|
From 49228b4b3b4c49430f93629b75871154e01154f1 Mon Sep 17 00:00:00 2001
|
|
From: Brent Cook <busterb@gmail.com>
|
|
Date: Fri, 27 Mar 2015 23:14:15 -0500
|
|
Subject: [PATCH 09/18] Notify the user when constraint support is disabled.
|
|
|
|
Update the manpage and warn if constraints are
|
|
configured but ntpd is built without libtls present.
|
|
From Paul B. Henson.
|
|
---
|
|
src/usr.sbin/ntpd/config.c | 3 +++
|
|
src/usr.sbin/ntpd/constraint.c | 2 ++
|
|
src/usr.sbin/ntpd/ntpd.conf.5 | 11 +++++++++--
|
|
3 files changed, 14 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
|
|
index e243818c25..856c3147cc 100644
|
|
--- a/src/usr.sbin/ntpd/config.c
|
|
+++ b/src/usr.sbin/ntpd/config.c
|
|
@@ -187,6 +187,9 @@ new_constraint(void)
|
|
p->id = ++constraint_maxid;
|
|
p->fd = -1;
|
|
|
|
+#ifndef HAVE_LIBTLS
|
|
+ log_warnx("constraint configured without libtls support");
|
|
+#endif
|
|
return (p);
|
|
}
|
|
|
|
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
|
|
index 6529070d14..f23d363889 100644
|
|
--- a/src/usr.sbin/ntpd/constraint.c
|
|
+++ b/src/usr.sbin/ntpd/constraint.c
|
|
@@ -354,12 +354,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
|
|
if (setpriority(PRIO_PROCESS, 0, 0) == -1)
|
|
log_warn("could not set priority");
|
|
|
|
+#ifdef HAVE_LIBTLS
|
|
/* Init TLS and load CA certs before chroot() */
|
|
if (tls_init() == -1)
|
|
fatalx("tls_init");
|
|
if ((conf->ca = tls_load_file(tls_default_ca_cert_file(),
|
|
&conf->ca_len, NULL)) == NULL)
|
|
fatalx("failed to load constraint ca");
|
|
+#endif
|
|
|
|
if (chroot(pw_dir) == -1)
|
|
fatal("chroot");
|
|
diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
|
|
index 98368d914b..bd7314c63b 100644
|
|
--- a/src/usr.sbin/ntpd/ntpd.conf.5
|
|
+++ b/src/usr.sbin/ntpd/ntpd.conf.5
|
|
@@ -216,8 +216,15 @@ authenticated constraint,
|
|
thereby reducing the impact of unauthenticated NTP
|
|
man-in-the-middle attacks.
|
|
Received NTP packets with time information falling outside of a range
|
|
-near the constraint will be discarded and such NTP servers
|
|
-will be marked as invalid.
|
|
+near the constraint will be discarded and such NTP servers will be marked as
|
|
+invalid.
|
|
+.Pp
|
|
+Support for constraints is only available if
|
|
+.Xr ntpd 8
|
|
+has been linked with libtls from LibreSSL. Configuring a constraint
|
|
+without libtls causes
|
|
+.Xr ntpd 8
|
|
+to log a warning message on startup.
|
|
.Bl -tag -width Ds
|
|
.It Ic constraint from Ar url [ip...]
|
|
Specify the URL, IP address or the hostname of an HTTPS server to
|
|
--
|
|
2.27.0
|
|
|