blob: 85a7c72949f27dfc2d29965b5d1a78535db5ff21 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
|
diff -u -r openntpd-5.7p4-orig/src/config.c openntpd-5.7p4/src/config.c
--- openntpd-5.7p4-orig/src/config.c 2015-03-24 18:18:56.000000000 -0700
+++ openntpd-5.7p4/src/config.c 2015-05-25 16:48:59.000000000 -0700
@@ -218,6 +218,9 @@
fatal("new_constraint calloc");
p->id = ++constraint_maxid;
+#ifndef HAVE_LIBTLS
+ fatal("constraint configured without libtls support");
+#endif
return (p);
}
diff -u -r openntpd-5.7p4-orig/src/ntp.c openntpd-5.7p4/src/ntp.c
--- openntpd-5.7p4-orig/src/ntp.c 2015-03-11 19:15:36.000000000 -0700
+++ openntpd-5.7p4/src/ntp.c 2015-05-25 16:48:59.000000000 -0700
@@ -110,12 +110,14 @@
return (pid);
}
+#ifdef HAVE_LIBTLS
tls_init();
/* Verification will be turned off if CA is not found */
if ((conf->ca = tls_load_file(CONSTRAINT_CA,
&conf->ca_len, NULL)) == NULL)
log_warnx("constraint certificate verification turned off");
+#endif
/* in this case the parent didn't init logging and didn't daemonize */
if (nconf->settime && !nconf->debug) {
diff -u -r openntpd-5.7p4-orig/src/ntpd.conf.5 openntpd-5.7p4/src/ntpd.conf.5
--- openntpd-5.7p4-orig/src/ntpd.conf.5 2015-03-24 18:18:56.000000000 -0700
+++ openntpd-5.7p4/src/ntpd.conf.5 2015-05-25 16:48:59.000000000 -0700
@@ -192,8 +192,11 @@
.Sq Man-In-The-Middle
attacks.
Received NTP packets with time information falling outside of a range
-near the constraint will be discarded and such NTP servers
-will be marked as invalid.
+near the constraint will be discarded and such NTP servers will be marked as
+invalid. Contraints are only available if
+.Xr ntpd 8
+has been compiled with libtls support. Configuring a constraint without libtls
+support will result in a fatal error.
.Bl -tag -width Ds
.It Ic constraint from Ar url
Specify the URL, IP address or the hostname of an HTTPS server to
Only in openntpd-5.7p4/src: ntpd.conf.5.orig
|
GitWeb
