fix(timesyncd): make transmit timestamp in NTP requests fully random

[deepin-ci-robot]

Summary

Backport upstream fix to make the transmit timestamp in NTP requests fully random. This improves security against off-path attackers by generating a random nonce for each request instead of using the actual system clock, which was leaking the current system time.

Changes

• Add debian/patches/fix-timesyncd-randomize-transmit-timestamp.patch
• Modify debian/patches/series
• Modify debian/changelog

Upstream

systemd/systemd@678bd12

Generated-By: glm-5-turbo
Co-Authored-By: deepin-ci-robot packages@deepin.org

[deepin-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yukarichiba for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• https:/raw.githubusercontent.com/deepin-community/template-repository/master/debian/deepin/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

TAG Bot

TAG: 255.2-4deepin37
EXISTED: no
DISTRIBUTION: unstable

[lionheartyu]

这个 patch 的作用是将 NTP 请求中的发送时间戳（transmit timestamp）从真实时间改为完全随机数，目的是提升安全性。

具体改动：

之前的做法：

用 clock_gettime 获取真实系统时间，将其（加上 1900-1970 偏移量）写入 NTP 报文的 trans_time 字段
服务器会把这个时间原样回传作为 origin timestamp，客户端用来匹配回应
改后的做法：

用 random_bytes() 生成一个随机 64-bit 值（request_nonce）作为 transmit timestamp
服务器同样原样回传，客户端比对 request_nonce 来验证回应
为什么要这样做，有两个好处：

防御 off-path 攻击者：攻击者若想伪造 NTP 回应，必须猜中 64-bit 随机 nonce，概率极低；而如果用真实时间，攻击者可以预测或枚举可能的时间值，更容易伪造匹配的回应，从而注入虚假时间。

避免泄露系统时间：原来的实现会在每个 NTP 请求报文中暴露当前系统时间（精确到纳秒），改为随机数后不再泄露任何系统信息。

顺带一提，trans_time 的记录（clock_gettime）被保留并移到 sendto 之前，但仅用于本地的时延计算，不再发送到网络上。