ntpsec: update to 1.1.9

== 2020-05-23: 1.1.9 ==
Correctly parse ntpq :config output on Python 3 and check return MACs.
Add AES and other algorithm support to ntpq and ntpdig, from OpenSSL.
Remove support for NetInfo. NetInfo was last supported in Mac OS X v10.4
The configure step now supports --disable-nts for running
on systems with older versions of OpenSSL.
The default restrictions now start with noquery and limited
to reduce the opportunities for being used for DDoS-ing.
The draft RFC for NTS has dropped support for TLSv1.2
  We now need OpenSSL with TLSv1.3 support (version 1.1.1 or newer).
  The config keyword +tlsciphers+ has been removed.
Additional filtering and sort options have been added to ntpq/mrulist
  Details are in the man page.
Rate limiting has been cleaned up.
  With "restrict limited", traffic is now limited to
  an average of 1 packet per second with bursts of 20.
  (needs doc and maybe config)
SIGHUP and hourly checks have been unified.  Both now
  check for a new log file
  check for a new certificate file
  check for a new leap file
SIGHUP also restarts all pending DNS and NTS probes.
NTS client now requires ALPN on TLSv1.3.
asciidoctor (1.5.8 or newer) is now supported and is the preferred AsciiDoc
processor.  asciidoc is still supported, but the minimum supported version
has been raised from 8.6.0 to 8.6.8.  asciidoc3 (3.0.2 or newer) is also
supported.
HTML docs are now built by default if an AsciiDoc processor is installed.  If
you do not want HTML docs, configure with --disable-doc.  (Note:  Man pages
are controlled by a separate --disable-manpage.)
Analysis shows that CVE-2020-11868, affecting NTP Classic,
cannot affect us, as the peer mode involved has been removed.

== 2019-11-17: 1.1.8 ==
Fix bug in NTS-KE client so that NTP server names work.
Fix/tweak several NTS logging messages.

== 2019-09-02: 1.1.7 ==
The numeric literal argument of the 'time1' fudge option on a clock
can now have one or more letter suffixes that compensate for era
rollover in a GPS device.  Each "g" adds the number of seconds in a
1024-week (10-bit) GPS era. Each "G" adds the number of seconds in a
8192-week (13-bit) GPS era.
The neoclock4x driver has been removed, due to the hardware and the
vendor having utterly vanished from the face of the earth.
The NTS ALPN negotiation sequence has been modified for improved
interoperability with other NTS implementations.
NTS key rotation now happens every 24 hours.  It used to rotate
every hour to enable testing of recovery from stale cookies.

== 2019-07-10: 1.1.6 ==
Fixes to code quality checks.
Fixes to NTS server list.
Fix to bug #600.

== 2019-06-30: 1.1.5 ==
Add ALPN for the NTS server, as required by the NTP draft.
Revert some ntpq behavior.

== 2019-06-21: 1.1.4 ==

NTS is now implemented.  See .../devel/nts.adoc
https://tools.ietf.org/html/draft-ietf-ntp-using-nts-for-ntp
We thank Cisco for sponsoring the NTS development.
Lots of fixes and cleanups to PPS, both implementation and documentation.
Pthread support is now required.  --disable-dns-lookup is gone.
NIST lockclock mode is now a runtime option set by the (previously unused)
flag1 mode bit of the local-clock driver.
As always, lots of minor fixups and cleanups everywhere.  See the git log.

6 files changed, 189 insertions, 139 deletions

diff --git a/time/ntpsec/Makefile b/time/ntpsec/Makefile
index cc240903ff0..5447bced6ef 100644
--- a/time/ntpsec/Makefile
+++ b/time/ntpsec/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.7 2020/06/02 08:24:53 adam Exp $
+# $NetBSD: Makefile,v 1.8 2020/08/15 02:31:28 tnn Exp $
 
-DISTNAME=	ntpsec-1.1.3
-PKGREVISION=	3
+DISTNAME=	ntpsec-1.1.9
 CATEGORIES=	time
 MASTER_SITES=	http://ftp.ntpsec.org/pub/releases/
 
@@ -30,9 +29,6 @@ RCD_SCRIPTS=		ntpd
 REPLACE_PYTHON+=	ntpclients/*.py
 PY_PATCHPLIST=		yes
 
