[SA-14:31] Fix multiple vulnerabilities in NTP suite.
[EN-14:13] Fix directory deletion issue in freebsd-update.

Approved by: so

MFS r260639 (MFC r260637):

Disable 'monitor' feature in ntpd by default.

Security: FreeBSD-SA-14:02.ntpd
Approved by: re (gjb)

Remove svn:mergeinfo from the releng/10.0 branch.

After branch creation from stable/10, the stable/10 branch mergeinfo
was moved to the root of the branch.

Since there have not been any merges from stable/10 to releng/10.0
yet, we do not need to track any of the existing mergeinfo here.

Merges to releng/10.0 should now be done to the root of the branch.

For future branches during the release cycle, unless otherwise noted,
this change will be done as part of the stable/ and releng/ branch
creation.

Discussed with: peter
Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

- Copy stable/10 (r259064) to releng/10.0 as part of the
10.0-RELEASE cycle.
- Update __FreeBSD_version [1]
- Set branch name to -RC1

[1] 10.0-CURRENT __FreeBSD_version value ended at '55', so
start releng/10.0 at '100' so the branch is started with
a value ending in zero.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Copy head (r256279) to stable/10 as part of the 10.0-RELEASE cycle.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation

Clean some 'svn:executable' properties in the tree.

Submitted by: Christoph Mallon
MFC after: 3 days

Clean up hardcoded ar(1) flags in the tree to use the global ARFLAGS in
share/mk/sys.mk instead.

This is part of a medium term project to permit deterministic builds of
FreeBSD.

Submitted by: Erik Cederstrand <erik@cederstrand.dk>
Reviewed by: imp, toolchain@
Approved by: cperciva
MFC after: 2 weeks

Remove extraneous log message

When ntp switched between PLL and FLL mode it produced a log message
"kernel time sync status change %04x". This issue is reported in ntp
bug 452[1] which claims that this behaviour is normal and the log
message isn't necessary. I'm not sure exactly when it was removed, but
it's gone in the latest ntp release (4.2.6p5).

[1] http://bugs.ntp.org/show_bug.cgi?id=452

Approved by: roberto

With retirement of cpumask_t and usage of cpuset_t for representing a
mask of CPUs, pc_other_cpus and pc_cpumask become highly inefficient.

Remove them and replace their usage with custom pc_cpuid magic (as,
atm, pc_cpumask can be easilly represented by (1 << pc_cpuid) and
pc_other_cpus by (all_cpus & ~(1 << pc_cpuid))).

This change is not targeted for MFC because of struct pcpu members
removal and dependency by cpumask_t retirement.

MD review by: marcel, marius, alc
Tested by: pluknet
MD testing by: marcel, marius, gonzo, andreast

In case ntp cannot resolve a hostname on startup it will queue the entry
for resolving by a child process that, upon success, will add the entry
to the config of the running running parent process.

Unfortunately there are a couple of bugs with this, fixed in various
later versions of upstream in potentially different ways due to other
code changes:

1) Upon server [-46] <FQDN> the [-46] are used as FQDN for later resolving
which does not work. Make sure we always pass the name (or IP there).

2) The intermediate file to carry the information to the child process
does not know about -4/-6 restrictions, so that a dual-stacked host
could resolve to an IPv6 address but that might be unreachable (see
r223626) leading to no working synchronization ignoring a IPv4 record.
Thus alter the intermediate format to also pass the address family
(AF_UNSPEC (default), AF_INET or AF_INET6) to the child process
depending on -4 or -6.

3) Make the child process to parse the new intermediate file format and
save the address family for getaddrinfo() hints flags.

4) Change child to always reload resolv.conf calling res_init() before
trying to resolve names. This will pick up resolv.conf changes or
new resolv.confs should they have not existed or been empty or
unusable on ntp startup. This fix is more conditional in upstream
versions but given FreeBSD has res_init there is no need for the
configure logic as well.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 9 days

Compare port numbers correctly. They are stored by SRCPORT()
in host byte order, so we need to compare them as such.
Properly compare IPv6 addresses as well.

This allows the, by default, 8 badaddrs slots per address
family to work correctly and only print sendto() errors once.

The change is no longer applicable to any latest upstream versions.

Approved by: roberto
Sponsored by: Sandvine Incorporated
MFC after: 1 week

etire the cpumask_t type and replace it with cpuset_t usage.

This is intended to fix the bug where cpu mask objects are
capped to 32. MAXCPU, then, can now arbitrarely bumped to whatever
value. Anyway, as long as several structures in the kernel are
statically allocated and sized as MAXCPU, it is suggested to keep it
as low as possible for the time being.

