Browse Source

Use TLS_CA_CERT_FILE instead of a separate define.

ok beck@ bluhm@ tb@
OPENBSD_6_5
jsing 6 years ago
parent
commit
3fab6cbb08
3 changed files with 6 additions and 6 deletions
  1. +2
    -2
      src/usr.sbin/ntpd/constraint.c
  2. +3
    -2
      src/usr.sbin/ntpd/ntpd.c
  3. +1
    -2
      src/usr.sbin/ntpd/ntpd.h

+ 2
- 2
src/usr.sbin/ntpd/constraint.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.36 2018/11/05 00:13:36 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.37 2018/11/06 20:41:36 jsing Exp $ */
/* /*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -339,7 +339,7 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
/* Init TLS and load CA certs before chroot() */ /* Init TLS and load CA certs before chroot() */
if (tls_init() == -1) if (tls_init() == -1)
fatalx("tls_init"); fatalx("tls_init");
if ((conf->ca = tls_load_file(CONSTRAINT_CA,
if ((conf->ca = tls_load_file(TLS_CA_CERT_FILE,
&conf->ca_len, NULL)) == NULL) &conf->ca_len, NULL)) == NULL)
fatalx("failed to load constraint ca"); fatalx("failed to load constraint ca");


+ 3
- 2
src/usr.sbin/ntpd/ntpd.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.c,v 1.117 2018/08/31 18:45:02 deraadt Exp $ */
/* $OpenBSD: ntpd.c,v 1.118 2018/11/06 20:41:36 jsing Exp $ */
/* /*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -31,6 +31,7 @@
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <syslog.h> #include <syslog.h>
#include <tls.h>
#include <time.h> #include <time.h>
#include <unistd.h> #include <unistd.h>
#include <fcntl.h> #include <fcntl.h>
@ -247,7 +248,7 @@ main(int argc, char *argv[])
* Constraint processes are forked with certificates in memory, * Constraint processes are forked with certificates in memory,
* then privdrop into chroot before speaking to the outside world. * then privdrop into chroot before speaking to the outside world.
*/ */
if (unveil("/etc/ssl/cert.pem", "r") == -1)
if (unveil(TLS_CA_CERT_FILE, "r") == -1)
err(1, "unveil"); err(1, "unveil");
if (unveil("/usr/sbin/ntpd", "x") == -1) if (unveil("/usr/sbin/ntpd", "x") == -1)
err(1, "unveil"); err(1, "unveil");


+ 1
- 2
src/usr.sbin/ntpd/ntpd.h View File

@ -1,4 +1,4 @@
/* $OpenBSD: ntpd.h,v 1.136 2018/08/04 11:07:14 mestre Exp $ */
/* $OpenBSD: ntpd.h,v 1.137 2018/11/06 20:41:36 jsing Exp $ */
/* /*
* Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org> * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@ -80,7 +80,6 @@
#define CONSTRAINT_PORT "443" /* HTTPS port */ #define CONSTRAINT_PORT "443" /* HTTPS port */
#define CONSTRAINT_MAXHEADERLENGTH 8192 #define CONSTRAINT_MAXHEADERLENGTH 8192
#define CONSTRAINT_PASSFD (STDERR_FILENO + 1) #define CONSTRAINT_PASSFD (STDERR_FILENO + 1)
#define CONSTRAINT_CA "/etc/ssl/cert.pem"
#define PARENT_SOCK_FILENO CONSTRAINT_PASSFD #define PARENT_SOCK_FILENO CONSTRAINT_PASSFD


Loading…
Cancel
Save