-# kludge for waf-2.x; fixed upstream already. see patch-wafhelpers_waf.py.
-CFLAGS+=	-I../../build -I../../include
-
 .include "../../devel/waf/waf.mk"
 .include "../../geography/gpsd/buildlink3.mk"
 .include "../../lang/python/application.mk"
diff --git a/time/ntpsec/PLIST b/time/ntpsec/PLIST
index a11b74a1310..2731c6f91ad 100644
--- a/time/ntpsec/PLIST
+++ b/time/ntpsec/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.2 2019/07/02 00:13:07 gdt Exp $
+@comment $NetBSD: PLIST,v 1.3 2020/08/15 02:31:28 tnn Exp $
 bin/ntpdig
 bin/ntpfrob
 bin/ntpkeygen
@@ -13,6 +13,7 @@ bin/ntptime
 bin/ntptrace
 bin/ntpviz
 bin/ntpwait
+${PYSITELIB}/ntp-${PKGVERSION}.egg-info
 ${PYSITELIB}/ntp/__init__.py
 ${PYSITELIB}/ntp/agentx.py
 ${PYSITELIB}/ntp/agentx_packet.py
@@ -41,3 +42,169 @@ man/man8/ntpsnmpd.8
 man/man8/ntptime.8
 man/man8/ntpwait.8
 sbin/ntpd
+share/doc/ntpsec/404.html
+share/doc/ntpsec/NTS-QuickStart.html
+share/doc/ntpsec/access.html
+share/doc/ntpsec/accopt.html
+share/doc/ntpsec/asciidoc.css
+share/doc/ntpsec/asciidoc.js
+share/doc/ntpsec/assoc.html
+share/doc/ntpsec/authentic.html
+share/doc/ntpsec/authopt.html
+share/doc/ntpsec/bugs.html
+share/doc/ntpsec/build.html
+share/doc/ntpsec/clock.html
+share/doc/ntpsec/clockopt.html
+share/doc/ntpsec/cluster.html
+share/doc/ntpsec/comdex.html
+share/doc/ntpsec/confopt.html
+share/doc/ntpsec/copyright.html
+share/doc/ntpsec/debug.html
+share/doc/ntpsec/decode.html
+share/doc/ntpsec/discipline.html
+share/doc/ntpsec/discover.html
+share/doc/ntpsec/driver_arbiter.html
+share/doc/ntpsec/driver_generic.html
+share/doc/ntpsec/driver_gpsd.html
+share/doc/ntpsec/driver_howto.html
+share/doc/ntpsec/driver_hpgps.html
+share/doc/ntpsec/driver_jjy.html
+share/doc/ntpsec/driver_local.html
+share/doc/ntpsec/driver_modem.html
+share/doc/ntpsec/driver_nmea.html
+share/doc/ntpsec/driver_oncore.html
+share/doc/ntpsec/driver_pps.html
+share/doc/ntpsec/driver_shm.html
+share/doc/ntpsec/driver_spectracom.html
+share/doc/ntpsec/driver_trimble.html
+share/doc/ntpsec/driver_truetime.html
+share/doc/ntpsec/driver_zyfer.html
+share/doc/ntpsec/extern.html
+share/doc/ntpsec/filter.html
+share/doc/ntpsec/generic_howto.html
+share/doc/ntpsec/history.html
