ntp: Vendor import of ntp-4.2.8p18

MFC: 3 days

Merge commit '1f833b3fc9968c3dd7ed79ccf0525ebf16c891ad' into main

ntp: import ntp-4.2.8p16

Security: NtpBUg3767, NtpBug3808, NtpBug3807 (CVE-2023-26555)
MFC after: immediately

MFV r362565:

Update 4.2.8p14 --> 4.2.8p15

Summary: Systems that use a CMAC algorithm in ntp.keys will not release
a bit of memory on each packet that uses a CMAC keyid, eventually causing
ntpd to run out of memory and fail. The CMAC cleanup from
https://bugs.ntp.org/3447, part of ntp-4.2.8p11, introduced a bug whereby
the CMAC data structure was no longer completely removed.

MFC after: 3 days
Security: NTP Bug 3661

MFV r358616:

Update ntp-4.2.8p13 --> 4.2.8p14.

The advisory can be found at:
http://support.ntp.org/bin/view/Main/SecurityNotice#\
March_2020_ntp_4_2_8p14_NTP_Rele

No CVEs have been documented yet.

MFC after: now
Security: http://support.ntp.org/bin/view/Main/NtpBug3610
http://support.ntp.org/bin/view/Main/NtpBug3596
http://support.ntp.org/bin/view/Main/NtpBug3592

MFV r338092: ntp 4.2.8p12.

Relnotes: yes

MFV r330102: ntp 4.2.8p11

MFV r315791: ntp 4.2.8p10.

MFV r301238:

ntp 4.2.8p8.

Security: CVE-2016-4957, CVE-2016-4953, CVE-2016-4954
Security: CVE-2016-4955, CVE-2016-4956
Security: FreeBSD-SA-16:24.ntp
With hat: so

MFV r298691:

ntp 4.2.8p7.

Security: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security: CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security: CVE-2016-2519
Security: FreeBSD-SA-16:16.ntp
With hat: so

MFV r294491: ntp 4.2.8p6.

Security: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security: CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security: CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security: CVE-2015-8140, CVE-2015-8158
With hat: so

MFV r293415:

ntp 4.2.8p5

Reviewed by: cy, roberto
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D4828

MFV ntp-4.2.8p4 (r289715)

Security: VuXML: c4a18a12-77fc-11e5-a687-206a8a720317
Security: CVE-2015-7871
Security: CVE-2015-7855
Security: CVE-2015-7854
Security: CVE-2015-7853
Security: CVE-2015-7852
Security: CVE-2015-7851
Security: CVE-2015-7850
Security: CVE-2015-7849
Security: CVE-2015-7848
Security: CVE-2015-7701
Security: CVE-2015-7703
Security: CVE-2015-7704, CVE-2015-7705
Security: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Sponsored by: Nginx, Inc.

MFV ntp-4.2.8p3 (r284990).

Approved by: roberto, delphij
Security: VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security: http://bugs.ntp.org/show_bug.cgi?id=2853
Security: https://www.kb.cert.org/vuls/id/668167
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

MFV ntp 4.2.8p1 (r258945, r275970, r276091, r276092, r276093, r278284)

Thanks to roberto for providing pointers to wedge this into HEAD.

Approved by: roberto

ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by: ume
Reviewed by: bz, gnn
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D1527

Correct comparison of IPv6 wildcard address.

MFC after: 3 days

Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 1 week

The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char. For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by: roberto
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
Filed as: Bug 1936 on ntp.org

Merge 4.2.4p8 into contrib (r200452 & r200454).

Subversion is being difficult here so take a hammer and get it in.

MFC after: 2 weeks
Security: CVE-2009-3563

Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess. It does away with an annoying
message.

Reviewed by: bz, roberto
MFC after: 2 weeks

Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after: 2 weeks

Flatten the dist and various 4.n.n trees in preparation of future ntp imports.

Virgin import of ntpd 4.2.0

Virgin import of ntpd 4.1.1a

Virgin import of ntpd 4.1.0

Fix potential alignement problems on Alpha + IPv6.

This is done on the vendor branch to avoid spamming the tree. It has been
sent to the NTP maintainers already.

Submitted by: shin

Virgin import of ntpd 4.0.99b

Virgin import of ntpd 4.0.98f

ntp: import ntp-4.2.8p16

Security: NtpBUg3767, NtpBug3808, NtpBug3807 (CVE-2023-26555)
MFC after: immediately

MFV r362565:

Update 4.2.8p14 --> 4.2.8p15

Summary: Systems that use a CMAC algorithm in ntp.keys will not release
a bit of memory on each packet that uses a CMAC keyid, eventually causing
ntpd to run out of memory and fail. The CMAC cleanup from
https://bugs.ntp.org/3447, part of ntp-4.2.8p11, introduced a bug whereby
the CMAC data structure was no longer completely removed.

MFC after: 3 days
Security: NTP Bug 3661

MFV r358616:

Update ntp-4.2.8p13 --> 4.2.8p14.

