diff options
Diffstat (limited to 'contrib/ntp/libntp')
| -rw-r--r-- | contrib/ntp/libntp/Makefile.am | 1 | ||||
| -rw-r--r-- | contrib/ntp/libntp/Makefile.in | 67 | ||||
| -rw-r--r-- | contrib/ntp/libntp/a_md5encrypt.c | 62 | ||||
| -rw-r--r-- | contrib/ntp/libntp/audio.c | 6 | ||||
| -rw-r--r-- | contrib/ntp/libntp/libssl_compat.c | 335 | ||||
| -rw-r--r-- | contrib/ntp/libntp/ntp_calendar.c | 85 | ||||
| -rw-r--r-- | contrib/ntp/libntp/ntp_intres.c | 62 | ||||
| -rw-r--r-- | contrib/ntp/libntp/ssl_init.c | 11 | ||||
| -rw-r--r-- | contrib/ntp/libntp/work_fork.c | 18 |
9 files changed, 532 insertions, 115 deletions
diff --git a/contrib/ntp/libntp/Makefile.am b/contrib/ntp/libntp/Makefile.am index 26a4709..874739a 100644 --- a/contrib/ntp/libntp/Makefile.am +++ b/contrib/ntp/libntp/Makefile.am @@ -73,6 +73,7 @@ libntp_a_SRCS = \ iosignal.c \ is_ip_address.c \ lib_strbuf.c \ + libssl_compat.c \ machines.c \ mktime.c \ modetoa.c \ diff --git a/contrib/ntp/libntp/Makefile.in b/contrib/ntp/libntp/Makefile.in index 9125c19..46b7926 100644 --- a/contrib/ntp/libntp/Makefile.in +++ b/contrib/ntp/libntp/Makefile.in @@ -150,15 +150,15 @@ am__libntp_a_SOURCES_DIST = systime.c a_md5encrypt.c adjtime.c \ calyearstart.c clocktime.c clocktypes.c decodenetnum.c \ dofptoa.c dolfptoa.c emalloc.c findconfig.c getopt.c \ hextoint.c hextolfp.c humandate.c icom.c iosignal.c \ - is_ip_address.c lib_strbuf.c machines.c mktime.c modetoa.c \ - mstolfp.c msyslog.c netof.c ntp_calendar.c ntp_crypto_rnd.c \ - ntp_intres.c ntp_libopts.c ntp_lineedit.c ntp_random.c \ - ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c octtoint.c \ - prettydate.c refidsmear.c recvbuff.c refnumtoa.c snprintf.c \ - socket.c socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \ - strl_obsd.c syssignal.c timetoa.c timevalops.c uglydate.c \ - vint64ops.c work_fork.c work_thread.c ymd2yd.c \ - $(srcdir)/../lib/isc/assertions.c \ + is_ip_address.c lib_strbuf.c libssl_compat.c machines.c \ + mktime.c modetoa.c mstolfp.c msyslog.c netof.c ntp_calendar.c \ + ntp_crypto_rnd.c ntp_intres.c ntp_libopts.c ntp_lineedit.c \ + ntp_random.c ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c \ + octtoint.c prettydate.c refidsmear.c recvbuff.c refnumtoa.c \ + snprintf.c socket.c socktoa.c socktohost.c ssl_init.c \ + statestr.c strdup.c strl_obsd.c syssignal.c timetoa.c \ + timevalops.c uglydate.c vint64ops.c work_fork.c work_thread.c \ + ymd2yd.c $(srcdir)/../lib/isc/assertions.c \ $(srcdir)/../lib/isc/buffer.c \ $(srcdir)/../lib/isc/backtrace-emptytbl.c \ $(srcdir)/../lib/isc/backtrace.c \ @@ -209,20 +209,21 @@ am__objects_4 = a_md5encrypt.$(OBJEXT) adjtime.$(OBJEXT) \ getopt.$(OBJEXT) hextoint.$(OBJEXT) hextolfp.$(OBJEXT) \ humandate.$(OBJEXT) icom.$(OBJEXT) iosignal.$(OBJEXT) \ is_ip_address.$(OBJEXT) lib_strbuf.$(OBJEXT) \ - machines.$(OBJEXT) mktime.$(OBJEXT) modetoa.$(OBJEXT) \ - mstolfp.$(OBJEXT) msyslog.$(OBJEXT) netof.$(OBJEXT) \ - ntp_calendar.$(OBJEXT) ntp_crypto_rnd.$(OBJEXT) \ - ntp_intres.$(OBJEXT) ntp_libopts.$(OBJEXT) \ - ntp_lineedit.$(OBJEXT) ntp_random.$(OBJEXT) \ - ntp_rfc2553.$(OBJEXT) ntp_worker.$(OBJEXT) numtoa.$(OBJEXT) \ - numtohost.$(OBJEXT) octtoint.$(OBJEXT) prettydate.$(OBJEXT) \ - refidsmear.$(OBJEXT) recvbuff.$(OBJEXT) refnumtoa.$(OBJEXT) \ - snprintf.$(OBJEXT) socket.$(OBJEXT) socktoa.$(OBJEXT) \ - socktohost.$(OBJEXT) ssl_init.$(OBJEXT) statestr.$(OBJEXT) \ - strdup.$(OBJEXT) strl_obsd.$(OBJEXT) syssignal.$(OBJEXT) \ - timetoa.$(OBJEXT) timevalops.$(OBJEXT) uglydate.$(OBJEXT) \ - vint64ops.$(OBJEXT) work_fork.$(OBJEXT) work_thread.$(OBJEXT) \ - ymd2yd.$(OBJEXT) $(am__objects_3) $(am__objects_1) + libssl_compat.$(OBJEXT) machines.$(OBJEXT) mktime.$(OBJEXT) \ + modetoa.$(OBJEXT) mstolfp.$(OBJEXT) msyslog.$(OBJEXT) \ + netof.$(OBJEXT) ntp_calendar.$(OBJEXT) \ + ntp_crypto_rnd.$(OBJEXT) ntp_intres.$(OBJEXT) \ + ntp_libopts.$(OBJEXT) ntp_lineedit.$(OBJEXT) \ + ntp_random.$(OBJEXT) ntp_rfc2553.$(OBJEXT) \ + ntp_worker.$(OBJEXT) numtoa.$(OBJEXT) numtohost.$(OBJEXT) \ + octtoint.$(OBJEXT) prettydate.$(OBJEXT) refidsmear.$(OBJEXT) \ + recvbuff.$(OBJEXT) refnumtoa.$(OBJEXT) snprintf.$(OBJEXT) \ + socket.$(OBJEXT) socktoa.$(OBJEXT) socktohost.$(OBJEXT) \ + ssl_init.