+share/doc/ntpsec/huffpuff.html
+share/doc/ntpsec/icons/home.gif
+share/doc/ntpsec/icons/mail2.gif
+share/doc/ntpsec/icons/sitemap.png
+share/doc/ntpsec/index.html
+share/doc/ntpsec/kern.html
+share/doc/ntpsec/kernpps.html
+share/doc/ntpsec/leap.html
+share/doc/ntpsec/leapsmear.html
+share/doc/ntpsec/miscopt.html
+share/doc/ntpsec/mode6.html
+share/doc/ntpsec/monopt.html
+share/doc/ntpsec/msyslog.html
+share/doc/ntpsec/ntp_conf.html
+share/doc/ntpsec/ntp_config.html
+share/doc/ntpsec/ntp_keys.html
+share/doc/ntpsec/ntpd.html
+share/doc/ntpsec/ntpdig.html
+share/doc/ntpsec/ntpfrob.html
+share/doc/ntpsec/ntpkeygen.html
+share/doc/ntpsec/ntpleapfetch.html
+share/doc/ntpsec/ntploggps.html
+share/doc/ntpsec/ntplogtemp.html
+share/doc/ntpsec/ntpmon.html
+share/doc/ntpsec/ntpq.html
+share/doc/ntpsec/ntpsec.html
+share/doc/ntpsec/ntpsnmpd.html
+share/doc/ntpsec/ntpspeak.html
+share/doc/ntpsec/ntpsweep.html
+share/doc/ntpsec/ntptime.html
+share/doc/ntpsec/ntptrace.html
+share/doc/ntpsec/ntpviz.html
+share/doc/ntpsec/ntpwait.html
+share/doc/ntpsec/oncore-shmem.html
+share/doc/ntpsec/orphan.html
+share/doc/ntpsec/outside-tools.html
+share/doc/ntpsec/parsedata.html
+share/doc/ntpsec/pic/SAppr.jpg
+share/doc/ntpsec/pic/alice11.gif
+share/doc/ntpsec/pic/alice13.gif
+share/doc/ntpsec/pic/alice15.gif
+share/doc/ntpsec/pic/alice23.gif
+share/doc/ntpsec/pic/alice32.gif
+share/doc/ntpsec/pic/alice35.gif
+share/doc/ntpsec/pic/alice38.gif
+share/doc/ntpsec/pic/alice44.gif
+share/doc/ntpsec/pic/alice47.gif
+share/doc/ntpsec/pic/alice51.gif
+share/doc/ntpsec/pic/alice61.gif
+share/doc/ntpsec/pic/barnstable.gif
+share/doc/ntpsec/pic/beaver.gif
+share/doc/ntpsec/pic/boom3.gif
+share/doc/ntpsec/pic/boom3a.gif
+share/doc/ntpsec/pic/boom4.gif
+share/doc/ntpsec/pic/broad.gif
+share/doc/ntpsec/pic/bustardfly.gif
+share/doc/ntpsec/pic/c51.jpg
+share/doc/ntpsec/pic/clocktower128.png
+share/doc/ntpsec/pic/description.jpg
+share/doc/ntpsec/pic/discipline.gif
+share/doc/ntpsec/pic/dogsnake.gif
+share/doc/ntpsec/pic/driver_palisade.gif
+share/doc/ntpsec/pic/fg6021.gif
+share/doc/ntpsec/pic/fig_3_1.gif
+share/doc/ntpsec/pic/flatheads.gif
+share/doc/ntpsec/pic/flt1.gif
+share/doc/ntpsec/pic/flt2.gif
