diff options
author | Paul Eggleton <paul.eggleton@linux.intel.com> | 2014-12-25 22:29:03 +0000 |
---|---|---|
committer | Joe MacDonald <joe_macdonald@mentor.com> | 2014-12-29 14:48:20 -0500 |
commit | fb6b87bf67a2dbe6b50143eb8429c736f61fea2e (patch) | |
tree | ef66373b40f575e19f7f2904c0b166901d44758c /meta-networking/recipes-support/ntp/ntp | |
parent | 3e0c561ea7a50a15f077f1a51c0cdc7a958a1c86 (diff) | |
download | meta-openembedded-contrib-fb6b87bf67a2dbe6b50143eb8429c736f61fea2e.tar.gz |
ntp: upgrade to 4.2.8
* Upgrade to 4.2.8 which fixes several security issues, including
CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296. For
more details please see:
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A
* LIC_FILES_CHKSUM changed due to a number of copyright year and patch
list changes; nothing material about the license text changed.
* This version moves a number of binaries from sbindir to bindir;
there's supposed to be a configure option --with-locfile=legacy to use
the old layout but it does not seem to work. I guess we'll just have
to live with the change.
* Drop patches which are no longer applicable.
* Merge inc file into recipe; there were too many changes required to
the inc file in this version and it's unlikely it was much use split
out in any case.
* Move remaining files in files/ to ntp/
Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Diffstat (limited to 'meta-networking/recipes-support/ntp/ntp')
6 files changed, 347 insertions, 0 deletions
diff --git a/meta-networking/recipes-support/ntp/ntp/ntp-4.2.4_p6-nano.patch b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.4_p6-nano.patch new file mode 100644 index 0000000000..cb1e2f7341 --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.4_p6-nano.patch @@ -0,0 +1,17 @@ +--- a/include/ntp_syscall.h.orig 2009-05-19 16:44:55.048156467 -0400 ++++ b/include/ntp_syscall.h 2009-05-19 16:46:19.293323686 -0400 +@@ -14,6 +14,14 @@ + # include <sys/timex.h> + #endif + ++#if defined(ADJ_NANO) && !defined(MOD_NANO) ++#define MOD_NANO ADJ_NANO ++#endif ++ ++#if defined(ADJ_TAI) && !defined(MOD_TAI) ++#define MOD_TAI ADJ_TAI ++#endif ++ + #ifndef NTP_SYSCALLS_LIBC + #ifdef NTP_SYSCALLS_STD + # define ntp_adjtime(t) syscall(SYS_ntp_adjtime, (t)) diff --git a/meta-networking/recipes-support/ntp/ntp/ntp-4.2.8-ntp-keygen-no-openssl.patch b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.8-ntp-keygen-no-openssl.patch new file mode 100644 index 0000000000..9b9af63ca3 --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/ntp-4.2.8-ntp-keygen-no-openssl.patch @@ -0,0 +1,168 @@ +Fix ntp-keygen build without OpenSSL + +Patch borrowed from Gentoo, originally from upstream +Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com> +Upstream-Status: Backport + +Upstream commit: +http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=5497b345z5MNTuNvJWuqPSje25NQTg +Gentoo bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=533238 + +Signed-off-by: Markos Chandras <hwoarang@gentoo.org> +Index: ntp-4.2.8/Makefile.am +=================================================================== +--- ntp-4.2.8.orig/Makefile.am ++++ ntp-4.2.8/Makefile.am +@@ -2,7 +2,10 @@ ACLOCAL_AMFLAGS = -I sntp/m4 -I sntp/lib + + NULL = + ++# moved sntp first to get libtool and libevent built. ++ + SUBDIRS = \ ++ sntp \ + scripts \ + include \ + libntp \ +@@ -17,7 +20,6 @@ SUBDIRS = \ + clockstuff \ + kernel \ + util \ +- sntp \ + tests \ + $(NULL) + +@@ -64,7 +66,6 @@ BUILT_SOURCES = \ + .gcc-warning \ + 'libtool \ + html/.datecheck \ +- sntp/built-sources-only \ + $(srcdir)/COPYRIGHT \ + $(srcdir)/.checkChangeLog \ + $(NULL) +Index: ntp-4.2.8/configure.ac +=================================================================== +--- ntp-4.2.8.orig/configure.ac ++++ ntp-4.2.8/configure.ac +@@ -102,7 +102,7 @@ esac + enable_nls=no + LIBOPTS_CHECK_NOBUILD([sntp/libopts]) + +-NTP_ENABLE_LOCAL_LIBEVENT ++NTP_LIBEVENT_CHECK_NOBUILD([2], [sntp/libevent]) + + NTP_LIBNTP + +@@ -771,6 +771,10 @@ esac + + #### + ++AC_CHECK_FUNCS([arc4random_buf]) ++ ++#### ++ + saved_LIBS="$LIBS" + LIBS="$LIBS $LDADD_LIBNTP" + AC_CHECK_FUNCS([daemon]) +Index: ntp-4.2.8/libntp/ntp_crypto_rnd.c +=================================================================== +--- ntp-4.2.8.orig/libntp/ntp_crypto_rnd.c ++++ ntp-4.2.8/libntp/ntp_crypto_rnd.c +@@ -24,6 +24,21 @@ + int crypto_rand_init = 0; + #endif + ++#ifndef HAVE_ARC4RANDOM_BUF ++static void ++arc4random_buf(void *buf, size_t nbytes); ++ ++void ++evutil_secure_rng_get_bytes(void *buf, size_t nbytes); ++ ++static void ++arc4random_buf(void *buf, size_t nbytes) ++{ ++ evutil_secure_rng_get_bytes(buf, nbytes); ++ return; ++} ++#endif ++ + /* + * As of late 2014, here's how we plan to provide cryptographic-quality + * random numbers: +Index: ntp-4.2.8/sntp/configure.ac +=================================================================== +--- ntp-4.2.8.orig/sntp/configure.ac ++++ ntp-4.2.8/sntp/configure.ac +@@ -97,11 +97,14 @@ esac + enable_nls=no + LIBOPTS_CHECK + +-AM_COND_IF( +- [BUILD_SNTP], +- [NTP_LIBEVENT_CHECK], +- [NTP_LIBEVENT_CHECK_NOBUILD] +-) ++# From when we only used libevent for sntp: ++#AM_COND_IF( ++# [BUILD_SNTP], ++# [NTP_LIBEVENT_CHECK], ++# [NTP_LIBEVENT_CHECK_NOBUILD] ++#) ++ ++NTP_LIBEVENT_CHECK([2]) + + # Checks for libraries. + +Index: ntp-4.2.8/sntp/m4/ntp_libevent.m4 +=================================================================== +--- ntp-4.2.8.orig/sntp/m4/ntp_libevent.m4 ++++ ntp-4.2.8/sntp/m4/ntp_libevent.m4 +@@ -1,4 +1,25 @@ +-dnl NTP_ENABLE_LOCAL_LIBEVENT -*- Autoconf -*- ++# SYNOPSIS -*- Autoconf -*- ++# ++# NTP_ENABLE_LOCAL_LIBEVENT ++# NTP_LIBEVENT_CHECK([MINVERSION [, DIR]]) ++# NTP_LIBEVENT_CHECK_NOBUILD([MINVERSION [, DIR]]) ++# ++# DESCRIPTION ++# ++# AUTHOR ++# ++# Harlan Stenn ++# ++# LICENSE ++# ++# This file is Copyright (c) 2014 Network Time Foundation ++# ++# Copying and distribution of this file, with or without modification, are ++# permitted in any medium without royalty provided the copyright notice, ++# author attribution and this notice are preserved. This file is offered ++# as-is, without any warranty. ++ ++dnl NTP_ENABLE_LOCAL_LIBEVENT + dnl + dnl Provide only the --enable-local-libevent command-line option. + dnl +@@ -29,7 +50,7 @@ dnl If NOBUILD is provided as the 3rd ar + dnl but DO NOT invoke DIR/configure if we are going to use our bundled + dnl version. This may be the case for nested packages. + dnl +-dnl provide --enable-local-libevent . ++dnl provides --enable-local-libevent . + dnl + dnl Examples: + dnl +Index: ntp-4.2.8/util/Makefile.am +=================================================================== +--- ntp-4.2.8.orig/util/Makefile.am ++++ ntp-4.2.8/util/Makefile.am +@@ -19,6 +19,7 @@ AM_LDFLAGS = $(LDFLAGS_NTP) + LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) $(PTHREAD_LIBS) + tg2_LDADD= ../libntp/libntp.a $(LDADD_LIBNTP) $(LIBM) + ntp_keygen_LDADD = version.o $(LIBOPTS_LDADD) ../libntp/libntp.a ++ntp_keygen_LDADD += $(LDADD_LIBEVENT) + ntp_keygen_LDADD += $(LDADD_LIBNTP) $(PTHREAD_LIBS) $(LDADD_NTP) $(LIBM) + ntp_keygen_SOURCES = ntp-keygen.c ntp-keygen-opts.c ntp-keygen-opts.h + diff --git a/meta-networking/recipes-support/ntp/ntp/ntp.conf b/meta-networking/recipes-support/ntp/ntp/ntp.conf new file mode 100644 index 0000000000..676e186453 --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/ntp.conf @@ -0,0 +1,17 @@ +# This is the most basic ntp configuration file +# The driftfile must remain in a place specific to this +# machine - it records the machine specific clock error +driftfile /var/lib/ntp/drift +# This should be a server that is close (in IP terms) +# to the machine. Add other servers as required. +# Unless you un-comment the line below ntpd will sync +# only against the local system clock. +# +# server time.server.example.com +# +# Using local hardware clock as fallback +# Disable this when using ntpd -q -g -x as ntpdate or it will sync to itself +server 127.127.1.0 +fudge 127.127.1.0 stratum 14 +# Defining a default security setting +restrict default diff --git a/meta-networking/recipes-support/ntp/ntp/ntpd b/meta-networking/recipes-support/ntp/ntp/ntpd new file mode 100755 index 0000000000..d1b9c49076 --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/ntpd @@ -0,0 +1,84 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: ntp +# Required-Start: $network $remote_fs $syslog +# Required-Stop: $network $remote_fs $syslog +# Default-Start: 2 3 4 5 +# Default-Stop: +# Short-Description: Start NTP daemon +### END INIT INFO + +PATH=/sbin:/bin:/usr/bin:/usr/sbin + +DAEMON=/usr/sbin/ntpd +PIDFILE=/var/run/ntpd.pid + +# ntpd init.d script for ntpdc from ntp.isc.org +test -x $DAEMON -a -r /etc/ntp.conf || exit 0 + +# rcS contains TICKADJ +test -r /etc/default/rcS && . /etc/default/rcS + +# Source function library. +. /etc/init.d/functions + +# Functions to do individual actions +settick(){ + # If TICKADJ is set we *must* adjust it before we start, because the + # driftfile relies on the correct setting + test -n "$TICKADJ" -a -x /usr/sbin/tickadj && { + echo -n "Setting tick to $TICKADJ: " + /usr/sbin/tickadj "$TICKADJ" + echo "done" + } +} +startdaemon(){ + # The -g option allows ntpd to step the time to correct it just + # once. The daemon will exit if the clock drifts too much after + # this. If ntpd seems to disappear after a while assume TICKADJ + # above is set to a totally incorrect value. + echo -n "Starting ntpd: " + start-stop-daemon --start --quiet --oknodo --pidfile $PIDFILE --startas $DAEMON -- -u ntp:ntp -p $PIDFILE "$@" + echo "done" +} +stopdaemon(){ + echo -n "Stopping ntpd: " + start-stop-daemon --stop --quiet --oknodo -p $PIDFILE + echo "done" +} + +case "$1" in + start) + settick + startdaemon -g + ;; + stop) + stopdaemon + ;; + force-reload) + stopdaemon + settick + startdaemon -g + ;; + restart) + # Don't reset the tick here + stopdaemon + startdaemon -g + ;; + reload) + # Must do this by hand, but don't do -g + stopdaemon + startdaemon + ;; + status) + status /usr/sbin/ntpd; + exit $? + ;; + *) + echo "Usage: ntpd { start | stop | status | restart | reload }" >&2 + exit 1 + ;; +esac + +exit 0 diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate b/meta-networking/recipes-support/ntp/ntp/ntpdate new file mode 100755 index 0000000000..17b64d1335 --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/ntpdate @@ -0,0 +1,54 @@ +#!/bin/sh + +PATH=/sbin:/bin:/usr/bin:/usr/sbin + +test -x /usr/sbin/ntpdate || exit 0 + +if test -f /etc/default/ntpdate ; then +. /etc/default/ntpdate +fi + +if [ "$NTPSERVERS" = "" ] ; then + if [ "$METHOD" = "" -a "$1" != "silent" ] ; then + echo "Please set NTPSERVERS in /etc/default/ntpdate" + exit 1 + else + exit 0 + fi +fi + +# This is a heuristic: The idea is that if a static interface is brought +# up, that is a major event, and we can put in some extra effort to fix +# the system time. Feel free to change this, especially if you regularly +# bring up new network interfaces. +if [ "$METHOD" = static ]; then + OPTS="-b" +fi + +if [ "$METHOD" = loopback ]; then + exit 0 +fi + +( + +LOCKFILE=/var/lock/ntpdate + +# Avoid running more than one at a time +if [ -x /usr/bin/lockfile-create ]; then + lockfile-create $LOCKFILE + lockfile-touch $LOCKFILE & + LOCKTOUCHPID="$!" +fi + +if /usr/sbin/ntpdate -s $OPTS $NTPSERVERS 2>/dev/null; then + if [ "$UPDATE_HWCLOCK" = "yes" ]; then + hwclock --systohc || : + fi +fi + +if [ -x /usr/bin/lockfile-create ] ; then + kill $LOCKTOUCHPID + lockfile-remove $LOCKFILE +fi + +) & diff --git a/meta-networking/recipes-support/ntp/ntp/ntpdate.default b/meta-networking/recipes-support/ntp/ntp/ntpdate.default new file mode 100644 index 0000000000..486b6e07d3 --- /dev/null +++ b/meta-networking/recipes-support/ntp/ntp/ntpdate.default @@ -0,0 +1,7 @@ +# Configuration script used by ntpdate-sync script + +NTPSERVERS="" + +# Set to "yes" to write time to hardware clock on success +UPDATE_HWCLOCK="no" + |