@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.27 2016/05/06 16:49:46 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.28 2016/05/21 13:46:10 jsing Exp $ */
/*
* Copyright ( c ) 2015 Reyk Floeter < reyk @ openbsd . org >
@ -292,12 +292,12 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
if ( setpriority ( PRIO_PROCESS , 0 , 0 ) = = - 1 )
log_warn ( " could not set priority " ) ;
/* Init TLS and load cert before chroot() */
/* Init TLS and load CA certs before chroot() */
if ( tls_init ( ) = = - 1 )
fatalx ( " tls_init " ) ;
if ( ( conf - > ca = tls_load_file ( CONSTRAINT_CA ,
& conf - > ca_len , NULL ) ) = = NULL )
log_warn x ( " constraint certificate verification turned off " ) ;
fata lx( " failed to load constraint ca " ) ;
if ( chroot ( pw_dir ) = = - 1 )
fatal ( " chroot " ) ;
@ -821,9 +821,6 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
if ( tls_config_set_ciphers ( httpsdate - > tls_config , " compat " ) ! = 0 )
goto fail ;
/* XXX we have to pre-resolve, so name and host are not equal */
tls_config_insecure_noverifyname ( httpsdate - > tls_config ) ;
if ( ca = = NULL | | ca_len = = 0 )
tls_config_insecure_noverifycert ( httpsdate - > tls_config ) ;
else
@ -867,9 +864,10 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
if ( tls_configure ( httpsdate - > tls_ctx , httpsdate - > tls_config ) = = - 1 )
goto fail ;
if ( tls_connect ( httpsdate - > tls_ctx ,
httpsdate - > tls_addr , httpsdate - > tls_port ) = = - 1 ) {
log_debug ( " tls failed: %s: %s " , httpsdate - > tls_addr ,
if ( tls_connect_servername ( httpsdate - > tls_ctx , httpsdate - > tls_addr ,
httpsdate - > tls_port , httpsdate - > tls_hostname ) = = - 1 ) {
log_warnx ( " tls connect failed: %s (%s): %s " ,
httpsdate - > tls_addr , httpsdate - > tls_hostname ,
tls_error ( httpsdate - > tls_ctx ) ) ;
goto fail ;
}
@ -880,8 +878,12 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
ret = tls_write ( httpsdate - > tls_ctx , buf , len ) ;
if ( ret = = TLS_WANT_POLLIN | | ret = = TLS_WANT_POLLOUT )
continue ;
if ( ret < 0 )
if ( ret < 0 ) {
log_warnx ( " tls write failed: %s (%s): %s " ,
httpsdate - > tls_addr , httpsdate - > tls_hostname ,
tls_error ( httpsdate - > tls_ctx ) ) ;
goto fail ;
}
buf + = ret ;
len - = ret ;
}
@ -916,8 +918,8 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
free ( line ) ;
}
return ( 0 ) ;
fail :
httpsdate_free ( httpsdate ) ;
return ( - 1 ) ;