+share/doc/ntpsec/pic/flt3.gif
+share/doc/ntpsec/pic/flt4.gif
+share/doc/ntpsec/pic/flt5.gif
+share/doc/ntpsec/pic/flt6.gif
+share/doc/ntpsec/pic/flt7.gif
+share/doc/ntpsec/pic/flt8.gif
+share/doc/ntpsec/pic/flt9.gif
+share/doc/ntpsec/pic/gps167.jpg
+share/doc/ntpsec/pic/hornraba.gif
+share/doc/ntpsec/pic/howland.jpg
+share/doc/ntpsec/pic/igclock.gif
+share/doc/ntpsec/pic/kelly_pogo_earthday.jpg
+share/doc/ntpsec/pic/looking.jpg
+share/doc/ntpsec/pic/neoclock4x.gif
+share/doc/ntpsec/pic/oncore_evalbig.gif
+share/doc/ntpsec/pic/oncore_utplusbig.gif
+share/doc/ntpsec/pic/orchestra.gif
+share/doc/ntpsec/pic/oz2.gif
+share/doc/ntpsec/pic/panda.gif
+share/doc/ntpsec/pic/pd_om006.gif
+share/doc/ntpsec/pic/pd_om011.gif
+share/doc/ntpsec/pic/peer.gif
+share/doc/ntpsec/pic/pogo-enemy2.png
+share/doc/ntpsec/pic/pogo.gif
+share/doc/ntpsec/pic/pogo1a.gif
+share/doc/ntpsec/pic/pogo3a.gif
+share/doc/ntpsec/pic/pogo4.gif
+share/doc/ntpsec/pic/pogo5.gif
+share/doc/ntpsec/pic/pogo6.gif
+share/doc/ntpsec/pic/pogo7.gif
+share/doc/ntpsec/pic/pogo8.gif
+share/doc/ntpsec/pic/pogocell.gif
+share/doc/ntpsec/pic/pzf511.jpg
+share/doc/ntpsec/pic/radio2.jpg
+share/doc/ntpsec/pic/sheepb.jpg
+share/doc/ntpsec/pic/stack1a.jpg
+share/doc/ntpsec/pic/stats.gif
+share/doc/ntpsec/pic/sx5.gif
+share/doc/ntpsec/pic/thunderbolt.jpg
+share/doc/ntpsec/pic/time1.gif
+share/doc/ntpsec/pic/tonea.gif
+share/doc/ntpsec/pic/tribeb.gif
+share/doc/ntpsec/pic/which-way-is.up.jpg
+share/doc/ntpsec/pic/wingdorothy.gif
+share/doc/ntpsec/poll.html
+share/doc/ntpsec/pps.html
+share/doc/ntpsec/prefer.html
+share/doc/ntpsec/quick.html
+share/doc/ntpsec/rate.html
+share/doc/ntpsec/rdebug.html
+share/doc/ntpsec/refclock.html
+share/doc/ntpsec/rollover.html
+share/doc/ntpsec/select.html
+share/doc/ntpsec/sitemap.html
+share/doc/ntpsec/standards.html
+share/doc/ntpsec/stats.html
+share/doc/ntpsec/tf582_4.html
+share/doc/ntpsec/warp.html
diff --git a/time/ntpsec/distinfo b/time/ntpsec/distinfo
index a22e7b009df..b9f413d7aab 100644
--- a/time/ntpsec/distinfo
+++ b/time/ntpsec/distinfo
@@ -1,9 +1,7 @@
-$NetBSD: distinfo,v 1.1 2019/03/25 15:40:35 tnn Exp $
+$NetBSD: distinfo,v 1.2 2020/08/15 02:31:28 tnn Exp $
 
