Accepting request 903544 from network:time

- boo#1187906: Consolidate all references to the helper script.
- bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode,
  but needed for calculating refids from IPv6 addresses as part of
  the NTP protocol (rfc5905). As this is a non-cryptographic use of
  MD5 we can use our own implementation without violating FIPS
  rules: chrony-refid-internal-md5.patch .

OBS-URL: https://build.opensuse.org/request/show/903544
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/chrony?expand=0&rev=31

chrony-dnssrv@.service

@@ -5,4 +5,4 @@ Wants=network-online.target
 
 [Service]
 Type=oneshot
-ExecStart=@LIBEXECDIR@/chrony/helper update-dnssrv-servers %I
+ExecStart=@CHRONY_HELPER@ update-dnssrv-servers %I

chrony-refid-internal-md5.patch

@@ -0,0 +1,45 @@
+--- util.c.orig
++++ util.c
+@@ -32,7 +32,13 @@
+ #include "logging.h"
+ #include "memory.h"
+ #include "util.h"
+-#include "hash.h"
++/*
++ * We use the internal MD5 implementation here to avoid trouble with
++ * FIPS. This is OK, because MD5 is only being used for the non-crypto
++ * purpose of hashing 128 bit IPv6 addresses to 32 bit referenc IDs,
++ * as required by RFC 5905.
++ */
++#include "md5.c"
+ 
+ #define NSEC_PER_SEC 1000000000
+ 
+@@ -392,21 +398,17 @@ UTI_IsIPReal(const IPAddr *ip)
+ uint32_t
+ UTI_IPToRefid(const IPAddr *ip)
+ {
+-  static int MD5_hash = -1;
+-  unsigned char buf[16];
++  MD5_CTX ctx;
++  unsigned char *buf = &ctx.digest;
+ 
+   switch (ip->family) {
+     case IPADDR_INET4:
+       return ip->addr.in4;
+     case IPADDR_INET6:
+-      if (MD5_hash < 0)
+-        MD5_hash = HSH_GetHashId(HSH_MD5);
+-
+-      if (MD5_hash < 0 ||
+-          HSH_Hash(MD5_hash, (const unsigned char *)ip->addr.in6, sizeof (ip->addr.in6),
+-                   NULL, 0, buf, sizeof (buf)) != sizeof (buf))
+-        LOG_FATAL("Could not get MD5");
+-
++      MD5Init(&ctx);
++      MD5Update(&ctx, (unsigned const char *)ip->addr.in6,
++                     sizeof(ip->addr.in6));
++      MD5Final(&ctx);
+       return (uint32_t)buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3];
+   }
+   return 0;

chrony-service-helper.patch

@@ -5,7 +5,7 @@ diff -burNE chrony-3.5_orig/examples/chronyd.service chrony-3.5/examples/chronyd
  PIDFile=/run/chrony/chronyd.pid
  EnvironmentFile=-/etc/sysconfig/chronyd
  ExecStart=/usr/sbin/chronyd $OPTIONS
-+ExecStartPost=@LIBEXECDIR@/chrony/helper update-daemon
++ExecStartPost=@CHRONY_HELPER@ update-daemon
  PrivateTmp=yes
  ProtectHome=yes
  ProtectSystem=full

chrony.changes

@@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Thu Jul  1 12:38:13 UTC 2021 - Reinhard Max <max@suse.com>
+
+- boo#1187906: Consolidate all references to the helper script.
+- bsc#1173760: MD5 is not available from mozilla-nss in FIPS mode,
+  but needed for calculating refids from IPv6 addresses as part of
+  the NTP protocol (rfc5905). As this is a non-cryptographic use of
+  MD5 we can use our own implementation without violating FIPS
+  rules: chrony-refid-internal-md5.patch .
+
 -------------------------------------------------------------------
 Sun Jun 13 13:29:36 UTC 2021 - Callum Farmer <gmbr3@opensuse.org>
 

chrony.dhclient

@@ -8,13 +8,13 @@ chrony_config() {
 		for server in $new_ntp_servers; do
 			echo "$server ${NTPSERVERARGS:-iburst}" >> $SERVERFILE
 		done
-		/usr/share/chrony-helper update-daemon || :
+		@CHRONY_HELPER@ update-daemon || :
 	fi
 }
 
 chrony_restore() {
 	if [ -f $SERVERFILE ]; then
 		rm -f $SERVERFILE
-		/usr/share/chrony-helper update-daemon || :
+		@CHRONY_HELPER@ update-daemon || :
 	fi
 }

chrony.spec

@@ -25,6 +25,7 @@
 %if ! %{defined _fillupdir}
   %define _fillupdir %{_localstatedir}/adm/fillup-templates
 %endif
+%define chrony_helper %{_libexecdir}/chrony/helper
 Name:           chrony
 Version:        4.1
 Release:        0
@@ -53,6 +54,7 @@ Patch0:         chrony-config.patch
 Patch1:         chrony-service-helper.patch
 Patch2:         chrony-logrotate.patch
 Patch3:         chrony-service-ordering.patch
+Patch4:         chrony-refid-internal-md5.patch
 BuildRequires:  NetworkManager-devel
 BuildRequires:  bison
 BuildRequires:  gcc-c++
@@ -63,10 +65,10 @@ BuildRequires:  pkgconfig
 BuildRequires:  pps-tools-devel
 # The timezone package is needed for the "make check" tests. It can be
 # removed if the call to make check is ever deleted.
+BuildRequires:  sysuser-tools
 BuildRequires:  timezone
 BuildRequires:  pkgconfig(systemd)
 BuildRequires:  rubygem(asciidoctor)
-BuildRequires:  sysuser-tools
 Recommends:     logrotate
 Requires(post): %fillup_prereq
 %sysusers_requires
@@ -147,11 +149,12 @@ e.g. because the servers will be set via DHCP.
 
 %prep
 %setup -q -a 10
+sed -e 's-@CHRONY_HELPER@-%{chrony_helper}-g' -i %{PATCH1} %{SOURCE3} %{SOURCE5}
 %patch0 -p1
-sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{PATCH1}
 %patch1 -p1
 %patch2 -p1
 %patch3
+%patch4
 
 # Remove pool statements from the default /etc/chrony.conf. They will
 # be provided by branding packages in /etc/chrony.d/pool.conf .
@@ -203,7 +206,6 @@ install -Dpm 0644 examples/chronyd.service \
   %{buildroot}%{_unitdir}/chronyd.service
 install -Dpm 0644 examples/chrony-wait.service \
   %{buildroot}%{_unitdir}/chrony-wait.service
-sed -e 's-@LIBEXECDIR@-%{_libexecdir}-g' -i %{SOURCE5}
 install -Dpm 0644 %{SOURCE5} \
   %{buildroot}%{_unitdir}/chrony-dnssrv@.service
 install -Dpm 0644 %{SOURCE6} \
@@ -221,8 +223,7 @@ echo 'chronyd.service' > \
 
 install -Dpm 0644 %{SOURCE2} \
   %{buildroot}%{_fillupdir}/sysconfig.chronyd
-install -Dpm 755 %{SOURCE4} \
+install -Dpm 755 %{SOURCE4} %{buildroot}%{chrony_helper}
-  %{buildroot}%{_libexecdir}/%name/helper
 
 install -d %{buildroot}%{_localstatedir}/log/chrony
 touch %{buildroot}%{_localstatedir}/lib/chrony/{drift,rtc}