Portable build framework for OpenNTPD
  1. From 6f149a27d07f574cf47a79b30f4f977e21477b1e Mon Sep 17 00:00:00 2001
  2. From: Brent Cook <busterb@gmail.com>
  3. Date: Fri, 27 Mar 2015 23:14:15 -0500
  4. Subject: [PATCH 09/15] Notify the user when constraint support is disabled.
  5. Update the manpage and warn if constraints are
  6. configured but ntpd is built without libtls present.
  7. From Paul B. Henson.
  8. ---
  9. src/usr.sbin/ntpd/config.c | 3 +++
  10. src/usr.sbin/ntpd/constraint.c | 2 ++
  11. src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++--
  12. 3 files changed, 14 insertions(+), 2 deletions(-)
  13. diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
  14. index 224c913383..8f913d8b1e 100644
  15. --- a/src/usr.sbin/ntpd/config.c
  16. +++ b/src/usr.sbin/ntpd/config.c
  17. @@ -184,6 +184,9 @@ new_constraint(void)
  18. p->id = ++constraint_maxid;
  19. p->fd = -1;
  20. +#ifndef HAVE_LIBTLS
  21. + log_warnx("constraint configured without libtls support");
  22. +#endif
  23. return (p);
  24. }
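Review bot: the log_warnx() added in new_constraint() only warns, so a build without HAVE_LIBTLS accepts a configured constraint and keeps running without it. Since the man page in this same patch describes constraints as the mechanism that reduces the impact of unauthenticated NTP man-in-the-middle attacks, consider treating this as a configuration error, or at least say in the message that the constraint will be ignored. The call also sits in the allocation path, so it repeats for every constraint created; a single warning once parsing has finished would be less noisy.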
  25. diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
  26. index 6529070d14..f23d363889 100644
  27. --- a/src/usr.sbin/ntpd/constraint.c
  28. +++ b/src/usr.sbin/ntpd/constraint.c
  29. @@ -354,12 +354,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
  30. if (setpriority(PRIO_PROCESS, 0, 0) == -1)
  31. log_warn("could not set priority");
  32. +#ifdef HAVE_LIBTLS
  33. /* Init TLS and load CA certs before chroot() */
  34. if (tls_init() == -1)
  35. fatalx("tls_init");
  36. if ((conf->ca = tls_load_file(tls_default_ca_cert_file(),
  37. &conf->ca_len, NULL)) == NULL)
  38. fatalx("failed to load constraint ca");
  39. +#endif
  40. if (chroot(pw_dir) == -1)
  41. fatal("chroot");
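Review bot: with the tls_init()/tls_load_file() block compiled out under #ifdef HAVE_LIBTLS, conf->ca and conf->ca_len are never assigned in priv_constraint_child(), yet the function still continues to chroot() as if constraints were usable. Add an #else branch that sets them to NULL and 0 explicitly, or avoid starting the constraint child at all when libtls is absent, so that nothing later can act on an unset CA buffer. A short comment on the #ifdef explaining why the child is still set up without TLS would also help.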
  42. diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
  43. index 775343f400..dadf3dea6d 100644
  44. --- a/src/usr.sbin/ntpd/ntpd.conf.5
  45. +++ b/src/usr.sbin/ntpd/ntpd.conf.5
  46. @@ -216,8 +216,15 @@ authenticated constraint,
  47. thereby reducing the impact of unauthenticated NTP
  48. man-in-the-middle attacks.
  49. Received NTP packets with time information falling outside of a range
  50. -near the constraint will be discarded and such NTP servers
  51. -will be marked as invalid.
  52. +near the constraint will be discarded and such NTP servers will be marked as
  53. +invalid.
  54. +.Pp
  55. +Support for constraints is only available if
  56. +.Xr ntpd 8
  57. +has been linked with libtls from LibreSSL. Configuring a constraint
  58. +without libtls causes
  59. +.Xr ntpd 8
  60. +to log a warning message on startup.
  61. .Bl -tag -width Ds
  62. .It Ic constraint from Ar url [ip...]
  63. Specify the URL, IP address or the hostname of an HTTPS server to
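Review bot: the paragraph added after .Pp says a warning is logged but not what happens next; state explicitly that a configured constraint is ignored when ntpd is built without libtls, so readers know NTP replies are then not checked against an authenticated time source. Two style points in the same hunk: in mdoc source the sentence "Configuring a constraint" should start on its own line rather than after "LibreSSL.", and the rewrap of the "near the constraint" sentence changes no wording and would be better left out of this patch.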
  64. --
  65. 2.26.0