$(OBJEXT) statestr.$(OBJEXT) strdup.$(OBJEXT) \ + strl_obsd.$(OBJEXT) syssignal.$(OBJEXT) timetoa.$(OBJEXT) \ + timevalops.$(OBJEXT) uglydate.$(OBJEXT) vint64ops.$(OBJEXT) \ + work_fork.$(OBJEXT) work_thread.$(OBJEXT) ymd2yd.$(OBJEXT) \ + $(am__objects_3) $(am__objects_1) am_libntp_a_OBJECTS = systime.$(OBJEXT) $(am__objects_4) libntp_a_OBJECTS = $(am_libntp_a_OBJECTS) libntpsim_a_AR = $(AR) $(ARFLAGS) @@ -233,15 +234,15 @@ am__libntpsim_a_SOURCES_DIST = systime_s.c a_md5encrypt.c adjtime.c \ calyearstart.c clocktime.c clocktypes.c decodenetnum.c \ dofptoa.c dolfptoa.c emalloc.c findconfig.c getopt.c \ hextoint.c hextolfp.c humandate.c icom.c iosignal.c \ - is_ip_address.c lib_strbuf.c machines.c mktime.c modetoa.c \ - mstolfp.c msyslog.c netof.c ntp_calendar.c ntp_crypto_rnd.c \ - ntp_intres.c ntp_libopts.c ntp_lineedit.c ntp_random.c \ - ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c octtoint.c \ - prettydate.c refidsmear.c recvbuff.c refnumtoa.c snprintf.c \ - socket.c socktoa.c socktohost.c ssl_init.c statestr.c strdup.c \ - strl_obsd.c syssignal.c timetoa.c timevalops.c uglydate.c \ - vint64ops.c work_fork.c work_thread.c ymd2yd.c \ - $(srcdir)/../lib/isc/assertions.c \ + is_ip_address.c lib_strbuf.c libssl_compat.c machines.c \ + mktime.c modetoa.c mstolfp.c msyslog.c netof.c ntp_calendar.c \ + ntp_crypto_rnd.c ntp_intres.c ntp_libopts.c ntp_lineedit.c \ + ntp_random.c ntp_rfc2553.c ntp_worker.c numtoa.c numtohost.c \ + octtoint.c prettydate.c refidsmear.c recvbuff.c refnumtoa.c \ + snprintf.c socket.c socktoa.c socktohost.c ssl_init.c \ + statestr.c strdup.c strl_obsd.c syssignal.c timetoa.c \ + timevalops.c uglydate.c vint64ops.c work_fork.c work_thread.c \ + ymd2yd.c $(srcdir)/../lib/isc/assertions.c \ $(srcdir)/../lib/isc/buffer.c \ $(srcdir)/../lib/isc/backtrace-emptytbl.c \ $(srcdir)/../lib/isc/backtrace.c \ @@ -665,6 +666,7 @@ libntp_a_SRCS = \ iosignal.c \ is_ip_address.c \ lib_strbuf.c \ + libssl_compat.c \ machines.c \ mktime.c \ modetoa.c \ @@ -813,6 +815,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/is_ip_address.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib_strbuf.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libssl_compat.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/log.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/machines.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/md5.Po@am__quote@ diff --git a/contrib/ntp/libntp/a_md5encrypt.c b/contrib/ntp/libntp/a_md5encrypt.c index 618ccd9..7edcd2e 100644 --- a/contrib/ntp/libntp/a_md5encrypt.c +++ b/contrib/ntp/libntp/a_md5encrypt.c @@ -11,6 +11,7 @@ #include "ntp.h" #include "ntp_md5.h" /* provides OpenSSL digest API */ #include "isc/string.h" +#include "libssl_compat.h" /* * MD5authencrypt - generate message digest * @@ -26,7 +27,7 @@ MD5authencrypt( { u_char digest[EVP_MAX_MD_SIZE]; u_int len; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; /* * Compute digest of key concatenated with packet. Note: the @@ -34,18 +35,20 @@ MD5authencrypt( * was creaded. */ INIT_SSL(); -#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL - if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) { + ctx = EVP_MD_CTX_new(); + if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) { msyslog(LOG_ERR, "MAC encrypt: digest init failed"); + EVP_MD_CTX_free(ctx); return (0); } -#else - EVP_DigestInit(&ctx, EVP_get_digestbynid(type)); -#endif - EVP_DigestUpdate(&ctx, key, cache_secretsize); - EVP_DigestUpdate(&ctx, (u_char *)pkt, length); - EVP_DigestFinal(&ctx, digest, &len); + EVP_DigestUpdate(ctx, key, cache_secretsize); + EVP_DigestUpdate(ctx, (u_char *)pkt, length); + EVP_DigestFinal(ctx, digest, &len); + EVP_MD_CTX_free(ctx); + /* If the MAC is longer than the MAX then truncate it. */ + if (len > MAX_MAC_LEN - 4) + len = MAX_MAC_LEN - 4; memmove((u_char *)pkt + length + 4, digest, len); return (len + 4); } @@ -67,7 +70,7 @@ MD5authdecrypt( { u_char digest[EVP_MAX_MD_SIZE]; u_int len; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; /* * Compute digest of key concatenated with packet. Note: the @@ -75,24 +78,26 @@ MD5authdecrypt( * was created. */ INIT_SSL(); -#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL - if (!EVP_DigestInit(&ctx, EVP_get_digestbynid(type))) { + ctx = EVP_MD_CTX_new(); + if (!