Commit 5263b053 authored by Bernhard Schmidt

New upstream version 4.2.8p12+dfsg

parent cf394574
---
(4.2.8p12) 2018/08/14 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability
- fixed stack buffer overflow in the openhost() command-line call
of NTPQ/NTPDC <perlinger@ntp.org>
* [Sec 3012] noepeer tweaks. <stenn@ntp.org>
* [Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
other TrustedBSD platforms
- applied patch by Ian Lepore <perlinger@ntp.org>
* [Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
- changed interaction with SCM to signal pending startup
* [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
- rework of ntpq 'nextvar()' key/value parsing
* [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
* [Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
* [Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
* [Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3471] Check for openssl/[ch]mac.h. HStenn.
- add #define ENABLE_CMAC support in configure. HStenn.
* [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
* [Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
- patch by Stephen Friedl
* [Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
- fixed IO redirection and CTRL-C handling in ntq and ntpdc
* [Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
* [Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
- initial patch by Hal Murray; also fixed refclock_report() trouble
* [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
* [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
- According to Brooks Davis, there was only one location <perlinger@ntp.org>
* [Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
- applied patch by Gerry Garvey
* [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
with modifications
New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
* [Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
- applied patch by Miroslav Lichvar
* [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
* [Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
- integrated patch by Reinhard Max
* [Bug 2821] minor build issues <perlinger@ntp.org>
- applied patches by Christos Zoulas, including real bug fixes
* html/authopt.html: cleanup, from <stenn@ntp.org>
* ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
* Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>
* html/authentic.html: cleanup, from <stenn@ntp.org>
---
(4.2.8p11) 2018/02/27 Released by Harlan Stenn <stenn@ntp.org>
* [Sec 3454] Unauthenticated packet can reset authenticated interleave
associations. HStenn.
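Review bot: Two slips in the added ChangeLog entries: the [Bug 3467] sub-item reads "ntq and ntpdc" where "ntpq and ntpdc" is meant, and "[Bug 3476]ctl_putstr()" is missing the space after the bracket that the other entries have. Both are repeated verbatim in the NEWS hunk of this commit, so fix them in both files.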
......@@ -14,16 +78,16 @@
- applied patch by Sean Haugh
* [Bug 3452] PARSE driver prints uninitialized memory. <perlinger@ntp.org>
* [Bug 3450] Dubious error messages from plausibility checks in get_systime()
- removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
- removed error log caused by rounding/slew, ensured postcondition <perlinger@ntp.org>
* [Bug 3447] AES-128-CMAC (fixes) <perlinger@ntp.org>
- refactoring the MAC code, too
* [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org
* [Bug 3439] When running multiple commands / hosts in ntpq... <perlinger@ntp.org>
- applied patch by ggarvey
- applied patch by ggarvey
* [Bug 3438] Negative values and values > 999 days in... <perlinger@ntp.org>
- applied patch by ggarvey (with minor mods)
- applied patch by ggarvey (with minor mods)
* [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain
- applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
- applied patch (with mods) by Miroslav Lichvar <perlinger@ntp.org>
* [Bug 3435] anchor NTP era alignment <perlinger@ntp.org>
* [Bug 3433] sntp crashes when run with -a. <stenn@ntp.org>
* [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2"
......
--
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
NTP 4.2.8p12 (Harlan Stenn <stenn@ntp.org>, 2018/14/09)
NOTE: this NEWS file will be undergoing more revisions.
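Review bot: The date on the new "NTP 4.2.8p12" header line, 2018/14/09, does not follow the year/month/day form of the 4.2.8p11 line it replaces (2018/02/27) and disagrees with the ChangeLog entry for the same release, which gives 2018/08/14. Suggest 2018/08/14 here so the two files agree.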
......@@ -7,6 +7,77 @@ Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes a "hole" in the noepeer capability introduced to ntpd
in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by
ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements:
* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc.
* [Sec 3012] Fix a hole in the new "noepeer" processing.
* Bug Fixes:
[Bug 3521] Fix a logic bug in the INVALIDNAK checks. <stenn@ntp.org>
[Bug 3509] Add support for running as non-root on FreeBSD, Darwin,
other TrustedBSD platforms
- applied patch by Ian Lepore <perlinger@ntp.org>
[Bug 3506] Service Control Manager interacts poorly with NTPD <perlinger@ntp.org>
- changed interaction with SCM to signal pending startup
[Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3485] Undefined sockaddr used in error messages in ntp_config.c <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3484] ntpq response from ntpd is incorrect when REFID is null <perlinger@ntp.org>
- rework of ntpq 'nextvar()' key/value parsing
[Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
[Bug 3480] Refclock sample filter not cleared on clock STEP <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods)
[Bug 3476]ctl_putstr() sends empty unquoted string [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though
[Bug 3475] modify prettydate() to suppress output of zero time <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3474] Missing pmode in mode7 peer info response <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3471] Check for openssl/[ch]mac.h. HStenn.
- add #define ENABLE_CMAC support in configure. HStenn.
[Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL <perlinger@ntp.org>
[Bug 3469] Incomplete string compare [...] in is_refclk_addr <perlinger@ntp.org>
- patch by Stephen Friedl
[Bug 3467] Potential memory fault in ntpq [...] <perlinger@ntp.org>
- fixed IO redirection and CTRL-C handling in ntq and ntpdc
[Bug 3465] Default TTL values cannot be used <perlinger@ntp.org>
[Bug 3461] refclock_shm.c: clear error status on clock recovery <perlinger@ntp.org>
- initial patch by Hal Murray; also fixed refclock_report() trouble
[Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. <stenn@ntp.org>
[Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer
- According to Brooks Davis, there was only one location <perlinger@ntp.org>
[Bug 3449] ntpq - display "loop" instead of refid [...] <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3445] Symmetric peer won't sync on startup <perlinger@ntp.org>
- applied patch by Gerry Garvey
[Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey,
with modifications
New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c.
[Bug 3434] ntpd clears STA_UNSYNC on start <perlinger@ntp.org>
- applied patch by Miroslav Lichvar
[Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov.
[Bug 3121] Drop root privileges for the forked DNS worker <perlinger@ntp.org>
- integrated patch by Reinhard Max
[Bug 2821] minor build issues <perlinger@ntp.org>
- applied patches by Christos Zoulas, including real bug fixes
html/authopt.html: cleanup, from <stenn@ntp.org>
ntpd/ntpd.c: DROPROOT cleanup. <stenn@ntp.org>
Symmetric key range is 1-65535. Update docs. <stenn@ntp.org>
--
NTP 4.2.8p11 (Harlan Stenn <stenn@ntp.org>, 2018/02/27)
Focus: Security, Bug fixes, enhancements.
Severity: MEDIUM
This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity
vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and
provides 65 other non-security fixes and improvements:
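Review bot: The [Sec 3505] line in the NEWS summary omits the CVE identifier, while the ChangeLog entry for the same fix names CVE-2018-12327; people triaging by CVE will search NEWS first, so add it here. The summary also describes only "a buffer overflow in the openhost() function", where the ChangeLog says it is a stack buffer overflow in the command-line call of ntpq/ntpdc; carrying that detail over helps readers judge their exposure.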
......
......@@ -311,6 +311,9 @@
/* Provide the explicit 127.0.0.0/8 martian filter? */
#undef ENABLE_BUG3020_FIX
/* Enable CMAC support? */
#undef ENABLE_CMAC
/* nls support in libopts */
#undef ENABLE_NLS
......@@ -372,6 +375,14 @@
/* Define to 1 if you have the `daemon' function. */
#undef HAVE_DAEMON
/* Define to 1 if you have the declaration of `siglongjmp', and to 0 if you
don't. */
#undef HAVE_DECL_SIGLONGJMP
/* Define to 1 if you have the declaration of `sigsetjmp', and to 0 if you
don't. */
#undef HAVE_DECL_SIGSETJMP
/* Define to 1 if you have the declaration of `strerror_r', and to 0 if you
don't. */
#undef HAVE_DECL_STRERROR_R
......@@ -653,6 +664,12 @@
/* if you have NT Threads */
#undef HAVE_NT_THREADS
/* Define to 1 if you have the <openssl/cmac.h> header file. */
#undef HAVE_OPENSSL_CMAC_H
/* Define to 1 if you have the <openssl/hmac.h> header file. */
#undef HAVE_OPENSSL_HMAC_H
/* Define to 1 if the system has the type `pid_t'. */
#undef HAVE_PID_T
......@@ -957,6 +974,9 @@
/* Define to 1 if you have the <sys/lock.h> header file. */
#undef HAVE_SYS_LOCK_H
/* Define to 1 if you have the <sys/mac.h> header file. */
#undef HAVE_SYS_MAC_H
/* Define to 1 if you have the <sys/mman.h> header file. */
#undef HAVE_SYS_MMAN_H
......@@ -1117,6 +1137,9 @@
/* Do we have the TIO serial stuff? */
#undef HAVE_TIO_SERIAL_STUFF
/* Are TrustedBSD MAC policy privileges available? */
#undef HAVE_TRUSTEDBSD_MAC
/* Define to 1 if the system has the type `uint16_t'. */
#undef HAVE_UINT16_T
......
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
# Generated by GNU Autoconf 2.69 for ntp 4.2.8p11.
# Generated by GNU Autoconf 2.69 for ntp 4.2.8p12.
#
# Report bugs to <http://bugs.ntp.org./>.
#
......@@ -590,8 +590,8 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='ntp'
PACKAGE_TARNAME='ntp'
PACKAGE_VERSION='4.2.8p11'
PACKAGE_STRING='ntp 4.2.8p11'
PACKAGE_VERSION='4.2.8p12'
PACKAGE_STRING='ntp 4.2.8p12'
PACKAGE_BUGREPORT='http://bugs.ntp.org./'
PACKAGE_URL='http://www.ntp.org./'
......@@ -968,6 +968,7 @@ enable_c99_snprintf
enable_clockctl
enable_linuxcaps
enable_solarisprivs
enable_trustedbsd_mac
with_arlib
with_net_snmp_config
enable_libseccomp
......@@ -1614,7 +1615,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
\`configure' configures ntp 4.2.8p11 to adapt to many kinds of systems.
\`configure' configures ntp 4.2.8p12 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
......@@ -1684,7 +1685,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
short | recursive ) echo "Configuration of ntp 4.2.8p11:";;
short | recursive ) echo "Configuration of ntp 4.2.8p12:";;
esac
cat <<\_ACEOF
......@@ -1731,6 +1732,8 @@ Optional Features and Packages:
--enable-clockctl s Use /dev/clockctl for non-root clock control
--enable-linuxcaps + Use Linux capabilities for non-root clock control
--enable-solarisprivs + Use Solaris privileges for non-root clock control
--enable-trustedbsd-mac s Use TrustedBSD MAC policy for non-root clock
control
--with-arlib - deprecated, arlib not distributed
--with-net-snmp-config + =net-snmp-config
--enable-libseccomp EXPERIMENTAL: enable support for libseccomp
......@@ -1923,7 +1926,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
ntp configure 4.2.8p11
ntp configure 4.2.8p12
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
......@@ -2632,7 +2635,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
It was created by ntp $as_me 4.2.8p11, which was
It was created by ntp $as_me 4.2.8p12, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
......@@ -3633,7 +3636,7 @@ fi
# Define the identity of the package.
PACKAGE='ntp'
VERSION='4.2.8p11'
VERSION='4.2.8p12'
cat >>confdefs.h <<_ACEOF
......@@ -24026,7 +24029,40 @@ esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ntp_have_solarisprivs" >&5
$as_echo "$ntp_have_solarisprivs" >&6; }
case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in
for ac_header in sys/mac.h
do :
ac_fn_c_check_header_mongrel "$LINENO" "sys/mac.h" "ac_cv_header_sys_mac_h" "$ac_includes_default"
if test "x$ac_cv_header_sys_mac_h" = xyes; then :
cat >>confdefs.h <<_ACEOF
#define HAVE_SYS_MAC_H 1
_ACEOF
fi
done
# Check whether --enable-trustedbsd_mac was given.
if test "${enable_trustedbsd_mac+set}" = set; then :
enableval=$enable_trustedbsd_mac; ntp_use_trustedbsd_mac=$enableval
fi
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if we should use TrustedBSD MAC privileges" >&5
$as_echo_n "checking if we should use TrustedBSD MAC privileges... " >&6; }
case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in
yesyes)
$as_echo "#define HAVE_TRUSTEDBSD_MAC 1" >>confdefs.h
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ntp_use_trustedbsd_mac" >&5
$as_echo "$ntp_use_trustedbsd_mac" >&6; }
case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in
*yes*)
$as_echo "#define HAVE_DROPROOT 1" >>confdefs.h
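Review bot: The final HAVE_DROPROOT case keys on $ntp_use_trustedbsd_mac, which is only the value given to --enable-trustedbsd-mac, whereas HAVE_TRUSTEDBSD_MAC is defined only in the yesyes) branch (option given and sys/mac.h found). As far as the visible lines show, enabling the option on a host without sys/mac.h, with no other mechanism selected, defines HAVE_DROPROOT with nothing behind it, and the "checking if we should use TrustedBSD MAC privileges" result prints "yes" in that case and an empty string when the option is not given. Setting a separate have-variable inside yesyes) and using it in both the DROPROOT case and the result message would fix this; the change belongs in the macro source this configure script is generated from.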
......@@ -30311,6 +30347,19 @@ $as_echo "$ntp_openssl" >&6; }
case "$ntp_openssl" in
yes)
for ac_header in openssl/cmac.h openssl/hmac.h
do :
as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh`
ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default"
if eval test \"x\$"$as_ac_Header"\" = x"yes"; then :
cat >>confdefs.h <<_ACEOF
#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1
_ACEOF
fi
done
$as_echo "#define OPENSSL /**/" >>confdefs.h
......@@ -30534,6 +30583,21 @@ LIBS="$NTPO_SAVED_LIBS"
{ ntp_openssl_from_pkg_config=; unset ntp_openssl_from_pkg_config;}
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if we want to enable CMAC support" >&5
$as_echo_n "checking if we want to enable CMAC support... " >&6; }
case "$ac_cv_header_openssl_cmac_h" in
yes)
$as_echo "#define ENABLE_CMAC 1" >>confdefs.h
ans="yes"
;;
*) ans="no"
;;
esac
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ans" >&5
$as_echo "$ans" >&6; }
......@@ -33221,6 +33285,32 @@ fi
###
ac_fn_c_check_decl "$LINENO" "sigsetjmp" "ac_cv_have_decl_sigsetjmp" "#include <setjmp.h>
"
if test "x$ac_cv_have_decl_sigsetjmp" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SIGSETJMP $ac_have_decl
_ACEOF
ac_fn_c_check_decl "$LINENO" "siglongjmp" "ac_cv_have_decl_siglongjmp" "#include <setjmp.h>
"
if test "x$ac_cv_have_decl_siglongjmp" = xyes; then :
ac_have_decl=1
else
ac_have_decl=0
fi
cat >>confdefs.h <<_ACEOF
#define HAVE_DECL_SIGLONGJMP $ac_have_decl
_ACEOF
###
......@@ -33964,7 +34054,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
This file was extended by ntp $as_me 4.2.8p11, which was
This file was extended by ntp $as_me 4.2.8p12, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
......@@ -34031,7 +34121,7 @@ _ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
ntp config.status 4.2.8p11
ntp config.status 4.2.8p12
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
......
......@@ -3014,6 +3014,17 @@ AC_MSG_RESULT([$ans])
NTP_OPENSSL
AC_MSG_CHECKING([if we want to enable CMAC support])
case "$ac_cv_header_openssl_cmac_h" in
yes)
AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?])
ans="yes"
;;
*) ans="no"
;;
esac
AC_MSG_RESULT([$ans])
NTP_CRYPTO_RAND
# if we are using OpenSSL (--with-crypto), by default Autokey is enabled
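Review bot: ENABLE_CMAC is decided from $ac_cv_header_openssl_cmac_h alone, so it is switched on whenever the header is found, with no check that the libcrypto being linked provides the CMAC functions and no way to turn it off at configure time. A link test for a CMAC symbol after NTP_OPENSSL (for example AC_CHECK_FUNCS on CMAC_CTX_new), plus a configure switch to disable it, would make the result match what the build can actually use.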
......@@ -4380,6 +4391,10 @@ NTP_PROBLEM_TESTS
###
AC_CHECK_DECLS([sigsetjmp,siglongjmp], [], [], [[#include <setjmp.h>]])
###
AC_DEFINE_DIR([NTP_KEYSDIR], [sysconfdir],
[Default location of crypto key info])
......
......@@ -13,7 +13,7 @@
Walt Kelly</a>
<p>The chicken is getting configuration advice.</p>
<p>Last update:
<!-- #BeginDate format:En2m -->10-Mar-2014 05:01<!-- #EndDate -->
<!-- #BeginDate format:En2m -->24-Jul-2018 07:27<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
......@@ -67,7 +67,7 @@ Walt Kelly</a>
<dt><tt>ident</tt> <em><tt>group</tt></em></dt>
<dd>Specify the group name for the association. See the <a href="autokey.html">Autokey Public-Key Authentication</a> page for further information.</dd>
<dt><tt>key</tt> <i><tt>key</tt></i></dt>
<dd>Send and receive packets authenticated by the symmetric key scheme described in the <a href="authentic.html">Authentication Support</a> page. The <i><tt>key</tt></i> specifies the key identifier with values from 1 to 65534, inclusive. This option is mutually exclusive with the <tt>autokey</tt> option.</dd> <dt><tt>minpoll <i>minpoll<br>
<dd>Send and receive packets authenticated by the symmetric key scheme described in the <a href="authentic.html">Authentication Support</a> page. The <i><tt>key</tt></i> specifies the key identifier with values from 1 to 65535, inclusive. This option is mutually exclusive with the <tt>autokey</tt> option.</dd> <dt><tt>minpoll <i>minpoll<br>
</i></tt><tt>maxpoll <i>maxpoll</i></tt></dt>
<dd>These options specify the minimum and maximum poll intervals for NTP messages, in seconds as a power of two. The maximum poll interval defaults to 10 (1024 s), but can be increased by the <tt>maxpoll</tt> option to an upper limit of 17 (36 hr). The minimum poll interval defaults to 6 (64 s), but can be decreased by the <tt>minpoll</tt> option to a lower limit of 3 (8 s). Additional information about this option is on the <a href="poll.html">Poll Program</a> page.</dd>
<dt><tt>mode <i>option</i></tt></dt>
......
......@@ -11,7 +11,7 @@
<p><img src="pic/alice23.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/%7emills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a></p>
<p>Alice holds the key.</p>
<p>Last update:
<!-- #BeginDate format:En2m -->11-Jan-2018 11:55<!-- #EndDate -->
<!-- #BeginDate format:En2m -->24-Jul-2018 07:27<!-- #EndDate -->
UTC</p>
<br clear="left">
<h4>Related Links</h4>
......@@ -313,7 +313,7 @@
</pre></td></tr></table>
<p>Figure 1 shows a typical symmetric keys file used by the reference
implementation. Each line of the file contains three or four fields,
first an integer between 1 and 65534, inclusive, representing the key
first an integer between 1 and 65535, inclusive, representing the key
identifier used in the <tt>server</tt> and <tt>peer</tt> configuration
commands. Second is the key type for the message digest algorithm,
which in the absence of the OpenSSL library must be <tt>MD5</tt> to
......
......@@ -11,7 +11,7 @@
<img src="pic/rabbit.gif" alt="gif" align="left"><a href="http://www.eecis.udel.edu/~mills/pictures.html">from <i>Alice's Adventures in Wonderland</i>, Lewis Carroll</a>
<p>I told you it was eyeball and wristwatch.</p>
<p>Last update:
<!-- #BeginDate format:En2m -->9-Feb-2014 03:34<!-- #EndDate -->
<!-- #BeginDate format:En2m -->21-Jul-2018 04:09<!-- #EndDate -->
UTC</p>
<br clear="left">
<hr>
......@@ -63,7 +63,7 @@ Protocol (SNTP) Client</a> page. After a suitable period of mourning, the <tt>n
<dt><tt>-s</tt></dt>
<dd>Divert logging output from the standard output (default) to the system <tt>syslog</tt> facility. This is designed primarily for convenience of <tt>cron</tt> scripts.</dd>
<dt><tt>-t <i>timeout</i></tt></dt>
<dd>Specify the maximum time waiting for a server response as the value <i>timeout</i>, in seconds and fraction. The value is is rounded to a multiple of 0.2 seconds. The default is 1 second, a value suitable for polling across a LAN.</dd>
<dd>Specify the maximum time waiting for a server response as the value <i>timeout</i>, in seconds and fraction. The value is is rounded to a multiple of 0.2 seconds. The default is 2 seconds, a value suitable for polling across a LAN.</dd>
<dt><tt>-u</tt></dt>
<dd>Direct <tt>ntpdate</tt> to use an unprivileged port for outgoing packets. This is most useful when behind a firewall that blocks incoming traffic to privileged ports, and you want to synchronize with hosts beyond the firewall. Note that the <tt>-d</tt> option always uses unprivileged ports.
<dt><tt>-<i>v</i></tt></dt>
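Review bot: The rewritten -t description still carries the doubled word in "The value is is rounded"; since this line is being touched for the new default, fix it in the same edit. The -u entry just below it also opens a <dd> that is never closed before the next <dt>.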
......
......@@ -610,6 +610,18 @@ struct pkt {
#define STRATUM_TO_PKT(s) ((u_char)(((s) == (STRATUM_UNSPEC)) ?\
(STRATUM_PKT_UNSPEC) : (s)))
/*
* A test to determine if the refid should be interpreted as text string.
* This is usually the case for a refclock, which has stratum 0 internally,
* which results in sys_stratum 1 if the refclock becomes system peer, or
* in case of a kiss-of-death (KoD) packet that has STRATUM_PKT_UNSPEC (==0)
* in the packet which is converted to STRATUM_UNSPEC when the packet
* is evaluated.
*/
#define REFID_ISTEXT(s) (((s) <= 1) || ((s) >= STRATUM_UNSPEC))
/*
* Event codes. Used for reporting errors/events to the control module
*/
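Review bot: REFID_ISTEXT(s) evaluates its argument twice, so a call whose argument has a side effect would misbehave; say so in the comment or make it a static inline function. The comment should also state that a refid treated as text is still four bytes taken from a packet with no guarantee they are printable, so callers have to filter them before display, which is what [Bug 3479] in this same release is about.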
......
......@@ -7,8 +7,13 @@
#define NTP_MD5_H
#ifdef OPENSSL
# include "openssl/evp.h"
# include <openssl/evp.h>
# include "libssl_compat.h"
# ifdef HAVE_OPENSSL_CMAC_H
# include <openssl/cmac.h>
# define CMAC "AES128CMAC"
# define AES_128_KEY_SIZE 16
# endif /*HAVE_OPENSSL_CMAC_H*/
#else /* !OPENSSL follows */
/*
* Provide OpenSSL-alike MD5 API if we're not using OpenSSL
......
......@@ -12,12 +12,6 @@
#include "ntp_md5.h" /* provides OpenSSL digest API */
#include "isc/string.h"
#ifdef OPENSSL
# include "openssl/cmac.h"
# define CMAC "AES128CMAC"
# define AES_128_KEY_SIZE 16
#endif
typedef struct {
const void * buf;
size_t len;
......@@ -28,7 +22,7 @@ typedef struct {
size_t len;
} rwbuffT;
#ifdef OPENSSL
#if defined(OPENSSL) && defined(ENABLE_CMAC)
static size_t
cmac_ctx_size(
CMAC_CTX * ctx)
......@@ -42,7 +36,7 @@ cmac_ctx_size(
}
return mlen;
}
#endif /*OPENSSL*/
#endif /*OPENSSL && ENABLE_CMAC*/
static size_t
make_mac(
......@@ -63,6 +57,7 @@ make_mac(
INIT_SSL();
/* Check if CMAC key type specific code required */
# ifdef ENABLE_CMAC
if (ktype == NID_cmac) {
CMAC_CTX * ctx = NULL;
void const * keyptr = key->buf;
......@@ -100,7 +95,9 @@ make_mac(
if (ctx)
CMAC_CTX_cleanup(ctx);
}
else { /* generic MAC handling */
else
# endif /*ENABLE_CMAC*/
{ /* generic MAC handling */
EVP_MD_CTX * ctx = EVP_MD_CTX_new();
u_int uilen = 0;
......@@ -153,7 +150,7 @@ make_mac(
if (ktype == NID_md5)
{
EVP_MD_CTX * ctx = EVP_MD_CTX_new();
uint uilen = 0;
u_int uilen = 0;
if (digest->len < 16) {
msyslog(LOG_ERR, "%s", "MAC encrypt: MAC md5 buf too small.");
......
......@@ -1873,7 +1873,7 @@ basedate_eval_string(
goto buildstamp;
}
rc = scanf(str, "%lu%n", &ned, &nc);
rc = sscanf(str, "%lu%n", &ned, &nc);
if (rc == 1 && (size_t)nc == sl) {
if (ned <= INT32_MAX)
return (int32_t)ned;
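Review bot: In basedate_eval_string(), sscanf with "%lu" leaves the result undefined when the digits do not fit in an unsigned long, and it accepts leading whitespace and a sign, so the "ned <= INT32_MAX" range check that follows can be reached with a value that is not what the string says. strtoul() with an end pointer compared against the string length, an errno check for ERANGE, and an explicit rejection of a leading '-' would keep the same acceptance rule without the undefined case.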
......
......@@ -170,6 +170,11 @@ common_prettydate(
LIB_GETBUF(bp);
if (ts->l_ui == 0 && ts->l_uf == 0) {
strlcpy (bp, "(no time)", LIB_BUFLENGTH);
return (bp);
}
/* get & fix milliseconds */
ntps = ts->l_ui;
msec = ts->l_uf / 4294967; /* fract / (2 ** 32 / 1000) */
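Review bot: The new early return in common_prettydate() has no comment, and it changes the output for an all-zero timestamp from a formatted date to the literal "(no time)", so anything that parses this output as a date now sees a different shape. Add a comment stating that l_ui == 0 && l_uf == 0 is treated as "unset" rather than as the first instant of an NTP era, and mention the new string in the ntpq documentation.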
......
......@@ -13,16 +13,16 @@
#include <lib_strbuf.h>
#ifdef OPENSSL
# include "openssl/cmac.h"
# include "openssl/crypto.h"
# include "openssl/err.h"
# include "openssl/evp.h"
# include "openssl/opensslv.h"
# include <openssl/crypto.h>
# include <openssl/err.h>
# include <openssl/evp.h>
# include <openssl/opensslv.h>
# include "libssl_compat.h"
# define CMAC_LENGTH 16
# define CMAC "AES128CMAC"
# ifdef HAVE_OPENSSL_CMAC_H
# include <openssl/cmac.h>
# define CMAC_LENGTH 16
# define CMAC "AES128CMAC"
# endif /*HAVE_OPENSSL_CMAC_H*/
int ssl_init_done;
#if OPENSSL_VERSION_NUMBER < 0x10100000L
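Review bot: CMAC and CMAC_LENGTH are defined here under HAVE_OPENSSL_CMAC_H, but the code that uses them in the later hunks of this file is guarded by ENABLE_CMAC. Configure sets the two together today, yet a build with ENABLE_CMAC but not HAVE_OPENSSL_CMAC_H fails to compile, and the reverse silently drops CMAC support; guard the definitions and the uses with the same macro. The "AES128CMAC" string is also defined in ntp_md5.h by this commit, so keep a single definition in one header.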
......@@ -126,6 +126,7 @@ keytype_from_text(
key_type = OBJ_sn2nid(upcased);
# ifdef ENABLE_CMAC
if (!key_type && !strncmp(CMAC, upcased, strlen(CMAC) + 1)) {
key_type = NID_cmac;
......@@ -134,6 +135,7 @@ keytype_from_text(
__FILE__, __LINE__, __func__, CMAC);
}
}
# endif /*ENABLE_CMAC*/
#else
key_type = 0;
......@@ -153,6 +155,7 @@ keytype_from_text(
digest_len = (md) ? EVP_MD_size(md) : 0;
if (!md || digest_len <= 0) {
# ifdef ENABLE_CMAC
if (key_type == NID_cmac) {
digest_len = CMAC_LENGTH;
......@@ -160,7 +163,9 @@ keytype_from_text(
fprintf(stderr, "%s:%d:%s():%s:len\n",
__FILE__, __LINE__, __func__, CMAC);
}
} else {
} else
# endif /*ENABLE_CMAC*/
{
fprintf(stderr,
"key type %s is not supported by OpenSSL\n",
keytype_name(key_type));
......@@ -209,6 +214,7 @@ keytype_name(