.html.htmldoc ntp-4.2.6p4/html/authopt.html ---- ntp-4.2.6p4/html/authopt.html.htmldoc 2011-07-11 04:18:25.000000000 +0200 -+++ ntp-4.2.6p4/html/authopt.html 2011-10-05 17:30:09.463244610 +0200 -@@ -364,7 +364,7 @@ UTC

- are left unspecified, the default names are used as described below. Unless - the complete path and name of the file are specified, the location of a file - is relative to the keys directory specified in the keysdir configuration -- command or default /usr/local/etc. Following are the options.
-+ command or default /etc/ntp/crypto. Following are the options. - -
- -@@ -396,7 +396,7 @@ UTC

-
Specifies the complete path to the MD5 key file containing the keys and key IDs used by ntpd, ntpq and ntpdc when operating with symmetric key cryptography. This is the same operation as the -k command line option. Note that the directory path for Autokey media is specified by the keysdir command.
- -
keysdir pathK
--
This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is /usr/local/etc/. Note that the path for the symmetric keys file is specified by the keys command.
-+
This command specifies the default directory path for Autokey cryptographic keys, parameters and certificates. The default is /etc/ntp/crypto. Note that the path for the symmetric keys file is specified by the keys command.
- -
requestkey keyid
-
Specifies the key ID to use with the -diff -up ntp-4.2.6p4/html/keygen.html.htmldoc ntp-4.2.6p4/html/keygen.html ---- ntp-4.2.6p4/html/keygen.html.htmldoc 2011-07-11 04:18:26.000000000 +0200 -+++ ntp-4.2.6p4/html/keygen.html 2011-10-05 17:30:09.463244610 +0200 -@@ -206,7 +206,6 @@ -

All cryptographically sound key generation schemes must have means to randomize the entropy seed used to initialize the internal pseudo-random number generator used by the OpenSSL library routines. If a site supports ssh, it is very likely that means to do this are already available. The entropy seed used by the OpenSSL library is contained in a file, usually called .rnd, which must be available when starting the ntp-keygen program or ntpd daemon.

- -

The OpenSSL library looks for the file using the path specified by the RANDFILE environment variable in the user home directory, whether root or some other user. If the RANDFILE environment variable is not present, the library looks for the .rnd file in the user home directory. Since both the ntp-keygen program and ntpd daemon must run as root, the logical place to put this file is in /.rnd or /root/.rnd. If the file is not available or cannot be written, the program exits with a message to the system log.

--

On systems that provide /dev/urandom, the randomness device is used instead and the file specified by the randfile subcommand or the RANDFILE environment variable is ignored.

- -

Cryptographic Data Files

- -diff -up ntp-4.2.6p4/html/ntpd.html.htmldoc ntp-4.2.6p4/html/ntpd.html ---- ntp-4.2.6p4/html/ntpd.html.htmldoc 2011-07-11 04:18:26.000000000 +0200 -+++ ntp-4.2.6p4/html/ntpd.html 2011-10-05 17:34:07.545384008 +0200 -@@ -214,14 +214,14 @@ - - - statistics path -- /var/NTP -+ /var/log/ntpstats/ - -s - statsdir - - - keys path -- /usr/local/etc -- -k -+ /etc/ntp/crypto -+ none - keysdir - - -diff -up ntp-4.2.6p4/html/ntpdate.html.htmldoc ntp-4.2.6p4/html/ntpdate.html ---- ntp-4.2.6p4/html/ntpdate.html.htmldoc 2011-10-05 17:30:09.438244595 +0200 -+++ ntp-4.2.6p4/html/ntpdate.html 2011-10-05 17:36:24.195463971 +0200 -@@ -43,7 +43,7 @@ -
-e authdelay -
Specify the processing delay to perform an authentication function as the value authdelay, in seconds and fraction (see ntpd for details). This number is usually small enough to be negligible for most purposes, though specifying a value may improve timekeeping on very slow CPU's. -
-k keyfile --
Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp.keys. This file should be in the format described in ntpd. -+
Specify the path for the authentication key file as the string keyfile. The default is /etc/ntp/keys. This file should be in the format described in ntpd. -
-o version -
Specify the NTP version for outgoing packets as the integer version, which can be 1 or 2. The default is 4. This allows ntpdate to be used with older NTP versions. -
-p samples -@@ -66,7 +66,7 @@ -

Diagnostics

- ntpdate's exit status is zero if it finds a server and updates the clock, and nonzero otherwise. -

Files

-- /etc/ntp.keys - encryption keys used by ntpdate. -+ /etc/ntp/keys - encryption keys used by ntpdate. -