-SHA1 (ntpsec-1.1.3.tar.gz) = 221300deec696ad63c1540fec49b72046b2654f0
-RMD160 (ntpsec-1.1.3.tar.gz) = cdaae8f682cd4cc97a37d86aca1d3196cfea0437
-SHA512 (ntpsec-1.1.3.tar.gz) = df60c5fa63d4c94529ba1e8b21c7d6b5d0c9fb810ed7546a621b072725a6ff03edbd2dcbc3baf19ac3b3a9b82d7aff3ddee4ab8c93559b7065ed06a211b538c4
-Size (ntpsec-1.1.3.tar.gz) = 2462330 bytes
-SHA1 (patch-pylib_poly.py) = 90694c1ef806e87e74628c820659ffad26580b26
-SHA1 (patch-wafhelpers_waf.py) = 9c87a5ebac7b94f5d956abf92ceb52ffa49626c8
-SHA1 (patch-wscript) = 8ddb7b542f6ad805f49a94f5ceb7c80117529609
+SHA1 (ntpsec-1.1.9.tar.gz) = 8385180fd7e99420095680862a6640b85139719f
+RMD160 (ntpsec-1.1.9.tar.gz) = ff7d8c93a18d9020b327b843dc121c3f53fbce26
+SHA512 (ntpsec-1.1.9.tar.gz) = e04267aa675a5b528f3478d00329a569ecb9bbe2b6ad18697020854d2ee451bc188c4603cd5f420a08a7e3bf047d2db1301416f57f9156df23aceb1f57303b0b
+Size (ntpsec-1.1.9.tar.gz) = 2606066 bytes
+SHA1 (patch-wscript) = f34ff4f2f13d559651e5c302a0d792f53d458933
diff --git a/time/ntpsec/patches/patch-pylib_poly.py b/time/ntpsec/patches/patch-pylib_poly.py
deleted file mode 100644
index ce0fee7f02b..00000000000
--- a/time/ntpsec/patches/patch-pylib_poly.py
+++ /dev/null
@@ -1,19 +0,0 @@
-$NetBSD: patch-pylib_poly.py,v 1.1 2019/03/25 15:40:35 tnn Exp $
-
-- NetBSD fix from upstream:
-  https://gitlab.com/NTPsec/ntpsec/commit/a4453ee5a4edf87cf081fe69f5c214a8b2a82b58
-
---- pylib/poly.py.orig	2019-01-14 05:40:59.000000000 +0000
-+++ pylib/poly.py
-@@ -103,9 +103,9 @@ else:  # Python 3
-                                 newline="\n", line_buffering=True)
- 
-     # This is the one situation where we *can* force unicode.
--    if "UTF-8" != sys.stdout.encoding:
-+    if "utf-8" != sys.stdout.encoding.lower():
-         forced_utf8 = True
-         sys.stdout = make_std_wrapper(sys.stdout)
--    if "UTF-8" != sys.stderr.encoding:
-+    if "utf-8" != sys.stderr.encoding.lower():
-         forced_utf8 = True
-         sys.stderr = make_std_wrapper(sys.stderr)
diff --git a/time/ntpsec/patches/patch-wafhelpers_waf.py b/time/ntpsec/patches/patch-wafhelpers_waf.py
deleted file mode 100644
index a0e266df8a4..00000000000
--- a/time/ntpsec/patches/patch-wafhelpers_waf.py
+++ /dev/null
@@ -1,23 +0,0 @@
-$NetBSD: patch-wafhelpers_waf.py,v 1.1 2019/03/25 15:40:35 tnn Exp $
-
-Kludge for waf 2.0. Added include paths in CFLAGS in pkgsrc Makefile instead.
-
---- wafhelpers/waf.py.orig	2019-01-14 05:40:59.000000000 +0000
-+++ wafhelpers/waf.py
-@@ -6,14 +6,14 @@ from waflib.TaskGen import before_method
- @feature('bld_include')
- def insert_blddir(self):
-     bldnode = self.bld.bldnode.parent.abspath()
--    self.includes += [bldnode]
-+#    self.includes += [bldnode]
- 
- 
- @before_method('apply_incpaths')
- @feature('src_include')
- def insert_srcdir(self):
-     srcnode = self.bld.srcnode.abspath()
--    self.includes += ["%s/include" % srcnode]
-+#    self.includes += ["%s/include" % srcnode]
- 
- 
- def manpage_subst_fun(self, code):
diff --git a/time/ntpsec/patches/patch-wscript b/time/ntpsec/patches/patch-wscript
index b0046ffdffd..029d6b42e7d 100644
--- a/time/ntpsec/patches/patch-wscript
+++ b/time/ntpsec/patches/patch-wscript
@@ -1,96 +1,27 @@
-$NetBSD: patch-wscript,v 1.1 2019/03/25 15:40:35 tnn Exp $
+$NetBSD: patch-wscript,v 1.2 2020/08/15 02:31:28 tnn Exp $
 