Technical notes on this commit itself:
- More functions to handle with cpuset_t objects are introduced.
The most notable are cpusetobj_ffs() (which calculates a ffs(3)
for a cpuset_t object), cpusetobj_strprint() (which prepares a string
representing a cpuset_t object) and cpusetobj_strscan() (which
creates a valid cpuset_t starting from a string representation).
- pc_cpumask and pc_other_cpus are target to be removed soon.
With the moving from cpumask_t to cpuset_t they are now inefficient
and not really useful. Anyway, for the time being, please note that
access to pcpu datas is protected by sched_pin() in order to avoid
migrating the CPU while reading more than one (possible) word
- Please note that size of cpuset_t objects may differ between kernel
and userland. While this is not directly related to the patch itself,
it is good to understand that concept and possibly use the patch
as a reference on how to deal with cpuset_t objects in userland, when
accessing kernland members.
- KTR_CPUMASK is changed and now is represented through a string, to be
set as the example reported in NOTES.

Please additively note that no MAXCPU is bumped in this patch, but
private testing has been done until to MAXCPU=128 on a real 8x8x2(htt)
machine (amd64).

Please note that the FreeBSD version is not yet bumped because of
the upcoming pcpu changes. However, note that this patch is not
targeted for MFC.

People to thank for the time spent on this patch:
- sbruno, pluknet and Nicholas Esborn (nick AT desert DOT net) tested
several revision of the patches and really helped in improving
stability of this work.
- marius fixed several bugs in the sparc64 implementation and reviewed
patches related to ktr.
- jeff and jhb discussed the basic approach followed.
- kib and marcel made targeted review on some specific part of the
patch.
- marius, art, nwhitehorn and andreast reviewed MD specific part of
the patch.
- marius, andreast, gonzo, nwhitehorn and jceel tested MD specific
implementations of the patch.
- Other people have made contributions on other patches that have been
already committed and have been listed separately.

Companies that should be mentioned for having participated at several
degrees:
- Yahoo! for having offered the machines used for testing on big
count of CPUs.
- The FreeBSD Foundation for having sponsored my devsummit attendance,
which has been instrumental.
- Sandvine for having offered offices and infrastructure during
development.

(I really hope I didn't forget anyone, if it happened I apologize in
advance).

The argument to setsockopt for IP_MULTICAST_LOOP depends on operating
system and is decided upon by configure and could be an u_int or a
u_char. For FreeBSD it is a u_char.

For IPv6 however RFC 3493, 5.2 defines the argument to
IPV6_MULTICAST_LOOP to be an unsigned integer so make sure we always
use that using a second variable for the IPV6 case.
This is to get rid of these error messages every 5 minutes on some
systems:
ntpd[1530]: setsockopt IPV6_MULTICAST_LOOP failure: Invalid argument
on socket 22, addr fe80::... for multicast address ff02::101

While here also fix the copy&paste error in the log message for
IPV6_MULTICAST_LOOP.

Reviewed by: roberto
Sponsored by: The FreeBSD Foundation
Sponsored by: iXsystems
MFC after: 10 days
Filed as: Bug 1936 on ntp.org

Merger of the quota64 project into head.

This joint work of Dag-Erling Smørgrav and myself updates the
FFS quota system to support both traditional 32-bit and new 64-bit
quotas (for those of you who want to put 2+Tb quotas on your users).

By default quotas are not compiled into the kernel. To include them
in your kernel configuration you need to specify:

options QUOTA # Enable FFS quotas

If you are already running with the current 32-bit quotas, they
should continue to work just as they have in the past. If you
wish to convert to using 64-bit quotas, use `quotacheck -c 64';
if you wish to revert from 64-bit quotas back to 32-bit quotas,
use `quotacheck -c 32'.

There is a new library of functions to simplify the use of the
quota system, do `man quotafile' for details. If your application
is currently using the quotactl(2), it is highly recommended that
you convert your application to use the quotafile interface.
Note that existing binaries will continue to work.

Special thanks to John Kozubik of rsync.net for getting me
interested in pursuing 64-bit quota support and for funding
part of my development time on this project.

Merge 4.2.4p8 into contrib (r200452 & r200454).

Subversion is being difficult here so take a hammer and get it in.

MFC after: 2 weeks
Security: CVE-2009-3563

Bootstrap mergeinfo (thanks des@).

Don't try to bind to an anycast addeess. The KAME IPv6 stack doesn't
allow bind to an anycast addeess. It does away with an annoying
message.

Reviewed by: bz, roberto
MFC after: 2 weeks

Remove build timestamps from the following files:
/boot/kernel/hptrr.ko
/etc/mail/*.cf
/lib/libcrypto.so.5
/usr/bin/ntpq
/usr/sbin/amd
/usr/sbin/iasl
/usr/sbin/ntpd
/usr/sbin/ntpdate
/usr/sbin/ntpdc

There does not appear to be any purpose to having these timestamps, and
they have the irritating consequence that the aforementioned files will
be different every time they are rebuilt.

After this commit, the only remaining build timestamps are in the kernel,
the boot loaders, /usr/include/osreldate.h (the year in the copyright
notice), and lib*.a (the timestamps on all of the included .o files).

