Portable build framework for OpenNTPD
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

68 lines
2.3 KiB

From e87fd0e43800dbf3fd9781fb4c7bbc2fe7b1d2a4 Mon Sep 17 00:00:00 2001
From: Brent Cook <busterb@gmail.com>
Date: Fri, 27 Mar 2015 23:14:15 -0500
Subject: [PATCH 09/13] Notify the user when constraint support is disabled.
Update the manpage and make a constraint line a fatal error if it is
configured but ntpd is built without libtls present.
From Paul B. Henson.
---
src/usr.sbin/ntpd/config.c | 3 +++
src/usr.sbin/ntpd/constraint.c | 2 ++
src/usr.sbin/ntpd/ntpd.conf.5 | 7 +++++--
3 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/usr.sbin/ntpd/config.c b/src/usr.sbin/ntpd/config.c
index 87de17a..5a75030 100644
--- a/src/usr.sbin/ntpd/config.c
+++ b/src/usr.sbin/ntpd/config.c
@@ -219,6 +219,9 @@ new_constraint(void)
p->id = ++constraint_maxid;
p->fd = -1;
+#ifndef HAVE_LIBTLS
+ fatal("constraint configured without libtls support");
+#endif
return (p);
}
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
index e19d68e..791a74c 100644
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@@ -340,12 +340,14 @@ priv_constraint_child(const char *pw_dir, uid_t pw_uid, gid_t pw_gid)
(am = calloc(1, sizeof(*am))) == NULL)
fatal("%s: calloc", __func__);
+#ifdef HAVE_LIBTLS
/* Init TLS and load CA certs before chroot() */
if (tls_init() == -1)
fatalx("tls_init");
if ((conf->ca = tls_load_file(CONSTRAINT_CA,
&conf->ca_len, NULL)) == NULL)
fatalx("failed to load constraint ca");
+#endif
if (chroot(pw_dir) == -1)
fatal("chroot");
diff --git a/src/usr.sbin/ntpd/ntpd.conf.5 b/src/usr.sbin/ntpd/ntpd.conf.5
index 87f94e8..7f729d2 100644
--- a/src/usr.sbin/ntpd/ntpd.conf.5
+++ b/src/usr.sbin/ntpd/ntpd.conf.5
@@ -185,8 +185,11 @@ authenticated constraint,
thereby reducing the impact of unauthenticated NTP
man-in-the-middle attacks.
Received NTP packets with time information falling outside of a range
-near the constraint will be discarded and such NTP servers
-will be marked as invalid.
+near the constraint will be discarded and such NTP servers will be marked as
+invalid. Contraints are only available if
+.Xr ntpd 8
+has been compiled with libtls support. Configuring a constraint without libtls
+support will result in a fatal error.
.Bl -tag -width Ds
.It Ic constraint from Ar url
Specify the URL, IP address or the hostname of an HTTPS server to
--
2.10.1