author | Paul Eggleton <paul.eggleton@linux.intel.com> | 2014-12-25 22:29:03 +0000 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2014-12-29 14:48:20 -0500 |
commit | fb6b87bf67a2dbe6b50143eb8429c736f61fea2e (patch) | |
tree | ef66373b40f575e19f7f2904c0b166901d44758c /meta-networking/recipes-support/ntp/ntp | |
parent | 3e0c561ea7a50a15f077f1a51c0cdc7a958a1c86 (diff) | |
download | meta-openembedded-fb6b87bf67a2dbe6b50143eb8429c736f61fea2e.tar.gz |
ntp: upgrade to 4.2.8
* Upgrade to 4.2.8 which fixes several security issues, including
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296. For
more details please see:
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A
* LIC_FILES_CHKSUM changed due to a number of copyright year and patch
list changes; nothing material about the license text changed.
* This version moves a number of binaries from sbindir to bindir;
there's supposed to be a configure option --with-locfile=legacy to use
the old layout but it does not seem to work. I guess we'll just have
to live with the change.
* Drop patches which are no longer applicable.
* Merge inc file into recipe; there were too many changes required to
the inc file in this version and it's unlikely it was much use split
out in any case.
* Move remaining files in files/ to ntp/
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'meta-networking/recipes-support/ntp/ntp')
6 files changed, 347 insertions, 0 deletions
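diff --git a/meta-networking/recipes-support/ntp/ntp/ntp-4.2.4_p6-nano.patch b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.4_p6-nano.patch
new file mode 100644
index 000000000..cb1e2f734
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.4_p6-nano.patch
@@ -0,0 +1,17 @@
+--- a/include/ntp_syscall.h.orig 2009-05-19 16:44:55.048156467 -0400
++++ b/include/ntp_syscall.h 2009-05-19 16:46:19.293323686 -0400
+@@ -14,6 +14,14 @@
+# include <sys/timex.h>
+#endif
+
++#if defined(ADJ_NANO) && !defined(MOD_NANO)
++#define MOD_NANO ADJ_NANO
++#endif
++
++#if defined(ADJ_TAI) && !defined(MOD_TAI)
++#define MOD_TAI ADJ_TAI
++#endif
++
+#ifndef NTP_SYSCALLS_LIBC
+#ifdef NTP_SYSCALLS_STD
+# define ntp_adjtime(t) syscall(SYS_ntp_adjtime, (t))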
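Review bot: The new ntp-4.2.4_p6-nano.patch has no header: it starts directly at `--- a/include/ntp_syscall.h.orig`, with no description, `Signed-off-by:` or `Upstream-Status:` line, unlike ntp-4.2.8-ntp-keygen-no-openssl.patch in the same commit. A patch carried against a network-facing daemon should record where it came from and whether upstream has it, so a one-line description plus an `Upstream-Status:` line at the top would make later audits easier. The file name still says 4.2.4_p6 while the recipe moves to 4.2.8, so the header is also the place to state that the `MOD_NANO`/`MOD_TAI` fallbacks are still required with the new version.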
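diff --git a/meta-networking/recipes-support/ntp/ntp/ntp-4.2.8-ntp-keygen-no-openssl.patch b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.8-ntp-keygen-no-openssl.patch
new file mode 100644
index 000000000..9b9af63ca
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.8-ntp-keygen-no-openssl.patch
@@ -0,0 +1,168 @@
+Fix ntp-keygen build without OpenSSL
+
+Patch borrowed from Gentoo, originally from upstream
+Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
+Upstream-Status: Backport
+
+Upstream commit:
+http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg
+Gentoo bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=533238
+
+Signed-off-by: Markos Chandras <hwoarang@gentoo.org>
+Index: ntp-4.2.8/Makefile.am
+===================================================================
+--- ntp-4.2.8.orig/Makefile.am
++++ ntp-4.2.8/Makefile.am
+@@ -2,7 +2,10 @@ ACLOCAL_AMFLAGS = -I sntp/m4 -I sntp/lib
+
+NULL =
+
++# moved sntp first to get libtool and libevent built.
++
+SUBDIRS = \
++ sntp \
+scripts \
+include \
+libntp \
+@@ -17,7 +20,6 @@ SUBDIRS = \
+clockstuff \
+kernel \
+util \
+- sntp \
+tests \
+$(NULL)
+
+@@ -64,7 +66,6 @@ BUILT_SOURCES = \
+.gcc-warning \
+'libtool \
+html/.datecheck \
+- sntp/built-sources-only \
+$(srcdir)/COPYRIGHT \
+$(srcdir)/.checkChangeLog \
+$(NULL)
+Index: ntp-4.2.8/configure.ac
+===================================================================
+--- ntp-4.2.8.orig/configure.ac
++++ ntp-4.2.8/configure.ac
+@@ -102,7 +102,7 @@ esac
+enable_nls=no
+LIBOPTS_CHECK_NOBUILD([sntp/libopts])
+
+-NTP_ENABLE_LOCAL_LIBEVENT
++NTP_LIBEVENT_CHECK_NOBUILD([2], [sntp/libevent])
+
+NTP_LIBNTP
+
+@@ -771,6 +771,10 @@ esac
+
+####
+
++AC_CHECK_FUNCS([arc4random_buf])
++
++####
++
+saved_LIBS="$LIBS"
+LIBS="$LIBS $LDADD_LIBNTP"
+AC_CHECK_FUNCS([daemon])
+Index: ntp-4.2.8/libntp/ntp_crypto_rnd.c
+===================================================================
+--- ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c
++++ ntp-4.2.8/libntp/ntp_crypto_rnd.c
+@@ -24,6 +24,21 @@
+int crypto_rand_init = 0;
+#endif
+
++#ifndef HAVE_ARC4RANDOM_BUF
++static void
++arc4random_buf(void *buf, size_t nbytes);
++
++void
++evutil_secure_rng_get_bytes(void *buf, size_t nbytes);
++
++static void
++arc4random_buf(void *buf, size_t nbytes)
++{
++ evutil_secure_rng_get_bytes(buf, nbytes);
++ return;
++}
++#endif
++
+/*
+* As of late 2014, here's how we plan to provide cryptographic-quality
+* random numbers:
+Index: ntp-4.2.8/sntp/configure.ac
+===================================================================
+--- ntp-4.2.8.orig/sntp/configure.ac
++++ ntp-4.2.8/sntp/configure.ac
+@@ -97,11 +97,14 @@ esac
+enable_nls=no
+LIBOPTS_CHECK
+
+-AM_COND_IF(
+- [BUILD_SNTP],
+- [NTP_LIBEVENT_CHECK],
+- [NTP_LIBEVENT_CHECK_NOBUILD]
+-)
++# From when we only used libevent for sntp:
++#AM_COND_IF(
++# [BUILD_SNTP],
++# [NTP_LIBEVENT_CHECK],
++# [NTP_LIBEVENT_CHECK_NOBUILD]
++#)
++
++NTP_LIBEVENT_CHECK([2])
+
+# Checks for libraries.
+
+Index: ntp-4.2.8/sntp/m4/ntp_libevent.m4
+===================================================================
+--- ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4
++++ ntp-4.2.8/sntp/m4/ntp_libevent.m4
+@@ -1,4 +1,25 @@
+-dnl NTP_ENABLE_LOCAL_LIBEVENT -*- Autoconf -*-
++# SYNOPSIS -*- Autoconf -*-
++#
++# NTP_ENABLE_LOCAL_LIBEVENT
++# NTP_LIBEVENT_CHECK([MINVERSION [, DIR]])
++# NTP_LIBEVENT_CHECK_NOBUILD([MINVERSION [, DIR]])
++#
++# DESCRIPTION
++#
++# AUTHOR
++#
++# Harlan Stenn
++#
++# LICENSE
++#
++# This file is Copyright (c) 2014 Network Time Foundation
++#
++# Copying and distribution of this file, with or without modification, are
++# permitted in any medium without royalty provided the copyright notice,
++# author attribution and this notice are preserved. This file is offered
++# as-is, without any warranty.
++
++dnl NTP_ENABLE_LOCAL_LIBEVENT
+dnl
+dnl Provide only the --enable-local-libevent command-line option.
+dnl
+@@ -29,7 +50,7 @@ dnl If NOBUILD is provided as the 3rd ar
+dnl but DO NOT invoke DIR/configure if we are going to use our bundled
+dnl version. This may be the case for nested packages.
+dnl
+-dnl provide --enable-local-libevent .
++dnl provides --enable-local-libevent .
+dnl
+dnl Examples:
+dnl
+Index: ntp-4.2.8/util/Makefile.am
+===================================================================
+--- ntp-4.2.8.orig/util/Makefile.am
++++ ntp-4.2.8/util/Makefile.am
+@@ -19,6 +19,7 @@ AM_LDFLAGS = $(LDFLAGS_NTP)
+LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS)
+tg2_LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM)
+ntp_keygen_LDADD = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a
++ntp_keygen_LDADD += $(LDADD_LIBEVENT)
+ntp_keygen_LDADD += $(LDADD_LIBNTP) $(PTHREAD_LIBS) $(LDADD_NTP) $(LIBM)
+ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h
+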
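Review bot: The `arc4random_buf()` fallback added to libntp/ntp_crypto_rnd.c returns void and forwards to `evutil_secure_rng_get_bytes()`, and nothing visible in the hunk confirms that libevent's generator was seeded before key material is drawn from it. libevent offers `evutil_secure_rng_init()`, which returns -1 when no seeding source is usable and is meant to be called before a process gives up file access; the init script in this same commit starts ntpd with `-u ntp:ntp`. I would call it once in this file's initialisation path, which lies outside the hunk, and treat failure as fatal, e.g. `if (evutil_secure_rng_init() != 0) { msyslog(LOG_ERR, "cannot seed RNG"); exit(1); }`. A short comment above the fallback, `/* used when libc lacks arc4random_buf(); relies on libevent's seeded RNG */`, would also tell the next reader why a libevent symbol is declared by hand here.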
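diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf
new file mode 100644
index 000000000..676e18645
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf
@@ -0,0 +1,17 @@
+# This is the most basic ntp configuration file
+# The driftfile must remain in a place specific to this
+# machine - it records the machine specific clock error
+driftfile /var/lib/ntp/drift
+# This should be a server that is close (in IP terms)
+# to the machine. Add other servers as required.
+# Unless you un-comment the line below ntpd will sync
+# only against the local system clock.
+#
+# server time.server.example.com
+#
+# Using local hardware clock as fallback
+# Disable this when using ntpd -q -g -x as ntpdate or it will sync to itself
+server 127.127.1.0
+fudge 127.127.1.0 stratum 14
+# Defining a default security setting
+restrict default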
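Review bot: `restrict default` on the last line carries no flags, which in ntpd's access-control syntax leaves the default entry unrestricted, so the comment "Defining a default security setting" promises more than the line delivers. Since this upgrade is motivated by remotely reachable ntpd flaws, the shipped default should at least refuse remote queries and runtime configuration: `restrict default kod nomodify notrap nopeer noquery`, followed by `restrict 127.0.0.1` and `restrict ::1` so local ntpq keeps working. Whether IPv6 needs its own `restrict -6 default ...` entry should be checked against the 4.2.8 documentation before relying on a single line.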
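diff --git a/meta-networking/recipes-support/ntp/ntp/ntpd b/meta-networking/recipes-support/ntp/ntp/ntpd
new file mode 100755
index 000000000..d1b9c4907
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/ntpd
@@ -0,0 +1,84 @@
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: ntp
+# Required-Start: $network $remote_fs $syslog
+# Required-Stop: $network $remote_fs $syslog
+# Default-Start: 2 3 4 5
+# Default-Stop:
+# Short-Description: Start NTP daemon
+### END INIT INFO
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+DAEMON=/usr/sbin/ntpd
+PIDFILE=/var/run/ntpd.pid
+
+# ntpd init.d script for ntpdc from ntp.isc.org
+test -x $DAEMON -a -r /etc/ntp.conf || exit 0
+
+# rcS contains TICKADJ
+test -r /etc/default/rcS && . /etc/default/rcS
+
+# Source function library.
+. /etc/init.d/functions
+
+# Functions to do individual actions
+settick(){
+# If TICKADJ is set we *must* adjust it before we start, because the
+# driftfile relies on the correct setting
+test -n "$TICKADJ" -a -x /usr/sbin/tickadj && {
+echo -n "Setting tick to $TICKADJ: "
+/usr/sbin/tickadj "$TICKADJ"
+echo "done"
+}
+}
+startdaemon(){
+# The -g option allows ntpd to step the time to correct it just
+# once. The daemon will exit if the clock drifts too much after
+# this. If ntpd seems to disappear after a while assume TICKADJ
+# above is set to a totally incorrect value.
+echo -n "Starting ntpd: "
+start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -u ntp:ntp -p $PIDFILE "$@"
+echo "done"
+}
+stopdaemon(){
+echo -n "Stopping ntpd: "
+start-stop-daemon --stop --quiet --oknodo -p $PIDFILE
+echo "done"
+}
+
+case "$1" in
+start)
+settick
+startdaemon -g
+;;
+stop)
+stopdaemon
+;;
+force-reload)
+stopdaemon
+settick
+startdaemon -g
+;;
+restart)
+# Don't reset the tick here
+stopdaemon
+startdaemon -g
+;;
+reload)
+# Must do this by hand, but don't do -g
+stopdaemon
+startdaemon
+;;
+status)
+status /usr/sbin/ntpd;
+exit $?
+;;
+*)
+echo "Usage: ntpd { start | stop | status | restart | reload }" >&2
+exit 1
+;;
+esac
+
+exit 0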
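Review bot: `DAEMON=/usr/sbin/ntpd`, `/usr/sbin/tickadj` and `status /usr/sbin/ntpd` are hard-coded while the commit message says 4.2.8 moves a number of binaries from sbindir to bindir; if one of them moved, `test -x $DAEMON -a -r /etc/ntp.conf || exit 0` ends the script with success and nothing is started. The recipe is not part of this view and may rewrite these paths at install time; if it does not, a missing daemon should be reported rather than hidden, e.g. `test -x "$DAEMON" || { echo "ntpd: $DAEMON not found" >&2; exit 5; }`, and `status "$DAEMON"` should reuse the variable. The ntpdate script in this commit follows the same pattern with `test -x /usr/sbin/ntpdate || exit 0` and a hard-coded `/usr/sbin/ntpdate` call. A host that silently runs without time sync weakens certificate validity checks and makes log correlation unreliable.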
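diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate
new file mode 100755
index 000000000..17b64d133
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/ntpdate
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+PATH=/sbin:/bin:/usr/bin:/usr/sbin
+
+test -x /usr/sbin/ntpdate || exit 0
+
+if test -f /etc/default/ntpdate ; then
+. /etc/default/ntpdate
+fi
+
+if [ "$NTPSERVERS" = "" ] ; then
+if [ "$METHOD" = "" -a "$1" != "silent" ] ; then
+echo "Please set NTPSERVERS in /etc/default/ntpdate"
+exit 1
+else
+exit 0
+fi
+fi
+
+# This is a heuristic: The idea is that if a static interface is brought
+# up, that is a major event, and we can put in some extra effort to fix
+# the system time. Feel free to change this, especially if you regularly
+# bring up new network interfaces.
+if [ "$METHOD" = static ]; then
+OPTS="-b"
+fi
+
+if [ "$METHOD" = loopback ]; then
+exit 0
+fi
+
+(
+
+LOCKFILE=/var/lock/ntpdate
+
+# Avoid running more than one at a time
+if [ -x /usr/bin/lockfile-create ]; then
+lockfile-create $LOCKFILE
+lockfile-touch $LOCKFILE &
+LOCKTOUCHPID="$!"
+fi
+
+if /usr/sbin/ntpdate -s $OPTS $NTPSERVERS 2>/dev/null; then
+if [ "$UPDATE_HWCLOCK" = "yes" ]; then
+hwclock --systohc || :
+fi
+fi
+
+if [ -x /usr/bin/lockfile-create ] ; then
+kill $LOCKTOUCHPID
+lockfile-remove $LOCKFILE
+fi
+
+) &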
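Review bot: The result of `lockfile-create $LOCKFILE` is ignored, so when the lock cannot be taken the subshell still runs ntpdate and the "Avoid running more than one at a time" comment is not enforced; `lockfile-create $LOCKFILE || exit 0` inside the subshell would stop the second instance. `OPTS` is never initialised, so a value inherited from the caller's environment is passed to ntpdate unchanged; an `OPTS=""` line ahead of `. /etc/default/ntpdate` makes the starting value explicit while still letting the defaults file set it. `2>/dev/null` discards the reason for a failed sync, so a comment stating that `-s` sends ntpdate's output to syslog would tell the reader where to look.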
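diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate.default b/meta-networking/recipes-support/ntp/ntp/ntpdate.default
new file mode 100644
index 000000000..486b6e07d
--- /dev/null
+++ b/meta-networking/recipes-support/ntp/ntp/ntpdate.default
@@ -0,0 +1,7 @@
+# Configuration script used by ntpdate-sync script
+
+NTPSERVERS=""
+
+# Set to "yes" to write time to hardware clock on success
+UPDATE_HWCLOCK="no"
+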