From df4870ab119cb88962bfbb68740ff31a406fe4b5 Mon Sep 17 00:00:00 2001
From: otto <>
Date: Wed, 6 Nov 2019 13:35:25 +0000
Subject: [PATCH] Allow the singular constraint clause to list multiple addresses; ok deraadt@
---
 src/usr.sbin/ntpd/ntpd.conf.5 | 11 ++++++++---
 src/usr.sbin/ntpd/parse.y | 36 ++++++++++++++++++++++++++++++++---
 2 files changed, 41 insertions(+), 6 deletions(-)
diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
index 08062bcf..a501b3ce 100644
--- a/src/usr.sbin/ntpd/ntpd.conf.5
+++ b/src/usr.sbin/ntpd/ntpd.conf.5
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ntpd.conf.5,v 1.37 2017/08/10 22:59:42 job Exp $
+.\" $OpenBSD: ntpd.conf.5,v 1.38 2019/11/06 13:35:25 otto Exp $
 .\"
 .\" Copyright (c) 2003, 2004 Henning Brauer
 .\"
@@ -14,7 +14,7 @@
 .\" AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
 .\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
-.Dd $Mdocdate: August 10 2017 $
+.Dd $Mdocdate: November 6 2019 $
 .Dt NTPD.CONF 5
 .Os
 .Sh NAME
@@ -193,9 +193,13 @@ Received NTP packets with time information falling outside of a range near the constraint will be discarded and such NTP servers will be marked as invalid.
 .Bl -tag -width Ds
-.It Ic constraint from Ar url
+.It Ic constraint from Ar url [ip...]
 Specify the URL, IP address or the hostname of an HTTPS server to provide a constraint.
+If the url is followed by one or more addresses the url and addresses will be
+tried until a working one is found.
+The url path and expected certificate name is always taken from the
+url specified.
 If
 .Ic constraint from
 is used more than once,
@@ -204,6 +208,7 @@ will calculate a median constraint from all the servers specified.
 .Bd -literal -offset indent
 server ntp.example.org
 constraint from www.example.com
+constraint from "https://9.9.9.9" "2620:fe::9"
 .Ed
 .It Ic constraints from Ar url
 As with
diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y
index a58da2f2..51379ae3 100644
--- a/src/usr.sbin/ntpd/parse.y
+++ b/src/usr.sbin/ntpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.73 2019/07/16 14:15:40 otto Exp $ */
+/* $OpenBSD: parse.y,v 1.74 2019/11/06 13:35:25 otto Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer
@@ -88,7 +88,7 @@ typedef struct {
 %token ERROR
 %token STRING
 %token NUMBER
-%type address url
+%type address url urllist
 %type listen_opts listen_opts_l listen_opt
 %type server_opts server_opts_l server_opt
 %type sensor_opts sensor_opts_l sensor_opt
@@ -272,7 +272,7 @@ main : LISTEN ON address listen_opts {
 free($3->name);
 free($3);
 }
- | CONSTRAINT FROM url {
+ | CONSTRAINT FROM urllist {
 struct constraint *p;
 struct ntp_addr *h, *next;
@@ -329,6 +329,36 @@ address : STRING {
 }
 ;
+urllist : urllist address {
+ struct ntp_addr *p, *q = NULL;
+ struct in_addr ina;
+ struct in6_addr in6a;
+
+ if (inet_pton(AF_INET, $2->name, &ina) != 1 &&
+ inet_pton(AF_INET6, $2->name, &in6a) != 1) {
+ yyerror("url can only be followed by IP "
+ "addresses");
+ free($2->name);
+ free($2);
+ YYERROR;
+ }
+ p = $2->a;
+ while (p != NULL) {
+ q = p;
+ p = p->next;
+ }
+ if (q != NULL) {
+ q->next = $1->a;
+ $1->a = $2->a;
+ free($2);
+ }
+ $$ = $1;
+ }
+ | url {
+ $$ = $1;
+ }
+ ;
+
 url : STRING {
 char *hname, *path;
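Review bot: In the new `urllist : urllist address` action the success path frees only `$2`, and only when `$2->a` is non-empty, while the error path just above it frees both `$2->name` and `$2`; the name string therefore appears to leak for every accepted address, and the whole `$2` leaks if its address list is empty. Moving the cleanup out of the conditional, `free($2->name); free($2);` after the `if (q != NULL)` block, would make the two paths agree. The splice `q->next = $1->a; $1->a = $2->a;` also places each later address ahead of the earlier ones, so the list is stored in the reverse of the order written in ntpd.conf; how the CONSTRAINT action walks it is outside this hunk, but if the try order matters a short comment such as `/* prepend: addresses listed later are tried first */` would document it. The YYERROR path frees neither `$2->a` nor `$1`, which is harmless only if the caller exits on a parse error (not visible here).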