(ctx && EVP_DigestInit(ctx, EVP_get_digestbynid(type)))) { msyslog(LOG_ERR, "MAC decrypt: digest init failed"); + EVP_MD_CTX_free(ctx); return (0); } -#else - EVP_DigestInit(&ctx, EVP_get_digestbynid(type)); -#endif - EVP_DigestUpdate(&ctx, key, cache_secretsize); - EVP_DigestUpdate(&ctx, (u_char *)pkt, length); - EVP_DigestFinal(&ctx, digest, &len); + EVP_DigestUpdate(ctx, key, cache_secretsize); + EVP_DigestUpdate(ctx, (u_char *)pkt, length); + EVP_DigestFinal(ctx, digest, &len); + EVP_MD_CTX_free(ctx); + /* If the MAC is longer than the MAX then truncate it. */ + if (len > MAX_MAC_LEN - 4) + len = MAX_MAC_LEN - 4; if (size != (size_t)len + 4) { msyslog(LOG_ERR, "MAC decrypt: MAC length error"); return (0); } - return !isc_tsmemcmp(digest, (const char *)pkt + length + 4, len); + return !isc_tsmemcmp(digest, (u_char *)pkt + length + 4, len); } /* @@ -106,7 +111,7 @@ addr2refid(sockaddr_u *addr) { u_char digest[20]; u_int32 addr_refid; - EVP_MD_CTX ctx; + EVP_MD_CTX *ctx; u_int len; if (IS_IPV4(addr)) @@ -114,24 +119,23 @@ addr2refid(sockaddr_u *addr) INIT_SSL(); -#if defined(OPENSSL) && OPENSSL_VERSION_NUMBER >= 0x0090700fL - EVP_MD_CTX_init(&ctx); + ctx = EVP_MD_CTX_new(); + EVP_MD_CTX_init(ctx); #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW /* MD5 is not used as a crypto hash here. */ - EVP_MD_CTX_set_flags(&ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); + EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); #endif - if (!EVP_DigestInit_ex(&ctx, EVP_md5(), NULL)) { + if (!EVP_DigestInit_ex(ctx, EVP_md5(), NULL)) { msyslog(LOG_ERR, "MD5 init failed"); + EVP_MD_CTX_free(ctx); /* pedantic... but safe */ exit(1); } -#else - EVP_DigestInit(&ctx, EVP_md5()); -#endif - EVP_DigestUpdate(&ctx, (u_char *)PSOCK_ADDR6(addr), + EVP_DigestUpdate(ctx, (u_char *)PSOCK_ADDR6(addr), sizeof(struct in6_addr)); - EVP_DigestFinal(&ctx, digest, &len); + EVP_DigestFinal(ctx, digest, &len); + EVP_MD_CTX_free(ctx); memcpy(&addr_refid, digest, sizeof(addr_refid)); return (addr_refid); } diff --git a/contrib/ntp/libntp/audio.c b/contrib/ntp/libntp/audio.c index 726dfa9..3b0a0b3 100644 --- a/contrib/ntp/libntp/audio.c +++ b/contrib/ntp/libntp/audio.c @@ -55,7 +55,7 @@ static struct audio_device device; /* audio device ident */ #ifdef PCM_STYLE_SOUND # define INIT_FILE "/etc/ntp.audio" int agc = SOUND_MIXER_WRITE_RECLEV; /* or IGAIN or LINE */ -int monitor = SOUND_MIXER_WRITE_VOLUME; /* or OGAIN */ +int audiomonitor = SOUND_MIXER_WRITE_VOLUME; /* or OGAIN */ int devmask = 0; int recmask = 0; char cf_c_dev[100], cf_i_dev[100], cf_agc[100], cf_monitor[100]; @@ -334,7 +334,7 @@ audio_init( /* devmask */ i = mixer_name(cf_monitor, devmask); if (i >= 0) - monitor = MIXER_WRITE(i); + audiomonitor = MIXER_WRITE(i); else printf("monitor %s not in devmask %#x\n", cf_monitor, devmask); @@ -412,7 +412,7 @@ audio_gain( # endif l |= r << 8; if (cf_monitor[0] != '\0') - rval = ioctl(ctl_fd, monitor, &l ); + rval = ioctl(ctl_fd, audiomonitor, &l ); else rval = ioctl(ctl_fd, SOUND_MIXER_WRITE_VOLUME, &l); diff --git a/contrib/ntp/libntp/libssl_compat.c b/contrib/ntp/libntp/libssl_compat.c new file mode 100644 index 0000000..ce6acb7 --- /dev/null +++ b/contrib/ntp/libntp/libssl_compat.c @@ -0,0 +1,335 @@ +/* + * libssl_compat.c -- OpenSSL v1.1 compatibility functions + * + * --------------------------------------------------------------------- + * Written by Juergen Perlinger <perlinger@ntp.org> for the NTP project + * + * Based on an idea by Kurt Roeckx <kurt@roeckx.be> + * + * --------------------------------------------------------------------- + * This is a clean room implementation of shim functions that have + * counterparts in the OpenSSL v1.1 API but not in earlier versions. So + * while OpenSSL broke binary compatibility with v1.1, this shim module + * should provide the necessary source code compatibility with older + * versions of OpenSSL. + * --------------------------------------------------------------------- + */ +#include "config.h" + +#include <string.h> +#include <openssl/bn.h> +#include <openssl/evp.h> + +#include "ntp_types.h" + +/* ----------------------------------------------------------------- */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +/* ----------------------------------------------------------------- */ + +#include "libssl_compat.h" +#include "ntp_assert.h" + +/* -------------------------------------------------------------------- + * replace a BIGNUM owned by the caller with another one if it's not + * NULL, taking over the ownership of the new value. This clears & frees + * the old value -- the clear might be overkill, but it's better to err + * on the side of paranoia here. + */ +static void +replace_bn_nn( + BIGNUM ** ps, + BIGNUM * n + ) +{ + if (n) { + REQUIRE(*ps != n); + BN_clear_free(*ps); + *ps = n; + } +} + +/* -------------------------------------------------------------------- + * allocation and deallocation of prime number callbacks + */ +BN_GENCB* +sslshimBN_GENCB_new(void) +{ + return calloc(1,sizeof(BN_GENCB)); +} + +void +sslshimBN_GENCB_free( + BN_GENCB *cb + ) +{ + free(cb); +} + +/* -------------------------------------------------------------------- + * allocation and deallocation of message digests + */ +EVP_MD_CTX* +sslshim_EVP_MD_CTX_new(void) +{ + return calloc(1, sizeof(EVP_MD_CTX)); +} + +void +sslshim_EVP_MD_CTX_free( + EVP_MD_CTX * pctx + ) +{ + free(pctx); +} + +/* -------------------------------------------------------------------- + * get EVP keys and key type + */ +int +sslshim_EVP_PKEY_id( + const EVP_PKEY *pkey + ) +{ + return (pkey) ? pkey->type : EVP_PKEY_NONE; +} + +int +sslshim_EVP_PKEY_base_id( + const EVP_PKEY *pkey + ) +{ + return (pkey) ? EVP_PKEY_type(pkey->type) : EVP_PKEY_NONE; +} + +RSA* +sslshim_EVP_PKEY_get0_RSA( + EVP_PKEY * pkey + ) +{ + return (pkey) ? pkey->pkey.rsa : NULL; +} + +DSA* +sslshim_EVP_PKEY_get0_DSA( + EVP_PKEY * pkey + ) +{ + return (pkey) ? pkey->pkey.dsa : NULL; +} + +/* -------------------------------------------------------------------- + * set/get RSA params + */ +void +sslshim_RSA_get0_key( + const RSA * prsa, + const BIGNUM ** pn, + const BIGNUM ** pe, + const BIGNUM ** pd + ) +{ + REQUIRE(prsa != NULL); + + if (pn) + *pn = prsa->n; + if (pe) + *pe = prsa->e; + if (pd) + *pd = prsa->d; +} + +int +sslshim_RSA_set0_key( + RSA * prsa, + BIGNUM * n, + BIGNUM * e, + BIGNUM * d + ) +{ + REQUIRE(prsa != NULL); + if (!((prsa->n || n) && (prsa->e || e))) + return 0; + + replace_bn_nn(&prsa->n, n); + replace_bn_nn(&prsa->e, e); + replace_bn_nn(&prsa->d, d); + + return 1; +} + +void +sslshim_RSA_get0_factors( + const RSA * prsa, + const BIGNUM ** pp, + const BIGNUM ** pq + ) +{ + REQUIRE(prsa != NULL); + + if (pp) + *pp = prsa->p; + if (pq) + *pq = prsa->q; +} + +int +sslshim_RSA_set0_factors( + RSA * prsa, + BIGNUM * p, + BIGNUM * q + ) +{ + REQUIRE(prsa != NULL); + if (!((prsa->p || p) && (prsa->q || q))) + return 0; + + replace_bn_nn(&prsa->p, p); + replace_bn_nn(&prsa->q, q); + + return 1; +} + +int +sslshim_RSA_set0_crt_params( + RSA * prsa, + BIGNUM * dmp1, + BIGNUM * dmq1, + BIGNUM * iqmp + ) +{ + REQUIRE(prsa != NULL); + if (!((prsa->dmp1 || dmp1) && + (prsa->dmq1 || dmq1) && + (prsa->iqmp || iqmp) )) + return 0; + + replace_bn_nn(&prsa->dmp1, dmp1); + replace_bn_nn(&prsa->dmq1, dmq1); + replace_bn_nn(&prsa->iqmp, iqmp); + + return 1; +} + +/* -------------------------------------------------------------------- + * set/get DSA signature parameters + */ +void +sslshim_DSA_SIG_get0( + const DSA_SIG * psig, + const BIGNUM ** pr, + const BIGNUM ** ps + ) +{ + REQUIRE(psig != NULL); + + if (pr != NULL) + *pr = psig->r; + if (ps != NULL) + *ps = psig->s; +} + +int +sslshim_DSA_SIG_set0( + DSA_SIG * psig, + BIGNUM * r, + BIGNUM * s + ) +{ + REQUIRE(psig != NULL); + if (!(r && s)) + return 0; + + replace_bn_nn(&psig->r, r); + replace_bn_nn(&psig->s, s); + + return 1; +} + +/* -------------------------------------------------------------------- + * get/set DSA parameters + */ +void +sslshim_DSA_get0_pqg( + const DSA * pdsa, + const BIGNUM ** pp, + const BIGNUM ** pq, + const BIGNUM ** pg + ) +{ + REQUIRE(pdsa != NULL); + + if (pp != NULL) + *pp = pdsa->p; + if (pq != NULL) + *pq = pdsa->q; + if (pg != NULL) + *pg = pdsa->g; +} + +int +sslshim_DSA_set0_pqg( + DSA * pdsa, + BIGNUM * p, + BIGNUM * q, + BIGNUM * g + ) +{ + if (!