Update patches: remove integer overflow, add constraint helper

patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch

@@ -1,7 +1,7 @@
-From 9e246d0c8dbe98db5e2408a3472d380ddebf7717 Mon Sep 17 00:00:00 2001
+From 12b5412a7b2004ade1ece0872151c8fe3bb40e04 Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Tue, 30 Dec 2014 09:10:22 -0600
-Subject: [PATCH 01/10] Handle IPv6 DNS records on IPv4 networks more liberally
+Subject: [PATCH 01/11] Handle IPv6 DNS records on IPv4 networks more liberally
 
 Rather than fail on IPv4 only networks when seeing an IPv6 DNS record,
 just give a warning.
@@ -13,7 +13,7 @@ Original Author: Stefan Praszalowicz <stefan.praszalowicz@avedya.com>
  1 file changed, 10 insertions(+), 3 deletions(-)
 
 diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
-index 21711ae..18aa81d 100644
+index 1d982d6..e717d69 100644
 --- a/src/usr.sbin/ntpd/client.c
 +++ b/src/usr.sbin/ntpd/client.c
 @@ -138,9 +138,16 @@ client_query(struct ntp_peer *p)

patches/0002-EAI_NODATA-does-not-exist-everywhere.patch

@@ -1,7 +1,7 @@
-From 27af6267c4062130307e30a807bda9fb71ae0760 Mon Sep 17 00:00:00 2001
+From 1e47d56c25f283ed9fe71594bed96eaf15babc5e Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Tue, 30 Dec 2014 09:04:08 -0600
-Subject: [PATCH 02/10] EAI_NODATA does not exist everywhere
+Subject: [PATCH 02/11] EAI_NODATA does not exist everywhere
 
 FreeBSD says it is deprecated #ifdef's it out.
 

patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch

@@ -1,7 +1,7 @@
-From 627d0d1bf727acc53e2ac58136aec4780f2fdf61 Mon Sep 17 00:00:00 2001
+From 1428f299aa499b50fcd18e63b1493bae8d2714ab Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Mon, 12 Jan 2015 21:16:54 -0600
-Subject: [PATCH 03/10] Use LOG_NTP syslog facility if it is available
+Subject: [PATCH 03/11] Use LOG_NTP syslog facility if it is available
 
 FreeBSD PR:     114191
 Submitted by:   Robert Archer <freebsd@deathbeforedecaf.net>

patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch

@@ -1,7 +1,7 @@
-From 4a0d934afddc6c9f0f736de84509a7c671f27ddd Mon Sep 17 00:00:00 2001
+From b5bb8f5408cd54fff33d64c8f28d3847648334ab Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Tue, 30 Dec 2014 09:02:50 -0600
-Subject: [PATCH 04/10] conditionally fill in sin_len/sin6_len if they exist
+Subject: [PATCH 04/11] conditionally fill in sin_len/sin6_len if they exist
 
 ---
  src/usr.sbin/ntpd/config.c | 8 ++++++++

patches/0005-check-if-rdomain-support-is-available.patch

@@ -1,7 +1,7 @@
-From d5d1799dba61af8a263507839a9a2f92293093ae Mon Sep 17 00:00:00 2001
+From 63674f2828a535709805738711503c08efb0e7d4 Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Tue, 30 Dec 2014 09:05:46 -0600
-Subject: [PATCH 05/10] check if rdomain support is available.
+Subject: [PATCH 05/11] check if rdomain support is available.
 
 Handle FreeBSD's calling rdomain 'FIB'.
  - from naddy@openbsd.org
@@ -13,7 +13,7 @@ Handle FreeBSD's calling rdomain 'FIB'.
  4 files changed, 22 insertions(+), 1 deletion(-)
 
 diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
-index 18aa81d..d47869b 100644
+index e717d69..2be1f93 100644
 --- a/src/usr.sbin/ntpd/client.c
 +++ b/src/usr.sbin/ntpd/client.c
 @@ -149,10 +149,12 @@ client_query(struct ntp_peer *p)

patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch

@@ -1,7 +1,7 @@
-From 78693e2c2d509ef30ca5a2f942657b94887bdc4e Mon Sep 17 00:00:00 2001
+From a65fc1f204c49a92d3b15866c7468576f0088929 Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Tue, 30 Dec 2014 09:20:03 -0600
-Subject: [PATCH 06/10] update ntpd.conf to indicate OS-dependent options
+Subject: [PATCH 06/11] update ntpd.conf to indicate OS-dependent options
 
