|
From e87fd0e43800dbf3fd9781fb4c7bbc2fe7b1d2a4 Mon Sep 17 00:00:00 2001
|
|
From: Brent Cook <busterb@gmail.com>
|
|
Date: Fri, 27 Mar 2015 23:14:15 -0500
|
|
Subject: [PATCH 09/13] Notify the user when constraint support is disabled.
|
|
|
|
Update the manpage and make a constraint line a fatal error if it is
|
|
configured but ntpd is built without libtls present.
|
|
From Paul B. Henson.
|
|
---
|
|
src/usr.sbin/ntpd/config.c | 3 +++
|
|
src/usr.sbin/ntpd/constraint.c | 2 ++
|
|
src/usr.sbin/ntpd/ntpd.conf.5 | 7 +++++--
|
|
3 files changed, 10 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
|
|
index 87de17a..5a75030 100644
|
|
--- a/src/usr.sbin/ntpd/config.c
|
|
+++ b/src/usr.sbin/ntpd/config.c
|
|
@@ -219,6 +219,9 @@ new_constraint(void)
|
|
p->id = ++constraint_maxid;
|
|
p->fd = -1;
|
|
|
|
+#ifndef HAVE_LIBTLS
|
|
+ fatal("constraint configured without libtls support");
|
|
+#endif
|
|
return (p);
|
|
}
|
|
|
|
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
|
|
index e19d68e..791a74c 100644
|
|
--- a/src/usr.sbin/ntpd/constraint.c
|
|
+++ b/src/usr.sbin/ntpd/constraint.c
|
|
@@ -340,12 +340,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
|
|
(am = calloc(1, sizeof(*am))) == NULL)
|
|
fatal("%s: calloc", __func__);
|
|
|
|
+#ifdef HAVE_LIBTLS
|
|
/* Init TLS and load CA certs before chroot() */
|
|
if (tls_init() == -1)
|
|
fatalx("tls_init");
|
|
if ((conf->ca = tls_load_file(CONSTRAINT_CA,
|
|
&conf->ca_len, NULL)) == NULL)
|
|
fatalx("failed to load constraint ca");
|
|
+#endif
|
|
|
|
if (chroot(pw_dir) == -1)
|
|
fatal("chroot");
|
|
diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
|
|
index 87f94e8..7f729d2 100644
|
|
--- a/src/usr.sbin/ntpd/ntpd.conf.5
|
|
+++ b/src/usr.sbin/ntpd/ntpd.conf.5
|
|
@@ -185,8 +185,11 @@ authenticated constraint,
|
|
thereby reducing the impact of unauthenticated NTP
|
|
man-in-the-middle attacks.
|
|
Received NTP packets with time information falling outside of a range
|
|
-near the constraint will be discarded and such NTP servers
|
|
-will be marked as invalid.
|
|
+near the constraint will be discarded and such NTP servers will be marked as
|
|
+invalid. Contraints are only available if
|
|
+.Xr ntpd 8
|
|
+has been compiled with libtls support. Configuring a constraint without libtls
|
|
+support will result in a fatal error.
|
|
.Bl -tag -width Ds
|
|
.It Ic constraint from Ar url
|
|
Specify the URL, IP address or the hostname of an HTTPS server to
|
|
--
|
|
2.10.1
|
|
|