From 6f149a27d07f574cf47a79b30f4f977e21477b1e Mon Sep 17 00:00:00 2001 From: Brent Cook Date: Fri, 27 Mar 2015 23:14:15 -0500 Subject: [PATCH 09/15] Notify the user when constraint support is disabled. Update the manpage and warn if constraints are configured but ntpd is built without libtls present. From Paul B. Henson. --- src/usr.sbin/ntpd/config.c | 3 +++ src/usr.sbin/ntpd/constraint.c | 2 ++ src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++-- 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c index 224c913383..8f913d8b1e 100644 --- a/src/usr.sbin/ntpd/config.c +++ b/src/usr.sbin/ntpd/config.c @@ -184,6 +184,9 @@ new_constraint(void) p->id = ++constraint_maxid; p->fd = -1; +#ifndef HAVE_LIBTLS + log_warnx("constraint configured without libtls support"); +#endif return (p); } diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c index 6529070d14..f23d363889 100644 --- a/src/usr.sbin/ntpd/constraint.c +++ b/src/usr.sbin/ntpd/constraint.c @@ -354,12 +354,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid) if (setpriority(PRIO_PROCESS, 0, 0) == -1) log_warn("could not set priority"); +#ifdef HAVE_LIBTLS /* Init TLS and load CA certs before chroot() */ if (tls_init() == -1) fatalx("tls_init"); if ((conf->ca = tls_load_file(tls_default_ca_cert_file(), &conf->ca_len, NULL)) == NULL) fatalx("failed to load constraint ca"); +#endif if (chroot(pw_dir) == -1) fatal("chroot"); diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5 index 775343f400..dadf3dea6d 100644 --- a/src/usr.sbin/ntpd/ntpd.conf.5 +++ b/src/usr.sbin/ntpd/ntpd.conf.5 @@ -216,8 +216,15 @@ authenticated constraint, thereby reducing the impact of unauthenticated NTP man-in-the-middle attacks. Received NTP packets with time information falling outside of a range -near the constraint will be discarded and such NTP servers -will be marked as invalid. +near the constraint will be discarded and such NTP servers will be marked as +invalid. +.Pp +Support for constraints is only available if +.Xr ntpd 8 +has been linked with libtls from LibreSSL. Configuring a constraint +without libtls causes +.Xr ntpd 8 +to log a warning message on startup. .Bl -tag -width Ds .It Ic constraint from Ar url [ip...] Specify the URL, IP address or the hostname of an HTTPS server to -- 2.26.0