 Also, clarify listening behavior based on a patch from
 Dererk <dererk@debian.org>
@@ -11,7 +11,7 @@ Debian bug ID: 575705
  1 file changed, 8 insertions(+), 3 deletions(-)
 
 diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
-index accc87b..8ece0de 100644
+index 0254fa7..25efcae 100644
 --- a/src/usr.sbin/ntpd/ntpd.conf.5
 +++ b/src/usr.sbin/ntpd/ntpd.conf.5
 @@ -38,9 +38,14 @@ The basic configuration options are as follows:

patches/0007-allow-overriding-default-user-and-file-locations.patch

@@ -1,7 +1,7 @@
-From 2c3e47ccae2f7e15ca324489968e208c215fef5a Mon Sep 17 00:00:00 2001
+From ee0a5875edc403406175dc8b21c4d20448f9f6de Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Thu, 1 Jan 2015 07:18:11 -0600
-Subject: [PATCH 07/10] allow overriding default user and file locations
+Subject: [PATCH 07/11] allow overriding default user and file locations
 
 Allow the build process to override the default ntpd file paths and
 default user.

patches/0008-add-p-option-to-create-a-pid-file.patch

@@ -1,7 +1,7 @@
-From 39b0d8bc55f07cc2d15c7a60ee77c41e00b8c9b1 Mon Sep 17 00:00:00 2001
+From c699cfbb1e9fb4acc10f12642ce497e38c013391 Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Wed, 31 Dec 2014 08:26:41 -0600
-Subject: [PATCH 08/10] add -p option to create a pid file
+Subject: [PATCH 08/11] add -p option to create a pid file
 
 This is used in both the Gentoo and Debian ports.
 
@@ -13,7 +13,7 @@ Origin: https://bugs.gentoo.org/show_bug.cgi?id=493082
  3 files changed, 33 insertions(+), 5 deletions(-)
 
 diff --git a/src/usr.sbin/ntpd/ntpd.8 b/src/usr.sbin/ntpd/ntpd.8
-index 18b12e8..9eb1fee 100644
+index af56fb9..b11b5ca 100644
 --- a/src/usr.sbin/ntpd/ntpd.8
 +++ b/src/usr.sbin/ntpd/ntpd.8
 @@ -25,6 +25,7 @@
@@ -24,7 +24,7 @@ index 18b12e8..9eb1fee 100644
  .Ek
  .Sh DESCRIPTION
  The
-@@ -56,6 +57,9 @@ instead of the default
+@@ -59,6 +60,9 @@ instead of the default
  .It Fl n
  Configtest mode.
  Only check the configuration file for validity.
@@ -35,7 +35,7 @@ index 18b12e8..9eb1fee 100644
  Do not set the time immediately at startup.
  This is the default.
 diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
-index a02d9f5..304e050 100644
+index 045bdd4..c7935bf 100644
 --- a/src/usr.sbin/ntpd/ntpd.c
 +++ b/src/usr.sbin/ntpd/ntpd.c
 @@ -83,6 +83,18 @@ sighdlr(int sig)
@@ -59,7 +59,7 @@ index a02d9f5..304e050 100644
  {
 @@ -92,7 +104,7 @@ usage(void)
  		fprintf(stderr,
- 		    "usage: ntpctl [-s all | peers | Sensors | status]\n");
+ 		    "usage: ntpctl -s all | peers | Sensors | status\n");
  	else
 -		fprintf(stderr, "usage: %s [-dnSsv] [-f file]\n",
 +		fprintf(stderr, "usage: %s [-dnSsv] [-f file] [-p file]\n",
@@ -134,10 +134,10 @@ index a02d9f5..304e050 100644
  			timeout = INFTIM;
  			break;
 diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
-index cfbd603..8f13b00 100644
+index 4d5b3ad..6403391 100644
 --- a/src/usr.sbin/ntpd/ntpd.h
 +++ b/src/usr.sbin/ntpd/ntpd.h
-@@ -237,6 +237,7 @@ struct ntpd_conf {
+@@ -239,6 +239,7 @@ struct ntpd_conf {
  	u_int						constraint_errors;
  	u_int8_t					*ca;
  	size_t						ca_len;

