diff --git a/.chrony.metadata b/.chrony.metadata
index 0e4fc3a..59f2c95 100644
--- a/.chrony.metadata
+++ b/.chrony.metadata
@@ -1,2 +1,2 @@
-0f5de043b395311a58bcf4be9800f7118afd5f59 SOURCES/chrony-4.2.tar.gz
-2e1fac8161ea8d92d76532c0b272fb31799bc310 SOURCES/clknetsim-824c48.tar.gz
+4661e5df181a9761b73caeaef2f2ab755bbe086a SOURCES/chrony-4.5.tar.gz
+e021461c23fe4e5c46fd53c449587d8f6cc217ae SOURCES/clknetsim-5d1dc0.tar.gz
diff --git a/.gitignore b/.gitignore
index 851aa77..a1b6ce7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/chrony-4.2.tar.gz
-SOURCES/clknetsim-824c48.tar.gz
+SOURCES/chrony-4.5.tar.gz
+SOURCES/clknetsim-5d1dc0.tar.gz
diff --git a/SOURCES/chrony-cmac.patch b/SOURCES/chrony-cmac.patch
new file mode 100644
index 0000000..b8884d3
--- /dev/null
+++ b/SOURCES/chrony-cmac.patch
@@ -0,0 +1,56 @@ +commit 8eb5dd54efd13aa0209aea38dbad2a7904377f75 +Author: Miroslav Lichvar +Date: Tue Sep 17 13:00:43 2024 +0200 + + configure: enable AES-CMAC using gnutls + + Allow gnutls to be used for AES-CMAC when nettle doesn't support it + without switching also hashing. + +diff --git a/configure b/configure +index eefe5de8..0fb3aa38 100755 +--- a/configure ++++ b/configure +@@ -937,14 +937,26 @@ if [ $feat_sechash = "1" ] && [ "x$HASH_LINK" = "x" ] && [ $try_gnutls = "1" ]; + HASH_LINK="$test_link" + MYCPPFLAGS="$MYCPPFLAGS $test_cflags" + add_def FEAT_SECHASH ++ fi ++fi + +- if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \ +- 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);' +- then +- add_def HAVE_CMAC +- EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o" +- EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o" +- fi ++if [ $feat_sechash = "1" ] && [ $try_gnutls = "1" ] && ++ ! grep '#define HAVE_CMAC' config.h > /dev/null; then ++ if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then ++ test_cflags="" ++ test_link="" ++ else ++ test_cflags="`pkg_config --cflags gnutls`" ++ test_link="`pkg_config --libs gnutls`" ++ fi ++ if test_code 'CMAC in gnutls' 'gnutls/crypto.h' "$test_cflags" "$test_link" \ ++ 'return gnutls_hmac_init((void *)1, GNUTLS_MAC_AES_CMAC_128, (void *)2, 0);' ++ then ++ add_def HAVE_CMAC ++ EXTRA_OBJECTS="$EXTRA_OBJECTS cmac_gnutls.o" ++ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS cmac_gnutls.o" ++ LIBS="$LIBS $test_link" ++ MYCPPFLAGS="$MYCPPFLAGS $test_cflags" + fi + fi + +@@ -978,7 +990,7 @@ EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS $HASH_OBJ" + LIBS="$LIBS $HASH_LINK" + + if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then +- if [ "$HASH_OBJ" = "hash_gnutls.o" ]; then ++ if echo "$HASH_OBJ $EXTRA_OBJECTS" | grep "_gnutls\.o" > /dev/null; then + test_cflags="" + test_link="" + else 
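Review bot: The new gnutls CMAC probe fails closed but silently: if `pkg_config --cflags gnutls`/`--libs gnutls` yields nothing usable, test_code fails, HAVE_CMAC stays undefined and configure carries on without AES-CMAC, which is the feature this patch exists to enable. Nothing visible in the spec checks the outcome, so a missing gnutls-devel or a broken probe would ship a chronyd that rejects AES128/AES256 keys without any build failure; adding a post-configure assertion in %build such as `grep -q '^#define HAVE_CMAC' config.h` would make that loud. The `! grep '#define HAVE_CMAC' config.h` guard also relies on config.h being (re)created earlier in this configure run; if a config.h from a previous run can survive, a stale define would skip the probe, which is worth confirming. Both configure hunks sit inside control flow that starts and ends outside the patch.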
diff --git a/SOURCES/chrony-defconfig.patch b/SOURCES/chrony-defconfig.patch index b471de8..24f3123 100644 --- a/SOURCES/chrony-defconfig.patch +++ b/SOURCES/chrony-defconfig.patch @@ -27,3 +27,12 @@ diff -up chrony-4.1/examples/chrony.conf.example2.defconfig chrony-4.1/examples/ # Get TAI-UTC offset and leap seconds from the system tz database. #leapsectz right/UTC +diff -up chrony-4.5/examples/chrony.keys.example.keys chrony-4.5/examples/chrony.keys.example +--- chrony-4.5/examples/chrony.keys.example.keys 2023-12-05 14:22:10.000000000 +0100 ++++ chrony-4.5/examples/chrony.keys.example 2023-12-06 09:59:26.089508934 +0100 +@@ -11,5 +11,3 @@ + #1 MD5 AVeryLongAndRandomPassword + #2 MD5 HEX:12114855C7931009B4049EF3EFC48A139C3F989F + #3 SHA1 HEX:B2159C05D6A219673A3B7E896B6DE07F6A440995 +-#4 AES128 HEX:2DA837C4B6573748CA692B8C828E4891 +-#5 AES256 HEX:2666B8099BFF2D5BA20876121788ED24D2BE59111B8FFB562F0F56AE6EC7246E diff --git a/SOURCES/chrony-ipsourcename.patch b/SOURCES/chrony-ipsourcename.patch deleted file mode 100644 index 426ca8a..0000000 --- a/SOURCES/chrony-ipsourcename.patch +++ /dev/null 
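Review bot: Dropping the `#4 AES128 HEX:...` and `#5 AES256 HEX:...` lines from chrony.keys.example now contradicts Patch6 (chrony-cmac.patch) in the same build, which enables AES-CMAC via gnutls; operators reading the packaged example will only see MD5 and SHA1 keys and have no hint that the stronger AES-CMAC key types are available. The patch does not state why the examples are reverted; if it was because earlier builds lacked CMAC support, the new hunk should probably be left out so the upstream example stands. Whichever way it goes, the expected md5sum of examples/chrony.keys.example in the spec's example-file check has to follow the resulting file.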
@@ -1,108 +0,0 @@ -commit 33a1fe7a9ce223d6287ab7b11bca3208e9255cdd -Author: Miroslav Lichvar -Date: Wed Mar 9 15:30:16 2022 +0100 - - ntp: split out conf_id allocation - -diff --git a/ntp_sources.c b/ntp_sources.c -index 3cbb2ae7..30770825 100644 ---- a/ntp_sources.c -+++ b/ntp_sources.c -@@ -698,21 +698,25 @@ static int get_unused_pool_id(void) - - /* ================================================== */ - --NSR_Status --NSR_AddSource(NTP_Remote_Address *remote_addr, NTP_Source_Type type, -- SourceParameters *params, uint32_t *conf_id) -+static uint32_t -+get_next_conf_id(uint32_t *conf_id) - { -- NSR_Status s; -- -- s = add_source(remote_addr, NULL, type, params, INVALID_POOL, last_conf_id + 1); -- if (s != NSR_Success) -- return s; -- - last_conf_id++; -+ - if (conf_id) - *conf_id = last_conf_id; - -- return s; -+ return last_conf_id; -+} -+ -+/* ================================================== */ -+ -+NSR_Status -+NSR_AddSource(NTP_Remote_Address *remote_addr, NTP_Source_Type type, -+ SourceParameters *params, uint32_t *conf_id) -+{ -+ return add_source(remote_addr, NULL, type, params, INVALID_POOL, -+ get_next_conf_id(conf_id)); - } - - /* ================================================== */ -@@ -725,6 +729,7 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type, - struct SourcePool *sp; - NTP_Remote_Address remote_addr; - int i, new_sources, pool_id; -+ uint32_t cid; - - /* If the name is an IP address, add the source with the address directly */ - if (UTI_StringToIP(name, &remote_addr.ip_addr)) { -@@ -770,14 +775,12 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type, - - append_unresolved_source(us); - -- last_conf_id++; -- if (conf_id) -- *conf_id = last_conf_id; -+ cid = get_next_conf_id(conf_id); - - for (i = 0; i < new_sources; i++) { - if (i > 0) - remote_addr.ip_addr.addr.id = ++last_address_id; -- if (add_source(&remote_addr, name, type, params, us->pool_id, last_conf_id) != NSR_Success) -+ if 
(add_source(&remote_addr, name, type, params, us->pool_id, cid) != NSR_Success) - return NSR_TooManySources; - } - - -commit 1219f99935ca9597eb0e4f4c6039e536462cf1a6 -Author: Miroslav Lichvar -Date: Wed Mar 9 15:34:16 2022 +0100 - - ntp: keep original source IP address - - When an added source is specified by IP address, save the original - string instead of formatting a new string from the parsed address, which - can be different (e.g. compressed vs expanded IPv6 address). - - This fixes the chronyc sourcename command and -N option to print the IP - address exactly as it was specified in the configuration file or chronyc - add command. - -diff --git a/ntp_sources.c b/ntp_sources.c -index 30770825..d46c211d 100644 ---- a/ntp_sources.c -+++ b/ntp_sources.c -@@ -353,7 +353,6 @@ add_source(NTP_Remote_Address *remote_addr, char *name, NTP_Source_Type type, - record_lock = 1; - - record = get_record(slot); -- assert(!name || !UTI_IsStringIP(name)); - record->name = Strdup(name ? name : UTI_IPToString(&remote_addr->ip_addr)); - record->data = NCR_CreateInstance(remote_addr, type, params, record->name); - record->remote_addr = NCR_GetRemoteAddress(record->data); -@@ -734,7 +733,8 @@ NSR_AddSourceByName(char *name, int port, int pool, NTP_Source_Type type, - /* If the name is an IP address, add the source with the address directly */ - if (UTI_StringToIP(name, &remote_addr.ip_addr)) { - remote_addr.port = port; -- return NSR_AddSource(&remote_addr, type, params, conf_id); -+ return add_source(&remote_addr, name, type, params, INVALID_POOL, -+ get_next_conf_id(conf_id)); - } - - /* Make sure the name is at least printable and has no spaces */ diff --git a/SOURCES/chrony-nm-dispatcher-dhcp.patch b/SOURCES/chrony-nm-dispatcher-dhcp.patch index 7d132c1..f2381a5 100644 --- a/SOURCES/chrony-nm-dispatcher-dhcp.patch +++ b/SOURCES/chrony-nm-dispatcher-dhcp.patch 
@@ -1,3 +1,67 @@ +First, revert upstream changes since 4.2 + +diff --git a/examples/chrony.nm-dispatcher.dhcp b/examples/chrony.nm-dispatcher.dhcp +index 547ce83f..6ea4c370 100644 +--- a/examples/chrony.nm-dispatcher.dhcp ++++ b/examples/chrony.nm-dispatcher.dhcp +@@ -1,7 +1,8 @@ + #!/bin/sh + # This is a NetworkManager dispatcher script for chronyd to update +-# its NTP sources with servers from DHCP options passed by NetworkManager +-# in the DHCP4_NTP_SERVERS and DHCP6_DHCP6_NTP_SERVERS environment variables. ++# its NTP sources passed from DHCP options. Note that this script is ++# specific to NetworkManager-dispatcher due to use of the ++# DHCP4_NTP_SERVERS environment variable. + + export LC_ALL=C + +@@ -9,23 +10,17 @@ interface=$1 + action=$2 + + chronyc=/usr/bin/chronyc +-server_options=iburst ++default_server_options=iburst + server_dir=/var/run/chrony-dhcp + + dhcp_server_file=$server_dir/$interface.sources +-dhcp_ntp_servers="$DHCP4_NTP_SERVERS $DHCP6_DHCP6_NTP_SERVERS" ++# DHCP4_NTP_SERVERS is passed from DHCP options by NetworkManager. 
++nm_dhcp_servers=$DHCP4_NTP_SERVERS + + add_servers_from_dhcp() { + rm -f "$dhcp_server_file" +- for server in $dhcp_ntp_servers; do +- # Check for invalid characters (from the DHCPv6 NTP FQDN suboption) +- len1=$(printf '%s' "$server" | wc -c) +- len2=$(printf '%s' "$server" | tr -d -c 'A-Za-z0-9:.-' | wc -c) +- if [ "$len1" -ne "$len2" ] || [ "$len2" -lt 1 ] || [ "$len2" -gt 255 ]; then +- continue +- fi +- +- printf 'server %s %s\n' "$server" "$server_options" >> "$dhcp_server_file" ++ for server in $nm_dhcp_servers; do ++ echo "server $server $default_server_options" >> "$dhcp_server_file" + done + $chronyc reload sources > /dev/null 2>&1 || : + } +@@ -39,11 +34,10 @@ clear_servers_from_dhcp() { + + mkdir -p $server_dir + +-case "$action" in +- up|dhcp4-change|dhcp6-change) +- add_servers_from_dhcp;; +- down) +- clear_servers_from_dhcp;; +-esac ++if [ "$action" = "up" ] || [ "$action" = "dhcp4-change" ]; then ++ add_servers_from_dhcp ++elif [ "$action" = "down" ]; then ++ clear_servers_from_dhcp ++fi + + exit 0 + From: Robert Fairley Date: Wed, 17 Jun 2020 10:14:19 -0400 Subject: [PATCH] examples/nm-dispatcher.dhcp: use sysconfig diff --git a/SOURCES/chrony-reload.patch b/SOURCES/chrony-reload.patch new file mode 100644 index 0000000..b8ac742 --- /dev/null +++ b/SOURCES/chrony-reload.patch 
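Review bot: Reverting the loop body to `echo "server $server $default_server_options" >> "$dhcp_server_file"` discards the character and length validation upstream added alongside the DHCPv6 support, not only the DHCP6_DHCP6_NTP_SERVERS input. The values still arrive from the network (DHCP option data relayed by NetworkManager) and are written into a file that `chronyc reload sources` parses as configuration, so keeping the filter is cheap defense in depth even if the revert is needed because this NetworkManager does not export the DHCPv6 variable. Suggest reverting only the variable and the `dhcp6-change` case while keeping upstream's `len1`/`len2` check (the `tr -d -c 'A-Za-z0-9:.-'` filter with the 1–255 length bound and `continue`) and its `printf 'server %s %s\n' "$server" "$default_server_options" >> "$dhcp_server_file"` in place of the unquoted echo. If the revert must stay, a comment on the `nm_dhcp_servers=$DHCP4_NTP_SERVERS` line noting that only IPv4 option-42 addresses are consumed would document why the filter was considered unnecessary.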
@@ -0,0 +1,86 @@ +commit f49be7f06343ee27fff2950937d7f6742f53976f +Author: Miroslav Lichvar +Date: Tue Mar 12 14:30:27 2024 +0100 + + conf: don't load sourcedir during initstepslew and RTC init + + If the reload sources command was received in the chronyd start-up + sequence with initstepslew and/or RTC init (-s option), the sources + loaded from sourcedirs caused a crash due to failed assertion after + adding sources specified in the config. + + Ignore the reload sources command until chronyd enters the normal + operation mode. + + Fixes: 519796de3756 ("conf: add sourcedirs directive") + +diff --git a/conf.c b/conf.c +index 6eae11c9..8849bdce 100644 +--- a/conf.c ++++ b/conf.c +@@ -298,6 +298,8 @@ static ARR_Instance ntp_sources; + static ARR_Instance ntp_source_dirs; + /* Array of uint32_t corresponding to ntp_sources (for sourcedirs reload) */ + static ARR_Instance ntp_source_ids; ++/* Flag indicating ntp_sources and ntp_source_ids are used for sourcedirs */ ++static int conf_ntp_sources_added = 0; + + /* Array of RefclockParameters */ + static ARR_Instance refclock_sources; +@@ -1689,8 +1691,12 @@ reload_source_dirs(void) + NSR_Status s; + int d, pass; + ++ /* Ignore reload command before adding configured sources */ ++ if (!conf_ntp_sources_added) ++ return; ++ + prev_size = ARR_GetSize(ntp_source_ids); +- if (prev_size > 0 && ARR_GetSize(ntp_sources) != prev_size) ++ if (ARR_GetSize(ntp_sources) != prev_size) + assert(0); + + /* Save the current sources and their configuration IDs */ +@@ -1859,7 +1865,10 @@ CNF_AddSources(void) + Free(source->params.name); + } + ++ /* The arrays will be used for sourcedir (re)loading */ + ARR_SetSize(ntp_sources, 0); ++ ARR_SetSize(ntp_source_ids, 0); ++ conf_ntp_sources_added = 1; + + reload_source_dirs(); + } +diff --git a/test/simulation/203-initreload b/test/simulation/203-initreload +new file mode 100755 +index 00000000..cf7924b8 +--- /dev/null ++++ b/test/simulation/203-initreload +@@ -0,0 +1,26 @@ ++#!/usr/bin/env bash 
++ ++. ./test.common ++ ++check_config_h 'FEAT_CMDMON 1' || test_skip ++ ++# Test fix "conf: don't load sourcedir during initstepslew and RTC init" ++ ++test_start "reload during initstepslew" ++ ++client_conf="initstepslew 5 192.168.123.1 ++sourcedir tmp" ++client_server_conf="#" ++chronyc_conf="reload sources" ++chronyc_start=4 ++ ++echo 'server 192.168.123.1' > tmp/sources.sources ++ ++run_test || test_fail ++check_chronyd_exit || test_fail ++check_source_selection || test_fail ++check_sync || test_fail ++ ++check_log_messages "Added source 192\.168\.123\.1" 1 1 || test_fail ++ ++test_pass diff --git a/SOURCES/chrony-serverstats.patch b/SOURCES/chrony-serverstats.patch new file mode 100644 index 0000000..a5131fe --- /dev/null +++ b/SOURCES/chrony-serverstats.patch 
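Review bot: The new early return in reload_source_dirs() drops a `reload sources` request silently, so an operator who issues it during initstepslew or RTC init gets no indication that the sourcedir was not read until normal operation begins. A log line at that point, e.g. `DEBUG_LOG("Ignoring reload sources before configured sources are added")` if that macro is in scope in conf.c as it is elsewhere in chrony, would make the behaviour diagnosable. A short comment above `conf_ntp_sources_added = 1` in CNF_AddSources() saying it must be set before the `reload_source_dirs()` call that immediately follows would also help, since the guard keys off it and the ordering is easy to break in a later edit. Both functions start before and end after their hunks.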
@@ -0,0 +1,39 @@ +commit e11b518a1ffa704986fb1f1835c425844ba248ef +Author: Miroslav Lichvar +Date: Mon Jan 8 11:35:56 2024 +0100 + + ntp: fix authenticated requests in serverstats + + Fix the CLG_UpdateNtpStats() call to count requests passing the + authentication check instead of requests triggering a KoD response + (i.e. NTS NAK). + +diff --git a/ntp_core.c b/ntp_core.c +index 023e60b2..35801744 100644 +--- a/ntp_core.c ++++ b/ntp_core.c +@@ -2736,7 +2736,7 @@ NCR_ProcessRxUnknown(NTP_Remote_Address *remote_addr, NTP_Local_Address *local_a + CLG_DisableNtpTimestamps(&ntp_rx); + } + +- CLG_UpdateNtpStats(kod != 0 && info.auth.mode != NTP_AUTH_NONE && ++ CLG_UpdateNtpStats(kod == 0 && info.auth.mode != NTP_AUTH_NONE && + info.auth.mode != NTP_AUTH_MSSNTP, + rx_ts->source, interleaved ? tx_ts->source : NTP_TS_DAEMON); + +diff --git a/test/system/010-nts b/test/system/010-nts +index 8d92bbc8..b215efa3 100755 +--- a/test/system/010-nts ++++ b/test/system/010-nts +@@ -45,6 +45,11 @@ check_chronyc_output "^Name/IP address Mode KeyID Type KLen Last Atm + ========================================================================= + 127\.0\.0\.1 NTS 1 (30|15) (128|256) [0-9] 0 0 [78] ( 64|100)$" || test_fail + ++run_chronyc "serverstats" || test_fail ++check_chronyc_output "NTS-KE connections accepted: 1 ++NTS-KE connections dropped : 0 ++Authenticated NTP packets : [1-9][0-9]*" || test_fail ++ + stop_chronyd || test_fail + check_chronyd_messages || test_fail + check_chronyd_files || test_fail diff --git a/SOURCES/chrony-services.patch b/SOURCES/chrony-services.patch index 955be90..77a3c22 100644 --- a/SOURCES/chrony-services.patch +++ b/SOURCES/chrony-services.patch @@ -2,7 +2,7 @@ diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service index 72b028f2..b3aa7aa2 100644 --- a/examples/chrony-wait.service +++ b/examples/chrony-wait.service -@@ -16,32 +16,5 @@ TimeoutStartSec=180 +@@ -16,31 +16,5 @@ TimeoutStartSec=180 RemainAfterExit=yes StandardOutput=null 
@@ -15,7 +15,6 @@ index 72b028f2..b3aa7aa2 100644 -MemoryDenyWriteExecute=yes -PrivateDevices=yes -PrivateUsers=yes --ProcSubset=pid -ProtectClock=yes -ProtectControlGroups=yes -ProtectHome=yes @@ -39,7 +38,7 @@ diff --git a/examples/chronyd.service b/examples/chronyd.service index 4fb930ef..289548cb 100644 --- a/examples/chronyd.service +++ b/examples/chronyd.service -@@ -10,40 +10,9 @@ Type=forking +@@ -10,39 +10,9 @@ Type=forking PIDFile=/run/chrony/chronyd.pid EnvironmentFile=-/etc/sysconfig/chronyd ExecStart=/usr/sbin/chronyd $OPTIONS @@ -57,7 +56,6 @@ index 4fb930ef..289548cb 100644 -MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateTmp=yes --ProcSubset=pid -ProtectControlGroups=yes ProtectHome=yes -ProtectHostname=yes diff --git a/SPECS/chrony.spec b/SPECS/chrony.spec index 0df92f7..78d40b8 100644 --- a/SPECS/chrony.spec +++ b/SPECS/chrony.spec 
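Review bot: After this rebase the packaging patch still strips most of upstream's sandboxing from chronyd.service and chrony-wait.service (`MemoryDenyWriteExecute=yes`, `NoNewPrivileges=yes`, `ProtectHostname=yes`, `ProtectControlGroups=yes`, `PrivateDevices=yes` and more in the visible windows), and neither the patch nor the spec records why each one is dropped. Whether a directive is removed because the target systemd predates it or because chronyd needs what it restricts matters: systemd only warns about unknown unit directives, so the first kind could be left in place, while the second kind should be documented so nobody re-adds it. Suggest a header comment in chrony-services.patch listing the reason per directive, e.g. `# Dropped: unsupported by the target systemd (warning only) vs. breaks chronyd (needs RTC/adjtime access)`, and keeping the directives the target systemd does support. The target systemd version is not visible here, so which directives fall in each group needs checking.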
@@ -1,24 +1,24 @@ %global _hardened_build 1 -%global clknetsim_ver 824c48 +%global clknetsim_ver 5d1dc0 %global ntp2chrony_ver 233b75 %bcond_without debug %bcond_without nts Name: chrony -Version: 4.2 -Release: 1%{?dist} +Version: 4.5 +Release: 2%{?dist} Summary: An NTP client/server Group: System Environment/Daemons License: GPLv2 -URL: https://chrony.tuxfamily.org -Source0: https://download.tuxfamily.org/chrony/chrony-%{version}%{?prerelease}.tar.gz +URL: https://chrony-project.org +Source0: https://chrony-project.org/releases/chrony-%{version}%{?prerelease}.tar.gz Source1: chrony.dhclient Source2: chrony.helper Source3: chrony-dnssrv@.service Source4: chrony-dnssrv@.timer # simulator for test suite -Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz +Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz # script for converting ntp configuration to chrony Source11: https://github.com/mlichvar/ntp2chrony/raw/%{ntp2chrony_ver}/ntp2chrony/ntp2chrony.py %{?gitpatch:Patch0: chrony-%{version}%{?prerelease}-%{gitpatch}.patch.gz} @@ -30,10 +30,14 @@ Patch0: chrony-services.patch Patch1: chrony-nm-dispatcher-dhcp.patch # add NTP servers from DHCP when starting service Patch2: chrony-service-helper.patch -# revert upstream changes in packaged chrony.conf example +# revert upstream changes in packaged configuration examples Patch3: chrony-defconfig.patch -# fix chronyc sourcename command to print IP address in original format -Patch4: chrony-ipsourcename.patch +# fix serverstats to correctly count authenticated packets +Patch4: chrony-serverstats.patch +# fix crash on reload command during start +Patch5: chrony-reload.patch +# enable AES-CMAC support using gnutls (but keep nettle for hashing) +Patch6: chrony-cmac.patch BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel %ifarch %{ix86} x86_64 %{arm} aarch64 mipsel mips64el ppc64 ppc64le s390 s390x 
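Review bot: The new `Source10: https://gitlab.com/chrony/clknetsim/-/archive/master/clknetsim-%{clknetsim_ver}.tar.gz` points at the moving `master` ref, so the URL no longer identifies the content whose SHA is recorded in .chrony.metadata; anyone re-fetching it later gets a different tarball under the same name and the lookaside check fails without explaining why. Pin the ref instead, `Source10: https://gitlab.com/chrony/clknetsim/-/archive/%{clknetsim_ver}/clknetsim-%{clknetsim_ver}.tar.gz`, and adjust the `mv clknetsim-*-%{clknetsim_ver}*` glob in %prep, which assumes the `clknetsim-master-<hash>` directory name that only the master archive produces. GitLab's archive endpoint should accept the abbreviated hash, but a full commit hash in `%{clknetsim_ver}` would remove any ambiguity. clknetsim is only used by the test suite, so this is a build-reproducibility concern rather than a shipped-code one.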
@@ -70,7 +74,9 @@ service to other computers in the network. %patch1 -p1 -b .nm-dispatcher-dhcp %patch2 -p1 -b .service-helper %patch3 -p1 -b .defconfig -%patch4 -p1 -b .ipsourcename +%patch4 -p1 -b .serverstats +%patch5 -p1 +%patch6 -p1 -b .cmac %{?gitpatch: echo %{version}-%{gitpatch} > version.txt} @@ -81,7 +87,7 @@ md5sum -c <<-EOF | (! grep -v 'OK$') 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate fabb5b3f127b802c27c82837feff0fe6 examples/chrony.nm-dispatcher.dhcp - 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline + 4e85d36595727318535af3387411070c examples/chrony.nm-dispatcher.onoffline 56d221eba8ce8a2e03d3e0dd87999a81 examples/chronyd.service EOF @@ -102,7 +108,7 @@ touch -r examples/chrony.conf.example2 chrony.conf # regenerate the file from getdate.y rm -f getdate.c -mv clknetsim-%{clknetsim_ver}* test/simulation/clknetsim +mv clknetsim-*-%{clknetsim_ver}* test/simulation/clknetsim install -m 644 -p %{SOURCE11} ntp2chrony.py @@ -219,6 +225,13 @@ fi %dir %attr(750,chrony,chrony) %{_localstatedir}/log/chrony %changelog +* Wed Sep 18 2024 Miroslav Lichvar 4.5-2.el8_10 +- fix crash on reload command during start (RHEL-59112) +- enable AES-CMAC support using gnutls (RHEL-59032) + +* Wed Jan 10 2024 Miroslav Lichvar 4.5-1 +- update to 4.5 (RHEL-21069 RHEL-10701) + * Tue Jul 25 2023 MSVSphere Packaging Team - 4.2-1 - Rebuilt for MSVSphere 8.8
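Review bot: `%patch5 -p1` is the only patch application without a backup suffix, while its neighbours use `-b .serverstats` and `-b .cmac`; the omission is harmless for the build but breaks the pattern that makes it easy to diff a patched file against its original in the build tree. Use `%patch5 -p1 -b .reload` for consistency with the other entries.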