From 22bd0a37e9cb18f06a16817716e9c8f67bb63756 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Fri, 27 Mar 2015 23:16:46 -0500 Subject: [PATCH] Update patches: remove integer overflow, add constraint helper --- ...records-on-IPv4-networks-more-libera.patch | 6 +- ...EAI_NODATA-does-not-exist-everywhere.patch | 4 +- ...P-syslog-facility-if-it-is-available.patch | 4 +- ...ll-in-sin_len-sin6_len-if-they-exist.patch | 4 +- ...heck-if-rdomain-support-is-available.patch | 6 +- ...onf-to-indicate-OS-dependent-options.patch | 6 +- ...ding-default-user-and-file-locations.patch | 4 +- ...08-add-p-option-to-create-a-pid-file.patch | 16 ++--- ...initialize-setproctitle-where-needed.patch | 6 +- ...-fallback-if-SIGINFO-is-not-implemen.patch | 8 +-- ...teger-overflows-with-a-32-bit-time_t.patch | 64 ------------------ ...-when-constraint-support-is-disabled.patch | 66 +++++++++++++++++++ 12 files changed, 98 insertions(+), 96 deletions(-) delete mode 100644 patches/0011-Account-for-integer-overflows-with-a-32-bit-time_t.patch create mode 100644 patches/0011-Notify-the-user-when-constraint-support-is-disabled.patch diff --git a/patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch b/patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch index 4549a1e..0bc92a3 100644 --- a/patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch +++ b/patches/0001-Handle-IPv6-DNS-records-on-IPv4-networks-more-libera.patch @@ -1,7 +1,7 @@ -From 9e246d0c8dbe98db5e2408a3472d380ddebf7717 Mon Sep 17 00:00:00 2001 +From 12b5412a7b2004ade1ece0872151c8fe3bb40e04 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 30 Dec 2014 09:10:22 -0600 -Subject: [PATCH 01/10] Handle IPv6 DNS records on IPv4 networks more liberally +Subject: [PATCH 01/11] Handle IPv6 DNS records on IPv4 networks more liberally Rather than fail on IPv4 only networks when seeing an IPv6 DNS record, just give a warning. 
@@ -13,7 +13,7 @@ Original Author: Stefan Praszalowicz 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c -index 21711ae..18aa81d 100644 +index 1d982d6..e717d69 100644 --- a/src/usr.sbin/ntpd/client.c +++ b/src/usr.sbin/ntpd/client.c @@ -138,9 +138,16 @@ client_query(struct ntp_peer *p) diff --git a/patches/0002-EAI_NODATA-does-not-exist-everywhere.patch b/patches/0002-EAI_NODATA-does-not-exist-everywhere.patch index 6372922..8d70515 100644 --- a/patches/0002-EAI_NODATA-does-not-exist-everywhere.patch +++ b/patches/0002-EAI_NODATA-does-not-exist-everywhere.patch @@ -1,7 +1,7 @@ -From 27af6267c4062130307e30a807bda9fb71ae0760 Mon Sep 17 00:00:00 2001 +From 1e47d56c25f283ed9fe71594bed96eaf15babc5e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 30 Dec 2014 09:04:08 -0600 -Subject: [PATCH 02/10] EAI_NODATA does not exist everywhere +Subject: [PATCH 02/11] EAI_NODATA does not exist everywhere FreeBSD says it is deprecated #ifdef's it out. diff --git a/patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch b/patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch index 240995c..d3dc870 100644 --- a/patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch +++ b/patches/0003-Use-LOG_NTP-syslog-facility-if-it-is-available.patch @@ -1,7 +1,7 @@ -From 627d0d1bf727acc53e2ac58136aec4780f2fdf61 Mon Sep 17 00:00:00 2001 +From 1428f299aa499b50fcd18e63b1493bae8d2714ab Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 12 Jan 2015 21:16:54 -0600 -Subject: [PATCH 03/10] Use LOG_NTP syslog facility if it is available +Subject: [PATCH 03/11] Use LOG_NTP syslog facility if it is available FreeBSD PR: 114191 Submitted by: Robert Archer diff --git a/patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch b/patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch index 26b7698..522d1ff 100644 
--- a/patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch +++ b/patches/0004-conditionally-fill-in-sin_len-sin6_len-if-they-exist.patch @@ -1,7 +1,7 @@ -From 4a0d934afddc6c9f0f736de84509a7c671f27ddd Mon Sep 17 00:00:00 2001 +From b5bb8f5408cd54fff33d64c8f28d3847648334ab Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 30 Dec 2014 09:02:50 -0600 -Subject: [PATCH 04/10] conditionally fill in sin_len/sin6_len if they exist +Subject: [PATCH 04/11] conditionally fill in sin_len/sin6_len if they exist --- src/usr.sbin/ntpd/config.c | 8 ++++++++ diff --git a/patches/0005-check-if-rdomain-support-is-available.patch b/patches/0005-check-if-rdomain-support-is-available.patch index d36a5de..0502842 100644 --- a/patches/0005-check-if-rdomain-support-is-available.patch +++ b/patches/0005-check-if-rdomain-support-is-available.patch @@ -1,7 +1,7 @@ -From d5d1799dba61af8a263507839a9a2f92293093ae Mon Sep 17 00:00:00 2001 +From 63674f2828a535709805738711503c08efb0e7d4 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 30 Dec 2014 09:05:46 -0600 -Subject: [PATCH 05/10] check if rdomain support is available. +Subject: [PATCH 05/11] check if rdomain support is available. Handle FreeBSD's calling rdomain 'FIB'. - from naddy@openbsd.org @@ -13,7 +13,7 @@ Handle FreeBSD's calling rdomain 'FIB'. 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c -index 18aa81d..d47869b 100644 +index e717d69..2be1f93 100644 --- a/src/usr.sbin/ntpd/client.c +++ b/src/usr.sbin/ntpd/client.c @@ -149,10 +149,12 @@ client_query(struct ntp_peer *p) diff --git a/patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch b/patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch index c5243a9..9f93e3f 100644 --- a/patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch +++ b/patches/0006-update-ntpd.conf-to-indicate-OS-dependent-options.patch 
@@ -1,7 +1,7 @@ -From 78693e2c2d509ef30ca5a2f942657b94887bdc4e Mon Sep 17 00:00:00 2001 +From a65fc1f204c49a92d3b15866c7468576f0088929 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Tue, 30 Dec 2014 09:20:03 -0600 -Subject: [PATCH 06/10] update ntpd.conf to indicate OS-dependent options +Subject: [PATCH 06/11] update ntpd.conf to indicate OS-dependent options Also, clarify listening behavior based on a patch from Dererk @@ -11,7 +11,7 @@ Debian bug ID: 575705 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5 -index accc87b..8ece0de 100644 +index 0254fa7..25efcae 100644 --- a/src/usr.sbin/ntpd/ntpd.conf.5 +++ b/src/usr.sbin/ntpd/ntpd.conf.5 @@ -38,9 +38,14 @@ The basic configuration options are as follows: diff --git a/patches/0007-allow-overriding-default-user-and-file-locations.patch b/patches/0007-allow-overriding-default-user-and-file-locations.patch index 9c33ccd..7f179d5 100644 --- a/patches/0007-allow-overriding-default-user-and-file-locations.patch +++ b/patches/0007-allow-overriding-default-user-and-file-locations.patch @@ -1,7 +1,7 @@ -From 2c3e47ccae2f7e15ca324489968e208c215fef5a Mon Sep 17 00:00:00 2001 +From ee0a5875edc403406175dc8b21c4d20448f9f6de Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Thu, 1 Jan 2015 07:18:11 -0600 -Subject: [PATCH 07/10] allow overriding default user and file locations +Subject: [PATCH 07/11] allow overriding default user and file locations Allow the build process to override the default ntpd file paths and default user. diff --git a/patches/0008-add-p-option-to-create-a-pid-file.patch b/patches/0008-add-p-option-to-create-a-pid-file.patch index 86a4128..a030d62 100644 --- a/patches/0008-add-p-option-to-create-a-pid-file.patch +++ b/patches/0008-add-p-option-to-create-a-pid-file.patch @@ -1,7 +1,7 @@ -From 39b0d8bc55f07cc2d15c7a60ee77c41e00b8c9b1 Mon Sep 17 00:00:00 2001 +From c699cfbb1e9fb4acc10f12642ce497e38c013391 Mon Sep 17 00:00:00 2001 
From: Brent Cook Date: Wed, 31 Dec 2014 08:26:41 -0600 -Subject: [PATCH 08/10] add -p option to create a pid file +Subject: [PATCH 08/11] add -p option to create a pid file This is used in both the Gentoo and Debian ports. @@ -13,7 +13,7 @@ Origin: https://bugs.gentoo.org/show_bug.cgi?id=493082 3 files changed, 33 insertions(+), 5 deletions(-) diff --git a/src/usr.sbin/ntpd/ntpd.8 b/src/usr.sbin/ntpd/ntpd.8 -index 18b12e8..9eb1fee 100644 +index af56fb9..b11b5ca 100644 --- a/src/usr.sbin/ntpd/ntpd.8 +++ b/src/usr.sbin/ntpd/ntpd.8 @@ -25,6 +25,7 @@ @@ -24,7 +24,7 @@ index 18b12e8..9eb1fee 100644 .Ek .Sh DESCRIPTION The -@@ -56,6 +57,9 @@ instead of the default +@@ -59,6 +60,9 @@ instead of the default .It Fl n Configtest mode. Only check the configuration file for validity. @@ -35,7 +35,7 @@ index 18b12e8..9eb1fee 100644 Do not set the time immediately at startup. This is the default. diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c -index a02d9f5..304e050 100644 +index 045bdd4..c7935bf 100644 --- a/src/usr.sbin/ntpd/ntpd.c +++ b/src/usr.sbin/ntpd/ntpd.c @@ -83,6 +83,18 @@ sighdlr(int sig) @@ -59,7 +59,7 @@ index a02d9f5..304e050 100644 { @@ -92,7 +104,7 @@ usage(void) fprintf(stderr, - "usage: ntpctl [-s all | peers | Sensors | status]\n"); + "usage: ntpctl -s all | peers | Sensors | status\n"); else - fprintf(stderr, "usage: %s [-dnSsv] [-f file]\n", + fprintf(stderr, "usage: %s [-dnSsv] [-f file] [-p file]\n", @@ -134,10 +134,10 @@ index a02d9f5..304e050 100644 timeout = INFTIM; break; diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h -index cfbd603..8f13b00 100644 +index 4d5b3ad..6403391 100644 --- a/src/usr.sbin/ntpd/ntpd.h +++ b/src/usr.sbin/ntpd/ntpd.h -@@ -237,6 +237,7 @@ struct ntpd_conf { +@@ -239,6 +239,7 @@ struct ntpd_conf { u_int constraint_errors; u_int8_t *ca; size_t ca_len; 
diff --git a/patches/0009-initialize-setproctitle-where-needed.patch b/patches/0009-initialize-setproctitle-where-needed.patch index 79f96ef..f7f78c2 100644 --- a/patches/0009-initialize-setproctitle-where-needed.patch +++ b/patches/0009-initialize-setproctitle-where-needed.patch @@ -1,7 +1,7 @@ -From f22fd1f0b3f4f5ec49c668f95776cee5214ea7e9 Mon Sep 17 00:00:00 2001 +From caac2ba644741d6e09e80671612ae34f5f7dbf24 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 12 Jan 2015 06:18:31 -0600 -Subject: [PATCH 09/10] initialize setproctitle where needed +Subject: [PATCH 09/11] initialize setproctitle where needed We need to save a copy of argv and __progname to avoid setproctitle clobbering them. @@ -10,7 +10,7 @@ clobbering them. 1 file changed, 20 insertions(+) diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c -index 304e050..4d2d11d 100644 +index c7935bf..44caa80 100644 --- a/src/usr.sbin/ntpd/ntpd.c +++ b/src/usr.sbin/ntpd/ntpd.c @@ -112,6 +112,13 @@ usage(void) diff --git a/patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch b/patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch index 57a80f9..8ae1ea6 100644 --- a/patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch +++ b/patches/0010-document-SIGUSR1-fallback-if-SIGINFO-is-not-implemen.patch @@ -1,7 +1,7 @@ -From f529c668149aea4c10d3192e9f17631c268ab547 Mon Sep 17 00:00:00 2001 +From e659eb618e6f0563c7db796a0ba71569a1c4da27 Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Mon, 12 Jan 2015 21:17:35 -0600 -Subject: [PATCH 10/10] document SIGUSR1 fallback if SIGINFO is not +Subject: [PATCH 10/11] document SIGUSR1 fallback if SIGINFO is not implemented. --- @@ -9,10 +9,10 @@ Subject: [PATCH 10/10] document SIGUSR1 fallback if SIGINFO is not 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/usr.sbin/ntpd/ntpd.8 b/src/usr.sbin/ntpd/ntpd.8 -index 9eb1fee..b15912f 100644 +index b11b5ca..24f08e0 100644 --- a/src/usr.sbin/ntpd/ntpd.8 
+++ b/src/usr.sbin/ntpd/ntpd.8 -@@ -126,7 +126,11 @@ When +@@ -129,7 +129,11 @@ When .Pq engine receives a .Dv SIGINFO diff --git a/patches/0011-Account-for-integer-overflows-with-a-32-bit-time_t.patch b/patches/0011-Account-for-integer-overflows-with-a-32-bit-time_t.patch deleted file mode 100644 index 3bf6364..0000000 --- a/patches/0011-Account-for-integer-overflows-with-a-32-bit-time_t.patch +++ /dev/null 
@@ -1,64 +0,0 @@
-From 0155adc8a0e61c0b1b7dc8febcba049b0d84bb31 Mon Sep 17 00:00:00 2001
-From: Brent Cook
-Date: Sun, 22 Mar 2015 16:18:20 -0500
-Subject: [PATCH 11/11] Account for integer overflows with a 32-bit time_t
-
-If the current time is set past Feb. 2036, adding the NTP epoch offset
-overflows the time_t. While all systems in 2036 should have been running
-with a larger time_t for some time, today an invalid system clock cannot
-be reset with the overflow.
-
-Thanks to @Romua1d on github for point it out.
----
- src/usr.sbin/ntpd/client.c | 6 +++++-
- src/usr.sbin/ntpd/util.c | 12 ++++++++++--
- 2 files changed, 15 insertions(+), 3 deletions(-)
-
-diff --git a/src/usr.sbin/ntpd/client.c b/src/usr.sbin/ntpd/client.c
-index d47869b..70879c0 100644
---- a/src/usr.sbin/ntpd/client.c
-+++ b/src/usr.sbin/ntpd/client.c
-@@ -269,7 +269,11 @@ client_dispatch(struct ntp_peer *p, u_int8_t settime)
- if (cmsg->cmsg_level == SOL_SOCKET &&
- cmsg->cmsg_type == SCM_TIMESTAMP) {
- memcpy(&tv, CMSG_DATA(cmsg), sizeof(tv));
-- T4 += tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec;
-+ /*
-+ * account for overflow that occurs on OSes that still
-+ * have a 32-bit time_t.
-+ */
-+ T4 += (uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec;
- break;
- }
- }
-diff --git a/src/usr.sbin/ntpd/util.c b/src/usr.sbin/ntpd/util.c
-index 0867ed7..e9f6d50 100644
---- a/src/usr.sbin/ntpd/util.c
-+++ b/src/usr.sbin/ntpd/util.c
-@@ -45,13 +45,21 @@ gettime(void)
- if (gettimeofday(&tv, NULL) == -1)
- fatal("gettimeofday");
-
-- return (tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);
-+ /*
-+ * account for overflow that occurs on OSes that still
-+ * have a 32-bit time_t.
-+ */
-+ return ((uint64_t)tv.tv_sec + JAN_1970 + 1.0e-6 * tv.tv_usec);
- }
-
- double
- gettime_from_timeval(struct timeval *tv)
- {
-- return (tv->tv_sec + JAN_1970 + 1.0e-6 * tv->tv_usec);
-+ /*
-+ * account for overflow that occurs on OSes that still
-+ * have a 32-bit time_t.
-+ */
-+ return ((uint64_t)tv->tv_sec + JAN_1970 + 1.0e-6 * tv->tv_usec);
- }
-
- time_t
---
-1.9.1
-
diff --git a/patches/0011-Notify-the-user-when-constraint-support-is-disabled.patch b/patches/0011-Notify-the-user-when-constraint-support-is-disabled.patch
new file mode 100644
index 0000000..512a89f
--- /dev/null
+++ b/patches/0011-Notify-the-user-when-constraint-support-is-disabled.patch
@@ -0,0 +1,66 @@
+From c964f9f8a4ca92d961255935ac1ed2f681702607 Mon Sep 17 00:00:00 2001
+From: Brent Cook
+Date: Fri, 27 Mar 2015 23:14:15 -0500
+Subject: [PATCH 11/11] Notify the user when constraint support is disabled.
+
+Update the manpage and make a constraint line a fatal error if it is
+configured but ntpd is built without libtls present.
+From Paul B. Henson.
+---
+ src/usr.sbin/ntpd/config.c | 3 +++
+ src/usr.sbin/ntpd/ntp.c | 2 ++
+ src/usr.sbin/ntpd/ntpd.conf.5 | 7 +++++--
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
+index 2e39604..779aed6 100644
+--- a/src/usr.sbin/ntpd/config.c
++++ b/src/usr.sbin/ntpd/config.c
+@@ -218,6 +218,9 @@ new_constraint(void)
+ fatal("new_constraint calloc");
+ p->id = ++constraint_maxid;
+
++#ifndef HAVE_LIBTLS
++ fatal("constraint configured without libtls support");
++#endif
+ return (p);
+ }
+
+diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
+index 0a9b4be..eb8af7b 100644
+--- a/src/usr.sbin/ntpd/ntp.c
++++ b/src/usr.sbin/ntpd/ntp.c
+@@ -112,10 +112,12 @@ ntp_main(int pipe_prnt[2], int fd_ctl, struct ntpd_conf *nconf,
+
+ tls_init();
+
++#ifdef HAVE_LIBTLS
+ /* Verification will be turned off if CA is not found */
+ if ((conf->ca = tls_load_file(CONSTRAINT_CA,
+ &conf->ca_len, NULL)) == NULL)
+ log_warnx("constraint certificate verification turned off");
++#endif
+
+ /* in this case the parent didn't init logging and didn't daemonize */
+ if (nconf->settime && !nconf->debug) {
+diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
+index 25efcae..2dee297 100644
+--- a/src/usr.sbin/ntpd/ntpd.conf.5
++++ b/src/usr.sbin/ntpd/ntpd.conf.5
+@@ -191,8 +191,11 @@ authenticated constraint,
+ thereby reducing the impact of unauthenticated NTP
+ man-in-the-middle attacks.
+ Received NTP packets with time information falling outside of a range
+-near the constraint will be discarded and such NTP servers
+-will be marked as invalid.
++near the constraint will be discarded and such NTP servers will be marked as
++invalid. Contraints are only available if
++.Xr ntpd 8
++has been compiled with libtls support. Configuring a constraint without libtls
++support will result in a fatal error.
+ .Bl -tag -width Ds
+ .It Ic constraint from Ar url
+ Specify the URL, IP address or the hostname of an HTTPS server to
+--
+1.9.1
+
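Review bot: The added ntpd.conf.5 line `++invalid. Contraints are only available if` misspells "Constraints" and should read `invalid. Constraints are only available if`, since this is the sentence operators will read to learn why their constraint line is now a fatal error. In the config.c part of the new patch the `#ifndef HAVE_LIBTLS` / `fatal("constraint configured without libtls support");` block is placed after the calloc and the `++constraint_maxid` increment; fatal() does not return so nothing leaks, but putting the guard as the first statement of new_constraint() (whose start lies outside the hunk) would state the intent up front and avoid allocating an object that is then discarded. In the ntp.c part, `tls_init();` stays outside the new `#ifdef HAVE_LIBTLS` guard, so a build without libtls still needs that symbol from a compatibility stub; if no such stub exists, the call should move inside the guard as well. Both enclosing functions, new_constraint() and ntp_main(), continue beyond the hunk.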