patches/0009-initialize-setproctitle-where-needed.patch

@@ -1,7 +1,7 @@
-From f22fd1f0b3f4f5ec49c668f95776cee5214ea7e9 Mon Sep 17 00:00:00 2001
+From caac2ba644741d6e09e80671612ae34f5f7dbf24 Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Mon, 12 Jan 2015 06:18:31 -0600
-Subject: [PATCH 09/10] initialize setproctitle where needed
+Subject: [PATCH 09/11] initialize setproctitle where needed
 
 We need to save a copy of argv and __progname to avoid setproctitle
 clobbering them.
@@ -10,7 +10,7 @@ clobbering them.
  1 file changed, 20 insertions(+)
 
 diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
-index 304e050..4d2d11d 100644
+index c7935bf..44caa80 100644
 --- a/src/usr.sbin/ntpd/ntpd.c
 +++ b/src/usr.sbin/ntpd/ntpd.c
 @@ -112,6 +112,13 @@ usage(void)

patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch

@@ -1,7 +1,7 @@
-From f529c668149aea4c10d3192e9f17631c268ab547 Mon Sep 17 00:00:00 2001
+From e659eb618e6f0563c7db796a0ba71569a1c4da27 Mon Sep 17 00:00:00 2001
 From: Brent Cook <busterb@gmail.com>
 Date: Mon, 12 Jan 2015 21:17:35 -0600
-Subject: [PATCH 10/10] document SIGUSR1 fallback if SIGINFO is not
+Subject: [PATCH 10/11] document SIGUSR1 fallback if SIGINFO is not
  implemented.
 
 ---
@@ -9,10 +9,10 @@ Subject: [PATCH 10/10] document SIGUSR1 fallback if SIGINFO is not
  1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/src/usr.sbin/ntpd/ntpd.8 b/src/usr.sbin/ntpd/ntpd.8
-index 9eb1fee..b15912f 100644
+index b11b5ca..24f08e0 100644
 --- a/src/usr.sbin/ntpd/ntpd.8
 +++ b/src/usr.sbin/ntpd/ntpd.8
-@@ -126,7 +126,11 @@ When
+@@ -129,7 +129,11 @@ When
  .Pq engine
  receives a
  .Dv SIGINFO

patches/0011-Account-for-integer-overflows-with-a-32-bit-time_t.patch

@@ -1,64 +0,0 @@
-From 0155adc8a0e61c0b1b7dc8febcba049b0d84bb31 Mon Sep 17 00:00:00 2001
-From: Brent Cook <busterb@gmail.com>
-Date: Sun, 22 Mar 2015 16:18:20 -0500
-Subject: [PATCH 11/11] Account for integer overflows with a 32-bit time_t
-
-If the current time is set past Feb. 2036, adding the NTP epoch offset
-overflows the time_t. While all systems in 2036 should have been running
-with a larger time_t for some time, today an invalid system clock cannot
-be reset with the overflow.
-
-Thanks to @Romua1d on github for point it out.
----
- src/usr.sbin/ntpd/client.c |  6 +++++-
- src/usr.sbin/ntpd/util.c   | 12 ++++++++++--
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
-index d47869b..70879c0 100644
---- a/src/usr.sbin/ntpd/client.c
-+++ b/src/usr.sbin/ntpd/client.c
-@@ -269,7 +269,11 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
- 		if (cmsg->cmsg_level == SOL_SOCKET &&
- 		    cmsg->cmsg_type == SCM_TIMESTAMP) {
- 			memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv));
--			T4 += tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec;
-+			/*
-+			 * account for overflow that occurs on OSes that still
-+			 * have a 32-bit time_t.
-+			 */
-+			T4 += (uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec;
- 			break;
- 		}
- 	}
-diff --git a/src/usr.sbin/ntpd/util.c b/src/usr.sbin/ntpd/util.c
-index 0867ed7..e9f6d50 100644
---- a/src/usr.sbin/ntpd/util.c
-+++ b/src/usr.sbin/ntpd/util.c
-@@ -45,13 +45,21 @@ gettime(void)
- 	if (gettimeofday(&tv, NULL) == -1)
- 		fatal("gettimeofday");
- 
--	return (tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);
-+	/*
-+	 * account for overflow that occurs on OSes that still
-+	 * have a 32-bit time_t.
-+	 */
-+	return ((uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);
- }
- 
- double
- gettime_from_timeval(struct timeval *tv)
- {
--	return (tv->tv_sec + JAN_1970 + 1.0e-6 * tv->tv_usec);
-+	/*
-+	 * account for overflow that occurs on OSes that still
-+	 * have a 32-bit time_t.
-+	 */
-+	return ((uint64_t)tv->tv_sec + JAN_1970 + 1.0e-6 * tv->tv_usec);
- }
- 
- time_t
--- 
-1.9.1
-