((pdsa->p || p) && (pdsa->q || q) && (pdsa->g || g))) + return 0; + + replace_bn_nn(&pdsa->p, p); + replace_bn_nn(&pdsa->q, q); + replace_bn_nn(&pdsa->g, g); + + return 1; +} + +void +sslshim_DSA_get0_key( + const DSA * pdsa, + const BIGNUM ** ppub_key, + const BIGNUM ** ppriv_key + ) +{ + REQUIRE(pdsa != NULL); + + if (ppub_key != NULL) + *ppub_key = pdsa->pub_key; + if (ppriv_key != NULL) + *ppriv_key = pdsa->priv_key; +} + +int +sslshim_DSA_set0_key( + DSA * pdsa, + BIGNUM * pub_key, + BIGNUM * priv_key + ) +{ + REQUIRE(pdsa != NULL); + if (!(pdsa->pub_key || pub_key)) + return 0; + + replace_bn_nn(&pdsa->pub_key, pub_key); + replace_bn_nn(&pdsa->priv_key, priv_key); + + return 1; +} + +int +sslshim_X509_get_signature_nid( + const X509 *x + ) +{ + return OBJ_obj2nid(x->sig_alg->algorithm); +} + +/* ----------------------------------------------------------------- */ +#else /* OPENSSL_VERSION_NUMBER >= v1.1.0 */ +/* ----------------------------------------------------------------- */ + +NONEMPTY_TRANSLATION_UNIT + +/* ----------------------------------------------------------------- */ +#endif +/* ----------------------------------------------------------------- */ diff --git a/contrib/ntp/libntp/ntp_calendar.c b/contrib/ntp/libntp/ntp_calendar.c index ff6ead3..4bfb0e7 100644 --- a/contrib/ntp/libntp/ntp_calendar.c +++ b/contrib/ntp/libntp/ntp_calendar.c @@ -91,7 +91,7 @@ /* *--------------------------------------------------------------------- * replacing the 'time()' function - * -------------------------------------------------------------------- + *--------------------------------------------------------------------- */ static systime_func_ptr systime_func = &time; @@ -395,7 +395,7 @@ ntpcal_get_build_date( /* *--------------------------------------------------------------------- * basic calendar stuff - * -------------------------------------------------------------------- + *--------------------------------------------------------------------- */ /* month table for a year starting with March,1st */ @@ -443,11 +443,11 @@ static const uint16_t real_month_table[2][13] = { */ /* - * ================================================================== + * ==================================================================== * * General algorithmic stuff * - * ================================================================== + * ==================================================================== */ /* @@ -495,7 +495,7 @@ static const uint16_t real_month_table[2][13] = { * 32/16bit divisions and is still performant is a bit more * difficult. Since most usecases can be coded in a way that does only * require the 32-bit version a 64bit version is NOT provided here. - * --------------------------------------------------------------------- + *--------------------------------------------------------------------- */ int32_t ntpcal_periodic_extend( @@ -542,8 +542,35 @@ ntpcal_periodic_extend( return pivot; } +/*--------------------------------------------------------------------- + * Note to the casual reader + * + * In the next two functions you will find (or would have found...) + * the expression + * + * res.Q_s -= 0x80000000; + * + * There was some ruckus about a possible programming error due to + * integer overflow and sign propagation. + * + * This assumption is based on a lack of understanding of the C + * standard. (Though this is admittedly not one of the most 'natural' + * aspects of the 'C' language and easily to get wrong.) + * + * see + * http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1570.pdf + * "ISO/IEC 9899:201x Committee Draft — April 12, 2011" + * 6.4.4.1 Integer constants, clause 5 + * + * why there is no sign extension/overflow problem here. + * + * But to ease the minds of the doubtful, I added back the 'u' qualifiers + * that somehow got lost over the last years. + */ + + /* - *------------------------------------------------------------------- + *--------------------------------------------------------------------- * Convert a timestamp in NTP scale to a 64bit seconds value in the UN*X * scale with proper epoch unfolding around a given pivot or the current * system time. This function happily accepts negative