update for libtls default cert changes.

bonus: this exposed a few missing const qualifiers.

src/usr.sbin/ntpd/constraint.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: constraint.c,v 1.37 2018/11/06 20:41:36 jsing Exp $	*/
+/*	$OpenBSD: constraint.c,v 1.38 2018/11/29 14:25:07 tedu Exp $	*/
 
 /*
  * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -339,7 +339,7 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
 	/* Init TLS and load CA certs before chroot() */
 	if (tls_init() == -1)
 		fatalx("tls_init");
-	if ((conf->ca = tls_load_file(TLS_CA_CERT_FILE,
+	if ((conf->ca = tls_load_file(tls_default_ca_cert_file(),
 	    &conf->ca_len, NULL)) == NULL)
 		fatalx("failed to load constraint ca");
 

src/usr.sbin/ntpd/ntpd.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: ntpd.c,v 1.118 2018/11/06 20:41:36 jsing Exp $ */
+/*	$OpenBSD: ntpd.c,v 1.119 2018/11/29 14:25:07 tedu Exp $ */
 
 /*
  * Copyright (c) 2003, 2004 Henning Brauer <henning@openbsd.org>
@@ -248,7 +248,7 @@ main(int argc, char *argv[])
 	 * Constraint processes are forked with certificates in memory,
 	 * then privdrop into chroot before speaking to the outside world.
 	 */
-	if (unveil(TLS_CA_CERT_FILE, "r") == -1)
+	if (unveil(tls_default_ca_cert_file(), "r") == -1)
 		err(1, "unveil");
 	if (unveil("/usr/sbin/ntpd", "x") == -1)
 		err(1, "unveil");