handle constraints in ntpd.conf as a warning rather than fatal error

OPENBSD_6_2
Brent Cook 7 years ago
parent
commit
d8f57f465d
5 changed files with 21 additions and 17 deletions
  1. +17 -13  patches/0009-Notify-the-user-when-constraint-support-is-disabled.patch
  2. +1 -1  patches/0010-add-a-method-for-updating-the-realtime-clock-on-sync.patch
  3. +1 -1  patches/0011-Deal-with-missing-SO_TIMESTAMP.patch
  4. +1 -1  patches/0012-check-result-of-ftello-ftruncate.patch
  5. +1 -1  patches/0013-set-IPV6_V6ONLY-if-we-are-binding-to-an-IPv6-address.patch

+17 -13  patches/0009-Notify-the-user-when-constraint-support-is-disabled.patch

@ -1,19 +1,19 @@
From efb678b08cbff1e994513621b113e864dec9e0c6 Mon Sep 17 00:00:00 2001
From e76aeb2f1854ae698325aa03fe1f0b7f7bcbf411 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Fri, 27 Mar 2015 23:14:15 -0500 Date: Fri, 27 Mar 2015 23:14:15 -0500
Subject: [PATCH 09/13] Notify the user when constraint support is disabled. Subject: [PATCH 09/13] Notify the user when constraint support is disabled.
Update the manpage and make a constraint line a fatal error if it is
Update the manpage and warn if constraints are
configured but ntpd is built without libtls present. configured but ntpd is built without libtls present.
From Paul B. Henson. From Paul B. Henson.
--- ---
src/usr.sbin/ntpd/config.c | 3 +++
src/usr.sbin/ntpd/constraint.c | 2 ++
src/usr.sbin/ntpd/ntpd.conf.5 | 7 +++++--
3 files changed, 10 insertions(+), 2 deletions(-)
src/usr.sbin/ntpd/config.c | 3 +++
src/usr.sbin/ntpd/constraint.c | 2 ++
src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++--
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index a84635ab7..d46fca62f 100644
index a84635ab7..430992137 100644
--- a/src/usr.sbin/ntpd/config.c --- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c +++ b/src/usr.sbin/ntpd/config.c
@@ -219,6 +219,9 @@ new_constraint(void) @@ -219,6 +219,9 @@ new_constraint(void)
@ -21,7 +21,7 @@ index a84635ab7..d46fca62f 100644
p->fd = -1; p->fd = -1;
+#ifndef HAVE_LIBTLS +#ifndef HAVE_LIBTLS
+ fatal("constraint configured without libtls support");
+ log_warnx("constraint configured without libtls support");
+#endif +#endif
return (p); return (p);
} }
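Review bot: with fatal() downgraded to `+ log_warnx("constraint configured without libtls support");`, the constraint is still allocated and returned (`p->fd = -1;` ... `return (p);`), and new_constraint() runs once per constraint line, so a configuration with several constraints logs the same message several times and none of them tells the operator what the consequence is. Suggest wording the message so it states the outcome, for example "constraint configured without libtls support, constraint ignored", and warning once per config load if the parser can track that. Also worth confirming, outside this hunk, that the code paths which later walk the constraint list tolerate entries created without libtls, since before this change the process never got past this point.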
@ -46,20 +46,24 @@ index 7e259af2d..8a3ddacc1 100644
if (chroot(pw_dir) == -1) if (chroot(pw_dir) == -1)
fatal("chroot"); fatal("chroot");
diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5 diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
index e3c0ddd78..804ebaa12 100644
index e3c0ddd78..4218b811b 100644
--- a/src/usr.sbin/ntpd/ntpd.conf.5 --- a/src/usr.sbin/ntpd/ntpd.conf.5
+++ b/src/usr.sbin/ntpd/ntpd.conf.5 +++ b/src/usr.sbin/ntpd/ntpd.conf.5
@@ -195,8 +195,11 @@ authenticated constraint,
@@ -195,8 +195,15 @@ authenticated constraint,
thereby reducing the impact of unauthenticated NTP thereby reducing the impact of unauthenticated NTP
man-in-the-middle attacks. man-in-the-middle attacks.
Received NTP packets with time information falling outside of a range Received NTP packets with time information falling outside of a range
-near the constraint will be discarded and such NTP servers -near the constraint will be discarded and such NTP servers
-will be marked as invalid. -will be marked as invalid.
+near the constraint will be discarded and such NTP servers will be marked as +near the constraint will be discarded and such NTP servers will be marked as
+invalid. Contraints are only available if
+invalid.
+.Pp
+Support for constraints is only available if
+.Xr ntpd 8 +.Xr ntpd 8
+has been compiled with libtls support. Configuring a constraint without libtls
+support will result in a fatal error.
+has been linked with libtls from LibreSSL. Configuring a constraint
+without libtls causes
+.Xr ntpd 8
+to log a warning message on startup.
.Bl -tag -width Ds .Bl -tag -width Ds
.It Ic constraint from Ar url .It Ic constraint from Ar url
Specify the URL, IP address or the hostname of an HTTPS server to Specify the URL, IP address or the hostname of an HTTPS server to
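Review bot: the new text documents the warning but not its effect: it says ntpd logs "a warning message on startup" without saying that the constraint is not enforced. Given that this section introduces constraints as the mitigation for man-in-the-middle attacks on unauthenticated NTP, the page should state plainly that a constraint configured without libtls has no effect, so an operator who sees the warning understands the protection is absent rather than merely noisy. As a style point, `+has been linked with libtls from LibreSSL. Configuring a constraint` starts a new sentence mid-line; mdoc convention, followed elsewhere in this file, puts each sentence on its own line, so suggest breaking after `LibreSSL.`.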


+1 -1  patches/0010-add-a-method-for-updating-the-realtime-clock-on-sync.patch

@ -1,4 +1,4 @@
From daec8e4e9571441a76485ae566b1e974d96752a9 Mon Sep 17 00:00:00 2001
From 3fbb0bef99d10fdacda9583b8c0f80efd82797db Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com> From: Brent Cook <busterb@gmail.com>
Date: Mon, 4 May 2015 04:27:29 -0500 Date: Mon, 4 May 2015 04:27:29 -0500
Subject: [PATCH 10/13] add a method for updating the realtime clock on sync Subject: [PATCH 10/13] add a method for updating the realtime clock on sync
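Review bot: the only change in this hunk, and in the matching hunks for patches 0011, 0012 and 0013 below, is the commit id in the `From <sha1>` line, i.e. churn from regenerating the series with git format-patch after 0009 was amended. Harmless, but it buries the one substantive change under four hash-only diffs; if the series is regenerated regularly, `git format-patch --zero-commit` writes an all-zero id in that header so only real changes show up in review.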


+1 -1  patches/0011-Deal-with-missing-SO_TIMESTAMP.patch

@ -1,4 +1,4 @@
From 551dfcb76bfcd11299729e69d4df5c61bcc6a994 Mon Sep 17 00:00:00 2001
From 3d2500746a780d03c48b7dd10e821a5944ae33ed Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@openbsd.org> From: Brent Cook <bcook@openbsd.org>
Date: Sun, 6 Dec 2015 22:35:38 -0600 Date: Sun, 6 Dec 2015 22:35:38 -0600
Subject: [PATCH 11/13] Deal with missing SO_TIMESTAMP Subject: [PATCH 11/13] Deal with missing SO_TIMESTAMP


+1 -1  patches/0012-check-result-of-ftello-ftruncate.patch

@ -1,4 +1,4 @@
From 974f13df1d84aa9199288cf4689db4f19f28af16 Mon Sep 17 00:00:00 2001
From cf9058ca118785f7e73e163e9c4691cbf726dfcc Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@openbsd.org> From: Brent Cook <bcook@openbsd.org>
Date: Mon, 21 Dec 2015 05:53:20 -0600 Date: Mon, 21 Dec 2015 05:53:20 -0600
Subject: [PATCH 12/13] check result of ftello/ftruncate Subject: [PATCH 12/13] check result of ftello/ftruncate


+1 -1  patches/0013-set-IPV6_V6ONLY-if-we-are-binding-to-an-IPv6-address.patch

@ -1,4 +1,4 @@
From 1e633c87b63e0933c854f82b965a3bd686eb0c1c Mon Sep 17 00:00:00 2001
From b00291c2d9c8ecd1b17cb7d33a2e24819e550d26 Mon Sep 17 00:00:00 2001
From: Brent Cook <bcook@openbsd.org> From: Brent Cook <bcook@openbsd.org>
Date: Sat, 13 Aug 2016 14:22:02 -0500 Date: Sat, 13 Aug 2016 14:22:02 -0500
Subject: [PATCH 13/13] set IPV6_V6ONLY if we are binding to an IPv6 address Subject: [PATCH 13/13] set IPV6_V6ONLY if we are binding to an IPv6 address

