Portable build framework for OpenNTPD

  1. From c685d444684c047721ce4c3789aa50eab7ed7a91 Mon Sep 17 00:00:00 2001
  2. From: Brent Cook <busterb@gmail.com>
  3. Date: Fri, 27 Mar 2015 23:14:15 -0500
  4. Subject: [PATCH 10/12] Notify the user when constraint support is disabled.
  5. Update the manpage and make a constraint line a fatal error if it is
  6. configured but ntpd is built without libtls present.
  7. From Paul B. Henson.
  8. ---
  9. src/usr.sbin/ntpd/config.c | 3 +++
  10. src/usr.sbin/ntpd/constraint.c | 2 ++
  11. src/usr.sbin/ntpd/ntpd.conf.5 | 7 +++++--
  12. 3 files changed, 10 insertions(+), 2 deletions(-)
  13. diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
  14. index 87de17a..5a75030 100644
  15. --- a/src/usr.sbin/ntpd/config.c
  16. +++ b/src/usr.sbin/ntpd/config.c
  17. @@ -219,6 +219,9 @@ new_constraint(void)
  18. p->id = ++constraint_maxid;
  19. p->fd = -1;
  20. +#ifndef HAVE_LIBTLS
  21. + fatal("constraint configured without libtls support");
  22. +#endif
  23. return (p);
  24. }
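Review bot: the added fatal() in new_constraint() reports a build-time condition rather than a failed system call, so the errno string that fatal() appends to the message will be unrelated to the cause. The constraint.c part of this same patch shows the usual split, fatalx("tls_init") for a non-errno failure and fatal("chroot") for a system call, so fatalx("constraint configured without libtls support") fits better here. The check also sits after p->id = ++constraint_maxid; placing the #ifndef HAVE_LIBTLS block at the top of the function would fail before any constraint state is touched.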
  25. diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
  26. index 3fc837f..72b3980 100644
  27. --- a/src/usr.sbin/ntpd/constraint.c
  28. +++ b/src/usr.sbin/ntpd/constraint.c
  29. @@ -288,12 +288,14 @@ priv_constraint_child(struct constraint *cstr, struct ntp_addr_msg *am,
  30. if (setpriority(PRIO_PROCESS, 0, 0) == -1)
  31. log_warn("could not set priority");
  32. +#ifdef HAVE_LIBTLS
  33. /* Init TLS and load cert before chroot() */
  34. if (tls_init() == -1)
  35. fatalx("tls_init");
  36. if ((conf->ca = tls_load_file(CONSTRAINT_CA,
  37. &conf->ca_len, NULL)) == NULL)
  38. log_warnx("constraint certificate verification turned off");
  39. +#endif
  40. if (chroot(pw_dir) == -1)
  41. fatal("chroot");
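Review bot: with tls_init() and tls_load_file() now inside #ifdef HAVE_LIBTLS, a build without libtls falls straight through to chroot() in priv_constraint_child() with no TLS state and no log message. That path is only kept unreachable by the fatal added to new_constraint() in config.c. Consider an #else branch that calls fatalx here as well, so the constraint child cannot run silently if the config-side check is ever moved or bypassed.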
  42. diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
  43. index 87f94e8..7f729d2 100644
  44. --- a/src/usr.sbin/ntpd/ntpd.conf.5
  45. +++ b/src/usr.sbin/ntpd/ntpd.conf.5
  46. @@ -185,8 +185,11 @@ authenticated constraint,
  47. thereby reducing the impact of unauthenticated NTP
  48. man-in-the-middle attacks.
  49. Received NTP packets with time information falling outside of a range
  50. -near the constraint will be discarded and such NTP servers
  51. -will be marked as invalid.
  52. +near the constraint will be discarded and such NTP servers will be marked as
  53. +invalid. Contraints are only available if
  54. +.Xr ntpd 8
  55. +has been compiled with libtls support. Configuring a constraint without libtls
  56. +support will result in a fatal error.
  57. .Bl -tag -width Ds
  58. .It Ic constraint from Ar url
  59. Specify the URL, IP address or the hostname of an HTTPS server to
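Review bot: the added manpage text misspells "Constraints" as "Contraints" in the line "+invalid. Contraints are only available if". The two new sentences also start mid-line, after "invalid." and after "support."; mdoc source conventionally begins each sentence on its own line, which the removed lines did not need to worry about because they held a single sentence. Suggest fixing the spelling and breaking the lines at the sentence boundaries.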
  60. --
  61. 2.6.3