Diffstat (limited to 'contrib/ntp/libntp')
-rw-r--r--contrib/ntp/libntp/Makefile.am1
-rw-r--r--contrib/ntp/libntp/Makefile.in67
-rw-r--r--contrib/ntp/libntp/a_md5encrypt.c62
-rw-r--r--contrib/ntp/libntp/audio.c6
-rw-r--r--contrib/ntp/libntp/libssl_compat.c335
-rw-r--r--contrib/ntp/libntp/ntp_calendar.c85
-rw-r--r--contrib/ntp/libntp/ntp_intres.c62
-rw-r--r--contrib/ntp/libntp/ssl_init.c11
-rw-r--r--contrib/ntp/libntp/work_fork.c18
9 files changed, 532 insertions, 115 deletions
diff --git a/contrib/ntp/libntp/Makefile.am b/contrib/ntp/libntp/Makefile.am
index 26a4709e8b54..874739a18846 100644
--- a/contrib/ntp/libntp/Makefile.am
+++ b/contrib/ntp/libntp/Makefile.am
@@ -73,6 +73,7 @@ libntp_a_SRCS = \
iosignal.c \
is_ip_address.c \
lib_strbuf.c \
+ libssl_compat.c \
machines.c \
mktime.c \
modetoa.c \
diff --git a/contrib/ntp/libntp/Makefile.in b/contrib/ntp/libntp/Makefile.in
index 4c0fb4dbdd9c..8dfa04c68013 100644
--- a/contrib/ntp/libntp/Makefile.in
+++ b/contrib/ntp/libntp/Makefile.in
@@ -150,15 +150,15 @@ am__libntp_a_SOURCES_DIST = systime.c a_md5encrypt.c adjtime.c \
calyearstart.c clocktime.c clocktypes.c decodenetnum.c \
dofptoa.c dolfptoa.c emalloc.c findconfig.c getopt.c \
hextoint.c hextolfp.c humandate.c icom.c iosignal.c \
- is_ip_address.c lib_strbuf.c machines.c mktime.c modetoa.c \
- mstolfp.c msyslog.c netof.c ntp_calendar.c ntp_crypto_rnd.c \
- ntp_intres.c ntp_libopts.c ntp_lineedit.c ntp_random.c \
- ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c octtoint.c \
- prettydate.c refidsmear.c recvbuff.c refnumtoa.c snprintf.c \
- socket.c socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \
- strl_obsd.c syssignal.c timetoa.c timevalops.c uglydate.c \
- vint64ops.c work_fork.c work_thread.c ymd2yd.c \
- $(srcdir)/../lib/isc/assertions.c \
+ is_ip_address.c lib_strbuf.c libssl_compat.c machines.c \
+ mktime.c modetoa.c mstolfp.c msyslog.c netof.c ntp_calendar.c \
+ ntp_crypto_rnd.c ntp_intres.c ntp_libopts.c ntp_lineedit.c \
+ ntp_random.c ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c \
+ octtoint.c prettydate.c refidsmear.c recvbuff.c refnumtoa.c \
+ snprintf.c socket.c socktoa.c socktohost.c ssl_init.c \
+ statestr.c strdup.c strl_obsd.c syssignal.c timetoa.c \
+ timevalops.c uglydate.c vint64ops.c work_fork.c work_thread.c \
+ ymd2yd.c $(srcdir)/../lib/isc/assertions.c \
$(srcdir)/../lib/isc/buffer.c \
$(srcdir)/../lib/isc/backtrace-emptytbl.c \
$(srcdir)/../lib/isc/backtrace.c \
@@ -209,20 +209,21 @@ am__objects_4 = a_md5encrypt.$(OBJEXT) adjtime.$(OBJEXT) \
getopt.$(OBJEXT) hextoint.$(OBJEXT) hextolfp.$(OBJEXT) \
humandate.$(OBJEXT) icom.$(OBJEXT) iosignal.$(OBJEXT) \
is_ip_address.$(OBJEXT) lib_strbuf.$(OBJEXT) \
- machines.$(OBJEXT) mktime.$(OBJEXT) modetoa.$(OBJEXT) \
- mstolfp.$(OBJEXT) msyslog.$(OBJEXT) netof.$(OBJEXT) \
- ntp_calendar.$(OBJEXT) ntp_crypto_rnd.$(OBJEXT) \
- ntp_intres.$(OBJEXT) ntp_libopts.$(OBJEXT) \
- ntp_lineedit.$(OBJEXT) ntp_random.$(OBJEXT) \
- ntp_rfc2553.$(OBJEXT) ntp_worker.$(OBJEXT) numtoa.$(OBJEXT) \
- numtohost.$(OBJEXT) octtoint.$(OBJEXT) prettydate.$(OBJEXT) \
- refidsmear.$(OBJEXT) recvbuff.$(OBJEXT) refnumtoa.$(OBJEXT) \
- snprintf.$(OBJEXT) socket.$(OBJEXT) socktoa.$(OBJEXT) \
- socktohost.$(OBJEXT) ssl_init.$(OBJEXT) statestr.$(OBJEXT) \
- strdup.$(OBJEXT) strl_obsd.$(OBJEXT) syssignal.$(OBJEXT) \
- timetoa.$(OBJEXT) timevalops.$(OBJEXT) uglydate.$(OBJEXT) \
- vint64ops.$(OBJEXT) work_fork.$(OBJEXT) work_thread.$(OBJEXT) \
- ymd2yd.$(OBJEXT) $(am__objects_3) $(am__objects_1)
+ libssl_compat.$(OBJEXT) machines.$(OBJEXT) mktime.$(OBJEXT) \
+ modetoa.$(OBJEXT) mstolfp.$(OBJEXT) msyslog.$(OBJEXT) \
+ netof.$(OBJEXT) ntp_calendar.$(OBJEXT) \
+ ntp_crypto_rnd.$(OBJEXT) ntp_intres.$(OBJEXT) \
+ ntp_libopts.$(OBJEXT) ntp_lineedit.$(OBJEXT) \
+ ntp_random.$(OBJEXT) ntp_rfc2553.$(OBJEXT) \
+ ntp_worker.$(OBJEXT) numtoa.$(OBJEXT) numtohost.$(OBJEXT) \
+ octtoint.$(OBJEXT) prettydate.$(OBJEXT) refidsmear.$(OBJEXT) \
+ recvbuff.$(OBJEXT) refnumtoa.$(OBJEXT) snprintf.$(OBJEXT) \
+ socket.$(OBJEXT) socktoa.$(OBJEXT) socktohost.$(OBJEXT) \
+ ssl_init.$(OBJEXT) statestr.$(OBJEXT) strdup.$(OBJEXT) \
+ strl_obsd.$(OBJEXT) syssignal.$(OBJEXT) timetoa.$(OBJEXT) \
+ timevalops.$(OBJEXT) uglydate.$(OBJEXT) vint64ops.$(OBJEXT) \
+ work_fork.$(OBJEXT) work_thread.$(OBJEXT) ymd2yd.$(OBJEXT) \
+ $(am__objects_3) $(am__objects_1)
am_libntp_a_OBJECTS = systime.$(OBJEXT) $(am__objects_4)
libntp_a_OBJECTS = $(am_libntp_a_OBJECTS)
libntpsim_a_AR = $(AR) $(ARFLAGS)
@@ -233,15 +234,15 @@ am__libntpsim_a_SOURCES_DIST = systime_s.c a_md5encrypt.c adjtime.c \
calyearstart.c clocktime.c clocktypes.c decodenetnum.c \
dofptoa.c dolfptoa.c emalloc.c findconfig.c getopt.c \
hextoint.c hextolfp.c humandate.c icom.c iosignal.c \
- is_ip_address.c lib_strbuf.c machines.c mktime.c modetoa.c \
- mstolfp.c msyslog.c netof.c ntp_calendar.c ntp_crypto_rnd.c \
- ntp_intres.c ntp_libopts.c ntp_lineedit.c ntp_random.c \
- ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c octtoint.c \
- prettydate.c refidsmear.c recvbuff.c refnumtoa.c snprintf.c \
- socket.c socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \
- strl_obsd.c syssignal.c timetoa.c timevalops.c uglydate.c \
- vint64ops.c work_fork.c work_thread.c ymd2yd.c \
- $(srcdir)/../lib/isc/assertions.c \
+ is_ip_address.c lib_strbuf.c libssl_compat.c machines.c \
+ mktime.c modetoa.c mstolfp.c msyslog.c netof.c ntp_calendar.c \
+ ntp_crypto_rnd.c ntp_intres.c ntp_libopts.c ntp_lineedit.c \
+ ntp_random.c ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c \
+ octtoint.c prettydate.c refidsmear.c recvbuff.c refnumtoa.c \
+ snprintf.c socket.c socktoa.c socktohost.c ssl_init.c \
+ statestr.c strdup.c strl_obsd.c syssignal.c timetoa.c \
+ timevalops.c uglydate.c vint64ops.c work_fork.c work_thread.c \
+ ymd2yd.c $(srcdir)/../lib/isc/assertions.c \
$(srcdir)/../lib/isc/buffer.c \
$(srcdir)/../lib/isc/backtrace-emptytbl.c \
$(srcdir)/../lib/isc/backtrace.c \
@@ -665,6 +666,7 @@ libntp_a_SRCS = \
iosignal.c \
is_ip_address.c \
lib_strbuf.c \
+ libssl_compat.c \
machines.c \
mktime.c \
modetoa.c \
@@ -813,6 +815,7 @@ distclean-compile:
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/is_ip_address.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib_strbuf.Po@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libssl_compat.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/machines.Po@am__quote@
@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Po@am__quote@
diff --git a/contrib/ntp/libntp/a_md5encrypt.c b/contrib/ntp/libntp/a_md5encrypt.c
index 618ccd9de102..7edcd2e30583 100644
--- a/contrib/ntp/libntp/a_md5encrypt.c
+++ b/contrib/ntp/libntp/a_md5encrypt.c
@@ -11,6 +11,7 @@
#include "ntp.h"
#include "ntp_md5.h" /* provides OpenSSL digest API */
#include "isc/string.h"
+#include "libssl_compat.h"
/*
* MD5authencrypt - generate message digest
*
@@ -26,7 +27,7 @@ MD5authencrypt(
{
u_char digest[EVP_MAX_MD_SIZE];
u_int len;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
/*
* Compute digest of key concatenated with packet. Note: the
@@ -34,18 +35,20 @@ MD5authencrypt(
* was creaded.
*/
INIT_SSL();
-#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL
- if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
+ ctx = EVP_MD_CTX_new();
+ if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) {
msyslog(LOG_ERR,
"MAC encrypt: digest init failed");
+ EVP_MD_CTX_free(ctx);
return (0);
}
-#else
- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
-#endif
- EVP_DigestUpdate(&ctx, key, cache_secretsize);
- EVP_DigestUpdate(&ctx, (u_char *)pkt, length);
- EVP_DigestFinal(&ctx, digest, &len);
+ EVP_DigestUpdate(ctx, key, cache_secretsize);
+ EVP_DigestUpdate(ctx, (u_char *)pkt, length);
+ EVP_DigestFinal(ctx, digest, &len);
+ EVP_MD_CTX_free(ctx);
+ /* If the MAC is longer than the MAX then truncate it. */
+ if (len > MAX_MAC_LEN - 4)
+ len = MAX_MAC_LEN - 4;
memmove((u_char *)pkt + length + 4, digest, len);
return (len + 4);
}
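Review bot: The results of `EVP_DigestUpdate()` and `EVP_DigestFinal()` are still ignored in MD5authencrypt, so if finalisation fails, `len` is read uninitialised by the new truncation check and by the `memmove` that appends the MAC. Checking the call, e.g. `if (!EVP_DigestFinal(ctx, digest, &len)) { EVP_MD_CTX_free(ctx); return (0); }`, keeps a failed digest from producing a packet with an undefined MAC. The MD5authdecrypt hunk below has the same pattern; there the unset `len` would feed the length comparison and `isc_tsmemcmp`.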
@@ -67,7 +70,7 @@ MD5authdecrypt(
{
u_char digest[EVP_MAX_MD_SIZE];
u_int len;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
/*
* Compute digest of key concatenated with packet. Note: the
@@ -75,24 +78,26 @@ MD5authdecrypt(
* was created.
*/
INIT_SSL();
-#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL
- if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) {
+ ctx = EVP_MD_CTX_new();
+ if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) {
msyslog(LOG_ERR,
"MAC decrypt: digest init failed");
+ EVP_MD_CTX_free(ctx);
return (0);
}
-#else
- EVP_DigestInit(&ctx, EVP_get_digestbynid(type));
-#endif
- EVP_DigestUpdate(&ctx, key, cache_secretsize);
- EVP_DigestUpdate(&ctx, (u_char *)pkt, length);
- EVP_DigestFinal(&ctx, digest, &len);
+ EVP_DigestUpdate(ctx, key, cache_secretsize);
+ EVP_DigestUpdate(ctx, (u_char *)pkt, length);
+ EVP_DigestFinal(ctx, digest, &len);
+ EVP_MD_CTX_free(ctx);
+ /* If the MAC is longer than the MAX then truncate it. */
+ if (len > MAX_MAC_LEN - 4)
+ len = MAX_MAC_LEN - 4;
if (size != (size_t)len + 4) {
msyslog(LOG_ERR,
"MAC decrypt: MAC length error");
return (0);
}
- return !isc_tsmemcmp(digest, (const char *)pkt + length + 4, len);
+ return !isc_tsmemcmp(digest, (u_char *)pkt + length + 4, len);
}
/*
@@ -106,7 +111,7 @@ addr2refid(sockaddr_u *addr)
{
u_char digest[20];
u_int32 addr_refid;
- EVP_MD_CTX ctx;
+ EVP_MD_CTX *ctx;
u_int len;
if (IS_IPV4(addr))
@@ -114,24 +119,23 @@ addr2refid(sockaddr_u *addr)
INIT_SSL();
-#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL
- EVP_MD_CTX_init(&ctx);
+ ctx = EVP_MD_CTX_new();
+ EVP_MD_CTX_init(ctx);
#ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW
/* MD5 is not used as a crypto hash here. */
- EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
+ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
#endif
- if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) {
+ if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) {
msyslog(LOG_ERR,
"MD5 init failed");
+ EVP_MD_CTX_free(ctx); /* pedantic... but safe */
exit(1);
}
-#else
- EVP_DigestInit(&ctx, EVP_md5());
-#endif
- EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr),
+ EVP_DigestUpdate(ctx, (u_char *)PSOCK_ADDR6(addr),
sizeof(struct in6_addr));
- EVP_DigestFinal(&ctx, digest, &len);
+ EVP_DigestFinal(ctx, digest, &len);
+ EVP_MD_CTX_free(ctx);
memcpy(&addr_refid, digest, sizeof(addr_refid));
return (addr_refid);
}
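Review bot: `addr2refid` passes the result of `EVP_MD_CTX_new()` straight to `EVP_MD_CTX_init()` and `EVP_DigestInit_ex()` without the NULL test that MD5authencrypt and MD5authdecrypt gained in this commit; with the pre-1.1 shim that value comes from `calloc` and can be NULL. A guard such as `if (ctx == NULL) { msyslog(LOG_ERR, "MD5 init failed"); exit(1); }` before the init call would match the failure handling already used here. The `keytype_from_text` hunk in ssl_init.c also uses the new context unchecked, and `digest_len` is then compared against `max_digest_len` whether or not the digest calls succeeded. The start of `addr2refid` lies outside this hunk.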
diff --git a/contrib/ntp/libntp/audio.c b/contrib/ntp/libntp/audio.c
index 726dfa94d819..3b0a0b364c11 100644
--- a/contrib/ntp/libntp/audio.c
+++ b/contrib/ntp/libntp/audio.c
@@ -55,7 +55,7 @@ static struct audio_device device; /* audio device ident */
#ifdef PCM_STYLE_SOUND
# define INIT_FILE "/etc/ntp.audio"
int agc = SOUND_MIXER_WRITE_RECLEV; /* or IGAIN or LINE */
-int monitor = SOUND_MIXER_WRITE_VOLUME; /* or OGAIN */
+int audiomonitor = SOUND_MIXER_WRITE_VOLUME; /* or OGAIN */
int devmask = 0;
int recmask = 0;
char cf_c_dev[100], cf_i_dev[100], cf_agc[100], cf_monitor[100];
@@ -334,7 +334,7 @@ audio_init(
/* devmask */
i = mixer_name(cf_monitor, devmask);
if (i >= 0)
- monitor = MIXER_WRITE(i);
+ audiomonitor = MIXER_WRITE(i);
else
printf("monitor %s not in devmask %#x\n",
cf_monitor, devmask);
@@ -412,7 +412,7 @@ audio_gain(
# endif
l |= r << 8;
if (cf_monitor[0] != '\0')
- rval = ioctl(ctl_fd, monitor, &l );
+ rval = ioctl(ctl_fd, audiomonitor, &l );
else
rval = ioctl(ctl_fd, SOUND_MIXER_WRITE_VOLUME,
&l);
diff --git a/contrib/ntp/libntp/libssl_compat.c b/contrib/ntp/libntp/libssl_compat.c
new file mode 100644
index 000000000000..ce6acb7d3c78
--- /dev/null
+++ b/contrib/ntp/libntp/libssl_compat.c
@@ -0,0 +1,335 @@
+/*
+ * libssl_compat.c -- OpenSSL v1.1 compatibility functions
+ *
+ * ---------------------------------------------------------------------
+ * Written by Juergen Perlinger <perlinger@ntp.org> for the NTP project
+ *
+ * Based on an idea by Kurt Roeckx <kurt@roeckx.be>
+ *
+ * ---------------------------------------------------------------------
+ * This is a clean room implementation of shim functions that have
+ * counterparts in the OpenSSL v1.1 API but not in earlier versions. So
+ * while OpenSSL broke binary compatibility with v1.1, this shim module
+ * should provide the necessary source code compatibility with older
+ * versions of OpenSSL.
+ * ---------------------------------------------------------------------
+ */
+#include "config.h"
+
+#include <string.h>
+#include <openssl/bn.h>
+#include <openssl/evp.h>
+
+#include "ntp_types.h"
+
+/* ----------------------------------------------------------------- */
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+/* ----------------------------------------------------------------- */
+
+#include "libssl_compat.h"
+#include "ntp_assert.h"
+
+/* --------------------------------------------------------------------
+ * replace a BIGNUM owned by the caller with another one if it's not
+ * NULL, taking over the ownership of the new value. This clears & frees
+ * the old value -- the clear might be overkill, but it's better to err
+ * on the side of paranoia here.
+ */
+static void
+replace_bn_nn(
+ BIGNUM ** ps,
+ BIGNUM * n
+ )
+{
+ if (n) {
+ REQUIRE(*ps != n);
+ BN_clear_free(*ps);
+ *ps = n;
+ }
+}
+
+/* --------------------------------------------------------------------
+ * allocation and deallocation of prime number callbacks
+ */
+BN_GENCB*
+sslshimBN_GENCB_new(void)
+{
+ return calloc(1,sizeof(BN_GENCB));
+}
+
+void
+sslshimBN_GENCB_free(
+ BN_GENCB *cb
+ )
+{
+ free(cb);
+}
+
+/* --------------------------------------------------------------------
+ * allocation and deallocation of message digests
+ */
+EVP_MD_CTX*
+sslshim_EVP_MD_CTX_new(void)
+{
+ return calloc(1, sizeof(EVP_MD_CTX));
+}
+
+void
+sslshim_EVP_MD_CTX_free(
+ EVP_MD_CTX * pctx
+ )
+{
+ free(pctx);
+}
+
+/* --------------------------------------------------------------------
+ * get EVP keys and key type
+ */
+int
+sslshim_EVP_PKEY_id(
+ const EVP_PKEY *pkey
+ )
+{
+ return (pkey) ? pkey->type : EVP_PKEY_NONE;
+}
+
+int
+sslshim_EVP_PKEY_base_id(
+ const EVP_PKEY *pkey
+ )
+{
+ return (pkey) ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE;
+}
+
+RSA*
+sslshim_EVP_PKEY_get0_RSA(
+ EVP_PKEY * pkey
+ )
+{
+ return (pkey) ? pkey->pkey.rsa : NULL;
+}
+
+DSA*
+sslshim_EVP_PKEY_get0_DSA(
+ EVP_PKEY * pkey
+ )
+{
+ return (pkey) ? pkey->pkey.dsa : NULL;
+}
+
+/* --------------------------------------------------------------------
+ * set/get RSA params
+ */
+void
+sslshim_RSA_get0_key(
+ const RSA * prsa,
+ const BIGNUM ** pn,
+ const BIGNUM ** pe,
+ const BIGNUM ** pd
+ )
+{
+ REQUIRE(prsa != NULL);
+
+ if (pn)
+ *pn = prsa->n;
+ if (pe)
+ *pe = prsa->e;
+ if (pd)
+ *pd = prsa->d;
+}
+
+int
+sslshim_RSA_set0_key(
+ RSA * prsa,
+ BIGNUM * n,
+ BIGNUM * e,
+ BIGNUM * d
+ )
+{
+ REQUIRE(prsa != NULL);
+ if (!((prsa->n || n) && (prsa->e || e)))
+ return 0;
+
+ replace_bn_nn(&prsa->n, n);
+ replace_bn_nn(&prsa->e, e);
+ replace_bn_nn(&prsa->d, d);
+
+ return 1;
+}
+
+void
+sslshim_RSA_get0_factors(
+ const RSA * prsa,
+ const BIGNUM ** pp,
+ const BIGNUM ** pq
+ )
+{
+ REQUIRE(prsa != NULL);
+
+ if (pp)
+ *pp = prsa->p;
+ if (pq)
+ *pq = prsa->q;
+}
+
+int
+sslshim_RSA_set0_factors(
+ RSA * prsa,
+ BIGNUM * p,
+ BIGNUM * q
+ )
+{
+ REQUIRE(prsa != NULL);
+ if (!((prsa->p || p) && (prsa->q || q)))
+ return 0;
+
+ replace_bn_nn(&prsa->p, p);
+ replace_bn_nn(&prsa->q, q);
+
+ return 1;
+}
+
+int
+sslshim_RSA_set0_crt_params(
+ RSA * prsa,
+ BIGNUM * dmp1,
+ BIGNUM * dmq1,
+ BIGNUM * iqmp
+ )
+{
+ REQUIRE(prsa != NULL);
+ if (!((prsa->dmp1 || dmp1) &&
+ (prsa->dmq1 || dmq1) &&
+ (prsa->iqmp || iqmp) ))
+ return 0;
+
+ replace_bn_nn(&prsa->dmp1, dmp1);
+ replace_bn_nn(&prsa->dmq1, dmq1);
+ replace_bn_nn(&prsa->iqmp, iqmp);
+
+ return 1;
+}
+
+/* --------------------------------------------------------------------
+ * set/get DSA signature parameters
+ */
+void
+sslshim_DSA_SIG_get0(
+ const DSA_SIG * psig,
+ const BIGNUM ** pr,
+ const BIGNUM ** ps
+ )
+{
+ REQUIRE(psig != NULL);
+
+ if (pr != NULL)
+ *pr = psig->r;
+ if (ps != NULL)
+ *ps = psig->s;
+}
+
+int
+sslshim_DSA_SIG_set0(
+ DSA_SIG * psig,
+ BIGNUM * r,
+ BIGNUM * s
+ )
+{
+ REQUIRE(psig != NULL);
+ if (!(r && s))
+ return 0;
+
+ replace_bn_nn(&psig->r, r);
+ replace_bn_nn(&psig->s, s);
+
+ return 1;
+}
+
+/* --------------------------------------------------------------------
+ * get/set DSA parameters
+ */
+void
+sslshim_DSA_get0_pqg(
+ const DSA * pdsa,
+ const BIGNUM ** pp,
+ const BIGNUM ** pq,
+ const BIGNUM ** pg
+ )
+{
+ REQUIRE(pdsa != NULL);
+
+ if (pp != NULL)
+ *pp = pdsa->p;
+ if (pq != NULL)
+ *pq = pdsa->q;
+ if (pg != NULL)
+ *pg = pdsa->g;
+}
+
+int
+sslshim_DSA_set0_pqg(
+ DSA * pdsa,
+ BIGNUM * p,
+ BIGNUM * q,
+ BIGNUM * g
+ )
+{
+ if (!((pdsa->p || p) && (pdsa->q || q) && (pdsa->g || g)))
+ return 0;
+
+ replace_bn_nn(&pdsa->p, p);
+ replace_bn_nn(&pdsa->q, q);
+ replace_bn_nn(&pdsa->g, g);
+
+ return 1;
+}
+
+void
+sslshim_DSA_get0_key(
+ const DSA * pdsa,
+ const BIGNUM ** ppub_key,
+ const BIGNUM ** ppriv_key
+ )
+{
+ REQUIRE(pdsa != NULL);
+
+ if (ppub_key != NULL)
+ *ppub_key = pdsa->pub_key;
+ if (ppriv_key != NULL)
+ *ppriv_key = pdsa->priv_key;
+}
+
+int
+sslshim_DSA_set0_key(
+ DSA * pdsa,
+ BIGNUM * pub_key,
+ BIGNUM * priv_key
+ )
+{
+ REQUIRE(pdsa != NULL);
+ if (!(pdsa->pub_key || pub_key))
+ return 0;
+
+ replace_bn_nn(&pdsa->pub_key, pub_key);
+ replace_bn_nn(&pdsa->priv_key, priv_key);
+
+ return 1;
+}
+
+int
+sslshim_X509_get_signature_nid(
+ const X509 *x
+ )
+{
+ return OBJ_obj2nid(x->sig_alg->algorithm);
+}
+
+/* ----------------------------------------------------------------- */
+#else /* OPENSSL_VERSION_NUMBER >= v1.1.0 */
+/* ----------------------------------------------------------------- */
+
+NONEMPTY_TRANSLATION_UNIT
+
+/* ----------------------------------------------------------------- */
+#endif
+/* ----------------------------------------------------------------- */
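Review bot: `sslshim_EVP_MD_CTX_free()` releases the context with a bare `free()`, so any digest state still attached to it (for example after an init that was never followed by a final) is neither wiped nor freed on pre-1.1 builds, and for the MAC routines that state is derived from key material. Calling `EVP_MD_CTX_cleanup(pctx)` before `free(pctx)` when `pctx` is non-NULL, or delegating the pair to `EVP_MD_CTX_create()` / `EVP_MD_CTX_destroy()` if the supported OpenSSL versions all provide them, would close that gap. Separately, `sslshim_DSA_set0_pqg()` dereferences `pdsa` without the `REQUIRE(pdsa != NULL);` that the other setters have, and `calloc`/`free` are used without a visible `#include <stdlib.h>`.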
diff --git a/contrib/ntp/libntp/ntp_calendar.c b/contrib/ntp/libntp/ntp_calendar.c
index ff6ead364e5a..4bfb0e723c01 100644
--- a/contrib/ntp/libntp/ntp_calendar.c
+++ b/contrib/ntp/libntp/ntp_calendar.c
@@ -91,7 +91,7 @@
/*
*---------------------------------------------------------------------
* replacing the 'time()' function
- * --------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
static systime_func_ptr systime_func = &time;
@@ -395,7 +395,7 @@ ntpcal_get_build_date(
/*
*---------------------------------------------------------------------
* basic calendar stuff
- * --------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
/* month table for a year starting with March,1st */
@@ -443,11 +443,11 @@ static const uint16_t real_month_table[2][13] = {
*/
/*
- * ==================================================================
+ * ====================================================================
*
* General algorithmic stuff
*
- * ==================================================================
+ * ====================================================================
*/
/*
@@ -495,7 +495,7 @@ static const uint16_t real_month_table[2][13] = {
* 32/16bit divisions and is still performant is a bit more
* difficult. Since most usecases can be coded in a way that does only
* require the 32-bit version a 64bit version is NOT provided here.
- * ---------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
int32_t
ntpcal_periodic_extend(
@@ -542,8 +542,35 @@ ntpcal_periodic_extend(
return pivot;
}
+/*---------------------------------------------------------------------
+ * Note to the casual reader
+ *
+ * In the next two functions you will find (or would have found...)
+ * the expression
+ *
+ * res.Q_s -= 0x80000000;
+ *
+ * There was some ruckus about a possible programming error due to
+ * integer overflow and sign propagation.
+ *
+ * This assumption is based on a lack of understanding of the C
+ * standard. (Though this is admittedly not one of the most 'natural'
+ * aspects of the 'C' language and easily to get wrong.)
+ *
+ * see
+ * http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf
+ * "ISO/IEC 9899:201x Committee Draft — April 12, 2011"
+ * 6.4.4.1 Integer constants, clause 5
+ *
+ * why there is no sign extension/overflow problem here.
+ *
+ * But to ease the minds of the doubtful, I added back the 'u' qualifiers
+ * that somehow got lost over the last years.
+ */
+
+
/*
- *-------------------------------------------------------------------
+ *---------------------------------------------------------------------
* Convert a timestamp in NTP scale to a 64bit seconds value in the UN*X
* scale with proper epoch unfolding around a given pivot or the current
* system time. This function happily accepts negative pivot values as
@@ -553,7 +580,7 @@ ntpcal_periodic_extend(
* This is also a periodic extension, but since the cycle is 2^32 and
* the shift is 2^31, we can do some *very* fast math without explicit
* divisions.
- *-------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
vint64
ntpcal_ntp_to_time(
@@ -568,7 +595,7 @@ ntpcal_ntp_to_time(
res.q_s = (pivot != NULL)
? *pivot
: now();
- res.Q_s -= 0x80000000; /* unshift of half range */
+ res.Q_s -= 0x80000000u; /* unshift of half range */
ntp -= (uint32_t)JAN_1970; /* warp into UN*X domain */
ntp -= res.D_s.lo; /* cycle difference */
res.Q_s += (uint64_t)ntp; /* get expanded time */
@@ -581,7 +608,7 @@ ntpcal_ntp_to_time(
? *pivot
: now();
res = time_to_vint64(&tmp);
- M_SUB(res.D_s.hi, res.D_s.lo, 0, 0x80000000);
+ M_SUB(res.D_s.hi, res.D_s.lo, 0, 0x80000000u);
ntp -= (uint32_t)JAN_1970; /* warp into UN*X domain */
ntp -= res.D_s.lo; /* cycle difference */
M_ADD(res.D_s.hi, res.D_s.lo, 0, ntp);
@@ -592,7 +619,7 @@ ntpcal_ntp_to_time(
}
/*
- *-------------------------------------------------------------------
+ *---------------------------------------------------------------------
* Convert a timestamp in NTP scale to a 64bit seconds value in the NTP
* scale with proper epoch unfolding around a given pivot or the current
* system time.
@@ -602,7 +629,7 @@ ntpcal_ntp_to_time(
* This is also a periodic extension, but since the cycle is 2^32 and
* the shift is 2^31, we can do some *very* fast math without explicit
* divisions.
- *-------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
vint64
ntpcal_ntp_to_ntp(
@@ -617,7 +644,7 @@ ntpcal_ntp_to_ntp(
res.q_s = (pivot)
? *pivot
: now();
- res.Q_s -= 0x80000000; /* unshift of half range */
+ res.Q_s -= 0x80000000u; /* unshift of half range */
res.Q_s += (uint32_t)JAN_1970; /* warp into NTP domain */
ntp -= res.D_s.lo; /* cycle difference */
res.Q_s += (uint64_t)ntp; /* get expanded time */
@@ -642,20 +669,20 @@ ntpcal_ntp_to_ntp(
/*
- * ==================================================================
+ * ====================================================================
*
* Splitting values to composite entities
*
- * ==================================================================
+ * ====================================================================
*/
/*
- *-------------------------------------------------------------------
+ *---------------------------------------------------------------------
* Split a 64bit seconds value into elapsed days in 'res.hi' and
* elapsed seconds since midnight in 'res.lo' using explicit floor
* division. This function happily accepts negative time values as
* timestamps before the respective epoch start.
- * -------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
ntpcal_split
ntpcal_daysplit(
@@ -736,11 +763,11 @@ ntpcal_daysplit(
}
/*
- *-------------------------------------------------------------------
+ *---------------------------------------------------------------------
* Split a 32bit seconds value into h/m/s and excessive days. This
* function happily accepts negative time values as timestamps before
* midnight.
- * -------------------------------------------------------------------
+ *---------------------------------------------------------------------
*/
static int32_t
priv_timesplit(
@@ -773,7 +800,7 @@ priv_timesplit(
}
/*
- * ---------------------------------------------------------------------
+ *---------------------------------------------------------------------
* Given the number of elapsed days in the calendar era, split this
* number into the number of elapsed years in 'res.hi' and the number
* of elapsed days of that year in 'res.lo'.
@@ -1053,11 +1080,11 @@ ntpcal_time_to_date(
/*
- * ==================================================================
+ * ====================================================================
*
* merging composite entities
*
- * ==================================================================
+ * ====================================================================
*/
/*
@@ -1251,8 +1278,8 @@ ntpcal_edate_to_eradays(
* Convert ELAPSED years/months/days of gregorian calendar to elapsed
* days in year.
*
- * Note: This will give the true difference to the start of the given year,
- * even if months & days are off-scale.
+ * Note: This will give the true difference to the start of the given
+ * year, even if months & days are off-scale.
*---------------------------------------------------------------------
*/
int32_t
@@ -1434,11 +1461,11 @@ ntpcal_date_to_time(
/*
- * ==================================================================
+ * ====================================================================
*
* extended and unchecked variants of caljulian/caltontp
*
- * ==================================================================
+ * ====================================================================
*/
int
ntpcal_ntp64_to_date(
@@ -1500,11 +1527,11 @@ ntpcal_date_to_ntp(
/*
- * ==================================================================
+ * ====================================================================
*
* day-of-week calculations
*
- * ==================================================================
+ * ====================================================================
*/
/*
* Given a RataDie and a day-of-week, calculate a RDN that is reater-than,
@@ -1557,7 +1584,7 @@ ntpcal_weekday_lt(
}
/*
- * ==================================================================
+ * ====================================================================
*
* ISO week-calendar conversions
*
@@ -1601,7 +1628,7 @@ ntpcal_weekday_lt(
* smallest possible powers of two, so the division can be implemented
* as shifts if the optimiser chooses to do so.
*
- * ==================================================================
+ * ====================================================================
*/
/*
diff --git a/contrib/ntp/libntp/ntp_intres.c b/contrib/ntp/libntp/ntp_intres.c
index 0b5bb7534256..7aa288af57b2 100644
--- a/contrib/ntp/libntp/ntp_intres.c
+++ b/contrib/ntp/libntp/ntp_intres.c
@@ -118,14 +118,16 @@
* is managed by the code which calls the *_complete routines.
*/
+
/* === typedefs === */
typedef struct blocking_gai_req_tag { /* marshalled args */
size_t octets;
u_int dns_idx;
time_t scheduled;
time_t earliest;
- struct addrinfo hints;
int retry;
+ struct addrinfo hints;
+ u_int qflags;
gai_sometime_callback callback;
void * context;
size_t nodesize;
@@ -205,8 +207,8 @@ static dnsworker_ctx * get_worker_context(blocking_child *, u_int);
static void scheduled_sleep(time_t, time_t,
dnsworker_ctx *);
static void manage_dns_retry_interval(time_t *, time_t *,
- int *,
- time_t *);
+ int *, time_t *,
+ int/*BOOL*/);
static int should_retry_dns(int, int);
#ifdef HAVE_RES_INIT
static void reload_resolv_conf(dnsworker_ctx *);
@@ -230,13 +232,14 @@ static void getnameinfo_sometime_complete(blocking_work_req,
* invokes provided callback completion function.
*/
int
-getaddrinfo_sometime(
+getaddrinfo_sometime_ex(
const char * node,
const char * service,
const struct addrinfo * hints,
int retry,
gai_sometime_callback callback,
- void * context
+ void * context,
+ u_int qflags
)
{
blocking_gai_req * gai_req;
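Review bot: The header comment above `getaddrinfo_sometime_ex` was written for the six-argument function and says nothing about the new `qflags` parameter, although it changes retry behaviour substantially. Going by the later hunks, `GAIR_F_IGNDNSERR` forces `again` to be true for every resolver failure and raises the backoff ceiling from 64 to 1024 seconds. I would add a line such as `/* qflags: GAIR_F_* bits; GAIR_F_IGNDNSERR retries on any resolver error, backing off to at most 1024s */` to that comment and say whether the retry counter still bounds such requests. The function body continues outside this hunk.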
@@ -277,6 +280,7 @@ getaddrinfo_sometime(
gai_req->context = context;
gai_req->nodesize = nodesize;
gai_req->servsize = servsize;
+ gai_req->qflags = qflags;
memcpy((char *)gai_req + sizeof(*gai_req), node, nodesize);
memcpy((char *)gai_req + sizeof(*gai_req) + nodesize, service,
@@ -451,6 +455,20 @@ blocking_getaddrinfo(
return 0;
}
+int
+getaddrinfo_sometime(
+ const char * node,
+ const char * service,
+ const struct addrinfo * hints,
+ int retry,
+ gai_sometime_callback callback,
+ void * context
+ )
+{
+ return getaddrinfo_sometime_ex(node, service, hints, retry,
+ callback, context, 0);
+}
+
static void
getaddrinfo_sometime_complete(
@@ -470,7 +488,7 @@ getaddrinfo_sometime_complete(
char * service;
char * canon_start;
time_t time_now;
- int again;
+ int again, noerr;
int af;
const char * fam_spec;
int i;
@@ -498,8 +516,9 @@ getaddrinfo_sometime_complete(
gai_req->dns_idx, humantime(time_now)));
}
} else {
- again = should_retry_dns(gai_resp->retcode,
- gai_resp->gai_errno);
+ noerr = !!(gai_req->qflags & GAIR_F_IGNDNSERR);
+ again = noerr || should_retry_dns(
+ gai_resp->retcode, gai_resp->gai_errno);
/*
* exponential backoff of DNS retries to 64s
*/
@@ -528,9 +547,10 @@ getaddrinfo_sometime_complete(
gai_strerror(gai_resp->retcode),
gai_resp->retcode);
}
- manage_dns_retry_interval(&gai_req->scheduled,
- &gai_req->earliest, &gai_req->retry,
- &child_ctx->next_dns_timeslot);
+ manage_dns_retry_interval(
+ &gai_req->scheduled, &gai_req->earliest,
+ &gai_req->retry, &child_ctx->next_dns_timeslot,
+ noerr);
if (!queue_blocking_request(
BLOCKING_GETADDRINFO,
gai_req,
@@ -826,7 +846,7 @@ getnameinfo_sometime_complete(
if (gni_req->retry > 0)
manage_dns_retry_interval(&gni_req->scheduled,
&gni_req->earliest, &gni_req->retry,
- &child_ctx->next_dns_timeslot);
+ &child_ctx->next_dns_timeslot, FALSE);
if (gni_req->retry > 0 && again) {
if (!queue_blocking_request(
@@ -1033,18 +1053,32 @@ manage_dns_retry_interval(
time_t * pscheduled,
time_t * pwhen,
int * pretry,
- time_t * pnext_timeslot
+ time_t * pnext_timeslot,
+ int forever
)
{
time_t now;
time_t when;
int retry;
+ int retmax;
now = time(NULL);
retry = *pretry;
when = max(now + retry, *pnext_timeslot);
*pnext_timeslot = when;
- retry = min(64, retry << 1);
+
+ /* this exponential backoff is slower than doubling up: The
+ * sequence goes 2-3-4-6-8-12-16-24-32... and the upper limit is
+ * 64 seconds for things that should not repeat forever, and
+ * 1024 when repeated forever.
+ */
+ retmax = forever ? 1024 : 64;
+ retry <<= 1;
+ if (retry & (retry - 1))
+ retry &= (retry - 1);
+ else
+ retry -= (retry >> 2);
+ retry = min(retmax, retry);
*pscheduled = now;
*pwhen = when;
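Review bot: `retry <<= 1` runs on a signed `int` before the `min(retmax, retry)` clamp, so a caller-supplied interval that is negative or above `INT_MAX / 2` reaches an undefined shift before it is ever bounded. Whether callers can pass such a value is not visible here, but clamping first, `if (retry > retmax) retry = retmax;` ahead of the shift, makes the function safe on its own. It would also help to state in the comment that a `retry` of 0 stays 0 through this sequence. The end of the function is outside the hunk.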
diff --git a/contrib/ntp/libntp/ssl_init.c b/contrib/ntp/libntp/ssl_init.c
index a9d1d546dfb8..ef0f1c185a88 100644
--- a/contrib/ntp/libntp/ssl_init.c
+++ b/contrib/ntp/libntp/ssl_init.c
@@ -15,6 +15,7 @@
#ifdef OPENSSL
#include "openssl/err.h"
#include "openssl/evp.h"
+#include "libssl_compat.h"
void atexit_ssl_cleanup(void);
@@ -62,6 +63,7 @@ ssl_check_version(void)
INIT_SSL();
}
+
#endif /* OPENSSL */
@@ -84,7 +86,6 @@ keytype_from_text(
u_char digest[EVP_MAX_MD_SIZE];
char * upcased;
char * pch;
- EVP_MD_CTX ctx;
/*
* OpenSSL digest short names are capitalized, so uppercase the
@@ -110,8 +111,12 @@ keytype_from_text(
if (NULL != pdigest_len) {
#ifdef OPENSSL
- EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type));
- EVP_DigestFinal(&ctx, digest, &digest_len);
+ EVP_MD_CTX *ctx;
+
+ ctx = EVP_MD_CTX_new();
+ EVP_DigestInit(ctx, EVP_get_digestbynid(key_type));
+ EVP_DigestFinal(ctx, digest, &digest_len);
+ EVP_MD_CTX_free(ctx);
if (digest_len > max_digest_len) {
fprintf(stderr,
"key type %s %u octet digests are too big, max %lu\n",
diff --git a/contrib/ntp/libntp/work_fork.c b/contrib/ntp/libntp/work_fork.c
index 6c9545aa9cbc..8223fdd2f9b2 100644
--- a/contrib/ntp/libntp/work_fork.c
+++ b/contrib/ntp/libntp/work_fork.c
@@ -114,18 +114,24 @@ interrupt_worker_sleep(void)
/*
* harvest_child_status() runs in the parent.
+ *
+ * Note the error handling -- this is an interaction with SIGCHLD.
+ * SIG_IGN on SIGCHLD on some OSes means do not wait but reap
+ * automatically. Since we're not really interested in the result code,
+ * we simply ignore the error.
*/
static void
harvest_child_status(
blocking_child * c
)
{
- if (c->pid)
- {
+ if (c->pid) {
/* Wait on the child so it can finish terminating */
if (waitpid(c->pid, NULL, 0) == c->pid)
TRACE(4, ("harvested child %d\n", c->pid));
- else msyslog(LOG_ERR, "error waiting on child %d: %m", c->pid);
+ else if (errno != ECHILD)
+ msyslog(LOG_ERR, "error waiting on child %d: %m", c->pid);
+ c->pid = 0;
}
}
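Review bot: `c->pid = 0` now runs even when `waitpid()` fails for a reason other than the child already being gone, e.g. `EINTR`, so an interrupted wait discards the pid and the child is never reaped. Retrying on interruption, `do { rc = waitpid(c->pid, NULL, 0); } while (rc == -1 && errno == EINTR);`, and clearing the pid only after success or `ECHILD` avoids leaving a zombie behind. The new comment also explains the `ECHILD` case in terms of `SIG_IGN` on SIGCHLD, which this same commit stops installing in `fork_blocking_child`, so the wording could say that the check remains for handlers set elsewhere.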
@@ -162,7 +168,6 @@ cleanup_after_child(
close(c->resp_read_pipe);
c->resp_read_pipe = -1;
}
- c->pid = 0;
c->resp_read_ctx = NULL;
DEBUG_INSIST(-1 == c->req_read_pipe);
DEBUG_INSIST(-1 == c->resp_write_pipe);
@@ -461,7 +466,10 @@ fork_blocking_child(
fflush(stdout);
fflush(stderr);
- signal_no_reset(SIGCHLD, SIG_IGN);
+ /* [BUG 3050] setting SIGCHLD to SIG_IGN likely causes unwanted
+ * or undefined effects. We don't do it and leave SIGCHLD alone.
+ */
+ /* signal_no_reset(SIGCHLD, SIG_IGN); */
childpid = fork();
if (-1 == childpid) {