|
|
- From 521fd6f63f1b75b9a921d60f7dbb96da253418fd Mon Sep 17 00:00:00 2001
- From: Brent Cook <busterb@gmail.com>
- Date: Fri, 27 Mar 2015 23:14:15 -0500
- Subject: [PATCH 09/15] Notify the user when constraint support is disabled.
-
- Update the manpage and warn if constraints are
- configured but ntpd is built without libtls present.
- From Paul B. Henson.
- ---
- src/usr.sbin/ntpd/config.c | 3 +++
- src/usr.sbin/ntpd/constraint.c | 2 ++
- src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++--
- 3 files changed, 14 insertions(+), 2 deletions(-)
-
- diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
- index 0208b8dfb4..c2f9422f38 100644
- --- a/src/usr.sbin/ntpd/config.c
- +++ b/src/usr.sbin/ntpd/config.c
- @@ -163,6 +163,9 @@ new_constraint(void)
- p->id = ++constraint_maxid;
- p->fd = -1;
-
- +#ifndef HAVE_LIBTLS
- + log_warnx("constraint configured without libtls support");
- +#endif
- return (p);
- }
-
- diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
- index 841a28829d..b537a42e57 100644
- --- a/src/usr.sbin/ntpd/constraint.c
- +++ b/src/usr.sbin/ntpd/constraint.c
- @@ -339,12 +339,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
- if (setpriority(PRIO_PROCESS, 0, 0) == -1)
- log_warn("could not set priority");
-
- +#ifdef HAVE_LIBTLS
- /* Init TLS and load CA certs before chroot() */
- if (tls_init() == -1)
- fatalx("tls_init");
- if ((conf->ca = tls_load_file(tls_default_ca_cert_file(),
- &conf->ca_len, NULL)) == NULL)
- fatalx("failed to load constraint ca");
- +#endif
-
- if (chroot(pw_dir) == -1)
- fatal("chroot");
- diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
- index eee239bf52..5181a9c504 100644
- --- a/src/usr.sbin/ntpd/ntpd.conf.5
- +++ b/src/usr.sbin/ntpd/ntpd.conf.5
- @@ -195,8 +195,15 @@ authenticated constraint,
- thereby reducing the impact of unauthenticated NTP
- man-in-the-middle attacks.
- Received NTP packets with time information falling outside of a range
- -near the constraint will be discarded and such NTP servers
- -will be marked as invalid.
- +near the constraint will be discarded and such NTP servers will be marked as
- +invalid.
- +.Pp
- +Support for constraints is only available if
- +.Xr ntpd 8
- +has been linked with libtls from LibreSSL. Configuring a constraint
- +without libtls causes
- +.Xr ntpd 8
- +to log a warning message on startup.
- .Bl -tag -width Ds
- .It Ic constraint from Ar url
- Specify the URL, IP address or the hostname of an HTTPS server to
- --
- 2.21.0
-
|