Bugs

- The slew adjustment is actually 50% larger than the measured offset, since this (it is argued) will tend to keep a badly drifting clock more accurate. This is probably not a good idea and may cause a troubling hunt for some values of the kernel variables tick and tickadj.  -
-diff -up ntp-4.2.6p4/html/ntpdc.html.htmldoc ntp-4.2.6p4/html/ntpdc.html -diff -up ntp-4.2.6p4/html/ntpq.html.htmldoc ntp-4.2.6p4/html/ntpq.html diff --git a/ntp/patches/ntp-4.2.6p4-mlock.patch b/ntp/patches/ntp-4.2.6p4-mlock.patch deleted file mode 100644 index 354f7d54e..000000000 --- a/ntp/patches/ntp-4.2.6p4-mlock.patch +++ /dev/null @@ -1,140 +0,0 @@ -diff -up ntp-4.2.6p4/html/ntpd.html.mlock ntp-4.2.6p4/html/ntpd.html ---- ntp-4.2.6p4/html/ntpd.html.mlock 2011-10-06 13:08:50.897274352 +0200 -+++ ntp-4.2.6p4/html/ntpd.html 2011-10-06 13:08:50.909274362 +0200 -@@ -32,7 +32,7 @@ - -
-

Synopsis

-- ntpd [ -46aAbdDgLnNqx ] [ -c conffile ] [ -f driftfile ] [ -i jaildir ] [ -I iface ] [ -k keyfile ] [ -l logfile ] [ -p pidfile ] [ -P priority ] [ -r broadcastdelay ] [ -s statsdir ] [ -t key ] [ -u user[:group] ] [ -U interface_update_interval ] [ -v variable ] [ -V variable ] -+ ntpd [ -46aAbdDgLmnNqx ] [ -c conffile ] [ -f driftfile ] [ -i jaildir ] [ -I iface ] [ -k keyfile ] [ -l logfile ] [ -p pidfile ] [ -P priority ] [ -r broadcastdelay ] [ -s statsdir ] [ -t key ] [ -u user[:group] ] [ -U interface_update_interval ] [ -v variable ] [ -V variable ] -

Description

-

The ntpd program is an operating system daemon that synchronises the system clock with remote NTP time servers or local reference clocks. It is a complete implementation of the Network Time Protocol (NTP) version 4, but also retains compatibility with version 3, as defined by RFC-1305, and version 1 and 2, as defined by RFC-1059 and RFC-1119, respectively. The program can operate in any of several modes, as described on the Association Management page, and with both symmetric key and public key cryptography, as described on the Authentication Options page.

-

The ntpd program ordinarily requires a configuration file as desccribe on the Configuration Commands and Options collection above. However a client can discover remote servers and configure them automatically. This makes it possible to deploy a fleet of workstations without specifying configuration details specific to the local environment. Further details are on the Automatic Server Discovery page.

