Portable build framework for OpenNTPD
  1. From 1c8dc7b9bda86123ccc6744142a80520b75e0b9e Mon Sep 17 00:00:00 2001
  2. From: Brent Cook <busterb@gmail.com>
  3. Date: Fri, 27 Mar 2015 23:14:15 -0500
  4. Subject: [PATCH 09/14] Notify the user when constraint support is disabled.
  5. Update the manpage and warn if constraints are
  6. configured but ntpd is built without libtls present.
  7. From Paul B. Henson.
  8. ---
  9. src/usr.sbin/ntpd/config.c | 3 +++
  10. src/usr.sbin/ntpd/constraint.c | 2 ++
  11. src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++--
  12. 3 files changed, 14 insertions(+), 2 deletions(-)
  13. diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
  14. index 0208b8dfb4..c2f9422f38 100644
  15. --- a/src/usr.sbin/ntpd/config.c
  16. +++ b/src/usr.sbin/ntpd/config.c
  17. @@ -163,6 +163,9 @@ new_constraint(void)
  18. p->id = ++constraint_maxid;
  19. p->fd = -1;
  20. +#ifndef HAVE_LIBTLS
  21. + log_warnx("constraint configured without libtls support");
  22. +#endif
  23. return (p);
  24. }
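Review bot: The log_warnx() call added in new_constraint() runs once per allocated constraint and does not say what the consequence is, so a configuration with several constraint lines repeats the same message while the operator still cannot tell whether the time checks are in effect. Consider emitting it once (for example behind a static flag) and wording it to match the commit subject, stating that constraint support is disabled in this build.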
  25. diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
  26. index 76dc4f7bdf..ec7c38df68 100644
  27. --- a/src/usr.sbin/ntpd/constraint.c
  28. +++ b/src/usr.sbin/ntpd/constraint.c
  29. @@ -336,12 +336,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
  30. if (setpriority(PRIO_PROCESS, 0, 0) == -1)
  31. log_warn("could not set priority");
  32. +#ifdef HAVE_LIBTLS
  33. /* Init TLS and load CA certs before chroot() */
  34. if (tls_init() == -1)
  35. fatalx("tls_init");
  36. if ((conf->ca = tls_load_file(tls_default_ca_cert_file(),
  37. &conf->ca_len, NULL)) == NULL)
  38. fatalx("failed to load constraint ca");
  39. +#endif
  40. if (chroot(pw_dir) == -1)
  41. fatal("chroot");
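Review bot: With HAVE_LIBTLS undefined, the block in priv_constraint_child() that assigns conf->ca and conf->ca_len is compiled out, yet the function still proceeds to chroot(pw_dir), so the rest of the child path runs with those fields never set. Please confirm that every later use of conf->ca sits under the same guard, or return early in the non-libtls build. A short comment at the #ifdef explaining why the child continues without TLS would also help the next reader.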
  42. diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
  43. index eee239bf52..5181a9c504 100644
  44. --- a/src/usr.sbin/ntpd/ntpd.conf.5
  45. +++ b/src/usr.sbin/ntpd/ntpd.conf.5
  46. @@ -195,8 +195,15 @@ authenticated constraint,
  47. thereby reducing the impact of unauthenticated NTP
  48. man-in-the-middle attacks.
  49. Received NTP packets with time information falling outside of a range
  50. -near the constraint will be discarded and such NTP servers
  51. -will be marked as invalid.
  52. +near the constraint will be discarded and such NTP servers will be marked as
  53. +invalid.
  54. +.Pp
  55. +Support for constraints is only available if
  56. +.Xr ntpd 8
  57. +has been linked with libtls from LibreSSL. Configuring a constraint
  58. +without libtls causes
  59. +.Xr ntpd 8
  60. +to log a warning message on startup.
  61. .Bl -tag -width Ds
  62. .It Ic constraint from Ar url
  63. Specify the URL, IP address or the hostname of an HTTPS server to
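Review bot: The paragraph added to ntpd.conf.5 says only that a warning is logged. It should also state that constraint support is disabled in that build, because the text just above it describes reduced impact of man-in-the-middle attacks and a reader on a non-libtls build could assume that still holds. Two style points in the same hunk: mdoc sources start each sentence on its own line, so break after "LibreSSL.", and the rewrap of "will be marked as invalid." is an unrelated whitespace change that could be left out of this patch.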
  64. --
  65. 2.20.1