Reviewed by: scottl (hptrr), gshapiro (sendmail), simon (openssl),
roberto (ntp), jkim (acpica)
Approved by: re (kib)

Prevent integer overflow in direct pipe write code from circumventing
virtual-to-physical page lookups. [09:09]

Add missing permissions check for SIOCSIFINFO_IN6 ioctl. [09:10]

Fix buffer overflow in "autokey" negotiation in ntpd(8). [09:11]

Approved by: so (cperciva)
Approved by: re (not really, but SVN wants this...)
Security: FreeBSD-SA-09:09.pipe
Security: FreeBSD-SA-09:10.ipv6
Security: FreeBSD-SA-09:11.ntpd

Remove empty directories from the HEAD.

Discussed with: developers, imp

Merge r191298 into HEAD.

Prevent a buffer overflow in ntpq. Patch taken from the PR database
after being committed to the official ntp tree and present in 4.2.4p7-rc2.

It will be MFH to the upcoming 7.2 pending re approval.

Obtained from: https://support.ntp.org/bugs/show_bug.cgi?id=1144
MFC after: 3 days
Security: http://www.securityfocus.com/bid/34481
CVE-2009-0159

Correct ntpd(8) cryptographic signature bypass [SA-09:04].

Correct BIND DNSSEC incorrect checks for malformed signatures
[SA-09:04].

Security: FreeBSD-SA-09:03.ntpd
Security: FreeBSD-SA-09:04.bind
Obtained from: ISC [SA-09:04]
Approved by: so (simon)

Merge from vendor/ntp/dist: r182856:

Apply updated patch from bin/92839 to avoid two possible buffer overflows.

PR: bin/92839
Submitted by: Helge Oldach <freebsdntpd@oldach.net>

Merge ntpd & friends 4.2.4p5 from vendor/ntp/dist into head. Next commit
will update usr.sbin/ntp to match this.

MFC after: 2 weeks

Move FREEBSD-upgrade as well.

Move FREEBSD-Xlist in a more proper location.

Reset mergeinfo for contrib/ntp (per the wiki page).

This commit was generated by cvs2svn to compensate for changes in r162735,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r138451,
which included commits to RCS files with non-trunk default branches.

This commit was generated by cvs2svn to compensate for changes in r132536,
which included commits to RCS files with non-trunk default branches.

Remove an extra '}'.

Update information on build/import.

Merge conflicts.

Lots of added files, some removed and quite a large number of renames :(

Merge conflicts (see also previous commit).

Reinsert our local changes to ntp_control.c:

1.4: Do not log every potential exploit attempt since a denial-of-service
may result
1.5: int -> unsigned char fixes

Revert this file to the vendor version, we don't need to have our own
version of it. Will help further upgrades.

This commit was generated by cvs2svn to compensate for changes in r132451,
which included commits to RCS files with non-trunk default branches.

Merge conflicts.

MFC after: 1 month

This commit was generated by cvs2svn to compensate for changes in r106424,
which included commits to RCS files with non-trunk default branches.

Update for 4.1.1a.

Tested on: Sparc64 (panther), Alpha (beast) & i386

This commit was generated by cvs2svn to compensate for changes in r106167,
which included commits to RCS files with non-trunk default branches.

Merge conflicts.

MFC after: 1 month

This commit was generated by cvs2svn to compensate for changes in r106163,
which included commits to RCS files with non-trunk default branches.

Merge after 4.1.0 import.

Update for 4.1.0 import.

Redo the int -> unsigned changes jedgar did. It should have been submitted
back but it was off the vendor branch anyway so...

This commit was generated by cvs2svn to compensate for changes in r82498,
which included commits to RCS files with non-trunk default branches.

Do not log every potential exploit attempt since a denial-of-service
may result.

- Correct off-by-one error and buffer underflow from previous fix
- int -> unsigned char fixes

Submitted by: ache, dillon, Mark Andrews, et.al. (on -security)

Fix a potential ROOT-exploit in NTPD.

PR: 26358
Reviewed by: dima

This commit was generated by cvs2svn to compensate for changes in r57738,
which included commits to RCS files with non-trunk default branches.

Update for ntp 4.0.99b.

Merge conflicts with the import of 4.0.99b.

This commit was generated by cvs2svn to compensate for changes in r56746,
which included commits to RCS files with non-trunk default branches.

This is the list of files excluded from the original tarball.

Reviewed by: peter, obrien

Commit a fix several warnings on alpha for sysctlbyname arguments. It could
have resulted in stack corruption. A patch has been sent to the ntp author
for inclusion in next version.

Obtained from: peter

Please all welcome the long-awaited upgrade from our ancient xntpd 3.4f
to a brand new and shiny ntpd 4.0.98f.

I got tired of waiting for 4.1.0 and there is the feature freeze deadline
so here it is. This is the contrib/ part of the upgrade. The Makefile glue
will be added very soon in usr.sbin.

It builds and runs on both i386 and alpha (Thanks Peter!).

The bad news is that manpages no longer exist, everything is in HTML. I'll
commit the text version of each HTML file in /usr/share/doc/ntp soon to have
at least the help files w/o needing to get the entire contrib/ntp tree.

I'll commit FREEBSD-Xlist as soon as I can skip over $FreeBSD$ checks...

Reviewed by: peter, obrien
Pushed by: phk

This commit was generated by cvs2svn to compensate for changes in r54359,
which included commits to RCS files with non-trunk default branches.