-@@ -123,6 +123,8 @@ -
Do not listen to virtual interfaces, defined as those with names containing a colon. This option is deprecated. Please consider using the configuration file interface command, which is more versatile.
-
-M
-
Raise scheduler precision to its maximum (1 msec) using timeBeginPeriod. (Windows only)
-+
-m -+
Lock memory. -
-n
-
Don't fork.
-
-N
-diff -up ntp-4.2.6p4/ntpd/ntpd-opts.c.mlock ntp-4.2.6p4/ntpd/ntpd-opts.c
---- ntp-4.2.6p4/ntpd/ntpd-opts.c.mlock 2011-09-23 05:36:04.000000000 +0200
-+++ ntp-4.2.6p4/ntpd/ntpd-opts.c 2011-10-06 13:10:54.082360146 +0200
-@@ -276,6 +276,15 @@ static char const zNice_Name[]
- #define NICE_FLAGS (OPTST_DISABLED)
-
- /*
-+ * Mlock option description:
-+ */
-+static char const zMlockText[] =
-+ "Lock memory";
-+static char const zMlock_NAME[] = "MLOCK";
-+static char const zMlock_Name[] = "mlock";
-+#define MLOCK_FLAGS (OPTST_DISABLED)
-+
-+/*
- * Pidfile option description:
- */
- static char const zPidfileText[] =
-@@ -903,6 +912,18 @@ static tOptDesc optDesc[OPTION_CT] = {
- /* desc, NAME, name */ zPccfreqText, zPccfreq_NAME, zPccfreq_Name,
- /* disablement strs */ NULL, NULL },
-
-+ { /* entry idx, value */ 32, VALUE_OPT_MLOCK,
-+ /* equiv idx, value */ 32, VALUE_OPT_MLOCK,
-+ /* equivalenced to */ NO_EQUIVALENT,
-+ /* min, max, act ct */ 0, 1, 0,
-+ /* opt state flags */ MLOCK_FLAGS, 0,
-+ /* last opt argumnt */ { NULL },
-+ /* arg list/cookie */ NULL,
-+ /* must/cannot opts */ NULL, NULL,
-+ /* option proc */ NULL,
-+ /* desc, NAME, name */ zMlockText, zMlock_NAME, zMlock_Name,
-+ /* disablement strs */ NULL, NULL },
-+
- { /* entry idx, value */ INDEX_OPT_VERSION, VALUE_OPT_VERSION,
- /* equiv idx value */ NO_EQUIVALENT, 0,
- /* equivalenced to */ NO_EQUIVALENT,
-@@ -1018,7 +1039,7 @@ tOptions ntpdOptions = {
- NO_EQUIVALENT, /* '-#' option index */
- NO_EQUIVALENT /* index of default opt */
- },
-- 35 /* full option count */, 32 /* user option count */,
-+ 36 /* full option count */, 33 /* user option count */,
- ntpd_full_usage, ntpd_short_usage,
- NULL, NULL,
- PKGDATADIR, ntpd_packager_info
-diff -up ntp-4.2.6p4/ntpd/ntpd-opts.h.mlock ntp-4.2.6p4/ntpd/ntpd-opts.h
---- ntp-4.2.6p4/ntpd/ntpd-opts.h.mlock 2011-09-23 05:36:04.000000000 +0200
-+++ ntp-4.2.6p4/ntpd/ntpd-opts.h 2011-10-06 13:08:50.910274363 +0200
-@@ -81,6 +81,7 @@ typedef enum {
-- INDEX_OPT_VERSION = 32,
-- INDEX_OPT_HELP = 33,
-- INDEX_OPT_MORE_HELP = 34
-+ INDEX_OPT_MLOCK = 32,
-+ INDEX_OPT_VERSION = 33,
-+ INDEX_OPT_HELP = 34,
-+ INDEX_OPT_MORE_HELP = 35
- } teOptIndex;
-
--#define OPTION_CT 35
-+#define OPTION_CT 36
-@@ -187,6 +188,10 @@ typedef enum {
- # warning undefining MODIFYMMTIMER due to option name conflict
- # undef MODIFYMMTIMER
- # endif
-+# ifdef MLOCK
-+# warning undefining MLOCK due to option name conflict
-+# undef MLOCK
-+# endif
- # ifdef NOFORK
- # warning undefining NOFORK due to option name conflict
- # undef NOFORK
-@@ -268,6 +273,7 @@ typedef enum {
- # undef LOGFILE
- # undef NOVIRTUALIPS
- # undef MODIFYMMTIMER
-+# undef MLOCK
- # undef NOFORK
- # undef NICE
- # undef PIDFILE
-@@ -306,6 +312,7 @@ typedef enum {
- #define VALUE_OPT_LOGFILE 'l'
- #define VALUE_OPT_NOVIRTUALIPS 'L'
- #define VALUE_OPT_MODIFYMMTIMER 'M'
-+#define VALUE_OPT_MLOCK 'm'
- #define VALUE_OPT_NOFORK 'n'
- #define VALUE_OPT_NICE 'N'
- #define VALUE_OPT_PIDFILE 'p'
-diff -up ntp-4.2.6p4/ntpd/ntpd.c.mlock ntp-4.2.6p4/ntpd/ntpd.c
---- ntp-4.2.6p4/ntpd/ntpd.c.mlock 2011-10-06 13:08:50.869274334 +0200
-+++ ntp-4.2.6p4/ntpd/ntpd.c 2011-10-06 13:08:50.911274363 +0200
-@@ -723,7 +723,8 @@ ntpdmain(
- }
- #endif
-
--#if defined(HAVE_MLOCKALL) && defined(MCL_CURRENT) && defined(MCL_FUTURE)
-+#if defined(MCL_CURRENT) && defined(MCL_FUTURE)
-+ if (HAVE_OPT( MLOCK )) {
- # ifdef HAVE_SETRLIMIT
- /*
- * Set the stack limit to something smaller, so that we don't lock a lot
-@@ -749,7 +750,7 @@ ntpdmain(
- * fail if we drop root privlege. To be useful the value
- * has to be larger than the largest ntpd resident set size.
- */
