
package/ntpsec: new package

- set 'CC="$(HOSTCC)"' to avoid cross-compile failure (see [1]):

  /bin/sh: line 1: .../build/ntpsec-1_2_0/build/host/ntpd/keyword-gen: cannot execute binary file: Exec format error

  Waf: Leaving directory `.../build/ntpsec-1_2_0/build/host'
  Build failed
   -> task in 'ntp_keyword.h' failed with exit status 126 (run with -v to display more information)

- set '-std=gnu99' to avoid compile failure with old compilers

- explicitly set PYTHON_CONFIG

- add patch 001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch to
  fix ntptime jfmt5/ofmt5 jfmt6/ofmt6 related compile failure

- add patch 0002-wscript-remove-checks-for-bsd-string.h-fixes-host-co.patch to
  fix host-compile failure in case target libbsd is detected

- add SYSV init file (S49ntp)

- add example ntpd.conf (with legacy option enabled and provide skeleton
  for NTS configuration)

- add config option for NTS support

- add ntp user/group and run ntpd as restricted user

- add libcap dependency (compile time optional but needed for droproot
  support)

[1] https://gitlab.com/NTPsec/ntpsec/-/issues/694

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Thomas: S49ntp -> S49ntpd]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Peter Seiderer 3 年之前
父節點
當前提交
27b8d0ba8c

+ 1 - 0
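--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -2314,6 +2314,7 @@ F:	package/libcamera-apps/
 F:	package/libevdev/
 F:	package/libuev/
 F:	package/log4cplus/
+F:	package/ntpsec/
 F:	package/postgresql/
 F:	package/python-colorzero/
 F:	package/python-flask-wtf/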

+ 1 - 0
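--- a/package/Config.in
+++ b/package/Config.in
@@ -2314,6 +2314,7 @@ endif
 	source "package/nmap/Config.in"
 	source "package/noip/Config.in"
 	source "package/ntp/Config.in"
+	source "package/ntpsec/Config.in"
 	source "package/nuttcp/Config.in"
 	source "package/odhcp6c/Config.in"
 	source "package/odhcploc/Config.in"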

+ 90 - 0
package/ntpsec/0001-ntptime-fix-jfmt5-ofmt5-jfmt6-ofmt6-related-compile-.patch

@@ -0,0 +1,90 @@
+From aa9ed14c7f4d0edbda9370760b44be045638f8a0 Mon Sep 17 00:00:00 2001
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Mon, 4 Oct 2021 22:25:58 +0200
+Subject: [PATCH] ntptime: fix jfmt5/ofmt5 jfmt6/ofmt6 related compile failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Use same define guard for definiton as for usage ('HAVE_STRUCT_NTPTIMEVAL_TAI'
+instead of 'NTP_API && NTP_API > 3').
+
+While at it use HAVE_STRUCT_NTPTIMEVAL_TAI define guard for the two remaining
+places using NTP_API (which is not defined by the uclibc sys/timex.h header).
+
+Fixes:
+
+  ../../ntptime/ntptime.c: In function ‘main’:
+  ../../ntptime/ntptime.c:349:17: error: ‘jfmt5’ undeclared (first use in this function); did you mean ‘jfmt6’?
+    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
+        |                 ^~~~~
+        |                 jfmt6
+  ../../ntptime/ntptime.c:349:17: note: each undeclared identifier is reported only once for each function it appears in
+  ../../ntptime/ntptime.c:349:25: error: ‘ofmt5’ undeclared (first use in this function); did you mean ‘ofmt6’?
+    349 |   printf(json ? jfmt5 : ofmt5, (long)ntv.tai);
+        |                         ^~~~~
+        |                         ofmt6
+  ../../ntptime/ntptime.c:321:15: warning: unused variable ‘jfmt6’ [-Wunused-variable]
+    321 |   const char *jfmt6 = "";
+        |               ^~~~~
+  ../../ntptime/ntptime.c:311:15: warning: unused variable ‘ofmt6’ [-Wunused-variable]
+    311 |   const char *ofmt6 = "\n";
+        |               ^~~~~
+
+[Upstream: https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1245]
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ ntptime/ntptime.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ntptime/ntptime.c b/ntptime/ntptime.c
+index ff861cb3b..7fbd09977 100644
+--- a/ntptime/ntptime.c
++++ b/ntptime/ntptime.c
+@@ -138,7 +138,7 @@ main(
+ 			ntx.modes |= MOD_NANO;
+ 			break;
+ #endif
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		case 'T':
+ 			ntx.modes = MOD_TAI;
+ 			ntx.constant = atoi(ntp_optarg);
+@@ -222,7 +222,7 @@ main(
+ #else
+ "",
+ #endif
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ "-T tai_offset	set TAI offset\n",
+ #else
+ "",
+@@ -305,21 +305,21 @@ main(
+ 		const char *ofmt2 = "  time %s, (.%0*d),\n";
+ 		const char *ofmt3 = "  maximum error %lu us, estimated error %lu us";
+ 		const char *ofmt4 = "  ntptime=%x.%x unixtime=%x.%0*d %s";
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		const char *ofmt5 = ", TAI offset %ld\n";
+ #else
+ 		const char *ofmt6 = "\n";
+-#endif /* NTP_API */
++#endif /* HAVE_STRUCT_NTPTIMEVAL_TAI */
+ 		/* JSON formats */
+ 		const char *jfmt1 = "{\"gettime-code\":%d,\"gettime-status\":\"%s\",";
+ 		const char *jfmt2 = "\"time\":\"%s\",\"fractional-time\":\".%0*d\",";
+ 		const char *jfmt3 = "\"maximum-error\":%lu,\"estimated-error\":%lu,";
+ 		const char *jfmt4 = "\"raw-ntp-time\":\"%x.%x\",\"raw-unix-time\":\"%x.%0*d %s\",";
+-#if defined NTP_API && NTP_API > 3
++#if defined(HAVE_STRUCT_NTPTIMEVAL_TAI)
+ 		const char *jfmt5 = "\"TAI-offset\":%d,";
+ #else
+ 		const char *jfmt6 = "";
+-#endif /* NTP_API */
++#endif /* HAVE_STRUCT_NTPTIMEVAL_TAI */
+ 		printf(json ? jfmt1 : ofmt1, status, timex_state(status));
+ 		time_frac = ntv.time.tv_frac_sec;
+ #ifdef STA_NANO
+-- 
+2.34.1
+

+ 73 - 0
package/ntpsec/0002-wscript-remove-checks-for-bsd-string.h-fixes-host-co.patch

@@ -0,0 +1,73 @@
+From 54fbeaa68a59f536819d1cfb2e9204176fbff54b Mon Sep 17 00:00:00 2001
+From: Peter Seiderer <ps.report@gmx.net>
+Date: Thu, 16 Dec 2021 23:27:35 +0100
+Subject: [PATCH] wscript: remove checks for bsd/string.h, fixes host-compile
+ failure
+
+Fixes the following host-compile failure while cross-compiling
+in case target libbsd is found:
+
+  [2/2] Compiling build/host/ntpd/ntp_parser.tab.c
+  In file included from ../../include/ntp.h:15,
+                   from .../build/ntpsec-1_2_1/ntpd/ntp_parser.y:16:
+  ../../include/ntp_stdlib.h:20:10: fatal error: bsd/string.h: No such file or directory
+     20 | #include <bsd/string.h>
+        |          ^~~~~~~~~~~~~~
+  compilation terminated.
+
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ include/ntp_stdlib.h |  4 ----
+ wscript              | 14 --------------
+ 2 files changed, 18 deletions(-)
+
+diff --git a/include/ntp_stdlib.h b/include/ntp_stdlib.h
+index fe4d78e5c..73d97084f 100644
+--- a/include/ntp_stdlib.h
++++ b/include/ntp_stdlib.h
+@@ -16,10 +16,6 @@
+ #include "ntp_malloc.h"
+ #include "ntp_syslog.h"
+ 
+-#ifdef HAVE_BSD_STRING_H
+-#include <bsd/string.h>
+-#endif
+-
+ #ifdef __GNUC__
+ #define NTP_PRINTF(fmt, args) __attribute__((__format__(__printf__, fmt, args)))
+ #else
+diff --git a/wscript b/wscript
+index 641073f00..aa04b1d1c 100644
+--- a/wscript
++++ b/wscript
+@@ -660,19 +660,6 @@ int main(int argc, char **argv) {
+                        prerequisites=ft[1], use=ft[2],
+                        mandatory=ft[3])
+ 
+-    # check for BSD versions outside of libc
+-    if not ctx.get_define("HAVE_STRLCAT"):
+-        ret = probe_function(ctx, function='strlcat',
+-                             prerequisites=['bsd/string.h'])
+-        if ret:
+-            ctx.define("HAVE_STRLCAT", 1, comment="Using bsd/strlcat")
+-
+-    if not ctx.get_define("HAVE_STRLCPY"):
+-        ret = probe_function(ctx, function='strlcpy',
+-                             prerequisites=['bsd/string.h'])
+-        if ret:
+-            ctx.define("HAVE_STRLCPY", 1, comment="Using bsd/strlcpy")
+-
+     # Nobody uses the symbol, but this seems like a good sanity check.
+     ctx.check_cc(header_name="stdbool.h", mandatory=True,
+                  comment="Sanity check.")
+@@ -691,7 +678,6 @@ int main(int argc, char **argv) {
+     optional_headers = (
+         "alloca.h",
+         ("arpa/nameser.h", ["sys/types.h"]),
+-        "bsd/string.h",     # bsd emulation
+         ("ifaddrs.h", ["sys/types.h"]),
+         ("linux/if_addr.h", ["sys/socket.h"]),
+         ("linux/rtnetlink.h", ["sys/socket.h"]),
+-- 
+2.34.1
+
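Review bot: The wscript hunk drops the libbsd strlcpy/strlcat probe for every build, not only the host-tools build that produced the `bsd/string.h` error, so a target that does have libbsd will now use whatever the tree falls back to (presumably an in-tree implementation, since the build evidently still links without libbsd) instead of libbsd's — the patch description should state that consequence, and scoping the removal to the host compiler would be the narrower fix. Unlike 0001, this patch carries no upstream status line; Buildroot convention is to record it, e.g. `[Upstream: not submitted, works around host-tool build picking up target libbsd]` or the merge-request URL if one exists. The `wscript` function these probes live in starts and ends outside the hunk.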

+ 28 - 0
package/ntpsec/Config.in

@@ -0,0 +1,28 @@
+config BR2_PACKAGE_NTPSEC
+	bool "ntpsec"
+	select BR2_PACKAGE_LIBCAP
+	select BR2_PACKAGE_OPENSSL
+	select BR2_PACKAGE_PYTHON3
+	help
+	  NTPsec project - a secure, hardened, and improved
+	  implementation of Network Time Protocol derived
+	  from NTP Classic, Dave Mills’s original.
+
+	  Provides things like ntpd, ntpdate, ntpq, etc...
+
+	  https://www.ntpsec.org/
+
+if BR2_PACKAGE_NTPSEC
+
+config BR2_PACKAGE_NTPSEC_CLASSIC_MODE
+	bool "classic-mode"
+	help
+	  Enable strict configuration and log-format compatibility
+	  with NTP Classic.
+
+config BR2_PACKAGE_NTPSEC_NTS
+	bool "NTS support"
+	help
+	  Enable Network Time Security (NTS) support.
+
+endif
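Review bot: The "NTS support" help text omits the runtime prerequisite that the bundled ntp.conf depends on, namely a CA store on the target; suggest `Enable Network Time Security (NTS) support. Server certificate validation needs a CA store on the target (see BR2_PACKAGE_CA_CERTIFICATES) and a roughly correct clock at first sync.`. It is also worth checking whether ntpsec and the existing ntp package (package/Config.in sources both) install the same /usr/sbin/ntpd and /etc/ntp.conf — if so, a `depends on !BR2_PACKAGE_NTP` or a virtual package avoids one silently overwriting the other. Finally, `select BR2_PACKAGE_PYTHON3` is normally paired with python3's toolchain `depends on` lines (threads, wchar, MMU); I cannot confirm from this hunk whether those are needed here, but the other python-selecting packages in the tree are the reference.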

+ 58 - 0
package/ntpsec/S49ntpd

@@ -0,0 +1,58 @@
+#!/bin/sh
+#
+# Starts Network Time Protocol daemon
+#
+
+DAEMON="ntpd"
+PIDFILE="/var/run/$DAEMON.pid"
+
+NTPD_ARGS="-g -u ntp:ntp -s /var/run/ntp"
+
+# shellcheck source=/dev/null
+[ -r "/etc/default/$DAEMON" ] && . "/etc/default/$DAEMON"
+
+mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp
+
+start() {
+	printf 'Starting %s: ' "$DAEMON"
+	# shellcheck disable=SC2086 # we need the word splitting
+	start-stop-daemon -S -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON" \
+		-- $NTPD_ARGS -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+stop() {
+	printf 'Stopping %s: ' "$DAEMON"
+	start-stop-daemon -K -q -p "$PIDFILE"
+	status=$?
+	if [ "$status" -eq 0 ]; then
+		rm -f "$PIDFILE"
+		echo "OK"
+	else
+		echo "FAIL"
+	fi
+	return "$status"
+}
+
+restart() {
+	stop
+	sleep 1
+	start
+}
+
+case "$1" in
+	start|stop|restart)
+		"$1";;
+	reload)
+		# Restart, since there is no true "reload" feature.
+		restart;;
+	*)
+		echo "Usage: $0 {start|stop|restart|reload}"
+		exit 1
+esac
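Review bot: `stop()` hands `start-stop-daemon -K` only `-p "$PIDFILE"`, so it signals whatever PID the file names without checking that it is ntpd; after a crash the pidfile is left behind (it is only removed on a successful stop), and a reused PID would then receive the kill. Adding the executable match, `start-stop-daemon -K -q -p "$PIDFILE" -x "/usr/sbin/$DAEMON"`, mirrors the start invocation and closes that gap. The `mkdir -p /var/run/ntp && chown ntp:ntp /var/run/ntp` line also runs for `stop`, `reload` and the usage error; moving it into `start()` and adding a comment on what the directory is for (`# statsdir (-s) must be writable by the unprivileged ntp user after droproot`, assuming `-s` is ntpsec's statsdir flag — confirm) would make the intent clear.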

+ 33 - 0
package/ntpsec/ntpd.etc.conf

@@ -0,0 +1,33 @@
+#
+# legacy NTP configuration
+#
+pool 0.pool.ntp.org iburst
+pool 1.pool.ntp.org iburst
+pool 2.pool.ntp.org iburst
+pool 3.pool.ntp.org iburst
+
+#
+# NTS configuration
+#
+# Notes:
+#  - uncomment the following lines to enable NTS support (but
+#    make sure the initial clock is up-to-date (otherwise the
+#    NTS certificate validation will fail with 'NTSc: certificate invalid:
+#    9=>certificate is not yet valid' as on boards without RTC support)
+#    and/or keep at least one line from the legacy NTP lines
+#  - enable BR2_PACKAGE_CA_CERTIFICATES to gain access to the certificate
+#    files
+#
+# server time.cloudflare.com nts  # Global, anycast
+# server nts.ntp.se:4443 nts      # Sweden
+# server ntpmon.dcs1.biz nts      # Singapore
+# server ntp1.glypnod.com nts     # San Francisco
+# server ntp2.glypnod.com nts     # London
+#
+# ca /usr/share/ca-certificates/mozilla
+
+# Allow only time queries, at a limited rate, sending KoD when in excess.
+# Allow all local queries (IPv4, IPv6)
+restrict default nomodify nopeer noquery limited kod
+restrict 127.0.0.1
+restrict [::1]
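Review bot: The commented `ca /usr/share/ca-certificates/mozilla` line points NTS at the raw certificate source tree, and OpenSSL's directory lookup only works on a c_rehash-style hashed directory, so uncommenting it as-is would most likely leave NTS unable to validate any server; the hashed store or the bundle that BR2_PACKAGE_CA_CERTIFICATES installs (`/etc/ssl/certs` or `/etc/ssl/certs/ca-certificates.crt`) is the path to name here — confirm with one NTS association. As far as I recall ntpsec spells this directive `nts ca <path>` rather than bare `ca`, so check the spelling at the same time. The advice to keep a legacy `pool` line is sound for bootstrap but should state its cost: an unauthenticated server that stays configured remains a candidate in clock selection, so NTS raises the bar rather than removing an on-path attacker entirely. The bare `restrict 127.0.0.1` / `restrict [::1]` lines grant everything to localhost, which is the usual default; a one-line comment that runtime changes over ntpq still require a configured control key (as I understand ntpsec's mode-6 handling) would make that intent explicit.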

+ 4 - 0
package/ntpsec/ntpsec.hash

@@ -0,0 +1,4 @@
+# Locally calculated
+sha256  71c9f4bde6953bbc048bbaf278da81c451a56cc08d6772542b4ad37c67d72e89  ntpsec-NTPsec_1_2_1.tar.bz2
+sha256  b4db4de3317c3b0554ed91eb692968800bdfd6ad2c16ffbeee8ce4895ed91da4  LICENSE.adoc
+sha256  d3b21470adadd9abd9c6d675378f8c371ac5a4ea6dbec91859e02fadca3c0856  docs/copyright.adoc
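Review bot: Both hashes are `# Locally calculated`, so the tarball hash is pinned to a GitLab-generated archive of the tag rather than cross-checked against anything upstream publishes; forge-generated archives are unsigned and have changed byte-for-byte in the past when the archive generator changed. If NTPsec publishes signed release tarballs (ftp.ntpsec.org carries `.tar.gz` plus `.asc` for releases, as far as I recall), pointing NTPSEC_SITE at those and recording `# From <URL of the signature or checksum>` gives the hash independent provenance; failing that, a comment stating the archive was compared against a fresh clone at tag NTPsec_1_2_1 is the next best thing.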

+ 68 - 0
package/ntpsec/ntpsec.mk

@@ -0,0 +1,68 @@
+################################################################################
+#
+# ntpsec
+#
+################################################################################
+
+NTPSEC_VERSION_MAJOR = 1
+NTPSEC_VERSION_MINOR = 2
+NTPSEC_VERSION_POINT = 1
+NTPSEC_VERSION = $(NTPSEC_VERSION_MAJOR)_$(NTPSEC_VERSION_MINOR)_$(NTPSEC_VERSION_POINT)
+NTPSEC_SOURCE = ntpsec-NTPsec_$(NTPSEC_VERSION).tar.bz2
+NTPSEC_SITE = https://gitlab.com/NTPsec/ntpsec/-/archive/NTPsec_$(NTPSEC_VERSION)
+NTPSEC_LICENSE = BSD-2-Clause, NTP, BSD-3-Clause, MIT
+NTPSEC_LICENSE_FILES = LICENSE.adoc docs/copyright.adoc
+
+NTPSEC_CPE_ID_VENDOR = ntpsec
+NTPSEC_CPE_ID_VERSION = $(NTPSEC_VERSION_MAJOR).$(NTPSEC_VERSION_MINOR)
+NTPSEC_CPE_ID_UPDATE = $(NTPSEC_VERSION_POINT)
+
+NTPSEC_DEPENDENCIES = \
+	host-pkgconf \
+	python3 \
+	libcap \
+	openssl
+
+# CC="$(HOSTCC)" is strange but needed to build some host tools, the
+# cross-compiler will properly be used to build target code thanks to
+# --cross-compiler
+NTPSEC_CONF_OPTS = \
+	CC="$(HOSTCC)" \
+	PYTHON_CONFIG="$(STAGING_DIR)/usr/bin/python3-config" \
+	--libdir=/usr/lib/python$(PYTHON3_VERSION_MAJOR)/site-packages/ntp \
+	--cross-compiler="$(TARGET_CC)" \
+	--cross-cflags="$(TARGET_CFLAGS) -std=gnu99" \
+	--cross-ldflags="$(TARGET_LDFLAGS)" \
+	--notests \
+	--enable-early-droproot \
+	--disable-mdns-registration \
+	--enable-pylib=ffi \
+	--nopyc \
+	--nopyo \
+	--nopycache \
+	--disable-doc \
+	--disable-manpage
+
+ifeq ($(BR2_PACKAGE_NTPSEC_CLASSIC_MODE),y)
+NTPSEC_CONF_OPTS += --enable-classic-mode
+endif
+
+# no '--enable-nts' option available
+ifeq ($(BR2_PACKAGE_NTPSEC_NTS),)
+NTPSEC_CONF_OPTS += --disable-nts
+endif
+
+define NTPSEC_INSTALL_NTPSEC_CONF
+	$(INSTALL) -m 644 package/ntpsec/ntpd.etc.conf $(TARGET_DIR)/etc/ntp.conf
+endef
+NTPSEC_POST_INSTALL_TARGET_HOOKS += NTPSEC_INSTALL_NTPSEC_CONF
+
+define NTPSEC_INSTALL_INIT_SYSV
+	$(INSTALL) -D -m 755 package/ntpsec/S49ntpd $(TARGET_DIR)/etc/init.d/S49ntpd
+endef
+
+define NTPSEC_USERS
+	ntp -1 ntp -1 * - - - ntpd user
+endef
+
+$(eval $(waf-package))
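Review bot: `NTPSEC_INSTALL_NTPSEC_CONF` installs with `-m 644` but without `-D`, unlike `NTPSEC_INSTALL_INIT_SYSV` a few lines below; `$(INSTALL) -D -m 644 package/ntpsec/ntpd.etc.conf $(TARGET_DIR)/etc/ntp.conf` keeps the two hooks consistent and is harmless if /etc already exists. The droproot-related options deserve a why-comment, since they only work together with the init script and the user table: `# early droproot needs libcap; S49ntpd passes -u ntp:ntp (see NTPSEC_USERS below, '*' = locked password)`. If libseccomp is available in the tree, ntpsec's wscript also exposes a seccomp sandbox switch (`--enable-seccomp`, as far as I recall) that would be a natural optional hardening knob next to NTS — worth confirming against the 1.2.1 wscript before wiring it up.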