Portable build framework for OpenNTPD

  1. From e76aeb2f1854ae698325aa03fe1f0b7f7bcbf411 Mon Sep 17 00:00:00 2001
  2. From: Brent Cook <busterb@gmail.com>
  3. Date: Fri, 27 Mar 2015 23:14:15 -0500
  4. Subject: [PATCH 09/13] Notify the user when constraint support is disabled.
  5. Update the manpage and warn if constraints are
  6. configured but ntpd is built without libtls present.
  7. From Paul B. Henson.
  8. ---
  9. src/usr.sbin/ntpd/config.c | 3 +++
  10. src/usr.sbin/ntpd/constraint.c | 2 ++
  11. src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++--
  12. 3 files changed, 14 insertions(+), 2 deletions(-)
  13. diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
  14. index a84635ab7..430992137 100644
  15. --- a/src/usr.sbin/ntpd/config.c
  16. +++ b/src/usr.sbin/ntpd/config.c
  17. @@ -219,6 +219,9 @@ new_constraint(void)
  18. p->id = ++constraint_maxid;
  19. p->fd = -1;
  20. +#ifndef HAVE_LIBTLS
  21. + log_warnx("constraint configured without libtls support");
  22. +#endif
  23. return (p);
  24. }
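Review bot: The log_warnx() call added before return (p) in new_constraint() only reports the problem and then hands back the constraint as usual, so a configuration that depends on constraints to bound unauthenticated NTP time is accepted without that protection. Say so in the message, for example "constraint configured but ntpd was built without libtls; constraints are disabled", and consider whether this should be a configuration error rather than a warning. Because the check sits in the allocator, the message is also repeated on every call to new_constraint(); a single warning after parsing would be less noisy.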
  25. diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
  26. index 7e259af2d..8a3ddacc1 100644
  27. --- a/src/usr.sbin/ntpd/constraint.c
  28. +++ b/src/usr.sbin/ntpd/constraint.c
  29. @@ -336,12 +336,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
  30. if (setpriority(PRIO_PROCESS, 0, 0) == -1)
  31. log_warn("could not set priority");
  32. +#ifdef HAVE_LIBTLS
  33. /* Init TLS and load CA certs before chroot() */
  34. if (tls_init() == -1)
  35. fatalx("tls_init");
  36. if ((conf->ca = tls_load_file(CONSTRAINT_CA,
  37. &conf->ca_len, NULL)) == NULL)
  38. fatalx("failed to load constraint ca");
  39. +#endif
  40. if (chroot(pw_dir) == -1)
  41. fatal("chroot");
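Review bot: When HAVE_LIBTLS is not defined, the new #ifdef in priv_constraint_child() skips tls_init() and tls_load_file() but the function still carries on to chroot(pw_dir), with conf->ca and conf->ca_len never assigned here. Add a #else branch that either bails out before the chroot or sets conf->ca = NULL and conf->ca_len = 0 explicitly, so nothing later in the child can act on an unset CA buffer. A one-line comment on the #ifdef explaining why the non-TLS path is safe to continue would also help the next reader.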
  42. diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
  43. index e3c0ddd78..4218b811b 100644
  44. --- a/src/usr.sbin/ntpd/ntpd.conf.5
  45. +++ b/src/usr.sbin/ntpd/ntpd.conf.5
  46. @@ -195,8 +195,15 @@ authenticated constraint,
  47. thereby reducing the impact of unauthenticated NTP
  48. man-in-the-middle attacks.
  49. Received NTP packets with time information falling outside of a range
  50. -near the constraint will be discarded and such NTP servers
  51. -will be marked as invalid.
  52. +near the constraint will be discarded and such NTP servers will be marked as
  53. +invalid.
  54. +.Pp
  55. +Support for constraints is only available if
  56. +.Xr ntpd 8
  57. +has been linked with libtls from LibreSSL. Configuring a constraint
  58. +without libtls causes
  59. +.Xr ntpd 8
  60. +to log a warning message on startup.
  61. .Bl -tag -width Ds
  62. .It Ic constraint from Ar url
  63. Specify the URL, IP address or the hostname of an HTTPS server to
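Review bot: The added manual text says only that ntpd logs a warning, not that the configured constraint has no effect in a build without libtls; an administrator reading this section for the man-in-the-middle mitigation needs that stated outright. Suggest adding a sentence such as "In that case constraints are not enforced." Two style points in the same hunk: "+has been linked with libtls from LibreSSL. Configuring a constraint" starts a new sentence mid-line, where mdoc sources normally begin each sentence on its own line, and the rewrap of the existing "near the constraint will be discarded" sentence is an unrelated whitespace change that makes the diff harder to read.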
  64. --
  65. 2.13.0