-- rl.rlim_cur = rl.rlim_max = 32*1024*1024;
-+ rl.rlim_cur = rl.rlim_max = 64*1024*1024;
- if (setrlimit(RLIMIT_MEMLOCK, &rl) == -1) {
- msyslog(LOG_ERR, "Cannot set RLIMIT_MEMLOCK: %m");
- }
-@@ -761,6 +762,7 @@ ntpdmain(
- */
- if (mlockall(MCL_CURRENT|MCL_FUTURE) < 0)
- msyslog(LOG_ERR, "mlockall(): %m");
-+ }
- #else /* not (HAVE_MLOCKALL && MCL_CURRENT && MCL_FUTURE) */
- # ifdef HAVE_PLOCK
- # ifdef PROCLOCK
diff --git a/ntp/patches/ntp-4.2.6p4-rtnetlink.patch b/ntp/patches/ntp-4.2.6p4-rtnetlink.patch
deleted file mode 100644
index 06d2e879d..000000000
--- a/ntp/patches/ntp-4.2.6p4-rtnetlink.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -up ntp-4.2.6p4/ntpd/ntp_io.c.rtnetlink ntp-4.2.6p4/ntpd/ntp_io.c
---- ntp-4.2.6p4/ntpd/ntp_io.c.rtnetlink 2011-10-05 15:49:17.061711033 +0200
-+++ ntp-4.2.6p4/ntpd/ntp_io.c 2011-10-05 15:49:17.074711042 +0200
-@@ -4549,10 +4549,7 @@ init_async_notifications()
- #ifdef HAVE_RTNETLINK
- memset(&sa, 0, sizeof(sa));
- sa.nl_family = PF_NETLINK;
-- sa.nl_groups = RTMGRP_LINK | RTMGRP_IPV4_IFADDR
-- | RTMGRP_IPV6_IFADDR | RTMGRP_IPV4_ROUTE
-- | RTMGRP_IPV4_MROUTE | RTMGRP_IPV6_ROUTE
-- | RTMGRP_IPV6_MROUTE;
-+ sa.nl_groups = RTMGRP_IPV4_IFADDR | RTMGRP_IPV6_IFADDR;
- if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
- msyslog(LOG_ERR,
- "bind failed on routing socket (%m) - using polled interface update");
diff --git a/ntp/patches/ntp-4.2.6p5-delaycalib.patch b/ntp/patches/ntp-4.2.6p5-delaycalib.patch
deleted file mode 100644
index 7e9a31097..000000000
--- a/ntp/patches/ntp-4.2.6p5-delaycalib.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up ntp-4.2.6p5/ntpd/ntp_proto.c.delaycalib ntp-4.2.6p5/ntpd/ntp_proto.c
---- ntp-4.2.6p5/ntpd/ntp_proto.c.delaycalib 2012-02-28 15:57:57.000000000 +0100
-+++ ntp-4.2.6p5/ntpd/ntp_proto.c 2012-02-28 16:01:30.080135978 +0100
-@@ -1514,7 +1514,7 @@ process_packet(
- */
- if (FLAG_BC_VOL & peer->flags) {
- peer->flags &= ~FLAG_BC_VOL;
-- peer->delay = (peer->offset - p_offset) * 2;
-+ peer->delay = fabs(peer->offset - p_offset) * 2;
- }
- p_del = peer->delay;
- p_offset += p_del / 2;
diff --git a/ntp/patches/ntp-4.2.6p5-fipsmd5.patch b/ntp/patches/ntp-4.2.6p5-fipsmd5.patch
deleted file mode 100644
index b6d8889f4..000000000
--- a/ntp/patches/ntp-4.2.6p5-fipsmd5.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-diff -up ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 ntp-4.2.6p5/libntp/a_md5encrypt.c
---- ntp-4.2.6p5/libntp/a_md5encrypt.c.fipsmd5 2011-12-01 03:55:17.000000000 +0100
-+++ ntp-4.2.6p5/libntp/a_md5encrypt.c 2012-10-24 16:24:04.972358878 +0200
-@@ -38,7 +38,11 @@ MD5authencrypt(
- * was creaded.
- */
- INIT_SSL();
-- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
-+ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
-+ msyslog(LOG_ERR,
-+ "MAC encrypt: digest init failed");
-+ return (0);
-+ }
- EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
- EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
- EVP_DigestFinal(&ctx, digest, &len);
-@@ -71,7 +75,11 @@ MD5authdecrypt(
- * was created.
- */
- INIT_SSL();
-- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
-+ if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
-+ msyslog(LOG_ERR,
-+ "MAC decrypt: digest init failed");
-+ return (0);
-+ }
- EVP_DigestUpdate(&ctx, key, (u_int)cache_keylen);
- EVP_DigestUpdate(&ctx, (u_char *)pkt, (u_int)length);
- EVP_DigestFinal(&ctx, digest, &len);
-@@ -101,7 +109,16 @@ addr2refid(sockaddr_u *addr)
- return (NSRCADR(addr));
-
- INIT_SSL();
-- EVP_DigestInit(&ctx, EVP_get_digestbynid(NID_md5));
-+ EVP_MD_CTX_init(&ctx);
-+#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
-+ /* MD5 is not used as a crypto hash here. */
-+ EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-+#endif
-+ if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
-+ msyslog(LOG_ERR,
-+ "MD5 init failed");
-+ exit(1);
-+ }
- EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
- sizeof(struct in6_addr));
- EVP_DigestFinal(&ctx, digest, &len);