The advisory can be found at:
http://support.ntp.org/bin/view/Main/SecurityNotice#\
March_2020_ntp_4_2_8p14_NTP_Rele

No CVEs have been documented yet.

MFC after: now
Security: http://support.ntp.org/bin/view/Main/NtpBug3610
http://support.ntp.org/bin/view/Main/NtpBug3596
http://support.ntp.org/bin/view/Main/NtpBug3592

MFV r338092: ntp 4.2.8p12.

Relnotes: yes

MFV r330102: ntp 4.2.8p11

MFV r315791: ntp 4.2.8p10.

MFV r301238:

ntp 4.2.8p8.

Security: CVE-2016-4957, CVE-2016-4953, CVE-2016-4954
Security: CVE-2016-4955, CVE-2016-4956
Security: FreeBSD-SA-16:24.ntp
With hat: so

MFV r298691:

ntp 4.2.8p7.

Security: CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550
Security: CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518
Security: CVE-2016-2519
Security: FreeBSD-SA-16:16.ntp
With hat: so

MFV r294491: ntp 4.2.8p6.

Security: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975
Security: CVE-2015-7976, CVE-2015-7977, CVE-2015-7978
Security: CVE-2015-7979, CVE-2015-8138, CVE-2015-8139
Security: CVE-2015-8140, CVE-2015-8158
With hat: so

MFV r293415:

ntp 4.2.8p5

Reviewed by: cy, roberto
Relnotes: yes
Differential Revision: https://reviews.freebsd.org/D4828

MFV ntp-4.2.8p4 (r289715)

Security: VuXML: c4a18a12-77fc-11e5-a687-206a8a720317
Security: CVE-2015-7871
Security: CVE-2015-7855
Security: CVE-2015-7854
Security: CVE-2015-7853
Security: CVE-2015-7852
Security: CVE-2015-7851
Security: CVE-2015-7850
Security: CVE-2015-7849
Security: CVE-2015-7848
Security: CVE-2015-7701
Security: CVE-2015-7703
Security: CVE-2015-7704, CVE-2015-7705
Security: CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
Sponsored by: Nginx, Inc.

MFV ntp-4.2.8p3 (r284990).

Approved by: roberto, delphij
Security: VuXML: 0d0f3050-1f69-11e5-9ba9-d050996490d0
Security: http://bugs.ntp.org/show_bug.cgi?id=2853
Security: https://www.kb.cert.org/vuls/id/668167
Security: http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

MFV ntp 4.2.8p1 (r258945, r275970, r276091, r276092, r276093, r278284)

Thanks to roberto for providing pointers to wedge this into HEAD.

Approved by: roberto

ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by: ume
Reviewed by: bz, gnn
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D1527

Correct comparison of IPv6 wildcard address.

MFC after: 3 days

Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 1 week

The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char. For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by: roberto
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
Filed as: Bug 1936 on ntp.org

Merge 4.2.4p8 into contrib (r200452 & r200454).

Subversion is being difficult here so take a hammer and get it in.

MFC after: 2 weeks
Security: CVE-2009-3563

Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess. It does away with an annoying
message.

Reviewed by: bz, roberto
MFC after: 2 weeks

Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after: 2 weeks

Flatten the dist and various 4.n.n trees in preparation of future ntp imports.

Virgin import of ntpd 4.2.0

Virgin import of ntpd 4.1.1a

Virgin import of ntpd 4.1.0

Fix potential alignement problems on Alpha + IPv6.

This is done on the vendor branch to avoid spamming the tree. It has been
sent to the NTP maintainers already.

Submitted by: shin

Virgin import of ntpd 4.0.99b

Virgin import of ntpd 4.0.98f

ntpd tries to bind to IPv6 interfaces in 'tentative' state and fails as IPv6 is
actually disabled. Fix it by making ntpd ignore such interfaces.

Submitted by: ume
Reviewed by: bz, gnn
MFC after: 1 week
Differential Revision: https://reviews.freebsd.org/D1527

Correct comparison of IPv6 wildcard address.

MFC after: 3 days

Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 1 week

The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char. For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by: roberto
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
Filed as: Bug 1936 on ntp.org

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

MFC r199995:
Don't try to bind to an anycast address. The KAME IPv6 stack doesn't
allow bind to an anycast address. It does away with an annoying
message.

Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess. It does away with an annoying
message.

Reviewed by: bz, roberto
MFC after: 2 weeks

- Import the HEAD csup code which is the basis for the cvsmode work.

Virgin import of ntpd 4.2.0

Virgin import of ntpd 4.1.1a

Virgin import of ntpd 4.1.0

Fix potential alignement problems on Alpha + IPv6.

This is done on the vendor branch to avoid spamming the tree. It has been
sent to the NTP maintainers already.

Submitted by: shin

Virgin import of ntpd 4.0.99b

Virgin import of ntpd 4.0.98f