pivot values as @@ -553,7 +580,7 @@ ntpcal_periodic_extend( * This is also a periodic extension, but since the cycle is 2^32 and * the shift is 2^31, we can do some *very* fast math without explicit * divisions. - *------------------------------------------------------------------- + *--------------------------------------------------------------------- */ vint64 ntpcal_ntp_to_time( @@ -568,7 +595,7 @@ ntpcal_ntp_to_time( res.q_s = (pivot != NULL) ? *pivot : now(); - res.Q_s -= 0x80000000; /* unshift of half range */ + res.Q_s -= 0x80000000u; /* unshift of half range */ ntp -= (uint32_t)JAN_1970; /* warp into UN*X domain */ ntp -= res.D_s.lo; /* cycle difference */ res.Q_s += (uint64_t)ntp; /* get expanded time */ @@ -581,7 +608,7 @@ ntpcal_ntp_to_time( ? *pivot : now(); res = time_to_vint64(&tmp); - M_SUB(res.D_s.hi, res.D_s.lo, 0, 0x80000000); + M_SUB(res.D_s.hi, res.D_s.lo, 0, 0x80000000u); ntp -= (uint32_t)JAN_1970; /* warp into UN*X domain */ ntp -= res.D_s.lo; /* cycle difference */ M_ADD(res.D_s.hi, res.D_s.lo, 0, ntp); @@ -592,7 +619,7 @@ ntpcal_ntp_to_time( } /* - *------------------------------------------------------------------- + *--------------------------------------------------------------------- * Convert a timestamp in NTP scale to a 64bit seconds value in the NTP * scale with proper epoch unfolding around a given pivot or the current * system time. @@ -602,7 +629,7 @@ ntpcal_ntp_to_time( * This is also a periodic extension, but since the cycle is 2^32 and * the shift is 2^31, we can do some *very* fast math without explicit * divisions. - *------------------------------------------------------------------- + *--------------------------------------------------------------------- */ vint64 ntpcal_ntp_to_ntp( @@ -617,7 +644,7 @@ ntpcal_ntp_to_ntp( res.q_s = (pivot) ? *pivot : now(); - res.Q_s -= 0x80000000; /* unshift of half range */ + res.Q_s -= 0x80000000u; /* unshift of half range */ res.Q_s += (uint32_t)JAN_1970; /* warp into NTP domain */ ntp -= res.D_s.lo; /* cycle difference */ res.Q_s += (uint64_t)ntp; /* get expanded time */ @@ -642,20 +669,20 @@ ntpcal_ntp_to_ntp( /* - * ================================================================== + * ==================================================================== * * Splitting values to composite entities * - * ================================================================== + * ==================================================================== */ /* - *------------------------------------------------------------------- + *--------------------------------------------------------------------- * Split a 64bit seconds value into elapsed days in 'res.hi' and * elapsed seconds since midnight in 'res.lo' using explicit floor * division. This function happily accepts negative time values as * timestamps before the respective epoch start. - * ------------------------------------------------------------------- + *--------------------------------------------------------------------- */ ntpcal_split ntpcal_daysplit( @@ -736,11 +763,11 @@ ntpcal_daysplit( } /* - *------------------------------------------------------------------- + *--------------------------------------------------------------------- * Split a 32bit seconds value into h/m/s and excessive days. This * function happily accepts negative time values as timestamps before * midnight. - * ------------------------------------------------------------------- + *--------------------------------------------------------------------- */ static int32_t priv_timesplit( @@ -773,7 +800,7 @@ priv_timesplit( } /* - * --------------------------------------------------------------------- + *--------------------------------------------------------------------- * Given the number of elapsed days in the calendar era, split this * number into the number of elapsed years in 'res.hi' and the number * of elapsed days of that year in 'res.lo'. @@ -1053,11 +1080,11 @@ ntpcal_time_to_date( /* - * ================================================================== + * ==================================================================== * * merging composite entities * - * ================================================================== + * ==================================================================== */ /* @@ -1251,8 +1278,8 @@ ntpcal_edate_to_eradays( * Convert ELAPSED years/months/days of gregorian calendar to elapsed * days in year. * - * Note: This will give the true difference to the start of the given year, - * even if months & days are off-scale. + * Note: This will give the true difference to the start of the given + * year, even if months & days are off-scale. *--------------------------------------------------------------------- */ int32_t @@ -1434,11 +1461,11 @@ ntpcal_date_to_time( /* - * ================================================================== + * ==================================================================== * * extended and unchecked variants of caljulian/caltontp * - * ================================================================== + * ==================================================================== */ int ntpcal_ntp64_to_date( @@ -1500,11 +1527,11 @@ ntpcal_date_to_ntp( /* - * ================================================================== + * ==================================================================== * * day-of-week calculations * - * ================================================================== + * ==================================================================== */ /* * Given a RataDie and a day-of-week, calculate a RDN that is reater-than, @@ -1557,7 +1584,7 @@ ntpcal_weekday_lt( } /* - * ================================================================== + * ==================================================================== * * ISO week-calendar conversions * @@ -1601,7 +1628,7 @@ ntpcal_weekday_lt( * smallest possible powers of two, so the division can be implemented * as shifts if the optimiser chooses to do so. * - * ================================================================== + * ==================================================================== */ /* diff --git a/contrib/ntp/libntp/ntp_intres.c b/contrib/ntp/libntp/ntp_intres.c index 0b5bb75..7aa288a 100644 --- a/contrib/ntp/libntp/ntp_intres.c +++ b/contrib/ntp/libntp/ntp_intres.c @@ -118,14 +118,16 @@ * is managed by the code which calls the *_complete routines. */ + /* === typedefs === */ typedef struct blocking_gai_req_tag { /* marshalled args */ size_t octets; u_int dns_idx; time_t scheduled; time_t earliest; - struct addrinfo hints; int retry; + struct addrinfo hints; + u_int qflags; gai_sometime_callback callback; void * context; size_t nodesize; @@ -205,8 +207,8 @@ static dnsworker_ctx * get_worker_context(blocking_child *, u_int); static void scheduled_sleep(time_t, time_t, dnsworker_ctx *); static void manage_dns_retry_interval(time_t *, time_t *, - int *, - time_t *); + int *, time_t *, + int/*BOOL*/); static int should_retry_dns(int, int); #ifdef HAVE_RES_INIT static void reload_resolv_conf(dnsworker_ctx *); @@ -230,13 +232,14 @@ static void getnameinfo_sometime_complete(blocking_work_req, * invokes provided callback completion function. */ int -getaddrinfo_sometime( +getaddrinfo_sometime_ex( const char * node, const char * service, const struct addrinfo * hints, int retry, gai_sometime_callback callback, - void * context + void * context, + u_int qflags ) { blocking_gai_req * gai_req; @@ -277,6 +280,7 @@ getaddrinfo_sometime( gai_req->context = context; gai_req->nodesize = nodesize; gai_req->servsize = servsize; + gai_req->qflags = qflags; memcpy((char *)gai_req + sizeof(*gai_req), node, nodesize); memcpy((char *)gai_req + sizeof(*gai_req) + nodesize, service, @@ -451,6 +455,20 @@ blocking_getaddrinfo( return 0; } +int +getaddrinfo_sometime( + const char * node, + const char * service, + const struct addrinfo * hints, + int retry, + gai_sometime_callback callback, + void * context + ) +{ + return getaddrinfo_sometime_ex(node, service, hints, retry, + callback, context, 0); +} + static void getaddrinfo_sometime_complete( @@ -470,7 +488,7 @@ getaddrinfo_sometime_complete( char * service; char * canon_start; time_t time_now; - int again; + int again, noerr; int af; const char * fam_spec; int i; @@ -498,8 +516,9 @@ getaddrinfo_sometime_complete( gai_req->dns_idx, humantime(time_now))); } } else { - again = should_retry_dns(gai_resp->retcode, - gai_resp->gai_errno); + noerr = !!