diff --git a/Makefile.inc1 b/Makefile.inc1 index 44af27d8963b..cc3ab0f5eda2 100644 --- a/Makefile.inc1 +++ b/Makefile.inc1 @@ -968,29 +968,10 @@ _worldtmp: .PHONY .endif # !defined(NO_CLEAN) @mkdir -p ${WORLDTMP} @touch ${WORLDTMP}/${.TARGET} - -.for _dir in \ - lib lib/casper lib/geom usr legacy/bin legacy/usr - mkdir -p ${WORLDTMP}/${_dir} -.endfor - ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ - -p ${WORLDTMP}/legacy/usr >/dev/null - ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.include.dist \ - -p ${WORLDTMP}/legacy/usr/include >/dev/null - ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ - -p ${WORLDTMP}/usr >/dev/null - ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.include.dist \ - -p ${WORLDTMP}/usr/include >/dev/null - ln -sf ${.CURDIR}/sys ${WORLDTMP} -.if ${MK_DEBUG_FILES} != "no" - ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ - -p ${WORLDTMP}/legacy/usr/lib >/dev/null - ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ - -p ${WORLDTMP}/usr/lib >/dev/null -.endif -.for _mtree in ${LOCAL_MTREE} - ${WORLDTMP_MTREE} -f ${.CURDIR}/${_mtree} -p ${WORLDTMP} > /dev/null -.endfor +# We can't use mtree to create the worldtmp directories since it may not be +# available on the target system (this happens e.g. when building on non-FreeBSD) + cd ${.CURDIR}/tools/build; \ + ${MAKE} DIRPRFX=tools/build/ DESTDIR=${WORLDTMP}/legacy installdirs _legacy: @echo @echo "--------------------------------------------------------------" 
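Review bot: The new `_worldtmp` recipe joins `cd` and `${MAKE}` with `;`, so if `cd ${.CURDIR}/tools/build` fails the `installdirs` target runs from whatever directory the shell started in, still with `DESTDIR=${WORLDTMP}/legacy`, and the cd failure is hidden behind the sub-make's exit status. Chain the two instead: `cd ${.CURDIR}/tools/build && ${MAKE} DIRPRFX=tools/build/ DESTDIR=${WORLDTMP}/legacy installdirs`. The comment above it says mtree may be missing on the "target system", but the parenthetical ("when building on non-FreeBSD") describes the build host, so `host system` would be the accurate wording. The `_worldtmp` target itself begins before this hunk.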
@@ -1003,6 +984,19 @@ _bootstrap-tools: @echo ">>> stage 1.2: bootstrap tools" @echo "--------------------------------------------------------------" ${_+_}cd ${.CURDIR}; ${BMAKE} bootstrap-tools + mkdir -p ${WORLDTMP}/usr ${WORLDTMP}/lib/casper ${WORLDTMP}/lib/geom + ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.usr.dist \ + -p ${WORLDTMP}/usr >/dev/null + ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.include.dist \ + -p ${WORLDTMP}/usr/include >/dev/null + ln -sf ${.CURDIR}/sys ${WORLDTMP} +.if ${MK_DEBUG_FILES} != "no" + ${WORLDTMP_MTREE} -f ${.CURDIR}/etc/mtree/BSD.debug.dist \ + -p ${WORLDTMP}/usr/lib >/dev/null +.endif +.for _mtree in ${LOCAL_MTREE} + ${WORLDTMP_MTREE} -f ${.CURDIR}/${_mtree} -p ${WORLDTMP} > /dev/null +.endfor _cleanobj: .if !defined(NO_CLEAN) @echo @@ -2037,6 +2031,10 @@ ${_bt}-usr.bin/yacc: ${_bt}-lib/liby _gensnmptree= usr.sbin/bsnmpd/gensnmptree .endif +.if ${MK_LOCALES} != "no" +_localedef= usr.bin/localedef +.endif + # We need to build tblgen when we're building clang or lld, either as # bootstrap tools, or as the part of the normal build. .if ${MK_CLANG_BOOTSTRAP} != "no" || ${MK_CLANG} != "no" || \ @@ -2098,7 +2096,7 @@ bootstrap-tools: .PHONY ${_crunchgen} \ ${_nmtree} \ ${_vtfontcvt} \ - usr.bin/localedef + ${_localedef} ${_bt}-${_tool}: .PHONY .MAKE ${_+_}@${ECHODIR} "===> ${_tool} (obj,all,install)"; \ cd ${.CURDIR}/${_tool}; \ diff --git a/Makefile.libcompat b/Makefile.libcompat index c2c729fdcfe1..b339567c08ed 100644 --- a/Makefile.libcompat +++ b/Makefile.libcompat @@ -14,6 +14,11 @@ LIB32CPUFLAGS= -march=i686 -mmmx -msse -msse2 .else LIB32CPUFLAGS= -march=${TARGET_CPUTYPE} .endif +.if ${WANT_COMPILER_TYPE} == gcc || \ + (defined(X_COMPILER_TYPE) && ${X_COMPILER_TYPE} == gcc) +.else +LIB32CPUFLAGS+= -target x86_64-unknown-freebsd12.0 +.endif LIB32CPUFLAGS+= -m32 LIB32WMAKEENV= MACHINE=i386 MACHINE_ARCH=i386 \ MACHINE_CPU="i686 mmx sse sse2" 
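Review bot: The new `.if` in Makefile.libcompat has an empty true branch and only acts in `.else`, which reads as an accident; inverting the test keeps the intent on one line, `.if ${WANT_COMPILER_TYPE} != gcc && (!defined(X_COMPILER_TYPE) || ${X_COMPILER_TYPE} != gcc)` followed by the `LIB32CPUFLAGS+=` line. The added `-target x86_64-unknown-freebsd12.0` also hard-codes the OS version in the triple, so a build from a branch whose compiler defaults to another `freebsdNN.N` target silently gets a mismatched triple for the 32-bit compat libraries. A comment explaining why the explicit target is needed here (presumably the host clang defaulting to the 64-bit triple, which is not stated in the hunk) and a note to derive the version from the build's own target settings would save the next person who bumps the release from rediscovering this.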
diff --git a/ObsoleteFiles.inc b/ObsoleteFiles.inc
index 55e95fefc3b5..d0ab15d48f21 100644
--- a/ObsoleteFiles.inc
+++ b/ObsoleteFiles.inc
@@ -174,6 +174,11 @@ OLD_FILES+=usr/lib/clang/6.0.1/lib/freebsd/libclang_rt.ubsan_standalone_cxx-x86_
 OLD_DIRS+=usr/lib/clang/6.0.1/lib/freebsd
 OLD_DIRS+=usr/lib/clang/6.0.1/lib
 OLD_DIRS+=usr/lib/clang/6.0.1
+# 20180819: Remove deprecated arc4random(3) stir/addrandom interfaces
+OLD_FILES+=usr/share/man/man3/arc4random_addrandom.3.gz
+OLD_FILES+=usr/share/man/man3/arc4random_stir.3.gz
+# 20180819: send-pr(1) placeholder removal
+OLD_FILES+=usr/bin/send-pr
 # 20180725: Cleanup old libcasper.so.0
 OLD_LIBS+=lib/libcasper.so.0
 # 20180722: indent(1) option renamed, test files follow
diff --git a/UPDATING b/UPDATING
index 327bbecd7aa2..0995a2698fba 100644
--- a/UPDATING
+++ b/UPDATING
@@ -31,6 +31,23 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 12.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20170822: + devctl freeze/that have gone into the tree, the rc scripts have been + updated to use them and devmatch has been changed. You should update + kernel, userland and rc scripts all at the same time. + +20180818: + The default interpreter has been switched from 4th to Lua. + LOADER_DEFAULT_INTERP, documented in build(7), will override the default + interpreter. If you have custom FORTH code you will need to set + LOADER_DEFAULT_INTERP=4th (valid values are 4th, lua or simp) in + src.conf for the build. This will create default hard links between + loader and loader_4th instead of loader and loader_lua, the new default. + If you are using UEFI it will create the proper hard link to loader.efi. + + bhyve uses userboot.so. It remains 4th-only until some issues are solved + regarding coexisting with multiple versions of FreeBSD are resolved. + 20180815: ls(1) now respects the COLORTERM environment variable used in other systems and software to indicate that a colored terminal is both diff --git a/bin/ls/ls.1 b/bin/ls/ls.1 index 6f4303a349a1..dde947be9875 100644 --- a/bin/ls/ls.1 +++ b/bin/ls/ls.1 @@ -32,7 +32,7 @@ .\" @(#)ls.1 8.7 (Berkeley) 7/29/94 .\" $FreeBSD$ .\" -.Dd August 16, 2018 +.Dd August 18, 2018 .Dt LS 1 .Os .Sh NAME @@ -252,6 +252,26 @@ environment variable is set and not empty. .Pp .Cm never will disable color regardless of environment variables. +.Pp +For compatibility with GNU coreutils, +.Nm +supports +.Cm yes +or +.Cm force +as equivalent to +.Cm always , +.Cm no +or +.Cm none +as equivalent to +.Cm never , +and +.Cm tty +or +.Cm if-tty +as equivalent to +.Cm auto . .It Fl d Directories are listed as plain files (not searched recursively). .It Fl f diff --git a/bin/ls/ls.c b/bin/ls/ls.c index 9a8e855176eb..3929dd47be5a 100644 --- a/bin/ls/ls.c +++ b/bin/ls/ls.c 
@@ -200,6 +200,32 @@ do_color(void) return (do_color_from_env()); } +#ifdef COLORLS +static bool +do_color_always(const char *term) +{ + + return (strcmp(term, "always") == 0 || strcmp(term, "yes") == 0 || + strcmp(term, "force") == 0); +} + +static bool +do_color_never(const char *term) +{ + + return (strcmp(term, "never") == 0 || strcmp(term, "no") == 0 || + strcmp(term, "none") == 0); +} + +static bool +do_color_auto(const char *term) +{ + + return (strcmp(term, "auto") == 0 || strcmp(term, "tty") == 0 || + strcmp(term, "if-tty") == 0); +} +#endif /* COLORLS */ + int main(int argc, char *argv[]) { @@ -406,11 +432,11 @@ main(int argc, char *argv[]) break; #ifdef COLORLS case COLOR_OPT: - if (optarg == NULL || strcmp(optarg, "always") == 0) + if (optarg == NULL || do_color_always(optarg)) colorflag = COLORFLAG_ALWAYS; - else if (strcmp(optarg, "auto") == 0) + else if (do_color_auto(optarg)) colorflag = COLORFLAG_AUTO; - else if (strcmp(optarg, "never") == 0) + else if (do_color_never(optarg)) colorflag = COLORFLAG_NEVER; else errx(2, "unsupported --color value '%s' (must be always, auto, or never)", diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/get.ipv4remote.pl b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/get.ipv4remote.pl index 5f58eb8e0ca8..c07e46bbd976 100755 --- a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/get.ipv4remote.pl +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/get.ipv4remote.pl 
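Review bot: The `errx` fallback in the `COLOR_OPT` case still tells the user the value "must be always, auto, or never", while the new `do_color_always`/`do_color_never`/`do_color_auto` helpers also accept yes/force, no/none and tty/if-tty, so the diagnostic now contradicts the behaviour documented in ls.1. Either list the aliases or point at the manual: `errx(2, "unsupported --color value '%s' (must be always, auto, never, or a GNU-style alias; see ls(1))", optarg);`. The three helpers could also share one small table-driven matcher instead of three `strcmp` chains, but that is a style preference. The `main` function starts and ends outside this hunk, and the `errx` call's argument list continues past it.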
@@ -27,11 +27,12 @@ #pragma ident "%Z%%M% %I% %E% SMI" # -# get.ipv4remote.pl [tcpport] +# get.ipv4remote.pl [port] [proto] # # Find an IPv4 reachable remote host using both ifconfig(1M) and ping(1M). -# If a tcpport is specified, return a host that is also listening on this -# TCP port. Print the local address and the remote address, or an +# If a port is specified, return a host that is also listening on this +# port. If the port is specified, the protocol can also be specified and +# defaults to tcp. Print the local address and the remote address, or an # error message if no suitable remote host was found. Exit status is 0 if # a host was found. # @@ -41,7 +42,8 @@ use IO::Socket; my $MAXHOSTS = 32; # max hosts to port scan my $TIMEOUT = 3; # connection timeout -my $tcpport = @ARGV == 1 ? $ARGV[0] : 0; +my $port = @ARGV >= 1 ? $ARGV[0] : 0; +my $proto = @ARGV == 2 ? $ARGV[1] : "tcp"; # # Determine local IP address @@ -79,14 +81,15 @@ while () { if (/bytes from (.*): / and not defined $Broadcast{$1}) { my $addr = $1; - if ($tcpport != 0) { + if ($port != 0) { # # Test TCP # my $socket = IO::Socket::INET->new( - Proto => "tcp", + Type => SOCK_STREAM, + Proto => $proto, PeerAddr => $addr, - PeerPort => $tcpport, + PeerPort => $port, Timeout => $TIMEOUT, ); next unless $socket; diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4localsctp.ksh b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4localsctp.ksh new file mode 100755 index 000000000000..594ef71dc597 --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4localsctp.ksh 
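Review bot: `Type => SOCK_STREAM` is now fixed while `Proto` comes straight from `$ARGV[1]`, so a caller passing `udp` (or a typo) gets a socket whose type and protocol disagree and the script reports that no suitable host was found instead of a usage error; validate the argument up front with `die "unsupported protocol: $proto\n" unless $proto eq "tcp" || $proto eq "sctp";` next to the `my $proto` line. The `# Test TCP` comment above the connect block is now stale and should read `# Test that the host is listening on $proto port $port`. `$port != 0` also does a numeric comparison on an unvalidated argv string, so a `$port =~ /^\d+$/ or die` check belongs with the protocol check. The enclosing `while` loop begins before this hunk.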
@@ -0,0 +1,137 @@ +#!/usr/bin/env ksh +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. +# + +# +# Test {ip,sctp}:::{send,receive} of IPv4 SCTP to local host. +# +# This may fail due to: +# +# 1. A change to the ip stack breaking expected probe behavior, +# which is the reason we are testing. +# 2. The lo0 interface missing or not up. +# 3. An unlikely race causes the unlocked global send/receive +# variables to be corrupted. +# +# This test performs a SCTP association and checks that at least the +# following packet counts were traced: +# +# 7 x ip:::send (4 during the setup, 3 during the teardown) +# 7 x sctp:::send (4 during the setup, 3 during the teardown) +# 7 x ip:::receive (4 during the setup, 3 during the teardown) +# 7 x sctp:::receive (4 during the setup, 3 during the teardown) + +# The actual count tested is 7 each way, since we are tracing both +# source and destination events. 
+# + +if (( $# != 1 )); then + print -u2 "expected one argument: " + exit 2 +fi + +dtrace=$1 +local=127.0.0.1 +DIR=/var/tmp/dtest.$$ + +sctpport=1024 +bound=5000 +while [ $sctpport -lt $bound ]; do + ncat --sctp -z $local $sctpport > /dev/null || break + sctpport=$(($sctpport + 1)) +done +if [ $sctpport -eq $bound ]; then + echo "couldn't find an available SCTP port" + exit 1 +fi + +mkdir $DIR +cd $DIR + +# ncat will exit when the association is closed. +ncat --sctp --listen $local $sctpport & + +cat > test.pl <<-EOPERL + use IO::Socket; + my \$s = IO::Socket::INET->new( + Type => SOCK_STREAM, + Proto => "sctp", + LocalAddr => "$local", + PeerAddr => "$local", + PeerPort => $sctpport, + Timeout => 3); + die "Could not connect to host $local port $sctpport \$@" unless \$s; + close \$s; + sleep(2); +EOPERL + +$dtrace -c 'perl test.pl' -qs /dev/stdin <ip_saddr == "$local" && args[2]->ip_daddr == "$local" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipsend++; +} + +sctp:::send +/args[2]->ip_saddr == "$local" && args[2]->ip_daddr == "$local"/ +{ + sctpsend++; +} + +ip:::receive +/args[2]->ip_saddr == "$local" && args[2]->ip_daddr == "$local" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipreceive++; +} + +sctp:::receive +/args[2]->ip_saddr == "$local" && args[2]->ip_daddr == "$local"/ +{ + sctpreceive++; +} + +END +{ + printf("Minimum SCTP events seen\n\n"); + printf("ip:::send (%d) - %s\n", ipsend, ipsend >= 7 ? "yes" : "no"); + printf("ip:::receive (%d) - %s\n", ipreceive, ipreceive >= 7 ? "yes" : "no"); + printf("sctp:::send (%d) - %s\n", sctpsend, sctpsend >= 7 ? "yes" : "no"); + printf("sctp:::receive (%d) - %s\n", sctpreceive, sctpreceive >= 7 ? "yes" : "no"); +} +EODTRACE + +status=$? + +cd / +/bin/rm -rf $DIR + +exit $status diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4localsctp.ksh.out b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4localsctp.ksh.out new file mode 100644 index 000000000000..8c708770971b 
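Review bot: The `END` clause prints `ip:::send (%d) - %s` (and the same for the other three counters) with the count embedded, but the accompanying `tst.ipv4localsctp.ksh.out` expects the bare `ip:::send - yes` form, so the output can never match the expected file even when every probe fires; drop the `(%d)` and the extra `ipsend`/`ipreceive`/`sctpsend`/`sctpreceive` argument from those four printf lines, or regenerate the .out file. The scratch directory is created with a bare `mkdir $DIR` under the predictable, world-writable `/var/tmp/dtest.$$` and the result is not checked, so a file or symlink planted at that name either aborts the run or leaves the script in the caller's cwd where `cat > test.pl` then writes; `DIR=$(mktemp -d /var/tmp/dtest.XXXXXX) || exit 1` avoids both. When `test.pl` fails to connect, the background `ncat --sctp --listen` is never reaped and keeps the port open after the test returns, so capture `$!` and kill it before `exit`. The port-probe loop also selects port 1024 unconditionally if `ncat` itself is missing, since every probe then fails and `break` fires on the first iteration.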
--- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4localsctp.ksh.out @@ -0,0 +1,7 @@ +Minimum SCTP events seen + +ip:::send - yes +ip:::receive - yes +sctp:::send - yes +sctp:::receive - yes + diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4remotesctp.ksh b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4remotesctp.ksh new file mode 100755 index 000000000000..60dabf7a8b94 --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4remotesctp.ksh 
@@ -0,0 +1,130 @@ +#!/usr/bin/env ksh93 +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright (c) 2008, 2010, Oracle and/or its affiliates. All rights reserved. +# + +# +# Test {sctp,ip}:::{send,receive} of IPv4 SCTP to a remote host. +# +# This may fail due to: +# +# 1. A change to the ip stack breaking expected probe behavior, +# which is the reason we are testing. +# 2. No physical network interface is plumbed and up. +# 3. No other hosts on this subnet are reachable and listening on ssh. +# 4. An unlikely race causes the unlocked global send/receive +# variables to be corrupted. +# +# This test performs an SCTP association and checks that at least the +# following packet counts were traced: +# +# 4 x ip:::send (2 during setup, 2 during teardown) +# 4 x sctp:::send (2 during connection setup, 2 during connection teardown) +# 3 x ip:::receive (2 during setup, 1 during teardown) +# 3 x sctp:::receive (2 during setup, 1 during teardown) + +if (( $# != 1 )); then + print -u2 "expected one argument: " + exit 2 +fi + +dtrace=$1 +getaddr=./get.ipv4remote.pl +sctpport=80 +DIR=/var/tmp/dtest.$$ + +if [[ ! 
-x $getaddr ]]; then + print -u2 "could not find or execute sub program: $getaddr" + exit 3 +fi +$getaddr $sctpport sctp | read source dest +if (( $? != 0 )); then + exit 4 +fi + +mkdir $DIR +cd $DIR + +cat > test.pl <<-EOPERL + use IO::Socket; + my \$s = IO::Socket::INET->new( + Type => SOCK_STREAM, + Proto => "sctp", + LocalAddr => "$source", + PeerAddr => "$dest", + PeerPort => $sctpport, + Timeout => 3); + die "Could not connect to host $dest port $sctpport \$@" unless \$s; + close \$s; + sleep(2); +EOPERL + +$dtrace -c 'perl test.pl' -qs /dev/stdin <ip_saddr == "$source" && args[2]->ip_daddr == "$dest" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipsend++; +} + +sctp:::send +/args[2]->ip_saddr == "$source" && args[2]->ip_daddr == "$dest"/ +{ + sctpsend++; +} + +ip:::receive +/args[2]->ip_saddr == "$dest" && args[2]->ip_daddr == "$source" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipreceive++; +} + +sctp:::receive +/args[2]->ip_saddr == "$dest" && args[2]->ip_daddr == "$source"/ +{ + sctpreceive++; +} + +END +{ + printf("Minimum SCTP events seen\n\n"); + printf("ip:::send - %s\n", ipsend >= 4 ? "yes" : "no"); + printf("ip:::receive - %s\n", ipreceive >= 3 ? "yes" : "no"); + printf("sctp:::send - %s\n", sctpsend >= 4 ? "yes" : "no"); + printf("sctp:::receive - %s\n", sctpreceive >= 3 ? "yes" : "no"); +} +EODTRACE + +status=$? + +cd / +/bin/rm -rf $DIR + +exit $status diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4remotesctp.ksh.out b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4remotesctp.ksh.out new file mode 100644 index 000000000000..8c708770971b --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.ipv4remotesctp.ksh.out @@ -0,0 +1,7 @@ +Minimum SCTP events seen + +ip:::send - yes +ip:::receive - yes +sctp:::send - yes +sctp:::receive - yes + 
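Review bot: The failure check after `$getaddr $sctpport sctp | read source dest` tests `$?`, which is the status of `read`, not of the Perl helper; when the helper exits non-zero but prints its error message, `read` succeeds, `source`/`dest` hold words of that message, and the test goes on to trace garbage addresses instead of exiting 4. Capture the output first, `out=$($getaddr $sctpport sctp) || exit 4` followed by `read source dest <<<"$out"`, or enable `set -o pipefail` if the ksh in use supports it. The header comment says the test may fail when no host is "listening on ssh" while `sctpport=80`, and this file uses `#!/usr/bin/env ksh93` where the sibling local test uses plain `ksh`; both look copied from the TCP tests and should say http/port 80 and settle on one interpreter. The same unchecked `mkdir $DIR` on the predictable `/var/tmp/dtest.$$` path as the other new scripts applies here.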
diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.localsctpstate.ksh b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.localsctpstate.ksh new file mode 100755 index 000000000000..7fb21644b459 --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.localsctpstate.ksh 
@@ -0,0 +1,159 @@ +#!/usr/bin/env ksh +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. +# + +# +# Test sctp:::state-change and sctp:::{send,receive} by connecting to +# the local discard service. +# A number of state transition events along with SCTP send and +# receive events for the message should result. +# +# This may fail due to: +# +# 1. A change to the ip stack breaking expected probe behavior, +# which is the reason we are testing. +# 2. The lo0 interface missing or not up. +# 3. An unlikely race causes the unlocked global send/receive +# variables to be corrupted. +# +# This test performs a SCTP connection and checks that at least the +# following packet counts were traced: +# +# 7 x ip:::send (4 during the setup, 3 during the teardown) +# 7 x sctp:::send (4 during the setup, 3 during the teardown) +# 7 x ip:::receive (4 during the setup, 3 during the teardown) +# 7 x sctp:::receive (4 during the setup, 3 during the teardown) +# +# The actual count tested is 7 each way, since we are tracing both +# source and destination events. 
+# + +if (( $# != 1 )); then + print -u2 "expected one argument: " + exit 2 +fi + +dtrace=$1 +local=127.0.0.1 +DIR=/var/tmp/dtest.$$ + +sctpport=1024 +bound=5000 +while [ $sctpport -lt $bound ]; do + ncat --sctp -z $local $sctpport > /dev/null || break + sctpport=$(($sctpport + 1)) +done +if [ $sctpport -eq $bound ]; then + echo "couldn't find an available SCTP port" + exit 1 +fi + +mkdir $DIR +cd $DIR + +# ncat will exit when the association is closed. +ncat --sctp --listen $local $sctpport & + +cat > test.pl <<-EOPERL + use IO::Socket; + my \$s = IO::Socket::INET->new( + Type => SOCK_STREAM, + Proto => "sctp", + LocalAddr => "$local", + PeerAddr => "$local", + PeerPort => $sctpport, + Timeout => 3); + die "Could not connect to host $local port $sctpport \$@" unless \$s; + close \$s; + sleep(2); +EOPERL + +$dtrace -c 'perl test.pl' -qs /dev/stdin <ip_saddr == "$local" && args[2]->ip_daddr == "$local" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipsend++; +} + +sctp:::send +/args[2]->ip_saddr == "$local" && args[2]->ip_daddr == "$local" && + (args[4]->sctp_sport == $sctpport || args[4]->sctp_dport == $sctpport)/ +{ + sctpsend++; +} + +ip:::receive +/args[2]->ip_saddr == "$local" && args[2]->ip_daddr == "$local" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipreceive++; +} + +sctp:::receive +/args[2]->ip_saddr == "$local" && args[2]->ip_daddr == "$local" && + (args[4]->sctp_sport == $sctpport || args[4]->sctp_dport == $sctpport)/ +{ + sctpreceive++; +} + +sctp:::state-change +{ + state_event[args[3]->sctps_state]++; +} + +END +{ + printf("Minimum SCTP events seen\n\n"); + printf("ip:::send - %s\n", ipsend >= 7 ? "yes" : "no"); + printf("ip:::receive - %s\n", ipreceive >= 7 ? "yes" : "no"); + printf("sctp:::send - %s\n", sctpsend >= 7 ? "yes" : "no"); + printf("sctp:::receive - %s\n", sctpreceive >= 7 ? "yes" : "no"); + printf("sctp:::state-change to cookie-wait - %s\n", + state_event[SCTP_STATE_COOKIE_WAIT] >=1 ? 
"yes" : "no"); + printf("sctp:::state-change to cookie-echoed - %s\n", + state_event[SCTP_STATE_COOKIE_ECHOED] >=1 ? "yes" : "no"); + printf("sctp:::state-change to established - %s\n", + state_event[SCTP_STATE_ESTABLISHED] >= 2 ? "yes" : "no"); + printf("sctp:::state-change to shutdown-sent - %s\n", + state_event[SCTP_STATE_SHUTDOWN_SENT] >= 1 ? "yes" : "no"); + printf("sctp:::state-change to shutdown-received - %s\n", + state_event[SCTP_STATE_SHUTDOWN_RECEIVED] >= 1 ? "yes" : "no"); + printf("sctp:::state-change to shutdown-ack-sent - %s\n", + state_event[SCTP_STATE_SHUTDOWN_ACK_SENT] >= 1 ? "yes" : "no"); +} +EODTRACE + +status=$? + +cd / +/bin/rm -rf $DIR + +exit $status diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.localsctpstate.ksh.out b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.localsctpstate.ksh.out new file mode 100644 index 000000000000..8fe345a1785b --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.localsctpstate.ksh.out @@ -0,0 +1,12 @@ +Minimum SCTP events seen + +ip:::send - yes +ip:::receive - yes +sctp:::send - yes +sctp:::receive - yes +sctp:::state-change to cookie-wait - yes +sctp:::state-change to cookie-echoed - yes +sctp:::state-change to established - yes +sctp:::state-change to shutdown-sent - yes +sctp:::state-change to shutdown-received - yes +sctp:::state-change to shutdown-ack-sent - yes diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.remotesctpstate.ksh b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.remotesctpstate.ksh new file mode 100755 index 000000000000..3209c04e042c --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.remotesctpstate.ksh 
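Review bot: The background `ncat --sctp --listen $local $sctpport &` is never waited for or killed; `ncat` exits on its own only when an association is closed, so if `test.pl` fails to connect (for example because the port probe raced with another process) the listener outlives the test and keeps the SCTP port bound. Record the PID and clean it up with the directory: `ncat_pid=$!` after the launch and `kill $ncat_pid 2>/dev/null` before `/bin/rm -rf $DIR`, ideally from a `trap` so the early `exit` paths clean up too. The header comment describes "connecting to the local discard service", but the script connects to its own ncat listener, so the comment should say that. The scratch directory `/var/tmp/dtest.$$` is again created with a bare unchecked `mkdir` in a world-writable location; `mktemp -d` with a failure check is the safer idiom.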
@@ -0,0 +1,149 @@ +#!/usr/bin/env ksh93 +# +# CDDL HEADER START +# +# The contents of this file are subject to the terms of the +# Common Development and Distribution License (the "License"). +# You may not use this file except in compliance with the License. +# +# You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE +# or http://www.opensolaris.org/os/licensing. +# See the License for the specific language governing permissions +# and limitations under the License. +# +# When distributing Covered Code, include this CDDL HEADER in each +# file and include the License file at usr/src/OPENSOLARIS.LICENSE. +# If applicable, add the following below this CDDL HEADER, with the +# fields enclosed by brackets "[]" replaced with your own identifying +# information: Portions Copyright [yyyy] [name of copyright owner] +# +# CDDL HEADER END +# + +# +# Copyright (c) 2010, Oracle and/or its affiliates. All rights reserved. +# + +# +# Test sctp:::state-change and sctp:::{send,receive} by connecting to +# the remote http service. +# A number of state transition events along with sctp send and receive +# events for the message should result. +# +# This may fail due to: +# +# 1. A change to the ip stack breaking expected probe behavior, +# which is the reason we are testing. +# 2. The lo0 interface missing or not up. +# 3. The remote ssh service is not online. +# 4. An unlikely race causes the unlocked global send/receive +# variables to be corrupted. 
+# +# This test performs a SCTP association to the http service (port 80) and +# checks that at least the following packet counts were traced: +# +# 4 x ip:::send (2 during setup, 2 during teardown) +# 4 x sctp:::send (2 during setup, 2 during teardown) +# 3 x ip:::receive (2 during setup, 1 during teardown) +# 3 x sctp:::receive (2 during setup, 1 during teardown) +# + +if (( $# != 1 )); then + print -u2 "expected one argument: " + exit 2 +fi + +dtrace=$1 +getaddr=./get.ipv4remote.pl +sctpport=80 +DIR=/var/tmp/dtest.$$ + +if [[ ! -x $getaddr ]]; then + print -u2 "could not find or execute sub program: $getaddr" + exit 3 +fi +$getaddr $sctpport sctp | read source dest +if (( $? != 0 )); then + exit 4 +fi + +mkdir $DIR +cd $DIR + +cat > test.pl <<-EOPERL + use IO::Socket; + my \$s = IO::Socket::INET->new( + Type => SOCK_STREAM, + Proto => "sctp", + LocalAddr => "$source", + PeerAddr => "$dest", + PeerPort => $sctpport, + Timeout => 3); + die "Could not connect to host $dest port $sctpport \$@" unless \$s; + close \$s; + sleep(2); +EOPERL + +$dtrace -c 'perl test.pl' -qs /dev/stdin <ip_saddr == "$source" && args[2]->ip_daddr == "$dest" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipsend++; +} + +sctp:::send +/args[2]->ip_saddr == "$source" && args[2]->ip_daddr == "$dest" && + args[4]->sctp_dport == $sctpport/ +{ + sctpsend++; +} + +ip:::receive +/args[2]->ip_saddr == "$dest" && args[2]->ip_daddr == "$source" && + args[4]->ipv4_protocol == IPPROTO_SCTP/ +{ + ipreceive++; +} + +sctp:::receive +/args[2]->ip_saddr == "$dest" && args[2]->ip_daddr == "$source" && + args[4]->sctp_sport == $sctpport/ +{ + sctpreceive++; +} + +sctp:::state-change +{ + state_event[args[3]->sctps_state]++; +} + +END +{ + printf("Minimum SCTP events seen\n\n"); + printf("ip:::send - %s\n", ipsend >= 4 ? "yes" : "no"); + printf("ip:::receive - %s\n", ipreceive >= 3 ? "yes" : "no"); + printf("sctp:::send - %s\n", sctpsend >= 4 ? 
"yes" : "no"); + printf("sctp:::receive - %s\n", sctpreceive >= 3 ? "yes" : "no"); + printf("sctp:::state-change to cookie-wait - %s\n", + state_event[SCTP_STATE_COOKIE_WAIT] >=1 ? "yes" : "no"); + printf("sctp:::state-change to cookie-echoed - %s\n", + state_event[SCTP_STATE_COOKIE_ECHOED] >= 1 ? "yes" : "no"); + printf("sctp:::state-change to established - %s\n", + state_event[SCTP_STATE_ESTABLISHED] >= 1 ? "yes" : "no"); + printf("sctp:::state-change to shutdown-sent - %s\n", + state_event[SCTP_STATE_SHUTDOWN-SENT] >= 1 ? "yes" : "no"); +} +EODTRACE + +status=$? + +cd / +/bin/rm -rf $DIR + +exit $status diff --git a/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.remotesctpstate.ksh.out b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.remotesctpstate.ksh.out new file mode 100644 index 000000000000..a39b14fcfcb3 --- /dev/null +++ b/cddl/contrib/opensolaris/cmd/dtrace/test/tst/common/ip/tst.remotesctpstate.ksh.out @@ -0,0 +1,12 @@ +Minimum SCTP events seen + +ip:::send - yes +ip:::receive - yes +SCTP:::send - yes +sctp:::receive - yes +sctp:::state-change to cookie-wait - yes +sctp:::state-change to cookie-echoed - yes +sctp:::state-change to established - yes +sctp:::state-change to shutdown-sent - yes +sctp:::state-change to closed - yes + diff --git a/cddl/lib/libdtrace/Makefile b/cddl/lib/libdtrace/Makefile index 13cf557ad53e..bc58855ffc5d 100644 --- a/cddl/lib/libdtrace/Makefile +++ b/cddl/lib/libdtrace/Makefile @@ -51,6 +51,7 @@ DSRCS= errno.d \ io.d \ ip.d \ psinfo.d \ + sctp.d \ siftr.d \ signal.d \ tcp.d \ diff --git a/cddl/lib/libdtrace/sctp.d b/cddl/lib/libdtrace/sctp.d new file mode 100644 index 000000000000..5dc776bdb971 --- /dev/null +++ b/cddl/lib/libdtrace/sctp.d 
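Review bot: `state_event[SCTP_STATE_SHUTDOWN-SENT]` in the `END` clause uses a hyphen, so D reads it as `SCTP_STATE_SHUTDOWN - SENT`, neither of which sctp.d defines, and the whole script fails to compile before any probe fires; it must be `state_event[SCTP_STATE_SHUTDOWN_SENT]`. The expected-output file also disagrees with what the script prints: it has `SCTP:::send - yes` in upper case and a final `sctp:::state-change to closed - yes` line that no printf in the script emits, so the test cannot pass even once the typo is fixed. The header lists "The lo0 interface missing" and "The remote ssh service is not online" as failure causes for a test that connects to a remote port 80 over SCTP; those lines were carried over from the TCP tests and should be corrected. As in the sibling remote test, the `$? != 0` check after the `| read source dest` pipeline only sees `read`'s status, and the predictable `/var/tmp/dtest.$$` scratch directory is created without checking `mkdir`.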
@@ -0,0 +1,171 @@ +/* + * CDDL HEADER START + * + * The contents of this file are subject to the terms of the + * Common Development and Distribution License (the "License"). + * You may not use this file except in compliance with the License. + * + * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE + * or http://www.opensolaris.org/os/licensing. + * See the License for the specific language governing permissions + * and limitations under the License. + * + * When distributing Covered Code, include this CDDL HEADER in each + * file and include the License file at usr/src/OPENSOLARIS.LICENSE. + * If applicable, add the following below this CDDL HEADER, with the + * fields enclosed by brackets "[]" replaced with your own identifying + * information: Portions Copyright [yyyy] [name of copyright owner] + * + * CDDL HEADER END + * + * $FreeBSD$ + */ +/* + * Copyright (c) 2018 Michael Tuexen + */ + +#pragma D depends_on library ip.d +#pragma D depends_on library socket.d +#pragma D depends_on module kernel +#pragma D depends_on provider sctp + +#pragma D binding "1.13" SCTP_STATE_MASK +inline int32_t SCTP_STATE_MASK = 0x0000007f; +#pragma D binding "1.13" SCTP_STATE_SHUTDOWN_PENDING +inline int32_t SCTP_STATE_SHUTDOWN_PENDING = 0x00000080; +#pragma D binding "1.13" SCTP_STATE_CLOSED_SOCKET +inline int32_t SCTP_STATE_CLOSED_SOCKET = 0x00000100; +#pragma D binding "1.13" SCTP_STATE_ABOUT_TO_BE_FREED +inline int32_t SCTP_STATE_ABOUT_TO_BE_FREED = 0x00000200; +#pragma D binding "1.13" SCTP_STATE_ABOUT_TO_BE_FREED +inline int32_t SCTP_STATE_PARTIAL_MSG_LEFT = 0x00000400; +#pragma D binding "1.13" SCTP_STATE_PARTIAL_MSG_LEFT +inline int32_t SCTP_STATE_WAS_ABORTED = 0x00000800; +#pragma D binding "1.13" SCTP_STATE_IN_ACCEPT_QUEUE +inline int32_t SCTP_STATE_IN_ACCEPT_QUEUE = 0x00001000; +#pragma D binding "1.13" SCTP_STATE_BOUND +inline int32_t SCTP_STATE_BOUND = 0x00001000; +#pragma D binding "1.13" SCTP_STATE_EMPTY +inline int32_t SCTP_STATE_EMPTY = 
0x00000000; +#pragma D binding "1.13" SCTP_STATE_CLOSED +inline int32_t SCTP_STATE_CLOSED = 0x00000000; +#pragma D binding "1.13" SCTP_STATE_INUSE +inline int32_t SCTP_STATE_INUSE = 0x00000001; +#pragma D binding "1.13" SCTP_STATE_COOKIE_WAIT +inline int32_t SCTP_STATE_COOKIE_WAIT = 0x00000002; +#pragma D binding "1.13" SCTP_STATE_COOKIE_ECHOED +inline int32_t SCTP_STATE_COOKIE_ECHOED = 0x00000004; +#pragma D binding "1.13" SCTP_STATE_ESTABLISHED +inline int32_t SCTP_STATE_ESTABLISHED = 0x00000008; +#pragma D binding "1.13" SCTP_STATE_OPEN +inline int32_t SCTP_STATE_OPEN = 0x00000008; +#pragma D binding "1.13" SCTP_STATE_SHUTDOWN_SENT +inline int32_t SCTP_STATE_SHUTDOWN_SENT = 0x00000010; +#pragma D binding "1.13" SCTP_STATE_SHUTDOWN_RECEIVED +inline int32_t SCTP_STATE_SHUTDOWN_RECEIVED = 0x00000020; +#pragma D binding "1.13" SCTP_STATE_SHUTDOWN_ACK_SENT +inline int32_t SCTP_STATE_SHUTDOWN_ACK_SENT = 0x00000040; + +/* SCTP association state strings. */ +#pragma D binding "1.13" sctp_state_string +inline string sctp_state_string[int32_t state] = + state & SCTP_STATE_ABOUT_TO_BE_FREED ? "state-closed" : + state & SCTP_STATE_SHUTDOWN_PENDING ? "state-shutdown-pending" : + (state & SCTP_STATE_MASK) == SCTP_STATE_EMPTY ? "state-closed" : + (state & SCTP_STATE_MASK) == SCTP_STATE_INUSE ? "state-closed" : + (state & SCTP_STATE_MASK) == SCTP_STATE_COOKIE_WAIT ? "state-cookie-wait" : + (state & SCTP_STATE_MASK) == SCTP_STATE_COOKIE_ECHOED ? "state-cookie-echoed" : + (state & SCTP_STATE_MASK) == SCTP_STATE_OPEN ? "state-established" : + (state & SCTP_STATE_MASK) == SCTP_STATE_SHUTDOWN_SENT ? "state-shutdown-sent" : + (state & SCTP_STATE_MASK) == SCTP_STATE_SHUTDOWN_RECEIVED ? "state-shutdown-received" : + (state & SCTP_STATE_MASK) == SCTP_STATE_SHUTDOWN_ACK_SENT ? "state-shutdown-ack-sent" : + ""; + +/* + * sctpsinfo contains stable SCTP details. 
+ */ +typedef struct sctpsinfo { + uintptr_t sctps_addr; /* pointer to struct sctp_tcb */ + int sctps_num_raddrs; /* number of remote addresses */ + uintptr_t sctps_raddrs; /* pointer to struct sctp_nets */ + int sctps_num_laddrs; /* number of local addresses */ + uintptr_t sctps_laddrs; /* pointer to struct sctp_laddr */ + uint16_t sctps_lport; /* local port */ + uint16_t sctps_rport; /* remote port */ + string sctps_laddr; /* local address, as a string */ + string sctps_raddr; /* remote address, as a string */ + int32_t sctps_state; +} sctpsinfo_t; + +/* + * sctplsinfo provides the old SCTP state for state changes. + */ +typedef struct sctplsinfo { + int32_t sctps_state; /* previous SCTP state */ +} sctplsinfo_t; + +/* + * sctpinfo is the SCTP header fields. + */ +typedef struct sctpinfo { + uint16_t sctp_sport; /* source port */ + uint16_t sctp_dport; /* destination port */ + uint32_t sctp_verify; /* verification tag */ + uint32_t sctp_checksum; /* CRC32C of the SCTP packet */ + struct sctphdr *sctp_hdr; /* raw SCTP header */ +} sctpinfo_t; + +#pragma D binding "1.13" translator +translator csinfo_t < struct sctp_tcb *p > { + cs_addr = NULL; + cs_cid = (uint64_t)p; + cs_pid = 0; + cs_zoneid = 0; +}; + +#pragma D binding "1.13" translator +translator sctpsinfo_t < struct sctp_tcb *p > { + sctps_addr = (uintptr_t)p; + sctps_num_raddrs = p == NULL ? -1 : p->asoc.numnets; + sctps_raddrs = p == NULL ? NULL : (uintptr_t)(p->asoc.nets.tqh_first); + sctps_num_laddrs = p == NULL ? -1 : + p->sctp_ep == NULL ? -1 : + p->sctp_ep->laddr_count; + sctps_laddrs = p == NULL ? NULL : + p->sctp_ep == NULL ? NULL : + (uintptr_t)(p->sctp_ep->sctp_addr_list.lh_first); + sctps_lport = p == NULL ? 0 : + p->sctp_ep == NULL ? 0 : + ntohs(p->sctp_ep->ip_inp.inp.inp_inc.inc_ie.ie_lport); + sctps_rport = p == NULL ? 0 : ntohs(p->rport); + sctps_laddr = p == NULL ? "" : + p->asoc.primary_destination == NULL ? "" : + p->asoc.primary_destination->ro._s_addr == NULL ? 
"" : + p->asoc.primary_destination->ro._s_addr->address.sa.sa_family == AF_INET ? + inet_ntoa(&p->asoc.primary_destination->ro._s_addr->address.sin.sin_addr.s_addr) : + p->asoc.primary_destination->ro._s_addr->address.sa.sa_family == AF_INET6 ? + inet_ntoa6(&p->asoc.primary_destination->ro._s_addr->address.sin6.sin6_addr) : + ""; + sctps_raddr = p == NULL ? "" : + p->asoc.primary_destination == NULL ? "" : + p->asoc.primary_destination->ro._l_addr.sa.sa_family == AF_INET ? + inet_ntoa(&p->asoc.primary_destination->ro._l_addr.sin.sin_addr.s_addr) : + p->asoc.primary_destination->ro._l_addr.sa.sa_family == AF_INET6 ? + inet_ntoa6(&p->asoc.primary_destination->ro._l_addr.sin6.sin6_addr) : + ""; + sctps_state = p == NULL ? SCTP_STATE_CLOSED : p->asoc.state; +}; + +#pragma D binding "1.13" translator +translator sctpinfo_t < struct sctphdr *p > { + sctp_sport = p == NULL ? 0 : ntohs(p->src_port); + sctp_dport = p == NULL ? 0 : ntohs(p->dest_port); + sctp_verify = p == NULL ? 0 : ntohl(p->v_tag); + sctp_checksum = p == NULL ? 0 : ntohl(p->checksum); + sctp_hdr = p; +}; + +#pragma D binding "1.13" translator +translator sctplsinfo_t < int state > { + sctps_state = state; +}; diff --git a/cddl/lib/libzpool/Makefile b/cddl/lib/libzpool/Makefile index c3e64911ebd8..1f329a98ec44 100644 --- a/cddl/lib/libzpool/Makefile +++ b/cddl/lib/libzpool/Makefile @@ -61,6 +61,7 @@ CFLAGS+= -DWANTS_MUTEX_OWNED CFLAGS+= -I${SRCTOP}/lib/libpthread/thread CFLAGS+= -I${SRCTOP}/lib/libpthread/sys CFLAGS+= -I${SRCTOP}/lib/libthr/arch/${MACHINE_CPUARCH}/include +CFLAGS.gcc+= -fms-extensions LIBADD= md pthread z nvpair avl umem diff --git a/cddl/usr.bin/ztest/Makefile b/cddl/usr.bin/ztest/Makefile index 63ec0ff9cc66..acd6bb7c6e3a 100644 --- a/cddl/usr.bin/ztest/Makefile +++ b/cddl/usr.bin/ztest/Makefile 
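Review bot: Two of the `#pragma D binding "1.13"` lines in the state-flag list carry the wrong identifier: the pragma before `inline int32_t SCTP_STATE_PARTIAL_MSG_LEFT` names `SCTP_STATE_ABOUT_TO_BE_FREED` a second time, and the pragma before `inline int32_t SCTP_STATE_WAS_ABORTED` names `SCTP_STATE_PARTIAL_MSG_LEFT`. They should read `#pragma D binding "1.13" SCTP_STATE_PARTIAL_MSG_LEFT` and `#pragma D binding "1.13" SCTP_STATE_WAS_ABORTED` respectively, so that each binding covers the definition that follows it; whether libdtrace rejects the mismatch or silently leaves those two names unversioned, the result is not what was intended. A short comment on `SCTP_STATE_IN_ACCEPT_QUEUE` and `SCTP_STATE_BOUND` both being `0x00001000` would also help, since a reader will otherwise suspect a copy-paste error rather than a deliberate mirror of the kernel header, which I have not verified here.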
@@ -24,6 +24,7 @@ CSTD= c99 # Since there are many asserts in this program, it makes no sense to compile # it without debugging. CFLAGS+= -g -DDEBUG=1 -Wno-format +CFLAGS.gcc+= -fms-extensions HAS_TESTS= SUBDIR.${MK_TESTS}+= tests diff --git a/cddl/usr.sbin/dtrace/tests/common/ip/Makefile b/cddl/usr.sbin/dtrace/tests/common/ip/Makefile index c47aac901cb4..25a214b7f37b 100644 --- a/cddl/usr.sbin/dtrace/tests/common/ip/Makefile +++ b/cddl/usr.sbin/dtrace/tests/common/ip/Makefile @@ -9,6 +9,8 @@ PACKAGE= tests ${PACKAGE}FILES= \ tst.ipv4localicmp.ksh \ tst.ipv4localicmp.ksh.out \ + tst.ipv4localsctp.ksh \ + tst.ipv4localsctp.ksh.out \ tst.ipv4localtcp.ksh \ tst.ipv4localtcp.ksh.out \ tst.ipv4localudp.ksh \ @@ -17,6 +19,8 @@ ${PACKAGE}FILES= \ tst.ipv4localudplite.ksh.out \ tst.ipv4remoteicmp.ksh \ tst.ipv4remoteicmp.ksh.out \ + tst.ipv4remotesctp.ksh \ + tst.ipv4remotesctp.ksh.out \ tst.ipv4remotetcp.ksh \ tst.ipv4remotetcp.ksh.out \ tst.ipv4remoteudp.ksh \ @@ -27,8 +31,12 @@ ${PACKAGE}FILES= \ tst.ipv6localicmp.ksh.out \ tst.ipv6remoteicmp.ksh \ tst.ipv6remoteicmp.ksh.out \ + tst.localsctpstate.ksh \ + tst.localsctpstate.ksh.out \ tst.localtcpstate.ksh \ tst.localtcpstate.ksh.out \ + tst.remotesctpstate.ksh \ + tst.remotesctpstate.ksh.out \ tst.remotetcpstate.ksh \ tst.remotetcpstate.ksh.out \ diff --git a/cddl/usr.sbin/dtrace/tests/tools/exclude.sh b/cddl/usr.sbin/dtrace/tests/tools/exclude.sh index 1a4d8bd7cdb9..db5796039a0d 100755 --- a/cddl/usr.sbin/dtrace/tests/tools/exclude.sh +++ b/cddl/usr.sbin/dtrace/tests/tools/exclude.sh 
@@ -117,11 +117,13 @@ exclude SKIP common/builtinvar/tst.ipl.d exclude SKIP common/builtinvar/tst.ipl1.d # These tests rely on being able to find a host via broadcast pings. +exclude EXFAIL common/ip/tst.ipv4remotesctp.ksh exclude EXFAIL common/ip/tst.ipv4remotetcp.ksh exclude EXFAIL common/ip/tst.ipv4remoteudp.ksh exclude EXFAIL common/ip/tst.ipv4remoteudplite.ksh exclude EXFAIL common/ip/tst.ipv6remoteicmp.ksh exclude EXFAIL common/ip/tst.ipv4remoteicmp.ksh +exclude EXFAIL common/ip/tst.remotesctpstate.ksh exclude EXFAIL common/ip/tst.remotetcpstate.ksh # Tries to enable pid$target:libc::entry, though there's no "libc" module. diff --git a/cddl/usr.sbin/zdb/Makefile b/cddl/usr.sbin/zdb/Makefile index cccfe15c823b..8c919341f8e3 100644 --- a/cddl/usr.sbin/zdb/Makefile +++ b/cddl/usr.sbin/zdb/Makefile @@ -25,6 +25,7 @@ CFLAGS+= -I${SRCTOP}/cddl/contrib/opensolaris/head LIBADD= nvpair umem uutil zfs zpool +CFLAGS.gcc+= -fms-extensions # Since there are many asserts in this program, it makes no sense to compile # it without debugging. CFLAGS+= -g -DDEBUG=1 diff --git a/contrib/llvm/tools/lld/docs/ld.lld.1 b/contrib/llvm/tools/lld/docs/ld.lld.1 index 92d890f8cadb..67591f2bbcac 100644 --- a/contrib/llvm/tools/lld/docs/ld.lld.1 +++ b/contrib/llvm/tools/lld/docs/ld.lld.1 @@ -3,7 +3,7 @@ .\" .\" This man page documents only lld's ELF linking support, obtained originally .\" from FreeBSD. -.Dd July 30, 2018 +.Dd August 22, 2018 .Dt LD.LLD 1 .Os .Sh NAME @@ -451,6 +451,13 @@ Make the main stack executable. Stack permissions are recorded in the .Dv PT_GNU_STACK segment. +.It Cm ifunc-noplt +Do not emit PLT entries for GNU ifuncs. +Instead, preserve relocations for ifunc call sites so that they may +be applied by a run-time loader. +Note that this feature requires special loader support and will +generally result in application crashes when used outside of freestanding +environments. .It Cm initfirst Sets the .Dv DF_1_INITFIRST 
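Review bot: The comment `# These tests rely on being able to find a host via broadcast pings.` no longer states the full precondition for the two SCTP entries added beneath it: per the test header visible above, they also need the discovered host to accept an SCTP association on port 80, which answering a ping does not imply. Suggest extending the comment, e.g. `# The SCTP variants additionally need the discovered host to accept SCTP on port 80.`, so a future EXFAIL cleanup does not re-enable them on a host that merely answers broadcast pings.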
diff --git a/contrib/ntp/ChangeLog b/contrib/ntp/ChangeLog index b4ee4247a8d6..f381a093cf94 100644 --- a/contrib/ntp/ChangeLog +++ b/contrib/ntp/ChangeLog 
@@ -1,4 +1,68 @@ --- +(4.2.8p12) 2018/08/14 Released by Harlan Stenn + +* [Sec 3505] CVE-2018-12327 - Arbitrary Code Execution Vulnerability + - fixed stack buffer overflow in the openhost() command-line call + of NTPQ/NTPDC +* [Sec 3012] noepeer tweaks. +* [Bug 3521] Fix a logic bug in the INVALIDNAK checks. +* [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, + other TrustedBSD platforms + - applied patch by Ian Lepore +* [Bug 3506] Service Control Manager interacts poorly with NTPD + - changed interaction with SCM to signal pending startup +* [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() + - applied patch by Gerry Garvey +* [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c + - applied patch by Gerry Garvey +* [Bug 3484] ntpq response from ntpd is incorrect when REFID is null + - rework of ntpq 'nextvar()' key/value parsing +* [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) + - applied patch by Gerry Garvey (with mods) +* [Bug 3480] Refclock sample filter not cleared on clock STEP + - applied patch by Gerry Garvey +* [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq + - applied patch by Gerry Garvey (with mods) +* [Bug 3476]ctl_putstr() sends empty unquoted string [...] + - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though +* [Bug 3475] modify prettydate() to suppress output of zero time + - applied patch by Gerry Garvey +* [Bug 3474] Missing pmode in mode7 peer info response + - applied patch by Gerry Garvey +* [Bug 3471] Check for openssl/[ch]mac.h. HStenn. + - add #define ENABLE_CMAC support in configure. HStenn. +* [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL +* [Bug 3469] Incomplete string compare [...] in is_refclk_addr + - patch by Stephen Friedl +* [Bug 3467] Potential memory fault in ntpq [...] 
+ - fixed IO redirection and CTRL-C handling in ntq and ntpdc +* [Bug 3465] Default TTL values cannot be used +* [Bug 3461] refclock_shm.c: clear error status on clock recovery + - initial patch by Hal Murray; also fixed refclock_report() trouble +* [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. +* [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer + - According to Brooks Davis, there was only one location +* [Bug 3449] ntpq - display "loop" instead of refid [...] + - applied patch by Gerry Garvey +* [Bug 3445] Symmetric peer won't sync on startup + - applied patch by Gerry Garvey +* [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, + with modifications + New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c. +* [Bug 3434] ntpd clears STA_UNSYNC on start + - applied patch by Miroslav Lichvar +* [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov. +* [Bug 3121] Drop root privileges for the forked DNS worker + - integrated patch by Reinhard Max +* [Bug 2821] minor build issues + - applied patches by Christos Zoulas, including real bug fixes +* html/authopt.html: cleanup, from +* ntpd/ntpd.c: DROPROOT cleanup. +* Symmetric key range is 1-65535. Update docs. +* html/authentic.html: cleanup, from + +--- +(4.2.8p11) 2018/02/27 Released by Harlan Stenn * [Sec 3454] Unauthenticated packet can reset authenticated interleave associations. HStenn. 
@@ -14,16 +78,16 @@ - applied patch by Sean Haugh * [Bug 3452] PARSE driver prints uninitialized memory. * [Bug 3450] Dubious error messages from plausibility checks in get_systime() - - removed error log caused by rounding/slew, ensured postcondition + - removed error log caused by rounding/slew, ensured postcondition * [Bug 3447] AES-128-CMAC (fixes) - refactoring the MAC code, too * [Bug 3441] Validate the assumption that AF_UNSPEC is 0. stenn@ntp.org * [Bug 3439] When running multiple commands / hosts in ntpq... - - applied patch by ggarvey + - applied patch by ggarvey * [Bug 3438] Negative values and values > 999 days in... - - applied patch by ggarvey (with minor mods) + - applied patch by ggarvey (with minor mods) * [Bug 3437] ntpd tries to open socket with AF_UNSPEC domain - - applied patch (with mods) by Miroslav Lichvar + - applied patch (with mods) by Miroslav Lichvar * [Bug 3435] anchor NTP era alignment * [Bug 3433] sntp crashes when run with -a. * [Bug 3430] ntpq dumps core (SIGSEGV) for "keytype md2" diff --git a/contrib/ntp/NEWS b/contrib/ntp/NEWS index b30f187cbceb..8dc0f0f728a6 100644 --- a/contrib/ntp/NEWS +++ b/contrib/ntp/NEWS @@ -1,5 +1,5 @@ -- -NTP 4.2.8p11 (Harlan Stenn , 2018/02/27) +NTP 4.2.8p12 (Harlan Stenn , 2018/14/09) NOTE: this NEWS file will be undergoing more revisions. 
@@ -7,6 +7,77 @@ Focus: Security, Bug fixes, enhancements. Severity: MEDIUM +This release fixes a "hole" in the noepeer capability introduced to ntpd +in ntp-4.2.8p11, and a buffer overflow in the openhost() function used by +ntpq and ntpdc. It also provides 26 other bugfixes, and 4 other improvements: + +* [Sec 3505] Buffer overflow in the openhost() call of ntpq and ntpdc. + +* [Sec 3012] Fix a hole in the new "noepeer" processing. + +* Bug Fixes: + [Bug 3521] Fix a logic bug in the INVALIDNAK checks. + [Bug 3509] Add support for running as non-root on FreeBSD, Darwin, + other TrustedBSD platforms + - applied patch by Ian Lepore + [Bug 3506] Service Control Manager interacts poorly with NTPD + - changed interaction with SCM to signal pending startup + [Bug 3486] Buffer overflow in ntpq/ntpq.c:tstflags() + - applied patch by Gerry Garvey + [Bug 3485] Undefined sockaddr used in error messages in ntp_config.c + - applied patch by Gerry Garvey + [Bug 3484] ntpq response from ntpd is incorrect when REFID is null + - rework of ntpq 'nextvar()' key/value parsing + [Bug 3482] Fixes for compilation warnings (ntp_io.c & ntpq-subs.c) + - applied patch by Gerry Garvey (with mods) + [Bug 3480] Refclock sample filter not cleared on clock STEP + - applied patch by Gerry Garvey + [Bug 3479] ctl_putrefid() allows unsafe characters through to ntpq + - applied patch by Gerry Garvey (with mods) + [Bug 3476]ctl_putstr() sends empty unquoted string [...] + - applied patch by Gerry Garvey (with mods); not sure if that's bug or feature, though + [Bug 3475] modify prettydate() to suppress output of zero time + - applied patch by Gerry Garvey + [Bug 3474] Missing pmode in mode7 peer info response + - applied patch by Gerry Garvey + [Bug 3471] Check for openssl/[ch]mac.h. HStenn. + - add #define ENABLE_CMAC support in configure. HStenn. + [Bug 3470] ntpd4.2.8p11 fails to compile without OpenSSL + [Bug 3469] Incomplete string compare [...] 
in is_refclk_addr + - patch by Stephen Friedl + [Bug 3467] Potential memory fault in ntpq [...] + - fixed IO redirection and CTRL-C handling in ntq and ntpdc + [Bug 3465] Default TTL values cannot be used + [Bug 3461] refclock_shm.c: clear error status on clock recovery + - initial patch by Hal Murray; also fixed refclock_report() trouble + [Bug 3460] Fix typo in ntpq.texi, reported by Kenyon Ralph. + [Bug 3456] Use uintptr_t rather than size_t to store an integer in a pointer + - According to Brooks Davis, there was only one location + [Bug 3449] ntpq - display "loop" instead of refid [...] + - applied patch by Gerry Garvey + [Bug 3445] Symmetric peer won't sync on startup + - applied patch by Gerry Garvey + [Bug 3442] Fixes for ntpdate as suggested by Gerry Garvey, + with modifications + New macro REFID_ISTEXT() which is also used in ntpd/ntp_control.c. + [Bug 3434] ntpd clears STA_UNSYNC on start + - applied patch by Miroslav Lichvar + [Bug 3426] ntpdate.html -t default is 2 seconds. Leonid Evdokimov. + [Bug 3121] Drop root privileges for the forked DNS worker + - integrated patch by Reinhard Max + [Bug 2821] minor build issues + - applied patches by Christos Zoulas, including real bug fixes + html/authopt.html: cleanup, from + ntpd/ntpd.c: DROPROOT cleanup. + Symmetric key range is 1-65535. Update docs. + +-- +NTP 4.2.8p11 (Harlan Stenn , 2018/02/27) + +Focus: Security, Bug fixes, enhancements. + +Severity: MEDIUM + This release fixes 2 low-/medium-, 1 informational/medum-, and 2 low-severity vulnerabilities in ntpd, one medium-severity vulernability in ntpq, and provides 65 other non-security fixes and improvements: diff --git a/contrib/ntp/config.h.in b/contrib/ntp/config.h.in index 13f9bc838f15..e91f86b1f93a 100644 --- a/contrib/ntp/config.h.in +++ b/contrib/ntp/config.h.in 
@@ -311,6 +311,9 @@ /* Provide the explicit 127.0.0.0/8 martian filter? */ #undef ENABLE_BUG3020_FIX +/* Enable CMAC support? */ +#undef ENABLE_CMAC + /* nls support in libopts */ #undef ENABLE_NLS @@ -372,6 +375,14 @@ /* Define to 1 if you have the `daemon' function. */ #undef HAVE_DAEMON +/* Define to 1 if you have the declaration of `siglongjmp', and to 0 if you + don't. */ +#undef HAVE_DECL_SIGLONGJMP + +/* Define to 1 if you have the declaration of `sigsetjmp', and to 0 if you + don't. */ +#undef HAVE_DECL_SIGSETJMP + /* Define to 1 if you have the declaration of `strerror_r', and to 0 if you don't. */ #undef HAVE_DECL_STRERROR_R @@ -653,6 +664,12 @@ /* if you have NT Threads */ #undef HAVE_NT_THREADS +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_CMAC_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_OPENSSL_HMAC_H + /* Define to 1 if the system has the type `pid_t'. */ #undef HAVE_PID_T @@ -957,6 +974,9 @@ /* Define to 1 if you have the header file. */ #undef HAVE_SYS_LOCK_H +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_MAC_H + /* Define to 1 if you have the header file. */ #undef HAVE_SYS_MMAN_H @@ -1117,6 +1137,9 @@ /* Do we have the TIO serial stuff? */ #undef HAVE_TIO_SERIAL_STUFF +/* Are TrustedBSD MAC policy privileges available? */ +#undef HAVE_TRUSTEDBSD_MAC + /* Define to 1 if the system has the type `uint16_t'. */ #undef HAVE_UINT16_T diff --git a/contrib/ntp/configure b/contrib/ntp/configure index 1ab45bc43888..0ba239416fac 100755 --- a/contrib/ntp/configure +++ b/contrib/ntp/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for ntp 4.2.8p11. +# Generated by GNU Autoconf 2.69 for ntp 4.2.8p12. # # Report bugs to . # 
@@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='ntp' PACKAGE_TARNAME='ntp' -PACKAGE_VERSION='4.2.8p11' -PACKAGE_STRING='ntp 4.2.8p11' +PACKAGE_VERSION='4.2.8p12' +PACKAGE_STRING='ntp 4.2.8p12' PACKAGE_BUGREPORT='http://bugs.ntp.org./' PACKAGE_URL='http://www.ntp.org./' @@ -968,6 +968,7 @@ enable_c99_snprintf enable_clockctl enable_linuxcaps enable_solarisprivs +enable_trustedbsd_mac with_arlib with_net_snmp_config enable_libseccomp @@ -1614,7 +1615,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures ntp 4.2.8p11 to adapt to many kinds of systems. +\`configure' configures ntp 4.2.8p12 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1684,7 +1685,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of ntp 4.2.8p11:";; + short | recursive ) echo "Configuration of ntp 4.2.8p12:";; esac cat <<\_ACEOF @@ -1731,6 +1732,8 @@ Optional Features and Packages: --enable-clockctl s Use /dev/clockctl for non-root clock control --enable-linuxcaps + Use Linux capabilities for non-root clock control --enable-solarisprivs + Use Solaris privileges for non-root clock control + --enable-trustedbsd-mac s Use TrustedBSD MAC policy for non-root clock + control --with-arlib - deprecated, arlib not distributed --with-net-snmp-config + =net-snmp-config --enable-libseccomp EXPERIMENTAL: enable support for libseccomp @@ -1923,7 +1926,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -ntp configure 4.2.8p11 +ntp configure 4.2.8p12 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. 
@@ -2632,7 +2635,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by ntp $as_me 4.2.8p11, which was +It was created by ntp $as_me 4.2.8p12, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -3633,7 +3636,7 @@ fi # Define the identity of the package. PACKAGE='ntp' - VERSION='4.2.8p11' + VERSION='4.2.8p12' cat >>confdefs.h <<_ACEOF @@ -24026,7 +24029,40 @@ esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ntp_have_solarisprivs" >&5 $as_echo "$ntp_have_solarisprivs" >&6; } -case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs" in +for ac_header in sys/mac.h +do : + ac_fn_c_check_header_mongrel "$LINENO" "sys/mac.h" "ac_cv_header_sys_mac_h" "$ac_includes_default" +if test "x$ac_cv_header_sys_mac_h" = xyes; then : + cat >>confdefs.h <<_ACEOF +#define HAVE_SYS_MAC_H 1 +_ACEOF + +fi + +done + + +# Check whether --enable-trustedbsd_mac was given. +if test "${enable_trustedbsd_mac+set}" = set; then : + enableval=$enable_trustedbsd_mac; ntp_use_trustedbsd_mac=$enableval + +fi + + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if we should use TrustedBSD MAC privileges" >&5 +$as_echo_n "checking if we should use TrustedBSD MAC privileges... " >&6; } + +case "$ntp_use_trustedbsd_mac$ac_cv_header_sys_mac_h" in + yesyes) + +$as_echo "#define HAVE_TRUSTEDBSD_MAC 1" >>confdefs.h + +esac + +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ntp_use_trustedbsd_mac" >&5 +$as_echo "$ntp_use_trustedbsd_mac" >&6; } + +case "$ntp_use_dev_clockctl$ntp_have_linuxcaps$ntp_have_solarisprivs$ntp_use_trustedbsd_mac" in *yes*) $as_echo "#define HAVE_DROPROOT 1" >>confdefs.h 
@@ -30311,6 +30347,19 @@ $as_echo "$ntp_openssl" >&6; } case "$ntp_openssl" in yes) + for ac_header in openssl/cmac.h openssl/hmac.h +do : + as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` +ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" +if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : + cat >>confdefs.h <<_ACEOF +#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 +_ACEOF + +fi + +done + $as_echo "#define OPENSSL /**/" >>confdefs.h @@ -30534,6 +30583,21 @@ LIBS="$NTPO_SAVED_LIBS" { ntp_openssl_from_pkg_config=; unset ntp_openssl_from_pkg_config;} +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if we want to enable CMAC support" >&5 +$as_echo_n "checking if we want to enable CMAC support... " >&6; } +case "$ac_cv_header_openssl_cmac_h" in + yes) + +$as_echo "#define ENABLE_CMAC 1" >>confdefs.h + + ans="yes" + ;; + *) ans="no" + ;; +esac +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ans" >&5 +$as_echo "$ans" >&6; } + @@ -33221,6 +33285,32 @@ fi +### + +ac_fn_c_check_decl "$LINENO" "sigsetjmp" "ac_cv_have_decl_sigsetjmp" "#include +" +if test "x$ac_cv_have_decl_sigsetjmp" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SIGSETJMP $ac_have_decl +_ACEOF +ac_fn_c_check_decl "$LINENO" "siglongjmp" "ac_cv_have_decl_siglongjmp" "#include +" +if test "x$ac_cv_have_decl_siglongjmp" = xyes; then : + ac_have_decl=1 +else + ac_have_decl=0 +fi + +cat >>confdefs.h <<_ACEOF +#define HAVE_DECL_SIGLONGJMP $ac_have_decl +_ACEOF + + ### @@ -33964,7 +34054,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by ntp $as_me 4.2.8p11, which was +This file was extended by ntp $as_me 4.2.8p12, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES 
@@ -34031,7 +34121,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -ntp config.status 4.2.8p11 +ntp config.status 4.2.8p12 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/contrib/ntp/configure.ac b/contrib/ntp/configure.ac index 4e7e06af6167..1f477c514188 100644 --- a/contrib/ntp/configure.ac +++ b/contrib/ntp/configure.ac @@ -3014,6 +3014,17 @@ AC_MSG_RESULT([$ans]) NTP_OPENSSL +AC_MSG_CHECKING([if we want to enable CMAC support]) +case "$ac_cv_header_openssl_cmac_h" in + yes) + AC_DEFINE([ENABLE_CMAC], [1], [Enable CMAC support?]) + ans="yes" + ;; + *) ans="no" + ;; +esac +AC_MSG_RESULT([$ans]) + NTP_CRYPTO_RAND # if we are using OpenSSL (--with-crypto), by default Autokey is enabled @@ -4380,6 +4391,10 @@ NTP_PROBLEM_TESTS ### +AC_CHECK_DECLS([sigsetjmp,siglongjmp], [], [], [[#include ]]) + +### + AC_DEFINE_DIR([NTP_KEYSDIR], [sysconfdir], [Default location of crypto key info]) diff --git a/contrib/ntp/html/authentic.html b/contrib/ntp/html/authentic.html index 06bb67bc727a..52703e4566e5 100644 --- a/contrib/ntp/html/authentic.html +++ b/contrib/ntp/html/authentic.html @@ -1,91 +1,223 @@ - - - -Authentication Support - - - - -

Authentication Support

-giffrom Alice's Adventures in Wonderland, Lewis Carroll -

Our resident cryptographer; now you see him, now you don't.

-

Last update: - 5-Feb-2016 09:13 - UTC

-
-

Related Links

- - -

Table of Contents

- -
-

Introduction

-

This page describes the various cryptographic authentication provisions in NTPv4. Authentication support allows the NTP client to verify that servers are in fact known and trusted and not intruders intending accidentally or intentionally to masquerade as a legitimate server. A detailed discussion of the NTP multi-layer security model and vulnerability analysis is in the white paper NTP Security Analysis.

-

The NTPv3 specification (RFC-1305) defined an authentication scheme properly described as symmetric key cryptography. It used the Data Encryption Standard (DES) algorithm operating in cipher-block chaining (CBC) mode. Subsequently, this algorithm was replaced by the RSA Message Digest 5 (MD5) algorithm commonly called keyed-MD5. Either algorithm computes a message digest or one-way hash which can be used to verify the client has the same message digest as the server. The MD5 message digest algorithm is included in the distribution, so without further cryptographic support, the distribution can be freely exported.

-

If the OpenSSL cryptographic library is installed prior to building the distribution, all message digest algorithms included in the library may be used, including SHA and SHA1. However, if conformance to FIPS 140-2 is required, only a limited subset of these algorithms can be used. This library is available from http://www.openssl.org and can be installed using the procedures outlined in the Building and Installing the Distribution page. Once installed, the configure and build process automatically detects the library and links the library routines -required.

-

In addition to the symmetric key algorithms, this distribution includes support for the Autokey public key algorithms and protocol specified in RFC-5906 "Network Time Protocol Version 4: Autokey Specification". This support is available only if the OpenSSL library has been installed and the --enable-autokey option is used when the distribution is built.

-

Public key cryptography is generally considered more secure than symmetric key cryptography, since the security is based on private and public values which are generated by each participant and where the private value is never revealed. Autokey uses X.509 public certificates, which can be produced by commercial services, the OpenSSL application program, or the ntp-keygen utility program in the NTP software distribution.

-

Note that according to US law, NTP binaries including OpenSSL library components, including the OpenSSL library itself, cannot be exported outside the US without license from the US Department of Commerce. Builders outside the US are advised to obtain the OpenSSL library directly from OpenSSL, which is outside the US, and build outside the US.

-

Authentication is configured separately for each association using the key or autokey option of the server configuration command, as described in the Server Options page. The ntp-keygen page describes the files required for the various authentication schemes. Further details are in the briefings, papers and reports at the NTP project page linked from www.ntp.org.

-

By default, the client sends non-authenticated packets and the server responds with non-authenticated packets. If the client sends authenticated packets, the server responds with authenticated packets if correct, or a crypto-NAK packet if not. In the case of unsolicited packets which might consume significant resources, such as broadcast or symmetric mode packets, authentication is required, unless overridden by a disable auth command. In the current climate of targeted broadcast or "letterbomb" attacks, defeating this requirement would be decidedly dangerous. In any case, the notrust flag, described on the Access Control Options page, can be used to disable access to all but correctly authenticated clients.

-

Symmetric Key Cryptography

-

The original NTPv3 specification (RFC-1305), as well as the current NTPv4 specification (RFC-5905), allows any one of possibly 65,534 message digest keys (excluding zero), each distinguished by a 32-bit key ID, to authenticate an association. The servers and clients involved must agree on the key ID, key type and key to authenticate NTP packets.

-

The message digest is a cryptographic hash computed by an algorithm such as MD5, SHA, or AES-128 CMAC. When authentication is specified, a message authentication code (MAC) is appended to the NTP packet header. The MAC consists of a 32-bit key identifier (key ID) followed by a 128- or 160-bit message digest. The algorithm computes the digest as the hash of a 128- or 160- bit message digest key concatenated with the NTP packet header fields with the exception of the MAC. On transmit, the message digest is computed and inserted in the MAC. On receive, the message digest is computed and compared with the MAC. The packet is accepted only if the two MACs are identical. If a discrepancy is found by the client, the client ignores the packet, but raises an alarm. If this happens at the server, the server returns a special message called a crypto-NAK. Since the crypto-NAK is protected by the loopback test, an intruder cannot disrupt the protocol by sending a bogus crypto-NAK.

-

Keys and related information are specified in a keys file, which must be distributed and stored using secure means beyond the scope of the NTP protocol itself. Besides the keys used for ordinary NTP associations, additional keys can be used as passwords for the ntpq and ntpdc utility programs. Ordinarily, the ntp.keys file is generated by the ntp-keygen program, but it can be constructed and edited using an ordinary text editor.

-

Each line of the keys file consists of three or four fields: a key ID in the range 1 to 65,534, inclusive, a key type, a message digest key consisting of a printable ASCII string less than 40 characters or a 40-character hex digit string, and an optional comma-separated list of IPs that are allowed to serve time. If the OpenSSL library is installed, the key type can be any message digest algorithm supported by the library. If the OpenSSL library is not installed, the only permitted key type is MD5.

- - -
- Figure 1. Typical Symmetric Key File -
-
-# ntpkey_MD5key_bk.ntp.org.3595864945
-# Thu Dec 12 19:22:25 2013
+  
+    
+    
+    Authentication Support
+    
+    
+    
+  
+  
+    

Authentication Support

+ giffrom Alice's Adventures in Wonderland, Lewis Carroll +

Our resident cryptographer; now you see him, now you don't.

+

Last update: + 24-Jul-2018 09:12 + UTC

+
+

Related Links

+ + +

Table of Contents

+ +
+

Introduction

+

This page describes the various cryptographic authentication + provisions in NTPv4. Authentication support allows the NTP client to + verify that servers are in fact known and trusted and not intruders + intending accidentally or intentionally to masquerade as a legitimate + server. A detailed discussion of the NTP multi-layer security model + and vulnerability analysis is in the white + paper NTP + Security Analysis.

+

The NTPv3 specification (RFC-1305) defined an authentication scheme + properly described as symmetric key cryptography. It used + the Data Encryption Standard (DES) algorithm operating in cipher-block + chaining (CBC) mode. Subsequently, this algorithm was replaced by the + RSA Message Digest 5 (MD5) algorithm commonly called keyed-MD5. + Either algorithm computes a message digest or one-way hash which can + be used to verify the client has the same message digest as the + server. The MD5 message digest algorithm is included in the + distribution, so without further cryptographic support, the + distribution can be freely exported.

+

If the OpenSSL cryptographic library is installed prior to building + the distribution, all message digest algorithms included in the + library may be used, including SHA and SHA1. However, if conformance + to FIPS 140-2 is required, only a limited subset of these algorithms + can be used. This library is available + from http://www.openssl.org and + can be installed using the procedures outlined in + the Building and Installing the Distribution + page. Once installed, the configure and build process automatically + detects the library and links the library routines required.

+

In addition to the symmetric key algorithms, this distribution + includes support for the Autokey public key algorithms and protocol + specified in RFC-5906 "Network Time Protocol Version 4: Autokey + Specification". This support is available only if the OpenSSL + library has been installed and the --enable-autokey option is + used when the distribution is built.

+

Public key cryptography is generally considered more secure than + symmetric key cryptography, since the security is based on private and + public values which are generated by each participant and where the + private value is never revealed. Autokey uses X.509 public + certificates, which can be produced by commercial services, the + OpenSSL application program, or + the ntp-keygen utility program in + the NTP software distribution.

+

Note that according to US law, NTP binaries including OpenSSL library + components, including the OpenSSL library itself, cannot be exported + outside the US without license from the US Department of Commerce. + Builders outside the US are advised to obtain the OpenSSL library + directly from OpenSSL, which is outside the US, and build outside the + US.

+

Authentication is configured separately for each association using + the key or autokey option of the server + configuration command, as described in + the Server Options page. + The ntp-keygen page describes the files + required for the various authentication schemes. Further details are + in the briefings, papers and reports at the NTP project page linked + from www.ntp.org.

+

By default, the client sends non-authenticated packets and the server + responds with non-authenticated packets. If the client sends + authenticated packets, the server responds with authenticated packets + if correct, or a crypto-NAK packet if not. In the case of unsolicited + packets which might consume significant resources, such as broadcast + or symmetric mode packets, authentication is required, unless + overridden by a disable auth command. In the current climate + of targeted broadcast or "letterbomb" attacks, defeating + this requirement would be decidedly dangerous. In any case, + the notrust flag, described on + the Access Control Options page, can be + used to disable access to all but correctly authenticated clients.

+

Symmetric Key Cryptography

+

The original NTPv3 specification (RFC-1305), as well as the current + NTPv4 specification (RFC-5905), allows any one of possibly 65,535 + message digest keys (excluding zero), each distinguished by a 32-bit + key ID, to authenticate an association. The servers and clients + involved must agree on the key ID, key type and key to authenticate + NTP packets.

+

The message digest is a cryptographic hash computed by an algorithm + such as MD5, SHA, or AES-128 CMAC. When authentication is specified, + a message authentication code (MAC) is appended to the NTP packet + header. The MAC consists of a 32-bit key identifier (key ID) followed + by a 128- or 160-bit message digest. The algorithm computes the + digest as the hash of a 128- or 160- bit message digest key + concatenated with the NTP packet header fields with the exception of + the MAC. On transmit, the message digest is computed and inserted in + the MAC. On receive, the message digest is computed and compared with + the MAC. The packet is accepted only if the two MACs are identical. + If a discrepancy is found by the client, the client ignores the + packet, but raises an alarm. If this happens at the server, the + server returns a special message called a crypto-NAK. Since + the crypto-NAK is protected by the loopback test, an intruder cannot + disrupt the protocol by sending a bogus crypto-NAK.

+

Keys and related information are specified in a keys file, which must + be distributed and stored using secure means beyond the scope of the + NTP protocol itself. Besides the keys used for ordinary NTP + associations, additional keys can be used as passwords for + the ntpq + and ntpdc utility programs. + Ordinarily, the ntp.keys file is generated by + the ntp-keygen program, but it can + be constructed and edited using an ordinary text editor.

+

Each line of the keys file consists of three or four fields: a key + ID in the range 1 to 65,535, inclusive, a key type, a message digest + key consisting of a printable ASCII string less than 40 characters or + a 40-character hex digit string, and an optional comma-separated list + of IPs that are allowed to serve time. If the OpenSSL library is + installed, the key type can be any message digest algorithm supported + by the library. If the OpenSSL library is not installed, the only + permitted key type is MD5.

+ + +
+ Figure 1. Typical Symmetric Key File +
+
+	    # ntpkey_MD5key_bk.ntp.org.3595864945
+	    # Thu Dec 12 19:22:25 2013
 
-1  MD5 L";Nw<`.I<f4U0)247"i  # MD5 key
-2  MD5 &>l0%XXK9O'51VwV<xq~  # MD5 key
-3  MD5 lb4zLW~d^!K:]RsD'qb6  # MD5 key
-4  MD5 Yue:tL[+vR)M`n~bY,'?  # MD5 key
-5  MD5 B;fxlKgr/&4ZTbL6=RxA  # MD5 key
-6  MD5 4eYwa`o}3i@@V@..R9!l  # MD5 key
-7  MD5 `A.([h+;wTQ|xfi%Sn_!  # MD5 key
-8  MD5 45:V,r4]l6y^JH6"Sh?F  # MD5 key
-9  MD5 3-5vcn*6l29DS?Xdsg)*  # MD5 key
-10 MD5 2late4Me              # MD5 key
-11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c  # SHA1 key
-12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74  # SHA1 key
-13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9  # SHA1 key
-14 SHA  a5332809c8878dd3a5b918819108a111509aeceb  # SHA  key
-15 MD2  2fe16c88c760ff2f16d4267e36c1aa6c926e6964  # MD2  key
-16 MD4  b2691811dc19cfc0e2f9bcacd74213f29812183d  # MD4  key
-17 MD5  e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c  # MD5  key
-18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc  # MDC2 key
-19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2  # RIPEMD160 key
-20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878  # AES128CMAC key
-  
-

Figure 1 shows a typical keys file used by the reference implementation when the OpenSSL library is installed. In this figure, for key IDs in he range 1-10, the key is interpreted as a printable ASCII string. For key IDs in the range 11-20, the key is a 40-character hex digit string. The key is truncated or zero-filled internally to either 128 or 160 bits, depending on the key type. The line can be edited later or new lines can be added to change any field. The key can be changed to a password, such as 2late4Me for key ID 10. Note that two or more keys files can be combined in any order as long as the key IDs are distinct.

-

When ntpd is started, it reads the keys file specified by the keys command and installs the keys in the key cache. However, individual keys must be activated with the trustedkey configuration command before use. This allows, for instance, the installation of possibly several batches of keys and then activating a key remotely using ntpq or ntpdc. The requestkey command selects the key ID used as the password for the ntpdc utility, while the controlkey command selects the key ID used as the password for the ntpq utility.

-

Microsoft Windows Authentication

-

In addition to the above means, ntpd now supports Microsoft Windows MS-SNTP authentication using Active Directory services. This support was contributed by the Samba Team and is still in development. It is enabled using the mssntp flag of the restrict command described on the Access Control Options page. Note: Potential users should be aware that these services involve a TCP connection to another process that could potentially block, denying services to other users. Therefore, this flag should be used only for a dedicated server with no clients other than MS-SNTP.

-

Public Key Cryptography

-

See the Autokey Public-Key Authentication page.

-
- -
+ 1 MD5 L";Nw<`.I<f4U0)247"i # MD5 key
+ 2 MD5 &>l0%XXK9O'51VwV<xq~ # MD5 key
+ 3 MD5 lb4zLW~d^!K:]RsD'qb6 # MD5 key
+ 4 MD5 Yue:tL[+vR)M`n~bY,'? # MD5 key
+ 5 MD5 B;fxlKgr/&4ZTbL6=RxA # MD5 key
+ 6 MD5 4eYwa`o}3i@@V@..R9!l # MD5 key
+ 7 MD5 `A.([h+;wTQ|xfi%Sn_! # MD5 key
+ 8 MD5 45:V,r4]l6y^JH6"Sh?F # MD5 key
+ 9 MD5 3-5vcn*6l29DS?Xdsg)* # MD5 key
+ 10 MD5 2late4Me # MD5 key
+ 11 SHA1 a27872d3030a9025b8446c751b4551a7629af65c # SHA1 key
+ 12 SHA1 21bc3b4865dbb9e920902abdccb3e04ff97a5e74 # SHA1 key
+ 13 SHA1 2b7736fe24fef5ba85ae11594132ab5d6f6daba9 # SHA1 key
+ 14 SHA a5332809c8878dd3a5b918819108a111509aeceb # SHA key
+ 15 MD2 2fe16c88c760ff2f16d4267e36c1aa6c926e6964 # MD2 key
+ 16 MD4 b2691811dc19cfc0e2f9bcacd74213f29812183d # MD4 key
+ 17 MD5 e4d6735b8bdad58ec5ffcb087300a17f7fef1f7c # MD5 key
+ 18 MDC2 a8d5e2315c025bf3a79174c87fbd10477de2eabc # MDC2 key
+ 19 RIPEMD160 77ca332cafb30e3cafb174dcd5b80ded7ba9b3d2 # RIPEMD160 key
+ 20 AES128CMAC f92ff73eee86c1e7dc638d6489a04e4e555af878 # AES128CMAC key
+ 21 MD5 sampo 10.1.2.3/24 +
+

Figure 1 shows a typical symmetric keys file used by the reference + implementation when the OpenSSL library is installed. Each line of + the file contains three or four fields. The first field is an integer + between 1 and 65535, inclusive, representing the key identifier. The + second field is the digest algorithm, which in the absence of the + OpenSSL library must be MD5, which designates the MD5 message + digest algorithm. The third field is the key. The optional fourth + field is one or more comma-separated IPs. An IP may end with an + optional /subnetbits suffix, which limits the acceptance of + the key identifier to packets claiming to be from the described IP + space. In this example, for the key IDs in the range 1-10 the key is + interpreted as a printable ASCII string. For the key IDs in the range + 11-20, the key is a 40-character hex digit string. In either case, + the key is truncated or zero-filled internally to either 128 or 160 + bits, depending on the key type. The line can be edited later or new + lines can be added to change any field. The key can be changed to a + password, such as 2late4Me for key ID 10. Note that two or + more keys files can be combined in any order as long as the key IDs + are distinct.

+

When ntpd is started, it reads the keys file specified by + the keys command and installs the keys in the key cache. + However, individual keys must be activated with + the trustedkey configuration command before use. This + allows, for instance, the installation of possibly several batches of + keys and then activating a key remotely using ntpq + or ntpdc. The requestkey command selects the key ID + used as the password for the ntpdc utility, while + the controlkey command selects the key ID used as the + password for the ntpq utility.

+

Microsoft Windows Authentication

+

In addition to the above means, ntpd now supports Microsoft + Windows MS-SNTP authentication using Active Directory services. This + support was contributed by the Samba Team and is still in development. + It is enabled using the mssntp flag of the restrict + command described on the Access Control + Options page. Note: Potential users should + be aware that these services involve a TCP connection to another + process that could potentially block, denying services to other users. + Therefore, this flag should be used only for a dedicated server with + no clients other than MS-SNTP.

+

Public Key Cryptography

+

See the Autokey Public-Key Authentication + page.

+
+ +
diff --git a/contrib/ntp/html/authopt.html b/contrib/ntp/html/authopt.html
index 9504deb8ad69..c9484ef9ad5c 100644
--- a/contrib/ntp/html/authopt.html
+++ b/contrib/ntp/html/authopt.html
@@ -4,6 +4,7 @@ Authentication Commands and Options +