patches/0011-Notify-the-user-when-constraint-support-is-disabled.patch

@@ -0,0 +1,66 @@
+From c964f9f8a4ca92d961255935ac1ed2f681702607 Mon Sep 17 00:00:00 2001
+From: Brent Cook <busterb@gmail.com>
+Date: Fri, 27 Mar 2015 23:14:15 -0500
+Subject: [PATCH 11/11] Notify the user when constraint support is disabled.
+
+Update the manpage and make a constraint line a fatal error if it is
+configured but ntpd is built without libtls present.
+From Paul B. Henson.
+---
+ src/usr.sbin/ntpd/config.c    | 3 +++
+ src/usr.sbin/ntpd/ntp.c       | 2 ++
+ src/usr.sbin/ntpd/ntpd.conf.5 | 7 +++++--
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
+index 2e39604..779aed6 100644
+--- a/src/usr.sbin/ntpd/config.c
++++ b/src/usr.sbin/ntpd/config.c
+@@ -218,6 +218,9 @@ new_constraint(void)
+ 		fatal("new_constraint calloc");
+ 	p->id = ++constraint_maxid;
+ 
++#ifndef HAVE_LIBTLS
++	fatal("constraint configured without libtls support");
++#endif
+ 	return (p);
+ }
+ 
+diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
+index 0a9b4be..eb8af7b 100644
+--- a/src/usr.sbin/ntpd/ntp.c
++++ b/src/usr.sbin/ntpd/ntp.c
+@@ -112,10 +112,12 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
+ 
+ 	tls_init();
+ 
++#ifdef HAVE_LIBTLS
+ 	/* Verification will be turned off if CA is not found */
+ 	if ((conf->ca = tls_load_file(CONSTRAINT_CA,
+ 	    &conf->ca_len, NULL)) == NULL)
+ 		log_warnx("constraint certificate verification turned off");
++#endif
+ 
+ 	/* in this case the parent didn't init logging and didn't daemonize */
+ 	if (nconf->settime && !nconf->debug) {
+diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
+index 25efcae..2dee297 100644
+--- a/src/usr.sbin/ntpd/ntpd.conf.5
++++ b/src/usr.sbin/ntpd/ntpd.conf.5
+@@ -191,8 +191,11 @@ authenticated constraint,
+ thereby reducing the impact of unauthenticated NTP
+ man-in-the-middle attacks.
+ Received NTP packets with time information falling outside of a range
+-near the constraint will be discarded and such NTP servers
+-will be marked as invalid.
++near the constraint will be discarded and such NTP servers will be marked as
++invalid. Contraints are only available if
++.Xr ntpd 8
++has been compiled with libtls support. Configuring a constraint without libtls
++support will result in a fatal error.
+ .Bl -tag -width Ds
+ .It Ic constraint from Ar url
+ Specify the URL, IP address or the hostname of an HTTPS server to
+-- 
+1.9.1
+