(gai_req->qflags & GAIR_F_IGNDNSERR); + again = noerr || should_retry_dns( + gai_resp->retcode, gai_resp->gai_errno); /* * exponential backoff of DNS retries to 64s */ @@ -528,9 +547,10 @@ getaddrinfo_sometime_complete( gai_strerror(gai_resp->retcode), gai_resp->retcode); } - manage_dns_retry_interval(&gai_req->scheduled, - &gai_req->earliest, &gai_req->retry, - &child_ctx->next_dns_timeslot); + manage_dns_retry_interval( + &gai_req->scheduled, &gai_req->earliest, + &gai_req->retry, &child_ctx->next_dns_timeslot, + noerr); if (!queue_blocking_request( BLOCKING_GETADDRINFO, gai_req, @@ -826,7 +846,7 @@ getnameinfo_sometime_complete( if (gni_req->retry > 0) manage_dns_retry_interval(&gni_req->scheduled, &gni_req->earliest, &gni_req->retry, - &child_ctx->next_dns_timeslot); + &child_ctx->next_dns_timeslot, FALSE); if (gni_req->retry > 0 && again) { if (!queue_blocking_request( @@ -1033,18 +1053,32 @@ manage_dns_retry_interval( time_t * pscheduled, time_t * pwhen, int * pretry, - time_t * pnext_timeslot + time_t * pnext_timeslot, + int forever ) { time_t now; time_t when; int retry; + int retmax; now = time(NULL); retry = *pretry; when = max(now + retry, *pnext_timeslot); *pnext_timeslot = when; - retry = min(64, retry << 1); + + /* this exponential backoff is slower than doubling up: The + * sequence goes 2-3-4-6-8-12-16-24-32... and the upper limit is + * 64 seconds for things that should not repeat forever, and + * 1024 when repeated forever. + */ + retmax = forever ? 1024 : 64; + retry <<= 1; + if (retry & (retry - 1)) + retry &= (retry - 1); + else + retry -= (retry >> 2); + retry = min(retmax, retry); *pscheduled = now; *pwhen = when; diff --git a/contrib/ntp/libntp/ssl_init.c b/contrib/ntp/libntp/ssl_init.c index a9d1d54..ef0f1c1 100644 --- a/contrib/ntp/libntp/ssl_init.c +++ b/contrib/ntp/libntp/ssl_init.c @@ -15,6 +15,7 @@ #ifdef OPENSSL #include "openssl/err.h" #include "openssl/evp.h" +#include "libssl_compat.h" void atexit_ssl_cleanup(void); @@ -62,6 +63,7 @@ ssl_check_version(void) INIT_SSL(); } + #endif /* OPENSSL */ @@ -84,7 +86,6 @@ keytype_from_text( u_char digest[EVP_MAX_MD_SIZE]; char * upcased; char * pch; - EVP_MD_CTX ctx; /* * OpenSSL digest short names are capitalized, so uppercase the @@ -110,8 +111,12 @@ keytype_from_text( if (NULL != pdigest_len) { #ifdef OPENSSL - EVP_DigestInit(&ctx, EVP_get_digestbynid(key_type)); - EVP_DigestFinal(&ctx, digest, &digest_len); + EVP_MD_CTX *ctx; + + ctx = EVP_MD_CTX_new(); + EVP_DigestInit(ctx, EVP_get_digestbynid(key_type)); + EVP_DigestFinal(ctx, digest, &digest_len); + EVP_MD_CTX_free(ctx); if (digest_len > max_digest_len) { fprintf(stderr, "key type %s %u octet digests are too big, max %lu\n", diff --git a/contrib/ntp/libntp/work_fork.c b/contrib/ntp/libntp/work_fork.c index 6c9545a..8223fdd 100644 --- a/contrib/ntp/libntp/work_fork.c +++ b/contrib/ntp/libntp/work_fork.c @@ -114,18 +114,24 @@ interrupt_worker_sleep(void) /* * harvest_child_status() runs in the parent. + * + * Note the error handling -- this is an interaction with SIGCHLD. + * SIG_IGN on SIGCHLD on some OSes means do not wait but reap + * automatically. Since we're not really interested in the result code, + * we simply ignore the error. */ static void harvest_child_status( blocking_child * c ) { - if (c->pid) - { + if (c->pid) { /* Wait on the child so it can finish terminating */ if (waitpid(c->pid, NULL, 0) == c->pid) TRACE(4, ("harvested child %d\n", c->pid)); - else msyslog(LOG_ERR, "error waiting on child %d: %m", c->pid); + else if (errno != ECHILD) + msyslog(LOG_ERR, "error waiting on child %d: %m", c->pid); + c->pid = 0; } } @@ -162,7 +168,6 @@ cleanup_after_child( close(c->resp_read_pipe); c->resp_read_pipe = -1; } - c->pid = 0; c->resp_read_ctx = NULL; DEBUG_INSIST(-1 == c->req_read_pipe); DEBUG_INSIST(-1 == c->resp_write_pipe); @@ -461,7 +466,10 @@ fork_blocking_child( fflush(stdout); fflush(stderr); - signal_no_reset(SIGCHLD, SIG_IGN); + /* [BUG 3050] setting SIGCHLD to SIG_IGN likely causes unwanted + * or undefined effects. We don't do it and leave SIGCHLD alone. + */ + /* signal_no_reset(SIGCHLD, SIG_IGN); */ childpid = fork(); if (-1 == childpid) { |
