From 071d21a66c0814efcecdba702a11d886fc1b444e Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Fri, 27 Mar 2015 23:14:15 -0500
Subject: [PATCH 09/13] Notify the user when constraint support is disabled.

Update the manpage and warn if constraints are
configured but ntpd is built without libtls present.
From Paul B. Henson.
---
 src/usr.sbin/ntpd/config.c     |  3 +++
 src/usr.sbin/ntpd/constraint.c |  2 ++
 src/usr.sbin/ntpd/ntpd.conf.5  | 11 +++++++++--
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index a84635ab77..430992137a 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -219,6 +219,9 @@ new_constraint(void)
 	p->id = ++constraint_maxid;
 	p->fd = -1;
 
+#ifndef HAVE_LIBTLS
+	log_warnx("constraint configured without libtls support");
+#endif
 	return (p);
 }
 
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
index 7e259af2d8..8a3ddacc10 100644
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@@ -336,12 +336,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
 	if (setpriority(PRIO_PROCESS, 0, 0) == -1)
 		log_warn("could not set priority");
 
+#ifdef HAVE_LIBTLS
 	/* Init TLS and load CA certs before chroot() */
 	if (tls_init() == -1)
 		fatalx("tls_init");
 	if ((conf->ca = tls_load_file(CONSTRAINT_CA,
 	    &conf->ca_len, NULL)) == NULL)
 		fatalx("failed to load constraint ca");
+#endif
 
 	if (chroot(pw_dir) == -1)
 		fatal("chroot");
diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
index eee239bf52..5181a9c504 100644
--- a/src/usr.sbin/ntpd/ntpd.conf.5
+++ b/src/usr.sbin/ntpd/ntpd.conf.5
@@ -195,8 +195,15 @@ authenticated constraint,
 thereby reducing the impact of unauthenticated NTP
 man-in-the-middle attacks.
 Received NTP packets with time information falling outside of a range
-near the constraint will be discarded and such NTP servers
-will be marked as invalid.
+near the constraint will be discarded and such NTP servers will be marked as
+invalid.
+.Pp
+Support for constraints is only available if
+.Xr ntpd 8
+has been linked with libtls from LibreSSL. Configuring a constraint
+without libtls causes
+.Xr ntpd 8
+to log a warning message on startup.
 .Bl -tag -width Ds
 .It Ic constraint from Ar url
 Specify the URL, IP address or the hostname of an HTTPS server to
-- 
2.14.0