 - don't hardcode PREFIX
-- waf-2.x support from upstream:
-  https://gitlab.com/NTPsec/ntpsec/commit/ff6f50b1ce7d7c2a552b27c6e8fb19639a7bf82a
 
---- wscript.orig	2019-01-14 05:40:59.000000000 +0000
+--- wscript.orig	2020-05-24 03:00:19.000000000 +0000
 +++ wscript
-@@ -536,20 +536,12 @@ int main(int argc, char **argv) {
+@@ -497,18 +497,10 @@ int main(int argc, char **argv) {
  
      # XXX: hack
-     if ctx.env.DEST_OS in ["freebsd", "openbsd"]:
--        ctx.env.PLATFORM_INCLUDES = ["/usr/local/include"]
--        ctx.env.PLATFORM_LIBPATH = ["/usr/local/lib"]
+     if ctx.env.DEST_OS in ["freebsd"]:
+-        ctx.env.INCLUDES = ["/usr/local/include"]
+-        ctx.env.LIBPATH = ["/usr/local/lib"]
 +        pass
-     elif ctx.env.DEST_OS == "netbsd":
--        ctx.env.PLATFORM_INCLUDES = ["/usr/pkg/include"]
--        ctx.env.PLATFORM_LIBPATH = ["/usr/lib", "/usr/pkg/lib"]
+     elif ctx.env.DEST_OS == "netbsd" and os.path.isdir("/usr/pkg/include"):
+-        ctx.env.INCLUDES = ["/usr/pkg/include"]
+-        ctx.env.LIBPATH = ["/usr/pkg/lib"]
+-        ctx.env.LDFLAGS += ["-rpath=/usr/pkg/lib"]
 +        pass
-     elif ctx.env.DEST_OS == "win32":
-         ctx.load("msvc")
      elif ctx.env.DEST_OS == "darwin":
 -        # macports location
 -        if os.path.isdir("/opt/local/include"):
--            ctx.env.PLATFORM_INCLUDES = ["/opt/local/include"]
+-            ctx.env.INCLUDES = ["/opt/local/include"]
 -        if os.path.isdir("/opt/local/lib"):
--            ctx.env.PLATFORM_LIBPATH = ["/opt/local/lib"]
--        # OS X needs this for IPv6
+-            ctx.env.LIBPATH = ["/opt/local/lib"]
+         # OS X needs this for IPv6
          ctx.define("__APPLE_USE_RFC_3542", 1,
                     comment="Needed for IPv6 support")
-     elif ctx.env.DEST_OS == "sunos":
-@@ -558,6 +550,29 @@ int main(int argc, char **argv) {
-         ctx.define("_POSIX_C_SOURCE", "200112L", quote=False)
-         ctx.define("__EXTENSIONS__", "1", quote=False)
- 
-+    # Borrowed from waf-1.9, when type_name and field_name were valid keywords
-+    SNIP_TYPE = '''
-+    int main(int argc, char **argv) {
-+        (void)argc; (void)argv;
-+        if ((%(type_name)s *) 0) return 0;
-+        if (sizeof (%(type_name)s)) return 0;
-+        return 1;
-+    }
-+    '''
-+
-+    SNIP_FIELD = '''
-+    #include <stddef.h>
-+    int main(int argc, char **argv) {
-+        char *off;
-+        (void)argc; (void)argv;
-+        off = (char*) &((%(type_name)s*)0)->%(field_name)s;
-+        return (size_t) off < sizeof(%(type_name)s);
-+    }
-+    '''
-+
-+    def to_header(header_name):
-+        return ''.join(['#include <%s>\n' % x for x in Utils.to_list(header_name)])
-+
-     structures = (
-         ("struct if_laddrconf", ["sys/types.h", "net/if6.h"], False),
-         ("struct if_laddrreq", ["sys/types.h", "net/if6.h"], False),
-@@ -565,14 +580,12 @@ int main(int argc, char **argv) {
-         ("struct ntptimeval", ["sys/time.h", "sys/timex.h"], False),
-     )
-     for (s, h, r) in structures:
--        ctx.check_cc(type_name=s, header_name=h, mandatory=r)
--
--    # waf's SNIP_FIELD should likely include this header itself
--    # This is needed on some systems to get size_t for following checks
--    ctx.check_cc(auto_add_header_name=True,
--                 header_name="stddef.h",
--                 define_name="",           # omit from config.h
--                 mandatory=False)
-+        ctx.check_cc(
-+            fragment=to_header(h) + SNIP_TYPE % {'type_name': s},
-+            msg='Checking for type %s' % s,
-+            define_name=ctx.have_define(s.upper()),
-+            mandatory=r,
-+        )
- 
-     structure_fields = (
-         ("struct timex", "time_tick", ["sys/time.h", "sys/timex.h"]),
-@@ -582,7 +595,12 @@ int main(int argc, char **argv) {
-         # first in glibc 2.12
-     )
-     for (s, f, h) in structure_fields:
--        ctx.check_cc(type_name=s, field_name=f, header_name=h, mandatory=False)
-+        ctx.check_cc(
-+            fragment=to_header(h) + SNIP_FIELD % {'type_name': s, 'field_name': f},
-+            msg='Checking for field %s in %s' % (f, s),
-+            define_name=ctx.have_define((s + '_' + f).upper()),
-+            mandatory=False,
-+        )
- 
-     # mostly used by timetoa.h and timespecops.h
-     sizeofs = [